generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge in the 0.9.6-stable branch once more and hope for better

Browse Source 
results.
This commit is contained in:
Richard Levitte
2001-03-13 06:49:18 +00:00
parent c540bd2851
commit 3d4bb90138
95 changed files with 1028 additions and 361 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/evp/Makefile.ssl
View File

@@ -58,7 +58,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

36
crypto/evp/evp.h
View File

@@ -463,12 +463,20 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
ASN1_TYPE *param, EVP_CIPHER *cipher,
EVP_MD *md, int en_de);
#ifndef NO_RSA
#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
(char *)(rsa))
#endif
#ifndef NO_DSA
#define EVP_PKEY_assign_DSA(pkey,dsa) EVP_PKEY_assign((pkey),EVP_PKEY_DSA,\
(char *)(dsa))
#endif
#ifndef NO_DH
#define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,\
(char *)(dh))
#endif
/* Add some extra combinations */
#define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
@@ -612,17 +620,29 @@ void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k,
#endif
EVP_MD *EVP_md_null(void);
#ifndef NO_MD2
EVP_MD *EVP_md2(void);
#endif
#ifndef NO_MD4
EVP_MD *EVP_md4(void);
#endif
#ifndef NO_MD5
EVP_MD *EVP_md5(void);
#endif
#ifndef NO_SHA
EVP_MD *EVP_sha(void);
EVP_MD *EVP_sha1(void);
EVP_MD *EVP_dss(void);
EVP_MD *EVP_dss1(void);
#endif
#ifndef NO_MDC2
EVP_MD *EVP_mdc2(void);
#endif
#ifndef NO_RIPEMD
EVP_MD *EVP_ripemd160(void);
#endif
EVP_CIPHER *EVP_enc_null(void); /* does nothing :-) */
#ifndef NO_DES
EVP_CIPHER *EVP_des_ecb(void);
EVP_CIPHER *EVP_des_ede(void);
EVP_CIPHER *EVP_des_ede3(void);
@@ -636,31 +656,43 @@ EVP_CIPHER *EVP_des_cbc(void);
EVP_CIPHER *EVP_des_ede_cbc(void);
EVP_CIPHER *EVP_des_ede3_cbc(void);
EVP_CIPHER *EVP_desx_cbc(void);
#endif
#ifndef NO_RC4
EVP_CIPHER *EVP_rc4(void);
EVP_CIPHER *EVP_rc4_40(void);
#endif
#ifndef NO_IDEA
EVP_CIPHER *EVP_idea_ecb(void);
EVP_CIPHER *EVP_idea_cfb(void);
EVP_CIPHER *EVP_idea_ofb(void);
EVP_CIPHER *EVP_idea_cbc(void);
#endif
#ifndef NO_RC2
EVP_CIPHER *EVP_rc2_ecb(void);
EVP_CIPHER *EVP_rc2_cbc(void);
EVP_CIPHER *EVP_rc2_40_cbc(void);
EVP_CIPHER *EVP_rc2_64_cbc(void);
EVP_CIPHER *EVP_rc2_cfb(void);
EVP_CIPHER *EVP_rc2_ofb(void);
#endif
#ifndef NO_BF
EVP_CIPHER *EVP_bf_ecb(void);
EVP_CIPHER *EVP_bf_cbc(void);
EVP_CIPHER *EVP_bf_cfb(void);
EVP_CIPHER *EVP_bf_ofb(void);
#endif
#ifndef NO_CAST
EVP_CIPHER *EVP_cast5_ecb(void);
EVP_CIPHER *EVP_cast5_cbc(void);
EVP_CIPHER *EVP_cast5_cfb(void);
EVP_CIPHER *EVP_cast5_ofb(void);
#endif
#ifndef NO_RC5
EVP_CIPHER *EVP_rc5_32_12_16_cbc(void);
EVP_CIPHER *EVP_rc5_32_12_16_ecb(void);
EVP_CIPHER *EVP_rc5_32_12_16_cfb(void);
EVP_CIPHER *EVP_rc5_32_12_16_ofb(void);
#endif
void OpenSSL_add_all_algorithms(void);
void OpenSSL_add_all_ciphers(void);
void OpenSSL_add_all_digests(void);

3
crypto/hmac/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/idea/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/lhash/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/md2/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/md4/Makefile.ssl
View File

@@ -40,7 +40,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/md5/Makefile.ssl
View File

@@ -50,7 +50,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
# elf

3
crypto/mdc2/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/objects/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: obj_dat.h lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/pem/Makefile.ssl
View File

@@ -40,7 +40,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

2
crypto/pem/pem_info.c
View File

@@ -305,7 +305,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
{
if ( (xi->enc_data!=NULL) && (xi->enc_len>0) )
{
/* copy from wierdo names into more normal things */
/* copy from weirdo names into more normal things */
iv=xi->enc_cipher.iv;
data=(unsigned char *)xi->enc_data;
i=xi->enc_len;

3
crypto/pkcs12/Makefile.ssl
View File

@@ -45,7 +45,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

2
crypto/pkcs12/p12_attr.c
View File

@@ -151,7 +151,7 @@ int PKCS12_add_friendlyname_asc (PKCS12_SAFEBAG *bag, const char *name,
{
unsigned char *uniname;
int ret, unilen;
if (!asc2uni(name, &uniname, &unilen)) {
if (!asc2uni(name, namelen, &uniname, &unilen)) {
PKCS12err(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC,
ERR_R_MALLOC_FAILURE);
return 0;

2
crypto/pkcs12/p12_key.c
View File

@@ -84,7 +84,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt,
if(!pass) {
unipass = NULL;
uniplen = 0;
} else if (!asc2uni(pass, &unipass, &uniplen)) {
} else if (!asc2uni(pass, passlen, &unipass, &uniplen)) {
PKCS12err(PKCS12_F_PKCS12_KEY_GEN_ASC,ERR_R_MALLOC_FAILURE);
return 0;
}

18
crypto/pkcs12/p12_utl.c
View File

@@ -62,30 +62,34 @@
/* Cheap and nasty Unicode stuff */
unsigned char *asc2uni (const char *asc, unsigned char **uni, int *unilen)
unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
{
int ulen, i;
unsigned char *unitmp;
ulen = strlen(asc)*2 + 2;
if (!(unitmp = OPENSSL_malloc (ulen))) return NULL;
for (i = 0; i < ulen; i+=2) {
if (asclen == -1) asclen = strlen(asc);
ulen = asclen*2 + 2;
if (!(unitmp = OPENSSL_malloc(ulen))) return NULL;
for (i = 0; i < ulen - 2; i+=2) {
unitmp[i] = 0;
unitmp[i + 1] = asc[i>>1];
}
/* Make result double null terminated */
unitmp[ulen - 2] = 0;
unitmp[ulen - 1] = 0;
if (unilen) *unilen = ulen;
if (uni) *uni = unitmp;
return unitmp;
}
char *uni2asc (unsigned char *uni, int unilen)
char *uni2asc(unsigned char *uni, int unilen)
{
int asclen, i;
char *asctmp;
asclen = unilen / 2;
/* If no terminating zero allow for one */
if (uni[unilen - 1]) asclen++;
if (!unilen || uni[unilen - 1]) asclen++;
uni++;
if (!(asctmp = OPENSSL_malloc (asclen))) return NULL;
if (!(asctmp = OPENSSL_malloc(asclen))) return NULL;
for (i = 0; i < unilen; i+=2) asctmp[i>>1] = uni[i];
asctmp[asclen - 1] = 0;
return asctmp;

2
crypto/pkcs12/pkcs12.h
View File

@@ -247,7 +247,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
EVP_MD *md_type);
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
int saltlen, EVP_MD *md_type);
unsigned char *asc2uni(const char *asc, unsigned char **uni, int *unilen);
unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
char *uni2asc(unsigned char *uni, int unilen);
int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **pp);
PKCS12_BAGS *PKCS12_BAGS_new(void);

3
crypto/pkcs7/Makefile.ssl
View File

@@ -58,7 +58,8 @@ verify: verify.o example.o lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

5
crypto/pkcs7/pk7_doit.c
View File

@@ -783,6 +783,11 @@ for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
os=si->enc_digest;
pkey = X509_get_pubkey(x509);
if (!pkey)
{
ret = -1;
goto err;
}
if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1();
i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);

6
crypto/pkcs7/pk7_mime.c
View File

@@ -165,9 +165,9 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
}
bound[32] = 0;
BIO_printf(bio, "MIME-Version: 1.0\n");
BIO_printf(bio, "Content-Type: multipart/signed ; ");
BIO_printf(bio, "protocol=\"application/x-pkcs7-signature\" ; ");
BIO_printf(bio, "micalg=sha1 ; boundary=\"----%s\"\n\n", bound);
BIO_printf(bio, "Content-Type: multipart/signed;");
BIO_printf(bio, " protocol=\"application/x-pkcs7-signature\";");
BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"\n\n", bound);
BIO_printf(bio, "This is an S/MIME signed message\n\n");
/* Now write out the first part */
BIO_printf(bio, "------%s\n", bound);

13
crypto/pkcs7/pk7_smime.c
View File

@@ -153,7 +153,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
PKCS7_SIGNER_INFO *si;
X509_STORE_CTX cert_ctx;
char buf[4096];
int i, j=0, k;
int i, j=0, k, ret = 0;
BIO *p7bio;
BIO *tmpout;
@@ -258,18 +258,15 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
}
}
sk_X509_free(signers);
if(indata) BIO_pop(p7bio);
BIO_free_all(p7bio);
return 1;
ret = 1;
err:
if(indata) BIO_pop(p7bio);
BIO_free_all(p7bio);
sk_X509_free(signers);
BIO_free(p7bio);
return 0;
return ret;
}
STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags)

3
crypto/rand/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

5
crypto/rand/rand_win.c
View File

@@ -570,14 +570,15 @@ static void readtimer(void)
DWORD w;
LARGE_INTEGER l;
static int have_perfc = 1;
#ifndef __GNUC__
#ifdef _MSC_VER
static int have_tsc = 1;
DWORD cyclecount;
if (have_tsc) {
__try {
__asm {
rdtsc
_emit 0x0f
_emit 0x31
mov cyclecount, eax
}
RAND_add(&cyclecount, sizeof(cyclecount), 1);

