From 40e66398dbe7f5e9ff6984ff0b2f92d0f151995e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulf=20M=C3=B6ller?= Date: Sun, 22 Sep 2002 08:49:22 +0000 Subject: [PATCH 01/49] use OPENSSL_SYS_MSDOS rather than __DJGPP__ to disable egd, this is not compiler specific --- crypto/rand/rand_egd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c index abc3ac27d..668c785f0 100644 --- a/crypto/rand/rand_egd.c +++ b/crypto/rand/rand_egd.c @@ -94,7 +94,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(__DJGPP__) +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return(-1); From e78f137899af768e1e9335f080826dc9f18eb882 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Mon, 23 Sep 2002 14:25:07 +0000 Subject: [PATCH 02/49] really fix race condition PR: 262 --- CHANGES | 8 ++++++-- crypto/cryptlib.c | 3 ++- crypto/crypto.h | 51 ++++++++++++++++++++++++----------------------- ssl/s23_clnt.c | 4 ++++ ssl/s23_srvr.c | 4 ++++ ssl/s2_clnt.c | 4 ++++ ssl/s2_srvr.c | 4 ++++ ssl/s3_clnt.c | 4 ++++ ssl/s3_srvr.c | 4 ++++ ssl/t1_clnt.c | 4 ++++ ssl/t1_srvr.c | 4 ++++ 11 files changed, 66 insertions(+), 28 deletions(-) diff --git a/CHANGES b/CHANGES index b21766284..1a312d9e6 100644 --- a/CHANGES +++ b/CHANGES @@ -1927,8 +1927,12 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] - *) Fix race condition in SSLv3_client_method(). - [Bodo Moeller] + *) Fix initialization code race conditions in + SSLv23_client_method(), SSLv23_server_method(), + SSLv2_client_method(), SSLv2_server_method(), + SSLv3_client_method(), SSLv3_server_method(), + TLSv1_client_method(), TLSv1_server_method(). + [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index b72f7fb01..5d8debd2c 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -94,6 +94,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "ssl_session", "ssl_sess_cert", "ssl", + "ssl_method", "rand", "rand2", "debug_malloc", @@ -111,7 +112,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] = "ecdsa", "ec", "ecdh", -#if CRYPTO_NUM_LOCKS != 34 +#if CRYPTO_NUM_LOCKS != 35 # error "Inconsistency between crypto.h and cryptlib.c" #endif }; diff --git a/crypto/crypto.h b/crypto/crypto.h index e4d1526e0..1490db9aa 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -111,30 +111,31 @@ extern "C" { #define CRYPTO_LOCK_DSA 8 #define CRYPTO_LOCK_RSA 9 #define CRYPTO_LOCK_EVP_PKEY 10 -#define CRYPTO_LOCK_X509_STORE 11 -#define CRYPTO_LOCK_SSL_CTX 12 -#define CRYPTO_LOCK_SSL_CERT 13 -#define CRYPTO_LOCK_SSL_SESSION 14 -#define CRYPTO_LOCK_SSL_SESS_CERT 15 -#define CRYPTO_LOCK_SSL 16 -#define CRYPTO_LOCK_RAND 17 -#define CRYPTO_LOCK_RAND2 18 -#define CRYPTO_LOCK_MALLOC 19 -#define CRYPTO_LOCK_BIO 20 -#define CRYPTO_LOCK_GETHOSTBYNAME 21 -#define CRYPTO_LOCK_GETSERVBYNAME 22 -#define CRYPTO_LOCK_READDIR 23 -#define CRYPTO_LOCK_RSA_BLINDING 24 -#define CRYPTO_LOCK_DH 25 -#define CRYPTO_LOCK_MALLOC2 26 -#define CRYPTO_LOCK_DSO 27 -#define CRYPTO_LOCK_DYNLOCK 28 -#define CRYPTO_LOCK_ENGINE 29 -#define CRYPTO_LOCK_UI 30 -#define CRYPTO_LOCK_ECDSA 31 -#define CRYPTO_LOCK_EC 32 -#define CRYPTO_LOCK_ECDH 33 -#define CRYPTO_NUM_LOCKS 34 +#define CRYPTO_LOCK_X509_STORE 11 +#define CRYPTO_LOCK_SSL_CTX 12 +#define CRYPTO_LOCK_SSL_CERT 13 +#define CRYPTO_LOCK_SSL_SESSION 14 +#define CRYPTO_LOCK_SSL_SESS_CERT 15 +#define CRYPTO_LOCK_SSL 16 +#define CRYPTO_LOCK_SSL_METHOD 17 +#define CRYPTO_LOCK_RAND 18 +#define CRYPTO_LOCK_RAND2 19 +#define CRYPTO_LOCK_MALLOC 20 +#define CRYPTO_LOCK_BIO 21 +#define CRYPTO_LOCK_GETHOSTBYNAME 22 +#define CRYPTO_LOCK_GETSERVBYNAME 23 +#define CRYPTO_LOCK_READDIR 24 +#define CRYPTO_LOCK_RSA_BLINDING 25 +#define CRYPTO_LOCK_DH 26 +#define CRYPTO_LOCK_MALLOC2 27 +#define CRYPTO_LOCK_DSO 28 +#define CRYPTO_LOCK_DYNLOCK 29 +#define CRYPTO_LOCK_ENGINE 30 +#define CRYPTO_LOCK_UI 31 +#define CRYPTO_LOCK_ECDSA 32 +#define CRYPTO_LOCK_EC 33 +#define CRYPTO_LOCK_ECDH 34 +#define CRYPTO_NUM_LOCKS 35 #define CRYPTO_LOCK 1 #define CRYPTO_UNLOCK 2 @@ -156,7 +157,7 @@ extern "C" { #endif #else #define CRYPTO_w_lock(a) -#define CRYPTO_w_unlock(a) +#define CRYPTO_w_unlock(a) #define CRYPTO_r_lock(a) #define CRYPTO_r_unlock(a) #define CRYPTO_add(a,b,c) ((*(a))+=(b)) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 019e9aece..9c02cb49a 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -87,11 +87,15 @@ SSL_METHOD *SSLv23_client_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv23_client_data, (char *)sslv23_base_method(),sizeof(SSL_METHOD)); SSLv23_client_data.ssl_connect=ssl23_connect; SSLv23_client_data.get_ssl_method=ssl23_get_client_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_client_data); } diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 8743b61cb..5c7e9fa97 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -139,11 +139,15 @@ SSL_METHOD *SSLv23_server_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv23_server_data, (char *)sslv23_base_method(),sizeof(SSL_METHOD)); SSLv23_server_data.ssl_accept=ssl23_accept; SSLv23_server_data.get_ssl_method=ssl23_get_server_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_server_data); } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 570d0664e..0d2903982 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -145,11 +145,15 @@ SSL_METHOD *SSLv2_client_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), sizeof(SSL_METHOD)); SSLv2_client_data.ssl_connect=ssl2_connect; SSLv2_client_data.get_ssl_method=ssl2_get_client_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_client_data); } diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 97dda2dde..d64d4e1ed 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -145,11 +145,15 @@ SSL_METHOD *SSLv2_server_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv2_server_data,(char *)sslv2_base_method(), sizeof(SSL_METHOD)); SSLv2_server_data.ssl_accept=ssl2_accept; SSLv2_server_data.get_ssl_method=ssl2_get_server_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_server_data); } diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 578eca457..6e29a6ce3 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -178,11 +178,15 @@ SSL_METHOD *SSLv3_client_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_client_data.ssl_connect=ssl3_connect; SSLv3_client_data.get_ssl_method=ssl3_get_client_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_client_data); } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4b374a9cd..7742f3b8b 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -181,11 +181,15 @@ SSL_METHOD *SSLv3_server_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_server_data.ssl_accept=ssl3_accept; SSLv3_server_data.get_ssl_method=ssl3_get_server_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_server_data); } diff --git a/ssl/t1_clnt.c b/ssl/t1_clnt.c index 9ad518f9f..3eb3ae56c 100644 --- a/ssl/t1_clnt.c +++ b/ssl/t1_clnt.c @@ -79,11 +79,15 @@ SSL_METHOD *TLSv1_client_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&TLSv1_client_data,(char *)tlsv1_base_method(), sizeof(SSL_METHOD)); TLSv1_client_data.ssl_connect=ssl3_connect; TLSv1_client_data.get_ssl_method=tls1_get_client_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_client_data); } diff --git a/ssl/t1_srvr.c b/ssl/t1_srvr.c index 6e765e587..c72e5525a 100644 --- a/ssl/t1_srvr.c +++ b/ssl/t1_srvr.c @@ -80,11 +80,15 @@ SSL_METHOD *TLSv1_server_method(void) if (init) { + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + memcpy((char *)&TLSv1_server_data,(char *)tlsv1_base_method(), sizeof(SSL_METHOD)); TLSv1_server_data.ssl_accept=ssl3_accept; TLSv1_server_data.get_ssl_method=tls1_get_server_method; init=0; + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&TLSv1_server_data); } From 5d9470ff8e8c030b71dcc2e02c1c43d5deb1fa72 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 12:41:59 +0000 Subject: [PATCH 03/49] -elapsed is also useful when using gettimeofday --- apps/speed.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/speed.c b/apps/speed.c index 84e8f98e8..a8a375ff2 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1070,7 +1070,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"Available options:\n"); -#ifdef TIMES +#if defined(TIMES) || defined(USE_TOD) BIO_printf(bio_err,"-elapsed measure time in real time instead of CPU user time.\n"); #endif BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); From b3823ac64b4e0582d6b5bc81804b809e86753d3a Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 12:49:40 +0000 Subject: [PATCH 04/49] Missing ; --- crypto/engine/eng_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/engine/eng_init.c b/crypto/engine/eng_init.c index 98caa21e3..170c1791b 100644 --- a/crypto/engine/eng_init.c +++ b/crypto/engine/eng_init.c @@ -93,7 +93,7 @@ int engine_unlocked_finish(ENGINE *e, int unlock_for_handlers) * there's a chance that both threads will together take the count from * 2 to 0 without either calling finish(). */ e->funct_ref--; - engine_ref_debug(e, 1, -1) + engine_ref_debug(e, 1, -1); if((e->funct_ref == 0) && e->finish) { if(unlock_for_handlers) From cd98ab6491421db18dd8b4442d016e01ff202fc1 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 12:52:13 +0000 Subject: [PATCH 05/49] Incorrect argument order to memset() --- crypto/engine/hw_4758_cca.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/engine/hw_4758_cca.c b/crypto/engine/hw_4758_cca.c index bfb80968e..6d41b9ed2 100644 --- a/crypto/engine/hw_4758_cca.c +++ b/crypto/engine/hw_4758_cca.c @@ -715,7 +715,7 @@ static int cca_rsa_verify(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + memset(hashBuffer, 0, keyLength+1); OPENSSL_free(hashBuffer); } @@ -838,7 +838,7 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len, if (type == NID_sha1 || type == NID_md5) { - memset(hashBuffer, keyLength+1, 0); + memset(hashBuffer, 0, keyLength+1); OPENSSL_free(hashBuffer); } From 153aecf91a9d11ccbdf7dedc1051cb6c746f7d6e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 13:11:12 +0000 Subject: [PATCH 06/49] It makes more sense to refer to specific function manuals than the concept manual when the specific function is refered to in the current manual text. This correction was originally introduced in OpenBSD's tracking of OpenSSL. --- doc/crypto/BN_add.pod | 2 +- doc/crypto/BN_add_word.pod | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/crypto/BN_add.pod b/doc/crypto/BN_add.pod index a99fe3380..88c7a799e 100644 --- a/doc/crypto/BN_add.pod +++ b/doc/crypto/BN_add.pod @@ -111,7 +111,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, +L, L, L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_add_word.pod b/doc/crypto/BN_add_word.pod index 66bedfb92..94244adea 100644 --- a/doc/crypto/BN_add_word.pod +++ b/doc/crypto/BN_add_word.pod @@ -46,7 +46,7 @@ BN_mod_word() and BN_div_word() return B%B. =head1 SEE ALSO -L, L, L +L, L, L =head1 HISTORY From e204516178dd32e4450f1a26e7f86aa3f6b0a900 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 13:25:44 +0000 Subject: [PATCH 07/49] Remove reference to RSA_PKCS1_RSAref, since it doesn't exist any more. This correction was originally introduced in OpenBSD's tracking of OpenSSL. --- doc/crypto/RSA_set_method.pod | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod index 0687c2242..060c4cc25 100644 --- a/doc/crypto/RSA_set_method.pod +++ b/doc/crypto/RSA_set_method.pod @@ -3,13 +3,12 @@ =head1 NAME RSA_set_default_method, RSA_get_default_method, RSA_set_method, -RSA_get_method, RSA_PKCS1_SSLeay, -RSA_null_method, RSA_flags, RSA_new_method - select RSA method +RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags, +RSA_new_method - select RSA method =head1 SYNOPSIS #include - #include void RSA_set_default_method(const RSA_METHOD *meth); @@ -21,11 +20,13 @@ RSA_null_method, RSA_flags, RSA_new_method - select RSA method RSA_METHOD *RSA_PKCS1_SSLeay(void); + RSA_METHOD *RSA_PKCS1_RSAref(void); + RSA_METHOD *RSA_null_method(void); int RSA_flags(const RSA *rsa); - RSA *RSA_new_method(ENGINE *engine); + RSA *RSA_new_method(RSA_METHOD *method); =head1 DESCRIPTION @@ -70,6 +71,12 @@ B will be used for the RSA operations. If B is NULL, the default ENGINE for RSA operations is used, and if no default ENGINE is set, the RSA_METHOD controlled by RSA_set_default_method() is used. +RSA_flags() returns the B that are set for B's current method. + +RSA_new_method() allocates and initializes an B structure so that +B will be used for the RSA operations. If B is B, +the default method is used. + =head1 THE RSA_METHOD STRUCTURE typedef struct rsa_meth_st From 2018681b335e5d6852461808718d188cda00bafd Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 13:26:36 +0000 Subject: [PATCH 08/49] Remove *all* references to RSA_PKCS1_RSAref, since it doesn't exist any more. This correction was originally introduced in OpenBSD's tracking of OpenSSL. --- doc/crypto/RSA_set_method.pod | 2 -- 1 file changed, 2 deletions(-) diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod index 060c4cc25..0a305f6b1 100644 --- a/doc/crypto/RSA_set_method.pod +++ b/doc/crypto/RSA_set_method.pod @@ -20,8 +20,6 @@ RSA_new_method - select RSA method RSA_METHOD *RSA_PKCS1_SSLeay(void); - RSA_METHOD *RSA_PKCS1_RSAref(void); - RSA_METHOD *RSA_null_method(void); int RSA_flags(const RSA *rsa); From 6859cf745961b04bea73297a275b3269085f6970 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 13:33:28 +0000 Subject: [PATCH 09/49] It makes more sense to refer to specific function manuals than the concept manual when the specific function is refered to in the current manual text. This correction was originally introduced in OpenBSD's tracking of OpenSSL. --- doc/crypto/BN_CTX_new.pod | 2 +- doc/crypto/BN_bn2bin.pod | 2 +- doc/crypto/BN_copy.pod | 2 +- doc/crypto/BN_generate_prime.pod | 2 +- doc/crypto/BN_mod_inverse.pod | 2 +- doc/crypto/BN_mod_mul_montgomery.pod | 2 +- doc/crypto/BN_mod_mul_reciprocal.pod | 2 +- doc/crypto/BN_new.pod | 2 +- doc/crypto/BN_rand.pod | 2 +- doc/crypto/DH_generate_key.pod | 2 +- doc/crypto/DH_generate_parameters.pod | 3 ++- doc/crypto/DH_new.pod | 2 +- doc/crypto/DSA_SIG_new.pod | 3 ++- doc/crypto/DSA_do_sign.pod | 2 +- doc/crypto/DSA_dup_DH.pod | 2 +- doc/crypto/DSA_generate_key.pod | 3 ++- doc/crypto/DSA_generate_parameters.pod | 2 +- doc/crypto/DSA_new.pod | 2 +- doc/crypto/DSA_sign.pod | 2 +- doc/crypto/RAND_bytes.pod | 3 ++- doc/crypto/RSA_check_key.pod | 2 +- doc/crypto/RSA_generate_key.pod | 3 ++- doc/crypto/RSA_new.pod | 3 ++- doc/crypto/RSA_private_encrypt.pod | 3 ++- doc/crypto/RSA_public_encrypt.pod | 3 ++- doc/crypto/RSA_sign.pod | 4 ++-- doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod | 4 ++-- 27 files changed, 37 insertions(+), 29 deletions(-) diff --git a/doc/crypto/BN_CTX_new.pod b/doc/crypto/BN_CTX_new.pod index c94d8c610..ad8d07db8 100644 --- a/doc/crypto/BN_CTX_new.pod +++ b/doc/crypto/BN_CTX_new.pod @@ -42,7 +42,7 @@ BN_CTX_init() and BN_CTX_free() have no return values. =head1 SEE ALSO -L, L, L, +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod index b62d1af0f..a4b17ca60 100644 --- a/doc/crypto/BN_bn2bin.pod +++ b/doc/crypto/BN_bn2bin.pod @@ -80,7 +80,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, +L, L, L, L, L diff --git a/doc/crypto/BN_copy.pod b/doc/crypto/BN_copy.pod index 8ad25e783..388dd7df2 100644 --- a/doc/crypto/BN_copy.pod +++ b/doc/crypto/BN_copy.pod @@ -25,7 +25,7 @@ by L. =head1 SEE ALSO -L, L +L, L =head1 HISTORY diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 638f6514e..6ea23791d 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -90,7 +90,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L +L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_mod_inverse.pod b/doc/crypto/BN_mod_inverse.pod index 49e62daf9..3ea3975c7 100644 --- a/doc/crypto/BN_mod_inverse.pod +++ b/doc/crypto/BN_mod_inverse.pod @@ -27,7 +27,7 @@ NULL on error. The error codes can be obtained by L, L, L +L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_mod_mul_montgomery.pod b/doc/crypto/BN_mod_mul_montgomery.pod index ed4af7a21..6b16351b9 100644 --- a/doc/crypto/BN_mod_mul_montgomery.pod +++ b/doc/crypto/BN_mod_mul_montgomery.pod @@ -87,7 +87,7 @@ outside the expected range. =head1 SEE ALSO -L, L, L, +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_mod_mul_reciprocal.pod b/doc/crypto/BN_mod_mul_reciprocal.pod index a28925f8a..74a216ddc 100644 --- a/doc/crypto/BN_mod_mul_reciprocal.pod +++ b/doc/crypto/BN_mod_mul_reciprocal.pod @@ -69,7 +69,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/BN_new.pod b/doc/crypto/BN_new.pod index c1394ff2a..3033789c5 100644 --- a/doc/crypto/BN_new.pod +++ b/doc/crypto/BN_new.pod @@ -42,7 +42,7 @@ values. =head1 SEE ALSO -L, L +L, L =head1 HISTORY diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index 9cec238f9..81f93c2eb 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod @@ -45,7 +45,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, +L, L, L, L, L =head1 HISTORY diff --git a/doc/crypto/DH_generate_key.pod b/doc/crypto/DH_generate_key.pod index 920995b2e..81f09fdf4 100644 --- a/doc/crypto/DH_generate_key.pod +++ b/doc/crypto/DH_generate_key.pod @@ -40,7 +40,7 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, L +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod index a7d0c75f0..9081e9ea7 100644 --- a/doc/crypto/DH_generate_parameters.pod +++ b/doc/crypto/DH_generate_parameters.pod @@ -59,7 +59,8 @@ a usable generator. =head1 SEE ALSO -L, L, L, L +L, L, L, +L =head1 HISTORY diff --git a/doc/crypto/DH_new.pod b/doc/crypto/DH_new.pod index 64624b9d1..60c930093 100644 --- a/doc/crypto/DH_new.pod +++ b/doc/crypto/DH_new.pod @@ -29,7 +29,7 @@ DH_free() returns no value. =head1 SEE ALSO -L, L, +L, L, L, L diff --git a/doc/crypto/DSA_SIG_new.pod b/doc/crypto/DSA_SIG_new.pod index 671655554..3ac614003 100644 --- a/doc/crypto/DSA_SIG_new.pod +++ b/doc/crypto/DSA_SIG_new.pod @@ -30,7 +30,8 @@ DSA_SIG_free() returns no value. =head1 SEE ALSO -L, L, L +L, L, +L =head1 HISTORY diff --git a/doc/crypto/DSA_do_sign.pod b/doc/crypto/DSA_do_sign.pod index a24fd5714..5dfc733b2 100644 --- a/doc/crypto/DSA_do_sign.pod +++ b/doc/crypto/DSA_do_sign.pod @@ -36,7 +36,7 @@ L. =head1 SEE ALSO -L, L, L, +L, L, L, L, L diff --git a/doc/crypto/DSA_dup_DH.pod b/doc/crypto/DSA_dup_DH.pod index fdfe125ab..7f6f0d111 100644 --- a/doc/crypto/DSA_dup_DH.pod +++ b/doc/crypto/DSA_dup_DH.pod @@ -27,7 +27,7 @@ Be careful to avoid small subgroup attacks when using this. =head1 SEE ALSO -L, L, L +L, L, L =head1 HISTORY diff --git a/doc/crypto/DSA_generate_key.pod b/doc/crypto/DSA_generate_key.pod index 52890db5b..af83ccfaa 100644 --- a/doc/crypto/DSA_generate_key.pod +++ b/doc/crypto/DSA_generate_key.pod @@ -24,7 +24,8 @@ The error codes can be obtained by L. =head1 SEE ALSO -L, L, L, L +L, L, L, +L =head1 HISTORY diff --git a/doc/crypto/DSA_generate_parameters.pod b/doc/crypto/DSA_generate_parameters.pod index 43f60b0eb..be7c924ff 100644 --- a/doc/crypto/DSA_generate_parameters.pod +++ b/doc/crypto/DSA_generate_parameters.pod @@ -90,7 +90,7 @@ Seed lengths E 20 are not supported. =head1 SEE ALSO -L, L, L, +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/DSA_new.pod b/doc/crypto/DSA_new.pod index 546146d9d..48e9b82a0 100644 --- a/doc/crypto/DSA_new.pod +++ b/doc/crypto/DSA_new.pod @@ -31,7 +31,7 @@ DSA_free() returns no value. =head1 SEE ALSO -L, L, +L, L, L, L diff --git a/doc/crypto/DSA_sign.pod b/doc/crypto/DSA_sign.pod index f6e60a8ca..97389e8ec 100644 --- a/doc/crypto/DSA_sign.pod +++ b/doc/crypto/DSA_sign.pod @@ -55,7 +55,7 @@ Standard, DSS), ANSI X9.30 =head1 SEE ALSO -L, L, L, +L, L, L, L =head1 HISTORY diff --git a/doc/crypto/RAND_bytes.pod b/doc/crypto/RAND_bytes.pod index b6ebd5052..ce6329ce5 100644 --- a/doc/crypto/RAND_bytes.pod +++ b/doc/crypto/RAND_bytes.pod @@ -35,7 +35,8 @@ method. =head1 SEE ALSO -L, L, L +L, L, +L =head1 HISTORY diff --git a/doc/crypto/RSA_check_key.pod b/doc/crypto/RSA_check_key.pod index 3d824a07f..a5198f3db 100644 --- a/doc/crypto/RSA_check_key.pod +++ b/doc/crypto/RSA_check_key.pod @@ -58,7 +58,7 @@ provide their own verifiers. =head1 SEE ALSO -L, L +L, L =head1 HISTORY diff --git a/doc/crypto/RSA_generate_key.pod b/doc/crypto/RSA_generate_key.pod index 8714f7179..52dbb14a5 100644 --- a/doc/crypto/RSA_generate_key.pod +++ b/doc/crypto/RSA_generate_key.pod @@ -59,7 +59,8 @@ RSA_generate_key() goes into an infinite loop for illegal input values. =head1 SEE ALSO -L, L, L, L +L, L, L, +L =head1 HISTORY diff --git a/doc/crypto/RSA_new.pod b/doc/crypto/RSA_new.pod index f0d996c40..3d15b9282 100644 --- a/doc/crypto/RSA_new.pod +++ b/doc/crypto/RSA_new.pod @@ -30,7 +30,8 @@ RSA_free() returns no value. =head1 SEE ALSO -L, L, L, +L, L, +L, L =head1 HISTORY diff --git a/doc/crypto/RSA_private_encrypt.pod b/doc/crypto/RSA_private_encrypt.pod index 6861a98a1..746a80c79 100644 --- a/doc/crypto/RSA_private_encrypt.pod +++ b/doc/crypto/RSA_private_encrypt.pod @@ -59,7 +59,8 @@ obtained by L. =head1 SEE ALSO -L, L, L, L +L, L, +L, L =head1 HISTORY diff --git a/doc/crypto/RSA_public_encrypt.pod b/doc/crypto/RSA_public_encrypt.pod index e20dfcb55..d53e19d2b 100644 --- a/doc/crypto/RSA_public_encrypt.pod +++ b/doc/crypto/RSA_public_encrypt.pod @@ -72,7 +72,8 @@ SSL, PKCS #1 v2.0 =head1 SEE ALSO -L, L, L, L +L, L, L, +L =head1 HISTORY diff --git a/doc/crypto/RSA_sign.pod b/doc/crypto/RSA_sign.pod index f0bf6eea1..71688a665 100644 --- a/doc/crypto/RSA_sign.pod +++ b/doc/crypto/RSA_sign.pod @@ -50,8 +50,8 @@ SSL, PKCS #1 v2.0 =head1 SEE ALSO -L, L, L, -L, +L, L, +L, L, L =head1 HISTORY diff --git a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod index df9ceb339..e70380bbf 100644 --- a/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod +++ b/doc/crypto/RSA_sign_ASN1_OCTET_STRING.pod @@ -47,8 +47,8 @@ These functions serve no recognizable purpose. =head1 SEE ALSO -L, L, L, -L, L, +L, L, +L, L, L, L =head1 HISTORY From 94960c84215f89cc7f655ad13418fbb38e597ed2 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 25 Sep 2002 14:14:11 +0000 Subject: [PATCH 10/49] Make sure that the signal storage is regarded as volatile. This correction was originally introduced in OpenBSD's tracking of OpenSSL. --- crypto/ui/ui_openssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 2c2fbc044..f47ed31cb 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -378,7 +378,7 @@ static void read_till_nl(FILE *in) } while (strchr(buf,'\n') == NULL); } -static sig_atomic_t intr_signal; +static volatile sig_atomic_t intr_signal; static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl) { From b8565a9af9c6a4113b11764d2f79e799266a33c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Wed, 25 Sep 2002 15:38:57 +0000 Subject: [PATCH 11/49] really fix race conditions Submitted by: "Patrick McCormick" PR: 262 PR: 291 --- CHANGES | 4 +++- ssl/s23_clnt.c | 13 ++++++++----- ssl/s23_srvr.c | 13 ++++++++----- ssl/s2_clnt.c | 13 ++++++++----- ssl/s2_lib.c | 16 ++++++++++------ ssl/s2_srvr.c | 13 ++++++++----- ssl/s3_clnt.c | 13 ++++++++----- ssl/s3_lib.c | 17 ++++++++++------- ssl/s3_srvr.c | 15 +++++++++------ ssl/t1_clnt.c | 15 +++++++++------ ssl/t1_srvr.c | 15 +++++++++------ 11 files changed, 90 insertions(+), 57 deletions(-) diff --git a/CHANGES b/CHANGES index 1a312d9e6..2443971bb 100644 --- a/CHANGES +++ b/CHANGES @@ -1931,7 +1931,9 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k SSLv23_client_method(), SSLv23_server_method(), SSLv2_client_method(), SSLv2_server_method(), SSLv3_client_method(), SSLv3_server_method(), - TLSv1_client_method(), TLSv1_server_method(). + TLSv1_client_method(), TLSv1_server_method(), + ssl2_get_cipher_by_char(), + ssl3_get_cipher_by_char(). [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 9c02cb49a..99230890a 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -89,11 +89,14 @@ SSL_METHOD *SSLv23_client_method(void) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - memcpy((char *)&SSLv23_client_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_client_data.ssl_connect=ssl23_connect; - SSLv23_client_data.get_ssl_method=ssl23_get_client_method; - init=0; + if (init) + { + memcpy((char *)&SSLv23_client_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_client_data.ssl_connect=ssl23_connect; + SSLv23_client_data.get_ssl_method=ssl23_get_client_method; + init=0; + } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 5c7e9fa97..442c95aa9 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -141,11 +141,14 @@ SSL_METHOD *SSLv23_server_method(void) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - memcpy((char *)&SSLv23_server_data, - (char *)sslv23_base_method(),sizeof(SSL_METHOD)); - SSLv23_server_data.ssl_accept=ssl23_accept; - SSLv23_server_data.get_ssl_method=ssl23_get_server_method; - init=0; + if (init) + { + memcpy((char *)&SSLv23_server_data, + (char *)sslv23_base_method(),sizeof(SSL_METHOD)); + SSLv23_server_data.ssl_accept=ssl23_accept; + SSLv23_server_data.get_ssl_method=ssl23_get_server_method; + init=0; + } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 0d2903982..be03e9c63 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -147,11 +147,14 @@ SSL_METHOD *SSLv2_client_method(void) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); - memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_client_data.ssl_connect=ssl2_connect; - SSLv2_client_data.get_ssl_method=ssl2_get_client_method; - init=0; + if (init) + { + memcpy((char *)&SSLv2_client_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_client_data.ssl_connect=ssl2_connect; + SSLv2_client_data.get_ssl_method=ssl2_get_client_method; + init=0; + } CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c index cc0dcfa95..0cbbb066f 100644 --- a/ssl/s2_lib.c +++ b/ssl/s2_lib.c @@ -377,15 +377,19 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - for (i=0; i Date: Wed, 25 Sep 2002 20:19:04 +0000 Subject: [PATCH 12/49] Add missing brackets. Submitted by: "Chris Brook" --- ssl/ssltest.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssltest.c b/ssl/ssltest.c index c84c643c2..ed8071631 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -423,7 +423,7 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH dhe1024=1; #else - fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"; + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-dhe1024dsa") == 0) @@ -431,7 +431,7 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH dhe1024dsa=1; #else - fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"; + fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-no_dhe") == 0) From 929f11673384d9f518b47bd4dc7f1878e80cdf28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Thu, 26 Sep 2002 15:52:34 +0000 Subject: [PATCH 13/49] fix more race conditions Submitted by: "Patrick McCormick" PR: 262 --- CHANGES | 8 ++++---- ssl/s23_meth.c | 19 +++++++++++++------ ssl/s2_meth.c | 19 +++++++++++++------ ssl/s3_meth.c | 19 +++++++++++++------ ssl/t1_meth.c | 20 ++++++++++++++------ 5 files changed, 57 insertions(+), 28 deletions(-) diff --git a/CHANGES b/CHANGES index 2443971bb..feba2200e 100644 --- a/CHANGES +++ b/CHANGES @@ -1928,10 +1928,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k [Bodo Moeller] *) Fix initialization code race conditions in - SSLv23_client_method(), SSLv23_server_method(), - SSLv2_client_method(), SSLv2_server_method(), - SSLv3_client_method(), SSLv3_server_method(), - TLSv1_client_method(), TLSv1_server_method(), + SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), + SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), + SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), + TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), ssl2_get_cipher_by_char(), ssl3_get_cipher_by_char(). [Patrick McCormick , Bodo Moeller] diff --git a/ssl/s23_meth.c b/ssl/s23_meth.c index 40684311d..f20714083 100644 --- a/ssl/s23_meth.c +++ b/ssl/s23_meth.c @@ -80,12 +80,19 @@ SSL_METHOD *SSLv23_method(void) if (init) { - memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), - sizeof(SSL_METHOD)); - SSLv23_data.ssl_connect=ssl23_connect; - SSLv23_data.ssl_accept=ssl23_accept; - SSLv23_data.get_ssl_method=ssl23_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv23_data,(char *)sslv23_base_method(), + sizeof(SSL_METHOD)); + SSLv23_data.ssl_connect=ssl23_connect; + SSLv23_data.ssl_accept=ssl23_accept; + SSLv23_data.get_ssl_method=ssl23_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv23_data); } diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c index d30b7179f..8b6cbd086 100644 --- a/ssl/s2_meth.c +++ b/ssl/s2_meth.c @@ -77,12 +77,19 @@ SSL_METHOD *SSLv2_method(void) if (init) { - memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), - sizeof(SSL_METHOD)); - SSLv2_data.ssl_connect=ssl2_connect; - SSLv2_data.ssl_accept=ssl2_accept; - SSLv2_data.get_ssl_method=ssl2_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv2_data,(char *)sslv2_base_method(), + sizeof(SSL_METHOD)); + SSLv2_data.ssl_connect=ssl2_connect; + SSLv2_data.ssl_accept=ssl2_accept; + SSLv2_data.get_ssl_method=ssl2_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv2_data); } diff --git a/ssl/s3_meth.c b/ssl/s3_meth.c index 81bcad89c..1fd7a96f8 100644 --- a/ssl/s3_meth.c +++ b/ssl/s3_meth.c @@ -76,12 +76,19 @@ SSL_METHOD *SSLv3_method(void) if (init) { - memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), - sizeof(SSL_METHOD)); - SSLv3_data.ssl_connect=ssl3_connect; - SSLv3_data.ssl_accept=ssl3_accept; - SSLv3_data.get_ssl_method=ssl3_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&SSLv3_data,(char *)sslv3_base_method(), + sizeof(SSL_METHOD)); + SSLv3_data.ssl_connect=ssl3_connect; + SSLv3_data.ssl_accept=ssl3_accept; + SSLv3_data.get_ssl_method=ssl3_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } return(&SSLv3_data); } diff --git a/ssl/t1_meth.c b/ssl/t1_meth.c index 9bb36a7d1..fcc243f78 100644 --- a/ssl/t1_meth.c +++ b/ssl/t1_meth.c @@ -76,13 +76,21 @@ SSL_METHOD *TLSv1_method(void) if (init) { - memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), - sizeof(SSL_METHOD)); - TLSv1_data.ssl_connect=ssl3_connect; - TLSv1_data.ssl_accept=ssl3_accept; - TLSv1_data.get_ssl_method=tls1_get_method; - init=0; + CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD); + + if (init) + { + memcpy((char *)&TLSv1_data,(char *)tlsv1_base_method(), + sizeof(SSL_METHOD)); + TLSv1_data.ssl_connect=ssl3_connect; + TLSv1_data.ssl_accept=ssl3_accept; + TLSv1_data.get_ssl_method=tls1_get_method; + init=0; + } + + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD); } + return(&TLSv1_data); } From 293d5082c75b72ae56cfac02deb5dd6357130c2d Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 2 Oct 2002 00:19:33 +0000 Subject: [PATCH 14/49] The OpenBSD project has replaced the first implementation of the /dev/crypto engine with something they claim is better. I have nothing to compare to, and I assume they know what they're talking about. The interesting part with this one is that it's loaded by default on OpenBSD systems. This change was originally introduced in OpenBSD's tracking of OpenSSL. --- crypto/engine/Makefile.ssl | 4 +- crypto/engine/eng_all.c | 15 +- crypto/engine/engine.h | 2 +- crypto/engine/hw_cryptodev.c | 1117 ++++++++++++++++++++++++++++++++++ crypto/evp/c_all.c | 3 + util/libeay.num | 2 +- 6 files changed, 1137 insertions(+), 6 deletions(-) create mode 100644 crypto/engine/hw_cryptodev.c diff --git a/crypto/engine/Makefile.ssl b/crypto/engine/Makefile.ssl index a34ce9da1..a9a50716d 100644 --- a/crypto/engine/Makefile.ssl +++ b/crypto/engine/Makefile.ssl @@ -28,13 +28,13 @@ LIBSRC= eng_err.c eng_lib.c eng_list.c eng_init.c eng_ctrl.c \ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_rand.c tb_cipher.c tb_digest.c tb_ecdh.c \ eng_openssl.c eng_dyn.c eng_cnf.c \ hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \ - hw_openbsd_dev_crypto.c hw_aep.c hw_sureware.c hw_4758_cca.c + hw_cryptodev.c hw_aep.c hw_sureware.c hw_4758_cca.c LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \ eng_table.o eng_pkey.o eng_fat.o eng_all.o \ tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_rand.o tb_cipher.o tb_digest.o tb_ecdh.o \ eng_openssl.o eng_dyn.o eng_cnf.o \ hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \ - hw_openbsd_dev_crypto.o hw_aep.o hw_sureware.o hw_4758_cca.o + hw_cryptodev.o hw_aep.o hw_sureware.o hw_4758_cca.o SRC= $(LIBSRC) diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c index b3030fe50..e4d48dae8 100644 --- a/crypto/engine/eng_all.c +++ b/crypto/engine/eng_all.c @@ -95,8 +95,19 @@ void ENGINE_load_builtin_engines(void) #ifndef OPENSSL_NO_HW_4758_CCA ENGINE_load_4758cca(); #endif -#ifdef OPENSSL_OPENBSD_DEV_CRYPTO - ENGINE_load_openbsd_dev_crypto(); +#ifdef __OpenBSD__ + ENGINE_load_cryptodev(); #endif #endif } + +#ifdef __OpenBSD__ +void ENGINE_setup_openbsd(void) { + static int openbsd_default_loaded = 0; + if (!openbsd_default_loaded) { + ENGINE_load_cryptodev(); + ENGINE_register_all_complete(); + } + openbsd_default_loaded=1; +} +#endif diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 50638d4b0..7bc5b4f49 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -326,7 +326,7 @@ void ENGINE_load_ubsec(void); void ENGINE_load_aep(void); void ENGINE_load_sureware(void); void ENGINE_load_4758cca(void); -void ENGINE_load_openbsd_dev_crypto(void); +void