From 5471f83ea72e251ea1f0d04428878a74347efa0f Mon Sep 17 00:00:00 2001 From: "Simon L. B. Nielsen" Date: Thu, 15 Mar 2007 20:03:30 +0000 Subject: [PATCH] Vendor import of OpenSSL 0.9.8e. --- crypto/openssl/CHANGES | 86 +- crypto/openssl/Configure | 4 +- crypto/openssl/FAQ | 2 +- crypto/openssl/INSTALL | 8 +- crypto/openssl/LICENSE | 2 +- crypto/openssl/Makefile | 8 +- crypto/openssl/NEWS | 12 +- crypto/openssl/README | 4 +- crypto/openssl/apps/CA.pl | 2 +- crypto/openssl/apps/Makefile | 17 +- crypto/openssl/apps/ca.c | 1 + crypto/openssl/apps/dgst.c | 48 +- crypto/openssl/apps/ec.c | 3 + crypto/openssl/apps/enc.c | 8 +- crypto/openssl/apps/ocsp.c | 6 + crypto/openssl/apps/pkcs12.c | 19 +- crypto/openssl/apps/s_client.c | 107 +- crypto/openssl/apps/s_server.c | 4 +- crypto/openssl/certs/aol1.pem | 22 + crypto/openssl/certs/aol2.pem | 33 + crypto/openssl/certs/aoltw1.pem | 23 + crypto/openssl/certs/aoltw2.pem | 34 + crypto/openssl/config | 17 +- crypto/openssl/crypto/aes/Makefile | 7 + crypto/openssl/crypto/aes/aes_misc.c | 2 +- crypto/openssl/crypto/asn1/a_strex.c | 4 +- crypto/openssl/crypto/asn1/asn1_err.c | 19 +- crypto/openssl/crypto/asn1/asn1_lib.c | 2 +- crypto/openssl/crypto/asn1/asn1t.h | 2 +- crypto/openssl/crypto/asn1/t_x509.c | 15 +- crypto/openssl/crypto/asn1/tasn_dec.c | 2 +- crypto/openssl/crypto/asn1/x_x509.c | 8 + crypto/openssl/crypto/bf/bf_ecb.c | 2 +- crypto/openssl/crypto/bio/bio.h | 45 +- crypto/openssl/crypto/bio/bio_err.c | 11 +- crypto/openssl/crypto/bio/bio_lib.c | 46 + crypto/openssl/crypto/bn/bn_err.c | 11 +- crypto/openssl/crypto/bn/bn_lib.c | 2 +- crypto/openssl/crypto/bn/bn_print.c | 2 +- crypto/openssl/crypto/buffer/buf_err.c | 11 +- crypto/openssl/crypto/camellia/Makefile | 14 +- crypto/openssl/crypto/camellia/camellia.c | 130 +- crypto/openssl/crypto/camellia/cmll_cbc.c | 145 +- crypto/openssl/crypto/camellia/cmll_locl.h | 61 +- crypto/openssl/crypto/camellia/cmll_misc.c | 12 +- crypto/openssl/crypto/cast/c_ecb.c | 2 +- crypto/openssl/crypto/comp/c_zlib.c | 55 +- crypto/openssl/crypto/comp/comp_err.c | 11 +- crypto/openssl/crypto/conf/conf_def.c | 2 +- crypto/openssl/crypto/conf/conf_err.c | 11 +- crypto/openssl/crypto/conf/conf_lib.c | 2 +- crypto/openssl/crypto/cpt_err.c | 11 +- crypto/openssl/crypto/cryptlib.c | 2 +- crypto/openssl/crypto/des/INSTALL | 2 +- crypto/openssl/crypto/des/des_ver.h | 4 +- crypto/openssl/crypto/des/ecb_enc.c | 4 +- crypto/openssl/crypto/dh/dh_err.c | 11 +- crypto/openssl/crypto/dh/dh_lib.c | 2 +- crypto/openssl/crypto/dsa/dsa_err.c | 11 +- crypto/openssl/crypto/dsa/dsa_lib.c | 2 +- crypto/openssl/crypto/dso/dso_err.c | 11 +- crypto/openssl/crypto/ec/ec_asn1.c | 4 + crypto/openssl/crypto/ec/ec_err.c | 11 +- crypto/openssl/crypto/ecdh/ech_err.c | 13 +- crypto/openssl/crypto/ecdh/ech_lib.c | 2 +- crypto/openssl/crypto/ecdsa/ecdsa.h | 1 + crypto/openssl/crypto/ecdsa/ecs_err.c | 14 +- crypto/openssl/crypto/ecdsa/ecs_lib.c | 2 +- crypto/openssl/crypto/ecdsa/ecs_ossl.c | 15 +- crypto/openssl/crypto/engine/eng_all.c | 14 +- crypto/openssl/crypto/engine/eng_err.c | 11 +- crypto/openssl/crypto/engine/eng_padlock.c | 4 +- crypto/openssl/crypto/engine/tb_ecdh.c | 2 +- crypto/openssl/crypto/engine/tb_ecdsa.c | 2 +- crypto/openssl/crypto/err/err_all.c | 4 - crypto/openssl/crypto/evp/bio_md.c | 6 + crypto/openssl/crypto/evp/evp.h | 58 +- crypto/openssl/crypto/evp/evp_enc.c | 2 +- crypto/openssl/crypto/evp/evp_err.c | 11 +- crypto/openssl/crypto/evp/evp_lib.c | 109 ++ crypto/openssl/crypto/evp/evp_locl.h | 2 +- crypto/openssl/crypto/idea/i_ecb.c | 2 +- crypto/openssl/crypto/idea/idea_lcl.h | 2 +- crypto/openssl/crypto/lhash/lhash.c | 2 +- crypto/openssl/crypto/md2/md2.h | 1 + crypto/openssl/crypto/md2/md2_dgst.c | 2 +- crypto/openssl/crypto/md4/md4.h | 1 + crypto/openssl/crypto/md4/md4_dgst.c | 2 +- crypto/openssl/crypto/md5/md5.h | 1 + crypto/openssl/crypto/md5/md5_dgst.c | 2 +- crypto/openssl/crypto/objects/obj_dat.h | 28 +- crypto/openssl/crypto/objects/obj_err.c | 11 +- crypto/openssl/crypto/objects/obj_mac.h | 15 + crypto/openssl/crypto/objects/obj_mac.num | 3 + crypto/openssl/crypto/objects/objects.txt | 6 + crypto/openssl/crypto/ocsp/ocsp_asn.c | 2 +- crypto/openssl/crypto/ocsp/ocsp_err.c | 11 +- crypto/openssl/crypto/ocsp/ocsp_vfy.c | 2 +- crypto/openssl/crypto/opensslconf.h | 6 + crypto/openssl/crypto/opensslv.h | 6 +- crypto/openssl/crypto/pem/pem.h | 2 +- crypto/openssl/crypto/pem/pem_err.c | 11 +- crypto/openssl/crypto/pem/pem_lib.c | 7 +- crypto/openssl/crypto/pem/pem_pkey.c | 1 + crypto/openssl/crypto/pkcs12/pk12err.c | 11 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 71 +- crypto/openssl/crypto/pkcs7/pk7_lib.c | 42 +- crypto/openssl/crypto/pkcs7/pk7_smime.c | 84 +- crypto/openssl/crypto/pkcs7/pkcs7err.c | 11 +- crypto/openssl/crypto/rand/md_rand.c | 2 +- crypto/openssl/crypto/rand/rand_err.c | 11 +- crypto/openssl/crypto/rc2/rc2_ecb.c | 2 +- crypto/openssl/crypto/rc4/rc4_skey.c | 2 +- crypto/openssl/crypto/ripemd/ripemd.h | 1 + crypto/openssl/crypto/ripemd/rmd_dgst.c | 2 +- crypto/openssl/crypto/rsa/rsa_err.c | 13 +- crypto/openssl/crypto/rsa/rsa_lib.c | 2 +- crypto/openssl/crypto/sha/sha.h | 1 + crypto/openssl/crypto/sha/sha1dgst.c | 2 +- crypto/openssl/crypto/sha/sha256.c | 2 +- crypto/openssl/crypto/sha/sha512.c | 2 +- crypto/openssl/crypto/sha/sha_dgst.c | 2 +- crypto/openssl/crypto/stack/safestack.h | 66 + crypto/openssl/crypto/stack/stack.c | 2 +- crypto/openssl/crypto/store/str_err.c | 11 +- crypto/openssl/crypto/txt_db/txt_db.c | 2 +- crypto/openssl/crypto/ui/ui_err.c | 11 +- crypto/openssl/crypto/x509/by_dir.c | 10 +- crypto/openssl/crypto/x509/x509.h | 4 + crypto/openssl/crypto/x509/x509_err.c | 11 +- crypto/openssl/crypto/x509/x509_req.c | 5 + crypto/openssl/crypto/x509/x509_txt.c | 2 + crypto/openssl/crypto/x509/x509_vfy.c | 21 +- crypto/openssl/crypto/x509/x509_vfy.h | 1 + crypto/openssl/crypto/x509v3/Makefile | 35 +- crypto/openssl/crypto/x509v3/ext_dat.h | 7 + crypto/openssl/crypto/x509v3/pcy_tree.c | 12 +- crypto/openssl/crypto/x509v3/v3_addr.c | 1280 +++++++++++++++++ crypto/openssl/crypto/x509v3/v3_akey.c | 2 +- crypto/openssl/crypto/x509v3/v3_alt.c | 2 +- crypto/openssl/crypto/x509v3/v3_asid.c | 842 +++++++++++ crypto/openssl/crypto/x509v3/v3_bcons.c | 2 +- crypto/openssl/crypto/x509v3/v3_bitst.c | 4 +- crypto/openssl/crypto/x509v3/v3_cpols.c | 2 +- crypto/openssl/crypto/x509v3/v3_crld.c | 2 +- crypto/openssl/crypto/x509v3/v3_enum.c | 2 +- crypto/openssl/crypto/x509v3/v3_extku.c | 4 +- crypto/openssl/crypto/x509v3/v3_ia5.c | 2 +- crypto/openssl/crypto/x509v3/v3_info.c | 4 +- crypto/openssl/crypto/x509v3/v3_int.c | 6 +- crypto/openssl/crypto/x509v3/v3_ncons.c | 2 +- crypto/openssl/crypto/x509v3/v3_ocsp.c | 14 +- crypto/openssl/crypto/x509v3/v3_pci.c | 2 +- crypto/openssl/crypto/x509v3/v3_pcons.c | 2 +- crypto/openssl/crypto/x509v3/v3_pku.c | 2 +- crypto/openssl/crypto/x509v3/v3_pmaps.c | 2 +- crypto/openssl/crypto/x509v3/v3_purp.c | 10 + crypto/openssl/crypto/x509v3/v3_skey.c | 2 +- crypto/openssl/crypto/x509v3/v3_sxnet.c | 2 +- crypto/openssl/crypto/x509v3/v3_utl.c | 5 +- crypto/openssl/crypto/x509v3/v3err.c | 29 +- crypto/openssl/crypto/x509v3/x509v3.h | 160 +++ crypto/openssl/doc/apps/ciphers.pod | 4 +- crypto/openssl/doc/apps/s_client.pod | 2 +- crypto/openssl/doc/apps/x509.pod | 8 +- .../doc/crypto/ASN1_STRING_print_ex.pod | 4 +- .../openssl/doc/crypto/BIO_set_callback.pod | 2 +- .../openssl/doc/crypto/CONF_modules_free.pod | 4 +- crypto/openssl/doc/crypto/RAND_egd.pod | 2 +- .../doc/crypto/RSA_get_ex_new_index.pod | 12 +- crypto/openssl/doc/crypto/md5.pod | 22 +- crypto/openssl/doc/crypto/mdc2.pod | 8 +- crypto/openssl/doc/crypto/ripemd.pod | 10 +- crypto/openssl/doc/crypto/sha.pod | 8 +- .../doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 2 +- .../openssl/doc/ssl/SSL_SESSION_get_time.pod | 2 +- crypto/openssl/openssl.spec | 2 +- crypto/openssl/ssl/d1_lib.c | 2 +- crypto/openssl/ssl/d1_pkt.c | 6 +- crypto/openssl/ssl/kssl.c | 45 +- crypto/openssl/ssl/s23_clnt.c | 1 - crypto/openssl/ssl/s23_srvr.c | 1 - crypto/openssl/ssl/s2_enc.c | 9 +- crypto/openssl/ssl/s2_lib.c | 2 +- crypto/openssl/ssl/s3_clnt.c | 6 +- crypto/openssl/ssl/s3_enc.c | 7 +- crypto/openssl/ssl/s3_lib.c | 10 +- crypto/openssl/ssl/s3_pkt.c | 6 +- crypto/openssl/ssl/s3_srvr.c | 29 +- crypto/openssl/ssl/ssl.h | 26 +- crypto/openssl/ssl/ssl_ciph.c | 50 +- crypto/openssl/ssl/ssl_err.c | 13 +- crypto/openssl/ssl/ssl_lib.c | 4 +- crypto/openssl/ssl/ssl_sess.c | 71 +- crypto/openssl/ssl/t1_enc.c | 11 +- crypto/openssl/ssl/t1_lib.c | 2 +- crypto/openssl/test/Makefile | 3 + crypto/openssl/tools/c_rehash | 2 +- crypto/openssl/util/libeay.num | 101 ++ crypto/openssl/util/mk1mf.pl | 1 + crypto/openssl/util/mkdef.pl | 5 + crypto/openssl/util/mkerr.pl | 16 +- crypto/openssl/util/ssleay.num | 12 + 203 files changed, 4130 insertions(+), 831 deletions(-) create mode 100644 crypto/openssl/certs/aol1.pem create mode 100644 crypto/openssl/certs/aol2.pem create mode 100644 crypto/openssl/certs/aoltw1.pem create mode 100644 crypto/openssl/certs/aoltw2.pem create mode 100644 crypto/openssl/crypto/x509v3/v3_addr.c create mode 100644 crypto/openssl/crypto/x509v3/v3_asid.c diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index b25fde566438..c5a639f9891c 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,47 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8d and 0.9.8e [23 Feb 2007] + + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + + *) Since AES128 and AES256 (and similarly Camellia128 and + Camellia256) share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't + (or if Camellia128 is available and Camellia256 isn't). + [Victor Duchovni] + + *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c + (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): + When a point or a seed is encoded in a BIT STRING, we need to + prevent the removal of trailing zero bits to get the proper DER + encoding. (By default, crypto/asn1/a_bitstr.c assumes the case + of a NamedBitList, for which trailing 0 bits need to be removed.) + [Bodo Moeller] + + *) Have SSL/TLS server implementation tolerate "mismatched" record + protocol version while receiving ClientHello even if the + ClientHello is fragmented. (The server can't insist on the + particular protocol version it has chosen before the ServerHello + message has informed the client about his choice.) + [Bodo Moeller] + + *) Add RFC 3779 support. + [Rob Austein for ARIN, Ben Laurie] + + *) Load error codes if they are not already present instead of using a + static variable. This allows them to be cleanly unloaded and reloaded. + Improve header file function name parsing. + [Steve Henson] + + *) extend SMTP and IMAP protocol emulation in s_client to use EHLO + or CAPABILITY handshake as required by RFCs. + [Goetz Babin-Ebell] + Changes between 0.9.8c and 0.9.8d [28 Sep 2006] *) Introduce limits to prevent malicious keys being able to @@ -77,7 +118,7 @@ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there. - Also deactive the remaining ciphersuites from + Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired. [Bodo Moeller] @@ -1006,7 +1047,48 @@ differing sizes. [Richard Levitte] - Changes between 0.9.7k and 0.9.7l [xx XXX xxxx] + Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + + *) Cleanse PEM buffers before freeing them since they may contain + sensitive data. + [Benjamin Bennett ] + + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + + *) Since AES128 and AES256 share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't. + [Victor Duchovni] + + *) Have SSL/TLS server implementation tolerate "mismatched" record + protocol version while receiving ClientHello even if the + ClientHello is fragmented. (The server can't insist on the + particular protocol version it has chosen before the ServerHello + message has informed the client about his choice.) + [Bodo Moeller] + + *) Load error codes if they are not already present instead of using a + static variable. This allows them to be cleanly unloaded and reloaded. + [Steve Henson] + + Changes between 0.9.7k and 0.9.7l [28 Sep 2006] + + *) Introduce limits to prevent malicious keys being able to + cause a denial of service. (CVE-2006-2940) + [Steve Henson, Bodo Moeller] + + *) Fix ASN.1 parsing of certain invalid structures that can result + in a denial of service. (CVE-2006-2937) [Steve Henson] + + *) Fix buffer overflow in SSL_get_shared_ciphers() function. + (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] + + *) Fix SSL client code which could crash if connecting to a + malicious SSLv2 server. (CVE-2006-4343) + [Tavis Ormandy and Will Drewry, Google Security Team] *) Change ciphersuite string processing so that an explicit ciphersuite selects this one ciphersuite (so that "AES256-SHA" diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure index bf5d86aa7c9a..820be609c96d 100755 --- a/crypto/openssl/Configure +++ b/crypto/openssl/Configure @@ -568,6 +568,7 @@ my $threads=0; my $no_shared=0; # but "no-shared" is default my $zlib=1; # but "no-zlib" is default my $no_krb5=0; # but "no-krb5" is implied unless "--with-krb5-..." is used +my $no_rfc3779=1; # but "no-rfc3779" is default my $no_asm=0; my $no_dso=0; my $no_gmp=0; @@ -604,6 +605,7 @@ my %disabled = ( # "what" => "comment" "gmp" => "default", "mdc2" => "default", "rc5" => "default", + "rfc3779" => "default", "shared" => "default", "zlib" => "default", "zlib-dynamic" => "default" @@ -614,7 +616,7 @@ my %disabled = ( # "what" => "comment" # For symmetry, "disable-..." is a synonym for "no-...". # This is what $depflags will look like with the above default: -my $default_depflags = "-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 "; +my $default_depflags = "-DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_GMP -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 "; my $no_sse2=0; diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index bee5094c50e2..74bf952ddcd5 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -74,7 +74,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8d was released on September 28th, 2006. +OpenSSL 0.9.8e was released on February 23rd, 2007. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at #include #include +#include #undef BUFSIZE #define BUFSIZE 1024*8 @@ -75,7 +76,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file); + const char *file,BIO *bmd,const char *hmac_key); int MAIN(int, char **); @@ -104,6 +105,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif + char *hmac_key=NULL; apps_startup(); @@ -188,6 +190,12 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; + else if (!strcmp(*argv,"-hmac")) + { + if (--argc < 1) + break; + hmac_key=*++argv; + } else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else @@ -261,7 +269,7 @@ int MAIN(int argc, char **argv) { BIO_set_callback(in,BIO_debug_callback); /* needed for windows 3.1 */ - BIO_set_callback_arg(in,bio_err); + BIO_set_callback_arg(in,(char *)bio_err); } if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) @@ -358,7 +366,7 @@ int MAIN(int argc, char **argv) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)"); + siglen,"","(stdin)",bmd,hmac_key); } else { @@ -376,14 +384,15 @@ int MAIN(int argc, char **argv) } if(!out_bin) { - size_t len = strlen(name)+strlen(argv[i])+5; + size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; tmp=tofree=OPENSSL_malloc(len); - BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]); + BIO_snprintf(tmp,len,"%s%s(%s)= ", + hmac_key ? "HMAC-" : "",name,argv[i]); } else tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i]); + siglen,tmp,argv[i],bmd,hmac_key); if(r) err=r; if(tofree) @@ -410,11 +419,23 @@ int MAIN(int argc, char **argv) int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file) + const char *file,BIO *bmd,const char *hmac_key) { - int len; + unsigned int len; int i; + EVP_MD_CTX *md_ctx; + HMAC_CTX hmac_ctx; + if (hmac_key) + { + EVP_MD *md; + + BIO_get_md(bmd,&md); + HMAC_CTX_init(&hmac_ctx); + HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); + BIO_get_md_ctx(bmd,&md_ctx); + BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); + } for (;;) { i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -457,6 +478,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, return 1; } } + else if(hmac_key) + { + HMAC_Final(&hmac_ctx,buf,&len); + HMAC_CTX_cleanup(&hmac_ctx); + } else len=BIO_gets(bp,(char *)buf,BUFSIZE); @@ -464,7 +490,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, else { BIO_write(out,title,strlen(title)); - for (i=0; i= 0) + BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); + else + ERR_print_errors(bio_err); goto export_end; } } @@ -811,7 +814,7 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; STACK_OF(X509) *chn; - int i; + int i = 0; /* FIXME: Should really check the return status of X509_STORE_CTX_init * for an error, but how that fits into the return value of this @@ -819,13 +822,17 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx); + if (i == 0) + /* avoid returning 0 if X509_verify_cert() did not + * set an appropriate error value in the context */ + i = -1; + chn = NULL; goto err; - } - chn = X509_STORE_CTX_get1_chain(&store_ctx); - i = 0; - *chain = chn; + } else + chn = X509_STORE_CTX_get1_chain(&store_ctx); err: X509_STORE_CTX_cleanup(&store_ctx); + *chain = chn; return i; } diff --git a/crypto/openssl/apps/s_client.c b/crypto/openssl/apps/s_client.c index 4a1857f3a82e..3f302c5f140d 100644 --- a/crypto/openssl/apps/s_client.c +++ b/crypto/openssl/apps/s_client.c @@ -226,7 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n"); + BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -234,6 +234,15 @@ static void sc_usage(void) } +enum +{ + PROTO_OFF = 0, + PROTO_SMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP +}; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -260,7 +269,7 @@ int MAIN(int argc, char **argv) int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; - int starttls_proto = 0; + int starttls_proto = PROTO_OFF; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; #ifdef sock_type @@ -269,6 +278,7 @@ int MAIN(int argc, char **argv) int sock_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; + int mbuf_len=0; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; ENGINE *e=NULL; @@ -466,9 +476,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; ++argv; if (strcmp(*argv,"smtp") == 0) - starttls_proto = 1; + starttls_proto = PROTO_SMTP; else if (strcmp(*argv,"pop3") == 0) - starttls_proto = 2; + starttls_proto = PROTO_POP3; + else if (strcmp(*argv,"imap") == 0) + starttls_proto = PROTO_IMAP; + else if (strcmp(*argv,"ftp") == 0) + starttls_proto = PROTO_FTP; else goto bad; } @@ -693,7 +707,7 @@ int MAIN(int argc, char **argv) { con->debug=1; BIO_set_callback(sbio,bio_dump_callback); - BIO_set_callback_arg(sbio,bio_c_out); + BIO_set_callback_arg(sbio,(char *)bio_c_out); } if (c_msg) { @@ -719,18 +733,93 @@ int MAIN(int argc, char **argv) sbuf_off=0; /* This is an ugly hack that does a lot of assumptions */ - if (starttls_proto == 1) + /* We do have to handle multi-line responses which may come + in a single packet or not. We therefore have to use + BIO_gets() which does need a buffering BIO. So during + the initial chitchat we do push a buffering BIO into the + chain that is removed again later on to not disturb the + rest of the s_client operation. */ + if (starttls_proto == PROTO_SMTP) { - BIO_read(sbio,mbuf,BUFSIZZ); + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + /* STARTTLS command requires EHLO... */ + BIO_printf(fbio,"EHLO openssl.client.net\r\n"); + BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found starttls in server response," + " try anyway...\n"); BIO_printf(sbio,"STARTTLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } - if (starttls_proto == 2) + else if (starttls_proto == PROTO_POP3) { BIO_read(sbio,mbuf,BUFSIZZ); BIO_printf(sbio,"STLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } + else if (starttls_proto == PROTO_IMAP) + { + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio,mbuf,BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio,". CAPABILITY\r\n"); + BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[0]!='.'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found STARTTLS in server response," + " try anyway...\n"); + BIO_printf(sbio,". STARTTLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } + else if (starttls_proto == PROTO_FTP) + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio,"AUTH TLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } for (;;) { @@ -755,7 +844,7 @@ int MAIN(int argc, char **argv) { BIO_printf(bio_err,"%s",mbuf); /* We don't need to know any more */ - starttls_proto = 0; + starttls_proto = PROTO_OFF; } if (reconnect) diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index 0d6727ca43f3..6c433e63fd64 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -1234,7 +1234,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { @@ -1638,7 +1638,7 @@ static int www_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { diff --git a/crypto/openssl/certs/aol1.pem b/crypto/openssl/certs/aol1.pem new file mode 100644 index 000000000000..d6837453dd86 --- /dev/null +++ b/crypto/openssl/certs/aol1.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc +MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP +bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTAyMDUyODA2 +MDAwMFoXDTM3MTExOTIwNDMwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft +ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg +Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAKgv6KRpBgNHw+kqmP8ZonCaxlCyfqXfaE0bfA+2l2h9LaaLl+lk +hsmj76CGv2BlnEtUiMJIxUo5vxTjWVXlGbR0yLQFOVwWpeKVBeASrlmLojNoWBym +1BW32J/X3HGrfpq/m44zDyL9Hy7nBzbvYjnF3cu6JRQj3gzGPTzOggjmZj7aUTsW +OqMFf6Dch9Wc/HKpoH145LcxVR5lu9RhsCFg7RAycsWSJR74kEoYeEfffjA3PlAb +2xzTa5qGUwew76wGePiEmf4hjUyAtgyC9mZweRrTT6PP8c9GsEsPPt2IYriMqQko +O3rHl+Ee5fSfwMCuJKDIodkP1nsmgmkyPacCAwEAAaNjMGEwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUAK3Zo/Z59m50qX8zPYEX10zPM94wHwYDVR0jBBgwFoAU +AK3Zo/Z59m50qX8zPYEX10zPM94wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +BQUAA4IBAQB8itEfGDeC4Liwo+1WlchiYZwFos3CYiZhzRAW18y0ZTTQEYqtqKkF +Zu90821fnZmv9ov761KyBZiibyrFVL0lvV+uyIbqRizBs73B6UlwGBaXCBOMIOAb +LjpHyx7kADCVW/RFo8AasAFOq73AI25jP4BKxQft3OJvx8Fi8eNy1gTIdGcL+oir +oQHIb/AUr9KZzVGTfu0uOMe9zkZQPXLjeSWdm4grECDdpbgyn43gKd8hdIaC2y+C +MMbHNYaz+ZZfRtsMRf3zUMNvxsNIrUam4SdHCh0Om7bCd39j8uB9Gr784N/Xx6ds +sPmuujz9dLQR6FgNgLzTqIA6me11zEZ7 +-----END CERTIFICATE----- diff --git a/crypto/openssl/certs/aol2.pem b/crypto/openssl/certs/aol2.pem new file mode 100644 index 000000000000..492d55a98067 --- /dev/null +++ b/crypto/openssl/certs/aol2.pem @@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpDCCA4ygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc +MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP +bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTAyMDUyODA2 +MDAwMFoXDTM3MDkyOTE0MDgwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft +ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg +Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMjCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAMxBRR3pPU0Q9oyxQcngXssNt79Hc9PwVU3dxgz6sWYFas14tNwC +206B89enfHG8dWOgXeMHDEjsJcQDIPT/DjsS/5uN4cbVG7RtIuOx238hZK+GvFci +KtZHgVdEglZTvYYUAQv8f3SkWq7xuhG1m1hagLQ3eAkzfDJHA1zEpYNI9FdWboE2 +JxhP7JsowtS013wMPgwr38oE18aO6lhOqKSlGBxsRZijQdEt0sdtjRnxrXm3gT+9 +BoInLRBYBbV4Bbkv2wxrkJB+FFk4u5QkE+XRnRTf04JNRvCAOVIyD+OEsnpD8l7e +Xz8d3eOyG6ChKiMDbi4BFYdcpnV1x5dhvt6G3NRI270qv0pV2uh9UPu0gBe4lL8B +PeraunzgWGcXuVjgiIZGZ2ydEEdYMtA1fHkqkKJaEBEjNa0vzORKW6fIJ/KD3l67 +Xnfn6KVuY8INXWHQjNJsWiEOyiijzirplcdIz5ZvHZIlyMbGwcEMBawmxNJ10uEq +Z8A9W6Wa6897GqidFEXlD6CaZd4vKL3Ob5Rmg0gp2OpljK+T2WSfVVcmv2/LNzGZ +o2C7HK2JNDJiuEMhBnIMoVxtRsX6Kc8w3onccVvdtjc+31D1uAclJuW8tf48ArO3 ++L5DwYcRlJ4jbBeKuIonDFRH8KmzwICMoCfrHRnjB453cMor9H124HhnAgMBAAGj +YzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFE1FwWg4u3OpaaEg5+31IqEj +FNeeMB8GA1UdIwQYMBaAFE1FwWg4u3OpaaEg5+31IqEjFNeeMA4GA1UdDwEB/wQE +AwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAZ2sGuV9FOypLM7PmG2tZTiLMubekJcmn +xPBUlgtk87FYT15R/LKXeydlwuXK5w0MJXti4/qftIe3RUavg6WXSIylvfEWK5t2 +LHo1YGwRgJfMqZJS5ivmae2p+DYtLHe/YUjRYwu5W1LtGLBDQiKmsXeu3mnFzccc +obGlHBD7GL4acN3Bkku+KVqdPzW+5X1R+FXgJXUjhx5c3LqdsKyzadsXg8n33gy8 +CNyRnqjQ1xU3c6U1uPx+xURABsPr+CKAXEfOAuMRn0T//ZoyzH1kUQ7rVyZ2OuMe +IjzCpjbdGe+n/BLzJsBZMYVMnNjP36TMzCmT/5RtdlwTCJfy7aULTd3oyWgOZtMA +DjMSW7yV5TKQqLPGbIOtd+6Lfn6xqavT4fG2wLHqiMDn05DpKJKUe2h7lyoKZy2F +AjgQ5ANh1NolNscIWC2hp1GvMApJ9aZphwctREZ2jirlmjvXGKL8nDgQzMY70rUX +Om/9riW99XJZZLF0KjhfGEzfz3EEWjbUvy+ZnOjZurGV5gJLIaFb1cFPj65pbVPb +AZO1XB4Y3WRayhgoPmMEEf0cjQAPuDffZ4qdZqkCapH/E8ovXYO8h5Ns3CRRFgQl +Zvqz2cK6Kb6aSDiCmfS/O0oxGfm/jiEzFMpPVF/7zvuPcX/9XhmgD0uRuMRUvAaw +RY8mkaKO/qk= +-----END CERTIFICATE----- diff --git a/crypto/openssl/certs/aoltw1.pem b/crypto/openssl/certs/aoltw1.pem new file mode 100644 index 000000000000..eeb0942cfb3a --- /dev/null +++ b/crypto/openssl/certs/aoltw1.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx +HTAbBgNVBAoTFEFPTCBUaW1lIFdhcm5lciBJbmMuMRwwGgYDVQQLExNBbWVyaWNh +IE9ubGluZSBJbmMuMTcwNQYDVQQDEy5BT0wgVGltZSBXYXJuZXIgUm9vdCBDZXJ0 +aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTAyMDUyOTA2MDAwMFoXDTM3MTEyMDE1 +MDMwMFowgYMxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRBT0wgVGltZSBXYXJuZXIg +SW5jLjEcMBoGA1UECxMTQW1lcmljYSBPbmxpbmUgSW5jLjE3MDUGA1UEAxMuQU9M +IFRpbWUgV2FybmVyIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJnej8Mlo2k06AX3dLm/WpcZuS+U +0pPlLYnKhHw/EEMbjIt8hFj4JHxIzyr9wBXZGH6EGhfT257XyuTZ16pYUYfw8ItI +TuLCxFlpMGK2MKKMCxGZYTVtfu/FsRkGIBKOQuHfD5YQUqjPnF+VFNivO3ULMSAf +RC+iYkGzuxgh28pxPIzstrkNn+9R7017EvILDOGsQI93f7DKeHEMXRZxcKLXwjqF +zQ6axOAAsNUl6twr5JQtOJyJQVdkKGUZHLZEtMgxa44Be3ZZJX8VHIQIfHNlIAqh +BC4aMqiaILGcLCFZ5/vP7nAtCMpjPiybkxlqpMKX/7eGV4iFbJ4VFitNLLMCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoTYwFsuGkABFgFOxj8jY +PXy+XxIwHwYDVR0jBBgwFoAUoTYwFsuGkABFgFOxj8jYPXy+XxIwDgYDVR0PAQH/ +BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4IBAQCKIBilvrMvtKaEAEAwKfq0FHNMeUWn +9nDg6H5kHgqVfGphwu9OH77/yZkfB2FK4V1Mza3u0FIy2VkyvNp5ctZ7CegCgTXT +Ct8RHcl5oIBN/lrXVtbtDyqvpxh1MwzqwWEFT2qaifKNuZ8u77BfWgDrvq2g+EQF +Z7zLBO+eZMXpyD8Fv8YvBxzDNnGGyjhmSs3WuEvGbKeXO/oTLW4jYYehY0KswsuX +n2Fozy1MBJ3XJU8KDk2QixhWqJNIV9xvrr2eZ1d3iVCzvhGbRWeDhhmH05i9CBoW +H1iCC+GWaQVLjuyDUTEH1dSf/1l7qG6Fz9NLqUmwX7A5KGgOc90lmt4S +-----END CERTIFICATE----- diff --git a/crypto/openssl/certs/aoltw2.pem b/crypto/openssl/certs/aoltw2.pem new file mode 100644 index 000000000000..ad10ad7826f2 --- /dev/null +++ b/crypto/openssl/certs/aoltw2.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF5jCCA86gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBgzELMAkGA1UEBhMCVVMx +HTAbBgNVBAoTFEFPTCBUaW1lIFdhcm5lciBJbmMuMRwwGgYDVQQLExNBbWVyaWNh +IE9ubGluZSBJbmMuMTcwNQYDVQQDEy5BT0wgVGltZSBXYXJuZXIgUm9vdCBDZXJ0 +aWZpY2F0aW9uIEF1dGhvcml0eSAyMB4XDTAyMDUyOTA2MDAwMFoXDTM3MDkyODIz +NDMwMFowgYMxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRBT0wgVGltZSBXYXJuZXIg +SW5jLjEcMBoGA1UECxMTQW1lcmljYSBPbmxpbmUgSW5jLjE3MDUGA1UEAxMuQU9M +IFRpbWUgV2FybmVyIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMjCCAiIw +DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQ3WggWmRToVbEbJGv8x4vmh6mJ +7ouZzU9AhqS2TcnZsdw8TQ2FTBVsRotSeJ/4I/1n9SQ6aF3Q92RhQVSji6UI0ilb +m2BPJoPRYxJWSXakFsKlnUWsi4SVqBax7J/qJBrvuVdcmiQhLE0OcR+mrF1FdAOY +xFSMFkpBd4aVdQxHAWZg/BXxD+r1FHjHDtdugRxev17nOirYlxcwfACtCJ0zr7iZ +YYCLqJV+FNwSbKTQ2O9ASQI2+W6p1h2WVgSysy0WVoaP2SBXgM1nEG2wTPDaRrbq +JS5Gr42whTg0ixQmgiusrpkLjhTXUr2eacOGAgvqdnUxCc4zGSGFQ+aJLZ8lN2fx +I2rSAG2X+Z/nKcrdH9cG6rjJuQkhn8g/BsXS6RJGAE57COtCPStIbp1n3UsC5ETz +kxmlJ85per5n0/xQpCyrw2u544BMzwVhSyvcG7mm0tCq9Stz+86QNZ8MUhy/XCFh +EVsVS6kkUfykXPcXnbDS+gfpj1bkGoxoigTTfFrjnqKhynFbotSg5ymFXQNoKk/S +Btc9+cMDLz9l+WceR0DTYw/j1Y75hauXTLPXJuuWCpTehTacyH+BCQJJKg71ZDIM +gtG6aoIbs0t0EfOMd9afv9w3pKdVBC/UMejTRrkDfNoSTllkt1ExMVCgyhwn2RAu +rda9EGYrw7AiShJbAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE +FE9pbQN+nZ8HGEO8txBO1b+pxCAoMB8GA1UdIwQYMBaAFE9pbQN+nZ8HGEO8txBO +1b+pxCAoMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAO/Ouyugu +h4X7ZVnnrREUpVe8WJ8kEle7+z802u6teio0cnAxa8cZmIDJgt43d15Ui47y6mdP +yXSEkVYJ1eV6moG2gcKtNuTxVBFT8zRFASbI5Rq8NEQh3q0l/HYWdyGQgJhXnU7q +7C+qPBR7V8F+GBRn7iTGvboVsNIYvbdVgaxTwOjdaRITQrcCtQVBynlQboIOcXKT +RuidDV29rs4prWPVVRaAMCf/drr3uNZK49m1+VLQTkCpx+XCMseqdiThawVQ68W/ +ClTluUI8JPu3B5wwn3la5uBAUhX0/Kr0VvlEl4ftDmVyXr4m+02kLQgH3thcoNyB +M5kYJRF3p+v9WAksmWsbivNSPxpNSGDxoPYzAlOL7SUJuA0t7Zdz7NeWH45gDtoQ +my8YJPamTQr5O8t1wswvziRpyQoijlmn94IM19drNZxDAGrElWe6nEXLuA4399xO +AU++CrYD062KRffaJ00psUjf5BHklka9bAI+1lHIlRcBFanyqqryvy9lG2/QuRqT +9Y41xICHPpQvZuTpqP9BnHAqTyo5GJUefvthATxRCC4oGKQWDzH9OmwjkyB24f0H +hdFbP9IcczLd+rn4jM8Ch3qaluTtT4mNU0OrDhPAARW0eTjb/G49nlG2uBOLZ8/5 +fNkiHfZdxRwBL5joeiQYvITX+txyW/fBOmg= +-----END CERTIFICATE----- diff --git a/crypto/openssl/config b/crypto/openssl/config index 26b438633edb..d7724a5b3f39 100755 --- a/crypto/openssl/config +++ b/crypto/openssl/config @@ -527,9 +527,9 @@ case "$GUESSOS" in esac if [ "$CC" = "gcc" ]; then case ${ISA:-generic} in - EV5|EV45) options="$options -mcpu=ev5";; - EV56|PCA56) options="$options -mcpu=ev56";; - *) options="$options -mcpu=ev6";; + EV5|EV45) options="$options -march=ev5";; + EV56|PCA56) options="$options -march=ev56";; + *) options="$options -march=ev6";; esac fi ;; @@ -585,18 +585,21 @@ case "$GUESSOS" in OUT="linux-generic32" ;; arm*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; arm*l-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;; + sh*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; + sh*-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;; + m68k*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; s390*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN -DNO_ASM" ;; x86_64-*-linux?) OUT="linux-x86_64" ;; *86-*-linux2) OUT="linux-elf" if [ "$GCCVER" -gt 28 ]; then if grep '^model.*Pentium' /proc/cpuinfo >/dev/null ; then - options="$options -mcpu=pentium" + options="$options -march=pentium" fi if grep '^model.*Pentium Pro' /proc/cpuinfo >/dev/null ; then - options="$options -mcpu=pentiumpro" + options="$options -march=pentiumpro" fi if grep '^model.