31
crypto/rand/randfile.c
View File

@@ -73,7 +73,7 @@
# include <sys/stat.h>
#endif
#include <openssl/e_os.h>
#include "openssl/e_os.h"
#include <openssl/crypto.h>
#include <openssl/rand.h>
@@ -83,6 +83,9 @@
/* #define RFILE ".rnd" - defined in ../../e_os.h */
/* Note that these functions are intended for seed files only.
* Entropy devices and EGD sockets are handled in rand_unix.c */
int RAND_load_file(const char *file, long bytes)
{
/* If bytes >= 0, read up to 'bytes' bytes.
@@ -117,7 +120,7 @@ int RAND_load_file(const char *file, long bytes)
if (bytes > 0)
{
bytes-=n;
if (bytes == 0) break;
if (bytes <= 0) break;
}
}
fclose(in);
@@ -193,10 +196,11 @@ err:
const char *RAND_file_name(char *buf, int size)
{
char *s;
char *s=NULL;
char *ret=NULL;
s=getenv("RANDFILE");
if (OPENSSL_issetugid() == 0)
s=getenv("RANDFILE");
if (s != NULL)
{
strncpy(buf,s,size-1);
@@ -205,16 +209,19 @@ const char *RAND_file_name(char *buf, int size)
}
else
{
s=getenv("HOME");
if (s == NULL) return(RFILE);
if (((int)(strlen(s)+strlen(RFILE)+2)) > size)
return(RFILE);
strcpy(buf,s);
if (OPENSSL_issetugid() == 0)
s=getenv("HOME");
if (s != NULL && (strlen(s)+strlen(RFILE)+2 < size))
{
strcpy(buf,s);
#ifndef VMS
strcat(buf,"/");
strcat(buf,"/");
#endif
strcat(buf,RFILE);
ret=buf;
strcat(buf,RFILE);
ret=buf;
}
else
buf[0] = '\0'; /* no file name */
}
return(ret);
}

3
crypto/rc2/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/rc4/Makefile.ssl
View File

@@ -47,7 +47,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
# elf

3
crypto/rc5/Makefile.ssl
View File

@@ -44,7 +44,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
# elf

3
crypto/ripemd/Makefile.ssl
View File

@@ -42,7 +42,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
# elf

3
crypto/rsa/Makefile.ssl
View File

@@ -41,7 +41,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

97
crypto/rsa/rsa_eay.c
View File

@@ -141,9 +141,26 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
goto err;
BN_MONT_CTX* bn_mont_ctx;
if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
{
BN_MONT_CTX_free(bn_mont_ctx);
goto err;
}
if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
{
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
if (rsa->_method_mod_n == NULL)
{
rsa->_method_mod_n = bn_mont_ctx;
bn_mont_ctx = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
}
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
@@ -378,9 +395,26 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
/* do the decrypt */
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
{
if ((rsa->_method_mod_n=BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set(rsa->_method_mod_n,rsa->n,ctx))
goto err;
BN_MONT_CTX* bn_mont_ctx;
if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->n,ctx))
{
BN_MONT_CTX_free(bn_mont_ctx);
goto err;
}
if (rsa->_method_mod_n == NULL) /* other thread may have finished first */
{
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
if (rsa->_method_mod_n == NULL)
{
rsa->_method_mod_n = bn_mont_ctx;
bn_mont_ctx = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
}
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
if (!meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx,
@@ -432,20 +466,53 @@ static int RSA_eay_mod_exp(BIGNUM *r0, BIGNUM *I, RSA *rsa)
{
if (rsa->_method_mod_p == NULL)
{
if ((rsa->_method_mod_p=BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set(rsa->_method_mod_p,rsa->p,
ctx))
goto err;
BN_MONT_CTX* bn_mont_ctx;
if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->p,ctx))
{
BN_MONT_CTX_free(bn_mont_ctx);
goto err;
}
if (rsa->_method_mod_p == NULL) /* other thread may have finished first */
{
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
if (rsa->_method_mod_p == NULL)
{
rsa->_method_mod_p = bn_mont_ctx;
bn_mont_ctx = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
}
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
if (rsa->_method_mod_q == NULL)
{
if ((rsa->_method_mod_q=BN_MONT_CTX_new()) != NULL)
if (!BN_MONT_CTX_set(rsa->_method_mod_q,rsa->q,
ctx))
goto err;
BN_MONT_CTX* bn_mont_ctx;
if ((bn_mont_ctx=BN_MONT_CTX_new()) == NULL)
goto err;
if (!BN_MONT_CTX_set(bn_mont_ctx,rsa->q,ctx))
{
BN_MONT_CTX_free(bn_mont_ctx);
goto err;
}
if (rsa->_method_mod_q == NULL) /* other thread may have finished first */
{
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
if (rsa->_method_mod_q == NULL)
{
rsa->_method_mod_q = bn_mont_ctx;
bn_mont_ctx = NULL;
}
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
}
if (bn_mont_ctx)
BN_MONT_CTX_free(bn_mont_ctx);
}
}
if (!BN_mod(&r1,I,rsa->q,ctx)) goto err;
if (!meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx,
rsa->_method_mod_q)) goto err;

10
crypto/rsa/rsa_lib.c
View File

@@ -191,13 +191,13 @@ RSA *RSA_new_method(ENGINE *engine)
ret->blinding=NULL;
ret->bignum_data=NULL;
ret->flags=meth->flags;
CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
if ((meth->init != NULL) && !meth->init(ret))
{
CRYPTO_free_ex_data(rsa_meth,ret,&ret->ex_data);
OPENSSL_free(ret);
ret=NULL;
}
else
CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
return(ret);
}
@@ -221,13 +221,13 @@ void RSA_free(RSA *r)
}
#endif
CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
meth = ENGINE_get_RSA(r->engine);
if (meth->finish != NULL)
meth->finish(r);
ENGINE_finish(r->engine);
CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
if (r->n != NULL) BN_clear_free(r->n);
if (r->e != NULL) BN_clear_free(r->e);
if (r->d != NULL) BN_clear_free(r->d);
@@ -325,7 +325,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
if (!BN_rand(A,BN_num_bits(rsa->n)-1,1,0)) goto err;
if (!BN_rand_range(A,rsa->n)) goto err;
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A,

3
crypto/sha/Makefile.ssl
View File

@@ -42,7 +42,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
# elf

12
crypto/sha/asm/sha1-586.pl
View File

@@ -317,7 +317,7 @@ sub BODY_60_79
sub sha1_block_host
{
local($name)=@_;
local($name, $sclabel)=@_;
&function_begin_B($name,"");
@@ -352,7 +352,7 @@ sub sha1_block_host
&mov(&swtmp($i+0),$A);
&mov(&swtmp($i+1),$B);
}
&jmp(&label("shortcut"));
&jmp($sclabel);
&function_end_B($name);
}
@@ -529,10 +529,12 @@ sub sha1_block_data
&pop("esi");
&ret();
# it has to reside within sha1_block_asm_host_order body
# because it calls &jmp(&label("shortcut"));
&sha1_block_host("sha1_block_asm_host_order");
# keep a note of shortcut label so it can be used outside
# block.
my $sclabel = &label("shortcut");
&function_end_B($name);
# Putting this here avoids problems with MASM in debugging mode
&sha1_block_host("sha1_block_asm_host_order", $sclabel);
}

3
crypto/stack/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/txt_db/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
crypto/x509/Makefile.ssl
View File

@@ -49,7 +49,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

2
crypto/x509/by_dir.c
View File

@@ -327,7 +327,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
* it out again */
CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
else tmp = NULL;
CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);

18
crypto/x509/x509_cmp.c
View File

@@ -199,19 +199,13 @@ unsigned long X509_NAME_hash(X509_NAME *x)
{
unsigned long ret=0;
unsigned char md[16];
unsigned char str[256],*p,*pp;
int i;
i=i2d_X509_NAME(x,NULL);
if (i > sizeof(str))
p=OPENSSL_malloc(i);
else
p=str;
pp=p;
i2d_X509_NAME(x,&pp);
MD5((unsigned char *)p,i,&(md[0]));
if (p != str) OPENSSL_free(p);
/* Ensure cached version is up to date */
i2d_X509_NAME(x,NULL);
/* Use cached encoding directly rather than copying: this should
* keep libsafe happy.
*/
MD5((unsigned char *)x->bytes->data,x->bytes->length,&(md[0]));
ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)

3
crypto/x509v3/Makefile.ssl
View File

@@ -43,7 +43,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

2
crypto/x509v3/v3_alt.c
View File

@@ -270,7 +270,7 @@ static int copy_email(X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *gens)
/* Now add any email address(es) to STACK */
i = -1;
while((i = X509_NAME_get_index_by_NID(nm,
NID_pkcs9_emailAddress, i)) > 0) {
NID_pkcs9_emailAddress, i)) >= 0) {
ne = X509_NAME_get_entry(nm, i);
email = M_ASN1_IA5STRING_dup(X509_NAME_ENTRY_get_data(ne));
if(!email || !(gen = GENERAL_NAME_new())) {

26
crypto/x509v3/v3_prn.c
View File

@@ -85,9 +85,16 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
else BIO_printf(out, "%s:%s", nval->name, nval->value);
#else
else {
char tmp[10240]; /* 10k is BIO_printf's limit anyway */
ascii2ebcdic(tmp, nval->value, strlen(nval->value)+1);
BIO_printf(out, "%s:%s", nval->name, tmp);
int len;
char *tmp;
len = strlen(nval->value)+1;
tmp = OPENSSL_malloc(len);
if (tmp)
{
ascii2ebcdic(tmp, nval->value, len);
BIO_printf(out, "%s:%s", nval->name, tmp);
OPENSSL_free(tmp);
}
}
#endif
if(ml) BIO_puts(out, "\n");
@@ -115,9 +122,16 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, int flag, int indent)
BIO_printf(out, "%*s%s", indent, "", value);
#else
{
char tmp[10240]; /* 10k is BIO_printf's limit anyway */
ascii2ebcdic(tmp, value, strlen(value)+1);
BIO_printf(out, "%*s%s", indent, "", tmp);
int len;
char *tmp;
len = strlen(value)+1;
tmp = OPENSSL_malloc(len);
if (tmp)
{
ascii2ebcdic(tmp, value, len);
BIO_printf(out, "%*s%s", indent, "", tmp);
OPENSSL_free(tmp);
}
}
#endif
} else if(method->i2v) {

6
crypto/x509v3/v3_purp.c
View File

@@ -362,6 +362,8 @@ static int ca_check(const X509 *x)
else return 0;
} else {
if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3;
/* If key usage present it must have certSign so tolerate it */
else if (x->ex_flags & EXFLAG_KUSAGE) return 3;
else return 2;
}
}
@@ -380,7 +382,7 @@ static int check_ssl_ca(const X509 *x)
if(ca_ret != 2) return ca_ret;
else return 0;
}
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
{
@@ -446,7 +448,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
int ret;
ret = purpose_smime(x, ca);
if(!ret || ca) return ret;
if(ku_reject(x, KU_DIGITAL_SIGNATURE)) return 0;
if(ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION)) return 0;
return ret;
}