ENGINE_load_cryptodev(void); void ENGINE_load_builtin_engines(void); /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation diff --git a/crypto/engine/hw_cryptodev.c b/crypto/engine/hw_cryptodev.c new file mode 100644 index 000000000..df887b03d --- /dev/null +++ b/crypto/engine/hw_cryptodev.c @@ -0,0 +1,1117 @@ +/* + * Copyright (c) 2002 Bob Beck + * Copyright (c) 2002 Theo de Raadt + * Copyright (c) 2002 Markus Friedl + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the author nor the names of contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include +#include +#include + +#ifndef __OpenBSD__ + +void +ENGINE_load_cryptodev(void) +{ + /* This is a NOP unless __OpenBSD__ is defined */ + return; +} + +#else /* __OpenBSD__ */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct dev_crypto_state { + struct session_op d_sess; + int d_fd; +}; + +static u_int32_t cryptodev_asymfeat = 0; + +static int get_asym_dev_crypto(void); +static int open_dev_crypto(void); +static int get_dev_crypto(void); +static int cryptodev_max_iv(int cipher); +static int cryptodev_key_length_valid(int cipher, int len); +static int cipher_nid_to_cryptodev(int nid); +static int get_cryptodev_ciphers(const int **cnids); +static int get_cryptodev_digests(const int **cnids); +static int cryptodev_usable_ciphers(const int **nids); +static int cryptodev_usable_digests(const int **nids); +static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl); +static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc); +static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx); +static int cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid); +static int cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, + const int **nids, int nid); +static int bn2crparam(const BIGNUM *a, struct crparam *crp); +static int crparam2bn(struct crparam *crp, BIGNUM *a); +static void zapparams(struct crypt_kop *kop); +static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, + int slen, BIGNUM *s); + +static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, + RSA *rsa); +static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa); +static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +static int cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont); +static DSA_SIG *cryptodev_dsa_do_sign(const unsigned char *dgst, + int dlen, DSA *dsa); +static int cryptodev_dsa_verify(const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); +static int cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx); +static int cryptodev_dh_compute_key(unsigned char *key, + const BIGNUM *pub_key, DH *dh); +static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, + void (*f)()); +void ENGINE_load_cryptodev(void); + +static const ENGINE_CMD_DEFN cryptodev_defns[] = { + { 0, NULL, NULL, 0 } +}; + +static struct { + int id; + int nid; + int ivmax; + int keylen; +} ciphers[] = { + { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, + { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, + { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, + { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, + { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, + { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, + { 0, NID_undef, 0, 0, }, +}; + +static struct { + int id; + int nid; +} digests[] = { + { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, }, + { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, }, + { CRYPTO_MD5_KPDK, NID_undef, }, + { CRYPTO_SHA1_KPDK, NID_undef, }, + { CRYPTO_MD5, NID_md5, }, + { CRYPTO_SHA1, NID_undef, }, + { 0, NID_undef, }, +}; + +/* + * Return a fd if /dev/crypto seems usable, 0 otherwise. + */ +static int +open_dev_crypto(void) +{ + static int fd = -1; + + if (fd == -1) { + if ((fd = open("/dev/crypto", O_RDWR, 0)) == -1) + return (-1); + /* close on exec */ + if (fcntl(fd, F_SETFD, 1) == -1) { + close(fd); + fd = -1; + return (-1); + } + } + return (fd); +} + +static int +get_dev_crypto(void) +{ + int fd, retfd; + + if ((fd = open_dev_crypto()) == -1) + return (-1); + if (ioctl(fd, CRIOGET, &retfd) == -1) + return (-1); + + /* close on exec */ + if (fcntl(retfd, F_SETFD, 1) == -1) { + close(retfd); + return (-1); + } + return (retfd); +} + +/* Caching version for asym operations */ +static int +get_asym_dev_crypto(void) +{ + static int fd = -1; + + if (fd == -1) + fd = get_dev_crypto(); + return fd; +} + +/* + * XXXX this needs to be set for each alg - and determined from + * a running card. + */ +static int +cryptodev_max_iv(int cipher) +{ + int i; + + for (i = 0; ciphers[i].id; i++) + if (ciphers[i].id == cipher) + return (ciphers[i].ivmax); + return (0); +} + +/* + * XXXX this needs to be set for each alg - and determined from + * a running card. For now, fake it out - but most of these + * for real devices should return 1 for the supported key + * sizes the device can handle. + */ +static int +cryptodev_key_length_valid(int cipher, int len) +{ + int i; + + for (i = 0; ciphers[i].id; i++) + if (ciphers[i].id == cipher) + return (ciphers[i].keylen == len); + return (0); +} + +/* convert libcrypto nids to cryptodev */ +static int +cipher_nid_to_cryptodev(int nid) +{ + int i; + + for (i = 0; ciphers[i].id; i++) + if (ciphers[i].nid == nid) + return (ciphers[i].id); + return (0); +} + +/* + * Find out what ciphers /dev/crypto will let us have a session for. + * XXX note, that some of these openssl doesn't deal with yet! + * returning them here is harmless, as long as we return NULL + * when asked for a handler in the cryptodev_engine_ciphers routine + */ +static int +get_cryptodev_ciphers(const int **cnids) +{ + static int nids[CRYPTO_ALGORITHM_MAX]; + struct session_op sess; + int fd, i, count = 0; + + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } + memset(&sess, 0, sizeof(sess)); + sess.key = (caddr_t)"123456781234567812345678"; + + for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { + if (ciphers[i].nid == NID_undef) + continue; + sess.cipher = ciphers[i].id; + sess.keylen = ciphers[i].keylen; + sess.mac = 0; + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) + nids[count++] = ciphers[i].nid; + } + close(fd); + + if (count > 0) + *cnids = nids; + else + *cnids = NULL; + return (count); +} + +/* + * Find out what digests /dev/crypto will let us have a session for. + * XXX note, that some of these openssl doesn't deal with yet! + * returning them here is harmless, as long as we return NULL + * when asked for a handler in the cryptodev_engine_digests routine + */ +static int +get_cryptodev_digests(const int **cnids) +{ + static int nids[CRYPTO_ALGORITHM_MAX]; + struct session_op sess; + int fd, i, count = 0; + + if ((fd = get_dev_crypto()) < 0) { + *nids = NULL; + return (0); + } + memset(&sess, 0, sizeof(sess)); + for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { + if (digests[i].nid == NID_undef) + continue; + sess.mac = digests[i].id; + sess.cipher = 0; + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) + nids[count++] = digests[i].nid; + } + close(fd); + + if (count > 0) + *cnids = nids; + else + *cnids = NULL; + return (count); +} + +/* + * Find the useable ciphers|digests from dev/crypto - this is the first + * thing called by the engine init crud which determines what it + * can use for ciphers from this engine. We want to return + * only what we can do, anythine else is handled by software. + * + * If we can't initialize the device to do anything useful for + * any reason, we want to return a NULL array, and 0 length, + * which forces everything to be done is software. By putting + * the initalization of the device in here, we ensure we can + * use this engine as the default, and if for whatever reason + * /dev/crypto won't do what we want it will just be done in + * software + * + * This can (should) be greatly expanded to perhaps take into + * account speed of the device, and what we want to do. + * (although the disabling of particular alg's could be controlled + * by the device driver with sysctl's.) - this is where we + * want most of the decisions made about what we actually want + * to use from /dev/crypto. + */ +static int +cryptodev_usable_ciphers(const int **nids) +{ + return (get_cryptodev_ciphers(nids)); +} + +static int +cryptodev_usable_digests(const int **nids) +{ + /* + * XXXX just disable all digests for now, because it sucks. + * we need a better way to decide this - i.e. I may not + * want digests on slow cards like hifn on fast machines, + * but might want them on slow or loaded machines, etc. + * will also want them when using crypto cards that don't + * suck moose gonads - would be nice to be able to decide something + * as reasonable default without having hackery that's card dependent. + * of course, the default should probably be just do everything, + * with perhaps a sysctl to turn algoritms off (or have them off + * by default) on cards that generally suck like the hifn. + */ + *nids = NULL; + return (0); +} + +static int +cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, unsigned int inl) +{ + struct crypt_op cryp; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + void *iiv; + unsigned char save_iv[EVP_MAX_IV_LENGTH]; + + if (state->d_fd < 0) + return (0); + if (!inl) + return (1); + if ((inl % ctx->cipher->block_size) != 0) + return (0); + + memset(&cryp, 0, sizeof(cryp)); + + cryp.ses = sess->ses; + cryp.flags = 0; + cryp.len = inl; + cryp.src = (caddr_t) in; + cryp.dst = (caddr_t) out; + cryp.mac = 0; + + cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; + + if (ctx->cipher->iv_len) { + cryp.iv = (caddr_t) ctx->iv; + if (!ctx->encrypt) { + iiv = (void *) in + inl - ctx->cipher->iv_len; + memcpy(save_iv, iiv, ctx->cipher->iv_len); + } + } else + cryp.iv = NULL; + + if (ioctl(state->d_fd, CIOCCRYPT, &cryp) == -1) { + /* XXX need better errror handling + * this can fail for a number of different reasons. + */ + return (0); + } + + if (ctx->cipher->iv_len) { + if (ctx->encrypt) + iiv = (void *) out + inl - ctx->cipher->iv_len; + else + iiv = save_iv; + memcpy(ctx->iv, iiv, ctx->cipher->iv_len); + } + return (1); +} + +static int +cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + int cipher; + + if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) + return (0); + + if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) + return (0); + + if (!cryptodev_key_length_valid(cipher, ctx->key_len)) + return (0); + + memset(sess, 0, sizeof(struct session_op)); + + if ((state->d_fd = get_dev_crypto()) < 0) + return (0); + + sess->key = (unsigned char *)key; + sess->keylen = ctx->key_len; + sess->cipher = cipher; + + if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { + close(state->d_fd); + state->d_fd = -1; + return (0); + } + return (1); +} + +/* + * free anything we allocated earlier when initting a + * session, and close the session. + */ +static int +cryptodev_cleanup(EVP_CIPHER_CTX *ctx) +{ + int ret = 0; + struct dev_crypto_state *state = ctx->cipher_data; + struct session_op *sess = &state->d_sess; + + if (state->d_fd < 0) + return (0); + + /* XXX if this ioctl fails, someting's wrong. the invoker + * may have called us with a bogus ctx, or we could + * have a device that for whatever reason just doesn't + * want to play ball - it's not clear what's right + * here - should this be an error? should it just + * increase a counter, hmm. For right now, we return + * 0 - I don't believe that to be "right". we could + * call the gorpy openssl lib error handlers that + * print messages to users of the library. hmm.. + */ + + if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) == -1) { + ret = 0; + } else { + ret = 1; + } + close(state->d_fd); + state->d_fd = -1; + + return (ret); +} + +/* + * libcrypto EVP stuff - this is how we get wired to EVP so the engine + * gets called when libcrypto requests a cipher NID. + */ + +/* DES CBC EVP */ +const EVP_CIPHER cryptodev_des_cbc = { + NID_des_cbc, + 8, 8, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +/* 3DES CBC EVP */ +const EVP_CIPHER cryptodev_3des_cbc = { + NID_des_ede3_cbc, + 8, 24, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_bf_cbc = { + NID_bf_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_cast_cbc = { + NID_cast5_cbc, + 8, 16, 8, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +const EVP_CIPHER cryptodev_aes_cbc = { + NID_aes_128_cbc, + 16, 16, 16, + EVP_CIPH_CBC_MODE, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, + NULL +}; + +/* + * Registered by the ENGINE when used to find out how to deal with + * a particular NID in the ENGINE. this says what we'll do at the + * top level - note, that list is restricted by what we answer with + */ +static int +cryptodev_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + const int **nids, int nid) +{ + if (!cipher) + return (cryptodev_usable_ciphers(nids)); + + switch (nid) { + case NID_des_ede3_cbc: + *cipher = &cryptodev_3des_cbc; + break; + case NID_des_cbc: + *cipher = &cryptodev_des_cbc; + break; + case NID_bf_cbc: + *cipher = &cryptodev_bf_cbc; + break; + case NID_cast5_cbc: + *cipher = &cryptodev_cast_cbc; + break; + case NID_aes_128_cbc: + *cipher = &cryptodev_aes_cbc; + break; + default: + *cipher = NULL; + break; + } + return (*cipher != NULL); +} + +static int +cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, + const int **nids, int nid) +{ + if (!digest) + return (cryptodev_usable_digests(nids)); + + switch (nid) { + case NID_md5: + *digest = NULL; /* need to make a clean md5 critter */ + break; + default: + *digest = NULL; + break; + } + return (*digest != NULL); +} + +/* + * Convert a BIGNUM to the representation that /dev/crypto needs. + * Upon completion of use, the caller is responsible for freeing + * crp->crp_p. + */ +static int +bn2crparam(const BIGNUM *a, struct crparam *crp) +{ + int i, j, k; + ssize_t words, bytes, bits; + u_char *b; + + crp->crp_p = NULL; + crp->crp_nbits = 0; + + bits = BN_num_bits(a); + bytes = (bits + 7) / 8; + + b = malloc(bytes); + if (b == NULL) + return (1); + + crp->crp_p = b; + crp->crp_nbits = bits; + + for (i = 0, j = 0; i < a->top; i++) { + for (k = 0; k < BN_BITS2 / 8; k++) { + if ((j + k) >= bytes) + return (0); + b[j + k] = a->d[i] >> (k * 8); + } + j += BN_BITS2 / 8; + } + return (0); +} + +/* Convert a /dev/crypto parameter to a BIGNUM */ +static int +crparam2bn(struct crparam *crp, BIGNUM *a) +{ + u_int8_t *pd; + int i, bytes; + + bytes = (crp->crp_nbits + 7) / 8; + + if (bytes == 0) + return (-1); + + if ((pd = (u_int8_t *) malloc(bytes)) == NULL) + return (-1); + + for (i = 0; i < bytes; i++) + pd[i] = crp->crp_p[bytes - i - 1]; + + BN_bin2bn(pd, bytes, a); + free(pd); + + return (0); +} + +static void +zapparams(struct crypt_kop *kop) +{ + int i; + + for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) { + if (kop->crk_param[i].crp_p) + free(kop->crk_param[i].crp_p); + kop->crk_param[i].crp_p = NULL; + kop->crk_param[i].crp_nbits = 0; + } +} + +static int +cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r, int slen, BIGNUM *s) +{ + int fd, ret = -1; + + if ((fd = get_asym_dev_crypto()) < 0) + return (ret); + + if (r) { + kop->crk_param[kop->crk_iparams].crp_p = calloc(rlen, sizeof(char)); + kop->crk_param[kop->crk_iparams].crp_nbits = rlen * 8; + kop->crk_oparams++; + } + if (s) { + kop->crk_param[kop->crk_iparams+1].crp_p = calloc(slen, sizeof(char)); + kop->crk_param[kop->crk_iparams+1].crp_nbits = slen * 8; + kop->crk_oparams++; + } + + if (ioctl(fd, CIOCKEY, kop) == 0) { + if (r) + crparam2bn(&kop->crk_param[kop->crk_iparams], r); + if (s) + crparam2bn(&kop->crk_param[kop->crk_iparams+1], s); + ret = 0; + } + + return (ret); +} + +static int +cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + struct crypt_kop kop; + int ret = 1; + + /* Currently, we know we can do mod exp iff we can do any + * asymmetric operations at all. + */ + if (cryptodev_asymfeat == 0) { + ret = BN_mod_exp(r, a, p, m, ctx); + return (ret); + } + + memset(&kop, 0, sizeof kop); + kop.crk_op = CRK_MOD_EXP; + + /* inputs: a^p % m */ + if (bn2crparam(a, &kop.crk_param[0])) + goto err; + if (bn2crparam(p, &kop.crk_param[1])) + goto err; + if (bn2crparam(m, &kop.crk_param[2])) + goto err; + kop.crk_iparams = 3; + + if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) { + const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); + ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont); + } +err: + zapparams(&kop); + return (ret); +} + +static int +cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +{ + int r; + BN_CTX *ctx; + + ctx = BN_CTX_new(); + r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL); + BN_CTX_free(ctx); + return (r); +} + +static int +cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa) +{ + struct crypt_kop kop; + int ret = 1; + + if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) { + /* XXX 0 means failure?? */ + return (0); + } + + memset(&kop, 0, sizeof kop); + kop.crk_op = CRK_MOD_EXP_CRT; + /* inputs: rsa->p rsa->q I rsa->dmp1 rsa->dmq1 rsa->iqmp */ + if (bn2crparam(rsa->p, &kop.crk_param[0])) + goto err; + if (bn2crparam(rsa->q, &kop.crk_param[1])) + goto err; + if (bn2crparam(I, &kop.crk_param[2])) + goto err; + if (bn2crparam(rsa->dmp1, &kop.crk_param[3])) + goto err; + if (bn2crparam(rsa->dmq1, &kop.crk_param[4])) + goto err; + if (bn2crparam(rsa->iqmp, &kop.crk_param[5])) + goto err; + kop.crk_iparams = 6; + + if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) { + const RSA_METHOD *meth = RSA_PKCS1_SSLeay(); + ret = (*meth->rsa_mod_exp)(r0, I, rsa); + } +err: + zapparams(&kop); + return (ret); +} + +static RSA_METHOD cryptodev_rsa = { + "cryptodev RSA method", + NULL, /* rsa_pub_enc */ + NULL, /* rsa_pub_dec */ + NULL, /* rsa_priv_enc */ + NULL, /* rsa_priv_dec */ + NULL, + NULL, + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL, /* app_data */ + NULL, /* rsa_sign */ + NULL /* rsa_verify */ +}; + +static int +cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx) +{ + return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); +} + +static int +cryptodev_dsa_dsa_mod_exp(DSA *dsa, BIGNUM *t1, BIGNUM *g, + BIGNUM *u1, BIGNUM *pub_key, BIGNUM *u2, BIGNUM *p, + BN_CTX *ctx, BN_MONT_CTX *mont) +{ + BIGNUM t2; + int ret = 0; + + BN_init(&t2); + + /* v = ( g^u1 * y^u2 mod p ) mod q */ + /* let t1 = g ^ u1 mod p */ + ret = 0; + + if (!dsa->meth->bn_mod_exp(dsa,t1,dsa->g,u1,dsa->p,ctx,mont)) + goto err; + + /* let t2 = y ^ u2 mod p */ + if (!dsa->meth->bn_mod_exp(dsa,&t2,dsa->pub_key,u2,dsa->p,ctx,mont)) + goto err; + /* let u1 = t1 * t2 mod p */ + if (!BN_mod_mul(u1,t1,&t2,dsa->p,ctx)) + goto err; + + BN_copy(t1,u1); + + ret = 1; +err: + BN_free(&t2); + return(ret); +} + +static DSA_SIG * +cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) +{ + struct crypt_kop kop; + BIGNUM *r = NULL, *s = NULL; + DSA_SIG *dsaret = NULL; + + if ((r = BN_new()) == NULL) + goto err; + if ((s = BN_new()) == NULL) { + BN_free(r); + goto err; + } + + printf("bar\n"); + memset(&kop, 0, sizeof kop); + kop.crk_op = CRK_DSA_SIGN; + + /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ + kop.crk_param[0].crp_p = (caddr_t)dgst; + kop.crk_param[0].crp_nbits = dlen * 8; + if (bn2crparam(dsa->p, &kop.crk_param[1])) + goto err; + if (bn2crparam(dsa->q, &kop.crk_param[2])) + goto err; + if (bn2crparam(dsa->g, &kop.crk_param[3])) + goto err; + if (bn2crparam(dsa->priv_key, &kop.crk_param[4])) + goto err; + kop.crk_iparams = 5; + + if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r, + BN_num_bytes(dsa->q), s) == 0) { + dsaret = DSA_SIG_new(); + dsaret->r = r; + dsaret->s = s; + } else { + const DSA_METHOD *meth = DSA_OpenSSL(); + BN_free(r); + BN_free(s); + dsaret = (meth->dsa_do_sign)(dgst, dlen, dsa); + } +err: + kop.crk_param[0].crp_p = NULL; + zapparams(&kop); + return (dsaret); +} + +static int +cryptodev_dsa_verify(const unsigned char *dgst, int dlen, + DSA_SIG *sig, DSA *dsa) +{ + struct crypt_kop kop; + int dsaret = 1; + + memset(&kop, 0, sizeof kop); + kop.crk_op = CRK_DSA_VERIFY; + + /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ + kop.crk_param[0].crp_p = (caddr_t)dgst; + kop.crk_param[0].crp_nbits = dlen * 8; + if (bn2crparam(dsa->p, &kop.crk_param[1])) + goto err; + if (bn2crparam(dsa->q, &kop.crk_param[2])) + goto err; + if (bn2crparam(dsa->g, &kop.crk_param[3])) + goto err; + if (bn2crparam(dsa->pub_key, &kop.crk_param[4])) + goto err; + if (bn2crparam(sig->r, &kop.crk_param[5])) + goto err; + if (bn2crparam(sig->s, &kop.crk_param[6])) + goto err; + kop.crk_iparams = 7; + + if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) { + dsaret = kop.crk_status; + } else { + const DSA_METHOD *meth = DSA_OpenSSL(); + + dsaret = (meth->dsa_do_verify)(dgst, dlen, sig, dsa); + } +err: + kop.crk_param[0].crp_p = NULL; + zapparams(&kop); + return (dsaret); +} + +static DSA_METHOD cryptodev_dsa = { + "cryptodev DSA method", + NULL, + NULL, /* dsa_sign_setup */ + NULL, + NULL, /* dsa_mod_exp */ + NULL, + NULL, /* init */ + NULL, /* finish */ + 0, /* flags */ + NULL /* app_data */ +}; + +static int +cryptodev_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a, + const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx) +{ + return (cryptodev_bn_mod_exp(r, a, p, m, ctx, m_ctx)); +} + +static int +cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) +{ + struct crypt_kop kop; + int dhret = 1; + int fd, keylen; + + if ((fd = get_asym_dev_crypto()) < 0) { + const DH_METHOD *meth = DH_OpenSSL(); + + return ((meth->compute_key)(key, pub_key, dh)); + } + + keylen = BN_num_bits(dh->p); + + memset(&kop, 0, sizeof kop); + kop.crk_op = CRK_DH_COMPUTE_KEY; + + /* inputs: dh->priv_key pub_key dh->p key */ + if (bn2crparam(dh->priv_key, &kop.crk_param[0])) + goto err; + if (bn2crparam(pub_key, &kop.crk_param[1])) + goto err; + if (bn2crparam(dh->p, &kop.crk_param[2])) + goto err; + kop.crk_iparams = 3; + + kop.crk_param[3].crp_p = key; + kop.crk_param[3].crp_nbits = keylen * 8; + kop.crk_oparams = 1; + + if (ioctl(fd, CIOCKEY, &kop) == -1) { + const DH_METHOD *meth = DH_OpenSSL(); + + dhret = (meth->compute_key)(key, pub_key, dh); + } +err: + kop.crk_param[3].crp_p = NULL; + zapparams(&kop); + return (dhret); +} + +static DH_METHOD cryptodev_dh = { + "cryptodev DH method", + NULL, /* cryptodev_dh_generate_key */ + NULL, + NULL, + NULL, + NULL, + 0, /* flags */ + NULL /* app_data */ +}; + +/* + * ctrl right now is just a wrapper that doesn't do much + * but I expect we'll want some options soon. + */ +static int +cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) +{ + struct syslog_data sd = SYSLOG_DATA_INIT; + + switch (cmd) { + default: + syslog_r(LOG_ERR, &sd, + "cryptodev_ctrl: unknown command %d", cmd); + break; + } + return (1); +} + +void +ENGINE_load_cryptodev(void) +{ + ENGINE *engine = ENGINE_new(); + int fd; + + if (engine == NULL) + return; + if ((fd = get_dev_crypto()) < 0) + return; + + /* + * find out what asymmetric crypto algorithms we support + */ + if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) { + close(fd); + return; + } + close(fd); + + if (!ENGINE_set_id(engine, "cryptodev") || + !ENGINE_set_name(engine, "OpenBSD cryptodev engine") || + !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || + !ENGINE_set_digests(engine, cryptodev_engine_digests) || + !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || + !ENGINE_set_cmd_defns(engine, cryptodev_defns)) { + ENGINE_free(engine); + return; + } + + if (ENGINE_set_RSA(engine, &cryptodev_rsa)) { + const RSA_METHOD *rsa_meth = RSA_PKCS1_SSLeay(); + + cryptodev_rsa.bn_mod_exp = rsa_meth->bn_mod_exp; + cryptodev_rsa.rsa_mod_exp = rsa_meth->rsa_mod_exp; + cryptodev_rsa.rsa_pub_enc = rsa_meth->rsa_pub_enc; + cryptodev_rsa.rsa_pub_dec = rsa_meth->rsa_pub_dec; + cryptodev_rsa.rsa_priv_enc = rsa_meth->rsa_priv_enc; + cryptodev_rsa.rsa_priv_dec = rsa_meth->rsa_priv_dec; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_rsa.bn_mod_exp = cryptodev_bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP_CRT) + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_mod_exp; + else + cryptodev_rsa.rsa_mod_exp = + cryptodev_rsa_nocrt_mod_exp; + } + } + + if (ENGINE_set_DSA(engine, &cryptodev_dsa)) { + const DSA_METHOD *meth = DSA_OpenSSL(); + + memcpy(&cryptodev_dsa, meth, sizeof(DSA_METHOD)); + if (cryptodev_asymfeat & CRF_DSA_SIGN) + cryptodev_dsa.dsa_do_sign = cryptodev_dsa_do_sign; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dsa.bn_mod_exp = cryptodev_dsa_bn_mod_exp; + cryptodev_dsa.dsa_mod_exp = cryptodev_dsa_dsa_mod_exp; + } + if (cryptodev_asymfeat & CRF_DSA_VERIFY) + cryptodev_dsa.dsa_do_verify = cryptodev_dsa_verify; + } + + if (ENGINE_set_DH(engine, &cryptodev_dh)){ + const DH_METHOD *dh_meth = DH_OpenSSL(); + + cryptodev_dh.generate_key = dh_meth->generate_key; + cryptodev_dh.compute_key = dh_meth->compute_key; + cryptodev_dh.bn_mod_exp = dh_meth->bn_mod_exp; + if (cryptodev_asymfeat & CRF_MOD_EXP) { + cryptodev_dh.bn_mod_exp = cryptodev_mod_exp_dh; + if (cryptodev_asymfeat & CRF_DH_COMPUTE_KEY) + cryptodev_dh.compute_key = + cryptodev_dh_compute_key; + } + } + + ENGINE_add(engine); + ENGINE_free(engine); + ERR_clear_error(); +} + +#endif /* __OpenBSD__ */ diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index 2d3e57c4f..1bd54d791 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -73,4 +73,7 @@ void OPENSSL_add_all_algorithms_noconf(void) { OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); +#ifdef __OpenBSD__ + ENGINE_setup_openbsd(); +#endif } diff --git a/util/libeay.num b/util/libeay.num index 4b96ca8bf..3b2b6048d 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2049,7 +2049,7 @@ SXNET_it 2613 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI UI_dup_input_boolean 2614 EXIST::FUNCTION: PKCS12_add_CSPName_asc 2615 EXIST::FUNCTION: EC_POINT_is_at_infinity 2616 EXIST::FUNCTION:EC -ENGINE_load_openbsd_dev_crypto 2617 EXIST::FUNCTION: +ENGINE_load_cryptodev 2617 EXIST::FUNCTION: DSO_convert_filename 2618 EXIST::FUNCTION: POLICYQUALINFO_it 2619 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: POLICYQUALINFO_it 2619 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: From 20b33a015f1ea8b0927aa5057d2e6abe053b902f Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 2 Oct 2002 00:22:44 +0000 Subject: [PATCH 15/49] Removal missing --- crypto/engine/hw_openbsd_dev_crypto.c | 594 -------------------------- 1 file changed, 594 deletions(-) delete mode 100644 crypto/engine/hw_openbsd_dev_crypto.c diff --git a/crypto/engine/hw_openbsd_dev_crypto.c b/crypto/engine/hw_openbsd_dev_crypto.c deleted file mode 100644 index b8aab545d..000000000 --- a/crypto/engine/hw_openbsd_dev_crypto.c +++ /dev/null @@ -1,594 +0,0 @@ -/* Written by Ben Laurie August 2001 */ -/* ==================================================================== - * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include "eng_int.h" -/* Maybe this is needed? ... */ -#ifdef FLAT_INC -#include "evp_locl.h" -#else -#include "../evp/evp_locl.h" -#endif -#include - -#ifndef OPENSSL_OPENBSD_DEV_CRYPTO - -void ENGINE_load_openbsd_dev_crypto(void) - { - /* This is a NOP unless OPENSSL_OPENBSD_DEV_CRYPTO is defined */ - return; - } - -#else /* OPENSSL_OPENBSD_DEV_CRYPTO */ - -#include -#include -#include -#include -#include -#include - -#include - -/****************************************************/ -/* Declare the normal generic ENGINE stuff here ... */ - -static int dev_crypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - const int **nids, int nid); -static int dev_crypto_digests(ENGINE *e, const EVP_MD **digest, - const int **nids, int nid); - -static const char dev_crypto_id[] = "openbsd_dev_crypto"; -static const char dev_crypto_name[] = "OpenBSD /dev/crypto"; - -static long allow_misaligned; - -#define DEV_CRYPTO_CMD_ALLOW_MISALIGNED ENGINE_CMD_BASE -static const ENGINE_CMD_DEFN dev_crypto_cmd_defns[]= - { - { DEV_CRYPTO_CMD_ALLOW_MISALIGNED, - "allow_misaligned", - "Permit misaligned data to be used", - ENGINE_CMD_FLAG_NUMERIC }, - { 0, NULL, NULL, 0 } - }; - -static int dev_crypto_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)()) - { - switch(cmd) - { - case DEV_CRYPTO_CMD_ALLOW_MISALIGNED: - allow_misaligned=i; - printf("allow misaligned=%ld\n",allow_misaligned); - break; - } - - return 1; - } - -static ENGINE *engine_openbsd_dev_crypto(void) - { - ENGINE *engine=ENGINE_new(); - - if(!ENGINE_set_id(engine, dev_crypto_id) || - !ENGINE_set_name(engine, dev_crypto_name) || - !ENGINE_set_ciphers(engine, dev_crypto_ciphers) || - !ENGINE_set_digests(engine, dev_crypto_digests) || - !ENGINE_set_ctrl_function(engine, dev_crypto_ctrl) || - !ENGINE_set_cmd_defns(engine, dev_crypto_cmd_defns)) - { - ENGINE_free(engine); - return NULL; - } - - return engine; - } - -void ENGINE_load_openbsd_dev_crypto(void) - { - /* Copied from eng_[openssl|dyn].c */ - ENGINE *toadd = engine_openbsd_dev_crypto(); - if(!toadd) return; - ENGINE_add(toadd); - ENGINE_free(toadd); - ERR_clear_error(); - } - -/******************************************************************************/ -/* Clip in the stuff from crypto/evp/openbsd_hw.c here. NB: What has changed? */ -/* I've removed the exposed EVP_*** functions, they're accessed through the */ -/* "dev_crypto_[ciphers|digests]" handlers. I've also moved the EVP_CIPHER */ -/* and EVP_MD structures to the bottom where they are close to the handlers */ -/* that expose them. What should be done? The global data (file-descriptors, */ -/* etc) should be put into ENGINE's ex_data support, and per-context data */ -/* (also file-descriptors perhaps) should be put into the contexts. Also code */ -/* formatting, fprintf statements, and OpenSSL-style error handling should be */ -/* added (dynamically, like the other ENGINEs). Also, "dynamic" support */ -/* be added to this ENGINE once it's up and running so that it could be built */ -/* as a shared-library. What else? device initialisation should take place */ -/* inside an ENGINE 'init()' handler (and likewise 'finish()'). ciphers and */ -/* digests won't be used by the framework unless the ENGINE has been */ -/* successfully initialised (that's one of the things you get for free) so */ -/* initialisation, including returning failure if device setup fails, can be */ -/* handled quite cleanly. This could presumably handle the opening (and then */ -/* closing inside 'finish()') of the 'cryptodev_fd' file-descriptor). */ - -/* longest key supported in hardware */ -#define MAX_HW_KEY 24 -#define MAX_HW_IV 8 - -#define MD5_DIGEST_LENGTH 16 -#define MD5_CBLOCK 64 - -static int fd; -static int dev_failed; - -typedef struct session_op session_op; - -#define CDATA(ctx) EVP_C_DATA(session_op,ctx) - -static void err(const char *str) - { - fprintf(stderr,"%s: errno %d\n",str,errno); - } - -static int dev_crypto_init(session_op *ses) - { - if(dev_failed) - return 0; - if(!fd) - { - int cryptodev_fd; - - if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0) - { - err("/dev/crypto"); - dev_failed=1; - return 0; - } - if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1) - { - err("CRIOGET failed"); - close(cryptodev_fd); - dev_failed=1; - return 0; - } - close(cryptodev_fd); - } - assert(ses); - memset(ses,'\0',sizeof *ses); - - return 1; - } - -static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx) - { - fprintf(stderr,"cleanup %d\n",CDATA(ctx)->ses); - if(ioctl(fd,CIOCFSESSION,&CDATA(ctx)->ses) == -1) - err("CIOCFSESSION failed"); - - OPENSSL_free(CDATA(ctx)->key); - - return 1; - } - -static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx,int cipher, - const unsigned char *key,int klen) - { - if(!dev_crypto_init(CDATA(ctx))) - return 0; - - CDATA(ctx)->key=OPENSSL_malloc(MAX_HW_KEY); - - assert(ctx->cipher->iv_len <= MAX_HW_IV); - - memcpy(CDATA(ctx)->key,key,klen); - - CDATA(ctx)->cipher=cipher; - CDATA(ctx)->keylen=klen; - - if (ioctl(fd,CIOCGSESSION,CDATA(ctx)) == -1) - { - err("CIOCGSESSION failed"); - return 0; - } - return 1; - } - -static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, - const unsigned char *in,unsigned int inl) - { - struct crypt_op cryp; - unsigned char lb[MAX_HW_IV]; - - if(!inl) - return 1; - - assert(CDATA(ctx)); - assert(!dev_failed); - - memset(&cryp,'\0',sizeof cryp); - cryp.ses=CDATA(ctx)->ses; - cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; - cryp.flags=0; - cryp.len=inl; - assert((inl&(ctx->cipher->block_size-1)) == 0); - cryp.src=(caddr_t)in; - cryp.dst=(caddr_t)out; - cryp.mac=0; - if(ctx->cipher->iv_len) - cryp.iv=(caddr_t)ctx->iv; - - if(!ctx->encrypt) - memcpy(lb,&in[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len); - - if(ioctl(fd, CIOCCRYPT, &cryp) == -1) - { - if(errno == EINVAL) /* buffers are misaligned */ - { - unsigned int cinl=0; - char *cin=NULL; - char *cout=NULL; - - /* NB: this can only make cinl != inl with stream ciphers */ - cinl=(inl+3)/4*4; - - if(((unsigned long)in&3) || cinl != inl) - { - cin=OPENSSL_malloc(cinl); - memcpy(cin,in,inl); - cryp.src=cin; - } - - if(((unsigned long)out&3) || cinl != inl) - { - cout=OPENSSL_malloc(cinl); - cryp.dst=cout; - } - - cryp.len=cinl; - - if(ioctl(fd, CIOCCRYPT, &cryp) == -1) - { - err("CIOCCRYPT(2) failed"); - printf("src=%p dst=%p\n",cryp.src,cryp.dst); - abort(); - return 