*K6' /proc/cpuinfo >/dev/null ; then - options="$options -mcpu=k6" + options="$options -march=k6" fi fi ;; *-*-linux1) OUT="linux-aout" ;; @@ -774,7 +777,7 @@ esac # options="$options -DATALLA" #fi -# gcc < 2.8 does not support -mcpu=ultrasparc +# gcc < 2.8 does not support -march=ultrasparc if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] then echo "WARNING! Falling down to 'solaris-sparcv8-gcc'." diff --git a/crypto/openssl/crypto/aes/Makefile b/crypto/openssl/crypto/aes/Makefile index 0c9408ea1cde..0f939eb7f8ee 100644 --- a/crypto/openssl/crypto/aes/Makefile +++ b/crypto/openssl/crypto/aes/Makefile @@ -105,6 +105,13 @@ aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_ecb.o: ../../include/openssl/opensslconf.h aes_ecb.c aes_locl.h +aes_ige.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/bio.h +aes_ige.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +aes_ige.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +aes_ige.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +aes_ige.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +aes_ige.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +aes_ige.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_ige.c aes_locl.h aes_misc.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h aes_misc.o: ../../include/openssl/opensslconf.h aes_misc.o: ../../include/openssl/opensslv.h aes_locl.h aes_misc.c diff --git a/crypto/openssl/crypto/aes/aes_misc.c b/crypto/openssl/crypto/aes/aes_misc.c index 090def25d5ac..4fead1b4c7c5 100644 --- a/crypto/openssl/crypto/aes/aes_misc.c +++ b/crypto/openssl/crypto/aes/aes_misc.c @@ -53,7 +53,7 @@ #include #include "aes_locl.h" -const char *AES_version="AES" OPENSSL_VERSION_PTEXT; +const char AES_version[]="AES" OPENSSL_VERSION_PTEXT; const char *AES_options(void) { #ifdef FULL_UNROLL diff --git a/crypto/openssl/crypto/asn1/a_strex.c b/crypto/openssl/crypto/asn1/a_strex.c index fc743c2ad080..c2dbb6f9a58d 100644 --- a/crypto/openssl/crypto/asn1/a_strex.c +++ b/crypto/openssl/crypto/asn1/a_strex.c @@ -170,7 +170,7 @@ static int do_buf(unsigned char *buf, int buflen, q = buf + buflen; outlen = 0; while(p != q) { - if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253; + if(p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; switch(type & BUF_TYPE_WIDTH_MASK) { case 4: @@ -197,7 +197,7 @@ static int do_buf(unsigned char *buf, int buflen, default: return -1; /* invalid width */ } - if (p == q) orflags = CHARTYPE_LAST_ESC_2253; + if (p == q && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_LAST_ESC_2253; if(type & BUF_TYPE_CONVUTF8) { unsigned char utfbuf[6]; int utflen; diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c index c672d2ebe5f4..f6b5c3f3dd77 100644 --- a/crypto/openssl/crypto/asn1/asn1_err.c +++ b/crypto/openssl/crypto/asn1/asn1_err.c @@ -123,7 +123,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "ASN1_TEMPLATE_NEW"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I), "ASN1_TEMPLATE_NOEXP_D2I"}, -{ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_SET"}, +{ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_set"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING), "ASN1_TYPE_get_int_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING), "ASN1_TYPE_get_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING), "ASN1_unpack_string"}, @@ -168,10 +168,10 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_FUNC(ASN1_F_OID_MODULE_INIT), "OID_MODULE_INIT"}, {ERR_FUNC(ASN1_F_PARSE_TAGGING), "PARSE_TAGGING"}, {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET), "PKCS5_pbe2_set"}, -{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_PBE_SET"}, +{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"}, {ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"}, -{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_ADD0_REVOKED"}, -{ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_NEW"}, +{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"}, +{ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_new"}, {ERR_FUNC(ASN1_F_X509_NAME_ENCODE), "X509_NAME_ENCODE"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_D2I), "X509_NAME_EX_D2I"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_NEW), "X509_NAME_EX_NEW"}, @@ -287,15 +287,12 @@ static ERR_STRING_DATA ASN1_str_reasons[]= void ERR_load_ASN1_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(ASN1_str_functs[0].error) == NULL) + { ERR_load_strings(0,ASN1_str_functs); ERR_load_strings(0,ASN1_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/asn1/asn1_lib.c b/crypto/openssl/crypto/asn1/asn1_lib.c index bb94257cee34..d5ae5b2258a4 100644 --- a/crypto/openssl/crypto/asn1/asn1_lib.c +++ b/crypto/openssl/crypto/asn1/asn1_lib.c @@ -64,7 +64,7 @@ static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max); static void asn1_put_length(unsigned char **pp, int length); -const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT; +const char ASN1_version[]="ASN.1" OPENSSL_VERSION_PTEXT; static int _asn1_check_infinite_end(const unsigned char **p, long len) { diff --git a/crypto/openssl/crypto/asn1/asn1t.h b/crypto/openssl/crypto/asn1/asn1t.h index cc0cd1c8423b..adbc2a63dd0f 100644 --- a/crypto/openssl/crypto/asn1/asn1t.h +++ b/crypto/openssl/crypto/asn1/asn1t.h @@ -99,7 +99,7 @@ extern "C" { #define ASN1_ITEM_start(itname) \ const ASN1_ITEM * itname##_it(void) \ { \ - static const ASN1_ITEM local_it = { \ + static const ASN1_ITEM local_it = { #define ASN1_ITEM_end(itname) \ }; \ diff --git a/crypto/openssl/crypto/asn1/t_x509.c b/crypto/openssl/crypto/asn1/t_x509.c index 61f48d14d773..fe2ea4046d2b 100644 --- a/crypto/openssl/crypto/asn1/t_x509.c +++ b/crypto/openssl/crypto/asn1/t_x509.c @@ -445,9 +445,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm) int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) { char *s,*c,*b; - int ret=0,l,ll,i,first=1; + int ret=0,l,i; - ll=80-2-obase; + l=80-2-obase; b=s=X509_NAME_oneline(name,NULL,0); if (!*s) @@ -457,7 +457,6 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) } s++; /* skip the first slash */ - l=ll; c=s; for (;;) { @@ -479,16 +478,6 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) (*s == '\0')) #endif { - if ((l <= 0) && !first) - { - first=0; - if (BIO_write(bp,"\n",1) != 1) goto err; - for (i=0; iex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; +#ifndef OPENSSL_NO_RFC3779 + ret->rfc3779_addr = NULL; + ret->rfc3779_asid = NULL; +#endif ret->aux = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; @@ -109,6 +113,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); policy_cache_free(ret->policy_cache); +#ifndef OPENSSL_NO_RFC3779 + sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); + ASIdentifiers_free(ret->rfc3779_asid); +#endif if (ret->name != NULL) OPENSSL_free(ret->name); break; diff --git a/crypto/openssl/crypto/bf/bf_ecb.c b/crypto/openssl/crypto/bf/bf_ecb.c index 341991636f4a..1607cefa32cb 100644 --- a/crypto/openssl/crypto/bf/bf_ecb.c +++ b/crypto/openssl/crypto/bf/bf_ecb.c @@ -65,7 +65,7 @@ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993) */ -const char *BF_version="Blowfish" OPENSSL_VERSION_PTEXT; +const char BF_version[]="Blowfish" OPENSSL_VERSION_PTEXT; const char *BF_options(void) { diff --git a/crypto/openssl/crypto/bio/bio.h b/crypto/openssl/crypto/bio/bio.h index 07333cf0b32e..2c9e8a7c804a 100644 --- a/crypto/openssl/crypto/bio/bio.h +++ b/crypto/openssl/crypto/bio/bio.h @@ -196,28 +196,32 @@ extern "C" { */ #define BIO_FLAGS_MEM_RDONLY 0x200 -#define BIO_set_flags(b,f) ((b)->flags|=(f)) -#define BIO_get_flags(b) ((b)->flags) +typedef struct bio_st BIO; + +void BIO_set_flags(BIO *b, int flags); +int BIO_test_flags(const BIO *b, int flags); +void BIO_clear_flags(BIO *b, int flags); + +#define BIO_get_flags(b) BIO_test_flags(b, ~(0x0)) #define BIO_set_retry_special(b) \ - ((b)->flags|=(BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY)) #define BIO_set_retry_read(b) \ - ((b)->flags|=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)) #define BIO_set_retry_write(b) \ - ((b)->flags|=(BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY)) /* These are normally used internally in BIOs */ -#define BIO_clear_flags(b,f) ((b)->flags&= ~(f)) #define BIO_clear_retry_flags(b) \ - ((b)->flags&= ~(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) + BIO_clear_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) #define BIO_get_retry_flags(b) \ - ((b)->flags&(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) + BIO_test_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) /* These should be used by the application to tell why we should retry */ -#define BIO_should_read(a) ((a)->flags & BIO_FLAGS_READ) -#define BIO_should_write(a) ((a)->flags & BIO_FLAGS_WRITE) -#define BIO_should_io_special(a) ((a)->flags & BIO_FLAGS_IO_SPECIAL) -#define BIO_retry_type(a) ((a)->flags & BIO_FLAGS_RWS) -#define BIO_should_retry(a) ((a)->flags & BIO_FLAGS_SHOULD_RETRY) +#define BIO_should_read(a) BIO_test_flags(a, BIO_FLAGS_READ) +#define BIO_should_write(a) BIO_test_flags(a, BIO_FLAGS_WRITE) +#define BIO_should_io_special(a) BIO_test_flags(a, BIO_FLAGS_IO_SPECIAL) +#define BIO_retry_type(a) BIO_test_flags(a, BIO_FLAGS_RWS) +#define BIO_should_retry(a) BIO_test_flags(a, BIO_FLAGS_SHOULD_RETRY) /* The next three are used in conjunction with the * BIO_should_io_special() condition. After this returns true, @@ -246,14 +250,14 @@ extern "C" { #define BIO_cb_pre(a) (!((a)&BIO_CB_RETURN)) #define BIO_cb_post(a) ((a)&BIO_CB_RETURN) -#define BIO_set_callback(b,cb) ((b)->callback=(cb)) -#define BIO_set_callback_arg(b,arg) ((b)->cb_arg=(char *)(arg)) -#define BIO_get_callback_arg(b) ((b)->cb_arg) -#define BIO_get_callback(b) ((b)->callback) -#define BIO_method_name(b) ((b)->method->name) -#define BIO_method_type(b) ((b)->method->type) +long (*BIO_get_callback(const BIO *b)) (struct bio_st *,int,const char *,int, long,long); +void BIO_set_callback(BIO *b, + long (*callback)(struct bio_st *,int,const char *,int, long,long)); +char *BIO_get_callback_arg(const BIO *b); +void BIO_set_callback_arg(BIO *b, char *arg); -typedef struct bio_st BIO; +const char * BIO_method_name(const BIO *b); +int BIO_method_type(const BIO *b); typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long); @@ -386,6 +390,7 @@ typedef struct bio_f_buffer_ctx_struct #define BIO_C_NWRITE0 145 #define BIO_C_NWRITE 146 #define BIO_C_RESET_READ_REQUEST 147 +#define BIO_C_SET_MD_CTX 148 #define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) diff --git a/crypto/openssl/crypto/bio/bio_err.c b/crypto/openssl/crypto/bio/bio_err.c index 426f8d13c6bd..6603f1c74dc8 100644 --- a/crypto/openssl/crypto/bio/bio_err.c +++ b/crypto/openssl/crypto/bio/bio_err.c @@ -143,15 +143,12 @@ static ERR_STRING_DATA BIO_str_reasons[]= void ERR_load_BIO_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(BIO_str_functs[0].error) == NULL) + { ERR_load_strings(0,BIO_str_functs); ERR_load_strings(0,BIO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c index dcc989f9d6bf..3f52ae953c29 100644 --- a/crypto/openssl/crypto/bio/bio_lib.c +++ b/crypto/openssl/crypto/bio/bio_lib.c @@ -141,6 +141,52 @@ int BIO_free(BIO *a) void BIO_vfree(BIO *a) { BIO_free(a); } +void BIO_clear_flags(BIO *b, int flags) + { + b->flags &= ~flags; + } + +int BIO_test_flags(const BIO *b, int flags) + { + return (b->flags & flags); + } + +void BIO_set_flags(BIO *b, int flags) + { + b->flags |= flags; + } + +long (*BIO_get_callback(const BIO *b))(struct bio_st *,int,const char *,int, long,long) + { + return b->callback; + } + +void BIO_set_callback(BIO *b, long (*cb)(struct bio_st *,int,const char *,int, long,long)) + { + b->callback = cb; + } + +void BIO_set_callback_arg(BIO *b, char *arg) + { + b->cb_arg = arg; + } + +char * BIO_get_callback_arg(const BIO *b) + { + return b->cb_arg; + } + +const char * BIO_method_name(const BIO *b) + { + return b->method->name; + } + +int BIO_method_type(const BIO *b) + { + return b->method->type; + } + + int BIO_read(BIO *b, void *out, int outl) { int i; diff --git a/crypto/openssl/crypto/bn/bn_err.c b/crypto/openssl/crypto/bn/bn_err.c index a253959a5c94..24fbbb772d0f 100644 --- a/crypto/openssl/crypto/bn/bn_err.c +++ b/crypto/openssl/crypto/bn/bn_err.c @@ -137,15 +137,12 @@ static ERR_STRING_DATA BN_str_reasons[]= void ERR_load_BN_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(BN_str_functs[0].error) == NULL) + { ERR_load_strings(0,BN_str_functs); ERR_load_strings(0,BN_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/bn/bn_lib.c b/crypto/openssl/crypto/bn/bn_lib.c index 3c4d5459f61f..210ccb42bba1 100644 --- a/crypto/openssl/crypto/bn/bn_lib.c +++ b/crypto/openssl/crypto/bn/bn_lib.c @@ -67,7 +67,7 @@ #include "cryptlib.h" #include "bn_lcl.h" -const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT; +const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT; /* This stuff appears to be completely unused, so is deprecated */ #ifndef OPENSSL_NO_DEPRECATED diff --git a/crypto/openssl/crypto/bn/bn_print.c b/crypto/openssl/crypto/bn/bn_print.c index 055d048856cd..810dde34e15c 100644 --- a/crypto/openssl/crypto/bn/bn_print.c +++ b/crypto/openssl/crypto/bn/bn_print.c @@ -62,7 +62,7 @@ #include #include "bn_lcl.h" -static const char *Hex="0123456789ABCDEF"; +static const char Hex[]="0123456789ABCDEF"; /* Must 'OPENSSL_free' the returned data */ char *BN_bn2hex(const BIGNUM *a) diff --git a/crypto/openssl/crypto/buffer/buf_err.c b/crypto/openssl/crypto/buffer/buf_err.c index 8fc67d354282..3e25bbe8798a 100644 --- a/crypto/openssl/crypto/buffer/buf_err.c +++ b/crypto/openssl/crypto/buffer/buf_err.c @@ -88,15 +88,12 @@ static ERR_STRING_DATA BUF_str_reasons[]= void ERR_load_BUF_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(BUF_str_functs[0].error) == NULL) + { ERR_load_strings(0,BUF_str_functs); ERR_load_strings(0,BUF_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/camellia/Makefile b/crypto/openssl/crypto/camellia/Makefile index 29caa14865cc..1579de5ce51f 100644 --- a/crypto/openssl/crypto/camellia/Makefile +++ b/crypto/openssl/crypto/camellia/Makefile @@ -85,19 +85,19 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. -camellia.o: ../../include/openssl/opensslconf.h camellia.c camellia.h -camellia.o: cmll_locl.h -cmll_cbc.o: ../../include/openssl/camellia.h +camellia.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +camellia.o: camellia.c camellia.h cmll_locl.h +cmll_cbc.o: ../../include/openssl/camellia.h ../../include/openssl/e_os2.h cmll_cbc.o: ../../include/openssl/opensslconf.h cmll_cbc.c cmll_locl.h cmll_cfb.o: ../../e_os.h ../../include/openssl/camellia.h cmll_cfb.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h cmll_cfb.o: cmll_cfb.c cmll_locl.h -cmll_ctr.o: ../../include/openssl/camellia.h +cmll_ctr.o: ../../include/openssl/camellia.h ../../include/openssl/e_os2.h cmll_ctr.o: ../../include/openssl/opensslconf.h cmll_ctr.c cmll_locl.h -cmll_ecb.o: ../../include/openssl/camellia.h +cmll_ecb.o: ../../include/openssl/camellia.h ../../include/openssl/e_os2.h cmll_ecb.o: ../../include/openssl/opensslconf.h cmll_ecb.c cmll_locl.h -cmll_misc.o: ../../include/openssl/camellia.h +cmll_misc.o: ../../include/openssl/camellia.h ../../include/openssl/e_os2.h cmll_misc.o: ../../include/openssl/opensslconf.h cmll_misc.o: ../../include/openssl/opensslv.h cmll_locl.h cmll_misc.c -cmll_ofb.o: ../../include/openssl/camellia.h +cmll_ofb.o: ../../include/openssl/camellia.h ../../include/openssl/e_os2.h cmll_ofb.o: ../../include/openssl/opensslconf.h cmll_locl.h cmll_ofb.c diff --git a/crypto/openssl/crypto/camellia/camellia.c b/crypto/openssl/crypto/camellia/camellia.c index 63505464a844..491c26b39e96 100644 --- a/crypto/openssl/crypto/camellia/camellia.c +++ b/crypto/openssl/crypto/camellia/camellia.c @@ -76,12 +76,7 @@ #include "camellia.h" #include "cmll_locl.h" -/* - * must be defined uint32_t - */ - /* key constants */ - #define CAMELLIA_SIGMA1L (0xA09E667FL) #define CAMELLIA_SIGMA1R (0x3BCC908BL) #define CAMELLIA_SIGMA2L (0xB67AE858L) @@ -100,18 +95,9 @@ */ /* e is pointer of subkey */ -#ifdef L_ENDIAN - -#define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2 + 1]) -#define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2]) - -#else /* big endian */ - #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2]) #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1]) -#endif /* IS_LITTLE_ENDIAN */ - /* rotation right shift 1byte */ #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24)) /* rotation left shift 1bit */ @@ -170,44 +156,6 @@ do \ * for speed up * */ -#if !defined(_MSC_VER) - -#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \ -do \ - { \ - t0 = kll; \ - t2 = krr; \ - t0 &= ll; \ - t2 |= rr; \ - rl ^= t2; \ - lr ^= CAMELLIA_RL1(t0); \ - t3 = krl; \ - t1 = klr; \ - t3 &= rl; \ - t1 |= lr; \ - ll ^= t1; \ - rr ^= CAMELLIA_RL1(t3); \ - } while(0) - -#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \ -do \ - { \ - ir = CAMELLIA_SP1110(xr & 0xff); \ - il = CAMELLIA_SP1110((xl>>24) & 0xff); \ - ir ^= CAMELLIA_SP0222((xr>>24) & 0xff); \ - il ^= CAMELLIA_SP0222((xl>>16) & 0xff); \ - ir ^= CAMELLIA_SP3033((xr>>16) & 0xff); \ - il ^= CAMELLIA_SP3033((xl>>8) & 0xff); \ - ir ^= CAMELLIA_SP4404((xr>>8) & 0xff); \ - il ^= CAMELLIA_SP4404(xl & 0xff); \ - il ^= kl; \ - ir ^= il ^ kr; \ - yl ^= ir; \ - yr ^= CAMELLIA_RR8(il) ^ ir; \ - } while(0) - -#else /* for MS-VC */ - #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \ do \ { \ @@ -249,9 +197,8 @@ do \ yl ^= ir; \ yr ^= il; \ } while(0) -#endif -static const uint32_t camellia_sp1110[256] = +static const u32 camellia_sp1110[256] = { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, @@ -319,7 +266,7 @@ static const uint32_t camellia_sp1110[256] = 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, }; -static const uint32_t camellia_sp0222[256] = +static const u32 camellia_sp0222[256] = { 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, @@ -387,7 +334,7 @@ static const uint32_t camellia_sp0222[256] = 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, }; -static const uint32_t camellia_sp3033[256] = +static const u32 camellia_sp3033[256] = { 0x38003838,0x41004141,0x16001616,0x76007676, 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, @@ -455,7 +402,7 @@ static const uint32_t camellia_sp3033[256] = 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, }; -static const uint32_t camellia_sp4404[256] = +static const u32 camellia_sp4404[256] = { 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, @@ -523,20 +470,19 @@ static const uint32_t camellia_sp4404[256] = 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, }; - /** * Stuff related to the Camellia key schedule */ #define subl(x) subL[(x)] #define subr(x) subR[(x)] -void camellia_setup128(const unsigned char *key, uint32_t *subkey) +void camellia_setup128(const u8 *key, u32 *subkey) { - uint32_t kll, klr, krl, krr; - uint32_t il, ir, t0, t1, w0, w1; - uint32_t kw4l, kw4r, dw, tl, tr; - uint32_t subL[26]; - uint32_t subR[26]; + u32 kll, klr, krl, krr; + u32 il, ir, t0, t1, w0, w1; + u32 kw4l, kw4r, dw, tl, tr; + u32 subL[26]; + u32 subR[26]; /** * k == kll || klr || krl || krr (|| is concatination) @@ -833,14 +779,14 @@ void camellia_setup128(const unsigned char *key, uint32_t *subkey) return; } -void camellia_setup256(const unsigned char *key, uint32_t *subkey) +void camellia_setup256(const u8 *key, u32 *subkey) { - uint32_t kll,klr,krl,krr; /* left half of key */ - uint32_t krll,krlr,krrl,krrr; /* right half of key */ - uint32_t il, ir, t0, t1, w0, w1; /* temporary variables */ - uint32_t kw4l, kw4r, dw, tl, tr; - uint32_t subL[34]; - uint32_t subR[34]; + u32 kll,klr,krl,krr; /* left half of key */ + u32 krll,krlr,krrl,krrr; /* right half of key */ + u32 il, ir, t0, t1, w0, w1; /* temporary variables */ + u32 kw4l, kw4r, dw, tl, tr; + u32 subL[34]; + u32 subR[34]; /** * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr) @@ -1245,18 +1191,18 @@ void camellia_setup256(const unsigned char *key, uint32_t *subkey) return; } -void camellia_setup192(const unsigned char *key, uint32_t *subkey) +void camellia_setup192(const u8 *key, u32 *subkey) { - unsigned char kk[32]; - uint32_t krll, krlr, krrl,krrr; + u8 kk[32]; + u32 krll, krlr, krrl,krrr; memcpy(kk, key, 24); - memcpy((unsigned char *)&krll, key+16,4); - memcpy((unsigned char *)&krlr, key+20,4); + memcpy((u8 *)&krll, key+16,4); + memcpy((u8 *)&krlr, key+20,4); krrl = ~krll; krrr = ~krlr; - memcpy(kk+24, (unsigned char *)&krrl, 4); - memcpy(kk+28, (unsigned char *)&krrr, 4); + memcpy(kk+24, (u8 *)&krrl, 4); + memcpy(kk+28, (u8 *)&krrr, 4); camellia_setup256(kk, subkey); return; } @@ -1265,11 +1211,10 @@ void camellia_setup192(const unsigned char *key, uint32_t *subkey) /** * Stuff related to camellia encryption/decryption */ -void camellia_encrypt128(const uint32_t *subkey, uint32_t *io) +void camellia_encrypt128(const u32 *subkey, u32 *io) { - uint32_t il, ir, t0, t1; + u32 il, ir, t0, t1; - SWAP4WORD(io); /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(0); io[1] ^= CamelliaSubkeyR(0); @@ -1352,16 +1297,13 @@ void camellia_encrypt128(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); - + return; } -void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) +void camellia_decrypt128(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ - - SWAP4WORD(io); + u32 il,ir,t0,t1; /* temporary valiables */ /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(24); @@ -1445,7 +1387,6 @@ void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } @@ -1453,11 +1394,9 @@ void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) /** * stuff for 192 and 256bit encryption/decryption */ -void camellia_encrypt256(const uint32_t *subkey, uint32_t *io) +void camellia_encrypt256(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ - - SWAP4WORD(io); + u32 il,ir,t0,t1; /* temporary valiables */ /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(0); @@ -1565,16 +1504,14 @@ void camellia_encrypt256(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } -void camellia_decrypt256(const uint32_t *subkey, uint32_t *io) +void camellia_decrypt256(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ + u32 il,ir,t0,t1; /* temporary valiables */ - SWAP4WORD(io); /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(32); io[1] ^= CamelliaSubkeyR(32); @@ -1681,7 +1618,6 @@ void camellia_decrypt256(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } diff --git a/crypto/openssl/crypto/camellia/cmll_cbc.c b/crypto/openssl/crypto/camellia/cmll_cbc.c index 24080e14f5d6..4141a7b59bb7 100644 --- a/crypto/openssl/crypto/camellia/cmll_cbc.c +++ b/crypto/openssl/crypto/camellia/cmll_cbc.c @@ -67,25 +67,28 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, unsigned long n; unsigned long len = length; - unsigned char tmp[CAMELLIA_BLOCK_SIZE]; const unsigned char *iv = ivec; - uint32_t t32[UNITSIZE]; + union { u32 t32[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + u8 t8 [CAMELLIA_BLOCK_SIZE]; } tmp; + const union { long one; char little; } camellia_endian = {1}; assert(in && out && key && ivec); assert((CAMELLIA_ENCRYPT == enc)||(CAMELLIA_DECRYPT == enc)); - if(((size_t)in) % ALIGN == 0 - && ((size_t)out) % ALIGN == 0 - && ((size_t)ivec) % ALIGN == 0) + if(((size_t)in|(size_t)out|(size_t)ivec) % sizeof(u32) == 0) { if (CAMELLIA_ENCRYPT == enc) { while (len >= CAMELLIA_BLOCK_SIZE) { - XOR4WORD2((uint32_t *)out, - (uint32_t *)in, (uint32_t *)iv); - key->enc(key->rd_key, (uint32_t *)out); + XOR4WORD2((u32 *)out, + (u32 *)in, (u32 *)iv); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->enc(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); iv = out; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -97,7 +100,11 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, out[n] = in[n] ^ iv[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) out[n] = iv[n]; - key->enc(key->rd_key, (uint32_t *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->enc(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); iv = out; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -107,8 +114,12 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, while (len >= CAMELLIA_BLOCK_SIZE) { memcpy(out,in,CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,(uint32_t *)out); - XOR4WORD((uint32_t *)out, (uint32_t *)iv); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key,(u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + XOR4WORD((u32 *)out, (u32 *)iv); iv = in; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -116,10 +127,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, (uint32_t *)tmp); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] = tmp[n] ^ iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -128,23 +143,31 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, (uint32_t *)out); - XOR4WORD((uint32_t *)out, (uint32_t *)ivec); - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + XOR4WORD((u32 *)out, (u32 *)ivec); + memcpy(ivec, tmp.t8, CAMELLIA_BLOCK_SIZE); len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; out += CAMELLIA_BLOCK_SIZE; } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,(uint32_t *)out); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key,(u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); for(n=0; n < len; ++n) out[n] ^= ivec[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = tmp[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + out[n] = tmp.t8[n]; + memcpy(ivec, tmp.t8, CAMELLIA_BLOCK_SIZE); } } } @@ -155,10 +178,13 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, while (len >= CAMELLIA_BLOCK_SIZE) { for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = in[n] ^ iv[n]; - memcpy(t32, out, CAMELLIA_BLOCK_SIZE); - key->enc(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] = in[n] ^ iv[n]; + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->enc(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); iv = out; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -167,10 +193,15 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, if (len) { for(n=0; n < len; ++n) - out[n] = in[n] ^ iv[n]; + tmp.t8[n] = in[n] ^ iv[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = iv[n]; - key->enc(key->rd_key, (uint32_t *)out); + tmp.t8[n] = iv[n]; + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->enc(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); iv = out; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -179,11 +210,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(t32,in,CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,t32); - memcpy(out,t32,CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8,in,CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key,tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] ^= iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -191,12 +225,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] = tmp[n] ^ iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -205,30 +241,33 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] ^= ivec[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] ^= ivec[n]; + memcpy(ivec, in, CAMELLIA_BLOCK_SIZE); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; out += CAMELLIA_BLOCK_SIZE; } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key,tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] ^= ivec[n]; - for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = tmp[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] ^= ivec[n]; + memcpy(ivec, in, CAMELLIA_BLOCK_SIZE); + memcpy(out,tmp.t8,len); } } } } - diff --git a/crypto/openssl/crypto/camellia/cmll_locl.h b/crypto/openssl/crypto/camellia/cmll_locl.h index 8ea3639a5b77..2ac2e9543571 100644 --- a/crypto/openssl/crypto/camellia/cmll_locl.h +++ b/crypto/openssl/crypto/camellia/cmll_locl.h @@ -73,55 +73,42 @@ #include #include -#if defined(_MSC_VER) -typedef unsigned char uint8_t; -typedef unsigned int uint32_t; -typedef unsigned __int64 uint64_t; -#else -#include -#endif +typedef unsigned char u8; +typedef unsigned int u32; #ifdef __cplusplus extern "C" { #endif -#define ALIGN 4 -#define UNITSIZE 4 - #if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64)) # define SWAP(x) ( _lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00 ) -# define GETU32(p) SWAP(*((uint32_t *)(p))) -# define PUTU32(ct, st) { *((uint32_t *)(ct)) = SWAP((st)); } +# define GETU32(p) SWAP(*((u32 *)(p))) +# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); } # define CAMELLIA_SWAP4(x) (x = ( _lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) ) - #else /* not windows */ -# define GETU32(pt) (((uint32_t)(pt)[0] << 24) \ - ^ ((uint32_t)(pt)[1] << 16) \ - ^ ((uint32_t)(pt)[2] << 8) \ - ^ ((uint32_t)(pt)[3])) +# define GETU32(pt) (((u32)(pt)[0] << 24) \ + ^ ((u32)(pt)[1] << 16) \ + ^ ((u32)(pt)[2] << 8) \ + ^ ((u32)(pt)[3])) -# define PUTU32(ct, st) { (ct)[0] = (uint8_t)((st) >> 24); \ - (ct)[1] = (uint8_t)((st) >> 16); \ - (ct)[2] = (uint8_t)((st) >> 8); \ - (ct)[3] = (uint8_t)(st); } +# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); \ + (ct)[1] = (u8)((st) >> 16); \ + (ct)[2] = (u8)((st) >> 8); \ + (ct)[3] = (u8)(st); } -#ifdef L_ENDIAN -#if (defined (__GNUC__) && !defined(i386)) +#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64))) #define CAMELLIA_SWAP4(x) \ do{\ asm("bswap %1" : "+r" (x));\ }while(0) -#else /* not gcc */ +#else #define CAMELLIA_SWAP4(x) \ do{\ - x = ((uint32_t)x << 16) + ((uint32_t)x >> 16);\ - x = (((uint32_t)x & 0xff00ff) << 8) + (((uint32_t)x >> 8) & 0xff00ff);\ + x = ((u32)x << 16) + ((u32)x >> 16);\ + x = (((u32)x & 0xff00ff) << 8) + (((u32)x >> 8) & 0xff00ff);\ } while(0) -#endif /* not gcc */ -#else /* big endian */ -#define CAMELLIA_SWAP4(x) -#endif /* L_ENDIAN */ +#endif #endif #define COPY4WORD(dst, src) \ @@ -161,14 +148,14 @@ extern "C" { }while(0) -void camellia_setup128(const unsigned char *key, uint32_t *subkey); -void camellia_setup192(const unsigned char *key, uint32_t *subkey); -void camellia_setup256(const unsigned char *key, uint32_t *subkey); +void camellia_setup128(const u8 *key, u32 *subkey); +void camellia_setup192(const u8 *key, u32 *subkey); +void camellia_setup256(const u8 *key, u32 *subkey); -void camellia_encrypt128(const uint32_t *subkey, uint32_t *io); -void