9
doc/apps/s_client.pod
View File

@@ -32,6 +32,7 @@ B<openssl> B<s_client>
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
[B<-rand file(s)>]
[B<-engine id>]
=head1 DESCRIPTION
@@ -157,6 +158,14 @@ the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_client>

11
doc/apps/s_server.pod
View File

@@ -39,6 +39,7 @@ B<openssl> B<s_client>
[B<-hack>]
[B<-www>]
[B<-WWW>]
[B<-rand file(s)>]
[B<-engine id>]
=head1 DESCRIPTION
@@ -95,7 +96,7 @@ using a set of DH parameters. If not specified then an attempt is made to
load the parameters from the server certificate file. If this fails then
a static set of parameters hard coded into the s_server program will be used.
=item B<-nodhe>
=item B<-no_dhe>
if this option is set then no DH parameters will be loaded effectively
disabling the ephemeral DH cipher suites.
@@ -187,6 +188,14 @@ emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded.
=item B<-rand file(s)>
a file or files containing random data used to seed the random number
generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.
=item B<-engine id>
specifying an engine (by it's unique B<id> string) will cause B<s_server>

22
doc/crypto/BN_rand.pod
View File

@@ -12,24 +12,31 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
=head1 DESCRIPTION
BN_rand() generates a cryptographically strong pseudo-random number of
B<bits> bits in length and stores it in B<rnd>. If B<top> is true, the
two most significant bits of the number will be set to 1, so that the
product of two such random numbers will always have 2*B<bits> length.
If B<bottom> is true, the number will be odd.
B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
most significant bit of the random number can be zero. If B<top> is 0,
it is set to 1, and if B<top> is 1, the two most significant bits of
the number will be set to 1, so that the product of two such random
numbers will always have 2*B<bits> length. If B<bottom> is true, the
number will be odd.
BN_pseudo_rand() does the same, but pseudo-random numbers generated by
this function are not necessarily unpredictable. They can be used for
non-cryptographic purposes and for certain purposes in cryptographic
protocols, but usually not for key generation etc.
The PRNG must be seeded prior to calling BN_rand().
BN_rand_range() generates a cryptographically strong pseudo-random
number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
=head1 RETURN VALUES
BN_rand() and BN_pseudo_rand() return 1 on success, 0 on error.
The functions return 1 on success, 0 on error.
The error codes can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
=head1 SEE ALSO
@@ -40,6 +47,7 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
=head1 HISTORY
BN_rand() is available in all versions of SSLeay and OpenSSL.
BN_pseudo_rand() was added in OpenSSL 0.9.5.
BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
and the function BN_rand_range() were added in OpenSSL 0.9.6a.
=cut

35
doc/crypto/RAND_egd.pod
View File

@@ -9,10 +9,30 @@ RAND_egd - query entropy gathering daemon
#include <openssl/rand.h>
int RAND_egd(const char *path);
int RAND_egd_bytes(const char *path, int bytes);
=head1 DESCRIPTION
RAND_egd() queries the entropy gathering daemon EGD on socket B<path>.
It queries 255 bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
OpenSSL built-in PRNG. RAND_egd(path) is a wrapper for
RAND_egd_bytes(path, 255);
RAND_egd_bytes() queries the entropy gathering daemon EGD on socket B<path>.
It queries B<bytes> bytes and uses L<RAND_add(3)|RAND_add(3)> to seed the
OpenSSL built-in PRNG.
This function is more flexible than RAND_egd().
When only one secret key must
be generated, it is not necessary to request the full amount 255 bytes from
the EGD socket. This can be advantageous, since the amount of entropy
that can be retrieved from EGD over time is limited.
=head1 NOTES
On systems without /dev/*random devices providing entropy from the kernel,
the EGD entropy gathering daemon can be used to collect entropy. It provides
a socket interface through which entropy can be gathered in chunks up to
255 bytes. Several chunks can be queried during one connection.
EGD is available from http://www.lothar.com/tech/crypto/ (C<perl
Makefile.PL; make; make install> to install). It is run as B<egd>
@@ -21,22 +41,27 @@ RAND_egd() is called with that path as an argument, it tries to read
random bytes that EGD has collected. The read is performed in
non-blocking mode.
Alternatively, the EGD-compatible daemon PRNGD can be used. It is
Alternatively, the EGD-interface compatible daemon PRNGD can be used. It is
available from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html .
PRNGD does employ an internal PRNG itself and can therefore never run
out of entropy.
=head1 RETURN VALUE
RAND_egd() returns the number of bytes read from the daemon on
success, and -1 if the connection failed or the daemon did not return
enough data to fully seed the PRNG.
RAND_egd() and RAND_egd_bytes() return the number of bytes read from the
daemon on success, and -1 if the connection failed or the daemon did not
return enough data to fully seed the PRNG.
=head1 SEE ALSO
L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_cleanup(3)|RAND_cleanup(3)>
L<rand(3)|rand(3)>, L<RAND_add(3)|RAND_add(3)>,
L<RAND_cleanup(3)|RAND_cleanup(3)>
=head1 HISTORY
RAND_egd() is available since OpenSSL 0.9.5.
RAND_egd_bytes() is available since OpenSSL 0.9.6.
=cut

1
doc/crypto/bn.pod
View File

@@ -60,6 +60,7 @@ bn - multiprecision integer arithmetics
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);

2
doc/crypto/des.pod
View File

@@ -345,7 +345,7 @@ the MIT Kerberos library.
=head1 SEE ALSO
crypt(3), L<des_modes(3)|des_modes(3)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
crypt(3), L<des_modes(7)|des_modes(7)>, L<evp(3)|evp(3)>, L<rand(3)|rand(3)>
=head1 HISTORY

2
doc/crypto/evp.pod
View File

@@ -10,7 +10,7 @@ evp - high-level cryptographic functions
=head1 DESCRIPTION
The EVP library provided a high-level interface to cryptographic
The EVP library provides a high-level interface to cryptographic
functions.
B<EVP_Seal>I<...> and B<EVP_Open>I<...> provide public key encryption

67
doc/ssl/SSL_CIPHER_get_name.pod
View File

@@ -2,8 +2,7 @@
=head1 NAME
SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version,
SSL_CIPHER_description - get SSL_CIPHER properties
SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description - get SSL_CIPHER properties
=head1 SYNOPSIS
@@ -29,9 +28,10 @@ SSL_CIPHER_get_version() returns the protocol version for B<cipher>, currently
SSL_CIPHER_description() returns a textual description of the cipher used
into the buffer B<buf> of length B<len> provided. B<len> must be at least
128 bytes, otherwise the string "Buffer too small" is returned. If B<buf>
is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the
allocation fails, the string "OPENSSL_malloc Error" is returned.
128 bytes, otherwise a pointer to the the string "Buffer too small" is
returned. If B<buf> is NULL, a buffer of 128 bytes is allocated using
OPENSSL_malloc(). If the allocation fails, a pointer to the string
"OPENSSL_malloc Error" is returned.
=head1 NOTES
@@ -40,11 +40,66 @@ export cipher like e.g. EXP-RC4-MD5 has only 40 secret bits. The algorithm
does use the full 128 bits (which would be returned for B<alg_bits>), of
which however 88bits are fixed. The search space is hence only 40 bits.
The string returned by SSL_CIPHER_description() in case of success consists
of cleartext information separated by one or more blanks in the following
sequence:
=over 4
=item <ciphername>
Textual representation of the cipher name.
=item <protocol version>
Protocol version: B<SSLv2>, B<SSLv3>. The TLSv1 ciphers are flagged with SSLv3.
=item Kx=<key exchange>
Key exchange method: B<RSA> (for export ciphers as B<RSA(512)> or
B<RSA(1024)>), B<DH> (for export ciphers as B<DH(512)> or B<DH(1024)>),
B<DH/RSA>, B<DH/DSS>, B<Fortezza>.
=item Au=<authentication>
Authentication method: B<RSA>, B<DSS>, B<DH>, B<None>. None is the
representation of anonymous ciphers.
=item Enc=<symmetric encryption method>
Encryption method with number of secret bits: B<DES(40)>, B<DES(56)>,
B<3DES(168)>, B<RC4(40)>, B<RC4(56)>, B<RC4(64)>, B<RC4(128)>,
B<RC2(40)>, B<RC2(56)>, B<RC2(128)>, B<IDEA(128)>, B<Fortezza>, B<None>.
=item Mac=<message authentication code>
Message digest: B<MD5>, B<SHA1>.
=item <export flag>
If the cipher is flagged exportable with respect to old US crypto
regulations, the word "B<export>" is printed.
=back
=head1 EXAMPLES
Some examples for the output of SSL_CIPHER_description():
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
=head1 BUGS
If SSL_CIPHER_description() is called with B<cipher> being NULL, the
library crashes.
If SSL_CIPHER_description() cannot handle a built-in cipher, the according
description of the cipher property is B<unknown>. This case should not
occur.
=head1 RETURN VALUES
See DESCRIPTION
@@ -52,6 +107,6 @@ See DESCRIPTION
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_current_cipher(3)|SSL_get_current_cipher(3)>,
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>, L<ciphers(1)|ciphers(1)>
=cut

2
doc/ssl/SSL_CTX_free.pod
View File

@@ -17,7 +17,7 @@ SSL_CTX object pointed to by B<ctx> and frees up the allocated memory if the
the reference count has reached 0.
It also calls the free()ing procedures for indirectly affected items, if
applicable: the session cacahe, the list of ciphers, the list of Client CAs,
applicable: the session cache, the list of ciphers, the list of Client CAs,
the certificates and keys.
=head1 RETURN VALUES

15
doc/ssl/SSL_CTX_new.pod
View File

@@ -33,9 +33,9 @@ understand SSLv2 client hello messages.
=item SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
A TLS/SSL connection established with these methods will only understand the
SSLv3 and TLSv1 protocol. A client will send out SSLv3 client hello messages
and will indicate that it also understands TLSv1. A server will only understand
SSLv3 and TLSv1 client hello messages. This especially means, that it will
SSLv3 protocol. A client will send out SSLv3 client hello messages
and will indicate that it only understands SSLv3. A server will only understand
SSLv3 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
compatibility reasons, see SSLv23_*_method().
@@ -46,7 +46,8 @@ TLSv1 protocol. A client will send out TLSv1 client hello messages
and will indicate that it only understands TLSv1. A server will only understand
TLSv1 client hello messages. This especially means, that it will
not understand SSLv2 client hello messages which are widely used for
compatibility reasons, see SSLv23_*_method().
compatibility reasons, see SSLv23_*_method(). It will also not understand
SSLv3 client hello messages.
=item SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
@@ -58,6 +59,10 @@ choice when compatibility is a concern.
=back
If a generic method is used, it is necessary to explicitly set client or
server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
or SSL_set_accept_state().
The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
B<SSL_set_options()> functions. Using these options it is possible to choose
@@ -88,6 +93,6 @@ The return value points to an allocated SSL_CTX object.
=head1 SEE ALSO
L<SSL_CTX_free(3)|SSL_CTX_free(3)>, L<SSL_accept(3)|SSL_accept(3)>,
L<ssl(3)|ssl(3)>
L<ssl(3)|ssl(3)>, L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
=cut

