From 5740a5e34c49bfc6885d8602958155fc91b62765 Mon Sep 17 00:00:00 2001 From: Kris Kennaway Date: Sun, 20 May 2001 03:07:21 +0000 Subject: [PATCH] Initial import of OpenSSL 0.9.6a --- crypto/openssl/CHANGES | 153 ++++++- crypto/openssl/Configure | 147 +++--- crypto/openssl/FAQ | 423 +++++++++++------- crypto/openssl/Makefile.org | 183 ++++---- crypto/openssl/Makefile.ssl | 182 ++++---- crypto/openssl/NEWS | 25 ++ crypto/openssl/README | 2 +- crypto/openssl/apps/Makefile.ssl | 41 +- crypto/openssl/apps/passwd.c | 1 + crypto/openssl/apps/s_client.c | 17 +- crypto/openssl/apps/s_server.c | 54 ++- crypto/openssl/apps/speed.c | 4 +- crypto/openssl/apps/x509.c | 2 + crypto/openssl/config | 37 +- crypto/openssl/crypto/Makefile.ssl | 7 +- crypto/openssl/crypto/asn1/asn1_lib.c | 2 +- crypto/openssl/crypto/asn1/p7_lib.c | 2 + crypto/openssl/crypto/asn1/x_name.c | 6 +- crypto/openssl/crypto/bn/asm/mips3.s | 8 +- crypto/openssl/crypto/bn/bn.h | 2 + crypto/openssl/crypto/bn/bn_div.c | 1 + crypto/openssl/crypto/bn/bn_rand.c | 63 ++- crypto/openssl/crypto/bn/bntest.c | 62 ++- crypto/openssl/crypto/crypto.h | 2 + crypto/openssl/crypto/des/asm/des-586.pl | 4 +- crypto/openssl/crypto/des/asm/des686.pl | 2 +- crypto/openssl/crypto/des/asm/readme | 2 +- crypto/openssl/crypto/des/cbc_cksm.c | 2 +- crypto/openssl/crypto/des/cfb64enc.c | 4 +- crypto/openssl/crypto/des/cfb_enc.c | 4 +- crypto/openssl/crypto/des/des.h | 8 +- crypto/openssl/crypto/des/des_enc.c | 2 +- crypto/openssl/crypto/des/des_opts.c | 48 +- crypto/openssl/crypto/des/dess.cpp | 18 +- crypto/openssl/crypto/des/ecb_enc.c | 2 +- crypto/openssl/crypto/des/ede_cbcm_enc.c | 16 +- crypto/openssl/crypto/des/ncbc_enc.c | 8 +- crypto/openssl/crypto/des/ofb64enc.c | 2 +- crypto/openssl/crypto/des/ofb_enc.c | 2 +- crypto/openssl/crypto/des/pcbc_enc.c | 4 +- crypto/openssl/crypto/des/speed.c | 4 +- crypto/openssl/crypto/des/xcbc_enc.c | 8 +- crypto/openssl/crypto/dh/dh_key.c | 11 +- crypto/openssl/crypto/dh/dh_lib.c | 8 +- crypto/openssl/crypto/dsa/dsa_key.c | 13 +- crypto/openssl/crypto/dsa/dsa_lib.c | 8 +- crypto/openssl/crypto/dso/dso_dl.c | 19 +- crypto/openssl/crypto/ebcdic.c | 2 +- crypto/openssl/crypto/err/err.c | 20 +- crypto/openssl/crypto/mdc2/mdc2dgst.c | 4 +- crypto/openssl/crypto/mem_dbg.c | 88 ++-- crypto/openssl/crypto/opensslv.h | 4 +- crypto/openssl/crypto/pkcs12/p12_key.c | 11 +- crypto/openssl/crypto/pkcs12/p12_kiss.c | 1 + crypto/openssl/crypto/pkcs7/pk7_doit.c | 13 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 13 +- crypto/openssl/crypto/rand/md_rand.c | 4 +- crypto/openssl/crypto/rand/rand.h | 4 +- crypto/openssl/crypto/rand/rand_egd.c | 7 + crypto/openssl/crypto/rand/rand_win.c | 6 +- crypto/openssl/crypto/rand/randfile.c | 28 +- crypto/openssl/crypto/rsa/rsa_eay.c | 12 +- crypto/openssl/crypto/rsa/rsa_lib.c | 10 +- crypto/openssl/crypto/uid.c | 88 ++++ crypto/openssl/crypto/x509/x509_cmp.c | 18 +- crypto/openssl/crypto/x509v3/v3_alt.c | 2 +- crypto/openssl/doc/apps/pkcs12.pod | 20 + crypto/openssl/doc/apps/s_client.pod | 9 + crypto/openssl/doc/apps/s_server.pod | 11 +- crypto/openssl/doc/crypto/BN_rand.pod | 14 +- crypto/openssl/doc/crypto/RAND_load_file.pod | 2 +- crypto/openssl/doc/crypto/rand.pod | 12 +- .../openssl/doc/ssl/SSL_CIPHER_get_name.pod | 4 +- crypto/openssl/doc/ssl/SSL_CTX_free.pod | 2 +- .../doc/ssl/SSL_CTX_load_verify_locations.pod | 4 +- crypto/openssl/doc/ssl/SSL_CTX_new.pod | 6 +- .../openssl/doc/ssl/SSL_CTX_sess_number.pod | 76 ++++ .../doc/ssl/SSL_CTX_sess_set_cache_size.pod | 1 + crypto/openssl/doc/ssl/SSL_CTX_sessions.pod | 2 +- .../doc/ssl/SSL_CTX_set_client_CA_list.pod | 4 +- crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod | 78 ++++ .../openssl/doc/ssl/SSL_CTX_set_options.pod | 2 +- .../ssl/SSL_CTX_set_session_cache_mode.pod | 1 + .../doc/ssl/SSL_CTX_set_ssl_version.pod | 13 +- .../doc/ssl/SSL_CTX_use_certificate.pod | 2 +- crypto/openssl/doc/ssl/SSL_accept.pod | 9 +- crypto/openssl/doc/ssl/SSL_clear.pod | 14 +- crypto/openssl/doc/ssl/SSL_connect.pod | 9 +- crypto/openssl/doc/ssl/SSL_free.pod | 13 +- .../doc/ssl/SSL_get_client_CA_list.pod | 8 +- .../doc/ssl/SSL_get_peer_cert_chain.pod | 2 +- .../doc/ssl/SSL_get_peer_certificate.pod | 2 +- crypto/openssl/doc/ssl/SSL_get_session.pod | 21 +- .../openssl/doc/ssl/SSL_get_verify_result.pod | 4 +- crypto/openssl/doc/ssl/SSL_get_version.pod | 46 ++ crypto/openssl/doc/ssl/SSL_read.pod | 23 +- .../openssl/doc/ssl/SSL_set_connect_state.pod | 47 ++ crypto/openssl/doc/ssl/SSL_set_shutdown.pod | 68 +++ crypto/openssl/doc/ssl/SSL_shutdown.pod | 18 +- crypto/openssl/doc/ssl/SSL_write.pod | 23 +- crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod | 1 + crypto/openssl/doc/ssl/ssl.pod | 11 +- crypto/openssl/openssl.spec | 38 +- crypto/openssl/ssl/s23_lib.c | 40 +- crypto/openssl/ssl/s23_meth.c | 2 +- crypto/openssl/ssl/s2_pkt.c | 2 +- crypto/openssl/ssl/s3_enc.c | 5 +- crypto/openssl/ssl/s3_lib.c | 2 +- crypto/openssl/ssl/ssl.h | 11 +- crypto/openssl/ssl/ssl_cert.c | 2 + crypto/openssl/ssl/ssl_err.c | 1 + crypto/openssl/ssl/ssl_lib.c | 16 +- crypto/openssl/ssl/ssl_locl.h | 4 +- crypto/openssl/ssl/t1_enc.c | 5 +- crypto/openssl/test/Makefile.ssl | 4 +- crypto/openssl/test/bctest | 68 +-- crypto/openssl/tools/c_rehash | 14 +- crypto/openssl/tools/c_rehash.in | 14 +- crypto/openssl/util/clean-depend.pl | 4 +- crypto/openssl/util/libeay.num | 5 +- crypto/openssl/util/mklink.pl | 7 +- crypto/openssl/util/pod2man.pl | 2 + 122 files changed, 1944 insertions(+), 844 deletions(-) create mode 100644 crypto/openssl/crypto/uid.c create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod create mode 100644 crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod create mode 100644 crypto/openssl/doc/ssl/SSL_get_version.pod create mode 100644 crypto/openssl/doc/ssl/SSL_set_connect_state.pod create mode 100644 crypto/openssl/doc/ssl/SSL_set_shutdown.pod diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 5f3556cc7fb7..08ef8508d80e 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,11 +2,125 @@ OpenSSL CHANGES _______________ - Changes between 0.9.6 and 0.9.6a [xx XXX 2001] + Changes between 0.9.6 and 0.9.6a [5 Apr 2001] + + *) Fix a couple of memory leaks in PKCS7_dataDecode() + [Steve Henson, reported by Heyun Zheng ] + + *) Change Configure and Makefiles to provide EXE_EXT, which will contain + the default extension for executables, if any. Also, make the perl + scripts that use symlink() to test if it really exists and use "cp" + if it doesn't. All this made OpenSSL compilable and installable in + CygWin. + [Richard Levitte] + + *) Fix for asn1_GetSequence() for indefinite length constructed data. + If SEQUENCE is length is indefinite just set c->slen to the total + amount of data available. + [Steve Henson, reported by shige@FreeBSD.org] + [This change does not apply to 0.9.7.] + + *) Change bctest to avoid here-documents inside command substitution + (workaround for FreeBSD /bin/sh bug). + For compatibility with Ultrix, avoid shell functions (introduced + in the bctest version that searches along $PATH). + [Bodo Moeller] + + *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes + with des_encrypt() defined on some operating systems, like Solaris + and UnixWare. + [Richard Levitte] + + *) Check the result of RSA-CRT (see D. Boneh, R. DeMillo, R. Lipton: + On the Importance of Eliminating Errors in Cryptographic + Computations, J. Cryptology 14 (2001) 2, 101-119, + http://theory.stanford.edu/~dabo/papers/faults.ps.gz). + [Ulf Moeller] + + *) MIPS assembler BIGNUM division bug fix. + [Andy Polyakov] + + *) Disabled incorrect Alpha assembler code. + [Richard Levitte] + + *) Fix PKCS#7 decode routines so they correctly update the length + after reading an EOC for the EXPLICIT tag. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Fix bug in PKCS#12 key generation routines. This was triggered + if a 3DES key was generated with a 0 initial byte. Include + PKCS12_BROKEN_KEYGEN compilation option to retain the old + (but broken) behaviour. + [Steve Henson] + + *) Enhance bctest to search for a working bc along $PATH and print + it when found. + [Tim Rice via Richard Levitte] + + *) Fix memory leaks in err.c: free err_data string if necessary; + don't write to the wrong index in ERR_set_error_data. + [Bodo Moeller] + + *) Implement ssl23_peek (analogous to ssl23_read), which previously + did not exist. + [Bodo Moeller] + + *) Replace rdtsc with _emit statements for VC++ version 5. + [Jeremy Cooper ] + + *) Make it possible to reuse SSLv2 sessions. + [Richard Levitte] + + *) In copy_email() check for >= 0 as a return value for + X509_NAME_get_index_by_NID() since 0 is a valid index. + [Steve Henson reported by Massimiliano Pala ] + + *) Avoid coredump with unsupported or invalid public keys by checking if + X509_get_pubkey() fails in PKCS7_verify(). Fix memory leak when + PKCS7_verify() fails with non detached data. + [Steve Henson] + + *) Don't use getenv in library functions when run as setuid/setgid. + New function OPENSSL_issetugid(). + [Ulf Moeller] + + *) Avoid false positives in memory leak detection code (crypto/mem_dbg.c) + due to incorrect handling of multi-threading: + + 1. Fix timing glitch in the MemCheck_off() portion of CRYPTO_mem_ctrl(). + + 2. Fix logical glitch in is_MemCheck_on() aka CRYPTO_is_mem_check_on(). + + 3. Count how many times MemCheck_off() has been called so that + nested use can be treated correctly. This also avoids + inband-signalling in the previous code (which relied on the + assumption that thread ID 0 is impossible). + [Bodo Moeller] + + *) Add "-rand" option also to s_client and s_server. + [Lutz Jaenicke] + + *) Fix CPU detection on Irix 6.x. + [Kurt Hockenbury and + "Bruce W. Forsberg" ] + + *) Fix X509_NAME bug which produced incorrect encoding if X509_NAME + was empty. + [Steve Henson] + [This change does not apply to 0.9.7.] + + *) Use the cached encoding of an X509_NAME structure rather than + copying it. This is apparently the reason for the libsafe "errors" + but the code is actually correct. + [Steve Henson] *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent Bleichenbacher's DSA attack. - [Ulf Moeller] + Extend BN_[pseudo_]rand: As before, top=1 forces the highest two bits + to be set and top=0 forces the highest bit to be set; top=-1 is new + and leaves the highest bit random. + [Ulf Moeller, Bodo Moeller] *) In the NCONF_...-based implementations for CONF_... queries (crypto/conf/conf_lib.c), if the input LHASH is NULL, avoid using @@ -35,6 +149,7 @@ macros previously used would not encode an empty SEQUENCE OF and break the signature. [Steve Henson] + [This change does not apply to 0.9.7.] *) Zero the premaster secret after deriving the master secret in DH ciphersuites. @@ -87,12 +202,19 @@ *) Fix a deadlock in CRYPTO_mem_leaks(). [Bodo Moeller] + *) Use better test patterns in bntest. + [Ulf Möller] + *) rand_win.c fix for Borland C. [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] + *) Add a 'bctest' script that checks for some known 'bc' bugs + so that 'make test' does not abort just because 'bc' is broken. + [Bodo Moeller] + *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original @@ -115,13 +237,40 @@ does the actual work for ssl3_read_internal. [Bodo Moeller] + *) Initialise "ex_data" member of RSA/DSA/DH structures prior to calling + the method-specific "init()" handler. Also clean up ex_data after + calling the method-specific "finish()" handler. Previously, this was + happening the other way round. + [Geoff Thorpe] + *) Increase BN_CTX_NUM (the number of BIGNUMs in a BN_CTX) to 16. The previous value, 12, was not always sufficient for BN_mod_exp(). [Bodo Moeller] + *) Make sure that shared libraries get the internal name engine with + the full version number and not just 0. This should mark the + shared libraries as not backward compatible. Of course, this should + be changed again when we can guarantee backward binary compatibility. + [Richard Levitte] + *) Fix typo in get_cert_by_subject() in by_dir.c [Jean-Marc Desperrier ] + *) Rework the system to generate shared libraries: + + - Make note of the expected extension for the shared libraries and + if there is a need for symbolic links from for example libcrypto.so.0 + to libcrypto.so.0.9.7. There is extended info in Configure for + that. + + - Make as few rebuilds of the shared libraries as possible. + + - Still avoid linking the OpenSSL programs with the shared libraries. + + - When installing, install the shared libraries separately from the + static ones. + [Richard Levitte] + *) Fix SSL_CTX_set_read_ahead macro to actually use its argument. Copy SSL_CTX's read_ahead flag to SSL object directly in SSL_new diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index 27981d4494a4..3d454d877dab 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -89,6 +89,11 @@ my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o"; my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o"; +my $mips3_irix_asm="asm/mips3.o::::::::"; +# There seems to be boundary faults in asm/alpha.s. +#my $alpha_asm="asm/alpha.o::::::::"; +my $alpha_asm="::::::::"; + # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined @@ -127,32 +132,32 @@ my %table=( # surrounds it with #APP #NO_APP comment pair which (at least Solaris # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic" # error message. -"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC", +"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8 # but keep the assembler modules. -"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC", +"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC", -"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups # DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests -"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2. # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8 # SC5.0 note: Compiler common patch 107357-01 or later is required! -"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", -"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC", +"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs", #### -"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC", -"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC", +"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Linux setups "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::", @@ -178,11 +183,11 @@ my %table=( # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke # './Configure irix-[g]cc' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", -"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", +"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}", #### Unified HP-UX ANSI C configs. # Special notes: @@ -262,10 +267,10 @@ my %table=( # Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with # the new compiler # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", -"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups # Special notes: @@ -280,17 +285,17 @@ my %table=( # # # -"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", -"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o:::::::::dlfcn:linux-shared:-fPIC", -"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", -"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::", +"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", +"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}", # assembler versions -- currently defunct: -##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::", +##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}", # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", @@ -299,13 +304,13 @@ my %table=( "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:", -"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", -"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", "nextstep3.3", "cc:-O3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # NCR MP-RAS UNIX ver 02.03.01 @@ -315,18 +320,27 @@ my %table=( "qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:", # Linux on ARM -"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC", +"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -# UnixWare 2.0 -"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", -"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +# UnixWare 2.0x fails destest with -O +"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", + +# UnixWare 2.1 +"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::", +"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # UnixWare 7 -"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", # IBM's AIX. "aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", +"aix43-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", +"aix43-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:", # # Cray T90 (SDSC) @@ -353,12 +367,16 @@ my %table=( # DGUX, 88100. "dgux-R3-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::", -"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::", +"dgux-R4-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::", "dgux-R4-x86-gcc", "gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +# SCO 3 - Tim Rice +"sco3-gcc", "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... + # SCO 5 - Ben Laurie says the -O breaks the # SCO cc. "sco5-cc", "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? +"sco5-cc-pentium", "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options? "sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ... # Sinix/ReliantUNIX RM400 @@ -398,10 +416,10 @@ my %table=( ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::", # Some OpenBSD from Bob Beck -"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", -"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn", -"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::", -"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::", +"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", ##### MacOS X (a.k.a. Rhapsody) setup "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::", @@ -416,6 +434,7 @@ my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32 my $prefix=""; my $openssldir=""; +my $exe_ext=""; my $install_prefix=""; my $no_threads=0; my $no_shared=1; @@ -443,10 +462,10 @@ my $md5_obj=""; my $sha1_obj=""; my $rmd160_obj=""; my $processor=""; -my $ranlib; +my $default_ranlib; my $perl; -$ranlib=&which("ranlib") or $ranlib="true"; +$default_ranlib= &which("ranlib") or $default_ranlib="true"; $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl") or $perl="perl"; @@ -620,6 +639,7 @@ print "Configuring for $target\n"; my $IsWindows=scalar grep /^$target$/,@WinTargets; +$exe_ext=".exe" if ($target eq "CygWin32"); $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq ""); $prefix=$openssldir if $prefix eq ""; @@ -633,8 +653,8 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; print "IsWindows=$IsWindows\n"; (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, - $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); $cflags="$flags$cflags" if ($flags ne ""); # The DSO code currently always implements all functions so that no @@ -709,15 +729,16 @@ if ($threads) } # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org -my $shared_mark1 = ""; -my $shared_mark2 = ""; -if ($shared_cflag ne "") +my $shared_mark = ""; +if ($shared_target ne "") { - $cflags = "$shared_cflag $cflags"; + if ($shared_cflag ne "") + { + $cflags = "$shared_cflag $cflags"; + } if (!$no_shared) { - $shared_mark1 = ".shlib-clean."; - $shared_mark2 = ".shlib."; + #$shared_mark = "\$(SHARED_LIBS)"; } } else @@ -725,6 +746,11 @@ else $no_shared = 1; } +if ($ranlib eq "") + { + $ranlib = $default_ranlib; + } + #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; #$bn1=$bn_asm unless ($bn1 =~ /\.o$/); @@ -805,6 +831,7 @@ while () s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/; + s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/; s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; @@ -815,6 +842,7 @@ while () s/^CFLAG=.