0; - } - - if(cout) - { - memcpy(out,cout,inl); - OPENSSL_free(cout); - } - if(cin) - OPENSSL_free(cin); - } - else - { - err("CIOCCRYPT failed"); - abort(); - return 0; - } - } - - if(ctx->encrypt) - memcpy(ctx->iv,&out[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len); - else - memcpy(ctx->iv,lb,ctx->cipher->iv_len); - - return 1; - } - -static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx, - const unsigned char *key, - const unsigned char *iv, int enc) - { return dev_crypto_init_key(ctx,CRYPTO_3DES_CBC,key,24); } - -static int dev_crypto_rc4_init_key(EVP_CIPHER_CTX *ctx, - const unsigned char *key, - const unsigned char *iv, int enc) - { return dev_crypto_init_key(ctx,CRYPTO_ARC4,key,16); } - -typedef struct - { - session_op sess; - char *data; - int len; - unsigned char md[EVP_MAX_MD_SIZE]; - } MD_DATA; - -static int dev_crypto_init_digest(MD_DATA *md_data,int mac) - { - if(!dev_crypto_init(&md_data->sess)) - return 0; - - md_data->len=0; - md_data->data=NULL; - - md_data->sess.mac=mac; - - if (ioctl(fd,CIOCGSESSION,&md_data->sess) == -1) - { - err("CIOCGSESSION failed"); - return 0; - } - fprintf(stderr,"opened %d\n",md_data->sess.ses); - return 1; - } - -static int dev_crypto_cleanup_digest(MD_DATA *md_data) - { - fprintf(stderr,"cleanup %d\n",md_data->sess.ses); - if (ioctl(fd,CIOCFSESSION,&md_data->sess.ses) == -1) - { - err("CIOCFSESSION failed"); - return 0; - } - - return 1; - } - -/* FIXME: if device can do chained MACs, then don't accumulate */ -/* FIXME: move accumulation to the framework */ -static int dev_crypto_md5_init(EVP_MD_CTX *ctx) - { return dev_crypto_init_digest(ctx->md_data,CRYPTO_MD5); } - -static int do_digest(int ses,unsigned char *md,const void *data,int len) - { - struct crypt_op cryp; - static unsigned char md5zero[16]= - { - 0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04, - 0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e - }; - - /* some cards can't do zero length */ - if(!len) - { - memcpy(md,md5zero,16); - return 1; - } - - memset(&cryp,'\0',sizeof cryp); - cryp.ses=ses; - cryp.op=COP_ENCRYPT;/* required to do the MAC rather than check it */ - cryp.len=len; - cryp.src=(caddr_t)data; - cryp.dst=(caddr_t)data; /* FIXME!!! */ - cryp.mac=(caddr_t)md; - - if(ioctl(fd, CIOCCRYPT, &cryp) == -1) - { - if(errno == EINVAL && allow_misaligned) /* buffer is misaligned */ - { - char *dcopy; - - dcopy=OPENSSL_malloc(len); - memcpy(dcopy,data,len); - cryp.src=dcopy; - cryp.dst=cryp.src; /* FIXME!!! */ - - if(ioctl(fd, CIOCCRYPT, &cryp) == -1) - { - err("CIOCCRYPT(MAC2) failed"); - abort(); - return 0; - } - OPENSSL_free(dcopy); - } - else - { - err("CIOCCRYPT(MAC) failed"); - abort(); - return 0; - } - } - /* printf("done\n"); */ - - return 1; - } - -static int dev_crypto_md5_update(EVP_MD_CTX *ctx,const void *data, - unsigned long len) - { - MD_DATA *md_data=ctx->md_data; - - if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT) - return do_digest(md_data->sess.ses,md_data->md,data,len); - - md_data->data=OPENSSL_realloc(md_data->data,md_data->len+len); - memcpy(md_data->data+md_data->len,data,len); - md_data->len+=len; - - return 1; - } - -static int dev_crypto_md5_final(EVP_MD_CTX *ctx,unsigned char *md) - { - int ret; - MD_DATA *md_data=ctx->md_data; - - if(ctx->flags&EVP_MD_CTX_FLAG_ONESHOT) - { - memcpy(md,md_data->md,MD5_DIGEST_LENGTH); - ret=1; - } - else - { - ret=do_digest(md_data->sess.ses,md,md_data->data,md_data->len); - OPENSSL_free(md_data->data); - md_data->data=NULL; - md_data->len=0; - } - - return ret; - } - -static int dev_crypto_md5_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from) - { - const MD_DATA *from_md=from->md_data; - MD_DATA *to_md=to->md_data; - - /* How do we copy sessions? */ - assert(from->digest->flags&EVP_MD_FLAG_ONESHOT); - - to_md->data=OPENSSL_malloc(from_md->len); - memcpy(to_md->data,from_md->data,from_md->len); - - return 1; - } - -static int dev_crypto_md5_cleanup(EVP_MD_CTX *ctx) - { - return dev_crypto_cleanup_digest(ctx->md_data); - } - -/**************************************************************************/ -/* Here are the moved declarations of the EVP_CIPHER and EVP_MD */ -/* implementations. They're down here to be within easy editor-distance */ -/* of the digests and ciphers handler functions. */ - -#define dev_crypto_des_ede3_cbc_cipher dev_crypto_cipher - -BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, session_op, NID_des_ede3, 8, 24, 8, - 0, dev_crypto_des_ede3_init_key, - dev_crypto_cleanup, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - NULL) - -static const EVP_CIPHER r4_cipher= - { - NID_rc4, - 1,16,0, /* FIXME: key should be up to 256 bytes */ - EVP_CIPH_VARIABLE_LENGTH, - dev_crypto_rc4_init_key, - dev_crypto_cipher, - dev_crypto_cleanup, - sizeof(session_op), - NULL, - NULL, - NULL - }; - -static const EVP_MD md5_md= - { - NID_md5, - NID_md5WithRSAEncryption, - MD5_DIGEST_LENGTH, - EVP_MD_FLAG_ONESHOT, /* XXX: set according to device info... */ - dev_crypto_md5_init, - dev_crypto_md5_update, - dev_crypto_md5_final, - dev_crypto_md5_copy, - dev_crypto_md5_cleanup, - EVP_PKEY_RSA_method, - MD5_CBLOCK, - sizeof(MD_DATA), - }; - -/****************************************************************/ -/* Implement the dev_crypto_[ciphers|digests] handlers here ... */ - -static int cipher_nids[] = {NID_des_ede3_cbc, NID_rc4}; -static int cipher_nids_num = 2; -static int digest_nids[] = {NID_md5}; -static int digest_nids_num = 1; - -static int dev_crypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - const int **nids, int nid) - { - if(!cipher) - { - /* We are returning a list of supported nids */ - *nids = cipher_nids; - return cipher_nids_num; - } - /* We are being asked for a specific cipher */ - if(nid == NID_rc4) - *cipher = &r4_cipher; - else if(nid == NID_des_ede3_cbc) - *cipher = &dev_crypto_des_ede3_cbc; - else - { - *cipher = NULL; - return 0; - } - return 1; - } - -static int dev_crypto_digests(ENGINE *e, const EVP_MD **digest, - const int **nids, int nid) - { - if(!digest) - { - /* We are returning a list of supported nids */ - *nids = digest_nids; - return digest_nids_num; - } - /* We are being asked for a specific digest */ - if(nid == NID_md5) - *digest = &md5_md; - else - { - *digest = NULL; - return 0; - } - return 1; - } - -#endif /* OPENSSL_OPENBSD_DEV_CRYPTO */ From 230fd6b7b66f0b72b1cf7fc300652a1adf94ba1a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 3 Oct 2002 12:38:52 +0000 Subject: [PATCH 16/49] Preliminary streaming ASN1 encode support. --- CHANGES | 11 ++ crypto/asn1/asn1.h | 12 ++ crypto/asn1/asn1_lib.c | 17 ++- crypto/asn1/asn1t.h | 50 ++++++++- crypto/asn1/tasn_dec.c | 1 + crypto/asn1/tasn_enc.c | 239 +++++++++++++++++++++++++++++----------- crypto/asn1/tasn_fre.c | 1 + crypto/asn1/tasn_new.c | 2 + crypto/asn1/tasn_typ.c | 4 + crypto/asn1/tasn_utl.c | 3 +- crypto/pkcs7/pk7_asn1.c | 41 +++---- 11 files changed, 287 insertions(+), 94 deletions(-) diff --git a/CHANGES b/CHANGES index feba2200e..ef7d1b55d 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,17 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] + *) Extend ASN1 encoder to support indefinite length constructed + encoding. This can output sequences tags and octet strings in + this form. Modify pk7_asn1.c to support indefinite length + encoding. This is experimental and needs additional code to + be useful, such as an ASN1 bio and some enhanced streaming + PKCS#7 code. + + Extend template encode functionality so that tagging is passed + down to the template encoder. + [Steve Henson] + *) Let 'openssl req' fail if an argument to '-newkey' is not recognized instead of using RSA as a default. [Bodo Moeller] diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index 1be3e0229..e870948e8 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -192,6 +192,11 @@ typedef struct asn1_object_st } ASN1_OBJECT; #define ASN1_STRING_FLAG_BITS_LEFT 0x08 /* Set if 0x07 has bits left value */ +/* This indicates that the ASN1_STRING is not a real value but just a place + * holder for the location where indefinite length constructed data should + * be inserted in the memory buffer + */ +#define ASN1_STRING_FLAG_NDEF 0x010 /* This is the base type that holds just about everything :-) */ typedef struct asn1_string_st { @@ -280,6 +285,9 @@ typedef struct ASN1_VALUE_st ASN1_VALUE; int i2d_##name(const type *a, unsigned char **out); \ DECLARE_ASN1_ITEM(name) +#define DECLARE_ASN1_NDEF_FUNCTION(name) \ + int i2d_##name##_NDEF(name *a, unsigned char **out); + #define DECLARE_ASN1_FUNCTIONS_const(name) \ name *name##_new(void); \ void name##_free(name *a); @@ -793,6 +801,8 @@ DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) DECLARE_ASN1_FUNCTIONS(ASN1_TIME) +DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF) + ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t); int ASN1_TIME_check(ASN1_TIME *t); ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); @@ -849,6 +859,7 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int ASN1_check_infinite_end(unsigned char **p,long len); void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass); +int ASN1_put_eoc(unsigned char **pp); int ASN1_object_size(int constructed, int length, int tag); /* Used to implement other functions */ @@ -935,6 +946,7 @@ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, unsigned char **in, long len, const ASN1_ITEM *it); int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); +int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); void ASN1_add_oid_module(void); diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 0638870ab..3f7b3aad2 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -203,13 +203,22 @@ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, } p += ttag; } - if ((constructed == 2) && (length == 0)) - *(p++)=0x80; /* der_put_length would output 0 instead */ + if (constructed == 2) + *(p++)=0x80; else asn1_put_length(&p,length); *pp=p; } +int ASN1_put_eoc(unsigned char **pp) + { + unsigned char *p = *pp; + *p++ = 0; + *p++ = 0; + *pp = p; + return 2; + } + static void asn1_put_length(unsigned char **pp, int length) { unsigned char *p= *pp; @@ -247,8 +256,8 @@ int ASN1_object_size(int constructed, int length, int tag) ret++; } } - if ((length == 0) && (constructed == 2)) - ret+=2; + if (constructed == 2) + return ret + 3; ret++; if (length > 127) { diff --git a/crypto/asn1/asn1t.h b/crypto/asn1/asn1t.h index ed372f855..83e8213ea 100644 --- a/crypto/asn1/asn1t.h +++ b/crypto/asn1/asn1t.h @@ -166,6 +166,9 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +#define ASN1_NDEF_SEQUENCE(tname) \ + ASN1_SEQUENCE(tname) + #define ASN1_SEQUENCE_cb(tname, cb) \ const static ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \ ASN1_SEQUENCE(tname) @@ -182,6 +185,18 @@ extern "C" { const static ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \ ASN1_SEQUENCE(tname) +#define ASN1_NDEF_SEQUENCE_END(tname) \ + ;\ + ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(tname),\ + #tname \ + ASN1_ITEM_end(tname) + #define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname) #define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) @@ -353,6 +368,10 @@ extern "C" { #define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \ ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL) +/* EXPLICIT OPTIONAL using indefinite length constructed form */ +#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \ + ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF) + /* Macros for the ASN1_ADB structure */ #define ASN1_ADB(name) \ @@ -518,6 +537,13 @@ struct ASN1_ADB_TABLE_st { #define ASN1_TFLG_COMBINE (0x1<<10) +/* This flag when present in a SEQUENCE OF, SET OF + * or EXPLICIT causes indefinite length constructed + * encoding to be used if required. + */ + +#define ASN1_TFLG_NDEF (0x1<<11) + /* This is the actual ASN1 item itself */ struct ASN1_ITEM_st { @@ -570,19 +596,25 @@ const char *sname; /* Structure name */ * has a special meaning, it is used as a mask * of acceptable types using the B_ASN1 constants. * + * NDEF_SEQUENCE is the same as SEQUENCE except + * that it will use indefinite length constructed + * encoding if requested. + * */ -#define ASN1_ITYPE_PRIMITIVE 0x0 +#define ASN1_ITYPE_PRIMITIVE 0x0 -#define ASN1_ITYPE_SEQUENCE 0x1 +#define ASN1_ITYPE_SEQUENCE 0x1 -#define ASN1_ITYPE_CHOICE 0x2 +#define ASN1_ITYPE_CHOICE 0x2 -#define ASN1_ITYPE_COMPAT 0x3 +#define ASN1_ITYPE_COMPAT 0x3 -#define ASN1_ITYPE_EXTERN 0x4 +#define ASN1_ITYPE_EXTERN 0x4 -#define ASN1_ITYPE_MSTRING 0x5 +#define ASN1_ITYPE_MSTRING 0x5 + +#define ASN1_ITYPE_NDEF_SEQUENCE 0x6 /* Cache for ASN1 tag and length, so we * don't keep re-reading it for things @@ -767,6 +799,12 @@ typedef struct ASN1_AUX_st { return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\ } +#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \ + int i2d_##stname##_NDEF(stname *a, unsigned char **out) \ + { \ + return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\ + } + /* This includes evil casts to remove const: they will go away when full * ASN1 constification is done. */ diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index f87c08793..a9b1d9ef8 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -289,6 +289,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, unsigned char **in, long len, const ASN1 goto auxerr; return 1; + case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: p = *in; tmplen = len; diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index f6c8ddef0..33d6366e0 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -3,7 +3,7 @@ * project 2000. */ /* ==================================================================== - * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -63,38 +63,57 @@ #include #include -static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); -static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *seq, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int isset); +static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, + int tag, int aclass); +static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, + int skcontlen, const ASN1_ITEM *item, + int do_sort, int iclass); +static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, + const ASN1_TEMPLATE *tt, + int tag, int aclass); +static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, + const ASN1_ITEM *it, int flags); -/* Encode an ASN1 item, this is compatible with the +/* Top level i2d equivalents: the 'ndef' variant instructs the encoder + * to use indefinite length constructed encoding, where appropriate + */ + +int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) +{ + return asn1_item_flags_i2d(val, out, it, ASN1_TFLG_NDEF); +} + +int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) +{ + return asn1_item_flags_i2d(val, out, it, 0); +} + +/* Encode an ASN1 item, this is use by the * standard 'i2d' function. 'out' points to - * a buffer to output the data to, in future we will - * have more advanced versions that can output data - * a piece at a time and this will simply be a special - * case. + * a buffer to output the data to. * * The new i2d has one additional feature. If the output * buffer is NULL (i.e. *out == NULL) then a buffer is * allocated and populated with the encoding. */ - -int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) +static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it, int flags) { if(out && !