4
doc/ssl/SSL_CTX_set_cipher_list.pod
View File

@@ -2,8 +2,7 @@
=head1 NAME
SSL_CTX_set_cipher_list, SSL_set_cipher_list
- choose list of available SSL_CIPHERs
SSL_CTX_set_cipher_list, SSL_set_cipher_list - choose list of available SSL_CIPHERs
=head1 SYNOPSIS
@@ -47,6 +46,7 @@ could be selected and 0 on complete failure.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<ciphers(1)|ciphers(1)>
=cut

13
doc/ssl/SSL_CTX_set_ssl_version.pod
View File

@@ -17,8 +17,8 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
SSL_CTX_set_ssl_version() sets a new default TLS/SSL B<method> for SSL objects
newly created from this B<ctx>. SSL objects already created with
L<SSL_new(3)|SSL_new(3)> are not affected, except when SSL_clear() is
being called.
L<SSL_new(3)|SSL_new(3)> are not affected, except when
L<SSL_clear(3)|SSL_clear(3)> is being called.
SSL_set_ssl_method() sets a new TLS/SSL B<method> for a particular B<ssl>
object. It may be reset, when SSL_clear() is called.
@@ -31,9 +31,9 @@ set in B<ssl>.
The available B<method> choices are described in
L<SSL_CTX_new(3)|SSL_CTX_new(3)>.
When SSL_clear() is called and no session is connected to an SSL object,
the method of the SSL object is reset to the method currently set in
the corresponding SSL_CTX object.
When L<SSL_clear(3)|SSL_clear(3)> is called and no session is connected to
an SSL object, the method of the SSL object is reset to the method currently
set in the corresponding SSL_CTX object.
=head1 RETURN VALUES
@@ -55,6 +55,7 @@ The operation succeeded.
=head1 SEE ALSO
L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<SSL_new(3)|SSL_new(3)>,
L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>
L<SSL_clear(3)|SSL_clear(3)>, L<ssl(3)|ssl(3)>,
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
=cut

11
doc/ssl/SSL_accept.pod
View File

@@ -37,6 +37,11 @@ nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
is necessary to call SSL_set_accept_state()
before calling SSL_accept() to explicitly switch the B<ssl> to server
mode.
=head1 RETURN VALUES
The following return values can occur:
@@ -54,7 +59,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
=item -1
=item E<lt>0
The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
@@ -67,6 +72,8 @@ to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<SSL_CTX_new(3)|SSL_CTX_new(3)>
=cut

16
doc/ssl/SSL_clear.pod
View File

@@ -13,8 +13,17 @@ SSL_clear - reset SSL object to allow another connection
=head1 DESCRIPTION
Reset B<ssl> to allow another connection. All settings (method, ciphers,
BIOs) are kept. A completely negotiated B<SSL_SESSION> is not freed but left
untouched for the underlying B<SSL_CTX>.
BIOs) are kept.
=head1 NOTES
SSL_clear is used to prepare an SSL object for a new connection. While all
settings are kept, a side effect is the handling of the current SSL session.
If a session is still B<open>, it is considered bad and will be removed
from the session cache, as required by RFC2246. A session is considered open,
if L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
or at least L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was used to
set the SSL_SENT_SHUTDOWN state.
=head1 RETURN VALUES
@@ -34,6 +43,7 @@ The SSL_clear() operation was successful.
=back
L<SSL_new(3)|SSL_new(3)>, L<SSL_free(3)|SSL_free(3)>,
L<ssl(3)|ssl(3)>
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, L<ssl(3)|ssl(3)>
=cut

11
doc/ssl/SSL_connect.pod
View File

@@ -34,6 +34,11 @@ nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
is necessary to call L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
before calling SSL_connect() to explicitly switch the B<ssl> to client
mode.
=head1 RETURN VALUES
The following return values can occur:
@@ -51,7 +56,7 @@ The TLS/SSL handshake was not successful but was shut down controlled and
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
return value B<ret> to find out the reason.
=item -1
=item E<lt>0
The TLS/SSL handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
@@ -64,6 +69,8 @@ to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_accept(3)|SSL_accept(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)> , L<bio(3)|bio(3)>
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>,
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<SSL_CTX_new(3)|SSL_CTX_new(3)>
=cut

13
doc/ssl/SSL_free.pod
View File

@@ -16,18 +16,29 @@ SSL_free() decrements the reference count of B<ssl>, and removes the SSL
structure pointed to by B<ssl> and frees up the allocated memory if the
the reference count has reached 0.
It also calls the free()ing procedures for indirectly affected items, if
=head1 NOTES
SSL_free() also calls the free()ing procedures for indirectly affected items, if
applicable: the buffering BIO, the read and write BIOs,
cipher lists specially created for this B<ssl>, the B<SSL_SESSION>.
Do not explicitly free these indirectly freed up items before or after
calling SSL_free(), as trying to free things twice may lead to program
failure.
The ssl session has reference counts from two users: the SSL object, for
which the reference count is removed by SSL_free() and the internal
session cache. If the session is considered bad, because
L<SSL_shutdown(3)|SSL_shutdown(3)> was not called for the connection
and L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> was not used to set the
SSL_SENT_SHUTDOWN state, the session will also be removed
from the session cache as required by RFC2246.
=head1 RETURN VALUES
SSL_free() does not provide diagnostic information.
L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<ssl(3)|ssl(3)>
=cut

30
doc/ssl/SSL_get_error.pod
View File

@@ -14,8 +14,8 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
SSL_get_error() returns a result code (suitable for the C "switch"
statement) for a preceding call to SSL_connect(), SSL_accept(),
SSL_read(), or SSL_write() on B<ssl>. The value returned by that
TLS/SSL I/O function must be passed to SSL_get_error() in parameter
SSL_read(), SSL_peek(), or SSL_write() on B<ssl>. The value returned by
that TLS/SSL I/O function must be passed to SSL_get_error() in parameter
B<ret>.
In addition to B<ssl> and B<ret>, SSL_get_error() inspects the
@@ -48,16 +48,26 @@ has been closed.
=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
The operation did not complete; the same TLS/SSL I/O function should be
called again later. There will be protocol progress if, by then, the
underlying B<BIO> has data available for reading (if the result code is
B<SSL_ERROR_WANT_READ>) or allows writing data (B<SSL_ERROR_WANT_WRITE>).
For socket B<BIO>s (e.g. when SSL_set_fd() was used) this means that
select() or poll() on the underlying socket can be used to find out
when the TLS/SSL I/O function should be retried.
called again later. If, by then, the underlying B<BIO> has data
available for reading (if the result code is B<SSL_ERROR_WANT_READ>)
or allows writing data (B<SSL_ERROR_WANT_WRITE>), then some TLS/SSL
protocol progress will take place, i.e. at least part of an TLS/SSL
record will be read or written. Note that the retry may again lead to
a B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE> condition.
There is no fixed upper limit for the number of iterations that
may be necessary until progress becomes visible at application
protocol level.
For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
poll() on the underlying socket can be used to find out when the
TLS/SSL I/O function should be retried.
Caveat: Any TLS/SSL I/O function can lead to either of
B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>, i.e. SSL_read()
may want to write data and SSL_write() may want to read data.
B<SSL_ERROR_WANT_READ> and B<SSL_ERROR_WANT_WRITE>. In particular,
SSL_read() or SSL_peek() may want to write data and SSL_write() may want
to read data. This is mainly because TLS/SSL handshakes may occur at any
time during the protocol (initiated by either the client or the server);
SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes.
=item SSL_ERROR_WANT_X509_LOOKUP

2
doc/ssl/SSL_get_peer_cert_chain.pod
View File

@@ -15,7 +15,7 @@ SSL_get_peer_cert_chain - get the X509 certificate chain of the peer
SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
forming the certificate chain of the peer. If called on the client side,
the stack also contains the peer's certificate; if called on the server
side, the peer's certificate must be obtained seperately using
side, the peer's certificate must be obtained separately using
L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.
If the peer did not present a certificate, NULL is returned.

2
doc/ssl/SSL_get_peer_certificate.pod
View File

@@ -23,7 +23,7 @@ to check the verification state.
The reference count of the X509 object is incremented by one, so that it
will not be destroyed when the session containing the peer certificate is
freed. The X509 object must be explicitely freed using X509_free().
freed. The X509 object must be explicitly freed using X509_free().
=head1 RETURN VALUES

21
doc/ssl/SSL_get_session.pod
View File

@@ -16,14 +16,30 @@ SSL_get_session - retrieve TLS/SSL session data
SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
that the pointer can become invalid when the B<ssl> is freed and
SSL_SESSION_free() is implicitly called.
that the pointer can become invalid by other operations.
SSL_get0_session() is the same as SSL_get_session().
SSL_get1_session() is the same as SSL_get_session(), but the reference
count of the B<SSL_SESSION> is incremented by one.
=head1 NOTES
The ssl session contains all information required to re-establish the
connection without a new handshake.
SSL_get0_session() returns a pointer to the actual session. As the
reference counter is not incremented, the pointer is only valid while
the connection is in use. If L<SSL_clear(3)|SSL_clear(3)> or
L<SSL_free(3)|SSL_free(3)> is called, the session may be removed completely
(if considered bad), and the pointer obtained will become invalid. Even
if the session is valid, it can be removed at any time due to timeout
during L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>.
If the data is to be kept, SSL_get1_session() will increment the reference
count and the session will stay in memory until explicitly freed with
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, regardless of its state.
=head1 RETURN VALUES
The following return values can occur:
@@ -43,6 +59,7 @@ The return value points to the data of an SSL session.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_free(3)|SSL_free(3)>,
L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
=cut

4
doc/ssl/SSL_get_verify_result.pod
View File

@@ -19,7 +19,7 @@ X509 certificate presented by the peer, if any.
SSL_get_verify_result() can only return one error code while the verification
of a certificate can fail because of many reasons at the same time. Only
the last verification error that occured during the processing is available
the last verification error that occurred during the processing is available
from SSL_get_verify_result().
The verification result is part of the established session and is restored
@@ -28,7 +28,7 @@ when a session is reused.
=head1 BUGS
If no peer certificate was presented, the returned result code is
X509_V_OK. This is because no verification error occured, it does however
X509_V_OK. This is because no verification error occurred, it does however
not indicate success. SSL_get_verify_result() is only useful in connection
with L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>.

