From de7cdddab120ecc07d412749bfb3f191c4e0afe3 Mon Sep 17 00:00:00 2001 From: Kris Kennaway Date: Sun, 18 Feb 2001 03:17:36 +0000 Subject: Import of OpenSSL 0.9.6-STABLE snapshot dated 2001-02-10 --- crypto/openssl/CHANGES | 136 ++ crypto/openssl/Configure | 9 +- crypto/openssl/LICENSE | 2 +- crypto/openssl/Makefile.org | 3 +- crypto/openssl/STATUS | 92 + crypto/openssl/TABLE | 2301 ++++++++++++++++++++ crypto/openssl/apps/app_rand.c | 6 +- crypto/openssl/apps/ca-cert.srl | 2 +- crypto/openssl/apps/dsaparam.c | 2 +- crypto/openssl/apps/passwd.c | 2 +- crypto/openssl/apps/pca-cert.srl | 2 +- crypto/openssl/apps/req.c | 9 +- crypto/openssl/apps/rsautl.c | 4 + crypto/openssl/apps/server.pem | 16 +- crypto/openssl/certs/expired/rsa-ssca.pem | 19 + crypto/openssl/config | 13 +- crypto/openssl/crypto/Makefile.ssl | 3 +- crypto/openssl/crypto/asn1/Makefile.ssl | 3 +- crypto/openssl/crypto/asn1/a_strnid.c | 2 +- crypto/openssl/crypto/asn1/asn1_mac.h | 23 + crypto/openssl/crypto/asn1/x_crl.c | 10 +- crypto/openssl/crypto/bf/Makefile.ssl | 3 +- crypto/openssl/crypto/bio/Makefile.ssl | 3 +- crypto/openssl/crypto/bio/b_sock.c | 14 +- crypto/openssl/crypto/bn/Makefile.ssl | 3 +- crypto/openssl/crypto/bn/asm/pa-risc2.s | 2 +- crypto/openssl/crypto/bn/asm/pa-risc2W.s | 2 +- crypto/openssl/crypto/bn/bn.h | 6 +- crypto/openssl/crypto/bn/bn_div.c | 6 +- crypto/openssl/crypto/bn/bn_err.c | 3 + crypto/openssl/crypto/bn/bn_lib.c | 7 + crypto/openssl/crypto/bn/bn_rand.c | 52 + crypto/openssl/crypto/bn/bn_shift.c | 5 + crypto/openssl/crypto/bn/bntest.c | 2 - crypto/openssl/crypto/buffer/Makefile.ssl | 3 +- crypto/openssl/crypto/cast/Makefile.ssl | 3 +- crypto/openssl/crypto/comp/Makefile.ssl | 3 +- crypto/openssl/crypto/conf/Makefile.ssl | 3 +- crypto/openssl/crypto/conf/conf.h | 2 + crypto/openssl/crypto/conf/conf_err.c | 2 + crypto/openssl/crypto/conf/conf_lib.c | 84 +- crypto/openssl/crypto/des/Makefile.ssl | 3 +- crypto/openssl/crypto/dh/Makefile.ssl | 3 +- crypto/openssl/crypto/dsa/Makefile.ssl | 3 +- crypto/openssl/crypto/dsa/dsa_ossl.c | 10 +- crypto/openssl/crypto/dso/Makefile.ssl | 3 +- crypto/openssl/crypto/dso/dso_dl.c | 4 +- crypto/openssl/crypto/err/Makefile.ssl | 3 +- crypto/openssl/crypto/evp/Makefile.ssl | 3 +- crypto/openssl/crypto/evp/evp.h | 36 +- crypto/openssl/crypto/ex_data.c | 2 +- crypto/openssl/crypto/hmac/Makefile.ssl | 3 +- crypto/openssl/crypto/idea/Makefile.ssl | 3 +- crypto/openssl/crypto/lhash/Makefile.ssl | 3 +- crypto/openssl/crypto/md2/Makefile.ssl | 3 +- crypto/openssl/crypto/md4/Makefile.ssl | 3 +- crypto/openssl/crypto/md5/Makefile.ssl | 3 +- crypto/openssl/crypto/mdc2/Makefile.ssl | 3 +- crypto/openssl/crypto/mem_dbg.c | 10 + crypto/openssl/crypto/objects/Makefile.ssl | 3 +- crypto/openssl/crypto/opensslv.h | 4 +- crypto/openssl/crypto/pem/Makefile.ssl | 3 +- crypto/openssl/crypto/pem/pem_info.c | 2 +- crypto/openssl/crypto/pkcs12/Makefile.ssl | 3 +- crypto/openssl/crypto/pkcs12/p12_attr.c | 2 +- crypto/openssl/crypto/pkcs12/p12_key.c | 2 +- crypto/openssl/crypto/pkcs12/p12_utl.c | 18 +- crypto/openssl/crypto/pkcs12/pkcs12.h | 2 +- crypto/openssl/crypto/pkcs7/Makefile.ssl | 3 +- crypto/openssl/crypto/pkcs7/pk7_mime.c | 6 +- crypto/openssl/crypto/rand/Makefile.ssl | 3 +- crypto/openssl/crypto/rand/rand_win.c | 2 +- crypto/openssl/crypto/rand/randfile.c | 5 +- crypto/openssl/crypto/rc2/Makefile.ssl | 3 +- crypto/openssl/crypto/rc4/Makefile.ssl | 3 +- crypto/openssl/crypto/rc5/Makefile.ssl | 3 +- crypto/openssl/crypto/ripemd/Makefile.ssl | 3 +- crypto/openssl/crypto/rsa/Makefile.ssl | 3 +- crypto/openssl/crypto/rsa/rsa_eay.c | 101 +- crypto/openssl/crypto/sha/Makefile.ssl | 3 +- crypto/openssl/crypto/sha/asm/sha1-586.pl | 12 +- crypto/openssl/crypto/stack/Makefile.ssl | 3 +- crypto/openssl/crypto/txt_db/Makefile.ssl | 3 +- crypto/openssl/crypto/x509/Makefile.ssl | 3 +- crypto/openssl/crypto/x509/by_dir.c | 2 +- crypto/openssl/crypto/x509v3/Makefile.ssl | 3 +- crypto/openssl/crypto/x509v3/v3_prn.c | 26 +- crypto/openssl/crypto/x509v3/v3_purp.c | 6 +- crypto/openssl/doc/crypto/BN_rand.pod | 12 +- crypto/openssl/doc/crypto/RAND_egd.pod | 35 +- crypto/openssl/doc/crypto/bn.pod | 1 + crypto/openssl/doc/crypto/des.pod | 2 +- crypto/openssl/doc/crypto/evp.pod | 2 +- crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod | 67 +- .../doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 38 + crypto/openssl/doc/ssl/SSL_CTX_add_session.pod | 65 + crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod | 49 + .../openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod | 53 + crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod | 50 + .../doc/ssl/SSL_CTX_load_verify_locations.pod | 124 ++ crypto/openssl/doc/ssl/SSL_CTX_new.pod | 9 +- .../doc/ssl/SSL_CTX_sess_set_cache_size.pod | 50 + crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod | 81 + crypto/openssl/doc/ssl/SSL_CTX_sessions.pod | 34 + crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod | 4 +- .../openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod | 90 + .../doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 70 + crypto/openssl/doc/ssl/SSL_CTX_set_options.pod | 183 ++ .../doc/ssl/SSL_CTX_set_session_cache_mode.pod | 106 + .../doc/ssl/SSL_CTX_set_session_id_context.pod | 82 + crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod | 55 + crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod | 284 +++ crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod | 154 ++ .../doc/ssl/SSL_SESSION_get_ex_new_index.pod | 61 + crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod | 63 + crypto/openssl/doc/ssl/SSL_accept.pod | 2 +- crypto/openssl/doc/ssl/SSL_clear.pod | 2 +- crypto/openssl/doc/ssl/SSL_connect.pod | 4 +- crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod | 52 + crypto/openssl/doc/ssl/SSL_get_error.pod | 30 +- .../doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod | 61 + crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod | 59 + crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod | 62 + crypto/openssl/doc/ssl/SSL_new.pod | 1 + crypto/openssl/doc/ssl/SSL_pending.pod | 13 + crypto/openssl/doc/ssl/SSL_read.pod | 2 +- crypto/openssl/doc/ssl/SSL_set_session.pod | 3 +- crypto/openssl/doc/ssl/SSL_write.pod | 8 +- crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod | 55 + crypto/openssl/doc/ssl/ssl.pod | 139 +- crypto/openssl/doc/ssleay.txt | 2 +- crypto/openssl/e_os.h | 2 + crypto/openssl/openssl.spec | 2 +- crypto/openssl/rsaref/Makefile.ssl | 3 +- crypto/openssl/ssl/Makefile.ssl | 3 +- crypto/openssl/ssl/s2_clnt.c | 1 + crypto/openssl/ssl/s2_lib.c | 10 +- crypto/openssl/ssl/s2_pkt.c | 169 +- crypto/openssl/ssl/s3_both.c | 4 +- crypto/openssl/ssl/s3_clnt.c | 1 + crypto/openssl/ssl/s3_lib.c | 88 +- crypto/openssl/ssl/s3_pkt.c | 24 +- crypto/openssl/ssl/s3_srvr.c | 1 + crypto/openssl/ssl/ssl.h | 5 +- crypto/openssl/ssl/ssl2.h | 6 +- crypto/openssl/ssl/ssl_algs.c | 4 + crypto/openssl/ssl/ssl_err.c | 3 + crypto/openssl/ssl/ssl_lib.c | 3 + crypto/openssl/ssl/ssl_locl.h | 55 +- crypto/openssl/ssl/ssl_sess.c | 1 + crypto/openssl/test/Makefile.ssl | 2 +- crypto/openssl/test/bctest | 84 + crypto/openssl/util/libeay.num | 6 +- crypto/openssl/util/mkdef.pl | 26 +- 154 files changed, 5666 insertions(+), 359 deletions(-) create mode 100644 crypto/openssl/STATUS create mode 100644 crypto/openssl/TABLE create mode 100644 crypto/openssl/certs/expired/rsa-ssca.pem create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_add_session.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_sessions.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_options.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod create mode 100644 crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod create mode 100644 crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod create mode 100644 crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod create mode 100644 crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod create mode 100644 crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod create mode 100644 crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod create mode 100644 crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod create mode 100755 crypto/openssl/test/bctest diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 87853c3b29d0..5f3556cc7fb7 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,142 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6 and 0.9.6a [xx XXX 2001] + + *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent + Bleichenbacher's DSA attack. + [Ulf Moeller] + + *) In the NCONF_...-based implementations for CONF_... queries + (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using + a temporary CONF structure with the data component set to NULL + (which gives segmentation faults in lh_retrieve). + Instead, use NULL for the CONF pointer in CONF_get_string and + CONF_get_number (which may use environment variables) and directly + return NULL from CONF_get_section. + [Bodo Moeller] + + *) Fix potential buffer overrun for EBCDIC. + [Ulf Moeller] + + *) Tolerate nonRepudiation as being valid for S/MIME signing and certSign + keyUsage if basicConstraints absent for a CA. + [Steve Henson] + + *) Make SMIME_write_PKCS7() write mail header values with a format that + is more generally accepted (no spaces before the semicolon), since + some programs can't parse those values properly otherwise. Also make + sure BIO's that break lines after each write do not create invalid + headers. + [Richard Levitte] + + *) Make the CRL encoding routines work with empty SEQUENCE OF. The + macros previously used would not encode an empty SEQUENCE OF + and break the signature. + [Steve Henson] + + *) Zero the premaster secret after deriving the master secret in + DH ciphersuites. + [Steve Henson] + + *) Add some EVP_add_digest_alias registrations (as found in + OpenSSL_add_all_digests()) to SSL_library_init() + aka OpenSSL_add_ssl_algorithms(). This provides improved + compatibility with peers using X.509 certificates + with unconventional AlgorithmIdentifier OIDs. + [Bodo Moeller] + + *) Fix for Irix with NO_ASM. + ["Bruce W. Forsberg" ] + + *) ./config script fixes. + [Ulf Moeller, Richard Levitte] + + *) Fix 'openssl passwd -1'. + [Bodo Moeller] + + *) Change PKCS12_key_gen_asc() so it can cope with non null + terminated strings whose length is passed in the passlen + parameter, for example from PEM callbacks. This was done + by adding an extra length parameter to asc2uni(). + [Steve Henson, reported by ] + + *) Fix C code generated by 'openssl dsaparam -C': If a BN_bin2bn + call failed, free the DSA structure. + [Bodo Moeller] + + *) Fix to uni2asc() to cope with zero length Unicode strings. + These are present in some PKCS#12 files. + [Steve Henson] + + *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). + Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits + when writing a 32767 byte record. + [Bodo Moeller; problem reported by Eric Day ] + + *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), + obtain lock CRYPTO_LOCK_RSA before setting rsa->_method_mod_{n,p,q}. + + (RSA objects have a reference count access to which is protected + by CRYPTO_LOCK_RSA [see rsa_lib.c, s3_srvr.c, ssl_cert.c, ssl_rsa.c], + so they are meant to be shared between threads.) + [Bodo Moeller, Geoff Thorpe; original patch submitted by + "Reddie, Steven" ] + + *) Fix a deadlock in CRYPTO_mem_leaks(). + [Bodo Moeller] + + *) rand_win.c fix for Borland C. + [Ulf Möller] + + *) BN_rshift bugfix for n == 0. + [Bodo Moeller] + + *) Store verify_result within SSL_SESSION also for client side to + avoid potential security hole. (Re-used sessions on the client side + always resulted in verify_result==X509_V_OK, not using the original + result of the server certificate verification.) + [Lutz Jaenicke] + + *) Fix ssl3_pending: If the record in s->s3->rrec is not of type + SSL3_RT_APPLICATION_DATA, return 0. + Similarly, change ssl2_pending to return 0 if SSL_in_init(s) is true. + [Bodo Moeller] + + *) Fix SSL_peek: + Both ssl2_peek and ssl3_peek, which were totally broken in earlier + releases, have been re-implemented by renaming the previous + implementations of ssl2_read and ssl3_read to ssl2_read_internal + and ssl3_read_internal, respectively, and adding 'peek' parameters + to them. The new ssl[23]_{read,peek} functions are calls to + ssl[23]_read_internal with the 'peek' flag set appropriately. + A 'peek' parameter has also been added to ssl3_read_bytes, which + does the actual work for ssl3_read_internal. + [Bodo Moeller] + + *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. + The previous value, 12, was not always sufficient for BN_mod_exp(). + [Bodo Moeller] + + *) Fix typo in get_cert_by_subject() in by_dir.c + [Jean-Marc Desperrier ] + + *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. + + Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new + and not in SSL_clear because the latter is also used by the + accept/connect functions; previously, the settings made by + SSL_set_read_ahead would be lost during the handshake. + [Bodo Moeller; problems reported by Anders Gertz ] + + *) Correct util/mkdef.pl to be selective about disabled algorithms. + Previously, it would create entries for disableed algorithms no + matter what. + [Richard Levitte] + + *) Added several new manual pages for SSL_* function. + [Lutz Jaenicke] + Changes between 0.9.5a and 0.9.6 [24 Sep 2000] *) In ssl23_get_client_hello, generate an error message when faced diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 340077873d0b..27981d4494a4 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -280,8 +280,8 @@ my %table=( # # # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", @@ -297,6 +297,7 @@ my %table=( "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", +"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", @@ -719,6 +720,10 @@ if ($shared_cflag ne "") $shared_mark2 = ".shlib."; } } +else + { + $no_shared = 1; + } #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; diff --git a/crypto/openssl/LICENSE b/crypto/openssl/LICENSE index bdd5f7bdd09b..3fd259ac323d 100644 --- a/crypto/openssl/LICENSE +++ b/crypto/openssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index c6f660954ba2..7c68e29086f4 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -462,7 +462,8 @@ install: all install_docs if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + (echo $$i | grep '\\.a$$' > /dev/null 2>&1) \ + && $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done diff --git a/crypto/openssl/STATUS b/crypto/openssl/STATUS new file mode 100644 index 000000000000..028abb85abea --- /dev/null +++ b/crypto/openssl/STATUS @@ -0,0 +1,92 @@ + + OpenSSL STATUS Last modified at + ______________ $Date: 2000/09/24 15:42:34 $ + + DEVELOPMENT STATE + + o OpenSSL 0.9.6: Released on September 24th, 2000 + o OpenSSL 0.9.5a: Released on April 1st, 2000 + o OpenSSL 0.9.5: Released on February 28th, 2000 + o OpenSSL 0.9.4: Released on August 09th, 1999 + o OpenSSL 0.9.3a: Released on May 29th, 1999 + o OpenSSL 0.9.3: Released on May 25th, 1999 + o OpenSSL 0.9.2b: Released on March 22th, 1999 + o OpenSSL 0.9.1c: Released on December 23th, 1998 + + RELEASE SHOWSTOPPERS + + AVAILABLE PATCHES + + o CA.pl patch (Damien Miller) + + IN PROGRESS + + o Steve is currently working on (in no particular order): + ASN1 code redesign, butchery, replacement. + EVP cipher enhancement. + Proper (or at least usable) certificate chain verification. + Private key, certificate and CRL API and implementation. + Developing and bugfixing PKCS#7 (S/MIME code). + Various X509 issues: character sets, certificate request extensions. + o Geoff and Richard are currently working on: + ENGINE (the new code that gives hardware support among others). + o Richard is currently working on: + UTIL (a new set of library functions to support some higher level + functionality that is currently missing). + Dynamic thread-lock support. + Shared library support for VMS. + + NEEDS PATCH + + o non-blocking socket on AIX + o $(PERL) in */Makefile.ssl + o "Sign the certificate?" - "n" creates empty certificate file + + OPEN ISSUES + + o internal_verify doesn't know about X509.v3 (basicConstraints + CA flag ...) + + o The Makefile hierarchy and build mechanism is still not a round thing: + + 1. The config vs. Configure scripts + It's the same nasty situation as for Apache with APACI vs. + src/Configure. It confuses. + Suggestion: Merge Configure and config into a single configure + script with a Autoconf style interface ;-) and remove + Configure and config. Or even let us use GNU Autoconf + itself. Then we can avoid a lot of those platform checks + which are currently in Configure. + + o Support for Shared Libraries has to be added at least + for the major Unix platforms. The details we can rip from the stuff + Ralf has done for the Apache src/Configure script. Ben wants the + solution to be really simple. + + Status: Ralf will look how we can easily incorporate the + compiler PIC and linker DSO flags from Apache + into the OpenSSL Configure script. + + Ulf: +1 for using GNU autoconf and libtool (but not automake, + which apparently is not flexible enough to generate + libcrypto) + + + o The perl/ stuff needs a major overhaul. Currently it's + totally obsolete. Either we clean it up and enhance it to be up-to-date + with the C code or we also could replace it with the really nice + Net::SSLeay package we can find under + http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a + longer time and it works fine and is a nice Perl module. Best would be + to convince the author to work for the OpenSSL project and create a + Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for + us. + + Status: Ralf thinks we should both contact the author of Net::SSLeay + and look how much effort it is to bring Eric's perl/ stuff up + to date. + Paul +1 + + WISHES + + o diff --git a/crypto/openssl/TABLE b/crypto/openssl/TABLE new file mode 100644 index 000000000000..35421ceed48f --- /dev/null +++ b/crypto/openssl/TABLE @@ -0,0 +1,2301 @@ +Output of `Configure TABLE': + +*** BC-16 +$cc = bcc +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** BC-32 +$cc = bcc32 +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR RC4_INDEX +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** BS2000-OSD +$cc = c89 +$cflags = -O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** CygWin32 +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** FreeBSD +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** FreeBSD-alpha +$cc = gcc +$cflags = -DTERMIOS -O -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** FreeBSD-elf +$cc = gcc +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** MPE/iX-gcc +$cc = gcc +$cflags = -D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB +$unistd = +$thread_cflag = (unknown) +$lflags = -L/SYSLOG/PUB -lsyslog -lsocket -lcurses +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** Mingw32 +$cc = gcc +$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** NetBSD-m68 +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** NetBSD-sparc +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** NetBSD-x86 +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-alpha +$cc = gcc +$cflags = -DTERMIOS -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-mips +$cc = gcc +$cflags = -O2 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** OpenBSD-x86 +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** ReliantUNIX +$cc = cc +$cflags = -KPIC -g -DSNI -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb +$bn_ops = BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** SINIX +$cc = cc +$cflags = -O -DSNI +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl -lc -L/usr/ucblib -lucb +$bn_ops = RC4_INDEX RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** SINIX-N +$cc = /usr/ucb/cc +$cflags = -O2 -misaligned +$unistd = +$thread_cflag = (unknown) +$lflags = -lucb +$bn_ops = RC4_INDEX RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-MSDOS +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-NT +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** VC-W31-16 +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-W31-32 +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-WIN16 +$cc = cl +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** VC-WIN32 +$cc = cl +$cflags = +$unistd = +$thread_cflag = +$lflags = +$bn_ops = BN_LLONG RC4_INDEX RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = win32 +$shared_target= +$shared_cflag = + +*** aix-cc +$cc = cc +$cflags = -O -DAIX -DB_ENDIAN -qmaxmem=16384 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** aix-gcc +$cc = gcc +$cflags = -O3 -DAIX -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** alpha-cc +$cc = cc +$cflags = -std1 -tune host -O4 -readonly_strings +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** alpha-gcc +$cc = gcc +$cflags = -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1 +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** alpha164-cc +$cc = cc +$cflags = -std1 -tune host -fast -readonly_strings +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= true64-shared +$shared_cflag = + +*** bsdi-elf-gcc +$cc = gcc +$cflags = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** bsdi-gcc +$cc = gcc +$cflags = -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = RSA_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86bsdi.o asm/co86bsdi.o +$des_obj = asm/dx86bsdi.o asm/yx86bsdi.o +$bf_obj = asm/bx86bsdi.o +$md5_obj = asm/mx86bsdi.o +$sha1_obj = asm/sx86bsdi.o +$cast_obj = asm/cx86bsdi.o +$rc4_obj = asm/rx86bsdi.o +$rmd160_obj = asm/rm86bsdi.o +$rc5_obj = asm/r586bsdi.