camellia_decrypt128(const uint32_t *subkey, uint32_t *io); -void camellia_encrypt256(const uint32_t *subkey, uint32_t *io); -void camellia_decrypt256(const uint32_t *subkey, uint32_t *io); +void camellia_encrypt128(const u32 *subkey, u32 *io); +void camellia_decrypt128(const u32 *subkey, u32 *io); +void camellia_encrypt256(const u32 *subkey, u32 *io); +void camellia_decrypt256(const u32 *subkey, u32 *io); #ifdef __cplusplus } diff --git a/crypto/openssl/crypto/camellia/cmll_misc.c b/crypto/openssl/crypto/camellia/cmll_misc.c index 3c4ec36662e0..f1047b54e03b 100644 --- a/crypto/openssl/crypto/camellia/cmll_misc.c +++ b/crypto/openssl/crypto/camellia/cmll_misc.c @@ -53,7 +53,7 @@ #include #include "cmll_locl.h" -const char *CAMELLIA_version="CAMELLIA" OPENSSL_VERSION_PTEXT; +const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT; int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key) @@ -91,20 +91,26 @@ int Camellia_set_key(const unsigned char *userKey, const int bits, void Camellia_encrypt(const unsigned char *in, unsigned char *out, const CAMELLIA_KEY *key) { - uint32_t tmp[UNITSIZE]; + u32 tmp[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + const union { long one; char little; } camellia_endian = {1}; memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) SWAP4WORD(tmp); key->enc(key->rd_key, tmp); + if (camellia_endian.little) SWAP4WORD(tmp); memcpy(out, tmp, CAMELLIA_BLOCK_SIZE); } void Camellia_decrypt(const unsigned char *in, unsigned char *out, const CAMELLIA_KEY *key) { - uint32_t tmp[UNITSIZE]; + u32 tmp[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + const union { long one; char little; } camellia_endian = {1}; memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) SWAP4WORD(tmp); key->dec(key->rd_key, tmp); + if (camellia_endian.little) SWAP4WORD(tmp); memcpy(out, tmp, CAMELLIA_BLOCK_SIZE); } diff --git a/crypto/openssl/crypto/cast/c_ecb.c b/crypto/openssl/crypto/cast/c_ecb.c index 0b3da9ad8717..f2dc6062267f 100644 --- a/crypto/openssl/crypto/cast/c_ecb.c +++ b/crypto/openssl/crypto/cast/c_ecb.c @@ -60,7 +60,7 @@ #include "cast_lcl.h" #include -const char *CAST_version="CAST" OPENSSL_VERSION_PTEXT; +const char CAST_version[]="CAST" OPENSSL_VERSION_PTEXT; void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, CAST_KEY *ks, int enc) diff --git a/crypto/openssl/crypto/comp/c_zlib.c b/crypto/openssl/crypto/comp/c_zlib.c index 941b807eb391..43402e75dbf5 100644 --- a/crypto/openssl/crypto/comp/c_zlib.c +++ b/crypto/openssl/crypto/comp/c_zlib.c @@ -31,6 +31,24 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out, static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out, unsigned int olen, unsigned char *in, unsigned int ilen); + +/* memory allocations functions for zlib intialization */ +static void* zlib_zalloc(void* opaque, unsigned int no, unsigned int size) +{ + void *p; + + p=OPENSSL_malloc(no*size); + if (p) + memset(p, 0, no*size); + return p; +} + + +static void zlib_zfree(void* opaque, void* address) +{ + OPENSSL_free(address); +} + #if 0 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out, unsigned int olen, unsigned char *in, unsigned int ilen); @@ -133,8 +151,8 @@ static int zlib_stateful_init(COMP_CTX *ctx) if (state == NULL) goto err; - state->istream.zalloc = Z_NULL; - state->istream.zfree = Z_NULL; + state->istream.zalloc = zlib_zalloc; + state->istream.zfree = zlib_zfree; state->istream.opaque = Z_NULL; state->istream.next_in = Z_NULL; state->istream.next_out = Z_NULL; @@ -145,8 +163,8 @@ static int zlib_stateful_init(COMP_CTX *ctx) if (err != Z_OK) goto err; - state->ostream.zalloc = Z_NULL; - state->ostream.zfree = Z_NULL; + state->ostream.zalloc = zlib_zalloc; + state->ostream.zfree = zlib_zfree; state->ostream.opaque = Z_NULL; state->ostream.next_in = Z_NULL; state->ostream.next_out = Z_NULL; @@ -158,17 +176,6 @@ static int zlib_stateful_init(COMP_CTX *ctx) goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data); - if (zlib_stateful_ex_idx == -1) - { - CRYPTO_w_lock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - zlib_stateful_ex_idx = - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, - 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); - CRYPTO_w_unlock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - goto err; - } CRYPTO_set_ex_data(&ctx->ex_data,zlib_stateful_ex_idx,state); return 1; err: @@ -379,7 +386,25 @@ COMP_METHOD *COMP_zlib(void) if (zlib_loaded) #endif #if defined(ZLIB) || defined(ZLIB_SHARED) + { + /* init zlib_stateful_ex_idx here so that in a multi-process + * application it's enough to intialize openssl before forking + * (idx will be inherited in all the children) */ + if (zlib_stateful_ex_idx == -1) + { + CRYPTO_w_lock(CRYPTO_LOCK_COMP); + if (zlib_stateful_ex_idx == -1) + zlib_stateful_ex_idx = + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, + 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); + CRYPTO_w_unlock(CRYPTO_LOCK_COMP); + if (zlib_stateful_ex_idx == -1) + goto err; + } + meth = &zlib_stateful_method; + } +err: #endif return(meth); diff --git a/crypto/openssl/crypto/comp/comp_err.c b/crypto/openssl/crypto/comp/comp_err.c index bf7aa3af762b..07372226c9d0 100644 --- a/crypto/openssl/crypto/comp/comp_err.c +++ b/crypto/openssl/crypto/comp/comp_err.c @@ -82,15 +82,12 @@ static ERR_STRING_DATA COMP_str_reasons[]= void ERR_load_COMP_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(COMP_str_functs[0].error) == NULL) + { ERR_load_strings(0,COMP_str_functs); ERR_load_strings(0,COMP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 8083a009d71a..d8bce8732a2d 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -88,7 +88,7 @@ static int def_dump(const CONF *conf, BIO *bp); static int def_is_number(const CONF *conf, char c); static int def_to_int(const CONF *conf, char c); -const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT; +const char CONF_def_version[]="CONF_def" OPENSSL_VERSION_PTEXT; static CONF_METHOD default_method = { "OpenSSL default", diff --git a/crypto/openssl/crypto/conf/conf_err.c b/crypto/openssl/crypto/conf/conf_err.c index 62506897462e..a16a5e0bd44b 100644 --- a/crypto/openssl/crypto/conf/conf_err.c +++ b/crypto/openssl/crypto/conf/conf_err.c @@ -118,15 +118,12 @@ static ERR_STRING_DATA CONF_str_reasons[]= void ERR_load_CONF_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(CONF_str_functs[0].error) == NULL) + { ERR_load_strings(0,CONF_str_functs); ERR_load_strings(0,CONF_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/conf/conf_lib.c b/crypto/openssl/crypto/conf/conf_lib.c index a55a5457c634..2a3399d269e4 100644 --- a/crypto/openssl/crypto/conf/conf_lib.c +++ b/crypto/openssl/crypto/conf/conf_lib.c @@ -63,7 +63,7 @@ #include #include -const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT; +const char CONF_version[]="CONF" OPENSSL_VERSION_PTEXT; static CONF_METHOD *default_CONF_method=NULL; diff --git a/crypto/openssl/crypto/cpt_err.c b/crypto/openssl/crypto/cpt_err.c index 06a6109cceed..9fd41fff8cbd 100644 --- a/crypto/openssl/crypto/cpt_err.c +++ b/crypto/openssl/crypto/cpt_err.c @@ -92,15 +92,12 @@ static ERR_STRING_DATA CRYPTO_str_reasons[]= void ERR_load_CRYPTO_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(CRYPTO_str_functs[0].error) == NULL) + { ERR_load_strings(0,CRYPTO_str_functs); ERR_load_strings(0,CRYPTO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/cryptlib.c b/crypto/openssl/crypto/cryptlib.c index 315559c71cef..86af760d3813 100644 --- a/crypto/openssl/crypto/cryptlib.c +++ b/crypto/openssl/crypto/cryptlib.c @@ -125,7 +125,7 @@ DECLARE_STACK_OF(CRYPTO_dynlock) IMPLEMENT_STACK_OF(CRYPTO_dynlock) /* real #defines in crypto.h, keep these upto date */ -static const char* lock_names[CRYPTO_NUM_LOCKS] = +static const char* const lock_names[CRYPTO_NUM_LOCKS] = { "<>", "err", diff --git a/crypto/openssl/crypto/des/INSTALL b/crypto/openssl/crypto/des/INSTALL index 32457d775ca6..8aebdfe1100c 100644 --- a/crypto/openssl/crypto/des/INSTALL +++ b/crypto/openssl/crypto/des/INSTALL @@ -25,7 +25,7 @@ and then you can use the 'DES_PTR' option. The file options.txt has the options listed for best speed on quite a few systems. Look and the options (UNROLL, PTR, RISC2 etc) and then -turn on the relevent option in the Makefile +turn on the relevant option in the Makefile. There are some special Makefile targets that make life easier. make cc - standard cc build diff --git a/crypto/openssl/crypto/des/des_ver.h b/crypto/openssl/crypto/des/des_ver.h index 379bbadda2a7..d1ada258a65c 100644 --- a/crypto/openssl/crypto/des/des_ver.h +++ b/crypto/openssl/crypto/des/des_ver.h @@ -67,5 +67,5 @@ #define DES_version OSSL_DES_version #define libdes_version OSSL_libdes_version -OPENSSL_EXTERN const char *OSSL_DES_version; /* SSLeay version string */ -OPENSSL_EXTERN const char *OSSL_libdes_version; /* old libdes version string */ +OPENSSL_EXTERN const char OSSL_DES_version[]; /* SSLeay version string */ +OPENSSL_EXTERN const char OSSL_libdes_version[]; /* old libdes version string */ diff --git a/crypto/openssl/crypto/des/ecb_enc.c b/crypto/openssl/crypto/des/ecb_enc.c index 784aa5ba23d2..00d5b91e8ca5 100644 --- a/crypto/openssl/crypto/des/ecb_enc.c +++ b/crypto/openssl/crypto/des/ecb_enc.c @@ -62,8 +62,8 @@ #include #include -OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT; -OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT; +OPENSSL_GLOBAL const char libdes_version[]="libdes" OPENSSL_VERSION_PTEXT; +OPENSSL_GLOBAL const char DES_version[]="DES" OPENSSL_VERSION_PTEXT; const char *DES_options(void) { diff --git a/crypto/openssl/crypto/dh/dh_err.c b/crypto/openssl/crypto/dh/dh_err.c index 783bb4754c52..a2d8196ecbd7 100644 --- a/crypto/openssl/crypto/dh/dh_err.c +++ b/crypto/openssl/crypto/dh/dh_err.c @@ -93,15 +93,12 @@ static ERR_STRING_DATA DH_str_reasons[]= void ERR_load_DH_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(DH_str_functs[0].error) == NULL) + { ERR_load_strings(0,DH_str_functs); ERR_load_strings(0,DH_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/dh/dh_lib.c b/crypto/openssl/crypto/dh/dh_lib.c index 09965ee2ea80..7aef080e7abb 100644 --- a/crypto/openssl/crypto/dh/dh_lib.c +++ b/crypto/openssl/crypto/dh/dh_lib.c @@ -64,7 +64,7 @@ #include #endif -const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT; +const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; static const DH_METHOD *default_DH_method = NULL; diff --git a/crypto/openssl/crypto/dsa/dsa_err.c b/crypto/openssl/crypto/dsa/dsa_err.c index d7fac691546d..768711994b9c 100644 --- a/crypto/openssl/crypto/dsa/dsa_err.c +++ b/crypto/openssl/crypto/dsa/dsa_err.c @@ -100,15 +100,12 @@ static ERR_STRING_DATA DSA_str_reasons[]= void ERR_load_DSA_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(DSA_str_functs[0].error) == NULL) + { ERR_load_strings(0,DSA_str_functs); ERR_load_strings(0,DSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/dsa/dsa_lib.c b/crypto/openssl/crypto/dsa/dsa_lib.c index b9825791bab4..e9b75902dbc2 100644 --- a/crypto/openssl/crypto/dsa/dsa_lib.c +++ b/crypto/openssl/crypto/dsa/dsa_lib.c @@ -70,7 +70,7 @@ #include #endif -const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT; +const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; static const DSA_METHOD *default_DSA_method = NULL; diff --git a/crypto/openssl/crypto/dso/dso_err.c b/crypto/openssl/crypto/dso/dso_err.c index aa91170b1be9..a8b0a210de43 100644 --- a/crypto/openssl/crypto/dso/dso_err.c +++ b/crypto/openssl/crypto/dso/dso_err.c @@ -136,15 +136,12 @@ static ERR_STRING_DATA DSO_str_reasons[]= void ERR_load_DSO_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(DSO_str_functs[0].error) == NULL) + { ERR_load_strings(0,DSO_str_functs); ERR_load_strings(0,DSO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/ec/ec_asn1.c b/crypto/openssl/crypto/ec/ec_asn1.c index 66ef129293c2..ae555398594b 100644 --- a/crypto/openssl/crypto/ec/ec_asn1.c +++ b/crypto/openssl/crypto/ec/ec_asn1.c @@ -529,6 +529,8 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve) ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE); goto err; } + curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT; if (!ASN1_BIT_STRING_set(curve->seed, group->seed, (int)group->seed_len)) { @@ -1291,6 +1293,8 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) goto err; } + priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT; if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, buf_len)) { diff --git a/crypto/openssl/crypto/ec/ec_err.c b/crypto/openssl/crypto/ec/ec_err.c index 031c54d0b57f..7be315bac926 100644 --- a/crypto/openssl/crypto/ec/ec_err.c +++ b/crypto/openssl/crypto/ec/ec_err.c @@ -227,15 +227,12 @@ static ERR_STRING_DATA EC_str_reasons[]= void ERR_load_EC_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(EC_str_functs[0].error) == NULL) + { ERR_load_strings(0,EC_str_functs); ERR_load_strings(0,EC_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/ecdh/ech_err.c b/crypto/openssl/crypto/ecdh/ech_err.c index 626f49ba330b..4d2ede75bd37 100644 --- a/crypto/openssl/crypto/ecdh/ech_err.c +++ b/crypto/openssl/crypto/ecdh/ech_err.c @@ -71,7 +71,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= { {ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, -{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"}, +{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_NEW_METHOD"}, {0,NULL} }; @@ -87,15 +87,12 @@ static ERR_STRING_DATA ECDH_str_reasons[]= void ERR_load_ECDH_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(ECDH_str_functs[0].error) == NULL) + { ERR_load_strings(0,ECDH_str_functs); ERR_load_strings(0,ECDH_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/ecdh/ech_lib.c b/crypto/openssl/crypto/ecdh/ech_lib.c index 01e75e2a5c0c..e89b1d477287 100644 --- a/crypto/openssl/crypto/ecdh/ech_lib.c +++ b/crypto/openssl/crypto/ecdh/ech_lib.c @@ -74,7 +74,7 @@ #endif #include -const char *ECDH_version="ECDH" OPENSSL_VERSION_PTEXT; +const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; static const ECDH_METHOD *default_ECDH_method = NULL; diff --git a/crypto/openssl/crypto/ecdsa/ecdsa.h b/crypto/openssl/crypto/ecdsa/ecdsa.h index 76c5a4aa2ae0..f20c8ee7381e 100644 --- a/crypto/openssl/crypto/ecdsa/ecdsa.h +++ b/crypto/openssl/crypto/ecdsa/ecdsa.h @@ -261,6 +261,7 @@ void ERR_load_ECDSA_strings(void); #define ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 101 #define ECDSA_R_ERR_EC_LIB 102 #define ECDSA_R_MISSING_PARAMETERS 103 +#define ECDSA_R_NEED_NEW_SETUP_VALUES 106 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104 #define ECDSA_R_SIGNATURE_MALLOC_FAILED 105 diff --git a/crypto/openssl/crypto/ecdsa/ecs_err.c b/crypto/openssl/crypto/ecdsa/ecs_err.c index 90f1942e79fd..d2a53730ea5f 100644 --- a/crypto/openssl/crypto/ecdsa/ecs_err.c +++ b/crypto/openssl/crypto/ecdsa/ecs_err.c @@ -70,7 +70,7 @@ static ERR_STRING_DATA ECDSA_str_functs[]= { -{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_new_method"}, +{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_NEW_METHOD"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN), "ECDSA_do_sign"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"}, {ERR_FUNC(ECDSA_F_ECDSA_SIGN_SETUP), "ECDSA_sign_setup"}, @@ -83,6 +83,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= {ERR_REASON(ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, {ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"}, {ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"}, +{ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"}, {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"}, {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"}, {0,NULL} @@ -92,15 +93,12 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= void ERR_load_ECDSA_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(ECDSA_str_functs[0].error) == NULL) + { ERR_load_strings(0,ECDSA_str_functs); ERR_load_strings(0,ECDSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/ecdsa/ecs_lib.c b/crypto/openssl/crypto/ecdsa/ecs_lib.c index 1fb9bc9600c8..85e8a3a7ed9b 100644 --- a/crypto/openssl/crypto/ecdsa/ecs_lib.c +++ b/crypto/openssl/crypto/ecdsa/ecs_lib.c @@ -61,7 +61,7 @@ #include #include -const char *ECDSA_version="ECDSA" OPENSSL_VERSION_PTEXT; +const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; static const ECDSA_METHOD *default_ECDSA_method = NULL; diff --git a/crypto/openssl/crypto/ecdsa/ecs_ossl.c b/crypto/openssl/crypto/ecdsa/ecs_ossl.c index 8be45ddc9369..32d66a97741d 100644 --- a/crypto/openssl/crypto/ecdsa/ecs_ossl.c +++ b/crypto/openssl/crypto/ecdsa/ecs_ossl.c @@ -299,8 +299,21 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } + if (BN_is_zero(s)) + { + /* if kinv and r have been supplied by the caller + * don't to generate new kinv and r values */ + if (in_kinv != NULL && in_r != NULL) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } + else + /* s != 0 => we have a valid signature */ + break; } - while (BN_is_zero(s)); + while (1); ok = 1; err: diff --git a/crypto/openssl/crypto/engine/eng_all.c b/crypto/openssl/crypto/engine/eng_all.c index 86b2f9a1c33b..8599046717a5 100644 --- a/crypto/openssl/crypto/engine/eng_all.c +++ b/crypto/openssl/crypto/engine/eng_all.c @@ -67,6 +67,9 @@ void ENGINE_load_builtin_engines(void) * *no* builtin implementations). */ #if 0 ENGINE_load_openssl(); +#endif +#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + ENGINE_load_padlock(); #endif ENGINE_load_dynamic(); #ifndef OPENSSL_NO_STATIC_ENGINE @@ -95,16 +98,15 @@ void ENGINE_load_builtin_engines(void) #ifndef OPENSSL_NO_HW_UBSEC ENGINE_load_ubsec(); #endif -#ifndef OPENSSL_NO_HW_PADLOCK - ENGINE_load_padlock(); -#endif -#endif -#if defined(__OpenBSD__) || defined(__FreeBSD__) - ENGINE_load_cryptodev(); #endif #if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP) ENGINE_load_gmp(); #endif +#endif +#ifndef OPENSSL_NO_HW +#if defined(__OpenBSD__) || defined(__FreeBSD__) + ENGINE_load_cryptodev(); +#endif #endif } diff --git a/crypto/openssl/crypto/engine/eng_err.c b/crypto/openssl/crypto/engine/eng_err.c index 62db507ce29d..369f2e22d3bc 100644 --- a/crypto/openssl/crypto/engine/eng_err.c +++ b/crypto/openssl/crypto/engine/eng_err.c @@ -157,15 +157,12 @@ static ERR_STRING_DATA ENGINE_str_reasons[]= void ERR_load_ENGINE_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(ENGINE_str_functs[0].error) == NULL) + { ERR_load_strings(0,ENGINE_str_functs); ERR_load_strings(0,ENGINE_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/engine/eng_padlock.c b/crypto/openssl/crypto/engine/eng_padlock.c index 8d92af6f8bd2..e1d66eac58ad 100644 --- a/crypto/openssl/crypto/engine/eng_padlock.c +++ b/crypto/openssl/crypto/engine/eng_padlock.c @@ -436,8 +436,8 @@ static inline void *name(size_t cnt, \ rep_xcrypt "\n" \ " popl %%ebx" \ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \ - : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ - : "edx", "cc"); \ + : "0"(cdata), "1"(cnt), "2"(out), "3"(inp), "m"(*cdata) \ + : "edx", "cc", "memory"); \ return iv; \ } diff --git a/crypto/openssl/crypto/engine/tb_ecdh.c b/crypto/openssl/crypto/engine/tb_ecdh.c index 59977f7dd0a6..c8ec7812c55f 100644 --- a/crypto/openssl/crypto/engine/tb_ecdh.c +++ b/crypto/openssl/crypto/engine/tb_ecdh.c @@ -107,7 +107,7 @@ int ENGINE_set_default_ECDH(ENGINE *e) { if(e->ecdh_meth) return engine_table_register(&ecdh_table, - engine_unregister_all_ECDH, e, &dummy_nid, 1, 0); + engine_unregister_all_ECDH, e, &dummy_nid, 1, 1); return 1; } diff --git a/crypto/openssl/crypto/engine/tb_ecdsa.c b/crypto/openssl/crypto/engine/tb_ecdsa.c index e30b02e8c59b..005ecb622c21 100644 --- a/crypto/openssl/crypto/engine/tb_ecdsa.c +++ b/crypto/openssl/crypto/engine/tb_ecdsa.c @@ -92,7 +92,7 @@ int ENGINE_set_default_ECDSA(ENGINE *e) { if(e->ecdsa_meth) return engine_table_register(&ecdsa_table, - engine_unregister_all_ECDSA, e, &dummy_nid, 1, 0); + engine_unregister_all_ECDSA, e, &dummy_nid, 1, 1); return 1; } diff --git a/crypto/openssl/crypto/err/err_all.c b/crypto/openssl/crypto/err/err_all.c index bfb4c1ab12ba..c33d24bb68c6 100644 --- a/crypto/openssl/crypto/err/err_all.c +++ b/crypto/openssl/crypto/err/err_all.c @@ -97,10 +97,6 @@ void ERR_load_crypto_strings(void) { - static int done=0; - - if (done) return; - done=1; #ifndef OPENSSL_NO_ERR ERR_load_ERR_strings(); /* include error strings for SYSerr */ ERR_load_BN_strings(); diff --git a/crypto/openssl/crypto/evp/bio_md.c b/crypto/openssl/crypto/evp/bio_md.c index 76ff9fe815a0..d648ac6da6ba 100644 --- a/crypto/openssl/crypto/evp/bio_md.c +++ b/crypto/openssl/crypto/evp/bio_md.c @@ -200,6 +200,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) else ret=0; break; + case BIO_C_SET_MD_CTX: + if (b->init) + b->ptr=ptr; + else + ret=0; + break; case BIO_C_DO_STATE_MACHINE: BIO_clear_retry_flags(b); ret=BIO_ctrl(b->next_bio,cmd,num,ptr); diff --git a/crypto/openssl/crypto/evp/evp.h b/crypto/openssl/crypto/evp/evp.h index 1b09bd8dfe04..636f426c6996 100644 --- a/crypto/openssl/crypto/evp/evp.h +++ b/crypto/openssl/crypto/evp/evp.h @@ -429,36 +429,36 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) -#define EVP_MD_type(e) ((e)->type) +int EVP_MD_type(const EVP_MD *md); #define EVP_MD_nid(e) EVP_MD_type(e) #define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_nid(e)) -#define EVP_MD_pkey_type(e) ((e)->pkey_type) -#define EVP_MD_size(e) ((e)->md_size) -#define EVP_MD_block_size(e) ((e)->block_size) +int EVP_MD_pkey_type(const EVP_MD *md); +int EVP_MD_size(const EVP_MD *md); +int EVP_MD_block_size(const EVP_MD *md); -#define EVP_MD_CTX_md(e) ((e)->digest) -#define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) -#define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) -#define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) +const EVP_MD * EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +#define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) +#define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) +#define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e)) -#define EVP_CIPHER_nid(e) ((e)->nid) +int EVP_CIPHER_nid(const EVP_CIPHER *cipher); #define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) -#define EVP_CIPHER_block_size(e) ((e)->block_size) -#define EVP_CIPHER_key_length(e) ((e)->key_len) -#define EVP_CIPHER_iv_length(e) ((e)->iv_len) -#define EVP_CIPHER_flags(e) ((e)->flags) -#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) +int EVP_CIPHER_block_size(const EVP_CIPHER *cipher); +int EVP_CIPHER_key_length(const EVP_CIPHER *cipher); +int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher); +unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher); +#define EVP_CIPHER_mode(e) (EVP_CIPHER_flags(e) & EVP_CIPH_MODE) -#define EVP_CIPHER_CTX_cipher(e) ((e)->cipher) -#define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid) -#define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size) -#define EVP_CIPHER_CTX_key_length(e) ((e)->key_len) -#define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len) -#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) -#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) +const EVP_CIPHER * EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); +void * EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); +void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) -#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) -#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) +unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); +#define EVP_CIPHER_CTX_mode(e) (EVP_CIPHER_CTX_flags(e) & EVP_CIPH_MODE) #define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) #define EVP_DECODE_LENGTH(l) ((l+3)/4*3+80) @@ -479,10 +479,14 @@ void BIO_set_md(BIO *,const EVP_MD *md); #endif #define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp) #define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp) +#define BIO_set_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp) #define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL) #define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp) -#define EVP_Cipher(c,o,i,l) (c)->cipher->do_cipher((c),(o),(i),(l)) +int EVP_Cipher(EVP_CIPHER_CTX *c, + unsigned char *out, + const unsigned char *in, + unsigned int inl); #define EVP_add_cipher_alias(n,alias) \ OBJ_NAME_add((alias),OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS,(n)) @@ -498,9 +502,9 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); -#define EVP_MD_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs)) -#define EVP_MD_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs)) -#define EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs)) +void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); +void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); +int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx,int flags); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d, size_t cnt); diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index f0b725def6df..a1904993bf76 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -66,7 +66,7 @@ #endif #include "evp_locl.h" -const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT; +const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { diff --git a/crypto/openssl/crypto/evp/evp_err.c b/crypto/openssl/crypto/evp/evp_err.c index cb6d9fac2e9f..e8c9e8de9ca7 100644 --- a/crypto/openssl/crypto/evp/evp_err.c +++ b/crypto/openssl/crypto/evp/evp_err.c @@ -163,15 +163,12 @@ static ERR_STRING_DATA EVP_str_reasons[]= void ERR_load_EVP_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(EVP_str_functs[0].error) == NULL) + { ERR_load_strings(0,EVP_str_functs); ERR_load_strings(0,EVP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/evp/evp_lib.c b/crypto/openssl/crypto/evp/evp_lib.c index 36213964dd83..f92db23af649 100644 --- a/crypto/openssl/crypto/evp/evp_lib.c +++ b/crypto/openssl/crypto/evp/evp_lib.c @@ -168,3 +168,112 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) } } +int EVP_CIPHER_block_size(const EVP_CIPHER *e) + { + return e->block_size; + } + +int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->block_size; + } + +int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) + { + return ctx->cipher->do_cipher(ctx,out,in,inl); + } + +const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher; + } + +unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) + { + return cipher->flags; + } + +unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->flags; + } + +void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) + { + return ctx->app_data; + } + +void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) + { + ctx->app_data = data; + } + +int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) + { + return cipher->iv_len; + } + +int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->iv_len; + } + +int EVP_CIPHER_key_length(const EVP_CIPHER *cipher) + { + return cipher->key_len; + } + +int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->key_len; + } + +int EVP_CIPHER_nid(const EVP_CIPHER *cipher) + { + return cipher->nid; + } + +int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->nid; + } + +int EVP_MD_block_size(const EVP_MD *md) + { + return md->block_size; + } + +int EVP_MD_type(const EVP_MD *md) + { + return md->type; + } + +int EVP_MD_pkey_type(const EVP_MD *md) + { + return md->pkey_type; + } + +int EVP_MD_size(const EVP_MD *md) + { + return md->md_size; + } + +const EVP_MD * EVP_MD_CTX_md(const EVP_MD_CTX *ctx) + { + return ctx->digest; + } + +void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags) + { + ctx->flags |= flags; + } + +void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags) + { + ctx->flags &= ~flags; + } + +int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags) + { + return (ctx->flags & flags); + } diff --git a/crypto/openssl/crypto/evp/evp_locl.h b/crypto/openssl/crypto/evp/evp_locl.h index 2204e345ad1a..20139d20e41a 100644 --- a/crypto/openssl/crypto/evp/evp_locl.h +++ b/crypto/openssl/crypto/evp/evp_locl.h @@ -65,7 +65,7 @@ bl = ctx->cipher->block_size;\ if(inl < bl) return 1;\ inl -= bl; \ - for(i=0; i <= inl; i+=bl) \ + for(i=0; i <= inl; i+=bl) #define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \ static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ diff --git a/crypto/openssl/crypto/idea/i_ecb.c b/crypto/openssl/crypto/idea/i_ecb.c index fb613db595c4..fef38230a7d1 100644 --- a/crypto/openssl/crypto/idea/i_ecb.c +++ b/crypto/openssl/crypto/idea/i_ecb.c @@ -60,7 +60,7 @@ #include "idea_lcl.h" #include -const char *IDEA_version="IDEA" OPENSSL_VERSION_PTEXT; +const char IDEA_version[]="IDEA" OPENSSL_VERSION_PTEXT; const char *idea_options(void) { diff --git a/crypto/openssl/crypto/idea/idea_lcl.h b/crypto/openssl/crypto/idea/idea_lcl.h index 463aa36ce9c0..f3dbfa67e9ed 100644 --- a/crypto/openssl/crypto/idea/idea_lcl.h +++ b/crypto/openssl/crypto/idea/idea_lcl.h @@ -67,7 +67,7 @@ if (ul != 0) \ r-=((r)>>16); \ } \ else \ - r=(-(int)a-b+1); /* assuming a or b is 0 and in range */ \ + r=(-(int)a-b+1); /* assuming a or b is 0 and in range */ #ifdef undef #define idea_mul(r,a,b,ul,sl) \ diff --git a/crypto/openssl/crypto/lhash/lhash.c b/crypto/openssl/crypto/lhash/lhash.c index 55cb05579bc7..04ea80203cc8 100644 --- a/crypto/openssl/crypto/lhash/lhash.c +++ b/crypto/openssl/crypto/lhash/lhash.c @@ -100,7 +100,7 @@ #include #include -const char *lh_version="lhash" OPENSSL_VERSION_PTEXT; +const char lh_version[]="lhash" OPENSSL_VERSION_PTEXT; #undef MIN_NODES #define MIN_NODES 16 diff --git a/crypto/openssl/crypto/md2/md2.h b/crypto/openssl/crypto/md2/md2.h index 5b71855cb2e4..a46120e7d418 100644 --- a/crypto/openssl/crypto/md2/md2.h +++ b/crypto/openssl/crypto/md2/md2.h @@ -63,6 +63,7 @@ #ifdef OPENSSL_NO_MD2 #error MD2 is disabled. #endif +#include #define MD2_DIGEST_LENGTH 16 #define MD2_BLOCK 16 diff --git a/crypto/openssl/crypto/md2/md2_dgst.c b/crypto/openssl/crypto/md2/md2_dgst.c index 15e77d60be17..6f68b25c6a8f 100644 --- a/crypto/openssl/crypto/md2/md2_dgst.c +++ b/crypto/openssl/crypto/md2/md2_dgst.c @@ -63,7 +63,7 @@ #include #include -const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; +const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1319 The MD2 Message-Digest Algorithm */ diff --git