diff options
| author | Jacques Vidrine <nectar@FreeBSD.org> | 2003-02-20 20:42:20 +0000 |
|---|---|---|
| committer | Jacques Vidrine <nectar@FreeBSD.org> | 2003-02-20 20:42:20 +0000 |
| commit | 4c8f8cd8d03cbebf9043e936aa6bf87f6f89fb3c (patch) | |
| tree | 21a67fc006bb551b102c9f2f1464dafe08bee19b /crypto | |
| parent | ff40e40b779e0d47da83d2059457f138bf0ba8e6 (diff) | |
Notes
Diffstat (limited to 'crypto')
264 files changed, 1596 insertions, 771 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 75ebac55bf53..cf7444a1a9c3 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,87 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] + + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) + + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] + + *) New function OPENSSL_cleanse(), which is used to cleanse a section of + memory from it's contents. This is done with a counter that will + place alternating values in each byte. This can be used to solve + two issues: 1) the removal of calls to memset() by highly optimizing + compilers, and 2) cleansing with other values than 0, since those can + be read through on certain media, for example a swap space on disk. + [Geoff Thorpe] + + *) Bugfix: client side session caching did not work with external caching, + because the session->cipher setting was not restored when reloading + from the external cache. This problem was masked, when + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. + (Found by Steve Haslam <steve@araqnid.ddts.net>.) + [Lutz Jaenicke] + + *) Fix client_certificate (ssl/s2_clnt.c): The permissible total + length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. + [Zeev Lieber <zeev-l@yahoo.com>] + + *) Undo an undocumented change introduced in 0.9.6e which caused + repeated calls to OpenSSL_add_all_ciphers() and + OpenSSL_add_all_digests() to be ignored, even after calling + EVP_cleanup(). + [Richard Levitte] + + *) Change the default configuration reader to deal with last line not + being properly terminated. + [Richard Levitte] + + *) Change X509_NAME_cmp() so it applies the special rules on handling + DN values that are of type PrintableString, as well as RDNs of type + emailAddress where the value has the type ia5String. + [stefank@valicert.com via Richard Levitte] + + *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half + the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently + doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be + the bitwise-OR of the two for use by the majority of applications + wanting this behaviour, and update the docs. The documented + behaviour and actual behaviour were inconsistent and had been + changing anyway, so this is more a bug-fix than a behavioural + change. + [Geoff Thorpe, diagnosed by Nadav Har'El] + + *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c + (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). + [Bodo Moeller] + + *) Fix initialization code race conditions in + SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), + SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), + SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), + TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), + ssl2_get_cipher_by_char(), + ssl3_get_cipher_by_char(). + [Patrick McCormick <patrick@tellme.com>, Bodo Moeller] + + *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after + the cached sessions are flushed, as the remove_cb() might use ex_data + contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com> + (see [openssl.org #212]). + [Geoff Thorpe, Lutz Jaenicke] + + *) Fix typo in OBJ_txt2obj which incorrectly passed the content + length, instead of the encoding length to d2i_ASN1_OBJECT. + [Steve Henson] + Changes between 0.9.6f and 0.9.6g [9 Aug 2002] *) [In 0.9.6g-engine release:] @@ -23,6 +104,12 @@ Changes between 0.9.6d and 0.9.6e [30 Jul 2002] + *) Add various sanity checks to asn1_get_length() to reject + the ASN1 length bytes if they exceed sizeof(long), will appear + negative or the content length exceeds the length of the + supplied buffer. + [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] + *) Fix cipher selection routines: ciphers without encryption had no flags for the cipher strength set and where therefore not handled correctly by the selection routines (PR #130). @@ -54,7 +141,7 @@ *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the - supplied buffer. + supplied buffer. (CAN-2002-0659) [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>] *) Assertions for various potential buffer overflows, not known to @@ -159,8 +246,8 @@ value is 0. [Richard Levitte] - *) [In 0.9.6c-engine release:] - Fix a crashbug and a logic bug in hwcrhk_load_pubkey() + *) [In 0.9.6d-engine release:] + Fix a crashbug and a logic bug in hwcrhk_load_pubkey(). [Toomas Kiisk <vix@cyber.ee> via Richard Levitte] *) Add the configuration target linux-s390x. diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 15cfbaa0331b..672f9d858bbe 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -122,7 +122,7 @@ my %table=( "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn", +"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown):::::", # Basic configs that should work on any (32 and less bit) box @@ -395,7 +395,7 @@ my %table=( "aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", "aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", -"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-gcc", "gcc:-O1 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", # # Cray T90 and similar (SDSC) @@ -477,7 +477,7 @@ my %table=( # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32", -"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll", +"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=i486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll", # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at> "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::", @@ -495,12 +495,18 @@ my %table=( "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", "darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", +##### A/UX +"aux3-gcc","gcc:-O2 -DTERMIO::(unknown):-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", + ##### Sony NEWS-OS 4.x "newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::", ##### VxWorks for various targets "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DVXWORKS -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::-r:::::", +##### Compaq Non-Stop Kernel (Tandem) +"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown)::THIRTY_TWO_BIT:::", + ); my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 @@ -577,6 +583,7 @@ my $libs; my $target; my $options; my $symlink; +my $make_depend=0; my @argvcopy=@ARGV; my $argvstring=""; @@ -619,7 +626,7 @@ PROCESS_ARGS: { $threads=1; } elsif (/^no-shared$/) { $no_shared=1; } - elsif (/^shared$/) + elsif (/^shared$/ || /^-shared$/ || /^--shared$/) { $no_shared=0; } elsif (/^no-symlinks$/) { $symlink=0; } @@ -1188,11 +1195,13 @@ if($IsWindows) { EOF close(OUT); } else { - (system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $? - if $symlink; - ### (system 'make depend') == 0 or exit $? if $depflags ne ""; - # Run "make depend" manually if you want to be able to delete - # the source code files of ciphers you left out. + my $make_command = "make -f Makefile.ssl PERL=\'$perl\'"; + my $make_targets = ""; + $make_targets .= " links" if $symlink; + $make_targets .= " depend" if $depflags ne "" && $make_depend; + $make_targets .= " gentests" if $symlink; + (system $make_command.$make_targets) == 0 or exit $? + if $make_targets ne ""; if ( $perl =~ m@^/@) { &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";'); &dofile("apps/der_chop",$perl,'^#!/', '#!%s'); @@ -1202,6 +1211,15 @@ EOF &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";'); &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s'); &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); + } + if ($depflags ne "" && !$make_depend) { + print <<EOF; + +Since you've disabled at least one algorithm, you need to do the following +before building: + + make depend +EOF } } diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index f9cd7d2820a9..e2e7adf46a5a 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -9,6 +9,7 @@ OpenSSL - Frequently Asked Questions * Where can I get a compiled version of OpenSSL? * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? +* How do I check the authenticity of the OpenSSL distribution? [LEGAL] Legal questions @@ -35,6 +36,7 @@ OpenSSL - Frequently Asked Questions * Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? +* Why does the OpenSSL test fail with "bc: stack empty"? * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? * Why does the OpenSSL compilation fail on Win32 with VC++? @@ -61,7 +63,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.6g was released on 9 August 2002. +OpenSSL 0.9.7a was released on February 19, 2003. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -132,6 +134,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With version 0.9.7 (not yet released) the changes were merged into the main development line, so that the special release is no longer necessary. +* How do I check the authenticity of the OpenSSL distribution? + +We provide MD5 digests and ASC signatures of each tarball. +Use MD5 to check that a tarball from a mirror site is identical: + + md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5 + +You can check authenticity using pgp or gpg. You need the OpenSSL team +member public key used to sign it (download it from a key server). Then +just do: + + pgp TARBALL.asc + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? @@ -169,18 +184,30 @@ for permission to use their software with OpenSSL. Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness -device" that serves this purpose. On other systems, applications have -to call the RAND_add() or RAND_seed() function with appropriate data -before generating keys or performing public key encryption. -(These functions initialize the pseudo-random number generator, PRNG.) +device" (/dev/urandom or /dev/random) that serves this purpose. +All OpenSSL versions try to use /dev/urandom by default; starting with +version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not +available. + +On other systems, applications have to call the RAND_add() or +RAND_seed() function with appropriate data before generating keys or +performing public key encryption. (These functions initialize the +pseudo-random number generator, PRNG.) Some broken applications do +not do this. As of version 0.9.5, the OpenSSL functions that need +randomness report an error if the random number generator has not been +seeded with at least 128 bits of randomness. If this error occurs and +is not discussed in the documentation of the application you are +using, please contact the author of that application; it is likely +that it never worked correctly. OpenSSL 0.9.5 and later make the +error visible by refusing to perform potentially insecure encryption. -Some broken applications do not do this. As of version 0.9.5, the -OpenSSL functions that need randomness report an error if the random -number generator has not been seeded with at least 128 bits of -randomness. If this error occurs, please contact the author of the -application you are using. It is likely that it never worked -correctly. OpenSSL 0.9.5 and later make the error visible by refusing -to perform potentially insecure encryption. +If you are using Solaris 8, you can add /dev/urandom and /dev/random +devices by installing patch 112438 (Sparc) or 112439 (x86), which are +available via the Patchfinder at <URL: http://sunsolve.sun.com> +(Solaris 9 includes these devices by default). For /dev/random support +for earlier Solaris versions, see Sun's statement at +<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski> +(the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for @@ -213,16 +240,6 @@ OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested -installing the SUNski package from Sun patch 105710-01 (Sparc) which -adds a /dev/random device and make sure it gets used, usually through -$RANDFILE. There are probably similar patches for the other Solaris -versions. An official statement from Sun with respect to /dev/random -support can be found at - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski -However, be warned that /dev/random is usually a blocking device, which -may have some effects on OpenSSL. - * Why do I get an "unable to write 'random state'" error message? @@ -392,6 +409,17 @@ and compile/install it. GNU bc (see http://www.gnu.org/software/software.html for download instructions) can be safely used, for example. +* Why does the OpenSSL test fail with "bc: stack empty"? + +On some DG/ux versions, bc seems to have a too small stack for calculations +that the OpenSSL bntest throws at it. This gets triggered when you run the +test suite (using "make test"). The message returned is "bc: stack empty". + +The best way to deal with this is to find another implementation of bc +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +for download instructions) can be safely used, for example. + + * Why does the OpenSSL compilation fail on Alpha Tru64 Unix? On some Alpha installations running Tru64 Unix and Compaq C, the compilation diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL index 75a843b15f4e..e78e283a9876 100644 --- a/crypto/openssl/INSTALL +++ b/crypto/openssl/INSTALL @@ -129,8 +129,8 @@ standard headers). If it is a problem with OpenSSL itself, please report the problem to <openssl-bugs@openssl.org> (note that your message will be recorded in the request tracker publicly readable - via http://www.openssl.org/rt2.html and will be forwarded to a public - mailing list). Include the output of "make report" in your message. + via http://www.openssl.org/support/rt2.html and will be forwarded to a + public mailing list). Include the output of "make report" in your message. Please check out the request tracker. Maybe the bug was already reported or has already been fixed. @@ -151,7 +151,7 @@ in Makefile.ssl and run "make clean; make". Please send a bug report to <openssl-bugs@openssl.org>, including the output of "make report" in order to be added to the request tracker at - http://www.openssl.org/rt2.html. + http://www.openssl.org/support/rt2.html. 4. If everything tests ok, install OpenSSL with @@ -285,3 +285,15 @@ targets for shared library creation, like linux-shared. Those targets can currently be used on their own just as well, but this is expected to change in future versions of OpenSSL. + + Note on random number generation + -------------------------------- + + Availability of cryptographically secure random numbers is required for + secret key generation. OpenSSL provides several options to seed the + internal PRNG. If not properly seeded, the internal PRNG will refuse + to deliver random bytes and a "PRNG not seeded error" will occur. + On systems without /dev/urandom (or similar) device, it may be necessary + to install additional support software to obtain random seed. + Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(), + and the FAQ for more information. diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index 56e11a144b72..cdf2d1b69032 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -270,9 +270,7 @@ do_gnu-shared: done DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \ - collect2=`gcc -print-prog-name=collect2 2>&1` && \ - [ -n "$$collect2" ] && \ - my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \ + my_ld=`${CC} -print-prog-name=ld 2>&1` && \ [ -n "$$my_ld" ] && \ $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1 @@ -529,6 +527,10 @@ links: fi; \ done; +gentests: + @(cd test && echo "generating dummy tests (if needed)..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate ); + dclean: rm -f *.bak @for i in $(DIRS) ;\ @@ -610,6 +612,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_ # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. tar: + find . -type d -print | xargs chmod 755 + find . -type f -print | xargs chmod a+r + find . -type f -perm -0100 -print | xargs chmod a+x find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ @@ -652,9 +657,10 @@ install: all install_docs do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done @if [ -n "$(SHARED_LIBS)" ]; then \ @@ -664,14 +670,17 @@ install: all install_docs if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib/cyg/'`; \ - cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ + cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ + cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ @@ -687,13 +696,13 @@ install_docs: $(INSTALL_PREFIX)$(MANDIR)/man3 \ $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 - @pod2man=`cd util; ./pod2mantest ignore`; \ + @pod2man="`cd util; ./pod2mantest $(PERL)`"; \ for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$(PERL) $$pod2man \ + sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ @@ -703,7 +712,7 @@ install_docs: if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$(PERL) $$pod2man \ + sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 43b5ac39582b..0d31698695b3 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -4,23 +4,23 @@ ## Makefile for OpenSSL ## -VERSION=0.9.6g +VERSION=0.9.6i MAJOR=0 MINOR=9.6 SHLIB_VERSION_NUMBER=0.9.6 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.6 -SHLIB_EXT= -PLATFORM=dist -OPTIONS= -CONFIGURE_ARGS=dist -SHLIB_TARGET= +SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +PLATFORM=FreeBSD-elf +OPTIONS=386 +CONFIGURE_ARGS=FreeBSD-elf 386 +SHLIB_TARGET=bsd-gcc-shared # INSTALL_PREFIX is for package builders so that they can configure # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. -INSTALL_PREFIX= +INSTALL_PREFIX=/var/tmp/ssl INSTALLTOP=/usr/local/ssl # Do not edit this manually. Use Configure --openssldir=DIR do change this! @@ -55,21 +55,21 @@ OPENSSLDIR=/usr/local/ssl # equal 4. # PKCS1_CHECK - pkcs1 tests. -CC= cc +CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -CFLAG= -O +CFLAG= -fPIC -DTHREADS -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM DEPFLAG= PEX_LIBS= EX_LIBS= EXE_EXT= AR=ar r RANLIB= /usr/bin/ranlib -PERL= /usr/local/bin/perl +PERL= /usr/local/bin/perl5 TAR= tar TARFLAGS= --no-recursion # Set BN_ASM to bn_asm.o if you want to use the C version -BN_ASM= bn_asm.o +BN_ASM= asm/bn86-elf.o asm/co86-elf.o #BN_ASM= bn_asm.o #BN_ASM= asm/bn86-elf.o # elf, linux-elf #BN_ASM= asm/bn86-sol.o # solaris @@ -85,11 +85,11 @@ BN_ASM= bn_asm.o # For x86 assembler: Set PROCESSOR to 386 if you want to support # the 80386. -PROCESSOR= +PROCESSOR= 386 # Set DES_ENC to des_enc.o if you want to use the C version #There are 4 x86 assember options. -DES_ENC= des_enc.o fcrypt_b.o +DES_ENC= asm/dx86-elf.o asm/yx86-elf.o #DES_ENC= des_enc.o fcrypt_b.o # C #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf #DES_ENC= asm/dx86-sol.o asm/yx86-sol.o # solaris @@ -98,7 +98,7 @@ DES_ENC= des_enc.o fcrypt_b.o # Set BF_ENC to bf_enc.o if you want to use the C version #There are 4 x86 assember options. -BF_ENC= bf_enc.o +BF_ENC= asm/bx86-elf.o #BF_ENC= bf_enc.o #BF_ENC= asm/bx86-elf.o # elf #BF_ENC= asm/bx86-sol.o # solaris @@ -107,7 +107,7 @@ BF_ENC= bf_enc.o # Set CAST_ENC to c_enc.o if you want to use the C version #There are 4 x86 assember options. -CAST_ENC= c_enc.o +CAST_ENC= asm/cx86-elf.o #CAST_ENC= c_enc.o #CAST_ENC= asm/cx86-elf.o # elf #CAST_ENC= asm/cx86-sol.o # solaris @@ -116,7 +116,7 @@ CAST_ENC= c_enc.o # Set RC4_ENC to rc4_enc.o if you want to use the C version #There are 4 x86 assember options. -RC4_ENC= rc4_enc.o +RC4_ENC= asm/rx86-elf.o #RC4_ENC= rc4_enc.o #RC4_ENC= asm/rx86-elf.o # elf #RC4_ENC= asm/rx86-sol.o # solaris @@ -125,7 +125,7 @@ RC4_ENC= rc4_enc.o # Set RC5_ENC to rc5_enc.o if you want to use the C version #There are 4 x86 assember options. -RC5_ENC= rc5_enc.o +RC5_ENC= asm/r586-elf.o #RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586-elf.o # elf #RC5_ENC= asm/r586-sol.o # solaris @@ -133,21 +133,21 @@ RC5_ENC= rc5_enc.o #RC5_ENC= asm/r586bsdi.o # bsdi # Also need MD5_ASM defined -MD5_ASM_OBJ= +MD5_ASM_OBJ= asm/mx86-elf.o #MD5_ASM_OBJ= asm/mx86-elf.o # elf #MD5_ASM_OBJ= asm/mx86-sol.o # solaris #MD5_ASM_OBJ= asm/mx86-out.o # a.out, FreeBSD #MD5_ASM_OBJ= asm/mx86bsdi.o # bsdi # Also need SHA1_ASM defined -SHA1_ASM_OBJ= +SHA1_ASM_OBJ= asm/sx86-elf.o #SHA1_ASM_OBJ= asm/sx86-elf.o # elf #SHA1_ASM_OBJ= asm/sx86-sol.o # solaris #SHA1_ASM_OBJ= asm/sx86-out.o # a.out, FreeBSD #SHA1_ASM_OBJ= asm/sx86bsdi.o # bsdi # Also need RMD160_ASM defined -RMD160_ASM_OBJ= +RMD160_ASM_OBJ= asm/rm86-elf.o #RMD160_ASM_OBJ= asm/rm86-elf.o # elf #RMD160_ASM_OBJ= asm/rm86-sol.o # solaris #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD @@ -184,7 +184,7 @@ LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= -SHARED_LIBS_LINK_EXTS= +SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so SHARED_LDFLAGS= GENERAL= Makefile @@ -272,9 +272,7 @@ do_gnu-shared: done DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \ - collect2=`gcc -print-prog-name=collect2 2>&1` && \ - [ -n "$$collect2" ] && \ - my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \ + my_ld=`${CC} -print-prog-name=ld 2>&1` && \ [ -n "$$my_ld" ] && \ $$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1 @@ -531,6 +529,10 @@ links: fi; \ done; +gentests: + @(cd test && echo "generating dummy tests (if needed)..