d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial import of OpenSSL 0.9.6c

Browse Source
This commit is contained in:
kris 2002-01-27 03:13:07 +00:00
parent 3b19ada1e8
commit 1f8c2aa176
149 changed files with 5488 additions and 839 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

246
crypto/openssl/CHANGES
View File

@ -2,6 +2,246 @@
OpenSSL CHANGES
_______________
Changes between 0.9.6b and 0.9.6c [21 dec 2001]
*) Fix BN_rand_range bug pointed out by Dominikus Scherkl
<Dominikus.Scherkl@biodata.com>. (The previous implementation
worked incorrectly for those cases where range = 10..._2 and
3*range is two bits longer than range.)
[Bodo Moeller]
*) Only add signing time to PKCS7 structures if it is not already
present.
[Steve Henson]
*) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce",
OBJ_ld_ce should be OBJ_id_ce.
Also some ip-pda OIDs in crypto/objects/objects.txt were
incorrect (cf. RFC 3039).
[Matt Cooper, Frederic Giudicelli, Bodo Moeller]
*) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
returns early because it has nothing to do.
[Andy Schneider <andy.schneider@bjss.co.uk>]
*) [In 0.9.6c-engine release:]
Fix mutex callback return values in crypto/engine/hw_ncipher.c.
[Andy Schneider <andy.schneider@bjss.co.uk>]
*) [In 0.9.6c-engine release:]
Add support for Cryptographic Appliance's keyserver technology.
(Use engine 'keyclient')
[Cryptographic Appliances and Geoff Thorpe]
*) Add a configuration entry for OS/390 Unix. The C compiler 'c89'
is called via tools/c89.sh because arguments have to be
rearranged (all '-L' options must appear before the first object
modules).
[Richard Shapiro <rshapiro@abinitio.com>]
*) [In 0.9.6c-engine release:]
Add support for Broadcom crypto accelerator cards, backported
from 0.9.7.
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
*) [In 0.9.6c-engine release:]
Add support for SureWare crypto accelerator cards from
Baltimore Technologies. (Use engine 'sureware')
[Baltimore Technologies and Mark Cox]
*) [In 0.9.6c-engine release:]
Add support for crypto accelerator cards from Accelerated
Encryption Processing, www.aep.ie. (Use engine 'aep')
[AEP Inc. and Mark Cox]
*) Add a configuration entry for gcc on UnixWare.
[Gary Benson <gbenson@redhat.com>]
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
messages are stored in a single piece (fixed-length part and
variable-length part combined) and fix various bugs found on the way.
[Bodo Moeller]
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
instead. BIO_gethostbyname() does not know what timeouts are
appropriate, so entries would stay in cache even when they have
become invalid.
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
faced with a pathologically small ClientHello fragment that does
not contain client_version: Instead of aborting with an error,
simply choose the highest available protocol version (i.e.,
TLS 1.0 unless it is disabled). In practice, ClientHello
messages are never sent like this, but this change gives us
strictly correct behaviour at least for TLS.
[Bodo Moeller]
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
never resets s->method to s->ctx->method when called from within
one of the SSL handshake functions.
[Bodo Moeller; problem pointed out by Niko Baric]
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
(sent using the client's version number) if client_version is
smaller than the protocol version in use. Also change
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
the client will at least see that alert.
[Bodo Moeller]
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
correctly.
[Bodo Moeller]
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
client receives HelloRequest while in a handshake.
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
should end in 'break', not 'goto end' which circuments various
cleanups done in state SSL_ST_OK. But session related stuff
must be disabled for SSL_ST_OK in the case that we just sent a
HelloRequest.
Also avoid some overhead by not calling ssl_init_wbio_buffer()
before just sending a HelloRequest.
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
reveal whether illegal block cipher padding was found or a MAC
verification error occured. (Neither SSLerr() codes nor alerts
are directly visible to potential attackers, but the information
may leak via logfiles.)
Similar changes are not required for the SSL 2.0 implementation
because the number of padding bytes is sent in clear for SSL 2.0,
and the extra bytes are just ignored. However ssl/s2_pkt.c
failed to verify that the purported number of padding bytes is in
the legal range.
[Bodo Moeller]
*) Add OpenUNIX-8 support including shared libraries
(Boyd Lynn Gerber <gerberb@zenez.com>).
[Lutz Jaenicke]
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
'wristwatch attack' using huge encoding parameters (cf.
James H. Manger's CRYPTO 2001 paper). Note that the
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
encoding parameters and hence was not vulnerable.
[Bodo Moeller]
*) BN_sqr() bug fix.
[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
followed by modular reduction.
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
equivalent based on BN_pseudo_rand() instead of BN_rand().
[Bodo Moeller]
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
This function was broken, as the check for a new client hello message
to handle SGC did not allow these large messages.
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
[Lutz Jaenicke]
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
[Lutz Jaenicke]
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
[Lutz Jaenicke]
*) Rework the configuration and shared library support for Tru64 Unix.
The configuration part makes use of modern compiler features and
still retains old compiler behavior for those that run older versions
of the OS. The shared library support part includes a variant that
uses the RPATH feature, and is available through the special
configuration target "alpha-cc-rpath", which will never be selected
automatically.
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
with the same message size as in ssl3_get_certificate_request().
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
messages might inadvertently be reject as too long.
[Petr Lampa <lampa@fee.vutbr.cz>]
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
[Andy Polyakov]
*) Modified SSL library such that the verify_callback that has been set
specificly for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
to allow the necessary settings.
[Lutz Jaenicke]
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
explicitly to NULL, as at least on Solaris 8 this seems not always to be
done automatically (in contradiction to the requirements of the C
standard). This made problems when used from OpenSSH.
[Lutz Jaenicke]
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
dh->length and always used
BN_rand_range(priv_key, dh->p).
BN_rand_range() is not necessary for Diffie-Hellman, and this
specific range makes Diffie-Hellman unnecessarily inefficient if
dh->length (recommended exponent length) is much smaller than the
length of dh->p. We could use BN_rand_range() if the order of
the subgroup was stored in the DH structure, but we only have
dh->length.
So switch back to
BN_rand(priv_key, l, ...)
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
otherwise.
[Bodo Moeller]
*) In
RSA_eay_public_encrypt
RSA_eay_private_decrypt
RSA_eay_private_encrypt (signing)
RSA_eay_public_decrypt (signature verification)
(default implementations for RSA_public_encrypt,
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
always reject numbers >= n.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
to synchronize access to 'locking_thread'. This is necessary on
systems where access to 'locking_thread' (an 'unsigned long'
variable) is not atomic.
[Bodo Moeller]
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
*before* setting the 'crypto_lock_rand' flag. The previous code had
a race condition if 0 is a valid thread ID.
[Travis Vitek <vitek@roguewave.com>]
*) Add support for shared libraries under Irix.
[Albert Chin-A-Young <china@thewrittenword.com>]
*) Add configuration option to build on Linux on both big-endian and
little-endian MIPS.
[Ralf Baechle <ralf@uni-koblenz.de>]
*) Add the possibility to create shared libraries on HP-UX.
[Richard Levitte]
Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
@ -56,7 +296,7 @@
[Ulf Möller, Bodo Möller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
when fixing the server behaviour for backwards-compatible 'client
hello' messages. (Note that the attack is impractical against
SSL 3.0 and TLS 1.0 anyway because length and version checking
@ -106,7 +346,7 @@
combination of a flag and a thread ID variable.
Otherwise while one thread is in ssleay_rand_bytes (which sets the
flag), *other* threads can enter ssleay_add_bytes without obeying
the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
that they do not hold after the first thread unsets add_do_not_lock).
[Bodo Moeller]
@ -748,7 +988,7 @@
default is static libraries only, and the OpenSSL programs
are always statically linked for now, but there are
preparations for dynamic linking in place.
This has been tested on Linux and True64.
This has been tested on Linux and Tru64.
[Richard Levitte]
*) Randomness polling function for Win9x, as described in:

143
crypto/openssl/Configure
View File

@ -116,10 +116,10 @@ my %table=(
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
"dist", "cc:-O::(unknown):::::",
# Basic configs that should work on any (32 and less bit) box
@ -132,21 +132,21 @@ my %table=(
# surrounds it with #APP #NO_APP comment pair which (at least Solaris
# 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
# error message.
"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Solaris x86 with Sun C setups
"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SPARC Solaris with GNU C setups
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
# but keep the assembler modules.
"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
####
"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SPARC Solaris with Sun C setups
# DO NOT use /xO[34] on sparc with SC3.0. It is broken, and will not pass the tests
@ -180,17 +180,17 @@ my %table=(
#### IRIX 5.x configs
# -mips2 flag is added by ./config when appropriate.
"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::",
"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::",
"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### IRIX 6.x configs
# Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
# './Configure irix-[g]cc' manually.
# -mips4 flag is added by ./config when appropriate.
"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}",
"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}",
"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# N64 ABI builds.
"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}",
"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}",
"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Unified HP-UX ANSI C configs.
# Special notes:
@ -222,41 +222,44 @@ my %table=(
#
#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
# Since there is mention of this in shlib/hpux10-cc.sh
"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn",
"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# More attempts at unified 10.X and 11.X targets for HP C compiler.
#
# Chris Ruemmler <ruemmler@cup.hp.com>
# Kevin Steves <ks@hp.se>
"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl",
"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl",
"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn",
"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl",
"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# HPUX 9.X config.
# Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or
# egcs. gcc 2.8.1 is also broken.
"hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
# please report your OS and compiler version to the openssl-bugs@openssl.org
# mailing list.
"hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# If hpux-gcc fails, try this one:
"hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# HPUX 9.X on Motorola 68k platforms with gcc
"hpux-m68k-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL:::",
# HPUX 10.X config. Supports threads.
"hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux10-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
"hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux10-brokencc", "cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux10-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# If hpux10-gcc fails, try this one:
"hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
"hpux10-brokengcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# HPUX 11.X from www.globus.org.
# Only works on PA-RISC 2.0 cpus, and not optimized. Why?
@ -267,12 +270,39 @@ my %table=(
#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with
# the new compiler
# Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion
# from the older DEC C Compiler to the newer compiler. It's now the
# same as the preferred entry, alpha-cc. If you are still using the
# older compiler (you're at 3.x or earlier, or perhaps very early 4.x)
# you should use `alphaold-cc'.
#
# "What's in a name? That which we call a rose
# By any other word would smell as sweet."
#
# - William Shakespeare, "Romeo & Juliet", Act II, scene II.
#
# For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the
# vendor compiler, use alphaold-cc.
# For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc.
# For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc.
#
# There's also an alternate target available (which `config' will never
# select) called alpha-cc-rpath. This target builds an RPATH into the
# shared libraries, which is very convenient on Tru64 since binaries
# linked against that shared library will automatically inherit that RPATH,
# and hence know where to look for the openssl libraries, even if they're in
# an odd place.
#
# For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so",
"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
#
"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath::.so",
#
# This probably belongs in a different section.
#
"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Alpha Linux with GNU C and Compaq C setups
@ -302,15 +332,16 @@ my %table=(
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
"linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
"linux-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
"linux-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
"bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -322,6 +353,9 @@ my %table=(
# QNX 4
"qnx4", "cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:",
# QNX 6
"qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
# Linux on ARM
"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -338,6 +372,15 @@ my %table=(
"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# OpenUNIX 8
"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
"OpenUNIX-8-shared","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic",
"OpenUNIX-8-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC",
# IBM's AIX.
"aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
@ -391,6 +434,12 @@ my %table=(
# SIEMENS BS2000/OSD: an EBCDIC-based mainframe
"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
# OS/390 Unix an EBCDIC-based Unix system on IBM mainframe
# You need to compile using the c89.sh wrapper in the tools directory, because the
# IBM compiler does not like the -L switch after any object modules.
#
"OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H -D_ALL_SOURCE::(unknown)::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
# Windows NT, Microsoft Visual C++ 4.0
"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
@ -424,8 +473,9 @@ my %table=(
"OpenBSD", "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
##### MacOS X (a.k.a. Rhapsody) setup
##### MacOS X (a.k.a. Rhapsody or Darwin) setup
"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
##### Sony NEWS-OS 4.x
"newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
@ -861,7 +911,16 @@ while (<IN>)
s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.so.\$(SHLIB_MAJOR) .so/ if ($shared_extension ne "" && $shared_extension !~ /^\.s[ol]$/);
if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
{
my $sotmp = $1;
s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
}
print OUT $_."\n";
}
close(IN);

131
crypto/openssl/FAQ
View File

@ -8,6 +8,7 @@ OpenSSL - Frequently Asked Questions
* How can I contact the OpenSSL developers?
* Where can I get a compiled version of OpenSSL?
* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
[LEGAL] Legal questions
@ -27,13 +28,14 @@ OpenSSL - Frequently Asked Questions
* How can I remove the passphrase on a private key?
* Why can't I use OpenSSL certificates with SSL client authentication?
* Why does my browser give a warning about a mismatched hostname?
* How do I install a CA certificate into a browser?
[BUILD] Questions about building and testing OpenSSL
* Why does the linker complain about undefined symbols?
* Why does the OpenSSL test fail with "bc: command not found"?
* Why does the OpenSSL test fail with "bc: 1 no implemented"?
* Why does the OpenSSL compilation fail on Alpha True64 Unix?
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
* Why does the OpenSSL compilation fail with "ar: command not found"?
* Why does the OpenSSL compilation fail on Win32 with VC++?
@ -57,7 +59,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
OpenSSL 0.9.6b was released on July 9th, 2001.
OpenSSL 0.9.6b was released on December 21st, 2001.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@ -121,6 +123,12 @@ A number of Linux and *BSD distributions include OpenSSL.
autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.
* What is an 'engine' version?
With version 0.9.6 OpenSSL was extended to interface to external crypto
hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 (not yet released) the changes were merged into the main
development line, so that the special release is no longer necessary.
[LEGAL] =======================================================================
@ -146,7 +154,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitely that
useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder
@ -186,7 +194,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd.
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all. OpenSSL 0.9.6b and later will behave
similarly to 0.9.6a, but will use a default of "C:" for HOME on
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set.
If the default seeding file does not exist or is too short, the "PRNG
@ -297,7 +305,7 @@ there is little point presenting a certificate which the server will
reject.
The solution is to add the relevant CA certificate to your servers "trusted
CA list". How you do this depends on the server sofware in uses. You can
CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit
@ -316,6 +324,26 @@ Browsers expect the server's hostname to match the value in the commonName
(CN) field of the certificate. If it does not then you get a warning.
* How do I install a CA certificate into a browser?
The usual way is to send the DER encoded certificate to the browser as
MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
link. On MSIE certain extensions such as .der or .cacert may also work, or you
can import the certificate using the certificate import wizard.
You can convert a certificate to DER form using the command:
openssl x509 -in ca.pem -outform DER -out ca.der
Occasionally someone suggests using a command such as:
openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
DO NOT DO THIS! This command will give away your CAs private key and
reduces its security to zero: allowing anyone to forge certificates in
whatever name they choose.
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
@ -359,9 +387,9 @@ and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
for download instructions) can be safely used, for example.
* Why does the OpenSSL compilation fail on Alpha True64 Unix?
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
On some Alpha installations running True64 Unix and Compaq C, the compilation
On some Alpha installations running Tru64 Unix and Compaq C, the compilation
of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual
memory to continue compilation.' As far as the tests have shown, this may be
a compiler bug. What happens is that it eats up a lot of resident memory
@ -439,10 +467,43 @@ OpenSSL. This is described in the threads(3) manpage.
* I've compiled a program under Windows and it crashes: why?
This is usually because you've missed the comment in INSTALL.W32. You
must link with the multithreaded DLL version of the VC++ runtime library
otherwise the conflict will cause a program to crash: typically on the
first BIO related read or write operation.
This is usually because you've missed the comment in INSTALL.W32.
Your application must link against the same version of the Win32
C-Runtime against which your openssl libraries were linked. The
default version for OpenSSL is /MD - "Multithreaded DLL".
If you are using Microsoft Visual C++'s IDE (Visual Studio), in
many cases, your new project most likely defaulted to "Debug
Singlethreaded" - /ML. This is NOT interchangeable with /MD and your
program will crash, typically on the first BIO related read or write
operation.
For each of the six possible link stage configurations within Win32,
your application must link against the same by which OpenSSL was
built. If you are using MS Visual C++ (Studio) this can be changed
by:
1. Select Settings... from the Project Menu.
2. Select the C/C++ Tab.
3. Select "Code Generation from the "Category" drop down list box
4. Select the Appropriate library (see table below) from the "Use
run-time library" drop down list box. Perform this step for both
your debug and release versions of your application (look at the
top left of the settings panel to change between the two)
Single Threaded /ML - MS VC++ often defaults to
this for the release
version of a new project.
Debug Single Threaded /MLd - MS VC++ often defaults to
this for the debug version
of a new project.
Multithreaded /MT
Debug Multithreaded /MTd
Multithreaded DLL /MD - OpenSSL defaults to this.
Debug Multithreaded DLL /MDd
Note that debug and release libraries are NOT interchangeable. If you
built OpenSSL with /MD your application must use /MD and cannot use /MDd.
* How do I read or write a DER encoded buffer using the ASN1 functions?
@ -523,44 +584,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information.
* Why can't the OpenSSH configure script detect OpenSSL?
There is a problem with OpenSSH 1.2.2p1, in that the configure script
can't find the installed OpenSSL libraries. The problem is actually
a small glitch that is easily solved with the following patch to be
applied to the OpenSSH distribution:
----- snip:start -----
--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
@@ -152,10 +152,10 @@
AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
@@ -1890,10 +1890,10 @@
echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
----- snip:end -----
Several reasons for problems with the automatic detection exist.
OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
Sometimes the distribution has installed an older version in the system
locations that is detected instead of a new one installed. The OpenSSL
library might have been compiled for another CPU or another mode (32/64 bits).
Permissions might be wrong.
The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.
* Can I use OpenSSL's SSL library with non-blocking I/O?
@ -579,7 +612,7 @@ SSL_write() will try to continue any pending handshake.
* Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate,
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates.