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cc +$cc = cc +$cflags = -O +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cray-t3e +$cc = cc +$cflags = -DBIT_FIELD_LIMITS -DTERMIOS +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** cray-t90-cc +$cc = cc +$cflags = -DBIT_FIELD_LIMITS -DTERMIOS +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror +$unistd = +$thread_cflag = (unknown) +$lflags = -lefence +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben-debug +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ben-strict +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-bodo +$cc = gcc +$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-levitte-linux-elf +$cc = gcc +$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-linux-elf +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lefence -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-linux-elf-noefence +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** debug-rse +$cc = cc +$cflags = -DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-solaris-sparcv8-cc +$cc = cc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** debug-solaris-sparcv8-gcc +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** debug-solaris-sparcv9-cc +$cc = cc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** debug-solaris-sparcv9-gcc +$cc = gcc +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** debug-steve +$cc = gcc +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** debug-ulf +$cc = gcc +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R3-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = RC4_INDEX DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R4-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = -lnsl -lsocket +$bn_ops = RC4_INDEX +$bn_obj = RC4_INDEX DES_UNROLL +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dgux-R4-x86-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = -lnsl -lsocket +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** dist +$cc = cc +$cflags = -O +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** gcc +$cc = gcc +$cflags = -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** hpux-brokencc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-brokengcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-cc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-gcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = (unknown) +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-cc +$cc = cc +$cflags = +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-cc-o4 +$cc = cc +$cflags = -Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY +$unistd = +$thread_cflag = +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc-gcc +$cc = gcc +$cflags = -O3 -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc1_1-cc +$cc = cc +$cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux-parisc2-cc +$cc = cc +$cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/pa-risc2.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-brokencc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-brokengcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-cc +$cc = cc +$cflags = -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux10-gcc +$cc = gcc +$cflags = -DB_ENDIAN -DBN_DIV2W -O3 +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldld +$bn_ops = BN_LLONG DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= +$shared_cflag = + +*** hpux64-parisc-cc +$cc = cc +$cflags = -Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** hpux64-parisc2-cc +$cc = cc +$cflags = +DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/pa-risc2W.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = + +*** irix-cc +$cc = cc +$cflags = -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-gcc +$cc = gcc +$cflags = -O3 -DTERMIOS -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-mips3-cc +$cc = cc +$cflags = -n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix-mips3-gcc +$cc = gcc +$cflags = -mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix64-mips4-cc +$cc = cc +$cflags = -64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** irix64-mips4-gcc +$cc = gcc +$cflags = -mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W +$unistd = +$thread_cflag = -D_SGI_MP_SOURCE +$lflags = +$bn_ops = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG +$bn_obj = asm/mips3.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha+bwx-ccc +$cc = ccc +$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha+bwx-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-alpha-ccc +$cc = ccc +$cflags = -fast -readonly_strings -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-alpha-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL +$bn_obj = asm/alpha.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-aout +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-out.o asm/co86-out.o +$des_obj = asm/dx86-out.o asm/yx86-out.o +$bf_obj = asm/bx86-out.o +$md5_obj = asm/mx86-out.o +$sha1_obj = asm/sx86-out.o +$cast_obj = asm/cx86-out.o +$rc4_obj = asm/rx86-out.o +$rmd160_obj = asm/rm86-out.o +$rc5_obj = asm/r586-out.o +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-elf +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-elf-arm +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC + +*** linux-ia64 +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-m68k +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-mips +$cc = gcc +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-ppc +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv7 +$cc = gcc +$cflags = -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv8 +$cc = gcc +$cflags = -mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** linux-sparcv9 +$cc = gcc +$cflags = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ncr-scde +$cc = cc +$cflags = -O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** newsos4-gcc +$cc = gcc +$cflags = -O -DB_ENDIAN -DNEWS4 +$unistd = +$thread_cflag = (unknown) +$lflags = -lmld -liberty +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** nextstep +$cc = cc +$cflags = -O -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** nextstep3.3 +$cc = cc +$cflags = -O3 -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** purify +$cc = purify gcc +$cflags = -g -DPURIFY -Wall +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** qnx4 +$cc = cc +$cflags = -DL_ENDIAN -DTERMIO +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** rhapsody-ppc-cc +$cc = cc +$cflags = -O3 -DB_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** sco5-cc +$cc = cc +$cflags = +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** sco5-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** solaris-sparc-sc3 +$cc = cc +$cflags = -fast -O -Xa -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv7-cc +$cc = cc +$cflags = -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv7-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv8-cc +$cc = cc +$cflags = -xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv8-gcc +$cc = gcc +$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv9-cc +$cc = cc +$cflags = -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** solaris-sparcv9-gcc +$cc = gcc +$cflags = -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-sparcv9-gcc27 +$cc = gcc +$cflags = -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR +$bn_obj = asm/sparcv8plus-gcc27.o +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv8plus-gcc27.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris-x86-gcc +$cc = gcc +$cflags = -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-sol.o asm/co86-sol.o +$des_obj = asm/dx86-sol.o asm/yx86-sol.o +$bf_obj = asm/bx86-sol.o +$md5_obj = asm/mx86-sol.o +$sha1_obj = asm/sx86-sol.o +$cast_obj = asm/cx86-sol.o +$rc4_obj = asm/rx86-sol.o +$rmd160_obj = asm/rm86-sol.o +$rc5_obj = asm/r586-sol.o +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -fPIC + +*** solaris64-sparcv9-cc +$cc = cc +$cflags = -xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = asm/md5-sparcv9.o +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= solaris-shared +$shared_cflag = -KPIC + +*** sunos-gcc +$cc = gcc +$cflags = -O3 -mv8 -Dssize_t=int +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1 +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ultrix-cc +$cc = cc +$cflags = -std1 -O -Olimit 1000 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** ultrix-gcc +$cc = gcc +$cflags = -O3 -DL_ENDIAN +$unistd = +$thread_cflag = (unknown) +$lflags = +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-2.0 +$cc = cc +$cflags = -O -DFILIO_H +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-2.0-pentium +$cc = cc +$cflags = -O -DFILIO_H -Kpentium -Kthread +$unistd = +$thread_cflag = (unknown) +$lflags = -lsocket -lnsl +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = + +*** unixware-7 +$cc = cc +$cflags = -O -DFILIO_H -Kalloca +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = diff --git a/crypto/openssl/apps/app_rand.c b/crypto/openssl/apps/app_rand.c index 1146f9f7f38a..8a78e12eb732 100644 --- a/crypto/openssl/apps/app_rand.c +++ b/crypto/openssl/apps/app_rand.c @@ -177,8 +177,10 @@ long app_RAND_load_files(char *name) if (*n == '\0') break; egd=RAND_egd(n); - if (egd > 0) tot+=egd; - tot+=RAND_load_file(n,-1); + if (egd > 0) + tot+=egd; + else + tot+=RAND_load_file(n,-1); if (last) break; } if (tot > 512) diff --git a/crypto/openssl/apps/ca-cert.srl b/crypto/openssl/apps/ca-cert.srl index eeee65ec419f..2c7456e3eb66 100644 --- a/crypto/openssl/apps/ca-cert.srl +++ b/crypto/openssl/apps/ca-cert.srl @@ -1 +1 @@ -05 +07 diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c index f861ec7b1ad8..4e8dcd3a68fd 100644 --- a/crypto/openssl/apps/dsaparam.c +++ b/crypto/openssl/apps/dsaparam.c @@ -311,7 +311,7 @@ bad: printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n", bits_p,bits_p); printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n"); - printf("\t\treturn(NULL);\n"); + printf("\t\t{ DSA_free(dsa); return(NULL); }\n"); printf("\treturn(dsa);\n\t}\n"); } diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c index 6851a9927d31..533b4692d053 100644 --- a/crypto/openssl/apps/passwd.c +++ b/crypto/openssl/apps/passwd.c @@ -315,7 +315,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt) strncat(out_buf, "$", 1); strncat(out_buf, salt, 8); assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */ - salt_out = out_buf + 6; + salt_out = out_buf + 2 + strlen(magic); salt_len = strlen(salt_out); assert(salt_len <= 8); diff --git a/crypto/openssl/apps/pca-cert.srl b/crypto/openssl/apps/pca-cert.srl index 8a0f05e166aa..2c7456e3eb66 100644 --- a/crypto/openssl/apps/pca-cert.srl +++ b/crypto/openssl/apps/pca-cert.srl @@ -1 +1 @@ -01 +07 diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 1aab38d9d7aa..b123236beb4c 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -685,16 +685,15 @@ loop: if (newreq || x509) { -#ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) - digest=EVP_dss1(); -#endif - if (pkey == NULL) { BIO_printf(bio_err,"you need to specify a private key\n"); goto end; } +#ifndef NO_DSA + if (pkey->type == EVP_PKEY_DSA) + digest=EVP_dss1(); +#endif if (req == NULL) { req=X509_REQ_new(); diff --git a/crypto/openssl/apps/rsautl.c b/crypto/openssl/apps/rsautl.c index bcb94c3d8104..de231b045654 100644 --- a/crypto/openssl/apps/rsautl.c +++ b/crypto/openssl/apps/rsautl.c @@ -55,6 +55,9 @@ * Hudson (tjh@cryptsoft.com). * */ + +#ifndef NO_RSA + #include "apps.h" #include #include @@ -288,3 +291,4 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); } +#endif diff --git a/crypto/openssl/apps/server.pem b/crypto/openssl/apps/server.pem index c57b32507d0a..56248e57a3f4 100644 --- a/crypto/openssl/apps/server.pem +++ b/crypto/openssl/apps/server.pem @@ -1,17 +1,17 @@ issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit) -subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) +subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit) -----BEGIN CERTIFICATE----- -MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV +MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD -VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4 -MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG +VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0 +MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2// -Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9 -JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO -IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ -FUGcPZf9ND22Etc+AQ== +Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4 +GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM +k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz +itAE+OjGF+PFKbwX8Q== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD diff --git a/crypto/openssl/certs/expired/rsa-ssca.pem b/crypto/openssl/certs/expired/rsa-ssca.pem new file mode 100644 index 000000000000..c9403212d183 --- /dev/null +++ b/crypto/openssl/certs/expired/rsa-ssca.pem @@ -0,0 +1,19 @@ +subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority +issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority +notBefore=941109235417Z +notAfter =991231235417Z +-----BEGIN X509 CERTIFICATE----- + +MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw +HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl +IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda +Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0 +YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp +Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB +roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12 +aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc +HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A +iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7 +suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h +cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk= +-----END X509 CERTIFICATE----- diff --git a/crypto/openssl/config b/crypto/openssl/config index 6a2625308efb..1f4fef13dbc1 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -168,7 +168,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in ;; NetBSD:*:*:*386*) - echo "`/usr/sbin/sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 + echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0 ;; NetBSD:*) @@ -394,7 +394,7 @@ case "$GUESSOS" in mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configre irix64-mips4-$CC' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty options="$options -mips4" OUT="irix-mips3-$CC" @@ -423,11 +423,11 @@ case "$GUESSOS" in #till 64-bit glibc for SPARC is operational:-( #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." - #echo " Type Ctrl-C if you don't want to continue." + #echo " Type return if you want to continue, Ctrl-C to abort." #read waste < /dev/tty OUT="linux-sparcv9" ;; sparc-*-linux2) - KARCH=`awk '/type/{print$3}' /proc/cpuinfo` + KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` case ${KARCH:-sun4} in sun4u*) OUT="linux-sparcv9" ;; sun4m) OUT="linux-sparcv8" ;; @@ -435,6 +435,7 @@ case "$GUESSOS" in *) OUT="linux-sparcv7" ;; esac ;; arm*-*-linux2) OUT="linux-elf-arm" ;; + s390-*-linux2) OUT="linux-s390" ;; *-*-linux2) OUT="linux-elf" ;; *-*-linux1) OUT="linux-aout" ;; sun4u*-*-solaris2) @@ -442,7 +443,7 @@ case "$GUESSOS" in if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." - echo " Type Ctrl-C if you don't want to continue." + echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty fi OUT="solaris-sparcv9-$CC" ;; @@ -557,7 +558,7 @@ OUT="$PREFIX$OUT" $PERL ./Configure LIST | grep "$OUT" > /dev/null if [ $? = "0" ]; then - #echo Configuring for $OUT + echo Configuring for $OUT if [ "$TEST" = "true" ]; then echo $PERL ./Configure $OUT $options diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index 8c399bbff14a..ae761da79f84 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -90,7 +90,8 @@ links: lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib libs: diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl index eae97f321d92..269af4459323 100644 --- a/crypto/openssl/crypto/asn1/Makefile.ssl +++ b/crypto/openssl/crypto/asn1/Makefile.ssl @@ -75,7 +75,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/asn1/a_strnid.c b/crypto/openssl/crypto/asn1/a_strnid.c index 6b10cff99449..732e68fe462a 100644 --- a/crypto/openssl/crypto/asn1/a_strnid.c +++ b/crypto/openssl/crypto/asn1/a_strnid.c @@ -133,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, if(tbl) { mask = tbl->mask; if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask, + ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, tbl->minsize, tbl->maxsize); } else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask); if(ret <= 0) return NULL; diff --git a/crypto/openssl/crypto/asn1/asn1_mac.h b/crypto/openssl/crypto/asn1/asn1_mac.h index 4512ba6cc604..af0e664b2de0 100644 --- a/crypto/openssl/crypto/asn1/asn1_mac.h +++ b/crypto/openssl/crypto/asn1/asn1_mac.h @@ -196,6 +196,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_put_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_put_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_put_SEQUENCE_type(type,a,f); + #define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ if ((c.slen != 0) && \ (M_ASN1_next == \ @@ -389,6 +392,9 @@ err:\ if ((a != NULL) && (sk_##type##_num(a) != 0)) \ M_ASN1_I2D_len_SEQUENCE_type(type,a,f); +#define M_ASN1_I2D_len_SEQUENCE_opt_ex_type(type,a,f) \ + if (a) M_ASN1_I2D_len_SEQUENCE_type(type,a,f); + #define M_ASN1_I2D_len_IMP_SET(a,f,x) \ ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); @@ -452,6 +458,15 @@ err:\ ret+=ASN1_object_size(1,v,mtag); \ } +#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a)\ + { \ + v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ + V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + ret+=ASN1_object_size(1,v,mtag); \ + } + /* Put Macros */ #define M_ASN1_I2D_put(a,f) f(a,&p) @@ -536,6 +551,14 @@ err:\ IS_SEQUENCE); \ } +#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(type,a,f,mtag,tag,v) \ + if (a) \ + { \ + ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ + i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ + IS_SEQUENCE); \ + } + #define M_ASN1_I2D_seq_total() \ r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ if (pp == NULL) return(r); \ diff --git a/crypto/openssl/crypto/asn1/x_crl.c b/crypto/openssl/crypto/asn1/x_crl.c index 1f302d0e01eb..51518cdf3502 100644 --- a/crypto/openssl/crypto/asn1/x_crl.c +++ b/crypto/openssl/crypto/asn1/x_crl.c @@ -71,14 +71,14 @@ int i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **pp) M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_len_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_seq_total(); M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER); M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME); - M_ASN1_I2D_put_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION); M_ASN1_I2D_finish(); @@ -121,7 +121,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_len_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_len_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -138,7 +138,7 @@ int i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **pp) { M_ASN1_I2D_put(a->nextUpdate,i2d_ASN1_TIME); } M_ASN1_I2D_put_SEQUENCE_opt_type(X509_REVOKED,a->revoked, i2d_X509_REVOKED); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, + M_ASN1_I2D_put_EXP_SEQUENCE_opt_ex_type(X509_EXTENSION,a->extensions, i2d_X509_EXTENSION,0, V_ASN1_SEQUENCE,v1); @@ -260,7 +260,7 @@ X509_CRL_INFO *X509_CRL_INFO_new(void) M_ASN1_New(ret->lastUpdate,M_ASN1_UTCTIME_new); ret->nextUpdate=NULL; M_ASN1_New(ret->revoked,sk_X509_REVOKED_new_null); - M_ASN1_New(ret->extensions,sk_X509_EXTENSION_new_null); + ret->extensions = NULL; sk_X509_REVOKED_set_cmp_func(ret->revoked,X509_REVOKED_cmp); return(ret); M_ASN1_New_Error(ASN1_F_X509_CRL_INFO_NEW); diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl index adc9eec3c6ab..2d61ec50f422 100644 --- a/crypto/openssl/crypto/bf/Makefile.ssl +++ b/crypto/openssl/crypto/bf/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl index af5998b102c4..00caa9f7eb17 100644 --- a/crypto/openssl/crypto/bio/Makefile.ssl +++ b/crypto/openssl/crypto/bio/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c index 64310058b45f..62cc3f1a0c81 100644 --- a/crypto/openssl/crypto/bio/b_sock.c +++ b/crypto/openssl/crypto/bio/b_sock.c @@ -113,8 +113,8 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) /* At this point, we have something that is most probably correct in some way, so let's init the socket. */ - if (!BIO_sock_init()) - return(0); /* don't generate another error code here */ + if (BIO_sock_init() != 1) + return 0; /* don't generate another error code here */ /* If the string actually contained an IP address, we need not do anything more */ @@ -519,15 +519,15 @@ int BIO_get_accept_socket(char *host, int bind_mode) { int ret=0; struct sockaddr_in server,client; - int s= -1,cs; + int s=INVALID_SOCKET,cs; unsigned char ip[4]; unsigned short port; - char *str,*e; + char *str=NULL,*e; const char *h,*p; unsigned long l; int err_num; - if (!BIO_sock_init()) return(INVALID_SOCKET); + if (BIO_sock_init() != 1) return(INVALID_SOCKET); if ((str=BUF_strdup(host)) == NULL) return(INVALID_SOCKET); @@ -553,7 +553,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) h="*"; } - if (!BIO_get_port(p,&port)) return(INVALID_SOCKET); + if (!BIO_get_port(p,&port)) goto err; memset((char *)&server,0,sizeof(server)); server.sin_family=AF_INET; @@ -563,7 +563,7 @@ int BIO_get_accept_socket(char *host, int bind_mode) server.sin_addr.s_addr=INADDR_ANY; else { - if (!BIO_get_host_ip(h,&(ip[0]))) return(INVALID_SOCKET); + if (!BIO_get_host_ip(h,&(ip[0]))) goto err; l=(unsigned long) ((unsigned long)ip[0]<<24L)| ((unsigned long)ip[1]<<16L)| diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index 85be16a5b64c..ad36267e2698 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -68,7 +68,8 @@ bnbug: bnbug.c ../../libcrypto.a top lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2.s b/crypto/openssl/crypto/bn/asm/pa-risc2.s