*out) { unsigned char *p, *buf; int len; - len = ASN1_item_ex_i2d(&val, NULL, it, -1, 0); + len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags); if(len <= 0) return len; buf = OPENSSL_malloc(len); if(!buf) return -1; p = buf; - ASN1_item_ex_i2d(&val, &p, it, -1, 0); + ASN1_item_ex_i2d(&val, &p, it, -1, flags); *out = buf; return len; } - - return ASN1_item_ex_i2d(&val, out, it, -1, 0); + + return ASN1_item_ex_i2d(&val, out, it, -1, flags); } /* Encode an item, taking care of IMPLICIT tagging (if any). @@ -102,31 +121,34 @@ int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) * used in external types. */ -int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) +int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass) { const ASN1_TEMPLATE *tt = NULL; unsigned char *p = NULL; - int i, seqcontlen, seqlen; - ASN1_STRING *strtmp; + int i, seqcontlen, seqlen, ndef = 1; const ASN1_COMPAT_FUNCS *cf; const ASN1_EXTERN_FUNCS *ef; const ASN1_AUX *aux = it->funcs; - ASN1_aux_cb *asn1_cb; - if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) return 0; - if(aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; - else asn1_cb = 0; + ASN1_aux_cb *asn1_cb = 0; + + if((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) + return 0; + + if(aux && aux->asn1_cb) + asn1_cb = aux->asn1_cb; switch(it->itype) { case ASN1_ITYPE_PRIMITIVE: if(it->templates) - return ASN1_template_i2d(pval, out, it->templates); + return asn1_template_ex_i2d(pval, out, it->templates, + tag, aclass); return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); break; case ASN1_ITYPE_MSTRING: - strtmp = (ASN1_STRING *)*pval; - return asn1_i2d_ex_primitive(pval, out, it, -1, 0); + return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); case ASN1_ITYPE_CHOICE: if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it)) @@ -137,7 +159,8 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it const ASN1_TEMPLATE *chtt; chtt = it->templates + i; pchval = asn1_get_field_ptr(pval, chtt); - return ASN1_template_i2d(pchval, out, chtt); + return asn1_template_ex_i2d(pchval, out, chtt, + -1, aclass); } /* Fixme: error condition if selector out of range */ if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it)) @@ -161,6 +184,12 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it *p = aclass | tag | (*p & V_ASN1_CONSTRUCTED); return i; + case ASN1_ITYPE_NDEF_SEQUENCE: +//fprintf(stderr, "NDEF sequence from %s flags %d\n", it->sname, aclass & ASN1_TFLG_NDEF); + /* Use indefinite length constructed if requested */ + if (aclass & ASN1_TFLG_NDEF) ndef = 2; + /* fall through */ + case ASN1_ITYPE_SEQUENCE: i = asn1_enc_restore(&seqcontlen, out, pval, it); /* An error occurred */ @@ -172,7 +201,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if(tag == -1) { tag = V_ASN1_SEQUENCE; - aclass = V_ASN1_UNIVERSAL; + /* Retain any other flags in aclass */ + aclass = (aclass & ~ASN1_TFLG_TAG_CLASS) + | V_ASN1_UNIVERSAL; } if(asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it)) return 0; @@ -184,13 +215,13 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it if(!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); /* FIXME: check for errors in enhanced version */ - /* FIXME: special handling of indefinite length encoding */ - seqcontlen += ASN1_template_i2d(pseqval, NULL, seqtt); + seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt, + -1, aclass); } - seqlen = ASN1_object_size(1, seqcontlen, tag); + seqlen = ASN1_object_size(ndef, seqcontlen, tag); if(!out) return seqlen; /* Output SEQUENCE header */ - ASN1_put_object(out, 1, seqcontlen, tag, aclass); + ASN1_put_object(out, ndef, seqcontlen, tag, aclass); for(i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; @@ -198,8 +229,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it if(!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); /* FIXME: check for errors in enhanced version */ - ASN1_template_i2d(pseqval, out, seqtt); + asn1_template_ex_i2d(pseqval, out, seqtt, -1, aclass); } + if (ndef == 2) ASN1_put_eoc(out); if(asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it)) return 0; return seqlen; @@ -210,42 +242,91 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it return 0; } -int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt) +static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { - int i, ret, flags, aclass; + int i, ret, flags, ttag, tclass, ndef; flags = tt->flags; - aclass = flags & ASN1_TFLG_TAG_CLASS; + /* Work out tag and class to use: tagging may come + * either from the template or the arguments, not both + * because this would create ambiguity. Additionally + * the iclass argument may contain some additional flags + * which should be noted and passed down to other levels. + */ + if (flags & ASN1_TFLG_TAG_MASK) + { + /* Error if argument and template tagging */ + if (tag != -1) + /* FIXME: error code here */ + return -1; + /* Get tagging from template */ + ttag = tt->tag; + tclass = flags & ASN1_TFLG_TAG_CLASS; + } + else if (tag != -1) + { + /* No template tagging, get from arguments */ + ttag = tag; + tclass = iclass & ASN1_TFLG_TAG_CLASS; + } + else + { + ttag = -1; + tclass = 0; + } + /* + * Remove any class mask from iflag. + */ + iclass &= ~ASN1_TFLG_TAG_CLASS; + + /* At this point 'ttag' contains the outer tag to use, + * 'tclass' is the class and iclass is any flags passed + * to this function. + */ + + /* if template and arguments require ndef, use it */ + if ((flags & ASN1_TFLG_NDEF) && (iclass & ASN1_TFLG_NDEF)) + ndef = 2; + else ndef = 1; + if(flags & ASN1_TFLG_SK_MASK) { /* SET OF, SEQUENCE OF */ STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval; int isset, sktag, skaclass; int skcontlen, sklen; ASN1_VALUE *skitem; + if(!*pval) return 0; + if(flags & ASN1_TFLG_SET_OF) { isset = 1; /* 2 means we reorder */ if(flags & ASN1_TFLG_SEQUENCE_OF) isset = 2; } else isset = 0; - /* First work out inner tag value */ - if(flags & ASN1_TFLG_IMPTAG) { - sktag = tt->tag; - skaclass = aclass; + + /* Work out inner tag value: if EXPLICIT + * or no tagging use underlying type. + */ + if((ttag != -1) && !(flags & ASN1_TFLG_EXPTAG)) { + sktag = ttag; + skaclass = tclass; } else { skaclass = V_ASN1_UNIVERSAL; if(isset) sktag = V_ASN1_SET; else sktag = V_ASN1_SEQUENCE; } - /* Now work out length of items */ + + /* Determine total length of items */ skcontlen = 0; for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) { skitem = sk_ASN1_VALUE_value(sk, i); - skcontlen += ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0); + skcontlen += ASN1_item_ex_i2d(&skitem, NULL, + ASN1_ITEM_ptr(tt->item), + -1, iclass); } - sklen = ASN1_object_size(1, skcontlen, sktag); + sklen = ASN1_object_size(ndef, skcontlen, sktag); /* If EXPLICIT need length of surrounding tag */ if(flags & ASN1_TFLG_EXPTAG) - ret = ASN1_object_size(1, sklen, tt->tag); + ret = ASN1_object_size(ndef, sklen, ttag); else ret = sklen; if(!out) return ret; @@ -253,35 +334,43 @@ int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLAT /* Now encode this lot... */ /* EXPLICIT tag */ if(flags & ASN1_TFLG_EXPTAG) - ASN1_put_object(out, 1, sklen, tt->tag, aclass); + ASN1_put_object(out, ndef, sklen, ttag, tclass); /* SET or SEQUENCE and IMPLICIT tag */ - ASN1_put_object(out, 1, skcontlen, sktag, skaclass); - /* And finally the stuff itself */ - asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset); + ASN1_put_object(out, ndef, skcontlen, sktag, skaclass); + /* And the stuff itself */ + asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), + isset, iclass); + if (ndef == 2) { + ASN1_put_eoc(out); + if(flags & ASN1_TFLG_EXPTAG) + ASN1_put_eoc(out); + } return ret; } - + if(flags & ASN1_TFLG_EXPTAG) { /* EXPLICIT tagging */ /* Find length of tagged item */ - i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0); + i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), + -1, iclass); if(!i) return 0; /* Find length of EXPLICIT tag */ - ret = ASN1_object_size(1, i, tt->tag); + ret = ASN1_object_size(ndef, i, ttag); if(out) { /* Output tag and item */ - ASN1_put_object(out, 1, i, tt->tag, aclass); - ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0); + ASN1_put_object(out, ndef, i, ttag, tclass); + ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), + -1, iclass); + if (ndef == 2) ASN1_put_eoc(out); } return ret; } - if(flags & ASN1_TFLG_IMPTAG) { - /* IMPLICIT tagging */ - return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), tt->tag, aclass); - } - /* Nothing special: treat as normal */ - return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0); + + /* Either normal or IMPLICIT tagging: combine class and flags */ + return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), + ttag, tclass | iclass); + } /* Temporary structure used to hold DER encoding of items for SET OF */ @@ -304,7 +393,9 @@ static int der_cmp(const void *a, const void *b) /* Output the content octets of SET OF or SEQUENCE OF */ -static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort) +static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, + int skcontlen, const ASN1_ITEM *item, + int do_sort, int iclass) { int i; ASN1_VALUE *skitem; @@ -323,7 +414,7 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int s if(!do_sort) { for(i = 0; i < sk_ASN1_VALUE_num(sk); i++) { skitem = sk_ASN1_VALUE_value(sk, i); - ASN1_item_i2d(skitem, out, item); + ASN1_item_ex_i2d(&skitem, out, item, -1, iclass); } return 1; } @@ -332,7 +423,7 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int s for(i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) { skitem = sk_ASN1_VALUE_value(sk, i); tder->data = p; - tder->length = ASN1_item_i2d(skitem, &p, item); + tder->length = ASN1_item_ex_i2d(&skitem, &p, item, -1, iclass); tder->field = skitem; } /* Now sort them */ @@ -359,6 +450,7 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const A int len; int utype; int usetag; + int ndef = 0; utype = it->utype; @@ -381,19 +473,27 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const A /* -1 means omit type */ - if(len == -1) return 0; + if(len == -1) + return 0; + + /* -2 return is special meaning use ndef */ + if (len == -2) + { + ndef = 2; + len = 0; + } /* If not implicitly tagged get tag from underlying type */ if(tag == -1) tag = utype; /* Output tag+length followed by content octets */ if(out) { - if(usetag) ASN1_put_object(out, 0, len, tag, aclass); + if(usetag) ASN1_put_object(out, ndef, len, tag, aclass); asn1_ex_i2c(pval, *out, &utype, it); *out += len; } - if(usetag) return ASN1_object_size(0, len, tag); + if(usetag) return ASN1_object_size(ndef, len, tag); return len; } @@ -486,6 +586,19 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_ default: /* All based on ASN1_STRING and handled the same */ strtmp = (ASN1_STRING *)*pval; + /* Special handling for NDEF */ + if ((it->size == ASN1_TFLG_NDEF) + && (strtmp->flags & ASN1_STRING_FLAG_NDEF)) + { + if (cout) + { + strtmp->data = cout; + strtmp->length = 0; + ASN1_put_eoc(&cout); + } + /* Special return code */ + return -2; + } cont = strtmp->data; len = strtmp->length; diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c index c7610776f..910f9b4f2 100644 --- a/crypto/asn1/tasn_fre.c +++ b/crypto/asn1/tasn_fre.c @@ -130,6 +130,7 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c if(ef && ef->asn1_ex_free) ef->asn1_ex_free(pval, it); break; + case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: if(asn1_do_lock(pval, -1, it) > 0) return; if(asn1_cb) { diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index e33861f86..11a90f739 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -155,6 +155,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int goto auxerr; break; + case ASN1_ITYPE_NDEF_SEQUENCE: case ASN1_ITYPE_SEQUENCE: if(asn1_cb) { i = asn1_cb(ASN1_OP_NEW_PRE, pval, it); @@ -231,6 +232,7 @@ static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) case ASN1_ITYPE_COMPAT: case ASN1_ITYPE_CHOICE: case ASN1_ITYPE_SEQUENCE: + case ASN1_ITYPE_NDEF_SEQUENCE: *pval = NULL; break; } diff --git a/crypto/asn1/tasn_typ.c b/crypto/asn1/tasn_typ.c index 804d2eeba..6f17f1bec 100644 --- a/crypto/asn1/tasn_typ.c +++ b/crypto/asn1/tasn_typ.c @@ -131,3 +131,7 @@ IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING) IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1) IMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, 1) IMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, 0) + +/* Special, OCTET STRING with indefinite length constructed support */ + +IMPLEMENT_ASN1_TYPE_ex(ASN1_OCTET_STRING_NDEF, ASN1_OCTET_STRING, ASN1_TFLG_NDEF) diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index 8996ce8c1..2a3f5db8f 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -102,7 +102,8 @@ int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) { const ASN1_AUX *aux; int *lck, ret; - if(it->itype != ASN1_ITYPE_SEQUENCE) return 0; + if((it->itype != ASN1_ITYPE_SEQUENCE) + && (it->itype != ASN1_ITYPE_NDEF_SEQUENCE)) return 0; aux = it->funcs; if(!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) return 0; lck = offset2ptr(*pval, aux->ref_offset); diff --git a/crypto/pkcs7/pk7_asn1.c b/crypto/pkcs7/pk7_asn1.c index 46f0fc937..77931feeb 100644 --- a/crypto/pkcs7/pk7_asn1.c +++ b/crypto/pkcs7/pk7_asn1.c @@ -69,30 +69,31 @@ ASN1_ADB_TEMPLATE(p7default) = ASN1_EXP_OPT(PKCS7, d.other, ASN1_ANY, 0); ASN1_ADB(PKCS7) = { - ADB_ENTRY(NID_pkcs7_data, ASN1_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING, 0)), - ADB_ENTRY(NID_pkcs7_signed, ASN1_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)), - ADB_ENTRY(NID_pkcs7_enveloped, ASN1_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)), - ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)), - ADB_ENTRY(NID_pkcs7_digest, ASN1_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)), - ADB_ENTRY(NID_pkcs7_encrypted, ASN1_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0)) + ADB_ENTRY(NID_pkcs7_data, ASN1_NDEF_EXP_OPT(PKCS7, d.data, ASN1_OCTET_STRING_NDEF, 0)), + ADB_ENTRY(NID_pkcs7_signed, ASN1_NDEF_EXP_OPT(PKCS7, d.sign, PKCS7_SIGNED, 0)), + ADB_ENTRY(NID_pkcs7_enveloped, ASN1_NDEF_EXP_OPT(PKCS7, d.enveloped, PKCS7_ENVELOPE, 0)), + ADB_ENTRY(NID_pkcs7_signedAndEnveloped, ASN1_NDEF_EXP_OPT(PKCS7, d.signed_and_enveloped, PKCS7_SIGN_ENVELOPE, 0)), + ADB_ENTRY(NID_pkcs7_digest, ASN1_NDEF_EXP_OPT(PKCS7, d.digest, PKCS7_DIGEST, 0)), + ADB_ENTRY(NID_pkcs7_encrypted, ASN1_NDEF_EXP_OPT(PKCS7, d.encrypted, PKCS7_ENCRYPT, 0)) } ASN1_ADB_END(PKCS7, 0, type, 0, &p7default_tt, NULL); -ASN1_SEQUENCE(PKCS7) = { +ASN1_NDEF_SEQUENCE(PKCS7) = { ASN1_SIMPLE(PKCS7, type, ASN1_OBJECT), ASN1_ADB_OBJECT(PKCS7) -}ASN1_SEQUENCE_END(PKCS7) +}ASN1_NDEF_SEQUENCE_END(PKCS7) IMPLEMENT_ASN1_FUNCTIONS(PKCS7) +IMPLEMENT_ASN1_NDEF_FUNCTION(PKCS7) IMPLEMENT_ASN1_DUP_FUNCTION(PKCS7) -ASN1_SEQUENCE(PKCS7_SIGNED) = { +ASN1_NDEF_SEQUENCE(PKCS7_SIGNED) = { ASN1_SIMPLE(PKCS7_SIGNED, version, ASN1_INTEGER), ASN1_SET_OF(PKCS7_SIGNED, md_algs, X509_ALGOR), ASN1_SIMPLE(PKCS7_SIGNED, contents, PKCS7), ASN1_IMP_SEQUENCE_OF_OPT(PKCS7_SIGNED, cert, X509, 0), ASN1_IMP_SET_OF_OPT(PKCS7_SIGNED, crl, X509_CRL, 1), ASN1_SET_OF(PKCS7_SIGNED, signer_info, PKCS7_SIGNER_INFO) -} ASN1_SEQUENCE_END(PKCS7_SIGNED) +} ASN1_NDEF_SEQUENCE_END(PKCS7_SIGNED) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGNED) @@ -130,11 +131,11 @@ ASN1_SEQUENCE(PKCS7_ISSUER_AND_SERIAL) = { IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL) -ASN1_SEQUENCE(PKCS7_ENVELOPE) = { +ASN1_NDEF_SEQUENCE(PKCS7_ENVELOPE) = { ASN1_SIMPLE(PKCS7_ENVELOPE, version, ASN1_INTEGER), ASN1_SET_OF(PKCS7_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO), ASN1_SIMPLE(PKCS7_ENVELOPE, enc_data, PKCS7_ENC_CONTENT) -} ASN1_SEQUENCE_END(PKCS7_ENVELOPE) +} ASN1_NDEF_SEQUENCE_END(PKCS7_ENVELOPE) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENVELOPE) @@ -157,15 +158,15 @@ ASN1_SEQUENCE_cb(PKCS7_RECIP_INFO, ri_cb) = { IMPLEMENT_ASN1_FUNCTIONS(PKCS7_RECIP_INFO) -ASN1_SEQUENCE(PKCS7_ENC_CONTENT) = { +ASN1_NDEF_SEQUENCE(PKCS7_ENC_CONTENT) = { ASN1_SIMPLE(PKCS7_ENC_CONTENT, content_type, ASN1_OBJECT), ASN1_SIMPLE(PKCS7_ENC_CONTENT, algorithm, X509_ALGOR), ASN1_IMP_OPT(PKCS7_ENC_CONTENT, enc_data, ASN1_OCTET_STRING, 0) -} ASN1_SEQUENCE_END(PKCS7_ENC_CONTENT) +} ASN1_NDEF_SEQUENCE_END(PKCS7_ENC_CONTENT) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT) -ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = { +ASN1_NDEF_SEQUENCE(PKCS7_SIGN_ENVELOPE) = { ASN1_SIMPLE(PKCS7_SIGN_ENVELOPE, version, ASN1_INTEGER), ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, recipientinfo, PKCS7_RECIP_INFO), ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, md_algs, X509_ALGOR), @@ -173,23 +174,23 @@ ASN1_SEQUENCE(PKCS7_SIGN_ENVELOPE) = { ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, cert, X509, 0), ASN1_IMP_SET_OF_OPT(PKCS7_SIGN_ENVELOPE, crl, X509_CRL, 1), ASN1_SET_OF(PKCS7_SIGN_ENVELOPE, signer_info, PKCS7_SIGNER_INFO) -} ASN1_SEQUENCE_END(PKCS7_SIGN_ENVELOPE) +} ASN1_NDEF_SEQUENCE_END(PKCS7_SIGN_ENVELOPE) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE) -ASN1_SEQUENCE(PKCS7_ENCRYPT) = { +ASN1_NDEF_SEQUENCE(PKCS7_ENCRYPT) = { ASN1_SIMPLE(PKCS7_ENCRYPT, version, ASN1_INTEGER), ASN1_SIMPLE(PKCS7_ENCRYPT, enc_data, PKCS7_ENC_CONTENT) -} ASN1_SEQUENCE_END(PKCS7_ENCRYPT) +} ASN1_NDEF_SEQUENCE_END(PKCS7_ENCRYPT) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_ENCRYPT) -ASN1_SEQUENCE(PKCS7_DIGEST) = { +ASN1_NDEF_SEQUENCE(PKCS7_DIGEST) = { ASN1_SIMPLE(PKCS7_DIGEST, version, ASN1_INTEGER), ASN1_SIMPLE(PKCS7_DIGEST, md, X509_ALGOR), ASN1_SIMPLE(PKCS7_DIGEST, contents, PKCS7), ASN1_SIMPLE(PKCS7_DIGEST, digest, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(PKCS7_DIGEST) +} ASN1_NDEF_SEQUENCE_END(PKCS7_DIGEST) IMPLEMENT_ASN1_FUNCTIONS(PKCS7_DIGEST) From 