183
crypto/openssl/Makefile.org
View File

@ -256,28 +256,169 @@ do_linux-shared: do_gnu-shared
do_gnu-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,--whole-archive lib$$i.a \
-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done
DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
collect2=`gcc -print-prog-name=collect2 2>&1` && \
[ -n "$$collect2" ] && \
my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
[ -n "$$my_ld" ] && \
$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
# This assumes that GNU utilities are *not* used
do_alpha-osf1-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
# option passed to the linker.
do_tru64-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -no_archive -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -msym -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
# The difference between tru64-shared and tru64-shared-rpath is the
# -rpath ${INSTALLTOP}/lib passed to the linker.
do_tru64-shared-rpath:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -msym -o lib$$i.so \
-rpath ${INSTALLTOP}/lib \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_solaris-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# UnixWare 7 and OpenUNIX 8 native compilers used
do_svr5-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
OBJS="$${OBJS} `grep $$obj allobjs`" ; \
done ; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_irix-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_hpux-shared:
libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; /usr/ccs/bin/ld +vnocompatwarnings \
-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -L. -l$$i"; \
done
# This assumes that GNU utilities are *not* used
do_hpux64-shared:
libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; /usr/ccs/bin/ld -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -L. -l$$i"; \
done
# The following method is said to work on all platforms. Tests will
# determine if that's how it's gong to be used.
# This assumes that for all but GNU systems, GNU utilities are *not* used.
# ALLSYMSFLAGS would be:
# GNU systems: --whole-archive
# Tru64 Unix: -all
# Solaris: -z allextract
# Irix: -all
# HP/UX-32bit: -Fl
# HP/UX-64bit: +forceload
# AIX: -bnogc
# SHAREDFLAGS would be:
# GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# Tru64 Unix: -shared \
# -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}"
# Solaris: -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# Irix: -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# HP/UX-32bit: +vnocompatwarnings -b -z +s \
# +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
# HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
# AIX: -G -bE:lib$$i.exp -bM:SRE
# SHAREDCMD would be:
# GNU systems: $(CC)
# Tru64 Unix: $(CC)
# Solaris: $(CC)
# Irix: $(CC)
# HP/UX-32bit: /usr/ccs/bin/ld
# HP/UX-64bit: /usr/ccs/bin/ld
# AIX: $(CC)
ALLSYMSFLAG=-bnogc
SHAREDFLAGS=-G -bE:lib$$i.exp -bM:SRE
SHAREDCMD=$(CC)
do_aix-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
( set -x; \
ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \
( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
$(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \
$$libs ${EX_LIBS} ) ) \
|| exit 1; \
libs="$$libs -l$$i"; \
done
@ -350,7 +491,7 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests );
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests );
@apps/openssl version -a
report:
@ -384,25 +525,25 @@ tags:
done;
errors:
perl util/mkerr.pl -recurse -write
$(PERL) util/mkerr.pl -recurse -write
stacks:
perl util/mkstack.pl -write
$(PERL) util/mkstack.pl -write
util/libeay.num::
perl util/mkdef.pl crypto update
$(PERL) util/mkdef.pl crypto update
util/ssleay.num::
perl util/mkdef.pl ssl update
$(PERL) util/mkdef.pl ssl update
crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
perl crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt
perl crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
TABLE: Configure
(echo 'Output of `Configure TABLE'"':"; \
perl Configure TABLE) > TABLE
$(PERL) Configure TABLE) > TABLE
update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
@ -459,8 +600,8 @@ install: all install_docs
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi \
done; \
( here="`pwd`"; \

185
crypto/openssl/Makefile.ssl
View File

@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
VERSION=0.9.6b
VERSION=0.9.6c
MAJOR=0
MINOR=9.6
SHLIB_VERSION_NUMBER=0.9.6
@ -258,28 +258,169 @@ do_linux-shared: do_gnu-shared
do_gnu-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,--whole-archive lib$$i.a \
-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done
DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
collect2=`gcc -print-prog-name=collect2 2>&1` && \
[ -n "$$collect2" ] && \
my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
[ -n "$$my_ld" ] && \
$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
# This assumes that GNU utilities are *not* used
do_alpha-osf1-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
# option passed to the linker.
do_tru64-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -no_archive -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -msym -o lib$$i.so \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
# The difference between tru64-shared and tru64-shared-rpath is the
# -rpath ${INSTALLTOP}/lib passed to the linker.
do_tru64-shared-rpath:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -msym -o lib$$i.so \
-rpath ${INSTALLTOP}/lib \
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_solaris-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# UnixWare 7 and OpenUNIX 8 native compilers used
do_svr5-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
find . -name "*.o" -print > allobjs ; \
OBJS= ; export OBJS ; \
for obj in `ar t lib$$i.a` ; do \
OBJS="$${OBJS} `grep $$obj allobjs`" ; \
done ; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_irix-shared:
if ${DETECT_GNU_LD}; then \
$(MAKE) do_gnu-shared; \
else \
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
libs="$$libs -l$$i"; \
done; \
fi
# This assumes that GNU utilities are *not* used
do_hpux-shared:
libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; /usr/ccs/bin/ld +vnocompatwarnings \
-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -L. -l$$i"; \
done
# This assumes that GNU utilities are *not* used
do_hpux64-shared:
libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( set -x; /usr/ccs/bin/ld -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
libs="$$libs -L. -l$$i"; \
done
# The following method is said to work on all platforms. Tests will
# determine if that's how it's gong to be used.
# This assumes that for all but GNU systems, GNU utilities are *not* used.
# ALLSYMSFLAGS would be:
# GNU systems: --whole-archive
# Tru64 Unix: -all
# Solaris: -z allextract
# Irix: -all
# HP/UX-32bit: -Fl
# HP/UX-64bit: +forceload
# AIX: -bnogc
# SHAREDFLAGS would be:
# GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# Tru64 Unix: -shared \
# -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}"
# Solaris: -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# Irix: -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
# HP/UX-32bit: +vnocompatwarnings -b -z +s \
# +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
# HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
# AIX: -G -bE:lib$$i.exp -bM:SRE
# SHAREDCMD would be:
# GNU systems: $(CC)
# Tru64 Unix: $(CC)
# Solaris: $(CC)
# Irix: $(CC)
# HP/UX-32bit: /usr/ccs/bin/ld
# HP/UX-64bit: /usr/ccs/bin/ld
# AIX: $(CC)
ALLSYMSFLAG=-bnogc
SHAREDFLAGS=-G -bE:lib$$i.exp -bM:SRE
SHAREDCMD=$(CC)
do_aix-shared:
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
( set -x; \
ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \
( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
$(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \
$$libs ${EX_LIBS} ) ) \
|| exit 1; \
libs="$$libs -l$$i"; \
done
@ -352,7 +493,7 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' EXE_EXT='${EXE_EXT}' tests );
$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests );
@apps/openssl version -a
report:
@ -386,25 +527,25 @@ tags:
done;
errors:
perl util/mkerr.pl -recurse -write
$(PERL) util/mkerr.pl -recurse -write
stacks:
perl util/mkstack.pl -write
$(PERL) util/mkstack.pl -write
util/libeay.num::
perl util/mkdef.pl crypto update
$(PERL) util/mkdef.pl crypto update
util/ssleay.num::
perl util/mkdef.pl ssl update
$(PERL) util/mkdef.pl ssl update
crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
perl crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt
perl crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
TABLE: Configure
(echo 'Output of `Configure TABLE'"':"; \
perl Configure TABLE) > TABLE
$(PERL) Configure TABLE) > TABLE
update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
@ -461,8 +602,8 @@ install: all install_docs
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
fi \
done; \
( here="`pwd`"; \

13
crypto/openssl/NEWS
View File

@ -5,6 +5,19 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
o Various SSL/TLS library bugfixes.
o BIGNUM library fixes.
o RSA OAEP and random number generation fixes.
o Object identifiers corrected and added.
o Add assembler BN routines for IA64.
o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
MIPS Linux; shared library support for Irix, HP-UX.
o Add crypto accelerator support for AEP, Baltimore SureWare,
Broadcom and Cryptographic Appliance's keyserver
[in 0.9.6c-engine release].
Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
o Security fix: PRNG improvements.

14
crypto/openssl/README
View File

@ -1,5 +1,5 @@
OpenSSL 0.9.6b 9 Jul 2001
OpenSSL 0.9.6c 21 dec 2001
Copyright (c) 1998-2001 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@ -62,7 +62,7 @@
X.509v3 certificates
X509 encoding/decoding into/from binary ASN1 and a PEM
based ascii-binary encoding which supports encryption with a
based ASCII-binary encoding which supports encryption with a
private key. Program to generate RSA and DSA certificate
requests and to generate RSA and DSA certificates.
@ -97,7 +97,7 @@
locations around the world. _YOU_ are responsible for ensuring that your use
of any algorithms is legal by checking if there are any patents in your
country. The file contains some of the patents that we know about or are
rumoured to exist. This is not a definitive list.
rumored to exist. This is not a definitive list.
RSA Security holds software patents on the RC5 algorithm. If you
intend to use this cipher, you must contact RSA Security for
@ -107,8 +107,8 @@
only be used with RSA Security's permission.
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
be contacted if that algorithm is to be used, their web page is
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
should be contacted if that algorithm is to be used; their web page is
http://www.ascom.ch/.
INSTALLATION
@ -119,8 +119,8 @@
INSTALL.VMS.
Read the documentation in the doc/ directory. It is quite rough, but it
lists the functions, you will probably have to look at the code to work out
how to used them. Look at the example programs.
lists the functions; you will probably have to look at the code to work out
how to use them. Look at the example programs.
SUPPORT
-------

6
crypto/openssl/README.ENGINE
View File

@ -5,7 +5,7 @@
With OpenSSL 0.9.6, a new component has been added to support external
crypto devices, for example accelerator cards. The component is called
ENGINE, and has still a pretty experimental status and almost no
documentation. It's designed to be faily easily extensible by the
documentation. It's designed to be fairly easily extensible by the
calling programs.
There's currently built-in support for the following crypto devices:
@ -48,7 +48,7 @@
No external crypto device is chosen unless you say so. You have actively
tell the openssl utility commands to use it through a new command line
switch called "-engine". And if you want to use the ENGINE library to
do something similar, you must also explicitely choose an external crypto
do something similar, you must also explicitly choose an external crypto
device, or the built-in crypto routines will be used, just as in the
default OpenSSL distribution.
@ -56,7 +56,7 @@
PROBLEMS
========
It seems like the ENGINE part doesn't work too well with Cryptoswift on
It seems like the ENGINE part doesn't work too well with CryptoSwift on
Win32. A quick test done right before the release showed that trying
"openssl speed -engine cswift" generated errors. If the DSO gets enabled,
an attempt is made to write at memory address 0x00000002.

3
crypto/openssl/apps/req.c
View File

@ -383,8 +383,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err," the random number generator\n");
BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2)\n");
BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
BIO_printf(bio_err," -config file request template file.\n");
BIO_printf(bio_err," -new new request.\n");
BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");

2
crypto/openssl/apps/s_client.c
View File

@ -896,5 +896,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
BIO_printf(bio,"---\n");
if (peer != NULL)
X509_free(peer);
/* flush, or debugging output gets mixed with http response */
BIO_flush(bio);
}

67
crypto/openssl/config
View File

@ -68,6 +68,11 @@ if [ "x$XREL" != "x" ]; then
4.2)
echo "whatever-whatever-unixware1"; exit 0
;;
OpenUNIX)
if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
fi
;;
5)
if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
echo "${MACHINE}-sco-unixware7"; exit 0
@ -195,15 +200,33 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "${MACHINE}-whatever-openbsd"; exit 0
;;
OpenUNIX:*)
echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
;;
OSF1:*:*:*alpha*)
echo "${MACHINE}-dec-osf"; exit 0
OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'`
case "$OSFMAJOR" in
4|5)
echo "${MACHINE}-dec-tru64"; exit 0
;;
1|2|3)
echo "${MACHINE}-dec-osf"; exit 0
;;
*)
echo "${MACHINE}-dec-osf"; exit 0
;;
esac
;;
QNX:*)
case "$VERSION" in
case "$RELEASE" in
4*)
echo "${MACHINE}-whatever-qnx4"
;;
6*)
echo "${MACHINE}-whatever-qnx6"
;;
*)
echo "${MACHINE}-whatever-qnx"
;;
@ -219,6 +242,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "ppc-apple-rhapsody"; exit 0
;;
Darwin:*)
echo "ppc-apple-darwin"; exit 0
;;
SunOS:5.*)
echo "${MACHINE}-whatever-solaris2"; exit 0
;;
@ -271,6 +298,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
echo "mips-sony-newsos4"; exit 0;
;;
CYGWIN*)
echo "${MACHINE}-whatever-cygwin32"; exit 0
;;
esac
#
@ -435,11 +466,27 @@ case "$GUESSOS" in
esac
fi
;;
mips-*-linux?) OUT="linux-mips" ;;
mips-*-linux?)
cat >dummy.c <<EOF
#include <stdio.h> /* for printf() prototype */
int main (argc, argv) int argc; char *argv[]; {
#ifdef __MIPSEB__
printf ("linux-%s\n", argv[1]);
#endif
#ifdef __MIPSEL__
printf ("linux-%sel\n", argv[1]);
#endif
return 0;
}
EOF
${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
rm dummy dummy.c
;;
ppc-*-linux2) OUT="linux-ppc" ;;
m68k-*-linux*) OUT="linux-m68k" ;;
ia64-*-linux?) OUT="linux-ia64" ;;
ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
ppc-apple-darwin) OUT="darwin-ppc-cc" ;;
sparc64-*-linux2)
#Before we can uncomment following lines we have to wait at least
#till 64-bit glibc for SPARC is operational:-(
@ -485,7 +532,15 @@ case "$GUESSOS" in
pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
*-*-openbsd) OUT="OpenBSD" ;;
*86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
*-*-osf) OUT="alpha-cc" ;;
*-*-osf) OUT="alphaold-cc" ;;
*-*-tru64) OUT="alpha-cc" ;;
*-*-OpenUNIX*)
if [ "$CC" = "gcc" ]; then
OUT="OpenUNIX-8-gcc"
else
OUT="OpenUNIX-8"
fi
;;
*-*-unixware7) OUT="unixware-7" ;;
*-*-UnixWare7) OUT="unixware-7" ;;
*-*-Unixware7) OUT="unixware-7" ;;
@ -505,6 +560,8 @@ case "$GUESSOS" in
# *-aix) OUT="aix-$CC" ;;
# *-dgux) OUT="dgux" ;;
mips-sony-newsos4) OUT="newsos4-gcc" ;;
*-*-cygwin32) OUT="CygWin32"
options="$options no-threads no-asm" ;;
*) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
esac
@ -533,7 +590,7 @@ case "$GUESSOS" in
i386-*) options="$options 386" ;;
esac
for i in bf cast des dh dsa hmac md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
for i in bf cast des dh dsa hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
do
if [ ! -d crypto/$i ]
then

4
crypto/openssl/crypto/asn1/a_strnid.c
View File

@ -105,9 +105,9 @@ int ASN1_STRING_set_default_mask_asc(char *p)
mask = strtoul(p + 5, &end, 0);
if(*end) return 0;
} else if(!strcmp(p, "nombstr"))
mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
mask = ~((unsigned long)(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING));
else if(!strcmp(p, "pkix"))
mask = ~B_ASN1_T61STRING;
mask = ~((unsigned long)B_ASN1_T61STRING);
else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
else if(!strcmp(p, "default"))
mask = 0xFFFFFFFFL;

4
crypto/openssl/crypto/asn1/asn1.h
View File

@ -834,8 +834,6 @@ void ASN1_HEADER_free(ASN1_HEADER *a);
int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s);
void ERR_load_ASN1_strings(void);
/* Not used that much at this point, except for the first two */
ASN1_METHOD *X509_asn1_meth(void);
ASN1_METHOD *RSAPrivateKey_asn1_meth(void);
@ -877,6 +875,7 @@ void ASN1_STRING_TABLE_cleanup(void);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_ASN1_strings(void);
/* Error codes for the ASN1 functions. */
@ -1148,4 +1147,3 @@ void ASN1_STRING_TABLE_cleanup(void);
}
#endif
#endif

4
crypto/openssl/crypto/bio/b_print.c
View File

@ -569,7 +569,7 @@ pow10(int exp)
}
static long
round(LDOUBLE value)
roundv(LDOUBLE value)
{
long intpart;
intpart = (long) value;
@ -621,7 +621,7 @@ fmtfp(
/* we "cheat" by converting the fractional part to integer by
multiplying by a factor of 10 */
fracpart = round((pow10(max)) * (ufvalue - intpart));
fracpart = roundv((pow10(max)) * (ufvalue - intpart));
if (fracpart >= pow10(max)) {
intpart++;

40
crypto/openssl/crypto/bio/b_sock.c
View File

@ -95,8 +95,10 @@ static struct ghbn_cache_st
} ghbn_cache[GHBN_NUM];
static int get_ip(const char *str,unsigned char *ip);
#if 0
static void ghbn_free(struct hostent *a);
static struct hostent *ghbn_dup(struct hostent *a);
#endif
int BIO_get_host_ip(const char *str, unsigned char *ip)
{
int i;
@ -266,6 +268,7 @@ long BIO_ghbn_ctrl(int cmd, int iarg, char *parg)
return(1);
}
#if 0
static struct hostent *ghbn_dup(struct hostent *a)
{
struct hostent *ret;
@ -342,21 +345,27 @@ static void ghbn_free(struct hostent *a)
if (a->h_name != NULL) OPENSSL_free(a->h_name);
OPENSSL_free(a);
}
#endif
struct hostent *BIO_gethostbyname(const char *name)
{
#if 1
/* Caching gethostbyname() results forever is wrong,
* so we have to let the true gethostbyname() worry about this */
return gethostbyname(name);
#else
struct hostent *ret;
int i,lowi=0,j;
unsigned long low= (unsigned long)-1;
/* return(gethostbyname(name)); */
#if 0 /* It doesn't make sense to use locking here: The function interface
* is not thread-safe, because threads can never be sure when
* some other thread destroys the data they were given a pointer to.
*/
# if 0
/* It doesn't make sense to use locking here: The function interface
* is not thread-safe, because threads can never be sure when
* some other thread destroys the data they were given a pointer to.
*/
CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
#endif
# endif
j=strlen(name);
if (j < 128)
{
@ -384,20 +393,21 @@ struct hostent *BIO_gethostbyname(const char *name)
* parameter is 'char *', instead of 'const char *'
*/
ret=gethostbyname(
#ifndef CONST_STRICT
# ifndef CONST_STRICT
(char *)
#endif
# endif
name);
if (ret == NULL)
goto end;
if (j > 128) /* too big to cache */
{
#if 0 /* If we were trying to make this function thread-safe (which
* is bound to fail), we'd have to give up in this case
* (or allocate more memory). */
# if 0
/* If we were trying to make this function thread-safe (which
* is bound to fail), we'd have to give up in this case
* (or allocate more memory). */
ret = NULL;
#endif
# endif
goto end;
}
@ -421,12 +431,14 @@ struct hostent *BIO_gethostbyname(const char *name)
ghbn_cache[i].order=BIO_ghbn_miss+BIO_ghbn_hits;
}
end:
#if 0
# if 0
CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
#endif
# endif
return(ret);
#endif
}
int BIO_sock_init(void)
{
#ifdef WINDOWS

6
crypto/openssl/crypto/bio/bio.h
View File

@ -431,7 +431,7 @@ int BIO_read_filename(BIO *b,const char *name);
#define BIO_set_ssl_renegotiate_bytes(b,num) \
BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
#define BIO_get_num_renegotiates(b) \
BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
#define BIO_set_ssl_renegotiate_timeout(b,seconds) \
BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
@ -588,8 +588,6 @@ int BIO_sock_init(void );
void BIO_sock_cleanup(void);
int BIO_set_tcp_ndelay(int sock,int turn_on);
void ERR_load_BIO_strings(void );
BIO *BIO_new_socket(int sock, int close_flag);
BIO *BIO_new_fd(int fd, int close_flag);
BIO *BIO_new_connect(char *host_port);
@ -615,6 +613,7 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_BIO_strings(void);
/* Error codes for the BIO functions. */
@ -684,4 +683,3 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args);
}
#endif
#endif

3
crypto/openssl/crypto/bio/bss_bio.c
View File

@ -474,7 +474,8 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
break;
case BIO_C_GET_WRITE_BUF_SIZE:
num = (long) b->size;
ret = (long) b->size;
break;
case BIO_C_MAKE_BIO_PAIR:
{

2
crypto/openssl/crypto/bn/Makefile.ssl
View File

@ -124,6 +124,8 @@ asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
asm/ia64.o: asm/ia64.S
files:
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO

1498
crypto/openssl/crypto/bn/asm/ia64.S Normal file
View File

File diff suppressed because it is too large Load Diff

8
crypto/openssl/crypto/bn/bn.h
View File

@ -90,7 +90,9 @@ extern "C" {
* be on. Again this in only really a problem on machines
* using "long long's", are 32bit, and are not using my assembler code. */
#if defined(MSDOS) || defined(WINDOWS) || defined(WIN32) || defined(linux)
#define BN_DIV2W
# ifndef BN_DIV2W
# define BN_DIV2W
# endif
#endif
/* assuming long is 64bit - this is the DEC Alpha
@ -329,6 +331,7 @@ void BN_CTX_end(BN_CTX *ctx);
int BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
int BN_num_bits(const BIGNUM *a);
int BN_num_bits_word(BN_ULONG);
BIGNUM *BN_new(void);
@ -403,7 +406,6 @@ int BN_is_prime(const BIGNUM *p,int nchecks,
int BN_is_prime_fasttest(const BIGNUM *p,int nchecks,
void (*callback)(int,int,void *),BN_CTX *ctx,void *cb_arg,
int do_trial_division);
void ERR_load_BN_strings(void );
BN_MONT_CTX *BN_MONT_CTX_new(void );
void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
@ -474,6 +476,7 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_BN_strings(void);
/* Error codes for the BN functions. */
@ -517,4 +520,3 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top,int bottom);
}
#endif
#endif

2
crypto/openssl/crypto/bn/bn_div.c
View File

@ -128,7 +128,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
# if defined(__GNUC__) && __GNUC__>=2
# if defined(__i386)
# if defined(__i386) || defined (__i386__)
/*
* There were two reasons for implementing this template:
* - GNU C generates a call to a function (__udivdi3 to be exact)