index 7239aa2c7629..af9730d06215 100644 --- a/crypto/openssl/crypto/bn/asm/pa-risc2.s +++ b/crypto/openssl/crypto/bn/asm/pa-risc2.s @@ -1611,7 +1611,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$7 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/crypto/openssl/crypto/bn/asm/pa-risc2W.s b/crypto/openssl/crypto/bn/asm/pa-risc2W.s index 54b6606252ea..a99545754d18 100644 --- a/crypto/openssl/crypto/bn/asm/pa-risc2W.s +++ b/crypto/openssl/crypto/bn/asm/pa-risc2W.s @@ -1598,7 +1598,7 @@ bn_mul_comba4 .IMPORT $global$,DATA .SPACE $TEXT$ .SUBSPA $CODE$ - .SUBSPA $LIT$,QUAD=0,ALIGN=8,ACCESS=0x2c,SORT=16 + .SUBSPA $LIT$,ACCESS=0x2c C$4 .ALIGN 8 .STRINGZ "Division would overflow (%d)\n" diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index 1eb8395b25c3..ef1cfb0259b9 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -239,7 +239,7 @@ typedef struct bignum_st } BIGNUM; /* Used for temp variables */ -#define BN_CTX_NUM 12 +#define BN_CTX_NUM 16 #define BN_CTX_NUM_POS 12 typedef struct bignum_ctx { @@ -328,6 +328,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx); void BN_CTX_end(BN_CTX *ctx); int BN_rand(BIGNUM *rnd, int bits, int top,int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom); +int BN_rand_range(BIGNUM *rnd, BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); @@ -493,16 +494,19 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); #define BN_F_BN_MPI2BN 112 #define BN_F_BN_NEW 113 #define BN_F_BN_RAND 114 +#define BN_F_BN_RAND_RANGE 122 #define BN_F_BN_USUB 115 /* Reason codes. */ #define BN_R_ARG2_LT_ARG3 100 #define BN_R_BAD_RECIPROCAL 101 +#define BN_R_BIGNUM_TOO_LONG 114 #define BN_R_CALLED_WITH_EVEN_MODULUS 102 #define BN_R_DIV_BY_ZERO 103 #define BN_R_ENCODING_ERROR 104 #define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 105 #define BN_R_INVALID_LENGTH 106 +#define BN_R_INVALID_RANGE 115 #define BN_R_NOT_INITIALIZED 107 #define BN_R_NO_INVERSE 108 #define BN_R_TOO_MANY_TEMPORARY_VARIABLES 109 diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c index c3772c243be5..891b6026311c 100644 --- a/crypto/openssl/crypto/bn/bn_div.c +++ b/crypto/openssl/crypto/bn/bn_div.c @@ -180,13 +180,13 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, BN_CTX_start(ctx); tmp=BN_CTX_get(ctx); - tmp->neg=0; snum=BN_CTX_get(ctx); sdiv=BN_CTX_get(ctx); if (dv == NULL) res=BN_CTX_get(ctx); else res=dv; - if (res == NULL) goto err; + if (sdiv==NULL || res == NULL) goto err; + tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); @@ -237,7 +237,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, for (i=0; i +#include #include #include "cryptlib.h" #include "bn_lcl.h" @@ -319,6 +320,12 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) if (words > b->dmax) { + if (words > (INT_MAX/(4*BN_BITS2))) + { + BNerr(BN_F_BN_EXPAND2,BN_R_BIGNUM_TOO_LONG); + return NULL; + } + bn_check_top(b); if (BN_get_flags(b,BN_FLG_STATIC_DATA)) { diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c index 21ecbc04ed0a..224a0ff7a2c3 100644 --- a/crypto/openssl/crypto/bn/bn_rand.c +++ b/crypto/openssl/crypto/bn/bn_rand.c @@ -140,3 +140,55 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { return bnrand(1, rnd, bits, top, bottom); } + +/* random number r: 0 <= r < range */ +int BN_rand_range(BIGNUM *r, BIGNUM *range) + { + int n; + + if (range->neg || BN_is_zero(range)) + { + BNerr(BN_F_BN_RAND_RANGE, BN_R_INVALID_RANGE); + return 0; + } + + n = BN_num_bits(range); /* n > 0 */ + + if (n == 1) + { + if (!BN_zero(r)) return 0; + } + else if (BN_is_bit_set(range, n - 2)) + { + do + { + /* range = 11..._2, so each iteration succeeds with probability >= .75 */ + if (!BN_rand(r, n, 0, 0)) return 0; + } + while (BN_cmp(r, range) >= 0); + } + else + { + /* range = 10..._2, + * so 3*range (= 11..._2) is exactly one bit longer than range */ + do + { + if (!BN_rand(r, n + 1, 0, 0)) return 0; + /* If r < 3*range, use r := r MOD range + * (which is either r, r - range, or r - 2*range). + * Otherwise, iterate once more. + * Since 3*range = 11..._2, each iteration succeeds with + * probability >= .75. */ + if (BN_cmp(r ,range) >= 0) + { + if (!BN_sub(r, r, range)) return 0; + if (BN_cmp(r, range) >= 0) + if (!BN_sub(r, r, range)) return 0; + } + } + while (BN_cmp(r, range) >= 0); + } + + return 1; + } + diff --git a/crypto/openssl/crypto/bn/bn_shift.c b/crypto/openssl/crypto/bn/bn_shift.c index 0883247384e9..c2608f9f4a90 100644 --- a/crypto/openssl/crypto/bn/bn_shift.c +++ b/crypto/openssl/crypto/bn/bn_shift.c @@ -172,6 +172,11 @@ int BN_rshift(BIGNUM *r, BIGNUM *a, int n) r->neg=a->neg; if (bn_wexpand(r,a->top-nw+1) == NULL) return(0); } + else + { + if (n == 0) + return 1; /* or the copying loop will go berserk */ + } f= &(a->d[nw]); t=r->d; diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c index 0a97af69c586..c9801dc01614 100644 --- a/crypto/openssl/crypto/bn/bntest.c +++ b/crypto/openssl/crypto/bn/bntest.c @@ -107,11 +107,9 @@ static const char rnd_seed[] = "string to make the random number generator think static void message(BIO *out, char *m) { fprintf(stderr, "test %s\n", m); -#if defined(linux) || defined(__FreeBSD__) /* can we use GNU bc features? */ BIO_puts(out, "print \"test "); BIO_puts(out, m); BIO_puts(out, "\\n\"\n"); -#endif } int main(int argc, char *argv[]) diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl index 4e11038c8b12..c088ec6b3c76 100644 --- a/crypto/openssl/crypto/buffer/Makefile.ssl +++ b/crypto/openssl/crypto/buffer/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl index afba084e8bbf..0aa1cbc55a29 100644 --- a/crypto/openssl/crypto/cast/Makefile.ssl +++ b/crypto/openssl/crypto/cast/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl index 3064df244798..ba705c2a1c3c 100644 --- a/crypto/openssl/crypto/comp/Makefile.ssl +++ b/crypto/openssl/crypto/comp/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index ea82d467270e..a96212252a0b 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/conf/conf.h b/crypto/openssl/crypto/conf/conf.h index 2f70634455b9..cd40a0db215a 100644 --- a/crypto/openssl/crypto/conf/conf.h +++ b/crypto/openssl/crypto/conf/conf.h @@ -167,6 +167,8 @@ int NCONF_dump_bio(CONF *conf, BIO *out); #define CONF_R_MISSING_EQUAL_SIGN 101 #define CONF_R_NO_CLOSE_BRACE 102 #define CONF_R_NO_CONF 105 +#define CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE 106 +#define CONF_R_NO_SECTION 107 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103 #define CONF_R_VARIABLE_HAS_NO_VALUE 104 diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c index 06d3163573c2..8c2bc6f1c4cb 100644 --- a/crypto/openssl/crypto/conf/conf_err.c +++ b/crypto/openssl/crypto/conf/conf_err.c @@ -87,6 +87,8 @@ static ERR_STRING_DATA CONF_str_reasons[]= {CONF_R_MISSING_EQUAL_SIGN ,"missing equal sign"}, {CONF_R_NO_CLOSE_BRACE ,"no close brace"}, {CONF_R_NO_CONF ,"no conf"}, +{CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE ,"no conf or environment variable"}, +{CONF_R_NO_SECTION ,"no section"}, {CONF_R_UNABLE_TO_CREATE_NEW_SECTION ,"unable to create new section"}, {CONF_R_VARIABLE_HAS_NO_VALUE ,"variable has no value"}, {0,NULL} diff --git a/crypto/openssl/crypto/conf/conf_lib.c b/crypto/openssl/crypto/conf/conf_lib.c index 4c8ca9e9ae4f..11ec6397324d 100644 --- a/crypto/openssl/crypto/conf/conf_lib.c +++ b/crypto/openssl/crypto/conf/conf_lib.c @@ -131,38 +131,59 @@ LHASH *CONF_load_bio(LHASH *conf, BIO *bp,long *eline) STACK_OF(CONF_VALUE) *CONF_get_section(LHASH *conf,char *section) { - CONF ctmp; + if (conf == NULL) + { + return NULL; + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_section(&ctmp, section); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_section(&ctmp, section); + } } char *CONF_get_string(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_string(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_string(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_string(&ctmp, group, name); + } } long CONF_get_number(LHASH *conf,char *group,char *name) { - CONF ctmp; + if (conf == NULL) + { + return NCONF_get_number(NULL, group, name); + } + else + { + CONF ctmp; - if (default_CONF_method == NULL) - default_CONF_method = NCONF_default(); + if (default_CONF_method == NULL) + default_CONF_method = NCONF_default(); - default_CONF_method->init(&ctmp); - ctmp.data = conf; - return NCONF_get_number(&ctmp, group, name); + default_CONF_method->init(&ctmp); + ctmp.data = conf; + return NCONF_get_number(&ctmp, group, name); + } } void CONF_free(LHASH *conf) @@ -299,27 +320,46 @@ STACK_OF(CONF_VALUE) *NCONF_get_section(CONF *conf,char *section) return NULL; } + if (section == NULL) + { + CONFerr(CONF_F_NCONF_GET_SECTION,CONF_R_NO_SECTION); + return NULL; + } + return _CONF_get_section_values(conf, section); } char *NCONF_get_string(CONF *conf,char *group,char *name) { + char *s = _CONF_get_string(conf, group, name); + + /* Since we may get a value from an environment variable even + if conf is NULL, let's check the value first */ + if (s) return s; + if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_STRING,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_STRING, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return NULL; } - - return _CONF_get_string(conf, group, name); + return NULL; } long NCONF_get_number(CONF *conf,char *group,char *name) { +#if 0 /* As with _CONF_get_string(), we rely on the possibility of finding + an environment variable with a suitable name. Unfortunately, there's + no way with the current API to see if we found one or not... + The meaning of this is that if a number is not found anywhere, it + will always default to 0. */ if (conf == NULL) { - CONFerr(CONF_F_NCONF_GET_NUMBER,CONF_R_NO_CONF); + CONFerr(CONF_F_NCONF_GET_NUMBER, + CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE); return 0; } +#endif return _CONF_get_number(conf, group, name); } diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl index b3cfe3dab6ba..28e58f4207ff 100644 --- a/crypto/openssl/crypto/des/Makefile.ssl +++ b/crypto/openssl/crypto/des/Makefile.ssl @@ -57,7 +57,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib des: des.o cbc3_enc.o lib diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index 30f1b8029030..ccee00eeca2c 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 5df3b1cc43b8..1dfdb2d76922 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c index 094356518f2e..428357233057 100644 --- a/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -179,13 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv=NULL; /* Get random k */ - for (;;) - { - if (!BN_rand(&k, BN_num_bits(dsa->q), 0, 0)) goto err; - if (BN_cmp(&k,dsa->q) >= 0) - BN_sub(&k,&k,dsa->q); - if (!BN_is_zero(&k)) break; - } + do + if (!BN_rand_range(&k, dsa->q)) goto err; + while (BN_is_zero(&k)); if ((dsa->method_mont_p == NULL) && (dsa->flags & DSA_FLAG_CACHE_MONT_P)) { diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl index effc46d2dc94..33630e0bbb25 100644 --- a/crypto/openssl/crypto/dso/Makefile.ssl +++ b/crypto/openssl/crypto/dso/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/dso/dso_dl.c b/crypto/openssl/crypto/dso/dso_dl.c index 69810fc3bb93..f661ec5bfb39 100644 --- a/crypto/openssl/crypto/dso/dso_dl.c +++ b/crypto/openssl/crypto/dso/dso_dl.c @@ -187,7 +187,7 @@ static void *dl_bind_var(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_VAR,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_VAR,DSO_R_SYM_FAILURE); return(NULL); @@ -216,7 +216,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_NULL_HANDLE); return(NULL); } - if (shl_findsym(ptr, symname, TYPE_UNDEFINED, &sym) < 0) + if (shl_findsym(&ptr, symname, TYPE_UNDEFINED, &sym) < 0) { DSOerr(DSO_F_DL_BIND_FUNC,DSO_R_SYM_FAILURE); return(NULL); diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl index d001895cb676..42b9faa559f1 100644 --- a/crypto/openssl/crypto/err/Makefile.ssl +++ b/crypto/openssl/crypto/err/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index 747051e4f13b..fb9945db1684 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -58,7 +58,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index f5b938d2f848..cdf5f3cf8942 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -463,12 +463,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER *cipher, EVP_MD *md, int en_de); +#ifndef NO_RSA #define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\ (char *)(rsa)) +#endif + +#ifndef NO_DSA #define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\ (char *)(dsa)) +#endif + +#ifndef NO_DH #define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\ (char *)(dh)) +#endif /* Add some extra combinations */ #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) @@ -612,17 +620,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, #endif EVP_MD *EVP_md_null(void); +#ifndef NO_MD2 EVP_MD *EVP_md2(void); +#endif +#ifndef NO_MD4 EVP_MD *EVP_md4(void); +#endif +#ifndef NO_MD5 EVP_MD *EVP_md5(void); +#endif +#ifndef NO_SHA EVP_MD *EVP_sha(void); EVP_MD *EVP_sha1(void); EVP_MD *EVP_dss(void); EVP_MD *EVP_dss1(void); +#endif +#ifndef NO_MDC2 EVP_MD *EVP_mdc2(void); +#endif +#ifndef NO_RIPEMD EVP_MD *EVP_ripemd160(void); - +#endif EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */ +#ifndef NO_DES EVP_CIPHER *EVP_des_ecb(void); EVP_CIPHER *EVP_des_ede(void); EVP_CIPHER *EVP_des_ede3(void); @@ -636,31 +656,43 @@ EVP_CIPHER *EVP_des_cbc(void); EVP_CIPHER *EVP_des_ede_cbc(void); EVP_CIPHER *EVP_des_ede3_cbc(void); EVP_CIPHER *EVP_desx_cbc(void); +#endif +#ifndef NO_RC4 EVP_CIPHER *EVP_rc4(void); EVP_CIPHER *EVP_rc4_40(void); +#endif +#ifndef NO_IDEA EVP_CIPHER *EVP_idea_ecb(void); EVP_CIPHER *EVP_idea_cfb(void); EVP_CIPHER *EVP_idea_ofb(void); EVP_CIPHER *EVP_idea_cbc(void); +#endif +#ifndef NO_RC2 EVP_CIPHER *EVP_rc2_ecb(void); EVP_CIPHER *EVP_rc2_cbc(void); EVP_CIPHER *EVP_rc2_40_cbc(void); EVP_CIPHER *EVP_rc2_64_cbc(void); EVP_CIPHER *EVP_rc2_cfb(void); EVP_CIPHER *EVP_rc2_ofb(void); +#endif +#ifndef NO_BF EVP_CIPHER *EVP_bf_ecb(void); EVP_CIPHER *EVP_bf_cbc(void); EVP_CIPHER *EVP_bf_cfb(void); EVP_CIPHER *EVP_bf_ofb(void); +#endif +#ifndef NO_CAST EVP_CIPHER *EVP_cast5_ecb(void); EVP_CIPHER *EVP_cast5_cbc(void); EVP_CIPHER *EVP_cast5_cfb(void); EVP_CIPHER *EVP_cast5_ofb(void); +#endif +#ifndef NO_RC5 EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); - +#endif void OpenSSL_add_all_algorithms(void); void OpenSSL_add_all_ciphers(void); void OpenSSL_add_all_digests(void); diff --git a/crypto/openssl/crypto/ex_data.c b/crypto/openssl/crypto/ex_data.c index 1ee88da2a83b..739e543d782c 100644 --- a/crypto/openssl/crypto/ex_data.c +++ b/crypto/openssl/crypto/ex_data.c @@ -101,7 +101,7 @@ int CRYPTO_get_ex_new_index(int idx, STACK_OF(CRYPTO_EX_DATA_FUNCS) **skp, long ret=idx; err: MemCheck_on(); - return(idx); + return(ret); } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int idx, void *val) diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl index 430eab4c9a15..ed3c8c64d1ca 100644 --- a/crypto/openssl/crypto/hmac/Makefile.ssl +++ b/crypto/openssl/crypto/hmac/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl index 3bd3e53ef4f4..d29bcd687460 100644 --- a/crypto/openssl/crypto/idea/Makefile.ssl +++ b/crypto/openssl/crypto/idea/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl index d7a51db3ee6c..60bb6b12e406 100644 --- a/crypto/openssl/crypto/lhash/Makefile.ssl +++ b/crypto/openssl/crypto/lhash/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl index c25ab74a3816..8b382c35ff44 100644 --- a/crypto/openssl/crypto/md2/Makefile.ssl +++ b/crypto/openssl/crypto/md2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl index 5341bf5b4632..bc38badb0a2b 100644 --- a/crypto/openssl/crypto/md4/Makefile.ssl +++ b/crypto/openssl/crypto/md4/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index 92ffc0b502d5..e5ec4a21ae33 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -50,7 +50,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl index a50de0f42a67..4b1b3e36961a 100644 --- a/crypto/openssl/crypto/mdc2/Makefile.ssl +++ b/crypto/openssl/crypto/mdc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index 866c53e73a92..ddf4be28caa8 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -671,7 +671,15 @@ void CRYPTO_mem_leaks(BIO *b) * void_fn_to_char kludge in CRYPTO_mem_leaks_cb. * Otherwise the code police will come and get us.) */ + int old_mh_mode; + CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + + /* avoid deadlock when lh_free() uses CRYPTO_dbg_free(), + * which uses CRYPTO_is_mem_check_on */ + old_mh_mode = mh_mode; + mh_mode = CRYPTO_MEM_CHECK_OFF; + if (mh != NULL) { lh_free(mh); @@ -685,6 +693,8 @@ void CRYPTO_mem_leaks(BIO *b) amih = NULL; } } + + mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl index 47fdc34eec53..1b43d8027b84 100644 --- a/crypto/openssl/crypto/objects/Makefile.ssl +++ b/crypto/openssl/crypto/objects/Makefile.ssl @@ -39,7 +39,8 @@ all: obj_dat.h lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 71b53efd5187..4c644abe4400 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090600fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6 24 Sep 2000" +#define OPENSSL_VERSION_NUMBER 0x00906010L +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a-dev XX xxx XXXX" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl index ed8910921883..111dbc1ae460 100644 --- a/crypto/openssl/crypto/pem/Makefile.ssl +++ b/crypto/openssl/crypto/pem/Makefile.ssl @@ -40,7 +40,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c index 1c5c6dea000e..f1694f112531 100644 --- a/crypto/openssl/crypto/pem/pem_info.c +++ b/crypto/openssl/crypto/pem/pem_info.c @@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, { if ( (xi->enc_data!=NULL) && (xi->enc_len>0) ) { - /* copy from wierdo names into more normal things */ + /* copy from weirdo names into more normal things */ iv=xi->enc_cipher.iv; data=(unsigned char *)xi->enc_data; i=xi->enc_len; diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl index 8f42d3044dfb..c92dd276398c 100644 --- a/crypto/openssl/crypto/pkcs12/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl @@ -45,7 +45,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pkcs12/p12_attr.c b/crypto/openssl/crypto/pkcs12/p12_attr.c index f1a210b5d274..a16a97d03dff 100644 --- a/crypto/openssl/crypto/pkcs12/p12_attr.c +++ b/crypto/openssl/crypto/pkcs12/p12_attr.c @@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name, { unsigned char *uniname; int ret, unilen; - if (!asc2uni(name, &uniname, &unilen)) { + if (!asc2uni(name, namelen, &uniname, &unilen)) { PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c index b042dcf05c95..a9b4b8c9721e 100644 --- a/crypto/openssl/crypto/pkcs12/p12_key.c +++ b/crypto/openssl/crypto/pkcs12/p12_key.c @@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, if(!pass) { unipass = NULL; uniplen = 0; - } else if (!asc2uni(pass, &unipass, &uniplen)) { + } else if (!asc2uni(pass, passlen, &unipass, &uniplen)) { PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/openssl/crypto/pkcs12/p12_utl.c b/crypto/openssl/crypto/pkcs12/p12_utl.c index 17f41b45496b..2f1d1e534fc8 100644 --- a/crypto/openssl/crypto/pkcs12/p12_utl.c +++ b/crypto/openssl/crypto/pkcs12/p12_utl.c @@ -62,30 +62,34 @@ /* Cheap and nasty Unicode stuff */ -unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen) +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) { int ulen, i; unsigned char *unitmp; - ulen = strlen(asc)*2 + 2; - if (!(unitmp = OPENSSL_malloc (ulen))) return NULL; - for (i = 0; i < ulen; i+=2) { + if (asclen == -1) asclen = strlen(asc); + ulen = asclen*2 + 2; + if (!(unitmp = OPENSSL_malloc(ulen))) return NULL; + for (i = 0; i < ulen - 2; i+=2) { unitmp[i] = 0; unitmp[i + 1] = asc[i>>1]; } + /* Make result double null terminated */ + unitmp[ulen - 2] = 0; + unitmp[ulen - 1] = 0; if (unilen) *unilen = ulen; if (uni) *uni = unitmp; return unitmp; } -char *uni2asc (unsigned char *uni, int unilen) +char *uni2asc(unsigned char *uni, int unilen) { int asclen, i; char *asctmp; asclen = unilen / 2; /* If no terminating zero allow for one */ - if (uni[unilen - 1]) asclen++; + if (!unilen || uni[unilen - 1]) asclen++; uni++; - if (!(asctmp = OPENSSL_malloc (asclen))) return NULL; + if (!