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate ); + dclean: rm -f *.bak @for i in $(DIRS) ;\ @@ -612,6 +614,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_ # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. tar: + find . -type d -print | xargs chmod 755 + find . -type f -print | xargs chmod a+r + find . -type f -perm -0100 -print | xargs chmod a+x find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ tardy --user_number=0 --user_name=openssl \ @@ -654,9 +659,10 @@ install: all install_docs do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done @if [ -n "$(SHARED_LIBS)" ]; then \ @@ -666,14 +672,17 @@ install: all install_docs if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib/cyg/'`; \ - cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ + cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ + cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ @@ -689,13 +698,13 @@ install_docs: $(INSTALL_PREFIX)$(MANDIR)/man3 \ $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 - @pod2man=`cd util; ./pod2mantest ignore`; \ + @pod2man="`cd util; ./pod2mantest $(PERL)`"; \ for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$(PERL) $$pod2man \ + sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ @@ -705,7 +714,7 @@ install_docs: if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ (cd `$(PERL) util/dirname.pl $$i`; \ - sh -c "$(PERL) $$pod2man \ + sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 577db09cff5e..8a4bb3597c5f 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,24 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: + + o Important security related bugfixes. + + Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: + + o New configuration targets for Tandem OSS and A/UX. + o New OIDs for Microsoft attributes. + o Better handling of SSL session caching. + o Better comparison of distinguished names. + o Better handling of shared libraries in a mixed GNU/non-GNU environment. + o Support assembler code with Borland C. + o Fixes for length problems. + o Fixes for uninitialised variables. + o Fixes for memory leaks, some unusual crashes and some race conditions. + o Fixes for smaller building problems. + o Updates of manuals, FAQ and other instructive documents. + Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: o Important building fixes on Unix. diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS index 7e6af8ad4d87..5cb7f87de6b4 100644 --- a/crypto/openssl/PROBLEMS +++ b/crypto/openssl/PROBLEMS @@ -40,3 +40,19 @@ scripts use the same name for output and input files, which means different will interfere with each other and lead to test failure. The solution is simple for now: don't run parallell make when testing. + + +* Bugs in gcc 3.0 triggered + +According to a problem report, there are bugs in gcc 3.0 that are +triggered by some of the code in OpenSSL, more specifically in +PEM_get_EVP_CIPHER_INFO(). The triggering code is the following: + + header+=11; + if (*header != '4') return(0); header++; + if (*header != ',') return(0); header++; + +What happens is that gcc might optimize a little too agressively, and +you end up with an extra incrementation when *header != '4'. + +We recommend that you upgrade gcc to as high a 3.x version as you can. diff --git a/crypto/openssl/README b/crypto/openssl/README index da9015331f68..62e311837cce 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,7 +1,7 @@ - OpenSSL 0.9.6g 9 August 2002 + OpenSSL 0.9.6i Feb 19 2003 - Copyright (c) 1998-2002 The OpenSSL Project + Copyright (c) 1998-2003 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl index f1ac7e772690..2f7655288728 100755 --- a/crypto/openssl/apps/CA.pl +++ b/crypto/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 0b3208f0de82..3b74fc96bbcb 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -117,7 +117,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -128,10 +128,10 @@ clean: rm -f req $(DLIBSSL): - (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') + (cd ..; $(MAKE) DIRS=ssl all) $(DLIBCRYPTO): - (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') + (cd ..; $(MAKE) DIRS=crypto all) $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(PROGRAM) diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h index 82587b977056..1c6956a2882c 100644 --- a/crypto/openssl/apps/apps.h +++ b/crypto/openssl/apps/apps.h @@ -92,8 +92,10 @@ int WIN32_rename(char *oldname,char *newname); #define MAIN(a,v) main(a,v) #ifndef NON_MAIN +LHASH *config=NULL; BIO *bio_err=NULL; #else +extern LHASH *config; extern BIO *bio_err; #endif diff --git a/crypto/openssl/apps/asn1pars.c b/crypto/openssl/apps/asn1pars.c index 5339166e0885..8cc13ee2d113 100644 --- a/crypto/openssl/apps/asn1pars.c +++ b/crypto/openssl/apps/asn1pars.c @@ -328,6 +328,6 @@ end: if (at != NULL) ASN1_TYPE_free(at); if (osk != NULL) sk_free(osk); OBJ_cleanup(); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 0618bb566086..b8487208c6d2 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -543,7 +543,7 @@ bad: goto err; } pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key); - if(key) memset(key,0,strlen(key)); + if(key) OPENSSL_cleanse(key,strlen(key)); if (pkey == NULL) { BIO_printf(bio_err,"unable to load CA private key\n"); @@ -606,12 +606,14 @@ bad: that to access(). However, time's too short to do that just now. */ +#ifndef VXWORKS if (access(outdir,R_OK|W_OK|X_OK) != 0) { BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir); perror(outdir); goto err; } +#endif if (stat(outdir,&sb) != 0) { @@ -829,9 +831,14 @@ bad: } if (verbose) { - if ((f=BN_bn2hex(serial)) == NULL) goto err; - BIO_printf(bio_err,"next serial number is %s\n",f); - OPENSSL_free(f); + if (BN_is_zero(serial)) + BIO_printf(bio_err,"next serial number is 00\n"); + else + { + if ((f=BN_bn2hex(serial)) == NULL) goto err; + BIO_printf(bio_err,"next serial number is %s\n",f); + OPENSSL_free(f); + } } if ((attribs=CONF_get_section(conf,policy)) == NULL) @@ -1275,7 +1282,7 @@ err: X509_CRL_free(crl); CONF_free(conf); OBJ_cleanup(); - EXIT(ret); + OPENSSL_EXIT(ret); } static void lookup_fail(char *name, char *tag) @@ -1340,7 +1347,7 @@ static BIGNUM *load_serial(char *serialfile) ret=ASN1_INTEGER_to_BN(ai,NULL); if (ret == NULL) { - BIO_printf(bio_err,"error converting number from bin to BIGNUM"); + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); goto err; } err: @@ -1728,7 +1735,10 @@ again2: BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n"); row[DB_name]=X509_NAME_oneline(subject,NULL,0); - row[DB_serial]=BN_bn2hex(serial); + if (BN_is_zero(serial)) + row[DB_serial]=BUF_strdup("00"); + else + row[DB_serial]=BN_bn2hex(serial); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { BIO_printf(bio_err,"Memory allocation failure\n"); @@ -2142,7 +2152,10 @@ static int do_revoke(X509 *x509, TXT_DB *db) row[i]=NULL; row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL); - row[DB_serial]=BN_bn2hex(bn); + if (BN_is_zero(bn)) + row[DB_serial]=BUF_strdup("00"); + else + row[DB_serial]=BN_bn2hex(bn); BN_free(bn); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { diff --git a/crypto/openssl/apps/ciphers.c b/crypto/openssl/apps/ciphers.c index b6e2f966d86e..0dc30d65e401 100644 --- a/crypto/openssl/apps/ciphers.c +++ b/crypto/openssl/apps/ciphers.c @@ -202,6 +202,6 @@ end: if (ctx != NULL) SSL_CTX_free(ctx); if (ssl != NULL) SSL_free(ssl); if (STDout != NULL) BIO_free_all(STDout); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/crl.c b/crypto/openssl/apps/crl.c index 3b5725f23f2c..648a32ee4cf9 100644 --- a/crypto/openssl/apps/crl.c +++ b/crypto/openssl/apps/crl.c @@ -364,7 +364,7 @@ end: X509_STORE_CTX_cleanup(&ctx); X509_STORE_free(store); } - EXIT(ret); + OPENSSL_EXIT(ret); } static X509_CRL *load_crl(char *infile, int format) diff --git a/crypto/openssl/apps/crl2p7.c b/crypto/openssl/apps/crl2p7.c index 7f853b65ab2b..3ef55dd2bb4e 100644 --- a/crypto/openssl/apps/crl2p7.c +++ b/crypto/openssl/apps/crl2p7.c @@ -166,7 +166,7 @@ bad: BIO_printf(bio_err," -certfile arg certificates file of chain to a trusted CA\n"); BIO_printf(bio_err," (can be used more than once)\n"); BIO_printf(bio_err," -nocrl no crl to load, just certs from '-certfile'\n"); - EXIT(1); + OPENSSL_EXIT(1); } ERR_load_crypto_strings(); @@ -278,7 +278,7 @@ end: if (p7 != NULL) PKCS7_free(p7); if (crl != NULL) X509_CRL_free(crl); - EXIT(ret); + OPENSSL_EXIT(ret); } /* diff --git a/crypto/openssl/apps/der_chop b/crypto/openssl/apps/der_chop index 9070b032fc38..fbd2889842e2 100644 --- a/crypto/openssl/apps/der_chop +++ b/crypto/openssl/apps/der_chop @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support diff --git a/crypto/openssl/apps/dgst.c b/crypto/openssl/apps/dgst.c index 482b0238571e..e339811365c0 100644 --- a/crypto/openssl/apps/dgst.c +++ b/crypto/openssl/apps/dgst.c @@ -327,7 +327,7 @@ int MAIN(int argc, char **argv) end: if (buf != NULL) { - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); OPENSSL_free(buf); } if (in != NULL) BIO_free(in); @@ -335,7 +335,7 @@ end: EVP_PKEY_free(sigkey); if(sigbuf) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); - EXIT(err); + OPENSSL_EXIT(err); } void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c index 7465442e49f1..ee2514a07ea1 100644 --- a/crypto/openssl/apps/dh.c +++ b/crypto/openssl/apps/dh.c @@ -319,6 +319,6 @@ end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c index 5f9b60148d6f..baf0d3302aac 100644 --- a/crypto/openssl/apps/dhparam.c +++ b/crypto/openssl/apps/dhparam.c @@ -506,7 +506,7 @@ end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); - EXIT(ret); + OPENSSL_EXIT(ret); } /* dh_cb is identical to dsa_cb in apps/dsaparam.c */ diff --git a/crypto/openssl/apps/dsa.c b/crypto/openssl/apps/dsa.c index 7c4a46f78eae..04efe16b5836 100644 --- a/crypto/openssl/apps/dsa.c +++ b/crypto/openssl/apps/dsa.c @@ -293,6 +293,6 @@ end: if(dsa != NULL) DSA_free(dsa); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c index 0c2529e2859a..ea29b0cf65af 100644 --- a/crypto/openssl/apps/dsaparam.c +++ b/crypto/openssl/apps/dsaparam.c @@ -357,7 +357,7 @@ end: if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK dsa_cb(int p, int n, void *arg) diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index e37536324213..397b0e9c12ea 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -506,9 +506,9 @@ bad: * bug picked up by * Larry J. Hughes Jr. <hughes@indiana.edu> */ if (str == strbuf) - memset(str,0,SIZE); + OPENSSL_cleanse(str,SIZE); else - memset(str,0,strlen(str)); + OPENSSL_cleanse(str,strlen(str)); } if ((hiv != NULL) && !set_hex(hiv,iv,8)) { @@ -604,7 +604,7 @@ end: if (benc != NULL) BIO_free(benc); if (b64 != NULL) BIO_free(b64); if(pass) OPENSSL_free(pass); - EXIT(ret); + OPENSSL_EXIT(ret); } int set_hex(char *in, unsigned char *out, int size) diff --git a/crypto/openssl/apps/errstr.c b/crypto/openssl/apps/errstr.c index e392328f93d2..de7d5fd6501a 100644 --- a/crypto/openssl/apps/errstr.c +++ b/crypto/openssl/apps/errstr.c @@ -121,5 +121,5 @@ int MAIN(int argc, char **argv) ret++; } } - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c index e0c7889a31e1..f02f87d17b3d 100644 --- a/crypto/openssl/apps/gendh.c +++ b/crypto/openssl/apps/gendh.c @@ -184,7 +184,7 @@ end: ERR_print_errors(bio_err); if (out != NULL) BIO_free_all(out); if (dh != NULL) DH_free(dh); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK dh_cb(int p, int n, void *arg) diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c index 6022d8f1427a..4abd7786b1b8 100644 --- a/crypto/openssl/apps/gendsa.c +++ b/crypto/openssl/apps/gendsa.c @@ -220,6 +220,6 @@ end: if (out != NULL) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); if(passout) OPENSSL_free(passout); - EXIT(ret); + OPENSSL_EXIT(ret); } #endif diff --git a/crypto/openssl/apps/genrsa.c b/crypto/openssl/apps/genrsa.c index ac0b709e7af9..1f0f2d780942 100644 --- a/crypto/openssl/apps/genrsa.c +++ b/crypto/openssl/apps/genrsa.c @@ -224,7 +224,7 @@ err: if(passout) OPENSSL_free(passout); if (ret != 0) ERR_print_errors(bio_err); - EXIT(ret); + OPENSSL_EXIT(ret); } static void MS_CALLBACK genrsa_cb(int p, int n, void *arg) diff --git a/crypto/openssl/apps/nseq.c b/crypto/openssl/apps/nseq.c index 1d73d1ad5231..da5277d4c441 100644 --- a/crypto/openssl/apps/nseq.c +++ b/crypto/openssl/apps/nseq.c @@ -102,7 +102,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-in file input file\n"); BIO_printf (bio_err, "-out file output file\n"); BIO_printf (bio_err, "-toseq output NS Sequence file\n"); - EXIT(1); + OPENSSL_EXIT(1); } if (infile) { @@ -162,6 +162,6 @@ end: BIO_free_all(out); NETSCAPE_CERT_SEQUENCE_free(seq); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/openssl.c b/crypto/openssl/apps/openssl.c index 24450ddb71f4..95e1e00a8d04 100644 --- a/crypto/openssl/apps/openssl.c +++ b/crypto/openssl/apps/openssl.c @@ -77,11 +77,11 @@ static unsigned long MS_CALLBACK hash(FUNCTION *a); static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b); static LHASH *prog_init(void ); static int do_cmd(LHASH *prog,int argc,char *argv[]); -LHASH *config=NULL; char *default_config_file=NULL; /* Make sure there is only one when MONOLITH is defined */ #ifdef MONOLITH +LHASH *config=NULL; BIO *bio_err=NULL; #endif @@ -215,7 +215,7 @@ end: BIO_free(bio_err); bio_err=NULL; } - EXIT(ret); + OPENSSL_EXIT(ret); } #define LIST_STANDARD_COMMANDS "list-standard-commands" diff --git a/crypto/openssl/apps/openssl.cnf b/crypto/openssl/apps/openssl.cnf index 2ba3b2aa3935..dbe8cbefe0ea 100644 --- a/crypto/openssl/apps/openssl.cnf +++ b/crypto/openssl/apps/openssl.cnf @@ -2,7 +2,6 @@ # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # -# $FreeBSD$ # This definition stops the following lines choking if HOME isn't # defined. diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c index ea2b089e24a7..eaa90312fc83 100644 --- a/crypto/openssl/apps/passwd.c +++ b/crypto/openssl/apps/passwd.c @@ -284,7 +284,7 @@ err: BIO_free(in); if (out) BIO_free_all(out); - EXIT(ret); + OPENSSL_EXIT(ret); } @@ -498,6 +498,6 @@ err: int MAIN(int argc, char **argv) { fputs("Program not available.\n", stderr) - EXIT(1); + OPENSSL_EXIT(1); } #endif diff --git a/crypto/openssl/apps/pkcs12.c b/crypto/openssl/apps/pkcs12.c index aeba62ea08c9..4e20c0cc369f 100644 --- a/crypto/openssl/apps/pkcs12.c +++ b/crypto/openssl/apps/pkcs12.c @@ -480,9 +480,10 @@ int MAIN(int argc, char **argv) /* Exclude verified certificate */ for (i = 1; i < sk_X509_num (chain2) ; i++) sk_X509_push(certs, sk_X509_value (chain2, i)); - } - sk_X509_free(chain2); - if (vret) { + /* Free first certificate */ + X509_free(sk_X509_value(chain2, 0)); + sk_X509_free(chain2); + } else { BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); goto export_end; @@ -509,8 +510,6 @@ int MAIN(int argc, char **argv) } sk_X509_pop_free(certs, X509_free); certs = NULL; - /* ucert is part of certs so it is already freed */ - ucert = NULL; #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); @@ -598,7 +597,6 @@ int MAIN(int argc, char **argv) if (certs) sk_X509_pop_free(certs, X509_free); if (safes) sk_PKCS7_pop_free(safes, PKCS7_free); if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - if (ucert) X509_free(ucert); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); @@ -668,7 +666,7 @@ int MAIN(int argc, char **argv) if (canames) sk_free(canames); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); - EXIT(ret); + OPENSSL_EXIT(ret); } int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass, diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index a9fff11e5cf9..f100c8d05377 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -154,7 +154,7 @@ bad: BIO_printf(bio_err," -print_certs print any certs or crl in the input\n"); BIO_printf(bio_err," -text print full details of certificates\n"); BIO_printf(bio_err," -noout don't output encoded data\n"); - EXIT(1); + OPENSSL_EXIT(1); } ERR_load_crypto_strings(); @@ -289,5 +289,5 @@ end: if (p7 != NULL) PKCS7_free(p7); if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/pkcs8.c b/crypto/openssl/apps/pkcs8.c index 7b588e433707..926af8675fd0 100644 --- a/crypto/openssl/apps/pkcs8.c +++ b/crypto/openssl/apps/pkcs8.c @@ -236,7 +236,8 @@ int MAIN(int argc, char **argv) if(passout) p8pass = passout; else { p8pass = pass; - EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1); + if (EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1)) + return (1); } app_RAND_load_file(NULL, bio_err, 0); if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c index 04764d7ffb6c..498a802650e3 100644 --- a/crypto/openssl/apps/rand.c +++ b/crypto/openssl/apps/rand.c @@ -144,5 +144,5 @@ err: ERR_print_errors(bio_err); if (out) BIO_free_all(out); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/req.c b/crypto/openssl/apps/req.c index 11c4e5f03fa6..0fb426d9023e 100644 --- a/crypto/openssl/apps/req.c +++ b/crypto/openssl/apps/req.c @@ -422,7 +422,7 @@ bad: if (template != NULL) { - long errline; + long errline = -1; BIO_printf(bio_err,"Using configuration from %s\n",template); req_conf=CONF_load(NULL,template,&errline); @@ -909,7 +909,7 @@ end: #ifndef NO_DSA if (dsa_params != NULL) DSA_free(dsa_params); #endif - EXIT(ex); + OPENSSL_EXIT(ex); } static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, int attribs) diff --git a/crypto/openssl/apps/rsa.c b/crypto/openssl/apps/rsa.c index b4b0651a94bd..f35b6d166e97 100644 --- a/crypto/openssl/apps/rsa.c +++ b/crypto/openssl/apps/rsa.c @@ -389,7 +389,7 @@ end: if(rsa != NULL) RSA_free(rsa); if(passin) OPENSSL_free(passin); if(passout) OPENSSL_free(passout); - EXIT(ret); + OPENSSL_EXIT(ret); } #else /* !NO_RSA */ diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index 9cfe2b15804b..3e2a2953d77b 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c @@ -768,14 +768,14 @@ end: if (con != NULL) SSL_free(con); if (con2 != NULL) SSL_free(con2); if (ctx != NULL) SSL_CTX_free(ctx); - if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); } - if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); } + if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } + if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (bio_c_out != NULL) { BIO_free(bio_c_out); bio_c_out=NULL; } - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index 624dfb5e4198..e6ecafd4ed1e 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -253,10 +253,10 @@ static char **local_argv; static int ebcdic_new(BIO *bi); static int ebcdic_free(BIO *a); static int ebcdic_read(BIO *b, char *out, int outl); -static int ebcdic_write(BIO *b, char *in, int inl); -static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr); +static int ebcdic_write(BIO *b, const char *in, int inl); +static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr); static int ebcdic_gets(BIO *bp, char *buf, int size); -static int ebcdic_puts(BIO *bp, char *str); +static int ebcdic_puts(BIO *bp, const char *str); #define BIO_TYPE_EBCDIC_FILTER (18|0x0200) static BIO_METHOD methods_ebcdic= @@ -321,7 +321,7 @@ static int ebcdic_read(BIO *b, char *out, int outl) return(ret); } -static int ebcdic_write(BIO *b, char *in, int inl) +static int ebcdic_write(BIO *b, const char *in, int inl) { EBCDIC_OUTBUFF *wbuf; int ret=0; @@ -354,7 +354,7 @@ static int ebcdic_write(BIO *b, char *in, int inl) return(ret); } -static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr) +static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret; @@ -373,7 +373,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr) static int ebcdic_gets(BIO *bp, char *buf, int size) { - int i, ret; + int i, ret=0; if (bp->next_bio == NULL) return(0); /* return(BIO_gets(bp->next_bio,buf,size));*/ for (i=0; i<size-1; ++i) @@ -392,7 +392,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size) return (ret < 0 && i == 0) ? ret : i; } -static int ebcdic_puts(BIO *bp, char *str) +static int ebcdic_puts(BIO *bp, const char *str) { if (bp->next_bio == NULL) return(0); return ebcdic_write(bp, str, strlen(str)); @@ -741,7 +741,7 @@ end: BIO_free(bio_s_out); bio_s_out=NULL; } - EXIT(ret); + OPENSSL_EXIT(ret); } static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) @@ -1043,7 +1043,7 @@ err: BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); if (buf != NULL) { - memset(buf,0,bufsize); + OPENSSL_cleanse(buf,bufsize); OPENSSL_free(buf); } if (ret >= 0) @@ -1250,7 +1250,7 @@ static int www_body(char *hostname, int s, unsigned char *context) else { BIO_printf(bio_s_out,"read R BLOCK\n"); -#ifndef MSDOS +#if !defined(MSDOS) && !defined(VXWORKS) sleep(1); #endif continue; diff --git a/crypto/openssl/apps/s_time.c b/crypto/openssl/apps/s_time.c index 2d8e2b24d228..895741d4cde7 100644 --- a/crypto/openssl/apps/s_time.c +++ b/crypto/openssl/apps/s_time.c @@ -116,6 +116,11 @@ #include <sys/param.h> #endif +#ifdef VXWORKS +#include <tickLib.h> +#undef SIGALRM +#endif + /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ @@ -461,7 +466,7 @@ int MAIN(int argc, char **argv) if (tm_cipher == NULL ) { fprintf( stderr, "No CIPHER specified\n" ); -/* EXIT(1); */ +/* OPENSSL_EXIT(1); */ } if (!(perform & 1)) goto next; @@ -628,7 +633,7 @@ end: SSL_CTX_free(tm_ctx); tm_ctx=NULL; } - EXIT(ret); + OPENSSL_EXIT(ret); } /*********************************************************************** diff --git a/crypto/openssl/apps/sess_id.c b/crypto/openssl/apps/sess_id.c index 60cc3f1e496a..cf15006ca72a 100644 --- a/crypto/openssl/apps/sess_id.c +++ b/crypto/openssl/apps/sess_id.c @@ -272,7 +272,7 @@ bad: end: if (out != NULL) BIO_free_all(out); if (x != NULL) SSL_SESSION_free(x); - EXIT(ret); + OPENSSL_EXIT(ret); } static SSL_SESSION *load_sess_id(char *infile, int format) diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index ad3ebadeef25..6ae0c8d6ebf7 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ /* most of this code has been pilfered from my libdes speed.c program */ @@ -691,7 +689,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"\n"); #endif -#ifdef TIMES +#if defined(TIMES) || defined(USE_TOD) BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"Available options:\n"); BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n"); @@ -1414,7 +1412,7 @@ end: if (dsa_key[i] != NULL) DSA_free(dsa_key[i]); #endif - EXIT(mret); + OPENSSL_EXIT(mret); } static void print_message(char *s, long num, int length) diff --git a/crypto/openssl/apps/spkac.c b/crypto/openssl/apps/spkac.c index 459d730a704a..94723a79c359 100644 --- a/crypto/openssl/apps/spkac.c +++ b/crypto/openssl/apps/spkac.c @@ -288,5 +288,5 @@ end: BIO_free(key); EVP_PKEY_free(pkey); if(passin) OPENSSL_free(passin); - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/verify.c b/crypto/openssl/apps/verify.c index 47e602d4a3c6..3ff1c0f9e7d4 100644 --- a/crypto/openssl/apps/verify.c +++ b/crypto/openssl/apps/verify.c @@ -213,7 +213,7 @@ end: if (cert_ctx != NULL) X509_STORE_free(cert_ctx); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); - EXIT(ret); + OPENSSL_EXIT(ret); } static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose) diff --git a/crypto/openssl/apps/version.c b/crypto/openssl/apps/version.c index f5c9adc25471..b67f2d18126c 100644 --- a/crypto/openssl/apps/version.c +++ b/crypto/openssl/apps/version.c @@ -128,5 +128,5 @@ int MAIN(int argc, char **argv) } if (cflags) printf("%s\n",SSLeay_version(SSLEAY_CFLAGS)); end: - EXIT(ret); + OPENSSL_EXIT(ret); } diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index b9b13285f112..d20cf15267fa 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -121,7 +121,7 @@ static char *x509_usage[]={ " -CAkey arg - set the CA key, must be PEM format\n", " missing, it is assumed to be in the CA file.\n", " -CAcreateserial - create serial number file if it does not exist\n", -" -CAserial - serial file\n", +" -CAserial arg - serial file\n", " -text - print the certificate in text form\n", " -C - print out C code forms\n", " -md2/-md5/-sha1/-mdc2 - digest to use\n", @@ -447,7 +447,7 @@ bad: if (extfile) { - long errorline; + long errorline = -1; X509V3_CTX ctx2; if (!(extconf=CONF_load(NULL,extfile,&errorline))) { @@ -961,7 +961,7 @@ end: sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); if (passin) OPENSSL_free(passin); - EXIT(ret); + OPENSSL_EXIT(ret); } static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, diff --git a/crypto/openssl/config b/crypto/openssl/config index 40ad0fe6cf48..583fa70f6755 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -317,6 +317,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in *CRAY*) echo "j90-cray-unicos"; exit 0; ;; + + NONSTOP_KERNEL*) + echo "nsr-tandem-nsk"; exit 0; + ;; esac # @@ -473,7 +477,8 @@ case "$GUESSOS" in echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure irix64-mips4-$CC' *manually*." echo " Type return if you want to continue, Ctrl-C to abort." - read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + (read waste < /dev/tty) || true CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` CPU=${CPU:-0} if [ $CPU -ge 5000 ]; then @@ -528,7 +533,8 @@ EOF #echo "WARNING! If you wish to build 64-bit library, then you have to" #echo " invoke './Configure linux64-sparcv9' *manually*." #echo " Type return if you want to continue, Ctrl-C to abort." - #read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + #(read waste < /dev/tty) || true OUT="linux-sparcv9" ;; sparc-*-linux2) KARCH=`awk '/^type/{print$3}' /proc/cpuinfo` @@ -569,7 +575,8 @@ EOF echo "WARNING! If you wish to build 64-bit library, then you have to" echo " invoke './Configure solaris64-sparcv9-cc' *manually*." echo " Type return if you want to continue, Ctrl-C to abort." - read waste < /dev/tty + # Do not stop if /dev/tty is unavailable + (read waste < /dev/tty) || true fi OUT="solaris-sparcv9-$CC" ;; sun4m-*-solaris2) OUT="solaris-sparcv8-$CC" ;; @@ -630,6 +637,7 @@ EOF *-*-cygwin) OUT="Cygwin" ;; t3e-cray-unicosmk) OUT="cray-t3e" ;; j90-cray-unicos) OUT="cray-j90" ;; + nsr-tandem-nsk) OUT="tandem-c89" ;; *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;; esac diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index f96154cacd14..727d94970335 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o +LIBSRC= cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -129,7 +129,7 @@ lint: depend: if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist - $(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) if [ ! -s buildinf.h ]; then rm buildinf.h; fi @for i in $(SDIRS) ;\ do \ @@ -185,6 +185,9 @@ mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h +mem_clr.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h +mem_clr.o: ../include/openssl/symhacks.h mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h diff --git a/crypto/openssl/crypto/asn1/Makefile.ssl b/crypto/openssl/crypto/asn1/Makefile.ssl index 73ef4d2ca937..329a235edc94 100644 --- a/crypto/openssl/crypto/asn1/Makefile.ssl +++ b/crypto/openssl/crypto/asn1/Makefile.ssl @@ -104,7 +104,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/asn1/a_sign.c b/crypto/openssl/crypto/asn1/a_sign.c index 94829d889e0d..c5cf0e3133f6 100644 --- a/crypto/openssl/crypto/asn1/a_sign.c +++ b/crypto/openssl/crypto/asn1/a_sign.c @@ -199,10 +199,10 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2, signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); signature->flags|=ASN1_STRING_FLAG_BITS_LEFT; err: - memset(&ctx,0,sizeof(ctx)); + OPENSSL_cleanse(&ctx,sizeof(ctx)); if (buf_in != NULL) - { memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); } + { OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); } if (buf_out != NULL) - { memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); } + { OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); } return(outl); } diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c index 569b81199858..9a57eba270d9 100644 --- a/crypto/openssl/crypto/asn1/a_strex.c +++ b/crypto/openssl/crypto/asn1/a_strex.c @@ -519,7 +519,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) { ASN1_STRING stmp, *str = &stmp; int mbflag, type, ret; - if(!