10
crypto/openssl/crypto/bn/bn_prime.c
View File

@ -225,12 +225,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
BN_MONT_CTX *mont = NULL;
const BIGNUM *A = NULL;
if (BN_cmp(a, BN_value_one()) <= 0)
return 0;
if (checks == BN_prime_checks)
checks = BN_prime_checks_for_size(BN_num_bits(a));
/* first look for small factors */
if (!BN_is_odd(a))
return(0);
return 0;
if (do_trial_division)
{
for (i = 1; i < NUMPRIMES; i++)
@ -289,11 +292,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
for (i = 0; i < checks; i++)
{
if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
if (!BN_pseudo_rand_range(check, A1))
goto err;
if (BN_cmp(check, A1) >= 0)
if (!BN_sub(check, check, A1))
goto err;
if (!BN_add_word(check, 1))
goto err;
/* now 1 <= check < A */

93
crypto/openssl/crypto/bn/bn_rand.c
View File

@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <time.h>
@ -172,8 +225,9 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
#endif
/* random number r: 0 <= r < range */
int BN_rand_range(BIGNUM *r, BIGNUM *range)
static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
{
int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
int n;
if (range->neg || BN_is_zero(range))
@ -184,26 +238,19 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
n = BN_num_bits(range); /* n > 0 */
/* BN_is_bit_set(range, n - 1) always holds */
if (n == 1)
{
if (!BN_zero(r)) return 0;
}
else if (BN_is_bit_set(range, n - 2))
else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3))
{
do
{
/* range = 11..._2, so each iteration succeeds with probability >= .75 */
if (!BN_rand(r, n, -1, 0)) return 0;
}
while (BN_cmp(r, range) >= 0);
}
else
{
/* range = 10..._2,
/* range = 100..._2,
* so 3*range (= 11..._2) is exactly one bit longer than range */
do
{
if (!BN_rand(r, n + 1, -1, 0)) return 0;
if (!bn_rand(r, n + 1, -1, 0)) return 0;
/* If r < 3*range, use r := r MOD range
* (which is either r, r - range, or r - 2*range).
* Otherwise, iterate once more.
@ -218,6 +265,26 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
}
while (BN_cmp(r, range) >= 0);
}
else
{
do
{
/* range = 11..._2 or range = 101..._2 */
if (!bn_rand(r, n, -1, 0)) return 0;
}
while (BN_cmp(r, range) >= 0);
}
return 1;
}
int BN_rand_range(BIGNUM *r, BIGNUM *range)
{
return bn_rand_range(0, r, range);
}
int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range)
{
return bn_rand_range(1, r, range);
}

2
crypto/openssl/crypto/bn/bn_sqr.c
View File

@ -245,7 +245,7 @@ printf(" bn_sqr_recursive %d * %d\n",n2,n2);
if (!zero)
bn_sqr_recursive(&(t[n2]),t,n,p);
else
memset(&(t[n2]),0,n*sizeof(BN_ULONG));
memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
bn_sqr_recursive(r,a,n,p);
bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);

4
crypto/openssl/crypto/buffer/buffer.h
View File

@ -75,12 +75,11 @@ void BUF_MEM_free(BUF_MEM *a);
int BUF_MEM_grow(BUF_MEM *str, int len);
char * BUF_strdup(const char *str);
void ERR_load_BUF_strings(void );
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_BUF_strings(void);
/* Error codes for the BUF functions. */
@ -95,4 +94,3 @@ void ERR_load_BUF_strings(void );
}
#endif
#endif

9
crypto/openssl/crypto/comp/Makefile.ssl
View File

@ -22,10 +22,10 @@ TEST=
APPS=
LIB=$(TOP)/libcrypto.a
LIBSRC= comp_lib.c \
LIBSRC= comp_lib.c comp_err.c \
c_rle.c c_zlib.c
LIBOBJ= comp_lib.o \
LIBOBJ= comp_lib.o comp_err.o \
c_rle.o c_zlib.o
SRC= $(LIBSRC)
@ -94,6 +94,11 @@ c_zlib.o: ../../include/openssl/crypto.h ../../include/openssl/obj_mac.h
c_zlib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
c_zlib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
c_zlib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
comp_err.o: ../../include/openssl/bio.h ../../include/openssl/comp.h
comp_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
comp_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
comp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
comp_err.o: ../../include/openssl/symhacks.h
comp_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
comp_lib.o: ../../include/openssl/bn.h ../../include/openssl/comp.h
comp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/obj_mac.h

2
crypto/openssl/crypto/comp/comp.h
View File

@ -47,6 +47,7 @@ COMP_METHOD *COMP_zlib(void );
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_COMP_strings(void);
/* Error codes for the COMP functions. */
@ -58,4 +59,3 @@ COMP_METHOD *COMP_zlib(void );
}
#endif
#endif

3
crypto/openssl/crypto/conf/conf.h
View File

@ -108,7 +108,6 @@ long CONF_get_number(LHASH *conf,char *group,char *name);
void CONF_free(LHASH *conf);
int CONF_dump_fp(LHASH *conf, FILE *out);
int CONF_dump_bio(LHASH *conf, BIO *out);
void ERR_load_CONF_strings(void );
/* New conf code. The semantics are different from the functions above.
If that wasn't the case, the above functions would have been replaced */
@ -145,6 +144,7 @@ int NCONF_dump_bio(CONF *conf, BIO *out);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_CONF_strings(void);
/* Error codes for the CONF functions. */
@ -176,4 +176,3 @@ int NCONF_dump_bio(CONF *conf, BIO *out);
}
#endif
#endif

6
crypto/openssl/crypto/cryptlib.c
View File

@ -90,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
"ssl_sess_cert",
"ssl",
"rand",
"rand2",
"debug_malloc",
"BIO",
"gethostbyname",
@ -100,7 +101,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
"debug_malloc2",
"dso",
"dynlock",
#if CRYPTO_NUM_LOCKS != 28
#if CRYPTO_NUM_LOCKS != 29
# error "Inconsistency between crypto.h and cryptlib.c"
#endif
};
@ -227,7 +228,10 @@ void CRYPTO_destroy_dynlockid(int i)
CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks))
{
CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
return;
}
pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
if (pointer != NULL)
{

40
crypto/openssl/crypto/crypto.h
View File

@ -112,17 +112,18 @@ extern "C" {
#define CRYPTO_LOCK_SSL_SESS_CERT 15
#define CRYPTO_LOCK_SSL 16
#define CRYPTO_LOCK_RAND 17
#define CRYPTO_LOCK_MALLOC 18
#define CRYPTO_LOCK_BIO 19
#define CRYPTO_LOCK_GETHOSTBYNAME 20
#define CRYPTO_LOCK_GETSERVBYNAME 21
#define CRYPTO_LOCK_READDIR 22
#define CRYPTO_LOCK_RSA_BLINDING 23
#define CRYPTO_LOCK_DH 24
#define CRYPTO_LOCK_MALLOC2 25
#define CRYPTO_LOCK_DSO 26
#define CRYPTO_LOCK_DYNLOCK 27
#define CRYPTO_NUM_LOCKS 28
#define CRYPTO_LOCK_RAND2 18
#define CRYPTO_LOCK_MALLOC 19
#define CRYPTO_LOCK_BIO 20
#define CRYPTO_LOCK_GETHOSTBYNAME 21
#define CRYPTO_LOCK_GETSERVBYNAME 22
#define CRYPTO_LOCK_READDIR 23
#define CRYPTO_LOCK_RSA_BLINDING 24
#define CRYPTO_LOCK_DH 25
#define CRYPTO_LOCK_MALLOC2 26
#define CRYPTO_LOCK_DSO 27
#define CRYPTO_LOCK_DYNLOCK 28
#define CRYPTO_NUM_LOCKS 29
#define CRYPTO_LOCK 1
#define CRYPTO_UNLOCK 2
@ -350,6 +351,9 @@ int CRYPTO_push_info_(const char *info, const char *file, int line);
int CRYPTO_pop_info(void);
int CRYPTO_remove_all_info(void);
/* Default debugging functions (enabled by CRYPTO_malloc_debug_init() macro;
* used as default in CRYPTO_MDEBUG compilations): */
/* The last argument has the following significance:
*
* 0: called before the actual memory allocation has taken place
@ -358,18 +362,18 @@ int CRYPTO_remove_all_info(void);
void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
void CRYPTO_dbg_free(void *addr,int before_p);
/* Tell the debugging code about options. By default, the following values
* apply:
*
* 0: Clear all options.
* 1: Set the "Show Time" option.
* 2: Set the "Show Thread Number" option.
* 3: 1 + 2
* 0: Clear all options.
* V_CRYPTO_MDEBUG_TIME (1): Set the "Show Time" option.
* V_CRYPTO_MDEBUG_THREAD (2): Set the "Show Thread Number" option.
* V_CRYPTO_MDEBUG_ALL (3): 1 + 2
*/
void CRYPTO_dbg_set_options(long bits);
long CRYPTO_dbg_get_options(void);
#ifndef NO_FP_API
void CRYPTO_mem_leaks_fp(FILE *);
#endif
@ -377,12 +381,11 @@ void CRYPTO_mem_leaks(struct bio_st *bio);
/* unsigned long order, char *file, int line, int num_bytes, char *addr */
void CRYPTO_mem_leaks_cb(void (*cb)(unsigned long, const char *, int, int, void *));
void ERR_load_CRYPTO_strings(void);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_CRYPTO_strings(void);
/* Error codes for the CRYPTO functions. */
@ -399,4 +402,3 @@ void ERR_load_CRYPTO_strings(void);
}
#endif
#endif

3
crypto/openssl/crypto/dh/dh.h
View File

@ -177,12 +177,12 @@ int DHparams_print(BIO *bp, DH *x);
#else
int DHparams_print(char *bp, DH *x);
#endif
void ERR_load_DH_strings(void );
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_DH_strings(void);
/* Error codes for the DH functions. */
@ -201,4 +201,3 @@ void ERR_load_DH_strings(void );
}
#endif
#endif

14
crypto/openssl/crypto/dh/dh_key.c
View File

@ -99,6 +99,8 @@ DH_METHOD *DH_OpenSSL(void)
static int generate_key(DH *dh)
{
int ok=0;
int generate_new_key=0;
unsigned l;
BN_CTX ctx;
BN_MONT_CTX *mont;
BIGNUM *pub_key=NULL,*priv_key=NULL;
@ -109,9 +111,7 @@ static int generate_key(DH *dh)
{
priv_key=BN_new();
if (priv_key == NULL) goto err;
do
if (!BN_rand_range(priv_key, dh->p)) goto err;
while (BN_is_zero(priv_key));
generate_new_key=1;
}
else
priv_key=dh->priv_key;
@ -132,8 +132,12 @@ static int generate_key(DH *dh)
}
mont=(BN_MONT_CTX *)dh->method_mont_p;
if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont))
goto err;
if (generate_new_key)
{
l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
if (!BN_rand(priv_key, l, 0, 0)) goto err;
}
if (!dh->meth->bn_mod_exp(dh, pub_key,dh->g,priv_key,dh->p,&ctx,mont)) goto err;
dh->pub_key=pub_key;
dh->priv_key=priv_key;

2
crypto/openssl/crypto/dh/dh_lib.c
View File

@ -63,7 +63,7 @@
const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
static DH_METHOD *default_DH_method;
static DH_METHOD *default_DH_method = NULL;
static int dh_meth_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;

4
crypto/openssl/crypto/dsa/dsa.h
View File

@ -178,8 +178,6 @@ int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
int DSA_set_ex_data(DSA *d, int idx, void *arg);
void *DSA_get_ex_data(DSA *d, int idx);
void ERR_load_DSA_strings(void );
DSA * d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length);
DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length);
DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length);
@ -216,6 +214,7 @@ DH *DSA_dup_DH(DSA *r);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_DSA_strings(void);
/* Error codes for the DSA functions. */
@ -242,4 +241,3 @@ DH *DSA_dup_DH(DSA *r);
}
#endif
#endif

2
crypto/openssl/crypto/dsa/dsa_lib.c
View File

@ -66,7 +66,7 @@
const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
static DSA_METHOD *default_DSA_method;
static DSA_METHOD *default_DSA_method = NULL;
static int dsa_meth_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;

4
crypto/openssl/crypto/dso/dso.h
View File

@ -194,12 +194,11 @@ DSO_METHOD *DSO_METHOD_win32(void);
/* If VMS is defined, use shared images. If not, return NULL. */
DSO_METHOD *DSO_METHOD_vms(void);
void ERR_load_DSO_strings(void);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_DSO_strings(void);
/* Error codes for the DSO functions. */
@ -247,4 +246,3 @@ void ERR_load_DSO_strings(void);
}
#endif
#endif

3
crypto/openssl/crypto/err/err.c
View File

@ -784,7 +784,7 @@ void ERR_add_error_data(int num, ...)
if (p == NULL)
{
OPENSSL_free(str);
return;
goto err;
}
else
str=p;
@ -794,6 +794,7 @@ void ERR_add_error_data(int num, ...)
}
ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
err:
va_end(args);
}

3
crypto/openssl/crypto/err/err.h
View File

@ -132,6 +132,7 @@ typedef struct err_state_st
#define ERR_LIB_PKCS12 35
#define ERR_LIB_RAND 36
#define ERR_LIB_DSO 37
#define ERR_LIB_COMP 41
#define ERR_LIB_USER 128
@ -161,6 +162,7 @@ typedef struct err_state_st
#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),ERR_file_name,__LINE__)
#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),ERR_file_name,__LINE__)
#define DSOerr(f,r) ERR_PUT_error(ERR_LIB_DSO,(f),(r),ERR_file_name,__LINE__)
#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),ERR_file_name,__LINE__)
/* Borland C seems too stupid to be able to shift and do longs in
* the pre-processor :-( */
@ -210,6 +212,7 @@ typedef struct err_state_st
#define ERR_R_PKCS7_LIB ERR_LIB_PKCS7
#define ERR_R_PKCS12_LIB ERR_LIB_PKCS12
#define ERR_R_DSO_LIB ERR_LIB_DSO
#define ERR_R_COMP_LIB ERR_LIB_COMP
/* fatal error */
#define ERR_R_MALLOC_FAILURE (1|ERR_R_FATAL)

5
crypto/openssl/crypto/evp/bio_b64.c
View File

@ -465,7 +465,8 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
break;
case BIO_CTRL_WPENDING: /* More to write in buffer */
ret=ctx->buf_len-ctx->buf_off;
if ((ret == 0) && (ctx->base64.num != 0))
if ((ret == 0) && (ctx->encode != B64_NONE)
&& (ctx->base64.num != 0))
ret=1;
else if (ret <= 0)
ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@ -500,7 +501,7 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
goto again;
}
}
else if (ctx->base64.num != 0)
else if (ctx->encode != B64_NONE && ctx->base64.num != 0)
{
ctx->buf_off=0;
EVP_EncodeFinal(&(ctx->base64),

4
crypto/openssl/crypto/evp/evp.h
View File

@ -603,8 +603,6 @@ int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned
char *out, int *outl);
int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n);
void ERR_load_EVP_strings(void );
void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
@ -777,6 +775,7 @@ void EVP_PBE_cleanup(void);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_EVP_strings(void);
/* Error codes for the EVP functions. */
@ -849,4 +848,3 @@ void EVP_PBE_cleanup(void);
}
#endif
#endif

2
crypto/openssl/crypto/evp/m_md4.c
View File

@ -66,7 +66,7 @@
static EVP_MD md4_md=
{
NID_md4,
0,
NID_md4WithRSAEncryption,
MD4_DIGEST_LENGTH,
MD4_Init,
MD4_Update,

4
crypto/openssl/crypto/md32_common.h
View File

@ -198,7 +198,7 @@
*
* <appro@fy.chalmers.se>
*/
# if defined(__i386)
# if defined(__i386) || defined(__i386__)
# define ROTATE(a,n) ({ register unsigned int ret; \
asm ( \
"roll %1,%0" \
@ -224,7 +224,7 @@
*/
# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
/* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
# if defined(__i386) && !defined(I386_ONLY)
# if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
# define BE_FETCH32(a) ({ register unsigned int l=(a);\
asm ( \
"bswapl %0" \

2
crypto/openssl/crypto/md4/md4_locl.h
View File

@ -68,7 +68,7 @@
void md4_block_host_order (MD4_CTX *c, const void *p,int num);
void md4_block_data_order (MD4_CTX *c, const void *p,int num);
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
/*
* *_block_host_order is expected to handle aligned data while
* *_block_data_order - unaligned. As algorithm and host (x86)

4
crypto/openssl/crypto/md5/md5_locl.h
View File

@ -66,7 +66,7 @@
#endif
#ifdef MD5_ASM
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
# define md5_block_host_order md5_block_asm_host_order
# elif defined(__sparc) && defined(ULTRASPARC)
void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
@ -77,7 +77,7 @@
void md5_block_host_order (MD5_CTX *c, const void *p,int num);
void md5_block_data_order (MD5_CTX *c, const void *p,int num);
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
/*
* *_block_host_order is expected to handle aligned data while
* *_block_data_order - unaligned. As algorithm and host (x86)

7
crypto/openssl/crypto/objects/Makefile.ssl
View File

@ -43,6 +43,13 @@ lib: $(LIBOBJ)
- $(RANLIB) $(LIB)
@touch lib
obj_dat.h: obj_dat.pl obj_mac.h
perl obj_dat.pl obj_mac.h obj_dat.h
# objects.pl both reads and writes obj_mac.num
obj_mac.h: objects.pl objects.txt obj_mac.num
perl objects.pl objects.txt obj_mac.num obj_mac.h
files:
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO

272
crypto/openssl/crypto/objects/obj_dat.h
View File

@ -1,4 +1,10 @@
/* lib/obj/obj_dat.h */
/* crypto/objects/obj_dat.h */
/* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the
* following command:
* perl obj_dat.pl objects.h obj_dat.h
*/
/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -56,17 +62,12 @@
* [including the GNU Public Licence.]
*/
/* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
* following command:
* perl obj_dat.pl objects.h obj_dat.h
*/
#define NUM_NID 404
#define NUM_SN 402
#define NUM_LN 402
#define NUM_OBJ 376
#define NUM_NID 393
#define NUM_SN 392
#define NUM_LN 392
#define NUM_OBJ 366
static unsigned char lvalues[2896]={
static unsigned char lvalues[2941]={
0x00, /* [ 0] OBJ_undef */
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */
@ -390,49 +391,59 @@ static unsigned char lvalues[2896]={
0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x01, /* [2583] OBJ_id_on_personalData */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x01, /* [2591] OBJ_id_pda_dateOfBirth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x02, /* [2599] OBJ_id_pda_placeOfBirth */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03, /* [2607] OBJ_id_pda_pseudonym */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04, /* [2615] OBJ_id_pda_gender */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05, /* [2623] OBJ_id_pda_countryOfCitizenship */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x06, /* [2631] OBJ_id_pda_countryOfResidence */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01, /* [2639] OBJ_id_aca_authenticationInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02, /* [2647] OBJ_id_aca_accessIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03, /* [2655] OBJ_id_aca_chargingIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04, /* [2663] OBJ_id_aca_group */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05, /* [2671] OBJ_id_aca_role */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01, /* [2679] OBJ_id_qcs_pkixQCSyntax_v1 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01, /* [2687] OBJ_id_cct_crs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02, /* [2695] OBJ_id_cct_PKIData */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03, /* [2703] OBJ_id_cct_PKIResponse */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03, /* [2711] OBJ_ad_timeStamping */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04, /* [2719] OBJ_ad_dvcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2727] OBJ_id_pkix_OCSP_basic */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2736] OBJ_id_pkix_OCSP_Nonce */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2745] OBJ_id_pkix_OCSP_CrlID */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2754] OBJ_id_pkix_OCSP_acceptableResponses */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2763] OBJ_id_pkix_OCSP_noCheck */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2772] OBJ_id_pkix_OCSP_archiveCutoff */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2781] OBJ_id_pkix_OCSP_serviceLocator */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2790] OBJ_id_pkix_OCSP_extendedStatus */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2799] OBJ_id_pkix_OCSP_valid */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2808] OBJ_id_pkix_OCSP_path */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2817] OBJ_id_pkix_OCSP_trustRoot */
0x2B,0x0E,0x03,0x02, /* [2826] OBJ_algorithm */
0x2B,0x0E,0x03,0x02,0x0B, /* [2830] OBJ_rsaSignature */
0x55,0x08, /* [2835] OBJ_X500algorithms */
0x2B, /* [2837] OBJ_org */
0x2B,0x06, /* [2838] OBJ_dod */
0x2B,0x06,0x01, /* [2840] OBJ_iana */
0x2B,0x06,0x01,0x01, /* [2843] OBJ_Directory */
0x2B,0x06,0x01,0x02, /* [2847] OBJ_Management */
0x2B,0x06,0x01,0x03, /* [2851] OBJ_Experimental */
0x2B,0x06,0x01,0x04, /* [2855] OBJ_Private */
0x2B,0x06,0x01,0x05, /* [2859] OBJ_Security */
0x2B,0x06,0x01,0x06, /* [2863] OBJ_SNMPv2 */
0x2B,0x06,0x01,0x07, /* [2867] OBJ_Mail */
0x01, /* [2871] OBJ_Enterprises */
0xBA,0x82,0x58, /* [2872] OBJ_dcObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2875] OBJ_domainComponent */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2885] OBJ_Domain */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x03, /* [2607] OBJ_id_pda_gender */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x04, /* [2615] OBJ_id_pda_countryOfCitizenship */
0x2B,0x06,0x01,0x05,0x05,0x07,0x09,0x05, /* [2623] OBJ_id_pda_countryOfResidence */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x01, /* [2631] OBJ_id_aca_authenticationInfo */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x02, /* [2639] OBJ_id_aca_accessIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x03, /* [2647] OBJ_id_aca_chargingIdentity */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x04, /* [2655] OBJ_id_aca_group */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x05, /* [2663] OBJ_id_aca_role */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0B,0x01, /* [2671] OBJ_id_qcs_pkixQCSyntax_v1 */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x01, /* [2679] OBJ_id_cct_crs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x02, /* [2687] OBJ_id_cct_PKIData */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0C,0x03, /* [2695] OBJ_id_cct_PKIResponse */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x03, /* [2703] OBJ_ad_timeStamping */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x04, /* [2711] OBJ_ad_dvcs */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x01,/* [2719] OBJ_id_pkix_OCSP_basic */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,/* [2728] OBJ_id_pkix_OCSP_Nonce */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x03,/* [2737] OBJ_id_pkix_OCSP_CrlID */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x04,/* [2746] OBJ_id_pkix_OCSP_acceptableResponses */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x05,/* [2755] OBJ_id_pkix_OCSP_noCheck */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x06,/* [2764] OBJ_id_pkix_OCSP_archiveCutoff */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x07,/* [2773] OBJ_id_pkix_OCSP_serviceLocator */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x08,/* [2782] OBJ_id_pkix_OCSP_extendedStatus */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x09,/* [2791] OBJ_id_pkix_OCSP_valid */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0A,/* [2800] OBJ_id_pkix_OCSP_path */
0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x0B,/* [2809] OBJ_id_pkix_OCSP_trustRoot */
0x2B,0x0E,0x03,0x02, /* [2818] OBJ_algorithm */
0x2B,0x0E,0x03,0x02,0x0B, /* [2822] OBJ_rsaSignature */
0x55,0x08, /* [2827] OBJ_X500algorithms */
0x2B, /* [2829] OBJ_org */
0x2B,0x06, /* [2830] OBJ_dod */
0x2B,0x06,0x01, /* [2832] OBJ_iana */
0x2B,0x06,0x01,0x01, /* [2835] OBJ_Directory */
0x2B,0x06,0x01,0x02, /* [2839] OBJ_Management */
0x2B,0x06,0x01,0x03, /* [2843] OBJ_Experimental */
0x2B,0x06,0x01,0x04, /* [2847] OBJ_Private */
0x2B,0x06,0x01,0x05, /* [2851] OBJ_Security */
0x2B,0x06,0x01,0x06, /* [2855] OBJ_SNMPv2 */
0x2B,0x06,0x01,0x07, /* [2859] OBJ_Mail */
0x01, /* [2863] OBJ_Enterprises */
0xBA,0x82,0x58, /* [2864] OBJ_dcObject */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2867] OBJ_domainComponent */
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2877] OBJ_Domain */
0x50, /* [2887] OBJ_joint_iso_ccitt */
0x55,0x01,0x05, /* [2888] OBJ_selected_attribute_types */
0x55,0x01,0x05,0x37, /* [2891] OBJ_clearance */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2895] OBJ_md4WithRSAEncryption */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A, /* [2904] OBJ_ac_proxying */
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B, /* [2912] OBJ_sinfo_access */
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06, /* [2920] OBJ_id_aca_encAttrs */
0x55,0x04,0x48, /* [2928] OBJ_role */
0x55,0x1D,0x24, /* [2931] OBJ_policy_constraints */
0x55,0x1D,0x37, /* [2934] OBJ_target_information */
0x55,0x1D,0x38, /* [2937] OBJ_no_rev_avail */
};
static ASN1_OBJECT nid_objs[NUM_NID]={
@ -576,7 +587,8 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
{"G","givenName",NID_givenName,3,&(lvalues[535]),0},
{"S","surname",NID_surname,3,&(lvalues[538]),0},
{"I","initials",NID_initials,3,&(lvalues[541]),0},
{"UID","uniqueIdentifier",NID_uniqueIdentifier,3,&(lvalues[544]),0},
{"uniqueIdentifier","uniqueIdentifier",NID_uniqueIdentifier,3,
&(lvalues[544]),0},
{"crlDistributionPoints","X509v3 CRL Distribution Points",
NID_crl_distribution_points,3,&(lvalues[547]),0},
{"RSA-NP-MD5","md5WithRSA",NID_md5WithRSA,5,&(lvalues[550]),0},
@ -985,66 +997,84 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
&(lvalues[2591]),0},
{"id-pda-placeOfBirth","id-pda-placeOfBirth",NID_id_pda_placeOfBirth,
8,&(lvalues[2599]),0},
{"id-pda-pseudonym","id-pda-pseudonym",NID_id_pda_pseudonym,8,
&(lvalues[2607]),0},
{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2615]),0},
{NULL,NULL,NID_undef,0,NULL},
{"id-pda-gender","id-pda-gender",NID_id_pda_gender,8,&(lvalues[2607]),0},
{"id-pda-countryOfCitizenship","id-pda-countryOfCitizenship",
NID_id_pda_countryOfCitizenship,8,&(lvalues[2623]),0},
NID_id_pda_countryOfCitizenship,8,&(lvalues[2615]),0},
{"id-pda-countryOfResidence","id-pda-countryOfResidence",
NID_id_pda_countryOfResidence,8,&(lvalues[2631]),0},
NID_id_pda_countryOfResidence,8,&(lvalues[2623]),0},
{"id-aca-authenticationInfo","id-aca-authenticationInfo",
NID_id_aca_authenticationInfo,8,&(lvalues[2639]),0},
NID_id_aca_authenticationInfo,8,&(lvalues[2631]),0},
{"id-aca-accessIdentity","id-aca-accessIdentity",
NID_id_aca_accessIdentity,8,&(lvalues[2647]),0},
NID_id_aca_accessIdentity,8,&(lvalues[2639]),0},
{"id-aca-chargingIdentity","id-aca-chargingIdentity",
NID_id_aca_chargingIdentity,8,&(lvalues[2655]),0},
{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2663]),0},
{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2671]),0},
NID_id_aca_chargingIdentity,8,&(lvalues[2647]),0},
{"id-aca-group","id-aca-group",NID_id_aca_group,8,&(lvalues[2655]),0},
{"id-aca-role","id-aca-role",NID_id_aca_role,8,&(lvalues[2663]),0},
{"id-qcs-pkixQCSyntax-v1","id-qcs-pkixQCSyntax-v1",
NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2679]),0},
{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2687]),0},
NID_id_qcs_pkixQCSyntax_v1,8,&(lvalues[2671]),0},
{"id-cct-crs","id-cct-crs",NID_id_cct_crs,8,&(lvalues[2679]),0},
{"id-cct-PKIData","id-cct-PKIData",NID_id_cct_PKIData,8,
&(lvalues[2695]),0},
&(lvalues[2687]),0},
{"id-cct-PKIResponse","id-cct-PKIResponse",NID_id_cct_PKIResponse,8,
&(lvalues[2703]),0},
&(lvalues[2695]),0},
{"ad_timestamping","AD Time Stamping",NID_ad_timeStamping,8,
&(lvalues[2711]),0},
{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2719]),0},
&(lvalues[2703]),0},
{"AD_DVCS","ad dvcs",NID_ad_dvcs,8,&(lvalues[2711]),0},
{"basicOCSPResponse","Basic OCSP Response",NID_id_pkix_OCSP_basic,9,
&(lvalues[2727]),0},
{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2736]),0},
{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2745]),0},
&(lvalues[2719]),0},
{"Nonce","OCSP Nonce",NID_id_pkix_OCSP_Nonce,9,&(lvalues[2728]),0},
{"CrlID","OCSP CRL ID",NID_id_pkix_OCSP_CrlID,9,&(lvalues[2737]),0},
{"acceptableResponses","Acceptable OCSP Responses",
NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2754]),0},
{"noCheck","noCheck",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2763]),0},
NID_id_pkix_OCSP_acceptableResponses,9,&(lvalues[2746]),0},
{"noCheck","noCheck",NID_id_pkix_OCSP_noCheck,9,&(lvalues[2755]),0},
{"archiveCutoff","OCSP Archive Cutoff",NID_id_pkix_OCSP_archiveCutoff,
9,&(lvalues[2772]),0},
9,&(lvalues[2764]),0},
{"serviceLocator","OCSP Service Locator",
NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2781]),0},
NID_id_pkix_OCSP_serviceLocator,9,&(lvalues[2773]),0},
{"extendedStatus","Extended OCSP Status",
NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2790]),0},
{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2799]),0},
{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2808]),0},
NID_id_pkix_OCSP_extendedStatus,9,&(lvalues[2782]),0},
{"valid","valid",NID_id_pkix_OCSP_valid,9,&(lvalues[2791]),0},
{"path","path",NID_id_pkix_OCSP_path,9,&(lvalues[2800]),0},
{"trustRoot","Trust Root",NID_id_pkix_OCSP_trustRoot,9,
&(lvalues[2817]),0},
{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2826]),0},
{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2830]),0},
&(lvalues[2809]),0},
{"algorithm","algorithm",NID_algorithm,4,&(lvalues[2818]),0},
{"rsaSignature","rsaSignature",NID_rsaSignature,5,&(lvalues[2822]),0},
{"X500algorithms","directory services - algorithms",
NID_X500algorithms,2,&(lvalues[2835]),0},
{"ORG","org",NID_org,1,&(lvalues[2837]),0},
{"DOD","dod",NID_dod,2,&(lvalues[2838]),0},
{"IANA","iana",NID_iana,3,&(lvalues[2840]),0},
{"directory","Directory",NID_Directory,4,&(lvalues[2843]),0},
{"mgmt","Management",NID_Management,4,&(lvalues[2847]),0},
{"experimental","Experimental",NID_Experimental,4,&(lvalues[2851]),0},
{"private","Private",NID_Private,4,&(lvalues[2855]),0},
{"security","Security",NID_Security,4,&(lvalues[2859]),0},
{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2863]),0},
{"mail","Mail",NID_Mail,4,&(lvalues[2867]),0},
{"enterprises","Enterprises",NID_Enterprises,1,&(lvalues[2871]),0},
{"dcobject","dcObject",NID_dcObject,3,&(lvalues[2872]),0},
{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2875]),0},
{"domain","Domain",NID_Domain,10,&(lvalues[2885]),0},
NID_X500algorithms,2,&(lvalues[2827]),0},
{"ORG","org",NID_org,1,&(lvalues[2829]),0},
{"DOD","dod",NID_dod,2,&(lvalues[2830]),0},
{"IANA","iana",NID_iana,3,&(lvalues[2832]),0},
{"directory","Directory",NID_Directory,4,&(lvalues[2835]),0},
{"mgmt","Management",NID_Management,4,&(lvalues[2839]),0},
{"experimental","Experimental",NID_Experimental,4,&(lvalues[2843]),0},
{"private","Private",NID_Private,4,&(lvalues[2847]),0},
{"security","Security",NID_Security,4,&(lvalues[2851]),0},
{"snmpv2","SNMPv2",NID_SNMPv2,4,&(lvalues[2855]),0},
{"mail","Mail",NID_Mail,4,&(lvalues[2859]),0},
{"enterprises","Enterprises",NID_Enterprises,1,&(lvalues[2863]),0},
{"dcobject","dcObject",NID_dcObject,3,&(lvalues[2864]),0},
{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2867]),0},
{"domain","Domain",NID_Domain,10,&(lvalues[2877]),0},
{"JOINT-ISO-CCITT","joint-iso-ccitt",NID_joint_iso_ccitt,1,
&(lvalues[2887]),0},
{"selected-attribute-types","Selected Attribute Types",
NID_selected_attribute_types,3,&(lvalues[2888]),0},
{"clearance","clearance",NID_clearance,4,&(lvalues[2891]),0},
{"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9,
&(lvalues[2895]),0},
{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2904]),0},
{"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8,
&(lvalues[2912]),0},
{"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8,
&(lvalues[2920]),0},
{"role","role",NID_role,3,&(lvalues[2928]),0},
{"policyConstraints","X509v3 Policy Constraints",
NID_policy_constraints,3,&(lvalues[2931]),0},
{"targetInformation","X509v3 AC Targeting",NID_target_information,3,
&(lvalues[2934]),0},
{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
&(lvalues[2937]),0},
};
static ASN1_OBJECT *sn_objs[NUM_SN]={
@ -1093,6 +1123,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[46]),/* "IDEA-OFB" */
&(nid_objs[181]),/* "ISO" */
&(nid_objs[183]),/* "ISO-US" */
&(nid_objs[393]),/* "JOINT-ISO-CCITT" */
&(nid_objs[15]),/* "L" */
&(nid_objs[ 3]),/* "MD2" */
&(nid_objs[257]),/* "MD4" */
@ -1138,6 +1169,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[124]),/* "RLE" */
&(nid_objs[19]),/* "RSA" */
&(nid_objs[ 7]),/* "RSA-MD2" */
&(nid_objs[396]),/* "RSA-MD4" */
&(nid_objs[ 8]),/* "RSA-MD5" */
&(nid_objs[96]),/* "RSA-MDC2" */
&(nid_objs[104]),/* "RSA-NP-MD5" */
@ -1154,7 +1186,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[16]),/* "ST" */
&(nid_objs[143]),/* "SXNetID" */
&(nid_objs[106]),/* "T" */
&(nid_objs[102]),/* "UID" */
&(nid_objs[ 0]),/* "UNDEF" */
&(nid_objs[11]),/* "X500" */
&(nid_objs[378]),/* "X500algorithms" */
@ -1164,6 +1195,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[125]),/* "ZLIB" */
&(nid_objs[289]),/* "aaControls" */
&(nid_objs[287]),/* "ac-auditEntity" */
&(nid_objs[397]),/* "ac-proxying" */
&(nid_objs[288]),/* "ac-targeting" */
&(nid_objs[368]),/* "acceptableResponses" */
&(nid_objs[363]),/* "ad_timestamping" */
@ -1178,6 +1210,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[152]),/* "certBag" */
&(nid_objs[89]),/* "certificatePolicies" */
&(nid_objs[54]),/* "challengePassword" */
&(nid_objs[395]),/* "clearance" */
&(nid_objs[130]),/* "clientAuth" */
&(nid_objs[131]),/* "codeSigning" */
&(nid_objs[50]),/* "contentType" */
@ -1204,6 +1237,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[355]),/* "id-aca-accessIdentity" */
&(nid_objs[354]),/* "id-aca-authenticationInfo" */
&(nid_objs[356]),/* "id-aca-chargingIdentity" */
&(nid_objs[399]),/* "id-aca-encAttrs" */
&(nid_objs[357]),/* "id-aca-group" */
&(nid_objs[358]),/* "id-aca-role" */
&(nid_objs[176]),/* "id-ad" */
@ -1275,7 +1309,6 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[348]),/* "id-pda-dateOfBirth" */
&(nid_objs[351]),/* "id-pda-gender" */
&(nid_objs[349]),/* "id-pda-placeOfBirth" */
&(nid_objs[350]),/* "id-pda-pseudonym" */
&(nid_objs[175]),/* "id-pe" */
&(nid_objs[261]),/* "id-pkip" */
&(nid_objs[258]),/* "id-pkix-mod" */
@ -1386,6 +1419,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[137]),/* "msSGC" */
&(nid_objs[173]),/* "name" */
&(nid_objs[369]),/* "noCheck" */
&(nid_objs[403]),/* "noRevAvail" */
&(nid_objs[72]),/* "nsBaseUrl" */
&(nid_objs[76]),/* "nsCaPolicyUrl" */
&(nid_objs[74]),/* "nsCaRevocationUrl" */
@ -1413,9 +1447,11 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[22]),/* "pkcs7-signedData" */
&(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
&(nid_objs[47]),/* "pkcs9" */
&(nid_objs[401]),/* "policyConstraints" */
&(nid_objs[385]),/* "private" */
&(nid_objs[84]),/* "privateKeyUsagePeriod" */
&(nid_objs[286]),/* "qcStatements" */
&(nid_objs[400]),/* "role" */
&(nid_objs[ 6]),/* "rsaEncryption" */
&(nid_objs[377]),/* "rsaSignature" */
&(nid_objs[ 1]),/* "rsadsi" */
@ -1426,15 +1462,19 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
&(nid_objs[159]),/* "sdsiCertificate" */
&(nid_objs[154]),/* "secretBag" */
&(nid_objs[386]),/* "security" */
&(nid_objs[394]),/* "selected-attribute-types" */
&(nid_objs[129]),/* "serverAuth" */
&(nid_objs[371]),/* "serviceLocator" */
&(nid_objs[52]),/* "signingTime" */
&(nid_objs[387]),/* "snmpv2" */
&(nid_objs[85]),/* "subjectAltName" */
&(nid_objs[398]),/* "subjectInfoAccess" */
&(nid_objs[82]),/* "subjectKeyIdentifier" */
&(nid_objs[402]),/* "targetInformation" */
&(nid_objs[293]),/* "textNotice" */
&(nid_objs[133]),/* "timeStamping" */
&(nid_objs[375]),/* "trustRoot" */
&(nid_objs[102]),/* "uniqueIdentifier" */
&(nid_objs[55]),/* "unstructuredAddress" */
&(nid_objs[49]),/* "unstructuredName" */
&(nid_objs[373]),/* "valid" */
@ -1503,12 +1543,15 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[167]),/* "S/MIME Capabilities" */
&(nid_objs[387]),/* "SNMPv2" */
&(nid_objs[386]),/* "Security" */
&(nid_objs[394]),/* "Selected Attribute Types" */
&(nid_objs[143]),/* "Strong Extranet ID" */
&(nid_objs[398]),/* "Subject Information Access" */
&(nid_objs[130]),/* "TLS Web Client Authentication" */
&(nid_objs[129]),/* "TLS Web Server Authentication" */
&(nid_objs[133]),/* "Time Stamping" */
&(nid_objs[375]),/* "Trust Root" */
&(nid_objs[12]),/* "X509" */
&(nid_objs[402]),/* "X509v3 AC Targeting" */
&(nid_objs[90]),/* "X509v3 Authority Key Identifier" */
&(nid_objs[87]),/* "X509v3 Basic Constraints" */
&(nid_objs[103]),/* "X509v3 CRL Distribution Points" */
@ -1519,6 +1562,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[126]),/* "X509v3 Extended Key Usage" */
&(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
&(nid_objs[83]),/* "X509v3 Key Usage" */
&(nid_objs[403]),/* "X509v3 No Revocation Available" */
&(nid_objs[401]),/* "X509v3 Policy Constraints" */
&(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
&(nid_objs[85]),/* "X509v3 Subject Alternative Name" */
&(nid_objs[82]),/* "X509v3 Subject Key Identifier" */
@ -1526,6 +1571,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[185]),/* "X9.57 CM ?" */
&(nid_objs[289]),/* "aaControls" */
&(nid_objs[287]),/* "ac-auditEntity" */
&(nid_objs[397]),/* "ac-proxying" */
&(nid_objs[288]),/* "ac-targeting" */
&(nid_objs[364]),/* "ad dvcs" */
&(nid_objs[376]),/* "algorithm" */
@ -1539,6 +1585,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[111]),/* "cast5-ofb" */
&(nid_objs[152]),/* "certBag" */
&(nid_objs[54]),/* "challengePassword" */
&(nid_objs[395]),/* "clearance" */
&(nid_objs[13]),/* "commonName" */
&(nid_objs[50]),/* "contentType" */
&(nid_objs[53]),/* "countersignature" */
@ -1581,6 +1628,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[355]),/* "id-aca-accessIdentity" */
&(nid_objs[354]),/* "id-aca-authenticationInfo" */
&(nid_objs[356]),/* "id-aca-chargingIdentity" */
&(nid_objs[399]),/* "id-aca-encAttrs" */
&(nid_objs[357]),/* "id-aca-group" */
&(nid_objs[358]),/* "id-aca-role" */
&(nid_objs[176]),/* "id-ad" */
@ -1652,7 +1700,6 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[348]),/* "id-pda-dateOfBirth" */
&(nid_objs[351]),/* "id-pda-gender" */
&(nid_objs[349]),/* "id-pda-placeOfBirth" */
&(nid_objs[350]),/* "id-pda-pseudonym" */
&(nid_objs[175]),/* "id-pe" */
&(nid_objs[261]),/* "id-pkip" */
&(nid_objs[258]),/* "id-pkix-mod" */
@ -1747,12 +1794,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[46]),/* "idea-ofb" */
&(nid_objs[101]),/* "initials" */
&(nid_objs[181]),/* "iso" */
&(nid_objs[393]),/* "joint-iso-ccitt" */
&(nid_objs[150]),/* "keyBag" */
&(nid_objs[157]),/* "localKeyID" */
&(nid_objs[15]),/* "localityName" */
&(nid_objs[ 3]),/* "md2" */
&(nid_objs[ 7]),/* "md2WithRSAEncryption" */
&(nid_objs[257]),/* "md4" */
&(nid_objs[396]),/* "md4WithRSAEncryption" */
&(nid_objs[ 4]),/* "md5" */
&(nid_objs[114]),/* "md5-sha1" */
&(nid_objs[104]),/* "md5WithRSA" */
@ -1806,6 +1855,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
&(nid_objs[123]),/* "rc5-ofb" */
&(nid_objs[117]),/* "ripemd160" */
&(nid_objs[119]),/* "ripemd160WithRSA" */
&(nid_objs[400]),/* "role" */
&(nid_objs[19]),/* "rsa" */
&(nid_objs[ 6]),/* "rsaEncryption" */
&(nid_objs[377]),/* "rsaSignature" */
@ -1843,6 +1893,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[181]),/* OBJ_iso 1 */
&(nid_objs[182]),/* OBJ_member_body 1 2 */
&(nid_objs[379]),/* OBJ_org 1 3 */
&(nid_objs[393]),/* OBJ_joint_iso_ccitt 2 */
&(nid_objs[11]),/* OBJ_X500 2 5 */
&(nid_objs[380]),/* OBJ_dod 1 3 6 */
&(nid_objs[12]),/* OBJ_X509 2 5 4 */
@ -1850,6 +1901,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[81]),/* OBJ_id_ce 2 5 29 */
&(nid_objs[183]),/* OBJ_ISO_US 1 2 840 */
&(nid_objs[381]),/* OBJ_iana 1 3 6 1 */
&(nid_objs[394]),/* OBJ_selected_attribute_types 2 5 1 5 */
&(nid_objs[13]),/* OBJ_commonName 2 5 4 3 */
&(nid_objs[100]),/* OBJ_surname 2 5 4 4 */
&(nid_objs[105]),/* OBJ_serialNumber 2 5 4 5 */
@ -1865,6 +1917,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[101]),/* OBJ_initials 2 5 4 43 */
&(nid_objs[102]),/* OBJ_uniqueIdentifier 2 5 4 45 */
&(nid_objs[174]),/* OBJ_dnQualifier 2 5 4 46 */
&(nid_objs[400]),/* OBJ_role 2 5 4 72 */
&(nid_objs[82]),/* OBJ_subject_key_identifier 2 5 29 14 */
&(nid_objs[83]),/* OBJ_key_usage 2 5 29 15 */
&(nid_objs[84]),/* OBJ_private_key_usage_period 2 5 29 16 */
@ -1878,7 +1931,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */
&(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */
&(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */
&(nid_objs[401]),/* OBJ_policy_constraints 2 5 29 36 */
&(nid_objs[126]),/* OBJ_ext_key_usage 2 5 29 37 */
&(nid_objs[402]),/* OBJ_target_information 2 5 29 55 */
&(nid_objs[403]),/* OBJ_no_rev_avail 2 5 29 56 */
&(nid_objs[390]),/* OBJ_dcObject 1466 344 */
&(nid_objs[382]),/* OBJ_Directory 1 3 6 1 1 */
&(nid_objs[383]),/* OBJ_Management 1 3 6 1 2 */
@ -1888,6 +1944,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[387]),/* OBJ_SNMPv2 1 3 6 1 6 */
&(nid_objs[388]),/* OBJ_Mail 1 3 6 1 7 */
&(nid_objs[376]),/* OBJ_algorithm 1 3 14 3 2 */
&(nid_objs[395]),/* OBJ_clearance 2 5 1 5 55 */
&(nid_objs[19]),/* OBJ_rsa 2 5 8 1 1 */
&(nid_objs[96]),/* OBJ_mdc2WithRSA 2 5 8 3 100 */
&(nid_objs[95]),/* OBJ_mdc2 2 5 8 3 101 */
@ -1970,6 +2027,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */
&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */
&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */
&(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */
&(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */
&(nid_objs[164]),/* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */
&(nid_objs[165]),/* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */
&(nid_objs[293]),/* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */
@ -2027,15 +2086,15 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[347]),/* OBJ_id_on_personalData 1 3 6 1 5 5 7 8 1 */
&(nid_objs[348]),/* OBJ_id_pda_dateOfBirth 1 3 6 1 5 5 7 9 1 */
&(nid_objs[349]),/* OBJ_id_pda_placeOfBirth 1 3 6 1 5 5 7 9 2 */
&(nid_objs[350]),/* OBJ_id_pda_pseudonym 1 3 6 1 5 5 7 9 3 */
&(nid_objs[351]),/* OBJ_id_pda_gender 1 3 6 1 5 5 7 9 4 */
&(nid_objs[352]),/* OBJ_id_pda_countryOfCitizenship 1 3 6 1 5 5 7 9 5 */
&(nid_objs[353]),/* OBJ_id_pda_countryOfResidence 1 3 6 1 5 5 7 9 6 */
&(nid_objs[351]),/* OBJ_id_pda_gender 1 3 6 1 5 5 7 9 3 */
&(nid_objs[352]),/* OBJ_id_pda_countryOfCitizenship 1 3 6 1 5 5 7 9 4 */
&(nid_objs[353]),/* OBJ_id_pda_countryOfResidence 1 3 6 1 5 5 7 9 5 */
&(nid_objs[354]),/* OBJ_id_aca_authenticationInfo 1 3 6 1 5 5 7 10 1 */
&(nid_objs[355]),/* OBJ_id_aca_accessIdentity 1 3 6 1 5 5 7 10 2 */
&(nid_objs[356]),/* OBJ_id_aca_chargingIdentity 1 3 6 1 5 5 7 10 3 */
&(nid_objs[357]),/* OBJ_id_aca_group 1 3 6 1 5 5 7 10 4 */
&(nid_objs[358]),/* OBJ_id_aca_role 1 3 6 1 5 5 7 10 5 */
&(nid_objs[399]),/* OBJ_id_aca_encAttrs 1 3 6 1 5 5 7 10 6 */
&(nid_objs[359]),/* OBJ_id_qcs_pkixQCSyntax_v1 1 3 6 1 5 5 7 11 1 */
&(nid_objs[360]),/* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */
&(nid_objs[361]),/* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */
@ -2050,6 +2109,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
&(nid_objs[112]),/* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */
&(nid_objs[ 6]),/* OBJ_rsaEncryption 1 2 840 113549 1 1 1 */
&(nid_objs[ 7]),/* OBJ_md2WithRSAEncryption 1 2 840 113549 1 1 2 */
&(nid_objs[396]),/* OBJ_md4WithRSAEncryption 1 2 840 113549 1 1 3 */
&(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */
&(nid_objs[65]),/* OBJ_sha1WithRSAEncryption 1 2 840 113549 1 1 5 */
&(nid_objs[28]),/* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */

13
crypto/openssl/crypto/objects/obj_dat.pl
View File

@ -164,7 +164,13 @@ foreach (sort obj_cmp @a)
}
print OUT <<'EOF';
/* lib/obj/obj_dat.h */
/* crypto/objects/obj_dat.h */
/* THIS FILE IS GENERATED FROM objects.h by obj_dat.pl via the
* following command:
* perl obj_dat.pl objects.h obj_dat.h
*/
/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -222,11 +228,6 @@ print OUT <<'EOF';
* [including the GNU Public Licence.]
*/
/* THIS FILE IS GENERATED FROM Objects.h by obj_dat.pl via the
* following command:
* perl obj_dat.pl objects.h obj_dat.h
*/
EOF
printf OUT "#define NUM_NID %d\n",$n;

76
crypto/openssl/crypto/objects/obj_mac.h
View File

@ -1,4 +1,10 @@
/* lib/obj/obj_mac.h */
/* crypto/objects/obj_mac.h */
/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
* following command:
* perl objects.pl objects.txt obj_mac.num obj_mac.h
*/
/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -56,11 +62,6 @@
* [including the GNU Public Licence.]
*/
/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
* following command:
* perl objects.pl objects.txt obj_mac.num obj_mac.h
*/
#define SN_undef "UNDEF"
#define LN_undef "undefined"
#define NID_undef 0
@ -71,11 +72,25 @@
#define NID_iso 181
#define OBJ_iso 1L
#define SN_joint_iso_ccitt "JOINT-ISO-CCITT"
#define LN_joint_iso_ccitt "joint-iso-ccitt"
#define NID_joint_iso_ccitt 393
#define OBJ_joint_iso_ccitt 2L
#define SN_member_body "member-body"
#define LN_member_body "ISO Member Body"
#define NID_member_body 182
#define OBJ_member_body OBJ_iso,2L
#define SN_selected_attribute_types "selected-attribute-types"
#define LN_selected_attribute_types "Selected Attribute Types"
#define NID_selected_attribute_types 394
#define OBJ_selected_attribute_types OBJ_joint_iso_ccitt,5L,1L,5L
#define SN_clearance "clearance"
#define NID_clearance 395
#define OBJ_clearance OBJ_selected_attribute_types,55L
#define SN_ISO_US "ISO-US"
#define LN_ISO_US "ISO US Member Body"
#define NID_ISO_US 183
@ -145,6 +160,11 @@
#define NID_md2WithRSAEncryption 7
#define OBJ_md2WithRSAEncryption OBJ_pkcs1,2L
#define SN_md4WithRSAEncryption "RSA-MD4"
#define LN_md4WithRSAEncryption "md4WithRSAEncryption"
#define NID_md4WithRSAEncryption 396
#define OBJ_md4WithRSAEncryption OBJ_pkcs1,3L
#define SN_md5WithRSAEncryption "RSA-MD5"
#define LN_md5WithRSAEncryption "md5WithRSAEncryption"
#define NID_md5WithRSAEncryption 8
@ -956,6 +976,15 @@
#define NID_sbqp_routerIdentifier 292
#define OBJ_sbqp_routerIdentifier OBJ_id_pe,9L
#define SN_ac_proxying "ac-proxying"
#define NID_ac_proxying 397
#define OBJ_ac_proxying OBJ_id_pe,10L
#define SN_sinfo_access "subjectInfoAccess"
#define LN_sinfo_access "Subject Information Access"
#define NID_sinfo_access 398
#define OBJ_sinfo_access OBJ_id_pe,11L
#define SN_id_qt_cps "id-qt-cps"
#define LN_id_qt_cps "Policy Qualifier CPS"
#define NID_id_qt_cps 164
@ -1228,21 +1257,17 @@
#define NID_id_pda_placeOfBirth 349
#define OBJ_id_pda_placeOfBirth OBJ_id_pda,2L
#define SN_id_pda_pseudonym "id-pda-pseudonym"
#define NID_id_pda_pseudonym 350
#define OBJ_id_pda_pseudonym OBJ_id_pda,3L
#define SN_id_pda_gender "id-pda-gender"
#define NID_id_pda_gender 351
#define OBJ_id_pda_gender OBJ_id_pda,4L
#define OBJ_id_pda_gender OBJ_id_pda,3L
#define SN_id_pda_countryOfCitizenship "id-pda-countryOfCitizenship"
#define NID_id_pda_countryOfCitizenship 352
#define OBJ_id_pda_countryOfCitizenship OBJ_id_pda,5L
#define OBJ_id_pda_countryOfCitizenship OBJ_id_pda,4L
#define SN_id_pda_countryOfResidence "id-pda-countryOfResidence"
#define NID_id_pda_countryOfResidence 353
#define OBJ_id_pda_countryOfResidence OBJ_id_pda,6L
#define OBJ_id_pda_countryOfResidence OBJ_id_pda,5L
#define SN_id_aca_authenticationInfo "id-aca-authenticationInfo"
#define NID_id_aca_authenticationInfo 354
@ -1264,6 +1289,10 @@
#define NID_id_aca_role 358
#define OBJ_id_aca_role OBJ_id_aca,5L
#define SN_id_aca_encAttrs "id-aca-encAttrs"
#define NID_id_aca_encAttrs 399
#define OBJ_id_aca_encAttrs OBJ_id_aca,6L
#define SN_id_qcs_pkixQCSyntax_v1 "id-qcs-pkixQCSyntax-v1"
#define NID_id_qcs_pkixQCSyntax_v1 359
#define OBJ_id_qcs_pkixQCSyntax_v1 OBJ_id_qcs,1L
@ -1545,7 +1574,6 @@
#define NID_initials 101
#define OBJ_initials OBJ_X509,43L
#define SN_uniqueIdentifier "UID"
#define LN_uniqueIdentifier "uniqueIdentifier"
#define NID_uniqueIdentifier 102
#define OBJ_uniqueIdentifier OBJ_X509,45L
@ -1555,6 +1583,11 @@
#define NID_dnQualifier 174
#define OBJ_dnQualifier OBJ_X509,46L
#define SN_role "role"
#define LN_role "role"
#define NID_role 400
#define OBJ_role OBJ_X509,72L
#define SN_X500algorithms "X500algorithms"
#define LN_X500algorithms "directory services - algorithms"
#define NID_X500algorithms 378
@ -1644,11 +1677,26 @@
#define NID_authority_key_identifier 90
#define OBJ_authority_key_identifier OBJ_id_ce,35L
#define SN_policy_constraints "policyConstraints"
#define LN_policy_constraints "X509v3 Policy Constraints"
#define NID_policy_constraints 401
#define OBJ_policy_constraints OBJ_id_ce,36L
#define SN_ext_key_usage "extendedKeyUsage"
#define LN_ext_key_usage "X509v3 Extended Key Usage"
#define NID_ext_key_usage 126
#define OBJ_ext_key_usage OBJ_id_ce,37L
#define SN_target_information "targetInformation"
#define LN_target_information "X509v3 AC Targeting"
#define NID_target_information 402
#define OBJ_target_information OBJ_id_ce,55L
#define SN_no_rev_avail "noRevAvail"
#define LN_no_rev_avail "X509v3 No Revocation Available"
#define NID_no_rev_avail 403
#define OBJ_no_rev_avail OBJ_id_ce,56L
#define SN_netscape "Netscape"
#define LN_netscape "Netscape Communications Corp."
#define NID_netscape 57

11
crypto/openssl/crypto/objects/obj_mac.num
View File

@ -390,3 +390,14 @@ Enterprises 389
dcObject 390
domainComponent 391
Domain 392
joint_iso_ccitt 393
selected_attribute_types 394
clearance 395
md4WithRSAEncryption 396
ac_proxying 397
sinfo_access 398
id_aca_encAttrs 399
role 400
policy_constraints 401
target_information 402
no_rev_avail 403

38
crypto/openssl/crypto/objects/objects.h
View File

@ -452,54 +452,54 @@
#define LN_desx_cbc "desx-cbc"
#define NID_desx_cbc 80
#define SN_ld_ce "ld-ce"
#define NID_ld_ce 81
#define OBJ_ld_ce 2L,5L,29L
#define SN_id_ce "id-ce"
#define NID_id_ce 81
#define OBJ_id_ce 2L,5L,29L
#define SN_subject_key_identifier "subjectKeyIdentifier"
#define LN_subject_key_identifier "X509v3 Subject Key Identifier"
#define NID_subject_key_identifier 82
#define OBJ_subject_key_identifier OBJ_ld_ce,14L
#define OBJ_subject_key_identifier OBJ_id_ce,14L
#define SN_key_usage "keyUsage"
#define LN_key_usage "X509v3 Key Usage"
#define NID_key_usage 83
#define OBJ_key_usage OBJ_ld_ce,15L
#define OBJ_key_usage OBJ_id_ce,15L
#define SN_private_key_usage_period "privateKeyUsagePeriod"
#define LN_private_key_usage_period "X509v3 Private Key Usage Period"
#define NID_private_key_usage_period 84
#define OBJ_private_key_usage_period OBJ_ld_ce,16L
#define OBJ_private_key_usage_period OBJ_id_ce,16L
#define SN_subject_alt_name "subjectAltName"
#define LN_subject_alt_name "X509v3 Subject Alternative Name"
#define NID_subject_alt_name 85
#define OBJ_subject_alt_name OBJ_ld_ce,17L
#define OBJ_subject_alt_name OBJ_id_ce,17L
#define SN_issuer_alt_name "issuerAltName"
#define LN_issuer_alt_name "X509v3 Issuer Alternative Name"
#define NID_issuer_alt_name 86
#define OBJ_issuer_alt_name OBJ_ld_ce,18L
#define OBJ_issuer_alt_name OBJ_id_ce,18L
#define SN_basic_constraints "basicConstraints"
#define LN_basic_constraints "X509v3 Basic Constraints"
#define NID_basic_constraints 87
#define OBJ_basic_constraints OBJ_ld_ce,19L
#define OBJ_basic_constraints OBJ_id_ce,19L
#define SN_crl_number "crlNumber"
#define LN_crl_number "X509v3 CRL Number"
#define NID_crl_number 88
#define OBJ_crl_number OBJ_ld_ce,20L
#define OBJ_crl_number OBJ_id_ce,20L
#define SN_certificate_policies "certificatePolicies"
#define LN_certificate_policies "X509v3 Certificate Policies"
#define NID_certificate_policies 89
#define OBJ_certificate_policies OBJ_ld_ce,32L
#define OBJ_certificate_policies OBJ_id_ce,32L
#define SN_authority_key_identifier "authorityKeyIdentifier"
#define LN_authority_key_identifier "X509v3 Authority Key Identifier"
#define NID_authority_key_identifier 90
#define OBJ_authority_key_identifier OBJ_ld_ce,35L
#define OBJ_authority_key_identifier OBJ_id_ce,35L
#define SN_bf_cbc "BF-CBC"
#define LN_bf_cbc "bf-cbc"
@ -560,7 +560,7 @@
#define SN_crl_distribution_points "crlDistributionPoints"
#define LN_crl_distribution_points "X509v3 CRL Distribution Points"
#define NID_crl_distribution_points 103
#define OBJ_crl_distribution_points OBJ_ld_ce,31L
#define OBJ_crl_distribution_points OBJ_id_ce,31L
#define SN_md5WithRSA "RSA-NP-MD5"
#define LN_md5WithRSA "md5WithRSA"
@ -677,7 +677,7 @@
#define SN_ext_key_usage "extendedKeyUsage"
#define LN_ext_key_usage "X509v3 Extended Key Usage"
#define NID_ext_key_usage 126
#define OBJ_ext_key_usage OBJ_ld_ce,37
#define OBJ_ext_key_usage OBJ_id_ce,37
#define SN_id_pkix "PKIX"
#define NID_id_pkix 127
@ -751,17 +751,17 @@
#define SN_delta_crl "deltaCRL"
#define LN_delta_crl "X509v3 Delta CRL Indicator"
#define NID_delta_crl 140
#define OBJ_delta_crl OBJ_ld_ce,27L
#define OBJ_delta_crl OBJ_id_ce,27L
#define SN_crl_reason "CRLReason"
#define LN_crl_reason "CRL Reason Code"
#define NID_crl_reason 141
#define OBJ_crl_reason OBJ_ld_ce,21L
#define OBJ_crl_reason OBJ_id_ce,21L
#define SN_invalidity_date "invalidityDate"
#define LN_invalidity_date "Invalidity Date"
#define NID_invalidity_date 142
#define OBJ_invalidity_date OBJ_ld_ce,24L
#define OBJ_invalidity_date OBJ_id_ce,24L
#define SN_sxnet "SXNetID"
#define LN_sxnet "Strong Extranet ID"
@ -1005,8 +1005,6 @@ int OBJ_sn2nid(const char *s);
int OBJ_cmp(ASN1_OBJECT *a,ASN1_OBJECT *b);
char * OBJ_bsearch(char *key,char *base,int num,int size,int (*cmp)(const void *, const void *));
void ERR_load_OBJ_strings(void );
int OBJ_new_nid(int num);
int OBJ_add_object(ASN1_OBJECT *obj);
int OBJ_create(char *oid,char *sn,char *ln);
@ -1017,6 +1015,7 @@ int OBJ_create_objects(BIO *in);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_OBJ_strings(void);
/* Error codes for the OBJ functions. */
@ -1035,4 +1034,3 @@ int OBJ_create_objects(BIO *in);
}
#endif
#endif