(asctmp = OPENSSL_malloc(asclen))) return NULL; for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i]; asctmp[asclen - 1] = 0; return asctmp; diff --git a/crypto/openssl/crypto/pkcs12/pkcs12.h b/crypto/openssl/crypto/pkcs12/pkcs12.h index 502fceff954a..e529154f2634 100644 --- a/crypto/openssl/crypto/pkcs12/pkcs12.h +++ b/crypto/openssl/crypto/pkcs12/pkcs12.h @@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, EVP_MD *md_type); int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, EVP_MD *md_type); -unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen); +unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); char *uni2asc(unsigned char *uni, int unilen); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp); PKCS12_BAGS *PKCS12_BAGS_new(void); diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl index 1757fc39ac78..5e8a6808d357 100644 --- a/crypto/openssl/crypto/pkcs7/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl @@ -58,7 +58,8 @@ verify: verify.o example.o lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/pkcs7/pk7_mime.c b/crypto/openssl/crypto/pkcs7/pk7_mime.c index 994473c0bd3d..086d39427012 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_mime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_mime.c @@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) } bound[32] = 0; BIO_printf(bio, "MIME-Version: 1.0\n"); - BIO_printf(bio, "Content-Type: multipart/signed ; "); - BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; "); - BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound); + BIO_printf(bio, "Content-Type: multipart/signed;"); + BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";"); + BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound); BIO_printf(bio, "This is an S/MIME signed message\n\n"); /* Now write out the first part */ BIO_printf(bio, "------%s\n", bound); diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl index b3054dc166c9..e9a6876b5a74 100644 --- a/crypto/openssl/crypto/rand/Makefile.ssl +++ b/crypto/openssl/crypto/rand/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 9f2dcff9a92b..8850b9ae916c 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -570,7 +570,7 @@ static void readtimer(void) DWORD w; LARGE_INTEGER l; static int have_perfc = 1; -#ifndef __GNUC__ +#ifdef _MSC_VER static int have_tsc = 1; DWORD cyclecount; diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 528e410f7400..02f16aa81032 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -83,6 +83,9 @@ /* #define RFILE ".rnd" - defined in ../../e_os.h */ +/* Note that these functions are intended for seed files only. + * Entropy devices and EGD sockets are handled in rand_unix.c */ + int RAND_load_file(const char *file, long bytes) { /* If bytes >= 0, read up to 'bytes' bytes. @@ -117,7 +120,7 @@ int RAND_load_file(const char *file, long bytes) if (bytes > 0) { bytes-=n; - if (bytes == 0) break; + if (bytes <= 0) break; } } fclose(in); diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl index 542397d69aa6..6966e01b6f27 100644 --- a/crypto/openssl/crypto/rc2/Makefile.ssl +++ b/crypto/openssl/crypto/rc2/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl index 53eac2064a4c..8ffff0a74e3d 100644 --- a/crypto/openssl/crypto/rc4/Makefile.ssl +++ b/crypto/openssl/crypto/rc4/Makefile.ssl @@ -47,7 +47,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl index 3d1685602969..cf5d176859ba 100644 --- a/crypto/openssl/crypto/rc5/Makefile.ssl +++ b/crypto/openssl/crypto/rc5/Makefile.ssl @@ -44,7 +44,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl index 4bd78dd6fd2f..0b1cd7394132 100644 --- a/crypto/openssl/crypto/ripemd/Makefile.ssl +++ b/crypto/openssl/crypto/ripemd/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index 22a42b4e1b74..1be9a1cd2397 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl @@ -41,7 +41,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index 618b5bd59565..62618fe5a999 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -138,11 +138,28 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from, if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -369,11 +386,28 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from, /* do the decrypt */ if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC)) { - if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_n == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_n == NULL) + { + rsa->_method_mod_n = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } - + if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; @@ -421,20 +455,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { if (rsa->_method_mod_p == NULL) { - if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_p == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_p == NULL) + { + rsa->_method_mod_p = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } + if (rsa->_method_mod_q == NULL) { - if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL) - if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q, - ctx)) - goto err; + BN_MONT_CTX* bn_mont_ctx; + if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx)) + { + BN_MONT_CTX_free(bn_mont_ctx); + goto err; + } + if (rsa->_method_mod_q == NULL) /* other thread may have finished first */ + { + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + if (rsa->_method_mod_q == NULL) + { + rsa->_method_mod_q = bn_mont_ctx; + bn_mont_ctx = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + } + if (bn_mont_ctx) + BN_MONT_CTX_free(bn_mont_ctx); } } - + if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl index 0e6e7b8940c6..75d3e0bf4ff3 100644 --- a/crypto/openssl/crypto/sha/Makefile.ssl +++ b/crypto/openssl/crypto/sha/Makefile.ssl @@ -42,7 +42,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib # elf diff --git a/crypto/openssl/crypto/sha/asm/sha1-586.pl b/crypto/openssl/crypto/sha/asm/sha1-586.pl index 09df993ecd4e..fe51fd079457 100644 --- a/crypto/openssl/crypto/sha/asm/sha1-586.pl +++ b/crypto/openssl/crypto/sha/asm/sha1-586.pl @@ -317,7 +317,7 @@ sub BODY_60_79 sub sha1_block_host { - local($name)=@_; + local($name, $sclabel)=@_; &function_begin_B($name,""); @@ -352,7 +352,7 @@ sub sha1_block_host &mov(&swtmp($i+0),$A); &mov(&swtmp($i+1),$B); } - &jmp(&label("shortcut")); + &jmp($sclabel); &function_end_B($name); } @@ -529,10 +529,12 @@ sub sha1_block_data &pop("esi"); &ret(); - # it has to reside within sha1_block_asm_host_order body - # because it calls &jmp(&label("shortcut")); - &sha1_block_host("sha1_block_asm_host_order"); + # keep a note of shortcut label so it can be used outside + # block. + my $sclabel = &label("shortcut"); &function_end_B($name); + # Putting this here avoids problems with MASM in debugging mode + &sha1_block_host("sha1_block_asm_host_order", $sclabel); } diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl index 69d0a1cf6884..2027d3946ce1 100644 --- a/crypto/openssl/crypto/stack/Makefile.ssl +++ b/crypto/openssl/crypto/stack/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl index 0e900ce7485b..567202abb771 100644 --- a/crypto/openssl/crypto/txt_db/Makefile.ssl +++ b/crypto/openssl/crypto/txt_db/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index f8e59666c99f..55356c680b20 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -49,7 +49,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index cac64a6f4045..448bd7e69cca 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, * it out again */ CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp); - if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i); + if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j); else tmp = NULL; CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE); diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl index 483df46fd416..8ed366504940 100644 --- a/crypto/openssl/crypto/x509v3/Makefile.ssl +++ b/crypto/openssl/crypto/x509v3/Makefile.ssl @@ -43,7 +43,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/crypto/x509v3/v3_prn.c b/crypto/openssl/crypto/x509v3/v3_prn.c index dbc4fb1f1600..14b804c4ad33 100644 --- a/crypto/openssl/crypto/x509v3/v3_prn.c +++ b/crypto/openssl/crypto/x509v3/v3_prn.c @@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) else BIO_printf(out, "%s:%s", nval->name, nval->value); #else else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1); - BIO_printf(out, "%s:%s", nval->name, tmp); + int len; + char *tmp; + len = strlen(nval->value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, nval->value, len); + BIO_printf(out, "%s:%s", nval->name, tmp); + OPENSSL_free(tmp); + } } #endif if(ml) BIO_puts(out, "\n"); @@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent) BIO_printf(out, "%*s%s", indent, "", value); #else { - char tmp[10240]; /* 10k is BIO_printf's limit anyway */ - ascii2ebcdic(tmp, value, strlen(value)+1); - BIO_printf(out, "%*s%s", indent, "", tmp); + int len; + char *tmp; + len = strlen(value)+1; + tmp = OPENSSL_malloc(len); + if (tmp) + { + ascii2ebcdic(tmp, value, len); + BIO_printf(out, "%*s%s", indent, "", tmp); + OPENSSL_free(tmp); + } } #endif } else if(method->i2v) { diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c index 867699b26f3a..8aecd00e6325 100644 --- a/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/crypto/openssl/crypto/x509v3/v3_purp.c @@ -362,6 +362,8 @@ static int ca_check(const X509 *x) else return 0; } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; + /* If key usage present it must have certSign so tolerate it */ + else if (x->ex_flags & EXFLAG_KUSAGE) return 3; else return 2; } } @@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x) if(ca_ret != 2) return ca_ret; else return 0; } - + static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca) { @@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c int ret; ret = purpose_smime(x, ca); if(!ret || ca) return ret; - if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0; + if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0; return ret; } diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod index 33363c981f60..2a8bed5fed8f 100644 --- a/crypto/openssl/doc/crypto/BN_rand.pod +++ b/crypto/openssl/doc/crypto/BN_rand.pod @@ -12,6 +12,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -25,11 +27,14 @@ this function are not necessarily unpredictable. They can be used for non-cryptographic purposes and for certain purposes in cryptographic protocols, but usually not for key generation etc. -The PRNG must be seeded prior to calling BN_rand(). +BN_rand_range() generates a cryptographically strong pseudo-random +number B in the range 0 = B E B. + +The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). =head1 RETURN VALUES -BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error. +The functions return 1 on success, 0 on error. The error codes can be obtained by L. =head1 SEE ALSO @@ -40,6 +45,7 @@ L, L =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5. +BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range() +in OpenSSL 0.9.6a. =cut diff --git a/crypto/openssl/doc/crypto/RAND_egd.pod b/crypto/openssl/doc/crypto/RAND_egd.pod index 40241e2df8ee..71cab3ca04a4 100644 --- a/crypto/openssl/doc/crypto/RAND_egd.pod +++ b/crypto/openssl/doc/crypto/RAND_egd.pod @@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon #include int RAND_egd(const char *path); + int RAND_egd_bytes(const char *path, int bytes); =head1 DESCRIPTION RAND_egd() queries the entropy gathering daemon EGD on socket B. +It queries 255 bytes and uses L to seed the +OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for +RAND_egd_bytes(path, 255); + +RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B. +It queries B bytes and uses L to seed the +OpenSSL built-in PRNG. +This function is more flexible than RAND_egd(). +When only one secret key must +be generated, it is not necessary to request the full amount 255 bytes from +the EGD socket. This can be advantageous, since the amount of entropy +that can be retrieved from EGD over time is limited. + +=head1 NOTES + +On systems without /dev/*random devices providing entropy from the kernel, +the EGD entropy gathering daemon can be used to collect entropy. It provides +a socket interface through which entropy can be gathered in chunks up to +255 bytes. Several chunks can be queried during one connection. EGD is available from http://www.lothar.com/tech/crypto/ (C to install). It is run as B @@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read random bytes that EGD has collected. The read is performed in non-blocking mode. -Alternatively, the EGD-compatible daemon PRNGD can be used. It is +Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is available from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html . +PRNGD does employ an internal PRNG itself and can therefore never run +out of entropy. =head1 RETURN VALUE -RAND_egd() returns the number of bytes read from the daemon on -success, and -1 if the connection failed or the daemon did not return -enough data to fully seed the PRNG. +RAND_egd() and RAND_egd_bytes() return the number of bytes read from the +daemon on success, and -1 if the connection failed or the daemon did not +return enough data to fully seed the PRNG. =head1 SEE ALSO -L, L, L +L, L, +L =head1 HISTORY RAND_egd() is available since OpenSSL 0.9.5. +RAND_egd_bytes() is available since OpenSSL 0.9.6. + =cut diff --git a/crypto/openssl/doc/crypto/bn.pod b/crypto/openssl/doc/crypto/bn.pod index 1504a1c92dfd..d183028d6127 100644 --- a/crypto/openssl/doc/crypto/bn.pod +++ b/crypto/openssl/doc/crypto/bn.pod @@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); + int BN_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/crypto/openssl/doc/crypto/des.pod b/crypto/openssl/doc/crypto/des.pod index ab3e26e9ecd8..99080391b176 100644 --- a/crypto/openssl/doc/crypto/des.pod +++ b/crypto/openssl/doc/crypto/des.pod @@ -345,7 +345,7 @@ the MIT Kerberos library. =head1 SEE ALSO -crypt(3), L, L, L +crypt(3), L, L, L =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/evp.pod b/crypto/openssl/doc/crypto/evp.pod index f089dd49a219..edf47dbde664 100644 --- a/crypto/openssl/doc/crypto/evp.pod +++ b/crypto/openssl/doc/crypto/evp.pod @@ -10,7 +10,7 @@ evp - high-level cryptographic functions =head1 DESCRIPTION -The EVP library provided a high-level interface to cryptographic +The EVP library provides a high-level interface to cryptographic functions. BI<...> and BI<...> provide public key encryption diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod index 7fea14ee6867..bf851dcea5a0 100644 --- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod +++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, -SSL_CIPHER_description - get SSL_CIPHER properties +SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties =head1 SYNOPSIS @@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B of length B provided. B must be at least -128 bytes, otherwise the string "Buffer too small" is returned. If B -is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the -allocation fails, the string "OPENSSL_malloc Error" is returned. +128 bytes, otherwise a pointer to the the string "Buffer too small" is +returned. If B is NULL, a buffer of 128 bytes is allocated using +OPENSSL_malloc(). If the allocation fails, a pointer to the string +"OPENSSL_malloc Error" is returned. =head1 NOTES @@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm does use the full 128 bits (which would be returned for B), of which however 88bits are fixed. The search space is hence only 40 bits. +The string returned by SSL_CIPHER_description() in case of success consists +of cleartext information seperated by one or more blanks in the following +sequence: + +=over 4 + +=item + +Textual representation of the cipher name. + +=item + +Protocol version: B, B. The TLSv1 ciphers are flagged with SSLv3. + +=item Kx= + +Key exchange method: B (for export ciphers as B or +B), B (for export ciphers as B or B), +B, B, B. + +=item Au= + +Authentication method: B, B, B, B. None is the +representation of anonymous ciphers. + +=item Enc= + +Encryption method with number of secret bits: B, B, +B<3DES(168)>, B, B, B, B, +B, B, B, B, B, B. + +=item Mac= + +Message digest: B, B. + +=item + +If the cipher is flagged exportable with respect to old US crypto +regulations, the word "B" is printed. + +=back + +=head1 EXAMPLES + +Some examples for the output of SSL_CIPHER_description(): + + EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 + EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 + RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 + EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export + =head1 BUGS If SSL_CIPHER_description() is called with B being NULL, the library crashes. +If SSL_CIPHER_description() cannot handle a built-in cipher, the according +description of the cipher property is B. This case should not +occur. + =head1 RETURN VALUES See DESCRIPTION @@ -52,6 +107,6 @@ See DESCRIPTION =head1 SEE ALSO L, L, -L +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod new file mode 100644 index 000000000000..21a9db0e2a40 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod @@ -0,0 +1,38 @@ +=pod + +=head1 NAME + +SSL_CTX_add_extra_chain_cert - add certificate to chain + +=head1 SYNOPSIS + + #include + + long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509) + +=head1 DESCRIPTION + +SSL_CTX_add_extra_chain_cert() adds the certificate B to the certificate +chain presented together with the certificate. Several certificates +can be added one after the other. + +=head1 NOTES + +When constructing the certificate chain, the chain will be formed from +these certificates explicitly specified. If no chain is specified, +the library will try to complete the chain from the available CA +certificates in the trusted CA storage, see +L. + +=head1 RETURN VALUES + +SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the +error stack to find out the reason for failure otherwise. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod new file mode 100644 index 000000000000..af326c2f7340 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod @@ -0,0 +1,65 @@ +=pod + +=head1 NAME + +SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session - manipulate session cache + +=head1 SYNOPSIS + + #include + + int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c); + + int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c); + +=head1 DESCRIPTION + +SSL_CTX_add_session() adds the session B to the context B. The +reference count for session B is incremented by 1. If a session with +the same session id already exists, the old session is removed by calling +L. + +SSL_CTX_remove_session() removes the session B from the context B. +L is called once for B. + +SSL_add_session() and SSL_remove_session() are synonyms for their +SSL_CTX_*() counterparts. + +=head1 NOTES + +When adding a new session to the internal session cache, it is examined +whether a session with the same session id already exists. In this case +it is assumed that both sessions are identical. If the same session is +stored in a different SSL_SESSION object, The old session is +removed and replaced by the new session. If the session is actually +identical (the SSL_SESSION object is identical), SSL_CTX_add_session() +is a no-op, and the return value is 0. + + +=head1 RETURN VALUES + +The following values are returned by all functions: + +=over 4 + +=item 0 + + The operation failed. In case of the add operation, it was tried to add + the same (identical) session twice. In case of the remove operation, the + session was not found in the cache. + +=item 1 + + The operation succeeded. + +=back + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod new file mode 100644 index 000000000000..148c36c87151 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_flush_sessions.pod @@ -0,0 +1,49 @@ +=pod + +=head1 NAME + +SSL_CTX_flush_sessions, SSL_flush_sessions - remove expired sessions + +=head1 SYNOPSIS + + #include + + void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); + void SSL_flush_sessions(SSL_CTX *ctx, long tm); + +=head1 DESCRIPTION + +SSL_CTX_flush_sessions() causes a run through the session cache of +B to remove sessions expired at time B. + +SSL_flush_sessions() is a synonym for SSL_CTX_flush_sessions(). + +=head1 NOTES + +If enabled, the internal session cache will collect all sessions established +up to the specified maximum number (see SSL_CTX_sess_set_cache_size()). +As sessions will not be reused ones they are expired, they should be +removed from the cache to save resources. This can either be done + automatically whenever 255 new sessions were established (see +L) +or manually by calling SSL_CTX_flush_sessions(). + +The parameter B specifies the time which should be used for the +expiration test, in most cases the actual time given by time(0) +will be used. + +SSL_CTX_flush_sessions() will only check sessions stored in the internal +cache. When a session is found and removed, the remove_session_cb is however +called to synchronize with the external cache (see +L). + +=head1 RETURN VALUES + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod new file mode 100644 index 000000000000..15067438c82d --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_get_ex_new_index.pod @@ -0,0 +1,53 @@ +=pod + +=head1 NAME + +SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg); + + void *SSL_CTX_get_ex_data(SSL_CTX *ctx, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_CTX_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_CTX_set_ex_data() is used to store application data at B for B +into the B object. + +SSL_CTX_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod new file mode 100644 index 000000000000..7f10c6e94509 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_get_verify_mode.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_get_verify_mode, SSL_get_verify_mode, SSL_CTX_get_verify_depth, SSL_get_verify_depth, SSL_get_verify_callback, SSL_CTX_get_verify_callback - get currently set verification parameters + +=head1 SYNOPSIS + + #include + + int SSL_CTX_get_verify_mode(SSL_CTX *ctx); + int SSL_get_verify_mode(SSL *ssl); + int SSL_CTX_get_verify_depth(SSL_CTX *ctx); + int SSL_get_verify_depth(SSL *ssl); + int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int, X509_STORE_CTX *); + int (*SSL_get_verify_callback(SSL *ssl))(int, X509_STORE_CTX *); + +=head1 DESCRIPTION + +SSL_CTX_get_verify_mode() returns the verification mode currently set in +B. + +SSL_get_verify_mode() returns the verification mode currently set in +B. + +SSL_CTX_get_verify_depth() returns the verification depth limit currently set +in B. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_get_verify_depth() returns the verification depth limit currently set +in B. If no limit has been explicitly set, -1 is returned and the +default value will be used. + +SSL_CTX_get_verify_callback() returns a function pointer to the verification +callback currently set in B. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +SSL_get_verify_callback() returns a function pointer to the verification +callback currently set in B. If no callback was explicitly set, the +NULL pointer is returned and the default callback will be used. + +=head1 RETURN VALUES + +See DESCRIPTION + +=head1 SEE ALSO + +L, L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod new file mode 100644 index 000000000000..0e2d2179c8c1 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod @@ -0,0 +1,124 @@ +=pod + +=head1 NAME + +SSL_CTX_load_verify_locations - set default locations for trusted CA +certificates + +=head1 SYNOPSIS + + #include + + int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath); + +=head1 DESCRIPTION + +SSL_CTX_load_verify_locations() specifies the locations for B, at +which CA certificates for verification purposes are located. The certificates +available via B and B are trusted. + +=head1 NOTES + +If B is not NULL, it points to a file of CA certificates in PEM +format. The file can contain several CA certificates identified by + + -----BEGIN CERTIFICATE----- + ... (CA certificate in base64 encoding) ... + -----END CERTIFICATE----- + +sequences. Before, between, and after the certificates text is allowed +which can be used e.g. for descriptions of the certificates. + +The B is processed on execution of the SSL_CTX_load_verify_locations() +function. + +If on an TLS/SSL server no special setting is perfomed using *client_CA_list() +functions, the certificates contained in B are listed to the client +as available CAs during the TLS/SSL handshake. + +If B is not NULL, it points to a directory containing CA certificates +in PEM format. The files each contain one CA certificate. The files are +looked up by the CA subject name hash value, which must hence be available. +If more than one CA certificate with the same name hash value exist, the +extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search +is performed in the ordering of the extension number, regardless of other +properties of the certificates. +Use the B utility to create the necessary links. + +The certificates in B are only looked up when required, e.g. when +building the certificate chain or when actually performing the verification +of a peer certificate. + +On a server, the certificates in B are not listed as available +CA certificates to a client during a TLS/SSL handshake. + +When looking up CA certificates, the OpenSSL library will first search the +certificates in B, then those in B. Certificate matching +is done based on the subject name, the key identifier (if present), and the +serial number as taken from the certificate to be verified. If these data +do not match, the next certificate will be tried. If a first certificate +matching the parameters is found, the verification process will be performed; +no other certificates for the same parameters will be searched in case of +failure. + +When building its own certificate chain, an OpenSSL client/server will +try to fill in missing certificates from B/B, if the +certificate chain was not explicitely specified (see +L, +L. + +=head1 WARNINGS + +If several CA certificates matching the name, key identifier, and serial +number condition are available, only the first one will be examined. This +may lead to unexpected results if the same CA certificate is available +with different expiration dates. If a "certificate expired" verification +error occurs, no other certificate will be searched. Make sure to not +have expired certificates mixed with valid ones. + +=head1 EXAMPLES + +Generate a CA certificate file with descriptive text from the CA certificates +ca1.pem ca2.pem ca3.pem: + + #!/bin/sh + rm CAfile.pem + for i in ca1.pem ca2.pem ca3.pem ; do + openssl x509 -in $i -text >> CAfile.pem + done + +Prepare the directory /some/where/certs containing several CA certificates +for use as B: + + cd /some/where/certs + c_rehash . + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item 0 + +The operation failed because B and B are NULL or the +processing at one of the locations specified failed. Check the error +stack to find out the reason. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L, +L, +L, +L, +L + + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod index e166c692c355..8b16ea3c903d 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod @@ -33,9 +33,9 @@ understand SSLv2 client hello messages. =item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void) A TLS/SSL connection established with these methods will only understand the -SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages -and will indicate that it also understands TLSv1. A server will only understand -SSLv3 and TLSv1 client hello messages. This especially means, that it will +SSLv3 protocol. A client will send out SSLv3 client hello messages +and will indicate that it only understands SSLv3. A server will only understand +SSLv3 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for compatibility reasons, see SSLv23_*_method(). @@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages and will indicate that it only understands TLSv1. A server will only understand TLSv1 client hello messages. This especially means, that it will not understand SSLv2 client hello messages which are widely used for -compatibility reasons, see SSLv23_*_method(). +compatibility reasons, see SSLv23_*_method(). It will also not understand +SSLv3 client hello messages. =item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void) diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod new file mode 100644 index 000000000000..469933baf35b --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_cache_size, SSL_CTX_sess_get_cache_size - manipulate session cache size + +=head1 SYNOPSIS + + #include + + long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, long t); + long SSL_CTX_sess_get_cache_size(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_cache_size() sets the size of the internal session cache +of context B to B. + +SSL_CTX_sess_get_cache_size() returns the currently valid session cache size. + +=head1 NOTES + +The internal session cache size is SSL_SESSION_CACHE_MAX_SIZE_DEFAULT, +currently 1024*20, so that up to 20000 sessions can be held. This size +can be modified using the SSL_CTX_sess_set_cache_size() call. A special +case is the size 0, which is used for unlimited size. + +When the maximum number of sessions is reached, no more new sessions are +added to the cache. New space may be added by calling +L to remove +expired sessions. + +If the size of the session cache is reduced and more sessions are already +in the session cache, old session will be removed at the next time a +session shall be added. This removal is not synchronized with the +expiration of sessions. + +=head1 RETURN VALUES + +SSL_CTX_sess_set_cache_size() returns the previously valid size. + +SSL_CTX_sess_get_cache_size() returns the currently valid size. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod new file mode 100644 index 000000000000..b6f15b440425 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -0,0 +1,81 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching + +=head1 SYNOPSIS + + #include + + void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, + int (*new_session_cb)(SSL *, SSL_SESSION *)); + void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, + SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *)); + + int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); + void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy); + + int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); + void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); + SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, + int len, int *copy); + +=head1 DESCRIPTION + +SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically +called whenever a new session was negotiated. + +SSL_CTX_sess_set_remove_cb() sets the callback function, which is +automatically called whenever a session is removed by the SSL engine, +because it is considered faulty or the session has become obsolete because +of exceeding the timeout value. + +SSL_CTX_sess_set_get_cb() sets the callback function which is called, +whenever a SSL/TLS client proposed to resume a session but the session +could not be found in the internal session cache (see +L). +(SSL/TLS server only.) + +SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and +SSL_CTX_sess_get_get_cb() allow to retrieve the function pointers of the +provided callback functions. If a callback function has not been set, +the NULL pointer is returned. + +=head1 NOTES + +In order to allow external session caching, synchronization with the internal +session cache is realized via callback functions. Inside these callback +functions, session can be saved to disk or put into a database using the +L interface. + +The new_session_cb() is called, whenever a new session has been negotiated +and session caching is enabled (see +L). +The new_session_cb() is passed the B connection and the ssl session +B. If the callback returns B<0>, the session will be immediately +removed again. + +The remove_session_cb() is called, whenever the SSL engine removes a session +from the internal cache. This happens if the session is removed because +it is expired or when a connection was not shutdown cleanly. The +remove_session_cb() is passed the B and the ssl session B. +It does not provide any feedback. + +The get_session_cb() is only called on SSL/TLS servers with the session id +proposed by the client. The get_session_cb() is always called, also when +session caching was disabled. The get_session_cb() is passed the +B connection, the session id of length B at the memory location +B. With the parameter B the callback can require the +SSL engine to increment the reference count of the SSL_SESSION object. + +=head1 SEE ALSO + +L, L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod new file mode 100644 index 000000000000..ad92a8c5d23e --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod @@ -0,0 +1,34 @@ +=pod + +=head1 NAME + +SSL_CTX_sessions - access internal session cache + +=head1 SYNOPSIS + + #include + + struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sessions() returns a pointer to the lhash databases containing the +internal session cache for B. + +=head1 NOTES + +The sessions in the internal session cache are kept in an +L type database. It is possible to directly +access this database e.g. for searching. In parallel, the sessions +form a linked list which is maintained seperatly from the +L operations, so that the database must not be +modified directly but by using the +L family of functions. + +=head1 SEE ALSO + +L, L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod index 272d6b3de282..9a29eeeb9558 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod @@ -2,8 +2,7 @@ =head1 NAME -SSL_CTX_set_cipher_list, SSL_set_cipher_list -- choose list of available SSL_CIPHERs +SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs =head1 SYNOPSIS @@ -47,6 +46,7 @@ could be selected and 0 on complete failure. =head1 SEE ALSO L, L, +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod new file mode 100644 index 000000000000..f27a291cb654 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, +SSL_add_client_CA - set list of CAs sent to the client when requesting a +client certificate + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); + void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); + int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); + int SSL_add_client_CA(SSL *ssl, X509 *cacert); + +=head1 DESCRIPTION + +SSL_CTX_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for B. + +SSL_set_client_CA_list() sets the B of CAs sent to the client when +requesting a client certificate for the chosen B, overriding the +setting valid for B's SSL_CTX object. + +SSL_CTX_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +B. + +SSL_add_client_CA() adds the CA name extracted from B to the +list of CAs sent to the client when requesting a client certificate for +the chosen B, overriding the setting valid for B's SSL_CTX object. + +=head1 NOTES + +When a TLS/SSL server requests a client certificate (see +B), it sends a list of CAs, for which +it will accept certificates, to the client. If no special list is provided, +the CAs available using the B option in +L +are sent. + +This list can be explicitely set using the SSL_CTX_set_client_CA_list() for +B and SSL_set_client_CA_list() for the specific B. The list +specified overrides the previous setting. The CAs listed do not become +trusted (B only contains the names, not the complete certificates); use +L +to additionally load them for verification. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional +items the list of client CAs. If no list was specified before using +SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client +CA list for B or B (as appropriate) is opened. The CAs implicitly +specified using +L +are no longer used automatically. + +These functions are only useful for TLS/SSL servers. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item 1 + +The operation succeeded. + +=item 0 + +A failure while manipulating the STACK_OF(X509_NAME) object occured or +the X509_NAME could not be extracted from B. Check the error stack +to find out the reason. + +=back + +=head1 SEE ALSO + +L, +L, +L +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod new file mode 100644 index 000000000000..a5343a1cf398 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod @@ -0,0 +1,70 @@ +=pod + +=head1 NAME + +SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); + void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); + + int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata); + +=head1 DESCRIPTION + +SSL_CTX_set_default_passwd_cb() sets the default password callback called +when loading/storing a PEM certificate with encryption. + +SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B which +will be provided to the password callback on invocation. + +The pem_passwd_cb(), which must be provided by the application, hands back the +password to be used during decryption. On invocation a pointer to B +is provided. The pem_passwd_cb must write the password into the provided buffer +B which is of size B. The actual length of the password must +be returned to the calling function. B indicates whether the +callback is used for reading/decryption (rwflag=0) or writing/encryption +(rwflag=1). + +=head1 NOTES + +When loading or storing private keys, a password might be supplied to +protect the private key. The way this password can be supplied may depend +on the application. If only one private key is handled, it can be practical +to have pem_passwd_cb() handle the password dialog interactively. If several +keys have to be handled, it can be practical to ask for the password once, +then keep it in memory and use it several times. In the last case, the +password could be stored into the B storage and the +pem_passwd_cb() only returns the password already stored. + +Other items in PEM formatting (certificates) can also be encrypted, it is +however not usual, as certificate information is considered public. + +=head1 RETURN VALUES + +SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() +do not provide diagnostic information. + +=head1 EXAMPLES + +The following example returns the password provided as B to the +calling function. The password is considered to be a '\0' terminated +string. If the password does not fit into the buffer, the password is +truncated. + + int pem_passwd_cb(char *buf, int size, int rwflag, void *password) + { + strncpy(buf, (char *)(password), size); + buf[size - 1] = '\0'; + return(strlen(buf)); + } + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod new file mode 100644 index 000000000000..bd5b0cbf9629 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -0,0 +1,183 @@ +=pod + +=head1 NAME + +SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_options(SSL_CTX *ctx, long options); + long SSL_set_options(SSL *ssl, long options); + + long SSL_CTX_get_options(SSL_CTX *ctx); + long SSL_get_options(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_options() adds the options set via bitmask in B to B. +Options already set before are not cleared. + +SSL_set_options() adds the options set via bitmask in B to B. +Options already set before are not cleared. + +SSL_CTX_get_options() returns the options set for B. + +SSL_get_options() returns the options set for B. + +=head1 NOTES + +The behaviour of the SSL library can be changed by setting several options. +The options are coded as bitmasks and can be combined by a logical B +operation (|). Options can only be added but can never be reset. + +During a handshake, the option settings of the SSL object used. When +a new SSL object is created from a context using SSL_new(), the current +option setting is copied. Changes to B do not affect already created +SSL objects. SSL_clear() does not affect the settings. + +The following B options are available: + +=over 4 + +=item SSL_OP_MICROSOFT_SESS_ID_BUG + +www.microsoft.com - when talking SSLv2, if session-id reuse is +performed, the session-id passed back in the server-finished message +is different from the one decided upon. + +=item SSL_OP_NETSCAPE_CHALLENGE_BUG + +Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte +challenge but then appears to only use 16 bytes when generating the +encryption keys. Using 16 bytes is ok but it should be ok to use 32. +According to the SSLv3 spec, one should use 32 bytes for the challenge +when opperating in SSLv2/v3 compatablity mode, but as mentioned above, +this breaks this server so 16 bytes is the way to go. + +=item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + +ssl3.netscape.com:443, first a connection is established with RC4-MD5. +If it is then resumed, we end up using DES-CBC3-SHA. It should be +RC4-MD5 according to 7.6.1.3, 'cipher_suite'. + +Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. +It only really shows up when connecting via SSLv2/v3 then reconnecting +via SSLv3. The cipher list changes.... + +NEW INFORMATION. Try connecting with a cipher list of just +DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses +RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when +doing a re-connect, always takes the first cipher in the cipher list. + +=item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + +... + +=item SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + +... + +=item SSL_OP_MSIE_SSLV2_RSA_PADDING + +... + +=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG + +... + +=item SSL_OP_TLS_D5_BUG + +... + +=item SSL_OP_TLS_BLOCK_PADDING_BUG + +... + +=item SSL_OP_TLS_ROLLBACK_BUG + +Disable version rollback attack detection. + +During the client key exchange, the client must send the same information +about acceptable SSL/TLS protocol levels as during the first hello. Some +clients violate this rule by adapting to the server's answer. (Example: +the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server +only understands up to SSLv3. In this case the client must still use the +same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect +to the server's answer and violate the version rollback protection.) + +=item SSL_OP_ALL + +All of the above bug workarounds. + +=back + +It is save and recommended to use SSL_OP_ALL to enable the bug workaround +options. + +The following B options are available: + +=over 4 + +=item SSL_OP_SINGLE_DH_USE + +Always create a new key when using temporary DH parameters. + +=item SSL_OP_EPHEMERAL_RSA + +Also use the temporary RSA key when doing RSA operations. + +=item SSL_OP_PKCS1_CHECK_1 + +... + +=item SSL_OP_PKCS1_CHECK_2 + +... + +=item SSL_OP_NETSCAPE_CA_DN_BUG + +If we accept a netscape connection, demand a client cert, have a +non-self-sighed CA which does not have it's CA in netscape, and the +browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta + +=item SSL_OP_NON_EXPORT_FIRST + +On servers try to use non-export (stronger) ciphers first. This option does +not work under all circumstances (in the code it is declared "broken"). + +=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG + +... + +=item SSL_OP_NO_SSLv2 + +Do not use the SSLv2 protocol. + +=item SSL_OP_NO_SSLv3 + +Do not use the SSLv3 protocol. + +=item SSL_OP_NO_TLSv1 + +Do not use the TLSv1 protocol. + +=back + +=head1 RETURN VALUES + +SSL_CTX_set_options() and SSL_set_options() return the new options bitmask +after adding B. + +SSL_CTX_get_options() and SSL_get_options() return the current bitmask. + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +SSL_OP_TLS_ROLLBACK_BUG has been added in OpenSSL 0.9.6. + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod new file mode 100644 index 000000000000..ba3502a0a423 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -0,0 +1,106 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_cache_mode, SSL_CTX_get_session_cache_mode - enable/disable session caching + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_session_cache_mode(SSL_CTX ctx, long mode); + long SSL_CTX_get_session_cache_mode(SSL_CTX ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_session_cache_mode() enables/disables session caching +by setting the operational mode for B to . + +SSL_CTX_get_session_cache_mode() returns the currently used cache mode. + +=head1 NOTES + +The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse. +The sessions can be held in memory for each B, if more than one +SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX +object. + +In order to reuse a session, a client must send the session's id to the +server. It can only send exactly one id. The server then decides whether it +agrees in reusing the session or starts the handshake for a new session. + +A server will lookup up the session in its internal session storage. If +the session is not found in internal storage or internal storage is +deactivated, the server will try the external storage if available. + +Since a client may try to reuse a session intended for use in a different +context, the session id context must be set by the server (see +L). + +The following session cache modes and modifiers are available: + +=over 4 + +=item SSL_SESS_CACHE_OFF + +No session caching for client or server takes place. + +=item SSL_SESS_CACHE_CLIENT + +Client sessions are added to the session cache. As there is no reliable way +for the OpenSSL library to know whether a session should be reused or which +session to choose (due to the abstract BIO layer the SSL engine does not +have