1
doc/ssl/SSL_new.pod
View File

@@ -37,6 +37,7 @@ The return value points to an allocated SSL structure.
=head1 SEE ALSO
L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<ssl(3)|ssl(3)>
=cut

13
doc/ssl/SSL_pending.pod
View File

@@ -25,6 +25,19 @@ L<SSL_read(3)|SSL_read(3)>.
The number of bytes pending is returned.
=head1 BUGS
SSL_pending() takes into account only bytes from the TLS/SSL record
that is currently being processed (if any). If the B<SSL> object's
I<read_ahead> flag is set, additional protocol bytes may have been
read containing more TLS/SSL records; these are ignored by
SSL_pending().
Up to OpenSSL 0.9.6, SSL_pending() does not check if the record type
of pending data is application data.
=head1 SEE ALSO
L<SSL_read(3)|SSL_read(3)>, L<ssl(3)|ssl(3)>
=cut

25
doc/ssl/SSL_read.pod
View File

@@ -8,7 +8,7 @@ SSL_read - read bytes from a TLS/SSL connection.
#include <openssl/ssl.h>
int SSL_read(SSL *ssl, char *buf, int num);
int SSL_read(SSL *ssl, void *buf, int num);
=head1 DESCRIPTION
@@ -18,17 +18,29 @@ buffer B<buf>.
=head1 NOTES
If necessary, SSL_read() will negotiate a TLS/SSL session, if
not already explicitly performed by SSL_connect() or SSL_accept(). If the
not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_read() operation. The behaviour of SSL_read() depends on the
underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is not the case if a generic
method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
must be used before the first call to an SSL_read() or
L<SSL_write(3)|SSL_write(3)> function.
If the underlying BIO is B<blocking>, SSL_read() will only return, once the
read operation has been finished or an error occurred.
read operation has been finished or an error occurred, except when a
renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
If the underlying BIO is B<non-blocking>, SSL_read() will also return
when the underlying BIO could not satisfy the needs of SSL_read()
to continue the operation. In this case a call to SSL_get_error() with the
to continue the operation. In this case a call to
L<SSL_get_error(3)|SSL_get_error(3)> with the
return value of SSL_read() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
call to SSL_read() can also cause write operations! The calling process
@@ -61,7 +73,7 @@ The read operation was not successful, probably because no data was
available. Call SSL_get_error() with the return value B<ret> to find out,
whether an error occurred.
=item -1
=item E<lt>0
The read operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
@@ -72,6 +84,9 @@ return value B<ret> to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut

3
doc/ssl/SSL_set_session.pod
View File

@@ -40,6 +40,7 @@ The operation succeeded.
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
=cut

18
doc/ssl/SSL_shutdown.pod
View File

@@ -12,9 +12,17 @@ SSL_shutdown - shut down a TLS/SSL connection
=head1 DESCRIPTION
SSL_shutdown() shuts down an active TLS/SSL connection. It sends the shutdown
alert to the peer. The behaviour of SSL_shutdown() depends on the underlying
BIO.
SSL_shutdown() shuts down an active TLS/SSL connection. It sends the
"close notify" shutdown alert to the peer.
=head1 NOTES
SSL_shutdown() tries to send the "close notify" shutdown alert to the peer.
Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
a currently open session is considered closed and good and will be kept in the
session cache for further reuse.
The behaviour of SSL_shutdown() depends on the underlying BIO.
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
handshake has been finished or an error occurred.
@@ -57,6 +65,8 @@ Call SSL_get_error() with the return value B<ret> to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
L<SSL_accept(3)|SSL_accept(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut

31
doc/ssl/SSL_write.pod
View File

@@ -2,13 +2,13 @@
=head1 NAME
SSL_read - write bytes to a TLS/SSL connection.
SSL_write - write bytes to a TLS/SSL connection.
=head1 SYNOPSIS
#include <openssl/ssl.h>
int SSL_write(SSL *ssl, char *buf, int num);
int SSL_write(SSL *ssl, const void *buf, int num);
=head1 DESCRIPTION
@@ -18,20 +18,32 @@ B<ssl> connection.
=head1 NOTES
If necessary, SSL_write() will negotiate a TLS/SSL session, if
not already explicitly performed by SSL_connect() or SSL_accept(). If the
not already explicitly performed by L<SSL_connect(3)|SSL_connect(3)> or
L<SSL_accept(3)|SSL_accept(3)>. If the
peer requests a re-negotiation, it will be performed transparently during
the SSL_write() operation. The behaviour of SSL_write() depends on the
underlying BIO.
For the transparent negotiation to succeed, the B<ssl> must have been
initialized to client or server mode. This is not the case if a generic
method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
must be used before the first call to an L<SSL_read(3)|SSL_read(3)>
or SSL_write() function.
If the underlying BIO is B<blocking>, SSL_write() will only return, once the
write operation has been finished or an error occurred.
write operation has been finished or an error occurred, except when a
renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur.
This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)> call.
If the underlying BIO is B<non-blocking>, SSL_write() will also return,
when the underlying BIO could not satisfy the needs of SSL_write()
to continue the operation. In this case a call to SSL_get_error() with the
to continue the operation. In this case a call to
L<SSL_get_error(3)|SSL_get_error(3)> with the
return value of SSL_write() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. As at any time a re-negotiation is possible, a
call to SSL_write() can also cause write operations! The calling process
call to SSL_write() can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the
needs of SSL_write(). The action depends on the underlying BIO. When using a
non-blocking socket, nothing is to be done, but select() can be used to check
@@ -60,9 +72,9 @@ bytes actually written to the TLS/SSL connection.
The write operation was not successful. Call SSL_get_error() with the return
value B<ret> to find out, whether an error occurred.
=item -1
=item E<lt>0
The read operation was not successful, because either an error occurred
The write operation was not successful, because either an error occurred
or action must be taken by the calling process. Call SSL_get_error() with the
return value B<ret> to find out the reason.
@@ -71,6 +83,9 @@ return value B<ret> to find out the reason.
=head1 SEE ALSO
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_read(3)|SSL_read(3)>,
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
=cut

150
doc/ssl/ssl.pod
View File

@@ -13,6 +13,69 @@ The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols. It provides a rich API which is
documented here.
At first the library must be initialized; see
L<SSL_library_init(3)|SSL_library_init(3)>.
Then an B<SSL_CTX> object is created as a framework to establish
TLS/SSL enabled connections (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>).
Various options regarding certificates, algorithms etc. can be set
in this object.
When a network connection has been created, it can be assigned to an
B<SSL> object. After the B<SSL> object has been created using
L<SSL_new(3)|SSL_new(3)>, L<SSL_set_fd(3)|SSL_set_fd(3)> or
L<SSL_set_bio(3)|SSL_set_bio(3)> can be used to associate the network
connection with the object.
Then the TLS/SSL handshake is performed using
L<SSL_accept(3)|SSL_accept(3)> or L<SSL_connect(3)|SSL_connect(3)>
respectively.
L<SSL_read(3)|SSL_read(3)> and L<SSL_write(3)|SSL_write(3)> are used
to read and write data on the TLS/SSL connection.
L<SSL_shutdown(3)|SSL_shutdown(3)> can be used to shut down the
TLS/SSL connection.
=head1 DATA STRUCTURES
Currently the OpenSSL B<ssl> library functions deals with the following data
structures:
=over 4
=item B<SSL_METHOD> (SSL Method)
That's a dispatch structure describing the internal B<ssl> library
methods/functions which implement the various protocol versions (SSLv1, SSLv2
and TLSv1). It's needed to create an B<SSL_CTX>.
=item B<SSL_CIPHER> (SSL Cipher)
This structure holds the algorithm information for a particular cipher which
are a core part of the SSL/TLS protocol. The available ciphers are configured
on a B<SSL_CTX> basis and the actually used ones are then part of the
B<SSL_SESSION>.
=item B<SSL_CTX> (SSL Context)
That's the global context structure which is created by a server or client
once per program life-time and which holds mainly default values for the
B<SSL> structures which are later created for the connections.
=item B<SSL_SESSION> (SSL Session)
This is a structure containing the current TLS/SSL session details for a
connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
=item B<SSL> (SSL Connection)
That's the main SSL/TLS structure which is created by a server or client per
established connection. This actually is the core structure in the SSL API.
Under run-time the application usually deals with this structure which has
links to mostly all other structures.
=back
=head1 HEADER FILES
Currently the OpenSSL B<ssl> library provides the following C header files
@@ -55,46 +118,6 @@ it's already included by ssl.h>.
=back
=head1 DATA STRUCTURES
Currently the OpenSSL B<ssl> library functions deals with the following data
structures:
=over 4
=item B<SSL_METHOD> (SSL Method)
That's a dispatch structure describing the internal B<ssl> library
methods/functions which implement the various protocol versions (SSLv1, SSLv2
and TLSv1). It's needed to create an B<SSL_CTX>.
=item B<SSL_CIPHER> (SSL Cipher)
This structure holds the algorithm information for a particular cipher which
are a core part of the SSL/TLS protocol. The available ciphers are configured
on a B<SSL_CTX> basis and the actually used ones are then part of the
B<SSL_SESSION>.
=item B<SSL_CTX> (SSL Context)
That's the global context structure which is created by a server or client
once per program life-time and which holds mainly default values for the
B<SSL> structures which are later created for the connections.
=item B<SSL_SESSION> (SSL Session)
This is a structure containing the current TLS/SSL session details for a
connection: B<SSL_CIPHER>s, client and server certificates, keys, etc.
=item B<SSL> (SSL Connection)
That's the main SSL/TLS structure which is created by a server or client per
established connection. This actually is the core structure in the SSL API.
Under run-time the application usually deals with this structure which has
links to mostly all other structures.
=back
=head1 API FUNCTIONS
Currently the OpenSSL B<ssl> library exports 214 API functions.
@@ -521,11 +544,11 @@ connection defined in the B<SSL> structure.
=item long B<SSL_num_renegotiations>(SSL *ssl);
=item int B<SSL_peek>(SSL *ssl, char *buf, int num);
=item int B<SSL_peek>(SSL *ssl, void *buf, int num);
=item int B<SSL_pending>(SSL *ssl);
=item int B<SSL_read>(SSL *ssl, char *buf, int num);
=item int B<SSL_read>(SSL *ssl, void *buf, int num);
=item int B<SSL_renegotiate>(SSL *ssl);
@@ -617,7 +640,7 @@ connection defined in the B<SSL> structure.
=item int B<SSL_want_x509_lookup>(s);
=item int B<SSL_write>(SSL *ssl, char *buf, int num);
=item int B<SSL_write>(SSL *ssl, const void *buf, int num);
=back
@@ -625,20 +648,53 @@ connection defined in the B<SSL> structure.
L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>,
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
L<SSL_connect(3)|SSL_connect(3)>,
L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>,
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>,
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>,
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_get_fd(3)|SSL_get_fd(3)>,
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
L<SSL_get_error(3)|SSL_get_error(3)>,
L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
L<SSL_get_fd(3)|SSL_get_fd(3)>,
L<SSL_get_peer_cert_chain(3)|SSL_get_peer_cert_chain(3)>,
L<SSL_get_rbio(3)|SSL_get_rbio(3)>,
L<SSL_get_session(3)|SSL_get_session(3)>,
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
L<SSL_library_init(3)|SSL_library_init(3)>, L<SSL_new(3)|SSL_new(3)>,
L<SSL_get_version(3)|SSL_get_version(3)>,
L<SSL_library_init(3)|SSL_library_init(3)>,
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
L<SSL_new(3)|SSL_new(3)>,
L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>,
L<SSL_set_session(3)|SSL_set_session(3)>,
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>,
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
=head1 HISTORY