13
crypto/openssl/crypto/objects/objects.pl
View File

@ -114,7 +114,13 @@ close NUMOUT;
open (OUT,">$ARGV[2]") || die "Can't open output file $ARGV[2]";
print OUT <<'EOF';
/* lib/obj/obj_mac.h */
/* crypto/objects/obj_mac.h */
/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
* following command:
* perl objects.pl objects.txt obj_mac.num obj_mac.h
*/
/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -172,11 +178,6 @@ print OUT <<'EOF';
* [including the GNU Public Licence.]
*/
/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
* following command:
* perl objects.pl objects.txt obj_mac.num obj_mac.h
*/
#define SN_undef "UNDEF"
#define LN_undef "undefined"
#define NID_undef 0

21
crypto/openssl/crypto/objects/objects.txt
View File

@ -1,7 +1,13 @@
1 : ISO : iso
2 : JOINT-ISO-CCITT : joint-iso-ccitt
iso 2 : member-body : ISO Member Body
joint-iso-ccitt 5 1 5 : selected-attribute-types : Selected Attribute Types
selected-attribute-types 55 : clearance
member-body 840 : ISO-US : ISO US Member Body
ISO-US 10040 : X9-57 : X9.57
X9-57 4 : X9cm : X9.57 CM ?
@ -26,6 +32,7 @@ rsadsi 1 : pkcs : RSA Data Security, Inc. PKCS
pkcs 1 : pkcs1
pkcs1 1 : : rsaEncryption
pkcs1 2 : RSA-MD2 : md2WithRSAEncryption
pkcs1 3 : RSA-MD4 : md4WithRSAEncryption
pkcs1 4 : RSA-MD5 : md5WithRSAEncryption
pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption
@ -302,6 +309,9 @@ id-pe 6 : aaControls
id-pe 7 : sbqp-ipAddrBlock
id-pe 8 : sbqp-autonomousSysNum
id-pe 9 : sbqp-routerIdentifier
id-pe 10 : ac-proxying
!Cname sinfo-access
id-pe 11 : subjectInfoAccess : Subject Information Access
# PKIX policyQualifiers for Internet policy qualifiers
id-qt 1 : id-qt-cps : Policy Qualifier CPS
@ -406,7 +416,9 @@ id-aca 1 : id-aca-authenticationInfo
id-aca 2 : id-aca-accessIdentity
id-aca 3 : id-aca-chargingIdentity
id-aca 4 : id-aca-group
# attention : the following seems to be obsolete, replace by 'role'
id-aca 5 : id-aca-role
id-aca 6 : id-aca-encAttrs
# qualified certificate statements
id-qcs 1 : id-qcs-pkixQCSyntax-v1
@ -496,8 +508,9 @@ X509 13 : D : description
X509 41 : name : name
X509 42 : G : givenName
X509 43 : I : initials
X509 45 : UID : uniqueIdentifier
X509 45 : : uniqueIdentifier
X509 46 : dnQualifier : dnQualifier
X509 72 : role : role
X500 8 : X500algorithms : directory services - algorithms
X500algorithms 1 1 : RSA : rsa
@ -531,8 +544,14 @@ id-ce 31 : crlDistributionPoints : X509v3 CRL Distribution Points
id-ce 32 : certificatePolicies : X509v3 Certificate Policies
!Cname authority-key-identifier
id-ce 35 : authorityKeyIdentifier : X509v3 Authority Key Identifier
!Cname policy-constraints
id-ce 36 : policyConstraints : X509v3 Policy Constraints
!Cname ext-key-usage
id-ce 37 : extendedKeyUsage : X509v3 Extended Key Usage
!Cname target-information
id-ce 55 : targetInformation : X509v3 AC Targeting
!Cname no-rev-avail
id-ce 56 : noRevAvail : X509v3 No Revocation Available
!Cname netscape
2 16 840 1 113730 : Netscape : Netscape Communications Corp.

20
crypto/openssl/crypto/opensslv.h
View File

@ -25,8 +25,8 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
#define OPENSSL_VERSION_NUMBER 0x0090602fL
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6b 9 Jul 2001"
#define OPENSSL_VERSION_NUMBER 0x0090603fL
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6c 21 dec 2001"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
@ -44,13 +44,13 @@
*
* libcrypto.so.0
*
* On True64 it works a little bit differently. There, the shared library
* version is stored in the file, and is actually a series of versions,
* separated by colons. The rightmost version present in the library when
* linking an application is stored in the application to be matched at
* run time. When the application is run, a check is done to see if the
* library version stored in the application matches any of the versions
* in the version string of the library itself.
* On Tru64 and IRIX 6.x it works a little bit differently. There, the
* shared library version is stored in the file, and is actually a series
* of versions, separated by colons. The rightmost version present in the
* library when linking an application is stored in the application to be
* matched at run time. When the application is run, a check is done to
* see if the library version stored in the application matches any of the
* versions in the version string of the library itself.
* This version string can be constructed in any way, depending on what
* kind of matching is desired. However, to implement the same scheme as
* the one used in the other unixen, all compatible versions, from lowest
@ -73,7 +73,7 @@
* However, it's nice and more understandable if it actually does.
* The current library version is stored in the macro SHLIB_VERSION_NUMBER,
* which is just a piece of text in the format "M.m.e" (Major, minor, edit).
* For the sake of True64 and any other OS that behaves in similar ways,
* For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
* we need to keep a history of version numbers, which is done in the
* macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
* should only keep the versions that are binary compatible with the current.

4
crypto/openssl/crypto/pem/pem.h
View File

@ -524,8 +524,6 @@ void PEM_SignUpdate(EVP_MD_CTX *ctx,unsigned char *d,unsigned int cnt);
int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
unsigned int *siglen, EVP_PKEY *pkey);
void ERR_load_PEM_strings(void);
void PEM_proc_type(char *buf, int type);
void PEM_dek_info(char *buf, const char *type, int len, char *str);
@ -614,6 +612,7 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_PEM_strings(void);
/* Error codes for the PEM functions. */
@ -664,4 +663,3 @@ int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc,
}
#endif
#endif

3
crypto/openssl/crypto/pkcs12/pkcs12.h
View File

@ -267,7 +267,6 @@ PKCS12_SAFEBAG *PKCS12_SAFEBAG_new(void);
PKCS12_SAFEBAG *d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, unsigned char **pp,
long length);
void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a);
void ERR_load_PKCS12_strings(void);
void PKCS12_PBE_add(void);
int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) **ca);
@ -284,6 +283,7 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_PKCS12_strings(void);
/* Error codes for the PKCS12 functions. */
@ -342,4 +342,3 @@ int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
}
#endif
#endif

60
crypto/openssl/crypto/pkcs7/pk7_attr.c
View File

@ -1,9 +1,59 @@
/* pk7_attr.c */
/* S/MIME code.
* Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com)
* All Rights Reserved.
* Redistribution of this code without the authors permission is expressly
* prohibited.
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
* project 2001.
*/
/* ====================================================================
* Copyright (c) 2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>

14
crypto/openssl/crypto/pkcs7/pk7_doit.c
View File

@ -558,11 +558,15 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
ASN1_UTCTIME *sign_time;
const EVP_MD *md_tmp;
/* Add signing time */
sign_time=X509_gmtime_adj(NULL,0);
PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime,
V_ASN1_UTCTIME,sign_time);
/* Add signing time if not already present */
if (!PKCS7_get_signed_attribute(si,
NID_pkcs9_signingTime))
{
sign_time=X509_gmtime_adj(NULL,0);
PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime,
V_ASN1_UTCTIME,sign_time);
}
/* Add digest */
md_tmp=EVP_MD_CTX_md(&ctx_tmp);

4
crypto/openssl/crypto/pkcs7/pkcs7.h
View File

@ -353,8 +353,6 @@ int i2d_PKCS7(PKCS7 *a,
PKCS7 *d2i_PKCS7(PKCS7 **a,
unsigned char **pp,long length);
void ERR_load_PKCS7_strings(void);
long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
@ -422,6 +420,7 @@ int SMIME_text(BIO *in, BIO *out);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_PKCS7_strings(void);
/* Error codes for the PKCS7 functions. */
@ -502,4 +501,3 @@ int SMIME_text(BIO *in, BIO *out);
}
#endif
#endif

31
crypto/openssl/crypto/rand/md_rand.c
View File

@ -56,7 +56,7 @@
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -144,6 +144,7 @@ static int initialized=0;
static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
* holds CRYPTO_LOCK_RAND
* (to prevent double locking) */
/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
@ -210,7 +211,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
*/
/* check if we already have the lock */
do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
if (crypto_lock_rand)
{
CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
do_not_lock = (locking_thread == CRYPTO_thread_id());
CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
}
else
do_not_lock = 0;
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
st_idx=state_index;
@ -361,8 +369,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
crypto_lock_rand = 1;
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
locking_thread = CRYPTO_thread_id();
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
crypto_lock_rand = 1;
if (!initialized)
{
@ -435,7 +445,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
locking_thread = 0;
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
while (num > 0)
@ -521,15 +530,24 @@ static int ssleay_rand_status(void)
/* check if we already have the lock
* (could happen if a RAND_poll() implementation calls RAND_status()) */
do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
if (crypto_lock_rand)
{
CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
do_not_lock = (locking_thread == CRYPTO_thread_id());
CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
}
else
do_not_lock = 0;
if (!do_not_lock)
{
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
crypto_lock_rand = 1;
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
locking_thread = CRYPTO_thread_id();
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
crypto_lock_rand = 1;
}
if (!initialized)
@ -544,7 +562,6 @@ static int ssleay_rand_status(void)
{
/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
locking_thread = 0;
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
}

10
crypto/openssl/crypto/rand/rand.h
View File

@ -93,7 +93,6 @@ const char *RAND_file_name(char *file,size_t num);
int RAND_status(void);
int RAND_egd(const char *path);
int RAND_egd_bytes(const char *path,int bytes);
void ERR_load_RAND_strings(void);
int RAND_poll(void);
#ifdef __cplusplus
@ -115,10 +114,15 @@ int RAND_event(UINT, WPARAM, LPARAM);
#endif
#endif
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_RAND_strings(void);
/* Error codes for the RAND functions. */
@ -128,5 +132,7 @@ int RAND_event(UINT, WPARAM, LPARAM);
/* Reason codes. */
#define RAND_R_PRNG_NOT_SEEDED 100
#ifdef __cplusplus
}
#endif
#endif

4
crypto/openssl/crypto/ripemd/rmd_locl.h
View File

@ -71,7 +71,7 @@
* <appro@fy.chalmers.se>
*/
#ifdef RMD160_ASM
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
# define ripemd160_block_host_order ripemd160_block_asm_host_order
# endif
#endif
@ -79,7 +79,7 @@
void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
#define ripemd160_block_data_order ripemd160_block_host_order
#endif

5
crypto/openssl/crypto/rsa/rsa.h
View File

@ -202,8 +202,6 @@ RSA_METHOD *RSA_PKCS1_SSLeay(void);
RSA_METHOD *RSA_null_method(void);
void ERR_load_RSA_strings(void );
RSA * d2i_RSAPublicKey(RSA **a, unsigned char **pp, long length);
int i2d_RSAPublicKey(RSA *a, unsigned char **pp);
RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length);
@ -275,6 +273,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_RSA_strings(void);
/* Error codes for the RSA functions. */
@ -316,6 +315,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
#define RSA_R_DATA_TOO_LARGE 109
#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
#define RSA_R_DATA_TOO_SMALL 111
#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
@ -342,4 +342,3 @@ void *RSA_get_ex_data(RSA *r, int idx);
}
#endif
#endif

33
crypto/openssl/crypto/rsa/rsa_eay.c
View File

@ -78,8 +78,8 @@ static int RSA_eay_finish(RSA *rsa);
static RSA_METHOD rsa_pkcs1_eay_meth={
"Eric Young's PKCS#1 RSA",
RSA_eay_public_encrypt,
RSA_eay_public_decrypt,
RSA_eay_private_encrypt,
RSA_eay_public_decrypt, /* signature verification */
RSA_eay_private_encrypt, /* signing */
RSA_eay_private_decrypt,
RSA_eay_mod_exp,
BN_mod_exp_mont,
@ -136,6 +136,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
if (BN_bin2bn(buf,num,&f) == NULL) goto err;
if (BN_ucmp(&f, rsa->n) >= 0)
{
/* usually the padding functions would catch this */
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
goto err;
}
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
BN_MONT_CTX* bn_mont_ctx;
@ -183,6 +190,7 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
return(r);
}
/* signing */
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
@ -218,6 +226,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
if (i <= 0) goto err;
if (BN_bin2bn(buf,num,&f) == NULL) goto err;
if (BN_ucmp(&f, rsa->n) >= 0)
{
/* usually the padding functions would catch this */
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
goto err;
}
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
RSA_blinding_on(rsa,ctx);
@ -292,6 +307,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
/* make data into a big number */
if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
if (BN_ucmp(&f, rsa->n) >= 0)
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
goto err;
}
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
RSA_blinding_on(rsa,ctx);
if (rsa->flags & RSA_FLAG_BLINDING)
@ -352,6 +373,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
return(r);
}
/* signature verification */
static int RSA_eay_public_decrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
@ -383,6 +405,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
}
if (BN_bin2bn(from,flen,&f) == NULL) goto err;
if (BN_ucmp(&f, rsa->n) >= 0)
{
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
goto err;
}
/* do the decrypt */
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{

1
crypto/openssl/crypto/rsa/rsa_err.c
View File

@ -106,6 +106,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"},
{RSA_R_DATA_TOO_LARGE ,"data too large"},
{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"},
{RSA_R_DATA_TOO_SMALL ,"data too small"},
{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"},
{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"},

284
crypto/openssl/crypto/rsa/rsa_oaep.c
View File

@ -2,7 +2,22 @@
/* Written by Ulf Moeller. This software is distributed on an "AS IS"
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
* <URL: http://www.shoup.net/papers/oaep.ps.Z>
* for problems with the security proof for the
* original OAEP scheme, which EME-OAEP is based on.
*
* A new proof can be found in E. Fujisaki, T. Okamoto,
* D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
* Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
* The new proof has stronger requirements for the
* underlying permutation: "partial-one-wayness" instead
* of one-wayness. For the RSA function, this is
* an equivalent notion.
*/
#if !defined(NO_SHA) && !defined(NO_SHA1)
#include <stdio.h>
@ -12,157 +27,174 @@
#include <openssl/sha.h>
#include <openssl/rand.h>
int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
int MGF1(unsigned char *mask, long len,
unsigned char *seed, long seedlen);
int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
unsigned char *from, int flen, unsigned char *param, int plen)
{
int i, emlen = tlen - 1;
unsigned char *db, *seed;
unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
unsigned char *from, int flen,
unsigned char *param, int plen)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return (0);
}
int i, emlen = tlen - 1;
unsigned char *db, *seed;
unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
return (0);
}
dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
if (dbmask == NULL)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
return (0);
}
if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
return 0;
}
to[0] = 0;
seed = to + 1;
db = to + SHA_DIGEST_LENGTH + 1;
if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
return 0;
}
SHA1(param, plen, db);
memset(db + SHA_DIGEST_LENGTH, 0,
emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
return (0);
dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
if (dbmask == NULL)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
return 0;
}
to[0] = 0;
seed = to + 1;
db = to + SHA_DIGEST_LENGTH + 1;
SHA1(param, plen, db);
memset(db + SHA_DIGEST_LENGTH, 0,
emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
return 0;
#ifdef PKCS_TESTVECT
memcpy(seed,
memcpy(seed,
"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
20);
#endif
MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
db[i] ^= dbmask[i];
MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
db[i] ^= dbmask[i];
MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
for (i = 0; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= seedmask[i];
MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH);
for (i = 0; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= seedmask[i];
OPENSSL_free(dbmask);
return (1);
}
OPENSSL_free(dbmask);
return 1;
}
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
unsigned char *from, int flen, int num, unsigned char *param,
int plen)
{
int i, dblen, mlen = -1;
unsigned char *maskeddb;
int lzero;
unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
if (--num < 2 * SHA_DIGEST_LENGTH + 1)
goto decoding_err;
lzero = num - flen;
if (lzero < 0)
goto decoding_err;
maskeddb = from - lzero + SHA_DIGEST_LENGTH;
dblen = num - SHA_DIGEST_LENGTH;
db = OPENSSL_malloc(dblen);
if (db == NULL)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
return (-1);
}
int i, dblen, mlen = -1;
unsigned char *maskeddb;
int lzero;
unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
int bad = 0;
MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= from[i - lzero];
MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
for (i = 0; i < dblen; i++)
db[i] ^= maskeddb[i];
if (--num < 2 * SHA_DIGEST_LENGTH + 1)
/* 'num' is the length of the modulus, i.e. does not depend on the
* particular ciphertext. */
goto decoding_err;
SHA1(param, plen, phash);
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
goto decoding_err;
else
{
for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
if (db[i] != 0x00)
break;
if (db[i] != 0x01 || i++ >= dblen)
goto decoding_err;
else
{
mlen = dblen - i;
if (tlen < mlen)
lzero = num - flen;
if (lzero < 0)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
mlen = -1;
/* lzero == -1 */
/* signalling this error immediately after detection might allow
* for side-channel attacks (e.g. timing if 'plen' is huge
* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
* Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
* so we use a 'bad' flag */
bad = 1;
lzero = 0;
}
else
memcpy(to, db + i, mlen);
}
}
OPENSSL_free(db);
return (mlen);
maskeddb = from - lzero + SHA_DIGEST_LENGTH;
dblen = num - SHA_DIGEST_LENGTH;
db = OPENSSL_malloc(dblen);
if (db == NULL)
{
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
return -1;
}
MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
for (i = lzero; i < SHA_DIGEST_LENGTH; i++)
seed[i] ^= from[i - lzero];
MGF1(db, dblen, seed, SHA_DIGEST_LENGTH);
for (i = 0; i < dblen; i++)
db[i] ^= maskeddb[i];
SHA1(param, plen, phash);
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
goto decoding_err;
else
{
for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
if (db[i] != 0x00)
break;
if (db[i] != 0x01 || i++ >= dblen)
goto decoding_err;
else
{
/* everything looks OK */
mlen = dblen - i;
if (tlen < mlen)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
mlen = -1;
}
else
memcpy(to, db + i, mlen);
}
}
OPENSSL_free(db);
return mlen;
decoding_err:
/* to avoid chosen ciphertext attacks, the error message should not reveal
* which kind of decoding error happened */
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
if (db != NULL) OPENSSL_free(db);
return -1;
}
/* to avoid chosen ciphertext attacks, the error message should not reveal
* which kind of decoding error happened */
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
if (db != NULL) OPENSSL_free(db);
return -1;
}
int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
{
long i, outlen = 0;
unsigned char cnt[4];
SHA_CTX c;
unsigned char md[SHA_DIGEST_LENGTH];
for (i = 0; outlen < len; i++)
{
cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
SHA1_Init(&c);
SHA1_Update(&c, seed, seedlen);
SHA1_Update(&c, cnt, 4);
if (outlen + SHA_DIGEST_LENGTH <= len)
{
SHA1_Final(mask + outlen, &c);
outlen += SHA_DIGEST_LENGTH;
}
else
{
SHA1_Final(md, &c);
memcpy(mask + outlen, md, len - outlen);
outlen = len;
}
long i, outlen = 0;
unsigned char cnt[4];
SHA_CTX c;
unsigned char md[SHA_DIGEST_LENGTH];
for (i = 0; outlen < len; i++)
{
cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255,
cnt[2] = (i >> 8) & 255, cnt[3] = i & 255;
SHA1_Init(&c);
SHA1_Update(&c, seed, seedlen);
SHA1_Update(&c, cnt, 4);
if (outlen + SHA_DIGEST_LENGTH <= len)
{
SHA1_Final(mask + outlen, &c);
outlen += SHA_DIGEST_LENGTH;
}
else
{
SHA1_Final(md, &c);
memcpy(mask + outlen, md, len - outlen);
outlen = len;
}
}
return 0;
}
return (0);
}
#endif