details about the connection), the application must select the session +to be reused by using the L +function. This option is not activated by default. + +=item SSL_SESS_CACHE_SERVER + +Server sessions are added to the session cache. When a client proposes a +session to be reused, the session is looked up in the internal session cache. +If the session is found, the server will try to reuse the session. +This is the default. + +=item SSL_SESS_CACHE_BOTH + +Enable both SSL_SESS_CACHE_CLIENT and SSL_SESS_CACHE_SERVER at the same time. + +=item SSL_SESS_CACHE_NO_AUTO_CLEAR + +Normally the session cache is checked for expired sessions every +255 connections using the +L function. Since +this may lead to a delay which cannot be controlled, the automatic +flushing may be disabled and +L can be called +explicitly by the application. + +=item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + +By setting this flag sessions are cached in the internal storage but +they are not looked up automatically. If an external session cache +is enabled, sessions are looked up in the external cache. As automatic +lookup only applies for SSL/TLS servers, the flag has no effect on +clients. + +=back + +The default mode is SSL_SESS_CACHE_SERVER. + +=head1 RETURN VALUES + +SSL_CTX_set_session_cache_mode() returns the previously set cache mode. + +SSL_CTX_get_session_cache_mode() returns the currently set cache mode. + + +=head1 SEE ALSO + +L, L, +L, +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod new file mode 100644 index 000000000000..5949395159e7 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +SSL_CTX_set_session_id_context, SSL_set_session_id_context - set context within which session can be reused (server side only) + +=head1 SYNOPSIS + + #include + + int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, + unsigned int sid_ctx_len); + +=head1 DESCRIPTION + +SSL_CTX_set_session_id_context() sets the context B of length +B within which a session can be reused for the B object. + +SSL_set_session_id_context() sets the context B of length +B within which a session can be reused for the B object. + +=head1 NOTES + +Sessions are generated within a certain context. When exporting/importing +sessions with B/B it would be possible, +to re-import a session generated from another context (e.g. another +application), which might lead to malfunctions. Therefore each application +must set its own session id context B which is used to distinguish +the contexts and is stored in exported sessions. The B can be +any kind of binary data with a given length, it is therefore possible +to use e.g. the name of the application and/or the hostname and/or service +name ... + +The session id context becomes part of the session. The session id context +is set by the SSL/TLS server. The SSL_CTX_set_session_id_context() and +SSL_set_session_id_context() functions are therefore only useful on the +server side. + +OpenSSL clients will check the session id context returned by the server +when reusing a session. + +The maximum length of the B is limited to +B. + +=head1 WARNINGS + +If the session id context is not set on an SSL/TLS server, stored sessions +will not be reused but a fatal error will be flagged and the handshake +will fail. + +If a server returns a different session id context to an OpenSSL client +when reusing a session, an error will be flagged and the handshake will +fail. OpenSSL servers will always return the correct session id context, +as an OpenSSL server checks the session id context itself before reusing +a session as described above. + +=head1 RETURN VALUES + +SSL_CTX_set_session_id_context() and SSL_set_session_id_context() +return the following values: + +=over 4 + +=item 0 + +The length B of the session id context B exceeded +the maximum allowed length of B. The error +is logged to the error stack. + +=item 1 + +The operation succeeded. + +=back + +=head1 SEE ALSO + +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod new file mode 100644 index 000000000000..21faed12d425 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME + +SSL_CTX_set_timeout, SSL_CTX_get_timeout - manipulate timeout values for session caching + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); + long SSL_CTX_get_timeout(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_timeout() sets the timeout for newly created sessions for +B to B. The timeout value B must be given in seconds. + +SSL_CTX_get_timeout() returns the currently set timeout value for B. + +=head1 NOTES + +Whenever a new session is created, it is assigned a maximum lifetime. This +lifetime is specified by storing the creation time of the session and the +timeout value valid at this time. If the actual time is later than creation +time plus timeout, the session is not reused. + +Due to this realization, all sessions behave according to the timeout value +valid at the time of the session negotiation. Changes of the timeout value +do not affect already established sessions. + +The expiration time of a single session can be modified using the +L family of functions. + +Expired sessions are removed from the internal session cache, whenever +L is called, either +directly by the application or automatically (see +L) + +The default value for session timeout is 300 seconds. + +=head1 RETURN VALUES + +SSL_CTX_set_timeout() returns the previously set timeout value. + +SSL_CTX_get_timeout() returns the currently set timeout value. + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod new file mode 100644 index 000000000000..fc0b76118fd1 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -0,0 +1,284 @@ +=pod + +=head1 NAME + +SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth - set peer certificate verification parameters + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_set_verify(SSL *s, int mode, + int (*verify_callback)(int, X509_STORE_CTX *)); + void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); + void SSL_set_verify_depth(SSL *s, int depth); + + int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); + +=head1 DESCRIPTION + +SSL_CTX_set_verify() sets the verification flags for B to be B and +specifies the B function to be used. If no callback function +shall be specified, the NULL pointer can be used for B. + +SSL_set_verify() sets the verification flags for B to be B and +specifies the B function to be used. If no callback function +shall be specified, the NULL pointer can be used for B. In +this case last B set specifically for this B remains. If +no special B was set before, the default callback for the underlying +B is used, that was valid at the the time B was created with +L. + +SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain +verification that shall be allowed for B. (See the BUGS section.) + +SSL_set_verify_depth() sets the maximum B for the certificate chain +verification that shall be allowed for B. (See the BUGS section.) + +=head1 NOTES + +The verification of certificates can be controlled by a set of logically +or'ed B flags: + +=over 4 + +=item SSL_VERIFY_NONE + +B the server will not send a client certificate request to the +client, so the client will not send a certificate. + +B if not using an anonymous cipher (by default disabled), the +server will send a certificate which will be checked. The result of the +certificate verification process can be checked after the TLS/SSL handshake +using the L function. +The handshake will be continued regardless of the verification result. + +=item SSL_VERIFY_PEER + +B the server sends a client certificate request to the client. +The certificate returned (if any) is checked. If the verification process +fails as indicated by B, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. +The behaviour can be controlled by the additional +SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. + +B the server certificate is verified. If the verification process +fails as indicated by B, the TLS/SSL handshake is +immediately terminated with an alert message containing the reason for +the verification failure. If no server certificate is sent, because an +anonymous cipher is used, SSL_VERIFY_PEER is ignored. + +=item SSL_VERIFY_FAIL_IF_NO_PEER_CERT + +B if the client did not return a certificate, the TLS/SSL +handshake is immediately terminated with a "handshake failure" alert. +This flag must be used together with SSL_VERIFY_PEER. + +B ignored + +=item SSL_VERIFY_CLIENT_ONCE + +B only request a client certificate on the initial TLS/SSL +handshake. Do not ask for a client certificate again in case of a +renegotiation. This flag must be used together with SSL_VERIFY_PEER. + +B ignored + +=back + +Exactly one of the B flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be +set at any time. + +SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up +to which depth certificates in a chain are used during the verification +procedure. If the certificate chain is longer than allowed, the certificates +above the limit are ignored. Error messages are generated as if these +certificates would not be present, most likely a +X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. +The depth count is "level 0:peer certificate", "level 1: CA certificate", +"level 2: higher level CA certificate", and so on. Setting the maximum +depth to 2 allows the levels 0, 1, and 2. The default depth limit is 9, +allowing for the peer certificate and additional 9 CA certificates. + +The B function is used to control the behaviour when the +SSL_VERIFY_PEER flag is set. It must be supplied by the application and +receives two arguments: B indicates, whether the verification of +the certificate in question was passed (preverify_ok=1) or not +(preverify_ok=0). B is a pointer to the complete context used +for the certificate chain verification. + +The certificate chain is checked starting with the deepest nesting level +(the root CA certificate) and worked upward to the peer's certificate. +At each level signatures and issuer attributes are checked. Whenever +a verification error is found, the error number is stored in B +and B is called with B=0. By applying +X509_CTX_store_* functions B can locate the certificate +in question and perform additional steps (see EXAMPLES). If no error is +found for a certificate, B is called with B=1 +before advancing to the next level. + +The return value of B controls the strategy of the further +verification process. If B returns 0, the verification +process is immediately stopped with "verification failed" state. If +SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and +the TLS/SSL handshake is terminated. If B returns 1, +the verification process is continued. If B always returns +1, the TLS/SSL handshake will never be terminated because of this application +experiencing a verification failure. The calling process can however +retrieve the error code of the last verification error using +L or by maintaining its +own error storage managed by B. + +If no B is specified, the default callback will be used. +Its return value is identical to B, so that any verification +failure will lead to a termination of the TLS/SSL handshake with an +alert message, if SSL_VERIFY_PEER is set. + +=head1 BUGS + +In client mode, it is not checked whether the SSL_VERIFY_PEER flag +is set, but whether SSL_VERIFY_NONE is not set. This can lead to +unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not +used as required (exactly one must be set at any time). + +The certificate verification depth set with SSL[_CTX]_verify_depth() +stops the verification at a certain depth. The error message produced +will be that of an incomplete certificate chain and not +X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. + +=head1 RETURN VALUES + +The SSL*_set_verify*() functions do not provide diagnostic information. + +=head1 EXAMPLES + +The following code sequence realizes an example B function +that will always continue the TLS/SSL handshake regardless of verification +failure, if wished. The callback realizes a verification depth limit with +more informational output. + +All verification errors are printed, informations about the certificate chain +are printed on request. +The example is realized for a server that does allow but not require client +certificates. + +The example makes use of the ex_data technique to store application data +into/retrieve application data from the SSL structure +(see L, +L). + + ... + typedef struct { + int verbose_mode; + int verify_depth; + int always_continue; + } mydata_t; + int mydata_index; + ... + static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) + { + char buf[256]; + X509 *err_cert; + int err, depth; + SSL *ssl; + mydata_t *mydata; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + /* + * Retrieve the pointer to the SSL of the connection currently treated + * and the application specific data stored into the SSL object. + */ + ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); + mydata = SSL_get_ex_data(ssl, mydata_index); + + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); + + /* + * Catch a too long certificate chain. The depth limit set using + * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so + * that whenever the "depth>verify_depth" condition is met, we + * have violated the limit and want to log this error condition. + * We must do it here, because the CHAIN_TOO_LONG error would not + * be found explicitly; only errors introduced by cutting off the + * additional certificates would be logged. + */ + if (depth > mydata->verify_depth) { + preverify_ok = 0; + err = X509_V_ERR_CERT_CHAIN_TOO_LONG; + X509_STORE_CTX_set_error(ctx, err); + } + if (!preverify_ok) { + printf("verify error:num=%d:%s:depth=%d:%s\n", err, + X509_verify_cert_error_string(err), depth, buf); + } + else if (mydata->verbose_mode) + { + printf("depth=%d:%s\n", depth, buf); + } + + /* + * At this point, err contains the last verification error. We can use + * it for something special + */ + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) + { + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); + printf("issuer= %s\n", buf); + } + + if (mydata->always_continue) + return 1; + else + return preverify_ok; + } + ... + + mydata_t mydata; + + ... + mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); + + ... + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + verify_callback); + + /* + * Let the verify_callback catch the verify_depth error so that we get + * an appropriate error in the logfile. + */ + SSL_CTX_set_verify_depth(verify_depth + 1); + + /* + * Set up the SSL specific data into "mydata" and store it into th SSL + * structure. + */ + mydata.verify_depth = verify_depth; ... + SSL_set_ex_data(ssl, mydata_index, &mydata); + + ... + SSL_accept(ssl); /* check of success left out for clarity */ + if (peer = SSL_get_peer_certificate(ssl)) + { + if (SSL_get_verify_result(ssl) == X509_V_OK) + { + /* The client sent a certificate which verified OK */ + } + } + +=head1 SEE ALSO + +L, L, +L, +L, +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod new file mode 100644 index 000000000000..58fa3e6a84f6 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod @@ -0,0 +1,154 @@ +=pod + +=head1 NAME + +SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key - load certificate and key data + +=head1 SYNOPSIS + + #include + + int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); + int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); + int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_certificate(SSL *ssl, X509 *x); + int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); + int SSL_use_certificate_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); + + int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); + int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, + long len); + int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); + int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); + int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); + int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); + int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); + int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); + int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); + int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); + int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); + + int SSL_CTX_check_private_key(SSL_CTX *ctx); + int SSL_check_private_key(SSL *ssl); + +=head1 DESCRIPTION + +These functions load the certificates and private keys into the SSL_CTX +or SSL object, respectively. + +The SSL_CTX_* class of functions loads the certificates and keys into the +SSL_CTX object B. The information is passed to SSL objects B +created from B with L by copying, so that +changes applied to B do not propagate to already existing SSL objects. + +The SSL_* class of functions only loads certificates and keys into a +specific SSL object. The specific information is kept, when +L is called for this SSL object. + +SSL_CTX_use_certificate() loads the certificate B into B, +SSL_use_certificate() loads B into B. The rest of the +certificates needed to form the complete certificate chain can be +specified using the +L +function. + +SSL_CTX_use_certificate_ASN1() loads the ASN1 encoded certificate from +the memory location B (with length B) into B, +SSL_use_certificate_ASN1() loads the ASN1 encoded certificate into B. + +SSL_CTX_use_certificate_file() loads the first certificate stored in B +into B. The formatting B of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_use_certificate_file() loads the certificate from B into B. +See the NOTES section on why SSL_CTX_use_certificate_chain_file() +should be preferred. + +SSL_CTX_use_certificate_chain_file() loads a certificate chain from +B into B. The certificates must be in PEM format and must +be sorted starting with the certificate to the highest level (root CA). +There is no corresponding function working on a single SSL object. + +SSL_CTX_use_PrivateKey() adds B as private key to B. +SSL_CTX_use_RSAPrivateKey() adds the private key B of type RSA +to B. SSL_use_PrivateKey() adds B as private key to B; +SSL_use_RSAPrivateKey() adds B as private key of type RSA to B. + +SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B +stored at memory location B (length B) to B. +SSL_CTX_use_RSAPrivateKey_ASN1() adds the private key of type RSA +stored at memory location B (length B) to B. +SSL_use_PrivateKey_ASN1() and SSL_use_RSAPrivateKey_ASN1() add the private +key to B. + +SSL_CTX_use_PrivateKey_file() adds the first private key found in +B to B. The formatting B of the certificate must be specified +from the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1. +SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found in +B to B. SSL_use_PrivateKey_file() adds the first private key found +in B to B; SSL_use_RSAPrivateKey_file() adds the first private +RSA key found to B. + +SSL_CTX_check_private_key() checks the consistency of a private key with +the corresponding certificate loaded into B. If more than one +key/certificate pair (RSA/DSA) is installed, the last item installed will +be checked. If e.g. the last item was a RSA certificate or key, the RSA +key/certificate pair will be checked. SSL_check_private_key() performs +the same check for B. If no key/certificate was explicitly added for +this B, the last item added into B will be checked. + +=head1 NOTES + +The internal certificate store of OpenSSL can hold two private key/certificate +pairs at a time: one key/certificate of type RSA and one key/certificate +of type DSA. The certificate used depends on the cipher select, see +also L. + +When reading certificates and private keys from file, files of type +SSL_FILETYPE_ASN1 (also known as B, binary encoding) can only contain +one certificate or private key, consequently +SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. +Files of type SSL_FILETYPE_PEM can contain more than one item. + +SSL_CTX_use_certificate_chain_file() adds the first certificate found +in the file to the certificate store. The other certificates are added +to the store of chain certificates using +L. +There exists only one extra chain store, so that the same chain is appended +to both types of certificates, RSA and DSA! If it is not intented to use +both type of certificate at the same time, it is recommended to use the +SSL_CTX_use_certificate_chain_file() instead of the +SSL_CTX_use_certificate_file() function in order to allow the use of +complete certificate chains even when no trusted CA storage is used or +when the CA issuing the certificate shall not be added to the trusted +CA storage. + +If additional certificates are needed to complete the chain during the +TLS negotiation, CA certificates are additionally looked up in the +locations of trusted CA certificates, see +L. + +The private keys loaded from file can be encrypted. In order to successfully +load encrypted keys, a function returning the passphrase must have been +supplied, see +L. +(Certificate files might be encrypted as well from the technical point +of view, it however does not make sense as the data in the certificate +is considered public anyway.) + +=head1 RETURN VALUES + +On success, the functions return 1. +Otherwise check out the error stack to find out the reason. + +=head1 SEE ALSO + +L, L, L, +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod new file mode 100644 index 000000000000..dd5cb4f04bba --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_ex_new_index.