9a48b07ee40b9d4f0f00f0a0822b1296fefb10eb Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 3 Oct 2002 23:53:52 +0000 Subject: [PATCH 17/49] Various enhancements to PKCS#12 code, new medium level API, improved PKCS12_create and additional functionality in pkcs12 utility. --- CHANGES | 16 ++ apps/pkcs12.c | 249 +++++++++++++----------------- crypto/asn1/x_x509a.c | 23 +++ crypto/pkcs12/p12_crt.c | 328 ++++++++++++++++++++++++++++++---------- crypto/pkcs12/pkcs12.h | 9 ++ crypto/x509/x509.h | 1 + 6 files changed, 401 insertions(+), 225 deletions(-) diff --git a/CHANGES b/CHANGES index ef7d1b55d..54fb8daec 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,22 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] + *) Add new 'medium level' PKCS#12 API. Certificates and keys + can be added using this API to created arbitrary PKCS#12 + files while avoiding the low level API. + + New options to PKCS12_create(), key or cert can be NULL and + will then be omitted from the output file. The encryption + algorithm NIDs can be set to -1 for no encryption, the mac + iteration count can be set to 0 to omit the mac. + + Enhance pkcs12 utility by making the -nokeys and -nocerts + options work when creating a PKCS#12 file. New option -nomac + to omit the mac, NONE can be set for an encryption algorithm. + New code is modified to use the enhanced PKCS12_create() + instead of the low level API. + [Steve Henson] + *) Extend ASN1 encoder to support indefinite length constructed encoding. This can output sequences tags and octet strings in this form. Modify pk7_asn1.c to support indefinite length diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 1697f6157..0d7bf3e6a 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -2,10 +2,10 @@ #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1) /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -164,10 +164,14 @@ int MAIN(int argc, char **argv) maciter = PKCS12_DEFAULT_ITER; else if (!strcmp (*args, "-nomaciter")) maciter = 1; + else if (!strcmp (*args, "-nomac")) + maciter = -1; else if (!strcmp (*args, "-nodes")) enc=NULL; else if (!strcmp (*args, "-certpbe")) { if (args[1]) { args++; + if (!strcmp(*args, "NONE")) + cert_pbe = -1; cert_pbe=OBJ_txt2nid(*args); if(cert_pbe == NID_undef) { BIO_printf(bio_err, @@ -178,7 +182,10 @@ int MAIN(int argc, char **argv) } else if (!strcmp (*args, "-keypbe")) { if (args[1]) { args++; - key_pbe=OBJ_txt2nid(*args); + if (!strcmp(*args, "NONE")) + key_pbe = -1; + else + key_pbe=OBJ_txt2nid(*args); if(key_pbe == NID_undef) { BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); @@ -357,24 +364,6 @@ int MAIN(int argc, char **argv) goto end; } -#if 0 - if (certfile) { - if(!(certsin = BIO_new_file(certfile, "r"))) { - BIO_printf(bio_err, "Can't open certificate file %s\n", certfile); - perror (certfile); - goto end; - } - } - - if (keyname) { - if(!(inkey = BIO_new_file(keyname, "r"))) { - BIO_printf(bio_err, "Can't key certificate file %s\n", keyname); - perror (keyname); - goto end; - } - } -#endif - #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("write files"); @@ -411,27 +400,31 @@ int MAIN(int argc, char **argv) if (export_cert) { EVP_PKEY *key = NULL; - STACK_OF(PKCS12_SAFEBAG) *bags = NULL; - STACK_OF(PKCS7) *safes = NULL; - PKCS12_SAFEBAG *bag = NULL; - PKCS8_PRIV_KEY_INFO *p8 = NULL; - PKCS7 *authsafe = NULL; - X509 *ucert = NULL; + X509 *ucert = NULL, *x = NULL; STACK_OF(X509) *certs=NULL; - char *catmp = NULL; + unsigned char *catmp = NULL; int i; - unsigned char keyid[EVP_MAX_MD_SIZE]; - unsigned int keyidlen = 0; + + if ((options & (NOCERTS|NOKEYS)) == (NOCERTS|NOKEYS)) + { + BIO_printf(bio_err, "Nothing to do!\n"); + goto export_end; + } + + if (options & NOCERTS) + chain = 0; #ifdef CRYPTO_MDEBUG CRYPTO_push_info("process -export_cert"); CRYPTO_push_info("reading private key"); #endif - key = load_key(bio_err, keyname ? keyname : infile, FORMAT_PEM, 1, - passin, e, "private key"); - if (!key) { - goto export_end; - } + if (!(options & NOKEYS)) + { + key = load_key(bio_err, keyname ? keyname : infile, + FORMAT_PEM, 1, passin, e, "private key"); + if (!key) + goto export_end; + } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); @@ -439,50 +432,62 @@ int MAIN(int argc, char **argv) #endif /* Load in all certs in input file */ - if(!(certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, - "certificates"))) { - goto export_end; - } + if(!(options & NOCERTS)) + { + certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, + "certificates"); + if (!certs) + goto export_end; + + if (key) + { + /* Look for matching private key */ + for(i = 0; i < sk_X509_num(certs); i++) + { + x = sk_X509_value(certs, i); + if(X509_check_private_key(x, key)) + { + ucert = x; + /* Zero keyid and alias */ + X509_keyid_set1(ucert, NULL, 0); + X509_alias_set1(ucert, NULL, 0); + /* Remove from list */ + sk_X509_delete(certs, i); + break; + } + } + if (!ucert) + { + BIO_printf(bio_err, "No certificate matches private key\n"); + goto export_end; + } + } + + } #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from input 2"); #endif - for(i = 0; i < sk_X509_num(certs); i++) { - ucert = sk_X509_value(certs, i); - if(X509_check_private_key(ucert, key)) { - X509_digest(ucert, EVP_sha1(), keyid, &keyidlen); - break; - } - } - if(!keyidlen) { - ucert = NULL; - BIO_printf(bio_err, "No certificate matches private key\n"); - goto export_end; - } - + /* Add any more certificates asked for */ + if(certfile) + { + STACK_OF(X509) *morecerts=NULL; + if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, + NULL, e, + "certificates from certfile"))) + goto export_end; + while(sk_X509_num(morecerts) > 0) + sk_X509_push(certs, sk_X509_shift(morecerts)); + sk_X509_free(morecerts); + } + #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("reading certs from certfile"); #endif - bags = sk_PKCS12_SAFEBAG_new_null (); - - /* Add any more certificates asked for */ - if (certfile) { - STACK_OF(X509) *morecerts=NULL; - if(!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, - NULL, e, - "certificates from certfile"))) { - goto export_end; - } - while(sk_X509_num(morecerts) > 0) { - sk_X509_push(certs, sk_X509_shift(morecerts)); - } - sk_X509_free(morecerts); - } - #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("building chain"); @@ -518,100 +523,51 @@ int MAIN(int argc, char **argv) } } -#ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("building bags"); -#endif + /* Add any CA names */ - /* We now have loads of certificates: include them all */ - for(i = 0; i < sk_X509_num(certs); i++) { - X509 *cert = NULL; - cert = sk_X509_value(certs, i); - bag = PKCS12_x5092certbag(cert); - /* If it matches private key set id */ - if(cert == ucert) { - if(name) PKCS12_add_friendlyname(bag, name, -1); - PKCS12_add_localkeyid(bag, keyid, keyidlen); - } else if((catmp = sk_shift(canames))) - PKCS12_add_friendlyname(bag, catmp, -1); - sk_PKCS12_SAFEBAG_push(bags, bag); - } - sk_X509_pop_free(certs, X509_free); - certs = NULL; + for (i = 0; i < sk_num(canames); i++) + { + catmp = (unsigned char *)sk_value(canames, i); + X509_alias_set1(sk_X509_value(certs, i), catmp, -1); + } + #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); - CRYPTO_push_info("encrypting bags"); + CRYPTO_push_info("reading password"); #endif if(!noprompt && - EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) { - BIO_printf (bio_err, "Can't read Password\n"); - goto export_end; - } + EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) + { + BIO_printf (bio_err, "Can't read Password\n"); + goto export_end; + } if (!twopass) strcpy(macpass, pass); - /* Turn certbags into encrypted authsafe */ - authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0, - iter, bags); - sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - bags = NULL; - if (!authsafe) { - ERR_print_errors (bio_err); +#ifdef CRYPTO_MDEBUG + CRYPTO_pop_info(); + CRYPTO_push_info("creating PKCS#12 structure"); +#endif + + p12 = PKCS12_create(pass, name, key, ucert, certs, + key_pbe, cert_pbe, iter, -1, keytype); + + if (!p12) + { + ERR_print_errors (bio_err); goto export_end; - } + } - safes = sk_PKCS7_new_null (); - sk_PKCS7_push (safes, authsafe); - -#ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("building shrouded key bag"); -#endif - - /* Make a shrouded key bag */ - p8 = EVP_PKEY2PKCS8 (key); - if(keytype) PKCS8_add_keyusage(p8, keytype); - bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8); - PKCS8_PRIV_KEY_INFO_free(p8); - p8 = NULL; - if (name) PKCS12_add_friendlyname (bag, name, -1); - if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1); - PKCS12_add_localkeyid (bag, keyid, keyidlen); - bags = sk_PKCS12_SAFEBAG_new_null(); - sk_PKCS12_SAFEBAG_push (bags, bag); - -#ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("encrypting shrouded key bag"); -#endif - - /* Turn it into unencrypted safe bag */ - authsafe = PKCS12_pack_p7data (bags); - sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - bags = NULL; - sk_PKCS7_push (safes, authsafe); - -#ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("building pkcs12"); -#endif - - p12 = PKCS12_init(NID_pkcs7_data); - - PKCS12_pack_authsafes(p12, safes); - - sk_PKCS7_pop_free(safes, PKCS7_free); - safes = NULL; - - PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL); + if (maciter != -1) + PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, NULL); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); CRYPTO_push_info("writing pkcs12"); #endif - i2d_PKCS12_bio (out, p12); + i2d_PKCS12_bio(out, p12); ret = 0; @@ -624,8 +580,7 @@ int MAIN(int argc, char **argv) if (key) EVP_PKEY_free(key); if (certs) sk_X509_pop_free(certs, X509_free); - if (safes) sk_PKCS7_pop_free(safes, PKCS7_free); - if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + if (ucert) X509_free(ucert); #ifdef CRYPTO_MDEBUG CRYPTO_pop_info(); diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index f244768b7..0c9aa4fd0 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -91,6 +91,14 @@ static X509_CERT_AUX *aux_get(X509 *x) int X509_alias_set1(X509 *x, unsigned char *name, int len) { X509_CERT_AUX *aux; + if (!name) + { + if (!x || !x->aux || !x->aux->alias) + return 1; + ASN1_UTF8STRING_free(x->aux->alias); + x->aux->alias = NULL; + return 1; + } if(!(aux = aux_get(x))) return 0; if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0; return ASN1_STRING_set(aux->alias, name, len); @@ -99,6 +107,14 @@ int X509_alias_set1(X509 *x, unsigned char *name, int len) int X509_keyid_set1(X509 *x, unsigned char *id, int len) { X509_CERT_AUX *aux; + if (!id) + { + if (!x || !x->aux || !x->aux->keyid) + return 1; + ASN1_OCTET_STRING_free(x->aux->keyid); + x->aux->keyid = NULL; + return 1; + } if(!(aux = aux_get(x))) return 0; if(!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new())) return 0; return ASN1_STRING_set(aux->keyid, id, len); @@ -111,6 +127,13 @@ unsigned char *X509_alias_get0(X509 *x, int *len) return x->aux->alias->data; } +unsigned char *X509_keyid_get0(X509 *x, int *len) +{ + if(!x->aux || !x->aux->keyid) return NULL; + if(len) *len = x->aux->keyid->length; + return x->aux->keyid->data; +} + int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) { X509_CERT_AUX *aux; diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 4c36c643c..77b5845ea 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,9 +1,9 @@ /* p12_crt.c */ /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL - * project 1999. + * project. */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -60,105 +60,277 @@ #include "cryptlib.h" #include + +static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); + PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype) { - PKCS12 *p12; - STACK_OF(PKCS12_SAFEBAG) *bags; - STACK_OF(PKCS7) *safes; - PKCS12_SAFEBAG *bag; - PKCS8_PRIV_KEY_INFO *p8; - PKCS7 *authsafe; - X509 *tcert; + PKCS12 *p12 = NULL; + STACK_OF(PKCS7) *safes = NULL; + STACK_OF(PKCS12_SAFEBAG) *bags = NULL; + PKCS12_SAFEBAG *bag = NULL; int i; unsigned char keyid[EVP_MAX_MD_SIZE]; - unsigned int keyidlen; + unsigned int keyidlen = 0; /* Set defaults */ - if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; - if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - if(!iter) iter = PKCS12_DEFAULT_ITER; - if(!mac_iter) mac_iter = 1; + if (!nid_cert) + nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; + if (!nid_key) + nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + if (!iter) + iter = PKCS12_DEFAULT_ITER; + if (!mac_iter) + mac_iter = 1; - if(!pkey || !cert) { + if(!pkey && !cert && !ca) + { PKCS12err(PKCS12_F_PKCS12_CREATE,PKCS12_R_INVALID_NULL_ARGUMENT); return NULL; - } - - if(!X509_check_private_key(cert, pkey)) return NULL; - - if(!(bags = sk_PKCS12_SAFEBAG_new_null ())) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } - - /* Add user certificate */ - if(!(bag = PKCS12_x5092certbag(cert))) return NULL; - if(name && !PKCS12_add_friendlyname(bag, name, -1)) return NULL; - X509_digest(cert, EVP_sha1(), keyid, &keyidlen); - if(!PKCS12_add_localkeyid(bag, keyid, keyidlen)) return NULL; - - if(!sk_PKCS12_SAFEBAG_push(bags, bag)) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } - - /* Add all other certificates */ - if(ca) { - for(i = 0; i < sk_X509_num(ca); i++) { - tcert = sk_X509_value(ca, i); - if(!(bag = PKCS12_x5092certbag(tcert))) return NULL; - if(!sk_PKCS12_SAFEBAG_push(bags, bag)) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } } - } - /* Turn certbags into encrypted authsafe */ - authsafe = PKCS12_pack_p7encdata (nid_cert, pass, -1, NULL, 0, - iter, bags); + if (pkey && cert) + { + if(!X509_check_private_key(cert, pkey)) + return NULL; + X509_digest(cert, EVP_sha1(), keyid, &keyidlen); + } + + if (cert) + { + bag = PKCS12_add_cert(&bags, cert); + if(name && !PKCS12_add_friendlyname(bag, name, -1)) + goto err; + if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + goto err; + } + + /* Add all other certificates */ + for(i = 0; i < sk_X509_num(ca); i++) + { + if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i))) + goto err; + } + + if (bags && !PKCS12_add_safe(&safes, bags, nid_cert, iter, pass)) + goto err; + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + bags = NULL; - if (!authsafe) return NULL; + if (pkey) + { + bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass); + if (!bag) + goto err; + if(name && !PKCS12_add_friendlyname(bag, name, -1)) + goto err; + if(keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + goto err; + } - if(!(safes = sk_PKCS7_new_null ()) - || !sk_PKCS7_push(safes, authsafe)) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } + if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL)) + goto err; - /* Make a shrouded key bag */ - if(!(p8 = EVP_PKEY2PKCS8 (pkey))) return NULL; - if(keytype && !PKCS8_add_keyusage(p8, keytype)) return NULL; - bag = PKCS12_MAKE_SHKEYBAG (nid_key, pass, -1, NULL, 0, iter, p8); - if(!bag) return NULL; - PKCS8_PRIV_KEY_INFO_free(p8); - if (name && !PKCS12_add_friendlyname (bag, name, -1)) return NULL; - if(!PKCS12_add_localkeyid (bag, keyid, keyidlen)) return NULL; - if(!(bags = sk_PKCS12_SAFEBAG_new_null()) - || !sk_PKCS12_SAFEBAG_push (bags, bag)) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } - /* Turn it into unencrypted safe bag */ - if(!(authsafe = PKCS12_pack_p7data (bags))) return NULL; sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); - if(!sk_PKCS7_push(safes, authsafe)) { - PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE); - return NULL; - } + bags = NULL; - if(!(p12 = PKCS12_init (NID_pkcs7_data))) return NULL; - - if(!PKCS12_pack_authsafes (p12, safes)) return NULL; + p12 = PKCS12_add_safes(safes, 0); sk_PKCS7_pop_free(safes, PKCS7_free); - if(!PKCS12_set_mac (p12, pass, -1, NULL, 0, mac_iter, NULL)) - return NULL; + safes = NULL; + + if ((mac_iter != -1) && + !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL)) + goto err; return p12; + err: + + if (p12) + PKCS12_free(p12); + if (safes) + sk_PKCS7_pop_free(safes, PKCS7_free); + if (bags) + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + return NULL; + } + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) + { + PKCS12_SAFEBAG *bag = NULL; + char *name; + int namelen = -1; + unsigned char *keyid; + int keyidlen = -1; + + /* Add user certificate */ + if(!