a/crypto/openssl/crypto/md4/md4.h b/crypto/openssl/crypto/md4/md4.h index b080cbdc2140..5598c93a4fea 100644 --- a/crypto/openssl/crypto/md4/md4.h +++ b/crypto/openssl/crypto/md4/md4.h @@ -60,6 +60,7 @@ #define HEADER_MD4_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl/crypto/md4/md4_dgst.c b/crypto/openssl/crypto/md4/md4_dgst.c index d4c7057f13b5..86b79b8e4d45 100644 --- a/crypto/openssl/crypto/md4/md4_dgst.c +++ b/crypto/openssl/crypto/md4/md4_dgst.c @@ -60,7 +60,7 @@ #include "md4_locl.h" #include -const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT; +const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1186 The MD4 Message-Digest Algorithm */ diff --git a/crypto/openssl/crypto/md5/md5.h b/crypto/openssl/crypto/md5/md5.h index 6d283fe9dac8..dbdc0e1abc7e 100644 --- a/crypto/openssl/crypto/md5/md5.h +++ b/crypto/openssl/crypto/md5/md5.h @@ -60,6 +60,7 @@ #define HEADER_MD5_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl/crypto/md5/md5_dgst.c b/crypto/openssl/crypto/md5/md5_dgst.c index f97f48e55bb8..953f0496f69c 100644 --- a/crypto/openssl/crypto/md5/md5_dgst.c +++ b/crypto/openssl/crypto/md5/md5_dgst.c @@ -60,7 +60,7 @@ #include "md5_locl.h" #include -const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT; +const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1321 The MD5 Message-Digest Algorithm */ diff --git a/crypto/openssl/crypto/objects/obj_dat.h b/crypto/openssl/crypto/objects/obj_dat.h index 78439a33c823..a116bb7f28ab 100644 --- a/crypto/openssl/crypto/objects/obj_dat.h +++ b/crypto/openssl/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 769 -#define NUM_SN 765 -#define NUM_LN 765 -#define NUM_OBJ 721 +#define NUM_NID 772 +#define NUM_SN 768 +#define NUM_LN 768 +#define NUM_OBJ 724 -static unsigned char lvalues[5107]={ +static unsigned char lvalues[5116]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -789,6 +789,9 @@ static unsigned char lvalues[5107]={ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03, /* [5082] OBJ_camellia_128_ofb128 */ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17, /* [5090] OBJ_camellia_192_ofb128 */ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B, /* [5098] OBJ_camellia_256_ofb128 */ +0x55,0x1D,0x09, /* [5106] OBJ_subject_directory_attributes */ +0x55,0x1D,0x1C, /* [5109] OBJ_issuing_distribution_point */ +0x55,0x1D,0x1D, /* [5112] OBJ_certificate_issuer */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1987,6 +1990,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[5090]),0}, {"CAMELLIA-256-OFB","camellia-256-ofb",NID_camellia_256_ofb128,8, &(lvalues[5098]),0}, +{"subjectDirectoryAttributes","X509v3 Subject Directory Attributes", + NID_subject_directory_attributes,3,&(lvalues[5106]),0}, +{"issuingDistributionPoint","X509v3 Issuing Distrubution Point", + NID_issuing_distribution_point,3,&(lvalues[5109]),0}, +{"certificateIssuer","X509v3 Certificate Issuer", + NID_certificate_issuer,3,&(lvalues[5112]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2203,6 +2212,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */ &(nid_objs[152]),/* "certBag" */ &(nid_objs[677]),/* "certicom-arc" */ +&(nid_objs[771]),/* "certificateIssuer" */ &(nid_objs[89]),/* "certificatePolicies" */ &(nid_objs[54]),/* "challengePassword" */ &(nid_objs[407]),/* "characteristic-two-field" */ @@ -2442,6 +2452,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[295]),/* "ipsecTunnel" */ &(nid_objs[296]),/* "ipsecUser" */ &(nid_objs[86]),/* "issuerAltName" */ +&(nid_objs[770]),/* "issuingDistributionPoint" */ &(nid_objs[492]),/* "janetMailbox" */ &(nid_objs[150]),/* "keyBag" */ &(nid_objs[83]),/* "keyUsage" */ @@ -2723,6 +2734,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[387]),/* "snmpv2" */ &(nid_objs[660]),/* "streetAddress" */ &(nid_objs[85]),/* "subjectAltName" */ +&(nid_objs[769]),/* "subjectDirectoryAttributes" */ &(nid_objs[398]),/* "subjectInfoAccess" */ &(nid_objs[82]),/* "subjectKeyIdentifier" */ &(nid_objs[498]),/* "subtreeMaximumQuality" */ @@ -2852,11 +2864,13 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[103]),/* "X509v3 CRL Distribution Points" */ &(nid_objs[88]),/* "X509v3 CRL Number" */ &(nid_objs[141]),/* "X509v3 CRL Reason Code" */ +&(nid_objs[771]),/* "X509v3 Certificate Issuer" */ &(nid_objs[89]),/* "X509v3 Certificate Policies" */ &(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[748]),/* "X509v3 Inhibit Any Policy" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ +&(nid_objs[770]),/* "X509v3 Issuing Distrubution Point" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ &(nid_objs[666]),/* "X509v3 Name Constraints" */ &(nid_objs[403]),/* "X509v3 No Revocation Available" */ @@ -2864,6 +2878,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[747]),/* "X509v3 Policy Mappings" */ &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */ &(nid_objs[85]),/* "X509v3 Subject Alternative Name" */ +&(nid_objs[769]),/* "X509v3 Subject Directory Attributes" */ &(nid_objs[82]),/* "X509v3 Subject Key Identifier" */ &(nid_objs[184]),/* "X9.57" */ &(nid_objs[185]),/* "X9.57 CM ?" */ @@ -3569,6 +3584,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[174]),/* OBJ_dnQualifier 2 5 4 46 */ &(nid_objs[510]),/* OBJ_pseudonym 2 5 4 65 */ &(nid_objs[400]),/* OBJ_role 2 5 4 72 */ +&(nid_objs[769]),/* OBJ_subject_directory_attributes 2 5 29 9 */ &(nid_objs[82]),/* OBJ_subject_key_identifier 2 5 29 14 */ &(nid_objs[83]),/* OBJ_key_usage 2 5 29 15 */ &(nid_objs[84]),/* OBJ_private_key_usage_period 2 5 29 16 */ @@ -3580,6 +3596,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[430]),/* OBJ_hold_instruction_code 2 5 29 23 */ &(nid_objs[142]),/* OBJ_invalidity_date 2 5 29 24 */ &(nid_objs[140]),/* OBJ_delta_crl 2 5 29 27 */ +&(nid_objs[770]),/* OBJ_issuing_distribution_point 2 5 29 28 */ +&(nid_objs[771]),/* OBJ_certificate_issuer 2 5 29 29 */ &(nid_objs[666]),/* OBJ_name_constraints 2 5 29 30 */ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ diff --git a/crypto/openssl/crypto/objects/obj_err.c b/crypto/openssl/crypto/objects/obj_err.c index 0682979b3815..12b48850c6bc 100644 --- a/crypto/openssl/crypto/objects/obj_err.c +++ b/crypto/openssl/crypto/objects/obj_err.c @@ -91,15 +91,12 @@ static ERR_STRING_DATA OBJ_str_reasons[]= void ERR_load_OBJ_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(OBJ_str_functs[0].error) == NULL) + { ERR_load_strings(0,OBJ_str_functs); ERR_load_strings(0,OBJ_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/objects/obj_mac.h b/crypto/openssl/crypto/objects/obj_mac.h index df4ad903f98b..f447bbe69af8 100644 --- a/crypto/openssl/crypto/objects/obj_mac.h +++ b/crypto/openssl/crypto/objects/obj_mac.h @@ -2044,6 +2044,11 @@ #define NID_id_ce 81 #define OBJ_id_ce OBJ_X500,29L +#define SN_subject_directory_attributes "subjectDirectoryAttributes" +#define LN_subject_directory_attributes "X509v3 Subject Directory Attributes" +#define NID_subject_directory_attributes 769 +#define OBJ_subject_directory_attributes OBJ_id_ce,9L + #define SN_subject_key_identifier "subjectKeyIdentifier" #define LN_subject_key_identifier "X509v3 Subject Key Identifier" #define NID_subject_key_identifier 82 @@ -2094,6 +2099,16 @@ #define NID_delta_crl 140 #define OBJ_delta_crl OBJ_id_ce,27L +#define SN_issuing_distribution_point "issuingDistributionPoint" +#define LN_issuing_distribution_point "X509v3 Issuing Distrubution Point" +#define NID_issuing_distribution_point 770 +#define OBJ_issuing_distribution_point OBJ_id_ce,28L + +#define SN_certificate_issuer "certificateIssuer" +#define LN_certificate_issuer "X509v3 Certificate Issuer" +#define NID_certificate_issuer 771 +#define OBJ_certificate_issuer OBJ_id_ce,29L + #define SN_name_constraints "nameConstraints" #define LN_name_constraints "X509v3 Name Constraints" #define NID_name_constraints 666 diff --git a/crypto/openssl/crypto/objects/obj_mac.num b/crypto/openssl/crypto/objects/obj_mac.num index fb9fbb915e02..eaa01787613c 100644 --- a/crypto/openssl/crypto/objects/obj_mac.num +++ b/crypto/openssl/crypto/objects/obj_mac.num @@ -766,3 +766,6 @@ camellia_256_cfb8 765 camellia_128_ofb128 766 camellia_192_ofb128 767 camellia_256_ofb128 768 +subject_directory_attributes 769 +issuing_distribution_point 770 +certificate_issuer 771 diff --git a/crypto/openssl/crypto/objects/objects.txt b/crypto/openssl/crypto/objects/objects.txt index a73128023b69..1ba517a8eb3f 100644 --- a/crypto/openssl/crypto/objects/objects.txt +++ b/crypto/openssl/crypto/objects/objects.txt @@ -657,6 +657,8 @@ X500algorithms 3 100 : RSA-MDC2 : mdc2WithRSA X500algorithms 3 101 : MDC2 : mdc2 X500 29 : id-ce +!Cname subject-directory-attributes +id-ce 9 : subjectDirectoryAttributes : X509v3 Subject Directory Attributes !Cname subject-key-identifier id-ce 14 : subjectKeyIdentifier : X509v3 Subject Key Identifier !Cname key-usage @@ -677,6 +679,10 @@ id-ce 21 : CRLReason : X509v3 CRL Reason Code id-ce 24 : invalidityDate : Invalidity Date !Cname delta-crl id-ce 27 : deltaCRL : X509v3 Delta CRL Indicator +!Cname issuing-distribution-point +id-ce 28 : issuingDistributionPoint : X509v3 Issuing Distrubution Point +!Cname certificate-issuer +id-ce 29 : certificateIssuer : X509v3 Certificate Issuer !Cname name-constraints id-ce 30 : nameConstraints : X509v3 Name Constraints !Cname crl-distribution-points diff --git a/crypto/openssl/crypto/ocsp/ocsp_asn.c b/crypto/openssl/crypto/ocsp/ocsp_asn.c index 6a3a360d5449..39b7a1c56871 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_asn.c +++ b/crypto/openssl/crypto/ocsp/ocsp_asn.c @@ -62,7 +62,7 @@ ASN1_SEQUENCE(OCSP_SIGNATURE) = { ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING), - ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0) + ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0) } ASN1_SEQUENCE_END(OCSP_SIGNATURE) IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE) diff --git a/crypto/openssl/crypto/ocsp/ocsp_err.c b/crypto/openssl/crypto/ocsp/ocsp_err.c index 2c8ed7288486..ad62364f298e 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_err.c +++ b/crypto/openssl/crypto/ocsp/ocsp_err.c @@ -129,15 +129,12 @@ static ERR_STRING_DATA OCSP_str_reasons[]= void ERR_load_OCSP_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) + { ERR_load_strings(0,OCSP_str_functs); ERR_load_strings(0,OCSP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/ocsp/ocsp_vfy.c b/crypto/openssl/crypto/ocsp/ocsp_vfy.c index 3d58dfb06cf3..23ea41c847bf 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_vfy.c +++ b/crypto/openssl/crypto/ocsp/ocsp_vfy.c @@ -367,7 +367,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *st return 0; } gen = req->tbsRequest->requestorName; - if (gen->type != GEN_DIRNAME) + if (!gen || gen->type != GEN_DIRNAME) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); return 0; diff --git a/crypto/openssl/crypto/opensslconf.h b/crypto/openssl/crypto/opensslconf.h index 91f14d80206b..4620e0e530e4 100644 --- a/crypto/openssl/crypto/opensslconf.h +++ b/crypto/openssl/crypto/opensslconf.h @@ -19,6 +19,9 @@ #ifndef OPENSSL_NO_RC5 # define OPENSSL_NO_RC5 #endif +#ifndef OPENSSL_NO_RFC3779 +# define OPENSSL_NO_RFC3779 +#endif #endif /* OPENSSL_DOING_MAKEDEPEND */ #ifndef OPENSSL_NO_DYNAMIC_ENGINE @@ -45,6 +48,9 @@ # if defined(OPENSSL_NO_RC5) && !defined(NO_RC5) # define NO_RC5 # endif +# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779) +# define NO_RFC3779 +# endif #endif /* crypto/opensslconf.h.in */ diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index beedc1928575..8a5b34e4f077 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090804f +#define OPENSSL_VERSION_NUMBER 0x0090805fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8d-fips 28 Sep 2006" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8e-fips 23 Feb 2007" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8d 28 Sep 2006" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8e 23 Feb 2007" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/pem.h b/crypto/openssl/crypto/pem/pem.h index 7db6b423d06b..c28706ddc033 100644 --- a/crypto/openssl/crypto/pem/pem.h +++ b/crypto/openssl/crypto/pem/pem.h @@ -221,7 +221,7 @@ typedef struct pem_ctx_st type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u)\ { \ return(((type *(*)(D2I_OF(type),char *,FILE *,type **,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_read))(d2i_##asn1, str,fp,x,cb,u)); \ -} \ +} #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \ int PEM_write_##name(FILE *fp, type *x) \ diff --git a/crypto/openssl/crypto/pem/pem_err.c b/crypto/openssl/crypto/pem/pem_err.c index 7837cde1537f..3133563d77b7 100644 --- a/crypto/openssl/crypto/pem/pem_err.c +++ b/crypto/openssl/crypto/pem/pem_err.c @@ -124,15 +124,12 @@ static ERR_STRING_DATA PEM_str_reasons[]= void ERR_load_PEM_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(PEM_str_functs[0].error) == NULL) + { ERR_load_strings(0,PEM_str_functs); ERR_load_strings(0,PEM_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index 7cfc2f3e0a85..9bae4c8850c7 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -69,7 +69,7 @@ #include #endif -const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT; +const char PEM_version[]="PEM" OPENSSL_VERSION_PTEXT; #define MIN_LENGTH 4 @@ -579,6 +579,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, } EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || @@ -587,8 +588,10 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; return(i+outl); err: - if (buf) + if (buf) { + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); + } PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } diff --git a/crypto/openssl/crypto/pem/pem_pkey.c b/crypto/openssl/crypto/pem/pem_pkey.c index 2162a45323e5..4da4c31ce5fa 100644 --- a/crypto/openssl/crypto/pem/pem_pkey.c +++ b/crypto/openssl/crypto/pem/pem_pkey.c @@ -125,6 +125,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,ERR_R_ASN1_LIB); err: OPENSSL_free(nm); + OPENSSL_cleanse(data, len); OPENSSL_free(data); return(ret); } diff --git a/crypto/openssl/crypto/pkcs12/pk12err.c b/crypto/openssl/crypto/pkcs12/pk12err.c index 5c92cb08e0c7..07a1fb6907b1 100644 --- a/crypto/openssl/crypto/pkcs12/pk12err.c +++ b/crypto/openssl/crypto/pkcs12/pk12err.c @@ -133,15 +133,12 @@ static ERR_STRING_DATA PKCS12_str_reasons[]= void ERR_load_PKCS12_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) + { ERR_load_strings(0,PKCS12_str_functs); ERR_load_strings(0,PKCS12_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index a4bbba0556c6..a03d7ebedf19 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -217,7 +217,9 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) keylen=EVP_CIPHER_key_length(evp_cipher); ivlen=EVP_CIPHER_iv_length(evp_cipher); xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); - if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen); + if (ivlen > 0) + if (RAND_pseudo_bytes(iv,ivlen) <= 0) + goto err; if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) goto err; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) @@ -226,10 +228,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) goto err; if (ivlen > 0) { - if (xalg->parameter == NULL) - xalg->parameter=ASN1_TYPE_new(); + if (xalg->parameter == NULL) { + xalg->parameter = ASN1_TYPE_new(); + if (xalg->parameter == NULL) + goto err; + } if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) - goto err; + goto err; } /* Lets do the pub key stuff :-) */ @@ -242,7 +247,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO); goto err; } - pkey=X509_get_pubkey(ri->cert); + if ((pkey=X509_get_pubkey(ri->cert)) == NULL) + goto err; jj=EVP_PKEY_size(pkey); EVP_PKEY_free(pkey); if (max < jj) max=jj; @@ -255,7 +261,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) for (i=0; icert); + if ((pkey=X509_get_pubkey(ri->cert)) == NULL) + goto err; jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey); EVP_PKEY_free(pkey); if (jj <= 0) @@ -291,6 +298,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if(bio == NULL) { bio=BIO_new(BIO_s_mem()); + if (bio == NULL) + goto err; BIO_set_mem_eof_return(bio,0); } } @@ -541,6 +550,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); } + if (bio == NULL) + goto err; #endif } BIO_push(out,bio); @@ -695,9 +706,13 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) ERR_R_MALLOC_FAILURE); goto err; } - PKCS7_add_signed_attribute(si, + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, - V_ASN1_UTCTIME,sign_time); + V_ASN1_UTCTIME,sign_time)) + { + M_ASN1_UTCTIME_free(sign_time); + goto err; + } } /* Add digest */ @@ -714,11 +729,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); + M_ASN1_OCTET_STRING_free(digest); goto err; } - PKCS7_add_signed_attribute(si, + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest, - V_ASN1_OCTET_STRING,digest); + V_ASN1_OCTET_STRING,digest)) + { + M_ASN1_OCTET_STRING_free(digest); + goto err; + } /* Now sign the attributes */ EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL); @@ -976,8 +996,13 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) int i; i=OBJ_obj2nid(p7->type); - if (i != NID_pkcs7_signedAndEnveloped) return(NULL); + if (i != NID_pkcs7_signedAndEnveloped) + return NULL; + if (p7->d.signed_and_enveloped == NULL) + return NULL; rsk=p7->d.signed_and_enveloped->recipientinfo; + if (rsk == NULL) + return NULL; ri=sk_PKCS7_RECIP_INFO_value(rsk,0); if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL); ri=sk_PKCS7_RECIP_INFO_value(rsk,idx); @@ -1031,6 +1056,8 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, if (p7si->auth_attr != NULL) sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free); p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk); + if (p7si->auth_attr == NULL) + return 0; for (i=0; iauth_attr,i, @@ -1049,6 +1076,8 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk); + if (p7si->unauth_attr == NULL) + return 0; for (i=0; iunauth_attr,i, @@ -1078,10 +1107,16 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, if (*sk == NULL) { - *sk = sk_X509_ATTRIBUTE_new_null(); + if (!(*sk = sk_X509_ATTRIBUTE_new_null())) + return 0; new_attrib: - attr=X509_ATTRIBUTE_create(nid,atrtype,value); - sk_X509_ATTRIBUTE_push(*sk,attr); + if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) + return 0; + if (!sk_X509_ATTRIBUTE_push(*sk,attr)) + { + X509_ATTRIBUTE_free(attr); + return 0; + } } else { @@ -1094,7 +1129,13 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, { X509_ATTRIBUTE_free(attr); attr=X509_ATTRIBUTE_create(nid,atrtype,value); - sk_X509_ATTRIBUTE_set(*sk,i,attr); + if (attr == NULL) + return 0; + if (!sk_X509_ATTRIBUTE_set(*sk,i,attr)) + { + X509_ATTRIBUTE_free(attr); + return 0; + } goto end; } } diff --git a/crypto/openssl/crypto/pkcs7/pk7_lib.c b/crypto/openssl/crypto/pkcs7/pk7_lib.c index 58ce6791c9ac..f2490941a34d 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_lib.c +++ b/crypto/openssl/crypto/pkcs7/pk7_lib.c @@ -271,16 +271,23 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) if (!j) /* we need to add another algorithm */ { if(!(alg=X509_ALGOR_new()) - || !(alg->parameter = ASN1_TYPE_new())) { + || !(alg->parameter = ASN1_TYPE_new())) + { + X509_ALGOR_free(alg); PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE); return(0); - } + } alg->algorithm=OBJ_nid2obj(nid); alg->parameter->type = V_ASN1_NULL; - sk_X509_ALGOR_push(md_sk,alg); + if (!sk_X509_ALGOR_push(md_sk,alg)) + { + X509_ALGOR_free(alg); + return 0; + } } - sk_PKCS7_SIGNER_INFO_push(signer_sk,psi); + if (!sk_PKCS7_SIGNER_INFO_push(signer_sk,psi)) + return 0; return(1); } @@ -305,8 +312,17 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) if (*sk == NULL) *sk=sk_X509_new_null(); + if (*sk == NULL) + { + PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,ERR_R_MALLOC_FAILURE); + return 0; + } CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); - sk_X509_push(*sk,x509); + if (!sk_X509_push(*sk,x509)) + { + X509_free(x509); + return 0; + } return(1); } @@ -331,9 +347,18 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) if (*sk == NULL) *sk=sk_X509_CRL_new_null(); + if (*sk == NULL) + { + PKCS7err(PKCS7_F_PKCS7_ADD_CRL,ERR_R_MALLOC_FAILURE); + return 0; + } CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL); - sk_X509_CRL_push(*sk,crl); + if (!sk_X509_CRL_push(*sk,crl)) + { + X509_CRL_free(crl); + return 0; + } return(1); } @@ -424,6 +449,7 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, if (!PKCS7_add_signer(p7,si)) goto err; return(si); err: + PKCS7_SIGNER_INFO_free(si); return(NULL); } @@ -468,6 +494,7 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) if (!PKCS7_add_recipient_info(p7,ri)) goto err; return(ri); err: + PKCS7_RECIP_INFO_free(ri); return(NULL); } @@ -490,7 +517,8 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) return(0); } - sk_PKCS7_RECIP_INFO_push(sk,ri); + if (!sk_PKCS7_RECIP_INFO_push(sk,ri)) + return 0; return(1); } diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index dc835e5b8a45..fab85137b789 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -66,10 +66,10 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags) { - PKCS7 *p7; + PKCS7 *p7 = NULL; PKCS7_SIGNER_INFO *si; - BIO *p7bio; - STACK_OF(X509_ALGOR) *smcap; + BIO *p7bio = NULL; + STACK_OF(X509_ALGOR) *smcap = NULL; int i; if(!X509_check_private_key(signcert, pkey)) { @@ -82,48 +82,58 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, return NULL; } - PKCS7_set_type(p7, NID_pkcs7_signed); + if (!PKCS7_set_type(p7, NID_pkcs7_signed)) + goto err; - PKCS7_content_new(p7, NID_pkcs7_data); + if (!PKCS7_content_new(p7, NID_pkcs7_data)) + goto err; - if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { + if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); - PKCS7_free(p7); - return NULL; + goto err; } if(!(flags & PKCS7_NOCERTS)) { - PKCS7_add_certificate(p7, signcert); + if (!PKCS7_add_certificate(p7, signcert)) + goto err; if(certs) for(i = 0; i < sk_X509_num(certs); i++) - PKCS7_add_certificate(p7, sk_X509_value(certs, i)); + if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i))) + goto err; } if(!(flags & PKCS7_NOATTR)) { - PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) + goto err; /* Add SMIMECapabilities */ if(!(flags & PKCS7_NOSMIMECAP)) { if(!(smcap = sk_X509_ALGOR_new_null())) { PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); - PKCS7_free(p7); - return NULL; + goto err; } #ifndef OPENSSL_NO_DES - PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1); + if (!PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1)) + goto err; #endif #ifndef OPENSSL_NO_RC2 - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128); - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64); + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128)) + goto err; + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64)) + goto err; #endif #ifndef OPENSSL_NO_DES - PKCS7_simple_smimecap (smcap, NID_des_cbc, -1); + if (!PKCS7_simple_smimecap (smcap, NID_des_cbc, -1)) + goto err; #endif #ifndef OPENSSL_NO_RC2 - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40); + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40)) + goto err; #endif - PKCS7_add_attrib_smimecap (si, smcap); + if (!PKCS7_add_attrib_smimecap (si, smcap)) + goto err; sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + smcap = NULL; } } @@ -135,22 +145,24 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, if (!(p7bio = PKCS7_dataInit(p7, NULL))) { PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); - PKCS7_free(p7); - return NULL; + goto err; } SMIME_crlf_copy(data, p7bio, flags); - if (!PKCS7_dataFinal(p7,p7bio)) { + if (!PKCS7_dataFinal(p7,p7bio)) { PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN); - PKCS7_free(p7); - BIO_free_all(p7bio); - return NULL; + goto err; } BIO_free_all(p7bio); return p7; +err: + sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + BIO_free_all(p7bio); + PKCS7_free(p7); + return NULL; } int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -262,7 +274,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, tmpin = indata; - p7bio=PKCS7_dataInit(p7,tmpin); + if (!(p7bio=PKCS7_dataInit(p7,tmpin))) + goto err; if(flags & PKCS7_TEXT) { if(!(tmpout = BIO_new(BIO_s_mem()))) { @@ -341,7 +354,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) if(sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) { PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_NO_SIGNERS); - return 0; + return NULL; } if(!(signers = sk_X509_new_null())) { @@ -364,10 +377,13 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) if (!signer) { PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND); sk_X509_free(signers); - return 0; + return NULL; } - sk_X509_push(signers, signer); + if (!sk_X509_push(signers, signer)) { + sk_X509_free(signers); + return NULL; + } } return signers; } @@ -387,7 +403,8 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, return NULL; } - PKCS7_set_type(p7, NID_pkcs7_enveloped); + if (!PKCS7_set_type(p7, NID_pkcs7_enveloped)) + goto err; if(!PKCS7_set_cipher(p7, cipher)) { PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_ERROR_SETTING_CIPHER); goto err; @@ -421,7 +438,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, err: - BIO_free(p7bio); + BIO_free_all(p7bio); PKCS7_free(p7); return NULL; @@ -459,10 +476,13 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */ if(!(tmpbuf = BIO_new(BIO_f_buffer()))) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); + BIO_free_all(tmpmem); return 0; } if(!(bread = BIO_push(tmpbuf, tmpmem))) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); + BIO_free_all(tmpbuf); + BIO_free_all(tmpmem); return 0; } ret = SMIME_text(bread, data); diff --git a/crypto/openssl/crypto/pkcs7/pkcs7err.c b/crypto/openssl/crypto/pkcs7/pkcs7err.c index 4cd293472ff2..c0e3d4cd3336 100644 --- a/crypto/openssl/crypto/pkcs7/pkcs7err.c +++ b/crypto/openssl/crypto/pkcs7/pkcs7err.c @@ -156,15 +156,12 @@ static ERR_STRING_DATA PKCS7_str_reasons[]= void ERR_load_PKCS7_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(PKCS7_str_functs[0].error) == NULL) + { ERR_load_strings(0,PKCS7_str_functs); ERR_load_strings(0,PKCS7_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c index 6e10f6ef6761..9783d0c23e93 100644 --- a/crypto/openssl/crypto/rand/md_rand.c +++ b/crypto/openssl/crypto/rand/md_rand.c @@ -152,7 +152,7 @@ static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */ int rand_predictable=0; #endif -const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT; +const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); static void ssleay_rand_seed(const void *buf, int num); diff --git a/crypto/openssl/crypto/rand/rand_err.c b/crypto/openssl/crypto/rand/rand_err.c index b2f2448b667c..386934dcd186 100644 --- a/crypto/openssl/crypto/rand/rand_err.c +++ b/crypto/openssl/crypto/rand/rand_err.c @@ -85,15 +85,12 @@ static ERR_STRING_DATA RAND_str_reasons[]= void ERR_load_RAND_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(RAND_str_functs[0].error) == NULL) + { ERR_load_strings(0,RAND_str_functs); ERR_load_strings(0,RAND_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/rc2/rc2_ecb.c b/crypto/openssl/crypto/rc2/rc2_ecb.c index d3e8c2718a30..fff86c7af897 100644 --- a/crypto/openssl/crypto/rc2/rc2_ecb.c +++ b/crypto/openssl/crypto/rc2/rc2_ecb.c @@ -60,7 +60,7 @@ #include "rc2_locl.h" #include -const char *RC2_version="RC2" OPENSSL_VERSION_PTEXT; +const char RC2_version[]="RC2" OPENSSL_VERSION_PTEXT; /* RC2 as implemented frm a posting from * Newsgroups: sci.crypt diff --git a/crypto/openssl/crypto/rc4/rc4_skey.c b/crypto/openssl/crypto/rc4/rc4_skey.c index 781ff2d8b9b8..b22c40b0bd06 100644 --- a/crypto/openssl/crypto/rc4/rc4_skey.c +++ b/crypto/openssl/crypto/rc4/rc4_skey.c @@ -60,7 +60,7 @@ #include "rc4_locl.h" #include -const char *RC4_version="RC4" OPENSSL_VERSION_PTEXT; +const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT; const char *RC4_options(void) { diff --git a/crypto/openssl/crypto/ripemd/ripemd.h b/crypto/openssl/crypto/ripemd/ripemd.h index 06bd67183bc3..033a5965b58d 100644 --- a/crypto/openssl/crypto/ripemd/ripemd.h +++ b/crypto/openssl/crypto/ripemd/ripemd.h @@ -60,6 +60,7 @@ #define HEADER_RIPEMD_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl/crypto/ripemd/rmd_dgst.c b/crypto/openssl/crypto/ripemd/rmd_dgst.c index 03a286dfccfa..9608a8fd0e56 100644 --- a/crypto/openssl/crypto/ripemd/rmd_dgst.c +++ b/crypto/openssl/crypto/ripemd/rmd_dgst.c @@ -60,7 +60,7 @@ #include "rmd_locl.h" #include -const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT; +const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT; # ifdef RMD160_ASM void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,size_t num); diff --git a/crypto/openssl/crypto/rsa/rsa_err.c b/crypto/openssl/crypto/rsa/rsa_err.c index da7a4fb4c261..fe3ba1b44bbd 100644 --- a/crypto/openssl/crypto/rsa/rsa_err.c +++ b/crypto/openssl/crypto/rsa/rsa_err.c @@ -100,7 +100,7 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"}, {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, -{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_PRINT_FP"}, +{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, @@ -160,15 +160,12 @@ static ERR_STRING_DATA RSA_str_reasons[]= void ERR_load_RSA_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) + { ERR_load_strings(0,RSA_str_functs); ERR_load_strings(0,RSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c index 66cd15ff6d90..cca32c098df8 100644 --- a/crypto/openssl/crypto/rsa/rsa_lib.c +++ b/crypto/openssl/crypto/rsa/rsa_lib.c @@ -67,7 +67,7 @@ #include #endif -const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; +const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; static const RSA_METHOD *default_RSA_meth=NULL; diff --git a/crypto/openssl/crypto/sha/sha.h b/crypto/openssl/crypto/sha/sha.h index a83bd3cace3d..eed44d7f9465 100644 --- a/crypto/openssl/crypto/sha/sha.h +++ b/crypto/openssl/crypto/sha/sha.h @@ -60,6 +60,7 @@ #define HEADER_SHA_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl/crypto/sha/sha1dgst.c b/crypto/openssl/crypto/sha/sha1dgst.c index 447ce53e17ee..50d1925cdeb2 100644 --- a/crypto/openssl/crypto/sha/sha1dgst.c +++ b/crypto/openssl/crypto/sha/sha1dgst.c @@ -64,7 +64,7 @@ #include -const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT; +const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; /* The