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_SESSION_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg); + + void *SSL_SESSION_get_ex_data(SSL_SESSION *session, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_SESSION_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_SESSION_set_ex_data() is used to store application data at B for B +into the B object. + +SSL_SESSION_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 WARNINGS + +The application data is only maintained for sessions held in memory. The +application data is not included when dumping the session with +i2d_SSL_SESSION() (and all functions indirectly calling the dump functions +like PEM_write_SSL_SESSION() and PEM_write_bio_SSL_SESSION()) and can +therefore not be restored. + +=head1 SEE ALSO + +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod new file mode 100644 index 000000000000..cd33b73aa359 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod @@ -0,0 +1,63 @@ +=pod + +=head1 NAME + +SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings + +=head1 SYNOPSIS + + #include + + long SSL_SESSION_get_time(SSL_SESSION *s); + long SSL_SESSION_set_time(SSL_SESSION *s, long tm); + long SSL_SESSION_get_timeout(SSL_SESSION *s); + long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm); + + long SSL_get_time(SSL_SESSION *s); + long SSL_set_time(SSL_SESSION *s, long tm); + long SSL_get_timeout(SSL_SESSION *s); + long SSL_set_timeout(SSL_SESSION *s, long tm); + +=head1 DESCRIPTION + +SSL_SESSION_get_time() returns the time at which the session B was +established. The time is given in seconds since the Epoch and therefore +compatible to the time delivered by the time() call. + +SSL_SESSION_set_time() replaces the creation time of the session B with +the chosen value B. + +SSL_SESSION_get_timeout() returns the timeout value set for session B +in seconds. + +SSL_SESSION_set_timeout() sets the timeout value for session B in seconds +to B. + +The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout() +functions are synonyms for the SSL_SESSION_*() counterparts. + +=head1 NOTES + +Sessions are expired by examining the creation time and the timeout value. +Both are set at creation time of the session to the actual time and the +default timeout value at creation, respectively, as set by +L. +Using these functions it is possible to extend or shorten the lifetime +of the session. + +=head1 RETURN VALUES + +SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently +valid values. + +SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. + +If any of the function is passed the NULL pointer for the session B, +0 is returned. + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod index 0c79ac515e1d..46f95abb2f22 100644 --- a/crypto/openssl/doc/ssl/SSL_accept.pod +++ b/crypto/openssl/doc/ssl/SSL_accept.pod @@ -54,7 +54,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. -=item -1 +=item E0 The TLS/SSL handshake was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod index 862fd8291df1..aeb0b5c7a230 100644 --- a/crypto/openssl/doc/ssl/SSL_clear.pod +++ b/crypto/openssl/doc/ssl/SSL_clear.pod @@ -34,6 +34,6 @@ The SSL_clear() operation was successful. =back L, L, -L +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod index debe41744f0a..00813ecfff6f 100644 --- a/crypto/openssl/doc/ssl/SSL_connect.pod +++ b/crypto/openssl/doc/ssl/SSL_connect.pod @@ -51,7 +51,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the return value B to find out the reason. -=item -1 +=item E0 The TLS/SSL handshake was not successful, because a fatal error occurred either at the protocol level or a connection failure occurred. The shutdown was @@ -64,6 +64,6 @@ to find out the reason. =head1 SEE ALSO L, L, -L, L , L +L, L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod new file mode 100644 index 000000000000..d358bc352e69 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod @@ -0,0 +1,52 @@ +=pod + +=head1 NAME + +SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs + +=head1 SYNOPSIS + + #include + + STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for +B using L. + +SSL_get_client_CA_list() returns the list of client CAs explicitely +set for B using SSL_set_client_CA_list() or B's SSL_CTX object with +L, when in +server mode. In client mode, SSL_get_client_CA_list returns the list of +client CAs sent from the server, if any. + +=head1 RETURN VALUES + +SSL_CTX_set_client_CA_list() and SSL_set_client_CA_list() do not return +diagnostic information. + +SSL_CTX_add_client_CA() and SSL_add_client_CA() have the following return +values: + +=over 4 + +=item STACK_OF(X509_NAMES) + +List of CA names explicitely set (for B or in server mode) or send +by the server (client mode). + +=item NULL + +No client CA list was explicitely set (for B or in server mode) or +the server did not send a list of CAs (client mode). + +=back + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_get_error.pod b/crypto/openssl/doc/ssl/SSL_get_error.pod index d85b56425828..fefaf619369a 100644 --- a/crypto/openssl/doc/ssl/SSL_get_error.pod +++ b/crypto/openssl/doc/ssl/SSL_get_error.pod @@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), -SSL_read(), or SSL_write() on B. The value returned by that -TLS/SSL I/O function must be passed to SSL_get_error() in parameter +SSL_read(), SSL_peek(), or SSL_write() on B. The value returned by +that TLS/SSL I/O function must be passed to SSL_get_error() in parameter B. In addition to B and B, SSL_get_error() inspects the @@ -48,16 +48,26 @@ has been closed. =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE The operation did not complete; the same TLS/SSL I/O function should be -called again later. There will be protocol progress if, by then, the -underlying B has data available for reading (if the result code is -B) or allows writing data (B). -For socket Bs (e.g. when SSL_set_fd() was used) this means that -select() or poll() on the underlying socket can be used to find out -when the TLS/SSL I/O function should be retried. +called again later. If, by then, the underlying B has data +available for reading (if the result code is B) +or allows writing data (B), then some TLS/SSL +protocol progress will take place, i.e. at least part of an TLS/SSL +record will be read or written. Note that the retry may again lead to +a B or B condition. +There is no fixed upper limit for the number of iterations that +may be necessary until progress becomes visible at application +protocol level. + +For socket Bs (e.g. when SSL_set_fd() was used), select() or +poll() on the underlying socket can be used to find out when the +TLS/SSL I/O function should be retried. Caveat: Any TLS/SSL I/O function can lead to either of -B and B, i.e. SSL_read() -may want to write data and SSL_write() may want to read data. +B and B. In particular, +SSL_read() or SSL_peek() may want to write data and SSL_write() may want +to read data. This is mainly because TLS/SSL handshakes may occur at any +time during the protocol (initiated by either the client or the server); +SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. =item SSL_ERROR_WANT_X509_LOOKUP diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod new file mode 100644 index 000000000000..165c6a5b2cae --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_ex_data_X509_STORE_CTX_idx.pod @@ -0,0 +1,61 @@ +=pod + +=head1 NAME + +SSL_get_ex_data_X509_STORE_CTX_idx - get ex_data index to access SSL structure +from X509_STORE_CTX + +=head1 SYNOPSIS + + #include + + int SSL_get_ex_data_X509_STORE_CTX_idx(void); + +=head1 DESCRIPTION + +SSL_get_ex_data_X509_STORE_CTX_idx() returns the index number under which +the pointer to the SSL object is stored into the X509_STORE_CTX object. + +=head1 NOTES + +Whenever a X509_STORE_CTX object is created for the verification of the +peers certificate during a handshake, a pointer to the SSL object is +stored into the X509_STORE_CTX object to identify the connection affected. +To retrieve this pointer the X509_STORE_CTX_get_ex_data() function can +be used with the correct index. This index is globally the same for all +X509_STORE_CTX objects and can be retrieved using +SSL_get_ex_data_X509_STORE_CTX_idx(). The index value is set when +SSL_get_ex_data_X509_STORE_CTX_idx() is first called either by the application +program directly or indirectly during other SSL setup functions or during +the handshake. + +The value depends on other index values defined for X509_STORE_CTX objects +before the SSL index is created. + +=head1 RETURN VALUES + +=over 4 + +=item E=0 + +The index value to access the pointer. + +=item E0 + +An error occurred, check the error stack for a detailed error message. + +=back + +=head1 EXAMPLES + +The index returned from SSL_get_ex_data_X509_STORE_CTX_idx() allows to +access the SSL object for the connection to be accessed during the +verify_callback() when checking the peers certificate. Please check +the example in L, + +=head1 SEE ALSO + +L, L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod new file mode 100644 index 000000000000..2b69bb105003 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_ex_new_index.pod @@ -0,0 +1,59 @@ +=pod + +=head1 NAME + +SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data - internal application specific data functions + +=head1 SYNOPSIS + + #include + + int SSL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + + int SSL_set_ex_data(SSL *ssl, int idx, void *arg); + + void *SSL_get_ex_data(SSL *ssl, int idx); + + typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); + +=head1 DESCRIPTION + +Several OpenSSL structures can have application specific data attached to them. +These functions are used internally by OpenSSL to manipulate application +specific data attached to a specific structure. + +SSL_get_ex_new_index() is used to register a new index for application +specific data. + +SSL_set_ex_data() is used to store application data at B for B into +the B object. + +SSL_get_ex_data() is used to retrieve the information for B from +B. + +A detailed description for the B<*_get_ex_new_index()> functionality +can be found in L. +The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in +L. + +=head1 EXAMPLES + +An example on how to use the functionality is included in the example +verify_callback() in L. + +=head1 SEE ALSO + +L, +L, +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod new file mode 100644 index 000000000000..02527dc2edc8 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_load_client_CA_file.pod @@ -0,0 +1,62 @@ +=pod + +=head1 NAME + +SSL_load_client_CA_file - load certificate names from file + +=head1 SYNOPSIS + + #include + + STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file); + +=head1 DESCRIPTION + +SSL_load_client_CA_file() reads certificates from B and returns +a STACK_OF(X509_NAME) with the subject names found. + +=head1 NOTES + +SSL_load_client_CA_file() reads a file of PEM formatted certificates and +extracts the X509_NAMES of the certificates found. While the name suggests +the specific usage as support function for +L, +it is not limited to CA certificates. + +=head1 EXAMPLES + +Load names of CAs from file and use it as a client CA list: + + SSL_CTX *ctx; + STACK_OF(X509_NAME) *cert_names; + + ... + cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); + if (cert_names != NULL) + SSL_CTX_set_client_CA_list(ctx, cert_names); + else + error_handling(); + ... + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item NULL + +The operation failed, check out the error stack for the reason. + +=item Pointer to STACK_OF(X509_NAME) + +Pointer to the subject names of the successfully read certificates. + +=back + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_new.pod b/crypto/openssl/doc/ssl/SSL_new.pod index 8e8638fa9561..3b084e867d08 100644 --- a/crypto/openssl/doc/ssl/SSL_new.pod +++ b/crypto/openssl/doc/ssl/SSL_new.pod @@ -37,6 +37,7 @@ The return value points to an allocated SSL structure. =head1 SEE ALSO L, L, +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_pending.pod b/crypto/openssl/doc/ssl/SSL_pending.pod index 744e1855e151..b4c48598b25d 100644 --- a/crypto/openssl/doc/ssl/SSL_pending.pod +++ b/crypto/openssl/doc/ssl/SSL_pending.pod @@ -25,6 +25,19 @@ L. The number of bytes pending is returned. +=head1 BUGS + +SSL_pending() takes into account only bytes from the TLS/SSL record +that is currently being processed (if any). If the B object's +I flag is set, additional protocol bytes may have been +read containing more TLS/SSL records; these are ignored by +SSL_pending(). + +Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type +of pending data is application data. + +=head1 SEE ALSO + L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod index 072dc26cf284..9bff32500b89 100644 --- a/crypto/openssl/doc/ssl/SSL_read.pod +++ b/crypto/openssl/doc/ssl/SSL_read.pod @@ -61,7 +61,7 @@ The read operation was not successful, probably because no data was available. Call SSL_get_error() with the return value B to find out, whether an error occurred. -=item -1 +=item E0 The read operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the diff --git a/crypto/openssl/doc/ssl/SSL_set_session.pod b/crypto/openssl/doc/ssl/SSL_set_session.pod index 9f78d9e434ae..c4f7878579d5 100644 --- a/crypto/openssl/doc/ssl/SSL_set_session.pod +++ b/crypto/openssl/doc/ssl/SSL_set_session.pod @@ -40,6 +40,7 @@ The operation succeeded. =head1 SEE ALSO -L, L +L, L, +L =cut diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod index db67c187e0ee..8110161522a3 100644 --- a/crypto/openssl/doc/ssl/SSL_write.pod +++ b/crypto/openssl/doc/ssl/SSL_write.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_read - write bytes to a TLS/SSL connection. +SSL_write - write bytes to a TLS/SSL connection. =head1 SYNOPSIS @@ -31,7 +31,7 @@ when the underlying BIO could not satisfy the needs of SSL_write() to continue the operation. In this case a call to SSL_get_error() with the return value of SSL_write() will yield B or B. As at any time a re-negotiation is possible, a -call to SSL_write() can also cause write operations! The calling process +call to SSL_write() can also cause read operations! The calling process then must repeat the call after taking appropriate action to satisfy the needs of SSL_write(). The action depends on the underlying BIO. When using a non-blocking socket, nothing is to be done, but select() can be used to check @@ -60,9 +60,9 @@ bytes actually written to the TLS/SSL connection. The write operation was not successful. Call SSL_get_error() with the return value B to find out, whether an error occurred. -=item -1 +=item E0 -The read operation was not successful, because either an error occurred +The write operation was not successful, because either an error occurred or action must be taken by the calling process. Call SSL_get_error() with the return value B to find out the reason. diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod new file mode 100644 index 000000000000..8142b6b39f75 --- /dev/null +++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME +d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation + +=head1 SYNOPSIS + + #include + + SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length); + int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); + +=head1 DESCRIPTION + +d2i_SSL_SESSION() transforms the external ASN1 representation of an SSL/TLS +session, stored as binary data at location B with length B, into +an SSL_SESSION object. + +i2d_SSL_SESSION() transforms the SSL_SESSION object B into the ASN1 +representation and stores it into the memory location pointed to by B. +The length of the resulting ASN1 representation is returned. If B is +the NULL pointer, only the length is calculated and returned. + +=head1 NOTES + +The SSL_SESSION object is built from several malloc()ed parts, it can +therefore not be moved, copied or stored directly. In order to store +session data on disk or into a database, it must be transformed into +a binary ASN1 representation. + +When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically +allocated. + +When using i2d_SSL_SESSION(), the memory location pointed to by B must be +large enough to hold the binary representation of the session. There is no +known limit on the size of the created ASN1 representation, so the necessary +amount of space should be obtained by first calling i2d_SSL_SESSION() with +B, and obtain the size needed, then allocate the memory and +call i2d_SSL_SESSION() again. + +=head1 RETURN VALUES + +d2i_SSL_SESSION() returns a pointer to the newly allocated SSL_SESSION +object. In case of failure the NULL-pointer is returned and the error message +can be retrieved from the error stack. + +i2d_SSL_SESSION() returns the size of the ASN1 representation in bytes. +When the session is not valid, B<0> is returned and no operation is performed. + +=head1 SEE ALSO + +L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod index 8ffe5904d523..2911c83e4879 100644 --- a/crypto/openssl/doc/ssl/ssl.pod +++ b/crypto/openssl/doc/ssl/ssl.pod @@ -13,6 +13,69 @@ The OpenSSL B library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API which is documented here. +At first the library must be initialized; see +L. + +Then an B object is created as a framework to establish +TLS/SSL enabled connections (see L). +Various options regarding certificates, algorithms etc. can be set +in this object. + +When a network connection has been created, it can be assigned to an +B object. After the B object has been created using +L, L or +L can be used to associate the network +connection with the object. + +Then the TLS/SSL handshake is performed using +L or L +respectively. +L and L are used +to read and write data on the TLS/SSL connection. +L can be used to shut down the +TLS/SSL connection. + +=head1 DATA STRUCTURES + +Currently the OpenSSL B library functions deals with the following data +structures: + +=over 4 + +=item B (SSL Method) + +That's a dispatch structure describing the internal B library +methods/functions which implement the various protocol versions (SSLv1, SSLv2 +and TLSv1). It's needed to create an B. + +=item B (SSL Cipher) + +This structure holds the algorithm information for a particular cipher which +are a core part of the SSL/TLS protocol. The available ciphers are configured +on a B basis and the actually used ones are then part of the +B. + +=item B (SSL Context) + +That's the global context structure which is created by a server or client +once per program life-time and which holds mainly default values for the +B structures which are later created for the connections. + +=item B (SSL Session) + +This is a structure containing the current TLS/SSL session details for a +connection: Bs, client and server certificates, keys, etc. + +=item B (SSL Connection) + +That's the main SSL/TLS structure which is created by a server or client per +established connection. This actually is the core structure in the SSL API. +Under run-time the application usually deals with this structure which has +links to mostly all other structures. + +=back + + =head1 HEADER FILES Currently the OpenSSL B library provides the following C header files @@ -55,46 +118,6 @@ it's already included by ssl.h>. =back -=head1 DATA STRUCTURES - -Currently the OpenSSL B library functions deals with the following data -structures: - -=over 4 - -=item B (SSL Method) - -That's a dispatch structure describing the internal B library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an B. - -=item B (SSL Cipher) - -This structure holds the algorithm information for a particular cipher which -are a core part of the SSL/TLS protocol. The available ciphers are configured -on a B basis and the actually used ones are then part of the -B. - -=item B (SSL Context) - -That's the global context structure which is created by a server or client -once per program life-time and which holds mainly default values for the -B structures which are later created for the connections. - -=item B (SSL Session) - -This is a structure containing the current TLS/SSL session details for a -connection: Bs, client and server certificates, keys, etc. - -=item B (SSL Connection) - -That's the main SSL/TLS structure which is created by a server or client per -established connection. This actually is the core structure in the SSL API. -Under run-time the application usually deals with this structure which has -links to mostly all other structures. - -=back - =head1 API FUNCTIONS Currently the OpenSSL B library exports 214 API functions. @@ -625,20 +648,48 @@ connection defined in the B structure. L, L, L, L, -L, L, +L, +L, +L, +L, +L, +L, +L, +L +L, +L, +L, +L, +L, +L, +L, +L, +L, L, +L, +L, +L, L, -L, L, +L, +L, +L, +L, +L, L, L, L, L, -L, L, +L, +L, +L, L, L, L, L, L, L, L, -L +L, +L, +L, +L =head1 HISTORY diff --git a/crypto/openssl/doc/ssleay.txt b/crypto/openssl/doc/ssleay.txt index 3e964c2e9aeb..fab8d42c4221 100644 --- a/crypto/openssl/doc/ssleay.txt +++ b/crypto/openssl/doc/ssleay.txt @@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with EXAMPLES. -So lets play at being a wierd SSL server. +So lets play at being a weird SSL server. /* setup a context */ ctx=SSL_CTX_new(); diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h index 0c0784f9a972..4f9c983ef184 100644 --- a/crypto/openssl/e_os.h +++ b/crypto/openssl/e_os.h @@ -355,12 +355,14 @@ extern HINSTANCE _hInstance; # if defined(VMS) && !defined(__DECC) # include # include +# include # else # include # ifdef FILIO_H # include /* Added for FIONBIO under unixware */ # endif # include +# include # endif # if defined(NeXT) || defined(_NEXT_SOURCE) diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index 18ae94e54cb7..fa8c16b7c76f 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -94,7 +94,7 @@ perl util/perlpath.pl /usr/bin/perl ./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared %endif %ifarch alpha -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared +./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc shared %endif LD_LIBRARY_PATH=`pwd` make LD_LIBRARY_PATH=`pwd` make rehash diff --git a/crypto/openssl/rsaref/Makefile.ssl b/crypto/openssl/rsaref/Makefile.ssl index 69d41a9a6dfb..8f27c48a5a6a 100644 --- a/crypto/openssl/rsaref/Makefile.ssl +++ b/crypto/openssl/rsaref/Makefile.ssl @@ -39,7 +39,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index 04dd3e866349..61b9cee090b6 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -55,7 +55,8 @@ all: lib lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) - $(RANLIB) $(LIB) + @echo You may get an error following this line. Please ignore. + - $(RANLIB) $(LIB) @touch lib files: diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 47dd09c286f3..28d6d6529616 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) goto err; } ERR_clear_error(); /* but we keep s->verify_result */ + s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 129ed89d9704..a590dbfa5ca6 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u) int ssl2_pending(SSL *s) { - return(s->s2->ract_data_length); + return SSL_in_init(s) ? 