2
doc/ssleay.txt
View File

@@ -5743,7 +5743,7 @@ strucutre but also the private key and certificate associated with
EXAMPLES.
So lets play at being a wierd SSL server.
So lets play at being a weird SSL server.
/* setup a context */
ctx=SSL_CTX_new();

2
ms/test.bat
View File

@@ -1,4 +1,4 @@
@echo=off
@echo off
set test=..\ms
set opath=%PATH%

3
rsaref/Makefile.ssl
View File

@@ -39,7 +39,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

3
ssl/Makefile.ssl
View File

@@ -55,7 +55,8 @@ all: lib
lib: $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
$(RANLIB) $(LIB)
@echo You may get an error following this line. Please ignore.
- $(RANLIB) $(LIB)
@touch lib
files:

40
ssl/s23_lib.c
View File

@@ -63,6 +63,7 @@
static int ssl23_num_ciphers(void );
static SSL_CIPHER *ssl23_get_cipher(unsigned int u);
static int ssl23_read(SSL *s, void *buf, int len);
static int ssl23_peek(SSL *s, void *buf, int len);
static int ssl23_write(SSL *s, const void *buf, int len);
static long ssl23_default_timeout(void );
static int ssl23_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
@@ -77,7 +78,7 @@ static SSL_METHOD SSLv23_data= {
ssl_undefined_function,
ssl_undefined_function,
ssl23_read,
(int (*)(struct ssl_st *, char *, int))ssl_undefined_function,
ssl23_peek,
ssl23_write,
ssl_undefined_function,
ssl_undefined_function,
@@ -169,13 +170,6 @@ static int ssl23_read(SSL *s, void *buf, int len)
{
int n;
#if 0
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
s->rwstate=SSL_NOTHING;
return(0);
}
#endif
clear_sys_error();
if (SSL_in_init(s) && (!s->in_handshake))
{
@@ -195,17 +189,33 @@ static int ssl23_read(SSL *s, void *buf, int len)
}
}
static int ssl23_peek(SSL *s, void *buf, int len)
{
int n;
clear_sys_error();
if (SSL_in_init(s) && (!s->in_handshake))
{
n=s->handshake_func(s);
if (n < 0) return(n);
if (n == 0)
{
SSLerr(SSL_F_SSL23_PEEK,SSL_R_SSL_HANDSHAKE_FAILURE);
return(-1);
}
return(SSL_peek(s,buf,len));
}
else
{
ssl_undefined_function(s);
return(-1);
}
}
static int ssl23_write(SSL *s, const void *buf, int len)
{
int n;
#if 0
if (s->shutdown & SSL_SENT_SHUTDOWN)
{
s->rwstate=SSL_NOTHING;
return(0);
}
#endif
clear_sys_error();
if (SSL_in_init(s) && (!s->in_handshake))
{

2
ssl/s23_meth.c
View File

@@ -64,7 +64,7 @@ static SSL_METHOD *ssl23_get_method(int ver);
static SSL_METHOD *ssl23_get_method(int ver)
{
if (ver == SSL2_VERSION)
return(SSLv23_method());
return(SSLv2_method());
else if (ver == SSL3_VERSION)
return(SSLv3_method());
else if (ver == TLS1_VERSION)

1
ssl/s2_clnt.c
View File

@@ -921,6 +921,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
goto err;
}
ERR_clear_error(); /* but we keep s->verify_result */
s->session->verify_result = s->verify_result;
/* server's cert for this session */
sc=ssl_sess_cert_new();

10
ssl/s2_lib.c
View File

@@ -260,7 +260,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
int ssl2_pending(SSL *s)
{
return(s->s2->ract_data_length);
return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
}
int ssl2_new(SSL *s)
@@ -270,10 +270,16 @@ int ssl2_new(SSL *s)
if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
memset(s2,0,sizeof *s2);
#if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2
# error "assertion failed"
#endif
if ((s2->rbuf=OPENSSL_malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
/* wbuf needs one byte more because when using two-byte headers,
* we leave the first byte unused in do_ssl_write (s2_pkt.c) */
if ((s2->wbuf=OPENSSL_malloc(
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err;
s->s2=s2;
ssl2_clear(s);

169
ssl/s2_pkt.c
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include "ssl_locl.h"
#ifndef NO_SSL2
@@ -66,23 +119,12 @@ static int read_n(SSL *s,unsigned int n,unsigned int max,unsigned int extend);
static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len);
static int write_pending(SSL *s, const unsigned char *buf, unsigned int len);
static int ssl_mt_error(int n);
int ssl2_peek(SSL *s, char *buf, int len)
{
int ret;
ret=ssl2_read(s,buf,len);
if (ret > 0)
{
s->s2->ract_data_length+=ret;
s->s2->ract_data-=ret;
}
return(ret);
}
/* SSL_read -
/* SSL 2.0 imlementation for SSL_read/SSL_peek -
* This routine will return 0 to len bytes, decrypted etc if required.
*/
int ssl2_read(SSL *s, void *buf, int len)
static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
{
int n;
unsigned char mac[MAX_MAC_SIZE];
@@ -90,14 +132,14 @@ int ssl2_read(SSL *s, void *buf, int len)
int i;
unsigned int mac_size=0;
ssl2_read_again:
ssl2_read_again:
if (SSL_in_init(s) && !s->in_handshake)
{
n=s->handshake_func(s);
if (n < 0) return(n);
if (n == 0)
{
SSLerr(SSL_F_SSL2_READ,SSL_R_SSL_HANDSHAKE_FAILURE);
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_SSL_HANDSHAKE_FAILURE);
return(-1);
}
}
@@ -114,13 +156,22 @@ ssl2_read_again:
n=len;
memcpy(buf,s->s2->ract_data,(unsigned int)n);
s->s2->ract_data_length-=n;
s->s2->ract_data+=n;
if (s->s2->ract_data_length == 0)
s->rstate=SSL_ST_READ_HEADER;
if (!peek)
{
s->s2->ract_data_length-=n;
s->s2->ract_data+=n;
if (s->s2->ract_data_length == 0)
s->rstate=SSL_ST_READ_HEADER;
}
return(n);
}
/* s->s2->ract_data_length == 0
*
* Fill the buffer, then goto ssl2_read_again.
*/
if (s->rstate == SSL_ST_READ_HEADER)
{
if (s->first_packet)
@@ -133,7 +184,7 @@ ssl2_read_again:
(p[2] == SSL2_MT_CLIENT_HELLO) ||
(p[2] == SSL2_MT_SERVER_HELLO))))
{
SSLerr(SSL_F_SSL2_READ,SSL_R_NON_SSLV2_INITIAL_PACKET);
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_NON_SSLV2_INITIAL_PACKET);
return(-1);
}
}
@@ -211,48 +262,49 @@ ssl2_read_again:
(unsigned int)mac_size) != 0) ||
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
{
SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_MAC_DECODE);
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
return(-1);
}
}
INC32(s->s2->read_sequence); /* expect next number */
/* s->s2->ract_data is now available for processing */
#if 1
/* How should we react when a packet containing 0
* bytes is received? (Note that SSLeay/OpenSSL itself
* never sends such packets; see ssl2_write.)
* Returning 0 would be interpreted by the caller as
* indicating EOF, so it's not a good idea.
* Instead, we just continue reading. Note that using
* select() for blocking sockets *never* guarantees
/* Possibly the packet that we just read had 0 actual data bytes.
* (SSLeay/OpenSSL itself never sends such packets; see ssl2_write.)
* In this case, returning 0 would be interpreted by the caller
* as indicating EOF, so it's not a good idea. Instead, we just
* continue reading; thus ssl2_read_internal may have to process
* multiple packets before it can return.
*
* [Note that using select() for blocking sockets *never* guarantees
* that the next SSL_read will not block -- the available
* data may contain incomplete packets, and except for SSL 2
* renegotiation can confuse things even more. */
* data may contain incomplete packets, and except for SSL 2,
* renegotiation can confuse things even more.] */
goto ssl2_read_again; /* This should really be
* "return ssl2_read(s,buf,len)",
* but that would allow for
* denial-of-service attacks if a
* C compiler is used that does not
* recognize end-recursion. */
#else
/* If a 0 byte packet was sent, return 0, otherwise
* we play havoc with people using select with
* blocking sockets. Let them handle a packet at a time,
* they should really be using non-blocking sockets. */
if (s->s2->ract_data_length == 0)
return(0);
return(ssl2_read(s,buf,len));
#endif
* "return ssl2_read(s,buf,len)",
* but that would allow for
* denial-of-service attacks if a
* C compiler is used that does not
* recognize end-recursion. */
}
else
{
SSLerr(SSL_F_SSL2_READ,SSL_R_BAD_STATE);
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_STATE);
return(-1);
}
}
int ssl2_read(SSL *s, void *buf, int len)
{
return ssl2_read_internal(s, buf, len, 0);
}
int ssl2_peek(SSL *s, void *buf, int len)
{
return ssl2_read_internal(s, buf, len, 1);
}
static int read_n(SSL *s, unsigned int n, unsigned int max,
unsigned int extend)
{
@@ -483,6 +535,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
{
bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx);
j=len+mac_size;
/* Two-byte headers allow for a larger record length than
* three-byte headers, but we can't use them if we need
* padding or if we have to set the escape bit. */
if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) &&
(!s->s2->escape))
{
@@ -498,25 +553,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
}
else if ((bs <= 1) && (!s->s2->escape))
{
/* len=len; */
/* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */
s->s2->three_byte_header=0;
p=0;
}
else /* 3 byte header */
else /* we may have to use a 3 byte header */
{
/*len=len; */
/* If s->s2->escape is not set, then
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus
* j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */
p=(j%bs);
p=(p == 0)?0:(bs-p);
if (s->s2->escape)
{
s->s2->three_byte_header=1;
if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER;
}
else
s->s2->three_byte_header=(p == 0)?0:1;
}
}
/* Now
* j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER
* holds, and if s->s2->three_byte_header is set, then even
* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER.
*/
/* mac_size is the number of MAC bytes
* len is the number of data bytes we are going to send
* p is the number of padding bytes
* if p == 0, it is a 2 byte header */
* (if it is a two-byte header, then p == 0) */
s->s2->wlength=len;
s->s2->padding=p;