2
crypto/openssl/crypto/sha/sha_locl.h
View File

@ -115,7 +115,7 @@
# endif
# ifdef SHA1_ASM
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
# define sha1_block_host_order sha1_block_asm_host_order
# define DONT_IMPLEMENT_BLOCK_HOST_ORDER
# define sha1_block_data_order sha1_block_asm_data_order

3
crypto/openssl/crypto/x509/x509.h
View File

@ -810,7 +810,6 @@ const char * X509_get_default_private_dir(void );
X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
X509 * X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
void ERR_load_X509_strings(void );
X509_ALGOR * X509_ALGOR_new(void );
void X509_ALGOR_free(X509_ALGOR *a);
@ -1220,6 +1219,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_X509_strings(void);
/* Error codes for the X509 functions. */
@ -1291,4 +1291,3 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
}
#endif
#endif

2
crypto/openssl/crypto/x509/x509_trs.c
View File

@ -79,7 +79,7 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
static X509_TRUST trstandard[] = {
{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
};

2
crypto/openssl/crypto/x509/x509_txt.c
View File

@ -95,7 +95,7 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_CRL_NOT_YET_VALID:
return("CRL is not yet valid");
case X509_V_ERR_CERT_HAS_EXPIRED:
return("Certificate has expired");
return("certificate has expired");
case X509_V_ERR_CRL_HAS_EXPIRED:
return("CRL has expired");
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:

6
crypto/openssl/crypto/x509/x509_vfy.c
View File

@ -911,6 +911,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
}
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
int (*verify_cb)(int, X509_STORE_CTX *))
{
ctx->verify_cb=verify_cb;
}
IMPLEMENT_STACK_OF(X509)
IMPLEMENT_ASN1_SET_OF(X509)

2
crypto/openssl/crypto/x509/x509_vfy.h
View File

@ -382,6 +382,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
int purpose, int trust);
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
int (*verify_cb)(int, X509_STORE_CTX *));
#ifdef __cplusplus
}

3
crypto/openssl/crypto/x509v3/x509v3.h
View File

@ -354,7 +354,6 @@ typedef struct x509_purpose_st {
DECLARE_STACK_OF(X509_PURPOSE)
void ERR_load_X509V3_strings(void);
int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **pp);
BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, unsigned char **pp, long length);
BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
@ -555,6 +554,7 @@ void X509_email_free(STACK *sk);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_X509V3_strings(void);
/* Error codes for the X509V3 functions. */
@ -650,4 +650,3 @@ void X509_email_free(STACK *sk);
}
#endif
#endif

21
crypto/openssl/doc/apps/ca.pod
View File

@ -54,6 +54,11 @@ The options descriptions will be divided into each purpose.
specifies the configuration file to use.
=item B<-name section>
specifies the configuration file section to use (overrides
B<default_ca> in the B<ca> section).
=item B<-in filename>
an input filename containing a single certificate request to be
@ -202,8 +207,20 @@ that some software (for example Netscape) can't handle V2 CRLs.
=head1 CONFIGURATION FILE OPTIONS
The options for B<ca> are contained in the B<ca> section of the
configuration file. Many of these are identical to command line
The section of the configuration file containing options for B<ca>
is found as follows: If the B<-name> command line option is used,
then it names the section to be used. Otherwise the section to
be used must be named in the B<default_ca> option of the B<ca> section
of the configuration file (or in the default section of the
configuration file). Besides B<default_ca>, the following options are
read directly from the B<ca> section:
RANDFILE
preserve
msie_hack
With the exception of B<RANDFILE>, this is probably a bug and may
change in future releases.
Many of the configuration file options are identical to command line
options. Where the option is present in the configuration file
and the command line the command line value is used. Where an
option is described as mandatory then it must be present in

4
crypto/openssl/doc/apps/openssl.pod
View File

@ -125,6 +125,10 @@ Generation of RSA Parameters.
Generation of hashed passwords.
=item L<B<pkcs12>|pkcs12(1)>
PKCS#12 Data Management.
=item L<B<pkcs7>|pkcs7(1)>
PKCS#7 Data Management.

10
crypto/openssl/doc/apps/verify.pod
View File

@ -200,14 +200,14 @@ the signature of the certificate is invalid. Unused.
the certificate is not yet valid: the notBefore date is after the current time.
=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
the CRL is not yet valid. Unused.
=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired>
=item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
the certificate has expired: that is the notAfter date is before the current time.
=item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
the CRL is not yet valid. Unused.
=item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
the CRL has expired. Unused.

5
crypto/openssl/doc/crypto/BN_rand.pod
View File

@ -14,6 +14,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom);
=head1 DESCRIPTION
BN_rand() generates a cryptographically strong pseudo-random number of
@ -31,6 +33,8 @@ protocols, but usually not for key generation etc.
BN_rand_range() generates a cryptographically strong pseudo-random
number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(),
and hence numbers generated by it are not necessarily unpredictable.
The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
@ -49,5 +53,6 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
BN_rand() is available in all versions of SSLeay and OpenSSL.
BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
and the function BN_rand_range() were added in OpenSSL 0.9.6a.
BN_pseudo_rand_range() was added in OpenSSL 0.9.6c.
=cut

1
crypto/openssl/doc/crypto/bn.pod
View File

@ -61,6 +61,7 @@ bn - multiprecision integer arithmetics
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);

6
crypto/openssl/doc/crypto/threads.pod
View File

@ -53,8 +53,10 @@ OpenSSL can safely be used in multi-threaded applications provided
that at least two callback functions are set.
locking_function(int mode, int n, const char *file, int line) is
needed to perform locking on shared data structures. Multi-threaded
applications will crash at random if it is not set.
needed to perform locking on shared data structures.
(Note that OpenSSL uses a number of global data structures that
will be implicitly shared whenever multiple threads use OpenSSL.)
Multi-threaded applications will crash at random if it is not set.
locking_function() must be able to handle up to CRYPTO_num_locks()
different mutex locks. It sets the B<n>-th lock if B<mode> &

70
crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod Normal file
View File

@ -0,0 +1,70 @@
=pod
=head1 NAME
SSL_COMP_add_compression_method - handle SSL/TLS integrated compression methods
=head1 SYNOPSIS
#include <openssl/ssl.h>
int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
=head1 DESCRIPTION
SSL_COMP_add_compression_method() adds the compression method B<cm> with
the identifier B<id> to the list of available compression methods. This
list is globally maintained for all SSL operations within this application.
It cannot be set for specific SSL_CTX or SSL objects.
=head1 NOTES
The TLS standard (or SSLv3) allows the integration of compression methods
into the communication. The TLS RFC does however not specify compression
methods or their corresponding identifiers, so there is currently no compatible
way to integrate compression with unknown peers. It is therefore currently not
recommended to integrate compression into applications. Applications for
non-public use may agree on certain compression methods. Using different
compression methods with the same identifier will lead to connection failure.
An OpenSSL client speaking a protocol that allows compression (SSLv3, TLSv1)
will unconditionally send the list of all compression methods enabled with
SSL_COMP_add_compression_method() to the server during the handshake.
Unlike the mechanisms to set a cipher list, there is no method available to
restrict the list of compression method on a per connection basis.
An OpenSSL server will match the identifiers listed by a client against
its own compression methods and will unconditionally activate compression
when a matching identifier is found. There is no way to restrict the list
of compression methods supported on a per connection basis.
The OpenSSL library has the compression methods B<COMP_rle()> and (when
especially enabled during compilation) B<COMP_zlib()> available.
=head1 WARNINGS
Once the identities of the compression methods for the TLS protocol have
been standardized, the compression API will most likely be changed. Using
it in the current state is not recommended.
=head1 RETURN VALUES
SSL_COMP_add_compression_method() may return the following values:
=over 4
=item 1
The operation succeeded.
=item 0
The operation failed. Check the error queue to find out the reason.
=back
=head1 SEE ALSO
L<ssl(3)|ssl(3)>
=cut

34
crypto/openssl/doc/ssl/SSL_CTX_ctrl.pod Normal file
View File

@ -0,0 +1,34 @@
=pod
=head1 NAME
SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl - internal handling functions for SSL_CTX and SSL objects
=head1 SYNOPSIS
#include <openssl/ssl.h>
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)());
long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);
long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
=head1 DESCRIPTION
The SSL_*_ctrl() family of functions is used to manipulate settings of
the SSL_CTX and SSL objects. Depending on the command B<cmd> the arguments
B<larg>, B<parg>, or B<fp> are evaluated. These functions should never
be called directly. All functionalities needed are made available via
other functions or macros.
=head1 RETURN VALUES
The return values of the SSL*_ctrl() functions depend on the command
supplied via the B<cmd> parameter.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>
=cut

2
crypto/openssl/doc/ssl/SSL_CTX_free.pod
View File

@ -24,6 +24,8 @@ the certificates and keys.
SSL_CTX_free() does not provide diagnostic information.
=head1 SEE ALSO
L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>
=cut

6
crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod
View File

@ -58,7 +58,7 @@ failure.
In server mode, when requesting a client certificate, the server must send
the list of CAs of which it will accept client certificates. This list
is not influenced by the contents of B<CAfile> or B<CApath> and must
explicitely be set using the
explicitly be set using the
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
family of functions.
@ -118,7 +118,7 @@ L<ssl(3)|ssl(3)>,
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>
=cut

4
crypto/openssl/doc/ssl/SSL_CTX_new.pod
View File

@ -59,10 +59,6 @@ choice when compatibility is a concern.
=back
If a generic method is used, it is necessary to explicitly set client or
server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
or SSL_set_accept_state().
The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
B<SSL_set_options()> functions. Using these options it is possible to choose

8
crypto/openssl/doc/ssl/SSL_CTX_sess_set_get_cb.pod
View File

@ -70,12 +70,16 @@ proposed by the client. The get_session_cb() is always called, also when
session caching was disabled. The get_session_cb() is passed the
B<ssl> connection, the session id of length B<length> at the memory location
B<data>. With the parameter B<copy> the callback can require the
SSL engine to increment the reference count of the SSL_SESSION object.
SSL engine to increment the reference count of the SSL_SESSION object,
Normally the reference count is not incremented and therefore the
session must not be explicitly freed with
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>,
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
=cut

57
crypto/openssl/doc/ssl/SSL_CTX_set_cert_store.pod Normal file
View File

@ -0,0 +1,57 @@
=pod
=head1 NAME
SSL_CTX_set_cert_store, SSL_CTX_get_cert_store - manipulate X509 certificate verification storage
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
=head1 DESCRIPTION
SSL_CTX_set_cert_store() sets/replaces the certificate verification storage
of B<ctx> to/with B<store>. If another X505_STORE object is currently
set in B<ctx>, it will be X509_STORE_free()ed.
SSL_CTX_get_cert_store() returns a pointer to the current certificate
verification storage.
=head1 NOTES
In order to verify the certificates presented by the peer, trusted CA
certificates must be accessed. These CA certificates are made available
via lookup methods, handled inside the X509_STORE. From the X509_STORE
the X509_STORE_CTX used when verifying certificates is created.
Typically the trusted certificate store is handled indirectly via using
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
Using the SSL_CTX_set_cert_store() and SSL_CTX_get_cert_store() functions
it is possible to manipulate the X509_STORE object beyond the
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
call.
Currently no detailed documentation on how to use the X509_STORE
object is available. Not all members of the X509_STORE are used when
the verification takes place. So will e.g. the verify_callback() be
overridden with the verify_callback() set via the
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> family of functions.
This document must therefore be updated when documentation about the
X509_STORE object and its handling becomes available.
=head1 RETURN VALUES
SSL_CTX_set_cert_store() does not return diagnostic output.
SSL_CTX_get_cert_store() returns the current setting.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
=cut

75
crypto/openssl/doc/ssl/SSL_CTX_set_cert_verify_callback.pod Normal file
View File

@ -0,0 +1,75 @@
=pod
=head1 NAME
SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(),
char *arg);
int (*callback)();
=head1 DESCRIPTION
SSL_CTX_set_cert_verify_callback() sets the verification callback function for
B<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at
the time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored.
=head1 NOTES
Whenever a certificate is verified during a SSL/TLS handshake, a verification
function is called. If the application does not explicitly specify a
verification callback function, the built-in verification function is used.
If a verification callback B<callback> is specified via
SSL_CTX_set_cert_verify_callback(), the supplied callback function is called
instead. By setting B<callback> to NULL, the default behaviour is restored.
When the verification must be performed, B<callback> will be called with
the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg>
that can be specified when setting B<callback> are currently ignored.
B<callback> should return 1 to indicate verification success and 0 to
indicate verification failure. If SSL_VERIFY_PEER is set and B<callback>
returns 0, the handshake will fail. As the verification procedure may
allow to continue the connection in case of failure (by always returning 1)
the verification result must be set in any case using the B<error>
member of B<x509_store_ctx>, so that the calling application will be informed
about the detailed result of the verification procedure!
Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback>
function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>.
=head1 WARNINGS
Do not mix the verification callback described in this function with the
B<verify_callback> function called during the verification process. The
latter is set using the L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>
family of functions.
Providing a complete verification procedure including certificate purpose
settings etc is a complex task. The built-in procedure is quite powerful
and in most cases it should be sufficient to modify its behaviour using
the B<verify_callback> function.
=head1 BUGS
It is possible to specify arguments to be passed to the verification callback.
Currently they are however not passed but ignored.
The B<callback> function is not specified via a prototype, so that no
type checking takes place.
=head1 RETURN VALUES
SSL_CTX_set_cert_verify_callback() does not provide diagnostic information.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
=cut

24
crypto/openssl/doc/ssl/SSL_CTX_set_cipher_list.pod
View File

@ -34,9 +34,25 @@ a necessary condition. On the client side, the inclusion into the list is
also sufficient. On the server side, additional restrictions apply. All ciphers
have additional requirements. ADH ciphers don't need a certificate, but
DH-parameters must have been set. All other ciphers need a corresponding
certificate and key. A RSA cipher can only be chosen, when a RSA certificate is
available, the respective is valid for DSA ciphers. Ciphers using EDH need
a certificate and key and DH-parameters.
certificate and key.
A RSA cipher can only be chosen, when a RSA certificate is available.
RSA export ciphers with a keylength of 512 bits for the RSA key require
a temporary 512 bit RSA key, as typically the supplied key has a length
of 1024 bit (see
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
RSA ciphers using EDH need a certificate and key and additional DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
A DSA cipher can only be chosen, when a DSA certificate is available.
DSA ciphers always use DH key exchange and therefore need DH-parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
When these conditions are not met for any cipher in the list (e.g. a
client only supports export RSA ciphers with a asymmetric key length
of 512 bits and the server is not configured to use temporary RSA
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
and the handshake will fail.
=head1 RETURN VALUES
@ -47,6 +63,8 @@ could be selected and 0 on complete failure.
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
L<ciphers(1)|ciphers(1)>
=cut

6
crypto/openssl/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
View File

@ -40,6 +40,12 @@ then keep it in memory and use it several times. In the last case, the
password could be stored into the B<userdata> storage and the
pem_passwd_cb() only returns the password already stored.
When asking for the password interactively, pem_passwd_cb() can use
B<rwflag> to check, whether an item shall be encrypted (rwflag=1).
In this case the password dialog may ask for the same password twice
for comparison in order to catch typos, that would make decryption
impossible.
Other items in PEM formatting (certificates) can also be encrypted, it is
however not usual, as certificate information is considered public.