implementation is in ../md32_common.h */ diff --git a/crypto/openssl/crypto/sha/sha256.c b/crypto/openssl/crypto/sha/sha256.c index bbc20da0e97f..05ae9445db11 100644 --- a/crypto/openssl/crypto/sha/sha256.c +++ b/crypto/openssl/crypto/sha/sha256.c @@ -14,7 +14,7 @@ #include #include -const char *SHA256_version="SHA-256" OPENSSL_VERSION_PTEXT; +const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT; int SHA224_Init (SHA256_CTX *c) { diff --git a/crypto/openssl/crypto/sha/sha512.c b/crypto/openssl/crypto/sha/sha512.c index f965cff692cd..39d18b8fb46e 100644 --- a/crypto/openssl/crypto/sha/sha512.c +++ b/crypto/openssl/crypto/sha/sha512.c @@ -50,7 +50,7 @@ #include "cryptlib.h" -const char *SHA512_version="SHA-512" OPENSSL_VERSION_PTEXT; +const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT; #if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64) #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA diff --git a/crypto/openssl/crypto/sha/sha_dgst.c b/crypto/openssl/crypto/sha/sha_dgst.c index 60465d0c3e93..70eb56032c38 100644 --- a/crypto/openssl/crypto/sha/sha_dgst.c +++ b/crypto/openssl/crypto/sha/sha_dgst.c @@ -64,7 +64,7 @@ #include -const char *SHA_version="SHA" OPENSSL_VERSION_PTEXT; +const char SHA_version[]="SHA" OPENSSL_VERSION_PTEXT; /* The implementation is in ../md32_common.h */ diff --git a/crypto/openssl/crypto/stack/safestack.h b/crypto/openssl/crypto/stack/safestack.h index e5f5be9f9c11..d496f365c270 100644 --- a/crypto/openssl/crypto/stack/safestack.h +++ b/crypto/openssl/crypto/stack/safestack.h @@ -234,6 +234,28 @@ STACK_OF(type) \ #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st)) #define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st)) +#define sk_ASIdOrRange_new(st) SKM_sk_new(ASIdOrRange, (st)) +#define sk_ASIdOrRange_new_null() SKM_sk_new_null(ASIdOrRange) +#define sk_ASIdOrRange_free(st) SKM_sk_free(ASIdOrRange, (st)) +#define sk_ASIdOrRange_num(st) SKM_sk_num(ASIdOrRange, (st)) +#define sk_ASIdOrRange_value(st, i) SKM_sk_value(ASIdOrRange, (st), (i)) +#define sk_ASIdOrRange_set(st, i, val) SKM_sk_set(ASIdOrRange, (st), (i), (val)) +#define sk_ASIdOrRange_zero(st) SKM_sk_zero(ASIdOrRange, (st)) +#define sk_ASIdOrRange_push(st, val) SKM_sk_push(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_unshift(st, val) SKM_sk_unshift(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_find(st, val) SKM_sk_find(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_find_ex(st, val) SKM_sk_find_ex(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_delete(st, i) SKM_sk_delete(ASIdOrRange, (st), (i)) +#define sk_ASIdOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASIdOrRange, (st), (ptr)) +#define sk_ASIdOrRange_insert(st, val, i) SKM_sk_insert(ASIdOrRange, (st), (val), (i)) +#define sk_ASIdOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASIdOrRange, (st), (cmp)) +#define sk_ASIdOrRange_dup(st) SKM_sk_dup(ASIdOrRange, st) +#define sk_ASIdOrRange_pop_free(st, free_func) SKM_sk_pop_free(ASIdOrRange, (st), (free_func)) +#define sk_ASIdOrRange_shift(st) SKM_sk_shift(ASIdOrRange, (st)) +#define sk_ASIdOrRange_pop(st) SKM_sk_pop(ASIdOrRange, (st)) +#define sk_ASIdOrRange_sort(st) SKM_sk_sort(ASIdOrRange, (st)) +#define sk_ASIdOrRange_is_sorted(st) SKM_sk_is_sorted(ASIdOrRange, (st)) + #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st)) #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING) #define sk_ASN1_GENERALSTRING_free(st) SKM_sk_free(ASN1_GENERALSTRING, (st)) @@ -608,6 +630,50 @@ STACK_OF(type) \ #define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st)) #define sk_GENERAL_SUBTREE_is_sorted(st) SKM_sk_is_sorted(GENERAL_SUBTREE, (st)) +#define sk_IPAddressFamily_new(st) SKM_sk_new(IPAddressFamily, (st)) +#define sk_IPAddressFamily_new_null() SKM_sk_new_null(IPAddressFamily) +#define sk_IPAddressFamily_free(st) SKM_sk_free(IPAddressFamily, (st)) +#define sk_IPAddressFamily_num(st) SKM_sk_num(IPAddressFamily, (st)) +#define sk_IPAddressFamily_value(st, i) SKM_sk_value(IPAddressFamily, (st), (i)) +#define sk_IPAddressFamily_set(st, i, val) SKM_sk_set(IPAddressFamily, (st), (i), (val)) +#define sk_IPAddressFamily_zero(st) SKM_sk_zero(IPAddressFamily, (st)) +#define sk_IPAddressFamily_push(st, val) SKM_sk_push(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_unshift(st, val) SKM_sk_unshift(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_find(st, val) SKM_sk_find(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_find_ex(st, val) SKM_sk_find_ex(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_delete(st, i) SKM_sk_delete(IPAddressFamily, (st), (i)) +#define sk_IPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressFamily, (st), (ptr)) +#define sk_IPAddressFamily_insert(st, val, i) SKM_sk_insert(IPAddressFamily, (st), (val), (i)) +#define sk_IPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressFamily, (st), (cmp)) +#define sk_IPAddressFamily_dup(st) SKM_sk_dup(IPAddressFamily, st) +#define sk_IPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(IPAddressFamily, (st), (free_func)) +#define sk_IPAddressFamily_shift(st) SKM_sk_shift(IPAddressFamily, (st)) +#define sk_IPAddressFamily_pop(st) SKM_sk_pop(IPAddressFamily, (st)) +#define sk_IPAddressFamily_sort(st) SKM_sk_sort(IPAddressFamily, (st)) +#define sk_IPAddressFamily_is_sorted(st) SKM_sk_is_sorted(IPAddressFamily, (st)) + +#define sk_IPAddressOrRange_new(st) SKM_sk_new(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_new_null() SKM_sk_new_null(IPAddressOrRange) +#define sk_IPAddressOrRange_free(st) SKM_sk_free(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_num(st) SKM_sk_num(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_value(st, i) SKM_sk_value(IPAddressOrRange, (st), (i)) +#define sk_IPAddressOrRange_set(st, i, val) SKM_sk_set(IPAddressOrRange, (st), (i), (val)) +#define sk_IPAddressOrRange_zero(st) SKM_sk_zero(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_push(st, val) SKM_sk_push(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_unshift(st, val) SKM_sk_unshift(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_find(st, val) SKM_sk_find(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_find_ex(st, val) SKM_sk_find_ex(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_delete(st, i) SKM_sk_delete(IPAddressOrRange, (st), (i)) +#define sk_IPAddressOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressOrRange, (st), (ptr)) +#define sk_IPAddressOrRange_insert(st, val, i) SKM_sk_insert(IPAddressOrRange, (st), (val), (i)) +#define sk_IPAddressOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressOrRange, (st), (cmp)) +#define sk_IPAddressOrRange_dup(st) SKM_sk_dup(IPAddressOrRange, st) +#define sk_IPAddressOrRange_pop_free(st, free_func) SKM_sk_pop_free(IPAddressOrRange, (st), (free_func)) +#define sk_IPAddressOrRange_shift(st) SKM_sk_shift(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_pop(st) SKM_sk_pop(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_sort(st) SKM_sk_sort(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_is_sorted(st) SKM_sk_is_sorted(IPAddressOrRange, (st)) + #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) #define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st)) diff --git a/crypto/openssl/crypto/stack/stack.c b/crypto/openssl/crypto/stack/stack.c index 5967a2c73563..378bd7c7968c 100644 --- a/crypto/openssl/crypto/stack/stack.c +++ b/crypto/openssl/crypto/stack/stack.c @@ -73,7 +73,7 @@ #undef MIN_NODES #define MIN_NODES 4 -const char *STACK_version="Stack" OPENSSL_VERSION_PTEXT; +const char STACK_version[]="Stack" OPENSSL_VERSION_PTEXT; #include diff --git a/crypto/openssl/crypto/store/str_err.c b/crypto/openssl/crypto/store/str_err.c index 5c6fe832e860..6fee6498220a 100644 --- a/crypto/openssl/crypto/store/str_err.c +++ b/crypto/openssl/crypto/store/str_err.c @@ -200,15 +200,12 @@ static ERR_STRING_DATA STORE_str_reasons[]= void ERR_load_STORE_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(STORE_str_functs[0].error) == NULL) + { ERR_load_strings(0,STORE_str_functs); ERR_load_strings(0,STORE_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/txt_db/txt_db.c b/crypto/openssl/crypto/txt_db/txt_db.c index e9e503eb073c..3ed5f72ee94b 100644 --- a/crypto/openssl/crypto/txt_db/txt_db.c +++ b/crypto/openssl/crypto/txt_db/txt_db.c @@ -66,7 +66,7 @@ #undef BUFSIZE #define BUFSIZE 512 -const char *TXT_DB_version="TXT_DB" OPENSSL_VERSION_PTEXT; +const char TXT_DB_version[]="TXT_DB" OPENSSL_VERSION_PTEXT; TXT_DB *TXT_DB_read(BIO *in, int num) { diff --git a/crypto/openssl/crypto/ui/ui_err.c b/crypto/openssl/crypto/ui/ui_err.c index d983cdd66fac..786bd0dbc3b9 100644 --- a/crypto/openssl/crypto/ui/ui_err.c +++ b/crypto/openssl/crypto/ui/ui_err.c @@ -101,15 +101,12 @@ static ERR_STRING_DATA UI_str_reasons[]= void ERR_load_UI_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(UI_str_functs[0].error) == NULL) + { ERR_load_strings(0,UI_str_functs); ERR_load_strings(0,UI_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c index ea689aed1a25..37f9a4820693 100644 --- a/crypto/openssl/crypto/x509/by_dir.c +++ b/crypto/openssl/crypto/x509/by_dir.c @@ -189,7 +189,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) s=dir; p=s; - for (;;) + for (;;p++) { if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) { @@ -198,8 +198,11 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) len=(int)(p-ss); if (len == 0) continue; for (j=0; jnum_dirs; j++) - if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) - continue; + if (strlen(ctx->dirs[j]) == (size_t)len && + strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) + break; + if (jnum_dirs) + continue; if (ctx->num_dirs_alloced < (ctx->num_dirs+1)) { ctx->num_dirs_alloced+=10; @@ -231,7 +234,6 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) ctx->num_dirs++; } if (*p == '\0') break; - p++; } return(1); } diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h index 66990ae5a88e..16a954f70994 100644 --- a/crypto/openssl/crypto/x509/x509.h +++ b/crypto/openssl/crypto/x509/x509.h @@ -288,6 +288,10 @@ struct x509_st ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; X509_POLICY_CACHE *policy_cache; +#ifndef OPENSSL_NO_RFC3779 + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; +#endif #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/openssl/crypto/x509/x509_err.c b/crypto/openssl/crypto/x509/x509_err.c index b7bc383a5029..fb377292dac5 100644 --- a/crypto/openssl/crypto/x509/x509_err.c +++ b/crypto/openssl/crypto/x509/x509_err.c @@ -150,15 +150,12 @@ static ERR_STRING_DATA X509_str_reasons[]= void ERR_load_X509_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(X509_str_functs[0].error) == NULL) + { ERR_load_strings(0,X509_str_functs); ERR_load_strings(0,X509_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/x509/x509_req.c b/crypto/openssl/crypto/x509/x509_req.c index ab13bcfc061d..3872e1fb64a5 100644 --- a/crypto/openssl/crypto/x509/x509_req.c +++ b/crypto/openssl/crypto/x509/x509_req.c @@ -242,6 +242,11 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, at = NULL; attr->single = 0; attr->object = OBJ_nid2obj(nid); + if (!req->req_info->attributes) + { + if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) + goto err; + } if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; return 1; err: diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c index 7dd2b761d9ab..a80c87eef3a9 100644 --- a/crypto/openssl/crypto/x509/x509_txt.c +++ b/crypto/openssl/crypto/x509/x509_txt.c @@ -162,6 +162,8 @@ const char *X509_verify_cert_error_string(long n) return("invalid or inconsistent certificate policy extension"); case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); + case X509_V_ERR_UNNESTED_RESOURCE: + return("RFC 3779 resource not subset of parent's resources"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 79dae3d3bf23..07df21f6b975 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -79,7 +79,7 @@ static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int internal_verify(X509_STORE_CTX *ctx); -const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; +const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) @@ -312,6 +312,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok=internal_verify(ctx); if(!ok) goto end; +#ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) goto end; + ok = v3_addr_validate_path(ctx); + if (!ok) goto end; +#endif + /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); @@ -1460,9 +1468,16 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { if (ctx->cleanup) ctx->cleanup(ctx); - X509_VERIFY_PARAM_free(ctx->param); - if (ctx->tree) + if (ctx->param != NULL) + { + X509_VERIFY_PARAM_free(ctx->param); + ctx->param=NULL; + } + if (ctx->tree != NULL) + { X509_policy_tree_free(ctx->tree); + ctx->tree=NULL; + } if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h index 3f16330444f8..76c76e171936 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.h +++ b/crypto/openssl/crypto/x509/x509_vfy.h @@ -331,6 +331,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_ERR_INVALID_POLICY_EXTENSION 42 #define X509_V_ERR_NO_EXPLICIT_POLICY 43 +#define X509_V_ERR_UNNESTED_RESOURCE 44 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 diff --git a/crypto/openssl/crypto/x509v3/Makefile b/crypto/openssl/crypto/x509v3/Makefile index 7a5266e6750d..556ef351bf88 100644 --- a/crypto/openssl/crypto/x509v3/Makefile +++ b/crypto/openssl/crypto/x509v3/Makefile @@ -21,12 +21,14 @@ LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \ -pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c +pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ +v3_asid.c v3_addr.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \ -pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o +pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \ +v3_asid.o v3_addr.o SRC= $(LIBSRC) @@ -166,6 +168,20 @@ pcy_tree.o: ../../include/openssl/sha.h ../../include/openssl/stack.h pcy_tree.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h pcy_tree.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h pcy_tree.o: ../cryptlib.h pcy_int.h pcy_tree.c +v3_addr.o: ../../e_os.h ../../include/openssl/asn1.h +v3_addr.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_addr.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +v3_addr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +v3_addr.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +v3_addr.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +v3_addr.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +v3_addr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_addr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_addr.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_addr.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_addr.c v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -208,6 +224,21 @@ v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_alt.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_alt.c +v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h +v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +v3_asid.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +v3_asid.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +v3_asid.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +v3_asid.o: ../../include/openssl/err.h ../../include/openssl/evp.h +v3_asid.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +v3_asid.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +v3_asid.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h +v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h +v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +v3_asid.o: ../cryptlib.h v3_asid.c v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h diff --git a/crypto/openssl/crypto/x509v3/ext_dat.h b/crypto/openssl/crypto/x509v3/ext_dat.h index 35966846873a..5c063ac65dfb 100644 --- a/crypto/openssl/crypto/x509v3/ext_dat.h +++ b/crypto/openssl/crypto/x509v3/ext_dat.h @@ -67,6 +67,9 @@ extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; +#ifndef OPENSSL_NO_RFC3779 +extern X509V3_EXT_METHOD v3_addr, v3_asid; +#endif /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -99,6 +102,10 @@ static X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_RFC3779 +&v3_addr, +&v3_asid, +#endif #ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, diff --git a/crypto/openssl/crypto/x509v3/pcy_tree.c b/crypto/openssl/crypto/x509v3/pcy_tree.c index 1c68ce3352cc..27d29f25a84e 100644 --- a/crypto/openssl/crypto/x509v3/pcy_tree.c +++ b/crypto/openssl/crypto/x509v3/pcy_tree.c @@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* Any matching allowed if certificate is self * issued and not the last in the chain. */ - if (!(x->ex_flags && EXFLAG_SS) || (i == 0)) + if (!(x->ex_flags & EXFLAG_SS) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else @@ -628,6 +628,16 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, /* Tree OK: continue */ case 1: + if (!tree) + /* + * tree_init() returns success and a null tree + * if it's just looking at a trust anchor. + * I'm not sure that returning success here is + * correct, but I'm sure that reporting this + * as an internal error which our caller + * interprets as a malloc failure is wrong. + */ + return 1; break; } diff --git a/crypto/openssl/crypto/x509v3/v3_addr.c b/crypto/openssl/crypto/x509v3/v3_addr.c new file mode 100644 index 000000000000..ed9847b3071f --- /dev/null +++ b/crypto/openssl/crypto/x509v3/v3_addr.c @@ -0,0 +1,1280 @@ +/* + * Contributed to the OpenSSL Project by the American Registry for + * Internet Numbers ("ARIN"). + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + */ + +/* + * Implementation of RFC 3779 section 2.2. + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#include + +#ifndef OPENSSL_NO_RFC3779 + +/* + * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. + */ + +ASN1_SEQUENCE(IPAddressRange) = { + ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), + ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(IPAddressRange) + +ASN1_CHOICE(IPAddressOrRange) = { + ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), + ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) +} ASN1_CHOICE_END(IPAddressOrRange) + +ASN1_CHOICE(IPAddressChoice) = { + ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), + ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) +} ASN1_CHOICE_END(IPAddressChoice) + +ASN1_SEQUENCE(IPAddressFamily) = { + ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), + ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) +} ASN1_SEQUENCE_END(IPAddressFamily) + +ASN1_ITEM_TEMPLATE(IPAddrBlocks) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + IPAddrBlocks, IPAddressFamily) +ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) + +IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) + +/* + * How much buffer space do we need for a raw address? + */ +#define ADDR_RAW_BUF_LEN 16 + +/* + * What's the address length associated with this AFI? + */ +static int length_from_afi(const unsigned afi) +{ + switch (afi) { + case IANA_AFI_IPV4: + return 4; + case IANA_AFI_IPV6: + return 16; + default: + return 0; + } +} + +/* + * Extract the AFI from an IPAddressFamily. + */ +unsigned v3_addr_get_afi(const IPAddressFamily *f) +{ + return ((f != NULL && + f->addressFamily != NULL && + f->addressFamily->data != NULL) + ? ((f->addressFamily->data[0] << 8) | + (f->addressFamily->data[1])) + : 0); +} + +/* + * Expand the bitstring form of an address into a raw byte array. + * At the moment this is coded for simplicity, not speed. + */ +static void addr_expand(unsigned char *addr, + const ASN1_BIT_STRING *bs, + const int length, + const unsigned char fill) +{ + assert(bs->length >= 0 && bs->length <= length); + if (bs->length > 0) { + memcpy(addr, bs->data, bs->length); + if ((bs->flags & 7) != 0) { + unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); + if (fill == 0) + addr[bs->length - 1] &= ~mask; + else + addr[bs->length - 1] |= mask; + } + } + memset(addr + bs->length, fill, length - bs->length); +} + +/* + * Extract the prefix length from a bitstring. + */ +#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) + +/* + * i2r handler for one address bitstring. + */ +static int i2r_address(BIO *out, + const unsigned afi, + const unsigned char fill, + const ASN1_BIT_STRING *bs) +{ + unsigned char addr[ADDR_RAW_BUF_LEN]; + int i, n; + + switch (afi) { + case IANA_AFI_IPV4: + addr_expand(addr, bs, 4, fill); + BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); + break; + case IANA_AFI_IPV6: + addr_expand(addr, bs, 16, fill); + for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) + ; + for (i = 0; i < n; i += 2) + BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); + if (i < 16) + BIO_puts(out, ":"); + break; + default: + for (i = 0; i < bs->length; i++) + BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); + BIO_printf(out, "[%d]", (int) (bs->flags & 7)); + break; + } + return 1; +} + +/* + * i2r handler for a sequence of addresses and ranges. + */ +static int i2r_IPAddressOrRanges(BIO *out, + const int indent, + const IPAddressOrRanges *aors, + const unsigned afi) +{ + int i; + for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { + const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); + BIO_printf(out, "%*s", indent, ""); + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) + return 0; + BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); + continue; + case IPAddressOrRange_addressRange: + if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) + return 0; + BIO_puts(out, "-"); + if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) + return 0; + BIO_puts(out, "\n"); + continue; + } + } + return 1; +} + +/* + * i2r handler for an IPAddrBlocks extension. + */ +static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, + void *ext, + BIO *out, + int indent) +{ + const IPAddrBlocks *addr = ext; + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + const unsigned afi = v3_addr_get_afi(f); + switch (afi) { + case IANA_AFI_IPV4: + BIO_printf(out, "%*sIPv4", indent, ""); + break; + case IANA_AFI_IPV6: + BIO_printf(out, "%*sIPv6", indent, ""); + break; + default: + BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); + break; + } + if (f->addressFamily->length > 2) { + switch (f->addressFamily->data[2]) { + case 1: + BIO_puts(out, " (Unicast)"); + break; + case 2: + BIO_puts(out, " (Multicast)"); + break; + case 3: + BIO_puts(out, " (Unicast/Multicast)"); + break; + case 4: + BIO_puts(out, " (MPLS)"); + break; + case 64: + BIO_puts(out, " (Tunnel)"); + break; + case 65: + BIO_puts(out, " (VPLS)"); + break; + case 66: + BIO_puts(out, " (BGP MDT)"); + break; + case 128: + BIO_puts(out, " (MPLS-labeled VPN)"); + break; + default: + BIO_printf(out, " (Unknown SAFI %u)", + (unsigned) f->addressFamily->data[2]); + break; + } + } + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + BIO_puts(out, ": inherit\n"); + break; + case IPAddressChoice_addressesOrRanges: + BIO_puts(out, ":\n"); + if (!i2r_IPAddressOrRanges(out, + indent + 2, + f->ipAddressChoice->u.addressesOrRanges, + afi)) + return 0; + break; + } + } + return 1; +} + +/* + * Sort comparison function for a sequence of IPAddressOrRange + * elements. + */ +static int IPAddressOrRange_cmp(const IPAddressOrRange *a, + const IPAddressOrRange *b, + const int length) +{ + unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; + int prefixlen_a = 0; + int prefixlen_b = 0; + int r; + + switch (a->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(addr_a, a->u.addressPrefix, length, 0x00); + prefixlen_a = addr_prefixlen(a->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + addr_expand(addr_a, a->u.addressRange->min, length, 0x00); + prefixlen_a = length * 8; + break; + } + + switch (b->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(addr_b, b->u.addressPrefix, length, 0x00); + prefixlen_b = addr_prefixlen(b->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + addr_expand(addr_b, b->u.addressRange->min, length, 0x00); + prefixlen_b = length * 8; + break; + } + + if ((r = memcmp(addr_a, addr_b, length)) != 0) + return r; + else + return prefixlen_a - prefixlen_b; +} + +/* + * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparision routines are only allowed two arguments. + */ +static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, + const IPAddressOrRange * const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 4); +} + +/* + * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparision routines are only allowed two arguments. + */ +static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, + const IPAddressOrRange * const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 16); +} + +/* + * Calculate whether a range collapses to a prefix. + * See last paragraph of RFC 3779 2.2.3.7. + */ +static int range_should_be_prefix(const unsigned char *min, + const unsigned char *max, + const int length) +{ + unsigned char mask; + int i, j; + + for (i = 0; i < length && min[i] == max[i]; i++) + ; + for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) + ; + if (i < j) + return -1; + if (i > j) + return i * 8; + mask = min[i] ^ max[i]; + switch (mask) { + case 0x01: j = 7; break; + case 0x03: j = 6; break; + case 0x07: j = 5; break; + case 0x0F: j = 4; break; + case 0x1F: j = 3; break; + case 0x3F: j = 2; break; + case 0x7F: j = 1; break; + default: return -1; + } + if ((min[i] & mask) != 0 || (max[i] & mask) != mask) + return -1; + else + return i * 8 + j; +} + +/* + * Construct a prefix. + */ +static int make_addressPrefix(IPAddressOrRange **result, + unsigned char *addr, + const int prefixlen) +{ + int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; + IPAddressOrRange *aor = IPAddressOrRange_new(); + + if (aor == NULL) + return 0; + aor->type = IPAddressOrRange_addressPrefix; + if (aor->u.addressPrefix == NULL && + (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) + goto err; + aor->u.addressPrefix->flags &= ~7; + aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (bitlen > 0) { + aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); + aor->u.addressPrefix->flags |= 8 - bitlen; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a range. If it can be expressed as a prefix, + * return a prefix instead. Doing this here simplifies + * the rest of the code considerably. + */ +static int make_addressRange(IPAddressOrRange **result, + unsigned char *min, + unsigned char *max, + const int length) +{ + IPAddressOrRange *aor; + int i, prefixlen; + + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) + return make_addressPrefix(result, min, prefixlen); + + if ((aor = IPAddressOrRange_new()) == NULL) + return 0; + aor->type = IPAddressOrRange_addressRange; + assert(aor->u.addressRange == NULL); + if ((aor->u.addressRange = IPAddressRange_new()) == NULL) + goto err; + if (aor->u.addressRange->min == NULL && + (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (aor->u.addressRange->max == NULL && + (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) + goto err; + + for (i = length; i > 0 && min[i - 1] == 0x00; --i) + ; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) + goto err; + aor->u.addressRange->min->flags &= ~7; + aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = min[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != 0) + ++j; + aor->u.addressRange->min->flags |= 8 - j; + } + + for (i = length; i > 0 && max[i - 1] == 0xFF; --i) + ; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) + goto err; + aor->u.addressRange->max->flags &= ~7; + aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = max[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != (0xFFU >> j)) + ++j; + aor->u.addressRange->max->flags |= 8 - j; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a new address family or find an existing one. + */ +static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f; + unsigned char key[3]; + unsigned keylen; + int i; + + key[0] = (afi >> 8) & 0xFF; + key[1] = afi & 0xFF; + if (safi != NULL) { + key[2] = *safi & 0xFF; + keylen = 3; + } else { + keylen = 2; + } + + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + f = sk_IPAddressFamily_value(addr, i); + assert(f->addressFamily->data != NULL); + if (f->addressFamily->length == keylen && + !memcmp(f->addressFamily->data, key, keylen)) + return f; + } + + if ((f = IPAddressFamily_new()) == NULL) + goto err; + if (f->ipAddressChoice == NULL && + (f->ipAddressChoice = IPAddressChoice_new()) == NULL) + goto err; + if (f->addressFamily == NULL && + (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) + goto err; + if (!sk_IPAddressFamily_push(addr, f)) + goto err; + + return f; + + err: + IPAddressFamily_free(f); + return NULL; +} + +/* + * Add an inheritance element. + */ +int v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && + f->ipAddressChoice->u.addressesOrRanges != NULL)) + return 0; + if (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL) + return 1; + if (f->ipAddressChoice->u.inherit == NULL && + (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + f->ipAddressChoice->type = IPAddressChoice_inherit; + return 1; +} + +/* + * Construct an IPAddressOrRange sequence, or return an existing one. + */ +static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + IPAddressOrRanges *aors = NULL; + + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL)) + return NULL; + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) + aors = f->ipAddressChoice->u.addressesOrRanges; + if (aors != NULL) + return aors; + if ((aors = sk_IPAddressOrRange_new_null()) == NULL) + return NULL; + switch (afi) { + case IANA_AFI_IPV4: + sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); + break; + case IANA_AFI_IPV6: + sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); + break; + } + f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; + f->ipAddressChoice->u.addressesOrRanges = aors; + return aors; +} + +/* + * Add a prefix. + */ +int v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *a, + const int prefixlen) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Add a range. + */ +int v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *min, + unsigned char *max) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + int length = length_from_afi(afi); + if (aors == NULL) + return 0; + if (!make_addressRange(&aor, min, max, length)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an IPAddressOrRange. + */ +static void extract_min_max(IPAddressOrRange *aor, + unsigned char *min, + unsigned char *max, + int length) +{ + assert(aor != NULL && min != NULL && max != NULL); + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(min, aor->u.addressPrefix, length, 0x00); + addr_expand(max, aor->u.addressPrefix, length, 0xFF); + return; + case IPAddressOrRange_addressRange: + addr_expand(min, aor->u.addressRange->min, length, 0x00); + addr_expand(max, aor->u.addressRange->max, length, 0xFF); + return; + } +} + +/* + * Public wrapper for extract_min_max(). + */ +int v3_addr_get_range(IPAddressOrRange *aor, + const unsigned afi, + unsigned char *min, + unsigned char *max, + const int length) +{ + int afi_length = length_from_afi(afi); + if (aor == NULL || min == NULL || max == NULL || + afi_length == 0 || length < afi_length || + (aor->type != IPAddressOrRange_addressPrefix && + aor->type != IPAddressOrRange_addressRange)) + return 0; + extract_min_max(aor, min, max, afi_length); + return afi_length; +} + +/* + * Sort comparision function for a sequence of IPAddressFamily. + * + * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about + * the ordering: I can read it as meaning that IPv6 without a SAFI + * comes before IPv4 with a SAFI, which seems pretty weird. The + * examples in appendix B suggest that the author intended the + * null-SAFI rule to apply only within a single AFI, which is what I + * would have expected and is what the following code implements. + */ +static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, + const IPAddressFamily * const *b_) +{ + const ASN1_OCTET_STRING *a = (*a_)->addressFamily; + const ASN1_OCTET_STRING *b = (*b_)->addressFamily; + int len = ((a->length <= b->length) ? a->length : b->length); + int cmp = memcmp(a->data, b->data, len); + return cmp ? cmp : a->length - b->length; +} + +/* + * Check whether an IPAddrBLocks is in canonical form. + */ +int v3_addr_is_canonical(IPAddrBlocks *addr) +{ + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + IPAddressOrRanges *aors; + int i, j, k; + + /* + * Empty extension is cannonical. + */ + if (addr == NULL) + return 1; + + /* + * Check whether the top-level list is in order. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { + const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); + const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + if (IPAddressFamily_cmp(&a, &b) >= 0) + return 0; + } + + /* + * Top level's ok, now check each address family. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + int length = length_from_afi(v3_addr_get_afi(f)); + + /* + * Inheritance is canonical. Anything other than inheritance or + * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. + */ + if (f == NULL || f->ipAddressChoice == NULL) + return 0; + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + continue; + case IPAddressChoice_addressesOrRanges: + break; + default: + return 0; + } + + /* + * It's an IPAddressOrRanges sequence, check it. + */ + aors = f->ipAddressChoice->u.addressesOrRanges; + if (sk_IPAddressOrRange_num(aors) == 0) + return 0; + for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); + + extract_min_max(a, a_min, a_max, length); + extract_min_max(b, b_min, b_max, length); + + /* + * Punt misordered list, overlapping start, or inverted range. + */ + if (memcmp(a_min, b_min, length) >= 0 || + memcmp(a_min, a_max, length) > 0 || + memcmp(b_min, b_max, length) > 0) + return 0; + + /* + * Punt if adjacent or overlapping. Check for adjacency by + * subtracting one from b_min first. + */ + for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) + ; + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Check for range that should be expressed as a prefix. + */ + if (a->type == IPAddressOrRange_addressRange && + range_should_be_prefix(a_min, a_max, length) >= 0) + return 0; + } + + /* + * Check final range to see if it should be a prefix. + */ + j = sk_IPAddressOrRange_num(aors) - 1; + { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + if (a->type == IPAddressOrRange_addressRange) { + extract_min_max(a, a_min, a_max, length); + if (range_should_be_prefix(a_min, a_max, length) >= 0) + return 0; + } + } + } + + /* + * If we made it through all that, we're happy. + */ + return 1; +} + +/* + * Whack an IPAddressOrRanges into canonical form. + */ +static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, + const unsigned afi) +{ + int i, j, length = length_from_afi(afi); + + /* + * Sort the IPAddressOrRanges sequence. + */ + sk_IPAddressOrRange_sort(aors); + + /* + * Clean up representation issues, punt on duplicates or overlaps. + */ + for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + + extract_min_max(a, a_min, a_max, length); + extract_min_max(b, b_min, b_max, length); + + /* + * Punt overlaps. + */ + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Merge if a and b are adjacent. We check for + * adjacency by subtracting one from b_min first. + */ + for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) + ; + if (memcmp(a_max, b_min, length) == 0) { + IPAddressOrRange *merged; + if (!make_addressRange(&merged, a_min, b_max, length)) + return 0; + sk_IPAddressOrRange_set(aors, i, merged); + sk_IPAddressOrRange_delete(aors, i + 1); + IPAddressOrRange_free(a); + IPAddressOrRange_free(b); + --i; + continue; + } + } + + return 1; +} + +/* + * Whack an IPAddrBlocks extension into canonical form. + */ +int v3_addr_canonize(IPAddrBlocks *addr) +{ + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && + !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, + v3_addr_get_afi(f))) + return 0; + } + sk_IPAddressFamily_sort(addr); + assert(v3_addr_is_canonical(addr)); + return 1; +} + +/* + * v2i handler for the IPAddrBlocks extension. + */ +static void *v2i_IPAddrBlocks(struct v3_ext_method *method, + struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values) +{ + static const char v4addr_chars[] = "0123456789."; + static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; + IPAddrBlocks *addr = NULL; + char *s = NULL, *t; + int i; + + if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; + unsigned afi, *safi = NULL, safi_; + const char *addr_chars; + int prefixlen, i1, i2, delim, length; + + if ( !name_cmp(val->name, "IPv4")) { + afi = IANA_AFI_IPV4; + } else if (!name_cmp(val->name, "IPv6")) { + afi = IANA_AFI_IPV6; + } else if (!name_cmp(val->name, "IPv4-SAFI")) { + afi = IANA_AFI_IPV4; + safi = &safi_; + } else if (!name_cmp(val->name, "IPv6-SAFI")) { + afi = IANA_AFI_IPV6; + safi = &safi_; + } else { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + switch (afi) { + case IANA_AFI_IPV4: + addr_chars = v4addr_chars; + break; + case IANA_AFI_IPV6: + addr_chars = v6addr_chars; + break; + } + + length = length_from_afi(afi); + + /* + * Handle SAFI, if any, and BUF_strdup() so we can null-terminate + * the other input values. + */ + if (safi != NULL) { + *safi = strtoul(val->value, &t, 0); + t += strspn(t, " \t"); + if (*safi > 0xFF || *t++ != ':') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); + X509V3_conf_err(val); + goto err; + } + t += strspn(t, " \t"); + s = BUF_strdup(t); + } else { + s = BUF_strdup(val->value); + } + if (s == NULL) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + + /* + * Check for inheritance. Not worth additional complexity to + * optimize this (seldom-used) case. + */ + if (!strcmp(s, "inherit")) { + if (!v3_addr_add_inherit(addr, afi, safi)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + OPENSSL_free(s); + s = NULL; + continue; + } + + i1 = strspn(s, addr_chars); + i2 = i1 + strspn(s + i1, " \t"); + delim = s[i2++]; + s[i1] = '\0'; + + if (a2i_ipadd(min, s) != length) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + + switch (delim) { + case '/': + prefixlen = (int) strtoul(s + i2, &t, 10); + if (t == s + i2 || *t != '\0') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '-': + i1 = i2 + strspn(s + i2, " \t"); + i2 = i1 + strspn(s + i1, addr_chars); + if (i1 == i2 || s[i2] != '\0') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (a2i_ipadd(max, s + i1) != length) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + if (!v3_addr_add_range(addr, afi, safi, min, max)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '\0': + if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + default: + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + + OPENSSL_free(s); + s = NULL; + } + + /* + * Canonize the result, then we're done. + */ + if (!v3_addr_canonize(addr)) + goto err; + return addr; + + err: + OPENSSL_free(s); + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + return NULL; +} + +/* + * OpenSSL dispatch + */ +const X509V3_EXT_METHOD v3_addr = { + NID_sbgp_ipAddrBlock, /* nid */ + 0, /* flags */ + ASN1_ITEM_ref(IPAddrBlocks), /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_IPAddrBlocks, /* v2i */ + i2r_IPAddrBlocks, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension sues inheritance. + */ +int v3_addr_inherits(IPAddrBlocks *addr) +{ + int i; + if (addr == NULL) + return 0; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == IPAddressChoice_inherit) + return 1; + } + return 0; +} + +/* + * Figure out whether parent contains child. + */ +static int addr_contains(IPAddressOrRanges *parent, + IPAddressOrRanges *child, + int length) +{ + unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; + unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { + extract_min_max(sk_IPAddressOrRange_value(child, c), + c_min, c_max, length); + for (;; p++) { + if (p >= sk_IPAddressOrRange_num(parent)) + return 0; + extract_min_max(sk_IPAddressOrRange_value(parent, p), + p_min, p_max, length); + if (memcmp(p_max, c_max, length) < 0) + continue; + if (memcmp(p_min, c_min, length) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subset of b. + */ +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) +{ + int i; + if (a == NULL || a == b) + return 1; + if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) + return 0; + sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); + for (i = 0; i < sk_IPAddressFamily_num(a); i++) { + IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); + int j = sk_IPAddressFamily_find(b, fa); + IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, + fa->ipAddressChoice->u.addressesOrRanges, + length_from_afi(v3_addr_get_afi(fb)))) + return 0; + } + return 1; +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 2.3 path validation. + */ +static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + IPAddrBlocks *ext) +{ + IPAddrBlocks *child = NULL; + int i, j, ret = 1; + X509 *x = NULL; + + assert(chain != NULL && sk_X509_num(chain) > 0); + assert(ctx != NULL || ext != NULL); + assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to + * check, we're done. Otherwise, check canonical form and + * set up for walking up the chain. + */ + if (ext != NULL) { + i = -1; + } else { + i = 0; + x = sk_X509_value(chain, i); + assert(x != NULL); + if ((ext = x->rfc3779_addr) == NULL) + goto done; + } + if (!v3_addr_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); + if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { + X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + ret = 0; + goto done; + } + + /* + * Now walk up the chain. No cert may list resources that its + * parent doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + assert(x != NULL); + if (!v3_addr_is_canonical(x->rfc3779_addr)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_addr == NULL) { + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + } + continue; + } + sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); + if (fp == NULL) { + if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + continue; + } + if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { + if (fc->ipAddressChoice->type == IPAddressChoice_inherit || + addr_contains(fp->ipAddressChoice->u.addressesOrRanges, + fc->ipAddressChoice->u.addressesOrRanges, + length_from_afi(v3_addr_get_afi(fc)))) + sk_IPAddressFamily_set(child, j, fp); + else + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_addr != NULL) { + for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); + if (fp->ipAddressChoice->type == IPAddressChoice_inherit && + sk_IPAddressFamily_find(child, fp) >= 0) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + + done: + sk_IPAddressFamily_free(child); + return ret; +} + +#undef validation_err + +/* + * RFC 3779 2.3 path validation -- called from X509_verify_cert(). + */ +int v3_addr_validate_path(X509_STORE_CTX *ctx) +{ + return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 2.3 path validation of an extension. + * Test whether chain covers extension. + */ +int v3_addr_validate_resource_set(STACK_OF(X509) *chain, + IPAddrBlocks *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && v3_addr_inherits(ext)) + return 0; + return v3_addr_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/openssl/crypto/x509v3/v3_akey.c b/crypto/openssl/crypto/x509v3/v3_akey.c index c481b6f12dc5..ac0548b7751b 100644 --- a/crypto/openssl/crypto/x509v3/v3_akey.c +++ b/crypto/openssl/crypto/x509v3/v3_akey.c @@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_akey_id = +const X509V3_EXT_METHOD v3_akey_id = { NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), diff --git a/crypto/openssl/crypto/x509v3/v3_alt.c b/crypto/openssl/crypto/x509v3/v3_alt.c index b38b3dbfe62b..bb2f5bc54eba 100644 --- a/crypto/openssl/crypto/x509v3/v3_alt.c +++ b/crypto/openssl/crypto/x509v3/v3_alt.c @@ -68,7 +68,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); -X509V3_EXT_METHOD v3_alt[] = { +const X509V3_EXT_METHOD v3_alt[] = { { NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_asid.c b/crypto/openssl/crypto/x509v3/v3_asid.c new file mode 100644 index 000000000000..271930f9670a --- /dev/null +++ b/crypto/openssl/crypto/x509v3/v3_asid.c @@ -0,0 +1,842 @@ +/* + * Contributed to the OpenSSL Project by the American Registry for + * Internet Numbers ("ARIN"). + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + */ + +/* + * Implementation of RFC 3779 section 3.2. + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include + +#ifndef OPENSSL_NO_RFC3779 + +/* + * OpenSSL ASN.1 template translation of RFC 3779 3.2.3. + */ + +ASN1_SEQUENCE(ASRange) = { + ASN1_SIMPLE(ASRange, min, ASN1_INTEGER), + ASN1_SIMPLE(ASRange, max, ASN1_INTEGER) +} ASN1_SEQUENCE_END(ASRange) + +ASN1_CHOICE(ASIdOrRange) = { + ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER), + ASN1_SIMPLE(ASIdOrRange, u.range, ASRange) +} ASN1_CHOICE_END(ASIdOrRange) + +ASN1_CHOICE(ASIdentifierChoice) = { + ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL), + ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange) +} ASN1_CHOICE_END(ASIdentifierChoice) + +ASN1_SEQUENCE(ASIdentifiers) = { + ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0), + ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1) +} ASN1_SEQUENCE_END(ASIdentifiers) + +IMPLEMENT_ASN1_FUNCTIONS(ASRange) +IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange) +IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice) +IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers) + +/* + * i2r method for an ASIdentifierChoice. + */ +static int i2r_ASIdentifierChoice(BIO *out, + ASIdentifierChoice *choice, + int indent, + const char *msg) +{ + int i; + char *s; + if (choice == NULL) + return 1; + BIO_printf(out, "%*s%s:\n", indent, "", msg); + switch (choice->type) { + case ASIdentifierChoice_inherit: + BIO_printf(out, "%*sinherit\n", indent + 2, ""); + break; + case ASIdentifierChoice_asIdsOrRanges: + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { + ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + switch (aor->type) { + case ASIdOrRange_id: + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) + return 0; + BIO_printf(out, "%*s%s\n", indent + 2, "", s); + OPENSSL_free(s); + break; + case ASIdOrRange_range: + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) + return 0; + BIO_printf(out, "%*s%s-", indent + 2, "", s); + OPENSSL_free(s); + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) + return 0; + BIO_printf(out, "%s\n", s); + OPENSSL_free(s); + break; + default: + return 0; + } + } + break; + default: + return 0; + } + return 1; +} + +/* + * i2r method for an ASIdentifier extension. + */ +static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method, + void *ext, + BIO *out, + int indent) +{ + ASIdentifiers *asid = ext; + return (i2r_ASIdentifierChoice(out, asid->asnum, indent, + "Autonomous System Numbers") && + i2r_ASIdentifierChoice(out, asid->rdi, indent, + "Routing Domain Identifiers")); +} + +/* + * Sort comparision function for a sequence of ASIdOrRange elements. + */ +static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, + const ASIdOrRange * const *b_) +{ + const ASIdOrRange *a = *a_, *b = *b_; + + assert((a->type == ASIdOrRange_id && a->u.id != NULL) || + (a->type == ASIdOrRange_range && a->u.range != NULL && + a->u.range->min != NULL && a->u.range->max != NULL)); + + assert((b->type == ASIdOrRange_id && b->u.id != NULL) || + (b->type == ASIdOrRange_range && b->u.range != NULL && + b->u.range->min != NULL && b->u.range->max != NULL)); + + if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.id); + + if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { + int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); + return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); + } + + if (a->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); + else + return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); +} + +/* + * Add an inherit element. + */ +int v3_asid_add_inherit(ASIdentifiers *asid, int which) +{ + ASIdentifierChoice **choice; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + assert((*choice)->u.inherit == NULL); + if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_inherit; + } + return (*choice)->type == ASIdentifierChoice_inherit; +} + +/* + * Add an ID or range to an ASIdentifierChoice. + */ +int v3_asid_add_id_or_range(ASIdentifiers *asid, + int which, + ASN1_INTEGER *min, + ASN1_INTEGER *max) +{ + ASIdentifierChoice **choice; + ASIdOrRange *aor; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) + return 0; + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + assert((*choice)->u.asIdsOrRanges == NULL); + (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); + if ((*choice)->u.asIdsOrRanges == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_asIdsOrRanges; + } + if ((aor = ASIdOrRange_new()) == NULL) + return 0; + if (max == NULL) { + aor->type = ASIdOrRange_id; + aor->u.id = min; + } else { + aor->type = ASIdOrRange_range; + if ((aor->u.range = ASRange_new()) == NULL) + goto err; + ASN1_INTEGER_free(aor->u.range->min); + aor->u.range->min = min; + ASN1_INTEGER_free(aor->u.range->max); + aor->u.range->max = max; + } + if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) + goto err; + return 1; + + err: + ASIdOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an ASIdOrRange. + */ +static void extract_min_max(ASIdOrRange *aor, + ASN1_INTEGER **min, + ASN1_INTEGER **max) +{ + assert(aor != NULL && min != NULL && max != NULL); + switch (aor->type) { + case ASIdOrRange_id: + *min = aor->u.id; + *max = aor->u.id; + return; + case ASIdOrRange_range: + *min = aor->u.range->min; + *max = aor->u.range->max; + return; + } +} + +/* + * Check whether an ASIdentifierChoice is in canonical form. + */ +static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Empty element or inheritance is canonical. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * If not a list, or if empty list, it's broken. + */ + if (choice->type != ASIdentifierChoice_asIdsOrRanges || + sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) + return 0; + + /* + * It's a list, check it. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); + ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; + + extract_min_max(a, &a_min, &a_max); + extract_min_max(b, &b_min, &b_max); + + /* + * Punt misordered list, overlapping start, or inverted range. + */ + if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || + ASN1_INTEGER_cmp(a_min, a_max) > 0 || + ASN1_INTEGER_cmp(b_min, b_max) > 0) + goto done; + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1) || + (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, + ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * Punt if adjacent or overlapping. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) + goto done; + } + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Check whether an ASIdentifier extension is in canonical form. + */ +int v3_asid_is_canonical(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_is_canonical(asid->asnum) || + ASIdentifierChoice_is_canonical(asid->rdi))); +} + +/* + * Whack an ASIdentifierChoice into canonical form. + */ +static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Nothing to do for empty element or inheritance. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * We have a list. Sort it. + */ + assert(choice->type == ASIdentifierChoice_asIdsOrRanges); + sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); + + /* + * Now check for errors and suboptimal encoding, rejecting the + * former and fixing the latter. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); + ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; + + extract_min_max(a, &a_min, &a_max); + extract_min_max(b, &b_min, &b_max); + + /* + * Make sure we're properly sorted (paranoia). + */ + assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); + + /* + * Check for overlaps. + */ + if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + X509V3_R_EXTENSION_VALUE_ERROR); + goto done; + } + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1) || + (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * If a and b are adjacent, merge them. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { + ASRange *r; + switch (a->type) { + case ASIdOrRange_id: + if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + ERR_R_MALLOC_FAILURE); + goto done; + } + r->min = a_min; + r->max = b_max; + a->type = ASIdOrRange_range; + a->u.range = r; + break; + case ASIdOrRange_range: + ASN1_INTEGER_free(a->u.range->max); + a->u.range->max = b_max; + break; + } + switch (b->type) { + case ASIdOrRange_id: + b->u.id = NULL; + break; + case ASIdOrRange_range: + b->u.range->max = NULL; + break; + } + ASIdOrRange_free(b); + sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); + i--; + continue; + } + } + + assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Whack an ASIdentifier extension into canonical form. + */ +int v3_asid_canonize(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_canonize(asid->asnum) && + ASIdentifierChoice_canonize(asid->rdi))); +} + +/* + * v2i method for an ASIdentifier extension. + */ +static void *v2i_ASIdentifiers(struct v3_ext_method *method, + struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values) +{ + ASIdentifiers *asid = NULL; + int i; + + if ((asid = ASIdentifiers_new()) == NULL) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + ASN1_INTEGER *min = NULL, *max = NULL; + int i1, i2, i3, is_range, which; + + /* + * Figure out whether this is an AS or an RDI. + */ + if ( !name_cmp(val->name, "AS")) { + which = V3_ASID_ASNUM; + } else if (!name_cmp(val->name, "RDI")) { + which = V3_ASID_RDI; + } else { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + /* + * Handle inheritance. + */ + if (!strcmp(val->value, "inherit")) { + if (v3_asid_add_inherit(asid, which)) + continue; + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + + /* + * Number, range, or mistake, pick it apart and figure out which. + */ + i1 = strspn(val->value, "0123456789"); + if (val->value[i1] == '\0') { + is_range = 0; + } else { + is_range = 1; + i2 = i1 + strspn(val->value + i1, " \t"); + if (val->value[i2] != '-') { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER); + X509V3_conf_err(val); + goto err; + } + i2++; + i2 = i2 + strspn(val->value + i2, " \t"); + i3 = i2 + strspn(val->value + i2, "0123456789"); + if (val->value[i3] != '\0') { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE); + X509V3_conf_err(val); + goto err; + } + } + + /* + * Syntax is ok, read and add it. + */ + if (!is_range) { + if (!X509V3_get_value_int(val, &min)) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } else { + char *s = BUF_strdup(val->value); + if (s == NULL) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + s[i1] = '\0'; + min = s2i_ASN1_INTEGER(NULL, s); + max = s2i_ASN1_INTEGER(NULL, s + i2); + OPENSSL_free(s); + if (min == NULL || max == NULL) { + ASN1_INTEGER_free(min); + ASN1_INTEGER_free(max); + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } + if (!v3_asid_add_id_or_range(asid, which, min, max)) { + ASN1_INTEGER_free(min); + ASN1_INTEGER_free(max); + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } + + /* + * Canonize the result, then we're done. + */ + if (!v3_asid_canonize(asid)) + goto err; + return asid; + + err: + ASIdentifiers_free(asid); + return NULL; +} + +/* + * OpenSSL dispatch. + */ +const X509V3_EXT_METHOD v3_asid = { + NID_sbgp_autonomousSysNum, /* nid */ + 0, /* flags */ + ASN1_ITEM_ref(ASIdentifiers), /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_ASIdentifiers, /* v2i */ + i2r_ASIdentifiers, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension uses inheritance. + */ +int v3_asid_inherits(ASIdentifiers *asid) +{ + return (asid != NULL && + ((asid->asnum != NULL && + asid->asnum->type == ASIdentifierChoice_inherit) || + (asid->rdi != NULL && + asid->rdi->type == ASIdentifierChoice_inherit))); +} + +/* + * Figure out whether parent contains child. + */ +static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) +{ + ASN1_INTEGER *p_min, *p_max, *c_min, *c_max; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_ASIdOrRange_num(child); c++) { + extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max); + for (;; p++) { + if (p >= sk_ASIdOrRange_num(parent)) + return 0; + extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max); + if (ASN1_INTEGER_cmp(p_max, c_max) < 0) + continue; + if (ASN1_INTEGER_cmp(p_min, c_min) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subet of b. + */ +int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) +{ + return (a == NULL || + a == b || + (b != NULL && + !v3_asid_inherits(a) && + !v3_asid_inherits(b) && + asid_contains(b->asnum->u.asIdsOrRanges, + a->asnum->u.asIdsOrRanges) && + asid_contains(b->rdi->u.asIdsOrRanges, + a->rdi->u.asIdsOrRanges))); +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 3.3 path validation. + */ +static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + ASIdentifiers *ext) +{ + ASIdOrRanges *child_as = NULL, *child_rdi = NULL; + int i, ret = 1, inherit_as = 0, inherit_rdi = 0; + X509 *x = NULL; + + assert(chain != NULL && sk_X509_num(chain) > 0); + assert(ctx != NULL || ext != NULL); + assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to + * check, we're done. Otherwise, check canonical form and + * set up for walking up the chain. + */ + if (ext != NULL) { + i = -1; + } else { + i = 0; + x = sk_X509_value(chain, i); + assert(x != NULL); + if ((ext = x->rfc3779_asid) == NULL) + goto done; + } + if (!v3_asid_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (ext->asnum != NULL) { + switch (ext->asnum->type) { + case ASIdentifierChoice_inherit: + inherit_as = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_as = ext->asnum->u.asIdsOrRanges; + break; + } + } + if (ext->rdi != NULL) { + switch (ext->rdi->type) { + case ASIdentifierChoice_inherit: + inherit_rdi = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_rdi = ext->rdi->u.asIdsOrRanges; + break; + } + } + + /* + * Now walk up the chain. Extensions must be in canonical form, no + * cert may list resources that its parent doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + assert(x != NULL); + if (x->rfc3779_asid == NULL) { + if (child_as != NULL || child_rdi != NULL) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + continue; + } + if (!v3_asid_is_canonical(x->rfc3779_asid)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_as = NULL; + inherit_as = 0; + } + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { + if (inherit_as || + asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) { + child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; + inherit_as = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_rdi = NULL; + inherit_rdi = 0; + } + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { + if (inherit_rdi || + asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) { + child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; + inherit_rdi = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_asid != NULL) { + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + + done: + return ret; +} + +#undef validation_err + +/* + * RFC 3779 3.3 path validation -- called from X509_verify_cert(). + */ +int v3_asid_validate_path(X509_STORE_CTX *ctx) +{ + return v3_asid_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 3.3 path validation of an extension. + * Test whether chain covers extension. + */ +int v3_asid_validate_resource_set(STACK_OF(X509) *chain, + ASIdentifiers *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && v3_asid_inherits(ext)) + return 0; + return v3_asid_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/openssl/crypto/x509v3/v3_bcons.c b/crypto/openssl/crypto/x509v3/v3_bcons.c index cbb012715e55..74b1233071cb 100644 --- a/crypto/openssl/crypto/x509v3/v3_bcons.c +++ b/crypto/openssl/crypto/x509v3/v3_bcons.c @@ -67,7 +67,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist); static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_bcons = { +const X509V3_EXT_METHOD v3_bcons = { NID_basic_constraints, 0, ASN1_ITEM_ref(BASIC_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_bitst.c