4
ssl/s3_both.c
View File

@@ -365,7 +365,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
while (s->init_num < 4)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],
4 - s->init_num);
4 - s->init_num, 0);
if (i <= 0)
{
s->rwstate=SSL_READING;
@@ -434,7 +434,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
n=s->s3->tmp.message_size;
while (n > 0)
{
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n);
i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0);
if (i <= 0)
{
s->rwstate=SSL_READING;

1
ssl/s3_clnt.c
View File

@@ -815,6 +815,7 @@ static int ssl3_get_server_certificate(SSL *s)
X509_free(s->session->peer);
CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
s->session->peer=x;
s->session->verify_result = s->verify_result;
x=NULL;
ret=1;

88
ssl/s3_lib.c
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include <openssl/md5.h>
@@ -638,10 +691,9 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
return(NULL);
}
/* The problem is that it may not be the correct record type */
int ssl3_pending(SSL *s)
{
return(s->s3->rrec.length);
return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? s->s3->rrec.length : 0;
}
int ssl3_new(SSL *s)
@@ -1189,7 +1241,7 @@ int ssl3_shutdown(SSL *s)
else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN))
{
/* If we are waiting for a close from our peer, we are closed */
ssl3_read_bytes(s,0,NULL,0);
ssl3_read_bytes(s,0,NULL,0,0);
}
if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) &&
@@ -1252,14 +1304,14 @@ int ssl3_write(SSL *s, const void *buf, int len)
return(ret);
}
int ssl3_read(SSL *s, void *buf, int len)
static int ssl3_read_internal(SSL *s, void *buf, int len, int peek)
{
int ret;
clear_sys_error();
if (s->s3->renegotiate) ssl3_renegotiate_check(s);
s->s3->in_read_app_data=1;
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
if ((ret == -1) && (s->s3->in_read_app_data == 0))
{
/* ssl3_read_bytes decided to call s->handshake_func, which
@@ -1269,7 +1321,7 @@ int ssl3_read(SSL *s, void *buf, int len)
* by resetting 'in_read_app_data', strangely); so disable
* handshake processing and try to read application data again. */
s->in_handshake++;
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len);
ret=ssl3_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek);
s->in_handshake--;
}
else
@@ -1278,26 +1330,14 @@ int ssl3_read(SSL *s, void *buf, int len)
return(ret);
}
int ssl3_peek(SSL *s, char *buf, int len)
int ssl3_read(SSL *s, void *buf, int len)
{
SSL3_RECORD *rr;
int n;
return ssl3_read_internal(s, buf, len, 0);
}
rr= &(s->s3->rrec);
if ((rr->length == 0) || (rr->type != SSL3_RT_APPLICATION_DATA))
{
n=ssl3_read(s,buf,1);
if (n <= 0) return(n);
rr->length++;
rr->off--;
}
if ((unsigned int)len > rr->length)
n=rr->length;
else
n=len;
memcpy(buf,&(rr->data[rr->off]),(unsigned int)n);
return(n);
int ssl3_peek(SSL *s, void *buf, int len)
{
return ssl3_read_internal(s, buf, len, 1);
}
int ssl3_renegotiate(SSL *s)

24
ssl/s3_pkt.c
View File

@@ -704,7 +704,7 @@ static int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
* Application data protocol
* none of our business
*/
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
{
int al,i,j,ret;
unsigned int n;
@@ -715,7 +715,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
if (!ssl3_setup_buffers(s))
return(-1);
if ((type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type)
if ((type && (type != SSL3_RT_APPLICATION_DATA) && (type != SSL3_RT_HANDSHAKE) && type) ||
(peek && (type != SSL3_RT_APPLICATION_DATA)))
{
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_INTERNAL_ERROR);
return -1;
@@ -728,6 +729,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len)
unsigned char *dst = buf;
unsigned int k;
/* peek == 0 */
n = 0;
while ((len > 0) && (s->s3->handshake_fragment_len > 0))
{
@@ -763,7 +765,7 @@ start:
* s->s3->rrec.length, - number of bytes. */
rr = &(s->s3->rrec);
/* get new packet */
/* get new packet if necessary */
if ((rr->length == 0) || (s->rstate == SSL_ST_READ_BODY))
{
ret=ssl3_get_record(s);
@@ -781,7 +783,8 @@ start:
goto err;
}
/* If the other end has shutdown, throw anything we read away */
/* If the other end has shut down, throw anything we read away
* (even in 'peek' mode) */
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
rr->length=0;
@@ -810,12 +813,15 @@ start:
n = (unsigned int)len;
memcpy(buf,&(rr->data[rr->off]),n);
rr->length-=n;
rr->off+=n;
if (rr->length == 0)
if (!peek)
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
rr->length-=n;
rr->off+=n;
if (rr->length == 0)
{
s->rstate=SSL_ST_READ_HEADER;
rr->off=0;
}
}
return(n);
}

1
ssl/s3_srvr.c
View File

@@ -1414,6 +1414,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,p,i);
memset(p,0,i);
}
else
#endif

16
ssl/ssl.h
View File

@@ -206,7 +206,7 @@ typedef struct ssl_method_st
int (*ssl_accept)(SSL *s);
int (*ssl_connect)(SSL *s);
int (*ssl_read)(SSL *s,void *buf,int len);
int (*ssl_peek)(SSL *s,char *buf,int len);
int (*ssl_peek)(SSL *s,void *buf,int len);
int (*ssl_write)(SSL *s,const void *buf,int len);
int (*ssl_shutdown)(SSL *s);
int (*ssl_renegotiate)(SSL *s);
@@ -1061,9 +1061,9 @@ int SSL_set_trust(SSL *s, int trust);
void SSL_free(SSL *ssl);
int SSL_accept(SSL *ssl);
int SSL_connect(SSL *ssl);
int SSL_read(SSL *ssl,char *buf,int num);
int SSL_peek(SSL *ssl,char *buf,int num);
int SSL_write(SSL *ssl,const char *buf,int num);
int SSL_read(SSL *ssl,void *buf,int num);
int SSL_peek(SSL *ssl,void *buf,int num);
int SSL_write(SSL *ssl,const void *buf,int num);
long SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
long SSL_callback_ctrl(SSL *, int, void (*)());
long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, char *parg);
@@ -1178,7 +1178,7 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void );
#define SSL_CTX_get_read_ahead(ctx) \
SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
#define SSL_CTX_set_read_ahead(ctx,m) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,0,NULL)
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
/* NB: the keylength is only applicable when is_export is true */
#ifndef NO_RSA
@@ -1209,6 +1209,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_SSL_strings(void);
/* Error codes for the SSL functions. */
@@ -1233,12 +1234,15 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL23_CONNECT 117
#define SSL_F_SSL23_GET_CLIENT_HELLO 118
#define SSL_F_SSL23_GET_SERVER_HELLO 119
#define SSL_F_SSL23_PEEK 237
#define SSL_F_SSL23_READ 120
#define SSL_F_SSL23_WRITE 121
#define SSL_F_SSL2_ACCEPT 122
#define SSL_F_SSL2_CONNECT 123
#define SSL_F_SSL2_ENC_INIT 124
#define SSL_F_SSL2_PEEK 234
#define SSL_F_SSL2_READ 125
#define SSL_F_SSL2_READ_INTERNAL 236
#define SSL_F_SSL2_SET_CERTIFICATE 126
#define SSL_F_SSL2_WRITE 127
#define SSL_F_SSL3_ACCEPT 128
@@ -1263,6 +1267,7 @@ int SSL_COMP_add_compression_method(int id,char *cm);
#define SSL_F_SSL3_GET_SERVER_DONE 145
#define SSL_F_SSL3_GET_SERVER_HELLO 146
#define SSL_F_SSL3_OUTPUT_CERT_CHAIN 147
#define SSL_F_SSL3_PEEK 235
#define SSL_F_SSL3_READ_BYTES 148
#define SSL_F_SSL3_READ_N 149
#define SSL_F_SSL3_SEND_CERTIFICATE_REQUEST 150
@@ -1559,4 +1564,3 @@ int SSL_COMP_add_compression_method(int id,char *cm);
}
#endif
#endif

6
ssl/ssl2.h
View File

@@ -134,11 +134,11 @@ extern "C" {
/* Upper/Lower Bounds */
#define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256
#ifdef MPE
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u
#else
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767
#define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */
#endif
#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/
#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */
#define SSL2_CHALLENGE_LENGTH 16
/*#define SSL2_CHALLENGE_LENGTH 32 */

4
ssl/ssl_algs.c
View File

@@ -88,9 +88,13 @@ int SSL_library_init(void)
#ifndef NO_SHA
EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
#endif
#if !defined(NO_SHA) && !defined(NO_DSA)
EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);
EVP_add_digest_alias(SN_dsaWithSHA1,"DSS1");
EVP_add_digest_alias(SN_dsaWithSHA1,"dss1");
#endif
/* If you want support for phased out ciphers, add the following */

4
ssl/ssl_err.c
View File

@@ -86,12 +86,15 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL23_CONNECT,0), "SSL23_CONNECT"},
{ERR_PACK(0,SSL_F_SSL23_GET_CLIENT_HELLO,0), "SSL23_GET_CLIENT_HELLO"},
{ERR_PACK(0,SSL_F_SSL23_GET_SERVER_HELLO,0), "SSL23_GET_SERVER_HELLO"},
{ERR_PACK(0,SSL_F_SSL23_PEEK,0), "SSL23_PEEK"},
{ERR_PACK(0,SSL_F_SSL23_READ,0), "SSL23_READ"},
{ERR_PACK(0,SSL_F_SSL23_WRITE,0), "SSL23_WRITE"},
{ERR_PACK(0,SSL_F_SSL2_ACCEPT,0), "SSL2_ACCEPT"},
{ERR_PACK(0,SSL_F_SSL2_CONNECT,0), "SSL2_CONNECT"},
{ERR_PACK(0,SSL_F_SSL2_ENC_INIT,0), "SSL2_ENC_INIT"},
{ERR_PACK(0,SSL_F_SSL2_PEEK,0), "SSL2_PEEK"},
{ERR_PACK(0,SSL_F_SSL2_READ,0), "SSL2_READ"},
{ERR_PACK(0,SSL_F_SSL2_READ_INTERNAL,0), "SSL2_READ_INTERNAL"},
{ERR_PACK(0,SSL_F_SSL2_SET_CERTIFICATE,0), "SSL2_SET_CERTIFICATE"},
{ERR_PACK(0,SSL_F_SSL2_WRITE,0), "SSL2_WRITE"},
{ERR_PACK(0,SSL_F_SSL3_ACCEPT,0), "SSL3_ACCEPT"},
@@ -116,6 +119,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_DONE,0), "SSL3_GET_SERVER_DONE"},
{ERR_PACK(0,SSL_F_SSL3_GET_SERVER_HELLO,0), "SSL3_GET_SERVER_HELLO"},
{ERR_PACK(0,SSL_F_SSL3_OUTPUT_CERT_CHAIN,0), "SSL3_OUTPUT_CERT_CHAIN"},
{ERR_PACK(0,SSL_F_SSL3_PEEK,0), "SSL3_PEEK"},
{ERR_PACK(0,SSL_F_SSL3_READ_BYTES,0), "SSL3_READ_BYTES"},
{ERR_PACK(0,SSL_F_SSL3_READ_N,0), "SSL3_READ_N"},
{ERR_PACK(0,SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,0), "SSL3_SEND_CERTIFICATE_REQUEST"},

15
ssl/ssl_lib.c
View File

@@ -119,7 +119,9 @@ int SSL_clear(SSL *s)
s->client_version=s->version;
s->rwstate=SSL_NOTHING;
s->rstate=SSL_ST_READ_HEADER;
#if 0
s->read_ahead=s->ctx->read_ahead;
#endif
if (s->init_buf != NULL)
{
@@ -229,6 +231,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->server=(ctx->method->ssl_accept == ssl_undefined_function)?0:1;
s->options=ctx->options;
s->mode=ctx->mode;
s->read_ahead=ctx->read_ahead; /* used to happen in SSL_clear */
SSL_clear(s);
CRYPTO_new_ex_data(ssl_meth,s,&s->ex_data);
@@ -705,7 +708,7 @@ long SSL_get_default_timeout(SSL *s)
return(s->method->get_timeout());
}
int SSL_read(SSL *s,char *buf,int num)
int SSL_read(SSL *s,void *buf,int num)
{
if (s->handshake_func == 0)
{
@@ -721,8 +724,14 @@ int SSL_read(SSL *s,char *buf,int num)
return(s->method->ssl_read(s,buf,num));
}
int SSL_peek(SSL *s,char *buf,int num)
int SSL_peek(SSL *s,void *buf,int num)
{
if (s->handshake_func == 0)
{
SSLerr(SSL_F_SSL_READ, SSL_R_UNINITIALIZED);
return -1;
}
if (s->shutdown & SSL_RECEIVED_SHUTDOWN)
{
return(0);
@@ -730,7 +739,7 @@ int SSL_peek(SSL *s,char *buf,int num)
return(s->method->ssl_peek(s,buf,num));
}
int SSL_write(SSL *s,const char *buf,int num)
int SSL_write(SSL *s,const void *buf,int num)
{
if (s->handshake_func == 0)
{

59
ssl/ssl_locl.h
View File

@@ -55,6 +55,59 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_SSL_LOCL_H
#define HEADER_SSL_LOCL_H
@@ -463,7 +516,7 @@ void ssl2_free(SSL *s);
int ssl2_accept(SSL *s);
int ssl2_connect(SSL *s);
int ssl2_read(SSL *s, void *buf, int len);
int ssl2_peek(SSL *s, char *buf, int len);
int ssl2_peek(SSL *s, void *buf, int len);
int ssl2_write(SSL *s, const void *buf, int len);
int ssl2_shutdown(SSL *s);
void ssl2_clear(SSL *s);
@@ -494,7 +547,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u);
int ssl3_renegotiate(SSL *ssl);
int ssl3_renegotiate_check(SSL *ssl);
int ssl3_dispatch_alert(SSL *s);
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len);
int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek);
int ssl3_write_bytes(SSL *s, int type, const void *buf, int len);
int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
const char *sender, int slen,unsigned char *p);
@@ -511,7 +564,7 @@ void ssl3_free(SSL *s);
int ssl3_accept(SSL *s);
int ssl3_connect(SSL *s);
int ssl3_read(SSL *s, void *buf, int len);
int ssl3_peek(SSL *s,char *buf, int len);
int ssl3_peek(SSL *s, void *buf, int len);
int ssl3_write(SSL *s, const void *buf, int len);
int ssl3_shutdown(SSL *s);
void ssl3_clear(SSL *s);

1
ssl/ssl_sess.c
View File

@@ -508,6 +508,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session)
if (s->session != NULL)
SSL_SESSION_free(s->session);
s->session=session;
s->verify_result = s->session->verify_result;
/* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/
ret=1;
}

2
test/Makefile.ssl
View File

@@ -192,7 +192,7 @@ test_bn:
@./$(BNTEST) >tmp.bntest
@echo quit >>tmp.bntest
@echo "running bc"
@bc tmp.bntest 2>&1 | $(PERL) -e 'while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} print STDERR "."; $$i++;} print STDERR "\n$$i tests passed\n"'
@<tmp.bntest sh -c "`sh ./bctest`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
@echo 'test a^b%c implementations'
./$(EXPTEST)

6
util/libeay.num
View File

@@ -301,8 +301,8 @@ EVP_des_ede_cfb 308 EXIST::FUNCTION:DES
EVP_des_ede_ofb 309 EXIST::FUNCTION:DES
EVP_des_ofb 310 EXIST::FUNCTION:DES
EVP_desx_cbc 311 EXIST::FUNCTION:DES
EVP_dss 312 EXIST::FUNCTION:DSA
EVP_dss1 313 EXIST::FUNCTION:DSA
EVP_dss 312 EXIST::FUNCTION:DSA,SHA
EVP_dss1 313 EXIST::FUNCTION:DSA,SHA
EVP_enc_null 314 EXIST::FUNCTION:
EVP_get_cipherbyname 315 EXIST::FUNCTION:
EVP_get_digestbyname 316 EXIST::FUNCTION:
@@ -926,7 +926,7 @@ PKCS7_add_signature 938 EXIST::FUNCTION:
PKCS7_cert_from_signer_info 939 EXIST::FUNCTION:
PKCS7_get_signer_info 940 EXIST::FUNCTION:
EVP_delete_alias 941 NOEXIST::FUNCTION:
EVP_mdc2 942 EXIST::FUNCTION:
EVP_mdc2 942 EXIST::FUNCTION:MDC2
PEM_read_bio_RSAPublicKey 943 EXIST::FUNCTION:RSA
PEM_write_bio_RSAPublicKey 944 EXIST::FUNCTION:RSA
d2i_RSAPublicKey_bio 945 EXIST::FUNCTION:RSA

26
util/mkdef.pl
View File

@@ -119,7 +119,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-rc4$/) { $no_rc4=1; }
elsif (/^no-rc5$/) { $no_rc5=1; }
elsif (/^no-idea$/) { $no_idea=1; }
elsif (/^no-des$/) { $no_des=1; }
elsif (/^no-des$/) { $no_des=1; $no_mdc2=1; }
elsif (/^no-bf$/) { $no_bf=1; }
elsif (/^no-cast$/) { $no_cast=1; }
elsif (/^no-md2$/) { $no_md2=1; }
@@ -705,7 +705,8 @@ EOF
} else {
(my $n, my $i) = split /\\/, $nums{$s};
my %pf = ();
my @p = split(/,/, ($i =~ /^.*?:(.*?):/,$1));
my @p = split(/,/, ($i =~ /^[^:]*:([^:]*):/,$1));
my @a = split(/,/, ($i =~ /^[^:]*:[^:]*:[^:]*:([^:]*)/,$1));
# @p_purged must contain hardware platforms only
my @p_purged = ();
foreach $ptmp (@p) {
@@ -727,7 +728,26 @@ EOF
|| (!$negatives
&& ($rsaref || !grep(/^RSAREF$/,@p)))
|| ($negatives
&& (!$rsaref || !grep(/^!RSAREF$/,@p))))) {
&& (!$rsaref || !grep(/^!RSAREF$/,@p))))
&& (!@a || (!$no_rc2 || !grep(/^RC2$/,@a)))
&& (!@a || (!$no_rc4 || !grep(/^RC4$/,@a)))
&& (!@a || (!$no_rc5 || !grep(/^RC5$/,@a)))
&& (!@a || (!$no_idea || !grep(/^IDEA$/,@a)))
&& (!@a || (!$no_des || !grep(/^DES$/,@a)))
&& (!@a || (!$no_bf || !grep(/^BF$/,@a)))
&& (!@a || (!$no_cast || !grep(/^CAST$/,@a)))
&& (!@a || (!$no_md2 || !grep(/^MD2$/,@a)))
&& (!@a || (!$no_md4 || !grep(/^MD4$/,@a)))
&& (!@a || (!$no_md5 || !grep(/^MD5$/,@a)))
&& (!@a || (!$no_sha || !grep(/^SHA$/,@a)))
&& (!@a || (!$no_ripemd || !grep(/^RIPEMD$/,@a)))
&& (!@a || (!$no_mdc2 || !grep(/^MDC2$/,@a)))
&& (!@a || (!$no_rsa || !grep(/^RSA$/,@a)))
&& (!@a || (!$no_dsa || !grep(/^DSA$/,@a)))
&& (!@a || (!$no_dh || !grep(/^DH$/,@a)))
&& (!@a || (!$no_hmac || !grep(/^HMAC$/,@a)))
&& (!@a || (!$no_fp_api || !grep(/^FP_API$/,@a)))
) {
printf OUT " %s%-40s@%d\n",($W32)?"":"_",$s,$n;
# } else {
# print STDERR "DEBUG: \"$sym\" (@p):",

2
util/pod2man.pl
View File

@@ -416,6 +416,8 @@ if ($name ne 'something') {
warn "$0: Improper man page - malformed NAME header in paragraph $. of $ARGV[0]\n"
}
else {
$n[0] =~ s/\n/ /;
$n[1] =~ s/\n/ /;
%namedesc = @n;
}
}