0 : s->s2->ract_data_length; } int ssl2_new(SSL *s) @@ -270,10 +270,16 @@ int ssl2_new(SSL *s) if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); +#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 +# error "assertion failed" +#endif + if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + /* wbuf needs one byte more because when using two-byte headers, + * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( - SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; + SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 56662f29facb..1f119442b4e8 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend); static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len); static int write_pending(SSL *s, const unsigned char *buf, unsigned int len); static int ssl_mt_error(int n); -int ssl2_peek(SSL *s, char *buf, int len) - { - int ret; - ret=ssl2_read(s,buf,len); - if (ret > 0) - { - s->s2->ract_data_length+=ret; - s->s2->ract_data-=ret; - } - return(ret); - } -/* SSL_read - +/* SSL 2.0 imlementation for SSL_read/SSL_peek - * This routine will return 0 to len bytes, decrypted etc if required. */ -int ssl2_read(SSL *s, void *buf, int len) +static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) { int n; unsigned char mac[MAX_MAC_SIZE]; @@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len) int i; unsigned int mac_size=0; -ssl2_read_again: + ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) { n=s->handshake_func(s); if (n < 0) return(n); if (n == 0) { - SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE); return(-1); } } @@ -114,13 +156,22 @@ ssl2_read_again: n=len; memcpy(buf,s->s2->ract_data,(unsigned int)n); - s->s2->ract_data_length-=n; - s->s2->ract_data+=n; - if (s->s2->ract_data_length == 0) - s->rstate=SSL_ST_READ_HEADER; + if (!peek) + { + s->s2->ract_data_length-=n; + s->s2->ract_data+=n; + if (s->s2->ract_data_length == 0) + s->rstate=SSL_ST_READ_HEADER; + } + return(n); } + /* s->s2->ract_data_length == 0 + * + * Fill the buffer, then goto ssl2_read_again. + */ + if (s->rstate == SSL_ST_READ_HEADER) { if (s->first_packet) @@ -133,7 +184,7 @@ ssl2_read_again: (p[2] == SSL2_MT_CLIENT_HELLO) || (p[2] == SSL2_MT_SERVER_HELLO)))) { - SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET); return(-1); } } @@ -211,48 +262,49 @@ ssl2_read_again: (unsigned int)mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); return(-1); } } INC32(s->s2->read_sequence); /* expect next number */ /* s->s2->ract_data is now available for processing */ -#if 1 - /* How should we react when a packet containing 0 - * bytes is received? (Note that SSLeay/OpenSSL itself - * never sends such packets; see ssl2_write.) - * Returning 0 would be interpreted by the caller as - * indicating EOF, so it's not a good idea. - * Instead, we just continue reading. Note that using - * select() for blocking sockets *never* guarantees + /* Possibly the packet that we just read had 0 actual data bytes. + * (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.) + * In this case, returning 0 would be interpreted by the caller + * as indicating EOF, so it's not a good idea. Instead, we just + * continue reading; thus ssl2_read_internal may have to process + * multiple packets before it can return. + * + * [Note that using select() for blocking sockets *never* guarantees * that the next SSL_read will not block -- the available - * data may contain incomplete packets, and except for SSL 2 - * renegotiation can confuse things even more. */ + * data may contain incomplete packets, and except for SSL 2, + * renegotiation can confuse things even more.] */ goto ssl2_read_again; /* This should really be - * "return ssl2_read(s,buf,len)", - * but that would allow for - * denial-of-service attacks if a - * C compiler is used that does not - * recognize end-recursion. */ -#else - /* If a 0 byte packet was sent, return 0, otherwise - * we play havoc with people using select with - * blocking sockets. Let them handle a packet at a time, - * they should really be using non-blocking sockets. */ - if (s->s2->ract_data_length == 0) - return(0); - return(ssl2_read(s,buf,len)); -#endif + * "return ssl2_read(s,buf,len)", + * but that would allow for + * denial-of-service attacks if a + * C compiler is used that does not + * recognize end-recursion. */ } else { - SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE); + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE); return(-1); } } +int ssl2_read(SSL *s, void *buf, int len) + { + return ssl2_read_internal(s, buf, len, 0); + } + +int ssl2_peek(SSL *s, char *buf, int len) + { + return ssl2_read_internal(s, buf, len, 1); + } + static int read_n(SSL *s, unsigned int n, unsigned int max, unsigned int extend) { @@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; + /* Two-byte headers allow for a larger record length than + * three-byte headers, but we can't use them if we need + * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { @@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) } else if ((bs <= 1) && (!s->s2->escape)) { - /* len=len; */ + /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } - else /* 3 byte header */ + else /* we may have to use a 3 byte header */ { - /*len=len; */ + /* If s->s2->escape is not set, then + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus + * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) + { s->s2->three_byte_header=1; + if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; + } else s->s2->three_byte_header=(p == 0)?0:1; } } + + /* Now + * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + * holds, and if s->s2->three_byte_header is set, then even + * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. + */ + /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes - * if p == 0, it is a 2 byte header */ + * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; diff --git a/crypto/openssl/ssl/s3_both.c b/crypto/openssl/ssl/s3_both.c index d92c164b0fa9..10d8d3b15afc 100644 --- a/crypto/openssl/ssl/s3_both.c +++ b/crypto/openssl/ssl/s3_both.c @@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) while (s->init_num < 4) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num], - 4 - s->init_num); + 4 - s->init_num, 0); if (i <= 0) { s->rwstate=SSL_READING; @@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) n=s->s3->tmp.message_size; while (n > 0) { - i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n); + i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); if (i <= 0) { s->rwstate=SSL_READING; diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 62040f9f1d01..eec45cfa485d 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s) X509_free(s->session->peer); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); s->session->peer=x; + s->session->verify_result = s->verify_result; x=NULL; ret=1; diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index cee2021b6b0c..c170ceb97dd0 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u) return(NULL); } -/* The problem is that it may not be the correct record type */ int ssl3_pending(SSL *s) { - return(s->s3->rrec.length); + return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0; } int ssl3_new(SSL *s) @@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s) else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - ssl3_read_bytes(s,0,NULL,0); + ssl3_read_bytes(s,0,NULL,0,0); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && @@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len) return(ret); } -int ssl3_read(SSL *s, void *buf, int len) +static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) { int ret; clear_sys_error(); if (s->s3->renegotiate) ssl3_renegotiate_check(s); s->s3->in_read_app_data=1; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); if ((ret == -1) && (s->s3->in_read_app_data == 0)) { /* ssl3_read_bytes decided to call s->handshake_func, which @@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len) * by resetting 'in_read_app_data', strangely); so disable * handshake processing and try to read application data again. */ s->in_handshake++; - ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len); + ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); s->in_handshake--; } else @@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len) return(ret); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_read(SSL *s, void *buf, int len) { - SSL3_RECORD *rr; - int n; - - rr= &(s->s3->rrec); - if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA)) - { - n=ssl3_read(s,buf,1); - if (n <= 0) return(n); - rr->length++; - rr->off--; - } + return ssl3_read_internal(s, buf, len, 0); + } - if ((unsigned int)len > rr->length) - n=rr->length; - else - n=len; - memcpy(buf,&(rr->data[rr->off]),(unsigned int)n); - return(n); +int ssl3_peek(SSL *s, char *buf, int len) + { + return ssl3_read_internal(s, buf, len, 1); } int ssl3_renegotiate(SSL *s) diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index 14140798539d..9ab76604a645 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, * Application data protocol * none of our business */ -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al,i,j,ret; unsigned int n; @@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) if (!ssl3_setup_buffers(s)) return(-1); - if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) + if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) || + (peek && (type != SSL3_RT_APPLICATION_DATA))) { SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR); return -1; @@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len) unsigned char *dst = buf; unsigned int k; + /* peek == 0 */ n = 0; while ((len > 0) && (s->s3->handshake_fragment_len > 0)) { @@ -763,7 +765,7 @@ start: * s->s3->rrec.length, - number of bytes. */ rr = &(s->s3->rrec); - /* get new packet */ + /* get new packet if necessary */ if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY)) { ret=ssl3_get_record(s); @@ -781,7 +783,8 @@ start: goto err; } - /* If the other end has shutdown, throw anything we read away */ + /* If the other end has shut down, throw anything we read away + * (even in 'peek' mode) */ if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { rr->length=0; @@ -810,12 +813,15 @@ start: n = (unsigned int)len; memcpy(buf,&(rr->data[rr->off]),n); - rr->length-=n; - rr->off+=n; - if (rr->length == 0) + if (!peek) { - s->rstate=SSL_ST_READ_HEADER; - rr->off=0; + rr->length-=n; + rr->off+=n; + if (rr->length == 0) + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; + } } return(n); } diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index bb8cfb31e55a..d04232960e30 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -1414,6 +1414,7 @@ static int ssl3_get_client_key_exchange(SSL *s) s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,i); + memset(p,0,i); } else #endif diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index fdbdc70ba72f..fad7a0e70b36 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void ); #define SSL_CTX_get_read_ahead(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL) #define SSL_CTX_set_read_ahead(ctx,m) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL) + SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL) /* NB: the keylength is only applicable when is_export is true */ #ifndef NO_RSA @@ -1238,7 +1238,9 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL2_ACCEPT 122 #define SSL_F_SSL2_CONNECT 123 #define SSL_F_SSL2_ENC_INIT 124 +#define SSL_F_SSL2_PEEK 234 #define SSL_F_SSL2_READ 125 +#define SSL_F_SSL2_READ_INTERNAL 236 #define SSL_F_SSL2_SET_CERTIFICATE 126 #define SSL_F_SSL2_WRITE 127 #define SSL_F_SSL3_ACCEPT 128 @@ -1263,6 +1265,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL3_GET_SERVER_DONE 145 #define SSL_F_SSL3_GET_SERVER_HELLO 146 #define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147 +#define SSL_F_SSL3_PEEK 235 #define SSL_F_SSL3_READ_BYTES 148 #define SSL_F_SSL3_READ_N 149 #define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150 diff --git a/crypto/openssl/ssl/ssl2.h b/crypto/openssl/ssl/ssl2.h index df7d03c18f70..f8b56afb6b20 100644 --- a/crypto/openssl/ssl/ssl2.h +++ b/crypto/openssl/ssl/ssl2.h @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else -#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 +#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif -#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ +#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ diff --git a/crypto/openssl/ssl/ssl_algs.c b/crypto/openssl/ssl/ssl_algs.c index a91ee6d22e45..dde8918fe0e3 100644 --- a/crypto/openssl/ssl/ssl_algs.c +++ b/crypto/openssl/ssl/ssl_algs.c @@ -88,9 +88,13 @@ int SSL_library_init(void) #ifndef NO_SHA EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); + EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif #if !defined(NO_SHA) && !defined(NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ + EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); + EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1"); + EVP_add_digest_alias(SN_dsaWithSHA1,"dss1"); #endif /* If you want support for phased out ciphers, add the following */ diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 17b4caf528a9..9945758104b5 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -91,7 +91,9 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, {ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"}, {ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"}, +{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"}, {ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"}, +{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"}, {ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"}, {ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"}, {ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"}, @@ -116,6 +118,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"}, {ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"}, {ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"}, +{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"}, {ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"}, {ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"}, {ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"}, diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 635b25062e8b..fec98dd8f43d 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -119,7 +119,9 @@ int SSL_clear(SSL *s) s->client_version=s->version; s->rwstate=SSL_NOTHING; s->rstate=SSL_ST_READ_HEADER; +#if 0 s->read_ahead=s->ctx->read_ahead; +#endif if (s->init_buf != NULL) { @@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1; s->options=ctx->options; s->mode=ctx->mode; + s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */ SSL_clear(s); CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data); diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index d70fff4627d6..bc9c69914331 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef HEADER_SSL_LOCL_H #define HEADER_SSL_LOCL_H @@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); -int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len); +int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, const char *sender, int slen,unsigned char *p); diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 416def8908e8..7064262def86 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->session != NULL) SSL_SESSION_free(s->session); s->session=session; + s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ ret=1; } diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index 480e4bc807cf..8b353795cdf8 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -191,7 +191,7 @@ test_bn: @./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @bc tmp.bntest 2>&1 | $(PERL) -e 'while () {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"' + @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) diff --git a/crypto/openssl/test/bctest b/crypto/openssl/test/bctest new file mode 100755 index 000000000000..6fa0663bb008 --- /dev/null +++ b/crypto/openssl/test/bctest @@ -0,0 +1,84 @@ +#!/bin/sh + +# This script is used by test/Makefile.ssl to check whether a sane 'bc' +# is installed. +# ('make test_bn' should not try to run 'bc' if it does not exist or if +# it is a broken 'bc' version that is known to cause trouble.) +# +# If 'bc' works, we also test if it knows the 'print' command. +# +# In any case, output an appropriate command line for running (or not +# running) bc. + + +# Test for SunOS 5.[78] bc bug (or missing bc) +if [ 0 != "`bc <<\EOF +obase=16 +ibase=16 +a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\ +CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\ +10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\ +C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\ +3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\ +4FC3CADF855448B24A9D7640BCF473E +b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\ +9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\ +8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\ +3ED0E2017D60A68775B75481449 +(a/b)*b + (a%b) - a +EOF`" ] +then + echo "bc does not work. Consider installing GNU bc." >&2 + echo "cat >/dev/null" + exit 1 +fi + + +# Test for SCO bc bug. +if [ "0 +0" != "`bc <<\EOF +obase=16 +ibase=16 +-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\ +9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\ +11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\ +1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\ +AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\ +F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\ +B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\ +02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\ +85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\ +A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\ +E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\ +8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\ +04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\ +89C8D71 +AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\ +928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\ +8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\ +37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\ +E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\ +F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\ +9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\ +D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\ +5296964 +EOF`" ] +then + echo "bc does not work. Consider installing GNU bc." >&2 + echo "cat >/dev/null" + exit 1 +fi + + +# bc works, good. +# Now check if it knows the 'print' command. +if [ "OK" = "`bc 2>/dev/null <<\EOF +print \"OK\" +EOF`" ] +then + echo "bc" +else + echo "sed 's/print.*//' | bc" +fi + +exit 0 diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index 3a72228d6acb..9f0f5988601a 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:DSA -EVP_dss1 313 EXIST::FUNCTION:DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION: PKCS7_cert_from_signer_info 939 EXIST::FUNCTION: PKCS7_get_signer_info 940 EXIST::FUNCTION: EVP_delete_alias 941 NOEXIST::FUNCTION: -EVP_mdc2 942 EXIST::FUNCTION: +EVP_mdc2 942 EXIST::FUNCTION:MDC2 PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index 0ac793555c12..8ec1d07989a9 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-rc4$/) { $no_rc4=1; } elsif (/^no-rc5$/) { $no_rc5=1; } elsif (/^no-idea$/) { $no_idea=1; } - elsif (/^no-des$/) { $no_des=1; } + elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; } elsif (/^no-bf$/) { $no_bf=1; } elsif (/^no-cast$/) { $no_cast=1; } elsif (/^no-md2$/) { $no_md2=1; } @@ -704,7 +704,8 @@ EOF } else { (my $n, my $i) = split /\\/, $nums{$s}; my %pf = (); - my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1)); + my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1)); + my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1)); # @p_purged must contain hardware platforms only my @p_purged = (); foreach $ptmp (@p) { @@ -726,7 +727,26 @@ EOF || (!$negatives && ($rsaref || !grep(/^RSAREF$/,@p))) || ($negatives - && (!$rsaref || !grep(/^!RSAREF$/,@p))))) { + && (!$rsaref || !grep(/^!RSAREF$/,@p)))) + && (!@a || (!$no_rc2 || !grep(/^RC2$/,@a))) + && (!@a || (!$no_rc4 || !grep(/^RC4$/,@a))) + && (!@a || (!$no_rc5 || !grep(/^RC5$/,@a))) + && (!@a || (!$no_idea || !grep(/^IDEA$/,@a))) + && (!@a || (!$no_des || !grep(/^DES$/,@a))) + && (!@a || (!$no_bf || !grep(/^BF$/,@a))) + && (!@a || (!$no_cast || !grep(/^CAST$/,@a))) + && (!@a || (!$no_md2 || !grep(/^MD2$/,@a))) + && (!@a || (!$no_md4 || !grep(/^MD4$/,@a))) + && (!@a || (!$no_md5 || !grep(/^MD5$/,@a))) + && (!@a || (!$no_sha || !grep(/^SHA$/,@a))) + && (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a))) + && (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a))) + && (!@a || (!$no_rsa || !grep(/^RSA$/,@a))) + && (!@a || (!$no_dsa || !grep(/^DSA$/,@a))) + && (!@a || (!$no_dh || !grep(/^DH$/,@a))) + && (!@a || (!$no_hmac || !grep(/^HMAC$/,@a))) + && (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a))) + ) { printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n; # } else { # print STDERR "DEBUG: \"$sym\" (@p):", -- cgit v1.2.3