153
crypto/openssl/doc/ssl/SSL_CTX_set_info_callback.pod Normal file
View File

@ -0,0 +1,153 @@
=pod
=head1 NAME
SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback - handle information callback for SSL connections
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*callback)());
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))();
void SSL_set_info_callback(SSL *ssl, void (*callback)());
void (*SSL_get_info_callback(SSL *ssl))();
=head1 DESCRIPTION
SSL_CTX_set_info_callback() sets the B<callback> function, that can be used to
obtain state information for SSL objects created from B<ctx> during connection
setup and use. The setting for B<ctx> is overridden from the setting for
a specific SSL object, if specified.
When B<callback> is NULL, not callback function is used.
SSL_set_info_callback() sets the B<callback> function, that can be used to
obtain state information for B<ssl> during connection setup and use.
When B<callback> is NULL, the callback setting currently valid for
B<ctx> is used.
SSL_CTX_get_info_callback() returns a pointer to the currently set information
callback function for B<ctx>.
SSL_get_info_callback() returns a pointer to the currently set information
callback function for B<ssl>.
=head1 NOTES
When setting up a connection and during use, it is possible to obtain state
information from the SSL/TLS engine. When set, an information callback function
is called whenever the state changes, an alert appears, or an error occurs.
The callback function is called as B<callback(SSL *ssl, int where, int ret)>.
The B<where> argument specifies information about where (in which context)
the callback function was called. If B<ret> is 0, an error condition occurred.
If an alert is handled, SSL_CB_ALERT is set and B<ret> specifies the alert
information.
B<where> is a bitmask made up of the following bits:
=over 4
=item SSL_CB_LOOP
Callback has been called to indicate state change inside a loop.
=item SSL_CB_EXIT
Callback has been called to indicate error exit of a handshake function.
(May be soft error with retry option for non-blocking setups.)
=item SSL_CB_READ
Callback has been called during read operation.
=item SSL_CB_WRITE
Callback has been called during write operation.
=item SSL_CB_ALERT
Callback has been called due to an alert being sent or received.
=item SSL_CB_READ_ALERT (SSL_CB_ALERT|SSL_CB_READ)
=item SSL_CB_WRITE_ALERT (SSL_CB_ALERT|SSL_CB_WRITE)
=item SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT|SSL_CB_LOOP)
=item SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT|SSL_CB_EXIT)
=item SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT|SSL_CB_LOOP)
=item SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT|SSL_CB_EXIT)
=item SSL_CB_HANDSHAKE_START
Callback has been called because a new handshake is started.
=item SSL_CB_HANDSHAKE_DONE 0x20
Callback has been called because a handshake is finished.
=back
The current state information can be obtained using the
L<SSL_state_string(3)|SSL_state_string(3)> family of functions.
The B<ret> information can be evaluated using the
L<SSL_alert_type_string(3)|SSL_alert_type_string(3)> family of functions.
=head1 RETURN VALUES
SSL_set_info_callback() does not provide diagnostic information.
SSL_get_info_callback() returns the current setting.
=head1 EXAMPLES
The following example callback function prints state strings, information
about alerts being handled and error messages to the B<bio_err> BIO.
void apps_ssl_info_callback(SSL *s, int where, int ret)
{
const char *str;
int w;
w=where& ~SSL_ST_MASK;
if (w & SSL_ST_CONNECT) str="SSL_connect";
else if (w & SSL_ST_ACCEPT) str="SSL_accept";
else str="undefined";
if (where & SSL_CB_LOOP)
{
BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
}
else if (where & SSL_CB_ALERT)
{
str=(where & SSL_CB_READ)?"read":"write";
BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
str,
SSL_alert_type_string_long(ret),
SSL_alert_desc_string_long(ret));
}
else if (where & SSL_CB_EXIT)
{
if (ret == 0)
BIO_printf(bio_err,"%s:failed in %s\n",
str,SSL_state_string_long(s));
else if (ret < 0)
{
BIO_printf(bio_err,"%s:error in %s\n",
str,SSL_state_string_long(s));
}
}
}
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_state_string(3)|SSL_state_string(3)>,
L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>
=cut

3
crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
View File

@ -37,6 +37,9 @@ The following mode changes are available:
Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
when just a single record has been written). When not set (the default),
SSL_write() will only report success once the complete chunk was written.
Once SSL_write() returns with r, r bytes have been successfully written
and the next call to SSL_write() must only send the n-r bytes left,
imitating the behaviour of write().
=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER

41
crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
View File

@ -17,10 +17,10 @@ SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - man
=head1 DESCRIPTION
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared.
Options already set before are not cleared!
SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
Options already set before are not cleared.
Options already set before are not cleared!
SSL_CTX_get_options() returns the options set for B<ctx>.
@ -32,7 +32,12 @@ The behaviour of the SSL library can be changed by setting several options.
The options are coded as bitmasks and can be combined by a logical B<or>
operation (|). Options can only be added but can never be reset.
During a handshake, the option settings of the SSL object used. When
SSL_CTX_set_options() and SSL_set_options() affect the (external)
protocol behaviour of the SSL library. The (internal) behaviour of
the API can be changed by using the similar
L<SSL_CTX_set_modes(3)|SSL_CTX_set_modes(3)> and SSL_set_modes() functions.
During a handshake, the option settings of the SSL object are used. When
a new SSL object is created from a context using SSL_new(), the current
option setting is copied. Changes to B<ctx> do not affect already created
SSL objects. SSL_clear() does not affect the settings.
@ -122,11 +127,27 @@ The following B<modifying> options are available:
=item SSL_OP_SINGLE_DH_USE
Always create a new key when using temporary DH parameters.
Always create a new key when using temporary/ephemeral DH parameters
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
This option must be used to prevent small subgroup attacks, when
the DH parameters were not generated using "strong" primes
(e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>).
If "strong" primes were used, it is not strictly necessary to generate
a new DH key during each handshake but it is also recommended.
SSL_OP_SINGLE_DH_USE should therefore be enabled whenever
temporary/ephemeral DH parameters are used.
=item SSL_OP_EPHEMERAL_RSA
Also use the temporary RSA key when doing RSA operations.
Always use ephemeral (temporary) RSA key when doing RSA operations
(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
According to the specifications this is only done, when a RSA key
can only be used for signature operations (namely under export ciphers
with restricted RSA keylength). By setting this option, ephemeral
RSA keys are always used. This option breaks compatibility with the
SSL/TLS specifications and may lead to interoperability problems with
clients and should therefore never be used. Ciphers with EDH (ephemeral
Diffie-Hellman) key exchange should be used instead.
=item SSL_OP_PKCS1_CHECK_1
@ -142,11 +163,6 @@ If we accept a netscape connection, demand a client cert, have a
non-self-sighed CA which does not have it's CA in netscape, and the
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
=item SSL_OP_NON_EXPORT_FIRST
On servers try to use non-export (stronger) ciphers first. This option does
not work under all circumstances (in the code it is declared "broken").
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
...
@ -174,7 +190,10 @@ SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
L<dhparam(1)|dhparam(1)>
=head1 HISTORY

63
crypto/openssl/doc/ssl/SSL_CTX_set_quiet_shutdown.pod Normal file
View File

@ -0,0 +1,63 @@
=pod
=head1 NAME
SSL_CTX_set_quiet_shutdown, SSL_CTX_get_quiet_shutdown, SSL_set_quiet_shutdown, SSL_get_quiet_shutdown - manipulate shutdown behaviour
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
void SSL_set_quiet_shutdown(SSL *ssl, int mode);
int SSL_get_quiet_shutdown(SSL *ssl);
=head1 DESCRIPTION
SSL_CTX_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ctx> to be
B<mode>. SSL objects created from B<ctx> inherit the B<mode> valid at the time
L<SSL_new(3)|SSL_new(3)> is called. B<mode> may be 0 or 1.
SSL_CTX_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ctx>.
SSL_set_quiet_shutdown() sets the "quiet shutdown" flag for B<ssl> to be
B<mode>. The setting stays valid until B<ssl> is removed with
L<SSL_free(3)|SSL_free(3)> or SSL_set_quiet_shutdown() is called again.
It is not changed when L<SSL_clear(3)|SSL_clear(3)> is called.
B<mode> may be 0 or 1.
SSL_get_quiet_shutdown() returns the "quiet shutdown" setting of B<ssl>.
=head1 NOTES
Normally when a SSL connection is finished, the parties must send out
"close notify" alert messages using L<SSL_shutdown(3)|SSL_shutdown(3)>
for a clean shutdown.
When setting the "quiet shutdown" flag to 1, L<SSL_shutdown(3)|SSL_shutdown(3)>
will set the internal flags to SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.
(L<SSL_shutdown(3)|SSL_shutdown(3)> then behaves like
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> called with
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN.)
The session is thus considered to be shutdown, but no "close notify" alert
is sent to the peer. This behaviour violates the TLS standard.
The default is normal shutdown behaviour as described by the TLS standard.
=head1 RETURN VALUES
SSL_CTX_set_quiet_shutdown() and SSL_set_quiet_shutdown() do not return
diagnostic information.
SSL_CTX_get_quiet_shutdown() and SSL_get_quiet_shutdown return the current
setting.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, L<SSL_new(3)|SSL_new(3)>,
L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
=cut

1
crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
View File

@ -97,6 +97,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
L<SSL_session_reused(3)|SSL_session_reused(3)>,
L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,

8
crypto/openssl/doc/ssl/SSL_CTX_set_timeout.pod
View File

@ -37,7 +37,10 @@ L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either
directly by the application or automatically (see
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
The default value for session timeout is 300 seconds.
The default value for session timeout is decided on a per protocol
basis, see L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>.
All currently supported protocols have the same default timeout value
of 300 seconds.
=head1 RETURN VALUES
@ -50,6 +53,7 @@ SSL_CTX_get_timeout() returns the currently set timeout value.
L<ssl(3)|ssl(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
=cut

170
crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod Normal file
View File

@ -0,0 +1,170 @@
=pod
=head1 NAME
SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_set_tmp_dh - handle DH keys for ephemeral key exchange
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh);
void SSL_set_tmp_dh_callback(SSL_CTX *ctx,
DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
long SSL_set_tmp_dh(SSL *ssl, DH *dh)
DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength));
=head1 DESCRIPTION
SSL_CTX_set_tmp_dh_callback() sets the callback function for B<ctx> to be
used when a DH parameters are required to B<tmp_dh_callback>.
The callback is inherited by all B<ssl> objects created from B<ctx>.
SSL_CTX_set_tmp_dh() sets DH parameters to be used to be B<dh>.
The key is inherited by all B<ssl> objects created from B<ctx>.
SSL_set_tmp_dh_callback() sets the callback only for B<ssl>.
SSL_set_tmp_dh() sets the parameters only for B<ssl>.
These functions apply to SSL/TLS servers only.
=head1 NOTES
When using a cipher with RSA authentication, an ephemeral DH key exchange
can take place. Ciphers with DSA keys always use ephemeral DH keys as well.
In these cases, the session data are negotiated using the
ephemeral/temporary DH key and the key supplied and certified
by the certificate chain is only used for signing.
Anonymous ciphers (without a permanent server key) also use ephemeral DH keys.
Using ephemeral DH key exchange yields forward secrecy, as the connection
can only be decrypted, when the DH key is known. By generating a temporary
DH key inside the server application that is lost when the application
is left, it becomes impossible for an attacker to decrypt past sessions,
even if he gets hold of the normal (certified) key, as this key was
only used for signing.
In order to perform a DH key exchange the server must use a DH group
(DH parameters) and generate a DH key. The server will always generate a new
DH key during the negotiation, when the DH parameters are supplied via
callback and/or when the SSL_OP_SINGLE_DH_USE option of
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)> is set. It will
immediately create a DH key, when DH parameters are supplied via
SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case,
it may happen that a key is generated on initialization without later
being needed, while on the other hand the computer time during the
negotiation is being saved.
If "strong" primes were used to generate the DH parameters, it is not strictly
necessary to generate a new key for each handshake but it does improve forward
secrecy. If it is not assured, that "strong" primes were used (see especially
the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used
in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE
has an impact on the computer time needed during negotiation, but it is not
very large, so application authors/users should consider to always enable
this option.
As generating DH parameters is extremely time consuming, an application
should not generate the parameters on the fly but supply the parameters.
DH parameters can be reused, as the actual key is newly generated during
the negotiation. The risk in reusing DH parameters is that an attacker
may specialize on a very often used DH group. Applications should therefore
generate their own DH parameters during the installation process using the
openssl L<dhparam(1)|dhparam(1)> application. In order to reduce the computer
time needed for this generation, it is possible to use DSA parameters
instead (see L<dhparam(1)|dhparam(1)>), but in this case SSL_OP_SINGLE_DH_USE
is mandatory.
Application authors may compile in DH parameters. Files dh512.pem,
dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current
version of the OpenSSL distribution contain the 'SKIP' DH parameters,
which use safe primes and were generated verifiably pseudo-randomly.
These files can be converted into C code using the B<-C> option of the
L<dhparam(1)|dhparam(1)> application.
Authors may also generate their own set of parameters using
L<dhparam(1)|dhparam(1)>, but a user may not be sure how the parameters were
generated. The generation of DH parameters during installation is therefore
recommended.
An application may either directly specify the DH parameters or
can supply the DH parameters via a callback function. The callback approach
has the advantage, that the callback may supply DH parameters for different
key lengths.
The B<tmp_dh_callback> is called with the B<keylength> needed and
the B<is_export> information. The B<is_export> flag is set, when the
ephemeral DH key exchange is performed with an export cipher.
=head1 EXAMPLES
Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling
partly left out.)
...
/* Set up ephemeral DH stuff */
DH *dh_512 = NULL;
DH *dh_1024 = NULL;
FILE *paramfile;
...
/* "openssl dhparam -out dh_param_512.pem -2 512" */
paramfile = fopen("dh_param_512.pem", "r");
if (paramfile) {
dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
fclose(paramfile);
}
/* "openssl dhparam -out dh_param_1024.pem -2 1024" */
paramfile = fopen("dh_param_1024.pem", "r");
if (paramfile) {
dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
fclose(paramfile);
}
...
/* "openssl dhparam -C -2 512" etc... */
DH *get_dh512() { ... }
DH *get_dh1024() { ... }
DH *tmp_dh_callback(SSL *s, int is_export, int keylength)
{
DH *dh_tmp=NULL;
switch (keylength) {
case 512:
if (!dh_512)
dh_512 = get_dh512();
dh_tmp = dh_512;
break;
case 1024:
if (!dh_1024)
dh_1024 = get_dh1024();
dh_tmp = dh_1024;
break;
default:
/* Generating a key on the fly is very costly, so use what is there */
setup_dh_parameters_like_above();
}
return(dh_tmp);
}
=head1 RETURN VALUES
SSL_CTX_set_tmp_dh_callback() and SSL_set_tmp_dh_callback() do not return
diagnostic output.
SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do return 1 on success and 0
on failure. Check the error queue to find out the reason of failure.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<ciphers(1)|ciphers(1)>, L<dhparam(1)|dhparam(1)>
=cut

166
crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod Normal file
View File

@ -0,0 +1,166 @@
=pod
=head1 NAME
SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa - handle RSA keys for ephemeral key exchange
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);
long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx);
void SSL_set_tmp_rsa_callback(SSL_CTX *ctx,
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa)
long SSL_need_tmp_rsa(SSL *ssl)
RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength));
=head1 DESCRIPTION
SSL_CTX_set_tmp_rsa_callback() sets the callback function for B<ctx> to be
used when a temporary/ephemeral RSA key is required to B<tmp_rsa_callback>.
The callback is inherited by all SSL objects newly created from B<ctx>
with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
SSL_CTX_set_tmp_rsa() sets the temporary/ephemeral RSA key to be used to be
B<rsa>. The key is inherited by all SSL objects newly created from B<ctx>
with <SSL_new(3)|SSL_new(3)>. Already created SSL objects are not affected.
SSL_CTX_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed
for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
with a keysize larger than 512 bits is installed.
SSL_set_tmp_rsa_callback() sets the callback only for B<ssl>.
SSL_set_tmp_rsa() sets the key only for B<ssl>.
SSL_need_tmp_rsa() returns 1, if a temporary/ephemeral RSA key is needed,
for RSA-based strength-limited 'exportable' ciphersuites because a RSA key
with a keysize larger than 512 bits is installed.
These functions apply to SSL/TLS servers only.
=head1 NOTES
When using a cipher with RSA authentication, an ephemeral RSA key exchange
can take place. In this case the session data are negotiated using the
ephemeral/temporary RSA key and the RSA key supplied and certified
by the certificate chain is only used for signing.
Under previous export restrictions, ciphers with RSA keys shorter (512 bits)
than the usual key length of 1024 bits were created. To use these ciphers
with RSA keys of usual length, an ephemeral key exchange must be performed,
as the normal (certified) key cannot be directly used.
Using ephemeral RSA key exchange yields forward secrecy, as the connection
can only be decrypted, when the RSA key is known. By generating a temporary
RSA key inside the server application that is lost when the application
is left, it becomes impossible for an attacker to decrypt past sessions,
even if he gets hold of the normal (certified) RSA key, as this key was
used for signing only. The downside is that creating a RSA key is
computationally expensive.
Additionally, the use of ephemeral RSA key exchange is only allowed in
the TLS standard, when the RSA key can be used for signing only, that is
for export ciphers. Using ephemeral RSA key exchange for other purposes
violates the standard and can break interoperability with clients.
It is therefore strongly recommended to not use ephemeral RSA key
exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
in order to achieve forward secrecy (see
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
standard. When ephemeral RSA key exchange is required for export ciphers,
it will automatically be used without this option!
An application may either directly specify the key or can supply the key via
a callback function. The callback approach has the advantage, that the
callback may generate the key only in case it is actually needed. As the
generation of a RSA key is however costly, it will lead to a significant
delay in the handshake procedure. Another advantage of the callback function
is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
usage) while the explicit setting of the key is only useful for key size of
512 bits to satisfy the export restricted ciphers and does give away key length
if a longer key would be allowed.
The B<tmp_rsa_callback> is called with the B<keylength> needed and
the B<is_export> information. The B<is_export> flag is set, when the
ephemeral RSA key exchange is performed with an export cipher.
=head1 EXAMPLES
Generate temporary RSA keys to prepare ephemeral RSA key exchange. As the
generation of a RSA key costs a lot of computer time, they saved for later
reuse. For demonstration purposes, two keys for 512 bits and 1024 bits
respectively are generated.
...
/* Set up ephemeral RSA stuff */
RSA *rsa_512 = NULL;
RSA *rsa_1024 = NULL;
rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL);
if (rsa_512 == NULL)
evaluate_error_queue();
rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL);
if (rsa_1024 == NULL)
evaluate_error_queue();
...
RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength)
{
RSA *rsa_tmp=NULL;
switch (keylength) {
case 512:
if (rsa_512)
rsa_tmp = rsa_512;
else { /* generate on the fly, should not happen in this example */
rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL);
rsa_512 = rsa_tmp; /* Remember for later reuse */
}
break;
case 1024:
if (rsa_1024)
rsa_tmp=rsa_1024;
else
should_not_happen_in_this_example();
break;
default:
/* Generating a key on the fly is very costly, so use what is there */
if (rsa_1024)
rsa_tmp=rsa_1024;
else
rsa_tmp=rsa_512; /* Use at least a shorter key */
}
return(rsa_tmp);
}
=head1 RETURN VALUES
SSL_CTX_set_tmp_rsa_callback() and SSL_set_tmp_rsa_callback() do not return
diagnostic output.
SSL_CTX_set_tmp_rsa() and SSL_set_tmp_rsa() do return 1 on success and 0
on failure. Check the error queue to find out the reason of failure.
SSL_CTX_need_tmp_rsa() and SSL_need_tmp_rsa() return 1 if a temporary
RSA key is needed and 0 otherwise.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
L<SSL_new(3)|SSL_new(3)>, L<ciphers(1)|ciphers(1)>
=cut

14
crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod
View File

@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result.
B<Server mode:> the server sends a client certificate request to the client.
The certificate returned (if any) is checked. If the verification process
fails as indicated by B<verify_callback>, the TLS/SSL handshake is
fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure.
The behaviour can be controlled by the additional
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
B<Client mode:> the server certificate is verified. If the verification process
fails as indicated by B<verify_callback>, the TLS/SSL handshake is
fails, the TLS/SSL handshake is
immediately terminated with an alert message containing the reason for
the verification failure. If no server certificate is sent, because an
anonymous cipher is used, SSL_VERIFY_PEER is ignored.
@ -92,6 +92,15 @@ B<Client mode:> ignored
Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
set at any time.
The actual verification procedure is performed either using the built-in
verification procedure or using another application provided verification
function set with
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>.
The following descriptions apply in the case of the built-in procedure. An
application provided procedure also has access to the verify depth information
and the verify_callback() function, but the way this information is used
may be different.
SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up
to which depth certificates in a chain are used during the verification
procedure. If the certificate chain is longer than allowed, the certificates
@ -278,6 +287,7 @@ L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>

32
crypto/openssl/doc/ssl/SSL_SESSION_free.pod
View File

@ -16,10 +16,40 @@ SSL_SESSION_free() decrements the reference count of B<session> and removes
the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated
memory, if the the reference count has reached 0.
=head1 NOTES
SSL_SESSION objects are allocated, when a TLS/SSL handshake operation
is successfully completed. Depending on the settings, see
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
the SSL_SESSION objects are internally referenced by the SSL_CTX and
linked into its session cache. SSL objects may be using the SSL_SESSION object;
as a session may be reused, several SSL objects may be using one SSL_SESSION
object at the same time. It is therefore crucial to keep the reference
count (usage information) correct and not delete a SSL_SESSION object
that is still used, as this may lead to program failures due to
dangling pointers. These failures may also appear delayed, e.g.
when an SSL_SESSION object was completely freed as the reference count
incorrectly became 0, but it is still referenced in the internal
session cache and the cache list is processed during a
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> operation.
SSL_SESSION_free() must only be called for SSL_SESSION objects, for
which the reference count was explicitly incremented (e.g.
by calling SSL_get1_session(), see L<SSL_get_session(3)|SSL_get_session(3)>)
or when the SSL_SESSION object was generated outside a TLS handshake
operation, e.g. by using L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>.
It must not be called on other SSL_SESSION objects, as this would cause
incorrect reference counts and therefore program failures.
=head1 RETURN VALUES
SSL_SESSION_free() does not provide diagnostic information.
L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
=cut

3
crypto/openssl/doc/ssl/SSL_SESSION_get_time.pod
View File

@ -58,6 +58,7 @@ If any of the function is passed the NULL pointer for the session B<s>,
=head1 SEE ALSO
L<ssl(3)|ssl(3)>,
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
=cut

5
crypto/openssl/doc/ssl/SSL_accept.pod
View File

@ -37,11 +37,6 @@ nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
is necessary to call SSL_set_accept_state()
before calling SSL_accept() to explicitly switch the B<ssl> to server
mode.
=head1 RETURN VALUES
The following return values can occur:

Some files were not shown because too many files have changed in this diff Show More