b/crypto/openssl/crypto/x509v3/v3_bitst.c index 170c8d280bcc..cf31f0816eee 100644 --- a/crypto/openssl/crypto/x509v3/v3_bitst.c +++ b/crypto/openssl/crypto/x509v3/v3_bitst.c @@ -88,8 +88,8 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { -X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); -X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); +const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); +const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c index e5b8c5a1acc2..a40f490aa904 100644 --- a/crypto/openssl/crypto/x509v3/v3_cpols.c +++ b/crypto/openssl/crypto/x509v3/v3_cpols.c @@ -77,7 +77,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org); static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); -X509V3_EXT_METHOD v3_cpols = { +const X509V3_EXT_METHOD v3_cpols = { NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_crld.c b/crypto/openssl/crypto/x509v3/v3_crld.c index f90829c574e7..c6e3ebae7b28 100644 --- a/crypto/openssl/crypto/x509v3/v3_crld.c +++ b/crypto/openssl/crypto/x509v3/v3_crld.c @@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -X509V3_EXT_METHOD v3_crld = { +const X509V3_EXT_METHOD v3_crld = { NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_enum.c b/crypto/openssl/crypto/x509v3/v3_enum.c index 010c9d6260a9..a236cb22e158 100644 --- a/crypto/openssl/crypto/x509v3/v3_enum.c +++ b/crypto/openssl/crypto/x509v3/v3_enum.c @@ -72,7 +72,7 @@ static ENUMERATED_NAMES crl_reasons[] = { {-1, NULL, NULL} }; -X509V3_EXT_METHOD v3_crl_reason = { +const X509V3_EXT_METHOD v3_crl_reason = { NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, diff --git a/crypto/openssl/crypto/x509v3/v3_extku.c b/crypto/openssl/crypto/x509v3/v3_extku.c index 58c1c2e69935..a4efe0031e1f 100644 --- a/crypto/openssl/crypto/x509v3/v3_extku.c +++ b/crypto/openssl/crypto/x509v3/v3_extku.c @@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist); -X509V3_EXT_METHOD v3_ext_ku = { +const X509V3_EXT_METHOD v3_ext_ku = { NID_ext_key_usage, 0, ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 0,0,0,0, @@ -80,7 +80,7 @@ X509V3_EXT_METHOD v3_ext_ku = { }; /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ -X509V3_EXT_METHOD v3_ocsp_accresp = { +const X509V3_EXT_METHOD v3_ocsp_accresp = { NID_id_pkix_OCSP_acceptableResponses, 0, ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_ia5.c b/crypto/openssl/crypto/x509v3/v3_ia5.c index 9683afa47c43..b739ccd03617 100644 --- a/crypto/openssl/crypto/x509v3/v3_ia5.c +++ b/crypto/openssl/crypto/x509v3/v3_ia5.c @@ -65,7 +65,7 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_ns_ia5_list[] = { +const X509V3_EXT_METHOD v3_ns_ia5_list[] = { EXT_IA5STRING(NID_netscape_base_url), EXT_IA5STRING(NID_netscape_revocation_url), EXT_IA5STRING(NID_netscape_ca_revocation_url), diff --git a/crypto/openssl/crypto/x509v3/v3_info.c b/crypto/openssl/crypto/x509v3/v3_info.c index ab4f0eae1942..e0ef69de4231 100644 --- a/crypto/openssl/crypto/x509v3/v3_info.c +++ b/crypto/openssl/crypto/x509v3/v3_info.c @@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -X509V3_EXT_METHOD v3_info = +const X509V3_EXT_METHOD v3_info = { NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, @@ -78,7 +78,7 @@ X509V3_EXT_METHOD v3_info = 0,0, NULL}; -X509V3_EXT_METHOD v3_sinfo = +const X509V3_EXT_METHOD v3_sinfo = { NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_int.c b/crypto/openssl/crypto/x509v3/v3_int.c index 85e79c05cad8..9a48dc1508d3 100644 --- a/crypto/openssl/crypto/x509v3/v3_int.c +++ b/crypto/openssl/crypto/x509v3/v3_int.c @@ -60,14 +60,14 @@ #include "cryptlib.h" #include -X509V3_EXT_METHOD v3_crl_num = { +const X509V3_EXT_METHOD v3_crl_num = { NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, 0, 0,0,0,0, NULL}; -X509V3_EXT_METHOD v3_delta_crl = { +const X509V3_EXT_METHOD v3_delta_crl = { NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, @@ -79,7 +79,7 @@ static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value return s2i_ASN1_INTEGER(meth, value); } -X509V3_EXT_METHOD v3_inhibit_anyp = { +const X509V3_EXT_METHOD v3_inhibit_anyp = { NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, diff --git a/crypto/openssl/crypto/x509v3/v3_ncons.c b/crypto/openssl/crypto/x509v3/v3_ncons.c index 5fded6910ea5..42e7f5a8797b 100644 --- a/crypto/openssl/crypto/x509v3/v3_ncons.c +++ b/crypto/openssl/crypto/x509v3/v3_ncons.c @@ -72,7 +72,7 @@ static int do_i2r_name_constraints(X509V3_EXT_METHOD *method, BIO *bp, int ind, char *name); static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); -X509V3_EXT_METHOD v3_name_constraints = { +const X509V3_EXT_METHOD v3_name_constraints = { NID_name_constraints, 0, ASN1_ITEM_ref(NAME_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_ocsp.c b/crypto/openssl/crypto/x509v3/v3_ocsp.c index 28c11a4dbfca..62aac0633531 100644 --- a/crypto/openssl/crypto/x509v3/v3_ocsp.c +++ b/crypto/openssl/crypto/x509v3/v3_ocsp.c @@ -82,7 +82,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str); static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); -X509V3_EXT_METHOD v3_ocsp_crlid = { +const X509V3_EXT_METHOD v3_ocsp_crlid = { NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 0,0,0,0, 0,0, @@ -91,7 +91,7 @@ X509V3_EXT_METHOD v3_ocsp_crlid = { NULL }; -X509V3_EXT_METHOD v3_ocsp_acutoff = { +const X509V3_EXT_METHOD v3_ocsp_acutoff = { NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 0,0,0,0, 0,0, @@ -100,7 +100,7 @@ X509V3_EXT_METHOD v3_ocsp_acutoff = { NULL }; -X509V3_EXT_METHOD v3_crl_invdate = { +const X509V3_EXT_METHOD v3_crl_invdate = { NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 0,0,0,0, 0,0, @@ -109,7 +109,7 @@ X509V3_EXT_METHOD v3_crl_invdate = { NULL }; -X509V3_EXT_METHOD v3_crl_hold = { +const X509V3_EXT_METHOD v3_crl_hold = { NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), 0,0,0,0, 0,0, @@ -118,7 +118,7 @@ X509V3_EXT_METHOD v3_crl_hold = { NULL }; -X509V3_EXT_METHOD v3_ocsp_nonce = { +const X509V3_EXT_METHOD v3_ocsp_nonce = { NID_id_pkix_OCSP_Nonce, 0, NULL, ocsp_nonce_new, ocsp_nonce_free, @@ -130,7 +130,7 @@ X509V3_EXT_METHOD v3_ocsp_nonce = { NULL }; -X509V3_EXT_METHOD v3_ocsp_nocheck = { +const X509V3_EXT_METHOD v3_ocsp_nocheck = { NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), 0,0,0,0, 0,s2i_ocsp_nocheck, @@ -139,7 +139,7 @@ X509V3_EXT_METHOD v3_ocsp_nocheck = { NULL }; -X509V3_EXT_METHOD v3_ocsp_serviceloc = { +const X509V3_EXT_METHOD v3_ocsp_serviceloc = { NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_pci.c b/crypto/openssl/crypto/x509v3/v3_pci.c index ccb0da548ac4..5158b1dfb333 100644 --- a/crypto/openssl/crypto/x509v3/v3_pci.c +++ b/crypto/openssl/crypto/x509v3/v3_pci.c @@ -44,7 +44,7 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_pci = +const X509V3_EXT_METHOD v3_pci = { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_pcons.c b/crypto/openssl/crypto/x509v3/v3_pcons.c index 91ae862ed795..13248c2adaf4 100644 --- a/crypto/openssl/crypto/x509v3/v3_pcons.c +++ b/crypto/openssl/crypto/x509v3/v3_pcons.c @@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_policy_constraints = { +const X509V3_EXT_METHOD v3_policy_constraints = { NID_policy_constraints, 0, ASN1_ITEM_ref(POLICY_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_pku.c b/crypto/openssl/crypto/x509v3/v3_pku.c index 49a2e4697acc..5c4626e89b5b 100644 --- a/crypto/openssl/crypto/x509v3/v3_pku.c +++ b/crypto/openssl/crypto/x509v3/v3_pku.c @@ -66,7 +66,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *u /* static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); */ -X509V3_EXT_METHOD v3_pkey_usage_period = { +const X509V3_EXT_METHOD v3_pkey_usage_period = { NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), 0,0,0,0, 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_pmaps.c b/crypto/openssl/crypto/x509v3/v3_pmaps.c index 137be58ad91a..626303264f71 100644 --- a/crypto/openssl/crypto/x509v3/v3_pmaps.c +++ b/crypto/openssl/crypto/x509v3/v3_pmaps.c @@ -68,7 +68,7 @@ static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist); -X509V3_EXT_METHOD v3_policy_mappings = { +const X509V3_EXT_METHOD v3_policy_mappings = { NID_policy_mappings, 0, ASN1_ITEM_ref(POLICY_MAPPINGS), 0,0,0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_purp.c b/crypto/openssl/crypto/x509v3/v3_purp.c index 1222c3ce5b13..b2f5cdfa05f3 100644 --- a/crypto/openssl/crypto/x509v3/v3_purp.c +++ b/crypto/openssl/crypto/x509v3/v3_purp.c @@ -285,7 +285,12 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ + NID_certificate_policies, /* 89 */ NID_ext_key_usage, /* 126 */ +#ifndef OPENSSL_NO_RFC3779 + NID_sbgp_ipAddrBlock, /* 290 */ + NID_sbgp_autonomousSysNum, /* 291 */ +#endif NID_proxyCertInfo /* 661 */ }; @@ -410,6 +415,11 @@ static void x509v3_cache_extensions(X509 *x) } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); +#ifndef OPENSSL_NO_RFC3779 + x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); + x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, + NULL, NULL); +#endif for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); diff --git a/crypto/openssl/crypto/x509v3/v3_skey.c b/crypto/openssl/crypto/x509v3/v3_skey.c index b17a72d46ce2..da0a3558f65b 100644 --- a/crypto/openssl/crypto/x509v3/v3_skey.c +++ b/crypto/openssl/crypto/x509v3/v3_skey.c @@ -62,7 +62,7 @@ #include static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_skey_id = { +const X509V3_EXT_METHOD v3_skey_id = { NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING, diff --git a/crypto/openssl/crypto/x509v3/v3_sxnet.c b/crypto/openssl/crypto/x509v3/v3_sxnet.c index 819e2e670dac..eaea9ea01b4b 100644 --- a/crypto/openssl/crypto/x509v3/v3_sxnet.c +++ b/crypto/openssl/crypto/x509v3/v3_sxnet.c @@ -72,7 +72,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); #endif -X509V3_EXT_METHOD v3_sxnet = { +const X509V3_EXT_METHOD v3_sxnet = { NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET), 0,0,0,0, 0,0, diff --git a/crypto/openssl/crypto/x509v3/v3_utl.c b/crypto/openssl/crypto/x509v3/v3_utl.c index 7911c4bdaf3f..3dba0557b86d 100644 --- a/crypto/openssl/crypto/x509v3/v3_utl.c +++ b/crypto/openssl/crypto/x509v3/v3_utl.c @@ -71,7 +71,6 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens); static void str_free(void *str); static int append_ia5(STACK **sk, ASN1_IA5STRING *email); -static int a2i_ipadd(unsigned char *ipout, const char *ipasc); static int ipv4_from_asc(unsigned char *v4, const char *in); static int ipv6_from_asc(unsigned char *v6, const char *in); static int ipv6_cb(const char *elem, int len, void *usr); @@ -366,7 +365,7 @@ char *hex_to_string(unsigned char *buffer, long len) char *tmp, *q; unsigned char *p; int i; - static char hexdig[] = "0123456789ABCDEF"; + const static char hexdig[] = "0123456789ABCDEF"; if(!buffer || !len) return NULL; if(!(tmp = OPENSSL_malloc(len * 3 + 1))) { X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE); @@ -615,7 +614,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) } -static int a2i_ipadd(unsigned char *ipout, const char *ipasc) +int a2i_ipadd(unsigned char *ipout, const char *ipasc) { /* If string contains a ':' assume IPv6 */ diff --git a/crypto/openssl/crypto/x509v3/v3err.c b/crypto/openssl/crypto/x509v3/v3err.c index 451645f1f3a0..d538ad8b805c 100644 --- a/crypto/openssl/crypto/x509v3/v3err.c +++ b/crypto/openssl/crypto/x509v3/v3err.c @@ -70,6 +70,8 @@ static ERR_STRING_DATA X509V3_str_functs[]= { +{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, +{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"}, @@ -94,12 +96,13 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, -{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_ADD_ID_ASC"}, +{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, -{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "V2I_ASN1_BIT_STRING"}, +{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"}, +{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"}, {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"}, {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, @@ -107,11 +110,13 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, +{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"}, {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"}, {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"}, +{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"}, {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"}, {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, @@ -120,10 +125,10 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"}, -{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_GET_SECTION"}, +{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"}, {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"}, {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, -{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_PARSE_LIST"}, +{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, {0,NULL} @@ -149,8 +154,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"}, {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, +{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"}, +{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"}, {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"}, +{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"}, +{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"}, {ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"}, {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, {ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"}, @@ -162,6 +171,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"}, {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"}, {ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"}, +{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"}, {ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"}, {ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"}, {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"}, @@ -198,15 +208,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]= void ERR_load_X509V3_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) + { ERR_load_strings(0,X509V3_str_functs); ERR_load_strings(0,X509V3_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/crypto/x509v3/x509v3.h b/crypto/openssl/crypto/x509v3/x509v3.h index 34429828f073..91d2fb5b8baf 100644 --- a/crypto/openssl/crypto/x509v3/x509v3.h +++ b/crypto/openssl/crypto/x509v3/x509v3.h @@ -620,11 +620,161 @@ void X509_email_free(STACK *sk); ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); +int a2i_ipadd(unsigned char *ipout, const char *ipasc); int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, unsigned long chtype); void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); +#ifndef OPENSSL_NO_RFC3779 + +typedef struct ASRange_st { + ASN1_INTEGER *min, *max; +} ASRange; + +#define ASIdOrRange_id 0 +#define ASIdOrRange_range 1 + +typedef struct ASIdOrRange_st { + int type; + union { + ASN1_INTEGER *id; + ASRange *range; + } u; +} ASIdOrRange; + +typedef STACK_OF(ASIdOrRange) ASIdOrRanges; +DECLARE_STACK_OF(ASIdOrRange) + +#define ASIdentifierChoice_inherit 0 +#define ASIdentifierChoice_asIdsOrRanges 1 + +typedef struct ASIdentifierChoice_st { + int type; + union { + ASN1_NULL *inherit; + ASIdOrRanges *asIdsOrRanges; + } u; +} ASIdentifierChoice; + +typedef struct ASIdentifiers_st { + ASIdentifierChoice *asnum, *rdi; +} ASIdentifiers; + +DECLARE_ASN1_FUNCTIONS(ASRange) +DECLARE_ASN1_FUNCTIONS(ASIdOrRange) +DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice) +DECLARE_ASN1_FUNCTIONS(ASIdentifiers) + + +typedef struct IPAddressRange_st { + ASN1_BIT_STRING *min, *max; +} IPAddressRange; + +#define IPAddressOrRange_addressPrefix 0 +#define IPAddressOrRange_addressRange 1 + +typedef struct IPAddressOrRange_st { + int type; + union { + ASN1_BIT_STRING *addressPrefix; + IPAddressRange *addressRange; + } u; +} IPAddressOrRange; + +typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; +DECLARE_STACK_OF(IPAddressOrRange) + +#define IPAddressChoice_inherit 0 +#define IPAddressChoice_addressesOrRanges 1 + +typedef struct IPAddressChoice_st { + int type; + union { + ASN1_NULL *inherit; + IPAddressOrRanges *addressesOrRanges; + } u; +} IPAddressChoice; + +typedef struct IPAddressFamily_st { + ASN1_OCTET_STRING *addressFamily; + IPAddressChoice *ipAddressChoice; +} IPAddressFamily; + +typedef STACK_OF(IPAddressFamily) IPAddrBlocks; +DECLARE_STACK_OF(IPAddressFamily) + +DECLARE_ASN1_FUNCTIONS(IPAddressRange) +DECLARE_ASN1_FUNCTIONS(IPAddressOrRange) +DECLARE_ASN1_FUNCTIONS(IPAddressChoice) +DECLARE_ASN1_FUNCTIONS(IPAddressFamily) + +/* + * API tag for elements of the ASIdentifer SEQUENCE. + */ +#define V3_ASID_ASNUM 0 +#define V3_ASID_RDI 1 + +/* + * AFI values, assigned by IANA. It'd be nice to make the AFI + * handling code totally generic, but there are too many little things + * that would need to be defined for other address families for it to + * be worth the trouble. + */ +#define IANA_AFI_IPV4 1 +#define IANA_AFI_IPV6 2 + +/* + * Utilities to construct and extract values from RFC3779 extensions, + * since some of the encodings (particularly for IP address prefixes + * and ranges) are a bit tedious to work with directly. + */ +int v3_asid_add_inherit(ASIdentifiers *asid, int which); +int v3_asid_add_id_or_range(ASIdentifiers *asid, int which, + ASN1_INTEGER *min, ASN1_INTEGER *max); +int v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi); +int v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *a, const int prefixlen); +int v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *min, unsigned char *max); +unsigned v3_addr_get_afi(const IPAddressFamily *f); +int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, + unsigned char *min, unsigned char *max, + const int length); + +/* + * Canonical forms. + */ +int v3_asid_is_canonical(ASIdentifiers *asid); +int v3_addr_is_canonical(IPAddrBlocks *addr); +int v3_asid_canonize(ASIdentifiers *asid); +int v3_addr_canonize(IPAddrBlocks *addr); + +/* + * Tests for inheritance and containment. + */ +int v3_asid_inherits(ASIdentifiers *asid); +int v3_addr_inherits(IPAddrBlocks *addr); +int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b); +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b); + +/* + * Check whether RFC 3779 extensions nest properly in chains. + */ +int v3_asid_validate_path(X509_STORE_CTX *); +int v3_addr_validate_path(X509_STORE_CTX *); +int v3_asid_validate_resource_set(STACK_OF(X509) *chain, + ASIdentifiers *ext, + int allow_inheritance); +int v3_addr_validate_resource_set(STACK_OF(X509) *chain, + IPAddrBlocks *ext, + int allow_inheritance); + +#endif /* OPENSSL_NO_RFC3779 */ + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -634,6 +784,8 @@ void ERR_load_X509V3_strings(void); /* Error codes for the X509V3 functions. */ /* Function codes. */ +#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 156 +#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 157 #define X509V3_F_COPY_EMAIL 122 #define X509V3_F_COPY_ISSUER 123 #define X509V3_F_DO_DIRNAME 144 @@ -663,6 +815,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_SXNET_ADD_ID_ULONG 127 #define X509V3_F_SXNET_GET_ID_ASC 128 #define X509V3_F_SXNET_GET_ID_ULONG 129 +#define X509V3_F_V2I_ASIDENTIFIERS 158 #define X509V3_F_V2I_ASN1_BIT_STRING 101 #define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139 #define X509V3_F_V2I_AUTHORITY_KEYID 119 @@ -671,11 +824,13 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_V2I_EXTENDED_KEY_USAGE 103 #define X509V3_F_V2I_GENERAL_NAMES 118 #define X509V3_F_V2I_GENERAL_NAME_EX 117 +#define X509V3_F_V2I_IPADDRBLOCKS 159 #define X509V3_F_V2I_ISSUER_ALT 153 #define X509V3_F_V2I_NAME_CONSTRAINTS 147 #define X509V3_F_V2I_POLICY_CONSTRAINTS 146 #define X509V3_F_V2I_POLICY_MAPPINGS 145 #define X509V3_F_V2I_SUBJECT_ALT 154 +#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160 #define X509V3_F_V3_GENERIC_EXTENSION 116 #define X509V3_F_X509V3_ADD1_I2D 140 #define X509V3_F_X509V3_ADD_VALUE 105 @@ -710,8 +865,12 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151 #define X509V3_R_ILLEGAL_HEX_DIGIT 113 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152 +#define X509V3_R_INVALID_ASNUMBER 160 +#define X509V3_R_INVALID_ASRANGE 161 #define X509V3_R_INVALID_BOOLEAN_STRING 104 #define X509V3_R_INVALID_EXTENSION_STRING 105 +#define X509V3_R_INVALID_INHERITANCE 162 +#define X509V3_R_INVALID_IPADDRESS 163 #define X509V3_R_INVALID_NAME 106 #define X509V3_R_INVALID_NULL_ARGUMENT 107 #define X509V3_R_INVALID_NULL_NAME 108 @@ -723,6 +882,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 #define X509V3_R_INVALID_PROXY_POLICY_SETTING 153 #define X509V3_R_INVALID_PURPOSE 146 +#define X509V3_R_INVALID_SAFI 164 #define X509V3_R_INVALID_SECTION 135 #define X509V3_R_INVALID_SYNTAX 143 #define X509V3_R_ISSUER_DECODE_ERROR 126 diff --git a/crypto/openssl/doc/apps/ciphers.pod b/crypto/openssl/doc/apps/ciphers.pod index 5a071f5da38c..e16eadef21ee 100644 --- a/crypto/openssl/doc/apps/ciphers.pod +++ b/crypto/openssl/doc/apps/ciphers.pod @@ -146,7 +146,9 @@ export encryption algorithms. Including 40 and 56 bits algorithms. =item B -56 bit export encryption algorithms. +56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of +56 bit export ciphers is empty unless OpenSSL has been explicitly configured +with support for experimental ciphers. =item B, B diff --git a/crypto/openssl/doc/apps/s_client.pod b/crypto/openssl/doc/apps/s_client.pod index e1e1ba9865d0..c17a83a22581 100644 --- a/crypto/openssl/doc/apps/s_client.pod +++ b/crypto/openssl/doc/apps/s_client.pod @@ -184,7 +184,7 @@ command for more information. send the protocol-specific message(s) to switch to TLS for communication. B is a keyword for the intended protocol. Currently, the only -supported keywords are "smtp" and "pop3". +supported keywords are "smtp", "pop3", "imap", and "ftp". =item B<-engine id> diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod index a46378f0baae..a925da41f16a 100644 --- a/crypto/openssl/doc/apps/x509.pod +++ b/crypto/openssl/doc/apps/x509.pod @@ -404,13 +404,13 @@ B, B and B. a oneline format which is more readable than RFC2253. It is equivalent to specifying the B, B, B, B, B, -B, B, B, B and B +B, B, B, B and B options. =item B a multiline format. It is equivalent B, B, B, -B, B and B. +B, B and B. =item B @@ -510,7 +510,7 @@ diagnostic purpose. align field values for a more readable output. Only usable with B. -=item B +=item B places spaces round the B<=> character which follows the field name. @@ -620,7 +620,7 @@ Display the certificate subject name in RFC2253 form: Display the certificate subject name in oneline form on a terminal supporting UTF8: - openssl x509 -in cert.pem -noout -subject -nameopt oneline,-escmsb + openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb Display the certificate MD5 fingerprint: diff --git a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod index d662225b87ad..3891b88791dd 100644 --- a/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod +++ b/crypto/openssl/doc/crypto/ASN1_STRING_print_ex.pod @@ -43,9 +43,9 @@ interprets UTF8 sequences. Escaping takes several forms. -If the character being escaped is a 16 bit character then the form "\WXXXX" is used +If the character being escaped is a 16 bit character then the form "\UXXXX" is used using exactly four characters for the hex representation. If it is 32 bits then -"\UXXXXXXXX" is used using eight characters of its hex representation. These forms +"\WXXXXXXXX" is used using eight characters of its hex representation. These forms will only be used if UTF8 conversion is not set (see below). Printable characters are normally escaped using the backslash '\' character. If diff --git a/crypto/openssl/doc/crypto/BIO_set_callback.pod b/crypto/openssl/doc/crypto/BIO_set_callback.pod index 9b6961ca8d4a..47595562457b 100644 --- a/crypto/openssl/doc/crypto/BIO_set_callback.pod +++ b/crypto/openssl/doc/crypto/BIO_set_callback.pod @@ -17,7 +17,7 @@ BIO_debug_callback - BIO callback functions long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi, long argl,long ret); - typedef long callback(BIO *b, int oper, const char *argp, + typedef long (*callback)(BIO *b, int oper, const char *argp, int argi, long argl, long retvalue); =head1 DESCRIPTION diff --git a/crypto/openssl/doc/crypto/CONF_modules_free.pod b/crypto/openssl/doc/crypto/CONF_modules_free.pod index af8ae6a5c92d..87bc7b783c9e 100644 --- a/crypto/openssl/doc/crypto/CONF_modules_free.pod +++ b/crypto/openssl/doc/crypto/CONF_modules_free.pod @@ -2,7 +2,7 @@ =head1 NAME - CONF_modules_free, CONF_modules_load, CONF_modules_unload - + CONF_modules_free, CONF_modules_finish, CONF_modules_unload - OpenSSL configuration cleanup functions =head1 SYNOPSIS @@ -10,8 +10,8 @@ #include void CONF_modules_free(void); - void CONF_modules_unload(int all); void CONF_modules_finish(void); + void CONF_modules_unload(int all); =head1 DESCRIPTION diff --git a/crypto/openssl/doc/crypto/RAND_egd.pod b/crypto/openssl/doc/crypto/RAND_egd.pod index 62adbe19b29e..079838ea2e4a 100644 --- a/crypto/openssl/doc/crypto/RAND_egd.pod +++ b/crypto/openssl/doc/crypto/RAND_egd.pod @@ -50,7 +50,7 @@ non-blocking mode. Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is available from -http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html . +http://prngd.sourceforge.net/ . PRNGD does employ an internal PRNG itself and can therefore never run out of entropy. diff --git a/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod b/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod index 46cc8f535979..7d0fd1f91de9 100644 --- a/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod +++ b/crypto/openssl/doc/crypto/RSA_get_ex_new_index.pod @@ -17,12 +17,12 @@ RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data - add application specifi void *RSA_get_ex_data(RSA *r, int idx); - typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, - int idx, long argl, void *argp); + typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, + int idx, long argl, void *argp); + typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, + int idx, long argl, void *argp); =head1 DESCRIPTION diff --git a/crypto/openssl/doc/crypto/md5.pod b/crypto/openssl/doc/crypto/md5.pod index 6e6322dcdcc8..d11d5c32cbf3 100644 --- a/crypto/openssl/doc/crypto/md5.pod +++ b/crypto/openssl/doc/crypto/md5.pod @@ -12,10 +12,10 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md); - void MD2_Init(MD2_CTX *c); - void MD2_Update(MD2_CTX *c, const unsigned char *data, + int MD2_Init(MD2_CTX *c); + int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len); - void MD2_Final(unsigned char *md, MD2_CTX *c); + int MD2_Final(unsigned char *md, MD2_CTX *c); #include @@ -23,10 +23,10 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md); - void MD4_Init(MD4_CTX *c); - void MD4_Update(MD4_CTX *c, const void *data, + int MD4_Init(MD4_CTX *c); + int MD4_Update(MD4_CTX *c, const void *data, unsigned long len); - void MD4_Final(unsigned char *md, MD4_CTX *c); + int MD4_Final(unsigned char *md, MD4_CTX *c); #include @@ -34,10 +34,10 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md); - void MD5_Init(MD5_CTX *c); - void MD5_Update(MD5_CTX *c, const void *data, + int MD5_Init(MD5_CTX *c); + int MD5_Update(MD5_CTX *c, const void *data, unsigned long len); - void MD5_Final(unsigned char *md, MD5_CTX *c); + int MD5_Final(unsigned char *md, MD5_CTX *c); =head1 DESCRIPTION @@ -78,8 +78,8 @@ preferred. MD2(), MD4(), and MD5() return pointers to the hash value. MD2_Init(), MD2_Update(), MD2_Final(), MD4_Init(), MD4_Update(), -MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() do not return -values. +MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() return 1 for +success, 0 otherwise. =head1 CONFORMING TO diff --git a/crypto/openssl/doc/crypto/mdc2.pod b/crypto/openssl/doc/crypto/mdc2.pod index 11dc303e04f4..41f648af3636 100644 --- a/crypto/openssl/doc/crypto/mdc2.pod +++ b/crypto/openssl/doc/crypto/mdc2.pod @@ -11,10 +11,10 @@ MDC2, MDC2_Init, MDC2_Update, MDC2_Final - MDC2 hash function unsigned char *MDC2(const unsigned char *d, unsigned long n, unsigned char *md); - void MDC2_Init(MDC2_CTX *c); - void MDC2_Update(MDC2_CTX *c, const unsigned char *data, + int MDC2_Init(MDC2_CTX *c); + int MDC2_Update(MDC2_CTX *c, const unsigned char *data, unsigned long len); - void MDC2_Final(unsigned char *md, MDC2_CTX *c); + int MDC2_Final(unsigned char *md, MDC2_CTX *c); =head1 DESCRIPTION @@ -46,7 +46,7 @@ hash functions directly. MDC2() returns a pointer to the hash value. -MDC2_Init(), MDC2_Update() and MDC2_Final() do not return values. +MDC2_Init(), MDC2_Update() and MDC2_Final() return 1 for success, 0 otherwise. =head1 CONFORMING TO diff --git a/crypto/openssl/doc/crypto/ripemd.pod b/crypto/openssl/doc/crypto/ripemd.pod index 31054b6a8ccd..264bb99ae793 100644 --- a/crypto/openssl/doc/crypto/ripemd.pod +++ b/crypto/openssl/doc/crypto/ripemd.pod @@ -12,10 +12,10 @@ RIPEMD-160 hash function unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, unsigned char *md); - void RIPEMD160_Init(RIPEMD160_CTX *c); - void RIPEMD160_Update(RIPEMD_CTX *c, const void *data, + int RIPEMD160_Init(RIPEMD160_CTX *c); + int RIPEMD160_Update(RIPEMD_CTX *c, const void *data, unsigned long len); - void RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); + int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); =head1 DESCRIPTION @@ -47,8 +47,8 @@ hash functions directly. RIPEMD160() returns a pointer to the hash value. -RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() do not -return values. +RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() return 1 for +success, 0 otherwise. =head1 CONFORMING TO diff --git a/crypto/openssl/doc/crypto/sha.pod b/crypto/openssl/doc/crypto/sha.pod index 0ba315d6d7a3..94ab7bc72416 100644 --- a/crypto/openssl/doc/crypto/sha.pod +++ b/crypto/openssl/doc/crypto/sha.pod @@ -11,10 +11,10 @@ SHA1, SHA1_Init, SHA1_Update, SHA1_Final - Secure Hash Algorithm unsigned char *SHA1(const unsigned char *d, unsigned long n, unsigned char *md); - void SHA1_Init(SHA_CTX *c); - void SHA1_Update(SHA_CTX *c, const void *data, + int SHA1_Init(SHA_CTX *c); + int SHA1_Update(SHA_CTX *c, const void *data, unsigned long len); - void SHA1_Final(unsigned