*out || !in) return -1; + if(!in) return -1; type = in->type; if((type < 0) || (type > 30)) return -1; mbflag = tag2nbyte[type]; @@ -528,6 +528,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) stmp.data = NULL; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; - if(out) *out = stmp.data; + *out = stmp.data; return stmp.length; } diff --git a/crypto/openssl/crypto/asn1/a_utctm.c b/crypto/openssl/crypto/asn1/a_utctm.c index dd5955ac9fdd..1aafb663f6a3 100644 --- a/crypto/openssl/crypto/asn1/a_utctm.c +++ b/crypto/openssl/crypto/asn1/a_utctm.c @@ -246,6 +246,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) ts=(struct tm *)localtime(&t); } #endif + if (ts == NULL) + return(NULL); p=(char *)s->data; if ((p == NULL) || (s->length < 14)) { diff --git a/crypto/openssl/crypto/asn1/a_verify.c b/crypto/openssl/crypto/asn1/a_verify.c index 2a11927e5c1c..faa34501b98d 100644 --- a/crypto/openssl/crypto/asn1/a_verify.c +++ b/crypto/openssl/crypto/asn1/a_verify.c @@ -100,7 +100,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature, EVP_VerifyInit(&ctx,type); EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl); - memset(buf_in,0,(unsigned int)inl); + OPENSSL_cleanse(buf_in,(unsigned int)inl); OPENSSL_free(buf_in); if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data, diff --git a/crypto/openssl/crypto/asn1/n_pkey.c b/crypto/openssl/crypto/asn1/n_pkey.c index 984019353899..5f8ba3cc3203 100644 --- a/crypto/openssl/crypto/asn1/n_pkey.c +++ b/crypto/openssl/crypto/asn1/n_pkey.c @@ -181,7 +181,7 @@ int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey) } EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); - memset(buf,0,256); + OPENSSL_cleanse(buf,256); EVP_CIPHER_CTX_init(&ctx); EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL); @@ -292,7 +292,7 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length, } EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL); - memset(buf,0,256); + OPENSSL_cleanse(buf,256); EVP_CIPHER_CTX_init(&ctx); EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL); diff --git a/crypto/openssl/crypto/asn1/p8_pkey.c b/crypto/openssl/crypto/asn1/p8_pkey.c index fa6cbfb6f885..3e0ebef50775 100644 --- a/crypto/openssl/crypto/asn1/p8_pkey.c +++ b/crypto/openssl/crypto/asn1/p8_pkey.c @@ -119,8 +119,8 @@ void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a) X509_ALGOR_free(a->pkeyalg); /* Clear sensitive data */ if (a->pkey->value.octet_string) - memset (a->pkey->value.octet_string->data, - 0, a->pkey->value.octet_string->length); + OPENSSL_cleanse(a->pkey->value.octet_string->data, + a->pkey->value.octet_string->length); ASN1_TYPE_free (a->pkey); sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free); OPENSSL_free (a); diff --git a/crypto/openssl/crypto/bf/Makefile.ssl b/crypto/openssl/crypto/bf/Makefile.ssl index 2d61ec50f422..f60b2e957825 100644 --- a/crypto/openssl/crypto/bf/Makefile.ssl +++ b/crypto/openssl/crypto/bf/Makefile.ssl @@ -96,7 +96,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/bf/bftest.c b/crypto/openssl/crypto/bf/bftest.c index cf67cadefd42..212edfaf622e 100644 --- a/crypto/openssl/crypto/bf/bftest.c +++ b/crypto/openssl/crypto/bf/bftest.c @@ -63,6 +63,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_BF int main(int argc, char *argv[]) { @@ -275,7 +277,7 @@ int main(int argc, char *argv[]) else ret=test(); - exit(ret); + EXIT(ret); return(0); } diff --git a/crypto/openssl/crypto/bio/Makefile.ssl b/crypto/openssl/crypto/bio/Makefile.ssl index 300987309e57..76b9caf6fb7d 100644 --- a/crypto/openssl/crypto/bio/Makefile.ssl +++ b/crypto/openssl/crypto/bio/Makefile.ssl @@ -78,7 +78,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h index fd3aaa05856e..d7fc0e645605 100644 --- a/crypto/openssl/crypto/bio/bio.h +++ b/crypto/openssl/crypto/bio/bio.h @@ -241,7 +241,7 @@ typedef struct bio_method_st long (_far *ctrl)(); int (_far *create)(); int (_far *destroy)(); - long (_fat *callback_ctrl)(); + long (_far *callback_ctrl)(); } BIO_METHOD; #endif diff --git a/crypto/openssl/crypto/bn/Makefile.ssl b/crypto/openssl/crypto/bn/Makefile.ssl index 9e075a2b0f11..cfc2274569a2 100644 --- a/crypto/openssl/crypto/bn/Makefile.ssl +++ b/crypto/openssl/crypto/bn/Makefile.ssl @@ -159,7 +159,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index 2ea9cd7203af..c0d6b1612d51 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -155,7 +155,7 @@ extern "C" { #define BN_BYTES 4 #define BN_BITS2 32 #define BN_BITS4 16 -#ifdef _MSC_VER +#if defined(_MSC_VER) || defined(__BORLANDC__) /* VC++ doesn't like the LL suffix */ #define BN_MASK (0xffffffffffffffffL) #else @@ -413,7 +413,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont, BN_CTX *ctx); int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx); void BN_MONT_CTX_free(BN_MONT_CTX *mont); -int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx); +int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx); BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from); BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod); diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index 7767d6517022..5f121dea1e49 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a) if (a == NULL) return; if (a->d != NULL) { - memset(a->d,0,a->dmax*sizeof(a->d[0])); + OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0])); if (!(BN_get_flags(a,BN_FLG_STATIC_DATA))) OPENSSL_free(a->d); } i=BN_get_flags(a,BN_FLG_MALLOCED); - memset(a,0,sizeof(BIGNUM)); + OPENSSL_cleanse(a,sizeof(BIGNUM)); if (i) OPENSSL_free(a); } diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c index 4944ffbf232f..eb65c28cbb41 100644 --- a/crypto/openssl/crypto/bn/bn_rand.c +++ b/crypto/openssl/crypto/bn/bn_rand.c @@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) err: if (buf != NULL) { - memset(buf,0,bytes); + OPENSSL_cleanse(buf,bytes); OPENSSL_free(buf); } return(ret); diff --git a/crypto/openssl/crypto/bn/bn_word.c b/crypto/openssl/crypto/bn/bn_word.c index cd59baa2c490..988e0ca7b37f 100644 --- a/crypto/openssl/crypto/bn/bn_word.c +++ b/crypto/openssl/crypto/bn/bn_word.c @@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) i=0; for (;;) { - l=(a->d[i]+(BN_ULONG)w)&BN_MASK2; + if (i >= a->top) + l=w; + else + l=(a->d[i]+(BN_ULONG)w)&BN_MASK2; a->d[i]=l; if (w > l) w=1; diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c index af0c2629e87e..6ae2b4aff08c 100644 --- a/crypto/openssl/crypto/bn/bntest.c +++ b/crypto/openssl/crypto/bn/bntest.c @@ -139,10 +139,10 @@ int main(int argc, char *argv[]) ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); if (outfile == NULL) { BIO_set_fp(out,stdout,BIO_NOCLOSE); @@ -152,7 +152,7 @@ int main(int argc, char *argv[]) if (!BIO_write_filename(out,outfile)) { perror(outfile); - exit(1); + EXIT(1); } } @@ -228,14 +228,14 @@ int main(int argc, char *argv[]) BIO_free(out); /**/ - exit(0); + EXIT(0); err: BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices * the failure, see test_bn in test/Makefile.ssl*/ BIO_flush(out); ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); - exit(1); + EXIT(1); return(1); } @@ -746,7 +746,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) while ((l=ERR_get_error())) fprintf(stderr,"ERROR:%s\n", ERR_error_string(l,NULL)); - exit(1); + EXIT(1); } if (bp != NULL) { diff --git a/crypto/openssl/crypto/bn/exptest.c b/crypto/openssl/crypto/bn/exptest.c index 3e86f2ea0e0b..b3b807af387c 100644 --- a/crypto/openssl/crypto/bn/exptest.c +++ b/crypto/openssl/crypto/bn/exptest.c @@ -59,6 +59,9 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> + +#include "../e_os.h" + #include <openssl/bio.h> #include <openssl/bn.h> #include <openssl/rand.h> @@ -86,7 +89,7 @@ int main(int argc, char *argv[]) ERR_load_BN_strings(); ctx=BN_CTX_new(); - if (ctx == NULL) exit(1); + if (ctx == NULL) EXIT(1); r_mont=BN_new(); r_recp=BN_new(); r_simple=BN_new(); @@ -99,7 +102,7 @@ int main(int argc, char *argv[]) out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); for (i=0; i<200; i++) @@ -124,7 +127,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_mont() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_recp(r_recp,a,b,m,ctx); @@ -132,7 +135,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_recp() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } ret=BN_mod_exp_simple(r_simple,a,b,m,ctx); @@ -140,7 +143,7 @@ int main(int argc, char *argv[]) { printf("BN_mod_exp_simple() problems\n"); ERR_print_errors(out); - exit(1); + EXIT(1); } if (BN_cmp(r_simple, r_mont) == 0 @@ -163,7 +166,7 @@ int main(int argc, char *argv[]) printf("\nrecp ="); BN_print(out,r_recp); printf("\nmont ="); BN_print(out,r_mont); printf("\n"); - exit(1); + EXIT(1); } } BN_free(r_mont); @@ -177,11 +180,11 @@ int main(int argc, char *argv[]) CRYPTO_mem_leaks(out); BIO_free(out); printf(" done\n"); - exit(0); + EXIT(0); err: ERR_load_crypto_strings(); ERR_print_errors(out); - exit(1); + EXIT(1); return(1); } diff --git a/crypto/openssl/crypto/buffer/Makefile.ssl b/crypto/openssl/crypto/buffer/Makefile.ssl index c088ec6b3c76..a96488919961 100644 --- a/crypto/openssl/crypto/buffer/Makefile.ssl +++ b/crypto/openssl/crypto/buffer/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/cast/Makefile.ssl b/crypto/openssl/crypto/cast/Makefile.ssl index 0aa1cbc55a29..b60524a37821 100644 --- a/crypto/openssl/crypto/cast/Makefile.ssl +++ b/crypto/openssl/crypto/cast/Makefile.ssl @@ -97,7 +97,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/cast/casttest.c b/crypto/openssl/crypto/cast/casttest.c index ab2aeac606ea..0e1034da45bc 100644 --- a/crypto/openssl/crypto/cast/casttest.c +++ b/crypto/openssl/crypto/cast/casttest.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_CAST int main(int argc, char *argv[]) { @@ -224,7 +226,7 @@ int main(int argc, char *argv[]) } #endif - exit(err); + EXIT(err); return(err); } #endif diff --git a/crypto/openssl/crypto/comp/Makefile.ssl b/crypto/openssl/crypto/comp/Makefile.ssl index a61c7de0fba8..0bf9280609bb 100644 --- a/crypto/openssl/crypto/comp/Makefile.ssl +++ b/crypto/openssl/crypto/comp/Makefile.ssl @@ -71,7 +71,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/conf/Makefile.ssl b/crypto/openssl/crypto/conf/Makefile.ssl index 1a433abacd8c..847443fa0ae9 100644 --- a/crypto/openssl/crypto/conf/Makefile.ssl +++ b/crypto/openssl/crypto/conf/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index d43c9de3f5f0..adc28eebff13 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -224,9 +224,9 @@ static int def_load(CONF *conf, BIO *in, long *line) section_sk=(STACK_OF(CONF_VALUE) *)sv->value; bufnum=0; + again=0; for (;;) { - again=0; if (!BUF_MEM_grow(buff,bufnum+BUFSIZE)) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB); @@ -237,7 +237,8 @@ static int def_load(CONF *conf, BIO *in, long *line) BIO_gets(in, p, BUFSIZE-1); p[BUFSIZE-1]='\0'; ii=i=strlen(p); - if (i == 0) break; + if (i == 0 && !again) break; + again=0; while (i > 0) { if ((p[i-1] != '\r') && (p[i-1] != '\n')) @@ -247,7 +248,7 @@ static int def_load(CONF *conf, BIO *in, long *line) } /* we removed some trailing stuff so there is a new * line on the end. */ - if (i == ii) + if (ii && i == ii) again=1; /* long line */ else { diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c index 8fd2d4d26b82..aa87ffd6ec77 100644 --- a/crypto/openssl/crypto/cryptlib.c +++ b/crypto/openssl/crypto/cryptlib.c @@ -58,6 +58,7 @@ #include <stdio.h> #include <string.h> +#include <assert.h> #include "cryptlib.h" #include <openssl/crypto.h> #include <openssl/safestack.h> @@ -89,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "ssl_session", "ssl_sess_cert", "ssl", + /* "ssl_method", */ "rand", "rand2", "debug_malloc", @@ -204,10 +206,18 @@ int CRYPTO_get_new_dynlockid(void) i=sk_CRYPTO_dynlock_find(dyn_locks,NULL); /* If there was none, push, thereby creating a new one */ if (i == -1) - i=sk_CRYPTO_dynlock_push(dyn_locks,pointer); + /* Since sk_push() returns the number of items on the + stack, not the location of the pushed item, we need + to transform the returned number into a position, + by decreasing it. */ + i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1; + else + /* If we found a place with a NULL pointer, put our pointer + in it. */ + sk_CRYPTO_dynlock_set(dyn_locks,i,pointer); CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - if (!i) + if (i == -1) { dynlock_destroy_callback(pointer->data,__FILE__,__LINE__); OPENSSL_free(pointer); @@ -399,16 +409,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line) #endif if (type < 0) { - int i = -type - 1; - struct CRYPTO_dynlock_value *pointer - = CRYPTO_get_dynlock_value(i); - - if (pointer && dynlock_lock_callback) + if (dynlock_lock_callback != NULL) { + struct CRYPTO_dynlock_value *pointer + = CRYPTO_get_dynlock_value(type); + + assert(pointer != NULL); + dynlock_lock_callback(mode, pointer, file, line); - } - CRYPTO_destroy_dynlockid(i); + CRYPTO_destroy_dynlockid(type); + } } else if (locking_callback != NULL) @@ -459,7 +470,7 @@ const char *CRYPTO_get_lock_name(int type) return("dynamic"); else if (type < CRYPTO_NUM_LOCKS) return(lock_names[type]); - else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks)) + else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks)) return("ERROR"); else return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS)); diff --git a/crypto/openssl/crypto/crypto.h b/crypto/openssl/crypto/crypto.h index 8fba87131cb5..c539c435b529 100644 --- a/crypto/openssl/crypto/crypto.h +++ b/crypto/openssl/crypto/crypto.h @@ -95,35 +95,38 @@ extern "C" { * names in cryptlib.c */ -#define CRYPTO_LOCK_ERR 1 -#define CRYPTO_LOCK_ERR_HASH 2 -#define CRYPTO_LOCK_X509 3 -#define CRYPTO_LOCK_X509_INFO 4 -#define CRYPTO_LOCK_X509_PKEY 5 +#define CRYPTO_LOCK_ERR 1 +#define CRYPTO_LOCK_ERR_HASH 2 +#define CRYPTO_LOCK_X509 3 +#define CRYPTO_LOCK_X509_INFO 4 +#define CRYPTO_LOCK_X509_PKEY 5 #define CRYPTO_LOCK_X509_CRL 6 #define CRYPTO_LOCK_X509_REQ 7 #define CRYPTO_LOCK_DSA 8 #define CRYPTO_LOCK_RSA 9 #define CRYPTO_LOCK_EVP_PKEY 10 -#define CRYPTO_LOCK_X509_STORE 11 -#define CRYPTO_LOCK_SSL_CTX 12 -#define CRYPTO_LOCK_SSL_CERT 13 -#define CRYPTO_LOCK_SSL_SESSION 14 -#define CRYPTO_LOCK_SSL_SESS_CERT 15 -#define CRYPTO_LOCK_SSL 16 -#define CRYPTO_LOCK_RAND 17 -#define CRYPTO_LOCK_RAND2 18 -#define CRYPTO_LOCK_MALLOC 19 -#define CRYPTO_LOCK_BIO 20 -#define CRYPTO_LOCK_GETHOSTBYNAME 21 -#define CRYPTO_LOCK_GETSERVBYNAME 22 -#define CRYPTO_LOCK_READDIR 23 -#define CRYPTO_LOCK_RSA_BLINDING 24 -#define CRYPTO_LOCK_DH 25 -#define CRYPTO_LOCK_MALLOC2 26 -#define CRYPTO_LOCK_DSO 27 -#define CRYPTO_LOCK_DYNLOCK 28 -#define CRYPTO_NUM_LOCKS 29 +#define CRYPTO_LOCK_X509_STORE 11 +#define CRYPTO_LOCK_SSL_CTX 12 +#define CRYPTO_LOCK_SSL_CERT 13 +#define CRYPTO_LOCK_SSL_SESSION 14 +#define CRYPTO_LOCK_SSL_SESS_CERT 15 +#define CRYPTO_LOCK_SSL 16 +/* for binary compatibility between 0.9.6 minor versions, + * reuse an existing lock (later version use a new one): */ +# define CRYPTO_LOCK_SSL_METHOD CRYPTO_LOCK_SSL_CTX +#define CRYPTO_LOCK_RAND 17 +#define CRYPTO_LOCK_RAND2 18 +#define CRYPTO_LOCK_MALLOC 19 +#define CRYPTO_LOCK_BIO 20 +#define CRYPTO_LOCK_GETHOSTBYNAME 21 +#define CRYPTO_LOCK_GETSERVBYNAME 22 +#define CRYPTO_LOCK_READDIR 23 +#define CRYPTO_LOCK_RSA_BLINDING 24 +#define CRYPTO_LOCK_DH 25 +#define CRYPTO_LOCK_MALLOC2 26 +#define CRYPTO_LOCK_DSO 27 +#define CRYPTO_LOCK_DYNLOCK 28 +#define CRYPTO_NUM_LOCKS 29 #define CRYPTO_LOCK 1 #define CRYPTO_UNLOCK 2 @@ -145,7 +148,7 @@ extern "C" { #endif #else #define CRYPTO_w_lock(a) -#define CRYPTO_w_unlock(a) +#define CRYPTO_w_unlock(a) #define CRYPTO_r_lock(a) #define CRYPTO_r_unlock(a) #define CRYPTO_add(a,b,c) ((*(a))+=(b)) @@ -342,6 +345,8 @@ void CRYPTO_free(void *); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_remalloc(void *addr,int num, const char *file, int line); +void OPENSSL_cleanse(void *ptr, size_t len); + void CRYPTO_set_mem_debug_options(long bits); long CRYPTO_get_mem_debug_options(void); diff --git a/crypto/openssl/crypto/des/Makefile.ssl b/crypto/openssl/crypto/des/Makefile.ssl index 28e58f4207ff..d52a22480159 100644 --- a/crypto/openssl/crypto/des/Makefile.ssl +++ b/crypto/openssl/crypto/des/Makefile.ssl @@ -130,7 +130,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -192,8 +192,11 @@ qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h -read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h -read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h +read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +read2pwd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +read2pwd.o: des_locl.h read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h @@ -206,7 +209,10 @@ rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h set_key.o: ../../include/openssl/opensslconf.h des_locl.h -str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h -str2key.o: ../../include/openssl/opensslconf.h des_locl.h +str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +str2key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +str2key.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +str2key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +str2key.o: des_locl.h xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h diff --git a/crypto/openssl/crypto/des/des.c b/crypto/openssl/crypto/des/des.c index 215d7413c076..470432e10fb7 100644 --- a/crypto/openssl/crypto/des/des.c +++ b/crypto/openssl/crypto/des/des.c @@ -86,6 +86,7 @@ #endif #include <sys/stat.h> #endif +#include <openssl/crypto.h> #include <openssl/des.h> #include <openssl/rand.h> @@ -423,7 +424,7 @@ void doencryption(void) k2[i-8]=k; } des_set_key_unchecked(&k2,ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else if (longk || flag3) { @@ -431,7 +432,7 @@ void doencryption(void) { des_string_to_2keys(key,&kk,&k2); des_set_key_unchecked(&k2,ks2); - memset(k2,0,sizeof(k2)); + OPENSSL_cleanse(k2,sizeof(k2)); } else des_string_to_key(key,&kk); @@ -453,8 +454,8 @@ void doencryption(void) } des_set_key_unchecked(&kk,ks); - memset(key,0,sizeof(key)); - memset(kk,0,sizeof(kk)); + OPENSSL_cleanse(key,sizeof(key)); + OPENSSL_cleanse(kk,sizeof(kk)); /* woops - A bug that does not showup under unix :-( */ memset(iv,0,sizeof(iv)); memset(iv2,0,sizeof(iv2)); @@ -662,18 +663,18 @@ void doencryption(void) if (l) fclose(CKSUM_OUT); } problems: - memset(buf,0,sizeof(buf)); - memset(obuf,0,sizeof(obuf)); - memset(ks,0,sizeof(ks)); - memset(ks2,0,sizeof(ks2)); - memset(iv,0,sizeof(iv)); - memset(iv2,0,sizeof(iv2)); - memset(kk,0,sizeof(kk)); - memset(k2,0,sizeof(k2)); - memset(uubuf,0,sizeof(uubuf)); - memset(b,0,sizeof(b)); - memset(bb,0,sizeof(bb)); - memset(cksum,0,sizeof(cksum)); + OPENSSL_cleanse(buf,sizeof(buf)); + OPENSSL_cleanse(obuf,sizeof(obuf)); + OPENSSL_cleanse(ks,sizeof(ks)); + OPENSSL_cleanse(ks2,sizeof(ks2)); + OPENSSL_cleanse(iv,sizeof(iv)); + OPENSSL_cleanse(iv2,sizeof(iv2)); + OPENSSL_cleanse(kk,sizeof(kk)); + OPENSSL_cleanse(k2,sizeof(k2)); + OPENSSL_cleanse(uubuf,sizeof(uubuf)); + OPENSSL_cleanse(b,sizeof(b)); + OPENSSL_cleanse(bb,sizeof(bb)); + OPENSSL_cleanse(cksum,sizeof(cksum)); if (Exit) EXIT(Exit); } diff --git a/crypto/openssl/crypto/des/read2pwd.c b/crypto/openssl/crypto/des/read2pwd.c index a8ceaf088a90..115132deecbd 100644 --- a/crypto/openssl/crypto/des/read2pwd.c +++ b/crypto/openssl/crypto/des/read2pwd.c @@ -57,6 +57,7 @@ */ #include "des_locl.h" +#include <openssl/crypto.h> int des_read_password(des_cblock *key, const char *prompt, int verify) { @@ -65,8 +66,8 @@ int des_read_password(des_cblock *key, const char *prompt, int verify) if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) des_string_to_key(buf,key); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } @@ -78,7 +79,7 @@ int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt, if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0) des_string_to_2keys(buf,key1,key2); - memset(buf,0,BUFSIZ); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ok); } diff --git a/crypto/openssl/crypto/des/read_pwd.c b/crypto/openssl/crypto/des/read_pwd.c index cba52cad7865..a8f15909430c 100644 --- a/crypto/openssl/crypto/des/read_pwd.c +++ b/crypto/openssl/crypto/des/read_pwd.c @@ -218,7 +218,7 @@ int des_read_pw_string(char *buf, int length, const char *prompt, int ret; ret=des_read_pw(buf,buff,(length>BUFSIZ)?BUFSIZ:length,prompt,verify); - memset(buff,0,BUFSIZ); + OPENSSL_cleanse(buff,BUFSIZ); return(ret); } diff --git a/crypto/openssl/crypto/des/str2key.c b/crypto/openssl/crypto/des/str2key.c index c6abb872012f..10e1dc174d93 100644 --- a/crypto/openssl/crypto/des/str2key.c +++ b/crypto/openssl/crypto/des/str2key.c @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include <openssl/crypto.h> #include "des_locl.h" void des_string_to_key(const char *str, des_cblock *key) @@ -88,7 +89,7 @@ void des_string_to_key(const char *str, des_cblock *key) des_set_odd_parity(key); des_set_key_unchecked(key,ks); des_cbc_cksum((const unsigned char*)str,key,length,ks,key); - memset(ks,0,sizeof(ks)); + OPENSSL_cleanse(ks,sizeof(ks)); des_set_odd_parity(key); } @@ -149,7 +150,7 @@ void des_string_to_2keys(const char *str, des_cblock *key1, des_cblock *key2) des_cbc_cksum((const unsigned char*)str,key1,length,ks,key1); des_set_key_unchecked(key2,ks); des_cbc_cksum((const unsigned char*)str,key2,length,ks,key2); - memset(ks,0,sizeof(ks)); + OPENSSL_cleanse(ks,sizeof(ks)); des_set_odd_parity(key1); des_set_odd_parity(key2); } diff --git a/crypto/openssl/crypto/dh/Makefile.ssl b/crypto/openssl/crypto/dh/Makefile.ssl index ccee00eeca2c..f0c620a69579 100644 --- a/crypto/openssl/crypto/dh/Makefile.ssl +++ b/crypto/openssl/crypto/dh/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/dh/dhtest.c b/crypto/openssl/crypto/dh/dhtest.c index a38465da130e..c57cac099d49 100644 --- a/crypto/openssl/crypto/dh/dhtest.c +++ b/crypto/openssl/crypto/dh/dhtest.c @@ -59,6 +59,9 @@ #include <stdio.h> #include <stdlib.h> #include <string.h> + +#include "../e_os.h" + #ifdef WINDOWS #include "../bio/bss_file.c" #endif @@ -107,7 +110,7 @@ int main(int argc, char *argv[]) RAND_seed(rnd_seed, sizeof rnd_seed); out=BIO_new(BIO_s_file()); - if (out == NULL) exit(1); + if (out == NULL) EXIT(1); BIO_set_fp(out,stdout,BIO_NOCLOSE); a=DH_generate_parameters(64,DH_GENERATOR_5,cb,out); @@ -188,7 +191,7 @@ err: if(b != NULL) DH_free(b); if(a != NULL) DH_free(a); BIO_free(out); - exit(ret); + EXIT(ret); return(ret); } diff --git a/crypto/openssl/crypto/dsa/Makefile.ssl b/crypto/openssl/crypto/dsa/Makefile.ssl index 1dfdb2d76922..bf2d8bfde0ff 100644 --- a/crypto/openssl/crypto/dsa/Makefile.ssl +++ b/crypto/openssl/crypto/dsa/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/dsa/dsatest.c b/crypto/openssl/crypto/dsa/dsatest.c index 309a7cda8992..2a25f3fe4753 100644 --- a/crypto/openssl/crypto/dsa/dsatest.c +++ b/crypto/openssl/crypto/dsa/dsatest.c @@ -61,6 +61,9 @@ #include <string.h> #include <sys/types.h> #include <sys/stat.h> + +#include "../e_os.h" + #include <openssl/crypto.h> #include <openssl/rand.h> #include <openssl/bio.h> @@ -207,10 +210,16 @@ end: BIO_free(bio_err); bio_err = NULL; } - exit(!ret); + EXIT(!ret); return(0); } +static int cb_exit(int ec) + { + EXIT(ec); + return(0); /* To keep some compilers quiet */ + } + static void MS_CALLBACK dsa_cb(int p, int n, void *arg) { char c='*'; @@ -226,7 +235,7 @@ static void MS_CALLBACK dsa_cb(int p, int n, void *arg) if (!ok && (p == 0) && (num > 1)) { BIO_printf((BIO *)arg,"error in dsatest\n"); - exit(1); + cb_exit(1); } } #endif diff --git a/crypto/openssl/crypto/dso/Makefile.ssl b/crypto/openssl/crypto/dso/Makefile.ssl index 33630e0bbb25..1fe2fd7f40c9 100644 --- a/crypto/openssl/crypto/dso/Makefile.ssl +++ b/crypto/openssl/crypto/dso/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/err/Makefile.ssl b/crypto/openssl/crypto/err/Makefile.ssl index 33348217cdef..bf634f89927d 100644 --- a/crypto/openssl/crypto/err/Makefile.ssl +++ b/crypto/openssl/crypto/err/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c index 5449a31c4e94..638ed3fe715d 100644 --- a/crypto/openssl/crypto/err/err_all.c +++ b/crypto/openssl/crypto/err/err_all.c @@ -1,5 +1,4 @@ /* crypto/err/err_all.c */ -/* $FreeBSD$ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/openssl/crypto/evp/Makefile.ssl b/crypto/openssl/crypto/evp/Makefile.ssl index fb9945db1684..e8499190cc1e 100644 --- a/crypto/openssl/crypto/evp/Makefile.ssl +++ b/crypto/openssl/crypto/evp/Makefile.ssl @@ -87,7 +87,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/evp/bio_enc.c b/crypto/openssl/crypto/evp/bio_enc.c index c425a971afb2..a04e8b11b255 100644 --- a/crypto/openssl/crypto/evp/bio_enc.c +++ b/crypto/openssl/crypto/evp/bio_enc.c @@ -128,7 +128,7 @@ static int enc_free(BIO *a) if (a == NULL) return(0); b=(BIO_ENC_CTX *)a->ptr; EVP_CIPHER_CTX_cleanup(&(b->cipher)); - memset(a->ptr,0,sizeof(BIO_ENC_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_ENC_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/crypto/openssl/crypto/evp/bio_ok.c b/crypto/openssl/crypto/evp/bio_ok.c index e617ce1d4370..e884552a4470 100644 --- a/crypto/openssl/crypto/evp/bio_ok.c +++ b/crypto/openssl/crypto/evp/bio_ok.c @@ -208,7 +208,7 @@ static int ok_new(BIO *bi) static int ok_free(BIO *a) { if (a == NULL) return(0); - memset(a->ptr,0,sizeof(BIO_OK_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_OK_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/crypto/openssl/crypto/evp/c_allc.c b/crypto/openssl/crypto/evp/c_allc.c index 0820557fdbf5..f24d3756c904 100644 --- a/crypto/openssl/crypto/evp/c_allc.c +++ b/crypto/openssl/crypto/evp/c_allc.c @@ -64,10 +64,6 @@ void OpenSSL_add_all_ciphers(void) { - static int done=0; - - if (done) return; - done=1; #ifndef NO_DES EVP_add_cipher(EVP_des_cfb()); EVP_add_cipher(EVP_des_ede_cfb()); diff --git a/crypto/openssl/crypto/evp/c_alld.c b/crypto/openssl/crypto/evp/c_alld.c index 41695df1067b..bbf059eb85e2 100644 --- a/crypto/openssl/crypto/evp/c_alld.c +++ b/crypto/openssl/crypto/evp/c_alld.c @@ -64,10 +64,6 @@ void OpenSSL_add_all_digests(void) { - static int done=0; - - if (done) return; - done=1; #ifndef NO_MD2 EVP_add_digest(EVP_md2()); #endif diff --git a/crypto/openssl/crypto/evp/e_idea.c b/crypto/openssl/crypto/evp/e_idea.c index 8d3c88deb710..50f7503f32d7 100644 --- a/crypto/openssl/crypto/evp/e_idea.c +++ b/crypto/openssl/crypto/evp/e_idea.c @@ -103,7 +103,7 @@ static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, idea_set_encrypt_key(key,&tmp); idea_set_decrypt_key(&tmp,&(ctx->c.idea_ks)); - memset((unsigned char *)&tmp,0, + OPENSSL_cleanse((unsigned char *)&tmp, sizeof(IDEA_KEY_SCHEDULE)); } return 1; diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index e22089aebe72..dd1b8fa2b8e0 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #ifndef HEADER_ENVELOPE_H diff --git a/crypto/openssl/crypto/evp/evp_key.c b/crypto/openssl/crypto/evp/evp_key.c index e7434ef9b270..a31af2924e2e 100644 --- a/crypto/openssl/crypto/evp/evp_key.c +++ b/crypto/openssl/crypto/evp/evp_key.c @@ -152,8 +152,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, } if ((nkey == 0) && (niv == 0)) break; } - memset(&c,0,sizeof(c)); - memset(&(md_buf[0]),0,EVP_MAX_MD_SIZE); + OPENSSL_cleanse(&c,sizeof(c)); + OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE); return(type->key_len); } diff --git a/crypto/openssl/crypto/evp/p5_crpt.c b/crypto/openssl/crypto/evp/p5_crpt.c index 6bfa2c5acb17..0422fa588318 100644 --- a/crypto/openssl/crypto/evp/p5_crpt.c +++ b/crypto/openssl/crypto/evp/p5_crpt.c @@ -142,8 +142,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, memcpy (iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)), EVP_CIPHER_iv_length(cipher)); EVP_CipherInit(cctx, cipher, key, iv, en_de); - memset(md_tmp, 0, EVP_MAX_MD_SIZE); - memset(key, 0, EVP_MAX_KEY_LENGTH); - memset(iv, 0, EVP_MAX_IV_LENGTH); + OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE); + OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return 1; } diff --git a/crypto/openssl/crypto/evp/p5_crpt2.c b/crypto/openssl/crypto/evp/p5_crpt2.c index 717fad68ca8f..74c8769e460a 100644 --- a/crypto/openssl/crypto/evp/p5_crpt2.c +++ b/crypto/openssl/crypto/evp/p5_crpt2.c @@ -228,7 +228,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, iter = ASN1_INTEGER_get(kdf->iter); PKCS5_PBKDF2_HMAC_SHA1(pass, passlen, salt, saltlen, iter, keylen, key); EVP_CipherInit(ctx, NULL, key, NULL, en_de); - memset(key, 0, keylen); + OPENSSL_cleanse(key, keylen); PBKDF2PARAM_free(kdf); return 1; diff --git a/crypto/openssl/crypto/evp/p_open.c b/crypto/openssl/crypto/evp/p_open.c index 2760c00fec10..c766a3a912bc 100644 --- a/crypto/openssl/crypto/evp/p_open.c +++ b/crypto/openssl/crypto/evp/p_open.c @@ -101,7 +101,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek, ret=1; err: - if (key != NULL) memset(key,0,size); + if (key != NULL) OPENSSL_cleanse(key,size); OPENSSL_free(key); return(ret); } diff --git a/crypto/openssl/crypto/hmac/Makefile.ssl b/crypto/openssl/crypto/hmac/Makefile.ssl index ed3c8c64d1ca..4d36069f1d21 100644 --- a/crypto/openssl/crypto/hmac/Makefile.ssl +++ b/crypto/openssl/crypto/hmac/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/hmac/hmactest.c b/crypto/openssl/crypto/hmac/hmactest.c index 4b56b8ee1355..3bc476b9c770 100644 --- a/crypto/openssl/crypto/hmac/hmactest.c +++ b/crypto/openssl/crypto/hmac/hmactest.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_HMAC int main(int argc, char *argv[]) { @@ -143,7 +145,7 @@ int main(int argc, char *argv[]) else printf("test %d ok\n",i); } - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/idea/Makefile.ssl b/crypto/openssl/crypto/idea/Makefile.ssl index 8923d7d066ca..bc5c5f04c52b 100644 --- a/crypto/openssl/crypto/idea/Makefile.ssl +++ b/crypto/openssl/crypto/idea/Makefile.ssl @@ -1,6 +1,5 @@ # # SSLeay/crypto/idea/Makefile -# $FreeBSD$ # DIR= idea @@ -69,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/idea/i_cbc.c b/crypto/openssl/crypto/idea/i_cbc.c index d141cc2e2e8f..ecb9cb8b8367 100644 --- a/crypto/openssl/crypto/idea/i_cbc.c +++ b/crypto/openssl/crypto/idea/i_cbc.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <openssl/idea.h> diff --git a/crypto/openssl/crypto/idea/i_cfb64.c b/crypto/openssl/crypto/idea/i_cfb64.c index 6f7e364fcb5a..66d49d520eb3 100644 --- a/crypto/openssl/crypto/idea/i_cfb64.c +++ b/crypto/openssl/crypto/idea/i_cfb64.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <openssl/idea.h> diff --git a/crypto/openssl/crypto/idea/i_ecb.c b/crypto/openssl/crypto/idea/i_ecb.c index 3789cb523294..fb613db595c4 100644 --- a/crypto/openssl/crypto/idea/i_ecb.c +++ b/crypto/openssl/crypto/idea/i_ecb.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <openssl/idea.h> diff --git a/crypto/openssl/crypto/idea/i_ofb64.c b/crypto/openssl/crypto/idea/i_ofb64.c index b3397f9a8e11..e749e88e34ae 100644 --- a/crypto/openssl/crypto/idea/i_ofb64.c +++ b/crypto/openssl/crypto/idea/i_ofb64.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <openssl/idea.h> diff --git a/crypto/openssl/crypto/idea/i_skey.c b/crypto/openssl/crypto/idea/i_skey.c index 5fea5cc2f675..1c95bc9c7b88 100644 --- a/crypto/openssl/crypto/idea/i_skey.c +++ b/crypto/openssl/crypto/idea/i_skey.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <openssl/idea.h> diff --git a/crypto/openssl/crypto/idea/idea.h b/crypto/openssl/crypto/idea/idea.h index 31d3c895af99..f14adf83985e 100644 --- a/crypto/openssl/crypto/idea/idea.h +++ b/crypto/openssl/crypto/idea/idea.h @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #ifndef HEADER_IDEA_H diff --git a/crypto/openssl/crypto/idea/idea_lcl.h b/crypto/openssl/crypto/idea/idea_lcl.h index 019059977145..463aa36ce9c0 100644 --- a/crypto/openssl/crypto/idea/idea_lcl.h +++ b/crypto/openssl/crypto/idea/idea_lcl.h @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ /* The new form of this macro (check if the a*b == 0) was suggested by diff --git a/crypto/openssl/crypto/idea/idea_spd.c b/crypto/openssl/crypto/idea/idea_spd.c index aefe1783b601..301946b19846 100644 --- a/crypto/openssl/crypto/idea/idea_spd.c +++ b/crypto/openssl/crypto/idea/idea_spd.c @@ -54,7 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ /* 11-Sep-92 Andrew Daviel Support for Silicon Graphics IRIX added */ diff --git a/crypto/openssl/crypto/idea/ideatest.c b/crypto/openssl/crypto/idea/ideatest.c index 810f351713ec..01d43adb19da 100644 --- a/crypto/openssl/crypto/idea/ideatest.c +++ b/crypto/openssl/crypto/idea/ideatest.c @@ -54,13 +54,14 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * $FreeBSD$ */ #include <stdio.h> #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_IDEA int main(int argc, char *argv[]) { @@ -168,7 +169,7 @@ int main(int argc, char *argv[]) else printf("ok\n"); - exit(err); + EXIT(err); return(err); } diff --git a/crypto/openssl/crypto/idea/version b/crypto/openssl/crypto/idea/version index c269d8531e4d..3f2229379549 100644 --- a/crypto/openssl/crypto/idea/version +++ b/crypto/openssl/crypto/idea/version @@ -1,4 +1,3 @@ -# $FreeBSD$ 1.1 07/12/95 - eay Many thanks to Rhys Weatherley <rweather@us.oracle.com> for pointing out that I was assuming little endian byte diff --git a/crypto/openssl/crypto/lhash/Makefile.ssl b/crypto/openssl/crypto/lhash/Makefile.ssl index 60bb6b12e406..7a706e25f14f 100644 --- a/crypto/openssl/crypto/lhash/Makefile.ssl +++ b/crypto/openssl/crypto/lhash/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/md2/Makefile.ssl b/crypto/openssl/crypto/md2/Makefile.ssl index cda8385347eb..ecb80115fd6e 100644 --- a/crypto/openssl/crypto/md2/Makefile.ssl +++ b/crypto/openssl/crypto/md2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -79,8 +79,10 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -md2_dgst.o: ../../include/openssl/md2.h ../../include/openssl/opensslconf.h -md2_dgst.o: ../../include/openssl/opensslv.h +md2_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/md2.h +md2_dgst.o: ../../include/openssl/opensslconf.h +md2_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +md2_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h md2_one.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h md2_one.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h md2_one.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/openssl/crypto/md2/md2_dgst.c b/crypto/openssl/crypto/md2/md2_dgst.c index 608baefa8f34..fc25280469a4 100644 --- a/crypto/openssl/crypto/md2/md2_dgst.c +++ b/crypto/openssl/crypto/md2/md2_dgst.c @@ -61,6 +61,7 @@ #include <string.h> #include <openssl/md2.h> #include <openssl/opensslv.h> +#include <openssl/crypto.h> const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; @@ -194,7 +195,7 @@ static void md2_block(MD2_CTX *c, const unsigned char *d) t=(t+i)&0xff; } memcpy(sp1,state,16*sizeof(MD2_INT)); - memset(state,0,48*sizeof(MD2_INT)); + OPENSSL_cleanse(state,48*sizeof(MD2_INT)); } void MD2_Final(unsigned char *md, MD2_CTX *c) diff --git a/crypto/openssl/crypto/md2/md2_one.c b/crypto/openssl/crypto/md2/md2_one.c index b12c37ce4def..835160ef56d1 100644 --- a/crypto/openssl/crypto/md2/md2_one.c +++ b/crypto/openssl/crypto/md2/md2_one.c @@ -88,6 +88,6 @@ unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD2_Final(md,&c); - memset(&c,0,sizeof(c)); /* Security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* Security consideration */ return(md); } diff --git a/crypto/openssl/crypto/md2/md2test.c b/crypto/openssl/crypto/md2/md2test.c index e3f4fb4c341a..4d7231753bed 100644 --- a/crypto/openssl/crypto/md2/md2test.c +++ b/crypto/openssl/crypto/md2/md2test.c @@ -60,6 +60,8 @@ #include <stdlib.h> #include <string.h> +#include "../e_os.h" + #ifdef NO_MD2 int main(int argc, char *argv[]) { @@ -119,7 +121,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h index ad7c4194c243..07f6010c4eaf 100644 --- a/crypto/openssl/crypto/md32_common.h +++ b/crypto/openssl/crypto/md32_common.h @@ -602,6 +602,6 @@ void HASH_FINAL (unsigned char *md, HASH_CTX *c) c->num=0; /* clear stuff, HASH_BLOCK may be leaving some stuff on the stack * but I'm not worried :-) - memset((void *)c,0,sizeof(HASH_CTX)); + OPENSSL_cleanse((void *)c,sizeof(HASH_CTX)); */ } diff --git a/crypto/openssl/crypto/md4/Makefile.ssl b/crypto/openssl/crypto/md4/Makefile.ssl index bc38badb0a2b..1843a3f7c027 100644 --- a/crypto/openssl/crypto/md4/Makefile.ssl +++ b/crypto/openssl/crypto/md4/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -82,4 +82,6 @@ clean: md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h md4_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md4_locl.h -md4_one.o: ../../include/openssl/md4.h +md4_one.o: ../../include/openssl/crypto.h ../../include/openssl/md4.h +md4_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +md4_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/md4/md4_one.c b/crypto/openssl/crypto/md4/md4_one.c index 87a995d38d43..00565507e4bb 100644 --- a/crypto/openssl/crypto/md4/md4_one.c +++ b/crypto/openssl/crypto/md4/md4_one.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <openssl/md4.h> +#include <openssl/crypto.h> #ifdef CHARSET_EBCDIC #include <openssl/ebcdic.h> @@ -89,7 +90,7 @@ unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD4_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/crypto/openssl/crypto/md4/md4test.c b/crypto/openssl/crypto/md4/md4test.c index 97e6e21efd15..faa9e84a9a3d 100644 --- a/crypto/openssl/crypto/md4/md4test.c +++ b/crypto/openssl/crypto/md4/md4test.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_MD4 int main(int argc, char *argv[]) { @@ -115,7 +117,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/md5/Makefile.ssl b/crypto/openssl/crypto/md5/Makefile.ssl index e5ec4a21ae33..ebd356cb3fa9 100644 --- a/crypto/openssl/crypto/md5/Makefile.ssl +++ b/crypto/openssl/crypto/md5/Makefile.ssl @@ -118,7 +118,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -131,4 +131,6 @@ clean: md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h md5_dgst.o: ../../include/openssl/opensslv.h ../md32_common.h md5_locl.h -md5_one.o: ../../include/openssl/md5.h +md5_one.o: ../../include/openssl/crypto.h ../../include/openssl/md5.h +md5_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +md5_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/md5/md5_one.c b/crypto/openssl/crypto/md5/md5_one.c index b89dec850d2d..c5dd2d81db49 100644 --- a/crypto/openssl/crypto/md5/md5_one.c +++ b/crypto/openssl/crypto/md5/md5_one.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <openssl/md5.h> +#include <openssl/crypto.h> #ifdef CHARSET_EBCDIC #include <openssl/ebcdic.h> @@ -89,7 +90,7 @@ unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md) } #endif MD5_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/crypto/openssl/crypto/md5/md5test.c b/crypto/openssl/crypto/md5/md5test.c index 6bd86563020e..e3258cc0bf10 100644 --- a/crypto/openssl/crypto/md5/md5test.c +++ b/crypto/openssl/crypto/md5/md5test.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_MD5 int main(int argc, char *argv[]) { @@ -115,7 +117,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/mdc2/Makefile.ssl b/crypto/openssl/crypto/mdc2/Makefile.ssl index 4b1b3e36961a..92be945f91d4 100644 --- a/crypto/openssl/crypto/mdc2/Makefile.ssl +++ b/crypto/openssl/crypto/mdc2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/mdc2/mdc2_one.c b/crypto/openssl/crypto/mdc2/mdc2_one.c index 6cd141b4d621..37f06c8d77cf 100644 --- a/crypto/openssl/crypto/mdc2/mdc2_one.c +++ b/crypto/openssl/crypto/mdc2/mdc2_one.c @@ -69,7 +69,7 @@ unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md) MDC2_Init(&c); MDC2_Update(&c,d,n); MDC2_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/crypto/openssl/crypto/mdc2/mdc2test.c b/crypto/openssl/crypto/mdc2/mdc2test.c index 46c25aeff4c6..bad02979ee0e 100644 --- a/crypto/openssl/crypto/mdc2/mdc2test.c +++ b/crypto/openssl/crypto/mdc2/mdc2test.c @@ -60,6 +60,8 @@ #include <stdlib.h> #include <string.h> +#include "../e_os.h" + #if defined(NO_DES) && !defined(NO_MDC2) #define NO_MDC2 #endif @@ -134,7 +136,7 @@ int main(int argc, char *argv[]) else printf("pad2 - ok\n"); - exit(ret); + EXIT(ret); return(ret); } #endif diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c index 9df2a367e7e2..0df0a2a5491d 100644 --- a/crypto/openssl/crypto/mem.c +++ b/crypto/openssl/crypto/mem.c @@ -173,6 +173,9 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), void *CRYPTO_malloc_locked(int num, const char *file, int line) { void *ret = NULL; + extern unsigned char cleanse_ctr; + + if (num < 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -187,6 +190,12 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line) if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); + /* Create a dependency on the value of 'cleanse_ctr' so our memory + * sanitisation function can't be optimised out. NB: We only do + * this for >2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -205,6 +214,9 @@ void CRYPTO_free_locked(void *str) void *CRYPTO_malloc(int num, const char *file, int line) { void *ret = NULL; + extern unsigned char cleanse_ctr; + + if (num < 0) return NULL; allow_customize = 0; if (malloc_debug_func != NULL) @@ -219,6 +231,12 @@ void *CRYPTO_malloc(int num, const char *file, int line) if (malloc_debug_func != NULL) malloc_debug_func(ret, num, file, line, 1); + /* Create a dependency on the value of 'cleanse_ctr' so our memory + * sanitisation function can't be optimised out. NB: We only do + * this for >2Kb so the overhead doesn't bother us. */ + if(ret && (num > 2048)) + ((unsigned char *)ret)[0] = cleanse_ctr; + return ret; } @@ -229,6 +247,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_func(str,num); diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index ef19d8f84489..5d3547790fdf 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -102,6 +102,8 @@ typedef struct app_mem_info_st int references; } APP_INFO; +static void app_info_free(APP_INFO *); + static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack * (with `thread' as key); @@ -140,6 +142,18 @@ static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. * thread named in disabling_thread). */ +static void app_info_free(APP_INFO *inf) + { + if (--(inf->references) <= 0) + { + if (inf->next != NULL) + { + app_info_free(inf->next); + } + OPENSSL_free(inf); + } + } + int CRYPTO_mem_ctrl(int mode) { int ret=mh_mode; @@ -496,9 +510,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) mp->order, mp->addr, mp->num); #endif if (mp->app_info != NULL) - { - mp->app_info->references--; - } + app_info_free(mp->app_info); OPENSSL_free(mp); } diff --git a/crypto/openssl/crypto/objects/Makefile.ssl b/crypto/openssl/crypto/objects/Makefile.ssl index 7b1c51cdb128..bcce2fa085eb 100644 --- a/crypto/openssl/crypto/objects/Makefile.ssl +++ b/crypto/openssl/crypto/objects/Makefile.ssl @@ -76,7 +76,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/objects/obj_dat.c b/crypto/openssl/crypto/objects/obj_dat.c index 41fdf6e7b2cc..76f2e05f5080 100644 --- a/crypto/openssl/crypto/objects/obj_dat.c +++ b/crypto/openssl/crypto/objects/obj_dat.c @@ -417,7 +417,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) a2d_ASN1_OBJECT(p,i,s,-1); p=buf; - op=d2i_ASN1_OBJECT(NULL,&p,i); + op=d2i_ASN1_OBJECT(NULL,&p,j); OPENSSL_free(buf); return op; } diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h index 63e11f73547a..b8423af2f109 100644 --- a/crypto/openssl/crypto/objects/obj_dat.h +++ b/crypto/openssl/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 404 -#define NUM_SN 402 -#define NUM_LN 402 -#define NUM_OBJ 376 +#define NUM_NID 406 +#define NUM_SN 404 +#define NUM_LN 404 +#define NUM_OBJ 378 -static unsigned char lvalues[2951]={ +static unsigned char lvalues[2971]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -444,6 +444,8 @@ static unsigned char lvalues[2951]={ 0x55,0x1D,0x24, /* [2941] OBJ_policy_constraints */ 0x55,0x1D,0x37, /* [2944] OBJ_target_information */ 0x55,0x1D,0x38, /* [2947] OBJ_no_rev_avail */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x02,/* [2950] OBJ_ms_smartcard_login */ +0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x14,0x02,0x03,/* [2960] OBJ_ms_upn */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1075,6 +1077,10 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[2944]),0}, {"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3, &(lvalues[2947]),0}, +{"msSmartcardLogin","Microsoft Smartcardlogin",NID_ms_smartcard_login, + 10,&(lvalues[2950]),0}, +{"msUPN","Microsoft Universal Principal Name",NID_ms_upn,10, + &(lvalues[2960]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -1417,6 +1423,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[138]),/* "msEFS" */ &(nid_objs[171]),/* "msExtReq" */ &(nid_objs[137]),/* "msSGC" */ +&(nid_objs[404]),/* "msSmartcardLogin" */ +&(nid_objs[405]),/* "msUPN" */ &(nid_objs[173]),/* "name" */ &(nid_objs[369]),/* "noCheck" */ &(nid_objs[403]),/* "noRevAvail" */ @@ -1510,7 +1518,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[171]),/* "Microsoft Extension Request" */ &(nid_objs[134]),/* "Microsoft Individual Code Signing" */ &(nid_objs[137]),/* "Microsoft Server Gated Crypto" */ +&(nid_objs[404]),/* "Microsoft Smartcardlogin" */ &(nid_objs[136]),/* "Microsoft Trust List Signing" */ +&(nid_objs[405]),/* "Microsoft Universal Principal Name" */ &(nid_objs[72]),/* "Netscape Base Url" */ &(nid_objs[76]),/* "Netscape CA Policy Url" */ &(nid_objs[74]),/* "Netscape CA Revocation Url" */ @@ -2196,6 +2206,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[136]),/* OBJ_ms_ctl_sign 1 3 6 1 4 1 311 10 3 1 */ &(nid_objs[137]),/* OBJ_ms_sgc 1 3 6 1 4 1 311 10 3 3 */ &(nid_objs[138]),/* OBJ_ms_efs 1 3 6 1 4 1 311 10 3 4 */ +&(nid_objs[404]),/* OBJ_ms_smartcard_login 1 3 6 1 4 1 311 20 2 2 */ +&(nid_objs[405]),/* OBJ_ms_upn 1 3 6 1 4 1 311 20 2 3 */ &(nid_objs[196]),/* OBJ_id_smime_mod_cms 1 2 840 113549 1 9 16 0 1 */ &(nid_objs[197]),/* OBJ_id_smime_mod_ess 1 2 840 113549 1 9 16 0 2 */ &(nid_objs[198]),/* OBJ_id_smime_mod_oid 1 2 840 113549 1 9 16 0 3 */ diff --git a/crypto/openssl/crypto/objects/obj_mac.h b/crypto/openssl/crypto/objects/obj_mac.h index a2a960ee370d..8e8952d2936d 100644 --- a/crypto/openssl/crypto/objects/obj_mac.h +++ b/crypto/openssl/crypto/objects/obj_mac.h @@ -780,6 +780,16 @@ #define NID_ms_efs 138 #define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L +#define SN_ms_smartcard_login "msSmartcardLogin" +#define LN_ms_smartcard_login "Microsoft Smartcardlogin" +#define NID_ms_smartcard_login 404 +#define OBJ_ms_smartcard_login 1L,3L,6L,1L,4L,1L,311L,20L,2L,2L + +#define SN_ms_upn "msUPN" +#define LN_ms_upn "Microsoft Universal Principal Name" +#define NID_ms_upn 405 +#define OBJ_ms_upn 1L,3L,6L,1L,4L,1L,311L,20L,2L,3L + #define SN_idea_cbc "IDEA-CBC" #define LN_idea_cbc "idea-cbc" #define NID_idea_cbc 34 diff --git a/crypto/openssl/crypto/objects/obj_mac.num b/crypto/openssl/crypto/objects/obj_mac.num index a6baa8c5f953..1e73da17813e 100644 --- a/crypto/openssl/crypto/objects/obj_mac.num +++ b/crypto/openssl/crypto/objects/obj_mac.num @@ -401,3 +401,5 @@ role 400 policy_constraints 401 target_information 402 no_rev_avail 403 +ms_smartcard_login 404 +ms_upn 405 diff --git a/crypto/openssl/crypto/objects/objects.txt b/crypto/openssl/crypto/objects/objects.txt index fb73408f4657..a5f6c3759ba6 100644 --- a/crypto/openssl/crypto/objects/objects.txt +++ b/crypto/openssl/crypto/objects/objects.txt @@ -246,6 +246,10 @@ rsadsi 3 8 : RC5-CBC : rc5-cbc 1 3 6 1 4 1 311 10 3 3 : msSGC : Microsoft Server Gated Crypto !Cname ms-efs 1 3 6 1 4 1 311 10 3 4 : msEFS : Microsoft Encrypted File System +!Cname ms-smartcard-login +1 3 6 1 4 1 311 20 2 2 : msSmartcardLogin : Microsoft Smartcardlogin +!Cname ms-upn +1 3 6 1 4 1 311 20 2 3 : msUPN : Microsoft Universal Principal Name 1 3 6 1 4 1 188 7 1 1 2 : IDEA-CBC : idea-cbc : IDEA-ECB : idea-ecb diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h index 2c6ddaed31f6..48718f9d5095 100644 --- a/crypto/openssl/crypto/opensslconf.h +++ b/crypto/openssl/crypto/opensslconf.h @@ -6,14 +6,23 @@ /* no ciphers excluded */ #endif #ifdef OPENSSL_THREAD_DEFINES +# ifndef THREADS +# define THREADS +# endif #endif #ifdef OPENSSL_OTHER_DEFINES +# ifndef DSO_DLFCN +# define DSO_DLFCN +# endif +# ifndef HAVE_DLFCN_H +# define HAVE_DLFCN_H +# endif #endif /* crypto/opensslconf.h.in */ /* Generate 80386 code? */ -#undef I386_ONLY +#define I386_ONLY #if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) @@ -66,7 +75,7 @@ #if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) #define CONFIG_HEADER_BN_H -#undef BN_LLONG +#define BN_LLONG /* Should we define BN_DIV2W here? */ @@ -85,7 +94,7 @@ #define CONFIG_HEADER_RC4_LOCL_H /* if this is defined data[i] is used instead of *data, this is a %20 * speedup on x86 */ -#undef RC4_INDEX +#define RC4_INDEX #endif #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) @@ -99,14 +108,14 @@ /* the following is tweaked from a config script, that is why it is a * protected undef/define */ #ifndef DES_PTR -#undef DES_PTR +#define DES_PTR #endif /* This helps C compiler generate the correct code for multiple functional * units. It reduces register dependancies at the expense of 2 more * registers */ #ifndef DES_RISC1 -#undef DES_RISC1 +#define DES_RISC1 #endif #ifndef DES_RISC2 @@ -120,7 +129,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! /* Unroll the inner loop, this sometimes helps, sometimes hinders. * Very mucy CPU dependant */ #ifndef DES_UNROLL -#undef DES_UNROLL +#define DES_UNROLL #endif /* These default values were supplied by diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index b6ae9458cc5c..6806ef725fa8 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090607fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6g 9 Aug 2002" +#define OPENSSL_VERSION_NUMBER 0x0090609fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6i Feb 19 2003" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/Makefile.ssl b/crypto/openssl/crypto/pem/Makefile.ssl index 111dbc1ae460..1788f3fecd13 100644 --- a/crypto/openssl/crypto/pem/Makefile.ssl +++ b/crypto/openssl/crypto/pem/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/pem/pem_info.c b/crypto/openssl/crypto/pem/pem_info.c index ef02599d55b5..2453e933dcdb 100644 --- a/crypto/openssl/crypto/pem/pem_info.c +++ b/crypto/openssl/crypto/pem/pem_info.c @@ -358,7 +358,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, ret=1; err: - memset((char *)&ctx,0,sizeof(ctx)); - memset(buf,0,PEM_BUFSIZE); + OPENSSL_cleanse((char *)&ctx,sizeof(ctx)); + OPENSSL_cleanse(buf,PEM_BUFSIZE); return(ret); } diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index 01759f75c3b5..e024bd787304 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -380,7 +380,7 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, * NOT taken from the BytesToKey function */ EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); - if (kstr == (unsigned char *)buf) memset(buf,0,PEM_BUFSIZE); + if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); buf[0]='\0'; PEM_proc_type(buf,PEM_TYPE_ENCRYPTED); @@ -401,12 +401,15 @@ int PEM_ASN1_write_bio(int (*i2d)(), const char *name, BIO *bp, char *x, i=PEM_write_bio(bp,name,buf,data,i); if (i <= 0) ret=0; err: - memset(key,0,sizeof(key)); - memset(iv,0,sizeof(iv)); - memset((char *)&ctx,0,sizeof(ctx)); - memset(buf,0,PEM_BUFSIZE); - memset(data,0,(unsigned int)dsize); - OPENSSL_free(data); + OPENSSL_cleanse(key,sizeof(key)); + OPENSSL_cleanse(iv,sizeof(iv)); + OPENSSL_cleanse((char *)&ctx,sizeof(ctx)); + OPENSSL_cleanse(buf,PEM_BUFSIZE); + if (data != NULL) + { + OPENSSL_cleanse(data,(unsigned int)dsize); + OPENSSL_free(data); + } return(ret); } @@ -444,8 +447,8 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, EVP_DecryptUpdate(&ctx,data,&i,data,j); o=EVP_DecryptFinal(&ctx,&(data[i]),&j); EVP_CIPHER_CTX_cleanup(&ctx); - memset((char *)buf,0,sizeof(buf)); - memset((char *)key,0,sizeof(key)); + OPENSSL_cleanse((char *)buf,sizeof(buf)); + OPENSSL_cleanse((char *)key,sizeof(key)); j+=i; if (!o) { diff --git a/crypto/openssl/crypto/pem/pem_seal.c b/crypto/openssl/crypto/pem/pem_seal.c index 2a6c5133481a..ed1d3412cfd1 100644 --- a/crypto/openssl/crypto/pem/pem_seal.c +++ b/crypto/openssl/crypto/pem/pem_seal.c @@ -109,7 +109,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type, ret=npubk; err: if (s != NULL) OPENSSL_free(s); - memset(key,0,EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(key,EVP_MAX_KEY_LENGTH); return(ret); } diff --git a/crypto/openssl/crypto/pkcs12/Makefile.ssl b/crypto/openssl/crypto/pkcs12/Makefile.ssl index c92dd276398c..7a4994812a01 100644 --- a/crypto/openssl/crypto/pkcs12/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs12/Makefile.ssl @@ -74,7 +74,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/pkcs12/p12_crpt.c b/crypto/openssl/crypto/pkcs12/p12_crpt.c index 7b96584f07d7..17d8d546f17c 100644 --- a/crypto/openssl/crypto/pkcs12/p12_crpt.c +++ b/crypto/openssl/crypto/pkcs12/p12_crpt.c @@ -118,7 +118,7 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen, } PBEPARAM_free(pbe); EVP_CipherInit(ctx, cipher, key, iv, en_de); - memset(key, 0, EVP_MAX_KEY_LENGTH); - memset(iv, 0, EVP_MAX_IV_LENGTH); + OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); + OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); return 1; } diff --git a/crypto/openssl/crypto/pkcs12/p12_decr.c b/crypto/openssl/crypto/pkcs12/p12_decr.c index 8cd7e2f41470..68488db86405 100644 --- a/crypto/openssl/crypto/pkcs12/p12_decr.c +++ b/crypto/openssl/crypto/pkcs12/p12_decr.c @@ -137,7 +137,7 @@ char * PKCS12_decrypt_d2i (X509_ALGOR *algor, char * (*d2i)(), if (seq & 1) ret = (char *) d2i_ASN1_SET(NULL, &p, outlen, d2i, free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL); else ret = d2i(NULL, &p, outlen); - if (seq & 2) memset(out, 0, outlen); + if (seq & 2) OPENSSL_cleanse(out, outlen); if(!ret) PKCS12err(PKCS12_F_PKCS12_DECRYPT_D2I,PKCS12_R_DECODE_ERROR); OPENSSL_free (out); return ret; diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c index a4fd5b98ec9a..298e4c506b6b 100644 --- a/crypto/openssl/crypto/pkcs12/p12_key.c +++ b/crypto/openssl/crypto/pkcs12/p12_key.c @@ -91,7 +91,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, ret = PKCS12_key_gen_uni(unipass, uniplen, salt, saltlen, id, iter, n, out, md_type); if(unipass) { - memset(unipass, 0, uniplen); /* Clear password from memory */ + OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ OPENSSL_free(unipass); } return ret; diff --git a/crypto/openssl/crypto/pkcs7/Makefile.ssl b/crypto/openssl/crypto/pkcs7/Makefile.ssl index da0ff22ab22d..fd4a267e8ac7 100644 --- a/crypto/openssl/crypto/pkcs7/Makefile.ssl +++ b/crypto/openssl/crypto/pkcs7/Makefile.ssl @@ -87,7 +87,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/pkcs7/bio_ber.c b/crypto/openssl/crypto/pkcs7/bio_ber.c index 5447e6981861..e73556e3023c 100644 --- a/crypto/openssl/crypto/pkcs7/bio_ber.c +++ b/crypto/openssl/crypto/pkcs7/bio_ber.c @@ -145,7 +145,7 @@ static int ber_free(BIO *a) if (a == NULL) return(0); b=(BIO_BER_CTX *)a->ptr; - memset(a->ptr,0,sizeof(BIO_BER_CTX)); + OPENSSL_cleanse(a->ptr,sizeof(BIO_BER_CTX)); OPENSSL_free(a->ptr); a->ptr=NULL; a->init=0; diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index a45cf76c6873..aa4d49e28be9 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -241,7 +241,7 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj); } OPENSSL_free(tmp); - memset(key, 0, keylen); + OPENSSL_cleanse(key, keylen); if (out == NULL) out=btmp; @@ -448,7 +448,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } EVP_CipherInit(evp_ctx,NULL,tmp,NULL,0); - memset(tmp,0,jj); + OPENSSL_cleanse(tmp,jj); if (out == NULL) out=etmp; diff --git a/crypto/openssl/crypto/rand/Makefile.ssl b/crypto/openssl/crypto/rand/Makefile.ssl index e9a6876b5a74..8da0c777b344 100644 --- a/crypto/openssl/crypto/rand/Makefile.ssl +++ b/crypto/openssl/crypto/rand/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c index 349629c4843e..5df32b4fe6a8 100644 --- a/crypto/openssl/crypto/rand/md_rand.c +++ b/crypto/openssl/crypto/rand/md_rand.c @@ -177,10 +177,10 @@ RAND_METHOD *RAND_SSLeay(void) static void ssleay_rand_cleanup(void) { - memset(state,0,sizeof(state)); + OPENSSL_cleanse(state,sizeof(state)); state_num=0; state_index=0; - memset(md,0,MD_DIGEST_LENGTH); + OPENSSL_cleanse(md,MD_DIGEST_LENGTH); md_count[0]=0; md_count[1]=0; entropy=0; diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c index a6601696ad9e..ce169367857a 100644 --- a/crypto/openssl/crypto/rand/rand_egd.c +++ b/crypto/openssl/crypto/rand/rand_egd.c @@ -59,7 +59,7 @@ /* Query the EGD <URL: http://www.lothar.com/tech/crypto/>. */ -#if defined(WIN32) || defined(VMS) || defined(__VMS) +#if defined(WIN32) || defined(MSDOS) || defined(VMS) || defined(__VMS) || defined(VXWORKS) int RAND_egd(const char *path) { return(-1); diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 2b4b1446edb6..3e148ad4d254 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -254,6 +254,10 @@ int RAND_poll(void) * at random times on Windows 2000. Reported by Jeffrey Altman. * Only use it on NT. */ + /* Wolfgang Marczy <WMarczy@topcall.co.at> reports that + * the RegQueryValueEx call below can hang on NT4.0 (SP6). + * So we don't use this at all for now. */ +#if 0 if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT && osverinfo.dwMajorVersion < 5) { @@ -283,13 +287,23 @@ int RAND_poll(void) { /* For entropy count assume only least significant * byte of each DWORD is random. - */ + */ RAND_add(&length, sizeof(length), 0); RAND_add(buf, length, length / 4.0); + + /* Close the Registry Key to allow Windows to cleanup/close + * the open handle + * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened + * when the RegQueryValueEx above is done. However, if + * it is not explicitly closed, it can cause disk + * partition manipulation problems. + */ + RegCloseKey(HKEY_PERFORMANCE_DATA); } if (buf) free(buf); } +#endif if (advapi) { @@ -461,7 +475,7 @@ int RAND_poll(void) hlist.th32ProcessID, hlist.th32HeapID)) { - int entrycnt = 50; + int entrycnt = 80; do RAND_add(&hentry, hentry.dwSize, 5); @@ -718,8 +732,10 @@ int RAND_poll(void) /* put in some default random data, we need more than just this */ l=curr_pid; RAND_add(&l,sizeof(l),0); +#ifndef VXWORKS l=getuid(); RAND_add(&l,sizeof(l),0); +#endif l=time(NULL); RAND_add(&l,sizeof(l),0); diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index c2ae28c3a2a4..f64c7383b2b6 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -61,6 +61,8 @@ #include <stdlib.h> #include <string.h> +#include "openssl/e_os.h" + #ifdef VMS #include <unixio.h> #endif @@ -73,7 +75,6 @@ # include <sys/stat.h> #endif -#include "openssl/e_os.h" #include <openssl/crypto.h> #include <openssl/rand.h> @@ -124,7 +125,7 @@ int RAND_load_file(const char *file, long bytes) } } fclose(in); - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); err: return(ret); } @@ -189,7 +190,7 @@ int RAND_write_file(const char *file) #endif /* VMS */ fclose(out); - memset(buf,0,BUFSIZE); + OPENSSL_cleanse(buf,BUFSIZE); err: return (rand_err ? -1 : ret); } diff --git a/crypto/openssl/crypto/rand/randtest.c b/crypto/openssl/crypto/rand/randtest.c index da96e3f6959a..abee3f7b2b2d 100644 --- a/crypto/openssl/crypto/rand/randtest.c +++ b/crypto/openssl/crypto/rand/randtest.c @@ -60,6 +60,8 @@ #include <stdlib.h> #include <openssl/rand.h> +#include "../e_os.h" + /* some FIPS 140-1 random number test */ /* some simple tests */ @@ -202,6 +204,6 @@ int main() } printf("test 4 done\n"); err=((err)?1:0); - exit(err); + EXIT(err); return(err); } diff --git a/crypto/openssl/crypto/rc2/Makefile.ssl b/crypto/openssl/crypto/rc2/Makefile.ssl index 6966e01b6f27..90b6bd988079 100644 --- a/crypto/openssl/crypto/rc2/Makefile.ssl +++ b/crypto/openssl/crypto/rc2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/rc2/rc2test.c b/crypto/openssl/crypto/rc2/rc2test.c index 521269ded18c..bf8bc5d02fa4 100644 --- a/crypto/openssl/crypto/rc2/rc2test.c +++ b/crypto/openssl/crypto/rc2/rc2test.c @@ -63,6 +63,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_RC2 int main(int argc, char *argv[]) { @@ -203,7 +205,7 @@ int main(int argc, char *argv[]) printf("ok\n"); #endif - exit(err); + EXIT(err); return(err); } diff --git a/crypto/openssl/crypto/rc4/Makefile.ssl b/crypto/openssl/crypto/rc4/Makefile.ssl index 8ffff0a74e3d..f3a4dad8768e 100644 --- a/crypto/openssl/crypto/rc4/Makefile.ssl +++ b/crypto/openssl/crypto/rc4/Makefile.ssl @@ -97,7 +97,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/rc4/rc4.c b/crypto/openssl/crypto/rc4/rc4.c index 709b7aff35ae..04799009e6f3 100644 --- a/crypto/openssl/crypto/rc4/rc4.c +++ b/crypto/openssl/crypto/rc4/rc4.c @@ -155,7 +155,7 @@ bad: i=EVP_read_pw_string(buf,BUFSIZ,"Enter RC4 password:",0); if (i != 0) { - memset(buf,0,BUFSIZ); + OPENSSL_cleanse(buf,BUFSIZ); fprintf(stderr,"bad password read\n"); exit(1); } @@ -163,7 +163,7 @@ bad: } MD5((unsigned char *)keystr,(unsigned long)strlen(keystr),md); - memset(keystr,0,strlen(keystr)); + OPENSSL_cleanse(keystr,strlen(keystr)); RC4_set_key(&key,MD5_DIGEST_LENGTH,md); for(;;) diff --git a/crypto/openssl/crypto/rc4/rc4test.c b/crypto/openssl/crypto/rc4/rc4test.c index 3914eb6c3831..3aa40ed23510 100644 --- a/crypto/openssl/crypto/rc4/rc4test.c +++ b/crypto/openssl/crypto/rc4/rc4test.c @@ -60,6 +60,8 @@ #include <stdlib.h> #include <string.h> +#include "../e_os.h" + #ifdef NO_RC4 int main(int argc, char *argv[]) { @@ -195,7 +197,7 @@ int main(int argc, char *argv[]) } } printf("done\n"); - exit(err); + EXIT(err); return(0); } #endif diff --git a/crypto/openssl/crypto/rc5/Makefile.ssl b/crypto/openssl/crypto/rc5/Makefile.ssl index cf5d176859ba..0497a573a093 100644 --- a/crypto/openssl/crypto/rc5/Makefile.ssl +++ b/crypto/openssl/crypto/rc5/Makefile.ssl @@ -94,7 +94,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/rc5/rc5test.c b/crypto/openssl/crypto/rc5/rc5test.c index 634ceac7c7ee..84e7c71d216a 100644 --- a/crypto/openssl/crypto/rc5/rc5test.c +++ b/crypto/openssl/crypto/rc5/rc5test.c @@ -63,6 +63,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_RC5 int main(int argc, char *argv[]) { @@ -318,7 +320,7 @@ int main(int argc, char *argv[]) } if (err == 0) printf("cbc RC5 ok\n"); - exit(err); + EXIT(err); return(err); } diff --git a/crypto/openssl/crypto/ripemd/Makefile.ssl b/crypto/openssl/crypto/ripemd/Makefile.ssl index 0b1cd7394132..2838fe40b400 100644 --- a/crypto/openssl/crypto/ripemd/Makefile.ssl +++ b/crypto/openssl/crypto/ripemd/Makefile.ssl @@ -92,7 +92,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -106,4 +106,6 @@ clean: rmd_dgst.o: ../../include/openssl/opensslconf.h rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h rmd_dgst.o: ../md32_common.h rmd_locl.h rmdconst.h -rmd_one.o: ../../include/openssl/ripemd.h +rmd_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h +rmd_one.o: ../../include/openssl/ripemd.h ../../include/openssl/safestack.h +rmd_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/ripemd/rmd_one.c b/crypto/openssl/crypto/ripemd/rmd_one.c index efdf2dd6efc2..f8b580c33a3a 100644 --- a/crypto/openssl/crypto/ripemd/rmd_one.c +++ b/crypto/openssl/crypto/ripemd/rmd_one.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <openssl/ripemd.h> +#include <openssl/crypto.h> unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, RIPEMD160_Init(&c); RIPEMD160_Update(&c,d,n); RIPEMD160_Final(md,&c); - memset(&c,0,sizeof(c)); /* security consideration */ + OPENSSL_cleanse(&c,sizeof(c)); /* security consideration */ return(md); } diff --git a/crypto/openssl/crypto/ripemd/rmdtest.c b/crypto/openssl/crypto/ripemd/rmdtest.c index 5d79c997253b..dd3a49d7058b 100644 --- a/crypto/openssl/crypto/ripemd/rmdtest.c +++ b/crypto/openssl/crypto/ripemd/rmdtest.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_RIPEMD int main(int argc, char *argv[]) { @@ -124,7 +126,7 @@ int main(int argc, char *argv[]) R++; P++; } - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/rsa/Makefile.ssl b/crypto/openssl/crypto/rsa/Makefile.ssl index 1be9a1cd2397..3584942d769e 100644 --- a/crypto/openssl/crypto/rsa/Makefile.ssl +++ b/crypto/openssl/crypto/rsa/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/rsa/rsa.h b/crypto/openssl/crypto/rsa/rsa.h index 179706a2d430..76aed3cb3852 100644 --- a/crypto/openssl/crypto/rsa/rsa.h +++ b/crypto/openssl/crypto/rsa/rsa.h @@ -1,5 +1,4 @@ /* crypto/rsa/rsa.h */ -/* $FreeBSD$ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -170,6 +169,8 @@ struct rsa_st #define RSA_NO_PADDING 3 #define RSA_PKCS1_OAEP_PADDING 4 +#define RSA_PKCS1_PADDING_SIZE 11 + #define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) #define RSA_get_app_data(s) RSA_get_ex_data(s,0) diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index e861a491adfb..c49abe6e3eed 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -1,5 +1,4 @@ /* crypto/rsa/rsa_eay.c */ -/* $FreeBSD$ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -185,7 +184,7 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); @@ -269,7 +268,7 @@ err: BN_clear_free(&f); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); @@ -368,7 +367,7 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); @@ -465,7 +464,7 @@ err: BN_clear_free(&ret); if (buf != NULL) { - memset(buf,0,num); + OPENSSL_cleanse(buf,num); OPENSSL_free(buf); } return(r); diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c index 5220f5f5562c..422643e9f2e8 100644 --- a/crypto/openssl/crypto/rsa/rsa_lib.c +++ b/crypto/openssl/crypto/rsa/rsa_lib.c @@ -1,5 +1,4 @@ /* crypto/rsa/rsa_lib.c */ -/* $FreeBSD$ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/openssl/crypto/rsa/rsa_pk1.c b/crypto/openssl/crypto/rsa/rsa_pk1.c index 48a32bc264a8..b3f1c2200dd5 100644 --- a/crypto/openssl/crypto/rsa/rsa_pk1.c +++ b/crypto/openssl/crypto/rsa/rsa_pk1.c @@ -68,7 +68,7 @@ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, int j; unsigned char *p; - if (flen > (tlen-11)) + if (flen > (tlen-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1,RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); return(0); diff --git a/crypto/openssl/crypto/rsa/rsa_saos.c b/crypto/openssl/crypto/rsa/rsa_saos.c index c77f4381ffb1..749fb209655d 100644 --- a/crypto/openssl/crypto/rsa/rsa_saos.c +++ b/crypto/openssl/crypto/rsa/rsa_saos.c @@ -76,7 +76,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len, i=i2d_ASN1_OCTET_STRING(&sig,NULL); j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) > j) + if (i > (j-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0); @@ -95,7 +95,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, unsigned char *m, unsigned int m_len, else *siglen=i; - memset(s,0,(unsigned int)j+1); + OPENSSL_cleanse(s,(unsigned int)j+1); OPENSSL_free(s); return(ret); } @@ -137,7 +137,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, unsigned char *m, ret=1; err: if (sig != NULL) M_ASN1_OCTET_STRING_free(sig); - memset(s,0,(unsigned int)siglen); + OPENSSL_cleanse(s,(unsigned int)siglen); OPENSSL_free(s); return(ret); } diff --git a/crypto/openssl/crypto/rsa/rsa_sign.c b/crypto/openssl/crypto/rsa/rsa_sign.c index 31049b979194..83764a2ce3e8 100644 --- a/crypto/openssl/crypto/rsa/rsa_sign.c +++ b/crypto/openssl/crypto/rsa/rsa_sign.c @@ -109,7 +109,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len, i=i2d_X509_SIG(&sig,NULL); } j=RSA_size(rsa); - if ((i-RSA_PKCS1_PADDING) > j) + if (i > (j-RSA_PKCS1_PADDING_SIZE)) { RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return(0); @@ -131,7 +131,7 @@ int RSA_sign(int type, unsigned char *m, unsigned int m_len, *siglen=i; if(type != NID_md5_sha1) { - memset(s,0,(unsigned int)j+1); + OPENSSL_cleanse(s,(unsigned int)j+1); OPENSSL_free(s); } return(ret); @@ -214,7 +214,7 @@ int RSA_verify(int dtype, unsigned char *m, unsigned int m_len, } err: if (sig != NULL) X509_SIG_free(sig); - memset(s,0,(unsigned int)siglen); + OPENSSL_cleanse(s,(unsigned int)siglen); OPENSSL_free(s); return(ret); } diff --git a/crypto/openssl/crypto/sha/Makefile.ssl b/crypto/openssl/crypto/sha/Makefile.ssl index 75d3e0bf4ff3..d0e656cb033f 100644 --- a/crypto/openssl/crypto/sha/Makefile.ssl +++ b/crypto/openssl/crypto/sha/Makefile.ssl @@ -92,7 +92,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -103,11 +103,15 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -sha1_one.o: ../../include/openssl/sha.h +sha1_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h +sha1_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +sha1_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h sha1dgst.o: ../../include/openssl/opensslconf.h sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h sha1dgst.o: ../md32_common.h sha_locl.h sha_dgst.o: ../../include/openssl/opensslconf.h sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/sha.h sha_dgst.o: ../md32_common.h sha_locl.h -sha_one.o: ../../include/openssl/sha.h +sha_one.o: ../../include/openssl/crypto.h ../../include/openssl/opensslv.h +sha_one.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +sha_one.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/sha/sha1_one.c b/crypto/openssl/crypto/sha/sha1_one.c index 861752eaa7ea..acf3e92ff22b 100644 --- a/crypto/openssl/crypto/sha/sha1_one.c +++ b/crypto/openssl/crypto/sha/sha1_one.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <openssl/sha.h> +#include <openssl/crypto.h> #ifndef NO_SHA1 unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md) SHA1_Init(&c); SHA1_Update(&c,d,n); SHA1_Final(md,&c); - memset(&c,0,sizeof(c)); + OPENSSL_cleanse(&c,sizeof(c)); return(md); } #endif diff --git a/crypto/openssl/crypto/sha/sha1test.c b/crypto/openssl/crypto/sha/sha1test.c index 688d06c63747..8c2bd33f56fa 100644 --- a/crypto/openssl/crypto/sha/sha1test.c +++ b/crypto/openssl/crypto/sha/sha1test.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_SHA int main(int argc, char *argv[]) { @@ -152,7 +154,7 @@ int main(int argc, char *argv[]) } else printf("test 3 ok\n"); - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/sha/sha_one.c b/crypto/openssl/crypto/sha/sha_one.c index 2d955de16286..ece37146c21d 100644 --- a/crypto/openssl/crypto/sha/sha_one.c +++ b/crypto/openssl/crypto/sha/sha_one.c @@ -59,6 +59,7 @@ #include <stdio.h> #include <string.h> #include <openssl/sha.h> +#include <openssl/crypto.h> #ifndef NO_SHA0 unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) @@ -70,7 +71,7 @@ unsigned char *SHA(const unsigned char *d, unsigned long n, unsigned char *md) SHA_Init(&c); SHA_Update(&c,d,n); SHA_Final(md,&c); - memset(&c,0,sizeof(c)); + OPENSSL_cleanse(&c,sizeof(c)); return(md); } #endif diff --git a/crypto/openssl/crypto/sha/shatest.c b/crypto/openssl/crypto/sha/shatest.c index a5786bbf768d..d9329f0307b5 100644 --- a/crypto/openssl/crypto/sha/shatest.c +++ b/crypto/openssl/crypto/sha/shatest.c @@ -60,6 +60,8 @@ #include <string.h> #include <stdlib.h> +#include "../e_os.h" + #ifdef NO_SHA int main(int argc, char *argv[]) { @@ -152,7 +154,7 @@ int main(int argc, char *argv[]) } else printf("test 3 ok\n"); - exit(err); + EXIT(err); return(0); } diff --git a/crypto/openssl/crypto/stack/Makefile.ssl b/crypto/openssl/crypto/stack/Makefile.ssl index 2027d3946ce1..dde60c934cd5 100644 --- a/crypto/openssl/crypto/stack/Makefile.ssl +++ b/crypto/openssl/crypto/stack/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/threads/mttest.c b/crypto/openssl/crypto/threads/mttest.c index 100165948c02..3d1b212b1c74 100644 --- a/crypto/openssl/crypto/threads/mttest.c +++ b/crypto/openssl/crypto/threads/mttest.c @@ -77,6 +77,10 @@ #ifdef PTHREADS #include <pthread.h> #endif +#ifdef VXWORKS +#include <taskLib.h> +#include <semLib.h> +#endif #include <openssl/lhash.h> #include <openssl/crypto.h> #include <openssl/buffer.h> @@ -105,10 +109,12 @@ void irix_locking_callback(int mode,int type,char *file,int line); void solaris_locking_callback(int mode,int type,char *file,int line); void win32_locking_callback(int mode,int type,char *file,int line); void pthreads_locking_callback(int mode,int type,char *file,int line); +void vxworks_locking_callback(int mode,int type,char *file,int line); unsigned long irix_thread_id(void ); unsigned long solaris_thread_id(void ); unsigned long pthreads_thread_id(void ); +unsigned long vxworks_thread_id(void ); BIO *bio_err=NULL; BIO *bio_stdout=NULL; @@ -1097,4 +1103,119 @@ unsigned long pthreads_thread_id(void) #endif /* PTHREADS */ +#ifdef VXWORKS + +#define DEFAULT_TASK_NAME NULL +#define DEFAULT_TASK_PRIORITY 100 +#define DEFAULT_TASK_OPTIONS 0 +#define DEFAULT_TASK_STACK_BYTES 32768 + +static SEM_ID *lock_cs; +static long *lock_count; + +extern int sysClkRateGet(); + +void thread_setup(void) + { + int i; + + lock_cs=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(SEM_ID)); + lock_count=OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); + for (i=0; i<CRYPTO_num_locks(); i++) + { + lock_count[i]=0; + lock_cs[i] = semMCreate(SEM_Q_PRIORITY | SEM_INVERSION_SAFE); + } + + CRYPTO_set_id_callback((unsigned long (*)())vxworks_thread_id); + CRYPTO_set_locking_callback((void (*)())vxworks_locking_callback); + } + +void thread_cleanup(void) + { + int i; + + CRYPTO_set_locking_callback(NULL); + fprintf(stderr,"cleanup\n"); + for (i=0; i<CRYPTO_num_locks(); i++) + { + semDelete(lock_cs[i]); + fprintf(stderr,"%8ld:%s\n",lock_count[i], + CRYPTO_get_lock_name(i)); + } + OPENSSL_free(lock_cs); + OPENSSL_free(lock_count); + + fprintf(stderr,"done cleanup\n"); + } + +void vxworks_locking_callback(int mode, int type, char *file, int line) + { +#ifdef undef + fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n", + CRYPTO_thread_id(), + (mode&CRYPTO_LOCK)?"l":"u", + (type&CRYPTO_READ)?"r":"w",file,line); +#endif +/* + if (CRYPTO_LOCK_SSL_CERT == type) + fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", + CRYPTO_thread_id(), + mode,file,line); +*/ + if (mode & CRYPTO_LOCK) + { + semTake(lock_cs[type], WAIT_FOREVER); + lock_count[type]++; + } + else + { + semGive(lock_cs[type]); + } + } + + +void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) + { + SSL_CTX *ssl_ctx[2]; + int thread_ctx[MAX_THREAD_NUMBER]; + int i; + + ssl_ctx[0]=s_ctx; + ssl_ctx[1]=c_ctx; + + /* + thr_setconcurrency(thread_number); + */ + for (i=0; i<thread_number; i++) + { + thread_ctx[i] = taskSpawn(DEFAULT_TASK_NAME, + DEFAULT_TASK_PRIORITY, + DEFAULT_TASK_OPTIONS, + DEFAULT_TASK_STACK_BYTES, + (FUNCPTR)ndoit, + (int)ssl_ctx, 0, 0, 0, 0, 0, 0, 0, 0, 0); + + printf("Spawned task %d (%x)\n", i, thread_ctx[i]); + } + + printf("reaping\n"); + for (i=0; i<thread_number; i++) + { + while(taskIdVerify(thread_ctx[i]) != ERROR) + { + taskDelay(sysClkRateGet()/10); + } + printf("Reaped task %d (%x)\n", i, thread_ctx[i]); + } + + printf("vxworks threads done (%d,%d)\n", + s_ctx->references,c_ctx->references); + } + +unsigned long vxworks_thread_id(void) + { + return((unsigned long)taskIdSelf()); + } +#endif /* VXWORKS */ diff --git a/crypto/openssl/crypto/tmdiff.c b/crypto/openssl/crypto/tmdiff.c index 830092210f42..fc38e139a71d 100644 --- a/crypto/openssl/crypto/tmdiff.c +++ b/crypto/openssl/crypto/tmdiff.c @@ -105,6 +105,11 @@ #include <windows.h> #endif +#ifdef VXWORKS +#include <tickLib.h> +#include <drv/timer/timerDev.h> +#endif + /* The following if from times(3) man page. It may need to be changed */ #ifndef HZ # ifndef CLK_TCK diff --git a/crypto/openssl/crypto/txt_db/Makefile.ssl b/crypto/openssl/crypto/txt_db/Makefile.ssl index 567202abb771..8c5db888fa5e 100644 --- a/crypto/openssl/crypto/txt_db/Makefile.ssl +++ b/crypto/openssl/crypto/txt_db/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/uid.c b/crypto/openssl/crypto/uid.c index b5b61b76d4e3..4bd283592ca8 100644 --- a/crypto/openssl/crypto/uid.c +++ b/crypto/openssl/crypto/uid.c @@ -64,7 +64,7 @@ int OPENSSL_issetugid(void) return issetugid(); } -#elif defined(WIN32) +#elif defined(WIN32) || defined(VXWORKS) int OPENSSL_issetugid(void) { diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl index bcee4b362348..ef19cdd7c089 100644 --- a/crypto/openssl/crypto/x509/Makefile.ssl +++ b/crypto/openssl/crypto/x509/Makefile.ssl @@ -78,7 +78,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/crypto/x509/by_file.c b/crypto/openssl/crypto/x509/by_file.c index 78e9240a8d09..05a3a0293bee 100644 --- a/crypto/openssl/crypto/x509/by_file.c +++ b/crypto/openssl/crypto/x509/by_file.c @@ -100,18 +100,19 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, case X509_L_FILE_LOAD: if (argl == X509_FILETYPE_DEFAULT) { - ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(), - X509_FILETYPE_PEM) != 0); + file = (char *)Getenv(X509_get_default_cert_file_env()); + if (file) + ok = (X509_load_cert_crl_file(ctx,file, + X509_FILETYPE_PEM) != 0); + + if (!ok) + ok = (X509_load_cert_crl_file(ctx,X509_get_default_cert_file(), + X509_FILETYPE_PEM) != 0); + if (!ok) { X509err(X509_F_BY_FILE_CTRL,X509_R_LOADING_DEFAULTS); } - else - { - file=(char *)Getenv(X509_get_default_cert_file_env()); - ok = (X509_load_cert_crl_file(ctx,file, - X509_FILETYPE_PEM) != 0); - } } else { diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c index 3f9f9b3d472e..792781009820 100644 --- a/crypto/openssl/crypto/x509/x509_cmp.c +++ b/crypto/openssl/crypto/x509/x509_cmp.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <ctype.h> #include "cryptlib.h" #include <openssl/asn1.h> #include <openssl/objects.h> @@ -157,6 +158,99 @@ int X509_cmp(const X509 *a, const X509 *b) } #endif + +/* Case insensitive string comparision */ +static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + int i; + + if (a->length != b->length) + return (a->length - b->length); + + for (i=0; i<a->length; i++) + { + int ca, cb; + + ca = tolower(a->data[i]); + cb = tolower(b->data[i]); + + if (ca != cb) + return(ca-cb); + } + return 0; +} + +/* Case insensitive string comparision with space normalization + * Space normalization - ignore leading, trailing spaces, + * multiple spaces between characters are replaced by single space + */ +static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) +{ + unsigned char *pa = NULL, *pb = NULL; + int la, lb; + + la = a->length; + lb = b->length; + pa = a->data; + pb = b->data; + + /* skip leading spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + + /* skip trailing spaces */ + while (la > 0 && isspace(pa[la-1])) + la--; + while (lb > 0 && isspace(pb[lb-1])) + lb--; + + /* compare strings with space normalization */ + while (la > 0 && lb > 0) + { + int ca, cb; + + /* compare character */ + ca = tolower(*pa); + cb = tolower(*pb); + if (ca != cb) + return (ca - cb); + + pa++; pb++; + la--; lb--; + + if (la <= 0 || lb <= 0) + break; + + /* is white space next character ? */ + if (isspace(*pa) && isspace(*pb)) + { + /* skip remaining white spaces */ + while (la > 0 && isspace(*pa)) + { + la--; + pa++; + } + while (lb > 0 && isspace(*pb)) + { + lb--; + pb++; + } + } + } + if (la > 0 || lb > 0) + return la - lb; + + return 0; +} + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { int i,j; @@ -170,10 +264,20 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { na=sk_X509_NAME_ENTRY_value(a->entries,i); nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=na->value->length-nb->value->length; + j=na->value->type-nb->value->type; if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); + if (na->value->type == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na->value, nb->value); + else if (na->value->type == V_ASN1_IA5STRING + && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) + j=nocase_cmp(na->value, nb->value); + else + { + j=na->value->length-nb->value->length; + if (j) return(j); + j=memcmp(na->value->data,nb->value->data, + na->value->length); + } if (j) return(j); j=na->set-nb->set; if (j) return(j); diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 7a3009224777..9ad9276ff76b 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -567,7 +567,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time) { char *str; ASN1_TIME atm; - time_t offset; + long offset; char buff1[24],buff2[24],*p; int i,j; diff --git a/crypto/openssl/crypto/x509v3/Makefile.ssl b/crypto/openssl/crypto/x509v3/Makefile.ssl index 672290a7f93b..c7d00bb8d054 100644 --- a/crypto/openssl/crypto/x509v3/Makefile.ssl +++ b/crypto/openssl/crypto/x509v3/Makefile.ssl @@ -72,7 +72,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/demos/selfsign.c b/crypto/openssl/demos/selfsign.c index 68904c611eac..3d90caaa6463 100644 --- a/crypto/openssl/demos/selfsign.c +++ b/crypto/openssl/demos/selfsign.c @@ -106,7 +106,7 @@ int days; } rsa=NULL; - X509_set_version(x,3); + X509_set_version(x,2); ASN1_INTEGER_set(X509_get_serialNumber(x),serial); X509_gmtime_adj(X509_get_notBefore(x),0); X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days); diff --git a/crypto/openssl/doc/apps/passwd.pod b/crypto/openssl/doc/apps/passwd.pod index 6e098940c750..d56f0e7a1cd7 100644 --- a/crypto/openssl/doc/apps/passwd.pod +++ b/crypto/openssl/doc/apps/passwd.pod @@ -69,7 +69,7 @@ to each password hash. B<openssl passwd -crypt -salt xx password> prints B<xxj31ZMTZzkVA>. -B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1>. +B<openssl passwd -1 -salt xxxxxxxx password> prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. B<openssl passwd -apr1 -salt xxxxxxxx password> prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. diff --git a/crypto/openssl/doc/apps/req.pod b/crypto/openssl/doc/apps/req.pod index a3f54f45a30d..ed5c7effb8f8 100644 --- a/crypto/openssl/doc/apps/req.pod +++ b/crypto/openssl/doc/apps/req.pod @@ -457,13 +457,13 @@ Sample configuration containing all field values: The header and footer lines in the B<PEM> format are normally: - -----BEGIN CERTIFICATE REQUEST---- - -----END CERTIFICATE REQUEST---- + -----BEGIN CERTIFICATE REQUEST----- + -----END CERTIFICATE REQUEST----- some software (some versions of Netscape certificate server) instead needs: - -----BEGIN NEW CERTIFICATE REQUEST---- - -----END NEW CERTIFICATE REQUEST---- + -----BEGIN NEW CERTIFICATE REQUEST----- + -----END NEW CERTIFICATE REQUEST----- which is produced with the B<-newhdr> option but is otherwise compatible. Either form is accepted transparently on input. diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index fa5d23e8dc3b..2453dd2738d1 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -340,8 +340,8 @@ detached signature format. You can use this program to verify the signature by line wrapping the base64 encoded structure and surrounding it with: - -----BEGIN PKCS7---- - -----END PKCS7---- + -----BEGIN PKCS7----- + -----END PKCS7----- and using the command, diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod index 84f76cb421be..890e7b5f6235 100644 --- a/crypto/openssl/doc/apps/x509.pod +++ b/crypto/openssl/doc/apps/x509.pod @@ -321,7 +321,7 @@ The default filename consists of the CA certificate file base name with ".srl" appended. For example if the CA certificate file is called "mycacert.pem" it expects to find a serial number file called "mycacert.srl". -=item B<-CAcreateserial filename> +=item B<-CAcreateserial> with this option the CA serial number file is created if it does not exist: it will contain the serial number "02" and the certificate being signed will @@ -532,25 +532,25 @@ certificate extensions: Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" - openssl x509 -in cert.pem -addtrust sslclient \ - -alias "Steve's Class 1 CA" -out trust.pem + openssl x509 -in cert.pem -addtrust clientAuth \ + -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES The PEM format uses the header and footer lines: - -----BEGIN CERTIFICATE---- - -----END CERTIFICATE---- + -----BEGIN CERTIFICATE----- + -----END CERTIFICATE----- it will also handle files containing: - -----BEGIN X509 CERTIFICATE---- - -----END X509 CERTIFICATE---- + -----BEGIN X509 CERTIFICATE----- + -----END X509 CERTIFICATE----- Trusted certificates have the lines - -----BEGIN TRUSTED CERTIFICATE---- - -----END TRUSTED CERTIFICATE---- + -----BEGIN TRUSTED CERTIFICATE----- + -----END TRUSTED CERTIFICATE----- The conversion to UTF8 format used with the name options assumes that T61Strings use the ISO8859-1 character set. This is wrong but Netscape diff --git a/crypto/openssl/doc/c-indentation.el b/crypto/openssl/doc/c-indentation.el index 48ca3cf69b30..cbf01cb1720a 100644 --- a/crypto/openssl/doc/c-indentation.el +++ b/crypto/openssl/doc/c-indentation.el @@ -13,12 +13,10 @@ ; ; Apparently statement blocks that are not introduced by a statement ; such as "if" and that are not the body of a function cannot -; be handled too well by CC mode with this indentation style. -; The style defined below does not indent them at all. -; To insert tabs manually, prefix them with ^Q (the "quoted-insert" -; command of Emacs). If you know a solution to this problem -; or find other problems with this indentation style definition, -; please send e-mail to bodo@openssl.org. +; be handled too well by CC mode with this indentation style, +; so you have to indent them manually (you can use C-q tab). +; +; For suggesting improvements, please send e-mail to bodo@openssl.org. (c-add-style "eay" '((c-basic-offset . 8) diff --git a/crypto/openssl/doc/crypto/BN_CTX_new.pod b/crypto/openssl/doc/crypto/BN_CTX_new.pod index c94d8c610da5..ad8d07db89af 100644 --- a/crypto/openssl/doc/crypto/BN_CTX_new.pod +++ b/crypto/openssl/doc/crypto/BN_CTX_new.pod @@ -42,7 +42,7 @@ BN_CTX_init() and BN_CTX_free() have no return values. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>, L<BN_CTX_start(3)|BN_CTX_start(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_add.pod b/crypto/openssl/doc/crypto/BN_add.pod index 0541d4564352..7baed2d4920e 100644 --- a/crypto/openssl/doc/crypto/BN_add.pod +++ b/crypto/openssl/doc/crypto/BN_add.pod @@ -86,7 +86,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)>, L<BN_add_word(3)|BN_add_word(3)>, L<BN_set_bit(3)|BN_set_bit(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_add_word.pod b/crypto/openssl/doc/crypto/BN_add_word.pod index 66bedfb92442..94244adea4cd 100644 --- a/crypto/openssl/doc/crypto/BN_add_word.pod +++ b/crypto/openssl/doc/crypto/BN_add_word.pod @@ -46,7 +46,7 @@ BN_mod_word() and BN_div_word() return B<a>%B<w>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)> +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_bn2bin.pod b/crypto/openssl/doc/crypto/BN_bn2bin.pod index b62d1af0ff6d..a4b17ca60a89 100644 --- a/crypto/openssl/doc/crypto/BN_bn2bin.pod +++ b/crypto/openssl/doc/crypto/BN_bn2bin.pod @@ -80,7 +80,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_zero(3)|BN_zero(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_zero(3)|BN_zero(3)>, L<ASN1_INTEGER_to_BN(3)|ASN1_INTEGER_to_BN(3)>, L<BN_num_bytes(3)|BN_num_bytes(3)> diff --git a/crypto/openssl/doc/crypto/BN_copy.pod b/crypto/openssl/doc/crypto/BN_copy.pod index 8ad25e7834f6..388dd7df2653 100644 --- a/crypto/openssl/doc/crypto/BN_copy.pod +++ b/crypto/openssl/doc/crypto/BN_copy.pod @@ -25,7 +25,7 @@ by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)> +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_generate_prime.pod b/crypto/openssl/doc/crypto/BN_generate_prime.pod index 638f6514ee8a..7dccacbc1e55 100644 --- a/crypto/openssl/doc/crypto/BN_generate_prime.pod +++ b/crypto/openssl/doc/crypto/BN_generate_prime.pod @@ -70,7 +70,7 @@ If B<do_trial_division == 0>, this test is skipped. Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin probabilistic primality test with B<checks> iterations. If -B<checks == BN_prime_check>, a number of iterations is used that +B<checks == BN_prime_checks>, a number of iterations is used that yields a false positive rate of at most 2^-80 for random input. If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called @@ -90,7 +90,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)> +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_mod_inverse.pod b/crypto/openssl/doc/crypto/BN_mod_inverse.pod index 49e62daf9f2e..3ea3975c7422 100644 --- a/crypto/openssl/doc/crypto/BN_mod_inverse.pod +++ b/crypto/openssl/doc/crypto/BN_mod_inverse.pod @@ -27,7 +27,7 @@ NULL on error. The error codes can be obtained by L<ERR_get_error(3)|ERR_get_err =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)> +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod index 0b8ab512df87..f3cee924b93a 100644 --- a/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod +++ b/crypto/openssl/doc/crypto/BN_mod_mul_montgomery.pod @@ -81,7 +81,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod index a28925f8a93a..74a216ddc2ad 100644 --- a/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod +++ b/crypto/openssl/doc/crypto/BN_mod_mul_reciprocal.pod @@ -69,7 +69,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<BN_add(3)|BN_add(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<BN_add(3)|BN_add(3)>, L<BN_CTX_new(3)|BN_CTX_new(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_new.pod b/crypto/openssl/doc/crypto/BN_new.pod index c1394ff2a37d..3033789c5147 100644 --- a/crypto/openssl/doc/crypto/BN_new.pod +++ b/crypto/openssl/doc/crypto/BN_new.pod @@ -42,7 +42,7 @@ values. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)> +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod index 9cec238f9e24..81f93c2eb3a4 100644 --- a/crypto/openssl/doc/crypto/BN_rand.pod +++ b/crypto/openssl/doc/crypto/BN_rand.pod @@ -45,7 +45,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<bn(3)|bn(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, +L<bn(3)|bn(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DH_generate_key.pod b/crypto/openssl/doc/crypto/DH_generate_key.pod index 920995b2e5aa..81f09fdf45ea 100644 --- a/crypto/openssl/doc/crypto/DH_generate_key.pod +++ b/crypto/openssl/doc/crypto/DH_generate_key.pod @@ -40,7 +40,7 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)> +L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DH_size(3)|DH_size(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DH_generate_parameters.pod b/crypto/openssl/doc/crypto/DH_generate_parameters.pod index a7d0c75f0cb3..9081e9ea7cf9 100644 --- a/crypto/openssl/doc/crypto/DH_generate_parameters.pod +++ b/crypto/openssl/doc/crypto/DH_generate_parameters.pod @@ -59,7 +59,8 @@ a usable generator. =head1 SEE ALSO -L<dh(3)|dh(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DH_free(3)|DH_free(3)> +L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, +L<DH_free(3)|DH_free(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DH_new.pod b/crypto/openssl/doc/crypto/DH_new.pod index 64624b9d1560..60c930093e02 100644 --- a/crypto/openssl/doc/crypto/DH_new.pod +++ b/crypto/openssl/doc/crypto/DH_new.pod @@ -29,7 +29,7 @@ DH_free() returns no value. =head1 SEE ALSO -L<dh(3)|dh(3)>, L<err(3)|err(3)>, +L<dh(3)|dh(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<DH_generate_parameters(3)|DH_generate_parameters(3)>, L<DH_generate_key(3)|DH_generate_key(3)> diff --git a/crypto/openssl/doc/crypto/DSA_SIG_new.pod b/crypto/openssl/doc/crypto/DSA_SIG_new.pod index 671655554a53..3ac614003816 100644 --- a/crypto/openssl/doc/crypto/DSA_SIG_new.pod +++ b/crypto/openssl/doc/crypto/DSA_SIG_new.pod @@ -30,7 +30,8 @@ DSA_SIG_free() returns no value. =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)> +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, +L<DSA_do_sign(3)|DSA_do_sign(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DSA_do_sign.pod b/crypto/openssl/doc/crypto/DSA_do_sign.pod index a24fd5714efe..5dfc733b20e2 100644 --- a/crypto/openssl/doc/crypto/DSA_do_sign.pod +++ b/crypto/openssl/doc/crypto/DSA_do_sign.pod @@ -36,7 +36,7 @@ L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DSA_SIG_new(3)|DSA_SIG_new(3)>, L<DSA_sign(3)|DSA_sign(3)> diff --git a/crypto/openssl/doc/crypto/DSA_dup_DH.pod b/crypto/openssl/doc/crypto/DSA_dup_DH.pod index 29cb1075d110..695f99a13b19 100644 --- a/crypto/openssl/doc/crypto/DSA_dup_DH.pod +++ b/crypto/openssl/doc/crypto/DSA_dup_DH.pod @@ -27,7 +27,7 @@ Be careful to avoid small subgroup attacks when using this. =head1 SEE ALSO -L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<err(3)|err(3)> +L<dh(3)|dh(3)>, L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DSA_generate_key.pod b/crypto/openssl/doc/crypto/DSA_generate_key.pod index 52890db5be20..af83ccfaa16b 100644 --- a/crypto/openssl/doc/crypto/DSA_generate_key.pod +++ b/crypto/openssl/doc/crypto/DSA_generate_key.pod @@ -24,7 +24,8 @@ The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)> +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, +L<DSA_generate_parameters(3)|DSA_generate_parameters(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DSA_generate_parameters.pod b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod index 43f60b0eb955..be7c924ff8f9 100644 --- a/crypto/openssl/doc/crypto/DSA_generate_parameters.pod +++ b/crypto/openssl/doc/crypto/DSA_generate_parameters.pod @@ -90,7 +90,7 @@ Seed lengths E<gt> 20 are not supported. =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DSA_free(3)|DSA_free(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/DSA_new.pod b/crypto/openssl/doc/crypto/DSA_new.pod index 7dde54445b75..301af912dd53 100644 --- a/crypto/openssl/doc/crypto/DSA_new.pod +++ b/crypto/openssl/doc/crypto/DSA_new.pod @@ -30,7 +30,7 @@ DSA_free() returns no value. =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<DSA_generate_parameters(3)|DSA_generate_parameters(3)>, L<DSA_generate_key(3)|DSA_generate_key(3)> diff --git a/crypto/openssl/doc/crypto/DSA_sign.pod b/crypto/openssl/doc/crypto/DSA_sign.pod index f6e60a8ca32e..97389e8ec885 100644 --- a/crypto/openssl/doc/crypto/DSA_sign.pod +++ b/crypto/openssl/doc/crypto/DSA_sign.pod @@ -55,7 +55,7 @@ Standard, DSS), ANSI X9.30 =head1 SEE ALSO -L<dsa(3)|dsa(3)>, L<err(3)|err(3)>, L<rand(3)|rand(3)>, +L<dsa(3)|dsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<DSA_do_sign(3)|DSA_do_sign(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/EVP_SealInit.pod b/crypto/openssl/doc/crypto/EVP_SealInit.pod index 0451eb648a39..7cd12491cda0 100644 --- a/crypto/openssl/doc/crypto/EVP_SealInit.pod +++ b/crypto/openssl/doc/crypto/EVP_SealInit.pod @@ -12,7 +12,7 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk); int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, unsigned char *in, int inl); - int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, + void EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); =head1 DESCRIPTION @@ -43,8 +43,7 @@ page. EVP_SealInit() returns 0 on error or B<npubk> if successful. -EVP_SealUpdate() and EVP_SealFinal() return 1 for success and 0 for -failure. +EVP_SealUpdate() returns 1 for success and 0 for failure. =head1 NOTES diff --git a/crypto/openssl/doc/crypto/RAND_bytes.pod b/crypto/openssl/doc/crypto/RAND_bytes.pod index b6ebd5052788..ce6329ce54af 100644 --- a/crypto/openssl/doc/crypto/RAND_bytes.pod +++ b/crypto/openssl/doc/crypto/RAND_bytes.pod @@ -35,7 +35,8 @@ method. =head1 SEE ALSO -L<rand(3)|rand(3)>, L<err(3)|err(3)>, L<RAND_add(3)|RAND_add(3)> +L<rand(3)|rand(3)>, L<ERR_get_error(3)|ERR_get_error(3)>, +L<RAND_add(3)|RAND_add(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_check_key.pod b/crypto/openssl/doc/crypto/RSA_check_key.pod index 8a42d2e0d47e..f476a56ac8ea 100644 --- a/crypto/openssl/doc/crypto/RSA_check_key.pod +++ b/crypto/openssl/doc/crypto/RSA_check_key.pod @@ -39,7 +39,7 @@ key data too. =head1 SEE ALSO -L<rsa(3)|rsa(3)>, L<err(3)|err(3)> +L<rsa(3)|rsa(3)>, L<ERR_get_error(3)|ERR_get_error(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_generate_key.pod b/crypto/openssl/doc/crypto/RSA_generate_key.pod index 8714f7179d65..52dbb14a537d 100644 --- a/crypto/openssl/doc/crypto/RSA_generate_key.pod +++ b/crypto/openssl/doc/crypto/RSA_generate_key.pod @@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values. =head1 SEE ALSO -L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_free(3)|RSA_free(3)> +L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, +L<RSA_free(3)|RSA_free(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_print.pod b/crypto/openssl/doc/crypto/RSA_print.pod index 67876facc5df..e28d107d1c6e 100644 --- a/crypto/openssl/doc/crypto/RSA_print.pod +++ b/crypto/openssl/doc/crypto/RSA_print.pod @@ -2,9 +2,9 @@ =head1 NAME -RSA_print, RSA_print_fp, DHparams_print, DHparams_print_fp, DSA_print, -DSA_print_fp, DHparams_print, DHparams_print_fp - print cryptographic -parameters +RSA_print, RSA_print_fp, +DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp, +DHparams_print, DHparams_print_fp - print cryptographic parameters =head1 SYNOPSIS diff --git a/crypto/openssl/doc/crypto/RSA_private_encrypt.pod b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod index 6861a98a109a..746a80c79ea0 100644 --- a/crypto/openssl/doc/crypto/RSA_private_encrypt.pod +++ b/crypto/openssl/doc/crypto/RSA_private_encrypt.pod @@ -59,7 +59,8 @@ obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO -L<err(3)|err(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)> +L<ERR_get_error(3)|ERR_get_error(3)>, L<rsa(3)|rsa(3)>, +L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod index 02edb7aa756f..9ae5f93152f9 100644 --- a/crypto/openssl/doc/crypto/RSA_public_encrypt.pod +++ b/crypto/openssl/doc/crypto/RSA_public_encrypt.pod @@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0 =head1 SEE ALSO -L<err(3)|err(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_size(3)|RSA_size(3)> +L<ERR_get_error(3)|ERR_get_error(3)>, L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, +L<RSA_size(3)|RSA_size(3)> =head1 NOTES diff --git a/crypto/openssl/doc/crypto/RSA_sign.pod b/crypto/openssl/doc/crypto/RSA_sign.pod index f0bf6eea1b35..71688a665e13 100644 --- a/crypto/openssl/doc/crypto/RSA_sign.pod +++ b/crypto/openssl/doc/crypto/RSA_sign.pod @@ -50,8 +50,8 @@ SSL, PKCS #1 v2.0 =head1 SEE ALSO -L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>, -L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>, +L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>, +L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>, L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod index df9ceb339a63..e70380bbfc96 100644 --- a/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod +++ b/crypto/openssl/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod @@ -47,8 +47,8 @@ These functions serve no recognizable purpose. =head1 SEE ALSO -L<err(3)|err(3)>, L<objects(3)|objects(3)>, L<rand(3)|rand(3)>, -L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, +L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>, +L<rand(3)|rand(3)>, L<rsa(3)|rsa(3)>, L<RSA_sign(3)|RSA_sign(3)>, L<RSA_verify(3)|RSA_verify(3)> =head1 HISTORY diff --git a/crypto/openssl/doc/openssl.txt b/crypto/openssl/doc/openssl.txt index 5da519e7e465..432a17b66cf8 100644 --- a/crypto/openssl/doc/openssl.txt +++ b/crypto/openssl/doc/openssl.txt @@ -344,7 +344,7 @@ the extension. Examples: -subjectAltName=email:copy,email:my@other.address,URL:http://my.url.here/ +subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ subjectAltName=email:my@other.address,RID:1.2.3.4 Issuer Alternative Name. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod index af326c2f7340..82676b26b239 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod @@ -37,6 +37,14 @@ removed and replaced by the new session. If the session is actually identical (the SSL_SESSION object is identical), SSL_CTX_add_session() is a no-op, and the return value is 0. +If a server SSL_CTX is configured with the SSL_SESS_CACHE_NO_INTERNAL_STORE +flag then the internal cache will not be populated automatically by new +sessions negotiated by the SSL/TLS implementation, even though the internal +cache will be searched automatically for session-resume requests (the +latter can be surpressed by SSL_SESS_CACHE_NO_INTERNAL_LOOKUP). So the +application can use SSL_CTX_add_session() directly to have full control +over the sessions that can be resumed if desired. + =head1 RETURN VALUES diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod index 9aa6c6b2e393..c5d2f43dff15 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -26,12 +26,14 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX object. In order to reuse a session, a client must send the session's id to the -server. It can only send exactly one id. The server then decides whether it -agrees in reusing the session or starts the handshake for a new session. +server. It can only send exactly one id. The server then either +agrees to reuse the session or it starts a full handshake (to create a new +session). -A server will lookup up the session in its internal session storage. If -the session is not found in internal storage or internal storage is -deactivated, the server will try the external storage if available. +A server will lookup up the session in its internal session storage. If the +session is not found in internal storage or lookups for the internal storage +have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try +the external storage if available. Since a client may try to reuse a session intended for use in a different context, the session id context must be set by the server (see @@ -57,9 +59,10 @@ function. This option is not activated by default. =item SSL_SESS_CACHE_SERVER Server sessions are added to the session cache. When a client proposes a -session to be reused, the session is looked up in the internal session cache. -If the session is found, the server will try to reuse the session. -This is the default. +session to be reused, the server looks for the corresponding session in (first) +the internal session cache (unless SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set), +then (second) in the external cache if available. If the session is found, the +server will try to reuse the session. This is the default. =item SSL_SESS_CACHE_BOTH @@ -77,12 +80,32 @@ explicitly by the application. =item SSL_SESS_CACHE_NO_INTERNAL_LOOKUP -By setting this flag sessions are cached in the internal storage but -they are not looked up automatically. If an external session cache -is enabled, sessions are looked up in the external cache. As automatic -lookup only applies for SSL/TLS servers, the flag has no effect on +By setting this flag, session-resume operations in an SSL/TLS server will not +automatically look up sessions in the internal cache, even if sessions are +automatically stored there. If external session caching callbacks are in use, +this flag guarantees that all lookups are directed to the external cache. +As automatic lookup only applies for SSL/TLS servers, the flag has no effect on clients. +=item SSL_SESS_CACHE_NO_INTERNAL_STORE + +Depending on the presence of SSL_SESS_CACHE_CLIENT and/or SSL_SESS_CACHE_SERVER, +sessions negotiated in an SSL/TLS handshake may be cached for possible reuse. +Normally a new session is added to the internal cache as well as any external +session caching (callback) that is configured for the SSL_CTX. This flag will +prevent sessions being stored in the internal cache (though the application can +add them manually using L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>). Note: +in any SSL/TLS servers where external caching is configured, any successful +session lookups in the external cache (ie. for session-resume requests) would +normally be copied into the local cache before processing continues - this flag +prevents these additions to the internal cache as well. + +=item SSL_SESS_CACHE_NO_INTERNAL + +Enable both SSL_SESS_CACHE_NO_INTERNAL_LOOKUP and +SSL_SESS_CACHE_NO_INTERNAL_STORE at the same time. + + =back The default mode is SSL_SESS_CACHE_SERVER. @@ -98,6 +121,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode. L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>, L<SSL_session_reused(3)|SSL_session_reused(3)>, +L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>, L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>, L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>, L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>, @@ -105,4 +129,9 @@ L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>, L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> +=head1 HISTORY + +SSL_SESS_CACHE_NO_INTERNAL_STORE and SSL_SESS_CACHE_NO_INTERNAL +were introduced in OpenSSL 0.9.6h. + =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod index 5bb21ca53570..d15b2a3a1a5b 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -235,7 +235,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>). * At this point, err contains the last verification error. We can use * it for something special */ - if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) + if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, 256); printf("issuer= %s\n", buf); diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod index 2dcee0385a40..8c4970491c22 100644 --- a/crypto/openssl/doc/ssl/ssl.pod +++ b/crypto/openssl/doc/ssl/ssl.pod @@ -347,7 +347,7 @@ appropriate size (using ???) and return it. long B<SSL_set_tmp_rsa_callback>(SSL *ssl, RSA *(*cb)(SSL *ssl, int export, int keylength)); -The same as L<"SSL_CTX_set_tmp_rsa_callback">, except it operates on an SSL +The same as B<SSL_CTX_set_tmp_rsa_callback>, except it operates on an SSL session instead of a context. =item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void)) diff --git a/crypto/openssl/e_os.h b/crypto/openssl/e_os.h index d49c6ef7e739..58df717722c4 100644 --- a/crypto/openssl/e_os.h +++ b/crypto/openssl/e_os.h @@ -219,10 +219,11 @@ extern "C" { # define _kbhit kbhit # endif -# if defined(WIN16) && !defined(MONOLITH) && defined(SSLEAY) && defined(_WINEXITNOPERSIST) -# define EXIT(n) { if (n == 0) _wsetexit(_WINEXITNOPERSIST); return(n); } +# if defined(WIN16) && defined(SSLEAY) && defined(_WINEXITNOPERSIST) +# define EXIT(n) _wsetexit(_WINEXITNOPERSIST) +# define OPENSSL_EXIT(n) do { if (n == 0) EXIT(n); return(n); } while(0) # else -# define EXIT(n) return(n); +# define EXIT(n) return(n) # endif # define LIST_SEPARATOR_CHAR ';' # ifndef X_OK @@ -275,18 +276,13 @@ extern "C" { the status is tagged as an error, which I believe is what is wanted here. -- Richard Levitte */ -# if !defined(MONOLITH) || defined(OPENSSL_C) -# define EXIT(n) do { int __VMS_EXIT = n; \ +# define EXIT(n) do { int __VMS_EXIT = n; \ if (__VMS_EXIT == 0) \ __VMS_EXIT = 1; \ else \ __VMS_EXIT = (n << 3) | 2; \ __VMS_EXIT |= 0x10000000; \ - exit(__VMS_EXIT); \ - return(__VMS_EXIT); } while(0) -# else -# define EXIT(n) return(n) -# endif + exit(__VMS_EXIT); } while(0) # define NO_SYS_PARAM_H # else /* !defined VMS */ @@ -317,11 +313,7 @@ extern "C" { # define RFILE ".rnd" # define LIST_SEPARATOR_CHAR ':' # define NUL_DEV "/dev/null" -# ifndef MONOLITH -# define EXIT(n) exit(n); return(n) -# else -# define EXIT(n) return(n) -# endif +# define EXIT(n) exit(n) # endif # define SSLeay_getpid() getpid() @@ -441,6 +433,14 @@ extern char *sys_errlist[]; extern int sys_nerr; (((errnum)<0 || (errnum)>=sys_nerr) ? NULL : sys_errlist[errnum]) #endif +#ifndef OPENSSL_EXIT +# if defined(MONOLITH) && !defined(OPENSSL_C) +# define OPENSSL_EXIT(n) return(n) +# else +# define OPENSSL_EXIT(n) do { EXIT(n); return(n); } while(0) +# endif +#endif + /***********************************************/ /* do we need to do this for getenv. diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index 9bd9edb4b0e9..c3ca2610e4ad 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 6 -%define librev g +%define librev i Release: 1 %define openssldir /var/ssl diff --git a/crypto/openssl/ssl/Makefile.ssl b/crypto/openssl/ssl/Makefile.ssl index 4b8053ace67c..c25e6c8ea1af 100644 --- a/crypto/openssl/ssl/Makefile.ssl +++ b/crypto/openssl/ssl/Makefile.ssl @@ -84,7 +84,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index 4a7aff59ad94..8c198d44b30b 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #include <stdio.h> @@ -89,18 +87,25 @@ SSL_METHOD *SSLv23_client_method(void) if (init) { - memcpy((char *)&SSLv23_client_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_client_data.ssl_connect=ssl23_connect; - SSLv23_client_data.get_ssl_method=ssl23_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_client_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_client_data.ssl_connect=ssl23_connect; + SSLv23_client_data.get_ssl_method=ssl23_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_client_data); } int ssl23_connect(SSL *s) { - BUF_MEM *buf; + BUF_MEM *buf=NULL; unsigned long Time=time(NULL); void (*cb)()=NULL; int ret= -1; @@ -154,6 +159,7 @@ int ssl23_connect(SSL *s) goto end; } s->init_buf=buf; + buf=NULL; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } @@ -202,6 +208,8 @@ int ssl23_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c index fe7e2d117363..ad2d8dadf755 100644 --- a/crypto/openssl/ssl/s23_lib.c +++ b/crypto/openssl/ssl/s23_lib.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #include <stdio.h> diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c index 40684311db30..f207140835f8 100644 --- a/crypto/openssl/ssl/s23_meth.c +++ b/crypto/openssl/ssl/s23_meth.c @@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void) if (init) { - memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), - sizeof(SSL_METHOD)); - SSLv23_data.ssl_connect=ssl23_connect; - SSLv23_data.ssl_accept=ssl23_accept; - SSLv23_data.get_ssl_method=ssl23_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), + sizeof(SSL_METHOD)); + SSLv23_data.ssl_connect=ssl23_connect; + SSLv23_data.ssl_accept=ssl23_accept; + SSLv23_data.get_ssl_method=ssl23_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_data); } diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c index b93f315bedab..40ffb65efd0a 100644 --- a/crypto/openssl/ssl/s23_srvr.c +++ b/crypto/openssl/ssl/s23_srvr.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. @@ -141,11 +139,18 @@ SSL_METHOD *SSLv23_server_method(void) if (init) { - memcpy((char *)&SSLv23_server_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_server_data.ssl_accept=ssl23_accept; - SSLv23_server_data.get_ssl_method=ssl23_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_server_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_server_data.ssl_accept=ssl23_accept; + SSLv23_server_data.get_ssl_method=ssl23_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_server_data); } diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c index 82b70c780e67..61adfcf199e2 100644 --- a/crypto/openssl/ssl/s2_clnt.c +++ b/crypto/openssl/ssl/s2_clnt.c @@ -107,7 +107,6 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - * $FreeBSD$ */ #include "ssl_locl.h" @@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_client_method(void) if (init) { - memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_client_data.ssl_connect=ssl2_connect; - SSLv2_client_data.get_ssl_method=ssl2_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_client_data.ssl_connect=ssl2_connect; + SSLv2_client_data.get_ssl_method=ssl2_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_client_data); } @@ -202,10 +208,13 @@ int ssl2_connect(SSL *s) if (!BUF_MEM_grow(buf, SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)) { + if (buf == s->init_buf) + buf=NULL; ret= -1; goto end; } s->init_buf=buf; + buf=NULL; s->init_num=0; s->state=SSL2_ST_SEND_CLIENT_HELLO_A; s->ctx->stats.sess_connect++; @@ -332,6 +341,8 @@ int ssl2_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); @@ -746,8 +757,8 @@ static int client_certificate(SSL *s) if (s->state == SSL2_ST_SEND_CLIENT_CERTIFICATE_A) { i=ssl2_read(s,(char *)&(buf[s->init_num]), - SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num); - if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num)) + SSL2_MAX_CERT_CHALLENGE_LENGTH+2-s->init_num); + if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+2-s->init_num)) return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i)); s->init_num += i; diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index 3917efb4ae7b..8e5975cdc82f 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #include "ssl_locl.h" diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index 64c6575c47c7..bc4113cd6811 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #include "ssl_locl.h" @@ -309,7 +307,7 @@ void ssl2_free(SSL *s) s2=s->s2; if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf); if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf); - memset(s2,0,sizeof *s2); + OPENSSL_cleanse(s2,sizeof *s2); OPENSSL_free(s2); s->s2=NULL; } @@ -378,15 +376,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - for (i=0; i<SSL2_NUM_CIPHERS; i++) - sorted[i]= &(ssl2_ciphers[i]); + if (init) + { + for (i=0; i<SSL2_NUM_CIPHERS; i++) + sorted[i]= &(ssl2_ciphers[i]); - qsort( (char *)sorted, - SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *), - FP_ICC ssl_cipher_ptr_id_cmp); + qsort((char *)sorted, + SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *), + FP_ICC ssl_cipher_ptr_id_cmp); + init=0; + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); - init=0; } id=0x02000000L|((unsigned long)p[0]<<16L)| diff --git a/crypto/openssl/ssl/s2_meth.c b/crypto/openssl/ssl/s2_meth.c index 01cc05ff51f6..4483572fcec9 100644 --- a/crypto/openssl/ssl/s2_meth.c +++ b/crypto/openssl/ssl/s2_meth.c @@ -54,8 +54,6 @@ * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] - * - * $FreeBSD$ */ #include "ssl_locl.h" @@ -79,12 +77,19 @@ SSL_METHOD *SSLv2_method(void) if (init) { - memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_data.ssl_connect=ssl2_connect; - SSLv2_data.ssl_accept=ssl2_accept; - SSLv2_data.get_ssl_method=ssl2_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_data.ssl_connect=ssl2_connect; + SSLv2_data.ssl_accept=ssl2_accept; + SSLv2_data.get_ssl_method=ssl2_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_data); } diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 067d9dfa68b4..3cd7597fe700 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -107,7 +107,6 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - * $FreeBSD$ */ #include "ssl_locl.h" diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index 32519a7c5da5..4ba8fb6534d5 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -107,7 +107,6 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * - * $FreeBSD$ */ #include "ssl_locl.h" @@ -146,11 +145,18 @@ SSL_METHOD *SSLv2_server_method(void) if (init) { - memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_server_data.ssl_accept=ssl2_accept; - SSLv2_server_data.get_ssl_method=ssl2_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_server_data.ssl_accept=ssl2_accept; + SSLv2_server_data.get_ssl_method=ssl2_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_server_data); } @@ -1002,7 +1008,7 @@ static int request_certificate(SSL *s) len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) { - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); + SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG); goto end; } j = (int)len - s->init_num; diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 32b9cea1cabf..60c97ee62940 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -146,18 +146,25 @@ SSL_METHOD *SSLv3_client_method(void) if (init) { - init=0; - memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_client_data.ssl_connect=ssl3_connect; - SSLv3_client_data.get_ssl_method=ssl3_get_client_method; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_client_data.ssl_connect=ssl3_connect; + SSLv3_client_data.get_ssl_method=ssl3_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_client_data); } int ssl3_connect(SSL *s) { - BUF_MEM *buf; + BUF_MEM *buf=NULL; unsigned long Time=time(NULL),l; long num1; void (*cb)()=NULL; @@ -218,6 +225,7 @@ int ssl3_connect(SSL *s) goto end; } s->init_buf=buf; + buf=NULL; } if (!ssl3_setup_buffers(s)) { ret= -1; goto end; } @@ -496,6 +504,8 @@ int ssl3_connect(SSL *s) } end: s->in_handshake--; + if (buf != NULL) + BUF_MEM_free(buf); if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); return(ret); @@ -632,23 +642,11 @@ static int ssl3_get_server_hello(SSL *s) /* get the session-id */ j= *(p++); - if(j > sizeof s->session->session_id) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_SSL3_SESSION_ID_TOO_LONG); - goto f_err; - } - - if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) + if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { - /* SSLref returns 16 :-( */ - if (j < SSL2_SSL_SESSION_ID_LENGTH) - { - al=SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT); - goto f_err; - } + al=SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; } if (j != 0 && j == s->session->session_id_length && memcmp(p,s->session->session_id,j) == 0) @@ -656,6 +654,7 @@ static int ssl3_get_server_hello(SSL *s) if(s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length)) { + /* actually a client application bug */ al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); goto f_err; @@ -699,7 +698,12 @@ static int ssl3_get_server_hello(SSL *s) goto f_err; } - if (s->hit && (s->session->cipher != c)) + /* Depending on the session caching (internal/external), the cipher + and/or cipher_id values may not be set. Make sure that + cipher_id is set and use it for comparison. */ + if (s->session->cipher) + s->session->cipher_id = s->session->cipher->id; + if (s->hit && (s->session->cipher_id != c->id)) { if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) @@ -1460,7 +1464,7 @@ static int ssl3_send_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); - memset(tmp_buf,0,SSL_MAX_MASTER_KEY_LENGTH); + OPENSSL_cleanse(tmp_buf,SSL_MAX_MASTER_KEY_LENGTH); } else #endif diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 79fa4f97c24f..bbadac0d3705 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -174,7 +174,7 @@ static void ssl3_generate_key_block(SSL *s, unsigned char *km, int num) km+=MD5_DIGEST_LENGTH; } - memset(smd,0,SHA_DIGEST_LENGTH); + OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH); } int ssl3_change_cipher_state(SSL *s, int which) @@ -318,8 +318,8 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); - memset(&(exp_key[0]),0,sizeof(exp_key)); - memset(&(exp_iv[0]),0,sizeof(exp_iv)); + OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key)); + OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv)); return(1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); @@ -390,7 +390,7 @@ void ssl3_cleanup_key_block(SSL *s) { if (s->s3->tmp.key_block != NULL) { - memset(s->s3->tmp.key_block,0, + OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); OPENSSL_free(s->s3->tmp.key_block); s->s3->tmp.key_block=NULL; @@ -456,6 +456,7 @@ int ssl3_enc(SSL *s, int send) ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } + /* otherwise, rec->length >= bs */ } EVP_Cipher(ds,rec->data,rec->input,l); @@ -464,7 +465,7 @@ int ssl3_enc(SSL *s, int send) { i=rec->data[l-1]+1; /* SSL 3.0 bounds the number of padding bytes by the block size; - * padding bytes (except that last) are arbitrary */ + * padding bytes (except the last one) are arbitrary */ if (i > bs) { /* Incorrect padding. SSLerr() and ssl3_alert are done @@ -473,6 +474,7 @@ int ssl3_enc(SSL *s, int send) * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ return -1; } + /* now i <= bs <= rec->length */ rec->length-=i; } } diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 9951ebb4191e..fb8ce5e2e318 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -732,7 +732,7 @@ void ssl3_free(SSL *s) #endif if (s->s3->tmp.ca_names != NULL) sk_X509_NAME_pop_free(s->s3->tmp.ca_names,X509_NAME_free); - memset(s->s3,0,sizeof *s->s3); + OPENSSL_cleanse(s->s3,sizeof *s->s3); OPENSSL_free(s->s3); s->s3=NULL; } @@ -1084,16 +1084,19 @@ SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - for (i=0; i<SSL3_NUM_CIPHERS; i++) - sorted[i]= &(ssl3_ciphers[i]); + if (init) + { + for (i=0; i<SSL3_NUM_CIPHERS; i++) + sorted[i]= &(ssl3_ciphers[i]); - qsort( (char *)sorted, - SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), - FP_ICC ssl_cipher_ptr_id_cmp); + qsort(sorted, + SSL3_NUM_CIPHERS,sizeof(SSL_CIPHER *), + FP_ICC ssl_cipher_ptr_id_cmp); + init=0; + } + CRYPTO_w_unlock(CRYPTO_LOCK_SSL); - - init=0; } id=0x03000000L|((unsigned long)p[0]<<8L)|(unsigned long)p[1]; diff --git a/crypto/openssl/ssl/s3_meth.c b/crypto/openssl/ssl/s3_meth.c index 81bcad89c52f..1fd7a96f87ba 100644 --- a/crypto/openssl/ssl/s3_meth.c +++ b/crypto/openssl/ssl/s3_meth.c @@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void) if (init) { - memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_data.ssl_connect=ssl3_connect; - SSLv3_data.ssl_accept=ssl3_accept; - SSLv3_data.get_ssl_method=ssl3_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_data.ssl_connect=ssl3_connect; + SSLv3_data.ssl_accept=ssl3_accept; + SSLv3_data.get_ssl_method=ssl3_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_data); } diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index f52303c7c3e0..caf975d68880 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s) unsigned int mac_size; int clear=0; size_t extra; + int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= &(s->s3->rrec); sess=s->session; @@ -353,8 +355,11 @@ again: /* SSLerr() and ssl3_send_alert() have been called */ goto err; - /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + /* Otherwise enc_err == -1, which indicates bad padding + * (rec->length has not been changed in this case). + * To minimize information leaked via timing, we will perform + * the MAC computation anyway. */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -380,28 +385,46 @@ printf("\n"); SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length < mac_size) + if (rr->length >= mac_size) { + rr->length -= mac_size; + mac = &rr->data[rr->length]; + } + else + { + /* record (minus padding) is too short to contain a MAC */ #if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; + rr->length = 0; #endif } - rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); - if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) + if (mac == NULL || memcmp(md, mac, mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* A separate 'decryption_failed' alert was introduced with TLS 1.0, + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption + * failure is directly visible from the ciphertext anyway, + * we should not reveal which kind of error occured -- this + * might become visible to an attacker (e.g. via a logfile) */ + al=SSL_AD_BAD_RECORD_MAC; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + goto f_err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { @@ -443,14 +466,6 @@ printf("\n"); return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index fe1e6890142b..6b414cfa5c8b 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -151,11 +151,18 @@ SSL_METHOD *SSLv3_server_method(void) if (init) { - memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_server_data.ssl_accept=ssl3_accept; - SSLv3_server_data.get_ssl_method=ssl3_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_server_data.ssl_accept=ssl3_accept; + SSLv3_server_data.get_ssl_method=ssl3_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_server_data); } @@ -1464,7 +1471,7 @@ static int ssl3_get_client_key_exchange(SSL *s) s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, p,i); - memset(p,0,i); + OPENSSL_cleanse(p,i); } else #endif @@ -1527,7 +1534,7 @@ static int ssl3_get_client_key_exchange(SSL *s) s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,p,i); - memset(p,0,i); + OPENSSL_cleanse(p,i); } else #endif @@ -1559,7 +1566,7 @@ static int ssl3_get_cert_verify(SSL *s) SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, - 512, /* 512? */ + 514, /* 514? */ &ok); if (!ok) return((int)n); diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index 3eecead605c9..ed2eae96e3a1 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -551,10 +551,11 @@ struct ssl_ctx_st #define SSL_SESS_CACHE_SERVER 0x0002 #define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER) #define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080 -/* This one, when set, makes the server session-id lookup not look - * in the cache. If there is an application get_session callback - * defined, this will still get called. */ +/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */ #define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100 +#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200 +#define SSL_SESS_CACHE_NO_INTERNAL \ + (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE) struct lhash_st *SSL_CTX_sessions(SSL_CTX *ctx); #define SSL_CTX_sess_number(ctx) \ diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 4f84a3476da0..6bc3d4d70ea9 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -1245,13 +1245,24 @@ void SSL_CTX_free(SSL_CTX *a) abort(); /* ok */ } #endif + + /* + * Free internal session cache. However: the remove_cb() may reference + * the ex_data of SSL_CTX, thus the ex_data store can only be removed + * after the sessions were flushed. + * As the ex_data handling routines might also touch the session cache, + * the most secure solution seems to be: empty (flush) the cache, then + * free ex_data, then finally free the cache. + * (See ticket [openssl.org #212].) + */ + if (a->sessions != NULL) + SSL_CTX_flush_sessions(a,0); + CRYPTO_free_ex_data(ssl_ctx_meth,(char *)a,&a->ex_data); if (a->sessions != NULL) - { - SSL_CTX_flush_sessions(a,0); - lh_free(a->sessions); - } + lh_free(a->sessions); + if (a->cert_store != NULL) X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) @@ -1472,7 +1483,7 @@ void ssl_update_cache(SSL *s,int mode) i=s->ctx->session_cache_mode; if ((i & mode) && (!s->hit) - && ((i & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP) + && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) || SSL_CTX_add_session(s->ctx,s->session)) && (s->ctx->new_session_cb != NULL)) { diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 2f2d5bc27f7c..a8668e42e640 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -258,9 +258,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len) if (copy) CRYPTO_add(&ret->references,1,CRYPTO_LOCK_SSL_SESSION); - /* The following should not return 1, otherwise, - * things are very strange */ - SSL_CTX_add_session(s->ctx,ret); + /* Add the externally cached session to the internal + * cache as well if and only if we are supposed to. */ + if(!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) + /* The following should not return 1, otherwise, + * things are very strange */ + SSL_CTX_add_session(s->ctx,ret); } if (ret == NULL) goto err; @@ -474,13 +477,13 @@ void SSL_SESSION_free(SSL_SESSION *ss) CRYPTO_free_ex_data(ssl_session_meth,ss,&ss->ex_data); - memset(ss->key_arg,0,SSL_MAX_KEY_ARG_LENGTH); - memset(ss->master_key,0,SSL_MAX_MASTER_KEY_LENGTH); - memset(ss->session_id,0,SSL_MAX_SSL_SESSION_ID_LENGTH); + OPENSSL_cleanse(ss->key_arg,SSL_MAX_KEY_ARG_LENGTH); + OPENSSL_cleanse(ss->master_key,SSL_MAX_MASTER_KEY_LENGTH); + OPENSSL_cleanse(ss->session_id,SSL_MAX_SSL_SESSION_ID_LENGTH); if (ss->sess_cert != NULL) ssl_sess_cert_free(ss->sess_cert); if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); - memset(ss,0,sizeof(*ss)); + OPENSSL_cleanse(ss,sizeof(*ss)); OPENSSL_free(ss); } diff --git a/crypto/openssl/ssl/ssltest.c b/crypto/openssl/ssl/ssltest.c index 5f91ed19c737..3de9663e51ae 100644 --- a/crypto/openssl/ssl/ssltest.c +++ b/crypto/openssl/ssl/ssltest.c @@ -224,12 +224,13 @@ int main(int argc, char *argv[]) verbose = 0; debug = 0; cipher = 0; - + + bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); - bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; @@ -247,12 +248,22 @@ int main(int argc, char *argv[]) debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; -#ifndef NO_DH else if (strcmp(*argv,"-dhe1024") == 0) + { +#ifndef NO_DH dhe1024=1; +#else + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); +#endif + } else if (strcmp(*argv,"-dhe1024dsa") == 0) + { +#ifndef NO_DH dhe1024dsa=1; +#else + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif + } else if (strcmp(*argv,"-no_dhe") == 0) no_dhe=1; else if (strcmp(*argv,"-ssl2") == 0) @@ -355,7 +366,7 @@ bad: "the test anyway (and\n-d to see what happens), " "or add one of -ssl2, -ssl3, -tls1, -reuse\n" "to avoid protocol mismatch.\n"); - exit(1); + EXIT(1); } if (print_time) @@ -620,6 +631,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, int i, r; clock_t c_clock = clock(); + memset(cbuf, 0, sizeof(cbuf)); + if (debug) if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", @@ -704,6 +717,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, int i, r; clock_t s_clock = clock(); + memset(sbuf, 0, sizeof(sbuf)); + if (debug) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", @@ -947,6 +962,9 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) int c_write,s_write; int do_server=0,do_client=0; + memset(cbuf,0,sizeof(cbuf)); + memset(sbuf,0,sizeof(sbuf)); + c_to_s=BIO_new(BIO_s_mem()); s_to_c=BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) diff --git a/crypto/openssl/ssl/t1_clnt.c b/crypto/openssl/ssl/t1_clnt.c index 9745630a008c..f68b9cc08567 100644 --- a/crypto/openssl/ssl/t1_clnt.c +++ b/crypto/openssl/ssl/t1_clnt.c @@ -79,11 +79,18 @@ SSL_METHOD *TLSv1_client_method(void) if (init) { - memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_client_data.ssl_connect=ssl3_connect; - TLSv1_client_data.get_ssl_method=tls1_get_client_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_client_data.ssl_connect=ssl3_connect; + TLSv1_client_data.get_ssl_method=tls1_get_client_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_client_data); } diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index f3ecc5f5869e..a11e1130d8de 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -158,7 +158,7 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, } HMAC_cleanup(&ctx); HMAC_cleanup(&ctx_tmp); - memset(A1,0,sizeof(A1)); + OPENSSL_cleanse(A1,sizeof(A1)); } static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, @@ -372,10 +372,10 @@ printf("\niv="); printf("\n"); #endif - memset(tmp1,0,sizeof(tmp1)); - memset(tmp2,0,sizeof(tmp1)); - memset(iv1,0,sizeof(iv1)); - memset(iv2,0,sizeof(iv2)); + OPENSSL_cleanse(tmp1,sizeof(tmp1)); + OPENSSL_cleanse(tmp2,sizeof(tmp1)); + OPENSSL_cleanse(iv1,sizeof(iv1)); + OPENSSL_cleanse(iv2,sizeof(iv2)); return(1); err: SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); @@ -426,7 +426,7 @@ printf("pre-master\n"); { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif tls1_generate_key_block(s,p1,p2,num); - memset(p2,0,num); + OPENSSL_cleanse(p2,num); OPENSSL_free(p2); #ifdef TLS_DEBUG printf("\nkey block\n"); diff --git a/crypto/openssl/ssl/t1_meth.c b/crypto/openssl/ssl/t1_meth.c index 9bb36a7d1ca9..fcc243f78264 100644 --- a/crypto/openssl/ssl/t1_meth.c +++ b/crypto/openssl/ssl/t1_meth.c @@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void) if (init) { - memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_data.ssl_connect=ssl3_connect; - TLSv1_data.ssl_accept=ssl3_accept; - TLSv1_data.get_ssl_method=tls1_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_data.ssl_connect=ssl3_connect; + TLSv1_data.ssl_accept=ssl3_accept; + TLSv1_data.get_ssl_method=tls1_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } + return(&TLSv1_data); } diff --git a/crypto/openssl/ssl/t1_srvr.c b/crypto/openssl/ssl/t1_srvr.c index 996b7ca8e2ef..7486c553de4e 100644 --- a/crypto/openssl/ssl/t1_srvr.c +++ b/crypto/openssl/ssl/t1_srvr.c @@ -80,11 +80,18 @@ SSL_METHOD *TLSv1_server_method(void) if (init) { - memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_server_data.ssl_accept=ssl3_accept; - TLSv1_server_data.get_ssl_method=tls1_get_server_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_server_data.ssl_accept=ssl3_accept; + TLSv1_server_data.get_ssl_method=tls1_get_server_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_server_data); } diff --git a/crypto/openssl/test/Makefile.ssl b/crypto/openssl/test/Makefile.ssl index 3cb1283d7c60..a6e22a3b86c0 100644 --- a/crypto/openssl/test/Makefile.ssl +++ b/crypto/openssl/test/Makefile.ssl @@ -85,7 +85,7 @@ top: all: exe -exe: $(EXE) +exe: $(EXE) dummytest files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO @@ -93,6 +93,10 @@ files: links: @@$(TOP)/util/point.sh Makefile.ssl Makefile +generate: $(SRC) +$(SRC): + @$(TOP)/util/point.sh dummytest.c $@ + errors: install: @@ -109,7 +113,7 @@ tests: exe apps \ test_ss test_ca test_ssl apps: - @(cd ../apps; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all) + @(cd ..; $(MAKE) DIRS=apps all) test_des: ./$(DESTEST) @@ -233,7 +237,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -243,10 +247,10 @@ clean: rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): - (cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') + (cd ..; $(MAKE) DIRS=ssl all) $(DLIBCRYPTO): - (cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}') + (cd ..; $(MAKE) DIRS=crypto all) $(RSATEST): $(RSATEST).o $(DLIBCRYPTO) $(CC) -o $(RSATEST) $(CFLAGS) $(RSATEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) @@ -317,9 +321,13 @@ $(METHTEST): $(METHTEST).o $(DLIBCRYPTO) $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) $(CC) -o $(SSLTEST) $(CFLAGS) $(SSLTEST).o $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS) +dummytest: dummytest.o $(DLIBCRYPTO) + $(CC) -o dummytest $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) + # DO NOT DELETE THIS LINE -- make depend depends on it. -bftest.o: ../include/openssl/blowfish.h +bftest.o: ../e_os.h ../include/openssl/blowfish.h ../include/openssl/e_os2.h +bftest.o: ../include/openssl/opensslconf.h bntest.o: ../include/openssl/asn1.h ../include/openssl/bio.h bntest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h bntest.o: ../include/openssl/buffer.h ../include/openssl/cast.h @@ -339,29 +347,31 @@ bntest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h bntest.o: ../include/openssl/sha.h ../include/openssl/stack.h bntest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h bntest.o: ../include/openssl/x509_vfy.h -casttest.o: ../include/openssl/cast.h +casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h +casttest.o: ../include/openssl/opensslconf.h destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h destest.o: ../include/openssl/opensslconf.h -dhtest.o: ../include/openssl/bio.h ../include/openssl/bn.h +dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h dhtest.o: ../include/openssl/crypto.h ../include/openssl/dh.h -dhtest.o: ../include/openssl/err.h ../include/openssl/lhash.h -dhtest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dhtest.o: ../include/openssl/rand.h ../include/openssl/safestack.h -dhtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dsatest.o: ../include/openssl/bio.h ../include/openssl/bn.h +dhtest.o: ../include/openssl/e_os2.h ../include/openssl/err.h +dhtest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h +dhtest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h +dhtest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +dhtest.o: ../include/openssl/symhacks.h +dsatest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h dsatest.o: ../include/openssl/crypto.h ../include/openssl/dh.h -dsatest.o: ../include/openssl/dsa.h ../include/openssl/err.h -dsatest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h -dsatest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h -dsatest.o: ../include/openssl/safestack.h ../include/openssl/stack.h -dsatest.o: ../include/openssl/symhacks.h -exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h -exptest.o: ../include/openssl/crypto.h ../include/openssl/err.h -exptest.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h -exptest.o: ../include/openssl/opensslv.h ../include/openssl/rand.h -exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h -exptest.o: ../include/openssl/symhacks.h -hmactest.o: ../include/openssl/asn1.h ../include/openssl/bio.h +dsatest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +dsatest.o: ../include/openssl/err.h ../include/openssl/lhash.h +dsatest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dsatest.o: ../include/openssl/rand.h ../include/openssl/safestack.h +dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +exptest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h +exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h +exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +exptest.o: ../include/openssl/rand.h ../include/openssl/safestack.h +exptest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h hmactest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h hmactest.o: ../include/openssl/cast.h ../include/openssl/crypto.h hmactest.o: ../include/openssl/des.h ../include/openssl/dh.h @@ -376,17 +386,26 @@ hmactest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h hmactest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h hmactest.o: ../include/openssl/safestack.h ../include/openssl/sha.h hmactest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ideatest.o: ../include/openssl/idea.h ../include/openssl/opensslconf.h -md2test.o: ../include/openssl/md2.h ../include/openssl/opensslconf.h -md4test.o: ../include/openssl/md4.h -md5test.o: ../include/openssl/md5.h -mdc2test.o: ../include/openssl/des.h ../include/openssl/e_os2.h +ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h +ideatest.o: ../include/openssl/opensslconf.h +md2test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md2.h +md2test.o: ../include/openssl/opensslconf.h +md4test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md4.h +md4test.o: ../include/openssl/opensslconf.h +md5test.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/md5.h +md5test.o: ../include/openssl/opensslconf.h +mdc2test.o: ../e_os.h ../include/openssl/des.h ../include/openssl/e_os2.h mdc2test.o: ../include/openssl/mdc2.h ../include/openssl/opensslconf.h -randtest.o: ../include/openssl/rand.h +randtest.o: ../e_os.h ../include/openssl/e_os2.h +randtest.o: ../include/openssl/opensslconf.h ../include/openssl/rand.h +rc2test.o: ../e_os.h ../include/openssl/e_os2.h rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h +rc4test.o: ../e_os.h ../include/openssl/e_os2.h rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h -rc5test.o: ../include/openssl/rc5.h -rmdtest.o: ../include/openssl/ripemd.h +rc5test.o: ../e_os.h ../include/openssl/e_os2.h +rc5test.o: ../include/openssl/opensslconf.h ../include/openssl/rc5.h +rmdtest.o: ../e_os.h ../include/openssl/e_os2.h +rmdtest.o: ../include/openssl/opensslconf.h ../include/openssl/ripemd.h rsa_test.o: ../include/openssl/bio.h ../include/openssl/bn.h rsa_test.o: ../include/openssl/crypto.h ../include/openssl/e_os.h rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h @@ -394,8 +413,10 @@ rsa_test.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h rsa_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h rsa_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h rsa_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -sha1test.o: ../include/openssl/sha.h -shatest.o: ../include/openssl/sha.h +sha1test.o: ../e_os.h ../include/openssl/e_os2.h +sha1test.o: ../include/openssl/opensslconf.h ../include/openssl/sha.h +shatest.o: ../e_os.h ../include/openssl/e_os2.h +shatest.o: ../include/openssl/opensslconf.h ../include/openssl/sha.h ssltest.o: ../include/openssl/asn1.h ../include/openssl/bio.h ssltest.o: ../include/openssl/blowfish.h ../include/openssl/bn.h ssltest.o: ../include/openssl/buffer.h ../include/openssl/cast.h diff --git a/crypto/openssl/test/methtest.c b/crypto/openssl/test/methtest.c index 06ccb3b31087..005c2f48220e 100644 --- a/crypto/openssl/test/methtest.c +++ b/crypto/openssl/test/methtest.c @@ -96,10 +96,10 @@ char *argv[]; METH_init(top); METH_control(tmp1,METH_CONTROL_DUMP,stdout); METH_control(tmp2,METH_CONTROL_DUMP,stdout); - exit(0); + EXIT(0); err: ERR_load_crypto_strings(); ERR_print_errors_fp(stderr); - exit(1); + EXIT(1); return(0); } diff --git a/crypto/openssl/test/testssl b/crypto/openssl/test/testssl index 2151a6438cda..ad4f45f1fa13 100644 --- a/crypto/openssl/test/testssl +++ b/crypto/openssl/test/testssl @@ -112,8 +112,12 @@ $ssltest -bio_pair -server_auth -client_auth $CA || exit 1 ############################################################################# -echo test tls1 with 1024bit anonymous DH, multiple handshakes -$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1 +if ../apps/openssl no-dh; then + echo skipping anonymous DH tests +else + echo test tls1 with 1024bit anonymous DH, multiple handshakes + $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1 +fi if ../apps/openssl no-rsa; then echo skipping RSA tests @@ -121,8 +125,12 @@ else echo test tls1 with 1024bit RSA, no DHE, multiple handshakes ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1 - echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes - ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1 + if ../apps/openssl no-dh; then + echo skipping RSA+DHE tests + else + echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes + ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1 + fi fi exit 0 diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 049bb3f1ae6b..5b521d96eb6b 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/local/bin/perl5 # Perl c_rehash script, scan all files in a directory @@ -100,7 +100,8 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in $fname`; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; @@ -130,7 +131,8 @@ sub link_hash_cert { sub link_hash_crl { my $fname = $_[0]; - my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in $fname`; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; diff --git a/crypto/openssl/tools/c_rehash.in b/crypto/openssl/tools/c_rehash.in index 26db8999d8c8..132c0e4cebb5 100644 --- a/crypto/openssl/tools/c_rehash.in +++ b/crypto/openssl/tools/c_rehash.in @@ -100,7 +100,8 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; - my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in $fname`; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; @@ -130,7 +131,8 @@ sub link_hash_cert { sub link_hash_crl { my $fname = $_[0]; - my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in $fname`; + $fname =~ s/'/'\\''/g; + my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index ef6573cc7d3d..cfae8e59ddb8 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES -EVP_dss 312 EXIST::FUNCTION:SHA,DSA -EVP_dss1 313 EXIST::FUNCTION:SHA,DSA +EVP_dss 312 EXIST::FUNCTION:DSA,SHA +EVP_dss1 313 EXIST::FUNCTION:DSA,SHA EVP_enc_null 314 EXIST::FUNCTION: EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: @@ -1212,7 +1212,7 @@ name_cmp 1239 EXIST::FUNCTION: str_dup 1240 NOEXIST::FUNCTION: i2s_ASN1_ENUMERATED 1241 EXIST::FUNCTION: i2s_ASN1_ENUMERATED_TABLE 1242 EXIST::FUNCTION: -BIO_s_log 1243 EXIST:!WIN16,!WIN32,!macintosh:FUNCTION: +BIO_s_log 1243 EXIST:!WIN32,!macintosh,!WIN16:FUNCTION: BIO_f_reliable 1244 EXIST::FUNCTION: PKCS7_dataFinal 1245 EXIST::FUNCTION: PKCS7_dataDecode 1246 EXIST::FUNCTION: @@ -1934,3 +1934,4 @@ ENGINE_set_ctrl_function 2522 NOEXIST::FUNCTION: BN_pseudo_rand_range 2523 EXIST::FUNCTION: X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION: ERR_load_COMP_strings 2525 EXIST::FUNCTION: +OPENSSL_cleanse 3245 EXIST::FUNCTION: diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index 4cc7881d8d73..efdf77e74fb3 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -206,7 +206,7 @@ $cflags.=" -DNO_MD4" if $no_md4; $cflags.=" -DNO_MD5" if $no_md5; $cflags.=" -DNO_SHA" if $no_sha; $cflags.=" -DNO_SHA1" if $no_sha1; -$cflags.=" -DNO_RIPEMD" if $no_rmd160; +$cflags.=" -DNO_RIPEMD" if $no_ripemd; $cflags.=" -DNO_MDC2" if $no_mdc2; $cflags.=" -DNO_BF" if $no_bf; $cflags.=" -DNO_CAST" if $no_cast; @@ -674,7 +674,7 @@ sub var_add @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2; @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4; @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5; - @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160; + @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd; @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa; @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa; @@ -883,7 +883,7 @@ sub read_options elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1; $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1; - $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; } + $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; } elsif (/^rsaref$/) { $rsaref=1; } elsif (/^gcc$/) { $gcc=1; } diff --git a/crypto/openssl/util/mkcerts.sh b/crypto/openssl/util/mkcerts.sh index 5f8a1dae7395..0184fcb70ece 100755 --- a/crypto/openssl/util/mkcerts.sh +++ b/crypto/openssl/util/mkcerts.sh @@ -1,4 +1,4 @@ -#!bin/sh +#!/bin/sh # This script will re-make all the required certs. # cd apps @@ -12,8 +12,8 @@ # CAbits=1024 -SSLEAY="../apps/ssleay" -CONF="-config ../apps/ssleay.cnf" +SSLEAY="../apps/openssl" +CONF="-config ../apps/openssl.cnf" # create pca request. echo creating $CAbits bit PCA cert request diff --git a/crypto/openssl/util/pl/BC-32.pl b/crypto/openssl/util/pl/BC-32.pl index c268c495507c..655606cc1666 100644 --- a/crypto/openssl/util/pl/BC-32.pl +++ b/crypto/openssl/util/pl/BC-32.pl @@ -52,9 +52,9 @@ $lfile=''; $shlib_ex_obj=""; $app_ex_obj="c0x32.obj"; -$asm='n_o_T_a_s_m'; +$asm='nasmw -f obj'; $asm.=" /Zi" if $debug; -$afile='/Fo'; +$afile='-o'; $bn_mulw_obj=''; $bn_mulw_src=''; diff --git a/crypto/openssl/util/pl/Mingw32.pl b/crypto/openssl/util/pl/Mingw32.pl index 02a5086f8236..37f36126f371 100644 --- a/crypto/openssl/util/pl/Mingw32.pl +++ b/crypto/openssl/util/pl/Mingw32.pl @@ -1,7 +1,6 @@ #!/usr/local/bin/perl # # Mingw32.pl -- Mingw32 with GNU cp (Mingw32f.pl uses DOS tools) -# $FreeBSD$ # $o='/'; diff --git a/crypto/openssl/util/pod2mantest b/crypto/openssl/util/pod2mantest index 449ef14f1b43..026a6a1789d2 100755 --- a/crypto/openssl/util/pod2mantest +++ b/crypto/openssl/util/pod2mantest @@ -11,7 +11,8 @@ IFS=: -try_without_dir=false + +try_without_dir=true # First we try "pod2man", then "$dir/pod2man" for each item in $PATH. for dir in dummy:$PATH; do if [ "$try_without_dir" = true ]; then @@ -29,9 +30,16 @@ for dir in dummy:$PATH; do if [ ! "$pod2man" = '' ]; then failure=none + if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | fgrep OpenSSL >/dev/null; then + : + else + failure=BasicTest + fi - if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null 2>&1; then - failure=MultilineTest + if [ "$failure" = none ]; then + if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null; then + failure=MultilineTest + fi fi @@ -45,9 +53,5 @@ for dir in dummy:$PATH; do done echo "No working pod2man found. Consider installing a new version." >&2 -if [ "$1" = ignore ]; then - echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2 - echo "../../util/pod2man.pl" - exit 0 -fi -exit 1 +echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2 +echo "$1 ../../util/pod2man.pl" |