*$/CFLAG= $cflags/; s/^DEPFLAG=.*$/DEPFLAG= $depflags/; s/^EX_LIBS=.*$/EX_LIBS= $lflags/; + s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/; s/^BN_ASM=.*$/BN_ASM= $bn_obj/; s/^DES_ENC=.*$/DES_ENC= $des_obj/; s/^BF_ENC=.*$/BF_ENC= $bf_obj/; @@ -828,9 +856,9 @@ while () s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; - s/^SHLIB_MARK1=.*/SHLIB_MARK1=$shared_mark1/; - s/^SHLIB_MARK2=.*/SHLIB_MARK2=$shared_mark2/; - s/^LIBS=.*/LIBS=libcrypto\.so\* libssl\.so\*/ if (!$no_shared); + s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/; + s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared); + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/); print OUT $_."\n"; } close(IN); @@ -1117,8 +1145,9 @@ sub print_table_entry (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops, my $bn_obj,my $des_obj,my $bf_obj, my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj, - my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= - split(/\s*:\s*/,$table{$target} . ":" x 22 , -1); + my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag, + my $shared_extension,my $ranlib)= + split(/\s*:\s*/,$table{$target} . ":" x 30 , -1); print < and I get errors why? -* I've called and it fails, why? -* I just get a load of numbers for the error output, what do they mean? -* Why do I get errors about unknown algorithms? +* Why aren't tools like 'autoconf' and 'libtool' used? + +[LEGAL] Legal questions + +* Do I need patent licenses to use OpenSSL? +* Can I use OpenSSL with GPL software? + +[USER] Questions on using the OpenSSL applications + +* Why do I get a "PRNG not seeded" error message? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does fail with a certificate verify error? @@ -22,17 +24,38 @@ OpenSSL - Frequently Asked Questions * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * How can I remove the passphrase on a private key? -* Why can't the OpenSSH configure script detect OpenSSL? +* Why can't I use OpenSSL certificates with SSL client authentication? +* Why does my browser give a warning about a mismatched hostname? + +[BUILD] Questions about building and testing OpenSSL + +* Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? * Why does the OpenSSL compilation fail on Alpha True64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? +* Why does the OpenSSL compilation fail on Win32 with VC++? +[PROG] Questions about programming with OpenSSL + +* Is OpenSSL thread-safe? +* I've compiled a program under Windows and it crashes: why? +* How do I read or write a DER encoded buffer using the ASN1 functions? +* I've tried using and I get errors why? +* I've called and it fails, why? +* I just get a load of numbers for the error output, what do they mean? +* Why do I get errors about unknown algorithms? +* Why can't the OpenSSH configure script detect OpenSSL? +* Can I use OpenSSL's SSL library with non-blocking I/O? + +=============================================================================== + +[MISC] ======================================================================== * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.6 was released on September 24th, 2000. +OpenSSL 0.9.6a was released on April 5th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . +* Where can I get a compiled version of OpenSSL? + +Some applications that use OpenSSL are distributed in binary form. +When using such an application, you don't need to install OpenSSL +yourself; the application will include the required parts (e.g. DLLs). + +If you want to install OpenSSL on a Windows system and you don't have +a C compiler, read the "Mingw32" section of INSTALL.W32 for information +on how to obtain and install the free GNU C compiler. + +A number of Linux and *BSD distributions include OpenSSL. + + +* Why aren't tools like 'autoconf' and 'libtool' used? + +autoconf will probably be used in future OpenSSL versions. If it was +less Unix-centric, it might have been used much earlier. + + +[LEGAL] ======================================================================= + * Do I need patent licenses to use OpenSSL? The patents section of the README file lists patents that may apply to @@ -89,17 +133,25 @@ You can configure OpenSSL so as not to use RC5 and IDEA by using ./config no-rc5 no-idea -* Is OpenSSL thread-safe? +* Can I use OpenSSL with GPL software? -Yes (with limitations: an SSL connection may not concurrently be used -by multiple threads). On Windows and many Unix systems, OpenSSL -automatically uses the multi-threaded versions of the standard -libraries. If your platform is not one of these, consult the INSTALL -file. +On many systems including the major Linux and BSD distributions, yes (the +GPL does not place restrictions on using libraries that are part of the +normal operating system distribution). -Multi-threaded applications must provide two callback functions to -OpenSSL. This is described in the threads(3) manpage. +On other systems, the situation is less clear. Some GPL software copyright +holders claim that you infringe on their rights if you use OpenSSL with +their software on operating systems that don't normally include OpenSSL. +If you develop open source software that uses OpenSSL, you may find it +useful to choose an other license than the GPL, or state explicitely that +"This program is released under the GPL with the additional exemption that +compiling, linking, and/or using OpenSSL is allowed." If you are using +GPL software developed by others, you may want to ask the copyright holder +for permission to use their software with OpenSSL. + + +[USER] ======================================================================== * Why do I get a "PRNG not seeded" error message? @@ -138,6 +190,101 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* How do I create certificates or certificate requests? + +Check out the CA.pl(1) manual page. This provides a simple wrapper round +the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check +out the manual pages for the individual utilities and the certificate +extensions documentation (currently in doc/openssl.txt). + + +* Why can't I create certificate requests? + +You typically get the error: + + unable to find 'distinguished_name' in config + problems making Certificate Request + +This is because it can't find the configuration file. Check out the +DIAGNOSTICS section of req(1) for more information. + + +* Why does fail with a certificate verify error? + +This problem is usually indicated by log messages saying something like +"unable to get local issuer certificate" or "self signed certificate". +When a certificate is verified its root CA must be "trusted" by OpenSSL +this typically means that the CA certificate must be placed in a directory +or file and the relevant program configured to read it. The OpenSSL program +'verify' behaves in a similar way and issues similar error messages: check +the verify(1) program manual page for more information. + + +* Why can I only use weak ciphers when I connect to a server using OpenSSL? + +This is almost certainly because you are using an old "export grade" browser +which only supports weak encryption. Upgrade your browser to support 128 bit +ciphers. + + +* How can I create DSA certificates? + +Check the CA.pl(1) manual page for a DSA certificate example. + + +* Why can't I make an SSL connection to a server using a DSA certificate? + +Typically you'll see a message saying there are no shared ciphers when +the same setup works fine with an RSA certificate. There are two possible +causes. The client may not support connections to DSA servers most web +browsers (including Netscape and MSIE) only support connections to servers +supporting RSA cipher suites. The other cause is that a set of DH parameters +has not been supplied to the server. DH parameters can be created with the +dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: +check the source to s_server in apps/s_server.c for an example. + + +* How can I remove the passphrase on a private key? + +Firstly you should be really *really* sure you want to do this. Leaving +a private key unencrypted is a major security risk. If you decide that +you do have to do this check the EXAMPLES sections of the rsa(1) and +dsa(1) manual pages. + + +* Why can't I use OpenSSL certificates with SSL client authentication? + +What will typically happen is that when a server requests authentication +it will either not include your certificate or tell you that you have +no client certificates (Netscape) or present you with an empty list box +(MSIE). The reason for this is that when a server requests a client +certificate it includes a list of CAs names which it will accept. Browsers +will only let you select certificates from the list on the grounds that +there is little point presenting a certificate which the server will +reject. + +The solution is to add the relevant CA certificate to your servers "trusted +CA list". How you do this depends on the server sofware in uses. You can +print out the servers list of acceptable CAs using the OpenSSL s_client tool: + +openssl s_client -connect www.some.host:443 -prexit + +If your server only requests certificates on certain URLs then you may need +to manually issue an HTTP GET command to get the list when s_client connects: + +GET /some/page/needing/a/certificate.html + +If your CA does not appear in the list then this confirms the problem. + + +* Why does my browser give a warning about a mismatched hostname? + +Browsers expect the server's hostname to match the value in the commonName +(CN) field of the certificate. If it does not then you get a warning. + + +[BUILD] ======================================================================= + * Why does the linker complain about undefined symbols? Maybe the compilation was interrupted, and make doesn't notice that @@ -162,17 +309,99 @@ If none of these helps, you may want to try using the current snapshot. If the problem persists, please submit a bug report. -* Where can I get a compiled version of OpenSSL? +* Why does the OpenSSL test fail with "bc: command not found"? -Some applications that use OpenSSL are distributed in binary form. -When using such an application, you don't need to install OpenSSL -yourself; the application will include the required parts (e.g. DLLs). +You didn't install "bc", the Unix calculator. If you want to run the +tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. -If you want to install OpenSSL on a Windows system and you don't have -a C compiler, read the "Mingw32" section of INSTALL.W32 for information -on how to obtain and install the free GNU C compiler. -A number of Linux and *BSD distributions include OpenSSL. +* Why does the OpenSSL test fail with "bc: 1 no implemented"? + +On some SCO installations or versions, bc has a bug that gets triggered +when you run the test suite (using "make test"). The message returned is +"bc: 1 not implemented". + +The best way to deal with this is to find another implementation of bc +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +for download instructions) can be safely used, for example. + + +* Why does the OpenSSL compilation fail on Alpha True64 Unix? + +On some Alpha installations running True64 Unix and Compaq C, the compilation +of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual +memory to continue compilation.' As far as the tests have shown, this may be +a compiler bug. What happens is that it eats up a lot of resident memory +to build something, probably a table. The problem is clearly in the +optimization code, because if one eliminates optimization completely (-O0), +the compilation goes through (and the compiler consumes about 2MB of resident +memory instead of 240MB or whatever one's limit is currently). + +There are three options to solve this problem: + +1. set your current data segment size soft limit higher. Experience shows +that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do +this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of +kbytes to set the limit to. + +2. If you have a hard limit that is lower than what you need and you can't +get it changed, you can compile all of OpenSSL with -O0 as optimization +level. This is however not a very nice thing to do for those who expect to +get the best result from OpenSSL. A bit more complicated solution is the +following: + +----- snip:start ----- + make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ + sed -e 's/ -O[0-9] / -O0 /'`" + rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` + make +----- snip:end ----- + +This will only compile sha_dgst.c with -O0, the rest with the optimization +level chosen by the configuration process. When the above is done, do the +test and installation and you're set. + + +* Why does the OpenSSL compilation fail with "ar: command not found"? + +Getting this message is quite usual on Solaris 2, because Sun has hidden +away 'ar' and other development commands in directories that aren't in +$PATH by default. One of those directories is '/usr/ccs/bin'. The +quickest way to fix this is to do the following (it assumes you use sh +or any sh-compatible shell): + +----- snip:start ----- + PATH=${PATH}:/usr/ccs/bin; export PATH +----- snip:end ----- + +and then redo the compilation. What you should really do is make sure +'/usr/ccs/bin' is permanently in your $PATH, for example through your +'.profile' (again, assuming you use a sh-compatible shell). + + +* Why does the OpenSSL compilation fail on Win32 with VC++? + +Sometimes, you may get reports from VC++ command line (cl) that it +can't find standard include files like stdio.h and other weirdnesses. +One possible cause is that the environment isn't correctly set up. +To solve that problem, one should run VCVARS32.BAT which is found in +the 'bin' subdirectory of the VC++ installation directory (somewhere +under 'Program Files'). This needs to be done prior to running NMAKE, +and the changes are only valid for the current DOS session. + + +[PROG] ======================================================================== + +* Is OpenSSL thread-safe? + +Yes (with limitations: an SSL connection may not concurrently be used +by multiple threads). On Windows and many Unix systems, OpenSSL +automatically uses the multi-threaded versions of the standard +libraries. If your platform is not one of these, consult the INSTALL +file. + +Multi-threaded applications must provide two callback functions to +OpenSSL. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? @@ -259,68 +488,6 @@ is forgetting to load OpenSSL's table of algorithms with OpenSSL_add_all_algorithms(). See the manual page for more information. -* How do I create certificates or certificate requests? - -Check out the CA.pl(1) manual page. This provides a simple wrapper round -the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check -out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). - - -* Why can't I create certificate requests? - -You typically get the error: - - unable to find 'distinguished_name' in config - problems making Certificate Request - -This is because it can't find the configuration file. Check out the -DIAGNOSTICS section of req(1) for more information. - - -* Why does fail with a certificate verify error? - -This problem is usually indicated by log messages saying something like -"unable to get local issuer certificate" or "self signed certificate". -When a certificate is verified its root CA must be "trusted" by OpenSSL -this typically means that the CA certificate must be placed in a directory -or file and the relevant program configured to read it. The OpenSSL program -'verify' behaves in a similar way and issues similar error messages: check -the verify(1) program manual page for more information. - - -* Why can I only use weak ciphers when I connect to a server using OpenSSL? - -This is almost certainly because you are using an old "export grade" browser -which only supports weak encryption. Upgrade your browser to support 128 bit -ciphers. - - -* How can I create DSA certificates? - -Check the CA.pl(1) manual page for a DSA certificate example. - - -* Why can't I make an SSL connection to a server using a DSA certificate? - -Typically you'll see a message saying there are no shared ciphers when -the same setup works fine with an RSA certificate. There are two possible -causes. The client may not support connections to DSA servers most web -browsers (including Netscape and MSIE) only support connections to servers -supporting RSA cipher suites. The other cause is that a set of DH parameters -has not been supplied to the server. DH parameters can be created with the -dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: -check the source to s_server in apps/s_server.c for an example. - - -* How can I remove the passphrase on a private key? - -Firstly you should be really *really* sure you want to do this. Leaving -a private key unencrypted is a major security risk. If you decide that -you do have to do this check the EXAMPLES sections of the rsa(1) and -dsa(1) manual pages. - - * Why can't the OpenSSH configure script detect OpenSSL? There is a problem with OpenSSH 1.2.2p1, in that the configure script @@ -362,71 +529,19 @@ applied to the OpenSSH distribution: ----- snip:end ----- -* Why does the OpenSSL test fail with "bc: command not found"? +* Can I use OpenSSL's SSL library with non-blocking I/O? -You didn't install "bc", the Unix calculator. If you want to run the -tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. +Yes; make sure to read the SSL_get_error(3) manual page! + +A pitfall to avoid: Don't assume that SSL_read() will just read from +the underlying transport or that SSL_write() will just write to it -- +it is also possible that SSL_write() cannot do any useful work until +there is data to read, or that SSL_read() cannot do anything until it +is possible to send data. One reason for this is that the peer may +request a new TLS/SSL handshake at any time during the protocol, +requiring a bi-directional message exchange; both SSL_read() and +SSL_write() will try to continue any pending handshake. -* Why does the OpenSSL test fail with "bc: 1 no implemented"? - -On some SCO installations or versions, bc has a bug that gets triggered when -you run the test suite (using "make test"). The message returned is "bc: -1 not implemented". The best way to deal with this is to find another -implementation of bc and compile/install it. For example, GNU bc (see -http://www.gnu.org/software/software.html for download instructions) can -be safely used. - - -* Why does the OpenSSL compilation fail on Alpha True64 Unix? - -On some Alpha installations running True64 Unix and Compaq C, the compilation -of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual -memory to continue compilation.' As far as the tests have shown, this may be -a compiler bug. What happens is that it eats up a lot of resident memory -to build something, probably a table. The problem is clearly in the -optimization code, because if one eliminates optimization completely (-O0), -the compilation goes through (and the compiler consumes about 2MB of resident -memory instead of 240MB or whatever one's limit is currently). - -There are three options to solve this problem: - -1. set your current data segment size soft limit higher. Experience shows -that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do -this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of -kbytes to set the limit to. - -2. If you have a hard limit that is lower than what you need and you can't -get it changed, you can compile all of OpenSSL with -O0 as optimization -level. This is however not a very nice thing to do for those who expect to -get the best result from OpenSSL. A bit more complicated solution is the -following: - ------ snip:start ----- - make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ - sed -e 's/ -O[0-9] / -O0 /'`" - rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` - make ------ snip:end ----- - -This will only compile sha_dgst.c with -O0, the rest with the optimization -level chosen by the configuration process. When the above is done, do the -test and installation and you're set. - - -* Why does the OpenSSL compilation fail with "ar: command not found"? - -Getting this message is quite usual on Solaris 2, because Sun has hidden -away 'ar' and other development commands in directories that aren't in -$PATH by default. One of those directories is '/usr/ccs/bin'. The -quickest way to fix this is to do the following (it assumes you use sh -or any sh-compatible shell): - ------ snip:start ----- - PATH=${PATH}:/usr/ccs/bin; export PATH ------ snip:end ----- - -and then redo the compilation. What you should really do is make sure -'/usr/ccs/bin' is permanently in your $PATH, for example through your -'.profile' (again, assuming you use a sh-compatible shell). +=============================================================================== diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org index 7c68e29086f4..0d685c190643 100644 --- a/crypto/openssl/Makefile.org +++ b/crypto/openssl/Makefile.org @@ -9,6 +9,7 @@ SHLIB_VERSION_NUMBER= SHLIB_VERSION_HISTORY= SHLIB_MAJOR= SHLIB_MINOR= +SHLIB_EXT= PLATFORM=dist OPTIONS= CONFIGURE_ARGS= @@ -56,8 +57,9 @@ CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM DEPFLAG= -PEX_LIBS= -L. -L.. -L../.. -L../../.. +PEX_LIBS= EX_LIBS= +EXE_EXT= AR=ar r RANLIB= ranlib PERL= perl @@ -149,14 +151,11 @@ RMD160_ASM_OBJ= asm/rm86-out.o #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi -# To do special treatment, use "directory names" starting with a period. # When we're prepared to use shared libraries in the programs we link here -# we might have SHLIB_MARK1 get the value ".shlib." and SHLIB_MARK2 be empty, -# or have that configurable. -SHLIB_MARK1=.shlib-clean. -SHLIB_MARK2=.shlib. +# we might set SHLIB_MARK to '$(SHARED_LIBS)'. +SHLIB_MARK= -DIRS= crypto ssl rsaref $(SHLIB_MARK1) apps test tools $(SHLIB_MARK2) +DIRS= crypto ssl rsaref $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -180,7 +179,10 @@ ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a -SHARED_LIBS=libcrypto.so libssl.so +SHARED_CRYPTO=libcrypto$(SHLIB_EXT) +SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_LIBS= +SHARED_LIBS_LINK_EXTS= GENERAL= Makefile BASENAME= openssl @@ -190,108 +192,93 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os.h e_os2.h HEADER= e_os.h -all: Makefile.ssl - @need_shlib=true; \ - for i in $(DIRS) ;\ - do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - fi; \ - done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi +# When we're prepared to use shared libraries in the programs we link here +# we might remove 'clean-shared' from the targets to perform at this stage + +all: clean-shared Makefile.ssl sub_all sub_all: - @need_shlib=true; \ - for i in $(DIRS) ;\ + @for i in $(DIRS); \ do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \ + else \ + $(MAKE) $$i; \ fi; \ done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + if echo "$(DIRS)" | \ + egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \ + [ -n "$(SHARED_LIBS)" ]; then \ $(MAKE) $(SHARED_LIBS); \ fi -libcrypto.so: libcrypto.a +libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=crypto $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi -libssl.so: libcrypto.so libssl.a +libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-L. -lcrypto' $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: - for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + @for i in $(SHLIBDIRS); do \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; rm -f lib$$i$$j ); \ + done; \ + fi; \ + ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ done -linux-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ +link-shared: + @for i in $(SHLIBDIRS); do \ + prev=lib$$i$(SHLIB_EXT); \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; ln -f -s $$prev lib$$i$$j ); \ + prev=lib$$i$$j; \ + done; \ + fi; \ + done + +build-shared: clean-shared do_$(SHLIB_TARGET) link-shared + +do_bsd-gcc-shared: do_gnu-shared +do_linux-shared: do_gnu-shared +do_gnu-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \ + -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ( set -x; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so ); \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -true64-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +do_tru64-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -solaris-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ - ( set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -h lib$$i.so.${SHLIB_MAJOR} \ +do_solaris-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so; \ + libs="$$libs -l$$i"; \ done Makefile.ssl: Makefile.org @@ -306,7 +293,7 @@ clean: rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ @@ -327,7 +314,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ @@ -338,7 +325,7 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ fi; \ @@ -348,7 +335,7 @@ dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ @@ -363,7 +350,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests ); + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests ); @apps/openssl version -a report: @@ -372,7 +359,7 @@ report: depend: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ fi; \ @@ -381,7 +368,7 @@ depend: lint: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ @@ -390,7 +377,7 @@ lint: tags: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ @@ -452,9 +439,9 @@ install: all install_docs done; @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ @@ -462,11 +449,24 @@ install: all install_docs if [ -f "$$i" ]; then \ ( echo installing $$i; \ cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - (echo $$i | grep '\\.a$$' > /dev/null 2>&1) \ - && $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done + @if [ -n "$(SHARED_LIBS)" ]; then \ + tmp="$(SHARED_LIBS)"; \ + for i in $${tmp:-x}; \ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi \ + done; \ + ( here="`pwd`"; \ + cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + make -f $$here/Makefile link-shared ); \ + fi install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ @@ -493,11 +493,4 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done -shlib: all - if [ ! -d shlib_dir ] ; then mkdir shlib_dir ; else rm -f shlib_dir/* ; fi - cd shlib_dir ; ar -x ../libcrypto.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libcrypto.so.0.9 \ - -o ./libcrypto.so.0.9.4 && rm *.o - cd shlib_dir ; ar -x ../libssl.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libssl.so.0.9 \ - -o ./libssl.so.0.9.4 && rm *.o - # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl index 80876a1970b5..acba9557bb76 100644 --- a/crypto/openssl/Makefile.ssl +++ b/crypto/openssl/Makefile.ssl @@ -4,13 +4,14 @@ ## Makefile for OpenSSL ## -VERSION=0.9.6 +VERSION=0.9.6a MAJOR=0 MINOR=9.6 SHLIB_VERSION_NUMBER=0.9.6 SHLIB_VERSION_HISTORY= SHLIB_MAJOR=0 SHLIB_MINOR=9.6 +SHLIB_EXT= PLATFORM=dist OPTIONS= CONFIGURE_ARGS=dist @@ -58,8 +59,9 @@ CC= cc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -O DEPFLAG= -PEX_LIBS= -L. -L.. -L../.. -L../../.. +PEX_LIBS= EX_LIBS= +EXE_EXT= AR=ar r RANLIB= /usr/bin/ranlib PERL= /usr/local/bin/perl @@ -151,14 +153,11 @@ RMD160_ASM_OBJ= #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi -# To do special treatment, use "directory names" starting with a period. # When we're prepared to use shared libraries in the programs we link here -# we might have SHLIB_MARK1 get the value ".shlib." and SHLIB_MARK2 be empty, -# or have that configurable. -SHLIB_MARK1= -SHLIB_MARK2= +# we might set SHLIB_MARK to '$(SHARED_LIBS)'. +SHLIB_MARK= -DIRS= crypto ssl rsaref $(SHLIB_MARK1) apps test tools $(SHLIB_MARK2) +DIRS= crypto ssl rsaref $(SHLIB_MARK) apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -182,7 +181,10 @@ ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows LIBS= libcrypto.a libssl.a -SHARED_LIBS=libcrypto.so libssl.so +SHARED_CRYPTO=libcrypto$(SHLIB_EXT) +SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_LIBS= +SHARED_LIBS_LINK_EXTS= GENERAL= Makefile BASENAME= openssl @@ -192,108 +194,93 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os.h e_os2.h HEADER= e_os.h -all: Makefile.ssl - @need_shlib=true; \ - for i in $(DIRS) ;\ - do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - fi; \ - done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi +# When we're prepared to use shared libraries in the programs we link here +# we might remove 'clean-shared' from the targets to perform at this stage + +all: clean-shared Makefile.ssl sub_all sub_all: - @need_shlib=true; \ - for i in $(DIRS) ;\ + @for i in $(DIRS); \ do \ - if [ "$$i" = ".shlib-clean." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) clean-shared; \ - fi; \ - elif [ "$$i" = ".shlib." ]; then \ - if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) $(SHARED_LIBS); \ - fi; \ - need_shlib=false; \ - else \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \ + else \ + $(MAKE) $$i; \ fi; \ done; \ - if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + if echo "$(DIRS)" | \ + egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \ + [ -n "$(SHARED_LIBS)" ]; then \ $(MAKE) $(SHARED_LIBS); \ fi -libcrypto.so: libcrypto.a +libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=crypto $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=crypto build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi -libssl.so: libcrypto.so libssl.a +libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ - $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-L. -lcrypto' $(SHLIB_TARGET); \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ else \ echo "There's no support for shared libraries on this platform" >&2; \ fi clean-shared: - for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + @for i in $(SHLIBDIRS); do \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; rm -f lib$$i$$j ); \ + done; \ + fi; \ + ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ done -linux-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ +link-shared: + @for i in $(SHLIBDIRS); do \ + prev=lib$$i$(SHLIB_EXT); \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; ln -f -s $$prev lib$$i$$j ); \ + prev=lib$$i$$j; \ + done; \ + fi; \ + done + +build-shared: clean-shared do_$(SHLIB_TARGET) link-shared + +do_bsd-gcc-shared: do_gnu-shared +do_linux-shared: do_gnu-shared +do_gnu-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \ + -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ( set -x; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so ); \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -true64-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ +do_tru64-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ + libs="$$libs -l$$i"; \ done # This assumes that GNU utilities are *not* used -solaris-shared: - libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.so \ - lib$$i.so.${SHLIB_MAJOR} \ - lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ - ( set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -h lib$$i.so.${SHLIB_MAJOR} \ +do_solaris-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ - libs="$$libs -L. -l$$i"; \ - ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - lib$$i.so.${SHLIB_MAJOR}; \ - ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so; \ + libs="$$libs -l$$i"; \ done Makefile.ssl: Makefile.org @@ -308,7 +295,7 @@ clean: rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making clean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ rm -f $(LIBS); \ @@ -329,7 +316,7 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making 'files' in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ fi; \ @@ -340,7 +327,7 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making links in $$i..." && \ $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ fi; \ @@ -350,7 +337,7 @@ dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dclean in $$i..." && \ $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ fi; \ @@ -365,7 +352,7 @@ test: tests tests: rehash @(cd test && echo "testing..." && \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests ); + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests ); @apps/openssl version -a report: @@ -374,7 +361,7 @@ report: depend: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making dependencies $$i..." && \ $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ fi; \ @@ -383,7 +370,7 @@ depend: lint: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making lint $$i..." && \ $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ fi; \ @@ -392,7 +379,7 @@ lint: tags: @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i && echo "making tags $$i..." && \ $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ fi; \ @@ -454,9 +441,9 @@ install: all install_docs done; @for i in $(DIRS) ;\ do \ - if echo "$$i" | grep -v '^\.'; then \ + if [ -d "$$i" ]; then \ (cd $$i; echo "installing $$i..."; \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \ fi; \ done @for i in $(LIBS) ;\ @@ -468,6 +455,20 @@ install: all install_docs chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi \ done + @if [ -n "$(SHARED_LIBS)" ]; then \ + tmp="$(SHARED_LIBS)"; \ + for i in $${tmp:-x}; \ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi \ + done; \ + ( here="`pwd`"; \ + cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + make -f $$here/Makefile link-shared ); \ + fi install_docs: @$(PERL) $(TOP)/util/mkdir-p.pl \ @@ -494,11 +495,4 @@ install_docs: > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \ done -shlib: all - if [ ! -d shlib_dir ] ; then mkdir shlib_dir ; else rm -f shlib_dir/* ; fi - cd shlib_dir ; ar -x ../libcrypto.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libcrypto.so.0.9 \ - -o ./libcrypto.so.0.9.4 && rm *.o - cd shlib_dir ; ar -x ../libssl.a && $(CC) -shared ./*.o -Wl,-soname -Wl,libssl.so.0.9 \ - -o ./libssl.so.0.9.4 && rm *.o - # DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index 7cf95cfb0bf9..b9ea61239f09 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,31 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: + + o Security fix: change behavior of OpenSSL to avoid using + environment variables when running as root. + o Security fix: check the result of RSA-CRT to reduce the + possibility of deducing the private key from an incorrectly + calculated signature. + o Security fix: prevent Bleichenbacher's DSA attack. + o Security fix: Zero the premaster secret after deriving the + master secret in DH ciphersuites. + o Reimplement SSL_peek(), which had various problems. + o Compatibility fix: the function des_encrypt() renamed to + des_encrypt1() to avoid clashes with some Unixen libc. + o Bug fixes for Win32, HP/UX and Irix. + o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and + memory checking routines. + o Bug fixes for RSA operations in threaded enviroments. + o Bug fixes in misc. openssl applications. + o Remove a few potential memory leaks. + o Add tighter checks of BIGNUM routines. + o Shared library support has been reworked for generality. + o More documentation. + o New function BN_rand_range(). + o Add "-rand" option to openssl s_client and s_server. + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: o Some documentation for BIO and SSL libraries. diff --git a/crypto/openssl/README b/crypto/openssl/README index d5969e2ad795..41713cfbbc84 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 0.9.6 24 Sep 2000 + OpenSSL 0.9.6a 5 Apr 2001 Copyright (c) 1998-2000 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl index 438c05261066..d3f9ab0f7241 100644 --- a/crypto/openssl/apps/Makefile.ssl +++ b/crypto/openssl/apps/Makefile.ssl @@ -18,6 +18,7 @@ RM= rm -f PEX_LIBS= EX_LIBS= +EXE_EXT= CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) @@ -32,7 +33,7 @@ PROGRAM= openssl SCRIPTS=CA.sh CA.pl der_chop -EXE= $(PROGRAM) +EXE= $(PROGRAM)$(EXE_EXT) E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ ca crl rsa rsautl dsa dsaparam \ @@ -77,7 +78,7 @@ top: all: exe -exe: $(EXE) +exe: $(PROGRAM) req: sreq.o $(A_OBJ) $(DLIBCRYPTO) $(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) @@ -718,15 +719,15 @@ s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_client.o: ../include/openssl/opensslv.h ../include/openssl/pem.h s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s_client.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s_client.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h -s_client.o: s_apps.h +s_client.o: ../include/openssl/rand.h ../include/openssl/rc2.h +s_client.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s_client.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_client.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h @@ -742,15 +743,15 @@ s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s_server.o: ../include/openssl/opensslv.h ../include/openssl/pem.h s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -s_server.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h -s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h -s_server.o: s_apps.h +s_server.o: ../include/openssl/rand.h ../include/openssl/rc2.h +s_server.o: ../include/openssl/rc4.h ../include/openssl/rc5.h +s_server.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h +s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_server.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h diff --git a/crypto/openssl/apps/passwd.c b/crypto/openssl/apps/passwd.c index 533b4692d053..ea2b089e24a7 100644 --- a/crypto/openssl/apps/passwd.c +++ b/crypto/openssl/apps/passwd.c @@ -272,6 +272,7 @@ int MAIN(int argc, char **argv) } while (!done); } + ret = 0; err: ERR_print_errors(bio_err); diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index c93531718a4e..aa19e0a22353 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c @@ -79,6 +79,7 @@ typedef unsigned int u_int; #include #include #include +#include #include "s_apps.h" #ifdef WINDOWS @@ -152,6 +153,7 @@ static void sc_usage(void) BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); BIO_printf(bio_err," command to see what is available\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } @@ -179,6 +181,7 @@ int MAIN(int argc, char **argv) int prexit = 0; SSL_METHOD *meth=NULL; BIO *sbio; + char *inrand=NULL; #ifdef WINDOWS struct timeval tv; #endif @@ -316,6 +319,11 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -332,7 +340,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_c_out == NULL) { diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index b5932832569a..624dfb5e4198 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -83,6 +83,7 @@ typedef unsigned int u_int; #include #include #include +#include #include "s_apps.h" #ifdef WINDOWS @@ -242,6 +243,7 @@ static void sv_usage(void) BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); + BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); } static int local_argc=0; @@ -411,6 +413,7 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; + char *inrand=NULL; #ifndef NO_DH DH *dh=NULL; #endif @@ -565,6 +568,11 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } #endif + else if (strcmp(*argv,"-rand") == 0) + { + if (--argc < 1) goto bad; + inrand= *(++argv); + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -581,7 +589,14 @@ bad: goto end; } - app_RAND_load_file(NULL, bio_err, 0); + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + && !RAND_status()) + { + BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err,"%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); if (bio_s_out == NULL) { @@ -676,7 +691,8 @@ bad: #ifndef NO_RSA #if 1 - SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); + if (!no_tmp_rsa) + SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); #else if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) { @@ -1336,15 +1352,29 @@ static int www_body(char *hostname, int s, unsigned char *context) /* skip the '/' */ p= &(buf[5]); - dot=0; + + dot = 1; for (e=p; *e != '\0'; e++) { - if (e[0] == ' ') break; - if ( (e[0] == '.') && - (strncmp(&(e[-1]),"/../",4) == 0)) - dot=1; + if (e[0] == ' ') + break; + + switch (dot) + { + case 1: + dot = (e[0] == '.') ? 2 : 0; + break; + case 2: + dot = (e[0] == '.') ? 3 : 0; + break; + case 3: + dot = (e[0] == '/') ? -1 : 0; + break; + } + if (dot == 0) + dot = (e[0] == '/') ? 1 : 0; } - + dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ if (*e == '\0') { @@ -1368,9 +1398,11 @@ static int www_body(char *hostname, int s, unsigned char *context) break; } +#if 0 /* append if a directory lookup */ if (e[-1] == '/') strcat(p,"index.html"); +#endif /* if a directory, do the index thang */ if (stat(p,&st_buf) < 0) @@ -1382,7 +1414,13 @@ static int www_body(char *hostname, int s, unsigned char *context) } if (S_ISDIR(st_buf.st_mode)) { +#if 0 /* must check buffer size */ strcat(p,"/index.html"); +#else + BIO_puts(io,text); + BIO_printf(io,"'%s' is a directory\r\n",p); + break; +#endif } if ((file=BIO_new_file(p,"r")) == NULL) diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index 627cab1d3116..067903099d93 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -831,6 +831,7 @@ int MAIN(int argc, char **argv) } #endif +#ifndef NO_DSA dsa_c[R_DSA_512][0]=count/1000; dsa_c[R_DSA_512][1]=count/1000/2; for (i=1; itype == EVP_PKEY_DSA) digest=EVP_dss1(); +#endif rq=X509_to_X509_REQ(x,pk,digest); EVP_PKEY_free(pk); diff --git a/crypto/openssl/config b/crypto/openssl/config index 1f4fef13dbc1..c69ea6dfce08 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -49,10 +49,18 @@ if [ "x$XREL" != "x" ]; then echo "whatever-whatever-sco5"; exit 0 ;; 4.2MP) - if [ "x$VERSION" = "x2.1.1" ]; then + if [ "x$VERSION" = "x2.01" ]; then + echo "${MACHINE}-whatever-unixware201"; exit 0 + elif [ "x$VERSION" = "x2.02" ]; then + echo "${MACHINE}-whatever-unixware202"; exit 0 + elif [ "x$VERSION" = "x2.03" ]; then + echo "${MACHINE}-whatever-unixware203"; exit 0 + elif [ "x$VERSION" = "x2.1.1" ]; then echo "${MACHINE}-whatever-unixware211"; exit 0 elif [ "x$VERSION" = "x2.1.2" ]; then echo "${MACHINE}-whatever-unixware212"; exit 0 + elif [ "x$VERSION" = "x2.1.3" ]; then + echo "${MACHINE}-whatever-unixware213"; exit 0 else echo "${MACHINE}-whatever-unixware2"; exit 0 fi @@ -79,6 +87,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "m68k-apple-aux3"; exit 0 ;; + AIX:[3456789]:4:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + + AIX:*:[56789]:*) + echo "${MACHINE}-ibm-aix43"; exit 0 + ;; + AIX:*) echo "${MACHINE}-ibm-aix"; exit 0 ;; @@ -393,10 +409,16 @@ case "$GUESSOS" in ;; mips4-sgi-irix64) echo "WARNING! If you wish to build 64-bit library, then you have to" - echo " invoke './Configre irix64-mips4-$CC' *manually*." + echo " invoke './Configure irix64-mips4-$CC' *manually*." echo " Type return if you want to continue, Ctrl-C to abort." read waste < /dev/tty - options="$options -mips4" + CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'` + CPU=${CPU:-0} + if [ $CPU -ge 5000 ]; then + options="$options -mips4" + else + options="$options -mips3" + fi OUT="irix-mips3-$CC" ;; alpha-*-linux2) @@ -467,9 +489,12 @@ case "$GUESSOS" in *-*-unixware7) OUT="unixware-7" ;; *-*-UnixWare7) OUT="unixware-7" ;; *-*-Unixware7) OUT="unixware-7" ;; - *-*-unixware[1-2]*) OUT="unixware-2.0" ;; - *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;; - *-*-Unixware[1-2]*) OUT="unixware-2.0" ;; + *-*-unixware20*) OUT="unixware-2.0" ;; + *-*-unixware21*) OUT="unixware-2.1" ;; + *-*-UnixWare20*) OUT="unixware-2.0" ;; + *-*-UnixWare21*) OUT="unixware-2.1" ;; + *-*-Unixware20*) OUT="unixware-2.0" ;; + *-*-Unixware21*) OUT="unixware-2.1" ;; BS2000-siemens-sysv4) OUT="BS2000-OSD" ;; RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; diff --git a/crypto/openssl/crypto/Makefile.ssl b/crypto/openssl/crypto/Makefile.ssl index ae761da79f84..97984f8e8355 100644 --- a/crypto/openssl/crypto/Makefile.ssl +++ b/crypto/openssl/crypto/Makefile.ssl @@ -34,8 +34,8 @@ SDIRS= md2 md5 sha mdc2 hmac ripemd \ GENERAL=Makefile README crypto-lib.com install.com LIB= $(TOP)/libcrypto.a -LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c -LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o +LIBSRC= cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c +LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o SRC= $(LIBSRC) @@ -198,3 +198,6 @@ tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h +uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h +uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h +uid.o: ../include/openssl/symhacks.h diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index 77447a524095..a8b651e54e7c 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -301,7 +301,7 @@ int asn1_GetSequence(ASN1_CTX *c, long *length) return(0); } if (c->inf == (1|V_ASN1_CONSTRUCTED)) - c->slen= *length+ *(c->pp)-c->p; + c->slen= *length; c->eos=0; return(1); } diff --git a/crypto/openssl/crypto/asn1/p7_lib.c b/crypto/openssl/crypto/asn1/p7_lib.c index b1196ef581ce..8a340b01190e 100644 --- a/crypto/openssl/crypto/asn1/p7_lib.c +++ b/crypto/openssl/crypto/asn1/p7_lib.c @@ -307,12 +307,14 @@ PKCS7 *d2i_PKCS7(PKCS7 **a, unsigned char **pp, long length) } if (Tinf == (1|V_ASN1_CONSTRUCTED)) { + c.q=c.p; if (!ASN1_check_infinite_end(&c.p,c.slen)) { c.error=ERR_R_MISSING_ASN1_EOS; c.line=__LINE__; goto err; } + c.slen-=(c.p-c.q); } } else diff --git a/crypto/openssl/crypto/asn1/x_name.c b/crypto/openssl/crypto/asn1/x_name.c index b832deb928b0..1885d699efd5 100644 --- a/crypto/openssl/crypto/asn1/x_name.c +++ b/crypto/openssl/crypto/asn1/x_name.c @@ -141,10 +141,12 @@ static int i2d_X509_NAME_entries(X509_NAME *a) } size+=i2d_X509_NAME_ENTRY(ne,NULL); } - - ret+=ASN1_object_size(1,size,V_ASN1_SET); if (fe != NULL) + { + /* SET OF needed only if entries is non empty */ + ret+=ASN1_object_size(1,size,V_ASN1_SET); fe->size=size; + } r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); diff --git a/crypto/openssl/crypto/bn/asm/mips3.s b/crypto/openssl/crypto/bn/asm/mips3.s index 2df4dcd4b0bf..45786c00a5f3 100644 --- a/crypto/openssl/crypto/bn/asm/mips3.s +++ b/crypto/openssl/crypto/bn/asm/mips3.s @@ -586,13 +586,13 @@ LEAF(bn_div_3_words) ld a0,(a3) move ta2,a1 ld a1,-8(a3) - move ta3,ra - move v1,zero + bne a0,a2,.L_bn_div_3_words_proceed li v0,-1 - beq a0,a2,.L_bn_div_3_words_skip_div + jr ra +.L_bn_div_3_words_proceed: + move ta3,ra bal bn_div_words move ra,ta3 -.L_bn_div_3_words_skip_div: dmultu ta2,v0 ld t2,-16(a3) move ta0,zero diff --git a/crypto/openssl/crypto/bn/bn.h b/crypto/openssl/crypto/bn/bn.h index ef1cfb0259b9..b232c2ceae3e 100644 --- a/crypto/openssl/crypto/bn/bn.h +++ b/crypto/openssl/crypto/bn/bn.h @@ -468,6 +468,8 @@ BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp,int num); # define bn_dump(a,b) #endif +int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. diff --git a/crypto/openssl/crypto/bn/bn_div.c b/crypto/openssl/crypto/bn/bn_div.c index 891b6026311c..c328b5b4110b 100644 --- a/crypto/openssl/crypto/bn/bn_div.c +++ b/crypto/openssl/crypto/bn/bn_div.c @@ -238,6 +238,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, { BN_ULONG q,l0; #if defined(BN_DIV3W) && !defined(NO_ASM) + BN_ULONG bn_div_3_words(BN_ULONG*,BN_ULONG,BN_ULONG); q=bn_div_3_words(wnump,d1,d0); #else BN_ULONG n0,n1,rem=0; diff --git a/crypto/openssl/crypto/bn/bn_rand.c b/crypto/openssl/crypto/bn/bn_rand.c index 224a0ff7a2c3..acd06199218b 100644 --- a/crypto/openssl/crypto/bn/bn_rand.c +++ b/crypto/openssl/crypto/bn/bn_rand.c @@ -76,7 +76,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) bytes=(bits+7)/8; bit=(bits-1)%8; - mask=0xff<= 128 && i > 0) + buf[i] = buf[i-1]; + else if (c < 42) + buf[i] = 0; + else if (c < 84) + buf[i] = 255; + } + } +#endif + + if (top != -1) + { + if (top) + { + if (bit == 0) + { + buf[0]=1; + buf[1]|=0x80; + } + else + { + buf[0]|=(3<<(bit-1)); + } } else { - buf[0]|=(3<<(bit-1)); - buf[0]&= ~(mask<<1); + buf[0]|=(1< 0 */ - + if (n == 1) { if (!BN_zero(r)) return 0; @@ -163,7 +193,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) do { /* range = 11..._2, so each iteration succeeds with probability >= .75 */ - if (!BN_rand(r, n, 0, 0)) return 0; + if (!BN_rand(r, n, -1, 0)) return 0; } while (BN_cmp(r, range) >= 0); } @@ -173,7 +203,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) * so 3*range (= 11..._2) is exactly one bit longer than range */ do { - if (!BN_rand(r, n + 1, 0, 0)) return 0; + if (!BN_rand(r, n + 1, -1, 0)) return 0; /* If r < 3*range, use r := r MOD range * (which is either r, r - range, or r - 2*range). * Otherwise, iterate once more. @@ -191,4 +221,3 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range) return 1; } - diff --git a/crypto/openssl/crypto/bn/bntest.c b/crypto/openssl/crypto/bn/bntest.c index c9801dc01614..af0c2629e87e 100644 --- a/crypto/openssl/crypto/bn/bntest.c +++ b/crypto/openssl/crypto/bn/bntest.c @@ -120,9 +120,7 @@ int main(int argc, char *argv[]) results = 0; - RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_rand may fail, and we don't - * even check its return value - * (which we should) */ + RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */ argc--; argv++; @@ -251,10 +249,10 @@ int test_add(BIO *bp) BN_init(&b); BN_init(&c); - BN_rand(&a,512,0,0); + BN_bntest_rand(&a,512,0,0); for (i=0; ineg=rand_neg(); b->neg=rand_neg(); if (bp == NULL) @@ -730,11 +728,11 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,1024,0,0); /**/ + BN_bntest_rand(c,1024,0,0); /**/ for (i=0; ineg=rand_neg(); b->neg=rand_neg(); /* if (bp == NULL) @@ -792,11 +790,11 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) d=BN_new(); e=BN_new(); - BN_rand(c,30,0,1); /* must be odd for montgomery */ + BN_bntest_rand(c,30,0,1); /* must be odd for montgomery */ for (i=0; ineg=rand_neg(); } for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; ineg=rand_neg(); for (i=0; i>32 and diff --git a/crypto/openssl/crypto/des/des.h b/crypto/openssl/crypto/des/des.h index 2db9748cb410..6b8a7ee11b1d 100644 --- a/crypto/openssl/crypto/des/des.h +++ b/crypto/openssl/crypto/des/des.h @@ -147,14 +147,14 @@ void des_ecb_encrypt(const_des_cblock *input,des_cblock *output, Data is a pointer to 2 unsigned long's and ks is the des_key_schedule to use. enc, is non zero specifies encryption, zero if decryption. */ -void des_encrypt(DES_LONG *data,des_key_schedule ks, int enc); +void des_encrypt1(DES_LONG *data,des_key_schedule ks, int enc); -/* This functions is the same as des_encrypt() except that the DES +/* This functions is the same as des_encrypt1() except that the DES initial permutation (IP) and final permutation (FP) have been left - out. As for des_encrypt(), you should not use this function. + out. As for des_encrypt1(), you should not use this function. It is used by the routines in the library that implement triple DES. IP() des_encrypt2() des_encrypt2() des_encrypt2() FP() is the same - as des_encrypt() des_encrypt() des_encrypt() except faster :-). */ + as des_encrypt1() des_encrypt1() des_encrypt1() except faster :-). */ void des_encrypt2(DES_LONG *data,des_key_schedule ks, int enc); void des_encrypt3(DES_LONG *data, des_key_schedule ks1, diff --git a/crypto/openssl/crypto/des/des_enc.c b/crypto/openssl/crypto/des/des_enc.c index 8311e106281c..0bd9fa39bcd4 100644 --- a/crypto/openssl/crypto/des/des_enc.c +++ b/crypto/openssl/crypto/des/des_enc.c @@ -58,7 +58,7 @@ #include "des_locl.h" -void des_encrypt(DES_LONG *data, des_key_schedule ks, int enc) +void des_encrypt1(DES_LONG *data, des_key_schedule ks, int enc) { register DES_LONG l,r,t,u; #ifdef DES_PTR diff --git a/crypto/openssl/crypto/des/des_opts.c b/crypto/openssl/crypto/des/des_opts.c index b2ca7ac31d6c..138ee1c6b47b 100644 --- a/crypto/openssl/crypto/des/des_opts.c +++ b/crypto/openssl/crypto/des/des_opts.c @@ -118,7 +118,7 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#define des_encrypt des_encrypt_u4_cisc_idx +#define des_encrypt1 des_encrypt_u4_cisc_idx #define des_encrypt2 des_encrypt2_u4_cisc_idx #define des_encrypt3 des_encrypt3_u4_cisc_idx #define des_decrypt3 des_decrypt3_u4_cisc_idx @@ -130,11 +130,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_idx +#define des_encrypt1 des_encrypt_u16_cisc_idx #define des_encrypt2 des_encrypt2_u16_cisc_idx #define des_encrypt3 des_encrypt3_u16_cisc_idx #define des_decrypt3 des_decrypt3_u16_cisc_idx @@ -146,11 +146,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_idx +#define des_encrypt1 des_encrypt_u4_risc1_idx #define des_encrypt2 des_encrypt2_u4_risc1_idx #define des_encrypt3 des_encrypt3_u4_risc1_idx #define des_decrypt3 des_decrypt3_u4_risc1_idx @@ -166,11 +166,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_idx +#define des_encrypt1 des_encrypt_u4_risc2_idx #define des_encrypt2 des_encrypt2_u4_risc2_idx #define des_encrypt3 des_encrypt3_u4_risc2_idx #define des_decrypt3 des_decrypt3_u4_risc2_idx @@ -182,11 +182,11 @@ extern void exit(); #undef DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_idx +#define des_encrypt1 des_encrypt_u16_risc1_idx #define des_encrypt2 des_encrypt2_u16_risc1_idx #define des_encrypt3 des_encrypt3_u16_risc1_idx #define des_decrypt3 des_decrypt3_u16_risc1_idx @@ -198,11 +198,11 @@ extern void exit(); #define DES_RISC2 #undef DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_idx +#define des_encrypt1 des_encrypt_u16_risc2_idx #define des_encrypt2 des_encrypt2_u16_risc2_idx #define des_encrypt3 des_encrypt3_u16_risc2_idx #define des_decrypt3 des_decrypt3_u16_risc2_idx @@ -218,11 +218,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_cisc_ptr +#define des_encrypt1 des_encrypt_u4_cisc_ptr #define des_encrypt2 des_encrypt2_u4_cisc_ptr #define des_encrypt3 des_encrypt3_u4_cisc_ptr #define des_decrypt3 des_decrypt3_u4_cisc_ptr @@ -234,11 +234,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_cisc_ptr +#define des_encrypt1 des_encrypt_u16_cisc_ptr #define des_encrypt2 des_encrypt2_u16_cisc_ptr #define des_encrypt3 des_encrypt3_u16_cisc_ptr #define des_decrypt3 des_decrypt3_u16_cisc_ptr @@ -250,11 +250,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc1_ptr +#define des_encrypt1 des_encrypt_u4_risc1_ptr #define des_encrypt2 des_encrypt2_u4_risc1_ptr #define des_encrypt3 des_encrypt3_u4_risc1_ptr #define des_decrypt3 des_decrypt3_u4_risc1_ptr @@ -270,11 +270,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u4_risc2_ptr +#define des_encrypt1 des_encrypt_u4_risc2_ptr #define des_encrypt2 des_encrypt2_u4_risc2_ptr #define des_encrypt3 des_encrypt3_u4_risc2_ptr #define des_decrypt3 des_decrypt3_u4_risc2_ptr @@ -286,11 +286,11 @@ extern void exit(); #undef DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc1_ptr +#define des_encrypt1 des_encrypt_u16_risc1_ptr #define des_encrypt2 des_encrypt2_u16_risc1_ptr #define des_encrypt3 des_encrypt3_u16_risc1_ptr #define des_decrypt3 des_decrypt3_u16_risc1_ptr @@ -302,11 +302,11 @@ extern void exit(); #define DES_RISC2 #define DES_PTR #undef D_ENCRYPT -#undef des_encrypt +#undef des_encrypt1 #undef des_encrypt2 #undef des_encrypt3 #undef des_decrypt3 -#define des_encrypt des_encrypt_u16_risc2_ptr +#define des_encrypt1 des_encrypt_u16_risc2_ptr #define des_encrypt2 des_encrypt2_u16_risc2_ptr #define des_encrypt3 des_encrypt3_u16_risc2_ptr #define des_decrypt3 des_decrypt3_u16_risc2_ptr @@ -453,7 +453,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; diff --git a/crypto/openssl/crypto/des/dess.cpp b/crypto/openssl/crypto/des/dess.cpp index 753e67ad9be2..5549bab90afb 100644 --- a/crypto/openssl/crypto/des/dess.cpp +++ b/crypto/openssl/crypto/des/dess.cpp @@ -45,19 +45,19 @@ void main(int argc,char *argv[]) { for (i=0; i<1000; i++) /**/ { - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(s1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e1); GetTSC(s2); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); + des_encrypt1(&data[0],key,1); GetTSC(e2); - des_encrypt(&data[0],key,1); + des_encrypt1(&data[0],key,1); } printf("des %d %d (%d)\n", diff --git a/crypto/openssl/crypto/des/ecb_enc.c b/crypto/openssl/crypto/des/ecb_enc.c index b261a8aad940..d481327ef3b3 100644 --- a/crypto/openssl/crypto/des/ecb_enc.c +++ b/crypto/openssl/crypto/des/ecb_enc.c @@ -114,7 +114,7 @@ void des_ecb_encrypt(const_des_cblock *input, des_cblock *output, c2l(in,l); ll[0]=l; c2l(in,l); ll[1]=l; - des_encrypt(ll,ks,enc); + des_encrypt1(ll,ks,enc); l=ll[0]; l2c(l,out); l=ll[1]; l2c(l,out); l=ll[0]=ll[1]=0; diff --git a/crypto/openssl/crypto/des/ede_cbcm_enc.c b/crypto/openssl/crypto/des/ede_cbcm_enc.c index c53062481ddd..b98f7e17af1d 100644 --- a/crypto/openssl/crypto/des/ede_cbcm_enc.c +++ b/crypto/openssl/crypto/des/ede_cbcm_enc.c @@ -95,7 +95,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -113,13 +113,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,0); + des_encrypt1(tin,ks2,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,1); + des_encrypt1(tin,ks1,1); tout0=tin[0]; tout1=tin[1]; @@ -146,7 +146,7 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, { tin[0]=m0; tin[1]=m1; - des_encrypt(tin,ks3,1); + des_encrypt1(tin,ks3,1); m0=tin[0]; m1=tin[1]; @@ -158,13 +158,13 @@ void des_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, tin[0]=tin0; tin[1]=tin1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks2,1); + des_encrypt1(tin,ks2,1); tin[0]^=m0; tin[1]^=m1; - des_encrypt(tin,ks1,0); + des_encrypt1(tin,ks1,0); tout0=tin[0]; tout1=tin[1]; diff --git a/crypto/openssl/crypto/des/ncbc_enc.c b/crypto/openssl/crypto/des/ncbc_enc.c index 3b681691a9b7..b8db07b199d6 100644 --- a/crypto/openssl/crypto/des/ncbc_enc.c +++ b/crypto/openssl/crypto/des/ncbc_enc.c @@ -89,7 +89,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2l(in,tin1); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -98,7 +98,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, c2ln(in,tin0,tin1,l+8); tin0^=tout0; tin[0]=tin0; tin1^=tout1; tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; l2c(tout0,out); tout1=tin[1]; l2c(tout1,out); } @@ -116,7 +116,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2c(tout0,out); @@ -128,7 +128,7 @@ void des_ncbc_encrypt(const unsigned char *in, unsigned char *out, long length, { c2l(in,tin0); tin[0]=tin0; c2l(in,tin1); tin[1]=tin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; l2cn(tout0,tout1,out,l+8); diff --git a/crypto/openssl/crypto/des/ofb64enc.c b/crypto/openssl/crypto/des/ofb64enc.c index 64953959cab0..1a1d1f1ac470 100644 --- a/crypto/openssl/crypto/des/ofb64enc.c +++ b/crypto/openssl/crypto/des/ofb64enc.c @@ -87,7 +87,7 @@ void des_ofb64_encrypt(register const unsigned char *in, { if (n == 0) { - des_encrypt(ti,schedule,DES_ENCRYPT); + des_encrypt1(ti,schedule,DES_ENCRYPT); dp=d; t=ti[0]; l2c(t,dp); t=ti[1]; l2c(t,dp); diff --git a/crypto/openssl/crypto/des/ofb_enc.c b/crypto/openssl/crypto/des/ofb_enc.c index a8f425a575a1..70493e632ccf 100644 --- a/crypto/openssl/crypto/des/ofb_enc.c +++ b/crypto/openssl/crypto/des/ofb_enc.c @@ -101,7 +101,7 @@ void des_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { ti[0]=v0; ti[1]=v1; - des_encrypt((DES_LONG *)ti,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT); vv0=ti[0]; vv1=ti[1]; c2ln(in,d0,d1,n); diff --git a/crypto/openssl/crypto/des/pcbc_enc.c b/crypto/openssl/crypto/des/pcbc_enc.c index dd69a26d4aab..5b987f074d31 100644 --- a/crypto/openssl/crypto/des/pcbc_enc.c +++ b/crypto/openssl/crypto/des/pcbc_enc.c @@ -85,7 +85,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2ln(in,sin0,sin1,length); tin[0]=sin0^xor0; tin[1]=sin1^xor1; - des_encrypt((DES_LONG *)tin,schedule,DES_ENCRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_ENCRYPT); tout0=tin[0]; tout1=tin[1]; xor0=sin0^tout0; @@ -103,7 +103,7 @@ void des_pcbc_encrypt(const unsigned char *input, unsigned char *output, c2l(in,sin1); tin[0]=sin0; tin[1]=sin1; - des_encrypt((DES_LONG *)tin,schedule,DES_DECRYPT); + des_encrypt1((DES_LONG *)tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0; tout1=tin[1]^xor1; if (length >= 8) diff --git a/crypto/openssl/crypto/des/speed.c b/crypto/openssl/crypto/des/speed.c index 814b86f4aee5..1223edf29079 100644 --- a/crypto/openssl/crypto/des/speed.c +++ b/crypto/openssl/crypto/des/speed.c @@ -204,7 +204,7 @@ int main(int argc, char **argv) count*=2; Time_F(START); for (i=count; i; i--) - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); d=Time_F(STOP); } while (d < 3.0); ca=count; @@ -241,7 +241,7 @@ int main(int argc, char **argv) { DES_LONG data[2]; - des_encrypt(data,&(sch[0]),DES_ENCRYPT); + des_encrypt1(data,&(sch[0]),DES_ENCRYPT); } d=Time_F(STOP); printf("%ld des_encrypt's in %.2f second\n",count,d); diff --git a/crypto/openssl/crypto/des/xcbc_enc.c b/crypto/openssl/crypto/des/xcbc_enc.c index 51e17e6b8a64..ccfede13aca6 100644 --- a/crypto/openssl/crypto/des/xcbc_enc.c +++ b/crypto/openssl/crypto/des/xcbc_enc.c @@ -138,7 +138,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2l(in,tin1); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -147,7 +147,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, c2ln(in,tin0,tin1,l+8); tin0^=tout0^inW0; tin[0]=tin0; tin1^=tout1^inW1; tin[1]=tin1; - des_encrypt(tin,schedule,DES_ENCRYPT); + des_encrypt1(tin,schedule,DES_ENCRYPT); tout0=tin[0]^outW0; l2c(tout0,out); tout1=tin[1]^outW1; l2c(tout1,out); } @@ -163,7 +163,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2c(tout0,out); @@ -175,7 +175,7 @@ void des_xcbc_encrypt(const unsigned char *in, unsigned char *out, { c2l(in,tin0); tin[0]=tin0^outW0; c2l(in,tin1); tin[1]=tin1^outW1; - des_encrypt(tin,schedule,DES_DECRYPT); + des_encrypt1(tin,schedule,DES_DECRYPT); tout0=tin[0]^xor0^inW0; tout1=tin[1]^xor1^inW1; l2cn(tout0,tout1,out,l+8); diff --git a/crypto/openssl/crypto/dh/dh_key.c b/crypto/openssl/crypto/dh/dh_key.c index 6f9426dd6fc2..a6469cad2c5b 100644 --- a/crypto/openssl/crypto/dh/dh_key.c +++ b/crypto/openssl/crypto/dh/dh_key.c @@ -99,7 +99,6 @@ DH_METHOD *DH_OpenSSL(void) static int generate_key(DH *dh) { int ok=0; - unsigned int i; BN_CTX ctx; BN_MONT_CTX *mont; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -108,15 +107,11 @@ static int generate_key(DH *dh) if (dh->priv_key == NULL) { - i=dh->length; - if (i == 0) - { - /* Make the number p-1 bits long */ - i=BN_num_bits(dh->p)-1; - } priv_key=BN_new(); if (priv_key == NULL) goto err; - if (!BN_rand(priv_key,i,0,0)) goto err; + do + if (!BN_rand_range(priv_key, dh->p)) goto err; + while (BN_is_zero(priv_key)); } else priv_key=dh->priv_key; diff --git a/crypto/openssl/crypto/dh/dh_lib.c b/crypto/openssl/crypto/dh/dh_lib.c index a8d5340bf435..8516bdafb4a3 100644 --- a/crypto/openssl/crypto/dh/dh_lib.c +++ b/crypto/openssl/crypto/dh/dh_lib.c @@ -120,13 +120,13 @@ DH *DH_new_method(DH_METHOD *meth) ret->method_mont_p=NULL; ret->references = 1; ret->flags=ret->meth->flags; + CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { + CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data); return(ret); } @@ -147,10 +147,10 @@ void DH_free(DH *r) } #endif - CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); - if(r->meth->finish) r->meth->finish(r); + CRYPTO_free_ex_data(dh_meth, r, &r->ex_data); + if (r->p != NULL) BN_clear_free(r->p); if (r->g != NULL) BN_clear_free(r->g); if (r->q != NULL) BN_clear_free(r->q); diff --git a/crypto/openssl/crypto/dsa/dsa_key.c b/crypto/openssl/crypto/dsa/dsa_key.c index af3c56d770ec..86cacfb3b9d7 100644 --- a/crypto/openssl/crypto/dsa/dsa_key.c +++ b/crypto/openssl/crypto/dsa/dsa_key.c @@ -68,7 +68,6 @@ int DSA_generate_key(DSA *dsa) { int ok=0; - unsigned int i; BN_CTX *ctx=NULL; BIGNUM *pub_key=NULL,*priv_key=NULL; @@ -81,15 +80,9 @@ int DSA_generate_key(DSA *dsa) else priv_key=dsa->priv_key; - i=BN_num_bits(dsa->q); - for (;;) - { - if (!BN_rand(priv_key,i,0,0)) - goto err; - if (BN_cmp(priv_key,dsa->q) >= 0) - BN_sub(priv_key,priv_key,dsa->q); - if (!BN_is_zero(priv_key)) break; - } + do + if (!BN_rand_range(priv_key,dsa->q)) goto err; + while (BN_is_zero(priv_key)); if (dsa->pub_key == NULL) { diff --git a/crypto/openssl/crypto/dsa/dsa_lib.c b/crypto/openssl/crypto/dsa/dsa_lib.c index be30d18b8a05..5dfc0eea43ce 100644 --- a/crypto/openssl/crypto/dsa/dsa_lib.c +++ b/crypto/openssl/crypto/dsa/dsa_lib.c @@ -125,13 +125,13 @@ DSA *DSA_new_method(DSA_METHOD *meth) ret->references=1; ret->flags=ret->meth->flags; + CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { + CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data); return(ret); } @@ -155,10 +155,10 @@ void DSA_free(DSA *r) } #endif - CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data); - if(r->meth->finish) r->meth->finish(r); + CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data); + if (r->p != NULL) BN_clear_free(r->p); if (r->q != NULL) BN_clear_free(r->q); if (r->g != NULL) BN_clear_free(r->g); diff --git a/crypto/openssl/crypto/dso/dso_dl.c b/crypto/openssl/crypto/dso/dso_dl.c index f661ec5bfb39..455bd66ecfc6 100644 --- a/crypto/openssl/crypto/dso/dso_dl.c +++ b/crypto/openssl/crypto/dso/dso_dl.c @@ -82,7 +82,7 @@ static int dl_unbind_func(DSO *dso, char *symname, DSO_FUNC_TYPE symptr); static int dl_init(DSO *dso); static int dl_finish(DSO *dso); #endif -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg); +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg); static DSO_METHOD dso_meth_dl = { "OpenSSL 'dl' shared library method", @@ -111,6 +111,11 @@ DSO_METHOD *DSO_METHOD_dl(void) * type so the cast is safe. */ +#if defined(__hpux) +static const char extension[] = ".sl"; +#else +static const char extension[] = ".so"; +#endif static int dl_load(DSO *dso, const char *filename) { shl_t ptr; @@ -118,12 +123,12 @@ static int dl_load(DSO *dso, const char *filename) int len; /* The same comment as in dlfcn_load applies here. bleurgh. */ - len = strlen(filename); + len = strlen(filename) + strlen(extension); if((dso->flags & DSO_FLAG_NAME_TRANSLATION) && - (len + 6 < DSO_MAX_TRANSLATED_SIZE) && + (len + 3 < DSO_MAX_TRANSLATED_SIZE) && (strstr(filename, "/") == NULL)) { - sprintf(translated, "lib%s.so", filename); + sprintf(translated, "lib%s%s", filename, extension); ptr = shl_load(translated, BIND_IMMEDIATE, NULL); } else @@ -224,7 +229,7 @@ static DSO_FUNC_TYPE dl_bind_func(DSO *dso, const char *symname) return((DSO_FUNC_TYPE)sym); } -static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) +static long dl_ctrl(DSO *dso, int cmd, long larg, void *parg) { if(dso == NULL) { @@ -236,10 +241,10 @@ static int dl_ctrl(DSO *dso, int cmd, long larg, void *parg) case DSO_CTRL_GET_FLAGS: return dso->flags; case DSO_CTRL_SET_FLAGS: - dso->flags = (int)larg; + dso->flags = larg; return(0); case DSO_CTRL_OR_FLAGS: - dso->flags |= (int)larg; + dso->flags |= larg; return(0); default: break; diff --git a/crypto/openssl/crypto/ebcdic.c b/crypto/openssl/crypto/ebcdic.c index 31397b2add77..91a7a8bcb430 100644 --- a/crypto/openssl/crypto/ebcdic.c +++ b/crypto/openssl/crypto/ebcdic.c @@ -211,7 +211,7 @@ ascii2ebcdic(void *dest, const void *srce, size_t count) } #else /*CHARSET_EBCDIC*/ -#ifdef PEDANTIC +#if defined(PEDANTIC) || defined(VMS) || defined(__VMS) static void *dummy=&dummy; #endif #endif diff --git a/crypto/openssl/crypto/err/err.c b/crypto/openssl/crypto/err/err.c index bfecb86c754b..be4a71ed0663 100644 --- a/crypto/openssl/crypto/err/err.c +++ b/crypto/openssl/crypto/err/err.c @@ -387,20 +387,18 @@ void ERR_put_error(int lib, int func, int reason, const char *file, void ERR_clear_error(void) { + int i; ERR_STATE *es; es=ERR_get_state(); -#if 0 - /* hmm... is this needed */ for (i=0; ierr_buffer[i]=0; + err_clear_data(es,i); es->err_file[i]=NULL; es->err_line[i]= -1; - err_clear_data(es,i); } -#endif es->top=es->bottom=0; } @@ -462,7 +460,14 @@ static unsigned long get_error_values(int inc, const char **file, int *line, } } - if (data != NULL) + if (data == NULL) + { + if (inc) + { + err_clear_data(es, i); + } + } + else { if (es->err_data[i] == NULL) { @@ -747,8 +752,9 @@ void ERR_set_error_data(char *data, int flags) if (i == 0) i=ERR_NUM_ERRORS-1; + err_clear_data(es,i); es->err_data[i]=data; - es->err_data_flags[es->top]=flags; + es->err_data_flags[i]=flags; } void ERR_add_error_data(int num, ...) @@ -757,7 +763,7 @@ void ERR_add_error_data(int num, ...) int i,n,s; char *str,*p,*a; - s=64; + s=80; str=OPENSSL_malloc(s+1); if (str == NULL) return; str[0]='\0'; diff --git a/crypto/openssl/crypto/mdc2/mdc2dgst.c b/crypto/openssl/crypto/mdc2/mdc2dgst.c index c630a24c2eed..84c6c4551a16 100644 --- a/crypto/openssl/crypto/mdc2/mdc2dgst.c +++ b/crypto/openssl/crypto/mdc2/mdc2dgst.c @@ -136,11 +136,11 @@ static void mdc2_body(MDC2_CTX *c, const unsigned char *in, unsigned int len) des_set_odd_parity(&c->h); des_set_key_unchecked(&c->h,k); - des_encrypt(d,k,1); + des_encrypt1(d,k,1); des_set_odd_parity(&c->hh); des_set_key_unchecked(&c->hh,k); - des_encrypt(dd,k,1); + des_encrypt1(dd,k,1); ttin0=tin0^dd[0]; ttin1=tin1^dd[1]; diff --git a/crypto/openssl/crypto/mem_dbg.c b/crypto/openssl/crypto/mem_dbg.c index ddf4be28caa8..ef19d8f84489 100644 --- a/crypto/openssl/crypto/mem_dbg.c +++ b/crypto/openssl/crypto/mem_dbg.c @@ -81,7 +81,8 @@ static int mh_mode=CRYPTO_MEM_CHECK_OFF; */ static unsigned long order = 0; /* number of memory requests */ -static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */ +static LHASH *mh=NULL; /* hash-table of memory requests (address as key); + * access requires MALLOC2 lock */ typedef struct app_mem_info_st @@ -103,7 +104,8 @@ typedef struct app_mem_info_st static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's * that are at the top of their thread's stack - * (with `thread' as key) */ + * (with `thread' as key); + * access requires MALLOC2 lock */ typedef struct mem_st /* memory-block description */ @@ -128,7 +130,15 @@ static long options = /* extra information to be recorded */ 0; -static unsigned long disabling_thread = 0; +static unsigned int num_disable = 0; /* num_disable > 0 + * iff + * mh_mode == CRYPTO_MEM_CHECK_ON (w/o ..._ENABLE) + */ +static unsigned long disabling_thread = 0; /* Valid iff num_disable > 0. + * CRYPTO_LOCK_MALLOC2 is locked + * exactly in this case (by the + * thread named in disabling_thread). + */ int CRYPTO_mem_ctrl(int mode) { @@ -137,22 +147,23 @@ int CRYPTO_mem_ctrl(int mode) CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); switch (mode) { - /* for applications: */ + /* for applications (not to be called while multiple threads + * use the library): */ case CRYPTO_MEM_CHECK_ON: /* aka MemCheck_start() */ mh_mode = CRYPTO_MEM_CHECK_ON|CRYPTO_MEM_CHECK_ENABLE; - disabling_thread = 0; + num_disable = 0; break; case CRYPTO_MEM_CHECK_OFF: /* aka MemCheck_stop() */ mh_mode = 0; - disabling_thread = 0; + num_disable = 0; /* should be true *before* MemCheck_stop is used, + or there'll be a lot of confusion */ break; /* switch off temporarily (for library-internal use): */ case CRYPTO_MEM_CHECK_DISABLE: /* aka MemCheck_off() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode&= ~CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != CRYPTO_thread_id()) /* otherwise we already have the MALLOC2 lock */ + if (!num_disable || (disabling_thread != CRYPTO_thread_id())) /* otherwise we already have the MALLOC2 lock */ { /* Long-time lock CRYPTO_LOCK_MALLOC2 must not be claimed while * we're holding CRYPTO_LOCK_MALLOC, or we'll deadlock if @@ -169,18 +180,23 @@ int CRYPTO_mem_ctrl(int mode) * OpenSSL threads. */ CRYPTO_w_lock(CRYPTO_LOCK_MALLOC2); CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + mh_mode &= ~CRYPTO_MEM_CHECK_ENABLE; disabling_thread=CRYPTO_thread_id(); } + num_disable++; } break; case CRYPTO_MEM_CHECK_ENABLE: /* aka MemCheck_on() */ if (mh_mode & CRYPTO_MEM_CHECK_ON) { - mh_mode|=CRYPTO_MEM_CHECK_ENABLE; - if (disabling_thread != 0) + if (num_disable) /* always true, or something is going wrong */ { - disabling_thread=0; - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + num_disable--; + if (num_disable == 0) + { + mh_mode|=CRYPTO_MEM_CHECK_ENABLE; + CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2); + } } } break; @@ -198,12 +214,12 @@ int CRYPTO_is_mem_check_on(void) if (mh_mode & CRYPTO_MEM_CHECK_ON) { - CRYPTO_w_lock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_lock(CRYPTO_LOCK_MALLOC); ret = (mh_mode & CRYPTO_MEM_CHECK_ENABLE) - && disabling_thread != CRYPTO_thread_id(); + || (disabling_thread != CRYPTO_thread_id()); - CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); + CRYPTO_r_unlock(CRYPTO_LOCK_MALLOC); } return(ret); } @@ -293,7 +309,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { @@ -330,7 +346,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) ami->next=amim; } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); @@ -342,11 +358,11 @@ int CRYPTO_pop_info(void) if (is_MemCheck_on()) /* _must_ be true, or something went severely wrong */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ ret=(pop_info() != NULL); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -357,12 +373,12 @@ int CRYPTO_remove_all_info(void) if (is_MemCheck_on()) /* _must_ be true */ { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* obtain MALLOC2 lock */ while(pop_info() != NULL) ret++; - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock */ } return(ret); } @@ -385,11 +401,12 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ if ((m=(MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ return; } if (mh == NULL) @@ -448,7 +465,8 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, OPENSSL_free(mm); } err: - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -467,7 +485,7 @@ void CRYPTO_dbg_free(void *addr, int before_p) if (is_MemCheck_on() && (mh != NULL)) { - MemCheck_off(); + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -484,7 +502,8 @@ void CRYPTO_dbg_free(void *addr, int before_p) OPENSSL_free(mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; case 1: @@ -518,7 +537,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, if (is_MemCheck_on()) { - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ + MemCheck_off(); /* make sure we hold MALLOC2 lock */ m.addr=addr1; mp=(MEM *)lh_delete(mh,(char *)&m); @@ -535,7 +554,8 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, lh_insert(mh,(char *)mp); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ + MemCheck_on(); /* release MALLOC2 lock + * if num_disabled drops to 0 */ } break; } @@ -642,10 +662,12 @@ void CRYPTO_mem_leaks(BIO *b) if (mh == NULL && amih == NULL) return; + + MemCheck_off(); /* obtain MALLOC2 lock */ + ml.bio=b; ml.bytes=0; ml.chunks=0; - MemCheck_off(); /* obtains CRYPTO_LOCK_MALLOC2 */ if (mh != NULL) lh_doall_arg(mh,(void (*)())print_leak,(char *)&ml); if (ml.chunks != 0) @@ -697,13 +719,7 @@ void CRYPTO_mem_leaks(BIO *b) mh_mode = old_mh_mode; CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC); } - MemCheck_on(); /* releases CRYPTO_LOCK_MALLOC2 */ - -#if 0 - lh_stats_bio(mh,b); - lh_node_stats_bio(mh,b); - lh_node_usage_stats_bio(mh,b); -#endif + MemCheck_on(); /* release MALLOC2 lock */ } #ifndef NO_FP_API diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 4c644abe4400..8566730aaa16 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x00906010L -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a-dev XX xxx XXXX" +#define OPENSSL_VERSION_NUMBER 0x0090601fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a 5 Apr 2001" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c index a9b4b8c9721e..a4fd5b98ec9a 100644 --- a/crypto/openssl/crypto/pkcs12/p12_key.c +++ b/crypto/openssl/crypto/pkcs12/p12_key.c @@ -102,7 +102,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, const EVP_MD *md_type) { unsigned char *B, *D, *I, *p, *Ai; - int Slen, Plen, Ilen; + int Slen, Plen, Ilen, Ijlen; int i, j, u, v; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; @@ -180,10 +180,17 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, BN_bin2bn (I + j, v, Ij); BN_add (Ij, Ij, Bpl1); BN_bn2bin (Ij, B); + Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ - if (BN_num_bytes (Ij) > v) { + if (Ijlen > v) { BN_bn2bin (Ij, B); memcpy (I + j, B + 1, v); +#ifndef PKCS12_BROKEN_KEYGEN + /* If less than v bytes pad with zeroes */ + } else if (Ijlen < v) { + memset(I + j, 0, v - Ijlen); + BN_bn2bin(Ij, I + j + v - Ijlen); +#endif } else BN_bn2bin (Ij, I + j); } } diff --git a/crypto/openssl/crypto/pkcs12/p12_kiss.c b/crypto/openssl/crypto/pkcs12/p12_kiss.c index 1fbbd6c99f90..5d67f19b4552 100644 --- a/crypto/openssl/crypto/pkcs12/p12_kiss.c +++ b/crypto/openssl/crypto/pkcs12/p12_kiss.c @@ -264,6 +264,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, if (lkey) { *keymatch |= MATCH_CERT; if (cert) *cert = x509; + else X509_free(x509); } else { if(ca) sk_X509_push (*ca, x509); else X509_free(x509); diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 099e9651c1c3..bf43d030ade6 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -370,7 +370,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (ri == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); - return(NULL); + goto err; } jj=EVP_PKEY_size(pkey); @@ -393,7 +393,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) BIO_get_cipher_ctx(etmp,&evp_ctx); EVP_CipherInit(evp_ctx,evp_cipher,NULL,NULL,0); if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) - return(NULL); + goto err; if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { /* Some S/MIME clients don't use the same key @@ -588,8 +588,10 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) pp=NULL; } +#ifndef NO_DSA if (si->pkey->type == EVP_PKEY_DSA) ctx_tmp.digest=EVP_dss1(); +#endif if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, (unsigned int *)&buf->length,si->pkey)) @@ -783,7 +785,14 @@ for (ii=0; iienc_digest; pkey = X509_get_pubkey(x509); + if (!pkey) + { + ret = -1; + goto err; + } +#ifndef NO_DSA if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); +#endif i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); EVP_PKEY_free(pkey); diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index d716f9faeba6..3d3214f5eee8 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; char buf[4096]; - int i, j=0, k; + int i, j=0, k, ret = 0; BIO *p7bio; BIO *tmpout; @@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, } } - sk_X509_free(signers); - if(indata) BIO_pop(p7bio); - BIO_free_all(p7bio); - - return 1; + ret = 1; err: + if(indata) BIO_pop(p7bio); + BIO_free_all(p7bio); sk_X509_free(signers); - BIO_free(p7bio); - return 0; + return ret; } STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c index d167dea77db6..567838f6c334 100644 --- a/crypto/openssl/crypto/rand/md_rand.c +++ b/crypto/openssl/crypto/rand/md_rand.c @@ -482,12 +482,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) unpredictable */ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { - int ret, err; + int ret; ret = RAND_bytes(buf, num); if (ret == 0) { - err = ERR_peek_error(); + long err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND && ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) (void)ERR_get_error(); diff --git a/crypto/openssl/crypto/rand/rand.h b/crypto/openssl/crypto/rand/rand.h index 971880edaa2a..918f865d90fa 100644 --- a/crypto/openssl/crypto/rand/rand.h +++ b/crypto/openssl/crypto/rand/rand.h @@ -59,6 +59,8 @@ #ifndef HEADER_RAND_H #define HEADER_RAND_H +#include + #ifdef __cplusplus extern "C" { #endif @@ -87,7 +89,7 @@ void RAND_seed(const void *buf,int num); void RAND_add(const void *buf,int num,double entropy); int RAND_load_file(const char *file,long max_bytes); int RAND_write_file(const char *file); -const char *RAND_file_name(char *file,int num); +const char *RAND_file_name(char *file,size_t num); int RAND_status(void); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); diff --git a/crypto/openssl/crypto/rand/rand_egd.c b/crypto/openssl/crypto/rand/rand_egd.c index 02a0d86fa330..79b5e6fa57f8 100644 --- a/crypto/openssl/crypto/rand/rand_egd.c +++ b/crypto/openssl/crypto/rand/rand_egd.c @@ -74,7 +74,14 @@ int RAND_egd_bytes(const char *path,int bytes) #include OPENSSL_UNISTD #include #include +#ifndef NO_SYS_UN_H #include +#else +struct sockaddr_un { + short sun_family; /* AF_UNIX */ + char sun_path[108]; /* path name (gag) */ +}; +#endif /* NO_SYS_UN_H */ #include #ifndef offsetof diff --git a/crypto/openssl/crypto/rand/rand_win.c b/crypto/openssl/crypto/rand/rand_win.c index 8850b9ae916c..3d137badd0e5 100644 --- a/crypto/openssl/crypto/rand/rand_win.c +++ b/crypto/openssl/crypto/rand/rand_win.c @@ -577,7 +577,8 @@ static void readtimer(void) if (have_tsc) { __try { __asm { - rdtsc + _emit 0x0f + _emit 0x31 mov cyclecount, eax } RAND_add(&cyclecount, sizeof(cyclecount), 1); @@ -725,8 +726,9 @@ int RAND_poll(void) #ifdef DEVRANDOM return 1; -#endif +#else return 0; +#endif } #endif diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 02f16aa81032..7548ac324c05 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -73,7 +73,7 @@ # include #endif -#include +#include "openssl/e_os.h" #include #include @@ -194,12 +194,13 @@ err: return (rand_err ? -1 : ret); } -const char *RAND_file_name(char *buf, int size) +const char *RAND_file_name(char *buf, size_t size) { - char *s; + char *s=NULL; char *ret=NULL; - s=getenv("RANDFILE"); + if (OPENSSL_issetugid() == 0) + s=getenv("RANDFILE"); if (s != NULL) { strncpy(buf,s,size-1); @@ -208,16 +209,19 @@ const char *RAND_file_name(char *buf, int size) } else { - s=getenv("HOME"); - if (s == NULL) return(RFILE); - if (((int)(strlen(s)+strlen(RFILE)+2)) > size) - return(RFILE); - strcpy(buf,s); + if (OPENSSL_issetugid() == 0) + s=getenv("HOME"); + if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size)) + { + strcpy(buf,s); #ifndef VMS - strcat(buf,"/"); + strcat(buf,"/"); #endif - strcat(buf,RFILE); - ret=buf; + strcat(buf,RFILE); + ret=buf; + } + else + buf[0] = '\0'; /* no file name */ } return(ret); } diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index 62618fe5a999..3e3832025781 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -443,13 +443,14 @@ err: static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) { - BIGNUM r1,m1; + BIGNUM r1,m1,vrfy; int ret=0; BN_CTX *ctx; if ((ctx=BN_CTX_new()) == NULL) goto err; BN_init(&m1); BN_init(&r1); + BN_init(&vrfy); if (rsa->flags & RSA_FLAG_CACHE_PRIVATE) { @@ -530,10 +531,19 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa) if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; if (!BN_add(r0,&r1,&m1)) goto err; + if (rsa->e && rsa->n) + { + if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,NULL)) goto err; + if (BN_cmp(I, &vrfy) != 0) + { + if (!rsa->meth->bn_mod_exp(r0,I,rsa->d,rsa->n,ctx,NULL)) goto err; + } + } ret=1; err: BN_clear_free(&m1); BN_clear_free(&r1); + BN_clear_free(&vrfy); BN_CTX_free(ctx); return(ret); } diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c index bbddd3f0f0bf..422643e9f2e8 100644 --- a/crypto/openssl/crypto/rsa/rsa_lib.c +++ b/crypto/openssl/crypto/rsa/rsa_lib.c @@ -145,13 +145,13 @@ RSA *RSA_new_method(RSA_METHOD *meth) ret->blinding=NULL; ret->bignum_data=NULL; ret->flags=ret->meth->flags; + CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { + CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data); OPENSSL_free(ret); ret=NULL; } - else - CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data); return(ret); } @@ -174,11 +174,11 @@ void RSA_free(RSA *r) } #endif - CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); - if (r->meth->finish != NULL) r->meth->finish(r); + CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data); + if (r->n != NULL) BN_clear_free(r->n); if (r->e != NULL) BN_clear_free(r->e); if (r->d != NULL) BN_clear_free(r->d); @@ -272,7 +272,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err; + if (!BN_rand_range(A,rsa->n)) goto err; if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!rsa->meth->bn_mod_exp(A,A,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) diff --git a/crypto/openssl/crypto/uid.c b/crypto/openssl/crypto/uid.c new file mode 100644 index 000000000000..b5b61b76d4e3 --- /dev/null +++ b/crypto/openssl/crypto/uid.c @@ -0,0 +1,88 @@ +/* crypto/uid.c */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include + +#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD__ > 2) + +#include + +int OPENSSL_issetugid(void) + { + return issetugid(); + } + +#elif defined(WIN32) + +int OPENSSL_issetugid(void) + { + return 0; + } + +#else + +#include +#include + +int OPENSSL_issetugid(void) + { + if (getuid() != geteuid()) return 1; + if (getgid() != getegid()) return 1; + return 0; + } +#endif + + + diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c index b147d573d2f9..3f9f9b3d472e 100644 --- a/crypto/openssl/crypto/x509/x509_cmp.c +++ b/crypto/openssl/crypto/x509/x509_cmp.c @@ -199,19 +199,13 @@ unsigned long X509_NAME_hash(X509_NAME *x) { unsigned long ret=0; unsigned char md[16]; - unsigned char str[256],*p,*pp; - int i; - i=i2d_X509_NAME(x,NULL); - if (i > sizeof(str)) - p=OPENSSL_malloc(i); - else - p=str; - - pp=p; - i2d_X509_NAME(x,&pp); - MD5((unsigned char *)p,i,&(md[0])); - if (p != str) OPENSSL_free(p); + /* Ensure cached version is up to date */ + i2d_X509_NAME(x,NULL); + /* Use cached encoding directly rather than copying: this should + * keep libsafe happy. + */ + MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0])); ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c index 733919f2507b..94bebcd4480c 100644 --- a/crypto/openssl/crypto/x509v3/v3_alt.c +++ b/crypto/openssl/crypto/x509v3/v3_alt.c @@ -270,7 +270,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens) /* Now add any email address(es) to STACK */ i = -1; while((i = X509_NAME_get_index_by_NID(nm, - NID_pkcs9_emailAddress, i)) > 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ne = X509_NAME_get_entry(nm, i); email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne)); if(!email || !(gen = GENERAL_NAME_new())) { diff --git a/crypto/openssl/doc/apps/pkcs12.pod b/crypto/openssl/doc/apps/pkcs12.pod index c4009998b8a9..7e0307dda0bf 100644 --- a/crypto/openssl/doc/apps/pkcs12.pod +++ b/crypto/openssl/doc/apps/pkcs12.pod @@ -304,6 +304,26 @@ Include some extra certificates: Some would argue that the PKCS#12 standard is one big bug :-) +Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation +routines. Under rare circumstances this could produce a PKCS#12 file encrypted +with an invalid key. As a result some PKCS#12 files which triggered this bug +from other implementations (MSIE or Netscape) could not be decrypted +by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could +not be decrypted by other implementations. The chances of producing such +a file are relatively small: less than 1 in 256. + +A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 +files cannot no longer be parsed by the fixed version. Under such circumstances +the B utility will report that the MAC is OK but fail with a decryption +error when extracting private keys. + +This problem can be resolved by extracting the private keys and certificates +from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 +file from the keys and certificates using a newer version of OpenSSL. For example: + + old-openssl -in bad.p12 -out keycerts.pem + openssl -in keycerts.pem -export -name "My PKCS#12 file" -out fixed.p12 + =head1 SEE ALSO L diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index 2f8037531996..f596ec71fc7a 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -32,6 +32,7 @@ B B [B<-no_tls1>] [B<-bugs>] [B<-cipher cipherlist>] +[B<-rand file(s)>] =head1 DESCRIPTION @@ -156,6 +157,14 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the B command for more information. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =back =head1 CONNECTED COMMANDS diff --git a/crypto/openssl/doc/apps/s_server.pod b/crypto/openssl/doc/apps/s_server.pod index 0f29c361d90b..0f67d555289a 100644 --- a/crypto/openssl/doc/apps/s_server.pod +++ b/crypto/openssl/doc/apps/s_server.pod @@ -39,6 +39,7 @@ B B [B<-hack>] [B<-www>] [B<-WWW>] +[B<-rand file(s)>] =head1 DESCRIPTION @@ -94,7 +95,7 @@ using a set of DH parameters. If not specified then an attempt is made to load the parameters from the server certificate file. If this fails then a static set of parameters hard coded into the s_server program will be used. -=item B<-nodhe> +=item B<-no_dhe> if this option is set then no DH parameters will be loaded effectively disabling the ephemeral DH cipher suites. @@ -186,6 +187,14 @@ emulates a simple web server. Pages will be resolved relative to the current directory, for example if the URL https://myhost/page.html is requested the file ./page.html will be loaded. +=item B<-rand file(s)> + +a file or files containing random data used to seed the random number +generator, or an EGD socket (see L). +Multiple files can be specified separated by a OS-dependent character. +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for +all others. + =back =head1 CONNECTED COMMANDS diff --git a/crypto/openssl/doc/crypto/BN_rand.pod b/crypto/openssl/doc/crypto/BN_rand.pod index 2a8bed5fed8f..cbae2fca9774 100644 --- a/crypto/openssl/doc/crypto/BN_rand.pod +++ b/crypto/openssl/doc/crypto/BN_rand.pod @@ -17,10 +17,12 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of -B bits in length and stores it in B. If B is true, the -two most significant bits of the number will be set to 1, so that the -product of two such random numbers will always have 2*B length. -If B is true, the number will be odd. +B bits in length and stores it in B. If B is -1, the +most significant bit of the random number can be zero. If B is 0, +it is set to 1, and if B is 1, the two most significant bits of +the number will be set to 1, so that the product of two such random +numbers will always have 2*B length. If B is true, the +number will be odd. BN_pseudo_rand() does the same, but pseudo-random numbers generated by this function are not necessarily unpredictable. They can be used for @@ -45,7 +47,7 @@ L, L =head1 HISTORY BN_rand() is available in all versions of SSLeay and OpenSSL. -BN_pseudo_rand() was added in OpenSSL 0.9.5, and BN_rand_range() -in OpenSSL 0.9.6a. +BN_pseudo_rand() was added in OpenSSL 0.9.5. The B == -1 case +and the function BN_rand_range() were added in OpenSSL 0.9.6a. =cut diff --git a/crypto/openssl/doc/crypto/RAND_load_file.pod b/crypto/openssl/doc/crypto/RAND_load_file.pod index 8dd700ca3d4b..d8c134e621d1 100644 --- a/crypto/openssl/doc/crypto/RAND_load_file.pod +++ b/crypto/openssl/doc/crypto/RAND_load_file.pod @@ -8,7 +8,7 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file #include - const char *RAND_file_name(char *buf, int num); + const char *RAND_file_name(char *buf, size_t num); int RAND_load_file(const char *filename, long max_bytes); diff --git a/crypto/openssl/doc/crypto/rand.pod b/crypto/openssl/doc/crypto/rand.pod index 295b6810505a..9545f0e10959 100644 --- a/crypto/openssl/doc/crypto/rand.pod +++ b/crypto/openssl/doc/crypto/rand.pod @@ -8,17 +8,17 @@ rand - pseudo-random number generator #include - int RAND_bytes(unsigned char *buf,int num); - int RAND_pseudo_bytes(unsigned char *buf,int num); + int RAND_bytes(unsigned char *buf, int num); + int RAND_pseudo_bytes(unsigned char *buf, int num); - void RAND_seed(const void *buf,int num); - void RAND_add(const void *buf,int num,int entropy); + void RAND_seed(const void *buf, int num); + void RAND_add(const void *buf, int num, int entropy); int RAND_status(void); void RAND_screen(void); - int RAND_load_file(const char *file,long max_bytes); + int RAND_load_file(const char *file, long max_bytes); int RAND_write_file(const char *file); - const char *RAND_file_name(char *file,int num); + const char *RAND_file_name(char *file, size_t num); int RAND_egd(const char *path); diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod index bf851dcea5a0..4b91c63ba0df 100644 --- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod +++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod @@ -41,7 +41,7 @@ does use the full 128 bits (which would be returned for B), of which however 88bits are fixed. The search space is hence only 40 bits. The string returned by SSL_CIPHER_description() in case of success consists -of cleartext information seperated by one or more blanks in the following +of cleartext information separated by one or more blanks in the following sequence: =over 4 @@ -65,7 +65,7 @@ B, B, B. Authentication method: B, B, B, B. None is the representation of anonymous ciphers. -=item Enc= +=item Enc= Encryption method with number of secret bits: B, B, B<3DES(168)>, B, B, B, B, diff --git a/crypto/openssl/doc/ssl/SSL_CTX_free.pod b/crypto/openssl/doc/ssl/SSL_CTX_free.pod index de6967242220..c716cde164c6 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_free.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_free.pod @@ -17,7 +17,7 @@ SSL_CTX object pointed to by B and frees up the allocated memory if the the reference count has reached 0. It also calls the free()ing procedures for indirectly affected items, if -applicable: the session cacahe, the list of ciphers, the list of Client CAs, +applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. =head1 RETURN VALUES diff --git a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod index 0e2d2179c8c1..88f18bd5ff40 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod @@ -33,7 +33,7 @@ which can be used e.g. for descriptions of the certificates. The B is processed on execution of the SSL_CTX_load_verify_locations() function. -If on an TLS/SSL server no special setting is perfomed using *client_CA_list() +If on an TLS/SSL server no special setting is performed using *client_CA_list() functions, the certificates contained in B are listed to the client as available CAs during the TLS/SSL handshake. @@ -64,7 +64,7 @@ failure. When building its own certificate chain, an OpenSSL client/server will try to fill in missing certificates from B/B, if the -certificate chain was not explicitely specified (see +certificate chain was not explicitly specified (see L, L. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_new.pod b/crypto/openssl/doc/ssl/SSL_CTX_new.pod index 8b16ea3c903d..1dae8b0bdd02 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_new.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_new.pod @@ -59,6 +59,10 @@ choice when compatibility is a concern. =back +If a generic method is used, it is necessary to explicitly set client or +server mode with L +or SSL_set_accept_state(). + The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B or B functions. Using these options it is possible to choose @@ -89,6 +93,6 @@ The return value points to an allocated SSL_CTX object. =head1 SEE ALSO L, L, -L +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod new file mode 100644 index 000000000000..19aa4e29027b --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_number.pod @@ -0,0 +1,76 @@ +=pod + +=head1 NAME + +SSL_CTX_sess_number, SSL_CTX_sess_connect, SSL_CTX_sess_connect_good, SSL_CTX_sess_connect_renegotiate, SSL_CTX_sess_accept, SSL_CTX_sess_accept_good, SSL_CTX_sess_accept_renegotiate, SSL_CTX_sess_hits, SSL_CTX_sess_cb_hits, SSL_CTX_sess_misses, SSL_CTX_sess_timeouts, SSL_CTX_sess_cache_full - obtain session cache statistics + +=head1 SYNOPSIS + + #include + + long SSL_CTX_sess_number(SSL_CTX *ctx); + long SSL_CTX_sess_connect(SSL_CTX *ctx); + long SSL_CTX_sess_connect_good(SSL_CTX *ctx); + long SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx); + long SSL_CTX_sess_accept(SSL_CTX *ctx); + long SSL_CTX_sess_accept_good(SSL_CTX *ctx); + long SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx); + long SSL_CTX_sess_hits(SSL_CTX *ctx); + long SSL_CTX_sess_cb_hits(SSL_CTX *ctx); + long SSL_CTX_sess_misses(SSL_CTX *ctx); + long SSL_CTX_sess_timeouts(SSL_CTX *ctx); + long SSL_CTX_sess_cache_full(SSL_CTX *ctx); + +=head1 DESCRIPTION + +SSL_CTX_sess_number() returns the current number of sessions in the internal +session cache. + +SSL_CTX_sess_connect() returns the number of started SSL/TLS handshakes in +client mode. + +SSL_CTX_sess_connect_good() returns the number of successfully established +SSL/TLS sessions in client mode. + +SSL_CTX_sess_connect_renegotiate() returns the number of start renegotiations +in client mode. + +SSL_CTX_sess_accept() returns the number of started SSL/TLS handshakes in +server mode. + +SSL_CTX_sess_accept_good() returns the number of successfully established +SSL/TLS sessions in server mode. + +SSL_CTX_sess_accept_renegotiate() returns the number of start renegotiations +in server mode. + +SSL_CTX_sess_hits() returns the number of successfully reused sessions. +In client mode a session set with L +successfully reused is counted as a hit. In server mode a session successfully +retrieved from internal or external cache is counted as a hit. + +SSL_CTX_sess_cb_hits() returns the number of successfully retrieved sessions +from the external session cache in server mode. + +SSL_CTX_sess_misses() returns the number of sessions proposed by clients +that were not found in the internal session cache in server mode. + +SSL_CTX_sess_timeouts() returns the number of sessions proposed by clients +and either found in the internal or external session cache in server mode, + but that were invalid due to timeout. These sessions are not included in +the SSL_CTX_sess_hits() count. + +SSL_CTX_sess_cache_full() returns the number of sessions that were removed +because the maximum session cache size was exceeded. + +=head1 RETURN VALUES + +The functions return the values indicated in the DESCRIPTION section. + +=head1 SEE ALSO + +L, L, +L +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod index 469933baf35b..d59a7db636a8 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_sess_set_cache_size.pod @@ -45,6 +45,7 @@ SSL_CTX_sess_get_cache_size() returns the currently valid size. L, L, +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod index ad92a8c5d23e..e05aab3c1bc2 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_sessions.pod @@ -20,7 +20,7 @@ internal session cache for B. The sessions in the internal session cache are kept in an L type database. It is possible to directly access this database e.g. for searching. In parallel, the sessions -form a linked list which is maintained seperatly from the +form a linked list which is maintained separately from the L operations, so that the database must not be modified directly but by using the L family of functions. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod index f27a291cb654..81e312761e7a 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -41,7 +41,7 @@ the CAs available using the B option in L are sent. -This list can be explicitely set using the SSL_CTX_set_client_CA_list() for +This list can be explicitly set using the SSL_CTX_set_client_CA_list() for B and SSL_set_client_CA_list() for the specific B. The list specified overrides the previous setting. The CAs listed do not become trusted (B only contains the names, not the complete certificates); use @@ -74,7 +74,7 @@ The operation succeeded. =item 0 -A failure while manipulating the STACK_OF(X509_NAME) object occured or +A failure while manipulating the STACK_OF(X509_NAME) object occurred or the X509_NAME could not be extracted from B. Check the error stack to find out the reason. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod new file mode 100644 index 000000000000..9a035bb4d184 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod @@ -0,0 +1,78 @@ +=pod + +=head1 NAME + +SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode - manipulate SSL engine mode + +=head1 SYNOPSIS + + #include + + long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); + long SSL_set_mode(SSL *ssl, long mode); + + long SSL_CTX_get_mode(SSL_CTX *ctx); + long SSL_get_mode(SSL *ssl); + +=head1 DESCRIPTION + +SSL_CTX_set_mode() adds the mode set via bitmask in B to B. +Options already set before are not cleared. + +SSL_set_mode() adds the mode set via bitmask in B to B. +Options already set before are not cleared. + +SSL_CTX_get_mode() returns the mode set for B. + +SSL_get_mode() returns the mode set for B. + +=head1 NOTES + +The following mode changes are available: + +=over 4 + +=item SSL_MODE_ENABLE_PARTIAL_WRITE + +Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success +when just a single record has been written). When not set (the default), +SSL_write() will only report success once the complete chunk was written. + +=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER + +Make it possible to retry SSL_write() with changed buffer location +(the buffer contents must stay the same). This is not the default to avoid +the misconception that non-blocking SSL_write() behaves like +non-blocking write(). + +=item SSL_MODE_AUTO_RETRY + +Never bother the application with retries if the transport is blocking. +If a renegotiation take place during normal operation, a +L or L would return +with -1 and indicate the need to retry with SSL_ERROR_WANT_READ. +In a non-blocking environment applications must be prepared to handle +incomplete read/write operations. +In a blocking environment, applications are not always prepared to +deal with read/write operations returning without success report. The +flag SSL_MODE_AUTO_RETRY will cause read/write operations to only +return after the handshake and successful completion. + +=back + +=head1 RETURN VALUES + +SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask +after adding B. + +SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask. + +=head1 SEE ALSO + +L, L, L + +=head1 HISTORY + +SSL_MODE_AUTO_RETRY as been added in OpenSSL 0.9.6. + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod index bd5b0cbf9629..3dc7cc74ad63 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod @@ -53,7 +53,7 @@ Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte challenge but then appears to only use 16 bytes when generating the encryption keys. Using 16 bytes is ok but it should be ok to use 32. According to the SSLv3 spec, one should use 32 bytes for the challenge -when opperating in SSLv2/v3 compatablity mode, but as mentioned above, +when operating in SSLv2/v3 compatibility mode, but as mentioned above, this breaks this server so 16 bytes is the way to go. =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod index ba3502a0a423..083766f8d084 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -97,6 +97,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode. =head1 SEE ALSO L, L, +L, L, L, L, diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod index 3091bd6895f8..002018096551 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod @@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method SSL_CTX_set_ssl_version() sets a new default TLS/SSL B for SSL objects newly created from this B. SSL objects already created with -L are not affected, except when SSL_clear() is -being called. +L are not affected, except when +L is being called. SSL_set_ssl_method() sets a new TLS/SSL B for a particular B object. It may be reset, when SSL_clear() is called. @@ -31,9 +31,9 @@ set in B. The available B choices are described in L. -When SSL_clear() is called and no session is connected to an SSL object, -the method of the SSL object is reset to the method currently set in -the corresponding SSL_CTX object. +When L is called and no session is connected to +an SSL object, the method of the SSL object is reset to the method currently +set in the corresponding SSL_CTX object. =head1 RETURN VALUES @@ -55,6 +55,7 @@ The operation succeeded. =head1 SEE ALSO L, L, -L, L +L, L, +L =cut diff --git a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod index 58fa3e6a84f6..3b2fe6fc5081 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_use_certificate.pod @@ -117,7 +117,7 @@ in the file to the certificate store. The other certificates are added to the store of chain certificates using L. There exists only one extra chain store, so that the same chain is appended -to both types of certificates, RSA and DSA! If it is not intented to use +to both types of certificates, RSA and DSA! If it is not intended to use both type of certificate at the same time, it is recommended to use the SSL_CTX_use_certificate_chain_file() instead of the SSL_CTX_use_certificate_file() function in order to allow the use of diff --git a/crypto/openssl/doc/ssl/SSL_accept.pod b/crypto/openssl/doc/ssl/SSL_accept.pod index 46f95abb2f22..86f980de41b7 100644 --- a/crypto/openssl/doc/ssl/SSL_accept.pod +++ b/crypto/openssl/doc/ssl/SSL_accept.pod @@ -37,6 +37,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L), it +is necessary to call SSL_set_accept_state() +before calling SSL_accept() to explicitly switch the B to server +mode. + =head1 RETURN VALUES The following return values can occur: @@ -67,6 +72,8 @@ to find out the reason. =head1 SEE ALSO L, L, -L, L, L +L, L, L, +L, +L =cut diff --git a/crypto/openssl/doc/ssl/SSL_clear.pod b/crypto/openssl/doc/ssl/SSL_clear.pod index aeb0b5c7a230..8b735d81dcbc 100644 --- a/crypto/openssl/doc/ssl/SSL_clear.pod +++ b/crypto/openssl/doc/ssl/SSL_clear.pod @@ -13,8 +13,17 @@ SSL_clear - reset SSL object to allow another connection =head1 DESCRIPTION Reset B to allow another connection. All settings (method, ciphers, -BIOs) are kept. A completely negotiated B is not freed but left -untouched for the underlying B. +BIOs) are kept. + +=head1 NOTES + +SSL_clear is used to prepare an SSL object for a new connection. While all +settings are kept, a side effect is the handling of the current SSL session. +If a session is still B, it is considered bad and will be removed +from the session cache, as required by RFC2246. A session is considered open, +if L was not called for the connection +or at least L was used to +set the SSL_SENT_SHUTDOWN state. =head1 RETURN VALUES @@ -34,6 +43,7 @@ The SSL_clear() operation was successful. =back L, L, +L, L, L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_connect.pod b/crypto/openssl/doc/ssl/SSL_connect.pod index 00813ecfff6f..bcc167745b87 100644 --- a/crypto/openssl/doc/ssl/SSL_connect.pod +++ b/crypto/openssl/doc/ssl/SSL_connect.pod @@ -34,6 +34,11 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +When using a generic method (see L), it +is necessary to call L +before calling SSL_connect() to explicitly switch the B to client +mode. + =head1 RETURN VALUES The following return values can occur: @@ -64,6 +69,8 @@ to find out the reason. =head1 SEE ALSO L, L, -L, L, L +L, L, L, +L, +L =cut diff --git a/crypto/openssl/doc/ssl/SSL_free.pod b/crypto/openssl/doc/ssl/SSL_free.pod index f3f0c345f8a1..2d4f8b6168b3 100644 --- a/crypto/openssl/doc/ssl/SSL_free.pod +++ b/crypto/openssl/doc/ssl/SSL_free.pod @@ -16,18 +16,29 @@ SSL_free() decrements the reference count of B, and removes the SSL structure pointed to by B and frees up the allocated memory if the the reference count has reached 0. -It also calls the free()ing procedures for indirectly affected items, if +=head1 NOTES + +SSL_free() also calls the free()ing procedures for indirectly affected items, if applicable: the buffering BIO, the read and write BIOs, cipher lists specially created for this B, the B. Do not explicitly free these indirectly freed up items before or after calling SSL_free(), as trying to free things twice may lead to program failure. +The ssl session has reference counts from two users: the SSL object, for +which the reference count is removed by SSL_free() and the internal +session cache. If the session is considered bad, because +L was not called for the connection +and L was not used to set the +SSL_SENT_SHUTDOWN state, the session will also be removed +from the session cache as required by RFC2246. + =head1 RETURN VALUES SSL_free() does not provide diagnostic information. L, L, +L, L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod index d358bc352e69..40e01cf9c81e 100644 --- a/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod +++ b/crypto/openssl/doc/ssl/SSL_get_client_CA_list.pod @@ -13,10 +13,10 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs =head1 DESCRIPTION -SSL_CTX_get_client_CA_list() returns the list of client CAs explicitely set for +SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for B using L. -SSL_get_client_CA_list() returns the list of client CAs explicitely +SSL_get_client_CA_list() returns the list of client CAs explicitly set for B using SSL_set_client_CA_list() or B's SSL_CTX object with L, when in server mode. In client mode, SSL_get_client_CA_list returns the list of @@ -34,12 +34,12 @@ values: =item STACK_OF(X509_NAMES) -List of CA names explicitely set (for B or in server mode) or send +List of CA names explicitly set (for B or in server mode) or send by the server (client mode). =item NULL -No client CA list was explicitely set (for B or in server mode) or +No client CA list was explicitly set (for B or in server mode) or the server did not send a list of CAs (client mode). =back diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod index e93e8206faf5..390ce0b41b5c 100644 --- a/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod +++ b/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod @@ -15,7 +15,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates forming the certificate chain of the peer. If called on the client side, the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained seperately using +side, the peer's certificate must be obtained separately using L. If the peer did not present a certificate, NULL is returned. diff --git a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod index 79c089aa5172..1102c7fba904 100644 --- a/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod +++ b/crypto/openssl/doc/ssl/SSL_get_peer_certificate.pod @@ -23,7 +23,7 @@ to check the verification state. The reference count of the X509 object is incremented by one, so that it will not be destroyed when the session containing the peer certificate is -freed. The X509 object must be explicitely freed using X509_free(). +freed. The X509 object must be explicitly freed using X509_free(). =head1 RETURN VALUES diff --git a/crypto/openssl/doc/ssl/SSL_get_session.pod b/crypto/openssl/doc/ssl/SSL_get_session.pod index aff41fb9cf62..a0266e2ac635 100644 --- a/crypto/openssl/doc/ssl/SSL_get_session.pod +++ b/crypto/openssl/doc/ssl/SSL_get_session.pod @@ -16,14 +16,30 @@ SSL_get_session - retrieve TLS/SSL session data SSL_get_session() returns a pointer to the B actually used in B. The reference count of the B is not incremented, so -that the pointer can become invalid when the B is freed and -SSL_SESSION_free() is implicitly called. +that the pointer can become invalid by other operations. SSL_get0_session() is the same as SSL_get_session(). SSL_get1_session() is the same as SSL_get_session(), but the reference count of the B is incremented by one. +=head1 NOTES + +The ssl session contains all information required to re-establish the +connection without a new handshake. + +SSL_get0_session() returns a pointer to the actual session. As the +reference counter is not incremented, the pointer is only valid while +the connection is in use. If L or +L is called, the session may be removed completely +(if considered bad), and the pointer obtained will become invalid. Even +if the session is valid, it can be removed at any time due to timeout +during L. + +If the data is to be kept, SSL_get1_session() will increment the reference +count and the session will stay in memory until explicitly freed with +L, regardless of its state. + =head1 RETURN VALUES The following return values can occur: @@ -43,6 +59,7 @@ The return value points to the data of an SSL session. =head1 SEE ALSO L, L, +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod index 4d66236a05ea..e6bac9c35a8b 100644 --- a/crypto/openssl/doc/ssl/SSL_get_verify_result.pod +++ b/crypto/openssl/doc/ssl/SSL_get_verify_result.pod @@ -19,7 +19,7 @@ X509 certificate presented by the peer, if any. SSL_get_verify_result() can only return one error code while the verification of a certificate can fail because of many reasons at the same time. Only -the last verification error that occured during the processing is available +the last verification error that occurred during the processing is available from SSL_get_verify_result(). The verification result is part of the established session and is restored @@ -28,7 +28,7 @@ when a session is reused. =head1 BUGS If no peer certificate was presented, the returned result code is -X509_V_OK. This is because no verification error occured, it does however +X509_V_OK. This is because no verification error occurred, it does however not indicate success. SSL_get_verify_result() is only useful in connection with L. diff --git a/crypto/openssl/doc/ssl/SSL_get_version.pod b/crypto/openssl/doc/ssl/SSL_get_version.pod new file mode 100644 index 000000000000..24d52912565d --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_get_version.pod @@ -0,0 +1,46 @@ +=pod + +=head1 NAME + +SSL_get_version - get the protocol version of a connection. + +=head1 SYNOPSIS + + #include + + const char *SSL_get_version(SSL *ssl); + +=head1 DESCRIPTION + +SSL_get_cipher_version() returns the name of the protocol used for the +connection B. + +=head1 RETURN VALUES + +The following strings can occur: + +=over 4 + +=item SSLv2 + +The connection uses the SSLv2 protocol. + +=item SSLv3 + +The connection uses the SSLv3 protocol. + +=item TLSv1 + +The connection uses the TLSv1 protocol. + +=item unknown + +This indicates that no version has been set (no connection established). + +=back + +=head1 SEE ALSO + +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_read.pod b/crypto/openssl/doc/ssl/SSL_read.pod index 9bff32500b89..7db5ee0a22ad 100644 --- a/crypto/openssl/doc/ssl/SSL_read.pod +++ b/crypto/openssl/doc/ssl/SSL_read.pod @@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection. #include - int SSL_read(SSL *ssl, char *buf, int num); + int SSL_read(SSL *ssl, void *buf, int num); =head1 DESCRIPTION @@ -18,17 +18,29 @@ buffer B. =head1 NOTES If necessary, SSL_read() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L or +L. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the underlying BIO. +For the transparent negotiation to succeed, the B must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L, so that +L or SSL_set_accept_state() +must be used before the first call to an SSL_read() or +L function. + If the underlying BIO is B, SSL_read() will only return, once the -read operation has been finished or an error occurred. +read operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L call. If the underlying BIO is B, SSL_read() will also return when the underlying BIO could not satisfy the needs of SSL_read() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L with the return value of SSL_read() will yield B or B. As at any time a re-negotiation is possible, a call to SSL_read() can also cause write operations! The calling process @@ -72,6 +84,9 @@ return value B to find out the reason. =head1 SEE ALSO L, L, +L, L, +L, L +L, L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_set_connect_state.pod b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod new file mode 100644 index 000000000000..a8c4463c640a --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_set_connect_state.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + +SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in client or server mode + +=head1 SYNOPSIS + + #include + + void SSL_set_connect_state(SSL *ssl); + + void SSL_set_accept_state(SSL *ssl); + +=head1 DESCRIPTION + +SSL_set_connect_state() B to work in client mode. + +SSL_set_accept_state() B to work in server mode. + +=head1 NOTES + +When the SSL_CTX object was created with L, +it was either assigned a dedicated client method, a dedicated server +method, or a generic method, that can be used for both client and +server connections. (The method might have been changed with +L or +SSL_set_ssl_method().) + +In order to successfully accomplish the handshake, the SSL routines need +to know whether they should act in server or client mode. If the generic +method was used, this is not clear from the method itself and must be set +with either SSL_set_connect_state() or SSL_set_accept_state(). If these +routines are not called, the default value set when L +is called is server mode. + +=head1 RETURN VALUES + +SSL_set_connect_state() and SSL_set_accept_state() do not return diagnostic +information. + +=head1 SEE ALSO + +L, L, L, +L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_set_shutdown.pod b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod new file mode 100644 index 000000000000..6b196c1f15b8 --- /dev/null +++ b/crypto/openssl/doc/ssl/SSL_set_shutdown.pod @@ -0,0 +1,68 @@ +=pod + +=head1 NAME + +SSL_set_shutdown, SSL_get_shutdown - manipulate shutdown state of an SSL connection + +=head1 SYNOPSIS + + #include + + void SSL_set_shutdown(SSL *ssl, int mode); + + int SSL_get_shutdown(SSL *ssl); + +=head1 DESCRIPTION + +SSL_set_shutdown() sets the shutdown state of B to B. + +SSL_get_shutdown() returns the shutdown mode of B. + +=head1 NOTES + +The shutdown state of an ssl connection is a bitmask of: + +=over 4 + +=item 0 + +No shutdown setting, yet. + +=item SSL_SENT_SHUTDOWN + +A "close notify" shutdown alert was sent to the peer, the connection is being +considered closed and the session is closed and correct. + +=item SSL_RECEIVED_SHUTDOWN + +A shutdown alert was received form the peer, either a normal "close notify" +or a fatal error. + +=back + +SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN can be set at the same time. + +The shutdown state of the connection is used to determine the state of +the ssl session. If the session is still open, when +L or L is called, +it is considered bad and removed according to RFC2246. +The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN. +SSL_set_shutdown() can be used to set this state without sending a +close alert to the peer (see L). + +If a "close notify" was received, SSL_RECEIVED_SHUTDOWN will be set, +for setting SSL_SENT_SHUTDOWN the application must however still call +L or SSL_set_shutdown() itself. + +=head1 RETURN VALUES + +SSL_set_shutdown() does not return diagnostic information. + +SSL_get_shutdown() returns the current setting. + +=head1 SEE ALSO + +L, L, +L, L + +=cut diff --git a/crypto/openssl/doc/ssl/SSL_shutdown.pod b/crypto/openssl/doc/ssl/SSL_shutdown.pod index 20e273bd4d58..7988dd3c90b5 100644 --- a/crypto/openssl/doc/ssl/SSL_shutdown.pod +++ b/crypto/openssl/doc/ssl/SSL_shutdown.pod @@ -12,9 +12,17 @@ SSL_shutdown - shut down a TLS/SSL connection =head1 DESCRIPTION -SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown -alert to the peer. The behaviour of SSL_shutdown() depends on the underlying -BIO. +SSL_shutdown() shuts down an active TLS/SSL connection. It sends the +"close notify" shutdown alert to the peer. + +=head1 NOTES + +SSL_shutdown() tries to send the "close notify" shutdown alert to the peer. +Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and +a currently open session is considered closed and good and will be kept in the +session cache for further reuse. + +The behaviour of SSL_shutdown() depends on the