char *md, SHA_CTX *c); + int SHA1_Final(unsigned char *md, SHA_CTX *c); =head1 DESCRIPTION @@ -48,7 +48,7 @@ used only when backward compatibility is required. SHA1() returns a pointer to the hash value. -SHA1_Init(), SHA1_Update() and SHA1_Final() do not return values. +SHA1_Init(), SHA1_Update() and SHA1_Final() return 1 for success, 0 otherwise. =head1 CONFORMING TO diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod index f85775927dda..534643cd9de4 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod @@ -18,7 +18,7 @@ SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) long SSL_need_tmp_rsa(SSL *ssl) - RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); + RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength); =head1 DESCRIPTION diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod index 00883ed2a050..490337a32f0f 100644 --- a/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod +++ b/crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_get_timeout - retrieve and manipulate session time and timeout settings +SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_set_timeout - retrieve and manipulate session time and timeout settings =head1 SYNOPSIS diff --git a/crypto/openssl/openssl.spec b/crypto/openssl/openssl.spec index b7734f73225a..7ac35737acc5 100644 --- a/crypto/openssl/openssl.spec +++ b/crypto/openssl/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev d +%define librev e Release: 1 %define openssldir /var/ssl diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c index 78308111447f..d07a212facea 100644 --- a/crypto/openssl/ssl/d1_lib.c +++ b/crypto/openssl/ssl/d1_lib.c @@ -61,7 +61,7 @@ #include #include "ssl_locl.h" -const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT; +const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_enc, diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c index f8f451652556..8270419a8dce 100644 --- a/crypto/openssl/ssl/d1_pkt.c +++ b/crypto/openssl/ssl/d1_pkt.c @@ -533,11 +533,7 @@ int dtls1_get_record(SSL *s) n2s(p,rr->length); /* Lets check version */ - if (s->first_packet) - { - s->first_packet=0; - } - else + if (!s->first_packet) { if (version != s->version) { diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c index ffa8d52e7063..106428273078 100644 --- a/crypto/openssl/ssl/kssl.c +++ b/crypto/openssl/ssl/kssl.c @@ -784,6 +784,25 @@ kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, } #endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ + +/* memory allocation functions for non-temporary storage + * (e.g. stuff that gets saved into the kssl context) */ +static void* kssl_calloc(size_t nmemb, size_t size) +{ + void* p; + + p=OPENSSL_malloc(nmemb*size); + if (p){ + memset(p, 0, nmemb*size); + } + return p; +} + +#define kssl_malloc(size) OPENSSL_malloc((size)) +#define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) +#define kssl_free(ptr) OPENSSL_free((ptr)) + + char *kstring(char *string) { @@ -1548,7 +1567,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, KSSL_CTX * kssl_ctx_new(void) { - return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX))); + return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX))); } @@ -1562,13 +1581,13 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); - if (kssl_ctx->key) free(kssl_ctx->key); - if (kssl_ctx->client_princ) free(kssl_ctx->client_princ); - if (kssl_ctx->service_host) free(kssl_ctx->service_host); - if (kssl_ctx->service_name) free(kssl_ctx->service_name); - if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file); + if (kssl_ctx->key) kssl_free(kssl_ctx->key); + if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ); + if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host); + if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name); + if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file); - free(kssl_ctx); + kssl_free(kssl_ctx); return (KSSL_CTX *) NULL; } @@ -1593,7 +1612,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, case KSSL_SERVER: princ = &kssl_ctx->service_host; break; default: return KSSL_CTX_ERR; break; } - if (*princ) free(*princ); + if (*princ) kssl_free(*princ); /* Add up all the entity->lengths */ length = 0; @@ -1606,7 +1625,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, /* Space for the ('@'+realm+NULL | NULL) */ length += ((realm)? realm->length + 2: 1); - if ((*princ = calloc(1, length)) == NULL) + if ((*princ = kssl_calloc(1, length)) == NULL) return KSSL_CTX_ERR; else { @@ -1649,7 +1668,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; default: return KSSL_CTX_ERR; break; } - if (*string) free(*string); + if (*string) kssl_free(*string); if (!text) { @@ -1657,7 +1676,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) return KSSL_CTX_OK; } - if ((*string = calloc(1, strlen(text) + 1)) == NULL) + if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) return KSSL_CTX_ERR; else strcpy(*string, text); @@ -1681,7 +1700,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) if (kssl_ctx->key) { OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); - free(kssl_ctx->key); + kssl_free(kssl_ctx->key); } if (session) @@ -1707,7 +1726,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) } if ((kssl_ctx->key = - (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL) + (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL) { kssl_ctx->length = 0; return KSSL_CTX_ERR; diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index ed4ee72393ef..769dabdbb83c 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -574,7 +574,6 @@ static int ssl23_get_server_hello(SSL *s) if (!ssl_get_new_session(s,0)) goto err; - s->first_packet=1; return(SSL_connect(s)); err: return(-1); diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c index da4f377e76ea..6637bb954906 100644 --- a/crypto/openssl/ssl/s23_srvr.c +++ b/crypto/openssl/ssl/s23_srvr.c @@ -565,7 +565,6 @@ int ssl23_get_client_hello(SSL *s) s->init_num=0; if (buf != buf_space) OPENSSL_free(buf); - s->first_packet=1; return(SSL_accept(s)); err: if (buf != buf_space) OPENSSL_free(buf); diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c index 18882bf70487..1f62acd5b1e6 100644 --- a/crypto/openssl/ssl/s2_enc.c +++ b/crypto/openssl/ssl/s2_enc.c @@ -82,15 +82,18 @@ int ssl2_enc_init(SSL *s, int client) ((s->enc_read_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; + + /* make sure it's intialized in case the malloc for enc_write_ctx fails + * and we exit with an error */ + rs= s->enc_read_ctx; + EVP_CIPHER_CTX_init(rs); + if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; - rs= s->enc_read_ctx; ws= s->enc_write_ctx; - - EVP_CIPHER_CTX_init(rs); EVP_CIPHER_CTX_init(ws); num=c->key_len; diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c index def3a6e89afd..10751b22baf8 100644 --- a/crypto/openssl/ssl/s2_lib.c +++ b/crypto/openssl/ssl/s2_lib.c @@ -63,7 +63,7 @@ #include #include -const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; +const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 26788858d757..278be82294cd 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -1796,8 +1796,10 @@ int ssl3_send_client_key_exchange(SSL *s) n+=2; } - if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) - goto err; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; + if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) + goto err; /* 20010420 VRS. Tried it this way; failed. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 561a9846e974..2859351b001f 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -221,6 +221,9 @@ int ssl3_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP @@ -254,6 +257,9 @@ int ssl3_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP @@ -279,7 +285,6 @@ int ssl3_change_cipher_state(SSL *s, int which) if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 0eff243c1298..28eaf9ddeb8e 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -132,7 +132,7 @@ #endif #include -const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; +const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) @@ -568,7 +568,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -624,7 +624,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -694,7 +694,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -736,7 +736,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index d0f54e297bb7..44c7c143fe7e 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -277,11 +277,7 @@ static int ssl3_get_record(SSL *s) n2s(p,rr->length); /* Lets check version */ - if (s->first_packet) - { - s->first_packet=0; - } - else + if (!s->first_packet) { if (version != s->version) { diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 098eea13ce77..9414cf09fb64 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -300,8 +300,9 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH or anon ECDH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + /* Check if it is anon DH or anon ECDH or KRB5 */ + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -679,9 +680,9 @@ int ssl3_get_client_hello(SSL *s) */ if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { - s->first_packet=1; s->state=SSL3_ST_SR_CLNT_HELLO_B; } + s->first_packet=1; n=s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, @@ -690,6 +691,7 @@ int ssl3_get_client_hello(SSL *s) &ok); if (!ok) return((int)n); + s->first_packet=0; d=p=(unsigned char *)s->init_msg; /* use version from inside client hello, not from record header @@ -1995,6 +1997,25 @@ int ssl3_get_client_key_exchange(SSL *s) SSL_R_DATA_LENGTH_TOO_LONG); goto err; } + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + { + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send random bytes instead of + * the protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. + * (Perhaps we should have a separate BUG value for the Kerberos cipher) + */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_AD_DECODE_ERROR); + goto err; + } + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); s->session->master_key_length= @@ -2042,7 +2063,7 @@ int ssl3_get_client_key_exchange(SSL *s) if (l & SSL_kECDH) { /* use the certificate */ - tkey = s->cert->key->privatekey->pkey.ec; + tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; } else { diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index 83f1fee80461..2e067e7a78e4 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -319,7 +319,7 @@ extern "C" { #ifdef OPENSSL_NO_CAMELLIA # define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ #else -# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:-ECCdraft:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ +# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ #endif /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ @@ -791,18 +791,18 @@ struct ssl_ctx_st #define SSL_CTX_sess_cache_full(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) -#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) -#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) -#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) -#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) -#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) -#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) -#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) -#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) -#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) -#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) -#define SSL_CTX_set_cookie_generate_cb(ctx,cb) ((ctx)->app_gen_cookie_cb=(cb)) -#define SSL_CTX_set_cookie_verify_cb(ctx,cb) ((ctx)->app_verify_cookie_cb=(cb)) +void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess)); +int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); +void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess)); +void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); +void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy)); +SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy); +void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val)); +void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); +void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); +int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); +void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); +void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); #define SSL_NOTHING 1 #define SSL_WRITING 2 diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index 933d487ca0b7..9bb770da2729 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -432,9 +432,18 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, *tail=curr; } -static unsigned long ssl_cipher_get_disabled(void) +struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9, + * where 128-bit and 256-bit algorithms simply will get + * separate bits. */ + unsigned long mask; /* everything except m256 */ + unsigned long m256; /* applies to 256-bit algorithms only */ +}; + +struct disabled_masks ssl_cipher_get_disabled(void) { unsigned long mask; + unsigned long m256; + struct disabled_masks ret; mask = SSL_kFZA; #ifdef OPENSSL_NO_RSA @@ -462,18 +471,26 @@ static unsigned long ssl_cipher_get_disabled(void) mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; - mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; - mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; - return(mask); + /* finally consider algorithms where mask and m256 differ */ + m256 = mask; + mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; + mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; + m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0; + m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0; + + ret.mask = mask; + ret.m256 = m256; + return ret; } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) + int num_of_ciphers, unsigned long mask, unsigned long m256, + CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) { int i, co_list_num; SSL_CIPHER *c; @@ -490,8 +507,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); +#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask)) /* drop those that use any of that is not available */ - if ((c != NULL) && c->valid && !(c->algorithms & mask)) + if ((c != NULL) && c->valid && !IS_MASKED(c)) { co_list[co_list_num].cipher = c; co_list[co_list_num].next = NULL; @@ -898,7 +916,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * rest of the command, if any left, until * end or ':' is found. */ - while ((*l != '\0') && ITEM_SEP(*l)) + while ((*l != '\0') && !ITEM_SEP(*l)) l++; } else if (found) @@ -909,7 +927,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else { - while ((*l != '\0') && ITEM_SEP(*l)) + while ((*l != '\0') && !ITEM_SEP(*l)) l++; } if (*l == '\0') break; /* done */ @@ -925,6 +943,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mask; + unsigned long disabled_m256; STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; @@ -940,7 +959,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * To reduce the work to do we only want to process the compiled * in algorithms, so we first get the mask of disabled ciphers. */ - disabled_mask = ssl_cipher_get_disabled(); + { + struct disabled_masks d; + d = ssl_cipher_get_disabled(); + disabled_mask = d.mask; + disabled_m256 = d.m256; + } /* * Now we have to collect the available ciphers from the compiled @@ -959,7 +983,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, - co_list, &head, &tail); + disabled_m256, co_list, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. @@ -979,8 +1003,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, - head); + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + (disabled_mask & disabled_m256), head); /* * If the rule_string begins with DEFAULT, apply the default rule diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c index 4a4ba685267e..e7f4d93c7dc4 100644 --- a/crypto/openssl/ssl/ssl_err.c +++ b/crypto/openssl/ssl/ssl_err.c @@ -204,7 +204,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, -{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_LOAD_CLIENT_CA_FILE"}, +{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, @@ -486,15 +486,12 @@ static ERR_STRING_DATA SSL_str_reasons[]= void ERR_load_SSL_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) + { ERR_load_strings(0,SSL_str_functs); ERR_load_strings(0,SSL_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 4971b34375fb..4e81922d7588 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -2416,14 +2416,14 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, #endif void SSL_set_info_callback(SSL *ssl, - void (*cb)(const SSL *ssl,int type,int val)) + void (*cb)(const SSL *ssl,int type,int val)) { ssl->info_callback=cb; } /* One compiler (Diab DCC) doesn't like argument names in returned function pointer. */ -void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) +void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) { return ssl->info_callback; } diff --git a/crypto/openssl/ssl/ssl_sess.c b/crypto/openssl/ssl/ssl_sess.c index 2f26593c7008..f80eee6e3729 100644 --- a/crypto/openssl/ssl/ssl_sess.c +++ b/crypto/openssl/ssl/ssl_sess.c @@ -580,7 +580,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->kssl_ctx && !s->kssl_ctx->client_princ && session->krb5_client_princ_len > 0) { - s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1); + s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1); memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ, session->krb5_client_princ_len); s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0'; @@ -765,3 +765,72 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) } } +void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, + int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess)) + { + ctx->new_session_cb=cb; + } + +int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) + { + return ctx->new_session_cb; + } + +void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, + void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess)) + { + ctx->remove_session_cb=cb; + } + +void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess) + { + return ctx->remove_session_cb; + } + +void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, + SSL_SESSION *(*cb)(struct ssl_st *ssl, + unsigned char *data,int len,int *copy)) + { + ctx->get_session_cb=cb; + } + +SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, + unsigned char *data,int len,int *copy) + { + return ctx->get_session_cb; + } + +void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*cb)(const SSL *ssl,int type,int val)) + { + ctx->info_callback=cb; + } + +void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val) + { + return ctx->info_callback; + } + +void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) + { + ctx->client_cert_cb=cb; + } + +int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey) + { + return ctx->client_cert_cb; + } + +void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) + { + ctx->app_gen_cookie_cb=cb; + } + +void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) + { + ctx->app_verify_cookie_cb=cb; + } + diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index e0ce681574b9..68448b98caca 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -267,6 +267,9 @@ int tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP @@ -301,10 +304,9 @@ int tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; - if ((s->enc_write_ctx == NULL) && - ((s->enc_write_ctx=(EVP_CIPHER_CTX *) - OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) - goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP @@ -331,7 +333,6 @@ int tls1_change_cipher_state(SSL *s, int which) if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index d4516eba71e0..1ecbbcb8fb1f 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -60,7 +60,7 @@ #include #include "ssl_locl.h" -const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT; +const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; SSL3_ENC_METHOD TLSv1_enc_data={ tls1_enc, diff --git a/crypto/openssl/test/Makefile b/crypto/openssl/test/Makefile index 79830876e685..859088f3ef37 100644 --- a/crypto/openssl/test/Makefile +++ b/crypto/openssl/test/Makefile @@ -532,6 +532,9 @@ hmactest.o: ../include/openssl/safestack.h ../include/openssl/stack.h hmactest.o: ../include/openssl/symhacks.h hmactest.c ideatest.o: ../e_os.h ../include/openssl/e_os2.h ../include/openssl/idea.h ideatest.o: ../include/openssl/opensslconf.h ideatest.c +igetest.o: ../include/openssl/aes.h ../include/openssl/e_os2.h +igetest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h +igetest.o: ../include/openssl/rand.h igetest.c md2test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h md2test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h md2test.o: ../include/openssl/evp.h ../include/openssl/md2.h diff --git a/crypto/openssl/tools/c_rehash b/crypto/openssl/tools/c_rehash index 3e9ba1efe490..e614fb546667 100644 --- a/crypto/openssl/tools/c_rehash +++ b/crypto/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/perl # Perl c_rehash script, scan all files in a directory diff --git a/crypto/openssl/util/libeay.num b/crypto/openssl/util/libeay.num index aa059f68d5f2..a8a0ff6b9d62 100755 --- a/crypto/openssl/util/libeay.num +++ b/crypto/openssl/util/libeay.num @@ -3409,3 +3409,104 @@ EVP_camellia_256_cfb1 3809 EXIST::FUNCTION:CAMELLIA EVP_camellia_256_cfb8 3810 EXIST::FUNCTION:CAMELLIA EVP_camellia_256_ecb 3811 EXIST::FUNCTION:CAMELLIA EVP_camellia_256_ofb 3812 EXIST::FUNCTION:CAMELLIA +a2i_ipadd 3813 EXIST::FUNCTION: +ASIdentifiers_free 3814 EXIST::FUNCTION:RFC3779 +i2d_ASIdOrRange 3815 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_block_size 3816 EXIST::FUNCTION: +v3_asid_is_canonical 3817 EXIST::FUNCTION:RFC3779 +IPAddressChoice_free 3818 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_CTX_set_app_data 3819 EXIST::FUNCTION: +BIO_set_callback_arg 3820 EXIST::FUNCTION: +v3_addr_add_prefix 3821 EXIST::FUNCTION:RFC3779 +IPAddressOrRange_it 3822 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressOrRange_it 3822 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +BIO_set_flags 3823 EXIST::FUNCTION: +ASIdentifiers_it 3824 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdentifiers_it 3824 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +v3_addr_get_range 3825 EXIST::FUNCTION:RFC3779 +BIO_method_type 3826 EXIST::FUNCTION: +v3_addr_inherits 3827 EXIST::FUNCTION:RFC3779 +IPAddressChoice_it 3828 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressChoice_it 3828 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +AES_ige_encrypt 3829 EXIST::FUNCTION:AES +v3_addr_add_range 3830 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_CTX_nid 3831 EXIST::FUNCTION: +d2i_ASRange 3832 EXIST::FUNCTION:RFC3779 +v3_addr_add_inherit 3833 EXIST::FUNCTION:RFC3779 +v3_asid_add_id_or_range 3834 EXIST::FUNCTION:RFC3779 +v3_addr_validate_resource_set 3835 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_iv_length 3836 EXIST::FUNCTION: +EVP_MD_type 3837 EXIST::FUNCTION: +v3_asid_canonize 3838 EXIST::FUNCTION:RFC3779 +IPAddressRange_free 3839 EXIST::FUNCTION:RFC3779 +v3_asid_add_inherit 3840 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_CTX_key_length 3841 EXIST::FUNCTION: +IPAddressRange_new 3842 EXIST::FUNCTION:RFC3779 +ASIdOrRange_new 3843 EXIST::FUNCTION:RFC3779 +EVP_MD_size 3844 EXIST::FUNCTION: +EVP_MD_CTX_test_flags 3845 EXIST::FUNCTION: +BIO_clear_flags 3846 EXIST::FUNCTION: +i2d_ASRange 3847 EXIST::FUNCTION:RFC3779 +IPAddressRange_it 3848 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressRange_it 3848 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +IPAddressChoice_new 3849 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_new 3850 EXIST::FUNCTION:RFC3779 +ASRange_free 3851 EXIST::FUNCTION:RFC3779 +EVP_MD_pkey_type 3852 EXIST::FUNCTION: +EVP_MD_CTX_clear_flags 3853 EXIST::FUNCTION: +IPAddressFamily_free 3854 EXIST::FUNCTION:RFC3779 +i2d_IPAddressFamily 3855 EXIST::FUNCTION:RFC3779 +IPAddressOrRange_new 3856 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_flags 3857 EXIST::FUNCTION: +v3_asid_validate_resource_set 3858 EXIST::FUNCTION:RFC3779 +d2i_IPAddressRange 3859 EXIST::FUNCTION:RFC3779 +AES_bi_ige_encrypt 3860 EXIST::FUNCTION:AES +BIO_get_callback 3861 EXIST::FUNCTION: +IPAddressOrRange_free 3862 EXIST::FUNCTION:RFC3779 +v3_addr_subset 3863 EXIST::FUNCTION:RFC3779 +d2i_IPAddressFamily 3864 EXIST::FUNCTION:RFC3779 +v3_asid_subset 3865 EXIST::FUNCTION:RFC3779 +BIO_test_flags 3866 EXIST::FUNCTION: +i2d_ASIdentifierChoice 3867 EXIST::FUNCTION:RFC3779 +ASRange_it 3868 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASRange_it 3868 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +d2i_ASIdentifiers 3869 EXIST::FUNCTION:RFC3779 +ASRange_new 3870 EXIST::FUNCTION:RFC3779 +d2i_IPAddressChoice 3871 EXIST::FUNCTION:RFC3779 +v3_addr_get_afi 3872 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_key_length 3873 EXIST::FUNCTION: +EVP_Cipher 3874 EXIST::FUNCTION: +i2d_IPAddressOrRange 3875 EXIST::FUNCTION:RFC3779 +ASIdOrRange_it 3876 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdOrRange_it 3876 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +EVP_CIPHER_nid 3877 EXIST::FUNCTION: +i2d_IPAddressChoice 3878 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_CTX_block_size 3879 EXIST::FUNCTION: +ASIdentifiers_new 3880 EXIST::FUNCTION:RFC3779 +v3_addr_validate_path 3881 EXIST::FUNCTION:RFC3779 +IPAddressFamily_new 3882 EXIST::FUNCTION:RFC3779 +EVP_MD_CTX_set_flags 3883 EXIST::FUNCTION: +v3_addr_is_canonical 3884 EXIST::FUNCTION:RFC3779 +i2d_IPAddressRange 3885 EXIST::FUNCTION:RFC3779 +IPAddressFamily_it 3886 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressFamily_it 3886 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +v3_asid_inherits 3887 EXIST::FUNCTION:RFC3779 +EVP_CIPHER_CTX_cipher 3888 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_app_data 3889 EXIST::FUNCTION: +EVP_MD_block_size 3890 EXIST::FUNCTION: +EVP_CIPHER_CTX_flags 3891 EXIST::FUNCTION: +v3_asid_validate_path 3892 EXIST::FUNCTION:RFC3779 +d2i_IPAddressOrRange 3893 EXIST::FUNCTION:RFC3779 +v3_addr_canonize 3894 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_it 3895 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdentifierChoice_it 3895 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +EVP_MD_CTX_md 3896 EXIST::FUNCTION: +d2i_ASIdentifierChoice 3897 EXIST::FUNCTION:RFC3779 +BIO_method_name 3898 EXIST::FUNCTION: +EVP_CIPHER_CTX_iv_length 3899 EXIST::FUNCTION: +ASIdOrRange_free 3900 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_free 3901 EXIST::FUNCTION:RFC3779 +BIO_get_callback_arg 3902 EXIST::FUNCTION: +BIO_set_callback 3903 EXIST::FUNCTION: +d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 +i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 diff --git a/crypto/openssl/util/mk1mf.pl b/crypto/openssl/util/mk1mf.pl index eb6141795547..863e5e40f6f9 100755 --- a/crypto/openssl/util/mk1mf.pl +++ b/crypto/openssl/util/mk1mf.pl @@ -1022,6 +1022,7 @@ sub read_options "dll" => \$shlib, "shared" => 0, "no-gmp" => 0, + "no-rfc3779" => 0, "no-shared" => 0, "no-zlib" => 0, "no-zlib-dynamic" => 0, diff --git a/crypto/openssl/util/mkdef.pl b/crypto/openssl/util/mkdef.pl index 38b92bcedfa8..352932f349d8 100755 --- a/crypto/openssl/util/mkdef.pl +++ b/crypto/openssl/util/mkdef.pl @@ -94,6 +94,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM", # Engines "STATIC_ENGINE", "ENGINE", "HW", "GMP", + # RFC3779 support + "RFC3779", # Deprecated functions "DEPRECATED" ); @@ -113,6 +115,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia; my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated; +my $no_rfc3779; foreach (@ARGV, split(/ /, $options)) @@ -189,6 +192,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } elsif (/^no-gmp$/) { $no_gmp=1; } + elsif (/^no-rfc3779$/) { $no_rfc3779=1; } } @@ -1106,6 +1110,7 @@ sub is_valid if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } + if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; } if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; } # Nothing recognise as true diff --git a/crypto/openssl/util/mkerr.pl b/crypto/openssl/util/mkerr.pl index 399b10e1a338..fac7125ff3f1 100644 --- a/crypto/openssl/util/mkerr.pl +++ b/crypto/openssl/util/mkerr.pl @@ -135,6 +135,8 @@ while (($hdr, $lib) = each %libinc) print STDERR " \r" if $debug; $defnr = 0; + # Delete any DECLARE_ macros + $def =~ s/DECLARE_\w+\([\w,\s]+\)//gs; foreach (split /;/, $def) { $defnr++; print STDERR "def: $defnr\r" if $debug; @@ -147,6 +149,9 @@ while (($hdr, $lib) = each %libinc) # Skip over recognized non-function declarations next if(/typedef\W/ or /DECLARE_STACK_OF/ or /TYPEDEF_.*_OF/); + # Remove STACK_OF(foo) + s/STACK_OF\(\w+\)/void/; + # Reduce argument lists to empty () # fold round brackets recursively: (t(*v)(t),t) -> (t{}{},t) -> {} while(/\(.*\)/s) { @@ -595,17 +600,14 @@ if($static) { ${staticloader}void ERR_load_${lib}_strings(void) { - static int init=1; - - if (init) - { - init=0; #ifndef OPENSSL_NO_ERR + + if (ERR_func_error_string(${lib}_str_functs[0].error) == NULL) + { ERR_load_strings($load_errcode,${lib}_str_functs); ERR_load_strings($load_errcode,${lib}_str_reasons); -#endif - } +#endif } EOF } else { diff --git a/crypto/openssl/util/ssleay.num b/crypto/openssl/util/ssleay.num index e285a0f96f34..b424aecc52c5 100755 --- a/crypto/openssl/util/ssleay.num +++ b/crypto/openssl/util/ssleay.num @@ -226,3 +226,15 @@ DTLSv1_server_method 275 EXIST::FUNCTION: SSL_COMP_get_compression_methods 276 EXIST:!VMS:FUNCTION:COMP SSL_COMP_get_compress_methods 276 EXIST:VMS:FUNCTION:COMP SSL_SESSION_get_id 277 EXIST::FUNCTION: +SSL_CTX_sess_set_new_cb 278 EXIST::FUNCTION: +SSL_CTX_sess_get_get_cb 279 EXIST::FUNCTION: +SSL_CTX_sess_set_get_cb 280 EXIST::FUNCTION: +SSL_CTX_set_cookie_verify_cb 281 EXIST::FUNCTION: +SSL_CTX_get_info_callback 282 EXIST::FUNCTION: +SSL_CTX_set_cookie_generate_cb 283 EXIST::FUNCTION: +SSL_CTX_set_client_cert_cb 284 EXIST::FUNCTION: +SSL_CTX_sess_set_remove_cb 285 EXIST::FUNCTION: +SSL_CTX_set_info_callback 286 EXIST::FUNCTION: +SSL_CTX_sess_get_new_cb 287 EXIST::FUNCTION: +SSL_CTX_get_client_cert_cb 288 EXIST::FUNCTION: +SSL_CTX_sess_get_remove_cb 289 EXIST::FUNCTION: