From fc56b529249c0a40df035c35c0cac91cae5c6eaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Thu, 8 Jan 2004 07:38:15 +0000 Subject: [PATCH 001/112] Updates to s_time manual page PR: #570 Submitted by: Martin Witzel --- doc/apps/s_time.pod | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod index a7e3c3e5b..5a38aa2e0 100644 --- a/doc/apps/s_time.pod +++ b/doc/apps/s_time.pod @@ -117,6 +117,12 @@ the server determines which cipher suite is used it should take the first supported cipher in the list sent by the client. See the L command for more information. +=item B<-time length> + +specifies how long (in seconds) B should establish connections and +optionally transfer payload data from a server. Server and client performance +and the link speed determine how many connections B can establish. + =back =head1 NOTES @@ -127,7 +133,7 @@ To connect to an SSL HTTP server and get the default page the command openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] would typically be used (https uses port 443). 'commoncipher' is a cipher to -which both client and server can agree, see the L command +which both client and server can agree, see the L command for details. If the handshake fails then there are several possible causes, if it is From cdb42bcf0cbd5e7625ebab7c3df7caf8eb94764d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Thu, 8 Jan 2004 07:46:37 +0000 Subject: [PATCH 002/112] Cover all DSA setups when running tests PR: #748 Submitted by: Kirill Kochetkov --- apps/speed.c | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/speed.c b/apps/speed.c index d15b06e24..4c7cdcd00 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -976,6 +976,7 @@ int MAIN(int argc, char **argv) { dsa_doit[R_DSA_512]=1; dsa_doit[R_DSA_1024]=1; + dsa_doit[R_DSA_2048]=1; } else #endif From af6dab9b003c030512442d92a65c85b2e454beef Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 10 Jan 2004 18:04:38 +0000 Subject: [PATCH 003/112] Adding a slash between the directoryt and the file is a problem with VMS. The C RTL can handle it well if the "directory" is a logical name with no colon, therefore ending being 'logname/file'. However, if the given logical names actually has a colon, or if you use a full VMS-syntax directory, you end up with 'logname:/file' or 'dev:[dir1.dir2]/file', and that isn't handled in any good way. So, on VMS, we need to check if the directory string ends with a separator (one of ':', ']' or '>' (< and > can be used instead [ and ])), and handle that by not inserting anything between the directory spec and the file name. In all other cases, it's assumed the directory spec is a logical name, so we need to place a colon between it and the file. Notified by Kevin Greaney . --- crypto/x509/by_dir.c | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index a9752d6a0..c9bfe40ab 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -302,9 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, k=0; for (;;) { - BIO_snprintf(b->data,b->max, - "%s/%08lx.%s%d",ctx->dirs[i],h, - postfix,k); + char c = '/'; +#ifdef OPENSSL_SYS_VMS + char c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + if (c != ':' && c != '>' && c != ']') + { + /* If no separator is present, we assume the + directory specifier is a logical name, and + add a colon. We really should use better + VMS routines for merging things like this, + but this will do for now... + -- Richard Levitte */ + c = ':'; + } + else + { + c = '\0'; + } +#endif + if (c == '\0') + { + /* This is special. When c == '\0', no + directory separator should be added. */ + BIO_snprintf(b->data,b->max, + "%s%08lx.%s%d",ctx->dirs[i],h, + postfix,k); + } + else + { + BIO_snprintf(b->data,b->max, + "%s%c%08lx.%s%d",ctx->dirs[i],c,h, + postfix,k); + } k++; if (stat(b->data,&st) < 0) break; From 30cb9ec7150659f8272c28ce125e2e0f27cc6854 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Wed, 21 Jan 2004 08:17:08 +0000 Subject: [PATCH 004/112] SHA-1 assembler tune-up for Intel P4 --- crypto/sha/asm/sha1-586.pl | 291 +++++++++++-------------------------- 1 file changed, 88 insertions(+), 203 deletions(-) diff --git a/crypto/sha/asm/sha1-586.pl b/crypto/sha/asm/sha1-586.pl index fe51fd079..e00f70955 100644 --- a/crypto/sha/asm/sha1-586.pl +++ b/crypto/sha/asm/sha1-586.pl @@ -1,5 +1,30 @@ #!/usr/local/bin/perl +# It was noted that Intel IA-32 C compiler generates code which +# performs ~30% *faster* on P4 CPU than original *hand-coded* +# SHA1 assembler implementation. To address this problem (and +# prove that humans are still better than machines:-), the +# original code was overhauled, which resulted in following +# performance changes: +# +# compared with original compared with Intel cc +# assembler impl. generated code +# Pentium -25% +37% +# PIII/AMD +8% +16% +# P4 +85%(!) +45% +# +# As you can see Pentium came out as looser:-( Yet I reckoned that +# improvement on P4 outweights the loss and incorporate this +# re-tuned code to 0.9.7 and later. +# ---------------------------------------------------------------- +# Those who for any particular reason absolutely must score on +# Pentium can replace this module with one from 0.9.6 distribution. +# This "offer" shall be revoked the moment programming interface to +# this module is changed, in which case this paragraph should be +# removed. +# ---------------------------------------------------------------- +# + $normal=0; push(@INC,"perlasm","../../perlasm"); @@ -77,54 +102,21 @@ sub BODY_00_15 { local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; -return if $n & 1; &comment("00_15 $n"); - &mov($f,$c); - &mov($tmp1,$a); - &xor($f,$d); # F2 - - &rotl($tmp1,5); # A2 - - &and($f,$b); # F3 - &add($tmp1,$e); - - &rotr($b,1); # B1 <- F - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,$c); - - &add($a,$tmp1); # MOVED DOWN - &xor($f,$d); # F2 - - &mov($tmp1,$a); - &and($f,$b); # F3 - - &rotl($tmp1,5); # A2 - - &add($tmp1,$e); - &mov($e,&swtmp($n)); # G1 - - &rotr($b,1); # B1 <- F - &xor($f,$d); # F4 - - &rotr($b,1); # B1 <- F - &lea($tmp1,&DWP($K,$tmp1,$e,1)); - - &add($f,$tmp1); + &mov($f,$c); # f to hold F_00_19(b,c,d) + &rotl($tmp1,5); # tmp1=ROTATE(a,5) + &xor($f,$d); + &and($f,$b); + &rotr($b,2); # b=ROTATE(b,30) + &add($tmp1,$e); # tmp1+=e; + &mov($e,&swtmp($n)); # e becomes volatile and + # is loaded with xi + &xor($f,$d); # f holds F_00_19(b,c,d) + &lea($tmp1,&DWP($K,$tmp1,$e,1));# tmp1+=K_00_19+xi + + &add($f,$tmp1); # f+=tmp1 } sub BODY_16_19 @@ -132,66 +124,24 @@ sub BODY_16_19 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; local($n0,$n1,$n2,$n3,$np)=&Na($n); -return if $n & 1; &comment("16_19 $n"); - &nop() if ($pos < 0); -&mov($tmp1,&swtmp($n0)); # X1 - &mov($f,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$c); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$d); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$b); # F3 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &xor($tmp1,$d); # F4 -&mov($e,$a); # A1 - &add($f,$tmp1); # tot+=F(); - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); #&rotr($b,1); # B1 <- F # MOVED DOWN - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$c); # F1 -&xor($tmp1,$d); # F2 - &mov(&swtmp($n0),$f); # X9 - anytime -&and($tmp1,$b); # F3 - &lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - -&xor($tmp1,$d); # F4 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($f,$e); # tot+=a - -&rotr($b,1); # B1 <- F - &add($f,$tmp1); # tot+=F(); - + &mov($f,&swtmp($n1)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$c); # tmp1 to hold F_00_19(b,c,d) + &xor($f,&swtmp($n0)); + &xor($tmp1,$d); + &xor($f,&swtmp($n2)); + &and($tmp1,$b); # tmp1 holds F_00_19(b,c,d) + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotr($b,2); # b=ROTATE(b,30) + &xor($tmp1,$d); # tmp1=F_00_19(b,c,d) + &rotl($f,1); # f=ROATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_00_19+e + &mov($e,$a); # e becomes volatile + &add($f,$tmp1); # f+=F_00_19(b,c,d) + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_20_39 @@ -201,42 +151,21 @@ sub BODY_20_39 &comment("20_39 $n"); local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &xor($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &xor($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -if ($n != 79) # last loop - { - &rotr($b,1); # B1 <- F - &add($e,$tmp1); # tmp1=F()+a - - &rotr($b,1); # B2 <- F - &add($f,$e); # tot+=tmp1; - } -else - { - &add($e,$tmp1); # tmp1=F()+a - &mov($tmp1,&wparam(0)); - - &rotr($b,1); # B1 <- F - &add($f,$e); # tot+=tmp1; - - &rotr($b,1); # B2 <- F - } + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_20_39(b,c,d) + &xor($f,&swtmp($n1)); + &rotr($b,2); # b=ROTATE(b,30) + &xor($f,&swtmp($n2)); + &xor($tmp1,$c); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &xor($tmp1,$d); # tmp1 holds F_20_39(b,c,d) + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_20_39+e + &mov($e,$a); # e becomes volatile + &rotl($e,5); # e=ROTATE(a,5) + &add($f,$tmp1); # f+=F_20_39(b,c,d) + &add($f,$e); # f+=ROTATE(a,5) } sub BODY_40_59 @@ -244,70 +173,27 @@ sub BODY_40_59 local($pos,$K,$X,$n,$a,$b,$c,$d,$e,$f)=@_; &comment("40_59 $n"); - return if $n & 1; local($n0,$n1,$n2,$n3,$np)=&Na($n); -&mov($f,&swtmp($n0)); # X1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&xor($f,$tmp1); # X7 - slot - &mov($tmp1,$b); # F1 -&rotl($f,1); # X8 - slot - &or($tmp1,$c); # F2 -&mov(&swtmp($n0),$f); # X9 - anytime - &and($tmp1,$d); # F3 - -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 - -&rotr($b,1); # B1 <- F - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&add($tmp1,$e); # tmp1=F()+a - -############################ -# &BODY_40_59( 0,$K[2],$X,42,$A,$B,$C,$D,$E,$T); -# &BODY_40_59( 0,$K[2],$X,43,$T,$A,$B,$C,$D,$E); -$n++; - local($n0,$n1,$n2,$n3,$np)=&Na($n); - ($b,$c,$d,$e,$f,$a)=($a,$b,$c,$d,$e,$f); - - &mov($f,&swtmp($n0)); # X1 -&add($a,$tmp1); # tot+=tmp1; # moved was add f,tmp1 - &mov($tmp1,&swtmp($n1)); # X2 -&xor($f,$tmp1); # X3 - &mov($tmp1,&swtmp($n2)); # X4 -&xor($f,$tmp1); # X5 - &mov($tmp1,&swtmp($n3)); # X6 -&rotr($c,1); # B2 <- F # moved was rotr b,1 - &xor($f,$tmp1); # X7 - slot -&rotl($f,1); # X8 - slot - &mov($tmp1,$b); # F1 -&mov(&swtmp($n0),$f); # X9 - anytime - &or($tmp1,$c); # F2 -&lea($f,&DWP($K,$f,$e,1)); # tot=X+K+e - &mov($e,$b); # F4 -&and($tmp1,$d); # F3 - &and($e,$c); # F5 - -&or($tmp1,$e); # F6 - &mov($e,$a); # A1 - -&rotl($e,5); # A2 - -&rotr($b,1); # B1 <- F - &add($tmp1,$e); # tmp1=F()+a - -&rotr($b,1); # B2 <- F - &add($f,$tmp1); # tot+=tmp1; + &mov($f,&swtmp($n0)); # f to hold Xupdate(xi,xa,xb,xc,xd) + &mov($tmp1,$b); # tmp1 to hold F_40_59(b,c,d) + &xor($f,&swtmp($n1)); + &or($tmp1,$c); + &xor($f,&swtmp($n2)); + &and($tmp1,$d); + &xor($f,&swtmp($n3)); # f holds xa^xb^xc^xd + &rotl($f,1); # f=ROTATE(f,1) + &mov(&swtmp($n0),$f); # xi=f + &lea($f,&DWP($K,$f,$e,1)); # f+=K_40_59+e + &mov($e,$b); # e becomes volatile and is used + # to calculate F_40_59(b,c,d) + &rotr($b,2); # b=ROTATE(b,30) + &and($e,$c); + &or($tmp1,$e); # tmp1 holds F_40_59(b,c,d) + &mov($e,$a); + &rotl($e,5); # e=ROTATE(a,5) + &add($tmp1,$e); # tmp1+=ROTATE(a,5) + &add($f,$tmp1); # f+=tmp1; } sub BODY_60_79 @@ -495,8 +381,7 @@ sub sha1_block_data # C -> E # D -> T - # The last 2 have been moved into the last loop - # &mov($tmp1,&wparam(0)); + &mov($tmp1,&wparam(0)); &mov($D, &DWP(12,$tmp1,"",0)); &add($D,$B); From 815d7057bee1d9171d2fcde9f85084f3b23aa8f9 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 21 Jan 2004 13:08:11 +0000 Subject: [PATCH 005/112] Replace expired certificate. --- certs/expired/vsign3.pem | 18 ++++++++++++++++++ certs/vsign3.pem | 27 +++++++++++++-------------- 2 files changed, 31 insertions(+), 14 deletions(-) create mode 100644 certs/expired/vsign3.pem diff --git a/certs/expired/vsign3.pem b/certs/expired/vsign3.pem new file mode 100644 index 000000000..aa5bb4c1f --- /dev/null +++ b/certs/expired/vsign3.pem @@ -0,0 +1,18 @@ +subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority +notBefore=Jan 29 00:00:00 1996 GMT +notAfter=Jan 7 23:59:59 2004 GMT +-----BEGIN CERTIFICATE----- +MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ +BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh +c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 +NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD +VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp +bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB +jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo +RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4 +rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN +BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp +STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH +ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ +pA== +-----END CERTIFICATE----- diff --git a/certs/vsign3.pem b/certs/vsign3.pem index aa5bb4c1f..4b8c0251c 100644 --- a/certs/vsign3.pem +++ b/certs/vsign3.pem @@ -1,18 +1,17 @@ subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority notBefore=Jan 29 00:00:00 1996 GMT -notAfter=Jan 7 23:59:59 2004 GMT +notAfter=Aug 1 23:59:59 2028 GMT -----BEGIN CERTIFICATE----- -MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ -BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh -c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05 -NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD -VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp -bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB -jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo -RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4 -rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN -BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp -STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH -ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ -pA== +MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG +A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz +cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 +MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV +BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt +YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN +ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE +BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is +I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G +CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do +lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc +AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k -----END CERTIFICATE----- From 9d5c3c1939ba9cdcc8b7cc0d1e56be2bab9a8a76 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 22 Jan 2004 22:36:46 +0000 Subject: [PATCH 006/112] Typo... --- crypto/x509/by_dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index c9bfe40ab..620734047 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -304,7 +304,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, { char c = '/'; #ifdef OPENSSL_SYS_VMS - char c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; + c = ctx->dirs[i][strlen(ctx->dirs[i])-1]; if (c != ':' && c != '>' && c != ']') { /* If no separator is present, we assume the From a5e8bcfb7b276aa259a991f05d8f9860b904171e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 24 Jan 2004 01:16:02 +0000 Subject: [PATCH 007/112] We're passed p, so let's use p instead of making assumptions. --- crypto/err/err.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/err/err.c b/crypto/err/err.c index 04cea41d0..e28ec56ff 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -594,11 +594,11 @@ static void build_SYS_str_reasons() #define err_clear(p,i) \ do { \ - es->err_flags[i]=0; \ - es->err_buffer[i]=0; \ + (p)->err_flags[i]=0; \ + (p)->err_buffer[i]=0; \ err_clear_data(p,i); \ - es->err_file[i]=NULL; \ - es->err_line[i]= -1; \ + (p)->err_file[i]=NULL; \ + (p)->err_line[i]= -1; \ } while(0) static void ERR_STATE_free(ERR_STATE *s) From 7f24b1c3e9c61b7bab6a2365e9988d536092fb4b Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sat, 24 Jan 2004 16:31:21 +0000 Subject: [PATCH 008/112] Get rid of bogus warning when compiling with Sun vendor compiler. --- crypto/ec/ec.h | 8 ++++++++ crypto/ec/ec_lcl.h | 5 +++++ 2 files changed, 13 insertions(+) diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 8f4d4e181..db15a8193 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -84,6 +84,10 @@ #ifdef __cplusplus extern "C" { +#elif defined(__SUNPRO_C) +# if __SUNPRO_C >= 0x520 +# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) +# endif #endif @@ -501,5 +505,9 @@ void ERR_load_EC_strings(void); #ifdef __cplusplus } +#elif defined(__SUNPRO_C) +# if __SUNPRO_C >= 0x520 +# pragma error_messages (default,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) +# endif #endif #endif diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index f59fe0e44..9becad828 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -75,6 +75,11 @@ #include #include +#if defined(__SUNPRO_C) +# if __SUNPRO_C >= 0x520 +# pragma error_messages (off,E_ARRAY_OF_INCOMPLETE_NONAME,E_ARRAY_OF_INCOMPLETE) +# endif +#endif /* Structure details are not part of the exported interface, * so all this may change in future versions. */ From 3a160f1dc6c312495d65fdfabd8f86c0071975c2 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sat, 24 Jan 2004 16:51:59 +0000 Subject: [PATCH 009/112] Fix declaration inconsistency in ecparam.c. --- apps/ecparam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/ecparam.c b/apps/ecparam.c index 010e214e5..06e4d6602 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -701,7 +701,7 @@ end: OPENSSL_EXIT(ret); } -int ecparam_print_var(BIO *out, BIGNUM *in, const char *var, +static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var, int len, unsigned char *buffer) { BIO_printf(out, "static unsigned char %s_%d[] = {", var, len); From 27b2b78f9053dde311378689322903b65ed2e691 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sun, 25 Jan 2004 10:53:43 +0000 Subject: [PATCH 010/112] Even though C specification explicitly says that constant type "stretches" automatically to accomodate the value, some compilers fail to do so. Most notably 0x0123456789ABCDEF should come out as long long in 32-bit context, but HP compiler truncates it to 32-bit value. Which in turn breaks GF(2^m) arithmetics in hpux-parisc2-cc build. Therefore this fix... --- crypto/bn/bn_gf2m.c | 2 +- crypto/bn/bn_nist.c | 32 +++++++++++++++++++------------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c index fb3a8a9c7..30520eede 100644 --- a/crypto/bn/bn_gf2m.c +++ b/crypto/bn/bn_gf2m.c @@ -228,7 +228,7 @@ static void bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG tab[16], top3b = a >> 61; register BN_ULONG a1, a2, a4, a8; - a1 = a & (0x1FFFFFFFFFFFFFFF); a2 = a1 << 1; a4 = a2 << 1; a8 = a4 << 1; + a1 = a & (0x1FFFFFFFFFFFFFFFULL); a2 = a1 << 1; a4 = a2 << 1; a8 = a4 << 1; tab[ 0] = 0; tab[ 1] = a1; tab[ 2] = a2; tab[ 3] = a1^a2; tab[ 4] = a4; tab[ 5] = a1^a4; tab[ 6] = a2^a4; tab[ 7] = a1^a2^a4; diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index 6aa196f6f..f30f6c65d 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -63,19 +63,25 @@ #define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2 #if BN_BITS2 == 64 -const static BN_ULONG _nist_p_192[] = {0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFE, - 0xFFFFFFFFFFFFFFFF}; -const static BN_ULONG _nist_p_224[] = {0x0000000000000001,0xFFFFFFFF00000000, - 0xFFFFFFFFFFFFFFFF,0x00000000FFFFFFFF}; -const static BN_ULONG _nist_p_256[] = {0xFFFFFFFFFFFFFFFF,0x00000000FFFFFFFF, - 0x0000000000000000,0xFFFFFFFF00000001}; -const static BN_ULONG _nist_p_384[] = {0x00000000FFFFFFFF,0xFFFFFFFF00000000, - 0xFFFFFFFFFFFFFFFE,0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF, - 0xFFFFFFFFFFFFFFFF}; -const static BN_ULONG _nist_p_521[] = {0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF, - 0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF, - 0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF,0xFFFFFFFFFFFFFFFF, - 0x00000000000001FF}; +const static BN_ULONG _nist_p_192[] = + {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL, + 0xFFFFFFFFFFFFFFFFULL}; +const static BN_ULONG _nist_p_224[] = + {0x0000000000000001ULL,0xFFFFFFFF00000000ULL, + 0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL}; +const static BN_ULONG _nist_p_256[] = + {0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL, + 0x0000000000000000ULL,0xFFFFFFFF00000001ULL}; +const static BN_ULONG _nist_p_384[] = + {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL, + 0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL, + 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL}; +const static BN_ULONG _nist_p_521[] = + {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL, + 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL, + 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL, + 0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL, + 0x00000000000001FFULL}; #elif BN_BITS2 == 32 const static BN_ULONG _nist_p_192[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE, 0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}; From 4de65cbc06c28f9512d88be159bd6f770fb15a14 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 26 Jan 2004 23:45:32 +0000 Subject: [PATCH 011/112] S_IFBLK and S_IFCHR may not exist in some places (like Windows), so let's check for those macros, and if they aren't defined, let's assume there aren't Unixly devices on this platform. --- crypto/rand/randfile.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index f1f250c5b..8b072e067 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -110,6 +110,7 @@ int RAND_load_file(const char *file, long bytes) in=fopen(file,"rb"); if (in == NULL) goto err; +#if defined(S_IFBLK) && !defined(S_IFCHR) if (sb.st_mode & (S_IFBLK | S_IFCHR)) { /* this file is a device. we don't want read an infinite number * of bytes from a random device, nor do we want to use buffered @@ -118,6 +119,7 @@ int RAND_load_file(const char *file, long bytes) bytes = (bytes == -1) ? 2048 : bytes; /* ok, is 2048 enough? */ setvbuf(in, NULL, _IONBF, 0); /* don't do buffered reads */ } +#endif for (;;) { if (bytes > 0) @@ -151,6 +153,7 @@ int RAND_write_file(const char *file) i=stat(file,&sb); if (i != -1) { +#if defined(S_IFBLK) && !defined(S_IFCHR) if (sb.st_mode & (S_IFBLK | S_IFCHR)) { /* this file is a device. we don't write back to it. * we "succeed" on the assumption this is some sort @@ -159,6 +162,7 @@ int RAND_write_file(const char *file) */ return(1); } +#endif } #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) From 87203dc99aeaf3ef50b3df4ac99f2471d06434eb Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 27 Jan 2004 01:16:38 +0000 Subject: [PATCH 012/112] Avoid signed vs. unsigned warnings (which are treated like errors on Windows). --- crypto/asn1/a_gentm.c | 2 +- crypto/asn1/a_utctm.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/asn1/a_gentm.c b/crypto/asn1/a_gentm.c index 1aba86d0d..858100786 100644 --- a/crypto/asn1/a_gentm.c +++ b/crypto/asn1/a_gentm.c @@ -220,7 +220,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < len)) + if ((p == NULL) || ((size_t)s->length < len)) { p=OPENSSL_malloc(len); if (p == NULL) return(NULL); diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c index 6bc609a90..999852dae 100644 --- a/crypto/asn1/a_utctm.c +++ b/crypto/asn1/a_utctm.c @@ -200,7 +200,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t) return(NULL); p=(char *)s->data; - if ((p == NULL) || (s->length < len)) + if ((p == NULL) || ((size_t)s->length < len)) { p=OPENSSL_malloc(len); if (p == NULL) return(NULL); From 8c6336b0aac8c34584116d2c05b6d828dc9d8ae6 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Tue, 27 Jan 2004 21:47:35 +0000 Subject: [PATCH 013/112] CFB DES sync-up with FIPS branch. --- crypto/des/cfb64ede.c | 111 ++++++++++++++++++++++++++++++++++++++++++ crypto/des/cfb_enc.c | 86 +++++++++++++++++--------------- crypto/evp/e_des.c | 37 +++++++++++++- crypto/evp/e_des3.c | 45 +++++++++++++++-- 4 files changed, 235 insertions(+), 44 deletions(-) diff --git a/crypto/des/cfb64ede.c b/crypto/des/cfb64ede.c index 60c1aa08d..5a54c1102 100644 --- a/crypto/des/cfb64ede.c +++ b/crypto/des/cfb64ede.c @@ -140,3 +140,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length, DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc); } #endif + +/* This is compatible with the single key CFB-r for DES, even thought that's + * not what EVP needs. + */ + +void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out, + int numbits,long length,DES_key_schedule *ks1, + DES_key_schedule *ks2,DES_key_schedule *ks3, + DES_cblock *ivec,int enc) + { + register DES_LONG d0,d1,v0,v1; + register unsigned long l=length; + register int num=numbits,n=(numbits+7)/8,i; + DES_LONG ti[2]; + unsigned char *iv; + unsigned char ovec[16]; + + if (num > 64) return; + iv = &(*ivec)[0]; + c2l(iv,v0); + c2l(iv,v1); + if (enc) + { + while (l >= n) + { + l-=n; + ti[0]=v0; + ti[1]=v1; + DES_encrypt3(ti,ks1,ks2,ks3); + c2ln(in,d0,d1,n); + in+=n; + d0^=ti[0]; + d1^=ti[1]; + l2cn(d0,d1,out,n); + out+=n; + /* 30-08-94 - eay - changed because l>>32 and + * l<<32 are bad under gcc :-( */ + if (num == 32) + { v0=v1; v1=d0; } + else if (num == 64) + { v0=d0; v1=d1; } + else + { + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); + } + } + } + else + { + while (l >= n) + { + l-=n; + ti[0]=v0; + ti[1]=v1; + DES_encrypt3(ti,ks1,ks2,ks3); + c2ln(in,d0,d1,n); + in+=n; + /* 30-08-94 - eay - changed because l>>32 and + * l<<32 are bad under gcc :-( */ + if (num == 32) + { v0=v1; v1=d0; } + else if (num == 64) + { v0=d0; v1=d1; } + else + { + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); + } + d0^=ti[0]; + d1^=ti[1]; + l2cn(d0,d1,out,n); + out+=n; + } + } + iv = &(*ivec)[0]; + l2c(v0,iv); + l2c(v1,iv); + v0=v1=d0=d1=ti[0]=ti[1]=0; + } + diff --git a/crypto/des/cfb_enc.c b/crypto/des/cfb_enc.c index 136efba95..225410efb 100644 --- a/crypto/des/cfb_enc.c +++ b/crypto/des/cfb_enc.c @@ -65,32 +65,20 @@ * the second. The second 12 bits will come from the 3rd and half the 4th * byte. */ +/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it + * will not be compatible with any encryption prior to that date. Ben. */ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, - long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc) + long length, DES_key_schedule *schedule, DES_cblock *ivec, + int enc) { - register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8; - register DES_LONG mask0,mask1; + register DES_LONG d0,d1,v0,v1; register unsigned long l=length; - register int num=numbits; + register int num=numbits,n=(numbits+7)/8,i; DES_LONG ti[2]; unsigned char *iv; + unsigned char ovec[16]; if (num > 64) return; - if (num > 32) - { - mask0=0xffffffffL; - if (num == 64) - mask1=mask0; - else mask1=(1L<<(num-32))-1; - } - else - { - if (num == 32) - mask0=0xffffffffL; - else mask0=(1L<>32 and @@ -114,15 +102,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ + else { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; - } - else /* num < 32 */ - { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); } } } @@ -142,18 +140,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { v0=v1; v1=d0; } else if (num == 64) { v0=d0; v1=d1; } - else if (num > 32) /* && num != 64 */ + else { - v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL; - v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL; + iv=&ovec[0]; + l2c(v0,iv); + l2c(v1,iv); + l2c(d0,iv); + l2c(d1,iv); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); + /* now the remaining bits */ + if(num%8 != 0) + for(i=0 ; i < 8 ; ++i) + { + ovec[i]<<=num%8; + ovec[i]|=ovec[i+1]>>(8-num%8); + } + iv=&ovec[0]; + c2l(iv,v0); + c2l(iv,v1); } - else /* num < 32 */ - { - v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL; - v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL; - } - d0=(d0^ti[0])&mask0; - d1=(d1^ti[1])&mask1; + d0^=ti[0]; + d1^=ti[1]; l2cn(d0,d1,out,n); out+=n; } diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 92f6ebc34..f2554ecc6 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -92,20 +92,53 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -static int des_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, unsigned int inl) +static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) { DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data, (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); return 1; } +/* Although we have a CFB-r implementation for DES, it doesn't pack the right + way, so wrap it here */ +static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + unsigned int n; + unsigned char c[1],d[1]; + + for(n=0 ; n < inl ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0; + DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv, + ctx->encrypt); + out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8)); + } + return 1; + } + +static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv, + ctx->encrypt); + return 1; + } + BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64, 0, des_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index e036d07ba..b462d7c6a 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -85,7 +85,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { BLOCK_CIPHER_ecb_loop() - DES_ecb3_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), + DES_ecb3_encrypt(in + i,out + i, &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); @@ -121,7 +121,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, +static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { DES_ede3_cfb64_encrypt(in, out, (long)inl, @@ -130,13 +130,42 @@ static int des_ede_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } +/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right + way, so wrap it here */ +static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + unsigned int n; + unsigned char c[1],d[1]; + + for(n=0 ; n < inl ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0; + DES_ede3_cfb_encrypt(c,d,1,1, + &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3, + (DES_cblock *)ctx->iv,ctx->encrypt); + out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8)); + } + + return 1; + } + +static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) + { + DES_ede3_cfb_encrypt(in,out,8,inl, + &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3, + (DES_cblock *)ctx->iv,ctx->encrypt); + return 1; + } + BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, 0, des_ede_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) -#define des_ede3_cfb_cipher des_ede_cfb_cipher +#define des_ede3_cfb64_cipher des_ede_cfb64_cipher #define des_ede3_ofb_cipher des_ede_ofb_cipher #define des_ede3_cbc_cipher des_ede_cbc_cipher #define des_ede3_ecb_cipher des_ede_ecb_cipher @@ -147,6 +176,16 @@ BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, EVP_CIPHER_get_asn1_iv, NULL) +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0, + des_ede3_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0, + des_ede3_init_key,NULL, + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv,NULL) + static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { From 6df617a59da15286014abe03f9d3b5e2d9835d3d Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Tue, 27 Jan 2004 22:06:48 +0000 Subject: [PATCH 014/112] #undef _POSIX_C_SOURCE in ui_openssl.c ruined IRIX builds. Comment on why _POSIX_C_SOURCE needed in first place. --- crypto/ui/ui_openssl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index fad17024a..7c80f5feb 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -117,10 +117,14 @@ #include +/* need for #define _POSIX_C_SOURCE arises whenever you pass -ansi to gcc + * [maybe others?], because it masks interfaces not discussed in standard, + * sigaction and fileno included. -pedantic would be more appropriate for + * the intended purposes, but we can't prevent users from adding -ansi. + */ #define _POSIX_C_SOURCE 1 #include #include -#undef _POSIX_C_SOURCE #include #include From 721a5e83f92d07e2f76355e2128b4dae45f2d50d Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 28 Jan 2004 08:48:11 +0000 Subject: [PATCH 015/112] Unsigned vs. signed problem removed --- crypto/des/cfb64ede.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/des/cfb64ede.c b/crypto/des/cfb64ede.c index 5a54c1102..453b078d3 100644 --- a/crypto/des/cfb64ede.c +++ b/crypto/des/cfb64ede.c @@ -151,8 +151,8 @@ void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out, DES_cblock *ivec,int enc) { register DES_LONG d0,d1,v0,v1; - register unsigned long l=length; - register int num=numbits,n=(numbits+7)/8,i; + register unsigned long l=length,n=((unsigned int)numbits+7)/8; + register int num=numbits,i; DES_LONG ti[2]; unsigned char *iv; unsigned char ovec[16]; From 1fb724449d4b0f02c781be3ce91cdc17b2452eaa Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 28 Jan 2004 18:38:33 +0000 Subject: [PATCH 016/112] make update --- crypto/bn/Makefile.ssl | 9 +- crypto/des/Makefile.ssl | 14 +- ssl/Makefile.ssl | 392 ++++++++++++++++++++-------------------- 3 files changed, 207 insertions(+), 208 deletions(-) diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl index 450f8ad58..7fe70a406 100644 --- a/crypto/bn/Makefile.ssl +++ b/crypto/bn/Makefile.ssl @@ -243,8 +243,13 @@ bn_gf2m.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_gf2m.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h bn_gf2m.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_gf2m.o: ../cryptlib.h bn_gf2m.c bn_lcl.h -bn_kron.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h -bn_kron.o: ../../include/openssl/opensslconf.h bn_kron.c bn_lcl.h +bn_kron.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h +bn_kron.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +bn_kron.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +bn_kron.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +bn_kron.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +bn_kron.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +bn_kron.o: ../cryptlib.h bn_kron.c bn_lcl.h bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/des/Makefile.ssl b/crypto/des/Makefile.ssl index 02a62402a..a038dea22 100644 --- a/crypto/des/Makefile.ssl +++ b/crypto/des/Makefile.ssl @@ -196,13 +196,13 @@ ecb3_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h ecb3_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecb3_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h ecb3_enc.o: des_locl.h ecb3_enc.c -ecb_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h -ecb_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h -ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -ecb_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -ecb_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -ecb_enc.o: ../../include/openssl/ui_compat.h des_locl.h des_ver.h ecb_enc.c -ecb_enc.o: spr.h +ecb_enc.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h +ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h +ecb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +ecb_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h +ecb_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +ecb_enc.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +ecb_enc.o: des_locl.h des_ver.h ecb_enc.c spr.h ede_cbcm_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h ede_cbcm_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h ede_cbcm_enc.o: ../../include/openssl/opensslconf.h diff --git a/ssl/Makefile.ssl b/ssl/Makefile.ssl index fad68f3af..8808e11ad 100644 --- a/ssl/Makefile.ssl +++ b/ssl/Makefile.ssl @@ -234,65 +234,63 @@ s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h s23_srvr.o: ../include/openssl/x509_vfy.h s23_srvr.c ssl_locl.h -s2_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s2_clnt.o: ../include/openssl/bio.h ../include/openssl/bn.h -s2_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_clnt.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s2_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s2_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s2_clnt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s2_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s2_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s2_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c -s2_clnt.o: ssl_locl.h -s2_enc.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s2_enc.o: ../include/openssl/bio.h ../include/openssl/bn.h -s2_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_enc.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s2_enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s2_enc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_enc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_enc.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s2_enc.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s2_enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s2_enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s2_enc.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -s2_enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_enc.o: ../include/openssl/x509_vfy.h s2_enc.c ssl_locl.h -s2_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s2_lib.o: ../include/openssl/bio.h ../include/openssl/bn.h -s2_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s2_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s2_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_lib.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s2_lib.o: ../include/openssl/lhash.h ../include/openssl/md5.h -s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c -s2_lib.o: ssl_locl.h +s2_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s2_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s2_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h +s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s2_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_enc.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_enc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_enc.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_enc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_enc.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_enc.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s2_enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s2_enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_enc.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_enc.c +s2_enc.o: ssl_locl.h +s2_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s2_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_lib.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_lib.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h +s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s2_meth.o: ../include/openssl/bn.h ../include/openssl/buffer.h s2_meth.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -312,45 +310,44 @@ s2_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_meth.c s2_meth.o: ssl_locl.h -s2_pkt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s2_pkt.o: ../include/openssl/bio.h ../include/openssl/bn.h -s2_pkt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_pkt.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s2_pkt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s2_pkt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_pkt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_pkt.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s2_pkt.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s2_pkt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_pkt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s2_pkt.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s2_pkt.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h -s2_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s2_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_pkt.o: ../include/openssl/x509_vfy.h s2_pkt.c ssl_locl.h -s2_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s2_srvr.o: ../include/openssl/bio.h ../include/openssl/bn.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c -s2_srvr.o: ssl_locl.h +s2_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s2_pkt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_pkt.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_pkt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_pkt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_pkt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_pkt.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s2_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s2_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s2_pkt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s2_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c +s2_pkt.o: ssl_locl.h +s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s2_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -370,26 +367,26 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h -s3_clnt.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s3_clnt.o: ../include/openssl/bio.h ../include/openssl/bn.h -s3_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s3_clnt.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s3_clnt.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s3_clnt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s3_clnt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s3_clnt.o: ../include/openssl/evp.h ../include/openssl/kssl.h -s3_clnt.o: ../include/openssl/lhash.h ../include/openssl/md5.h -s3_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s3_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s3_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s3_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_clnt.o: ../include/openssl/rand.h ../include/openssl/rsa.h -s3_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h +s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s3_clnt.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_clnt.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s3_clnt.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s3_clnt.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_clnt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s3_clnt.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h +s3_clnt.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s3_clnt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_clnt.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_clnt.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s3_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_clnt.o: ../include/openssl/sha.h ../include/openssl/ssl.h +s3_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h +s3_clnt.o: s3_clnt.c ssl_locl.h s3_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_enc.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -466,27 +463,26 @@ s3_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_pkt.c s3_pkt.o: ssl_locl.h -s3_srvr.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -s3_srvr.o: ../include/openssl/bio.h ../include/openssl/bn.h -s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s3_srvr.o: ../include/openssl/crypto.h ../include/openssl/dh.h -s3_srvr.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -s3_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s3_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s3_srvr.o: ../include/openssl/evp.h ../include/openssl/krb5_asn.h -s3_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_srvr.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h -s3_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -s3_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -s3_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s3_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -s3_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_srvr.o: ../include/openssl/sha.h ../include/openssl/ssl.h -s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h -s3_srvr.o: s3_srvr.c ssl_locl.h +s3_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s3_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h +s3_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s3_srvr.o: ../include/openssl/dh.h ../include/openssl/dsa.h +s3_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s3_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s3_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h +s3_srvr.o: ../include/openssl/krb5_asn.h ../include/openssl/kssl.h +s3_srvr.o: ../include/openssl/lhash.h ../include/openssl/md5.h +s3_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s3_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s3_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s3_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s3_srvr.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_srvr.c ssl_locl.h ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -506,26 +502,25 @@ ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_algs.c ssl_algs.o: ssl_locl.h -ssl_asn1.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -ssl_asn1.o: ../include/openssl/asn1_mac.h ../include/openssl/bio.h -ssl_asn1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl_asn1.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_asn1.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ssl_asn1.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ssl_asn1.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_asn1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -ssl_asn1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_asn1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl_asn1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl_asn1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_asn1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_asn1.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_asn1.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_asn1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_asn1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_asn1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_asn1.c -ssl_asn1.o: ssl_locl.h +ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1_mac.h +ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/bn.h +ssl_asn1.o: ../include/openssl/buffer.h ../include/openssl/comp.h +ssl_asn1.o: ../include/openssl/crypto.h ../include/openssl/dh.h +ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_asn1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ssl_asn1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +ssl_asn1.o: ../include/openssl/evp.h ../include/openssl/kssl.h +ssl_asn1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +ssl_asn1.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_asn1.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_asn1.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_asn1.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +ssl_asn1.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h ssl_cert.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_cert.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_cert.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -601,26 +596,26 @@ ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_err2.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_err2.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err2.c -ssl_lib.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -ssl_lib.o: ../include/openssl/bio.h ../include/openssl/bn.h -ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h -ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h -ssl_lib.o: ../include/openssl/dh.h ../include/openssl/dsa.h -ssl_lib.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ssl_lib.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ssl_lib.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -ssl_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_lib.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ssl_lib.o: ../include/openssl/x509v3.h kssl_lcl.h ssl_lib.c ssl_locl.h +ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ssl_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h +ssl_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h +ssl_lib.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h +ssl_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ssl_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +ssl_lib.o: ../include/openssl/evp.h ../include/openssl/kssl.h +ssl_lib.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +ssl_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +ssl_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +ssl_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h +ssl_lib.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h +ssl_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h +ssl_lib.o: ssl_lib.c ssl_locl.h ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_rsa.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -640,26 +635,25 @@ ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h ssl_rsa.o: ssl_rsa.c -ssl_sess.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h -ssl_sess.o: ../include/openssl/bio.h ../include/openssl/bn.h -ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/comp.h -ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/dh.h -ssl_sess.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h -ssl_sess.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -ssl_sess.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -ssl_sess.o: ../include/openssl/evp.h ../include/openssl/kssl.h -ssl_sess.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -ssl_sess.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -ssl_sess.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -ssl_sess.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_sess.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h -ssl_sess.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl_sess.o: ../include/openssl/sha.h ../include/openssl/ssl.h -ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_sess.o: ssl_sess.c +ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ssl_sess.o: ../include/openssl/bn.h ../include/openssl/buffer.h +ssl_sess.o: ../include/openssl/comp.h ../include/openssl/crypto.h +ssl_sess.o: ../include/openssl/dh.h ../include/openssl/dsa.h +ssl_sess.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +ssl_sess.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +ssl_sess.o: ../include/openssl/err.h ../include/openssl/evp.h +ssl_sess.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl_sess.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl_sess.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl_sess.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl_sess.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl_sess.o: ../include/openssl/rand.h ../include/openssl/rsa.h +ssl_sess.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl_sess.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_sess.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_sess.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_sess.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl_sess.o: ../include/openssl/x509_vfy.h ssl_locl.h ssl_sess.c ssl_stat.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_stat.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_stat.o: ../include/openssl/comp.h ../include/openssl/crypto.h From 8d1ebe0bd16238e0e9c5c8050154390ba89fa266 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 28 Jan 2004 19:05:35 +0000 Subject: [PATCH 017/112] Add the missing parts for DES CFB1 and CFB8. Add the corresponding AES parts while I'm at it. make update --- crypto/aes/aes.h | 9 ++++ crypto/aes/aes_cfb.c | 93 ++++++++++++++++++++++++++++++++++++++ crypto/des/des.h | 4 ++ crypto/evp/c_allc.c | 8 ++++ crypto/evp/e_aes.c | 26 +++++++++-- crypto/evp/e_des3.c | 3 +- crypto/evp/evp.h | 49 +++++++++++++++----- crypto/evp/evp_err.c | 4 +- crypto/evp/evp_lib.c | 24 ++++++++++ crypto/evp/evp_locl.h | 13 +++++- crypto/objects/obj_dat.h | 36 +++++++++++++-- crypto/objects/obj_mac.h | 40 ++++++++++++++++ crypto/objects/obj_mac.num | 10 ++++ crypto/objects/objects.txt | 13 ++++++ util/libeay.num | 36 ++++++++++----- 15 files changed, 335 insertions(+), 33 deletions(-) diff --git a/crypto/aes/aes.h b/crypto/aes/aes.h index 6bc0cf00a..20c4dbc0f 100644 --- a/crypto/aes/aes.h +++ b/crypto/aes/aes.h @@ -97,6 +97,15 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out, void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, int *num, const int enc); +void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc); +void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc); +void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out, + const int nbits,const AES_KEY *key, + unsigned char *ivec,const int enc); void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, const unsigned long length, const AES_KEY *key, unsigned char *ivec, int *num); diff --git a/crypto/aes/aes_cfb.c b/crypto/aes/aes_cfb.c index 9b569dda9..2e0c41ec2 100644 --- a/crypto/aes/aes_cfb.c +++ b/crypto/aes/aes_cfb.c @@ -155,3 +155,96 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, *num=n; } +/* This expects a single block of size nbits for both in and out. Note that + it corrupts any extra bits in the last byte of out */ +/* Untested, once it is working, it will be optimised */ +void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out, + const int nbits,const AES_KEY *key, + unsigned char *ivec,const int enc) + { + int n; + unsigned char ovec[AES_BLOCK_SIZE*2]; + + assert(in && out && key && ivec); + if(enc) + { + /* construct the new IV */ + AES_encrypt(ivec,ovec,key); + /* encrypt the input */ + for(n=0 ; n < (nbits+7)/8 ; ++n) + out[n]=in[n]^ovec[n]; + /* fill in the first half of the new IV with the current IV */ + memcpy(ovec,ivec,AES_BLOCK_SIZE); + /* and put the ciphertext in the second half */ + memcpy(ovec+AES_BLOCK_SIZE,out,(nbits+7)/8); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0)); + /* now the remaining bits */ + if(nbits%8 != 0) + for(n=0 ; n < AES_BLOCK_SIZE ; ++n) + { + ovec[n]<<=nbits%8; + ovec[n]|=ovec[n+1]>>(8-nbits%8); + } + /* finally, move it back into place */ + memcpy(ivec,ovec,AES_BLOCK_SIZE); + } + else + { + /* construct the new IV in the first half of ovec */ + AES_encrypt(ivec,ovec,key); + /* decrypt the input */ + for(n=0 ; n < (nbits+7)/8 ; ++n) + out[n]=in[n]^ovec[n]; + /* fill in the first half of the new IV with the current IV */ + memcpy(ovec,ivec,AES_BLOCK_SIZE); + /* append the ciphertext */ + memcpy(ovec+AES_BLOCK_SIZE,in,(nbits+7)/8); + /* shift ovec left most of the bits... */ + memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0)); + /* now the remaining bits */ + if(nbits%8 != 0) + for(n=0 ; n < AES_BLOCK_SIZE ; ++n) + { + ovec[n]<<=nbits%8; + ovec[n]|=ovec[n+1]>>(8-nbits%8); + } + /* finally, move it back into place */ + memcpy(ivec,ovec,AES_BLOCK_SIZE); + } + /* it is not necessary to cleanse ovec, since the IV is not secret */ + } + +/* N.B. This expects the input to be packed, MS bit first */ +void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc) + { + unsigned int n; + unsigned char c[1],d[1]; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + memset(out,0,(length+7)/8); + for(n=0 ; n < length ; ++n) + { + c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0; + AES_cfbr_encrypt_block(c,d,1,key,ivec,enc); + out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8)); + } + } + +void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, + const unsigned long length, const AES_KEY *key, + unsigned char *ivec, int *num, const int enc) + { + unsigned int n; + + assert(in && out && key && ivec && num); + assert(*num == 0); + + for(n=0 ; n < length ; ++n) + AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc); + } + diff --git a/crypto/des/des.h b/crypto/des/des.h index 4475143db..3cbc2b568 100644 --- a/crypto/des/des.h +++ b/crypto/des/des.h @@ -187,6 +187,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out, long length,DES_key_schedule *ks1, DES_key_schedule *ks2,DES_key_schedule *ks3, DES_cblock *ivec,int *num,int enc); +void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out, + int numbits,long length,DES_key_schedule *ks1, + DES_key_schedule *ks2,DES_key_schedule *ks3, + DES_cblock *ivec,int enc); void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out, long length,DES_key_schedule *ks1, DES_key_schedule *ks2,DES_key_schedule *ks3, diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index 341a958fd..fc9681236 100644 --- a/crypto/evp/c_allc.c +++ b/crypto/evp/c_allc.c @@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void) #ifndef OPENSSL_NO_DES EVP_add_cipher(EVP_des_cfb()); + EVP_add_cipher(EVP_des_cfb1()); + EVP_add_cipher(EVP_des_cfb8()); EVP_add_cipher(EVP_des_ede_cfb()); EVP_add_cipher(EVP_des_ede3_cfb()); @@ -150,6 +152,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_128_ecb()); EVP_add_cipher(EVP_aes_128_cbc()); EVP_add_cipher(EVP_aes_128_cfb()); + EVP_add_cipher(EVP_aes_128_cfb1()); + EVP_add_cipher(EVP_aes_128_cfb8()); EVP_add_cipher(EVP_aes_128_ofb()); #if 0 EVP_add_cipher(EVP_aes_128_ctr()); @@ -159,6 +163,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_192_ecb()); EVP_add_cipher(EVP_aes_192_cbc()); EVP_add_cipher(EVP_aes_192_cfb()); + EVP_add_cipher(EVP_aes_192_cfb1()); + EVP_add_cipher(EVP_aes_192_cfb8()); EVP_add_cipher(EVP_aes_192_ofb()); #if 0 EVP_add_cipher(EVP_aes_192_ctr()); @@ -168,6 +174,8 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_256_ecb()); EVP_add_cipher(EVP_aes_256_cbc()); EVP_add_cipher(EVP_aes_256_cfb()); + EVP_add_cipher(EVP_aes_256_cfb1()); + EVP_add_cipher(EVP_aes_256_cfb8()); EVP_add_cipher(EVP_aes_256_ofb()); #if 0 EVP_add_cipher(EVP_aes_256_ctr()); diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index bf7c45fa2..bd6c0a3a6 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -86,17 +86,35 @@ IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY, EVP_CIPHER_get_asn1_iv, NULL) +#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16) + +IMPLEMENT_AES_CFBR(128,1) +IMPLEMENT_AES_CFBR(192,1) +IMPLEMENT_AES_CFBR(256,1) + +IMPLEMENT_AES_CFBR(128,8) +IMPLEMENT_AES_CFBR(192,8) +IMPLEMENT_AES_CFBR(256,8) + static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) { + const unsigned char *iv, int enc) + { + int ret; if ((ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_CFB_MODE || (ctx->cipher->flags & EVP_CIPH_MODE) == EVP_CIPH_OFB_MODE || enc) - AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_encrypt_key(key, ctx->key_len * 8, ctx->cipher_data); else - AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + ret=AES_set_decrypt_key(key, ctx->key_len * 8, ctx->cipher_data); + + if(ret < 0) + { + EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED); + return 0; + } return 1; -} + } #endif diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index b462d7c6a..86342fb95 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -85,7 +85,8 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) { BLOCK_CIPHER_ecb_loop() - DES_ecb3_encrypt(in + i,out + i, + DES_ecb3_encrypt((const_DES_cblock *)(in + i), + (DES_cblock *)(out + i), &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index a1dd3da1b..a5f3c449c 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -603,9 +603,20 @@ const EVP_CIPHER *EVP_des_ede(void); const EVP_CIPHER *EVP_des_ede3(void); const EVP_CIPHER *EVP_des_ede_ecb(void); const EVP_CIPHER *EVP_des_ede3_ecb(void); -const EVP_CIPHER *EVP_des_cfb(void); -const EVP_CIPHER *EVP_des_ede_cfb(void); -const EVP_CIPHER *EVP_des_ede3_cfb(void); +const EVP_CIPHER *EVP_des_cfb64(void); +# define EVP_des_cfb EVP_des_cfb64 +const EVP_CIPHER *EVP_des_cfb1(void); +const EVP_CIPHER *EVP_des_cfb8(void); +const EVP_CIPHER *EVP_des_ede_cfb64(void); +# define EVP_des_ede_cfb EVP_des_ede_cfb64 +#if 0 +const EVP_CIPHER *EVP_des_ede_cfb1(void); +const EVP_CIPHER *EVP_des_ede_cfb8(void); +#endif +const EVP_CIPHER *EVP_des_ede3_cfb64(void); +# define EVP_des_ede3_cfb EVP_des_ede3_cfb64 +const EVP_CIPHER *EVP_des_ede3_cfb1(void); +const EVP_CIPHER *EVP_des_ede3_cfb8(void); const EVP_CIPHER *EVP_des_ofb(void); const EVP_CIPHER *EVP_des_ede_ofb(void); const EVP_CIPHER *EVP_des_ede3_ofb(void); @@ -629,7 +640,8 @@ const EVP_CIPHER *EVP_rc4_40(void); #endif #ifndef OPENSSL_NO_IDEA const EVP_CIPHER *EVP_idea_ecb(void); -const EVP_CIPHER *EVP_idea_cfb(void); +const EVP_CIPHER *EVP_idea_cfb64(void); +# define EVP_idea_cfb EVP_idea_cfb64 const EVP_CIPHER *EVP_idea_ofb(void); const EVP_CIPHER *EVP_idea_cbc(void); #endif @@ -638,45 +650,58 @@ const EVP_CIPHER *EVP_rc2_ecb(void); const EVP_CIPHER *EVP_rc2_cbc(void); const EVP_CIPHER *EVP_rc2_40_cbc(void); const EVP_CIPHER *EVP_rc2_64_cbc(void); -const EVP_CIPHER *EVP_rc2_cfb(void); +const EVP_CIPHER *EVP_rc2_cfb64(void); +# define EVP_rc2_cfb EVP_rc2_cfb64 const EVP_CIPHER *EVP_rc2_ofb(void); #endif #ifndef OPENSSL_NO_BF const EVP_CIPHER *EVP_bf_ecb(void); const EVP_CIPHER *EVP_bf_cbc(void); -const EVP_CIPHER *EVP_bf_cfb(void); +const EVP_CIPHER *EVP_bf_cfb64(void); +# define EVP_bf_cfb EVP_bf_cfb64 const EVP_CIPHER *EVP_bf_ofb(void); #endif #ifndef OPENSSL_NO_CAST const EVP_CIPHER *EVP_cast5_ecb(void); const EVP_CIPHER *EVP_cast5_cbc(void); -const EVP_CIPHER *EVP_cast5_cfb(void); +const EVP_CIPHER *EVP_cast5_cfb64(void); +# define EVP_cast5_cfb EVP_cast5_cfb64 const EVP_CIPHER *EVP_cast5_ofb(void); #endif #ifndef OPENSSL_NO_RC5 const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void); const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void); -const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void); +const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void); +# define EVP_rc5_32_12_16_cfb EVP_rc5_32_12_16_cfb64 const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void); #endif #ifndef OPENSSL_NO_AES const EVP_CIPHER *EVP_aes_128_ecb(void); const EVP_CIPHER *EVP_aes_128_cbc(void); -const EVP_CIPHER *EVP_aes_128_cfb(void); +const EVP_CIPHER *EVP_aes_128_cfb1(void); +const EVP_CIPHER *EVP_aes_128_cfb8(void); +const EVP_CIPHER *EVP_aes_128_cfb128(void); +# define EVP_aes_128_cfb EVP_aes_128_cfb128 const EVP_CIPHER *EVP_aes_128_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_128_ctr(void); #endif const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); -const EVP_CIPHER *EVP_aes_192_cfb(void); +const EVP_CIPHER *EVP_aes_192_cfb1(void); +const EVP_CIPHER *EVP_aes_192_cfb8(void); +const EVP_CIPHER *EVP_aes_192_cfb128(void); +# define EVP_aes_192_cfb EVP_aes_192_cfb128 const EVP_CIPHER *EVP_aes_192_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_192_ctr(void); #endif const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); -const EVP_CIPHER *EVP_aes_256_cfb(void); +const EVP_CIPHER *EVP_aes_256_cfb1(void); +const EVP_CIPHER *EVP_aes_256_cfb8(void); +const EVP_CIPHER *EVP_aes_256_cfb128(void); +# define EVP_aes_256_cfb EVP_aes_256_cfb128 const EVP_CIPHER *EVP_aes_256_ofb(void); #if 0 const EVP_CIPHER *EVP_aes_256_ctr(void); @@ -794,6 +819,7 @@ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ /* Function codes. */ +#define EVP_F_AES_INIT_KEY 133 #define EVP_F_D2I_PKEY 100 #define EVP_F_ECDSA_PKEY2PKCS8 129 #define EVP_F_EC_KEY_PKEY2PKCS8 132 @@ -828,6 +854,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_RC5_CTRL 125 /* Reason codes. */ +#define EVP_R_AES_KEY_SETUP_FAILED 143 #define EVP_R_ASN1_LIB 140 #define EVP_R_BAD_BLOCK_LENGTH 136 #define EVP_R_BAD_DECRYPT 100 diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 815ce63b3..bf37e6651 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,6 +1,6 @@ /* crypto/evp/evp_err.c */ /* ==================================================================== - * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,6 +66,7 @@ #ifndef OPENSSL_NO_ERR static ERR_STRING_DATA EVP_str_functs[]= { +{ERR_PACK(0,EVP_F_AES_INIT_KEY,0), "AES_INIT_KEY"}, {ERR_PACK(0,EVP_F_D2I_PKEY,0), "D2I_PKEY"}, {ERR_PACK(0,EVP_F_ECDSA_PKEY2PKCS8,0), "ECDSA_PKEY2PKCS8"}, {ERR_PACK(0,EVP_F_EC_KEY_PKEY2PKCS8,0), "EC_KEY_PKEY2PKCS8"}, @@ -103,6 +104,7 @@ static ERR_STRING_DATA EVP_str_functs[]= static ERR_STRING_DATA EVP_str_reasons[]= { +{EVP_R_AES_KEY_SETUP_FAILED ,"aes key setup failed"}, {EVP_R_ASN1_LIB ,"asn1 lib"}, {EVP_R_BAD_BLOCK_LENGTH ,"bad block length"}, {EVP_R_BAD_DECRYPT ,"bad decrypt"}, diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index c97cb9cea..b532c45de 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -135,6 +135,30 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) return NID_rc4; + case NID_aes_128_cfb128: + case NID_aes_128_cfb8: + case NID_aes_128_cfb1: + + return NID_aes_128_cfb128; + + case NID_aes_192_cfb128: + case NID_aes_192_cfb8: + case NID_aes_192_cfb1: + + return NID_aes_192_cfb128; + + case NID_aes_256_cfb128: + case NID_aes_256_cfb8: + case NID_aes_256_cfb1: + + return NID_aes_256_cfb128; + + case NID_des_cfb64: + case NID_des_cfb8: + case NID_des_cfb1: + + return NID_des_cfb64; + default: /* Check it has an OID and it is valid */ otmp = OBJ_nid2obj(nid); diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index 4d81a3bf4..2204e345a 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -90,7 +90,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns } #define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \ -static int cname##_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ +static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ {\ cprefix##_cfb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ return 1;\ @@ -127,7 +127,7 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \ #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \ set_asn1, get_asn1, ctrl) \ -BLOCK_CIPHER_def1(cname, cfb##cbits, cfb, CFB, kstruct, nid, 1, \ +BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \ key_len, iv_len, flags, init_key, cleanup, set_asn1, \ get_asn1, ctrl) @@ -225,3 +225,12 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } get_asn1, ctrl) #define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) + +#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \ + BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ + BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ + NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \ + 0, cipher##_init_key, NULL, \ + EVP_CIPHER_set_asn1_iv, \ + EVP_CIPHER_get_asn1_iv, \ + NULL) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index beb48b846..7889f2c9c 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,9 +62,9 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 726 -#define NUM_SN 721 -#define NUM_LN 721 +#define NUM_NID 736 +#define NUM_SN 731 +#define NUM_LN 731 #define NUM_OBJ 693 static unsigned char lvalues[4882]={ @@ -1896,20 +1896,36 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ NID_international_organizations,1,&(lvalues[4880]),0}, {"Oakley-EC2N-3","ipsec3",NID_ipsec3,0,NULL}, {"Oakley-EC2N-4","ipsec4",NID_ipsec4,0,NULL}, +{"AES-128-CFB1","aes-128-cfb1",NID_aes_128_cfb1,0,NULL}, +{"AES-192-CFB1","aes-192-cfb1",NID_aes_192_cfb1,0,NULL}, +{"AES-256-CFB1","aes-256-cfb1",NID_aes_256_cfb1,0,NULL}, +{"AES-128-CFB8","aes-128-cfb8",NID_aes_128_cfb8,0,NULL}, +{"AES-192-CFB8","aes-192-cfb8",NID_aes_192_cfb8,0,NULL}, +{"AES-256-CFB8","aes-256-cfb8",NID_aes_256_cfb8,0,NULL}, +{"DES-CFB1","des-cfb1",NID_des_cfb1,0,NULL}, +{"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL}, +{"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL}, +{"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[364]),/* "AD_DVCS" */ &(nid_objs[419]),/* "AES-128-CBC" */ &(nid_objs[421]),/* "AES-128-CFB" */ +&(nid_objs[726]),/* "AES-128-CFB1" */ +&(nid_objs[729]),/* "AES-128-CFB8" */ &(nid_objs[418]),/* "AES-128-ECB" */ &(nid_objs[420]),/* "AES-128-OFB" */ &(nid_objs[423]),/* "AES-192-CBC" */ &(nid_objs[425]),/* "AES-192-CFB" */ +&(nid_objs[727]),/* "AES-192-CFB1" */ +&(nid_objs[730]),/* "AES-192-CFB8" */ &(nid_objs[422]),/* "AES-192-ECB" */ &(nid_objs[424]),/* "AES-192-OFB" */ &(nid_objs[427]),/* "AES-256-CBC" */ &(nid_objs[429]),/* "AES-256-CFB" */ +&(nid_objs[728]),/* "AES-256-CFB1" */ +&(nid_objs[731]),/* "AES-256-CFB8" */ &(nid_objs[426]),/* "AES-256-ECB" */ &(nid_objs[428]),/* "AES-256-OFB" */ &(nid_objs[91]),/* "BF-CBC" */ @@ -1929,6 +1945,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[31]),/* "DES-CBC" */ &(nid_objs[707]),/* "DES-CDMF" */ &(nid_objs[30]),/* "DES-CFB" */ +&(nid_objs[732]),/* "DES-CFB1" */ +&(nid_objs[733]),/* "DES-CFB8" */ &(nid_objs[29]),/* "DES-ECB" */ &(nid_objs[32]),/* "DES-EDE" */ &(nid_objs[43]),/* "DES-EDE-CBC" */ @@ -1937,6 +1955,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[33]),/* "DES-EDE3" */ &(nid_objs[44]),/* "DES-EDE3-CBC" */ &(nid_objs[61]),/* "DES-EDE3-CFB" */ +&(nid_objs[734]),/* "DES-EDE3-CFB1" */ +&(nid_objs[735]),/* "DES-EDE3-CFB8" */ &(nid_objs[63]),/* "DES-EDE3-OFB" */ &(nid_objs[45]),/* "DES-OFB" */ &(nid_objs[80]),/* "DESX-CBC" */ @@ -2737,14 +2757,20 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[670]),/* "additional verification" */ &(nid_objs[419]),/* "aes-128-cbc" */ &(nid_objs[421]),/* "aes-128-cfb" */ +&(nid_objs[726]),/* "aes-128-cfb1" */ +&(nid_objs[729]),/* "aes-128-cfb8" */ &(nid_objs[418]),/* "aes-128-ecb" */ &(nid_objs[420]),/* "aes-128-ofb" */ &(nid_objs[423]),/* "aes-192-cbc" */ &(nid_objs[425]),/* "aes-192-cfb" */ +&(nid_objs[727]),/* "aes-192-cfb1" */ +&(nid_objs[730]),/* "aes-192-cfb8" */ &(nid_objs[422]),/* "aes-192-ecb" */ &(nid_objs[424]),/* "aes-192-ofb" */ &(nid_objs[427]),/* "aes-256-cbc" */ &(nid_objs[429]),/* "aes-256-cfb" */ +&(nid_objs[728]),/* "aes-256-cfb1" */ +&(nid_objs[731]),/* "aes-256-cfb8" */ &(nid_objs[426]),/* "aes-256-ecb" */ &(nid_objs[428]),/* "aes-256-ofb" */ &(nid_objs[376]),/* "algorithm" */ @@ -2803,6 +2829,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[31]),/* "des-cbc" */ &(nid_objs[707]),/* "des-cdmf" */ &(nid_objs[30]),/* "des-cfb" */ +&(nid_objs[732]),/* "des-cfb1" */ +&(nid_objs[733]),/* "des-cfb8" */ &(nid_objs[29]),/* "des-ecb" */ &(nid_objs[32]),/* "des-ede" */ &(nid_objs[43]),/* "des-ede-cbc" */ @@ -2811,6 +2839,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[33]),/* "des-ede3" */ &(nid_objs[44]),/* "des-ede3-cbc" */ &(nid_objs[61]),/* "des-ede3-cfb" */ +&(nid_objs[734]),/* "des-ede3-cfb1" */ +&(nid_objs[735]),/* "des-ede3-cfb8" */ &(nid_objs[63]),/* "des-ede3-ofb" */ &(nid_objs[45]),/* "des-ofb" */ &(nid_objs[107]),/* "description" */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index ba871f478..f04ff9be4 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -2319,6 +2319,46 @@ #define NID_aes_256_cfb128 429 #define OBJ_aes_256_cfb128 OBJ_aes,44L +#define SN_aes_128_cfb1 "AES-128-CFB1" +#define LN_aes_128_cfb1 "aes-128-cfb1" +#define NID_aes_128_cfb1 726 + +#define SN_aes_192_cfb1 "AES-192-CFB1" +#define LN_aes_192_cfb1 "aes-192-cfb1" +#define NID_aes_192_cfb1 727 + +#define SN_aes_256_cfb1 "AES-256-CFB1" +#define LN_aes_256_cfb1 "aes-256-cfb1" +#define NID_aes_256_cfb1 728 + +#define SN_aes_128_cfb8 "AES-128-CFB8" +#define LN_aes_128_cfb8 "aes-128-cfb8" +#define NID_aes_128_cfb8 729 + +#define SN_aes_192_cfb8 "AES-192-CFB8" +#define LN_aes_192_cfb8 "aes-192-cfb8" +#define NID_aes_192_cfb8 730 + +#define SN_aes_256_cfb8 "AES-256-CFB8" +#define LN_aes_256_cfb8 "aes-256-cfb8" +#define NID_aes_256_cfb8 731 + +#define SN_des_cfb1 "DES-CFB1" +#define LN_des_cfb1 "des-cfb1" +#define NID_des_cfb1 732 + +#define SN_des_cfb8 "DES-CFB8" +#define LN_des_cfb8 "des-cfb8" +#define NID_des_cfb8 733 + +#define SN_des_ede3_cfb1 "DES-EDE3-CFB1" +#define LN_des_ede3_cfb1 "des-ede3-cfb1" +#define NID_des_ede3_cfb1 734 + +#define SN_des_ede3_cfb8 "DES-EDE3-CFB8" +#define LN_des_ede3_cfb8 "des-ede3-cfb8" +#define NID_des_ede3_cfb8 735 + #define SN_hold_instruction_code "holdInstructionCode" #define LN_hold_instruction_code "Hold Instruction Code" #define NID_hold_instruction_code 430 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index b4ff8f026..65ecec0fb 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -723,3 +723,13 @@ joint_iso_itu_t 722 international_organizations 723 ipsec3 724 ipsec4 725 +aes_128_cfb1 726 +aes_192_cfb1 727 +aes_256_cfb1 728 +aes_128_cfb8 729 +aes_192_cfb8 730 +aes_256_cfb8 731 +des_cfb1 732 +des_cfb8 733 +des_ede3_cfb1 734 +des_ede3_cfb8 735 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 0160b3e5f..ae78c0dfb 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -775,6 +775,19 @@ aes 43 : AES-256-OFB : aes-256-ofb !Cname aes-256-cfb128 aes 44 : AES-256-CFB : aes-256-cfb +# There are no OIDs for these modes... + + : AES-128-CFB1 : aes-128-cfb1 + : AES-192-CFB1 : aes-192-cfb1 + : AES-256-CFB1 : aes-256-cfb1 + : AES-128-CFB8 : aes-128-cfb8 + : AES-192-CFB8 : aes-192-cfb8 + : AES-256-CFB8 : aes-256-cfb8 + : DES-CFB1 : des-cfb1 + : DES-CFB8 : des-cfb8 + : DES-EDE3-CFB1 : des-ede3-cfb1 + : DES-EDE3-CFB8 : des-ede3-cfb8 + # Hold instruction CRL entry extension !Cname hold-instruction-code id-ce 23 : holdInstructionCode : Hold Instruction Code diff --git a/util/libeay.num b/util/libeay.num index cc60c323a..6d66ffc9b 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -284,20 +284,20 @@ EVP_add_alias 291 NOEXIST::FUNCTION: EVP_add_cipher 292 EXIST::FUNCTION: EVP_add_digest 293 EXIST::FUNCTION: EVP_bf_cbc 294 EXIST::FUNCTION:BF -EVP_bf_cfb 295 EXIST::FUNCTION:BF +EVP_bf_cfb64 295 EXIST::FUNCTION:BF EVP_bf_ecb 296 EXIST::FUNCTION:BF EVP_bf_ofb 297 EXIST::FUNCTION:BF EVP_cleanup 298 EXIST::FUNCTION: EVP_des_cbc 299 EXIST::FUNCTION:DES -EVP_des_cfb 300 EXIST::FUNCTION:DES +EVP_des_cfb64 300 EXIST::FUNCTION:DES EVP_des_ecb 301 EXIST::FUNCTION:DES EVP_des_ede 302 EXIST::FUNCTION:DES EVP_des_ede3 303 EXIST::FUNCTION:DES EVP_des_ede3_cbc 304 EXIST::FUNCTION:DES -EVP_des_ede3_cfb 305 EXIST::FUNCTION:DES +EVP_des_ede3_cfb64 305 EXIST::FUNCTION:DES EVP_des_ede3_ofb 306 EXIST::FUNCTION:DES EVP_des_ede_cbc 307 EXIST::FUNCTION:DES -EVP_des_ede_cfb 308 EXIST::FUNCTION:DES +EVP_des_ede_cfb64 308 EXIST::FUNCTION:DES EVP_des_ede_ofb 309 EXIST::FUNCTION:DES EVP_des_ofb 310 EXIST::FUNCTION:DES EVP_desx_cbc 311 EXIST::FUNCTION:DES @@ -308,14 +308,14 @@ EVP_get_cipherbyname 315 EXIST::FUNCTION: EVP_get_digestbyname 316 EXIST::FUNCTION: EVP_get_pw_prompt 317 EXIST::FUNCTION: EVP_idea_cbc 318 EXIST::FUNCTION:IDEA -EVP_idea_cfb 319 EXIST::FUNCTION:IDEA +EVP_idea_cfb64 319 EXIST::FUNCTION:IDEA EVP_idea_ecb 320 EXIST::FUNCTION:IDEA EVP_idea_ofb 321 EXIST::FUNCTION:IDEA EVP_md2 322 EXIST::FUNCTION:MD2 EVP_md5 323 EXIST::FUNCTION:MD5 EVP_md_null 324 EXIST::FUNCTION: EVP_rc2_cbc 325 EXIST::FUNCTION:RC2 -EVP_rc2_cfb 326 EXIST::FUNCTION:RC2 +EVP_rc2_cfb64 326 EXIST::FUNCTION:RC2 EVP_rc2_ecb 327 EXIST::FUNCTION:RC2 EVP_rc2_ofb 328 EXIST::FUNCTION:RC2 EVP_rc4 329 EXIST::FUNCTION:RC4 @@ -962,7 +962,7 @@ i2t_ASN1_OBJECT 979 EXIST::FUNCTION: BN_BLINDING_new 980 EXIST::FUNCTION: BN_BLINDING_free 981 EXIST::FUNCTION: EVP_cast5_cbc 983 EXIST::FUNCTION:CAST -EVP_cast5_cfb 984 EXIST::FUNCTION:CAST +EVP_cast5_cfb64 984 EXIST::FUNCTION:CAST EVP_cast5_ecb 985 EXIST::FUNCTION:CAST EVP_cast5_ofb 986 EXIST::FUNCTION:CAST BF_decrypt 987 EXIST::FUNCTION:BF @@ -1057,7 +1057,7 @@ EVP_CIPHER_param_to_asn1 1084 EXIST::FUNCTION: EVP_CIPHER_get_asn1_iv 1085 EXIST::FUNCTION: EVP_CIPHER_set_asn1_iv 1086 EXIST::FUNCTION: EVP_rc5_32_12_16_cbc 1087 EXIST::FUNCTION:RC5 -EVP_rc5_32_12_16_cfb 1088 EXIST::FUNCTION:RC5 +EVP_rc5_32_12_16_cfb64 1088 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ecb 1089 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ofb 1090 EXIST::FUNCTION:RC5 asn1_add_error 1091 EXIST::FUNCTION: @@ -2776,10 +2776,10 @@ ENGINE_load_4758cca 3218 EXIST::FUNCTION:ENGINE,STATIC_ENGIN _ossl_096_des_random_seed 3219 EXIST::FUNCTION:DES EVP_aes_256_ofb 3220 EXIST::FUNCTION:AES EVP_aes_192_ofb 3221 EXIST::FUNCTION:AES -EVP_aes_128_cfb 3222 EXIST::FUNCTION:AES -EVP_aes_256_cfb 3223 EXIST::FUNCTION:AES +EVP_aes_128_cfb64 3222 NOEXIST::FUNCTION: +EVP_aes_256_cfb64 3223 NOEXIST::FUNCTION: EVP_aes_128_ofb 3224 EXIST::FUNCTION:AES -EVP_aes_192_cfb 3225 EXIST::FUNCTION:AES +EVP_aes_192_cfb64 3225 NOEXIST::FUNCTION: CONF_modules_free 3226 EXIST::FUNCTION: NCONF_default 3227 EXIST::FUNCTION: OPENSSL_no_config 3228 EXIST::FUNCTION: @@ -3148,3 +3148,17 @@ BN_GF2m_mod_inv_arr 3576 EXIST::FUNCTION: ENGINE_unregister_ECDSA 3577 EXIST::FUNCTION:ENGINE PKCS7_set_digest 3578 EXIST::FUNCTION: PKCS7_set0_type_other 3579 EXIST::FUNCTION: +EVP_aes_128_cfb8 3580 EXIST::FUNCTION:AES +EVP_aes_256_cfb128 3581 EXIST::FUNCTION:AES +EVP_aes_128_cfb1 3582 EXIST::FUNCTION:AES +EVP_aes_192_cfb8 3583 EXIST::FUNCTION:AES +EVP_aes_256_cfb8 3584 EXIST::FUNCTION:AES +DES_ede3_cfb_encrypt 3585 EXIST::FUNCTION:DES +EVP_aes_128_cfb128 3586 EXIST::FUNCTION:AES +EVP_des_ede3_cfb8 3587 EXIST::FUNCTION:DES +EVP_aes_192_cfb128 3588 EXIST::FUNCTION:AES +EVP_aes_192_cfb1 3589 EXIST::FUNCTION:AES +EVP_des_cfb8 3590 EXIST::FUNCTION:DES +EVP_aes_256_cfb1 3591 EXIST::FUNCTION:AES +EVP_des_cfb1 3592 EXIST::FUNCTION:DES +EVP_des_ede3_cfb1 3593 EXIST::FUNCTION:DES From e5886a238829e1ceaa2b2b375a52ddc7f2d1c8d3 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 28 Jan 2004 19:07:41 +0000 Subject: [PATCH 018/112] make update --- crypto/rand/Makefile.ssl | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/rand/Makefile.ssl b/crypto/rand/Makefile.ssl index 03d789632..49a225d67 100644 --- a/crypto/rand/Makefile.ssl +++ b/crypto/rand/Makefile.ssl @@ -91,7 +91,8 @@ md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h md_rand.o: ../../include/openssl/symhacks.h md_rand.c rand_lcl.h -rand_egd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +rand_egd.o: ../../include/openssl/buffer.h ../../include/openssl/e_os2.h +rand_egd.o: ../../include/openssl/opensslconf.h rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h rand_egd.o: rand_egd.c rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h @@ -165,8 +166,9 @@ rand_win.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h rand_win.o: ../../include/openssl/sha.h ../../include/openssl/stack.h rand_win.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h rand_win.o: rand_win.c -randfile.o: ../../e_os.h ../../include/openssl/crypto.h -randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h +randfile.o: ../../e_os.h ../../include/openssl/buffer.h +randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +randfile.o: ../../include/openssl/opensslconf.h randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h randfile.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h randfile.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h From b86ed8d18fbdd3e7f409b17785dd41c520e88de6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 29 Jan 2004 00:05:09 +0000 Subject: [PATCH 019/112] In the development branch, it feels quite all right to warn on a lot more stuff. --- Configure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configure b/Configure index 340fa1f23..466a8dfca 100755 --- a/Configure +++ b/Configure @@ -145,10 +145,10 @@ my %table=( "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32::::win32:cygwin-shared:::.dll", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn:linux-shared", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DBN_CTX_DEBUG -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -g -ggdb3 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", From 61a88c31c00ed57c1f09e21f3cc26158e7f22699 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 29 Jan 2004 02:55:43 +0000 Subject: [PATCH 020/112] Typo --- crypto/rand/randfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 8b072e067..f5d0843d1 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -110,7 +110,7 @@ int RAND_load_file(const char *file, long bytes) in=fopen(file,"rb"); if (in == NULL) goto err; -#if defined(S_IFBLK) && !defined(S_IFCHR) +#if defined(S_IFBLK) && defined(S_IFCHR) if (sb.st_mode & (S_IFBLK | S_IFCHR)) { /* this file is a device. we don't want read an infinite number * of bytes from a random device, nor do we want to use buffered @@ -153,7 +153,7 @@ int RAND_write_file(const char *file) i=stat(file,&sb); if (i != -1) { -#if defined(S_IFBLK) && !defined(S_IFCHR) +#if defined(S_IFBLK) && defined(S_IFCHR) if (sb.st_mode & (S_IFBLK | S_IFCHR)) { /* this file is a device. we don't write back to it. * we "succeed" on the assumption this is some sort From bb5810d21d0d766b67a1f1924c3e313cec8fbeac Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 29 Jan 2004 10:56:18 +0000 Subject: [PATCH 021/112] -Wtraditional was a little too much... --- Configure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Configure b/Configure index 466a8dfca..9cf03b51b 100755 --- a/Configure +++ b/Configure @@ -145,10 +145,10 @@ my %table=( "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32::::win32:cygwin-shared:::.dll", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn:linux-shared", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wtraditional -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DBN_CTX_DEBUG -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -g -ggdb3 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", From 7e22a1df55db03bc1a2f146d3e2bf2cc5ae34055 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 29 Jan 2004 11:24:32 +0000 Subject: [PATCH 022/112] Remove typos --- Configure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Configure b/Configure index 9cf03b51b..fd833ee5a 100755 --- a/Configure +++ b/Configure @@ -147,8 +147,8 @@ my %table=( "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn:linux-shared", "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DBN_CTX_DEBUG -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -g -ggdb3 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown)::::::", From 12470927760cdbcb0885f9cf03aebda495d784d2 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Thu, 29 Jan 2004 22:16:08 +0000 Subject: [PATCH 023/112] HP/UX PA-RISC 2 targets update. --- Configure | 18 +++++---- TABLE | 83 ++++++++++++++++++++++++++++++++++++++++-- config | 19 +++------- crypto/bn/Makefile.ssl | 7 ++++ 4 files changed, 102 insertions(+), 25 deletions(-) diff --git a/Configure b/Configure index fd833ee5a..02915fb74 100755 --- a/Configure +++ b/Configure @@ -252,21 +252,15 @@ my %table=( # crypto/sha/sha_lcl.h. # # -#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", # Since there is mention of this in shlib/hpux10-cc.sh "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:asm/pa-risc2.o:::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # 64bit PARISC for GCC without optimization, which seems to make problems. # Submitted by "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -# HP/UX IA-64 targets -"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -# Frank Geurts has patiently assisted with -# with debugging of the following config. -"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - # More attempts at unified 10.X and 11.X targets for HP C compiler. # # Chris Ruemmler @@ -278,6 +272,16 @@ my %table=( # hpux-parisc1_0-cc with +DAportable flag would make more sense. "hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# HP/UX IA-64 targets +"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# Frank Geurts has patiently assisted with +# with debugging of the following config. +"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +# GCC builds [not tested yet]... +# _ILP32 should have been defined by compiler driver, but it isn't... +"hpux-ia64-gcc","gcc:-O3 -DB_ENDIAN -D_ILP32::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64.o:::::::::dlfcn:hpux-shared:-fpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"hpux64-ia64-gcc","gcc:-mlp64 -O3 -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64.o:::::::::dlfcn:hpux-shared:-fpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or # egcs. gcc 2.8.1 is also broken. diff --git a/TABLE b/TABLE index 35e0b6941..1b67cc2aa 100644 --- a/TABLE +++ b/TABLE @@ -1702,7 +1702,7 @@ $arflags = *** debug-levitte-linux-elf $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1727,7 +1727,7 @@ $arflags = *** debug-levitte-linux-elf-extreme $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1752,7 +1752,7 @@ $arflags = *** debug-levitte-linux-noasm $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1777,7 +1777,7 @@ $arflags = *** debug-levitte-linux-noasm-extreme $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2350,6 +2350,31 @@ $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = +*** hpux-ia64-gcc +$cc = gcc +$cflags = -O3 -DB_ENDIAN -D_ILP32 +$unistd = +$thread_cflag = -D_REENTRANT +$sys_id = +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/ia64.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= hpux-shared +$shared_cflag = -fpic +$shared_ldflag = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = +$arflags = + *** hpux-m68k-gcc $cc = gcc $cflags = -DB_ENDIAN -DBN_DIV2W -O3 @@ -2500,6 +2525,31 @@ $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = +*** hpux-parisc2-gcc +$cc = gcc +$cflags = -march=2.0 -O3 -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$sys_id = +$lflags = -Wl,+s -ldld +$bn_ops = SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1 +$bn_obj = asm/pa-risc2.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dl +$shared_target= hpux-shared +$shared_cflag = -fPIC +$shared_ldflag = +$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = +$arflags = + *** hpux10-brokencc $cc = cc $cflags = -DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z @@ -2625,6 +2675,31 @@ $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = +*** hpux64-ia64-gcc +$cc = gcc +$cflags = -mlp64 -O3 -DB_ENDIAN +$unistd = +$thread_cflag = -D_REENTRANT +$sys_id = +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT +$bn_obj = asm/ia64.o +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= hpux-shared +$shared_cflag = -fpic +$shared_ldflag = +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = +$arflags = + *** hpux64-parisc-gcc $cc = gcc $cflags = -DB_ENDIAN -DMD32_XARRAY diff --git a/config b/config index 1722b8e76..a0dc457c5 100755 --- a/config +++ b/config @@ -683,15 +683,8 @@ EOF RM*-siemens-sysv4) OUT="ReliantUNIX" ;; *-siemens-sysv4) OUT="SINIX" ;; *-hpux1*) - if [ $CC = "gcc" ]; - then - if [ $GCC_BITS = "64" ]; then - OUT="hpux64-parisc-gcc" - else - OUT="hpux-parisc-gcc" - fi - else - OUT="hpux-parisc-$CC" + if [ $CC = "gcc" -a $GCC_BITS = "64" ]; then + OUT="hpux64-parisc2-gcc" fi KERNEL_BITS=`(getconf KERNEL_BITS) 2>/dev/null` KERNEL_BITS=${KERNEL_BITS:-32} @@ -708,9 +701,7 @@ EOF fi OUT="hpux64-ia64-cc" elif [ $CPU_VERSION -ge 532 ]; then # PA-RISC 2.x CPU - if [ "$CC" = "cc" ]; then - OUT="hpux-parisc2-cc" # can't we have hpux-parisc2-gcc? - fi + OUT=${OUT:-"hpux-parisc2-${CC}"} if [ $KERNEL_BITS -eq 64 -a "$CC" = "cc" ]; then echo "WARNING! If you wish to build 64-bit library then you have to" echo " invoke './Configure hpux64-parisc2-cc' *manually*." @@ -720,9 +711,9 @@ EOF fi fi elif [ $CPU_VERSION -ge 528 ]; then # PA-RISC 1.1+ CPU - : + OUT="hpux-parisc-${CC} elif [ $CPU_VERSION -ge 523 ]; then # PA-RISC 1.0 CPU - : + OUT="hpux-parisc-${CC} else # Motorola(?) CPU OUT="hpux-$CC" fi diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl index 7fe70a406..341790354 100644 --- a/crypto/bn/Makefile.ssl +++ b/crypto/bn/Makefile.ssl @@ -122,6 +122,13 @@ asm/ia64-cpp.o: asm/ia64.S asm/x86_64-gcc.o: asm/x86_64-gcc.c +# GNU assembler fails to compile PA-RISC2 modules, insist on calling +# vendor assembler... +asm/pa-risc2W.o: asm/pa-risc2W.s + /usr/ccs/bin/as -o asm/pa-rics2W.o asm/pa-risc2W.s +asm/pa-risc2.o: asm/pa-risc2.s + /usr/ccs/bin/as -o asm/pa-rics2.o asm/pa-risc2.s + files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO From d04b1b46562880b97468b0fa519b36c3be770072 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Fri, 30 Jan 2004 05:41:23 +0000 Subject: [PATCH 024/112] Typo in PA-RISC 2 rules in crypto/bn/Makefile.ssl --- crypto/bn/Makefile.ssl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl index 341790354..c94e7548b 100644 --- a/crypto/bn/Makefile.ssl +++ b/crypto/bn/Makefile.ssl @@ -125,9 +125,9 @@ asm/x86_64-gcc.o: asm/x86_64-gcc.c # GNU assembler fails to compile PA-RISC2 modules, insist on calling # vendor assembler... asm/pa-risc2W.o: asm/pa-risc2W.s - /usr/ccs/bin/as -o asm/pa-rics2W.o asm/pa-risc2W.s + /usr/ccs/bin/as -o asm/pa-risc2W.o asm/pa-risc2W.s asm/pa-risc2.o: asm/pa-risc2.s - /usr/ccs/bin/as -o asm/pa-rics2.o asm/pa-risc2.s + /usr/ccs/bin/as -o asm/pa-risc2.o asm/pa-risc2.s files: $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO From d4575825f1ded552a32c70f8d5e62668978eda91 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 1 Feb 2004 13:39:51 +0000 Subject: [PATCH 025/112] Add flag to avoid continuous memory allocate when calling EVP_MD_CTX_copy_ex(). Without this HMAC is several times slower than < 0.9.7. --- CHANGES | 6 ++++++ crypto/evp/digest.c | 15 ++++++++++++--- crypto/evp/evp.h | 2 ++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index f3c304af7..5590487fd 100644 --- a/CHANGES +++ b/CHANGES @@ -617,6 +617,12 @@ Changes between 0.9.7c and 0.9.7d [xx XXX XXXX] + *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when + calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without + this HMAC (and other) operations are several times slower than OpenSSL + < 0.9.7. + [Steve Henson] + *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex(). [Peter Sylvester ] diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index b22eed442..0623ddf1f 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -248,6 +248,7 @@ int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { + unsigned char *tmp_buf; if ((in == NULL) || (in->digest == NULL)) { EVPerr(EVP_F_EVP_MD_CTX_COPY,EVP_R_INPUT_NOT_INITIALIZED); @@ -262,15 +263,22 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) } #endif + if (out->digest == in->digest) + { + tmp_buf = out->md_data; + EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE); + } + else tmp_buf = NULL; EVP_MD_CTX_cleanup(out); memcpy(out,in,sizeof *out); if (out->digest->ctx_size) { - out->md_data=OPENSSL_malloc(out->digest->ctx_size); + if (tmp_buf) out->md_data = tmp_buf; + else out->md_data=OPENSSL_malloc(out->digest->ctx_size); memcpy(out->md_data,in->md_data,out->digest->ctx_size); } - + if (out->digest->copy) return out->digest->copy(out,in); @@ -308,7 +316,8 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) if (ctx->digest && ctx->digest->cleanup && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED)) ctx->digest->cleanup(ctx); - if (ctx->digest && ctx->digest->ctx_size && ctx->md_data) + if (ctx->digest && ctx->digest->ctx_size && ctx->md_data + && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size); OPENSSL_free(ctx->md_data); diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index a5f3c449c..dd2d186a5 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -288,6 +288,8 @@ struct env_md_ctx_st * once only */ #define EVP_MD_CTX_FLAG_CLEANED 0x0002 /* context has already been * cleaned */ +#define EVP_MD_CTX_FLAG_REUSE 0x0004 /* Don't free up ctx->md_data + * in EVP_MD_CTX_cleanup */ struct evp_cipher_st { From 1751034669af1e687f4fefeff0bbbf98b4adb05a Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sat, 7 Feb 2004 09:51:28 +0000 Subject: [PATCH 026/112] Typo in crypto/bn/asm/x86_64.c, bn_div_words(). PR: 821 --- crypto/bn/asm/x86_64-gcc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c index b97b39466..450e8e432 100644 --- a/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/bn/asm/x86_64-gcc.c @@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n) BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { BN_ULONG ret,waste; - asm ("divq %3" + asm ("divq %4" : "=a"(ret),"=d"(waste) : "a"(l),"d"(h),"g"(d) : "cc"); From 37ead9be0b990b94ec6dbf466cdc05f53c18d442 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 8 Feb 2004 13:30:04 +0000 Subject: [PATCH 027/112] Fix handling of -offset and -length in asn1parse tool. If -offset exceeds -length of data available exit with an error. Don't read past end of total data available when -offset supplied. If -length exceeds total available truncate it. --- apps/asn1pars.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 5f8ba5e73..88db0d197 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -333,7 +333,15 @@ bad: num=tmplen; } - if (length == 0) length=(unsigned int)num; + if (offset >= num) + { + BIO_printf(bio_err, "Error: offset too large\n"); + goto end; + } + + num -= offset; + + if ((length == 0) || (length > num)) length=(unsigned int)num; if(derout) { if(BIO_write(derout, str + offset, length) != (int)length) { BIO_printf(bio_err, "Error writing output\n"); From 6c43032121b3403061119def69c5684ab955e7e2 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Tue, 10 Feb 2004 18:46:10 +0000 Subject: [PATCH 028/112] minor signed/unsigned warning fixes --- apps/asn1pars.c | 2 +- apps/req.c | 4 ++-- crypto/des/cfb_enc.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 88db0d197..c28b5ec19 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -341,7 +341,7 @@ bad: num -= offset; - if ((length == 0) || (length > num)) length=(unsigned int)num; + if ((length == 0) || ((long)length > num)) length=(unsigned int)num; if(derout) { if(BIO_write(derout, str + offset, length) != (int)length) { BIO_printf(bio_err, "Error writing output\n"); diff --git a/apps/req.c b/apps/req.c index c4594c490..5df8f89fc 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1322,7 +1322,7 @@ start: for (;;) /* If OBJ not recognised ignore it */ if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start; if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name) - >= sizeof buf) + >= (int)sizeof(buf)) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; @@ -1387,7 +1387,7 @@ start2: for (;;) goto start2; if (BIO_snprintf(buf,sizeof buf,"%s_default",type) - >= sizeof buf) + >= (int)sizeof(buf)) { BIO_printf(bio_err,"Name '%s' too long\n",v->name); return 0; diff --git a/crypto/des/cfb_enc.c b/crypto/des/cfb_enc.c index 225410efb..0013556c7 100644 --- a/crypto/des/cfb_enc.c +++ b/crypto/des/cfb_enc.c @@ -84,7 +84,7 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, c2l(iv,v1); if (enc) { - while (l >= n) + while (l >= (unsigned long)n) { l-=n; ti[0]=v0; @@ -126,7 +126,7 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, } else { - while (l >= n) + while (l >= (unsigned long)n) { l-=n; ti[0]=v0; From dc90f64d563f2c9709749d0731d6b26c6bce5325 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 19 Feb 2004 18:16:38 +0000 Subject: [PATCH 029/112] Use an OCTET STRING for the encoding of an OCSP nonce value. The old raw format can't be handled by some implementations and updates to RFC2560 will make this mandatory. --- CHANGES | 7 +++++++ crypto/ocsp/ocsp_ext.c | 24 +++++++++++++++++------- 2 files changed, 24 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 5590487fd..bea8e7683 100644 --- a/CHANGES +++ b/CHANGES @@ -617,6 +617,13 @@ Changes between 0.9.7c and 0.9.7d [xx XXX XXXX] + *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. + A clarification of RFC2560 will require the use of OCTET STRINGs and + some implementations cannot handle the current raw format. Since OpenSSL + copies and compares OCSP nonces as opaque blobs without any attempt at + parsing them this should not create any compatibility issues. + [Steve Henson] + *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without this HMAC (and other) operations are several times slower than OpenSSL diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index d6c8899f5..57399433f 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -305,6 +305,8 @@ err: /* Add a nonce to an extension stack. A nonce can be specificed or if NULL * a random nonce will be generated. + * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the + * nonce, previous versions used the raw nonce. */ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len) @@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, ASN1_OCTET_STRING os; int ret = 0; if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH; - if (val) tmpval = val; + /* Create the OCTET STRING manually by writing out the header and + * appending the content octets. This avoids an extra memory allocation + * operation in some cases. Applications should *NOT* do this because + * it relies on library internals. + */ + os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING); + os.data = OPENSSL_malloc(os.length); + if (os.data == NULL) + goto err; + tmpval = os.data; + ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); + if (val) + memcpy(tmpval, val, len); else - { - if (!(tmpval = OPENSSL_malloc(len))) goto err; RAND_pseudo_bytes(tmpval, len); - } - os.data = tmpval; - os.length = len; if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; ret = 1; err: - if(!val) OPENSSL_free(tmpval); + if (os.data) + OPENSSL_free(os.data); return ret; } From 1b06804491c8cd5a7bb1e4911578351bbe91a2af Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Sun, 22 Feb 2004 19:30:41 +0000 Subject: [PATCH 030/112] When adding positive elements, we can use BN_uadd() instead of BN_add(). Submitted by: Nils Larsch Reviewed by: Geoff Thorpe --- crypto/bn/bn_mod.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 61b725509..77d6ddb91 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c @@ -149,7 +149,7 @@ int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_ * and less than m */ int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { - if (!BN_add(r, a, b)) return 0; + if (!BN_uadd(r, a, b)) return 0; if (BN_ucmp(r, m) >= 0) return BN_usub(r, r, m); return 1; From c6700d27461e213af63bec686c57bd5a57c94a91 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Sun, 22 Feb 2004 19:32:53 +0000 Subject: [PATCH 031/112] A cleanup of the ecs_ossl.c code and some (doxygen) comments for ecdsa.h Submitted by: Nils Larsch Reviewed by: Geoff Thorpe --- crypto/ecdsa/ecdsa.h | 155 +++++++++++++++++++++--- crypto/ecdsa/ecs_ossl.c | 256 +++++++++++++++++++--------------------- 2 files changed, 258 insertions(+), 153 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index e82762d35..3e6abd26f 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -1,6 +1,10 @@ /* crypto/ecdsa/ecdsa.h */ +/** + * \file crypto/ecdsa/ecdsa.h Include file for the OpenSSL ECDSA functions + * \author Written by Nils Larsch for the OpenSSL project + */ /* ==================================================================== - * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -96,7 +100,7 @@ typedef struct ecdsa_data_st { /* EC_KEY_METH_DATA part */ int (*init)(EC_KEY *); void (*finish)(EC_KEY *); - /* method specific part */ + /* method (ECDSA) specific part */ BIGNUM *kinv; /* signing pre-calc */ BIGNUM *r; /* signing pre-calc */ ENGINE *engine; @@ -105,38 +109,157 @@ typedef struct ecdsa_data_st { CRYPTO_EX_DATA ex_data; } ECDSA_DATA; -/* signature functions */ +/** ECDSA_SIG *ECDSA_SIG_new(void) + * allocates and initialize a ECDSA_SIG structure + * \return pointer to a ECDSA_SIG structure or NULL if an error occurred + */ ECDSA_SIG *ECDSA_SIG_new(void); + +/** ECDSA_SIG_free + * frees a ECDSA_SIG structure + * \param a pointer to the ECDSA_SIG structure + */ void ECDSA_SIG_free(ECDSA_SIG *a); + +/** i2d_ECDSA_SIG + * DER encode content of ECDSA_SIG object (note: this function modifies *pp + * (*pp += length of the DER encoded signature)). + * \param a pointer to the ECDSA_SIG object + * \param pp pointer to a unsigned char pointer for the output or NULL + * \return the length of the DER encoded ECDSA_SIG object or 0 + */ int i2d_ECDSA_SIG(const ECDSA_SIG *a, unsigned char **pp); -ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **v, const unsigned char **pp, long length); -/* ECDSA_DATA functions */ +/** d2i_ECDSA_SIG + * decodes a DER encoded ECDSA signature (note: this function changes *pp + * (*pp += len)). + * \param v pointer to ECDSA_SIG pointer (may be NULL) + * \param pp buffer with the DER encoded signature + * \param len bufferlength + * \return pointer to the decoded ECDSA_SIG structure (or NULL) + */ +ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **v, const unsigned char **pp, long len); + +/** ECDSA_DATA_new + * creates a new ECDSA_DATA object + * \return pointer to a newly allocated (and initialized) ECDSA_DATA object + */ ECDSA_DATA *ECDSA_DATA_new(void); -ECDSA_DATA *ECDSA_DATA_new_method(ENGINE *); -void ECDSA_DATA_free(ECDSA_DATA *); -ECDSA_DATA *ecdsa_check(EC_KEY *); +/** ECDSA_DATA_new_method + * creates a new ECDSA_DATA object using a specified ENGINE + * \param eng pointer to a ENGINE structure + * \return pointer to a newly allocated (and initialized) ECDSA_DATA object + */ +ECDSA_DATA *ECDSA_DATA_new_method(ENGINE *eng); -ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, EC_KEY *); +/** ECDSA_DATA_free + * frees ECDSA_DATA structure + * \param data pointer to a ECDSA_DATA structure + */ +void ECDSA_DATA_free(ECDSA_DATA *data); + +/** ecdsa_check + * checks whether ECKEY->meth_data is a pointer to a ECDSA_DATA structure + * and if not it removes the old meth_data and creates a ECDSA_DATA structure. + * \param eckey pointer to a EC_KEY object + * \return pointer to a ECDSA_DATA structure + */ +ECDSA_DATA *ecdsa_check(EC_KEY *eckey); + +/** ECDSA_do_sign + * computes the ECDSA signature of the given hash value using + * the supplied private key and returns the created signature. + * \param dgst pointer to the hash value + * \param dgst_len length of the hash value + * \param eckey pointer to the EC_KEY object containing a private EC key + * \return pointer to a ECDSA_SIG structure or NULL + */ +ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst,int dgst_len,EC_KEY *eckey); + +/** ECDSA_do_verify + * verifies that the supplied signature is a valid ECDSA + * signature of the supplied hash value using the supplied public key. + * \param dgst pointer to the hash value + * \param dgst_len length of the hash value + * \param sig pointer to the ECDSA_SIG structure + * \param eckey pointer to the EC_KEY object containing a public EC key + * \return 1 if the signature is valid, 0 if the signature is invalid and -1 on error + */ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, ECDSA_SIG *sig, EC_KEY* eckey); const ECDSA_METHOD *ECDSA_OpenSSL(void); -void ECDSA_set_default_method(const ECDSA_METHOD *); -const ECDSA_METHOD *ECDSA_get_default_method(void); -int ECDSA_set_method(EC_KEY *, const ECDSA_METHOD *); +/** ECDSA_set_default_method + * sets the default ECDSA method + * \param meth the new default ECDSA_METHOD + */ +void ECDSA_set_default_method(const ECDSA_METHOD *meth); -int ECDSA_size(const EC_KEY *); +/** ECDSA_get_default_method + * returns the default ECDSA method + * \return pointer to ECDSA_METHOD structure containing the default method + */ +const ECDSA_METHOD *ECDSA_get_default_method(void); + +/** ECDSA_set_method + * sets method to be used for the ECDSA operations + * \param eckey pointer to the EC_KEY object + * \param meth pointer to the new method + * \return 1 on success and 0 otherwise + */ +int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth); + +/** ECDSA_size + * returns the maximum length of the DER encoded signature + * \param eckey pointer to a EC_KEY object + * \return numbers of bytes required for the DER encoded signature + */ +int ECDSA_size(const EC_KEY *eckey); + +/** ECDSA_sign_setup + * precompute parts of the signing operation (the computed values may be + * passed to ECDSA_DATA->kinv and ECDSA_DATA->r for a later signature + * computation). + * \param eckey pointer to the EC_KEY object containing a private EC key + * \param ctx pointer to a BN_CTX object (may be NULL) + * \param kinv pointer to a BIGNUM pointer for the inverse of k + * \param rp pointer to a BIGNUM pointer for x coordinate of k * generator + * \return 1 on success and 0 otherwise + */ int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp); -int ECDSA_sign(int type, const unsigned char *dgst, int dgst_len, + +/** ECDSA_sign + * computes ECDSA signature of a given hash value using the supplied + * private key (note: sig must point to ECDSA_size(eckey) bytes of memory). + * \param type this parameter is ignored + * \param dgst pointer to the hash value to sign + * \param dgstlen length of the hash value + * \param sig buffer to hold the DER encoded signature + * \param siglen pointer to the length of the returned signature + * \param eckey pointer to the EC_KEY object containing a private EC key + * \return 1 on success and 0 otherwise + */ +int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); -int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, - const unsigned char *sig, int sig_len, EC_KEY *eckey); +/** ECDSA_verify + * verifies that the given signature is valid ECDSA signature + * of the supplied hash value using the specified public key. + * \param type this parameter is ignored + * \param dgst pointer to the hash value + * \param dgstlen length of the hash value + * \param sig pointer to the DER encoded signature + * \param siglen length of the DER encoded signature + * \param eckey pointer to the EC_KEY object containing a public EC key + * \return 1 if the signature is valid, 0 if the signature is invalid and -1 on error + */ +int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, + const unsigned char *sig, int siglen, EC_KEY *eckey); +/* the standard ex_data functions */ int ECDSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg); diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index ba1c56121..7e4b61fde 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -1,6 +1,9 @@ /* crypto/ecdsa/ecs_ossl.c */ +/* + * Written by Nils Larsch for the OpenSSL project + */ /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -86,49 +89,43 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { BN_CTX *ctx = NULL; - BIGNUM k,*kinv=NULL,*r=NULL,*order=NULL,*X=NULL; + BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; EC_POINT *tmp_point=NULL; + EC_GROUP *group; int ret = 0; if (!eckey || !eckey->group || !eckey->pub_key || !eckey->priv_key) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_PASSED_NULL_PARAMETER); return 0; } - - BN_init(&k); + group = eckey->group; if (ctx_in == NULL) { - if ((ctx=BN_CTX_new()) == NULL) + if ((ctx = BN_CTX_new()) == NULL) { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); - goto err; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_MALLOC_FAILURE); + return 0; } } else - ctx=ctx_in; + ctx = ctx_in; - if ((r = BN_new()) == NULL) + k = BN_new(); /* this value is later returned in *kinvp */ + r = BN_new(); /* this value is later returned in *rp */ + order = BN_new(); + X = BN_new(); + if (!k || !r || !order || !X) { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); - goto err; + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_MALLOC_FAILURE); + goto err; } - if ((order = BN_new()) == NULL) - { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); - goto err; - } - if ((X = BN_new()) == NULL) - { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); - goto err; - } - if ((tmp_point = EC_POINT_new(eckey->group)) == NULL) + if ((tmp_point = EC_POINT_new(group)) == NULL) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } - if (!EC_GROUP_get_order(eckey->group,order,ctx)) + if (!EC_GROUP_get_order(group, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; @@ -138,42 +135,39 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, { /* get random k */ do - if (!BN_rand_range(&k,order)) + if (!BN_rand_range(k, order)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } - while (BN_is_zero(&k)); + while (BN_is_zero(k)); /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(eckey->group, tmp_point, &k, NULL, NULL, ctx)) + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); goto err; } - if (EC_METHOD_get_field_type(EC_GROUP_method_of(eckey->group)) - == NID_X9_62_prime_field) + if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(eckey->group, + if (!EC_POINT_get_affine_coordinates_GFp(group, tmp_point, X, NULL, ctx)) { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, - ERR_R_EC_LIB); + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB); goto err; } } else /* NID_X9_62_characteristic_two_field */ { - if (!EC_POINT_get_affine_coordinates_GF2m(eckey->group, + if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp_point, X, NULL, ctx)) { - ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, - ERR_R_EC_LIB); + ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP,ERR_R_EC_LIB); goto err; } } - if (!BN_nnmod(r,X,order,ctx)) + if (!BN_nnmod(r, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; @@ -182,36 +176,34 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, while (BN_is_zero(r)); /* compute the inverse of k */ - if ((kinv = BN_mod_inverse(NULL,&k,order,ctx)) == NULL) + if (!BN_mod_inverse(k, k, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_BN_LIB); goto err; } - - if (*rp == NULL) + /* clear old values if necessary */ + if (*rp != NULL) BN_clear_free(*rp); - *rp = r; - if (*kinvp == NULL) + if (*kinvp != NULL) BN_clear_free(*kinvp); - *kinvp = kinv; - kinv = NULL; + /* save the pre-computed values */ + *rp = r; + *kinvp = k; ret = 1; err: if (!ret) { - if (kinv != NULL) BN_clear_free(kinv); + if (k != NULL) BN_clear_free(k); if (r != NULL) BN_clear_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); - if (kinv != NULL) - BN_clear_free(kinv); if (order != NULL) - BN_clear_free(order); + BN_free(order); if (tmp_point != NULL) EC_POINT_free(tmp_point); - if (X) BN_clear_free(X); - BN_clear_free(&k); + if (X) + BN_clear_free(X); return(ret); } @@ -219,32 +211,38 @@ err: static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, EC_KEY *eckey) { - BIGNUM *kinv=NULL,*r=NULL,*s=NULL,*m=NULL,*tmp=NULL,*order=NULL; - BIGNUM xr; - BN_CTX *ctx=NULL; - ECDSA_SIG *ret=NULL; + int ok = 0; + BIGNUM *kinv=NULL, *r, *s, *m=NULL,*tmp=NULL,*order=NULL; + BN_CTX *ctx = NULL; + EC_GROUP *group; + ECDSA_SIG *ret; ECDSA_DATA *ecdsa; - BN_init(&xr); - ecdsa = ecdsa_check(eckey); - if (!eckey || !eckey->group || !eckey->pub_key || !eckey->priv_key - || !ecdsa) + if (!eckey->group || !eckey->pub_key || !eckey->priv_key || !ecdsa) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_PASSED_NULL_PARAMETER); - goto err; + return NULL; } + group = eckey->group; + ret = ECDSA_SIG_new(); + if (!ret) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); + return NULL; + } + s = ret->s; + if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || - (tmp = BN_new()) == NULL || (m = BN_new()) == NULL || - (s = BN_new()) == NULL ) + (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_GROUP_get_order(eckey->group,order,ctx)) + if (!EC_GROUP_get_order(group, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB); goto err; @@ -256,7 +254,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, goto err; } - if (BN_bin2bn(dgst,dgst_len,m) == NULL) + if (!BN_bin2bn(dgst, dgst_len, m)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; @@ -265,34 +263,34 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, { if (ecdsa->kinv == NULL || ecdsa->r == NULL) { - if (!ECDSA_sign_setup(eckey,ctx,&kinv,&r)) + if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) { - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, - ERR_R_ECDSA_LIB); + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,ERR_R_ECDSA_LIB); goto err; } + r = ret->r; } else { - kinv = ecdsa->kinv; + BN_free(ret->r); + kinv = ecdsa->kinv; + r = ecdsa->r; + ret->r = r; ecdsa->kinv = NULL; - r = ecdsa->r; - ecdsa->r = NULL; + ecdsa->r = NULL; } - if (!BN_mod_mul(tmp,eckey->priv_key,r,order,ctx)) + if (!BN_mod_mul(tmp, eckey->priv_key, r, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } - if (!BN_add(s,tmp,m)) + if (!BN_mod_add_quick(s, tmp, m, order)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } - if (BN_cmp(s,order) > 0) - BN_sub(s,s,order); - if (!BN_mod_mul(s,s,kinv,order,ctx)) + if (!BN_mod_mul(s, s, kinv, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; @@ -300,23 +298,13 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, } while (BN_is_zero(s)); - if ((ret = ECDSA_SIG_new()) == NULL) - { - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE); - goto err; - } - if (BN_copy(ret->r, r) == NULL || BN_copy(ret->s, s) == NULL) + ok = 1; +err: + if (!ok) { ECDSA_SIG_free(ret); ret = NULL; - ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); } - -err: - if (r) - BN_clear_free(r); - if (s) - BN_clear_free(s); if (ctx) BN_CTX_free(ctx); if (m) @@ -324,92 +312,99 @@ err: if (tmp) BN_clear_free(tmp); if (order) - BN_clear_free(order); + BN_free(order); if (kinv) BN_clear_free(kinv); - return(ret); + return ret; } static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, ECDSA_SIG *sig, EC_KEY *eckey) { - BN_CTX *ctx; - BIGNUM *order=NULL,*u1=NULL,*u2=NULL,*m=NULL,*X=NULL; - EC_POINT *point=NULL; int ret = -1; + BN_CTX *ctx; + BIGNUM *order, *u1, *u2, *m, *X; + EC_POINT *point = NULL; + EC_GROUP *group; + /* check input values */ if (!eckey || !eckey->group || !eckey->pub_key || !sig) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_MISSING_PARAMETERS); return -1; } - if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || - (u1 = BN_new()) == NULL || (u2 = BN_new()) == NULL || - (m = BN_new()) == NULL || (X = BN_new()) == NULL) + group = eckey->group; + + ctx = BN_CTX_new(); + if (!ctx) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); - goto err; + return -1; } - if (!EC_GROUP_get_order(eckey->group, order, ctx)) + BN_CTX_start(ctx); + order = BN_CTX_get(ctx); + u1 = BN_CTX_get(ctx); + u2 = BN_CTX_get(ctx); + m = BN_CTX_get(ctx); + X = BN_CTX_get(ctx); + if (!X) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } - - if (BN_is_zero(sig->r) || BN_get_sign(sig->r) || - BN_ucmp(sig->r, order) >= 0) + + if (!EC_GROUP_get_order(group, order, ctx)) { - ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE); - ret = 0; - goto err; - } - if (BN_is_zero(sig->s) || BN_get_sign(sig->s) || - BN_ucmp(sig->s, order) >= 0) - { - ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE); - ret = 0; + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } + if (BN_is_zero(sig->r) || BN_get_sign(sig->r) || + BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || + BN_get_sign(sig->s) || BN_ucmp(sig->s, order) >= 0) + { + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ECDSA_R_BAD_SIGNATURE); + ret = 0; /* signature is invalid */ + goto err; + } /* calculate tmp1 = inv(S) mod order */ - if ((BN_mod_inverse(u2,sig->s,order,ctx)) == NULL) + if (!BN_mod_inverse(u2, sig->s, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } /* digest -> m */ - if (BN_bin2bn(dgst,dgst_len,m) == NULL) + if (!BN_bin2bn(dgst, dgst_len, m)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } /* u1 = m * tmp mod order */ - if (!BN_mod_mul(u1,m,u2,order,ctx)) + if (!BN_mod_mul(u1, m, u2, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } /* u2 = r * w mod q */ - if (!BN_mod_mul(u2,sig->r,u2,order,ctx)) + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } - if ((point = EC_POINT_new(eckey->group)) == NULL) + if ((point = EC_POINT_new(group)) == NULL) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_POINT_mul(eckey->group, point, u1, eckey->pub_key, u2, ctx)) + if (!EC_POINT_mul(group, point, u1, eckey->pub_key, u2, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } - if (EC_METHOD_get_field_type(EC_GROUP_method_of(eckey->group)) - == NID_X9_62_prime_field) + if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(eckey->group, + if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); @@ -418,7 +413,7 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, } else /* NID_X9_62_characteristic_two_field */ { - if (!EC_POINT_get_affine_coordinates_GF2m(eckey->group, + if (!EC_POINT_get_affine_coordinates_GF2m(group, point, X, NULL, ctx)) { ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB); @@ -426,30 +421,17 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, } } - if (!BN_nnmod(u1,X,order,ctx)) + if (!BN_nnmod(u1, X, order, ctx)) { ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB); goto err; } - - /* is now in u1. If the signature is correct, it will be - * equal to R. */ - ret = (BN_ucmp(u1,sig->r) == 0); - - err: - if (ctx) - BN_CTX_free(ctx); - if (u1) - BN_clear_free(u1); - if (u2) - BN_clear_free(u2); - if (m) - BN_clear_free(m); - if (X) - BN_clear_free(X); - if (order) - BN_clear_free(order); + /* if the signature is correct u1 is equal to sig->r */ + ret = (BN_ucmp(u1, sig->r) == 0); +err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); if (point) EC_POINT_free(point); - return(ret); + return ret; } From 8bb0c8522a3980a82bf0ebfbdf782ec306c35ea6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 26 Feb 2004 21:44:41 +0000 Subject: [PATCH 032/112] Document the AES options for 'openssl smime'. PR: 834 --- doc/apps/smime.pod | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 2453dd273..222d3d943 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -17,6 +17,9 @@ B B [B<-rc2-40>] [B<-rc2-64>] [B<-rc2-128>] +[B<-ase128>] +[B<-ase192>] +[B<-ase256>] [B<-in file>] [B<-certfile file>] [B<-signer file>] @@ -126,11 +129,11 @@ B<-verify>. This directory must be a standard certificate directory: that is a hash of each subject name (using B) should be linked to each certificate. -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128> +=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits) -or 40, 64 or 128 bit RC2 respectively if not specified 40 bit RC2 is -used. Only used with B<-encrypt>. +the encryption algorithm to use. DES (56 bits), triple DES (168 bits), +40, 64 or 128 bit RC2 or 128, 192 or 256 bit AES respectively. If not +specified 40 bit RC2 is used. Only used with B<-encrypt>. =item B<-nointern> From f727266ae843eaa3502f1e35fe594b195a3879ed Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 26 Feb 2004 22:07:45 +0000 Subject: [PATCH 033/112] Make sure the given EVP_PKEY is updated in the PEM_STRING_PKCS8INF case also. PR: 833 --- crypto/pem/pem_pkey.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 92a55f536..d23adf302 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -89,6 +89,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, vo p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len); if(!p8inf) goto p8err; ret = EVP_PKCS82PKEY(p8inf); + if(x) { + if(*x) EVP_PKEY_free((EVP_PKEY *)*x); + *x = ret; + } PKCS8_PRIV_KEY_INFO_free(p8inf); } else if (strcmp(nm,PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; From ee3a47a99406a782d5152841148b539d3aad32bb Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 27 Feb 2004 02:24:49 +0000 Subject: [PATCH 034/112] AES is spelled AES, not ASE. Oops... --- doc/apps/smime.pod | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 222d3d943..84b673f79 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -17,9 +17,9 @@ B B [B<-rc2-40>] [B<-rc2-64>] [B<-rc2-128>] -[B<-ase128>] -[B<-ase192>] -[B<-ase256>] +[B<-aes128>] +[B<-aes192>] +[B<-aes256>] [B<-in file>] [B<-certfile file>] [B<-signer file>] From 5075521e75c99e5cc7f4cab4f3fccc0421e525ce Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Fri, 27 Feb 2004 23:03:23 +0000 Subject: [PATCH 035/112] Add ECDSA documentation. Submitted by: Nils Larsch --- doc/crypto/ecdsa.pod | 232 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) create mode 100644 doc/crypto/ecdsa.pod diff --git a/doc/crypto/ecdsa.pod b/doc/crypto/ecdsa.pod new file mode 100644 index 000000000..2a0f41263 --- /dev/null +++ b/doc/crypto/ecdsa.pod @@ -0,0 +1,232 @@ +=pod + +=head1 NAME + +ecdsa - Elliptic Curve Digital Signature Algorithm + +=head1 SYNOPSIS + + #include + + ECDSA_SIG* ECDSA_SIG_new(void); + void ECDSA_SIG_free(ECDSA_SIG *sig); + int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); + ECDSA_SIG* d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, + long len); + + ECDSA_DATA* ECDSA_DATA_new(void); + ECDSA_DATA* ECDSA_DATA_new_method(ENGINE *eng); + void ECDSA_DATA_free(ECDSA_DATA *data); + ECDSA_DATA* ecdsa_check(EC_KEY *eckey); + + ECDSA_SIG* ECDSA_do_sign(const unsigned char *dgst, int dgst_len, + EC_KEY *eckey); + int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, + ECDSA_SIG *sig, EC_KEY* eckey); + int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, + BIGNUM **kinv, BIGNUM **rp); + int ECDSA_sign(int type, const unsigned char *dgst, + int dgstlen, unsigned char *sig, + unsigned int *siglen, EC_KEY *eckey); + int ECDSA_verify(int type, const unsigned char *dgst, + int dgstlen, const unsigned char *sig, + int siglen, EC_KEY *eckey); + int ECDSA_size(const EC_KEY *eckey); + + const ECDSA_METHOD* ECDSA_OpenSSL(void); + void ECDSA_set_default_method(const ECDSA_METHOD *meth); + const ECDSA_METHOD* ECDSA_get_default_method(void); + int ECDSA_set_method(EC_KEY *eckey,const ECDSA_METHOD *meth); + + int ECDSA_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, + CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg); + void* ECDSA_get_ex_data(EC_KEY *d, int idx); + +=head1 DESCRIPTION + +The B structure consists of two BIGNUMs for the +r and s value of a ECDSA signature (see X9.62 or FIPS 186-2). + + struct + { + BIGNUM *r; + BIGNUM *s; + } ECDSA_SIG; + +ECDSA_SIG_new() allocates a new B structure (note: this +function also allocates the BIGNUMs) and initialize it. + +ECDSA_SIG_free() frees the B structure B. + +i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature +B and writes the encoded signature to B<*pp> (note: if B +is NULL B returns the expected length in bytes of +the DER encoded signature). B returns the length +of the DER encoded signature (or 0 on error). + +d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns +the decoded signature in a newly allocated B structure. +B<*sig> points to the buffer containing the DER encoded signature +of size B. + +The B structure extends the B +structure with ECDSA specific data. + + struct + { + /* EC_KEY_METH_DATA part */ + int (*init)(EC_KEY *); + void (*finish)(EC_KEY *); + /* method (ECDSA) specific part */ + BIGNUM *kinv; /* signing pre-calc */ + BIGNUM *r; /* signing pre-calc */ + ... + } + ECDSA_DATA; + +B and B are used to store precomputed values (see +B). + +ECDSA_DATA_new() returns a newly allocated and initialized +B structure (or NULL on error). + +ECDSA_DATA_free() frees the B structure B. + +ecdsa_check() returns the pointer to the B +structure in Bmeth_data> (if Bmeth_data> +is not a pointer to a B structure then the old +data is freed and a new B structure is allocated +using B). + +ECDSA_size() returns the maximum length of a DER encoded +ECDSA signature created with the private EC key B. + +ECDSA_sign_setup() may be used to precompute parts of the +signing operation. B is the private EC key and B +is a pointer to B structure (or NULL). The precomputed +values or returned in B and B and can be used in a +later call to B or B when placed in +Bkinv> and Br>. + +ECDSA_sign() computes a digital signature of the B bytes +hash value B using the private EC key B and places +the DER encoding of the created signature in B. The length +of the created signature is returned in B. Note: B +must point to B bytes of memory. The parameter B +is ignored. + +ECDSA_verify() verifies that the signature in B of size +B is a valid ECDSA signature of the hash value +value B of size B using the public key B. +The parameter B is ignored. + +ECDSA_do_sign() computes a digital signature of the B +bytes hash value B using the private key B and +returns the signature in a newly allocated B structure +(or NULL on error). + +ECDSA_do_verify() verifies that the signature B is a valid +ECDSA signature of the hash value B of size B +using the public key B. + +=head1 RETURN VALUES + +ECDSA_size() returns the maximum length signature or 0 on error. + +ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1 +on error. + +ECDSA_verify() and ECDSA_do_verify() return 1 for a valid +signature, 0 for an invalid signature and -1 on error. +The error codes can be obtained by L. + +=head1 EXAMPLES + +Creating a ECDSA signature of given SHA-1 hash value using the +named curve secp192k1. + +First step: create a EC_KEY object (note: this part is B ECDSA +specific) + + int ret; + ECDSA_SIG *sig; + EC_KEY *eckey = EC_KEY_new(); + if (eckey == NULL) + { + /* error */ + } + key->group = EC_GROUP_new_by_nid(NID_secp192k1); + if (key->group == NULL) + { + /* error */ + } + if (!EC_KEY_generate_key(eckey)) + { + /* error */ + } + +Second step: compute the ECDSA signature of a SHA-1 hash value +using B + + sig = ECDSA_do_sign(digest, 20, eckey); + if (sig == NULL) + { + /* error */ + } + +or using B + + unsigned char *buffer, *pp; + int buf_len; + buf_len = ECDSA_size(eckey); + buffer = OPENSSL_malloc(buf_len); + pp = buffer; + if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey); + { + /* error */ + } + +Third step: verify the created ECDSA signature using B + + ret = ECDSA_do_verify(digest, 20, sig, eckey); + +or using B + + ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey); + +and finally evaluate the return value: + + if (ret == -1) + { + /* error */ + } + else if (ret == 0) + { + /* incorrect signature */ + } + else /* ret == 1 */ + { + /* signature ok */ + } + +=head1 CONFORMING TO + +ANSI X9.62, US Federal Information Processing Standard FIPS 186-2 +(Digital Signature Standard, DSS) + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +The ecdsa implementation was first introduced in OpenSSL 0.9.8 + +=head1 AUTHOR + +Nils Larsch for the OpenSSL project (http://www.openssl.org). + +=cut From a30af36c77af13044b75338d26451a5f16367421 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 1 Mar 2004 01:04:40 +0000 Subject: [PATCH 036/112] Initial docs for the OpenSSL library configuration via openssl.cnf --- doc/apps/config.pod | 65 ++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 62 insertions(+), 3 deletions(-) diff --git a/doc/apps/config.pod b/doc/apps/config.pod index ce874a42c..cc102a968 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files The OpenSSL CONF library can be used to read configuration files. It is used for the OpenSSL master configuration file B and in a few other places like B files and certificate extension -files for the B utility. +files for the B utility. OpenSSL applications can also use the +CONF library for their own purposes. A configuration file is divided into a number of sections. Each section starts with a line B<[ section_name ]> and ends when a new section is @@ -51,13 +52,71 @@ or the B<\> character. By making the last character of a line a B<\> a B string can be spread across multiple lines. In addition the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized. +=head1 OPENSSL LIBRARY CONFIGURATION + +In OpenSSL 0.9.7 and later applications can automatically configure certain +aspects of OpenSSL using the master OpenSSL configuration file, or optionally +an alternative configuration file. The B utility includes this +functionality: any sub command uses the master OpenSSL configuration file +unless an option is used in the sub command to use an alternative configuration +file. + +To enable library configuration the default section needs to contain an +appropriate line which points to the main configuration section. The default +name is B which is used by the B utility. Other +applications may use an alternative name such as B. + +The configuration section should consist of a set of name value pairs which +contain specific module configuration information. The B represents +the name of the I the meaning of the B is +module specific: it may, for example, represent a further configuration +section containing configuration module specific information. E.g. + + openssl_conf = openssl_init + + [openssl_init] + + oid_section = new_oids + engines = engine_section + + [new_oids] + + ... new oids here ... + + [engine_section] + + ... engine stuff here ... + +Currently there are two supported configuration modules supported. One for +ASN1 objects another for ENGINE configuration. + +=head2 ASN1 OBJECT CONFIGURATION MODULE + +This module has the name B. The value of this variable points +to a section containing name value pairs of OIDs: the name is the OID short +and long name, the value is the numerical form of the OID. Although some of +the B utility sub commands already have their own ASN1 OBJECT section +functionality not all do. By using the ASN1 OBJECT configuration module +B the B utility sub commands can see the new objects as well +as any compliant applications. For example: + + [new_oids] + + some_new_oid = 1.2.3.4 + some_other_oid = 1.2.3.5 + +=head2 ENGINE CONFIGURATION MODULE + +To be continued... + =head1 NOTES If a configuration file attempts to expand a variable that doesn't exist then an error is flagged and the file will not load. This can happen if an attempt is made to expand an environment variable that doesn't -exist. For example the default OpenSSL master configuration file used -the value of B which may not be defined on non Unix systems. +exist. For example in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of B which may not be +defined on non Unix systems and would cause an error. This can be worked around by including a B section to provide a default value: then if the environment lookup fails the default value From 4cfa4ae820c24462c916a43d36d5daaeaf85345e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 1 Mar 2004 14:58:22 +0000 Subject: [PATCH 037/112] Avoid a memory leak in OCSP_parse_url(). Notified by Paul Siegel --- crypto/ocsp/ocsp_lib.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c index 3875af165..9e87fc789 100644 --- a/crypto/ocsp/ocsp_lib.c +++ b/crypto/ocsp/ocsp_lib.c @@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss err: + if (buf) OPENSSL_free(buf); if (*ppath) OPENSSL_free(*ppath); if (*pport) OPENSSL_free(*pport); if (*phost) OPENSSL_free(*phost); From f2c18125607f0871df4cb5dfbeaf830f57811184 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 1 Mar 2004 19:15:24 +0000 Subject: [PATCH 038/112] More autoconfig docs. --- doc/apps/config.pod | 81 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/doc/apps/config.pod b/doc/apps/config.pod index cc102a968..8f823fa6d 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -87,8 +87,8 @@ section containing configuration module specific information. E.g. ... engine stuff here ... -Currently there are two supported configuration modules supported. One for -ASN1 objects another for ENGINE configuration. +Currently there are two configuration modules. One for ASN1 objects another +for ENGINE configuration. =head2 ASN1 OBJECT CONFIGURATION MODULE @@ -107,7 +107,82 @@ as any compliant applications. For example: =head2 ENGINE CONFIGURATION MODULE -To be continued... +This ENGINE configuration module has the name B. The value of this +variable points to a section containing further ENGINE configuration +information. + +The section pointed to by B is a table of engine names (though see +B below) and further sections containing configuration informations +specific to each ENGINE. + +Each ENGINE specific section is used to set default algorithms, load +dynamic, perform initialization and send ctrls. The actual operation performed +depends on the I name which is the name of the name value pair. The +currently supported commands are listed below. + +For example: + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + # Configure ENGINE named "bar" + bar = bar_section + + [foo_section] + ... foo ENGINE specific commands ... + + [bar_section] + ... "bar" ENGINE specific commands ... + +The command B is used to give the ENGINE name. If used this +command must be first. For example: + + [engine_section] + # This would normally handle an ENGINE named "foo" + foo = foo_section + + [foo_section] + # Override default name and use "myfoo" instead. + engine_id = myfoo + +The command B loads and adds an ENGINE from the given path. It +is equivalent to sending the ctrls B with the path argument followed +by B with value 2 and B to the dynamic ENGINE. If this is +not the required behaviour then alternative ctrls can be sent directly +to the dynamic ENGINE using ctrl commands. + +The command B determines whether to initialize the ENGINE. If the value +is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to +initialized the ENGINE immediately. If the B command is not present +then an attempt will be made to initialize the ENGINE after all commands in +its section have been processed. + +The command B sets the default algorithms an ENGINE will +supply using the functions B + +If the name matches none of the above command names it is assumed to be a +ctrl command which is sent to the ENGINE. The value of the command is the +argument to the ctrl command. If the value is the string B then no +value is sent to the command. + +For example: + + + [engine_section] + + # Configure ENGINE named "foo" + foo = foo_section + + [foo_section] + # Load engine from DSO + dynamic_path = /some/path/fooengine.so + # A foo specific ctrl. + some_ctrl = some_value + # Another ctrl that doesn't take a value. + other_ctrl = EMPTY + # Supply all default algorithms + default_algorithms = ALL =head1 NOTES From 5a8922aed50153592f8976b4c8a57c61f28363f0 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 2 Mar 2004 01:01:11 +0000 Subject: [PATCH 039/112] Documentation of the KISS autoconfig functions. --- doc/crypto/OPENSSL_config.pod | 77 +++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 doc/crypto/OPENSSL_config.pod diff --git a/doc/crypto/OPENSSL_config.pod b/doc/crypto/OPENSSL_config.pod new file mode 100644 index 000000000..18da16f3c --- /dev/null +++ b/doc/crypto/OPENSSL_config.pod @@ -0,0 +1,77 @@ +=pod + +=head1 NAME + +OPENSSL_config, OPENSSL_no_config - minimal OpenSSL configuration + +=head1 SYNOPSIS + + #include + + void OPENSSL_config(const char *config_name); + void OPENSSL_no_config(void); + +=head1 DESCRIPTION + +OPENSSL_config() configures OpenSSL using the standard B +configuration file name using B. If B is NULL then +the default name B will be used. Any errors are ignored. Further +calls to OPENSSL_config() will have no effect. The configuration file format +is documented in the L manual page. + +OPENSSL_no_config() disables configuration. If called before OPENSSL_config() +no configuration takes place. + +=head1 NOTES + +It is B recommended that B new applications call OPENSSL_config() +or the more sophisticated functions such as CONF_modules_load() during +initialization (that is before starting any threads). By doing this +an application does not need to keep track of all configuration options +and some new functionality can be supported automatically. + +It is also possible to automatically call OPENSSL_config() when an application +calls OPENSSL_add_all_algorithms() by compiling an application with the +preprocessor symbol B #define'd. + +The environment variable B can be set to specify the location +of the configuration file. + +Currently ASN1 OBJECTs and ENGINE configuration can be performed future +versions of OpenSSL will add new configuration options. + +There are several reasons why calling the OpenSSL configuration routines is +advisable. For example new ENGINE functionality was added to OpenSSL 0.9.7. +In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be +used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). +However very few applications currently support the control interface and so +very few can load and use dynamic ENGINEs. Equally in future more sophisticated +ENGINEs will require certain control operations to customize them. If an +application calls OPENSSL_config() it doesn't need to know or care about +ENGINE control operations because they can be performed by editing a +configuration file. + +=head1 RESTRICTIONS + +The OPENSSL_config() function is designed to be a very simple "call it and +forget it" function. As a result its behaviour is somewhat limited. It ignores +all errors silently and it can only load from the standard configuration file +location for example. + +It is however B better than nothing. Applications which need finer +control over the configuration functionality should use the configuration +functions such as CONF_load_modules() directly. + +=head1 RETURN VALUES + +Neither OPENSSL_config() nor OPENSSL_no_config() return a value. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +OPENSSL_config() and OPENSSL_no_config() first appeared in OpenSSL 0.9.7 + +=cut From f82bb9cb9c50a9b998143218a88d2a5b53b70be6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 2 Mar 2004 13:31:32 +0000 Subject: [PATCH 040/112] Config docs. --- doc/crypto/CONF_modules_free.pod | 47 ++++++++++++++++ doc/crypto/CONF_modules_load_file.pod | 60 +++++++++++++++++++++ doc/crypto/OPENSSL_config.pod | 13 +++-- doc/crypto/OPENSSL_load_builtin_modules.pod | 51 ++++++++++++++++++ 4 files changed, 167 insertions(+), 4 deletions(-) create mode 100644 doc/crypto/CONF_modules_free.pod create mode 100644 doc/crypto/CONF_modules_load_file.pod create mode 100644 doc/crypto/OPENSSL_load_builtin_modules.pod diff --git a/doc/crypto/CONF_modules_free.pod b/doc/crypto/CONF_modules_free.pod new file mode 100644 index 000000000..af8ae6a5c --- /dev/null +++ b/doc/crypto/CONF_modules_free.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + + CONF_modules_free, CONF_modules_load, CONF_modules_unload - + OpenSSL configuration cleanup functions + +=head1 SYNOPSIS + + #include + + void CONF_modules_free(void); + void CONF_modules_unload(int all); + void CONF_modules_finish(void); + +=head1 DESCRIPTION + +CONF_modules_free() closes down and frees up all memory allocated by all +configuration modules. + +CONF_modules_finish() calls each configuration modules B handler +to free up any configuration that module may have performed. + +CONF_modules_unload() finishes and unloads configuration modules. If +B is set to B<0> only modules loaded from DSOs will be unloads. If +B is B<1> all modules, including builtin modules will be unloaded. + +=head1 NOTES + +Normally applications will only call CONF_modules_free() at application to +tidy up any configuration performed. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +CONF_modules_free(), CONF_modules_unload(), and CONF_modules_finish() +first appeared in OpenSSL 0.9.7. + +=cut diff --git a/doc/crypto/CONF_modules_load_file.pod b/doc/crypto/CONF_modules_load_file.pod new file mode 100644 index 000000000..9965d69bf --- /dev/null +++ b/doc/crypto/CONF_modules_load_file.pod @@ -0,0 +1,60 @@ +=pod + +=head1 NAME + + CONF_modules_load_file, CONF_modules_load - OpenSSL configuration functions + +=head1 SYNOPSIS + + #include + + int CONF_modules_load_file(const char *filename, const char *appname, + unsigned long flags); + int CONF_modules_load(const CONF *cnf, const char *appname, + unsigned long flags); + +=head1 DESCRIPTION + +The function CONF_modules_load_file() configures OpenSSL using file +B and application name B. If B is NULL +the standard OpenSSL configuration file is used. If B is +NULL the standard OpenSSL application name B is used. +The behaviour can be cutomized using B. + +CONF_modules_load() is idential to CONF_modules_load_file() except it +read configuration information from B. + +=head1 NOTES + +The following B are currently recognized: + +B if set errors returned by individual +configuration modules are ignored. If not set the first module error is +considered fatal and no further modules are loads. + +Normally any modules errors will add error information to the error queue. If +B is set no error information is added. + +If B is set configuration module loading from DSOs is +disabled. + +B if set will make CONF_load_modules_file() +ignore missing configuration files. Normally a missing configuration file +return an error. + +=head1 RETURN VALUE + +These functions return 1 for success and a zero or negative value for +failure. If module errors are not ignored the return code will reflect the +return value of the failing module (this will always be zero or negative). + +=head1 SEE ALSO + +L, L, +L, L + +=head1 HISTORY + +CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7. + +=cut diff --git a/doc/crypto/OPENSSL_config.pod b/doc/crypto/OPENSSL_config.pod index 18da16f3c..16600620c 100644 --- a/doc/crypto/OPENSSL_config.pod +++ b/doc/crypto/OPENSSL_config.pod @@ -2,7 +2,7 @@ =head1 NAME -OPENSSL_config, OPENSSL_no_config - minimal OpenSSL configuration +OPENSSL_config, OPENSSL_no_config - simple OpenSSL configuration functions =head1 SYNOPSIS @@ -32,7 +32,8 @@ and some new functionality can be supported automatically. It is also possible to automatically call OPENSSL_config() when an application calls OPENSSL_add_all_algorithms() by compiling an application with the -preprocessor symbol B #define'd. +preprocessor symbol B #define'd. In this way configuration +can be added without source changes. The environment variable B can be set to specify the location of the configuration file. @@ -51,6 +52,9 @@ application calls OPENSSL_config() it doesn't need to know or care about ENGINE control operations because they can be performed by editing a configuration file. +Applications should free up configuration at application closedown by calling +CONF_modules_free(). + =head1 RESTRICTIONS The OPENSSL_config() function is designed to be a very simple "call it and @@ -59,7 +63,7 @@ all errors silently and it can only load from the standard configuration file location for example. It is however B better than nothing. Applications which need finer -control over the configuration functionality should use the configuration +control over their configuration functionality should use the configuration functions such as CONF_load_modules() directly. =head1 RETURN VALUES @@ -68,7 +72,8 @@ Neither OPENSSL_config() nor OPENSSL_no_config() return a value. =head1 SEE ALSO -L +L, L, +L =head1 HISTORY diff --git a/doc/crypto/OPENSSL_load_builtin_modules.pod b/doc/crypto/OPENSSL_load_builtin_modules.pod new file mode 100644 index 000000000..f14dfaf00 --- /dev/null +++ b/doc/crypto/OPENSSL_load_builtin_modules.pod @@ -0,0 +1,51 @@ +=pod + +=head1 NAME + +OPENSSL_load_builtin_modules - add standard configuration modules + +=head1 SYNOPSIS + + #include + + void OPENSSL_load_builtin_modules(void); + void ASN1_add_oid_module(void); + ENGINE_add_conf_module(); + +=head1 DESCRIPTION + +The function OPENSSL_load_builtin_modules() adds all the standard OpenSSL +configuration modules to the internal list. They can then be used by the +OpenSSL configuration code. + +ASN1_add_oid_module() adds just the ASN1 OBJECT module. + +ENGINE_add_conf_module() adds just the ENGINE configuration module. + +=head1 NOTES + +If the simple configuration function OPENSSL_config() is called then +OPENSSL_load_builtin_modules() is called automatically. + +Applications which use the configuration functions directly will need to +call OPENSSL_load_builtin_modules() themselves I any other +configuration code. + +Applications should call OPENSSL_load_builtin_modules() to load all +configuration modules instead of adding modules selectively: otherwise +functionality may be missing from the application if an when new +modules are added. + +=head1 RETURN VALUE + +None of the functions return a value. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +These functions first appeared in OpenSSL 0.9.7. + +=cut From ec7c9ee8b8715f60c5f1f315ce2f8a5022a01473 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 2 Mar 2004 13:39:23 +0000 Subject: [PATCH 041/112] Indent some of the code examples. --- FAQ | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/FAQ b/FAQ index ca5683def..bd40bcd24 100644 --- a/FAQ +++ b/FAQ @@ -646,26 +646,26 @@ built OpenSSL with /MD your application must use /MD and cannot use /MDd. * How do I read or write a DER encoded buffer using the ASN1 functions? You have two options. You can either use a memory BIO in conjunction -with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the -i2d_XXX(), d2i_XXX() functions directly. Since these are often the +with the i2d_*_bio() or d2i_*_bio() functions or you can use the +i2d_*(), d2i_*() functions directly. Since these are often the cause of grief here are some code fragments using PKCS7 as an example: -unsigned char *buf, *p; -int len; + unsigned char *buf, *p; + int len; -len = i2d_PKCS7(p7, NULL); -buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ -p = buf; -i2d_PKCS7(p7, &p); + len = i2d_PKCS7(p7, NULL); + buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ + p = buf; + i2d_PKCS7(p7, &p); At this point buf contains the len bytes of the DER encoding of p7. The opposite assumes we already have len bytes in buf: -unsigned char *p; -p = buf; -p7 = d2i_PKCS7(NULL, &p, len); + unsigned char *p; + p = buf; + p7 = d2i_PKCS7(NULL, &p, len); At this point p7 contains a valid PKCS7 structure of NULL if an error occurred. If an error occurred ERR_print_errors(bio) should give more From d9f40bbe558f6ec212361aad036d3444821e84ed Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 4 Mar 2004 07:47:40 +0000 Subject: [PATCH 042/112] Make our page with pointers to binary distributions visible in the FAQ --- FAQ | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/FAQ b/FAQ index bd40bcd24..25e101adb 100644 --- a/FAQ +++ b/FAQ @@ -116,11 +116,14 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? +You can finder pointers to binary distributions in +http://www.openssl.org/related/binaries.html . + Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL yourself; the application will include the required parts (e.g. DLLs). -If you want to install OpenSSL on a Windows system and you don't have +If you want to build OpenSSL on a Windows system and you don't have a C compiler, read the "Mingw32" section of INSTALL.W32 for information on how to obtain and install the free GNU C compiler. From 91180d45f9d92a089080dfef5363edb74d9b741b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 4 Mar 2004 21:44:39 +0000 Subject: [PATCH 043/112] Typos. Reported by: Jose Castejon-Amenedo --- crypto/ocsp/ocsp_vfy.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 1f5fda7ca..3d58dfb06 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -3,7 +3,7 @@ * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) for (i = 1; i < idcount; i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; /* Check to see if IDs match */ if (OCSP_id_issuer_cmp(cid, tmpid)) { @@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, OCSP_CERTID *tmpid; for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { - tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; + tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; ret = ocsp_match_issuerid(cert, tmpid, NULL); if (ret <= 0) return ret; } From bc501570109e7837e1de1689de1eec9420e4cf89 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 5 Mar 2004 17:16:35 +0000 Subject: [PATCH 044/112] Various X509 fixes. Disable broken certificate workarounds when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in CRL issuer certificates. Reject CRLs with unhandled (any) critical extensions. --- CHANGES | 8 ++++++ crypto/x509/x509_txt.c | 6 +++++ crypto/x509/x509_vfy.c | 55 +++++++++++++++++++++++++++++++++++------ crypto/x509/x509_vfy.h | 19 ++++++++++---- crypto/x509v3/v3_purp.c | 5 ++-- 5 files changed, 79 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index bea8e7683..19803f293 100644 --- a/CHANGES +++ b/CHANGES @@ -617,6 +617,14 @@ Changes between 0.9.7c and 0.9.7d [xx XXX XXXX] + *) X509 verify fixes. Disable broken certificate workarounds when + X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if + keyUsage extension present. Don't accept CRLs with unhandled critical + extensions: since verify currently doesn't process CRL extensions this + rejects a CRL with *any* critical extensions. Add new verify error codes + for these cases. + [Steve Henson] + *) When creating an OCSP nonce use an OCTET STRING inside the extnValue. A clarification of RFC2560 will require the use of OCTET STRINGs and some implementations cannot handle the current raw format. Since OpenSSL diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 5a945a70f..e31ebc674 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -147,6 +147,12 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: return("unhandled critical extension"); + case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: + return("key usage does not include CRL signing"); + + case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: + return("unhandled critical CRL extension"); + default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2bb21b443..2e4d0b823 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) /* Check all untrusted certificates */ for (i = 0; i < ctx->last_untrusted; i++) { + int ret; x = sk_X509_value(ctx->chain, i); if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) && (x->ex_flags & EXFLAG_CRITICAL)) @@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx) ok=cb(0,ctx); if (!ok) goto end; } - if (!X509_check_purpose(x, ctx->purpose, i)) + ret = X509_check_purpose(x, ctx->purpose, i); + if ((ret == 0) + || ((ctx->flags & X509_V_FLAG_X509_STRICT) + && (ret != 1))) { if (i) ctx->error = X509_V_ERR_INVALID_CA; @@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if(issuer) { + /* Check for cRLSign bit if keyUsage present */ + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & KU_CRL_SIGN)) + { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + ok = ctx->verify_cb(0, ctx); + if(!ok) goto err; + } /* Attempt to get issuer certificate public key */ ikey = X509_get_pubkey(issuer); @@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { int idx, ok; X509_REVOKED rtmp; + STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSION *ext; /* Look for serial number of certificate in CRL */ rtmp.serialNumber = X509_get_serialNumber(x); idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp); - /* Not found: OK */ - if(idx == -1) return 1; - /* Otherwise revoked: want something cleverer than + /* If found assume revoked: want something cleverer than * this to handle entry extensions in V2 CRLs. */ - ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - return ok; + if(idx >= 0) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ok = ctx->verify_cb(0, ctx); + if (!ok) return 0; + } + + if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL) + return 1; + + /* See if we have any critical CRL extensions: since we + * currently don't handle any CRL extensions the CRL must be + * rejected. + * This code accesses the X509_CRL structure directly: applications + * shouldn't do this. + */ + + exts = crl->crl->extensions; + + for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) + { + ext = sk_X509_EXTENSION_value(exts, idx); + if (ext->critical > 0) + { + ctx->error = + X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; + ok = ctx->verify_cb(0, ctx); + if(!ok) return 0; + break; + } + } + return 1; } static int internal_verify(X509_STORE_CTX *ctx) diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 3a0ccbe48..7e24ded81 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -305,17 +305,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 #define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 /* Certificate verify flags */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */ -#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */ -#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */ -#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */ +/* Send issuer+subject checks to verify_cb */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Use check time instead of current time */ +#define X509_V_FLAG_USE_CHECK_TIME 0x2 +/* Lookup CRLs */ +#define X509_V_FLAG_CRL_CHECK 0x4 +/* Lookup CRLs for whole chain */ +#define X509_V_FLAG_CRL_CHECK_ALL 0x8 +/* Ignore unhandled critical extensions */ +#define X509_V_FLAG_IGNORE_CRITICAL 0x10 +/* Disable workarounds for broken certificates */ +#define X509_V_FLAG_X509_STRICT 0x20 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b1a6d2632..67596862a 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -415,6 +415,7 @@ static void x509v3_cache_extensions(X509 *x) * 1 is a CA * 2 basicConstraints absent so "maybe" a CA * 3 basicConstraints absent but self signed V1. + * 4 basicConstraints absent but keyUsage present and keyCertSign asserted. */ #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) @@ -436,7 +437,7 @@ static int ca_check(const X509 *x) } else { if((x->ex_flags & V1_ROOT) == V1_ROOT) return 3; /* If key usage present it must have certSign so tolerate it */ - else if (x->ex_flags & EXFLAG_KUSAGE) return 3; + else if (x->ex_flags & EXFLAG_KUSAGE) return 4; else return 2; } } From 216ad9ef58853e30b005446d26326a99bfb2fea5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 5 Mar 2004 23:39:42 +0000 Subject: [PATCH 045/112] Memory leak fix. --- crypto/pem/pem_lib.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index e921cc4c1..7a383f3df 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -537,7 +537,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, long len) { int nlen,n,i,j,outl; - unsigned char *buf; + unsigned char *buf = NULL; EVP_ENCODE_CTX ctx; int reason=ERR_R_BUF_LIB; @@ -557,7 +557,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; } - buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8); + buf = OPENSSL_malloc(PEM_BUFSIZE*8); if (buf == NULL) { reason=ERR_R_MALLOC_FAILURE; @@ -578,12 +578,15 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; OPENSSL_free(buf); + buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || (BIO_write(bp,name,nlen) != nlen) || (BIO_write(bp,"-----\n",6) != 6)) goto err; return(i+outl); err: + if (buf) + OPENSSL_free(buf); PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } From 3f39976da3124dde862eada02af948b1d8567933 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 5 Mar 2004 23:46:29 +0000 Subject: [PATCH 046/112] Call autoconfig code in pkcs7 utility. --- apps/pkcs7.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 6c58c67eb..da4dbe7a0 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -102,6 +102,9 @@ int MAIN(int argc, char **argv) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); + if (!load_config(bio_err, NULL)) + goto end; + infile=NULL; outfile=NULL; informat=FORMAT_PEM; From 5fa5eb71a4eb1e015228327eeae415e129ef2faf Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 5 Mar 2004 23:47:56 +0000 Subject: [PATCH 047/112] Cleanup ASN1 OID module when it exits. --- crypto/asn1/asn_moid.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index be20db4ba..edb44c988 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) } } return 1; -} + } + +static void oid_module_finish(CONF_IMODULE *md) + { + OBJ_cleanup(); + } void ASN1_add_oid_module(void) { - CONF_module_add("oid_section", oid_module_init, 0); + CONF_module_add("oid_section", oid_module_init, oid_module_finish); } From 2457c19df127456db2af099ae86f68e0b4fdbacf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulf=20M=C3=B6ller?= Date: Sat, 6 Mar 2004 08:43:36 +0000 Subject: [PATCH 048/112] typo --- doc/crypto/BN_new.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod index 3033789c5..ab7a105e3 100644 --- a/doc/crypto/BN_new.pod +++ b/doc/crypto/BN_new.pod @@ -20,7 +20,7 @@ BN_new, BN_init, BN_clear, BN_free, BN_clear_free - allocate and free BIGNUMs =head1 DESCRIPTION -BN_new() allocated and initializes a B structure. BN_init() +BN_new() allocates and initializes a B structure. BN_init() initializes an existing uninitialized B. BN_clear() is used to destroy sensitive data such as keys when they From edec614efddb8dc275f5537a8af98e2a1cac91b5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 8 Mar 2004 13:56:31 +0000 Subject: [PATCH 049/112] Support for inhibitAnyPolicy extension. --- CHANGES | 3 +++ crypto/objects/obj_dat.h | 16 +++++++++++----- crypto/objects/obj_mac.h | 5 +++++ crypto/objects/obj_mac.num | 1 + crypto/objects/objects.txt | 2 ++ crypto/x509v3/ext_dat.h | 7 ++++--- crypto/x509v3/v3_int.c | 25 +++++++++++++++++++------ 7 files changed, 45 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index 19803f293..22449a3ac 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Support for inhibitAnyPolicy certificate extension. + [Steve Henson] + *) An audit of the BIGNUM code is underway, for which debugging code is enabled when BN_DEBUG is defined. This makes stricter enforcements on what is considered valid when processing BIGNUMs, and causes execution to diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 7889f2c9c..10781b79c 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 736 -#define NUM_SN 731 -#define NUM_LN 731 -#define NUM_OBJ 693 +#define NUM_NID 737 +#define NUM_SN 732 +#define NUM_LN 732 +#define NUM_OBJ 694 -static unsigned char lvalues[4882]={ +static unsigned char lvalues[4885]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -761,6 +761,7 @@ static unsigned char lvalues[4882]={ 0x00, /* [4878] OBJ_itu_t */ 0x50, /* [4879] OBJ_joint_iso_itu_t */ 0x67, /* [4880] OBJ_international_organizations */ +0x55,0x1D,0x36, /* [4881] OBJ_inhibit_any_policy */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1906,6 +1907,8 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL}, {"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL}, {"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL}, +{"inhibitAnyPolicy","X509v3 Inhibit Any Policy", + NID_inhibit_any_policy,3,&(lvalues[4881]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2323,6 +2326,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[249]),/* "id-smime-spq-ets-sqt-uri" */ &(nid_objs[527]),/* "identified-organization" */ &(nid_objs[461]),/* "info" */ +&(nid_objs[736]),/* "inhibitAnyPolicy" */ &(nid_objs[101]),/* "initials" */ &(nid_objs[723]),/* "international-organizations" */ &(nid_objs[142]),/* "invalidityDate" */ @@ -2736,6 +2740,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[89]),/* "X509v3 Certificate Policies" */ &(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ +&(nid_objs[736]),/* "X509v3 Inhibit Any Policy" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ &(nid_objs[720]),/* "X509v3 Name Constraints" */ @@ -3436,6 +3441,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */ &(nid_objs[401]),/* OBJ_policy_constraints 2 5 29 36 */ &(nid_objs[126]),/* OBJ_ext_key_usage 2 5 29 37 */ +&(nid_objs[736]),/* OBJ_inhibit_any_policy 2 5 29 54 */ &(nid_objs[402]),/* OBJ_target_information 2 5 29 55 */ &(nid_objs[403]),/* OBJ_no_rev_avail 2 5 29 56 */ &(nid_objs[577]),/* OBJ_set_ctype 2 23 42 0 */ diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index f04ff9be4..0e20e94a8 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -2082,6 +2082,11 @@ #define NID_ext_key_usage 126 #define OBJ_ext_key_usage OBJ_id_ce,37L +#define SN_inhibit_any_policy "inhibitAnyPolicy" +#define LN_inhibit_any_policy "X509v3 Inhibit Any Policy" +#define NID_inhibit_any_policy 736 +#define OBJ_inhibit_any_policy OBJ_id_ce,54L + #define SN_target_information "targetInformation" #define LN_target_information "X509v3 AC Targeting" #define NID_target_information 402 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 65ecec0fb..683381145 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -733,3 +733,4 @@ des_cfb1 732 des_cfb8 733 des_ede3_cfb1 734 des_ede3_cfb8 735 +inhibit_any_policy 736 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index ae78c0dfb..18a2334d9 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -679,6 +679,8 @@ id-ce 35 : authorityKeyIdentifier : X509v3 Authority Key Identifier id-ce 36 : policyConstraints : X509v3 Policy Constraints !Cname ext-key-usage id-ce 37 : extendedKeyUsage : X509v3 Extended Key Usage +!Cname inhibit-any-policy +id-ce 54 : inhibitAnyPolicy : X509v3 Inhibit Any Policy !Cname target-information id-ce 55 : targetInformation : X509v3 AC Targeting !Cname no-rev-avail diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 0879ae5dd..bf693698b 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -65,7 +65,7 @@ extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern X509V3_EXT_METHOD v3_name_constraints; +extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -111,7 +111,8 @@ static X509V3_EXT_METHOD *standard_exts[] = { &v3_crl_hold, #endif &v3_policy_mappings, -&v3_name_constraints +&v3_name_constraints, +&v3_inhibit_anyp }; /* Number of standard extensions */ diff --git a/crypto/x509v3/v3_int.c b/crypto/x509v3/v3_int.c index f34cbfb73..a352f68a9 100644 --- a/crypto/x509v3/v3_int.c +++ b/crypto/x509v3/v3_int.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -61,9 +61,22 @@ #include X509V3_EXT_METHOD v3_crl_num = { -NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), -0,0,0,0, -(X509V3_EXT_I2S)i2s_ASN1_INTEGER, -0, -0,0,0,0, NULL}; + NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), + 0,0,0,0, + (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + 0, + 0,0,0,0, NULL}; + +void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) + { + return s2i_ASN1_INTEGER(meth, value); + } + +X509V3_EXT_METHOD v3_inhibit_anyp = { + NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER), + 0,0,0,0, + (X509V3_EXT_I2S)i2s_ASN1_INTEGER, + (X509V3_EXT_S2I)s2i_asn1_int, + 0,0,0,0, NULL}; + From a4e3150f00c379a2922180c77eb622ccabfeebd8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 8 Mar 2004 18:15:32 +0000 Subject: [PATCH 050/112] Fix policy constraints syntax. --- crypto/x509v3/v3_pcons.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c index 10d2120c3..91ae862ed 100644 --- a/crypto/x509v3/v3_pcons.c +++ b/crypto/x509v3/v3_pcons.c @@ -81,8 +81,8 @@ NULL }; ASN1_SEQUENCE(POLICY_CONSTRAINTS) = { - ASN1_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER), - ASN1_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER) + ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER,0), + ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER,1) } ASN1_SEQUENCE_END(POLICY_CONSTRAINTS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) From e7716b7a197d551a22dfdb4df6021db8e92bae5d Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Tue, 9 Mar 2004 03:47:35 +0000 Subject: [PATCH 051/112] More changes coming out of the bignum auditing. BN_CTX_get() should ideally return a "zero" bignum as BN_new() does - so reset 'top'. During BN_CTX_end(), released bignums should be consistent so enforce this in debug builds. Also, reduce the number of wasted BN_clear_free() calls from BN_CTX_end() (typically by 75% or so). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Submitted by: Nils Larsch Reviewed by: Geoff Thorpe, Ulf Möller --- crypto/bn/bn_ctx.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 7b5be7c43..9366ce6d7 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -123,7 +123,8 @@ void BN_CTX_free(BN_CTX *ctx) for (i=0; i < BN_CTX_NUM; i++) { bn_check_top(&(ctx->bn[i])); - BN_clear_free(&(ctx->bn[i])); + if (ctx->bn[i].d) + BN_clear_free(&(ctx->bn[i])); } if (ctx->flags & BN_FLG_MALLOCED) OPENSSL_free(ctx); @@ -154,7 +155,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } return NULL; } - bn_check_top(&(ctx->bn[ctx->tos])); + /* always return a 'zeroed' bignum */ + ctx->bn[ctx->tos].top = 0; return (&(ctx->bn[ctx->tos++])); } @@ -170,19 +172,11 @@ void BN_CTX_end(BN_CTX *ctx) ctx->too_many = 0; ctx->depth--; - /* It appears some "scrapbook" uses of BN_CTX result in BIGNUMs being - * left in an inconsistent state when they are released (eg. BN_div). - * These can trip us up when they get reused, so the safest fix is to - * make sure the BIGNUMs are made sane when the context usage is - * releasing them. */ if (ctx->depth < BN_CTX_NUM_POS) -#if 0 +#ifndef BN_DEBUG ctx->tos = ctx->pos[ctx->depth]; #else - { while(ctx->tos > ctx->pos[ctx->depth]) - /* This ensures the BIGNUM is sane(r) for reuse. */ - ctx->bn[--(ctx->tos)].top = 0; - } + bn_check_top(&ctx->bn[--(ctx->tos)]); #endif } From a8aa764d3c96eb65b22863cdc5f6ab08d92dd355 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Tue, 9 Mar 2004 03:53:40 +0000 Subject: [PATCH 052/112] Minimise the amount of code dependent on BN_DEBUG_RAND. In particular, redefine bn_clear_top2max() to be a NOP in the non-debugging case, and remove some unnecessary usages in bn_nist.c. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Submitted by: Nils Larsch Reviewed by: Geoff Thorpe, Ulf Möller --- crypto/bn/bn_div.c | 6 +----- crypto/bn/bn_lcl.h | 5 ++++- crypto/bn/bn_nist.c | 17 ----------------- 3 files changed, 5 insertions(+), 23 deletions(-) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 2f464b31d..556fcda1e 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -232,10 +232,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; -#ifdef BN_DEBUG_RAND /* only needed when BN_ucmp messes up the values between top and max */ wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */ -#endif /* Get the top 2 words of sdiv */ /* div_n=sdiv->top; */ @@ -256,12 +254,10 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, if (BN_ucmp(&wnum,sdiv) >= 0) { -#ifdef BN_DEBUG_RAND /* If BN_DEBUG_RAND is defined BN_ucmp changes (via * bn_pollute) the const bignum arguments => * clean the values between top and max again */ bn_clear_top2max(&wnum); -#endif bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n); *resp=1; } @@ -384,13 +380,13 @@ X) -> 0x%08X\n", /* store part of the result */ *resp = q; } + bn_correct_top(snum); if (rm != NULL) { /* Keep a copy of the neg flag in num because if rm==num * BN_rshift() will overwrite it. */ int neg = num->neg; - bn_correct_top(snum); BN_rshift(rm,snum,norm_shift); if (!BN_is_zero(rm)) rm->neg = neg; diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index 18960f191..45e19221a 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -240,7 +240,7 @@ extern "C" { #define Lw(t) (((BN_ULONG)(t))&BN_MASK2) #define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2) - +#ifdef BN_DEBUG_RAND #define bn_clear_top2max(a) \ { \ int ind = (a)->dmax - (a)->top; \ @@ -248,6 +248,9 @@ extern "C" { for (; ind != 0; ind--) \ *(++ftl) = 0x0; \ } +#else +#define bn_clear_top2max(a) +#endif #ifdef BN_LLONG #define mul_add(r,a,w,c) { \ diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index f30f6c65d..a29503be2 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -359,12 +359,7 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, --carry; } r->top = BN_NIST_192_TOP; - -#if 1 - bn_clear_top2max(r); -#endif bn_correct_top(r); - if (BN_ucmp(r, field) >= 0) { bn_sub_words(r_d, r_d, _nist_p_192, BN_NIST_192_TOP); @@ -453,11 +448,7 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, } r->top = BN_NIST_224_TOP; -#if 1 - bn_clear_top2max(r); -#endif bn_correct_top(r); - if (BN_ucmp(r, field) >= 0) { bn_sub_words(r_d, r_d, _nist_p_224, BN_NIST_224_TOP); @@ -612,11 +603,7 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, } r->top = BN_NIST_256_TOP; -#if 1 - bn_clear_top2max(r); -#endif bn_correct_top(r); - if (BN_ucmp(r, field) >= 0) { bn_sub_words(r_d, r_d, _nist_p_256, BN_NIST_256_TOP); @@ -781,11 +768,7 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, } r->top = BN_NIST_384_TOP; -#if 1 - bn_clear_top2max(r); -#endif bn_correct_top(r); - if (BN_ucmp(r, field) >= 0) { bn_sub_words(r_d, r_d, _nist_p_384, BN_NIST_384_TOP); From 93825dddad499c925acbd3e1f20feb8ad999caa1 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Wed, 10 Mar 2004 01:20:26 +0000 Subject: [PATCH 053/112] static --- crypto/x509v3/v3_int.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/x509v3/v3_int.c b/crypto/x509v3/v3_int.c index a352f68a9..fd6bebbb7 100644 --- a/crypto/x509v3/v3_int.c +++ b/crypto/x509v3/v3_int.c @@ -67,7 +67,7 @@ X509V3_EXT_METHOD v3_crl_num = { 0, 0,0,0,0, NULL}; -void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) +static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value) { return s2i_ASN1_INTEGER(meth, value); } From 30fbcaa213866426c9f6b9dad01b9885ab760e31 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Fri, 12 Mar 2004 21:52:54 +0000 Subject: [PATCH 054/112] IRIX 6.x shared build fix-up. For reference. Note that both cc and gcc support -Wl flag, but we can't use -Wl,-[not]all with both drivers, because cc rearranges options passed through -Wl. We can't use -Wl,-all,libcrypto.a,-notall with cc either, because it refuses to start with "no input" error. --- Configure | 10 +++++----- Makefile.shared | 12 ++++++++---- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/Configure b/Configure index 02915fb74..0b9766f95 100755 --- a/Configure +++ b/Configure @@ -216,13 +216,13 @@ my %table=( "irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### IRIX 6.x configs # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke -# './Configure irix-[g]cc' manually. +# './Configure irix-cc -o32' manually. # -mips4 flag is added by ./config when appropriate. -"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # N64 ABI builds. -"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Unified HP-UX ANSI C configs. # Special notes: diff --git a/Makefile.shared b/Makefile.shared index aee364bea..d0ff69c83 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -548,8 +548,10 @@ link_o.irix: SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ LIBDEPS="$(LIBDEPS) -lc"; \ - ALLSYMSFLAGS='-all'; \ - NOALLSYMSFLAGS=''; \ + MINUSWL=""; \ + ($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \ + ALLSYMSFLAGS="$${MINUSWL}-all"; \ + NOALLSYMSFLAGS="$${MINUSWL}-notall"; \ SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ @@ -562,8 +564,10 @@ link_a.irix: SHLIB=lib$(LIBNAME).so; \ SHLIB_SUFFIX=; \ LIBDEPS="$(LIBDEPS) -lc"; \ - ALLSYMSFLAGS='-all'; \ - NOALLSYMSFLAGS=''; \ + MINUSWL=""; \ + ($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \ + ALLSYMSFLAGS="$${MINUSWL}-all"; \ + NOALLSYMSFLAGS="$${MINUSWL}-notall"; \ SHAREDFLAGS="-shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \ SHAREDCMD='$(CC)'; \ fi; \ From 9e051bac139ce07f846d88b90f3ec514c39ea416 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Sat, 13 Mar 2004 22:10:15 +0000 Subject: [PATCH 055/112] Document a change I'd already made, and at the same time, correct the change to work properly; BN_zero() should set 'neg' to zero as well as 'top' to match the behaviour of BN_new(). --- CHANGES | 6 +++++- crypto/bn/bn_ctx.c | 6 ++++-- crypto/bn/bn_div.c | 1 - 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/CHANGES b/CHANGES index 22449a3ac..e675c9030 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) BN_CTX_get() should return zero-valued bignums, providing the same + initialised value as BN_new(). + [Geoff Thorpe, suggested by Ulf Möller] + *) Support for inhibitAnyPolicy certificate extension. [Steve Henson] @@ -21,7 +25,7 @@ some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details. - [Geoff Thorpe] + [Geoff Thorpe, Nils Larsch, Ulf Möller] *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 9366ce6d7..f48055b26 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -140,6 +140,7 @@ void BN_CTX_start(BN_CTX *ctx) BIGNUM *BN_CTX_get(BN_CTX *ctx) { + BIGNUM *ret; /* Note: If BN_CTX_get is ever changed to allocate BIGNUMs dynamically, * make sure that if BN_CTX_get fails once it will return NULL again * until BN_CTX_end is called. (This is so that callers have to check @@ -155,9 +156,10 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) } return NULL; } + ret = ctx->bn + (ctx->tos++); /* always return a 'zeroed' bignum */ - ctx->bn[ctx->tos].top = 0; - return (&(ctx->bn[ctx->tos++])); + BN_zero(ret); + return ret; } void BN_CTX_end(BN_CTX *ctx) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 556fcda1e..3b4392955 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -214,7 +214,6 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, res=BN_CTX_get(ctx); else res=dv; if (sdiv == NULL || res == NULL) goto err; - tmp->neg=0; /* First we normalise the numbers */ norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2); From 5d735465d1b5b7853506979946ad5730cc3615bb Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Sat, 13 Mar 2004 23:04:15 +0000 Subject: [PATCH 056/112] The efforts to eliminate the dual-representation of zero and to ensure bignums are passed in and out of functions and APIs in a consistent form has highlighted that zero-valued bignums don't need any allocated word data. The use of BN_set_word() to initialise a bignum to zero causes needless allocation and gives it a return value that must be checked. This change converts BN_zero() to a self-contained macro that has no return/expression value and does not cause any expansion of bignum data. Note, it would be tempting to rewrite the deprecated version as a success-valued comma expression, such as; #define BN_zero(a) ((a)->top = (a)->neg = 0, 1) However, this evaluates 'a' twice and would confuse initialisation loops (eg. while(..) { BN_zero(bn++) } ). As such, the deprecated version continues to use BN_set_word(). --- crypto/bn/bn.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index f58d5f55a..a01f193da 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -372,7 +372,17 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b); #define BN_is_odd(a) (((a)->top > 0) && ((a)->d[0] & 1)) #define BN_one(a) (BN_set_word((a),1)) +#define BN_zero_ex(a) \ + do { \ + BIGNUM *_tmp_bn = (a); \ + _tmp_bn->top = 0; \ + _tmp_bn->neg = 0; \ + } while(0) +#ifdef OPENSSL_NO_DEPRECATED +#define BN_zero(a) BN_zero_ex(a) +#else #define BN_zero(a) (BN_set_word((a),0)) +#endif /* BN_set_sign(BIGNUM *, int) sets the sign of a BIGNUM * (0 for a non-negative value, 1 for negative) */ #define BN_set_sign(a,b) ((a)->neg = (b)) From b6358c89a10128692875fb92921b663c4d079a1e Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Sat, 13 Mar 2004 23:57:20 +0000 Subject: [PATCH 057/112] Convert openssl code not to assume the deprecated form of BN_zero(). Remove certain redundant BN_zero() initialisations, because BN_CTX_get(), BN_init(), [etc] already initialise to zero. Correct error checking in bn_sqr.c, and be less wishy-wash about how/why the result's 'top' value is set (note also, 'max' is always > 0 at this point). --- CHANGES | 6 ++++++ crypto/bn/bn_exp.c | 12 ++++++++---- crypto/bn/bn_exp2.c | 6 ++++-- crypto/bn/bn_gf2m.c | 23 +++++++++++++++-------- crypto/bn/bn_mont.c | 6 +++--- crypto/bn/bn_mul.c | 4 ++-- crypto/bn/bn_nist.c | 20 ++++++++++++++++---- crypto/bn/bn_rand.c | 4 +--- crypto/bn/bn_recp.c | 5 ++--- crypto/bn/bn_sqr.c | 17 +++++++++++------ crypto/bn/bn_sqrt.c | 4 ++-- crypto/ec/ec2_mult.c | 4 ++-- crypto/ec/ec2_smpl.c | 3 ++- crypto/ec/ec_lib.c | 4 ++-- crypto/ec/ecp_smpl.c | 7 ++++--- 15 files changed, 80 insertions(+), 45 deletions(-) diff --git a/CHANGES b/CHANGES index e675c9030..a8866ad9a 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, + and this should never fail. So the return value from the use of + BN_set_word() (which can fail due to needless expansion) is now deprecated; + if OPENSSL_NO_DEPRECATED is defined, BN_zero() is a void macro. + [Geoff Thorpe] + *) BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new(). [Geoff Thorpe, suggested by Ulf Möller] diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index aef77cb79..c11e5afd3 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -266,7 +266,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err; /* 1 */ if (BN_is_zero(&(val[0]))) { - ret = BN_zero(r); + BN_zero(r); + ret = 1; goto err; } @@ -409,7 +410,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, aa=a; if (BN_is_zero(aa)) { - ret = BN_zero(rr); + BN_zero(rr); + ret = 1; goto err; } if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */ @@ -541,7 +543,8 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, } if (a == 0) { - ret = BN_zero(rr); + BN_zero(rr); + ret = 1; return ret; } @@ -666,7 +669,8 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err; /* 1 */ if (BN_is_zero(&(val[0]))) { - ret = BN_zero(r); + BN_zero(r); + ret = 1; goto err; } diff --git a/crypto/bn/bn_exp2.c b/crypto/bn/bn_exp2.c index 979ceeffc..1223c678c 100644 --- a/crypto/bn/bn_exp2.c +++ b/crypto/bn/bn_exp2.c @@ -179,7 +179,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, a_mod_m = a1; if (BN_is_zero(a_mod_m)) { - ret = BN_zero(rr); + BN_zero(rr); + ret = 1; goto err; } @@ -214,7 +215,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, a_mod_m = a2; if (BN_is_zero(a_mod_m)) { - ret = BN_zero(rr); + BN_zero(rr); + ret = 1; goto err; } if (!BN_to_montgomery(&(val2[0]),a_mod_m,mont,ctx)) goto err; diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c index 30520eede..17513b116 100644 --- a/crypto/bn/bn_gf2m.c +++ b/crypto/bn/bn_gf2m.c @@ -329,8 +329,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[]) bn_check_top(a); if (!p[0]) + { /* reduction mod 1 => return 0 */ - return BN_zero(r); + BN_zero(r); + return 1; + } /* Since the algorithm does reduction in the r value, if a != r, copy * the contents of a into r so we can do reduction in r. @@ -590,7 +593,6 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) if (v == NULL) goto err; if (!BN_one(b)) goto err; - if (!BN_zero(c)) goto err; if (!BN_GF2m_mod(u, a, p)) goto err; if (!BN_copy(v, p)) goto err; @@ -709,7 +711,6 @@ int BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p if (!BN_GF2m_mod(u, y, p)) goto err; if (!BN_GF2m_mod(a, x, p)) goto err; if (!BN_copy(b, p)) goto err; - if (!BN_zero(v)) goto err; while (!BN_is_odd(a)) { @@ -865,13 +866,15 @@ int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[], BN_ bn_check_top(a); if (!p[0]) + { /* reduction mod 1 => return 0 */ - return BN_zero(r); + BN_zero(r); + return 1; + } BN_CTX_start(ctx); if ((u = BN_CTX_get(ctx)) == NULL) goto err; - if (!BN_zero(u)) goto err; if (!BN_set_bit(u, p[0] - 1)) goto err; ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx); bn_check_top(r); @@ -921,8 +924,11 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p bn_check_top(a_); if (!p[0]) + { /* reduction mod 1 => return 0 */ - return BN_zero(r); + BN_zero(r); + return 1; + } BN_CTX_start(ctx); a = BN_CTX_get(ctx); @@ -934,7 +940,8 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p if (BN_is_zero(a)) { - ret = BN_zero(r); + BN_zero(r); + ret = 1; goto err; } @@ -960,7 +967,7 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const unsigned int p { if (!BN_rand(rho, p[0], 0, 0)) goto err; if (!BN_GF2m_mod_arr(rho, rho, p)) goto err; - if (!BN_zero(z)) goto err; + BN_zero(z); if (!BN_copy(w, rho)) goto err; for (j = 1; j <= p[0] - 1; j++) { diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index 22d23cc3d..14650ab9d 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -284,7 +284,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) BN_ULONG buf[2]; mont->ri=(BN_num_bits(mod)+(BN_BITS2-1))/BN_BITS2*BN_BITS2; - if (!(BN_zero(R))) goto err; + BN_zero(R); if (!(BN_set_bit(R,BN_BITS2))) goto err; /* R */ buf[0]=mod->d[0]; /* tmod = N mod word size */ @@ -314,7 +314,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) #else /* !MONT_WORD */ { /* bignum version */ mont->ri=BN_num_bits(&mont->N); - if (!BN_zero(R)) goto err; + BN_zero(R); if (!BN_set_bit(R,mont->ri)) goto err; /* R = 2^ri */ /* Ri = R^-1 mod N*/ if ((BN_mod_inverse(&Ri,R,&mont->N,ctx)) == NULL) @@ -328,7 +328,7 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) #endif /* setup RR for conversions */ - if (!BN_zero(&(mont->RR))) goto err; + BN_zero(&(mont->RR)); if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err; if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err; diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index 5a92f9a33..aec1eafc6 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c @@ -964,7 +964,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) if ((al == 0) || (bl == 0)) { - if (!BN_zero(r)) goto err; + BN_zero(r); return(1); } top=al+bl; @@ -1094,8 +1094,8 @@ end: if (r != rr) BN_copy(r,rr); ret=1; err: - BN_CTX_end(ctx); bn_check_top(r); + BN_CTX_end(ctx); return(ret); } diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c index a29503be2..bbe2cbe74 100644 --- a/crypto/bn/bn_nist.c +++ b/crypto/bn/bn_nist.c @@ -319,7 +319,10 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, top = BN_ucmp(field, a); if (top == 0) - return BN_zero(r); + { + BN_zero(r); + return 1; + } else if (top > 0) return (r == a)? 1 : (BN_copy(r ,a) != NULL); @@ -394,7 +397,10 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, tmp_int = BN_ucmp(field, a); if (tmp_int == 0) - return BN_zero(r); + { + BN_zero(r); + return 1; + } else if (tmp_int > 0) return (r == a)? 1 : (BN_copy(r ,a) != NULL); @@ -514,7 +520,10 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, tmp_int = BN_ucmp(field, a); if (tmp_int == 0) - return BN_zero(r); + { + BN_zero(r); + return 1; + } else if (tmp_int > 0) return (r == a)? 1 : (BN_copy(r ,a) != NULL); @@ -672,7 +681,10 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, tmp_int = BN_ucmp(field, a); if (tmp_int == 0) - return BN_zero(r); + { + BN_zero(r); + return 1; + } else if (tmp_int > 0) return (r == a)? 1 : (BN_copy(r ,a) != NULL); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index de5a1f0c6..df45575f9 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -244,9 +244,7 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range) /* BN_is_bit_set(range, n - 1) always holds */ if (n == 1) - { - if (!BN_zero(r)) return 0; - } + BN_zero(r); else if (!BN_is_bit_set(range, n - 2) && !BN_is_bit_set(range, n - 3)) { /* range = 100..._2, diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c index 411dd6089..05b845b2a 100644 --- a/crypto/bn/bn_recp.c +++ b/crypto/bn/bn_recp.c @@ -94,7 +94,7 @@ void BN_RECP_CTX_free(BN_RECP_CTX *recp) int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx) { if (!BN_copy(&(recp->N),d)) return 0; - if (!BN_zero(&(recp->Nr))) return 0; + BN_zero(&(recp->Nr)); recp->num_bits=BN_num_bits(d); recp->shift=0; return(1); @@ -148,7 +148,7 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, if (BN_ucmp(m,&(recp->N)) < 0) { - if (!BN_zero(d)) return 0; + BN_zero(d); if (!BN_copy(r,m)) return 0; BN_CTX_end(ctx); return(1); @@ -221,7 +221,6 @@ int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx) BN_init(&t); - if (!BN_zero(&t)) goto err; if (!BN_set_bit(&t,len)) goto err; if (!BN_div(r,NULL,&t,m,ctx)) goto err; diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c index ab678d1f3..8831daa39 100644 --- a/crypto/bn/bn_sqr.c +++ b/crypto/bn/bn_sqr.c @@ -77,15 +77,15 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) if (al <= 0) { r->top=0; - return(1); + return 1; } BN_CTX_start(ctx); rr=(a != r) ? r : BN_CTX_get(ctx); tmp=BN_CTX_get(ctx); - if (tmp == NULL) goto err; + if (!rr || !tmp) goto err; - max=(al+al); + max = 2 * al; /* Non-zero (from above) */ if (bn_wexpand(rr,max+1) == NULL) goto err; if (al == 4) @@ -138,14 +138,19 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) #endif } - rr->top=max; rr->neg=0; - if ((max > 0) && (rr->d[max-1] == 0)) rr->top--; + /* If the most-significant half of the top word of 'a' is zero, then + * the square of 'a' will max-1 words. */ + if(a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) + rr->top = max - 1; + else + rr->top = max; if (rr != r) BN_copy(r,rr); ret = 1; err: + if(rr) bn_check_top(rr); + if(tmp) bn_check_top(tmp); BN_CTX_end(ctx); - bn_check_top(r); return(ret); } diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c index 51902703e..924ee274d 100644 --- a/crypto/bn/bn_sqrt.c +++ b/crypto/bn/bn_sqrt.c @@ -288,7 +288,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) if (BN_is_zero(t)) { /* special case: a == 0 (mod p) */ - if (!BN_zero(ret)) goto end; + BN_zero(ret); err = 0; goto end; } @@ -301,7 +301,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) if (BN_is_zero(x)) { /* special case: a == 0 (mod p) */ - if (!BN_zero(ret)) goto end; + BN_zero(ret); err = 0; goto end; } diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c index a0ee7c152..a8ead01d6 100644 --- a/crypto/ec/ec2_mult.c +++ b/crypto/ec/ec2_mult.c @@ -155,8 +155,8 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG if (BN_is_zero(z1)) { - if (!BN_zero(x2)) return 0; - if (!BN_zero(z2)) return 0; + BN_zero(x2); + BN_zero(z2); return 1; } diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 89e815201..1132c8e5a 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -335,7 +335,8 @@ int ec_GF2m_simple_point_copy(EC_POINT *dest, const EC_POINT *src) int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { point->Z_is_one = 0; - return (BN_zero(&point->Z)); + BN_zero(&point->Z); + return 1; } diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index b3ef05659..ba5b821c9 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -299,12 +299,12 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIG if (order != NULL) { if (!BN_copy(&group->order, order)) return 0; } else - { if (!BN_zero(&group->order)) return 0; } + BN_zero(&group->order); if (cofactor != NULL) { if (!BN_copy(&group->cofactor, cofactor)) return 0; } else - { if (!BN_zero(&group->cofactor)) return 0; } + BN_zero(&group->cofactor); return 1; } diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 1abe831a3..de90f90aa 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -385,7 +385,8 @@ int ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { point->Z_is_one = 0; - return (BN_zero(&point->Z)); + BN_zero(&point->Z); + return 1; } @@ -1093,7 +1094,7 @@ int ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, con else { /* a is the inverse of b */ - if (!BN_zero(&r->Z)) goto end; + BN_zero(&r->Z); r->Z_is_one = 0; ret = 1; goto end; @@ -1169,7 +1170,7 @@ int ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_ if (EC_POINT_is_at_infinity(group, a)) { - if (!BN_zero(&r->Z)) return 0; + BN_zero(&r->Z); r->Z_is_one = 0; return 1; } From 560f7abb7e12d09b5e1dd2e9c8e3c6a04fc901d3 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 15 Mar 2004 22:33:19 +0000 Subject: [PATCH 058/112] Make sure we use unsigned constants, or come compilers may complain. --- crypto/ec/ec2_smpl.c | 2 +- crypto/ec/ecp_smpl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 1132c8e5a..d34e97d67 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -575,7 +575,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index de90f90aa..993771952 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -902,7 +902,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) From fd836aeee017d4c7fef8e4d21afa07081e815be2 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 15 Mar 2004 22:37:08 +0000 Subject: [PATCH 059/112] Make sure that the last argument to RAND_add() is a float, or some compilers may complain. --- crypto/rand/md_rand.c | 2 +- crypto/rand/rand_unix.c | 8 ++++---- crypto/rsa/rsa_eay.c | 2 +- crypto/rsa/rsa_lib.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 66b229c9b..303e5898c 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -315,7 +315,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) static void ssleay_rand_seed(const void *buf, int num) { - ssleay_rand_add(buf, num, num); + ssleay_rand_add(buf, num, (float)num); } static int ssleay_rand_bytes(unsigned char *buf, int num) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index ef8020121..aef6914bb 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -233,19 +233,19 @@ int RAND_poll(void) #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) if (n > 0) { - RAND_add(tmpbuf,sizeof tmpbuf,n); + RAND_add(tmpbuf,sizeof tmpbuf,(float)n); OPENSSL_cleanse(tmpbuf,n); } #endif /* put in some default random data, we need more than just this */ l=curr_pid; - RAND_add(&l,sizeof(l),0); + RAND_add(&l,sizeof(l),0.0); l=getuid(); - RAND_add(&l,sizeof(l),0); + RAND_add(&l,sizeof(l),0.0); l=time(NULL); - RAND_add(&l,sizeof(l),0); + RAND_add(&l,sizeof(l),0.0); #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) return 1; diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index ee2a70bb4..5beb9c9fd 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -243,7 +243,7 @@ static BN_BLINDING *setup_blinding(RSA *rsa, BN_CTX *ctx) if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ - RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0); if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index e4d622851..cba2dd66c 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -343,7 +343,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) { /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ - RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0.0); if (!BN_pseudo_rand_range(A,rsa->n)) goto err; } else From ec37635c948e2cda2dc55e8b3630f516a4b06fd7 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 15 Mar 2004 23:02:55 +0000 Subject: [PATCH 060/112] It was just pointed out to me that it's better to cast to double... --- crypto/rand/md_rand.c | 2 +- crypto/rand/rand_unix.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 303e5898c..87fd9455e 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -315,7 +315,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) static void ssleay_rand_seed(const void *buf, int num) { - ssleay_rand_add(buf, num, (float)num); + ssleay_rand_add(buf, num, (double)num); } static int ssleay_rand_bytes(unsigned char *buf, int num) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index aef6914bb..d2fdb35b5 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -233,7 +233,7 @@ int RAND_poll(void) #if defined(DEVRANDOM) || defined(DEVRANDOM_EGD) if (n > 0) { - RAND_add(tmpbuf,sizeof tmpbuf,(float)n); + RAND_add(tmpbuf,sizeof tmpbuf,(double)n); OPENSSL_cleanse(tmpbuf,n); } #endif From 875a644a9047e96dfcce27af876d30460759805e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 15 Mar 2004 23:15:26 +0000 Subject: [PATCH 061/112] Constify d2i, s2i, c2i and r2i functions and other associated functions and macros. This change has associated tags: LEVITTE_before_const and LEVITTE_after_const. Those will be removed when this change has been properly reviewed. --- CHANGES | 3 ++ apps/apps.c | 2 +- apps/asn1pars.c | 4 ++- apps/pkcs12.c | 2 +- crypto/asn1/a_bitstr.c | 7 +++-- crypto/asn1/a_bool.c | 4 +-- crypto/asn1/a_bytes.c | 22 ++++++++------ crypto/asn1/a_d2i_fp.c | 6 ++-- crypto/asn1/a_dup.c | 3 +- crypto/asn1/a_gentm.c | 2 +- crypto/asn1/a_hdr.c | 2 +- crypto/asn1/a_int.c | 10 +++--- crypto/asn1/a_object.c | 8 ++--- crypto/asn1/a_octet.c | 2 +- crypto/asn1/a_set.c | 4 +-- crypto/asn1/a_utctm.c | 2 +- crypto/asn1/asn1.h | 61 +++++++++++++++++++++++++------------ crypto/asn1/asn1_gen.c | 8 +++-- crypto/asn1/asn1_lib.c | 44 +++++++++++++++++++-------- crypto/asn1/asn1_mac.h | 30 ++++++++++-------- crypto/asn1/asn1_par.c | 10 +++--- crypto/asn1/asn1t.h | 18 +++++------ crypto/asn1/asn_pack.c | 6 ++-- crypto/asn1/d2i_pr.c | 6 ++-- crypto/asn1/d2i_pu.c | 2 +- crypto/asn1/evp_asn1.c | 4 +-- crypto/asn1/tasn_dec.c | 66 +++++++++++++++++++++------------------- crypto/asn1/tasn_utl.c | 2 +- crypto/asn1/x_bignum.c | 5 +-- crypto/asn1/x_long.c | 5 +-- crypto/asn1/x_name.c | 6 ++-- crypto/asn1/x_pkey.c | 2 +- crypto/asn1/x_pubkey.c | 16 +++++----- crypto/asn1/x_x509.c | 4 +-- crypto/evp/bio_enc.c | 4 +-- crypto/evp/digest.c | 2 +- crypto/evp/encode.c | 4 +-- crypto/evp/evp.h | 42 +++++++++++++------------ crypto/evp/evp_key.c | 2 +- crypto/evp/evp_pkey.c | 4 +-- crypto/evp/p5_crpt.c | 3 +- crypto/evp/p5_crpt2.c | 5 +-- crypto/evp/p_dec.c | 2 +- crypto/evp/p_enc.c | 2 +- crypto/evp/p_open.c | 5 +-- crypto/evp/p_verify.c | 2 +- crypto/krb5/krb5_asn.h | 2 +- crypto/objects/obj_dat.c | 10 +++--- crypto/pem/pem_pkey.c | 3 +- crypto/pkcs12/p12_crpt.c | 3 +- crypto/pkcs12/p12_decr.c | 3 +- crypto/pkcs12/p12_npas.c | 3 +- crypto/pkcs7/pk7_attr.c | 3 +- crypto/rsa/rsa_saos.c | 3 +- crypto/rsa/rsa_sign.c | 4 +-- crypto/x509/x509.h | 12 ++++---- crypto/x509/x509_req.c | 3 +- crypto/x509/x509spki.c | 3 +- crypto/x509v3/v3_lib.c | 3 +- crypto/x509v3/v3_ocsp.c | 8 ++--- crypto/x509v3/v3_prn.c | 3 +- crypto/x509v3/x509v3.h | 6 ++-- ssl/s2_clnt.c | 2 +- ssl/s2_srvr.c | 6 ++-- ssl/s3_clnt.c | 10 +++--- ssl/s3_srvr.c | 5 +-- ssl/ssl.h | 10 +++--- ssl/ssl_locl.h | 2 +- ssl/ssl_rsa.c | 14 ++++----- 69 files changed, 331 insertions(+), 245 deletions(-) diff --git a/CHANGES b/CHANGES index a8866ad9a..6029cce5b 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with + associated ASN1, EVP and SSL functions and old ASN1 macros. + *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, and this should never fail. So the return value from the use of BN_set_word() (which can fail due to needless expansion) is now deprecated; diff --git a/apps/apps.c b/apps/apps.c index 47b59b454..eae1fedcd 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -758,7 +758,7 @@ X509 *load_cert(BIO *err, const char *file, int format, x=d2i_X509_bio(cert,NULL); else if (format == FORMAT_NETSCAPE) { - unsigned char *p,*op; + const unsigned char *p,*op; int size=0,i; /* We sort of have to do it this way because it is sort of nice diff --git a/apps/asn1pars.c b/apps/asn1pars.c index c28b5ec19..305db1590 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -94,6 +94,7 @@ int MAIN(int argc, char **argv) char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL; char *genstr=NULL, *genconf=NULL; unsigned char *tmpbuf; + const unsigned char *ctmpbuf; BUF_MEM *buf=NULL; STACK *osk=NULL; ASN1_TYPE *at=NULL; @@ -317,7 +318,8 @@ bad: tmpbuf+=j; tmplen-=j; atmp = at; - at = d2i_ASN1_TYPE(NULL,&tmpbuf,tmplen); + ctmpbuf = tmpbuf; + at = d2i_ASN1_TYPE(NULL,&ctmpbuf,tmplen); ASN1_TYPE_free(atmp); if(!at) { diff --git a/apps/pkcs12.c b/apps/pkcs12.c index cbd933667..dd0d29bfa 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -811,7 +811,7 @@ err: int alg_print (BIO *x, X509_ALGOR *alg) { PBEPARAM *pbe; - unsigned char *p; + const unsigned char *p; p = alg->parameter->value.sequence->data; pbe = d2i_PBEPARAM (NULL, &p, alg->parameter->value.sequence->length); BIO_printf (bio_err, "%s, Iteration %ld\n", diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index f4ea96cd5..c1d3c2821 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -113,11 +113,12 @@ int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) return(ret); } -ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp, - long len) +ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, + const unsigned char **pp, long len) { ASN1_BIT_STRING *ret=NULL; - unsigned char *p,*s; + const unsigned char *p; + unsigned char *s; int i; if (len < 1) diff --git a/crypto/asn1/a_bool.c b/crypto/asn1/a_bool.c index 24333ea4d..331acdf05 100644 --- a/crypto/asn1/a_bool.c +++ b/crypto/asn1/a_bool.c @@ -75,10 +75,10 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) return(r); } -int d2i_ASN1_BOOLEAN(int *a, unsigned char **pp, long length) +int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length) { int ret= -1; - unsigned char *p; + const unsigned char *p; long len; int inf,tag,xclass; int i=0; diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c index afd27b80e..8d13f9c93 100644 --- a/crypto/asn1/a_bytes.c +++ b/crypto/asn1/a_bytes.c @@ -60,14 +60,15 @@ #include "cryptlib.h" #include -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c); +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c); /* type is a 'bitmap' of acceptable string types. */ -ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp, +ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int type) { ASN1_STRING *ret=NULL; - unsigned char *p,*s; + const unsigned char *p; + unsigned char *s; long len; int inf,tag,xclass; int i=0; @@ -153,11 +154,12 @@ int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass) return(r); } -ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length, - int Ptag, int Pclass) +ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, + long length, int Ptag, int Pclass) { ASN1_STRING *ret=NULL; - unsigned char *p,*s; + const unsigned char *p; + unsigned char *s; long len; int inf,tag,xclass; int i=0; @@ -185,7 +187,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length, if (inf & V_ASN1_CONSTRUCTED) { - ASN1_CTX c; + ASN1_const_CTX c; c.pp=pp; c.p=p; @@ -247,7 +249,7 @@ err: * them into the one structure that is then returned */ /* There have been a few bug fixes for this function from * Paul Keogh , many thanks to him */ -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c) +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) { ASN1_STRING *os=NULL; BUF_MEM b; @@ -268,7 +270,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c) { if (c->inf & 1) { - c->eos=ASN1_check_infinite_end(&c->p, + c->eos=ASN1_const_check_infinite_end(&c->p, (long)(c->max-c->p)); if (c->eos) break; } @@ -296,7 +298,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c) num+=os->length; } - if (!asn1_Finish(c)) goto err; + if (!asn1_const_Finish(c)) goto err; a->length=num; if (a->data != NULL) OPENSSL_free(a->data); diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index b67b75e7c..2e99e4c69 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c @@ -107,14 +107,14 @@ err: void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x) { BUF_MEM *b = NULL; - unsigned char *p; + const unsigned char *p; void *ret=NULL; int len; len = asn1_d2i_read_bio(in, &b); if(len < 0) goto err; - p=(unsigned char *)b->data; + p=(const unsigned char *)b->data; ret=ASN1_item_d2i(x,&p,len, it); err: if (b != NULL) BUF_MEM_free(b); @@ -146,7 +146,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) unsigned char *p; int i; int ret=-1; - ASN1_CTX c; + ASN1_const_CTX c; int want=HEADER_SIZE; int eos=0; #if defined(__GNUC__) && defined(__ia64) diff --git a/crypto/asn1/a_dup.c b/crypto/asn1/a_dup.c index 58a017884..dc6826ad1 100644 --- a/crypto/asn1/a_dup.c +++ b/crypto/asn1/a_dup.c @@ -91,7 +91,8 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x) void *ASN1_item_dup(const ASN1_ITEM *it, void *x) { - unsigned char *b = NULL, *p; + unsigned char *b = NULL; + const unsigned char *p; long i; void *ret; diff --git a/crypto/asn1/a_gentm.c b/crypto/asn1/a_gentm.c index 858100786..ea8d7b96c 100644 --- a/crypto/asn1/a_gentm.c +++ b/crypto/asn1/a_gentm.c @@ -181,7 +181,7 @@ err: return(0); } -int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str) +int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str) { ASN1_GENERALIZEDTIME t; diff --git a/crypto/asn1/a_hdr.c b/crypto/asn1/a_hdr.c index b1aad81f7..b354ae586 100644 --- a/crypto/asn1/a_hdr.c +++ b/crypto/asn1/a_hdr.c @@ -76,7 +76,7 @@ int i2d_ASN1_HEADER(ASN1_HEADER *a, unsigned char **pp) M_ASN1_I2D_finish(); } -ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a, unsigned char **pp, +ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a, const unsigned char **pp, long length) { M_ASN1_D2I_vars(a,ASN1_HEADER *,ASN1_HEADER_new); diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 4bb300c20..5d76de79b 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -155,11 +155,12 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) /* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */ -ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp, +ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len) { ASN1_INTEGER *ret=NULL; - unsigned char *p,*to,*s, *pend; + const unsigned char *p, *pend; + unsigned char *to,*s; int i; if ((a == NULL) || ((*a) == NULL)) @@ -247,11 +248,12 @@ err: * with its MSB set as negative (it doesn't add a padding zero). */ -ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp, +ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length) { ASN1_INTEGER *ret=NULL; - unsigned char *p,*to,*s; + const unsigned char *p; + unsigned char *to,*s; long len; int inf,tag,xclass; int i; diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 124451d7a..715042e6e 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -189,10 +189,10 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a) return(i); } -ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, +ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length) { - unsigned char *p; + const unsigned char *p; long len; int tag,xclass; int inf,i; @@ -219,11 +219,11 @@ err: ASN1_OBJECT_free(ret); return(NULL); } -ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, +ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len) { ASN1_OBJECT *ret=NULL; - unsigned char *p; + const unsigned char *p; int i; /* only the ASN1_OBJECTs from the 'table' will have values diff --git a/crypto/asn1/a_octet.c b/crypto/asn1/a_octet.c index 9690bae0f..24fd0f8e5 100644 --- a/crypto/asn1/a_octet.c +++ b/crypto/asn1/a_octet.c @@ -66,6 +66,6 @@ ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *x) int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b) { return M_ASN1_OCTET_STRING_cmp(a, b); } -int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, unsigned char *d, int len) +int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, const unsigned char *d, int len) { return M_ASN1_OCTET_STRING_set(x, d, len); } diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c index 0f839822f..f37408a31 100644 --- a/crypto/asn1/a_set.c +++ b/crypto/asn1/a_set.c @@ -153,10 +153,10 @@ SetBlob return(r); } -STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length, +STACK *d2i_ASN1_SET(STACK **a, const unsigned char **pp, long length, char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class) { - ASN1_CTX c; + ASN1_const_CTX c; STACK *ret=NULL; if ((a == NULL) || ((*a) == NULL)) diff --git a/crypto/asn1/a_utctm.c b/crypto/asn1/a_utctm.c index 999852dae..fea659032 100644 --- a/crypto/asn1/a_utctm.c +++ b/crypto/asn1/a_utctm.c @@ -162,7 +162,7 @@ err: return(0); } -int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str) +int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str) { ASN1_UTCTIME t; diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index a9ba2d6e9..dbf0f636e 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -160,6 +160,10 @@ struct X509_algor_st; #define DECLARE_ASN1_SET_OF(type) /* filled in by mkstack.pl */ #define IMPLEMENT_ASN1_SET_OF(type) /* nothing, no longer needed */ +/* We MUST make sure that, except for constness, asn1_ctx_st and + asn1_const_ctx are exactly the same. Fortunately, as soon as + the old ASN1 parsing macros are gone, we can throw this away + as well... */ typedef struct asn1_ctx_st { unsigned char *p;/* work char pointer */ @@ -175,6 +179,21 @@ typedef struct asn1_ctx_st int line; /* used in error processing */ } ASN1_CTX; +typedef struct asn1_const_ctx_st + { + const unsigned char *p;/* work char pointer */ + int eos; /* end of sequence read for indefinite encoding */ + int error; /* error code to use when returning an error */ + int inf; /* constructed if 0x20, indefinite is 0x21 */ + int tag; /* tag from last 'get object' */ + int xclass; /* class from last 'get object' */ + long slen; /* length of last 'get object' */ + const unsigned char *max; /* largest value of p allowed */ + const unsigned char *q;/* temporary variable */ + const unsigned char **pp;/* variable */ + int line; /* used in error processing */ + } ASN1_const_CTX; + /* These are used internally in the ASN1_OBJECT to keep track of * whether the names and data need to be free()ed */ #define ASN1_OBJECT_FLAG_DYNAMIC 0x01 /* internal use */ @@ -276,7 +295,7 @@ typedef struct ASN1_VALUE_st ASN1_VALUE; DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) #define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \ - type *d2i_##name(type **a, unsigned char **in, long len); \ + type *d2i_##name(type **a, const unsigned char **in, long len); \ int i2d_##name(type *a, unsigned char **out); \ DECLARE_ASN1_ITEM(itname) @@ -712,9 +731,9 @@ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); ASN1_OBJECT * ASN1_OBJECT_new(void ); void ASN1_OBJECT_free(ASN1_OBJECT *a); int i2d_ASN1_OBJECT(ASN1_OBJECT *a,unsigned char **pp); -ASN1_OBJECT * c2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp, +ASN1_OBJECT * c2i_ASN1_OBJECT(ASN1_OBJECT **a,const unsigned char **pp, long length); -ASN1_OBJECT * d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp, +ASN1_OBJECT * d2i_ASN1_OBJECT(ASN1_OBJECT **a,const unsigned char **pp, long length); DECLARE_ASN1_ITEM(ASN1_OBJECT) @@ -737,7 +756,7 @@ unsigned char * ASN1_STRING_data(ASN1_STRING *x); DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING) int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a,unsigned char **pp); -ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,unsigned char **pp, +ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,const unsigned char **pp, long length); int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length ); @@ -753,13 +772,13 @@ int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, BIT_STRING_BITNAME *tbl); int i2d_ASN1_BOOLEAN(int a,unsigned char **pp); -int d2i_ASN1_BOOLEAN(int *a,unsigned char **pp,long length); +int d2i_ASN1_BOOLEAN(int *a,const unsigned char **pp,long length); DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER) int i2c_ASN1_INTEGER(ASN1_INTEGER *a,unsigned char **pp); -ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,unsigned char **pp, +ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length); -ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,unsigned char **pp, +ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a,const unsigned char **pp, long length); ASN1_INTEGER * ASN1_INTEGER_dup(ASN1_INTEGER *x); int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y); @@ -768,7 +787,7 @@ DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED) int ASN1_UTCTIME_check(ASN1_UTCTIME *a); ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t); -int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); +int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); #if 0 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s); @@ -776,12 +795,12 @@ time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s); int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t); -int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); +int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str); DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING) ASN1_OCTET_STRING * ASN1_OCTET_STRING_dup(ASN1_OCTET_STRING *a); int ASN1_OCTET_STRING_cmp(ASN1_OCTET_STRING *a, ASN1_OCTET_STRING *b); -int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, unsigned char *data, int len); +int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, int len); DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING) DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING) @@ -812,7 +831,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag, int ex_class, int is_set); -STACK * d2i_ASN1_SET(STACK **a, unsigned char **pp, long length, +STACK * d2i_ASN1_SET(STACK **a, const unsigned char **pp, long length, char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class); @@ -846,20 +865,22 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn); int ASN1_PRINTABLE_type(unsigned char *s, int max); int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass); -ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, +ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int Ptag, int Pclass); unsigned long ASN1_tag2bit(int tag); /* type is one or more of the B_ASN1_ values. */ -ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,unsigned char **pp, +ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a,const unsigned char **pp, long length,int type); /* PARSING */ int asn1_Finish(ASN1_CTX *c); +int asn1_const_Finish(ASN1_const_CTX *c); /* SPECIALS */ -int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, +int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, int *pclass, long omax); int ASN1_check_infinite_end(unsigned char **p,long len); +int ASN1_const_check_infinite_end(const unsigned char **p,long len); void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass); int ASN1_put_eoc(unsigned char **pp); @@ -890,14 +911,14 @@ int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a); int ASN1_TIME_print(BIO *fp,ASN1_TIME *a); int ASN1_STRING_print(BIO *bp,ASN1_STRING *v); int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags); -int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent); -int ASN1_parse_dump(BIO *bp,unsigned char *pp,long len,int indent,int dump); +int ASN1_parse(BIO *bp,const unsigned char *pp,long len,int indent); +int ASN1_parse_dump(BIO *bp,const unsigned char *pp,long len,int indent,int dump); #endif const char *ASN1_tag2str(int tag); /* Used to load and write netscape format cert/key */ int i2d_ASN1_HEADER(ASN1_HEADER *a,unsigned char **pp); -ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a,unsigned char **pp, long length); +ASN1_HEADER *d2i_ASN1_HEADER(ASN1_HEADER **a,const unsigned char **pp, long length); ASN1_HEADER *ASN1_HEADER_new(void ); void ASN1_HEADER_free(ASN1_HEADER *a); @@ -918,8 +939,8 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a,long *num, unsigned char *data, int max_len); -STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(), - void (*free_func)(void *) ); +STACK *ASN1_seq_unpack(const unsigned char *buf, int len, char *(*d2i)(), + void (*free_func)(void *) ); unsigned char *ASN1_seq_pack(STACK *safes, int (*i2d)(), unsigned char **buf, int *len ); void *ASN1_unpack_string(ASN1_STRING *oct, char *(*d2i)()); @@ -947,7 +968,7 @@ void ASN1_STRING_TABLE_cleanup(void); /* Old API compatible functions */ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); -ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it); +ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it); int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 277726cd5..efd80215c 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -141,7 +141,9 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) int i, len; unsigned char *orig_der = NULL, *new_der = NULL; - unsigned char *cpy_start, *p; + const unsigned char *cpy_start; + unsigned char *p; + const unsigned char *cp; int cpy_len; long hdr_len; int hdr_constructed = 0, hdr_tag, hdr_class; @@ -249,10 +251,10 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) /* Copy across original encoding */ memcpy(p, cpy_start, cpy_len); - p = new_der; + cp = new_der; /* Obtain new ASN1_TYPE structure */ - ret = d2i_ASN1_TYPE(NULL, &p, len); + ret = d2i_ASN1_TYPE(NULL, &cp, len); err: if (orig_der) diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index b720bccac..504e612a8 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -62,11 +62,11 @@ #include #include -static int asn1_get_length(unsigned char **pp,int *inf,long *rl,int max); +static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max); static void asn1_put_length(unsigned char **pp, int length); const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT; -int ASN1_check_infinite_end(unsigned char **p, long len) +static int _asn1_check_infinite_end(const unsigned char **p, long len) { /* If there is 0 or 1 byte left, the length check should pick * things up */ @@ -80,13 +80,23 @@ int ASN1_check_infinite_end(unsigned char **p, long len) return(0); } +int ASN1_check_infinite_end(unsigned char **p, long len) + { + return _asn1_check_infinite_end((const unsigned char **)p, len); + } -int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, - long omax) +int ASN1_const_check_infinite_end(const unsigned char **p, long len) + { + return _asn1_check_infinite_end(p, len); + } + + +int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, + int *pclass, long omax) { int i,ret; long l; - unsigned char *p= *pp; + const unsigned char *p= *pp; int tag,xclass,inf; long max=omax; @@ -141,9 +151,9 @@ err: return(0x80); } -static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) +static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max) { - unsigned char *p= *pp; + const unsigned char *p= *pp; unsigned long ret=0; unsigned int i; @@ -272,11 +282,11 @@ int ASN1_object_size(int constructed, int length, int tag) return(ret); } -int asn1_Finish(ASN1_CTX *c) +static int _asn1_Finish(ASN1_const_CTX *c) { if ((c->inf == (1|V_ASN1_CONSTRUCTED)) && (!c->eos)) { - if (!ASN1_check_infinite_end(&c->p,c->slen)) + if (!ASN1_const_check_infinite_end(&c->p,c->slen)) { c->error=ERR_R_MISSING_ASN1_EOS; return(0); @@ -291,9 +301,19 @@ int asn1_Finish(ASN1_CTX *c) return(1); } -int asn1_GetSequence(ASN1_CTX *c, long *length) +int asn1_Finish(ASN1_CTX *c) { - unsigned char *q; + return _asn1_Finish((ASN1_const_CTX *)c); + } + +int asn1_const_Finish(ASN1_const_CTX *c) + { + return _asn1_Finish(c); + } + +int asn1_GetSequence(ASN1_const_CTX *c, long *length) + { + const unsigned char *q; q=c->p; c->inf=ASN1_get_object(&(c->p),&(c->slen),&(c->tag),&(c->xclass), @@ -419,7 +439,7 @@ int ASN1_STRING_cmp(ASN1_STRING *a, ASN1_STRING *b) return(i); } -void asn1_add_error(unsigned char *address, int offset) +void asn1_add_error(const unsigned char *address, int offset) { char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; diff --git a/crypto/asn1/asn1_mac.h b/crypto/asn1/asn1_mac.h index a48649cee..a67fb341e 100644 --- a/crypto/asn1/asn1_mac.h +++ b/crypto/asn1/asn1_mac.h @@ -73,11 +73,11 @@ extern "C" { ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line)) #define M_ASN1_D2I_vars(a,type,func) \ - ASN1_CTX c; \ + ASN1_const_CTX c; \ type ret=NULL; \ \ - c.pp=(unsigned char **)pp; \ - c.q= *(unsigned char **)pp; \ + c.pp=(const unsigned char **)pp; \ + c.q= *(const unsigned char **)pp; \ c.error=ERR_R_NESTED_ASN1_ERROR; \ if ((a == NULL) || ((*a) == NULL)) \ { if ((ret=(type)func()) == NULL) \ @@ -85,13 +85,13 @@ extern "C" { else ret=(*a); #define M_ASN1_D2I_Init() \ - c.p= *(unsigned char **)pp; \ + c.p= *(const unsigned char **)pp; \ c.max=(length == 0)?0:(c.p+length); #define M_ASN1_D2I_Finish_2(a) \ - if (!asn1_Finish(&c)) \ + if (!asn1_const_Finish(&c)) \ { c.line=__LINE__; goto err; } \ - *(unsigned char **)pp=c.p; \ + *(const unsigned char **)pp=c.p; \ if (a != NULL) (*a)=ret; \ return(ret); @@ -99,7 +99,7 @@ extern "C" { M_ASN1_D2I_Finish_2(a); \ err:\ ASN1_MAC_H_err((e),c.error,c.line); \ - asn1_add_error(*(unsigned char **)pp,(int)(c.q- *pp)); \ + asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \ if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ return(NULL) @@ -123,7 +123,7 @@ err:\ #define M_ASN1_D2I_end_sequence() \ (((c.inf&1) == 0)?(c.slen <= 0): \ - (c.eos=ASN1_check_infinite_end(&c.p,c.slen))) + (c.eos=ASN1_const_check_infinite_end(&c.p,c.slen))) /* Don't use this with d2i_ASN1_BOOLEAN() */ #define M_ASN1_D2I_get(b,func) \ @@ -278,7 +278,7 @@ err:\ { c.line=__LINE__; goto err; } \ if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \ Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_check_infinite_end(&c.p, Tlen)) \ + if(!ASN1_const_check_infinite_end(&c.p, Tlen)) \ { c.error=ERR_R_MISSING_ASN1_EOS; \ c.line=__LINE__; goto err; } \ }\ @@ -353,8 +353,12 @@ err:\ return(NULL) -#define M_ASN1_next (*c.p) -#define M_ASN1_next_prev (*c.q) +/* BIG UGLY WARNING! This is so damn ugly I wanna puke. Unfortunately, + some macros that use ASN1_const_CTX still insist on writing in the input + stream. ARGH! ARGH! ARGH! Let's get rid of this macro package. + Please? -- Richard Levitte */ +#define M_ASN1_next (*((unsigned char *)(c.p))) +#define M_ASN1_next_prev (*((unsigned char *)(c.q))) /*************************************************/ @@ -551,8 +555,8 @@ err:\ #define M_ASN1_I2D_finish() *pp=p; \ return(r); -int asn1_GetSequence(ASN1_CTX *c, long *length); -void asn1_add_error(unsigned char *address,int offset); +int asn1_GetSequence(ASN1_const_CTX *c, long *length); +void asn1_add_error(const unsigned char *address,int offset); #ifdef __cplusplus } #endif diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index bd8de1e8d..0e5bf915a 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -64,7 +64,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed, int indent); -static int asn1_parse2(BIO *bp, unsigned char **pp, long length, +static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, int depth, int indent, int dump); static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, int indent) @@ -103,20 +103,20 @@ err: return(0); } -int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent) +int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent) { return(asn1_parse2(bp,&pp,len,0,0,indent,0)); } -int ASN1_parse_dump(BIO *bp, unsigned char *pp, long len, int indent, int dump) +int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, int dump) { return(asn1_parse2(bp,&pp,len,0,0,indent,dump)); } -static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, +static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, int depth, int indent, int dump) { - unsigned char *p,*ep,*tot,*op,*opp; + const unsigned char *p,*ep,*tot,*op,*opp; long len; int tag,xclass,ret=0; int nl,hl,j,r; diff --git a/crypto/asn1/asn1t.h b/crypto/asn1/asn1t.h index 6cfa2dd50..a02483683 100644 --- a/crypto/asn1/asn1t.h +++ b/crypto/asn1/asn1t.h @@ -634,10 +634,10 @@ struct ASN1_TLC_st{ typedef ASN1_VALUE * ASN1_new_func(void); typedef void ASN1_free_func(ASN1_VALUE *a); -typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, unsigned char ** in, long length); +typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in, long length); typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in); -typedef int ASN1_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it, +typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); @@ -645,7 +645,7 @@ typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it); typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); -typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); +typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); typedef struct ASN1_COMPAT_FUNCS_st { ASN1_new_func *asn1_new; @@ -793,7 +793,7 @@ typedef struct ASN1_AUX_st { IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \ - stname *d2i_##fname(stname **a, unsigned char **in, long len) \ + stname *d2i_##fname(stname **a, const unsigned char **in, long len) \ { \ return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\ } \ @@ -814,7 +814,7 @@ typedef struct ASN1_AUX_st { #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \ stname *d2i_##fname(stname **a, const unsigned char **in, long len) \ { \ - return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, (unsigned char **)in, len, ASN1_ITEM_rptr(itname));\ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\ } \ int i2d_##fname(const stname *a, unsigned char **out) \ { \ @@ -855,8 +855,8 @@ int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it); void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); -int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt); -int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it, +int ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt); +int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); @@ -864,7 +864,7 @@ int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLAT void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it); int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); -int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); +int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it); int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it); @@ -878,7 +878,7 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it); void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it); int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it); -int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it); +int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, const ASN1_ITEM *it); #ifdef __cplusplus } diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c index e6051db2d..ea56aa6ab 100644 --- a/crypto/asn1/asn_pack.c +++ b/crypto/asn1/asn_pack.c @@ -66,11 +66,11 @@ /* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */ -STACK *ASN1_seq_unpack(unsigned char *buf, int len, char *(*d2i)(), +STACK *ASN1_seq_unpack(const unsigned char *buf, int len, char *(*d2i)(), void (*free_func)(void *)) { STACK *sk; - unsigned char *pbuf; + const unsigned char *pbuf; pbuf = buf; if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL))) @@ -181,7 +181,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct) void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it) { - unsigned char *p; + const unsigned char *p; void *ret; p = oct->data; diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 8d0dc2790..5f3058514 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -72,7 +72,7 @@ #include #endif -EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, unsigned char **pp, +EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { EVP_PKEY *ret; @@ -135,11 +135,11 @@ err: /* This works like d2i_PrivateKey() except it automatically works out the type */ -EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp, +EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, long length) { STACK_OF(ASN1_TYPE) *inkey; - unsigned char *p; + const unsigned char *p; int keytype; p = *pp; /* Dirty trick: read in the ASN1 data into a STACK_OF(ASN1_TYPE): diff --git a/crypto/asn1/d2i_pu.c b/crypto/asn1/d2i_pu.c index d0fd73209..8a05810ed 100644 --- a/crypto/asn1/d2i_pu.c +++ b/crypto/asn1/d2i_pu.c @@ -72,7 +72,7 @@ #include #endif -EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, unsigned char **pp, +EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { EVP_PKEY *ret; diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c index 3506005a7..162b37bc3 100644 --- a/crypto/asn1/evp_asn1.c +++ b/crypto/asn1/evp_asn1.c @@ -137,9 +137,9 @@ int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data, int ret= -1,n; ASN1_INTEGER *ai=NULL; ASN1_OCTET_STRING *os=NULL; - unsigned char *p; + const unsigned char *p; long length; - ASN1_CTX c; + ASN1_const_CTX c; if ((a->type != V_ASN1_SEQUENCE) || (a->value.sequence == NULL)) { diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index e5774fef4..aa26a44ea 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -65,14 +65,14 @@ #include #include -static int asn1_check_eoc(unsigned char **in, long len); -static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass); -static int collect_data(BUF_MEM *buf, unsigned char **p, long plen); +static int asn1_check_eoc(const unsigned char **in, long len); +static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, char inf, int tag, int aclass); +static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst, - unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx); -static int asn1_template_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); -static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); -static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long len, + const unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx); +static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); +static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); +static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); /* Table to convert tags to bit values, used for MSTRING type */ @@ -106,7 +106,7 @@ unsigned long ASN1_tag2bit(int tag) * case. */ -ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it) +ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it) { ASN1_TLC c; ASN1_VALUE *ptmpval = NULL; @@ -117,7 +117,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const return NULL; } -int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_TEMPLATE *tt) +int ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt) { ASN1_TLC c; asn1_tlc_clear(&c); @@ -129,7 +129,7 @@ int ASN1_template_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN * If 'opt' set and tag mismatch return -1 to handle OPTIONAL */ -int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1_ITEM *it, +int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { const ASN1_TEMPLATE *tt, *errtt = NULL; @@ -137,7 +137,9 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1 const ASN1_EXTERN_FUNCS *ef; const ASN1_AUX *aux = it->funcs; ASN1_aux_cb *asn1_cb; - unsigned char *p, *q, imphack = 0, oclass; + const unsigned char *p, *q; + unsigned char *wp=NULL; /* BIG FAT WARNING! BREAKS CONST WHERE USED */ + unsigned char imphack = 0, oclass; char seq_eoc, seq_nolen, cst, isopt; long tmplen; int i; @@ -229,14 +231,14 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1 */ if(tag != -1) { - p = *in; - imphack = *p; - *p = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype); + wp = *(unsigned char **)in; + imphack = *wp; + *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED) | it->utype); } ptmpval = cf->asn1_d2i(pval, in, len); - if(tag != -1) *p = imphack; + if(tag != -1) *wp = imphack; if(ptmpval) return 1; ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR); @@ -416,12 +418,12 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1 * rest. */ -static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) +static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) { int flags, aclass; int ret; long len; - unsigned char *p, *q; + const unsigned char *p, *q; char exp_eoc; if(!val) return 0; flags = tt->flags; @@ -478,11 +480,11 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen return 0; } -static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) +static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx) { int flags, aclass; int ret; - unsigned char *p, *q; + const unsigned char *p, *q; if(!val) return 0; flags = tt->flags; aclass = flags & ASN1_TFLG_TAG_CLASS; @@ -578,16 +580,16 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long le return 0; } -static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inlen, +static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { int ret = 0, utype; long plen; char cst, inf, free_cont = 0; - unsigned char *p; + const unsigned char *p; BUF_MEM buf; - unsigned char *cont = NULL; + const unsigned char *cont = NULL; long len; if(!pval) { ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_ILLEGAL_NULL); @@ -670,7 +672,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl return 0; } buf.data[len] = 0; - cont = (unsigned char *)buf.data; + cont = (const unsigned char *)buf.data; free_cont = 1; } else { cont = p; @@ -690,7 +692,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl /* Translate ASN1 content octets into a structure */ -int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) +int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; @@ -781,7 +783,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char /* If we've already allocated a buffer use it */ if(*free_cont) { if(stmp->data) OPENSSL_free(stmp->data); - stmp->data = cont; + stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ stmp->length = len; *free_cont = 0; } else { @@ -816,9 +818,9 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char * length constructed stuff. */ -static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, int tag, int aclass) +static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, char inf, int tag, int aclass) { - unsigned char *p, *q; + const unsigned char *p, *q; long plen; char cst, ininf; p = *in; @@ -860,7 +862,7 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in return 1; } -static int collect_data(BUF_MEM *buf, unsigned char **p, long plen) +static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) { int len; if(buf) { @@ -877,9 +879,9 @@ static int collect_data(BUF_MEM *buf, unsigned char **p, long plen) /* Check for ASN1 EOC and swallow it if found */ -static int asn1_check_eoc(unsigned char **in, long len) +static int asn1_check_eoc(const unsigned char **in, long len) { - unsigned char *p; + const unsigned char *p; if(len < 2) return 0; p = *in; if(!p[0] && !p[1]) { @@ -897,12 +899,12 @@ static int asn1_check_eoc(unsigned char **in, long len) */ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, char *cst, - unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx) + const unsigned char **in, long len, int exptag, int expclass, char opt, ASN1_TLC *ctx) { int i; int ptag, pclass; long plen; - unsigned char *p, *q; + const unsigned char *p, *q; p = *in; q = p; diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 2a3f5db8f..c137a0ab0 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -154,7 +154,7 @@ void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it) } } -int asn1_enc_save(ASN1_VALUE **pval, unsigned char *in, int inlen, const ASN1_ITEM *it) +int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, const ASN1_ITEM *it) { ASN1_ENCODING *enc; enc = asn1_get_enc_ptr(pval, it); diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index 848c7a087..a80532cef 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -72,7 +72,7 @@ static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it); static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); -static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); +static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); static ASN1_PRIMITIVE_FUNCS bignum_pf = { NULL, 0, @@ -122,7 +122,8 @@ static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN return pad + BN_num_bytes(bn); } -static int bn_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) +static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + int utype, char *free_cont, const ASN1_ITEM *it) { BIGNUM *bn; if(!*pval) bn_new(pval, it); diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 4b5953c0f..71774fa33 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -69,7 +69,7 @@ static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it); static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); -static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); +static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); static ASN1_PRIMITIVE_FUNCS long_pf = { NULL, 0, @@ -136,7 +136,8 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A return clen + pad; } -static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) +static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + int utype, char *free_cont, const ASN1_ITEM *it) { int neg, i; long ltmp; diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c index caece0f15..cc8c979ad 100644 --- a/crypto/asn1/x_name.c +++ b/crypto/asn1/x_name.c @@ -61,7 +61,7 @@ #include #include -static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it, +static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); @@ -156,10 +156,10 @@ static void sk_internal_free(void *a) sk_free(a); } -static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it, +static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { - unsigned char *p = *in, *q; + const unsigned char *p = *in, *q; STACK *intname = NULL; int i, j, ret; X509_NAME *nm = NULL; diff --git a/crypto/asn1/x_pkey.c b/crypto/asn1/x_pkey.c index f1c6221ac..c88cfd593 100644 --- a/crypto/asn1/x_pkey.c +++ b/crypto/asn1/x_pkey.c @@ -69,7 +69,7 @@ int i2d_X509_PKEY(X509_PKEY *a, unsigned char **pp) return(0); } -X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, unsigned char **pp, long length) +X509_PKEY *d2i_X509_PKEY(X509_PKEY **a, const unsigned char **pp, long length) { int i; M_ASN1_D2I_vars(a,X509_PKEY *,X509_PKEY_new); diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c index 01698dd21..83ead744f 100644 --- a/crypto/asn1/x_pubkey.c +++ b/crypto/asn1/x_pubkey.c @@ -226,7 +226,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) EVP_PKEY *ret=NULL; long j; int type; - unsigned char *p; + const unsigned char *p; #if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) const unsigned char *cp; X509_ALGOR *a; @@ -342,7 +342,7 @@ err: * and encode or decode as X509_PUBKEY */ -EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, unsigned char **pp, +EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length) { X509_PUBKEY *xpk; @@ -375,12 +375,12 @@ int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp) * keys */ #ifndef OPENSSL_NO_RSA -RSA *d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, +RSA *d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length) { EVP_PKEY *pkey; RSA *key; - unsigned char *q; + const unsigned char *q; q = *pp; pkey = d2i_PUBKEY(NULL, &q, length); if (!pkey) return NULL; @@ -415,12 +415,12 @@ int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp) #endif #ifndef OPENSSL_NO_DSA -DSA *d2i_DSA_PUBKEY(DSA **a, unsigned char **pp, +DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) { EVP_PKEY *pkey; DSA *key; - unsigned char *q; + const unsigned char *q; q = *pp; pkey = d2i_PUBKEY(NULL, &q, length); if (!pkey) return NULL; @@ -455,11 +455,11 @@ int i2d_DSA_PUBKEY(DSA *a, unsigned char **pp) #endif #ifndef OPENSSL_NO_EC -EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, unsigned char **pp, long length) +EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length) { EVP_PKEY *pkey; EC_KEY *key; - unsigned char *q; + const unsigned char *q; q = *pp; pkey = d2i_PUBKEY(NULL, &q, length); if (!pkey) return(NULL); diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index b50167ce4..f71ba267d 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -161,9 +161,9 @@ void *X509_get_ex_data(X509 *r, int idx) * */ -X509 *d2i_X509_AUX(X509 **a, unsigned char **pp, long length) +X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) { - unsigned char *q; + const unsigned char *q; X509 *ret; /* Save start position */ q = *pp; diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index ab8185150..183836c85 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -405,8 +405,8 @@ EVP_CIPHER_ctx *c; } */ -void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, unsigned char *k, - unsigned char *i, int e) +void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k, + const unsigned char *i, int e) { BIO_ENC_CTX *ctx; diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 0623ddf1f..bd014ac81 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -285,7 +285,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) return 1; } -int EVP_Digest(void *data, unsigned int count, +int EVP_Digest(const void *data, unsigned int count, unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX ctx; diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 32744ca68..2968f6460 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -129,7 +129,7 @@ void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) } void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, - unsigned char *in, int inl) + const unsigned char *in, int inl) { int i,j; unsigned int total=0; @@ -233,7 +233,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) * 1 for full line */ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, - unsigned char *in, int inl) + const unsigned char *in, int inl) { int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl; unsigned char *d; diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index dd2d186a5..ce5c210f6 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -489,7 +489,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d, unsigned int cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s); -int EVP_Digest(void *data, unsigned int count, +int EVP_Digest(const void *data, unsigned int count, unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl); int EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in); @@ -497,7 +497,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); int EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s); int EVP_read_pw_string(char *buf,int length,const char *prompt,int verify); -void EVP_set_pw_prompt(char *prompt); +void EVP_set_pw_prompt(const char *prompt); char * EVP_get_pw_prompt(void); int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, @@ -536,26 +536,28 @@ int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s, EVP_PKEY *pkey); -int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, +int EVP_VerifyFinal(EVP_MD_CTX *ctx,const unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey); -int EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,unsigned char *ek, - int ekl,unsigned char *iv,EVP_PKEY *priv); +int EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type, + const unsigned char *ek, int ekl, const unsigned char *iv, + EVP_PKEY *priv); int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); -int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek, - int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk); +int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, + unsigned char **ek, int *ekl, unsigned char *iv, + EVP_PKEY **pubk, int npubk); int EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl); void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); -void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out, - int *outl,unsigned char *in,int inl); +void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl, + const unsigned char *in,int inl); void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl); int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl, - unsigned char *in, int inl); + const unsigned char *in, int inl); int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n); @@ -571,8 +573,8 @@ BIO_METHOD *BIO_f_md(void); BIO_METHOD *BIO_f_base64(void); BIO_METHOD *BIO_f_cipher(void); BIO_METHOD *BIO_f_reliable(void); -void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,unsigned char *k, - unsigned char *i, int enc); +void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,const unsigned char *k, + const unsigned char *i, int enc); #endif const EVP_MD *EVP_md_null(void); @@ -734,10 +736,12 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name); const EVP_MD *EVP_get_digestbyname(const char *name); void EVP_cleanup(void); -int EVP_PKEY_decrypt(unsigned char *dec_key,unsigned char *enc_key, - int enc_key_len,EVP_PKEY *private_key); +int EVP_PKEY_decrypt(unsigned char *dec_key, + const unsigned char *enc_key,int enc_key_len, + EVP_PKEY *private_key); int EVP_PKEY_encrypt(unsigned char *enc_key, - unsigned char *key,int key_len,EVP_PKEY *pub_key); + const unsigned char *key,int key_len, + EVP_PKEY *pub_key); int EVP_PKEY_type(int type); int EVP_PKEY_bits(EVP_PKEY *pkey); int EVP_PKEY_size(EVP_PKEY *pkey); @@ -766,13 +770,13 @@ struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); EVP_PKEY * EVP_PKEY_new(void); void EVP_PKEY_free(EVP_PKEY *pkey); -EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, unsigned char **pp, +EVP_PKEY * d2i_PublicKey(int type,EVP_PKEY **a, const unsigned char **pp, long length); int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp); -EVP_PKEY * d2i_PrivateKey(int type,EVP_PKEY **a, unsigned char **pp, +EVP_PKEY * d2i_PrivateKey(int type,EVP_PKEY **a, const unsigned char **pp, long length); -EVP_PKEY * d2i_AutoPrivateKey(EVP_PKEY **a, unsigned char **pp, +EVP_PKEY * d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, long length); int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp); @@ -798,7 +802,7 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, + const unsigned char *salt, int saltlen, int iter, int keylen, unsigned char *out); int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c index 5f387a94d..0a27f496c 100644 --- a/crypto/evp/evp_key.c +++ b/crypto/evp/evp_key.c @@ -66,7 +66,7 @@ /* should be init to zeros. */ static char prompt_string[80]; -void EVP_set_pw_prompt(char *prompt) +void EVP_set_pw_prompt(const char *prompt) { if (prompt == NULL) prompt_string[0]='\0'; diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index a08eb43a6..a82090ead 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -93,7 +93,7 @@ EVP_PKEY *EVP_PKCS82PKEY (PKCS8_PRIV_KEY_INFO *p8) int plen; #endif X509_ALGOR *a; - unsigned char *p; + const unsigned char *p; const unsigned char *cp; int pkeylen; int nid; @@ -385,7 +385,7 @@ PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken) return NULL; } RAND_add(p8->pkey->value.octet_string->data, - p8->pkey->value.octet_string->length, 0); + p8->pkey->value.octet_string->length, 0.0); return p8; } diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c index 39306f456..c0dfb7de3 100644 --- a/crypto/evp/p5_crpt.c +++ b/crypto/evp/p5_crpt.c @@ -110,7 +110,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, int i; PBEPARAM *pbe; int saltlen, iter; - unsigned char *salt, *pbuf; + unsigned char *salt; + const unsigned char *pbuf; /* Extract useful info from parameter */ pbuf = param->value.sequence->data; diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index dca051486..f2e143d2a 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -77,7 +77,7 @@ */ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, + const unsigned char *salt, int saltlen, int iter, int keylen, unsigned char *out) { unsigned char digtmp[SHA_DIGEST_LENGTH], *p, itmp[4]; @@ -148,7 +148,8 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de) { - unsigned char *pbuf, *salt, key[EVP_MAX_KEY_LENGTH]; + unsigned char *salt, key[EVP_MAX_KEY_LENGTH]; + const unsigned char *pbuf; int saltlen, iter, plen; unsigned int keylen; PBE2PARAM *pbe2 = NULL; diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c index 8af620400..f64901f65 100644 --- a/crypto/evp/p_dec.c +++ b/crypto/evp/p_dec.c @@ -66,7 +66,7 @@ #include #include -int EVP_PKEY_decrypt(unsigned char *key, unsigned char *ek, int ekl, +int EVP_PKEY_decrypt(unsigned char *key, const unsigned char *ek, int ekl, EVP_PKEY *priv) { int ret= -1; diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c index 656883b99..c2dfdc52a 100644 --- a/crypto/evp/p_enc.c +++ b/crypto/evp/p_enc.c @@ -66,7 +66,7 @@ #include #include -int EVP_PKEY_encrypt(unsigned char *ek, unsigned char *key, int key_len, +int EVP_PKEY_encrypt(unsigned char *ek, const unsigned char *key, int key_len, EVP_PKEY *pubk) { int ret=0; diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index bc3940847..8ec6c75a1 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -65,8 +65,9 @@ #include #include -int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char *ek, - int ekl, unsigned char *iv, EVP_PKEY *priv) +int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, + const unsigned char *ek, int ekl, const unsigned char *iv, + EVP_PKEY *priv) { unsigned char *key=NULL; int i,size=0,ret=0; diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c index d854d743a..21a40a375 100644 --- a/crypto/evp/p_verify.c +++ b/crypto/evp/p_verify.c @@ -62,7 +62,7 @@ #include #include -int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf, +int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, unsigned int siglen, EVP_PKEY *pkey) { unsigned char m[EVP_MAX_MD_SIZE]; diff --git a/crypto/krb5/krb5_asn.h b/crypto/krb5/krb5_asn.h index 3329477b0..41725d0dc 100644 --- a/crypto/krb5/krb5_asn.h +++ b/crypto/krb5/krb5_asn.h @@ -225,7 +225,7 @@ DECLARE_STACK_OF(KRB5_AUTHENTBODY) ** void name##_free(type *a); ** DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name) = ** DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) = -** type *d2i_##name(type **a, unsigned char **in, long len); +** type *d2i_##name(type **a, const unsigned char **in, long len); ** int i2d_##name(type *a, unsigned char **out); ** DECLARE_ASN1_ITEM(itname) = OPENSSL_EXTERN const ASN1_ITEM itname##_it */ diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index b1108568f..dbff4e075 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -397,7 +397,9 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) { int nid = NID_undef; ASN1_OBJECT *op=NULL; - unsigned char *buf,*p; + unsigned char *buf; + unsigned char *p; + const unsigned char *cp; int i, j; if(!no_name) { @@ -423,9 +425,9 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) ASN1_put_object(&p,0,i,V_ASN1_OBJECT,V_ASN1_UNIVERSAL); /* Write out contents */ a2d_ASN1_OBJECT(p,i,s,-1); - - p=buf; - op=d2i_ASN1_OBJECT(NULL,&p,j); + + cp=buf; + op=d2i_ASN1_OBJECT(NULL,&cp,j); OPENSSL_free(buf); return op; } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index d23adf302..7f33bf761 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -70,7 +70,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u) { char *nm=NULL; - unsigned char *p=NULL,*data=NULL; + const unsigned char *p=NULL; + unsigned char *data=NULL; long len; EVP_PKEY *ret=NULL; diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index 5e8958612..654d15c82 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -89,7 +89,8 @@ int PKCS12_PBE_keyivgen (EVP_CIPHER_CTX *ctx, const char *pass, int passlen, { PBEPARAM *pbe; int saltlen, iter; - unsigned char *salt, *pbuf; + unsigned char *salt; + const unsigned char *pbuf; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; /* Extract useful info from parameter */ diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index b5684a83b..19c0ccff6 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -113,7 +113,8 @@ unsigned char * PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf) { - unsigned char *out, *p; + unsigned char *out; + const unsigned char *p; void *ret; int outlen; diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index af708a274..e62d497c6 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -206,7 +206,8 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen) { PBEPARAM *pbe; - unsigned char *p; + const unsigned char *p; + p = alg->parameter->value.sequence->data; pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); *pnid = OBJ_obj2nid(alg->algorithm); diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c index 5ff5a88b5..56ce00058 100644 --- a/crypto/pkcs7/pk7_attr.c +++ b/crypto/pkcs7/pk7_attr.c @@ -96,7 +96,8 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) { ASN1_TYPE *cap; - unsigned char *p; + const unsigned char *p; + cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities); if (!cap) return NULL; p = cap->value.sequence->data; diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c index f462716a5..1e9339367 100644 --- a/crypto/rsa/rsa_saos.c +++ b/crypto/rsa/rsa_saos.c @@ -107,7 +107,8 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, RSA *rsa) { int i,ret=0; - unsigned char *p,*s; + unsigned char *s; + const unsigned char *p; ASN1_OCTET_STRING *sig=NULL; if (siglen != (unsigned int)RSA_size(rsa)) diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 02eb8136b..e50c83927 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -146,7 +146,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { int i,ret=0,sigtype; - unsigned char *p,*s; + unsigned char *s; X509_SIG *sig=NULL; if (siglen != (unsigned int)RSA_size(rsa)) @@ -181,7 +181,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE); else ret = 1; } else { - p=s; + const unsigned char *p=s; sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 9b26b24ef..e7d2c5ba5 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -884,21 +884,21 @@ EVP_PKEY * X509_PUBKEY_get(X509_PUBKEY *key); int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain); int i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp); -EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,unsigned char **pp, +EVP_PKEY * d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp, long length); #ifndef OPENSSL_NO_RSA int i2d_RSA_PUBKEY(RSA *a,unsigned char **pp); -RSA * d2i_RSA_PUBKEY(RSA **a,unsigned char **pp, +RSA * d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp, long length); #endif #ifndef OPENSSL_NO_DSA int i2d_DSA_PUBKEY(DSA *a,unsigned char **pp); -DSA * d2i_DSA_PUBKEY(DSA **a,unsigned char **pp, +DSA * d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp, long length); #endif #ifndef OPENSSL_NO_EC int i2d_EC_PUBKEY(EC_KEY *a, unsigned char **pp); -EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, unsigned char **pp, +EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length); #endif @@ -929,7 +929,7 @@ int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int X509_set_ex_data(X509 *r, int idx, void *arg); void *X509_get_ex_data(X509 *r, int idx); int i2d_X509_AUX(X509 *a,unsigned char **pp); -X509 * d2i_X509_AUX(X509 **a,unsigned char **pp,long length); +X509 * d2i_X509_AUX(X509 **a,const unsigned char **pp,long length); int X509_alias_set1(X509 *x, unsigned char *name, int len); int X509_keyid_set1(X509 *x, unsigned char *id, int len); @@ -951,7 +951,7 @@ int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); X509_PKEY * X509_PKEY_new(void ); void X509_PKEY_free(X509_PKEY *a); int i2d_X509_PKEY(X509_PKEY *a,unsigned char **pp); -X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,unsigned char **pp,long length); +X509_PKEY * d2i_X509_PKEY(X509_PKEY **a,const unsigned char **pp,long length); DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI) DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC) diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index b4ad53431..f70c6ab07 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -188,7 +188,8 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) STACK_OF(X509_ATTRIBUTE) *sk; ASN1_TYPE *ext = NULL; int i; - unsigned char *p; + const unsigned char *p; + if ((req == NULL) || (req->req_info == NULL)) return(NULL); sk=req->req_info->attributes; diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c index 4c3af946e..ed868b838 100644 --- a/crypto/x509/x509spki.c +++ b/crypto/x509/x509spki.c @@ -77,7 +77,8 @@ EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) NETSCAPE_SPKI * NETSCAPE_SPKI_b64_decode(const char *str, int len) { - unsigned char *spki_der, *p; + unsigned char *spki_der; + const unsigned char *p; int spki_len; NETSCAPE_SPKI *spki; if(len <= 0) len = strlen(str); diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c index ca5a4a4a5..04d99b333 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509v3/v3_lib.c @@ -162,7 +162,8 @@ int X509V3_add_standard_extensions(void) void *X509V3_EXT_d2i(X509_EXTENSION *ext) { X509V3_EXT_METHOD *method; - unsigned char *p; + const unsigned char *p; + if(!(method = X509V3_EXT_get(ext))) return NULL; p = ext->value->data; if(method->it) return ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509v3/v3_ocsp.c index 21badc13f..28c11a4db 100644 --- a/crypto/x509v3/v3_ocsp.c +++ b/crypto/x509v3/v3_ocsp.c @@ -74,12 +74,12 @@ static int i2r_object(X509V3_EXT_METHOD *method, void *obj, BIO *out, int indent static void *ocsp_nonce_new(void); static int i2d_ocsp_nonce(void *a, unsigned char **pp); -static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length); +static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length); static void ocsp_nonce_free(void *a); static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent); static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, int indent); -static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); +static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str); static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); X509V3_EXT_METHOD v3_ocsp_crlid = { @@ -208,7 +208,7 @@ static int i2d_ocsp_nonce(void *a, unsigned char **pp) return os->length; } -static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length) +static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length) { ASN1_OCTET_STRING *os, **pos; pos = a; @@ -246,7 +246,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, return 1; } -static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str) +static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str) { return ASN1_NULL_new(); } diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c index 8e3b3d867..20bd9bda1 100644 --- a/crypto/x509v3/v3_prn.c +++ b/crypto/x509v3/v3_prn.c @@ -109,10 +109,11 @@ int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int inde { void *ext_str = NULL; char *value = NULL; - unsigned char *p; + const unsigned char *p; X509V3_EXT_METHOD *method; STACK_OF(CONF_VALUE) *nval = NULL; int ok = 1; + if(!(method = X509V3_EXT_get(ext))) return unknown_ext_print(out, ext, flag, indent, 0); p = ext->value->data; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 25b049bfb..ec4df61bb 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -74,14 +74,14 @@ struct v3_ext_ctx; typedef void * (*X509V3_EXT_NEW)(void); typedef void (*X509V3_EXT_FREE)(void *); -typedef void * (*X509V3_EXT_D2I)(void *, unsigned char ** , long); +typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long); typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); typedef STACK_OF(CONF_VALUE) * (*X509V3_EXT_I2V)(struct v3_ext_method *method, void *ext, STACK_OF(CONF_VALUE) *extlist); typedef void * (*X509V3_EXT_V2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, STACK_OF(CONF_VALUE) *values); typedef char * (*X509V3_EXT_I2S)(struct v3_ext_method *method, void *ext); -typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); +typedef void * (*X509V3_EXT_S2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str); typedef int (*X509V3_EXT_I2R)(struct v3_ext_method *method, void *ext, BIO *out, int indent); -typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str); +typedef void * (*X509V3_EXT_R2I)(struct v3_ext_method *method, struct v3_ext_ctx *ctx, const char *str); /* V3 extension structure */ diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index da8846025..77d8a3b83 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -1034,7 +1034,7 @@ static int get_server_finished(SSL *s) } /* loads in the certificate from the server */ -int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) +int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data) { STACK_OF(X509) *sk=NULL; EVP_PKEY *pkey=NULL; diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 5da2a54af..6c43f7207 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -936,6 +936,7 @@ static int server_finish(SSL *s) /* send the request and check the response */ static int request_certificate(SSL *s) { + const unsigned char *cp; unsigned char *p,*p2,*buf2; unsigned char *ccd; int i,j,ctype,ret= -1; @@ -1052,7 +1053,8 @@ static int request_certificate(SSL *s) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* CLIENT-CERTIFICATE */ p += 6; - x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen); + cp = p; + x509=(X509 *)d2i_X509(NULL,&cp,(long)s->s2->tmp.clen); if (x509 == NULL) { SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_X509_LIB); @@ -1092,7 +1094,7 @@ static int request_certificate(SSL *s) pkey=X509_get_pubkey(x509); if (pkey == NULL) goto end; - i=EVP_VerifyFinal(&ctx,p,s->s2->tmp.rlen,pkey); + i=EVP_VerifyFinal(&ctx,cp,s->s2->tmp.rlen,pkey); EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index cd70bb1fb..09f6c8d3a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -780,7 +780,8 @@ static int ssl3_get_server_certificate(SSL *s) int al,i,ok,ret= -1; unsigned long n,nc,llen,l; X509 *x=NULL; - unsigned char *p,*d,*q; + const unsigned char *q,*p; + unsigned char *d; STACK_OF(X509) *sk=NULL; SESS_CERT *sc; EVP_PKEY *pkey=NULL; @@ -807,7 +808,7 @@ static int ssl3_get_server_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_BAD_MESSAGE_TYPE); goto f_err; } - d=p=(unsigned char *)s->init_msg; + p=d=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { @@ -1408,7 +1409,8 @@ static int ssl3_get_certificate_request(SSL *s) unsigned long n,nc,l; unsigned int llen,ctype_num,i; X509_NAME *xn=NULL; - unsigned char *p,*d,*q; + const unsigned char *p,*q; + unsigned char *d; STACK_OF(X509_NAME) *ca_sk=NULL; n=ssl3_get_message(s, @@ -1447,7 +1449,7 @@ static int ssl3_get_certificate_request(SSL *s) } } - d=p=(unsigned char *)s->init_msg; + p=d=(unsigned char *)s->init_msg; if ((ca_sk=sk_X509_NAME_new(ca_dn_cmp)) == NULL) { diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index c426cd444..be92932bb 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2294,7 +2294,8 @@ static int ssl3_get_client_certificate(SSL *s) int i,ok,al,ret= -1; X509 *x=NULL; unsigned long l,nc,llen,n; - unsigned char *p,*d,*q; + const unsigned char *p,*q; + unsigned char *d; STACK_OF(X509) *sk=NULL; n=ssl3_get_message(s, @@ -2332,7 +2333,7 @@ static int ssl3_get_client_certificate(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_WRONG_MESSAGE_TYPE); goto f_err; } - d=p=(unsigned char *)s->init_msg; + p=d=(unsigned char *)s->init_msg; if ((sk=sk_X509_new_null()) == NULL) { diff --git a/ssl/ssl.h b/ssl/ssl.h index 1ceb10ab7..6a022bf03 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1233,9 +1233,9 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); #endif int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); -int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); +int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, const unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); -int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len); +int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); #ifndef OPENSSL_NO_STDIO int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type); @@ -1305,12 +1305,12 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,v #ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); #endif -int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); +int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); int SSL_CTX_use_PrivateKey_ASN1(int pk,SSL_CTX *ctx, - unsigned char *d, long len); + const unsigned char *d, long len); int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x); -int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d); +int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4adf5f5b1..c2e6ff8cf 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -544,7 +544,7 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p); int ssl2_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p); int ssl2_part_read(SSL *s, unsigned long f, int i); int ssl2_do_write(SSL *s); -int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data); +int ssl2_set_certificate(SSL *s, int type, int len, const unsigned char *data); void ssl2_return_error(SSL *s,int reason); void ssl2_write_error(SSL *s); int ssl2_num_ciphers(void); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 330390519..72511d248 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -131,7 +131,7 @@ end: } #endif -int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len) +int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) { X509 *x; int ret; @@ -382,10 +382,10 @@ end: } #endif -int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len) +int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; @@ -545,7 +545,7 @@ end: } #endif -int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d) +int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) { X509 *x; int ret; @@ -640,7 +640,7 @@ end: } #endif -int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len) +int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) { int ret; const unsigned char *p; @@ -717,11 +717,11 @@ end: } #endif -int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, +int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - unsigned char *p; + const unsigned char *p; EVP_PKEY *pkey; p=d; From 4e8172d6dafec18c4512267b80879de7f0a9fff9 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 16 Mar 2004 13:51:11 +0000 Subject: [PATCH 062/112] Avoid warnings. --- ssl/kssl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/kssl.c b/ssl/kssl.c index 7c45f8ff4..51378897f 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -953,7 +953,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata) printf("%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, adata); + printf("%s [%p]\n", label, (void *)adata); #if 0 { int i; @@ -1725,7 +1725,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx) return; } else - printf("%p\n", kssl_ctx); + printf("%p\n", (void *)kssl_ctx); printf("\tservice:\t%s\n", (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); From e042540f6bb0ebd8acf5c2ab0ccd1f14b5fc0f77 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Wed, 17 Mar 2004 17:36:54 +0000 Subject: [PATCH 063/112] Variety of belt-tightenings in the bignum code. (Please help test this!) - Remove some unnecessary "+1"-like fudges. Sizes should be handled exactly, as enlarging size parameters causes needless bloat and may just make bugs less likely rather than fixing them: bn_expand() macro, bn_expand_internal(), and BN_sqr(). - Deprecate bn_dup_expand() - it's new since 0.9.7, unused, and not that useful. - Remove unnecessary zeroing of unused bytes in bn_expand2(). - Rewrite BN_set_word() - it should be much simpler, the previous complexities probably date from old mismatched type issues. - Add missing bn_check_top() macros in bn_word.c - Improve some degenerate case handling in BN_[add|sub]_word(), add comments, and avoid a bignum expansion if an overflow isn't possible. --- crypto/bn/bn.h | 6 ++++-- crypto/bn/bn_lib.c | 28 ++++++++++++++++++++++------ crypto/bn/bn_sqr.c | 2 +- crypto/bn/bn_word.c | 30 +++++++++++++++++++++--------- 4 files changed, 48 insertions(+), 18 deletions(-) diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h index a01f193da..dac794b60 100644 --- a/crypto/bn/bn.h +++ b/crypto/bn/bn.h @@ -617,10 +617,12 @@ const BIGNUM *BN_get0_nist_prime_521(void); /* library internal functions */ #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ - (a):bn_expand2((a),(bits)/BN_BITS2+1)) + (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) BIGNUM *bn_expand2(BIGNUM *a, int words); -BIGNUM *bn_dup_expand(const BIGNUM *a, int words); +#ifndef OPENSSL_NO_DEPRECATED +BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ +#endif /* Bignum consistency macros * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 3f607cd53..0cc20d923 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -330,7 +330,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BNerr(BN_F_BN_EXPAND_INTERNAL,BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); return(NULL); } - a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*(words+1)); + a=A=(BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG)*words); if (A == NULL) { BNerr(BN_F_BN_EXPAND_INTERNAL,ERR_R_MALLOC_FAILURE); @@ -369,7 +369,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) } #else - memset(A,0,sizeof(BN_ULONG)*(words+1)); + memset(A,0,sizeof(BN_ULONG)*words); memcpy(A,b->d,sizeof(b->d[0])*b->top); #endif @@ -387,6 +387,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) * while bn_dup_expand() makes sure allocation is made only once. */ +#ifndef OPENSSL_NO_DEPRECATED BIGNUM *bn_dup_expand(const BIGNUM *b, int words) { BIGNUM *r = NULL; @@ -430,6 +431,7 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words) bn_check_top(r); return r; } +#endif /* This is an internal function that should not be used in applications. * It ensures that 'b' has enough room for a 'words' word number @@ -439,9 +441,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *b, int words) BIGNUM *bn_expand2(BIGNUM *b, int words) { - BN_ULONG *A; - int i; - bn_check_top(b); if (words > b->dmax) @@ -453,10 +452,13 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) b->dmax=words; } +/* None of this should be necessary because of what b->top means! */ +#if 0 /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */ if (b->top < b->dmax) { - A = &(b->d[b->top]); + int i; + BN_ULONG *A = &(b->d[b->top]); for (i=(b->dmax - b->top)>>3; i>0; i--,A+=8) { A[0]=0; A[1]=0; A[2]=0; A[3]=0; @@ -466,6 +468,7 @@ BIGNUM *bn_expand2(BIGNUM *b, int words) A[0]=0; assert(A == &(b->d[b->dmax])); } +#endif bn_check_top(b); return b; } @@ -632,6 +635,7 @@ BN_ULONG BN_get_word(const BIGNUM *a) return(ret); } +#if 0 /* a->d[0] is a BN_ULONG, w is a BN_ULONG, what's the big deal? */ int BN_set_word(BIGNUM *a, BN_ULONG w) { int i,n; @@ -660,6 +664,18 @@ int BN_set_word(BIGNUM *a, BN_ULONG w) bn_check_top(a); return(1); } +#else +int BN_set_word(BIGNUM *a, BN_ULONG w) + { + bn_check_top(a); + if (bn_expand(a,(int)sizeof(BN_ULONG)*8) == NULL) return(0); + a->neg = 0; + a->d[0] = w; + a->top = (w ? 1 : 0); + bn_check_top(a); + return(1); + } +#endif BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) { diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c index 8831daa39..3b4b3f0d3 100644 --- a/crypto/bn/bn_sqr.c +++ b/crypto/bn/bn_sqr.c @@ -86,7 +86,7 @@ int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) if (!rr || !tmp) goto err; max = 2 * al; /* Non-zero (from above) */ - if (bn_wexpand(rr,max+1) == NULL) goto err; + if (bn_wexpand(rr,max) == NULL) goto err; if (al == 4) { diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c index a24115015..7aa2a33d2 100644 --- a/crypto/bn/bn_word.c +++ b/crypto/bn/bn_word.c @@ -69,6 +69,7 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) #endif int i; + bn_check_top(a); w&=BN_MASK2; for (i=a->top-1; i>=0; i--) { @@ -88,6 +89,7 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) BN_ULONG ret = 0; int i; + bn_check_top(a); w &= BN_MASK2; if (!w) @@ -116,11 +118,14 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) BN_ULONG l; int i; + bn_check_top(a); w &= BN_MASK2; - if (!w) - return 1; - + /* degenerate case: w is zero */ + if (!w) return 1; + /* degenerate case: a is zero */ + if(BN_is_zero(a)) return BN_set_word(a, w); + /* handle 'a' when negative */ if (a->neg) { a->neg=0; @@ -129,14 +134,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=!(a->neg); return(i); } - if (bn_wexpand(a,a->top+1) == NULL) return(0); + /* Only expand (and risk failing) if it's possibly necessary */ + if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && + (bn_wexpand(a,a->top+1) == NULL)) + return(0); i=0; for (;;) { if (i >= a->top) l=w; else - l=(a->d[i]+(BN_ULONG)w)&BN_MASK2; + l=(a->d[i]+w)&BN_MASK2; a->d[i]=l; if (w > l) w=1; @@ -154,12 +162,15 @@ int BN_sub_word(BIGNUM *a, BN_ULONG w) { int i; + bn_check_top(a); w &= BN_MASK2; - if (!w) - return 1; - - if (BN_is_zero(a) || a->neg) + /* degenerate case: w is zero */ + if (!w) return 1; + /* degenerate case: a is zero */ + if(BN_is_zero(a)) return BN_set_word(a,w); + /* handle 'a' when negative */ + if (a->neg) { a->neg=0; i=BN_add_word(a,w); @@ -198,6 +209,7 @@ int BN_mul_word(BIGNUM *a, BN_ULONG w) { BN_ULONG ll; + bn_check_top(a); w&=BN_MASK2; if (a->top) { From 7f663ce430e19099eb3b4f42e9692028b405f90c Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Wed, 17 Mar 2004 18:30:47 +0000 Subject: [PATCH 064/112] Note my bignum hijinx in case app maintainers are using CHANGES for their porting efforts. Also, add Richard's name to the prior change. --- CHANGES | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index 6029cce5b..5677cb7b2 100644 --- a/CHANGES +++ b/CHANGES @@ -4,8 +4,15 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and + remained unused and not that useful. A variety of other little bignum + tweaks and fixes have also been made continuing on from the audit (see + below). + [Geoff Thorpe] + *) Constify all or almost all d2i, c2i, s2i and r2i functions, along with associated ASN1, EVP and SSL functions and old ASN1 macros. + [Richard Levitte] *) BN_zero() only needs to set 'top' and 'neg' to zero for correct results, and this should never fail. So the return value from the use of From 18a6333180f2e49393276972fc43449a6e17ed45 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 21 Mar 2004 22:36:27 +0000 Subject: [PATCH 065/112] Make sure fd is defined where it should. PR: 849 --- crypto/bio/bss_file.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index f36bec286..d4c058a1e 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -213,6 +213,8 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) b->shutdown=(int)num&BIO_CLOSE; b->ptr=(char *)ptr; b->init=1; + { + int fd = fileno((FILE*)ptr); #if defined(OPENSSL_SYS_WINDOWS) if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); @@ -222,12 +224,10 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) /* Under CLib there are differences in file modes */ if (num & BIO_FP_TEXT) - _setmode(fileno((FILE *)ptr),O_TEXT); + _setmode(fd,O_TEXT); else - _setmode(fileno((FILE *)ptr),O_BINARY); + _setmode(fd,O_BINARY); #elif defined(OPENSSL_SYS_MSDOS) - { - int fd = fileno((FILE*)ptr); /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); @@ -242,13 +242,13 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) else _setmode(fd,_O_BINARY); } - } #elif defined(OPENSSL_SYS_OS2) if (num & BIO_FP_TEXT) - setmode(fileno((FILE *)ptr), O_TEXT); + setmode(fd, O_TEXT); else - setmode(fileno((FILE *)ptr), O_BINARY); + setmode(fd, O_BINARY); #endif + } break; case BIO_C_SET_FILENAME: file_free(b); From ec5d8a54e9ea80599bf67a7c9349b49d430dde62 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 21 Mar 2004 22:39:52 +0000 Subject: [PATCH 066/112] Remove a warning for conversion double->long. This has impacts on Windows. PR: 849 --- crypto/bio/b_print.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 960a049bc..decefc227 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -641,9 +641,9 @@ fmtfp( multiplying by a factor of 10 */ fracpart = roundv((pow10(max)) * (ufvalue - intpart)); - if (fracpart >= pow10(max)) { + if (fracpart >= (long)pow10(max)) { intpart++; - fracpart -= pow10(max); + fracpart -= (long)pow10(max); } /* convert integer part */ From b8b0b5d8567c260bde005d7a0964c261f6be2752 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 21 Mar 2004 22:50:20 +0000 Subject: [PATCH 067/112] Change \t to real tab in echo argument. PR: 847 --- tools/c_issuer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/c_issuer b/tools/c_issuer index 4c691201b..55821ab74 100644 --- a/tools/c_issuer +++ b/tools/c_issuer @@ -6,5 +6,5 @@ for i in $* do n=`openssl x509 -issuer -noout -in $i` - echo "$i\t$n" + echo "$i $n" done From 9449e38504dea3e1500cd58f40c1b2b904ef843d Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 21 Mar 2004 23:03:52 +0000 Subject: [PATCH 068/112] Correct minor spelling error. PR: 845 --- doc/crypto/pem.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/crypto/pem.pod b/doc/crypto/pem.pod index 861311445..4f9a27df0 100644 --- a/doc/crypto/pem.pod +++ b/doc/crypto/pem.pod @@ -471,6 +471,6 @@ is guaranteed to work. =head1 RETURN CODES The read routines return either a pointer to the structure read or NULL -is an error occurred. +if an error occurred. The write routines return 1 for success or 0 for failure. From 4acc3e907d29d8d61ae7e11ad7985a986332a1c1 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 23 Mar 2004 14:14:35 +0000 Subject: [PATCH 069/112] Initial support for certificate policy checking and evaluation. This is currently *very* experimental and needs to be more fully integrated with the main verification code. --- CHANGES | 5 + crypto/asn1/x_x509.c | 3 + crypto/ossl_typ.h | 5 + crypto/stack/safestack.h | 63 ++++ crypto/x509/x509.h | 1 + crypto/x509/x509_vfy.h | 38 +++ crypto/x509v3/Makefile.ssl | 8 +- crypto/x509v3/pcy_cache.c | 286 ++++++++++++++++ crypto/x509v3/pcy_data.c | 123 +++++++ crypto/x509v3/pcy_int.h | 220 ++++++++++++ crypto/x509v3/pcy_lib.c | 165 +++++++++ crypto/x509v3/pcy_map.c | 186 ++++++++++ crypto/x509v3/pcy_node.c | 159 +++++++++ crypto/x509v3/pcy_tree.c | 681 +++++++++++++++++++++++++++++++++++++ crypto/x509v3/x509v3.h | 2 + 15 files changed, 1942 insertions(+), 3 deletions(-) create mode 100644 crypto/x509v3/pcy_cache.c create mode 100644 crypto/x509v3/pcy_data.c create mode 100644 crypto/x509v3/pcy_int.h create mode 100644 crypto/x509v3/pcy_lib.c create mode 100644 crypto/x509v3/pcy_map.c create mode 100644 crypto/x509v3/pcy_node.c create mode 100644 crypto/x509v3/pcy_tree.c diff --git a/CHANGES b/CHANGES index 5677cb7b2..aebf096f9 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,11 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Preliminary support for certificate policy evaluation and checking. This + is initially intended to pass the tests outlined in "Conformance Testing + of Relying Party Client Certificate Path Processing Logic" v1.07. + [Steve Henson] + *) bn_dup_expand() has been deprecated, it was introduced in 0.9.7 and remained unused and not that useful. A variety of other little bignum tweaks and fixes have also been made continuing on from the audit (see diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index f71ba267d..eff2290c2 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -79,6 +79,8 @@ ASN1_SEQUENCE(X509_CINF) = { IMPLEMENT_ASN1_FUNCTIONS(X509_CINF) /* X509 top level structure needs a bit of customisation */ +extern void policy_cache_free(X509_POLICY_CACHE *cache); + static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) { X509 *ret = (X509 *)*pval; @@ -106,6 +108,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) X509_CERT_AUX_free(ret->aux); ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); + policy_cache_free(ret->policy_cache); if (ret->name != NULL) OPENSSL_free(ret->name); break; diff --git a/crypto/ossl_typ.h b/crypto/ossl_typ.h index 46200a80b..2977b1082 100644 --- a/crypto/ossl_typ.h +++ b/crypto/ossl_typ.h @@ -119,6 +119,11 @@ typedef struct conf_st CONF; typedef struct engine_st ENGINE; +typedef struct X509_POLICY_NODE_st X509_POLICY_NODE; +typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL; +typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; +typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; + /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h index 3110e50a8..cd9e780e4 100644 --- a/crypto/stack/safestack.h +++ b/crypto/stack/safestack.h @@ -1359,6 +1359,69 @@ STACK_OF(type) \ #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st)) #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st)) +#define sk_X509_POLICY_DATA_new(st) SKM_sk_new(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_new_null() SKM_sk_new_null(X509_POLICY_DATA) +#define sk_X509_POLICY_DATA_free(st) SKM_sk_free(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_num(st) SKM_sk_num(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_value(st, i) SKM_sk_value(X509_POLICY_DATA, (st), (i)) +#define sk_X509_POLICY_DATA_set(st, i, val) SKM_sk_set(X509_POLICY_DATA, (st), (i), (val)) +#define sk_X509_POLICY_DATA_zero(st) SKM_sk_zero(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_push(st, val) SKM_sk_push(X509_POLICY_DATA, (st), (val)) +#define sk_X509_POLICY_DATA_unshift(st, val) SKM_sk_unshift(X509_POLICY_DATA, (st), (val)) +#define sk_X509_POLICY_DATA_find(st, val) SKM_sk_find(X509_POLICY_DATA, (st), (val)) +#define sk_X509_POLICY_DATA_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_DATA, (st), (val)) +#define sk_X509_POLICY_DATA_delete(st, i) SKM_sk_delete(X509_POLICY_DATA, (st), (i)) +#define sk_X509_POLICY_DATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_DATA, (st), (ptr)) +#define sk_X509_POLICY_DATA_insert(st, val, i) SKM_sk_insert(X509_POLICY_DATA, (st), (val), (i)) +#define sk_X509_POLICY_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_DATA, (st), (cmp)) +#define sk_X509_POLICY_DATA_dup(st) SKM_sk_dup(X509_POLICY_DATA, st) +#define sk_X509_POLICY_DATA_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_DATA, (st), (free_func)) +#define sk_X509_POLICY_DATA_shift(st) SKM_sk_shift(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_pop(st) SKM_sk_pop(X509_POLICY_DATA, (st)) +#define sk_X509_POLICY_DATA_sort(st) SKM_sk_sort(X509_POLICY_DATA, (st)) + +#define sk_X509_POLICY_NODE_new(st) SKM_sk_new(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_new_null() SKM_sk_new_null(X509_POLICY_NODE) +#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_num(st) SKM_sk_num(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_value(st, i) SKM_sk_value(X509_POLICY_NODE, (st), (i)) +#define sk_X509_POLICY_NODE_set(st, i, val) SKM_sk_set(X509_POLICY_NODE, (st), (i), (val)) +#define sk_X509_POLICY_NODE_zero(st) SKM_sk_zero(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_push(st, val) SKM_sk_push(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_unshift(st, val) SKM_sk_unshift(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_find(st, val) SKM_sk_find(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_delete(st, i) SKM_sk_delete(X509_POLICY_NODE, (st), (i)) +#define sk_X509_POLICY_NODE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_NODE, (st), (ptr)) +#define sk_X509_POLICY_NODE_insert(st, val, i) SKM_sk_insert(X509_POLICY_NODE, (st), (val), (i)) +#define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp)) +#define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st) +#define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func)) +#define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st)) + +#define sk_X509_POLICY_REF_new(st) SKM_sk_new(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_new_null() SKM_sk_new_null(X509_POLICY_REF) +#define sk_X509_POLICY_REF_free(st) SKM_sk_free(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_num(st) SKM_sk_num(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_value(st, i) SKM_sk_value(X509_POLICY_REF, (st), (i)) +#define sk_X509_POLICY_REF_set(st, i, val) SKM_sk_set(X509_POLICY_REF, (st), (i), (val)) +#define sk_X509_POLICY_REF_zero(st) SKM_sk_zero(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_push(st, val) SKM_sk_push(X509_POLICY_REF, (st), (val)) +#define sk_X509_POLICY_REF_unshift(st, val) SKM_sk_unshift(X509_POLICY_REF, (st), (val)) +#define sk_X509_POLICY_REF_find(st, val) SKM_sk_find(X509_POLICY_REF, (st), (val)) +#define sk_X509_POLICY_REF_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_REF, (st), (val)) +#define sk_X509_POLICY_REF_delete(st, i) SKM_sk_delete(X509_POLICY_REF, (st), (i)) +#define sk_X509_POLICY_REF_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_REF, (st), (ptr)) +#define sk_X509_POLICY_REF_insert(st, val, i) SKM_sk_insert(X509_POLICY_REF, (st), (val), (i)) +#define sk_X509_POLICY_REF_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_REF, (st), (cmp)) +#define sk_X509_POLICY_REF_dup(st) SKM_sk_dup(X509_POLICY_REF, st) +#define sk_X509_POLICY_REF_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_REF, (st), (free_func)) +#define sk_X509_POLICY_REF_shift(st) SKM_sk_shift(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_pop(st) SKM_sk_pop(X509_POLICY_REF, (st)) +#define sk_X509_POLICY_REF_sort(st) SKM_sk_sort(X509_POLICY_REF, (st)) + #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st)) #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE) #define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st)) diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index e7d2c5ba5..b73a69959 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -285,6 +285,7 @@ struct x509_st unsigned long ex_nscert; ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; + X509_POLICY_CACHE *policy_cache; #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 7e24ded81..6cf3d70ff 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -325,6 +325,14 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ #define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Disable workarounds for broken certificates */ #define X509_V_FLAG_X509_STRICT 0x20 +/* Enable policy checking */ +#define X509_V_FLAG_POLICY_CHECK 0x40 +/* Policy variable require-explicit-policy */ +#define X509_V_FLAG_EXPLICIT_POLICY 0x80 +/* Policy variable inhibit-policy-mapping */ +#define X509_V_FLAG_INHIBIT_ANY 0x100 +/* Policy variable inhibit-any-policy */ +#define X509_V_FLAG_INHIBIT_MAP 0x200 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); @@ -410,6 +418,36 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); +int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, + STACK_OF(X509) *certs, + STACK_OF(ASN1_OBJECT) *policy_oids, + unsigned int flags); + +void X509_policy_tree_free(X509_POLICY_TREE *tree); + +int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); +X509_POLICY_LEVEL * + X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i); + +STACK_OF(X509_POLICY_NODE) * + X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree); + +STACK_OF(X509_POLICY_NODE) * + X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree); + +int X509_policy_level_node_count(X509_POLICY_LEVEL *level); + +X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i); + +const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node); + +STACK_OF(POLICYQUALIFIER) * + X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node); +const X509_POLICY_NODE * + X509_policy_node_get0_parent(const X509_POLICY_NODE *node); + +void X509_policy_lib_init(void); + #ifdef __cplusplus } #endif diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index e29f366cb..ab1317326 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -26,16 +26,18 @@ LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ -v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c +v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c pcy_cache.c pcy_node.c \ +pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ -v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o +v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o pcy_cache.o pcy_node.o \ +pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o SRC= $(LIBSRC) EXHEADER= x509v3.h -HEADER= $(EXHEADER) +HEADER= $(EXHEADER) pcy_int.h ALL= $(GENERAL) $(SRC) $(HEADER) diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c new file mode 100644 index 000000000..23d930dd9 --- /dev/null +++ b/crypto/x509v3/pcy_cache.c @@ -0,0 +1,286 @@ +/* pcy_cache.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include "cryptlib.h" +#include +#include + +#include "pcy_int.h" + +static int policy_data_cmp(void *pa, void *pb); +static int policy_cache_set_int(long *out, ASN1_INTEGER *value); + +/* Set cache entry according to CertificatePolicies extension. + * Note: this destroys the passed CERTIFICATEPOLICIES structure. + */ + +static int policy_cache_create(X509 *x, + CERTIFICATEPOLICIES *policies, int crit) + { + int i; + int ret = 0; + X509_POLICY_CACHE *cache = x->policy_cache; + X509_POLICY_DATA *data = NULL; + POLICYINFO *policy; + if (sk_POLICYINFO_num(policies) == 0) + goto bad_policy; + cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); + if (!cache->data) + goto bad_policy; + for (i = 0; i < sk_POLICYINFO_num(policies); i++) + { + policy = sk_POLICYINFO_value(policies, i); + data = policy_data_new(policy, NULL, crit); + if (!data) + goto bad_policy; + /* Duplicate policy OIDs are illegal: reject if matches + * found. + */ + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) + { + if (cache->anyPolicy) + { + ret = -1; + goto bad_policy; + } + cache->anyPolicy = data; + } + else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) + { + ret = -1; + goto bad_policy; + } + else if (!sk_X509_POLICY_DATA_push(cache->data, data)) + goto bad_policy; + data = NULL; + } + ret = 1; + bad_policy: + if (ret == -1) + x->ex_flags |= EXFLAG_INVALID_POLICY; + if (data) + policy_data_free(data); + sk_POLICYINFO_pop_free(policies, POLICYINFO_free); + if (ret <= 0) + { + sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); + cache->data = NULL; + } + return ret; + } + + +static int policy_cache_new(X509 *x) + { + X509_POLICY_CACHE *cache; + ASN1_INTEGER *ext_any = NULL; + POLICY_CONSTRAINTS *ext_pcons = NULL; + CERTIFICATEPOLICIES *ext_cpols = NULL; + POLICY_MAPPINGS *ext_pmaps = NULL; + int i; + cache = OPENSSL_malloc(sizeof(X509_POLICY_CACHE)); + if (!cache) + return 0; + cache->anyPolicy = NULL; + cache->data = NULL; + cache->maps = NULL; + cache->any_skip = -1; + cache->explicit_skip = -1; + cache->map_skip = -1; + + x->policy_cache = cache; + + /* Handle requireExplicitPolicy *first*. Need to process this + * even if we don't have any policies. + */ + ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); + + if (!ext_pcons) + { + if (i != -1) + goto bad_cache; + } + else + { + if (!ext_pcons->requireExplicitPolicy + && !ext_pcons->inhibitPolicyMapping) + goto bad_cache; + if (!policy_cache_set_int(&cache->explicit_skip, + ext_pcons->requireExplicitPolicy)) + goto bad_cache; + if (!policy_cache_set_int(&cache->map_skip, + ext_pcons->inhibitPolicyMapping)) + goto bad_cache; + } + + /* Process CertificatePolicies */ + + ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL); + /* If no CertificatePolicies extension or problem decoding then + * there is no point continuing because the valid policies will be + * NULL. + */ + if (!ext_cpols) + { + /* If not absent some problem with extension */ + if (i != -1) + goto bad_cache; + return 1; + } + + i = policy_cache_create(x, ext_cpols, i); + + /* NB: ext_cpols freed by policy_cache_set_policies */ + + if (i <= 0) + return i; + + ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); + + if (!ext_pmaps) + { + /* If not absent some problem with extension */ + if (i != -1) + goto bad_cache; + } + else + { + i = policy_cache_set_mapping(x, ext_pmaps); + if (i <= 0) + goto bad_cache; + } + + ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); + + if (!ext_any) + { + if (i != -1) + goto bad_cache; + } + else if (!policy_cache_set_int(&cache->any_skip, ext_any)) + goto bad_cache; + + if (0) + { + bad_cache: + x->ex_flags |= EXFLAG_INVALID_POLICY; + } + + if(ext_pcons) + POLICY_CONSTRAINTS_free(ext_pcons); + + if (ext_any) + ASN1_INTEGER_free(ext_any); + + return 1; + + +} + +void policy_cache_free(X509_POLICY_CACHE *cache) + { + if (!cache) + return; + if (cache->anyPolicy) + policy_data_free(cache->anyPolicy); + if (cache->data) + sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); + OPENSSL_free(cache); + } + +const X509_POLICY_CACHE *policy_cache_set(X509 *x) + { + + if (x->policy_cache == NULL) + { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + policy_cache_new(x); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + + return x->policy_cache; + + } + +X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, + const ASN1_OBJECT *id) + { + int idx; + X509_POLICY_DATA tmp; + tmp.valid_policy = (ASN1_OBJECT *)id; + idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); + if (idx == -1) + return NULL; + return sk_X509_POLICY_DATA_value(cache->data, idx); + } + +static int policy_data_cmp(void *pa, void *pb) + { + X509_POLICY_DATA **a = pa; X509_POLICY_DATA **b = pb; + return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); + } + +static int policy_cache_set_int(long *out, ASN1_INTEGER *value) + { + if (value == NULL) + return 1; + if (value->type == V_ASN1_NEG_INTEGER) + return 0; + *out = ASN1_INTEGER_get(value); + return 1; + } diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c new file mode 100644 index 000000000..fae74cac9 --- /dev/null +++ b/crypto/x509v3/pcy_data.c @@ -0,0 +1,123 @@ +/* pcy_data.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include "cryptlib.h" +#include +#include + +#include "pcy_int.h" + +/* Policy Node routines */ + +void policy_data_free(X509_POLICY_DATA *data) + { + ASN1_OBJECT_free(data->valid_policy); + /* Don't free qualifiers if shared */ + if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) + sk_POLICYINFO_pop_free(data->qualifier_set, + POLICYQUALINFO_free); + sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); + OPENSSL_free(data); + } + +/* Create a data based on an existing policy. If 'id' is NULL use the + * oid in the policy, otherwise use 'id'. This behaviour covers the two + * types of data in RFC3280: data with from a CertificatePolcies extension + * and additional data with just the qualifiers of anyPolicy and ID from + * another source. + */ + +X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit) + { + X509_POLICY_DATA *ret; + if (!policy && !id) + return NULL; + ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); + if (!ret) + return NULL; + ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); + if (!ret->expected_policy_set) + { + OPENSSL_free(ret); + return NULL; + } + + if (crit) + ret->flags = POLICY_DATA_FLAG_CRITICAL; + else + ret->flags = 0; + + if (id) + ret->valid_policy = id; + else + { + ret->valid_policy = policy->policyid; + policy->policyid = NULL; + } + + if (policy) + { + ret->qualifier_set = policy->qualifiers; + policy->qualifiers = NULL; + } + else + ret->qualifier_set = NULL; + + return ret; + } + diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h new file mode 100644 index 000000000..65689880a --- /dev/null +++ b/crypto/x509v3/pcy_int.h @@ -0,0 +1,220 @@ +/* pcy_int.h */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +DECLARE_STACK_OF(X509_POLICY_DATA) +DECLARE_STACK_OF(X509_POLICY_REF) +DECLARE_STACK_OF(X509_POLICY_NODE) + +typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; +typedef struct X509_POLICY_REF_st X509_POLICY_REF; + +/* Internal structures */ + +/* This structure and the field names correspond to the Policy 'node' of + * RFC3280. NB this structure contains no pointers to parent or child + * data: X509_POLICY_NODE contains that. This means that the main policy data + * can be kept static and cached with the certificate. + */ + +struct X509_POLICY_DATA_st + { + unsigned int flags; + /* Policy OID and qualifiers for this data */ + ASN1_OBJECT *valid_policy; + STACK_OF(POLICYQUALIFIER) *qualifier_set; + STACK_OF(ASN1_OBJECT) *expected_policy_set; + }; + +/* X509_POLICY_DATA flags values */ + +/* This flag indicates the structure has been mapped using a policy mapping + * extension. If policy mapping is not active its references get deleted. + */ + +#define POLICY_DATA_FLAG_MAPPED 0x1 + +/* This flag indicates the data doesn't correspond to a policy in Certificate + * Policies: it has been mapped to any policy. + */ + +#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 + +/* AND with flags to see if any mapping has occurred */ + +#define POLICY_DATA_FLAG_MAP_MASK 0x3 + +/* qualifiers are shared and shouldn't be freed */ + +#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 + +/* Parent node is an extra node and should be freed */ + +#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 + +/* Corresponding CertificatePolicies is critical */ + +#define POLICY_DATA_FLAG_CRITICAL 0x10 + +/* This structure is an entry from a table of mapped policies which + * cross reference the policy it refers to. + */ + +struct X509_POLICY_REF_st + { + ASN1_OBJECT *subjectDomainPolicy; + const X509_POLICY_DATA *data; + }; + +/* This structure is cached with a certificate */ + +struct X509_POLICY_CACHE_st { + /* anyPolicy data or NULL if no anyPolicy */ + X509_POLICY_DATA *anyPolicy; + /* other policy data */ + STACK_OF(X509_POLICY_DATA) *data; + /* If policyMappings extension present a table of mapped policies */ + STACK_OF(POLICY_REF) *maps; + /* If InhibitAnyPolicy present this is its value or -1 if absent. */ + long any_skip; + /* If policyConstraints and requireExplicitPolicy present this is its + * value or -1 if absent. + */ + long explicit_skip; + /* If policyConstraints and policyMapping present this is its + * value or -1 if absent. + */ + long map_skip; + }; + +/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/ + +/* This structure represents the relationship between nodes */ + +struct X509_POLICY_NODE_st + { + /* node data this refers to */ + const X509_POLICY_DATA *data; + /* Parent node */ + X509_POLICY_NODE *parent; + /* Number of child nodes */ + int nchild; + }; + +struct X509_POLICY_LEVEL_st + { + /* Cert for this level */ + X509 *cert; + /* nodes at this level */ + STACK_OF(X509_POLICY_NODE) *nodes; + /* anyPolicy node */ + X509_POLICY_NODE *anyPolicy; + /* Extra data */ + /*STACK_OF(X509_POLICY_DATA) *extra_data;*/ + unsigned int flags; + }; + +struct X509_POLICY_TREE_st + { + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; + /* Extra policy data when additional nodes (not from the certificate) + * are required. + */ + STACK_OF(X509_POLICY_DATA) *extra_data; + /* This is the authority constained policy set */ + STACK_OF(X509_POLICY_NODE) *auth_policies; + STACK_OF(X509_POLICY_NODE) *user_policies; + unsigned int flags; + }; + +/* Set if anyPolicy present in user policies */ +#define POLICY_FLAG_ANY_POLICY 0x2 + +/* Useful macros */ + +#define node_critical(node) ((node)->data->flags & POLICY_DATA_FLAG_CRITICAL) + +/* Internal functions */ + +X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, + int crit); +void policy_data_free(X509_POLICY_DATA *data); + +X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, + const ASN1_OBJECT *id); +int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); + + +STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); + +void policy_cache_init(void); + +X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_TREE) *sk, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + const X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, + X509_POLICY_TREE *tree); +void policy_node_free(X509_POLICY_NODE *node); + +const X509_POLICY_CACHE *policy_cache_set(X509 *x); diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c new file mode 100644 index 000000000..b56739e67 --- /dev/null +++ b/crypto/x509v3/pcy_lib.c @@ -0,0 +1,165 @@ +/* pcy_lib.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + +#include "cryptlib.h" +#include +#include + +#include "pcy_int.h" + +/* accessor functions */ + +/* X509_POLICY_TREE stuff */ + +int X509_policy_tree_level_count(const X509_POLICY_TREE *tree) + { + if (!tree) + return 0; + return tree->nlevel; + } + +X509_POLICY_LEVEL * + X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i) + { + if (!tree || (i < 0) || (i >= tree->nlevel)) + return NULL; + return tree->levels + i; + } + +STACK_OF(X509_POLICY_NODE) * + X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree) + { + if (!tree) + return NULL; + return tree->auth_policies; + } + +STACK_OF(X509_POLICY_NODE) * + X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree) + { + if (!tree) + return NULL; + if (tree->flags & POLICY_FLAG_ANY_POLICY) + return tree->auth_policies; + else + return tree->user_policies; + } + +/* X509_POLICY_LEVEL stuff */ + +int X509_policy_level_node_count(X509_POLICY_LEVEL *level) + { + int n; + if (!level) + return 0; + if (level->anyPolicy) + n = 1; + else + n = 0; + if (level->nodes) + n += sk_X509_POLICY_NODE_num(level->nodes); + return n; + } + +X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i) + { + if (!level) + return NULL; + if (level->anyPolicy) + { + if (i == 0) + return level->anyPolicy; + i--; + } + return sk_X509_POLICY_NODE_value(level->nodes, i); + } + +/* X509_POLICY_NODE stuff */ + +const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) + { + if (!node) + return NULL; + return node->data->valid_policy; + } + +int X509_policy_node_get_critical(const X509_POLICY_NODE *node) + { + if (node_critical(node)) + return 1; + return 0; + } + +STACK_OF(POLICYQUALIFIER) * + X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) + { + if (!node) + return NULL; + return node->data->qualifier_set; + } + +const X509_POLICY_NODE * + X509_policy_node_get0_parent(const X509_POLICY_NODE *node) + { + if (!node) + return NULL; + return node->parent; + } + + diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c new file mode 100644 index 000000000..fe934e27b --- /dev/null +++ b/crypto/x509v3/pcy_map.c @@ -0,0 +1,186 @@ +/* pcy_map.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include "cryptlib.h" +#include +#include + +#include "pcy_int.h" + +static int ref_cmp(void *pa, void *pb) + { + X509_POLICY_REF **a = pa; X509_POLICY_REF **b = pb; + return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); + } + +static void policy_map_free(X509_POLICY_REF *map) + { + if (map->subjectDomainPolicy) + ASN1_OBJECT_free(map->subjectDomainPolicy); + OPENSSL_free(map); + } + +X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id) + { + X509_POLICY_REF tmp; + int idx; + tmp.subjectDomainPolicy = id; + + idx = sk_X509_POLICY_REF_find(cache->maps, &tmp); + if (idx == -1) + return NULL; + return sk_X509_POLICY_REF_value(cache->maps, idx); + } + +/* Set policy mapping entries in cache. + * Note: this modifies the passed POLICY_MAPPINGS structure + */ + +int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) + { + POLICY_MAPPING *map; + X509_POLICY_REF *ref = NULL; + X509_POLICY_DATA *data; + X509_POLICY_CACHE *cache = x->policy_cache; + int i; + int ret = 0; + if (sk_POLICY_MAPPING_num(maps) == 0) + { + ret = -1; + goto bad_mapping; + } + cache->maps = sk_X509_POLICY_REF_new(ref_cmp); + for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) + { + map = sk_POLICY_MAPPING_value(maps, i); + /* Reject if map to or from anyPolicy */ + if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) + || (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) + { + ret = -1; + goto bad_mapping; + } + + /* If we've already mapped from this OID bad mapping */ + if (policy_map_find(cache, map->subjectDomainPolicy) != NULL) + { + ret = -1; + goto bad_mapping; + } + + /* Attempt to find matching policy data */ + data = policy_cache_find_data(cache, map->issuerDomainPolicy); + /* If we don't have anyPolicy can't map */ + if (!data && !cache->anyPolicy) + continue; + + /* Create a NODE from anyPolicy */ + if (!data) + { + data = policy_data_new(NULL, map->issuerDomainPolicy, + cache->anyPolicy->flags + & POLICY_DATA_FLAG_CRITICAL); + if (!data) + goto bad_mapping; + data->qualifier_set = cache->anyPolicy->qualifier_set; + map->issuerDomainPolicy = NULL; + data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; + if (!sk_X509_POLICY_DATA_push(cache->data, data)) + { + policy_data_free(data); + goto bad_mapping; + } + } + else + data->flags |= POLICY_DATA_FLAG_MAPPED; + + if (!sk_ASN1_OBJECT_push(data->expected_policy_set, + map->subjectDomainPolicy)) + goto bad_mapping; + + ref = OPENSSL_malloc(sizeof(X509_POLICY_REF)); + if (!ref) + goto bad_mapping; + + ref->subjectDomainPolicy = map->subjectDomainPolicy; + map->subjectDomainPolicy = NULL; + ref->data = data; + + if (!sk_X509_POLICY_REF_push(cache->maps, ref)) + goto bad_mapping; + + ref = NULL; + + } + + ret = 1; + bad_mapping: + if (ret == -1) + x->ex_flags |= EXFLAG_INVALID_POLICY; + if (ref) + policy_map_free(ref); + if (ret <= 0) + { + sk_X509_POLICY_REF_pop_free(cache->maps, policy_map_free); + cache->maps = NULL; + } + sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); + return ret; + + } diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c new file mode 100644 index 000000000..3d6bd34cc --- /dev/null +++ b/crypto/x509v3/pcy_node.c @@ -0,0 +1,159 @@ +/* pcy_node.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include +#include +#include + +#include "pcy_int.h" + +static int node_cmp(void *pa, void *pb) + { + X509_POLICY_NODE **a = pa, **b = pb; + return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); + } + +STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void) + { + return sk_X509_POLICY_NODE_new(node_cmp); + } + +X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, + const ASN1_OBJECT *id) + { + X509_POLICY_DATA n; + X509_POLICY_NODE l; + int idx; + + n.valid_policy = (ASN1_OBJECT *)id; + l.data = &n; + + idx = sk_X509_POLICY_NODE_find(nodes, &l); + if (idx == -1) + return NULL; + + return sk_X509_POLICY_NODE_value(nodes, idx); + + } + +X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + const ASN1_OBJECT *id) + { + return tree_find_sk(level->nodes, id); + } + +X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + const X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, + X509_POLICY_TREE *tree) + { + X509_POLICY_NODE *node; + node = OPENSSL_malloc(sizeof(X509_POLICY_NODE)); + if (!node) + return NULL; + node->data = data; + node->parent = parent; + node->nchild = 0; + if (level) + { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) + { + if (level->anyPolicy) + goto node_error; + level->anyPolicy = node; + } + else + { + + if (!level->nodes) + level->nodes = policy_node_cmp_new(); + if (!level->nodes) + goto node_error; + if (!sk_X509_POLICY_NODE_push(level->nodes, node)) + goto node_error; + } + } + + if (tree) + { + if (!tree->extra_data) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (!tree->extra_data) + goto node_error; + if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) + goto node_error; + } + + if (parent) + parent->nchild++; + + return node; + + node_error: + policy_node_free(node); + return 0; + + } + +void policy_node_free(X509_POLICY_NODE *node) + { + OPENSSL_free(node); + } + + diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c new file mode 100644 index 000000000..16cacde0c --- /dev/null +++ b/crypto/x509v3/pcy_tree.c @@ -0,0 +1,681 @@ +/* pcy_tree.c */ +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include "cryptlib.h" +#include +#include + +#include "pcy_int.h" + +/* Initialize policy tree. Return values: + * 0 Some internal error occured. + * -1 Inconsistent or invalid extensions in certificates. + * 1 Tree initialized OK. + * 2 Policy tree is empty. + * 5 Tree OK and requireExplicitPolicy true. + * 6 Tree empty and requireExplicitPolicy true. + */ + +static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + unsigned int flags) + { + X509_POLICY_TREE *tree; + X509_POLICY_LEVEL *level; + const X509_POLICY_CACHE *cache; + X509_POLICY_DATA *data = NULL; + X509 *x; + int ret = 1; + int i, n; + *ptree = NULL; + n = sk_X509_num(certs); + int explicit_policy; + int any_skip; + int map_skip; + + /* Disable policy mapping for now... */ + flags |= X509_V_FLAG_INHIBIT_MAP; + + if (flags & X509_V_FLAG_EXPLICIT_POLICY) + explicit_policy = 0; + else + explicit_policy = n + 1; + + if (flags & X509_V_FLAG_INHIBIT_ANY) + any_skip = 0; + else + any_skip = n + 1; + + if (flags & X509_V_FLAG_INHIBIT_MAP) + map_skip = 0; + else + map_skip = n + 1; + + /* Can't do anything with just a trust anchor */ + if (n == 1) + return 1; + /* First setup policy cache in all certificates apart from the + * trust anchor. Note any bad cache results on the way. Also can + * calculate explicit_policy value at this point. + */ + for (i = n - 2; i >= 0; i--) + { + x = sk_X509_value(certs, i); + X509_check_purpose(x, -1, -1); + cache = policy_cache_set(x); + /* If cache NULL something bad happened: return immediately */ + if (cache == NULL) + return 0; + /* If inconsistent extensions keep a note of it but continue */ + if (x->ex_flags & EXFLAG_INVALID_POLICY) + ret = -1; + /* Otherwise if we have no data (hence no CertificatePolicies) + * and haven't already set an inconsistent code note it. + */ + else if ((ret == 1) && !cache->data) + ret = 2; + if (explicit_policy > 0) + { + explicit_policy--; + if (!(x->ex_flags & EXFLAG_SS) + && (cache->explicit_skip != -1) + && (cache->explicit_skip < explicit_policy)) + explicit_policy = cache->explicit_skip; + } + } + + if (ret != 1) + { + if (ret == 2 && !explicit_policy) + return 6; + return ret; + } + + + /* If we get this far initialize the tree */ + + tree = OPENSSL_malloc(sizeof(X509_POLICY_TREE)); + + if (!tree) + return 0; + + tree->flags = 0; + tree->levels = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL) * n); + tree->nlevel = 0; + tree->extra_data = NULL; + tree->auth_policies = NULL; + tree->user_policies = NULL; + + if (!tree) + { + OPENSSL_free(tree); + return 0; + } + + memset(tree->levels, 0, n * sizeof(X509_POLICY_LEVEL)); + + tree->nlevel = n; + + level = tree->levels; + + /* Root data: initialize to anyPolicy */ + + data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0); + + if (!data || !level_add_node(level, data, NULL, tree)) + goto bad_tree; + + for (i = n - 2; i >= 0; i--) + { + level++; + x = sk_X509_value(certs, i); + cache = policy_cache_set(x); + + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + level->cert = x; + + if (!cache->anyPolicy) + level->flags |= X509_V_FLAG_INHIBIT_ANY; + + /* Determine inhibit any and inhibit map flags */ + if (any_skip == 0) + { + /* Any matching allowed if certificate is self + * issued and not the last in the chain. + */ + if (!(x->ex_flags && EXFLAG_SS) || (i == 0)) + level->flags |= X509_V_FLAG_INHIBIT_ANY; + } + else + { + any_skip--; + if ((cache->any_skip > 0) + && (cache->any_skip < any_skip)) + any_skip = cache->any_skip; + } + + if (map_skip == 0) + level->flags |= X509_V_FLAG_INHIBIT_MAP; + else + { + map_skip--; + if ((cache->map_skip > 0) + && (cache->map_skip < map_skip)) + map_skip = cache->map_skip; + } + + + } + + *ptree = tree; + + if (explicit_policy) + return 1; + else + return 5; + + bad_tree: + + X509_policy_tree_free(tree); + + return 0; + + } + +/* This corresponds to RFC3280 XXXX XXXXX: + * link any data from CertificatePolicies onto matching parent + * or anyPolicy if no match. + */ + +static int tree_link_nodes(X509_POLICY_LEVEL *curr, + const X509_POLICY_CACHE *cache) + { + int i; + X509_POLICY_LEVEL *last; + X509_POLICY_DATA *data; + X509_POLICY_NODE *parent; + last = curr - 1; + for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) + { + data = sk_X509_POLICY_DATA_value(cache->data, i); + /* If a node is mapped any it doesn't have a corresponding + * CertificatePolicies entry. + * However such an identical node would be created + * if anyPolicy matching is enabled because there would be + * no match with the parent valid_policy_set. So we create + * link because then it will have the mapping flags + * right and we can prune it later. + */ + if ((data->flags & POLICY_DATA_FLAG_MAPPED_ANY) + && !(curr->flags & X509_V_FLAG_INHIBIT_ANY)) + continue; + /* Look for matching node in parent */ + parent = level_find_node(last, data->valid_policy); + /* If no match link to anyPolicy */ + if (!parent) + parent = last->anyPolicy; + if (parent && !level_add_node(curr, data, parent, NULL)) + return 0; + } + return 1; + } + +/* This corresponds to RFC3280 XXXX XXXXX: + * Create new data for any unmatched policies in the parent and link + * to anyPolicy. + */ + +static int tree_link_any(X509_POLICY_LEVEL *curr, + const X509_POLICY_CACHE *cache, + X509_POLICY_TREE *tree) + { + int i; + X509_POLICY_DATA *data; + X509_POLICY_NODE *node; + X509_POLICY_LEVEL *last; + + last = curr - 1; + + for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) + { + node = sk_X509_POLICY_NODE_value(last->nodes, i); + + /* Skip any node with any children: we only want unmathced + * nodes. + * + * Note: need something better for policy mapping + * because each node may have multiple children + */ + if (node->nchild) + continue; + /* Create a new node with qualifiers from anyPolicy and + * id from unmatched node. + */ + data = policy_data_new(NULL, node->data->valid_policy, + node_critical(node)); + + if (data == NULL) + return 0; + data->qualifier_set = curr->anyPolicy->data->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; + if (!level_add_node(curr, data, node, tree)) + { + policy_data_free(data); + return 0; + } + } + /* Finally add link to anyPolicy */ + if (last->anyPolicy) + { + if (!level_add_node(curr, cache->anyPolicy, + last->anyPolicy, NULL)) + return 0; + } + return 1; + } + +/* Prune the tree: delete any child mapped child data on the current level + * then proceed up the tree deleting any data with no children. If we ever + * have no data on a level we can halt because the tree will be empty. + */ + +static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) + { + X509_POLICY_NODE *node; + int i; + for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--) + { + node = sk_X509_POLICY_NODE_value(curr->nodes, i); + /* Delete any mapped data: see RFC3280 XXXX */ + if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) + { + node->parent->nchild--; + OPENSSL_free(node); + sk_X509_POLICY_NODE_delete(curr->nodes, i); + } + } + + for(;;) { + --curr; + for (i = sk_X509_POLICY_NODE_num(curr->nodes) - 1; i >= 0; i--) + { + node = sk_X509_POLICY_NODE_value(curr->nodes, i); + if (node->nchild == 0) + { + node->parent->nchild--; + OPENSSL_free(node); + sk_X509_POLICY_NODE_delete(curr->nodes, i); + } + } + if (curr->anyPolicy && !curr->anyPolicy->nchild) + { + if (curr->anyPolicy->parent) + curr->anyPolicy->parent->nchild--; + OPENSSL_free(curr->anyPolicy); + curr->anyPolicy = NULL; + } + if (curr == tree->levels) + { + /* If we zapped anyPolicy at top then tree is empty */ + if (!curr->anyPolicy) + return 2; + return 1; + } + } + + return 1; + + } + +static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, + X509_POLICY_NODE *pcy) + { + if (!*pnodes) + { + *pnodes = policy_node_cmp_new(); + if (!*pnodes) + return 0; + } + else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1) + return 1; + + if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) + return 0; + + return 1; + + } + +/* Calculate the authority set based on policy tree. + * The 'pnodes' parameter is used as a store for the set of policy nodes + * used to calculate the user set. If the authority set is not anyPolicy + * then pnodes will just point to the authority set. If however the authority + * set is anyPolicy then the set of valid policies (other than anyPolicy) + * is store in pnodes. The return value of '2' is used in this case to indicate + * that pnodes should be freed. + */ + +static int tree_calculate_authority_set(X509_POLICY_TREE *tree, + STACK_OF(X509_POLICY_NODES) **pnodes) + { + X509_POLICY_LEVEL *curr; + X509_POLICY_NODE *node, *anyptr; + STACK_OF(X509_POLICY_NODES) **addnodes; + int i, j; + curr = tree->levels + tree->nlevel - 1; + + /* If last level contains anyPolicy set is anyPolicy */ + if (curr->anyPolicy) + { + if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) + return 0; + addnodes = pnodes; + } + else + /* Add policies to authority set */ + addnodes = &tree->auth_policies; + + curr = tree->levels; + for (i = 1; i < tree->nlevel; i++) + { + /* If no anyPolicy node on this this level it can't + * appear on lower levels so end search. + */ + if (!(anyptr = curr->anyPolicy)) + break; + curr++; + for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) + { + node = sk_X509_POLICY_NODE_value(curr->nodes, j); + if ((node->parent == anyptr) + && !tree_add_auth_node(addnodes, node)) + return 0; + } + } + + if (addnodes == pnodes) + return 2; + + *pnodes = tree->auth_policies; + + return 1; + } + +static int tree_calculate_user_set(X509_POLICY_TREE *tree, + STACK_OF(ASN1_OBJECT) *policy_oids, + STACK_OF(X509_POLICY_NODE) *auth_nodes) + { + int i; + X509_POLICY_NODE *node; + ASN1_OBJECT *oid; + + X509_POLICY_NODE *anyPolicy; + X509_POLICY_DATA *extra; + + /* Check if anyPolicy present in authority constrained policy set: + * this will happen if it is a leaf node. + */ + + if (sk_ASN1_OBJECT_num(policy_oids) <= 0) + return 1; + + anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy; + + for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) + { + oid = sk_ASN1_OBJECT_value(policy_oids, i); + if (OBJ_obj2nid(oid) == NID_any_policy) + { + tree->flags |= POLICY_FLAG_ANY_POLICY; + return 1; + } + } + + for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) + { + oid = sk_ASN1_OBJECT_value(policy_oids, i); + node = tree_find_sk(auth_nodes, oid); + if (!node) + { + if (!anyPolicy) + continue; + /* Create a new node with policy ID from user set + * and qualifiers from anyPolicy. + */ + extra = policy_data_new(NULL, oid, + node_critical(anyPolicy)); + if (!extra) + return 0; + extra->qualifier_set = anyPolicy->data->qualifier_set; + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = level_add_node(NULL, extra, anyPolicy->parent, + tree); + } + if (!tree->user_policies) + { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); + if (!tree->user_policies) + return 1; + } + if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) + return 0; + } + return 1; + + } + +static int tree_evaluate(X509_POLICY_TREE *tree) + { + int ret, i; + X509_POLICY_LEVEL *curr = tree->levels + 1; + const X509_POLICY_CACHE *cache; + + for(i = 1; i < tree->nlevel; i++, curr++) + { + cache = policy_cache_set(curr->cert); + if (!tree_link_nodes(curr, cache)) + return 0; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) + && !tree_link_any(curr, cache, tree)) + return 0; + ret = tree_prune(tree, curr); + if (ret != 1) + return ret; + } + + return 1; + + } + +static void exnode_free(X509_POLICY_NODE *node) + { + if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) + OPENSSL_free(node); + } + + +void X509_policy_tree_free(X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *curr; + int i; + + if (!tree) + return; + + sk_X509_POLICY_NODE_free(tree->auth_policies); + sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); + + for(i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) + { + if (curr->cert) + X509_free(curr->cert); + if (curr->nodes) + sk_X509_POLICY_NODE_pop_free(curr->nodes, + policy_node_free); + if (curr->anyPolicy) + policy_node_free(curr->anyPolicy); + } + + if (tree->extra_data) + sk_X509_POLICY_DATA_pop_free(tree->extra_data, + policy_data_free); + + OPENSSL_free(tree->levels); + OPENSSL_free(tree); + + } + +/* Application policy checking function. + * Return codes: + * 0 Internal Error. + * 1 Successful. + * -1 One or more certificates contain invalid or inconsistent extensions + * -2 User constrained policy set empty and requireExplicit true. + */ + +int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, + STACK_OF(X509) *certs, + STACK_OF(ASN1_OBJECT) *policy_oids, + unsigned int flags) + { + int ret; + X509_POLICY_TREE *tree = NULL; + STACK_OF(X509_NODE) *nodes, *auth_nodes = NULL; + *ptree = NULL; + + *explicit = 0; + ret = tree_init(&tree, certs, flags); + + + switch (ret) + { + + /* Tree empty requireExplicit False: OK */ + case 2: + return 1; + + /* Some internal error */ + case 0: + return 0; + + /* Tree empty requireExplicit True: Error */ + + case 6: + *explicit = 1; + return -2; + + /* Tree OK requireExplicit True: OK and continue */ + case 5: + *explicit = 1; + break; + + /* Tree OK: continue */ + + case 1: + break; + } + + ret = tree_evaluate(tree); + + if (ret <= 0) + goto error; + + /* Return value 2 means tree empty */ + if (ret == 2) + { + X509_policy_tree_free(tree); + if (*explicit) + return -2; + else + return 1; + } + + /* Tree is not empty: continue */ + + ret = tree_calculate_authority_set(tree, &auth_nodes); + + if (!ret) + goto error; + + if (!tree_calculate_user_set(tree, policy_oids, auth_nodes)) + goto error; + + if (ret == 2) + sk_X509_POLICY_NODE_free(auth_nodes); + + if (tree) + *ptree = tree; + + if (*explicit) + { + nodes = X509_policy_tree_get0_user_policies(tree); + if (sk_X509_POLICY_NODE_num(nodes) <= 0) + return -2; + } + + return 1; + + error: + + X509_policy_tree_free(tree); + + return 0; + + } + diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index ec4df61bb..d3c06f581 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -352,6 +352,8 @@ typedef struct POLICY_CONSTRAINTS_st { #define EXFLAG_SET 0x100 #define EXFLAG_CRITICAL 0x200 +#define EXFLAG_INVALID_POLICY 0x400 + #define KU_DIGITAL_SIGNATURE 0x0080 #define KU_NON_REPUDIATION 0x0040 #define KU_KEY_ENCIPHERMENT 0x0020 From d7eed1929bada81819260dec0720a289c07b1749 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 23 Mar 2004 14:50:16 +0000 Subject: [PATCH 070/112] Sync the VMS build with Unix. --- crypto/crypto-lib.com | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com index 5f7c83fe5..190c34aea 100644 --- a/crypto/crypto-lib.com +++ b/crypto/crypto-lib.com @@ -254,7 +254,8 @@ $ LIB_X509 = "x509_def,x509_d2,x509_r2x,x509_cmp,"+ - $ LIB_X509V3 = "v3_bcons,v3_bitst,v3_conf,v3_extku,v3_ia5,v3_lib,"+ - "v3_prn,v3_utl,v3err,v3_genn,v3_alt,v3_skey,v3_akey,v3_pku,"+ - "v3_int,v3_enum,v3_sxnet,v3_cpols,v3_crld,v3_purp,v3_info,"+ - - "v3_ocsp,v3_akeya,v3_pmaps,v3_pcons,v3_ncons" + "v3_ocsp,v3_akeya,v3_pmaps,v3_pcons,v3_ncons,pcy_cache,pcy_node,"+ - + "pcy_data,pcy_map,pcy_tree,pcy_lib" $ LIB_CONF = "conf_err,conf_lib,conf_api,conf_def,conf_mod,conf_mall,conf_sap" $ LIB_TXT_DB = "txt_db" $ LIB_PKCS7 = "pk7_asn1,pk7_lib,pkcs7err,pk7_doit,pk7_smime,pk7_attr,"+ - From e725a9660b424968e6efa5e943975b3b97398bab Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 23 Mar 2004 15:06:33 +0000 Subject: [PATCH 071/112] make update --- TABLE | 8 ++-- crypto/x509v3/Makefile.ssl | 95 ++++++++++++++++++++++++++++++++++++++ util/libeay.num | 19 +++++++- 3 files changed, 117 insertions(+), 5 deletions(-) diff --git a/TABLE b/TABLE index 1b67cc2aa..429e627b9 100644 --- a/TABLE +++ b/TABLE @@ -2870,7 +2870,7 @@ $rc5_obj = $dso_scheme = dlfcn $shared_target= irix-shared $shared_cflag = -$shared_ldflag = +$shared_ldflag = -n32 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -2895,7 +2895,7 @@ $rc5_obj = $dso_scheme = dlfcn $shared_target= irix-shared $shared_cflag = -$shared_ldflag = +$shared_ldflag = -mabi=n32 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -2920,7 +2920,7 @@ $rc5_obj = $dso_scheme = dlfcn $shared_target= irix-shared $shared_cflag = -$shared_ldflag = +$shared_ldflag = -64 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = @@ -2945,7 +2945,7 @@ $rc5_obj = $dso_scheme = dlfcn $shared_target= irix-shared $shared_cflag = -$shared_ldflag = +$shared_ldflag = -mabi=64 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = $arflags = diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index ab1317326..7e9685741 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -87,6 +87,101 @@ clean: # DO NOT DELETE THIS LINE -- make depend depends on it. +pcy_cache.o: ../../e_os.h ../../include/openssl/asn1.h +pcy_cache.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +pcy_cache.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +pcy_cache.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +pcy_cache.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +pcy_cache.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +pcy_cache.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +pcy_cache.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_cache.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_cache.o: ../../include/openssl/opensslconf.h +pcy_cache.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +pcy_cache.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +pcy_cache.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +pcy_cache.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +pcy_cache.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +pcy_cache.o: ../../include/openssl/x509v3.h ../cryptlib.h pcy_cache.c pcy_int.h +pcy_data.o: ../../e_os.h ../../include/openssl/asn1.h +pcy_data.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +pcy_data.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +pcy_data.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +pcy_data.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +pcy_data.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +pcy_data.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +pcy_data.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_data.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_data.o: ../../include/openssl/opensslconf.h +pcy_data.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +pcy_data.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +pcy_data.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +pcy_data.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +pcy_data.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +pcy_data.o: ../../include/openssl/x509v3.h ../cryptlib.h pcy_data.c pcy_int.h +pcy_lib.o: ../../e_os.h ../../include/openssl/asn1.h +pcy_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +pcy_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +pcy_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +pcy_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +pcy_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +pcy_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +pcy_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +pcy_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +pcy_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +pcy_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +pcy_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h +pcy_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +pcy_lib.o: ../cryptlib.h pcy_int.h pcy_lib.c +pcy_map.o: ../../e_os.h ../../include/openssl/asn1.h +pcy_map.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +pcy_map.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +pcy_map.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +pcy_map.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +pcy_map.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +pcy_map.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +pcy_map.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_map.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_map.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +pcy_map.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +pcy_map.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +pcy_map.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +pcy_map.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h +pcy_map.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h +pcy_map.o: ../cryptlib.h pcy_int.h pcy_map.c +pcy_node.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +pcy_node.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h +pcy_node.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +pcy_node.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +pcy_node.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +pcy_node.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +pcy_node.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_node.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_node.o: ../../include/openssl/opensslconf.h +pcy_node.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +pcy_node.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +pcy_node.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +pcy_node.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +pcy_node.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +pcy_node.o: ../../include/openssl/x509v3.h pcy_int.h pcy_node.c +pcy_tree.o: ../../e_os.h ../../include/openssl/asn1.h +pcy_tree.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +pcy_tree.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +pcy_tree.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +pcy_tree.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +pcy_tree.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +pcy_tree.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +pcy_tree.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +pcy_tree.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +pcy_tree.o: ../../include/openssl/opensslconf.h +pcy_tree.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +pcy_tree.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +pcy_tree.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +pcy_tree.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +pcy_tree.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +pcy_tree.o: ../../include/openssl/x509v3.h ../cryptlib.h pcy_int.h pcy_tree.c v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_akey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h diff --git a/util/libeay.num b/util/libeay.num index 6d66ffc9b..3d3ab3dbd 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2419,7 +2419,7 @@ UI_get_string_type 2916 EXIST::FUNCTION: ENGINE_unregister_DH 2917 EXIST::FUNCTION:ENGINE ENGINE_register_all_DSA 2918 EXIST::FUNCTION:ENGINE OCSP_ONEREQ_get_ext_by_critical 2919 EXIST::FUNCTION: -bn_dup_expand 2920 EXIST::FUNCTION: +bn_dup_expand 2920 EXIST::FUNCTION:DEPRECATED OCSP_cert_id_new 2921 EXIST::FUNCTION: BASIC_CONSTRAINTS_it 2922 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: BASIC_CONSTRAINTS_it 2922 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: @@ -3162,3 +3162,20 @@ EVP_des_cfb8 3590 EXIST::FUNCTION:DES EVP_aes_256_cfb1 3591 EXIST::FUNCTION:AES EVP_des_cfb1 3592 EXIST::FUNCTION:DES EVP_des_ede3_cfb1 3593 EXIST::FUNCTION:DES +X509_policy_node_get0_parent 3594 EXIST::FUNCTION: +X509_policy_tree_get0_policies 3595 EXIST::FUNCTION: +X509_policy_level_node_count 3596 EXIST::FUNCTION: +X509_policy_node_get0_qualifiers 3597 EXIST::FUNCTION: +X509_policy_node_get0_policy 3598 EXIST::FUNCTION: +X509_policy_tree_free 3599 EXIST::FUNCTION: +AES_cfbr_encrypt_block 3600 EXIST::FUNCTION:AES +AES_cfb8_encrypt 3601 EXIST::FUNCTION:AES +X509_policy_level_get0_node 3602 EXIST::FUNCTION: +X509_policy_tree_level_count 3603 EXIST::FUNCTION: +X509_policy_tree_get0_level 3604 EXIST::FUNCTION: +ASN1_const_check_infinite_end 3605 EXIST::FUNCTION: +X509_policy_tree_get0_user_policies 3606 EXIST::FUNCTION: +X509_policy_lib_init 3607 EXIST::FUNCTION: +asn1_const_Finish 3608 EXIST::FUNCTION: +X509_policy_check 3609 EXIST::FUNCTION: +AES_cfb1_encrypt 3610 EXIST::FUNCTION:AES From f46e76ef50576e638c1ca0bb837101de3580b105 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 23 Mar 2004 21:01:34 +0000 Subject: [PATCH 072/112] Make it clear that for RSA_NO_PADDING, flen must be RSA_size(rsa) --- doc/crypto/RSA_public_encrypt.pod | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod index d53e19d2b..ab0fe3b2c 100644 --- a/doc/crypto/RSA_public_encrypt.pod +++ b/doc/crypto/RSA_public_encrypt.pod @@ -47,9 +47,10 @@ Encrypting user data directly with RSA is insecure. =back B must be less than RSA_size(B) - 11 for the PKCS #1 v1.5 -based padding modes, and less than RSA_size(B) - 41 for -RSA_PKCS1_OAEP_PADDING. The random number generator must be seeded -prior to calling RSA_public_encrypt(). +based padding modes, less than RSA_size(B) - 41 for +RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. +The random number generator must be seeded prior to calling +RSA_public_encrypt(). RSA_private_decrypt() decrypts the B bytes at B using the private key B and stores the plaintext in B. B must point From 8ee18dd5202596f46279415d51725752a50590b6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 09:40:23 +0000 Subject: [PATCH 073/112] Make sure toupper() is properly declared. --- crypto/o_str.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/o_str.c b/crypto/o_str.c index efe20b77a..d626c98d0 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c @@ -56,6 +56,7 @@ * */ +#include #include #include "o_str.h" #include From a0b5ebeac6d03738f63bb7ce4e9fa5da3e746252 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 09:40:59 +0000 Subject: [PATCH 074/112] Typo... --- crypto/o_str.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/o_str.c b/crypto/o_str.c index d626c98d0..0bdfb4007 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c @@ -88,7 +88,7 @@ int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n) int OPENSSL_strcasecmp(const char *str1, const char *str2) { #if defined(OPENSSL_SYS_VMS) - return OSSL_strncasecmp(str1, str2, (size_t)-1); + return OPENSSL_strncasecmp(str1, str2, (size_t)-1); #elif defined(OPENSSL_SYS_WINDOWS) return _stricmp(str1, str2); #else From 3d8b8860cf36eebe0c182b22f190d0b7acde08b9 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 09:41:33 +0000 Subject: [PATCH 075/112] o_str.h isn't a public header file. --- e_os.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e_os.h b/e_os.h index aae3c79b8..09774165e 100644 --- a/e_os.h +++ b/e_os.h @@ -548,7 +548,7 @@ extern char *sys_errlist[]; extern int sys_nerr; # define strncasecmp _strnicmp #elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ -# include +# include "o_str.h" # define strcasecmp OPENSSL_strcasecmp # define strncasecmp OPENSSL_strncasecmp #elif defined(OPENSSL_SYS_OS2) && defined(__EMX__) From d342ec33353ce29fc431de2a2c9797764dcd9c0e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 09:43:03 +0000 Subject: [PATCH 076/112] o_str.h isn't a public header file, so make sure it will still be included. --- apps/makeapps.com | 6 +++--- test/maketests.com | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apps/makeapps.com b/apps/makeapps.com index 33759de23..8d121cc15 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com @@ -679,7 +679,7 @@ $ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" - THEN CC = "CC/DECC" $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + - "/NOLIST/PREFIX=ALL" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! @@ -711,7 +711,7 @@ $ EXIT $ ENDIF $ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $ CCDEFS = CCDEFS + ",""VAXC""" $! $! Define As SYS$COMMON:[SYSLIB] @@ -743,7 +743,7 @@ $! Use GNU C... $! $ IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC $ CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! diff --git a/test/maketests.com b/test/maketests.com index da32daaa7..af134a28f 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -616,7 +616,7 @@ $ IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" - THEN CC = "CC/DECC" $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + - "/NOLIST/PREFIX=ALL" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! @@ -649,7 +649,7 @@ $ EXIT $ ENDIF $ IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC" $ CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $ CCDEFS = CCDEFS + ",""VAXC""" $! $! Define As SYS$COMMON:[SYSLIB] @@ -680,7 +680,7 @@ $! $! Use GNU C... $! $ CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + - - "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS + "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS $! $! Define The Linker Options File Name. $! From a08e05d1be4c5affd5a833b9014664686b79c0e3 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 09:52:16 +0000 Subject: [PATCH 077/112] Add store.h among the exported headers on VMS. --- crypto/install.com | 13 +++++++++---- makevms.com | 13 +++++++++---- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/crypto/install.com b/crypto/install.com index f043a731d..c98f5c581 100644 --- a/crypto/install.com +++ b/crypto/install.com @@ -32,14 +32,18 @@ $ IF F$PARSE("WRK_SSLALIB:") .EQS. "" THEN - $ IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN - CREATE/DIR/LOG WRK_SSLINCLUDE: $ -$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- +$ SDIRS := ,- + OBJECTS,- + MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- DES,RC2,RC4,RC5,IDEA,BF,CAST,- BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,AES,- - BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,- + BUFFER,BIO,STACK,LHASH,RAND,ERR,- EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,- - UI,KRB5 + UI,KRB5,- + STORE $ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,- symhacks.h,ossl_typ.h +$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_MD2 := md2.h $ EXHEADER_MD4 := md4.h $ EXHEADER_MD5 := md5.h @@ -70,7 +74,6 @@ $ EXHEADER_STACK := stack.h,safestack.h $ EXHEADER_LHASH := lhash.h $ EXHEADER_RAND := rand.h $ EXHEADER_ERR := err.h -$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_EVP := evp.h $ EXHEADER_ASN1 := asn1.h,asn1_mac.h,asn1t.h $ EXHEADER_PEM := pem.h,pem2.h @@ -84,6 +87,8 @@ $ EXHEADER_COMP := comp.h $ EXHEADER_OCSP := ocsp.h $ EXHEADER_UI := ui.h,ui_compat.h $ EXHEADER_KRB5 := krb5_asn.h +$! EXHEADER_STORE := store.h,str_compat.h +$ EXHEADER_STORE := store.h $ LIBS := LIBCRYPTO $ $ VEXE_DIR := [-.VAX.EXE.CRYPTO] diff --git a/makevms.com b/makevms.com index 6db8a5988..8033ffc8d 100755 --- a/makevms.com +++ b/makevms.com @@ -418,13 +418,17 @@ $ COPY 'EXHEADER' SYS$DISK:[.INCLUDE.OPENSSL] $! $! Copy All The ".H" Files From The [.CRYPTO] Directory Tree. $! -$ SDIRS := ,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- +$ SDIRS := ,- + OBJECTS,- + MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,- DES,RC2,RC4,RC5,IDEA,BF,CAST,- BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,AES,- - BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,- - EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5 + BUFFER,BIO,STACK,LHASH,RAND,ERR,- + EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,- + STORE $ EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,symhacks.h,- ossl_typ.h +$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_MD2 := md2.h $ EXHEADER_MD4 := md4.h $ EXHEADER_MD5 := md5.h @@ -455,7 +459,6 @@ $ EXHEADER_STACK := stack.h,safestack.h $ EXHEADER_LHASH := lhash.h $ EXHEADER_RAND := rand.h $ EXHEADER_ERR := err.h -$ EXHEADER_OBJECTS := objects.h,obj_mac.h $ EXHEADER_EVP := evp.h $ EXHEADER_ASN1 := asn1.h,asn1_mac.h,asn1t.h $ EXHEADER_PEM := pem.h,pem2.h @@ -469,6 +472,8 @@ $ EXHEADER_COMP := comp.h $ EXHEADER_OCSP := ocsp.h $ EXHEADER_UI := ui.h,ui_compat.h $ EXHEADER_KRB5 := krb5_asn.h +$!EXHEADER_STORE := store.h,str_compat.h +$ EXHEADER_STORE := store.h $ $ I = 0 $ LOOP_SDIRS: From 5c42f62e48ec226fdd54d13147853270f91285f5 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 10:48:50 +0000 Subject: [PATCH 078/112] Only build the PKCS#7 test applications if "pkcs7" is present in SDIRS. --- crypto/Makefile.ssl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/Makefile.ssl b/crypto/Makefile.ssl index ed7d17618..46993bd34 100644 --- a/crypto/Makefile.ssl +++ b/crypto/Makefile.ssl @@ -65,7 +65,8 @@ buildinf.h: ../Makefile.ssl testapps: if echo ${SDIRS} | fgrep ' des '; \ then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi - cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps + if echo ${SDIRS} | fgrep ' pkcs7 '; \ + then cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps; fi subdirs: @for i in $(SDIRS) ;\ From ba5477eb1a33c9efd288a190de44ca8479ce000f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 10:50:25 +0000 Subject: [PATCH 079/112] Make it easier to buld test applications... --- Makefile.org | 33 ++++++++++++++++----------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/Makefile.org b/Makefile.org index 5c3e60ff0..46a491851 100644 --- a/Makefile.org +++ b/Makefile.org @@ -217,12 +217,12 @@ HEADER= e_os.h all: Makefile.ssl build_all openssl.pc -BUILD_CMD=if echo " $(DIRS) " | grep " $$i " >/dev/null 2>/dev/null; then \ - if [ -d "$$i" ]; then \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \ +BUILD_CMD=if echo " $(DIRS) " | grep " $$dir " >/dev/null 2>/dev/null; then \ + if [ -d "$$dir" ]; then \ + (cd $$dir && echo "making $$target in $$dir..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' $$target ) || exit 1; \ else \ - $(MAKE) $$i; \ + $(MAKE) $$dir; \ fi; fi sub_all: build_all @@ -231,17 +231,21 @@ build_all: build_libs build_apps build_tests build_tools build_libs: build_crypto build_ssl build_engines build_crypto: - @i=crypto; $(BUILD_CMD) + @dir=crypto; target=all; $(BUILD_CMD) build_ssl: - @i=ssl; $(BUILD_CMD) + @dir=ssl; target=all; $(BUILD_CMD) build_engines: - @i=engines; $(BUILD_CMD) + @dir=engines; target=all; $(BUILD_CMD) build_apps: - @i=apps; $(BUILD_CMD) + @dir=apps; target=all; $(BUILD_CMD) build_tests: - @i=test; $(BUILD_CMD) + @dir=test; target=all; $(BUILD_CMD) build_tools: - @i=tools; $(BUILD_CMD) + @dir=tools; target=all; $(BUILD_CMD) + +all_testapps: build_libs build_testapps +build_testapps: + @dir=crypto; target=testapps; $(BUILD_CMD) libcrypto$(SHLIB_EXT): libcrypto.a @if [ "$(SHLIB_TARGET)" != "" ]; then \ @@ -355,12 +359,7 @@ links: @$(TOP)/util/point.sh Makefile.ssl Makefile @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) - @set -e; for i in $(DIRS); do \ - if [ -d "$$i" ]; then \ - (cd $$i && echo "making links in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \ - fi; \ - done; + @set -e; target=links; for dir in $(DIRS); do $(BUILD_CMD); done gentests: @(cd test && echo "generating dummy tests (if needed)..." && \ From 0fa793bc7b2ce19c2e7b893717be0879b4e41b49 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 10:50:42 +0000 Subject: [PATCH 080/112] Correct constness problems. --- crypto/pkcs7/example.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/crypto/pkcs7/example.c b/crypto/pkcs7/example.c index c993947cc..2953d04b5 100644 --- a/crypto/pkcs7/example.c +++ b/crypto/pkcs7/example.c @@ -123,7 +123,7 @@ int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2) so=PKCS7_get_signed_attribute(si,signed_seq2string_nid); if (so && (so->type == V_ASN1_SEQUENCE)) { - ASN1_CTX c; + ASN1_const_CTX c; ASN1_STRING *s; long length; ASN1_OCTET_STRING *os1,*os2; @@ -144,7 +144,7 @@ int get_signed_seq2string(PKCS7_SIGNER_INFO *si, char **str1, char **str2) goto err; c.slen-=(c.p-c.q); - if (!asn1_Finish(&c)) goto err; + if (!asn1_const_Finish(&c)) goto err; *str1=malloc(os1->length+1); *str2=malloc(os2->length+1); memcpy(*str1,os1->data,os1->length); @@ -290,7 +290,7 @@ int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2) so=PKCS7_get_signed_attribute(&si,signed_seq2string_nid); if (so->type == V_ASN1_SEQUENCE) { - ASN1_CTX c; + ASN1_const_CTX c; ASN1_STRING *s; long length; ASN1_OCTET_STRING *os1,*os2; @@ -311,7 +311,7 @@ int sk_get_seq2string(STACK_OF(X509_ATTRIBUTE) *sk, char **str1, char **str2) goto err; c.slen-=(c.p-c.q); - if (!asn1_Finish(&c)) goto err; + if (!asn1_const_Finish(&c)) goto err; *str1=malloc(os1->length+1); *str2=malloc(os2->length+1); memcpy(*str1,os1->data,os1->length); From e703b4659878f479bf3b0df49c1004860fe29d7a Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 24 Mar 2004 10:55:48 +0000 Subject: [PATCH 081/112] Don't define fd for platforms that do not use it, as some may not declare fileno() properly --- crypto/bio/bss_file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index d4c058a1e..667c2eb2f 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -214,13 +214,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) b->ptr=(char *)ptr; b->init=1; { - int fd = fileno((FILE*)ptr); #if defined(OPENSSL_SYS_WINDOWS) + int fd = fileno((FILE*)ptr); if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); else _setmode(fd,_O_BINARY); #elif defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_CLIB) + int fd = fileno((FILE*)ptr); /* Under CLib there are differences in file modes */ if (num & BIO_FP_TEXT) @@ -228,6 +229,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) else _setmode(fd,O_BINARY); #elif defined(OPENSSL_SYS_MSDOS) + int fd = fileno((FILE*)ptr); /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); @@ -243,6 +245,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) _setmode(fd,_O_BINARY); } #elif defined(OPENSSL_SYS_OS2) + int fd = fileno((FILE*)ptr); if (num & BIO_FP_TEXT) setmode(fd, O_TEXT); else From 032c3ecb18ca3ac4823424aaf072f2deb28a987c Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 02:19:42 +0000 Subject: [PATCH 082/112] Protect against gcc's "warning: cast does not match function type". --- crypto/bio/b_print.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index decefc227..47b04396d 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -619,6 +619,7 @@ fmtfp( int caps = 0; long intpart; long fracpart; + long max10; if (max < 0) max = 6; @@ -639,11 +640,12 @@ fmtfp( /* we "cheat" by converting the fractional part to integer by multiplying by a factor of 10 */ - fracpart = roundv((pow10(max)) * (ufvalue - intpart)); + max10 = roundv(pow10(max)); + fracpart = roundv(pow10(max) * (ufvalue - intpart)); - if (fracpart >= (long)pow10(max)) { + if (fracpart >= max10) { intpart++; - fracpart -= (long)pow10(max); + fracpart -= max10; } /* convert integer part */ From 2bd4e3379f8d9bf517f72c95c488f5b9f3b3a0d3 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 02:24:38 +0000 Subject: [PATCH 083/112] Remove some warnings. --- crypto/x509v3/pcy_cache.c | 2 ++ crypto/x509v3/pcy_lib.c | 2 ++ crypto/x509v3/pcy_map.c | 2 +- crypto/x509v3/pcy_tree.c | 4 ++-- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index 23d930dd9..7cad12b51 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -232,6 +232,7 @@ static int policy_cache_new(X509 *x) } +#if 0 void policy_cache_free(X509_POLICY_CACHE *cache) { if (!cache) @@ -242,6 +243,7 @@ void policy_cache_free(X509_POLICY_CACHE *cache) sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); OPENSSL_free(cache); } +#endif const X509_POLICY_CACHE *policy_cache_set(X509 *x) { diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c index b56739e67..441a70e92 100644 --- a/crypto/x509v3/pcy_lib.c +++ b/crypto/x509v3/pcy_lib.c @@ -139,12 +139,14 @@ const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node) return node->data->valid_policy; } +#if 0 int X509_policy_node_get_critical(const X509_POLICY_NODE *node) { if (node_critical(node)) return 1; return 0; } +#endif STACK_OF(POLICYQUALIFIER) * X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c index fe934e27b..093e4b6a8 100644 --- a/crypto/x509v3/pcy_map.c +++ b/crypto/x509v3/pcy_map.c @@ -75,7 +75,7 @@ static void policy_map_free(X509_POLICY_REF *map) OPENSSL_free(map); } -X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id) +static X509_POLICY_REF *policy_map_find(X509_POLICY_CACHE *cache, ASN1_OBJECT *id) { X509_POLICY_REF tmp; int idx; diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 16cacde0c..8871ab88b 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -81,11 +81,11 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, X509 *x; int ret = 1; int i, n; - *ptree = NULL; - n = sk_X509_num(certs); int explicit_policy; int any_skip; int map_skip; + *ptree = NULL; + n = sk_X509_num(certs); /* Disable policy mapping for now... */ flags |= X509_V_FLAG_INHIBIT_MAP; From 2d2a5ba32a6da293bbe290529293c485d36e1c19 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 02:41:35 +0000 Subject: [PATCH 084/112] Damn, I was a bit hasty with my fix and hadn't spotted the linker dependency from asn1. --- crypto/x509v3/pcy_cache.c | 2 -- crypto/x509v3/pcy_int.h | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index 7cad12b51..23d930dd9 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -232,7 +232,6 @@ static int policy_cache_new(X509 *x) } -#if 0 void policy_cache_free(X509_POLICY_CACHE *cache) { if (!cache) @@ -243,7 +242,6 @@ void policy_cache_free(X509_POLICY_CACHE *cache) sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); OPENSSL_free(cache); } -#endif const X509_POLICY_CACHE *policy_cache_set(X509 *x) { diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h index 65689880a..8efe67397 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509v3/pcy_int.h @@ -205,6 +205,8 @@ STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); void policy_cache_init(void); +void policy_cache_free(X509_POLICY_CACHE *cache); + X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, const ASN1_OBJECT *id); From 46ef873f0b3c04b6415cddac5d4a7b27b53cc482 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 02:52:04 +0000 Subject: [PATCH 085/112] By adding a BN_CTX parameter to the 'rsa_mod_exp' callback, private key operations no longer require two distinct BN_CTX structures. This may put more "strain" on the current BN_CTX implementation (which has a fixed limit to the number of variables it will hold), but so far this limit is not triggered by any of the tests pass and I will be changing BN_CTX in the near future to avoid this problem anyway. This also changes the default RSA implementation code to use the BN_CTX in favour of initialising some of its variables locally in each function. --- CHANGES | 4 + crypto/rsa/rsa.h | 2 +- crypto/rsa/rsa_eay.c | 181 ++++++++++++++++++++++--------------------- engines/e_aep.c | 12 +-- engines/e_atalla.c | 9 +-- engines/e_cswift.c | 9 +-- engines/e_ncipher.c | 4 +- engines/e_nuron.c | 4 +- engines/e_ubsec.c | 12 +-- 9 files changed, 112 insertions(+), 125 deletions(-) diff --git a/CHANGES b/CHANGES index aebf096f9..6eceebac1 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD + to allow all RSA operations to function using a single BN_CTX. + [Geoff Thorpe] + *) Preliminary support for certificate policy evaluation and checking. This is initially intended to pass the tests outlined in "Conformance Testing of Relying Party Client Certificate Path Processing Logic" v1.07. diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 12689fc22..b3ed1edd3 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -93,7 +93,7 @@ typedef struct rsa_meth_st int (*rsa_priv_dec)(int flen,const unsigned char *from, unsigned char *to, RSA *rsa,int padding); - int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); /* Can be null */ + int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa,BN_CTX *ctx); /* Can be null */ int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); /* Can be null */ diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 5beb9c9fd..b66b4bc14 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -72,7 +72,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,int padding); static int RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,int padding); -static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa); +static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx); static int RSA_eay_init(RSA *rsa); static int RSA_eay_finish(RSA *rsa); static RSA_METHOD rsa_pkcs1_eay_meth={ @@ -137,16 +137,18 @@ static int rsa_eay_mont_helper(BN_MONT_CTX **ptr, const BIGNUM *modulus, BN_CTX static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { - BIGNUM f,ret; + BIGNUM *f,*ret; int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; - BN_init(&f); - BN_init(&ret); if ((ctx=BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); + ret = BN_CTX_get(ctx); num=BN_num_bytes(rsa->n); - if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) + buf = OPENSSL_malloc(num); + if (!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,ERR_R_MALLOC_FAILURE); goto err; @@ -174,9 +176,9 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, } if (i <= 0) goto err; - if (BN_bin2bn(buf,num,&f) == NULL) goto err; + if (BN_bin2bn(buf,num,f) == NULL) goto err; - if (BN_ucmp(&f, rsa->n) >= 0) + if (BN_ucmp(f, rsa->n) >= 0) { /* usually the padding functions would catch this */ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); @@ -185,21 +187,23 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; /* put in leading 0 bytes if the number is less than the * length of the modulus */ - j=BN_num_bytes(&ret); - i=BN_bn2bin(&ret,&(to[num-j])); + j=BN_num_bytes(ret); + i=BN_bn2bin(ret,&(to[num-j])); for (k=0; k<(num-i); k++) to[k]=0; r=num; err: - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&f); - BN_clear_free(&ret); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } if (buf != NULL) { OPENSSL_cleanse(buf,num); @@ -265,19 +269,20 @@ err: static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { - BIGNUM f,ret; + BIGNUM *f,*ret; int i,j,k,num=0,r= -1; unsigned char *buf=NULL; BN_CTX *ctx=NULL; int local_blinding = 0; BN_BLINDING *blinding = NULL; - BN_init(&f); - BN_init(&ret); - if ((ctx=BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); + ret = BN_CTX_get(ctx); num=BN_num_bytes(rsa->n); - if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) + buf = OPENSSL_malloc(num); + if(!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE); goto err; @@ -298,9 +303,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } if (i <= 0) goto err; - if (BN_bin2bn(buf,num,&f) == NULL) goto err; + if (BN_bin2bn(buf,num,f) == NULL) goto err; - if (BN_ucmp(&f, rsa->n) >= 0) + if (BN_ucmp(f, rsa->n) >= 0) { /* usually the padding functions would catch this */ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); @@ -339,7 +344,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, } if (blinding) - if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; + if (!BN_BLINDING_convert(f, blinding, ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || ((rsa->p != NULL) && @@ -347,29 +352,31 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) ) - { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + { if (!rsa->meth->rsa_mod_exp(ret,f,rsa,ctx)) goto err; } else { MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx, + if (!rsa->meth->bn_mod_exp(ret,f,rsa->d,rsa->n,ctx, rsa->_method_mod_n)) goto err; } if (blinding) - if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; + if (!BN_BLINDING_invert(ret, blinding, ctx)) goto err; /* put in leading 0 bytes if the number is less than the * length of the modulus */ - j=BN_num_bytes(&ret); - i=BN_bn2bin(&ret,&(to[num-j])); + j=BN_num_bytes(ret); + i=BN_bn2bin(ret,&(to[num-j])); for (k=0; k<(num-i); k++) to[k]=0; r=num; err: - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&ret); - BN_clear_free(&f); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } if (local_blinding) BN_BLINDING_free(blinding); if (buf != NULL) @@ -383,7 +390,7 @@ err: static int RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { - BIGNUM f,ret; + BIGNUM *f,*ret; int j,num=0,r= -1; unsigned char *p; unsigned char *buf=NULL; @@ -391,14 +398,13 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, int local_blinding = 0; BN_BLINDING *blinding = NULL; - BN_init(&f); - BN_init(&ret); - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - + if((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); + ret = BN_CTX_get(ctx); num=BN_num_bytes(rsa->n); - - if ((buf=(unsigned char *)OPENSSL_malloc(num)) == NULL) + buf = OPENSSL_malloc(num); + if(!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE); goto err; @@ -413,9 +419,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, } /* make data into a big number */ - if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err; + if (BN_bin2bn(from,(int)flen,f) == NULL) goto err; - if (BN_ucmp(&f, rsa->n) >= 0) + if (BN_ucmp(f, rsa->n) >= 0) { RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); goto err; @@ -453,7 +459,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, } if (blinding) - if (!BN_BLINDING_convert(&f, blinding, ctx)) goto err; + if (!BN_BLINDING_convert(f, blinding, ctx)) goto err; /* do the decrypt */ if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -462,20 +468,20 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, (rsa->dmp1 != NULL) && (rsa->dmq1 != NULL) && (rsa->iqmp != NULL)) ) - { if (!rsa->meth->rsa_mod_exp(&ret,&f,rsa)) goto err; } + { if (!rsa->meth->rsa_mod_exp(ret,f,rsa,ctx)) goto err; } else { MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx, + if (!rsa->meth->bn_mod_exp(ret,f,rsa->d,rsa->n,ctx, rsa->_method_mod_n)) goto err; } if (blinding) - if (!BN_BLINDING_invert(&ret, blinding, ctx)) goto err; + if (!BN_BLINDING_invert(ret, blinding, ctx)) goto err; p=buf; - j=BN_bn2bin(&ret,p); /* j is only used with no-padding mode */ + j=BN_bn2bin(ret,p); /* j is only used with no-padding mode */ switch (padding) { @@ -501,9 +507,11 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_PADDING_CHECK_FAILED); err: - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&f); - BN_clear_free(&ret); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } if (local_blinding) BN_BLINDING_free(blinding); if (buf != NULL) @@ -518,20 +526,19 @@ err: static int RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) { - BIGNUM f,ret; + BIGNUM *f,*ret; int i,num=0,r= -1; unsigned char *p; unsigned char *buf=NULL; BN_CTX *ctx=NULL; - BN_init(&f); - BN_init(&ret); - ctx=BN_CTX_new(); - if (ctx == NULL) goto err; - + if((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + f = BN_CTX_get(ctx); + ret = BN_CTX_get(ctx); num=BN_num_bytes(rsa->n); - buf=(unsigned char *)OPENSSL_malloc(num); - if (buf == NULL) + buf = OPENSSL_malloc(num); + if(!f || !ret || !buf) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,ERR_R_MALLOC_FAILURE); goto err; @@ -545,9 +552,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, goto err; } - if (BN_bin2bn(from,flen,&f) == NULL) goto err; + if (BN_bin2bn(from,flen,f) == NULL) goto err; - if (BN_ucmp(&f, rsa->n) >= 0) + if (BN_ucmp(f, rsa->n) >= 0) { RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS); goto err; @@ -555,11 +562,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!rsa->meth->bn_mod_exp(&ret,&f,rsa->e,rsa->n,ctx, + if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx, rsa->_method_mod_n)) goto err; p=buf; - i=BN_bn2bin(&ret,p); + i=BN_bn2bin(ret,p); switch (padding) { @@ -577,9 +584,11 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_PADDING_CHECK_FAILED); err: - if (ctx != NULL) BN_CTX_free(ctx); - BN_clear_free(&f); - BN_clear_free(&ret); + if (ctx != NULL) + { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } if (buf != NULL) { OPENSSL_cleanse(buf,num); @@ -588,37 +597,36 @@ err: return(r); } -static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - BIGNUM r1,m1,vrfy; + BIGNUM *r1,*m1,*vrfy; int ret=0; - BN_CTX *ctx; - BN_init(&m1); - BN_init(&r1); - BN_init(&vrfy); - if ((ctx=BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + r1 = BN_CTX_get(ctx); + m1 = BN_CTX_get(ctx); + vrfy = BN_CTX_get(ctx); MONT_HELPER(rsa, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); MONT_HELPER(rsa, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err); MONT_HELPER(rsa, ctx, n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err); - if (!BN_mod(&r1,I,rsa->q,ctx)) goto err; - if (!rsa->meth->bn_mod_exp(&m1,&r1,rsa->dmq1,rsa->q,ctx, + if (!BN_mod(r1,I,rsa->q,ctx)) goto err; + if (!rsa->meth->bn_mod_exp(m1,r1,rsa->dmq1,rsa->q,ctx, rsa->_method_mod_q)) goto err; - if (!BN_mod(&r1,I,rsa->p,ctx)) goto err; - if (!rsa->meth->bn_mod_exp(r0,&r1,rsa->dmp1,rsa->p,ctx, + if (!BN_mod(r1,I,rsa->p,ctx)) goto err; + if (!rsa->meth->bn_mod_exp(r0,r1,rsa->dmp1,rsa->p,ctx, rsa->_method_mod_p)) goto err; - if (!BN_sub(r0,r0,&m1)) goto err; + if (!BN_sub(r0,r0,m1)) goto err; /* This will help stop the size of r0 increasing, which does * affect the multiply if it optimised for a power of 2 size */ if (BN_get_sign(r0)) if (!BN_add(r0,r0,rsa->p)) goto err; - if (!BN_mul(&r1,r0,rsa->iqmp,ctx)) goto err; - if (!BN_mod(r0,&r1,rsa->p,ctx)) goto err; + if (!BN_mul(r1,r0,rsa->iqmp,ctx)) goto err; + if (!BN_mod(r0,r1,rsa->p,ctx)) goto err; /* If p < q it is occasionally possible for the correction of * adding 'p' if r0 is negative above to leave the result still * negative. This can break the private key operations: the following @@ -628,21 +636,21 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) */ if (BN_get_sign(r0)) if (!BN_add(r0,r0,rsa->p)) goto err; - if (!BN_mul(&r1,r0,rsa->q,ctx)) goto err; - if (!BN_add(r0,&r1,&m1)) goto err; + if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; + if (!BN_add(r0,r1,m1)) goto err; if (rsa->e && rsa->n) { - if (!rsa->meth->bn_mod_exp(&vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; + if (!rsa->meth->bn_mod_exp(vrfy,r0,rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; /* If 'I' was greater than (or equal to) rsa->n, the operation * will be equivalent to using 'I mod n'. However, the result of * the verify will *always* be less than 'n' so we don't check * for absolute equality, just congruency. */ - if (!BN_sub(&vrfy, &vrfy, I)) goto err; - if (!BN_mod(&vrfy, &vrfy, rsa->n, ctx)) goto err; - if (BN_get_sign(&vrfy)) - if (!BN_add(&vrfy, &vrfy, rsa->n)) goto err; - if (!BN_is_zero(&vrfy)) + if (!BN_sub(vrfy, vrfy, I)) goto err; + if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) goto err; + if (BN_get_sign(vrfy)) + if (!BN_add(vrfy, vrfy, rsa->n)) goto err; + if (!BN_is_zero(vrfy)) /* 'I' and 'vrfy' aren't congruent mod n. Don't leak * miscalculated CRT output, just do a raw (slower) * mod_exp and return that instead. */ @@ -651,10 +659,7 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) } ret=1; err: - BN_clear_free(&m1); - BN_clear_free(&r1); - BN_clear_free(&vrfy); - BN_CTX_free(ctx); + BN_CTX_end(ctx); return(ret); } diff --git a/engines/e_aep.c b/engines/e_aep.c index 5083c80ef..aa4fe7570 100644 --- a/engines/e_aep.c +++ b/engines/e_aep.c @@ -106,7 +106,7 @@ static AEP_RV aep_mod_exp_crt(BIGNUM *r,const BIGNUM *a, const BIGNUM *p, /* RSA stuff */ #ifndef OPENSSL_NO_RSA -static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); #endif /* This function is aliased to mod_exp (with the mont stuff dropped). */ @@ -745,15 +745,11 @@ static int aep_rand_status(void) #endif #ifndef OPENSSL_NO_RSA -static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - BN_CTX *ctx = NULL; int to_return = 0; AEP_RV rv = AEP_R_OK; - if ((ctx = BN_CTX_new()) == NULL) - goto err; - if (!aep_dso) { AEPHKerr(AEPHK_F_AEP_RSA_MOD_EXP,AEPHK_R_NOT_LOADED); @@ -767,7 +763,7 @@ static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (rv == FAIL_TO_SW){ const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); - to_return = (*meth->rsa_mod_exp)(r0, I, rsa); + to_return = (*meth->rsa_mod_exp)(r0, I, rsa, ctx); goto err; } else if (rv != AEP_R_OK) @@ -790,8 +786,6 @@ static int aep_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) to_return = 1; err: - if(ctx) - BN_CTX_free(ctx); return to_return; } #endif diff --git a/engines/e_atalla.c b/engines/e_atalla.c index 79abc7067..cc6c9695f 100644 --- a/engines/e_atalla.c +++ b/engines/e_atalla.c @@ -86,7 +86,7 @@ static int atalla_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, #ifndef OPENSSL_NO_RSA /* RSA stuff */ -static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); #endif /* This function is aliased to mod_exp (with the mont stuff dropped). */ static int atalla_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -502,9 +502,8 @@ err: } #ifndef OPENSSL_NO_RSA -static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - BN_CTX *ctx = NULL; int to_return = 0; if(!atalla_dso) @@ -512,8 +511,6 @@ static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_NOT_LOADED); goto err; } - if((ctx = BN_CTX_new()) == NULL) - goto err; if(!rsa->d || !rsa->n) { ATALLAerr(ATALLA_F_ATALLA_RSA_MOD_EXP,ATALLA_R_MISSING_KEY_COMPONENTS); @@ -521,8 +518,6 @@ static int atalla_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) } to_return = atalla_mod_exp(r0, I, rsa->d, rsa->n, ctx); err: - if(ctx) - BN_CTX_free(ctx); return to_return; } #endif diff --git a/engines/e_cswift.c b/engines/e_cswift.c index 793aaccb1..cc39cd494 100644 --- a/engines/e_cswift.c +++ b/engines/e_cswift.c @@ -103,7 +103,7 @@ static int cswift_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, #ifndef OPENSSL_NO_RSA /* RSA stuff */ -static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); #endif /* This function is aliased to mod_exp (with the mont stuff dropped). */ static int cswift_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -668,13 +668,10 @@ err: } #ifndef OPENSSL_NO_RSA -static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - BN_CTX *ctx; int to_return = 0; - if((ctx = BN_CTX_new()) == NULL) - goto err; if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { CSWIFTerr(CSWIFT_F_CSWIFT_RSA_MOD_EXP,CSWIFT_R_MISSING_KEY_COMPONENTS); @@ -683,8 +680,6 @@ static int cswift_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) to_return = cswift_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1, rsa->dmq1, rsa->iqmp, ctx); err: - if(ctx) - BN_CTX_free(ctx); return to_return; } #endif diff --git a/engines/e_ncipher.c b/engines/e_ncipher.c index e416cffed..e075d1b45 100644 --- a/engines/e_ncipher.c +++ b/engines/e_ncipher.c @@ -102,7 +102,7 @@ static int hwcrhk_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, #ifndef OPENSSL_NO_RSA /* RSA stuff */ -static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa); +static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); #endif /* This function is aliased to mod_exp (with the mont stuff dropped). */ static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -946,7 +946,7 @@ err: } #ifndef OPENSSL_NO_RSA -static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa) +static int hwcrhk_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { char tempbuf[1024]; HWCryptoHook_ErrMsgBuf rmsg; diff --git a/engines/e_nuron.c b/engines/e_nuron.c index e3a9406c4..4df6f0495 100644 --- a/engines/e_nuron.c +++ b/engines/e_nuron.c @@ -192,9 +192,9 @@ static int nuron_mod_exp(BIGNUM *r,const BIGNUM *a,const BIGNUM *p, } #ifndef OPENSSL_NO_RSA -static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int nuron_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - return nuron_mod_exp(r0,I,rsa->d,rsa->n,NULL); + return nuron_mod_exp(r0,I,rsa->d,rsa->n,ctx); } #endif diff --git a/engines/e_ubsec.c b/engines/e_ubsec.c index 094458887..5aa29f1c5 100644 --- a/engines/e_ubsec.c +++ b/engines/e_ubsec.c @@ -89,7 +89,7 @@ static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *q, const BIGNUM *dp, const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx); #ifndef OPENSSL_NO_RSA -static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); #endif static int ubsec_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); @@ -590,14 +590,10 @@ static int ubsec_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } #ifndef OPENSSL_NO_RSA -static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { - BN_CTX *ctx; int to_return = 0; - if((ctx = BN_CTX_new()) == NULL) - goto err; - if(!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { UBSECerr(UBSEC_F_UBSEC_RSA_MOD_EXP, UBSEC_R_MISSING_KEY_COMPONENTS); @@ -612,11 +608,9 @@ static int ubsec_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) * Do in software as hardware failed. */ const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); - to_return = (*meth->rsa_mod_exp)(r0, I, rsa); + to_return = (*meth->rsa_mod_exp)(r0, I, rsa, ctx); } err: - if(ctx) - BN_CTX_free(ctx); return to_return; } #endif From ea77fc33807c9fc66f10c9d6f5176f4df1adb631 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 02:55:17 +0000 Subject: [PATCH 086/112] ... and this should likewise fix up those RSA implementations that weren't already built and tested. --- crypto/engine/eng_cryptodev.c | 6 +++--- engines/e_gmp.c | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 65f20726b..84d062a23 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -100,7 +100,7 @@ static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); -static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, @@ -767,7 +767,7 @@ cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) } static int -cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { struct crypt_kop kop; int ret = 1; @@ -796,7 +796,7 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); - ret = (*meth->rsa_mod_exp)(r0, I, rsa); + ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx); } err: zapparams(&kop); diff --git a/engines/e_gmp.c b/engines/e_gmp.c index 64cb039ed..39da65f74 100644 --- a/engines/e_gmp.c +++ b/engines/e_gmp.c @@ -101,7 +101,7 @@ static int e_gmp_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); #ifndef OPENSSL_NO_RSA /* RSA stuff */ -static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa); +static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); static int e_gmp_rsa_finish(RSA *r); #endif @@ -361,7 +361,7 @@ static int e_gmp_rsa_finish(RSA *rsa) return 1; } -static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa) +static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { E_GMP_RSA_CTX *hptr; int to_return = 0; From 514871099478191c10cf600cf32758e6ae781058 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 03:03:52 +0000 Subject: [PATCH 087/112] Adds warnings about two curves and fixes the "seed" value for two other curves. Submitted by: Nils Larsch --- apps/ecparam.c | 8 ++------ crypto/ec/ec_curve.c | 40 +++++++++++++++++++++++++++++++++------- 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/apps/ecparam.c b/apps/ecparam.c index 06e4d6602..ae046f9a8 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -342,7 +342,6 @@ bad: EC_builtin_curve *curves = NULL; size_t crv_len = 0; size_t n = 0; - size_t len; crv_len = EC_get_builtin_curves(NULL, 0); @@ -369,11 +368,8 @@ bad: if (sname == NULL) sname = ""; - len = BIO_printf(out, " %-10s: ", sname); - if (len + strlen(comment) > 80) - BIO_printf(out, "\n%80s\n", comment); - else - BIO_printf(out, "%s\n", comment); + BIO_printf(out, " %-10s: ", sname); + BIO_printf(out, "%s\n", comment); } OPENSSL_free(curves); diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index 9bd743c10..c5b54c733 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c @@ -86,8 +86,7 @@ typedef struct ec_curve_data_st { const BN_ULONG cofactor;/* the cofactor */ const unsigned char *seed;/* the seed (optional) */ size_t seed_len; - const char *comment; /* a short (less than 80 characters) - * description of the curve */ + const char *comment; /* a short description of the curve */ } EC_CURVE_DATA; /* the nist prime curves */ @@ -498,7 +497,7 @@ static const EC_CURVE_DATA _EC_SECG_CHAR2_163K1 = { "0289070FB05D38FF58321F2E800536D538CCDAA3D9", "04000000000000000000020108A2E0CC0D99F8A5EF", 2, NULL, 0, - "SECG/NIST/WTLS recommended curve over a 163 bit binary field" + "\n\tSECG/NIST/WTLS recommended curve over a 163 bit binary field" }; static const unsigned char _EC_SECG_CHAR2_163R1_SEED[] = { @@ -512,7 +511,15 @@ static const EC_CURVE_DATA _EC_SECG_CHAR2_163R1 = { "0369979697AB43897789566789567F787A7876A654", "00435EDB42EFAFB2989D51FEFCE3C80988F41FF883", "03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B", 2, +/* The algorithm used to derive the curve parameters from + * the seed used here is slightly different than the + * algorithm described in X9.62 . + */ +#if 0 _EC_SECG_CHAR2_163R1_SEED, 20, +#else + NULL, 0, +#endif "SECG recommended curve over a 163 bit binary field" }; @@ -527,7 +534,14 @@ static const EC_CURVE_DATA _EC_SECG_CHAR2_163R2 ={ "03F0EBA16286A2D57EA0991168D4994637E8343E36", "00D51FBC6C71A0094FA2CDD545B11C5C0C797324F1", "040000000000000000000292FE77E70C12A4234C33", 2, +/* The seed here was used to created the curve parameters in normal + * basis representation (and not the polynomial representation used here) + */ +#if 0 _EC_SECG_CHAR2_163R2_SEED, 20, +#else + NULL, 0, +#endif "SECG/NIST recommended curve over a 163 bit binary field" }; @@ -570,7 +584,7 @@ static const EC_CURVE_DATA _EC_SECG_CHAR2_233K1 = { "01DB537DECE819B7F70F555A67C427A8CD9BF18AEB9B56E0C11056FAE6A3", "008000000000000000000000000000069D5BB915BCD46EFB1AD5F173ABDF", 4, NULL, 0, - "SECG/NIST/WTLS recommended curve over a 233 bit binary field" + "\n\tSECG/NIST/WTLS recommended curve over a 233 bit binary field" }; static const unsigned char _EC_SECG_CHAR2_233R1_SEED[] = { @@ -585,7 +599,7 @@ static const EC_CURVE_DATA _EC_SECG_CHAR2_233R1 = { "01006A08A41903350678E58528BEBF8A0BEFF867A7CA36716F7E01F81052", "01000000000000000000000000000013E974E72F8A6922031D2603CFE0D7", 2, _EC_SECG_CHAR2_233R1_SEED, 20, - "SECG/NIST/WTLS recommended curve over a 233 bit binary field" + "\n\tSECG/NIST/WTLS recommended curve over a 233 bit binary field" }; static const EC_CURVE_DATA _EC_SECG_CHAR2_239K1 = { @@ -982,6 +996,11 @@ static const EC_CURVE_DATA _EC_WTLS_1 = { }; /* IPSec curves */ +/* NOTE: The of curves over a extension field of non prime degree + * is not recommended (Weil-descent). + * As the group order is not a prime this curve is not suitable + * for ECDSA. + */ static const EC_CURVE_DATA _EC_IPSEC_155_ID3 = { NID_X9_62_characteristic_two_field, "0800000000000000000000004000000000000001", @@ -991,9 +1010,15 @@ static const EC_CURVE_DATA _EC_IPSEC_155_ID3 = { "1c8", "2AAAAAAAAAAAAAAAAAAC7F3C7881BD0868FA86C",3, NULL, 0, - "IPSec/IKE/Oakley curve #3 over a 155 bit binary field" + "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n" + "\tNot suitable for ECDSA.\n\tQuestionable extension field!" }; +/* NOTE: The of curves over a extension field of non prime degree + * is not recommended (Weil-descent). + * As the group order is not a prime this curve is not suitable + * for ECDSA. + */ static const EC_CURVE_DATA _EC_IPSEC_185_ID4 = { NID_X9_62_characteristic_two_field, "020000000000000000000000000000200000000000000001", @@ -1003,7 +1028,8 @@ static const EC_CURVE_DATA _EC_IPSEC_185_ID4 = { "0d", "FFFFFFFFFFFFFFFFFFFFFFEDF97C44DB9F2420BAFCA75E",2, NULL, 0, - "IPSec/IKE/Oakley curve #4 over a 185 bit binary field" + "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n" + "\tNot suitable for ECDSA.\n\tQuestionable extension field!" }; typedef struct _ec_list_element_st { From 5c98b2caf5ce545fbf77611431c7084979da8177 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 04:16:14 +0000 Subject: [PATCH 088/112] Replace the BN_CTX implementation with my current work. I'm leaving the little TODO list in there as well as the debugging code (only enabled if BN_CTX_DEBUG is defined). I'd appreciate as much review and testing as can be spared for this. I'll commit some changes to other parts of the bignum code shortly to make better use of this implementation (no more fixed size limitations). Note also that under identical optimisations, I'm seeing a noticable speed increase over openssl-0.9.7 - so any feedback to confirm/deny this on other systems would also be most welcome. --- CHANGES | 9 + crypto/bn/bn_ctx.c | 440 ++++++++++++++++++++++++++++++++++++--------- 2 files changed, 364 insertions(+), 85 deletions(-) diff --git a/CHANGES b/CHANGES index 6eceebac1..b65a37aa7 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,15 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Reimplemented the BN_CTX implementation. There is now no more static + limitation on the number of variables it can handle nor the depth of the + "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack + information can now expand as required, and rather than having a single + static array of bignums, BN_CTX now uses a linked-list of such arrays + allowing it to expand on demand whilst maintaining the usefulness of + BN_CTX's "bundling". + [Geoff Thorpe] + *) Add a missing BN_CTX parameter to the 'rsa_mod_exp' callback in RSA_METHOD to allow all RSA operations to function using a single BN_CTX. [Geoff Thorpe] diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index f48055b26..5aec0c987 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,7 +1,7 @@ /* crypto/bn/bn_ctx.c */ /* Written by Ulf Moeller for the OpenSSL project. */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -66,119 +66,389 @@ #include "cryptlib.h" #include "bn_lcl.h" -/* BN_CTX structure details */ -#define BN_CTX_NUM 32 -#define BN_CTX_NUM_POS 12 +/* TODO list + * + * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and + * check they can be safely removed. + * - BN_bin2bn() looks pretty nasty with the miscellaneous +1 and +2 adjustments. + * Needs a full rubber-gloving, me thinks. + * - Check +1 and other ugliness in BN_from_montgomery() + * - Aspects of BN_bn2dec() also look a bit arbitrary + * + * 2. Consider allowing a BN_new_ex() that, at least, lets you specify an + * appropriate 'block' size that will be honoured by bn_expand_internal() to + * prevent piddly little reallocations. OTOH, profiling bignum expansions in + * BN_CTX doesn't show this to be a big issue. + */ + +/* How many bignums are in each "pool item"; */ +#define BN_CTX_POOL_SIZE 16 +/* The stack frame info is resizing, set a first-time expansion size; */ +#define BN_CTX_START_FRAMES 32 + +/***********/ +/* BN_POOL */ +/***********/ + +/* A bundle of bignums that can be linked with other bundles */ +typedef struct bignum_pool_item + { + /* The bignum values */ + BIGNUM vals[BN_CTX_POOL_SIZE]; + /* Linked-list admin */ + struct bignum_pool_item *prev, *next; + } BN_POOL_ITEM; +/* A linked-list of bignums grouped in bundles */ +typedef struct bignum_pool + { + /* Linked-list admin */ + BN_POOL_ITEM *head, *current, *tail; + /* Stack depth and allocation size */ + unsigned used, size; + } BN_POOL; +static void BN_POOL_init(BN_POOL *); +static void BN_POOL_finish(BN_POOL *); +#ifndef OPENSSL_NO_DEPRECATED +static void BN_POOL_reset(BN_POOL *); +#endif +static BIGNUM * BN_POOL_get(BN_POOL *); +static void BN_POOL_release(BN_POOL *, unsigned int); + +/************/ +/* BN_STACK */ +/************/ + +/* A wrapper to manage the "stack frames" */ +typedef struct bignum_ctx_stack + { + /* Array of indexes into the bignum stack */ + unsigned int *indexes; + /* Number of stack frames, and the size of the allocated array */ + unsigned int depth, size; + } BN_STACK; +static void BN_STACK_init(BN_STACK *); +static void BN_STACK_finish(BN_STACK *); +#ifndef OPENSSL_NO_DEPRECATED +static void BN_STACK_reset(BN_STACK *); +#endif +static int BN_STACK_push(BN_STACK *, unsigned int); +static unsigned int BN_STACK_pop(BN_STACK *); + +/**********/ +/* BN_CTX */ +/**********/ + +/* The opaque BN_CTX type */ struct bignum_ctx { - int tos; - BIGNUM bn[BN_CTX_NUM]; - int flags; - int depth; - int pos[BN_CTX_NUM_POS]; + /* The bignum bundles */ + BN_POOL pool; + /* The "stack frames", if you will */ + BN_STACK stack; + /* The number of bignums currently assigned */ + unsigned int used; + /* Depth of stack overflow */ + int err_stack; + /* Block "gets" until an "end" (compatibility behaviour) */ int too_many; }; +/* Enable this to find BN_CTX bugs */ +#ifdef BN_CTX_DEBUG +static const char *ctxdbg_cur = NULL; +static void ctxdbg(BN_CTX *ctx) + { + unsigned int bnidx = 0, fpidx = 0; + BN_POOL_ITEM *item = ctx->pool.head; + BN_STACK *stack = &ctx->stack; + printf("(%08x): ", (unsigned int)ctx); + while(bnidx < ctx->used) + { + printf("%02x ", item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax); + if(!(bnidx % BN_CTX_POOL_SIZE)) + item = item->next; + } + printf("\n"); + bnidx = 0; + printf(" : "); + while(fpidx < stack->depth) + { + while(bnidx++ < stack->indexes[fpidx]) + printf(" "); + printf("^^ "); + bnidx++; + fpidx++; + } + printf("\n"); + } +#define CTXDBG_ENTRY(str, ctx) do { \ + ctxdbg_cur = (str); \ + printf("Starting %s\n", ctxdbg_cur); \ + ctxdbg(ctx); \ + } while(0) +#define CTXDBG_EXIT(ctx) do { \ + printf("Ending %s\n", ctxdbg_cur); \ + ctxdbg(ctx); \ + } while(0) +#define CTXDBG_RET(ctx,ret) +#else +#define CTXDBG_ENTRY(str, ctx) +#define CTXDBG_EXIT(ctx) +#define CTXDBG_RET(ctx,ret) +#endif + +/* This function is an evil legacy and should not be used. This implementation + * is WYSIWYG, though I've done my best. */ #ifndef OPENSSL_NO_DEPRECATED void BN_CTX_init(BN_CTX *ctx) -#else -static void BN_CTX_init(BN_CTX *ctx) -#endif { -#if 0 /* explicit version */ - int i; - ctx->tos = 0; - ctx->flags = 0; - ctx->depth = 0; + /* Assume the caller obtained the context via BN_CTX_new() and so is + * trying to reset it for use. Nothing else makes sense, least of all + * binary compatibility from a time when they could declare a static + * variable. */ + BN_POOL_reset(&ctx->pool); + BN_STACK_reset(&ctx->stack); + ctx->used = 0; + ctx->err_stack = 0; ctx->too_many = 0; - for (i = 0; i < BN_CTX_NUM; i++) - BN_init(&(ctx->bn[i])); -#else - memset(ctx, 0, sizeof *ctx); -#endif } +#endif BN_CTX *BN_CTX_new(void) { - BN_CTX *ret; - - ret=(BN_CTX *)OPENSSL_malloc(sizeof(BN_CTX)); - if (ret == NULL) + BN_CTX *ret = OPENSSL_malloc(sizeof(BN_CTX)); + if(!ret) { BNerr(BN_F_BN_CTX_NEW,ERR_R_MALLOC_FAILURE); - return(NULL); + return NULL; } - - BN_CTX_init(ret); - ret->flags=BN_FLG_MALLOCED; - return(ret); + /* Initialise the structure */ + BN_POOL_init(&ret->pool); + BN_STACK_init(&ret->stack); + ret->used = 0; + ret->err_stack = 0; + ret->too_many = 0; + return ret; } void BN_CTX_free(BN_CTX *ctx) { - int i; - - if (ctx == NULL) return; - assert(ctx->depth == 0); - - for (i=0; i < BN_CTX_NUM; i++) { - bn_check_top(&(ctx->bn[i])); - if (ctx->bn[i].d) - BN_clear_free(&(ctx->bn[i])); +#ifdef BN_CTX_DEBUG + BN_POOL_ITEM *pool = ctx->pool.head; + printf("BN_CTX_free, stack-size=%d, pool-bignums=%d\n", + ctx->stack.size, ctx->pool.size); + printf("dmaxs: "); + while(pool) { + unsigned loop = 0; + while(loop < BN_CTX_POOL_SIZE) + printf("%02x ", pool->vals[loop++].dmax); + pool = pool->next; } - if (ctx->flags & BN_FLG_MALLOCED) - OPENSSL_free(ctx); + printf("\n"); +#endif + BN_STACK_finish(&ctx->stack); + BN_POOL_finish(&ctx->pool); + OPENSSL_free(ctx); } void BN_CTX_start(BN_CTX *ctx) { - if (ctx->depth < BN_CTX_NUM_POS) - ctx->pos[ctx->depth] = ctx->tos; - ctx->depth++; - } - - -BIGNUM *BN_CTX_get(BN_CTX *ctx) - { - BIGNUM *ret; - /* Note: If BN_CTX_get is ever changed to allocate BIGNUMs dynamically, - * make sure that if BN_CTX_get fails once it will return NULL again - * until BN_CTX_end is called. (This is so that callers have to check - * only the last return value.) - */ - if (ctx->depth > BN_CTX_NUM_POS || ctx->tos >= BN_CTX_NUM) + CTXDBG_ENTRY("BN_CTX_start", ctx); + /* If we're already overflowing ... */ + if(ctx->err_stack || ctx->too_many) + ctx->err_stack++; + /* (Try to) get a new frame pointer */ + else if(!BN_STACK_push(&ctx->stack, ctx->used)) { - if (!ctx->too_many) - { - BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES); - /* disable error code until BN_CTX_end is called: */ - ctx->too_many = 1; - } - return NULL; + /* I know this isn't BN_CTX_get, but ... */ + BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES); + ctx->err_stack++; } - ret = ctx->bn + (ctx->tos++); - /* always return a 'zeroed' bignum */ - BN_zero(ret); - return ret; + CTXDBG_EXIT(ctx); } void BN_CTX_end(BN_CTX *ctx) { - if (ctx == NULL) return; - assert(ctx->depth > 0); - if (ctx->depth == 0) - /* should never happen, but we can tolerate it if not in - * debug mode (could be a 'goto err' in the calling function - * before BN_CTX_start was reached) */ - BN_CTX_start(ctx); - - ctx->too_many = 0; - ctx->depth--; - if (ctx->depth < BN_CTX_NUM_POS) -#ifndef BN_DEBUG - ctx->tos = ctx->pos[ctx->depth]; -#else - while(ctx->tos > ctx->pos[ctx->depth]) - bn_check_top(&ctx->bn[--(ctx->tos)]); -#endif + CTXDBG_ENTRY("BN_CTX_end", ctx); + if(ctx->err_stack) + ctx->err_stack--; + else + { + unsigned int fp = BN_STACK_pop(&ctx->stack); + /* Does this stack frame have anything to release? */ + if(fp < ctx->used) + BN_POOL_release(&ctx->pool, ctx->used - fp); + ctx->used = fp; + /* Unjam "too_many" in case "get" had failed */ + ctx->too_many = 0; + } + CTXDBG_EXIT(ctx); } + +BIGNUM *BN_CTX_get(BN_CTX *ctx) + { + BIGNUM *ret; + CTXDBG_ENTRY("BN_CTX_get", ctx); + if(ctx->err_stack || ctx->too_many) return NULL; + if((ret = BN_POOL_get(&ctx->pool)) == NULL) + { + /* Setting too_many prevents repeated "get" attempts from + * cluttering the error stack. */ + ctx->too_many = 1; + BNerr(BN_F_BN_CTX_GET,BN_R_TOO_MANY_TEMPORARY_VARIABLES); + return NULL; + } + /* OK, make sure the returned bignum is "zero" */ + BN_zero(ret); + ctx->used++; + CTXDBG_RET(ctx, ret); + return ret; + } + +/************/ +/* BN_STACK */ +/************/ + +static void BN_STACK_init(BN_STACK *st) + { + st->indexes = NULL; + st->depth = st->size = 0; + } + +static void BN_STACK_finish(BN_STACK *st) + { + if(st->size) OPENSSL_free(st->indexes); + } + +#ifndef OPENSSL_NO_DEPRECATED +static void BN_STACK_reset(BN_STACK *st) + { + st->depth = 0; + } +#endif + +static int BN_STACK_push(BN_STACK *st, unsigned int idx) + { + if(st->depth == st->size) + /* Need to expand */ + { + unsigned int newsize = (st->size ? + (st->size * 3 / 2) : BN_CTX_START_FRAMES); + unsigned int *newitems = OPENSSL_malloc(newsize * + sizeof(unsigned int)); + if(!newitems) return 0; + if(st->depth) + memcpy(newitems, st->indexes, st->depth * + sizeof(unsigned int)); + if(st->size) OPENSSL_free(st->indexes); + st->indexes = newitems; + st->size = newsize; + } + st->indexes[(st->depth)++] = idx; + return 1; + } + +static unsigned int BN_STACK_pop(BN_STACK *st) + { + return st->indexes[--(st->depth)]; + } + +/***********/ +/* BN_POOL */ +/***********/ + +static void BN_POOL_init(BN_POOL *p) + { + p->head = p->current = p->tail = NULL; + p->used = p->size = 0; + } + +static void BN_POOL_finish(BN_POOL *p) + { + while(p->head) + { + unsigned int loop = 0; + BIGNUM *bn = p->head->vals; + while(loop++ < BN_CTX_POOL_SIZE) + { + if(bn->d) BN_clear_free(bn); + bn++; + } + p->current = p->head->next; + OPENSSL_free(p->head); + p->head = p->current; + } + } + +#ifndef OPENSSL_NO_DEPRECATED +static void BN_POOL_reset(BN_POOL *p) + { + BN_POOL_ITEM *item = p->head; + while(item) + { + unsigned int loop = 0; + BIGNUM *bn = item->vals; + while(loop++ < BN_CTX_POOL_SIZE) + { + if(bn->d) BN_clear(bn); + bn++; + } + item = item->next; + } + p->current = p->head; + p->used = 0; + } +#endif + +static BIGNUM *BN_POOL_get(BN_POOL *p) + { + if(p->used == p->size) + { + BIGNUM *bn; + unsigned int loop = 0; + BN_POOL_ITEM *item = OPENSSL_malloc(sizeof(BN_POOL_ITEM)); + if(!item) return NULL; + /* Initialise the structure */ + bn = item->vals; + while(loop++ < BN_CTX_POOL_SIZE) + BN_init(bn++); + item->prev = p->tail; + item->next = NULL; + /* Link it in */ + if(!p->head) + p->head = p->current = p->tail = item; + else + { + p->tail->next = item; + p->tail = item; + p->current = item; + } + p->size += BN_CTX_POOL_SIZE; + p->used++; + /* Return the first bignum from the new pool */ + return item->vals; + } + if(!p->used) + p->current = p->head; + else if((p->used % BN_CTX_POOL_SIZE) == 0) + p->current = p->current->next; + return p->current->vals + ((p->used++) % BN_CTX_POOL_SIZE); + } + +static void BN_POOL_release(BN_POOL *p, unsigned int num) + { + unsigned int offset = (p->used - 1) % BN_CTX_POOL_SIZE; + p->used -= num; + while(num--) + { + bn_check_top(p->current->vals + offset); + if(!offset) + { + offset = BN_CTX_POOL_SIZE - 1; + p->current = p->current->prev; + } + else + offset--; + } + } + From c86f2054f39c7005bc03f91db2d7bcf38f0a92ac Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Thu, 25 Mar 2004 04:32:24 +0000 Subject: [PATCH 089/112] Adjust various bignum functions to use BN_CTX for variables instead of locally initialising their own. NB: I've removed the "BN_clear_free()" loops for the exit-paths in some of these functions, and that may be a major part of the performance improvements we're seeing. The "free" part can be removed because we're using BN_CTX. The "clear" part OTOH can be removed because BN_CTX destruction automatically performs this task, so performing it inside functions that may be called repeatedly is wasteful. This is currently safe within openssl due to the fact that BN_CTX objects are never created for longer than a single high-level operation. However, that is only because there's currently no mechanism in openssl for thread-local storage. Beyond that, this might be an issue for applications using the bignum API directly and caching their own BN_CTX objects. The solution is to introduce a flag to BN_CTX_start() that allows its variables to be automatically sanitised on release during BN_CTX_end(). This way any higher-level function (and perhaps the application) can specify this flag in its own BN_CTX_start()/BN_CTX_end() pair, and this will cause inner-loop functions specifying the flag to be ignored so that sanitisation is handled only once back out at the higher level. I will be implementing this in the near future. --- crypto/bn/bn_exp.c | 84 ++++++++++++++++++++------------------------ crypto/bn/bn_exp2.c | 50 ++++++++++++-------------- crypto/bn/bn_mont.c | 35 +++++++++--------- crypto/bn/bn_prime.c | 17 +++++---- crypto/bn/bn_recp.c | 11 +++--- 5 files changed, 95 insertions(+), 102 deletions(-) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index c11e5afd3..d6bb2b439 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -231,9 +231,10 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int i,j,bits,ret=0,wstart,wend,window,wvalue; - int start=1,ts=0; + int start=1; BIGNUM *aa; - BIGNUM val[TABLE_SIZE]; + /* Table of variables obtained from 'ctx' */ + BIGNUM *val[TABLE_SIZE]; BN_RECP_CTX recp; bits=BN_num_bits(p); @@ -245,7 +246,9 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } BN_CTX_start(ctx); - if ((aa = BN_CTX_get(ctx)) == NULL) goto err; + aa = BN_CTX_get(ctx); + val[0] = BN_CTX_get(ctx); + if(!aa || !val[0]) goto err; BN_RECP_CTX_init(&recp); if (m->neg) @@ -260,11 +263,8 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, if (BN_RECP_CTX_set(&recp,m,ctx) <= 0) goto err; } - BN_init(&(val[0])); - ts=1; - - if (!BN_nnmod(&(val[0]),a,m,ctx)) goto err; /* 1 */ - if (BN_is_zero(&(val[0]))) + if (!BN_nnmod(val[0],a,m,ctx)) goto err; /* 1 */ + if (BN_is_zero(val[0])) { BN_zero(r); ret = 1; @@ -274,16 +274,16 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_reciprocal(aa,&(val[0]),&(val[0]),&recp,ctx)) + if (!BN_mod_mul_reciprocal(aa,val[0],val[0],&recp,ctx)) goto err; /* 2 */ j=1<<(window-1); for (i=1; i>1]),&recp,ctx)) + if (!BN_mod_mul_reciprocal(r,r,val[wvalue>>1],&recp,ctx)) goto err; /* move the 'window' down further */ @@ -347,8 +347,6 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ret=1; err: BN_CTX_end(ctx); - for (i=0; ineg || BN_ucmp(a,m) >= 0) { - if (!BN_nnmod(&(val[0]),a,m,ctx)) + if (!BN_nnmod(val[0],a,m,ctx)) goto err; - aa= &(val[0]); + aa= val[0]; } else aa=a; @@ -414,20 +411,20 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ret = 1; goto err; } - if (!BN_to_montgomery(&(val[0]),aa,mont,ctx)) goto err; /* 1 */ + if (!BN_to_montgomery(val[0],aa,mont,ctx)) goto err; /* 1 */ window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_montgomery(d,&(val[0]),&(val[0]),mont,ctx)) goto err; /* 2 */ + if (!BN_mod_mul_montgomery(d,val[0],val[0],mont,ctx)) goto err; /* 2 */ j=1<<(window-1); for (i=1; i>1]),mont,ctx)) + if (!BN_mod_mul_montgomery(r,r,val[wvalue>>1],mont,ctx)) goto err; /* move the 'window' down further */ @@ -494,8 +491,6 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); BN_CTX_end(ctx); - for (i=0; i 1) { - if (!BN_mod_mul(d,&(val[0]),&(val[0]),m,ctx)) + if (!BN_mod_mul(d,val[0],val[0],m,ctx)) goto err; /* 2 */ j=1<<(window-1); for (i=1; i>1]),m,ctx)) + if (!BN_mod_mul(r,r,val[wvalue>>1],m,ctx)) goto err; /* move the 'window' down further */ @@ -750,8 +744,6 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, ret=1; err: BN_CTX_end(ctx); - for (i=0; ineg || BN_ucmp(a1,m) >= 0) { - if (!BN_mod(&(val1[0]),a1,m,ctx)) + if (!BN_mod(val1[0],a1,m,ctx)) goto err; - a_mod_m = &(val1[0]); + a_mod_m = val1[0]; } else a_mod_m = a1; @@ -184,32 +184,30 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, goto err; } - if (!BN_to_montgomery(&(val1[0]),a_mod_m,mont,ctx)) goto err; + if (!BN_to_montgomery(val1[0],a_mod_m,mont,ctx)) goto err; if (window1 > 1) { - if (!BN_mod_mul_montgomery(d,&(val1[0]),&(val1[0]),mont,ctx)) goto err; + if (!BN_mod_mul_montgomery(d,val1[0],val1[0],mont,ctx)) goto err; j=1<<(window1-1); for (i=1; ineg || BN_ucmp(a2,m) >= 0) { - if (!BN_mod(&(val2[0]),a2,m,ctx)) + if (!BN_mod(val2[0],a2,m,ctx)) goto err; - a_mod_m = &(val2[0]); + a_mod_m = val2[0]; } else a_mod_m = a2; @@ -219,19 +217,19 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, ret = 1; goto err; } - if (!BN_to_montgomery(&(val2[0]),a_mod_m,mont,ctx)) goto err; + if (!BN_to_montgomery(val2[0],a_mod_m,mont,ctx)) goto err; if (window2 > 1) { - if (!BN_mod_mul_montgomery(d,&(val2[0]),&(val2[0]),mont,ctx)) goto err; + if (!BN_mod_mul_montgomery(d,val2[0],val2[0],mont,ctx)) goto err; j=1<<(window2-1); for (i=1; i>1]),mont,ctx)) + if (!BN_mod_mul_montgomery(r,r,val1[wvalue1>>1],mont,ctx)) goto err; wvalue1 = 0; r_is_one = 0; @@ -297,7 +295,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, if (wvalue2 && b == wpos2) { /* wvalue2 is odd and < 2^window2 */ - if (!BN_mod_mul_montgomery(r,r,&(val2[wvalue2>>1]),mont,ctx)) + if (!BN_mod_mul_montgomery(r,r,val2[wvalue2>>1],mont,ctx)) goto err; wvalue2 = 0; r_is_one = 0; @@ -308,10 +306,6 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); BN_CTX_end(ctx); - for (i=0; iRR); /* grab RR as a temp */ BN_copy(&(mont->N),mod); /* Set N */ mont->N.neg = 0; @@ -294,22 +296,21 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) tmod.dmax=2; tmod.neg=0; /* Ri = R^-1 mod N*/ - if ((BN_mod_inverse(&Ri,R,&tmod,ctx)) == NULL) + if ((BN_mod_inverse(Ri,R,&tmod,ctx)) == NULL) goto err; - if (!BN_lshift(&Ri,&Ri,BN_BITS2)) goto err; /* R*Ri */ - if (!BN_is_zero(&Ri)) + if (!BN_lshift(Ri,Ri,BN_BITS2)) goto err; /* R*Ri */ + if (!BN_is_zero(Ri)) { - if (!BN_sub_word(&Ri,1)) goto err; + if (!BN_sub_word(Ri,1)) goto err; } else /* if N mod word size == 1 */ { - if (!BN_set_word(&Ri,BN_MASK2)) goto err; /* Ri-- (mod word size) */ + if (!BN_set_word(Ri,BN_MASK2)) goto err; /* Ri-- (mod word size) */ } - if (!BN_div(&Ri,NULL,&Ri,&tmod,ctx)) goto err; + if (!BN_div(Ri,NULL,Ri,&tmod,ctx)) goto err; /* Ni = (R*Ri-1)/N, * keep only least significant word: */ - mont->n0 = (Ri.top > 0) ? Ri.d[0] : 0; - BN_free(&Ri); + mont->n0 = (Ri->top > 0) ? Ri->d[0] : 0; } #else /* !MONT_WORD */ { /* bignum version */ @@ -317,13 +318,12 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) BN_zero(R); if (!BN_set_bit(R,mont->ri)) goto err; /* R = 2^ri */ /* Ri = R^-1 mod N*/ - if ((BN_mod_inverse(&Ri,R,&mont->N,ctx)) == NULL) + if ((BN_mod_inverse(Ri,R,&mont->N,ctx)) == NULL) goto err; - if (!BN_lshift(&Ri,&Ri,mont->ri)) goto err; /* R*Ri */ - if (!BN_sub_word(&Ri,1)) goto err; + if (!BN_lshift(Ri,Ri,mont->ri)) goto err; /* R*Ri */ + if (!BN_sub_word(Ri,1)) goto err; /* Ni = (R*Ri-1) / N */ - if (!BN_div(&(mont->Ni),NULL,&Ri,&mont->N,ctx)) goto err; - BN_free(&Ri); + if (!BN_div(&(mont->Ni),NULL,Ri,&mont->N,ctx)) goto err; } #endif @@ -332,9 +332,10 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) if (!BN_set_bit(&(mont->RR),mont->ri*2)) goto err; if (!BN_mod(&(mont->RR),&(mont->RR),&(mont->N),ctx)) goto err; - return(1); + ret = 1; err: - return(0); + BN_CTX_end(ctx); + return ret; } BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index 4430e90df..d03403a60 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -159,15 +159,17 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b) int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) { - BIGNUM t; + BIGNUM *t; int found=0; int i,j,c1=0; BN_CTX *ctx; int checks = BN_prime_checks_for_size(bits); - BN_init(&t); ctx=BN_CTX_new(); if (ctx == NULL) goto err; + BN_CTX_start(ctx); + t = BN_CTX_get(ctx); + if(!t) goto err; loop: /* make a random number and set the top and bottom bits */ if (add == NULL) @@ -204,7 +206,7 @@ loop: * check that (p-1)/2 is prime. * Since a prime is odd, We just * need to divide by 2 */ - if (!BN_rshift1(&t,ret)) goto err; + if (!BN_rshift1(t,ret)) goto err; for (i=0; i Date: Thu, 25 Mar 2004 13:37:02 +0000 Subject: [PATCH 090/112] Fix ASN1 warnings. --- crypto/stack/safestack.h | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h index cd9e780e4..e52a859eb 100644 --- a/crypto/stack/safestack.h +++ b/crypto/stack/safestack.h @@ -115,10 +115,10 @@ STACK_OF(type) \ ((void (*)(STACK_OF(type) *))sk_sort)(st) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - ((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \ - type *(*)(type **, unsigned char **,long), \ - void (*)(type *), int ,int )) d2i_ASN1_SET) \ - (st,pp,length, d2i_func, free_func, ex_tag,ex_class) +((STACK_OF(type) * (*) (STACK_OF(type) **,const unsigned char **, long , \ + type *(*)(type **, const unsigned char **,long), \ + void (*)(type *), int ,int )) d2i_ASN1_SET) \ + (st,pp,length, d2i_func, free_func, ex_tag,ex_class) #define SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \ ((int (*)(STACK_OF(type) *,unsigned char **, \ int (*)(type *,unsigned char **), int , int , int)) i2d_ASN1_SET) \ @@ -129,14 +129,15 @@ STACK_OF(type) \ int (*)(type *,unsigned char **), unsigned char **,int *)) ASN1_seq_pack) \ (st, i2d_func, buf, len) #define SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \ - ((STACK_OF(type) * (*)(unsigned char *,int, \ - type *(*)(type **,unsigned char **, long), \ + ((STACK_OF(type) * (*)(const unsigned char *,int, \ + type *(*)(type **,const unsigned char **, long), \ void (*)(type *)))ASN1_seq_unpack) \ (buf,len,d2i_func, free_func) #define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \ ((STACK_OF(type) * (*)(X509_ALGOR *, \ - type *(*)(type **, unsigned char **, long), void (*)(type *), \ + type *(*)(type **, const unsigned char **, long), \ + void (*)(type *), \ const char *, int, \ ASN1_STRING *, int))PKCS12_decrypt_d2i) \ (algor,d2i_func,free_func,pass,passlen,oct,seq) From b79c82eaabd87d336f91881f63b4104fec9ae445 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 25 Mar 2004 13:45:58 +0000 Subject: [PATCH 091/112] Fix loads of warnings in policy code. I'll remember to try to compile this with warnings enabled next time :-) --- crypto/x509/x509_vfy.h | 2 +- crypto/x509v3/pcy_cache.c | 7 ++++--- crypto/x509v3/pcy_data.c | 2 +- crypto/x509v3/pcy_int.h | 8 ++++---- crypto/x509v3/pcy_lib.c | 2 +- crypto/x509v3/pcy_map.c | 4 ++-- crypto/x509v3/pcy_node.c | 6 +++--- crypto/x509v3/pcy_tree.c | 6 +++--- 8 files changed, 19 insertions(+), 18 deletions(-) diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 6cf3d70ff..41644a9fe 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -441,7 +441,7 @@ X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i); const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node); -STACK_OF(POLICYQUALIFIER) * +STACK_OF(POLICYQUALINFO) * X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node); const X509_POLICY_NODE * X509_policy_node_get0_parent(const X509_POLICY_NODE *node); diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index 23d930dd9..c18beb89f 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -62,7 +62,8 @@ #include "pcy_int.h" -static int policy_data_cmp(void *pa, void *pb); +static int policy_data_cmp(const X509_POLICY_DATA * const *a, + const X509_POLICY_DATA * const *b); static int policy_cache_set_int(long *out, ASN1_INTEGER *value); /* Set cache entry according to CertificatePolicies extension. @@ -269,9 +270,9 @@ X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, return sk_X509_POLICY_DATA_value(cache->data, idx); } -static int policy_data_cmp(void *pa, void *pb) +static int policy_data_cmp(const X509_POLICY_DATA * const *a, + const X509_POLICY_DATA * const *b) { - X509_POLICY_DATA **a = pa; X509_POLICY_DATA **b = pb; return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); } diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index fae74cac9..614d2b493 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -69,7 +69,7 @@ void policy_data_free(X509_POLICY_DATA *data) ASN1_OBJECT_free(data->valid_policy); /* Don't free qualifiers if shared */ if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) - sk_POLICYINFO_pop_free(data->qualifier_set, + sk_POLICYQUALINFO_pop_free(data->qualifier_set, POLICYQUALINFO_free); sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); OPENSSL_free(data); diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h index 8efe67397..33d6adfb9 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509v3/pcy_int.h @@ -76,7 +76,7 @@ struct X509_POLICY_DATA_st unsigned int flags; /* Policy OID and qualifiers for this data */ ASN1_OBJECT *valid_policy; - STACK_OF(POLICYQUALIFIER) *qualifier_set; + STACK_OF(POLICYQUALINFO) *qualifier_set; STACK_OF(ASN1_OBJECT) *expected_policy_set; }; @@ -128,7 +128,7 @@ struct X509_POLICY_CACHE_st { /* other policy data */ STACK_OF(X509_POLICY_DATA) *data; /* If policyMappings extension present a table of mapped policies */ - STACK_OF(POLICY_REF) *maps; + STACK_OF(X509_POLICY_REF) *maps; /* If InhibitAnyPolicy present this is its value or -1 if absent. */ long any_skip; /* If policyConstraints and requireExplicitPolicy present this is its @@ -210,11 +210,11 @@ void policy_cache_free(X509_POLICY_CACHE *cache); X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, const ASN1_OBJECT *id); -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_TREE) *sk, +X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, const ASN1_OBJECT *id); X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - const X509_POLICY_DATA *data, + X509_POLICY_DATA *data, X509_POLICY_NODE *parent, X509_POLICY_TREE *tree); void policy_node_free(X509_POLICY_NODE *node); diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509v3/pcy_lib.c index 441a70e92..dae4840bc 100644 --- a/crypto/x509v3/pcy_lib.c +++ b/crypto/x509v3/pcy_lib.c @@ -148,7 +148,7 @@ int X509_policy_node_get_critical(const X509_POLICY_NODE *node) } #endif -STACK_OF(POLICYQUALIFIER) * +STACK_OF(POLICYQUALINFO) * X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node) { if (!node) diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509v3/pcy_map.c index 093e4b6a8..35221e8ba 100644 --- a/crypto/x509v3/pcy_map.c +++ b/crypto/x509v3/pcy_map.c @@ -62,9 +62,9 @@ #include "pcy_int.h" -static int ref_cmp(void *pa, void *pb) +static int ref_cmp(const X509_POLICY_REF * const *a, + const X509_POLICY_REF * const *b) { - X509_POLICY_REF **a = pa; X509_POLICY_REF **b = pb; return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); } diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c index 3d6bd34cc..254f3484d 100644 --- a/crypto/x509v3/pcy_node.c +++ b/crypto/x509v3/pcy_node.c @@ -63,9 +63,9 @@ #include "pcy_int.h" -static int node_cmp(void *pa, void *pb) +static int node_cmp(const X509_POLICY_NODE * const *a, + const X509_POLICY_NODE * const *b) { - X509_POLICY_NODE **a = pa, **b = pb; return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); } @@ -99,7 +99,7 @@ X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, } X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - const X509_POLICY_DATA *data, + X509_POLICY_DATA *data, X509_POLICY_NODE *parent, X509_POLICY_TREE *tree) { diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 8871ab88b..9ac169c00 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -410,11 +410,11 @@ static int tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, */ static int tree_calculate_authority_set(X509_POLICY_TREE *tree, - STACK_OF(X509_POLICY_NODES) **pnodes) + STACK_OF(X509_POLICY_NODE) **pnodes) { X509_POLICY_LEVEL *curr; X509_POLICY_NODE *node, *anyptr; - STACK_OF(X509_POLICY_NODES) **addnodes; + STACK_OF(X509_POLICY_NODE) **addnodes; int i, j; curr = tree->levels + tree->nlevel - 1; @@ -596,7 +596,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, { int ret; X509_POLICY_TREE *tree = NULL; - STACK_OF(X509_NODE) *nodes, *auth_nodes = NULL; + STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; *ptree = NULL; *explicit = 0; From a87228031f8a4e274c2f859a2589dcef2eb7cc58 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 15:52:43 +0000 Subject: [PATCH 092/112] RAND_add() wants a double as it's last argument. --- crypto/bn/bn_rand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index df45575f9..323bfa74b 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -140,7 +140,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) /* make a random number and set the top and bottom bits */ time(&tim); - RAND_add(&tim,sizeof(tim),0); + RAND_add(&tim,sizeof(tim),0.0); if (pseudorand) { From a481b4b52ce48aec3ccc6583a95e60cbb5c3042b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 16:04:02 +0000 Subject: [PATCH 093/112] A couple more cases where RAND_add() gets an integer instead of a doule as last argument. --- crypto/rand/randfile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index f5d0843d1..fd9035284 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -104,7 +104,7 @@ int RAND_load_file(const char *file, long bytes) i=stat(file,&sb); /* If the state fails, put some crap in anyway */ - RAND_add(&sb,sizeof(sb),0); + RAND_add(&sb,sizeof(sb),0.0); if (i < 0) return(0); if (bytes == 0) return(ret); @@ -129,7 +129,7 @@ int RAND_load_file(const char *file, long bytes) i=fread(buf,1,n,in); if (i <= 0) break; /* even if n != i, use the full array */ - RAND_add(buf,n,i); + RAND_add(buf,n,(double)i); ret+=i; if (bytes > 0) { From 482c2acf02ae6709292682bef24b12e2b45d7974 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 16:21:42 +0000 Subject: [PATCH 094/112] Make prototypes for some callback pointers. --- crypto/bio/bio_lib.c | 12 ++++++------ crypto/bio/bss_conn.c | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 692c8fb5c..5e96772ca 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -144,7 +144,7 @@ void BIO_vfree(BIO *a) int BIO_read(BIO *b, void *out, int outl) { int i; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if ((b == NULL) || (b->method == NULL) || (b->method->bread == NULL)) { @@ -176,7 +176,7 @@ int BIO_read(BIO *b, void *out, int outl) int BIO_write(BIO *b, const void *in, int inl) { int i; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if (b == NULL) return(0); @@ -211,7 +211,7 @@ int BIO_write(BIO *b, const void *in, int inl) int BIO_puts(BIO *b, const char *in) { int i; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if ((b == NULL) || (b->method == NULL) || (b->method->bputs == NULL)) { @@ -244,7 +244,7 @@ int BIO_puts(BIO *b, const char *in) int BIO_gets(BIO *b, char *in, int inl) { int i; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if ((b == NULL) || (b->method == NULL) || (b->method->bgets == NULL)) { @@ -305,7 +305,7 @@ char *BIO_ptr_ctrl(BIO *b, int cmd, long larg) long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) { long ret; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if (b == NULL) return(0); @@ -332,7 +332,7 @@ long BIO_ctrl(BIO *b, int cmd, long larg, void *parg) long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long)) { long ret; - long (*cb)(); + long (*cb)(BIO *,int,const char *,int,long,long); if (b == NULL) return(0); diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index f1016e51d..a608d81c7 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -130,7 +130,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) int ret= -1,i; unsigned long l; char *p,*q; - int (*cb)()=NULL; + int (*cb)(const BIO *,int,int)=NULL; if (c->info_callback != NULL) cb=c->info_callback; From c2dc3ee8d9f9662486fba8c450ed8ac8251357e1 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 19:52:34 +0000 Subject: [PATCH 095/112] Change spaces to symbols in names. PR: 856 --- util/extract-names.pl | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/util/extract-names.pl b/util/extract-names.pl index 744a8e232..35bd6ed84 100644 --- a/util/extract-names.pl +++ b/util/extract-names.pl @@ -9,9 +9,11 @@ while() { } elsif ($name) { if (/ - /) { s/ - .*//; - s/,[ \t]+/,/g; - s/^[ \t]+//g; - s/[ \t]+$//g; + s/,\s+/,/g; + s/\s+,/,/g; + s/^\s+//g; + s/\s+$//g; + s/\s/_/g; push @words, split ','; } } From fd9fa844e21b08b6038e7175f05fbd9be815d3df Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 20:01:01 +0000 Subject: [PATCH 096/112] Wrap code starting with a definition. PR: 854 --- crypto/rand/randfile.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index fd9035284..dda020fb1 100644 --- a/crypto/rand/randfile.c +++ b/crypto/rand/randfile.c @@ -166,6 +166,7 @@ int RAND_write_file(const char *file) } #if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) + { /* For some reason Win32 can't write to files created this way */ /* chmod(..., 0600) is too late to protect the file, @@ -173,6 +174,7 @@ int RAND_write_file(const char *file) int fd = open(file, O_CREAT, 0600); if (fd != -1) out = fdopen(fd, "wb"); + } #endif if (out == NULL) out = fopen(file,"wb"); From d530017c003890695977e3a9bfd62e420f943b83 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 20:09:00 +0000 Subject: [PATCH 097/112] Move the definition of Win32_rename(), since the macro rename gets undefined in the middle of the code on Windows, and that disrupts operations in functions later that use rename()... PR: 853 --- apps/apps.c | 76 ++++++++++++++++++++++++++--------------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index eae1fedcd..fa2f8a2b8 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -341,44 +341,6 @@ void program_name(char *in, char *out, int size) #endif #endif -#ifdef OPENSSL_SYS_WIN32 -int WIN32_rename(char *from, char *to) - { -#ifndef OPENSSL_SYS_WINCE - /* Windows rename gives an error if 'to' exists, so delete it - * first and ignore file not found errror - */ - if((remove(to) != 0) && (errno != ENOENT)) - return -1; -#undef rename - return rename(from, to); -#else - /* convert strings to UNICODE */ - { - BOOL result = FALSE; - WCHAR* wfrom; - WCHAR* wto; - int i; - wfrom = malloc((strlen(from)+1)*2); - wto = malloc((strlen(to)+1)*2); - if (wfrom != NULL && wto != NULL) - { - for (i=0; i<(int)strlen(from)+1; i++) - wfrom[i] = (short)from[i]; - for (i=0; i<(int)strlen(to)+1; i++) - wto[i] = (short)to[i]; - result = MoveFile(wfrom, wto); - } - if (wfrom != NULL) - free(wfrom); - if (wto != NULL) - free(wto); - return result; - } -#endif - } -#endif - int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]) { int num,len,i; @@ -2114,3 +2076,41 @@ error: return NULL; } +/* This code MUST COME AFTER anything that uses rename() */ +#ifdef OPENSSL_SYS_WIN32 +int WIN32_rename(char *from, char *to) + { +#ifndef OPENSSL_SYS_WINCE + /* Windows rename gives an error if 'to' exists, so delete it + * first and ignore file not found errror + */ + if((remove(to) != 0) && (errno != ENOENT)) + return -1; +#undef rename + return rename(from, to); +#else + /* convert strings to UNICODE */ + { + BOOL result = FALSE; + WCHAR* wfrom; + WCHAR* wto; + int i; + wfrom = malloc((strlen(from)+1)*2); + wto = malloc((strlen(to)+1)*2); + if (wfrom != NULL && wto != NULL) + { + for (i=0; i<(int)strlen(from)+1; i++) + wfrom[i] = (short)from[i]; + for (i=0; i<(int)strlen(to)+1; i++) + wto[i] = (short)to[i]; + result = MoveFile(wfrom, wto); + } + if (wfrom != NULL) + free(wfrom); + if (wto != NULL) + free(wto); + return result; + } +#endif + } +#endif From 0020502a07d5b030617b8a2a83c74232a7b672cd Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Thu, 25 Mar 2004 21:32:30 +0000 Subject: [PATCH 098/112] SSL_COMP_get_compression_method is a typo (a missing 's' at the end of the symbol name). --- crypto/symhacks.h | 2 ++ ssl/ssl.h | 4 ++-- ssl/ssl_locl.h | 6 ------ util/ssleay.num | 4 ++-- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/crypto/symhacks.h b/crypto/symhacks.h index a40e4fa46..9a46a2a21 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h @@ -163,6 +163,8 @@ #define SSL_CTX_set_cert_verify_callback SSL_CTX_set_cert_verify_cb #undef SSL_CTX_set_default_passwd_cb_userdata #define SSL_CTX_set_default_passwd_cb_userdata SSL_CTX_set_def_passwd_cb_ud +#undef SSL_COMP_get_compression_methods +#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt diff --git a/ssl/ssl.h b/ssl/ssl.h index 6a022bf03..8a16d77ac 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -1490,10 +1490,10 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl, #endif #ifndef OPENSSL_NO_COMP -STACK_OF(SSL_COMP) *SSL_COMP_get_compression_method(void); +STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); int SSL_COMP_add_compression_method(int id,COMP_METHOD *cm); #else -void *SSL_COMP_get_compression_method(void); +void *SSL_COMP_get_compression_methods(void); int SSL_COMP_add_compression_method(int id,char *cm); #endif diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index c2e6ff8cf..26e518ade 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -492,11 +492,6 @@ OPENSSL_EXTERN SSL3_ENC_METHOD ssl3_undef_enc_method; OPENSSL_EXTERN SSL_CIPHER ssl2_ciphers[]; OPENSSL_EXTERN SSL_CIPHER ssl3_ciphers[]; -#ifdef OPENSSL_SYS_VMS -#undef SSL_COMP_get_compression_methods -#define SSL_COMP_get_compression_methods SSL_COMP_get_compress_methods -#endif - SSL_METHOD *ssl_bad_method(int ver); SSL_METHOD *sslv2_base_method(void); @@ -643,7 +638,6 @@ int ssl_ok(SSL *s); int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs); SSL_COMP *ssl3_comp_find(STACK_OF(SSL_COMP) *sk, int n); -STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); #endif diff --git a/util/ssleay.num b/util/ssleay.num index c2a4909f1..8ed7b4ab1 100755 --- a/util/ssleay.num +++ b/util/ssleay.num @@ -218,8 +218,8 @@ SSL_set_msg_callback 267 EXIST::FUNCTION: SSL_set_tmp_ecdh_callback 268 EXIST::FUNCTION:ECDH SSL_CTX_set_tmp_ecdh_callback 269 EXIST::FUNCTION:ECDH SSL_SESSION_get_id 270 EXIST::FUNCTION: -SSL_COMP_get_compression_method 271 EXIST::FUNCTION:COMP +SSL_COMP_get_compression_methods 271 EXIST:!VMS:FUNCTION:COMP +SSL_COMP_get_compress_methods 271 EXIST:VMS:FUNCTION:COMP SSL_COMP_get_name 272 EXIST::FUNCTION: SSL_get_current_expansion 273 EXIST::FUNCTION: SSL_get_current_compression 274 EXIST::FUNCTION: -SSL_COMP_get_compression_methods 275 EXIST::FUNCTION: From 34be34fdd0f46d762ec51f698d76a219396fb3f6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 25 Mar 2004 23:32:06 +0000 Subject: [PATCH 099/112] Remove BN_CTX debug from debug-steve --- Configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configure b/Configure index 0b9766f95..829f9b37a 100755 --- a/Configure +++ b/Configure @@ -143,7 +143,7 @@ my %table=( "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32::::win32:cygwin-shared:::.dll", -"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", +"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared", "debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn:linux-shared", "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", From beedea2fefcb085250389f2987b52fe3e0e4975c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 26 Mar 2004 00:24:38 +0000 Subject: [PATCH 100/112] Free up BIO properly when using streaming S/MIME sign. --- crypto/pkcs7/pk7_mime.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index 182341846..210ec1e8c 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -239,14 +239,13 @@ static int pkcs7_output_data(BIO *out, BIO *data, PKCS7 *p7, int flags) /* Finalize signatures */ PKCS7_dataFinal(p7, p7bio); - /* Now remove any digests from output BIO */ + /* Now remove any digests prepended to the BIO */ - while (1) + while (p7bio != out) { tmpbio = BIO_pop(p7bio); - if (tmpbio == out) - break; - BIO_free(tmpbio); + BIO_free(p7bio); + p7bio = tmpbio; } return 1; From 6446e0c3c8286428374ec738ffdc859802bd3c92 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 27 Mar 2004 13:30:14 +0000 Subject: [PATCH 101/112] Extend OID config module format. --- CHANGES | 6 ++++ crypto/asn1/asn_moid.c | 64 ++++++++++++++++++++++++++++++++++++++++-- doc/apps/config.pod | 5 ++++ 3 files changed, 73 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index b65a37aa7..b242e468e 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Extend ASN1 oid configuration module. It now additionally accepts the + syntax: + + shortName = some long name, 1.2.3.4 + [Steve Henson] + *) Reimplemented the BN_CTX implementation. There is now no more static limitation on the number of variables it can handle nor the depth of the "stack" handling for BN_CTX_start()/BN_CTX_end() pairs. The stack diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index edb44c988..72cc1210b 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -3,7 +3,7 @@ * project 2001. */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -57,6 +57,7 @@ */ #include +#include #include #include "cryptlib.h" #include @@ -65,6 +66,8 @@ /* Simple ASN1 OID module: add all objects in a given section */ +static int do_create(char *value, char *name); + static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) { int i; @@ -80,7 +83,7 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf) for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { oval = sk_CONF_VALUE_value(sktmp, i); - if(OBJ_create(oval->value, oval->name, oval->name) == NID_undef) + if(!do_create(oval->value, oval->name)) { ASN1err(ASN1_F_OID_MODULE_INIT, ASN1_R_ADDING_OBJECT); return 0; @@ -98,3 +101,60 @@ void ASN1_add_oid_module(void) { CONF_module_add("oid_section", oid_module_init, oid_module_finish); } + +/* Create an OID based on a name value pair. Accept two formats. + * shortname = 1.2.3.4 + * shortname = some long name, 1.2.3.4 + */ + + +static int do_create(char *value, char *name) + { + int nid; + ASN1_OBJECT *oid; + char *ln, *ostr, *p, *lntmp; + p = strrchr(value, ','); + if (!p) + { + ln = name; + ostr = value; + } + else + { + ln = NULL; + ostr = p + 1; + if (!*ostr) + return 0; + while(isspace((unsigned char)*ostr)) ostr++; + } + + nid = OBJ_create(ostr, name, ln); + + if (nid == NID_undef) + return 0; + + if (p) + { + ln = value; + while(isspace((unsigned char)*ln)) ln++; + p--; + while(isspace((unsigned char)*p)) + { + if (p == ln) + return 0; + p--; + } + p++; + lntmp = OPENSSL_malloc((p - ln) + 1); + if (lntmp == NULL) + return 0; + memcpy(lntmp, ln, p - ln); + lntmp[p - ln + 1] = 0; + oid = OBJ_nid2obj(nid); + oid->ln = lntmp; + } + + return 1; + } + + diff --git a/doc/apps/config.pod b/doc/apps/config.pod index 8f823fa6d..2158cf425 100644 --- a/doc/apps/config.pod +++ b/doc/apps/config.pod @@ -105,6 +105,11 @@ as any compliant applications. For example: some_new_oid = 1.2.3.4 some_other_oid = 1.2.3.5 +In OpenSSL 0.9.8 it is also possible to set the value to the long name followed +by a comma and the numerical OID form. For example: + + shortName = some object long name, 1.2.3.4 + =head2 ENGINE CONFIGURATION MODULE This ENGINE configuration module has the name B. The value of this From e1a27eb34a6bf40af1bd6450d0fb3d57f6e24ab5 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 27 Mar 2004 22:49:28 +0000 Subject: [PATCH 102/112] Allow CRLs to be passed into X509_STORE_CTX. This is useful when the verified structure can contain its own CRLs (such as PKCS#7 signedData). Tidy up some of the verify code. --- CHANGES | 6 + crypto/pkcs7/pk7_smime.c | 2 + crypto/pkcs7/pkcs7.h | 1 + crypto/x509/x509_vfy.c | 256 ++++++++++++++++++++++++++------------- crypto/x509/x509_vfy.h | 2 + 5 files changed, 183 insertions(+), 84 deletions(-) diff --git a/CHANGES b/CHANGES index b242e468e..c5c2ebba9 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Add a local set of CRLs that can be used by X509_verify_cert() as well + as looking them up. This is useful when the verified structure may contain + CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs + present unless the new PKCS7_NO_CRL flag is asserted. + [Steve Henson] + *) Extend ASN1 oid configuration module. It now additionally accepts the syntax: diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 333a8aa38..6aca0222d 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -217,6 +217,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } + if (!(flags & PKCS7_NOCRL)) + X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl); i = X509_verify_cert(&cert_ctx); if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx); X509_STORE_CTX_cleanup(&cert_ctx); diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index 788cd5d6c..9dc3c0caa 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -265,6 +265,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7) #define PKCS7_NOOLDMIMETYPE 0x400 #define PKCS7_CRLFEOL 0x800 #define PKCS7_STREAM 0x1000 +#define PKCS7_NOCRL 0x2000 /* Flags: for compatibility with older code */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2e4d0b823..3e82f9548 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -499,17 +499,124 @@ static int check_cert(X509_STORE_CTX *ctx) } +/* Check CRL times against values in X509_STORE_CTX */ + +static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) + { + time_t *ptime; + int i; + ctx->current_crl = crl; + if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) + ptime = &ctx->check_time; + else + ptime = NULL; + + i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) + { + ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if(X509_CRL_get_nextUpdate(crl)) + { + i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); + + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) + { + ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; + if (!notify || !ctx->verify_cb(0, ctx)) + return 0; + } + } + + ctx->current_crl = NULL; + + return 1; + } + +/* Lookup CRLs from the supplied list. Look for matching isser name + * and validity. If we can't find a valid CRL return the last one + * with matching name. This gives more meaningful error codes. Otherwise + * we'd get a CRL not found error if a CRL existed with matching name but + * was invalid. + */ + +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, + X509_NAME *nm, STACK_OF(X509_CRL) *crls) + { + int i; + X509_CRL *crl, *best_crl = NULL; + for (i = 0; i < sk_X509_CRL_num(crls); i++) + { + crl = sk_X509_CRL_value(crls, i); + if (X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) + continue; + if (check_crl_time(ctx, crl, 0)) + { + *pcrl = crl; + CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509); + return 1; + } + best_crl = crl; + } + if (best_crl) + { + *pcrl = best_crl; + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509); + } + + return 0; + } + /* Retrieve CRL corresponding to certificate: currently just a * subject lookup: maybe use AKID later... - * Also might look up any included CRLs too (e.g PKCS#7 signedData). */ -static int get_crl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x) +static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) { int ok; + X509_CRL *crl = NULL; X509_OBJECT xobj; - ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, X509_get_issuer_name(x), &xobj); - if (!ok) return 0; - *crl = xobj.data.crl; + X509_NAME *nm; + nm = X509_get_issuer_name(x); + ok = get_crl_sk(ctx, &crl, nm, ctx->crls); + if (ok) + { + *pcrl = crl; + return 1; + } + + ok = X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj); + + if (!ok) + { + /* If we got a near match from get_crl_sk use that */ + if (crl) + { + *pcrl = crl; + return 1; + } + return 0; + } + + *pcrl = xobj.data.crl; + if (crl) + X509_CRL_free(crl); return 1; } @@ -518,8 +625,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; EVP_PKEY *ikey = NULL; - int ok = 0, chnum, cnum, i; - time_t *ptime; + int ok = 0, chnum, cnum; cnum = ctx->error_depth; chnum = sk_X509_num(ctx->chain) - 1; /* Find CRL issuer: if not last certificate then issuer @@ -571,45 +677,8 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) } } - /* OK, CRL signature valid check times */ - if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) - ptime = &ctx->check_time; - else - ptime = NULL; - - i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if (i > 0) - { - ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if(X509_CRL_get_nextUpdate(crl)) - { - i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); - - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - - if (i < 0) - { - ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; - ok = ctx->verify_cb(0, ctx); - if (!ok) goto err; - } - } + if (!check_crl_time(ctx, crl, 1)) + goto err; ok = 1; @@ -665,12 +734,58 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } +static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) + { + time_t *ptime; + int i; + + if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) + ptime = &ctx->check_time; + else + ptime = NULL; + + i=X509_cmp_time(X509_get_notBefore(x), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i > 0) + { + ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + i=X509_cmp_time(X509_get_notAfter(x), ptime); + if (i == 0) + { + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + if (i < 0) + { + ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; + ctx->current_cert=x; + if (!ctx->verify_cb(0, ctx)) + return 0; + } + + return 1; + } + static int internal_verify(X509_STORE_CTX *ctx) { - int i,ok=0,n; + int ok=0,n; X509 *xs,*xi; EVP_PKEY *pkey=NULL; - time_t *ptime; int (*cb)(); cb=ctx->verify_cb; @@ -679,10 +794,7 @@ static int internal_verify(X509_STORE_CTX *ctx) ctx->error_depth=n-1; n--; xi=sk_X509_value(ctx->chain,n); - if (ctx->flags & X509_V_FLAG_USE_CHECK_TIME) - ptime = &ctx->check_time; - else - ptime = NULL; + if (ctx->check_issued(ctx, xi, xi)) xs=xi; else @@ -735,41 +847,12 @@ static int internal_verify(X509_STORE_CTX *ctx) } EVP_PKEY_free(pkey); pkey=NULL; - - i=X509_cmp_time(X509_get_notBefore(xs), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } - if (i > 0) - { - ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } - xs->valid=1; } - i=X509_cmp_time(X509_get_notAfter(xs), ptime); - if (i == 0) - { - ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } + xs->valid = 1; - if (i < 0) - { - ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; - ctx->current_cert=xs; - ok=(*cb)(0,ctx); - if (!ok) goto end; - } + if (!check_cert_time(ctx, xs)) + goto end; /* The last error (if any) is still in the error value */ ctx->current_cert=xs; @@ -1000,6 +1083,11 @@ void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) ctx->untrusted=sk; } +void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) + { + ctx->crls=sk; + } + int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 41644a9fe..3deb5e400 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -218,6 +218,7 @@ struct x509_store_ctx_st /* X509_STORE_CTX */ /* The following are set by the caller */ X509 *cert; /* The cert to check */ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ + STACK_OF(X509_CRL) *crls; /* CRLs */ int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ time_t check_time; /* time to make verify at */ @@ -409,6 +410,7 @@ STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_cert(X509_STORE_CTX *c,X509 *x); void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,STACK_OF(X509) *sk); +void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,STACK_OF(X509_CRL) *sk); int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, From e07d3a021d1e7ef168669cf8c4431f1078de022f Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 28 Mar 2004 12:29:05 +0000 Subject: [PATCH 103/112] Remove obsolete files. --- crypto/asn1/f.c | 80 ----------------- crypto/asn1/x_cinf.c | 201 ------------------------------------------- 2 files changed, 281 deletions(-) delete mode 100644 crypto/asn1/f.c delete mode 100644 crypto/asn1/x_cinf.c diff --git a/crypto/asn1/f.c b/crypto/asn1/f.c deleted file mode 100644 index 82bccdfd5..000000000 --- a/crypto/asn1/f.c +++ /dev/null @@ -1,80 +0,0 @@ -/* crypto/asn1/f.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -#include -#include -#include - -main() - { - ASN1_TYPE *at; - char buf[512]; - int n; - long l; - - at=ASN1_TYPE_new(); - - n=ASN1_TYPE_set_int_octetstring(at,98736,"01234567",8); - printf("%d\n",n); - n=ASN1_TYPE_get_int_octetstring(at,&l,buf,8); - buf[8]='\0'; - printf("%ld %d %d\n",l,n,buf[8]); - buf[8]='\0'; - printf("%s\n",buf); - ERR_load_crypto_strings(); - ERR_print_errors_fp(stderr); - } diff --git a/crypto/asn1/x_cinf.c b/crypto/asn1/x_cinf.c deleted file mode 100644 index 339a110ee..000000000 --- a/crypto/asn1/x_cinf.c +++ /dev/null @@ -1,201 +0,0 @@ -/* crypto/asn1/x_cinf.c */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include "cryptlib.h" -#include -#include - -int i2d_X509_CINF(X509_CINF *a, unsigned char **pp) - { - int v1=0,v2=0; - M_ASN1_I2D_vars(a); - - M_ASN1_I2D_len_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1); - M_ASN1_I2D_len(a->serialNumber, i2d_ASN1_INTEGER); - M_ASN1_I2D_len(a->signature, i2d_X509_ALGOR); - M_ASN1_I2D_len(a->issuer, i2d_X509_NAME); - M_ASN1_I2D_len(a->validity, i2d_X509_VAL); - M_ASN1_I2D_len(a->subject, i2d_X509_NAME); - M_ASN1_I2D_len(a->key, i2d_X509_PUBKEY); - M_ASN1_I2D_len_IMP_opt(a->issuerUID, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_len_IMP_opt(a->subjectUID, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, - i2d_X509_EXTENSION,3, - V_ASN1_SEQUENCE,v2); - - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1); - M_ASN1_I2D_put(a->serialNumber, i2d_ASN1_INTEGER); - M_ASN1_I2D_put(a->signature, i2d_X509_ALGOR); - M_ASN1_I2D_put(a->issuer, i2d_X509_NAME); - M_ASN1_I2D_put(a->validity, i2d_X509_VAL); - M_ASN1_I2D_put(a->subject, i2d_X509_NAME); - M_ASN1_I2D_put(a->key, i2d_X509_PUBKEY); - M_ASN1_I2D_put_IMP_opt(a->issuerUID, i2d_ASN1_BIT_STRING,1); - M_ASN1_I2D_put_IMP_opt(a->subjectUID, i2d_ASN1_BIT_STRING,2); - M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions, - i2d_X509_EXTENSION,3, - V_ASN1_SEQUENCE,v2); - - M_ASN1_I2D_finish(); - } - -X509_CINF *d2i_X509_CINF(X509_CINF **a, unsigned char **pp, long length) - { - int ver=0; - M_ASN1_D2I_vars(a,X509_CINF *,X509_CINF_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - /* we have the optional version field */ - if (M_ASN1_next == (V_ASN1_CONTEXT_SPECIFIC | V_ASN1_CONSTRUCTED | 0)) - { - M_ASN1_D2I_get_EXP_opt(ret->version,d2i_ASN1_INTEGER,0); - if (ret->version->data != NULL) - ver=ret->version->data[0]; - } - else - { - if (ret->version != NULL) - { - M_ASN1_INTEGER_free(ret->version); - ret->version=NULL; - } - } - M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER); - M_ASN1_D2I_get(ret->signature,d2i_X509_ALGOR); - M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME); - M_ASN1_D2I_get(ret->validity,d2i_X509_VAL); - M_ASN1_D2I_get(ret->subject,d2i_X509_NAME); - M_ASN1_D2I_get(ret->key,d2i_X509_PUBKEY); - if (ver >= 1) /* version 2 extensions */ - { - if (ret->issuerUID != NULL) - { - M_ASN1_BIT_STRING_free(ret->issuerUID); - ret->issuerUID=NULL; - } - if (ret->subjectUID != NULL) - { - M_ASN1_BIT_STRING_free(ret->subjectUID); - ret->subjectUID=NULL; - } - M_ASN1_D2I_get_IMP_opt(ret->issuerUID,d2i_ASN1_BIT_STRING, 1, - V_ASN1_BIT_STRING); - M_ASN1_D2I_get_IMP_opt(ret->subjectUID,d2i_ASN1_BIT_STRING, 2, - V_ASN1_BIT_STRING); - } -/* Note: some broken certificates include extensions but don't set - * the version number properly. By bypassing this check they can - * be parsed. - */ - -#ifdef VERSION_EXT_CHECK - if (ver >= 2) /* version 3 extensions */ -#endif - { - if (ret->extensions != NULL) - while (sk_X509_EXTENSION_num(ret->extensions)) - X509_EXTENSION_free( - sk_X509_EXTENSION_pop(ret->extensions)); - M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions, - d2i_X509_EXTENSION, - X509_EXTENSION_free,3, - V_ASN1_SEQUENCE); - } - M_ASN1_D2I_Finish(a,X509_CINF_free,ASN1_F_D2I_X509_CINF); - } - -X509_CINF *X509_CINF_new(void) - { - X509_CINF *ret=NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret,X509_CINF); - ret->version=NULL; - M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new); - M_ASN1_New(ret->signature,X509_ALGOR_new); - M_ASN1_New(ret->issuer,X509_NAME_new); - M_ASN1_New(ret->validity,X509_VAL_new); - M_ASN1_New(ret->subject,X509_NAME_new); - M_ASN1_New(ret->key,X509_PUBKEY_new); - ret->issuerUID=NULL; - ret->subjectUID=NULL; - ret->extensions=NULL; - return(ret); - M_ASN1_New_Error(ASN1_F_X509_CINF_NEW); - } - -void X509_CINF_free(X509_CINF *a) - { - if (a == NULL) return; - M_ASN1_INTEGER_free(a->version); - M_ASN1_INTEGER_free(a->serialNumber); - X509_ALGOR_free(a->signature); - X509_NAME_free(a->issuer); - X509_VAL_free(a->validity); - X509_NAME_free(a->subject); - X509_PUBKEY_free(a->key); - M_ASN1_BIT_STRING_free(a->issuerUID); - M_ASN1_BIT_STRING_free(a->subjectUID); - sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free); - OPENSSL_free(a); - } - From 5d6383c83f34a9c8612a6eedd484d41e4be4974c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 28 Mar 2004 12:40:11 +0000 Subject: [PATCH 104/112] Make {i2v,v2i}_ASN1_BIT_STRING global. make update --- TABLE | 2 +- crypto/x509v3/v3_bitst.c | 10 ++-------- crypto/x509v3/x509v3.h | 7 +++++++ util/libeay.num | 3 +++ 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/TABLE b/TABLE index 429e627b9..1500669de 100644 --- a/TABLE +++ b/TABLE @@ -2027,7 +2027,7 @@ $arflags = *** debug-steve $cc = gcc -$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c index 16cf12556..42d5f8bef 100644 --- a/crypto/x509v3/v3_bitst.c +++ b/crypto/x509v3/v3_bitst.c @@ -61,12 +61,6 @@ #include #include -static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, - ASN1_BIT_STRING *bits, - STACK_OF(CONF_VALUE) *extlist); - static BIT_STRING_BITNAME ns_cert_type_table[] = { {0, "SSL Client", "client"}, {1, "SSL Server", "server"}, @@ -97,7 +91,7 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); -static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, +STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) { BIT_STRING_BITNAME *bnam; @@ -108,7 +102,7 @@ static STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, return ret; } -static ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, +ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval) { CONF_VALUE *val; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index d3c06f581..89cc3c49d 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -452,6 +452,13 @@ DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD) DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) + +ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); +STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, + ASN1_BIT_STRING *bits, + STACK_OF(CONF_VALUE) *extlist); + STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); diff --git a/util/libeay.num b/util/libeay.num index 3d3ab3dbd..e86af1b7d 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -3179,3 +3179,6 @@ X509_policy_lib_init 3607 EXIST::FUNCTION: asn1_const_Finish 3608 EXIST::FUNCTION: X509_policy_check 3609 EXIST::FUNCTION: AES_cfb1_encrypt 3610 EXIST::FUNCTION:AES +X509_STORE_CTX_set0_crls 3611 EXIST::FUNCTION: +v2i_ASN1_BIT_STRING 3612 EXIST::FUNCTION: +i2v_ASN1_BIT_STRING 3613 EXIST::FUNCTION: From 216659eb87485402a8e861a6de77233d1f5d7425 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 28 Mar 2004 17:38:00 +0000 Subject: [PATCH 105/112] Enhance EVP code to generate random symmetric keys of the appropriate form, for example correct DES parity. Update S/MIME code and EVP_SealInit to use new functions. PR: 700 --- CHANGES | 10 +++++++ crypto/evp/e_des.c | 38 ++++++++++++++++++++----- crypto/evp/e_des3.c | 62 +++++++++++++++++++++++++++++++++-------- crypto/evp/evp.h | 4 +++ crypto/evp/evp_enc.c | 10 +++++++ crypto/evp/p_seal.c | 2 +- crypto/pkcs7/pk7_doit.c | 15 ++++++---- 7 files changed, 116 insertions(+), 25 deletions(-) diff --git a/CHANGES b/CHANGES index c5c2ebba9..a72d5d6ea 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,16 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. + This will generate a random key of the appropriate length based on the + cipher context. The EVP_CIPHER can provide its own random key generation + routine to support keys of a specific form. This is used in the des and + 3des routines to generate a key of the correct parity. Update S/MIME + code to use new functions and hence generate correct parity DES keys. + Add EVP_CHECK_DES_KEY #define to return an error if the key is not + valid (weak or incorrect parity). + [Steve Henson] + *) Add a local set of CRLs that can be used by X509_verify_cert() as well as looking them up. This is useful when the verified structure may contain CRLs, for example PKCS#7 signedData. Modify PKCS7_verify() to use any CRLs diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index f2554ecc6..856323648 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -63,9 +63,11 @@ #include #include "evp_locl.h" #include +#include static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); +static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); /* Because of various casts and different names can't use IMPLEMENT_BLOCK_CIPHER */ @@ -127,26 +129,48 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64, - 0, des_init_key, NULL, + EVP_CIPH_RAND_KEY, des_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, - NULL) + des_ctrl) -BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,0,des_init_key,NULL, +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1, + EVP_CIPH_RAND_KEY, des_init_key,NULL, EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv,NULL) + EVP_CIPHER_get_asn1_iv,des_ctrl) -BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,0,des_init_key,NULL, +BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8, + EVP_CIPH_RAND_KEY,des_init_key,NULL, EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv,NULL) + EVP_CIPHER_get_asn1_iv,des_ctrl) static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { DES_cblock *deskey = (DES_cblock *)key; - +#ifdef EVP_CHECK_DES_KEY + if(DES_set_key_checked(deskey,ctx->cipher_data) != 0) + return 0; +#else DES_set_key_unchecked(deskey,ctx->cipher_data); +#endif return 1; } +static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + + switch(type) + { + case EVP_CTRL_RAND_KEY: + if (RAND_bytes(ptr, 8) <= 0) + return 0; + DES_set_odd_parity((DES_cblock *)ptr); + return 1; + + default: + return -1; + } + } + #endif diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 86342fb95..ac148efab 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -63,6 +63,7 @@ #include #include "evp_locl.h" #include +#include static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,int enc); @@ -70,6 +71,8 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,int enc); +static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); + typedef struct { DES_key_schedule ks1;/* key schedule */ @@ -161,10 +164,10 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, - 0, des_ede_init_key, NULL, + EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, - NULL) + des3_ctrl) #define des_ede3_cfb64_cipher des_ede_cfb64_cipher #define des_ede3_ofb_cipher des_ede_ofb_cipher @@ -172,28 +175,35 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, #define des_ede3_ecb_cipher des_ede_ecb_cipher BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, - 0, des_ede3_init_key, NULL, + EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, - NULL) + des3_ctrl) -BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0, - des_ede3_init_key,NULL, +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1, + EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL, EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv,NULL) + EVP_CIPHER_get_asn1_iv, + des3_ctrl) -BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0, - des_ede3_init_key,NULL, +BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8, + EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL, EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv,NULL) + EVP_CIPHER_get_asn1_iv, + des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) { DES_cblock *deskey = (DES_cblock *)key; - +#ifdef EVP_CHECK_DES_KEY + if (DES_set_key_checked(&deskey[0],&data(ctx)->ks1) + !! DES_set_key_checked(&deskey[1],&data(ctx)->ks2)) + return 0; +#else DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1); DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2); +#endif memcpy(&data(ctx)->ks3,&data(ctx)->ks1, sizeof(data(ctx)->ks1)); return 1; @@ -214,13 +224,41 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, } #endif /* KSSL_DEBUG */ +#ifdef EVP_CHECK_DES_KEY + if (DES_set_key_checked(&deskey[0],&data(ctx)->ks1) + || DES_set_key_checked(&deskey[1],&data(ctx)->ks2) + || DES_set_key_checked(&deskey[2],&data(ctx)->ks3)) + return 0; +#else DES_set_key_unchecked(&deskey[0],&data(ctx)->ks1); DES_set_key_unchecked(&deskey[1],&data(ctx)->ks2); DES_set_key_unchecked(&deskey[2],&data(ctx)->ks3); - +#endif return 1; } +static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + + DES_cblock *deskey = ptr; + + switch(type) + { + case EVP_CTRL_RAND_KEY: + if (RAND_bytes(ptr, c->key_len) <= 0) + return 0; + DES_set_odd_parity(deskey); + if (c->key_len >= 16) + DES_set_odd_parity(deskey + 1); + if (c->key_len >= 24) + DES_set_odd_parity(deskey + 2); + return 1; + + default: + return -1; + } + } + const EVP_CIPHER *EVP_des_ede(void) { return &des_ede_ecb; diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index ce5c210f6..6adbe891a 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -332,6 +332,8 @@ struct evp_cipher_st #define EVP_CIPH_CUSTOM_KEY_LENGTH 0x80 /* Don't use standard block padding */ #define EVP_CIPH_NO_PADDING 0x100 +/* cipher handles random key generation */ +#define EVP_CIPH_RAND_KEY 0x200 /* ctrl() values */ @@ -341,6 +343,7 @@ struct evp_cipher_st #define EVP_CTRL_SET_RC2_KEY_BITS 0x3 #define EVP_CTRL_GET_RC5_ROUNDS 0x4 #define EVP_CTRL_SET_RC5_ROUNDS 0x5 +#define EVP_CTRL_RAND_KEY 0x6 typedef struct evp_cipher_info_st { @@ -567,6 +570,7 @@ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *c, int pad); int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); +int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key); #ifndef OPENSSL_NO_BIO BIO_METHOD *BIO_f_md(void); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index cecb09cbe..b5236b976 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -534,3 +534,13 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) } return ret; } + +int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) + { + if (ctx->cipher->flags & EVP_CIPH_RAND_KEY) + return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key); + if (RAND_bytes(key, ctx->key_len) <= 0) + return 0; + return 1; + } + diff --git a/crypto/evp/p_seal.c b/crypto/evp/p_seal.c index 37e547fe7..8cc8fcb0b 100644 --- a/crypto/evp/p_seal.c +++ b/crypto/evp/p_seal.c @@ -78,7 +78,7 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek } if ((npubk <= 0) || !pubk) return 1; - if (RAND_bytes(key,EVP_MAX_KEY_LENGTH) <= 0) + if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; if (EVP_CIPHER_CTX_iv_length(ctx)) RAND_pseudo_bytes(iv,EVP_CIPHER_CTX_iv_length(ctx)); diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 0b262fa06..25483bc15 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -215,11 +215,14 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) BIO_get_cipher_ctx(btmp, &ctx); keylen=EVP_CIPHER_key_length(evp_cipher); ivlen=EVP_CIPHER_iv_length(evp_cipher); - if (RAND_bytes(key,keylen) <= 0) - goto err; xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen); - EVP_CipherInit_ex(ctx, evp_cipher, NULL, key, iv, 1); + if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) + goto err; + if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) + goto err; + if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) + goto err; if (ivlen > 0) { if (xalg->parameter == NULL) @@ -440,7 +443,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) evp_ctx=NULL; BIO_get_cipher_ctx(etmp,&evp_ctx); - EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0); + if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) + goto err; if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) goto err; @@ -456,7 +460,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) goto err; } } - EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0); + if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0) <= 0) + goto err; OPENSSL_cleanse(tmp,jj); From 1a979201d5b099edbc1e3ad2fb157ee058091a40 Mon Sep 17 00:00:00 2001 From: Andy Polyakov Date: Sun, 28 Mar 2004 21:27:47 +0000 Subject: [PATCH 106/112] This is essentially Intel 32-bit compiler tune-up. To start with all available compiler versions generated bogus machine code trying to compile new crypto/des/cfb_enc.c. Secondly, 8th version defines __GNUC__ macro, but fails to compile *some* inline assembler correctly. Note that all versions of icc implement MSC-like _lrot[rl] intrinsic, which is used now instead of offensive asm. Finally, unnecessary linker dependencies are eliminated. Most notably dependency from libirc.a caused trouble at application start-up, if libcrypto.so is linked with -Bsymbolic (which it is). --- Configure | 17 ++++++++++- crypto/des/cfb_enc.c | 65 ++++++++++++++++++++++++++++--------------- crypto/des/des_locl.h | 2 +- crypto/md32_common.h | 4 +-- crypto/rc5/rc5_locl.h | 2 +- 5 files changed, 62 insertions(+), 28 deletions(-) diff --git a/Configure b/Configure index 829f9b37a..d52e90d20 100755 --- a/Configure +++ b/Configure @@ -378,7 +378,7 @@ my %table=( # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-pentium", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ppro", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -1164,6 +1164,21 @@ else $openssl_other_defines.="#define OPENSSL_NO_STATIC_ENGINE\n"; } +# Compiler fix-ups +if ($target =~ /icc$/) + { + my($iccver)=`$cc -V 2>&1`; + if ($iccver =~ /Version ([0-9]+)\./) { $iccver=$1; } + else { $iccver=0; } + if ($iccver>=8) + { + # Eliminate unnecessary dependency from libirc.a. This is + # essential for shared library support, as otherwise + # apps/openssl can end up in endless loop upon startup... + $cflags.=" -Dmemcpy=__builtin_memcpy -Dmemset=__builtin_memset"; + } + } + if ($sys_id ne "") { #$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags"; diff --git a/crypto/des/cfb_enc.c b/crypto/des/cfb_enc.c index 0013556c7..6738e7c0e 100644 --- a/crypto/des/cfb_enc.c +++ b/crypto/des/cfb_enc.c @@ -58,6 +58,7 @@ #include "e_os.h" #include "des_locl.h" +#include /* The input and output are loaded in multiples of 8 bits. * What this means is that if you hame numbits=12 and length=2 @@ -73,12 +74,22 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, { register DES_LONG d0,d1,v0,v1; register unsigned long l=length; - register int num=numbits,n=(numbits+7)/8,i; + register int num=numbits/8,n=(numbits+7)/8,i,rem=numbits%8; DES_LONG ti[2]; unsigned char *iv; +#ifndef L_ENDIAN unsigned char ovec[16]; +#else + unsigned int sh[4]; + unsigned char *ovec=(unsigned char *)sh; - if (num > 64) return; + /* I kind of count that compiler optimizes away this assertioni,*/ + assert (sizeof(sh[0])==4); /* as this holds true for all, */ + /* but 16-bit platforms... */ + +#endif + + if (numbits<=0 || numbits > 64) return; iv = &(*ivec)[0]; c2l(iv,v0); c2l(iv,v1); @@ -98,29 +109,34 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, out+=n; /* 30-08-94 - eay - changed because l>>32 and * l<<32 are bad under gcc :-( */ - if (num == 32) + if (numbits == 32) { v0=v1; v1=d0; } - else if (num == 64) + else if (numbits == 64) { v0=d0; v1=d1; } else { +#ifndef L_ENDIAN iv=&ovec[0]; l2c(v0,iv); l2c(v1,iv); l2c(d0,iv); l2c(d1,iv); - /* shift ovec left most of the bits... */ - memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); - /* now the remaining bits */ - if(num%8 != 0) +#else + sh[0]=v0, sh[1]=v1, sh[2]=d0, sh[3]=d1; +#endif + if (rem==0) + memcpy(ovec,ovec+num,8); + else for(i=0 ; i < 8 ; ++i) - { - ovec[i]<<=num%8; - ovec[i]|=ovec[i+1]>>(8-num%8); - } + ovec[i]=ovec[i+num]<>(8-rem); +#ifdef L_ENDIAN + v0=sh[0], v1=sh[1]; +#else iv=&ovec[0]; c2l(iv,v0); c2l(iv,v1); +#endif } } } @@ -136,29 +152,34 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, in+=n; /* 30-08-94 - eay - changed because l>>32 and * l<<32 are bad under gcc :-( */ - if (num == 32) + if (numbits == 32) { v0=v1; v1=d0; } - else if (num == 64) + else if (numbits == 64) { v0=d0; v1=d1; } else { +#ifndef L_ENDIAN iv=&ovec[0]; l2c(v0,iv); l2c(v1,iv); l2c(d0,iv); l2c(d1,iv); - /* shift ovec left most of the bits... */ - memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0)); - /* now the remaining bits */ - if(num%8 != 0) +#else + sh[0]=v0, sh[1]=v1, sh[2]=d0, sh[3]=d1; +#endif + if (rem==0) + memcpy (ovec,ovec+num,8); + else for(i=0 ; i < 8 ; ++i) - { - ovec[i]<<=num%8; - ovec[i]|=ovec[i+1]>>(8-num%8); - } + ovec[i]=ovec[i+num]<>(8-rem); +#ifdef L_ENDIAN + v0=sh[0], v1=sh[1]; +#else iv=&ovec[0]; c2l(iv,v0); c2l(iv,v1); +#endif } d0^=ti[0]; d1^=ti[1]; diff --git a/crypto/des/des_locl.h b/crypto/des/des_locl.h index e44e8e98b..f992697b0 100644 --- a/crypto/des/des_locl.h +++ b/crypto/des/des_locl.h @@ -160,7 +160,7 @@ } \ } -#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER) +#if (defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)) || defined(__ICC) #define ROTATE(a,n) (_lrotr(a,n)) #elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) # if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__) diff --git a/crypto/md32_common.h b/crypto/md32_common.h index 0cdc06e31..307ec30df 100644 --- a/crypto/md32_common.h +++ b/crypto/md32_common.h @@ -179,13 +179,11 @@ */ #undef ROTATE #ifndef PEDANTIC -# if 0 /* defined(_MSC_VER) */ +# if defined(_MSC_VER) || defined(__ICC) # define ROTATE(a,n) _lrotl(a,n) # elif defined(__MWERKS__) # if defined(__POWERPC__) # define ROTATE(a,n) __rlwinm(a,n,0,31) -# elif defined(OPENSSL_SYSNAME_NETWARE) -# define ROTATE(a,n) _lrotl(a,n) # elif defined(__MC68K__) /* Motorola specific tweak. */ # define ROTATE(a,n) ( n<24 ? __rol(a,n) : __ror(a,32-n) ) diff --git a/crypto/rc5/rc5_locl.h b/crypto/rc5/rc5_locl.h index f4ebc2300..282dd3882 100644 --- a/crypto/rc5/rc5_locl.h +++ b/crypto/rc5/rc5_locl.h @@ -146,7 +146,7 @@ *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \ *((c)++)=(unsigned char)(((l) )&0xff)) -#if defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER) +#if (defined(OPENSSL_SYS_WIN32) && defined(_MSC_VER)) || defined(__ICC) #define ROTATE_l32(a,n) _lrotl(a,n) #define ROTATE_r32(a,n) _lrotr(a,n) #elif defined(__GNUC__) && __GNUC__>=2 && !defined(__STRICT_ANSI__) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) && !defined(PEDANTIC) From ab23d5ffda681e639485e9b1fce795975a48903b Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Mon, 29 Mar 2004 08:13:49 +0000 Subject: [PATCH 107/112] Add symbol hacks for some long names. make update --- crypto/evp/Makefile.ssl | 14 ++++---- crypto/symhacks.h | 54 ++++++++++++++++++++++++++++ util/libeay.num | 79 +++++++++++++++++++++++++++-------------- 3 files changed, 115 insertions(+), 32 deletions(-) diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 0f9fd4b3d..f3de16a6f 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -238,9 +238,10 @@ e_des.o: ../../include/openssl/err.h ../../include/openssl/evp.h e_des.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h e_des.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_des.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -e_des.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -e_des.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -e_des.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des.c evp_locl.h +e_des.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h +e_des.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +e_des.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +e_des.o: ../cryptlib.h e_des.c evp_locl.h e_des3.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_des3.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_des3.o: ../../include/openssl/crypto.h ../../include/openssl/des.h @@ -249,9 +250,10 @@ e_des3.o: ../../include/openssl/err.h ../../include/openssl/evp.h e_des3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h e_des3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h e_des3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h -e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h +e_des3.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h +e_des3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +e_des3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h +e_des3.o: ../cryptlib.h e_des3.c evp_locl.h e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_idea.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h e_idea.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h diff --git a/crypto/symhacks.h b/crypto/symhacks.h index 9a46a2a21..67fa4304b 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h @@ -127,6 +127,10 @@ /* Hack some long X509 names */ #undef X509_REVOKED_get_ext_by_critical #define X509_REVOKED_get_ext_by_critical X509_REVOKED_get_ext_by_critic +#undef X509_policy_tree_get0_user_policies +#define X509_policy_tree_get0_user_policies X509_pcy_tree_get0_usr_policies +#undef X509_policy_node_get0_qualifiers +#define X509_policy_node_get0_qualifiers X509_pcy_node_get0_qualifiers /* Hack some long CRYPTO names */ #undef CRYPTO_set_dynlock_destroy_callback @@ -288,6 +292,56 @@ #undef ec_GFp_simple_group_check_discriminant #define ec_GFp_simple_group_check_discriminant ec_GFp_simple_grp_chk_discrim +/* Hack som long STORE names */ +#undef STORE_method_set_initialise_function +#define STORE_method_set_initialise_function STORE_meth_set_initialise_fn +#undef STORE_method_set_cleanup_function +#define STORE_method_set_cleanup_function STORE_meth_set_cleanup_fn +#undef STORE_method_set_generate_function +#define STORE_method_set_generate_function STORE_meth_set_generate_fn +#undef STORE_method_set_modify_function +#define STORE_method_set_modify_function STORE_meth_set_modify_fn +#undef STORE_method_set_revoke_function +#define STORE_method_set_revoke_function STORE_meth_set_revoke_fn +#undef STORE_method_set_delete_function +#define STORE_method_set_delete_function STORE_meth_set_delete_fn +#undef STORE_method_set_list_start_function +#define STORE_method_set_list_start_function STORE_meth_set_list_start_fn +#undef STORE_method_set_list_next_function +#define STORE_method_set_list_next_function STORE_meth_set_list_next_fn +#undef STORE_method_set_list_end_function +#define STORE_method_set_list_end_function STORE_meth_set_list_end_fn +#undef STORE_method_set_update_store_function +#define STORE_method_set_update_store_function STORE_meth_set_update_store_fn +#undef STORE_method_set_lock_store_function +#define STORE_method_set_lock_store_function STORE_meth_set_lock_store_fn +#undef STORE_method_set_unlock_store_function +#define STORE_method_set_unlock_store_function STORE_meth_set_unlock_store_fn +#undef STORE_method_get_initialise_function +#define STORE_method_get_initialise_function STORE_meth_get_initialise_fn +#undef STORE_method_get_cleanup_function +#define STORE_method_get_cleanup_function STORE_meth_get_cleanup_fn +#undef STORE_method_get_generate_function +#define STORE_method_get_generate_function STORE_meth_get_generate_fn +#undef STORE_method_get_modify_function +#define STORE_method_get_modify_function STORE_meth_get_modify_fn +#undef STORE_method_get_revoke_function +#define STORE_method_get_revoke_function STORE_meth_get_revoke_fn +#undef STORE_method_get_delete_function +#define STORE_method_get_delete_function STORE_meth_get_delete_fn +#undef STORE_method_get_list_start_function +#define STORE_method_get_list_start_function STORE_meth_get_list_start_fn +#undef STORE_method_get_list_next_function +#define STORE_method_get_list_next_function STORE_meth_get_list_next_fn +#undef STORE_method_get_list_end_function +#define STORE_method_get_list_end_function STORE_meth_get_list_end_fn +#undef STORE_method_get_update_store_function +#define STORE_method_get_update_store_function STORE_meth_get_update_store_fn +#undef STORE_method_get_lock_store_function +#define STORE_method_get_lock_store_function STORE_meth_get_lock_store_fn +#undef STORE_method_get_unlock_store_function +#define STORE_method_get_unlock_store_function STORE_meth_get_unlock_store_fn + #endif /* defined OPENSSL_SYS_VMS */ diff --git a/util/libeay.num b/util/libeay.num index e86af1b7d..2a7d024ab 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2807,7 +2807,8 @@ ERR_release_err_state_table 3247 EXIST::FUNCTION:LHASH ERR_set_mark 3248 EXIST::FUNCTION: ENGINE_set_STORE 3249 EXIST::FUNCTION:ENGINE ENGINE_register_ECDSA 3250 EXIST::FUNCTION:ENGINE -STORE_method_set_list_start_function 3251 EXIST::FUNCTION: +STORE_method_set_list_start_function 3251 EXIST:!VMS:FUNCTION: +STORE_meth_set_list_start_fn 3251 EXIST:VMS:FUNCTION: NAME_CONSTRAINTS_free 3252 EXIST::FUNCTION: STORE_ATTR_INFO_set_number 3253 EXIST::FUNCTION: POLICY_MAPPING_it 3254 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -2822,7 +2823,8 @@ NAME_CONSTRAINTS_it 3261 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIA NAME_CONSTRAINTS_it 3261 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: ECDH_get_default_method 3262 EXIST::FUNCTION:ECDH PKCS12_add_safe 3263 EXIST::FUNCTION: -STORE_method_get_update_store_function 3264 EXIST::FUNCTION: +STORE_method_get_update_store_function 3264 EXIST:!VMS:FUNCTION: +STORE_meth_get_update_store_fn 3264 EXIST:VMS:FUNCTION: ENGINE_register_ECDH 3265 EXIST::FUNCTION:ENGINE i2d_ECPrivateKey 3266 EXIST::FUNCTION:EC BN_get0_nist_prime_192 3267 EXIST::FUNCTION: @@ -2841,7 +2843,8 @@ EC_KEY_copy 3278 EXIST::FUNCTION:EC EC_GROUP_check_discriminant 3279 EXIST::FUNCTION:EC i2o_ECPublicKey 3280 EXIST::FUNCTION:EC a2i_IPADDRESS 3281 EXIST::FUNCTION: -STORE_method_set_initialise_function 3282 EXIST::FUNCTION: +STORE_method_set_initialise_function 3282 EXIST:!VMS:FUNCTION: +STORE_meth_set_initialise_fn 3282 EXIST:VMS:FUNCTION: EC_POINT_point2bn 3283 EXIST::FUNCTION:EC STORE_ATTR_INFO_set_dn 3284 EXIST::FUNCTION: EC_GROUP_new_curve_GF2m 3285 EXIST::FUNCTION:EC @@ -2875,11 +2878,14 @@ EC_KEY_up_ref 3310 EXIST::FUNCTION:EC POLICY_MAPPING_free 3311 EXIST::FUNCTION: BN_GF2m_mod_div 3312 EXIST::FUNCTION: EC_KEY_free 3313 EXIST::FUNCTION:EC -STORE_method_set_list_next_function 3314 EXIST::FUNCTION: +STORE_method_set_list_next_function 3314 EXIST:!VMS:FUNCTION: +STORE_meth_set_list_next_fn 3314 EXIST:VMS:FUNCTION: PEM_write_bio_ECPrivateKey 3315 EXIST::FUNCTION:EC d2i_EC_PUBKEY 3316 EXIST::FUNCTION:EC -STORE_method_get_generate_function 3317 EXIST::FUNCTION: -STORE_method_set_list_end_function 3318 EXIST::FUNCTION: +STORE_method_get_generate_function 3317 EXIST:!VMS:FUNCTION: +STORE_meth_get_generate_fn 3317 EXIST:VMS:FUNCTION: +STORE_method_set_list_end_function 3318 EXIST:!VMS:FUNCTION: +STORE_meth_set_list_end_fn 3318 EXIST:VMS:FUNCTION: EC_GROUP_have_precompute_mult 3319 EXIST::FUNCTION:EC EC_KEY_print_fp 3320 EXIST::FUNCTION:EC,FP_API BN_GF2m_mod_arr 3321 EXIST::FUNCTION: @@ -2917,7 +2923,8 @@ i2d_ECPKParameters 3352 EXIST::FUNCTION:EC BN_GENCB_call 3353 EXIST::FUNCTION: BN_ncopy 3354 EXIST::FUNCTION: d2i_ECPKParameters 3355 EXIST::FUNCTION:EC -STORE_method_set_generate_function 3356 EXIST::FUNCTION: +STORE_method_set_generate_function 3356 EXIST:!VMS:FUNCTION: +STORE_meth_set_generate_fn 3356 EXIST:VMS:FUNCTION: ENGINE_set_ECDH 3357 EXIST::FUNCTION:ENGINE NAME_CONSTRAINTS_new 3358 EXIST::FUNCTION: PEM_write_bio_EC_PUBKEY 3359 EXIST::FUNCTION:EC @@ -2925,12 +2932,14 @@ STORE_ATTR_INFO_set_cstr 3360 EXIST::FUNCTION: STORE_list_crl_next 3361 EXIST::FUNCTION: STORE_ATTR_INFO_in_range 3362 EXIST::FUNCTION: ECParameters_print 3363 EXIST::FUNCTION:BIO,EC -STORE_method_set_delete_function 3364 EXIST::FUNCTION: +STORE_method_set_delete_function 3364 EXIST:!VMS:FUNCTION: +STORE_meth_set_delete_fn 3364 EXIST:VMS:FUNCTION: STORE_list_certificate_next 3365 EXIST::FUNCTION: ASN1_generate_nconf 3366 EXIST::FUNCTION: BUF_memdup 3367 EXIST::FUNCTION: BN_GF2m_mod_mul 3368 EXIST::FUNCTION: -STORE_method_get_list_next_function 3369 EXIST::FUNCTION: +STORE_method_get_list_next_function 3369 EXIST:!VMS:FUNCTION: +STORE_meth_get_list_next_fn 3369 EXIST:VMS:FUNCTION: STORE_ATTR_INFO_get0_dn 3370 EXIST::FUNCTION: STORE_list_private_key_next 3371 EXIST::FUNCTION: EC_GROUP_set_seed 3372 EXIST::FUNCTION:EC @@ -2938,7 +2947,8 @@ STORE_ATTR_INFO_free 3373 EXIST::FUNCTION: STORE_get_private_key 3374 EXIST::FUNCTION: STORE_ATTR_INFO_new 3375 EXIST::FUNCTION: EC_GROUP_get_curve_GF2m 3376 EXIST::FUNCTION:EC -STORE_method_set_revoke_function 3377 EXIST::FUNCTION: +STORE_method_set_revoke_function 3377 EXIST:!VMS:FUNCTION: +STORE_meth_set_revoke_fn 3377 EXIST:VMS:FUNCTION: STORE_store_number 3378 EXIST::FUNCTION: BN_is_prime_ex 3379 EXIST::FUNCTION: STORE_revoke_public_key 3380 EXIST::FUNCTION: @@ -2960,11 +2970,13 @@ ECDSA_DATA_free 3395 EXIST::FUNCTION:ECDSA STORE_modify_private_key 3396 EXIST::FUNCTION: EC_METHOD_get_field_type 3397 EXIST::FUNCTION:EC EC_GFp_nist_method 3398 EXIST::FUNCTION:EC -STORE_method_set_modify_function 3399 EXIST::FUNCTION: +STORE_method_set_modify_function 3399 EXIST:!VMS:FUNCTION: +STORE_meth_set_modify_fn 3399 EXIST:VMS:FUNCTION: STORE_parse_attrs_next 3400 EXIST::FUNCTION: X509_CERT_PAIR_it 3401 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_CERT_PAIR_it 3401 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -STORE_method_get_revoke_function 3402 EXIST::FUNCTION: +STORE_method_get_revoke_function 3402 EXIST:!VMS:FUNCTION: +STORE_meth_get_revoke_fn 3402 EXIST:VMS:FUNCTION: STORE_method_set_get_function 3403 EXIST::FUNCTION: STORE_modify_number 3404 EXIST::FUNCTION: STORE_method_get_store_function 3405 EXIST::FUNCTION: @@ -2980,11 +2992,14 @@ ECDH_set_default_method 3414 EXIST::FUNCTION:ECDH EC_KEY_generate_key 3415 EXIST::FUNCTION:EC BN_GF2m_arr2poly 3416 EXIST::FUNCTION: STORE_method_get_get_function 3417 EXIST::FUNCTION: -STORE_method_set_cleanup_function 3418 EXIST::FUNCTION: +STORE_method_set_cleanup_function 3418 EXIST:!VMS:FUNCTION: +STORE_meth_set_cleanup_fn 3418 EXIST:VMS:FUNCTION: EC_GROUP_check 3419 EXIST::FUNCTION:EC d2i_ECPrivateKey_bio 3420 EXIST::FUNCTION:BIO,EC -STORE_method_get_lock_store_function 3421 EXIST::FUNCTION: -STORE_method_set_update_store_function 3422 EXIST::FUNCTION: +STORE_method_get_lock_store_function 3421 EXIST:!VMS:FUNCTION: +STORE_meth_get_lock_store_fn 3421 EXIST:VMS:FUNCTION: +STORE_method_set_update_store_function 3422 EXIST:!VMS:FUNCTION: +STORE_meth_set_update_store_fn 3422 EXIST:VMS:FUNCTION: d2i_ECPrivateKey 3423 EXIST::FUNCTION:EC ASN1_item_ndef_i2d 3424 EXIST::FUNCTION: STORE_delete_private_key 3425 EXIST::FUNCTION: @@ -3001,25 +3016,29 @@ X509_CERT_PAIR_free 3435 EXIST::FUNCTION: STORE_revoke_private_key 3436 EXIST::FUNCTION: BN_nist_mod_224 3437 EXIST::FUNCTION: STORE_ATTR_INFO_modify_dn 3438 EXIST::FUNCTION: -STORE_method_get_initialise_function 3439 EXIST::FUNCTION: +STORE_method_get_initialise_function 3439 EXIST:!VMS:FUNCTION: +STORE_meth_get_initialise_fn 3439 EXIST:VMS:FUNCTION: STORE_delete_number 3440 EXIST::FUNCTION: i2d_EC_PUBKEY_bio 3441 EXIST::FUNCTION:BIO,EC EC_GROUP_get_asn1_flag 3442 EXIST::FUNCTION:EC STORE_ATTR_INFO_in_ex 3443 EXIST::FUNCTION: STORE_list_crl_start 3444 EXIST::FUNCTION: ECDH_get_ex_new_index 3445 EXIST::FUNCTION:ECDH -STORE_method_get_modify_function 3446 EXIST::FUNCTION: +STORE_method_get_modify_function 3446 EXIST:!VMS:FUNCTION: +STORE_meth_get_modify_fn 3446 EXIST:VMS:FUNCTION: STORE_store_certificate 3447 EXIST::FUNCTION: OBJ_bsearch_ex 3448 EXIST::FUNCTION: STORE_ATTR_INFO_set_sha1str 3449 EXIST::FUNCTION: BN_GF2m_mod_inv 3450 EXIST::FUNCTION: BN_GF2m_mod_exp 3451 EXIST::FUNCTION: STORE_modify_public_key 3452 EXIST::FUNCTION: -STORE_method_get_list_start_function 3453 EXIST::FUNCTION: +STORE_method_get_list_start_function 3453 EXIST:!VMS:FUNCTION: +STORE_meth_get_list_start_fn 3453 EXIST:VMS:FUNCTION: EC_GROUP_get0_seed 3454 EXIST::FUNCTION:EC ecdsa_check 3455 EXIST::FUNCTION:ECDSA STORE_store_arbitrary 3456 EXIST::FUNCTION: -STORE_method_set_unlock_store_function 3457 EXIST::FUNCTION: +STORE_method_set_unlock_store_function 3457 EXIST:!VMS:FUNCTION: +STORE_meth_set_unlock_store_fn 3457 EXIST:VMS:FUNCTION: BN_GF2m_mod_div_arr 3458 EXIST::FUNCTION: ENGINE_set_ECDSA 3459 EXIST::FUNCTION:ENGINE STORE_create_method 3460 EXIST::FUNCTION: @@ -3043,7 +3062,8 @@ EC_GROUP_cmp 3475 EXIST::FUNCTION:EC STORE_revoke_certificate 3476 EXIST::FUNCTION: ECDH_DATA_new_method 3477 EXIST::FUNCTION:ECDH BN_get0_nist_prime_256 3478 EXIST::FUNCTION: -STORE_method_get_delete_function 3479 EXIST::FUNCTION: +STORE_method_get_delete_function 3479 EXIST:!VMS:FUNCTION: +STORE_meth_get_delete_fn 3479 EXIST:VMS:FUNCTION: PEM_read_ECPrivateKey 3480 EXIST:!WIN16:FUNCTION:EC STORE_parse_attrs_endp 3481 EXIST::FUNCTION: ERR_load_ECDSA_strings 3482 EXIST::FUNCTION:ECDSA @@ -3079,7 +3099,8 @@ STORE_delete_certificate 3509 EXIST::FUNCTION: STORE_method_get_ctrl_function 3510 EXIST::FUNCTION: STORE_free 3511 EXIST::FUNCTION: PEM_write_ECPrivateKey 3512 EXIST:!WIN16:FUNCTION:EC -STORE_method_get_unlock_store_function 3513 EXIST::FUNCTION: +STORE_method_get_unlock_store_function 3513 EXIST:!VMS:FUNCTION: +STORE_meth_get_unlock_store_fn 3513 EXIST:VMS:FUNCTION: STORE_get_ex_data 3514 EXIST::FUNCTION: PEM_read_ECPKParameters 3515 EXIST:!WIN16:FUNCTION:EC X509_CERT_PAIR_new 3516 EXIST::FUNCTION: @@ -3108,7 +3129,8 @@ STORE_ATTR_INFO_modify_sha1str 3536 EXIST::FUNCTION: BN_generate_prime_ex 3537 EXIST::FUNCTION: DH_generate_parameters_ex 3538 EXIST::FUNCTION:DH PEM_read_bio_ECPrivateKey 3539 EXIST::FUNCTION:EC -STORE_method_get_cleanup_function 3540 EXIST::FUNCTION: +STORE_method_get_cleanup_function 3540 EXIST:!VMS:FUNCTION: +STORE_meth_get_cleanup_fn 3540 EXIST:VMS:FUNCTION: ENGINE_get_ECDH 3541 EXIST::FUNCTION:ENGINE d2i_ECDSA_SIG 3542 EXIST::FUNCTION:ECDSA BN_is_prime_fasttest_ex 3543 EXIST::FUNCTION: @@ -3128,7 +3150,8 @@ STORE_get_crl 3556 EXIST::FUNCTION: EC_GF2m_simple_method 3557 EXIST::FUNCTION:EC ECDSA_set_ex_data 3558 EXIST::FUNCTION:ECDSA EC_KEY_print 3559 EXIST::FUNCTION:BIO,EC -STORE_method_set_lock_store_function 3560 EXIST::FUNCTION: +STORE_method_set_lock_store_function 3560 EXIST:!VMS:FUNCTION: +STORE_meth_set_lock_store_fn 3560 EXIST:VMS:FUNCTION: ECDSA_get_ex_new_index 3561 EXIST::FUNCTION:ECDSA POLICY_MAPPING_new 3562 EXIST::FUNCTION: STORE_list_certificate_endp 3563 EXIST::FUNCTION: @@ -3138,7 +3161,8 @@ d2i_EC_PUBKEY_fp 3566 EXIST::FUNCTION:EC,FP_API ecdh_check 3567 EXIST::FUNCTION:ECDH ECDSA_DATA_new_method 3568 EXIST::FUNCTION:ECDSA PEM_read_bio_X509_CERT_PAIR 3569 EXIST::FUNCTION: -STORE_method_get_list_end_function 3570 EXIST::FUNCTION: +STORE_method_get_list_end_function 3570 EXIST:!VMS:FUNCTION: +STORE_meth_get_list_end_fn 3570 EXIST:VMS:FUNCTION: ENGINE_set_default_ECDH 3571 EXIST::FUNCTION:ENGINE STORE_new_method 3572 EXIST::FUNCTION: PKCS12_add_key 3573 EXIST::FUNCTION: @@ -3165,7 +3189,8 @@ EVP_des_ede3_cfb1 3593 EXIST::FUNCTION:DES X509_policy_node_get0_parent 3594 EXIST::FUNCTION: X509_policy_tree_get0_policies 3595 EXIST::FUNCTION: X509_policy_level_node_count 3596 EXIST::FUNCTION: -X509_policy_node_get0_qualifiers 3597 EXIST::FUNCTION: +X509_policy_node_get0_qualifiers 3597 EXIST:!VMS:FUNCTION: +X509_pcy_node_get0_qualifiers 3597 EXIST:VMS:FUNCTION: X509_policy_node_get0_policy 3598 EXIST::FUNCTION: X509_policy_tree_free 3599 EXIST::FUNCTION: AES_cfbr_encrypt_block 3600 EXIST::FUNCTION:AES @@ -3174,7 +3199,8 @@ X509_policy_level_get0_node 3602 EXIST::FUNCTION: X509_policy_tree_level_count 3603 EXIST::FUNCTION: X509_policy_tree_get0_level 3604 EXIST::FUNCTION: ASN1_const_check_infinite_end 3605 EXIST::FUNCTION: -X509_policy_tree_get0_user_policies 3606 EXIST::FUNCTION: +X509_policy_tree_get0_user_policies 3606 EXIST:!VMS:FUNCTION: +X509_pcy_tree_get0_usr_policies 3606 EXIST:VMS:FUNCTION: X509_policy_lib_init 3607 EXIST::FUNCTION: asn1_const_Finish 3608 EXIST::FUNCTION: X509_policy_check 3609 EXIST::FUNCTION: @@ -3182,3 +3208,4 @@ AES_cfb1_encrypt 3610 EXIST::FUNCTION:AES X509_STORE_CTX_set0_crls 3611 EXIST::FUNCTION: v2i_ASN1_BIT_STRING 3612 EXIST::FUNCTION: i2v_ASN1_BIT_STRING 3613 EXIST::FUNCTION: +EVP_CIPHER_CTX_rand_key 3614 EXIST::FUNCTION: From ecf139917dd7a4671a4bb1bf530f3b0ab5bb3bf1 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 31 Mar 2004 12:17:24 +0000 Subject: [PATCH 108/112] New function X509_POLICY_NODE_print() --- crypto/x509v3/pcy_int.h | 3 ++- crypto/x509v3/v3_cpols.c | 20 +++++++++++++++++++- crypto/x509v3/x509v3.h | 4 +++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509v3/pcy_int.h index 33d6adfb9..ba62a209d 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509v3/pcy_int.h @@ -188,7 +188,8 @@ struct X509_POLICY_TREE_st /* Useful macros */ -#define node_critical(node) ((node)->data->flags & POLICY_DATA_FLAG_CRITICAL) +#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL) +#define node_critical(node) node_data_critical(node->data) /* Internal functions */ diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index 0d554f3a2..62b34e1f9 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -63,6 +63,8 @@ #include #include +#include "pcy_int.h" + /* Certificate policies extension support: this one is a bit complex... */ static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out, int indent); @@ -420,3 +422,19 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent) notice->exptext->data); } +void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) + { + const X509_POLICY_DATA *dat = node->data; + + BIO_printf(out, "%*sPolicy: ", indent, ""); + + i2a_ASN1_OBJECT(out, dat->valid_policy); + BIO_puts(out, "\n"); + BIO_printf(out, "%*s%s\n", indent + 2, "", + node_data_critical(dat) ? "Critical" : "Non Critical"); + if (dat->qualifier_set) + print_qualifiers(out, dat->qualifier_set, indent + 2); + else + BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); + } + diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 89cc3c49d..677a930f7 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -3,7 +3,7 @@ * project 1999. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -604,6 +604,8 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, unsigned long chtype); +void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. From bf5773fa2d4b448ab8e0db0ecbcc0ac094ee492e Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 31 Mar 2004 12:55:33 +0000 Subject: [PATCH 109/112] Oops forgot CHANGES entry. --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index a72d5d6ea..baa2a8afe 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.7c and 0.9.8 [xx XXX xxxx] + *) New function X509_POLICY_NODE_print() which prints out policy nodes. + [Steve Henson] + *) Add new EVP function EVP_CIPHER_CTX_rand_key and associated functionality. This will generate a random key of the appropriate length based on the cipher context. The EVP_CIPHER can provide its own random key generation From b6a5fdb8a7fa643242b3abd6075553875e427b53 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 1 Apr 2004 22:23:46 +0000 Subject: [PATCH 110/112] Don't use C++ reserved word. --- crypto/x509/x509_vfy.h | 2 +- crypto/x509v3/pcy_tree.c | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index 3deb5e400..c9129ba5a 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -420,7 +420,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); -int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, +int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags); diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 9ac169c00..62eea0c4a 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -589,7 +589,7 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree) * -2 User constrained policy set empty and requireExplicit true. */ -int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, +int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags) @@ -599,7 +599,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; *ptree = NULL; - *explicit = 0; + *pexplicit_policy = 0; ret = tree_init(&tree, certs, flags); @@ -617,12 +617,12 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, /* Tree empty requireExplicit True: Error */ case 6: - *explicit = 1; + *pexplicit_policy = 1; return -2; /* Tree OK requireExplicit True: OK and continue */ case 5: - *explicit = 1; + *pexplicit_policy = 1; break; /* Tree OK: continue */ @@ -640,7 +640,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, if (ret == 2) { X509_policy_tree_free(tree); - if (*explicit) + if (*pexplicit_policy) return -2; else return 1; @@ -662,7 +662,7 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit, if (tree) *ptree = tree; - if (*explicit) + if (*pexplicit_policy) { nodes = X509_policy_tree_get0_user_policies(tree); if (sk_X509_POLICY_NODE_num(nodes) <= 0) From 2749276b95952d3898bc3b64373ade78a8f84fb7 Mon Sep 17 00:00:00 2001 From: Geoff Thorpe Date: Fri, 2 Apr 2004 06:25:11 +0000 Subject: [PATCH 111/112] Avoid undefined results when the parameter is out of range. --- crypto/stack/stack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index 1d2b47ee6..821b6caca 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -307,7 +307,7 @@ int sk_num(const STACK *st) char *sk_value(const STACK *st, int i) { - if(st == NULL) return NULL; + if(!st || (i < 0) || (i >= st->num)) return NULL; return st->data[i]; } From 28722cf2127b6541656d7ac320e22234a8a77e34 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 13 Apr 2004 17:47:37 +0000 Subject: [PATCH 112/112] Add some root CAs. --- certs/eng1.pem | 23 +++++++++++++++++++++++ certs/eng2.pem | 23 +++++++++++++++++++++++ certs/eng3.pem | 34 ++++++++++++++++++++++++++++++++++ certs/eng4.pem | 23 +++++++++++++++++++++++ certs/eng5.pem | 23 +++++++++++++++++++++++ 5 files changed, 126 insertions(+) create mode 100644 certs/eng1.pem create mode 100644 certs/eng2.pem create mode 100644 certs/eng3.pem create mode 100644 certs/eng4.pem create mode 100644 certs/eng5.pem diff --git a/certs/eng1.pem b/certs/eng1.pem new file mode 100644 index 000000000..7ed8b1b5e --- /dev/null +++ b/certs/eng1.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9CYW5rRW5n +aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz +aW9uMRMwEQYDVQQDEwpiYW5rZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBiYW5r +ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw +CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV +BAoTD0JhbmtFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmJhbmtlbmdpbmUxIDAeBgkqhkiG9w0B +CQEWEWNhQGJhbmtlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA14LoTUAl1/hEy+Kh1kLHiBdW2zD3V4IhM7xxTVKsYsIH56nr69ATTIxU +P36eRzeZ137qt1AxHFjDCidk3m1Ul6l59ProPexdslLLM2npM3f2cteg+toyiYiS +EJKjyzIu1xF1j9qzGkymSY/4DsXLZNk9FaczxMk/Ooc6Os1M3AverL4VG4rYIb6f +eR32cIKJ9Q1fGuyKk7ipq1XQfPW8a8TgZdbHbe7U9Gk3iasGMHHvpR9Ep3mGbgdT +uQ98SBEuIwe1BUCGg/MXpVy48MNXfAMotBgGw4pl9yqSjMni2FB+E9Q9DHFs2RgX +MqzKuo8zcPxKx2kZ6Arj8+27dw2clQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBBQUAA4IBAQBauupHX9EhpC/r57d6b5kkeWvognxIP9//TO4iw3qb +zIXEkPXmJmwVzlzoKJWqiya+aw19SP0+G6CzsFOBo/9ehmz+hZ8bhYX4MjlWzX5u +Tnkhz172j9fOBUmrTVPkcRIs6zjCD5PQAGoBPP1/Zdy2N36lZ0U7lg07Opirj/yJ +PSJeM2j0fwIFAroiVckvdT0BVwB6S/cPaAQGPghbbr1YGSmYrMriSv825ILJUfxz +rJYunGR9FiY9Ob7+jwJwiZMS4CxSPktutxr/3hOvr1+ALS7IcVakhhA3PuZAJbdH +FRclR9qMM8aBnBZmf+Uv3K3uhT+UBzzY654U9Yi1JYnA +-----END CERTIFICATE----- diff --git a/certs/eng2.pem b/certs/eng2.pem new file mode 100644 index 000000000..73066309b --- /dev/null +++ b/certs/eng2.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9DZXJ0RW5n +aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz +aW9uMRMwEQYDVQQDEwpjZXJ0ZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBjZXJ0 +ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw +CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV +BAoTD0NlcnRFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmNlcnRlbmdpbmUxIDAeBgkqhkiG9w0B +CQEWEWNhQGNlcnRlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA7aTXURShaeVt9u/dP3Q2dVib3jTCZvEyc6yfpGgaYWewXWuP4HOSfI4h +GZblbpl+dzJc6RjhR+pguIRtbT5FJB8SJGjRqoujBEOQOxtVtc2fjM9Dqh0iOvMW +WS6buxHG55GVrHAQaO5HXEScKQBa9ZyNmpSXPTEBrDMej1OAGOkc524/TZrgFPF4 +AiJLLkxCcP8NuzUKlW3WzNMSSoCtjkUKy4wjSLlAWCFM0T9Df6/+Z8ZUQTzHoKCD +ncH5Qnynd7DlOwKQ2JwwxRhYGiGVTUN0GUq7qA11kW3+vnbFesKQXoF6o2PVx9s2 +YXviI2NXXUjZ0pVnsnFCc45Pm8XojwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBBQUAA4IBAQBP/aHOKJ00Akzc9HWM1X30hlWZFBaQi4pqD4Uhk8+p +KzzwFP5DRLBOz8TYBbtdXrS6hxVMr2sqWmhVkuyepWhHZazKGyHY/y0FbOXsewAV +1QxxSyx7ve89pCKv4/w0rQcP916iHc8Y/TCpmz7eITa3GId+8H/XTaBi8GBp9X9O +w8m25FmEB1NT+eJwefvfdKowjy4tSorKdW/eJspxNuTSRGmUy8G71W5dYvgpAlx6 +mdnHyzxEGvRYNNI2bS0ifXgbEFNWqSas9q34ea5KOpkJu8T/KyXfSb6rPOsBSb0t +wMowwGtCVH2C4Lw/8zo0EjhMpTOsPaub408PrZ+NQ2bl +-----END CERTIFICATE----- diff --git a/certs/eng3.pem b/certs/eng3.pem new file mode 100644 index 000000000..28bcce2df --- /dev/null +++ b/certs/eng3.pem @@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF3TCCA8WgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9Gb3J0RW5n +aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz +aW9uMRMwEQYDVQQDEwpmb3J0ZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBmb3J0 +ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw +CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV +BAoTD0ZvcnRFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmZvcnRlbmdpbmUxIDAeBgkqhkiG9w0B +CQEWEWNhQGZvcnRlbmdpbmUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEAyr7GbpwDxx1v3EYbo0gcO+ligEhlDqG2e7u/AbWGoVAqc8+q6auUJUtz +4i7oh0yNadu1o9kpXW+znkgO0zlrgjGskqqMO1ooppzTJdFy/P8gR6x1Iuv3kWtX +OuzwPPEjv09LWlhyJsN+oU4ztTVf07I0Q9zYupcoDQ58XKRheI9KdDB2DYSmxywA +WSLQwIeG0Qa7gvokeQlpkgkEC7viEecJ3752KXBJHnh7As51mxnlpmG6sDy67Eli +HDw5tHETRqbtnscGBjskGQBqR5xt7+QnnthZrN8HJHDoa9zgGephwizhkL44lXLF +YK9W5XhFbblw2c+mAcHkokRiwD7CPeIoyD2a/Jcw3n5hegKTlNhd4BFGVF6JR7gF +OFk2QfHXit5uthsij9Xhl7WAgQUqLgggD9MphqPf4nY66OZUJV9ZsmB+Qfp8UizB +0WAOegactKVyRqHtRa+KIEXQXNtZgjcmMk9CYkP0nIbKtgKXaH6+9VMHNOryCnFE +7pSsuPUkypncFWCHGSeiFO3w4w4J4csltxBADQzxfRu5KZnlToQN7bVpI/Q31tVX +E5bjrJcq6Oj/OTqZ3ID+OqbkUdAg0ggjRKcTgxnLHd/AbMzJ6PsclDDf7cLs0WSl +xMxQR/z5bNST1rNtT9rsiv2TOhfvCBxO9AOjBioO8PLO032HTNECAwEAAaMQMA4w +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAgEAVyBpPWfT2VOyvVpslGKx +8h0+CWP8cilygGRtZJ5dAJzc//1REAHdvK+TgZ4Foz3dqHhXI+RNN0FpzuWaYMjW +ZTS0kAmcOQuGY1Oo4PGlPHI21pNz29oFDTJr0ZmLBJ4JKVsE2soJg55jdk9MZHA7 +K//7HH9RsmrWZOE5DZDlrxp6+naixhMwnlPKKisIy9GNZUPqGdUWABMdB/BUVVNl +NU5TtWpIXUClMd8a+eoKcItBeYXowkHOBpinPkDX3clFDIUfWiw0Ro08s8SrrFqR +8Szwbrj52Xv1RM56oGqCjnkvJctxihODV7NcpxoAFjIZokDom0q6zPrrTUsLFQov +Plovc3w5hmALiDMshaTvE1nm3Psn4yQ+FlRE8epTZrQiIGypZkZC6lcz0mYawueW +cThYWGFhVG4ktQzOjjNRsNxopW+W7cF1zQTxiWUDnxIKSj7gtdQ2jiubxEEhfVag +r8DMtAccNVTZVURpGi56TptOOuotrTqqC+2GviW4hlxvdvmuQN0OlXlUwzz2Trxc +FamNnuA54lZw/8arLtxsFmHrcnPw53+1spumLD0S5UkxHNu40h6LIVpZz3H+0rLz +uFofTfiyMjcfK2AyHQTgUCbsrvgNuLDQUbyFGVchdFUkhztX3DhEVnxnnrpY4BVj +QdTqWIvw7lGlSuDCjxEQAOc= +-----END CERTIFICATE----- diff --git a/certs/eng4.pem b/certs/eng4.pem new file mode 100644 index 000000000..9a7b15622 --- /dev/null +++ b/certs/eng4.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9NYWlsRW5n +aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz +aW9uMRMwEQYDVQQDEwptYWlsZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBtYWls +ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw +CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV +BAoTD01haWxFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo +b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCm1haWxlbmdpbmUxIDAeBgkqhkiG9w0B +CQEWEWNhQG1haWxlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAqXmfsU+lx+NFmn6tN17RTOyaddHqLnr/3rzEDIyT9TN+tF9TG7jmK7lJ +Jrj5arQ3nTFaLF8JuND2U1z/cLPw6/TX+1tE3v3CNUDSjaisyUDiUyp3TE8hMMMz +zfZQn0JsGgNhhWxqyzjhRQGtKL4+xtn8VsF/8zGgZYke7nlmVKz/FslDFTnNoodL +BAEGiu9JQS9qqpbSs20NdZ6LXPL2A4iTjnsNFBW3jIMVIn/JVVyaycU7ue2oFviD +vLNpkVZcR7A+jjIdIumOc5VSF0y7y74cQC5YwkR2mLK7UBYDK6NCY3ta/C4M8NsM +0FpmvRl0+A1ivZtVwqI98dxDtp7HeQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBBQUAA4IBAQAjfNn5BCzxylBDakFQGWKE/P43PRibMOEzfd7+DzbY +WIekoz3i00DwoH3b6j4gwlDJRAOq4dF6/Pt/uBOHDo/op+ef+9ErmKPd+ehXN9h3 +7QbccTgz7DtVwA4iRlDRLru+JuXzT+OsCHuFZMOLJ+KD2JAGh3W68JjdcLkrlcpt +AU0wc5aOHPPfEBdIah8y8QtNzXRVzoBt8zzvgCARkXxTS2u/9QaXR1hML0JtDgQS +SdZ6Kd8SN6yzqxD+buYD5sOfJmjBF/n3lqFHNMHnnGXy2TAXZtIAWzffU3A0cGPB +N6FZ026a86HbF1X4k+xszhbJu/ikczyuWnCJIg3fTYSD +-----END CERTIFICATE----- diff --git a/certs/eng5.pem b/certs/eng5.pem new file mode 100644 index 000000000..3416ccad2 --- /dev/null +++ b/certs/eng5.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMCQ0Ex +CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRowGAYDVQQKExFUcmFkZXJF +bmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRGl2 +aXNpb24xFTATBgNVBAMTDHRyYWRlcmVuZ2luZTEiMCAGCSqGSIb3DQEJARYTY2FA +dHJhZGVyZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBa +MIGuMQswCQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8x +GjAYBgNVBAoTEVRyYWRlckVuZ2luZSBJbmMuMSkwJwYDVQQLEyBDZXJ0aWZpY2F0 +aW9uIEF1dGhvcml0eSBEaXZpc2lvbjEVMBMGA1UEAxMMdHJhZGVyZW5naW5lMSIw +IAYJKoZIhvcNAQkBFhNjYUB0cmFkZXJlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAzyX5QE+5SN+zgNn1v3zp9HmP4hQOWW8WuEVItZVP +9bt/xj5NeJd1kyPL/SqnF2qHcL3o/74r0Ga55aKHniwKYgQTlp5ELGfQ568QQeN9 +xNIHtUXeStI9zCNZyZC+4YqObdMR/ivKA/WsLfUVMl2lV5JzJJz1BOE0gKEYiEyz +gIq5oLzkP/mOXoHRvWSZD2D0eHYIO7ovV2epVFK7g7p+dC4QoeIUEli+GF/Myg88 +dV/qmi+Sybck2RLPXa8Nh27/ETVQ7kE1Eafmx7EyCqIhG+5lwJAy3HwHUBwAYuzj +iuZz5lD8aQmr8SKuvy3eOH9SVN5wh3YBlrNGwTStkESVLwIDAQABoxAwDjAMBgNV +HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAWOPAUhZd3x9EQiFJcuxFTMd9q +axgcriCzJsM6D96sYGko9xTeLhX/lr1bliVYI5AlupoLXAdMzGHJkOgaTirKjQXr +F9nymDdUWKe3TmwGob5016nQlH7qRKvGO3hka0rOGRK2U/2JT/4Qp8iH/DFi6cyM +uP0q8n64SAkxZXLzUuFQXqf7U/SNjzb9XJQEIAdjp7eYd3Qb4jDsDcX0FrKMF1aV +r0dCDnS7am7WTXPYCDGdSkPgEHEtLYIYH3lZp5sKdVZ9wl4F0WNFkRWRUr7AXPjw +50uLmUNmKCd8JZLMGA1TRNSTi7U9EcrWt0OkMWm74T2WVnAgNsDv2WrWsGfj +-----END CERTIFICATE-----