underlying BIO. If the underlying BIO is B, SSL_shutdown() will only return once the handshake has been finished or an error occurred. @@ -57,6 +65,8 @@ Call SSL_get_error() with the return value B to find out the reason. =head1 SEE ALSO L, L, -L, L, L +L, L, +L, +L, L =cut diff --git a/crypto/openssl/doc/ssl/SSL_write.pod b/crypto/openssl/doc/ssl/SSL_write.pod index 8110161522a3..be1ad76d3b4c 100644 --- a/crypto/openssl/doc/ssl/SSL_write.pod +++ b/crypto/openssl/doc/ssl/SSL_write.pod @@ -8,7 +8,7 @@ SSL_write - write bytes to a TLS/SSL connection. #include - int SSL_write(SSL *ssl, char *buf, int num); + int SSL_write(SSL *ssl, const void *buf, int num); =head1 DESCRIPTION @@ -18,17 +18,29 @@ B connection. =head1 NOTES If necessary, SSL_write() will negotiate a TLS/SSL session, if -not already explicitly performed by SSL_connect() or SSL_accept(). If the +not already explicitly performed by L or +L. If the peer requests a re-negotiation, it will be performed transparently during the SSL_write() operation. The behaviour of SSL_write() depends on the underlying BIO. +For the transparent negotiation to succeed, the B must have been +initialized to client or server mode. This is not the case if a generic +method is being used (see L, so that +L or SSL_set_accept_state() +must be used before the first call to an L +or SSL_write() function. + If the underlying BIO is B, SSL_write() will only return, once the -write operation has been finished or an error occurred. +write operation has been finished or an error occurred, except when a +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the +L call. If the underlying BIO is B, SSL_write() will also return, when the underlying BIO could not satisfy the needs of SSL_write() -to continue the operation. In this case a call to SSL_get_error() with the +to continue the operation. In this case a call to +L with the return value of SSL_write() will yield B or B. As at any time a re-negotiation is possible, a call to SSL_write() can also cause read operations! The calling process @@ -71,6 +83,9 @@ return value B to find out the reason. =head1 SEE ALSO L, L, +L, L, +L, L +L, L, L =cut diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod index 8142b6b39f75..9a1ba6c47b21 100644 --- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod +++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod @@ -1,6 +1,7 @@ =pod =head1 NAME + d2i_SSL_SESSION, i2d_SSL_SESSION - convert SSL_SESSION object from/to ASN1 representation =head1 SYNOPSIS diff --git a/crypto/openssl/doc/ssl/ssl.pod b/crypto/openssl/doc/ssl/ssl.pod index 2911c83e4879..e52124517dd5 100644 --- a/crypto/openssl/doc/ssl/ssl.pod +++ b/crypto/openssl/doc/ssl/ssl.pod @@ -544,11 +544,11 @@ connection defined in the B structure. =item long B(SSL *ssl); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, void *buf, int num); =item int B(SSL *ssl); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, void *buf, int num); =item int B(SSL *ssl); @@ -640,7 +640,7 @@ connection defined in the B structure. =item int B(s); -=item int B(SSL *ssl, char *buf, int num); +=item int B(SSL *ssl, const void *buf, int num); =back @@ -657,11 +657,13 @@ L, L, L L, +L, L, L, L, L, L, +L, L, L, L, @@ -679,12 +681,15 @@ L, L, L, L, +L, L, L, L, L, L, +L, L, L, L, +L, L, L, L, L, diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index fa8c16b7c76f..d7be41393784 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,15 +1,15 @@ %define libmaj 0 %define libmin 9 %define librel 6 -#%define librev +%define librev a Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: %{libmaj}.%{libmin}.%{librel} -#Version: %{libmaj}.%{libmin}.%{librel}%{librev} +#Version: %{libmaj}.%{libmin}.%{librel} +Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries @@ -94,7 +94,7 @@ perl util/perlpath.pl /usr/bin/perl ./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-ppc shared %endif %ifarch alpha -./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha-gcc shared +./Configure %{CONFIG_FLAGS} --openssldir=%{openssldir} linux-alpha shared %endif LD_LIBRARY_PATH=`pwd` make LD_LIBRARY_PATH=`pwd` make rehash @@ -102,7 +102,7 @@ LD_LIBRARY_PATH=`pwd` make test %install rm -rf $RPM_BUILD_ROOT -make install MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" +make MANDIR=/usr/man INSTALL_PREFIX="$RPM_BUILD_ROOT" install # Rename manpages for x in $RPM_BUILD_ROOT/usr/man/man*/* @@ -116,19 +116,6 @@ install -m644 libRSAglue.a $RPM_BUILD_ROOT/usr/lib # Make backwards-compatibility symlink to ssleay ln -s /usr/bin/openssl $RPM_BUILD_ROOT/usr/bin/ssleay -# Install shared libs -install -m644 libcrypto.a $RPM_BUILD_ROOT/usr/lib -install -m755 libcrypto.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -install -m644 libssl.a $RPM_BUILD_ROOT/usr/lib -install -m755 libssl.so.%{libmaj}.%{libmin}.%{librel} $RPM_BUILD_ROOT/usr/lib -( - cd $RPM_BUILD_ROOT/usr/lib - ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so.%{libmaj} - ln -s libcrypto.so.%{libmaj}.%{libmin}.%{librel} libcrypto.so - ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so.%{libmaj} - ln -s libssl.so.%{libmaj}.%{libmin}.%{librel} libssl.so -) - %clean rm -rf $RPM_BUILD_ROOT @@ -166,6 +153,21 @@ ldconfig ldconfig %changelog +* Thu Mar 22 2001 Richard Levitte +- Removed redundant subsection that re-installed libcrypto.a and libssl.a + as well. +* Thu Mar 15 2001 Jeremiah Johnson +- Removed redundant subsection that re-installed libcrypto.so.0.9.6 and + libssl.so.0.9.6. As well as the subsection that created symlinks for + these. make install handles all this. +* Sat Oct 21 2000 Horms +- Make sure symlinks are created by using -f flag to ln. + Otherwise some .so libraries are copied rather than + linked in the resulting binary RPM. This causes the package + to be larger than neccessary and makes ldconfig complain. +* Fri Oct 13 2000 Horms +- Make defattr is set for files in all packages so packages built as + non-root will still be installed with files owned by root. * Thu Sep 14 2000 Richard Levitte - Changed to adapt to the new (supported) way of making shared libraries - Installs all static libraries, not just libRSAglue.a diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c index dded7a19c5a5..ad2d8dadf755 100644 --- a/crypto/openssl/ssl/s23_lib.c +++ b/crypto/openssl/ssl/s23_lib.c @@ -63,6 +63,7 @@ static int ssl23_num_ciphers(void ); static SSL_CIPHER *ssl23_get_cipher(unsigned int u); static int ssl23_read(SSL *s, void *buf, int len); +static int ssl23_peek(SSL *s, void *buf, int len); static int ssl23_write(SSL *s, const void *buf, int len); static long ssl23_default_timeout(void ); static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); @@ -77,7 +78,7 @@ static SSL_METHOD SSLv23_data= { ssl_undefined_function, ssl_undefined_function, ssl23_read, - (int (*)(struct ssl_st *, char *, int))ssl_undefined_function, + ssl23_peek, ssl23_write, ssl_undefined_function, ssl_undefined_function, @@ -169,13 +170,6 @@ static int ssl23_read(SSL *s, void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_RECEIVED_SHUTDOWN) - { - s->rwstate=SSL_NOTHING; - return(0); - } -#endif clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { @@ -195,17 +189,33 @@ static int ssl23_read(SSL *s, void *buf, int len) } } +static int ssl23_peek(SSL *s, void *buf, int len) + { + int n; + + clear_sys_error(); + if (SSL_in_init(s) && (!s->in_handshake)) + { + n=s->handshake_func(s); + if (n < 0) return(n); + if (n == 0) + { + SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE); + return(-1); + } + return(SSL_peek(s,buf,len)); + } + else + { + ssl_undefined_function(s); + return(-1); + } + } + static int ssl23_write(SSL *s, const void *buf, int len) { int n; -#if 0 - if (s->shutdown & SSL_SENT_SHUTDOWN) - { - s->rwstate=SSL_NOTHING; - return(0); - } -#endif clear_sys_error(); if (SSL_in_init(s) && (!s->in_handshake)) { diff --git a/crypto/openssl/ssl/s23_meth.c b/crypto/openssl/ssl/s23_meth.c index b52ca1d58b3f..40684311db30 100644 --- a/crypto/openssl/ssl/s23_meth.c +++ b/crypto/openssl/ssl/s23_meth.c @@ -64,7 +64,7 @@ static SSL_METHOD *ssl23_get_method(int ver); static SSL_METHOD *ssl23_get_method(int ver) { if (ver == SSL2_VERSION) - return(SSLv23_method()); + return(SSLv2_method()); else if (ver == SSL3_VERSION) return(SSLv3_method()); else if (ver == TLS1_VERSION) diff --git a/crypto/openssl/ssl/s2_pkt.c b/crypto/openssl/ssl/s2_pkt.c index 1f119442b4e8..f2f46ff377c9 100644 --- a/crypto/openssl/ssl/s2_pkt.c +++ b/crypto/openssl/ssl/s2_pkt.c @@ -300,7 +300,7 @@ int ssl2_read(SSL *s, void *buf, int len) return ssl2_read_internal(s, buf, len, 0); } -int ssl2_peek(SSL *s, char *buf, int len) +int ssl2_peek(SSL *s, void *buf, int len) { return ssl2_read_internal(s, buf, len, 1); } diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 012a4b874077..9f52c39ca978 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -504,7 +504,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestFinal( &md_ctx,md,&md_size); for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } return(md_size); } diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index c170ceb97dd0..c32c06de3281 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -1335,7 +1335,7 @@ int ssl3_read(SSL *s, void *buf, int len) return ssl3_read_internal(s, buf, len, 0); } -int ssl3_peek(SSL *s, char *buf, int len) +int ssl3_peek(SSL *s, void *buf, int len) { return ssl3_read_internal(s, buf, len, 1); } diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index fad7a0e70b36..9de9e611abd7 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -206,7 +206,7 @@ typedef struct ssl_method_st int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); int (*ssl_read)(SSL *s,void *buf,int len); - int (*ssl_peek)(SSL *s,char *buf,int len); + int (*ssl_peek)(SSL *s,void *buf,int len); int (*ssl_write)(SSL *s,const void *buf,int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); @@ -1061,9 +1061,9 @@ int SSL_set_trust(SSL *s, int trust); void SSL_free(SSL *ssl); int SSL_accept(SSL *ssl); int SSL_connect(SSL *ssl); -int SSL_read(SSL *ssl,char *buf,int num); -int SSL_peek(SSL *ssl,char *buf,int num); -int SSL_write(SSL *ssl,const char *buf,int num); +int SSL_read(SSL *ssl,void *buf,int num); +int SSL_peek(SSL *ssl,void *buf,int num); +int SSL_write(SSL *ssl,const void *buf,int num); long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg); long SSL_callback_ctrl(SSL *, int, void (*)()); long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg); @@ -1209,6 +1209,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ +void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ @@ -1233,6 +1234,7 @@ int SSL_COMP_add_compression_method(int id,char *cm); #define SSL_F_SSL23_CONNECT 117 #define SSL_F_SSL23_GET_CLIENT_HELLO 118 #define SSL_F_SSL23_GET_SERVER_HELLO 119 +#define SSL_F_SSL23_PEEK 237 #define SSL_F_SSL23_READ 120 #define SSL_F_SSL23_WRITE 121 #define SSL_F_SSL2_ACCEPT 122 @@ -1562,4 +1564,3 @@ int SSL_COMP_add_compression_method(int id,char *cm); } #endif #endif - diff --git a/crypto/openssl/ssl/ssl_cert.c b/crypto/openssl/ssl/ssl_cert.c index c26df62c207a..27e7fcc60ae7 100644 --- a/crypto/openssl/ssl/ssl_cert.c +++ b/crypto/openssl/ssl/ssl_cert.c @@ -271,7 +271,9 @@ CERT *ssl_cert_dup(CERT *cert) return(ret); +#ifndef NO_DH /* avoid 'unreferenced label' warning if NO_DH is defined */ err: +#endif #ifndef NO_RSA if (ret->rsa_tmp != NULL) RSA_free(ret->rsa_tmp); diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 9945758104b5..1ae333340794 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -86,6 +86,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"}, {ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"}, {ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"}, +{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"}, {ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"}, {ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"}, {ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"}, diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index fec98dd8f43d..1fe85b6cb756 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -708,7 +708,7 @@ long SSL_get_default_timeout(SSL *s) return(s->method->get_timeout()); } -int SSL_read(SSL *s,char *buf,int num) +int SSL_read(SSL *s,void *buf,int num) { if (s->handshake_func == 0) { @@ -724,8 +724,14 @@ int SSL_read(SSL *s,char *buf,int num) return(s->method->ssl_read(s,buf,num)); } -int SSL_peek(SSL *s,char *buf,int num) +int SSL_peek(SSL *s,void *buf,int num) { + if (s->handshake_func == 0) + { + SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED); + return -1; + } + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return(0); @@ -733,7 +739,7 @@ int SSL_peek(SSL *s,char *buf,int num) return(s->method->ssl_peek(s,buf,num)); } -int SSL_write(SSL *s,const char *buf,int num) +int SSL_write(SSL *s,const void *buf,int num) { if (s->handshake_func == 0) { @@ -1679,6 +1685,10 @@ SSL *SSL_dup(SSL *s) if (s->cert != NULL) { + if (ret->cert != NULL) + { + ssl_cert_free(ret->cert); + } ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; diff --git a/crypto/openssl/ssl/ssl_locl.h b/crypto/openssl/ssl/ssl_locl.h index bc9c69914331..516d3cc5ae20 100644 --- a/crypto/openssl/ssl/ssl_locl.h +++ b/crypto/openssl/ssl/ssl_locl.h @@ -516,7 +516,7 @@ void ssl2_free(SSL *s); int ssl2_accept(SSL *s); int ssl2_connect(SSL *s); int ssl2_read(SSL *s, void *buf, int len); -int ssl2_peek(SSL *s, char *buf, int len); +int ssl2_peek(SSL *s, void *buf, int len); int ssl2_write(SSL *s, const void *buf, int len); int ssl2_shutdown(SSL *s); void ssl2_clear(SSL *s); @@ -564,7 +564,7 @@ void ssl3_free(SSL *s); int ssl3_accept(SSL *s); int ssl3_connect(SSL *s); int ssl3_read(SSL *s, void *buf, int len); -int ssl3_peek(SSL *s,char *buf, int len); +int ssl3_peek(SSL *s, void *buf, int len); int ssl3_write(SSL *s, const void *buf, int len); int ssl3_shutdown(SSL *s); void ssl3_clear(SSL *s); diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index 0d34357eb474..d10a23af8eb5 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -572,7 +572,10 @@ printf("rec="); #endif for (i=7; i>=0; i--) - if (++seq[i]) break; + { + ++seq[i]; + if (seq[i] != 0) break; + } #ifdef TLS_DEBUG {unsigned int z; for (z=0; ztmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' + @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) @@ -240,7 +240,7 @@ dclean: mv -f Makefile.new $(MAKEFILE) clean: - rm -f .rnd tmp.bntest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log + rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss log $(DLIBSSL): (cd ../ssl; $(MAKE)) diff --git a/crypto/openssl/test/bctest b/crypto/openssl/test/bctest index 6fa0663bb008..17b75d4ecabd 100755 --- a/crypto/openssl/test/bctest +++ b/crypto/openssl/test/bctest @@ -11,8 +11,16 @@ # running) bc. -# Test for SunOS 5.[78] bc bug (or missing bc) -if [ 0 != "`bc <<\EOF +IFS=: +for dir in $PATH; do + bc="$dir/bc" + + if [ -x "$bc" -a ! -d "$bc" ]; then + failure=none + + + # Test for SunOS 5.[78] bc bug + "$bc" >tmp.bctest <<\EOF obase=16 ibase=16 a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\ @@ -26,17 +34,15 @@ b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\ 8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\ 3ED0E2017D60A68775B75481449 (a/b)*b + (a%b) - a -EOF`" ] -then - echo "bc does not work. Consider installing GNU bc." >&2 - echo "cat >/dev/null" - exit 1 -fi +EOF + if [ 0 != "`cat tmp.bctest`" ]; then + failure=SunOStest + fi -# Test for SCO bc bug. -if [ "0 -0" != "`bc <<\EOF + if [ "$failure" = none ]; then + # Test for SCO bc bug. + "$bc" >tmp.bctest <<\EOF obase=16 ibase=16 -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\ @@ -62,23 +68,29 @@ F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\ 9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\ D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\ 5296964 -EOF`" ] -then - echo "bc does not work. Consider installing GNU bc." >&2 - echo "cat >/dev/null" - exit 1 -fi +EOF + if [ "0 +0" != "`cat tmp.bctest`" ]; then + failure=SCOtest + fi + fi -# bc works, good. -# Now check if it knows the 'print' command. -if [ "OK" = "`bc 2>/dev/null <<\EOF -print \"OK\" -EOF`" ] -then - echo "bc" -else - echo "sed 's/print.*//' | bc" -fi + if [ "$failure" = none ]; then + # bc works; now check if it knows the 'print' command. + if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ] + then + echo "$bc" + else + echo "sed 's/print.*//' | $bc" + fi + exit 0 + fi -exit 0 + echo "$bc does not work properly ('$failure' failed). Looking for another bc ..." >&2 + fi +done + +echo "No working bc found. Consider installing GNU bc." >&2 +echo "cat >/dev/null" +exit 1 diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 587397600655..049bb3f1ae6b 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -117,7 +117,12 @@ sub link_hash_cert { } $hash .= ".$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } @@ -142,7 +147,12 @@ sub link_hash_crl { } $hash .= ".r$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } diff --git a/crypto/openssl/tools/c_rehash.in b/crypto/openssl/tools/c_rehash.in index baec7c14ff43..26db8999d8c8 100644 --- a/crypto/openssl/tools/c_rehash.in +++ b/crypto/openssl/tools/c_rehash.in @@ -117,7 +117,12 @@ sub link_hash_cert { } $hash .= ".$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } @@ -142,7 +147,12 @@ sub link_hash_crl { } $hash .= ".r$suffix"; print "$fname => $hash\n"; - symlink $fname, $hash; + $symlink_exists=eval {symlink("",""); 1}; + if ($symlink_exists) { + symlink $fname, $hash; + } else { + system ("cp", $fname, $hash); + } $hashlist{$hash} = $fprint; } diff --git a/crypto/openssl/util/clean-depend.pl b/crypto/openssl/util/clean-depend.pl index af676af75145..0193e726fee1 100755 --- a/crypto/openssl/util/clean-depend.pl +++ b/crypto/openssl/util/clean-depend.pl @@ -15,8 +15,8 @@ while() { my ($file,$deps)=/^(.*): (.*)$/; next if !defined $deps; my @deps=split ' ',$deps; - @deps=grep(!/^\/usr\/include/,@deps); - @deps=grep(!/^\/usr\/lib\/gcc-lib/,@deps); + @deps=grep(!/^\//,@deps); + @deps=grep(!/^\\$/,@deps); push @{$files{$file}},@deps; } diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index 9f0f5988601a..18b70c2fdcbc 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -779,7 +779,7 @@ des_ede3_cfb64_encrypt 786 EXIST::FUNCTION:DES des_ede3_ofb64_encrypt 787 EXIST::FUNCTION:DES des_enc_read 788 EXIST::FUNCTION:DES des_enc_write 789 EXIST::FUNCTION:DES -des_encrypt 790 EXIST::FUNCTION:DES +des_encrypt1 790 EXIST::FUNCTION:DES des_encrypt2 791 EXIST::FUNCTION:DES des_encrypt3 792 EXIST::FUNCTION:DES des_fcrypt 793 EXIST::FUNCTION:DES @@ -1870,3 +1870,6 @@ X509_keyid_set1 2460 EXIST::FUNCTION: BIO_next 2461 EXIST::FUNCTION: DSO_METHOD_vms 2462 EXIST::FUNCTION: BIO_f_linebuffer 2463 EXIST:VMS:FUNCTION: +BN_bntest_rand 2464 EXIST::FUNCTION: +OPENSSL_issetugid 2465 EXIST::FUNCTION: +BN_rand_range 2466 EXIST::FUNCTION: diff --git a/crypto/openssl/util/mklink.pl b/crypto/openssl/util/mklink.pl index d7b997ada723..9e9c9a514677 100755 --- a/crypto/openssl/util/mklink.pl +++ b/crypto/openssl/util/mklink.pl @@ -48,8 +48,13 @@ foreach $dirname (@from_path) { my $to = join('/', @to_path); my $file; +$symlink_exists=eval {symlink("",""); 1}; foreach $file (@files) { my $err = ""; - symlink("$to/$file", "$from/$file") or $err = " [$!]"; + if ($symlink_exists) { + symlink("$to/$file", "$from/$file") or $err = " [$!]"; + } else { + system ("cp", "$file", "$from/$file") and $err = " [$!]"; + } print $file . " => $from/$file$err\n"; } diff --git a/crypto/openssl/util/pod2man.pl b/crypto/openssl/util/pod2man.pl index f5ec0767ed4b..c6b64add602d 100755 --- a/crypto/openssl/util/pod2man.pl +++ b/crypto/openssl/util/pod2man.pl @@ -416,6 +416,8 @@ if ($name ne 'something') { warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n" } else { + $n[0] =~ s/\n/ /; + $n[1] =~ s/\n/ /; %namedesc = @n; } }