(bag = PKCS12_x5092certbag(cert))) + goto err; + + /* Use friendlyName and localKeyID in certificate. + * (if present) + */ + + name = (char *)X509_alias_get0(cert, &namelen); + + if(name && !PKCS12_add_friendlyname(bag, name, namelen)) + goto err; + + keyid = X509_keyid_get0(cert, &keyidlen); + + if(keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen)) + goto err; + + if (!pkcs12_add_bag(pbags, bag)) + goto err; + + return bag; + + err: + + if (bag) + PKCS12_SAFEBAG_free(bag); + + return NULL; + + } + +PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, + int key_usage, int iter, + int nid_key, char *pass) + { + + PKCS12_SAFEBAG *bag = NULL; + PKCS8_PRIV_KEY_INFO *p8 = NULL; + + /* Make a PKCS#8 structure */ + if(!(p8 = EVP_PKEY2PKCS8(key))) + goto err; + if(key_usage && !PKCS8_add_keyusage(p8, key_usage)) + goto err; + if (nid_key != -1) + { + bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, iter, p8); + PKCS8_PRIV_KEY_INFO_free(p8); + } + else + bag = PKCS12_MAKE_KEYBAG(p8); + + if(!bag) + goto err; + + if (!pkcs12_add_bag(pbags, bag)) + goto err; + + return bag; + + err: + + if (bag) + PKCS12_SAFEBAG_free(bag); + + return NULL; + + } + +int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, + int nid_safe, int iter, char *pass) + { + PKCS7 *p7 = NULL; + int free_safes = 0; + + if (!*psafes) + { + *psafes = sk_PKCS7_new_null(); + if (!*psafes) + return 0; + free_safes = 1; + } + else + free_safes = 0; + + if (nid_safe == 0) + nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC; + + if (nid_safe == -1) + p7 = PKCS12_pack_p7data(bags); + else + p7 = PKCS12_pack_p7encdata(nid_safe, pass, -1, NULL, 0, + iter, bags); + if (!p7) + goto err; + + if (!sk_PKCS7_push(*psafes, p7)) + goto err; + + return 1; + + err: + if (free_safes) + { + sk_PKCS7_free(*psafes); + *psafes = NULL; + } + + if (p7) + PKCS7_free(p7); + + return 0; + + } + +static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag) + { + int free_bags; + if (!pbags) + return 1; + if (!*pbags) + { + *pbags = sk_PKCS12_SAFEBAG_new_null(); + if (!*pbags) + return 0; + free_bags = 1; + } + else + free_bags = 0; + + if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) + { + if (free_bags) + { + sk_PKCS12_SAFEBAG_free(*pbags); + *pbags = NULL; + } + return 0; + } + + return 1; + + } + + +PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7) + { + PKCS12 *p12; + if (nid_p7 <= 0) + nid_p7 = NID_pkcs7_data; + p12 = PKCS12_init(nid_p7); + + if (!p12) + return NULL; + + if(!PKCS12_pack_authsafes(p12, safes)) + { + PKCS12_free(p12); + return NULL; + } + + return p12; + + } diff --git a/crypto/pkcs12/pkcs12.h b/crypto/pkcs12/pkcs12.h index dd338f266..5c8b49281 100644 --- a/crypto/pkcs12/pkcs12.h +++ b/crypto/pkcs12/pkcs12.h @@ -249,6 +249,15 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype); + +PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); +PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, + int key_usage, int iter, + int key_nid, char *pass); +int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, + int safe_nid, int iter, char *pass); +PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); + int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12); PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index 96d3b6988..7a2c8db1b 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -929,6 +929,7 @@ X509 * d2i_X509_AUX(X509 **a,unsigned char **pp,long length); int X509_alias_set1(X509 *x, unsigned char *name, int len); int X509_keyid_set1(X509 *x, unsigned char *id, int len); unsigned char * X509_alias_get0(X509 *x, int *len); +unsigned char * X509_keyid_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); int X509_TRUST_set(int *t, int trust); int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); From 2c696b2ddc2492319897c662f0c60d6ad8ee9658 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2002 12:58:44 +0000 Subject: [PATCH 18/49] Add a small note saying the 'debug' option should come before the platform in the arguments to mk1mf.pl. PR: 298 --- INSTALL.W32 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/INSTALL.W32 b/INSTALL.W32 index 3de6544fc..8b22d9d05 100644 --- a/INSTALL.W32 +++ b/INSTALL.W32 @@ -82,7 +82,8 @@ There are various changes you can make to the Win32 compile environment. By default the library is not compiled with debugging symbols. If you add 'debug' to the mk1mf.pl lines in the do_* batch file then debugging symbols will be - compiled in. + compiled in. Note that mk1mf.pl expects the platform to be the last argument + on the command line, so 'debug' must appear before that, as all other options. The default Win32 environment is to leave out any Windows NT specific features. From 70e96dcf5930c14f25f64b99f7fc30fdc2c24239 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2002 12:59:00 +0000 Subject: [PATCH 19/49] Document should match reality :-). PR: 255 --- doc/apps/passwd.pod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod index 07d849c82..f44982549 100644 --- a/doc/apps/passwd.pod +++ b/doc/apps/passwd.pod @@ -75,7 +75,7 @@ to each password hash. B prints B. -B prints B<$1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1>. +B prints B<$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.>. B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. From e984b2af64e7bda295edb5c963e1b8932112230e Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2002 13:04:37 +0000 Subject: [PATCH 20/49] If we're loading libz dynamically, and COMP_zlib() is called more than once, only the first call would provide the correct result. PR: 277 --- crypto/comp/c_zlib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index cd2f8a491..8c0876151 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -208,11 +208,11 @@ COMP_METHOD *COMP_zlib(void) = (inflateInit__ft) DSO_bind_func(zlib_dso, "inflateInit_"); zlib_loaded++; - meth = &zlib_method; } } -#elif defined(ZLIB) +#endif +#if defined(ZLIB) || defined(ZLIB_SHARED) meth = &zlib_method; #endif From 0638ced5cce5cab63d09c96d43a1f6cbe71a0b08 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2002 13:30:57 +0000 Subject: [PATCH 21/49] Add random number generation capability to the cswift engine. Should this be added to 0.9.6-stable as well? PR: 275 --- crypto/engine/hw_cswift.c | 72 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 71 insertions(+), 1 deletion(-) diff --git a/crypto/engine/hw_cswift.c b/crypto/engine/hw_cswift.c index f5c897bdb..31b6250dd 100644 --- a/crypto/engine/hw_cswift.c +++ b/crypto/engine/hw_cswift.c @@ -121,6 +121,10 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); #endif +/* RAND stuff */ +static int cswift_rand_bytes(unsigned char *buf, int num); +static int cswift_rand_status(void); + /* The definitions for control commands specific to this engine */ #define CSWIFT_CMD_SO_PATH ENGINE_CMD_BASE static const ENGINE_CMD_DEFN cswift_cmd_defns[] = { @@ -183,6 +187,18 @@ static DH_METHOD cswift_dh = }; #endif +static RAND_METHOD cswift_random = + { + /* "CryptoSwift RAND method", */ + NULL, + cswift_rand_bytes, + NULL, + NULL, + cswift_rand_bytes, + cswift_rand_status, + }; + + /* Constants used when creating the ENGINE */ static const char *engine_cswift_id = "cswift"; static const char *engine_cswift_name = "CryptoSwift hardware engine support"; @@ -208,7 +224,7 @@ static int bind_helper(ENGINE *e) #ifndef OPENSSL_NO_DH !ENGINE_set_DH(e, &cswift_dh) || #endif - !ENGINE_set_destroy_function(e, cswift_destroy) || + !ENGINE_set_RAND(e, &cswift_random) || !ENGINE_set_init_function(e, cswift_init) || !ENGINE_set_finish_function(e, cswift_finish) || !ENGINE_set_ctrl_function(e, cswift_ctrl) || @@ -905,6 +921,60 @@ static int cswift_mod_exp_dh(const DH *dh, BIGNUM *r, } #endif +/* Random bytes are good */ +static int cswift_rand_bytes(unsigned char *buf, int num) +{ + SW_CONTEXT_HANDLE hac; + SW_STATUS swrc; + SW_LARGENUMBER largenum; + size_t nbytes = 0; + int acquired = 0; + int to_return = 0; /* assume failure */ + + if (!get_context(&hac)) + { + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_UNIT_FAILURE); + goto err; + } + acquired = 1; + + while (nbytes < num) + { + /* tell CryptoSwift how many bytes we want and where we want it. + * Note: - CryptoSwift cannot do more than 4096 bytes at a time. + * - CryptoSwift can only do multiple of 32-bits. */ + largenum.value = (SW_BYTE *) buf + nbytes; + if (4096 > num - nbytes) + largenum.nbytes = num - nbytes; + else + largenum.nbytes = 4096; + + swrc = p_CSwift_SimpleRequest(hac, SW_CMD_RAND, NULL, 0, &largenum, 1); + if (swrc != SW_OK) + { + char tmpbuf[20]; + CSWIFTerr(CSWIFT_F_CSWIFT_CTRL, CSWIFT_R_REQUEST_FAILED); + sprintf(tmpbuf, "%ld", swrc); + ERR_add_error_data(2, "CryptoSwift error number is ", tmpbuf); + goto err; + } + + nbytes += largenum.nbytes; + } + to_return = 1; /* success */ + +err: + if (acquired) + release_context(hac); + return to_return; +} + +static int cswift_rand_status(void) +{ + return 1; +} + + /* This stuff is needed if this ENGINE is being compiled into a self-contained * shared-library. */ #ifdef ENGINE_DYNAMIC_SUPPORT From 7104c376aed7771ea1d1e4fbd2fe200e274cbc16 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Fri, 4 Oct 2002 13:43:43 +0000 Subject: [PATCH 22/49] Installed libraries should not be overwritten, especially shared ones. Use mv to make sure the old copy is unlinked instead of overwritten. PR: 273, and probably others... --- Makefile.org | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/Makefile.org b/Makefile.org index ab45a851c..cdeaae66d 100644 --- a/Makefile.org +++ b/Makefile.org @@ -706,9 +706,10 @@ install: all install_docs do \ if [ -f "$$i" ]; then \ ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ fi; \ done; @if [ -n "$(SHARED_LIBS)" ]; then \ @@ -718,14 +719,17 @@ install: all install_docs if [ -f "$$i" -o -f "$$i.a" ]; then \ ( echo installing $$i; \ if [ "$(PLATFORM)" != "Cygwin" ]; then \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ else \ c=`echo $$i | sed 's/^lib/cyg/'`; \ - cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ - cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ + cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ + cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \ + mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \ fi ); \ fi; \ done; \ From f86abc2e80d47ec8aadcc1bbdaa002f66b0c7cab Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 4 Oct 2002 20:24:50 +0000 Subject: [PATCH 23/49] Update mkdef.pl to handle new ASN1 macro --- util/mkdef.pl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/util/mkdef.pl b/util/mkdef.pl index 3fe6d2853..dc8481681 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -710,6 +710,8 @@ sub do_defs "EXPORT_VAR_AS_FUNCTION", "FUNCTION"); next; + } elsif (/^\s*DECLARE_ASN1_NDEF_FUNCTION\s*\(\s*(\w*)\s*\)/) { + $def .= "int d2i_$1_NDEF(void);"; } elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) { next; } elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) { From a2a1a04e53aee63efc9040292b2edeb9b4906f31 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 4 Oct 2002 21:08:01 +0000 Subject: [PATCH 24/49] Add declaration got PKCS#7 NDEF. --- crypto/pkcs7/pkcs7.h | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h index 5819700a8..226fb6434 100644 --- a/crypto/pkcs7/pkcs7.h +++ b/crypto/pkcs7/pkcs7.h @@ -300,6 +300,7 @@ DECLARE_ASN1_FUNCTIONS(PKCS7) DECLARE_ASN1_ITEM(PKCS7_ATTR_SIGN) DECLARE_ASN1_ITEM(PKCS7_ATTR_VERIFY) +DECLARE_ASN1_NDEF_FUNCTION(PKCS7) long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg); From 3d840c827f1190f11780a5bdb05665d341fcec78 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 4 Oct 2002 21:16:58 +0000 Subject: [PATCH 25/49] make update --- crypto/engine/Makefile.ssl | 64 +++++++++++++------------------------- util/libeay.num | 10 ++++++ 2 files changed, 32 insertions(+), 42 deletions(-) diff --git a/crypto/engine/Makefile.ssl b/crypto/engine/Makefile.ssl index a9a50716d..ec8f22517 100644 --- a/crypto/engine/Makefile.ssl +++ b/crypto/engine/Makefile.ssl @@ -325,6 +325,28 @@ hw_atalla.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_atalla.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_atalla.o: ../cryptlib.h hw_atalla.c hw_atalla_err.c hw_atalla_err.h hw_atalla.o: vendor_defns/atalla.h +hw_cryptodev.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h +hw_cryptodev.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h +hw_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/cast.h +hw_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +hw_cryptodev.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h +hw_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +hw_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +hw_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h +hw_cryptodev.o: ../../include/openssl/err.h ../../include/openssl/evp.h +hw_cryptodev.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +hw_cryptodev.o: ../../include/openssl/md2.h ../../include/openssl/md4.h +hw_cryptodev.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h +hw_cryptodev.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +hw_cryptodev.o: ../../include/openssl/opensslconf.h +hw_cryptodev.o: ../../include/openssl/opensslv.h +hw_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h +hw_cryptodev.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +hw_cryptodev.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +hw_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +hw_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +hw_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h +hw_cryptodev.o: ../../include/openssl/ui_compat.h hw_cryptodev.c hw_cswift.o: ../../e_os.h ../../include/openssl/asn1.h hw_cswift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_cswift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h @@ -381,48 +403,6 @@ hw_nuron.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h hw_nuron.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h hw_nuron.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h hw_nuron.o: ../cryptlib.h hw_nuron.c hw_nuron_err.c hw_nuron_err.h -hw_openbsd_dev_crypto.o: ../../include/openssl/aes.h -hw_openbsd_dev_crypto.o: ../../include/openssl/asn1.h -hw_openbsd_dev_crypto.o: ../../include/openssl/bio.h -hw_openbsd_dev_crypto.o: ../../include/openssl/blowfish.h -hw_openbsd_dev_crypto.o: ../../include/openssl/bn.h -hw_openbsd_dev_crypto.o: ../../include/openssl/cast.h -hw_openbsd_dev_crypto.o: ../../include/openssl/conf.h -hw_openbsd_dev_crypto.o: ../../include/openssl/crypto.h -hw_openbsd_dev_crypto.o: ../../include/openssl/des.h -hw_openbsd_dev_crypto.o: ../../include/openssl/des_old.h -hw_openbsd_dev_crypto.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h -hw_openbsd_dev_crypto.o: ../../include/openssl/e_os2.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ec.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ecdh.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ecdsa.h -hw_openbsd_dev_crypto.o: ../../include/openssl/engine.h -hw_openbsd_dev_crypto.o: ../../include/openssl/err.h -hw_openbsd_dev_crypto.o: ../../include/openssl/evp.h -hw_openbsd_dev_crypto.o: ../../include/openssl/idea.h -hw_openbsd_dev_crypto.o: ../../include/openssl/lhash.h -hw_openbsd_dev_crypto.o: ../../include/openssl/md2.h -hw_openbsd_dev_crypto.o: ../../include/openssl/md4.h -hw_openbsd_dev_crypto.o: ../../include/openssl/md5.h -hw_openbsd_dev_crypto.o: ../../include/openssl/mdc2.h -hw_openbsd_dev_crypto.o: ../../include/openssl/obj_mac.h -hw_openbsd_dev_crypto.o: ../../include/openssl/objects.h -hw_openbsd_dev_crypto.o: ../../include/openssl/opensslconf.h -hw_openbsd_dev_crypto.o: ../../include/openssl/opensslv.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ossl_typ.h -hw_openbsd_dev_crypto.o: ../../include/openssl/rand.h -hw_openbsd_dev_crypto.o: ../../include/openssl/rc2.h -hw_openbsd_dev_crypto.o: ../../include/openssl/rc4.h -hw_openbsd_dev_crypto.o: ../../include/openssl/rc5.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ripemd.h -hw_openbsd_dev_crypto.o: ../../include/openssl/rsa.h -hw_openbsd_dev_crypto.o: ../../include/openssl/safestack.h -hw_openbsd_dev_crypto.o: ../../include/openssl/sha.h -hw_openbsd_dev_crypto.o: ../../include/openssl/stack.h -hw_openbsd_dev_crypto.o: ../../include/openssl/symhacks.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ui.h -hw_openbsd_dev_crypto.o: ../../include/openssl/ui_compat.h ../evp/evp_locl.h -hw_openbsd_dev_crypto.o: eng_int.h hw_openbsd_dev_crypto.c hw_sureware.o: ../../e_os.h ../../include/openssl/aes.h hw_sureware.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h hw_sureware.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h diff --git a/util/libeay.num b/util/libeay.num index 3b2b6048d..d73803d23 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -3010,3 +3010,13 @@ X509_REQ_print_ex 3443 EXIST::FUNCTION:BIO EC_GROUP_get_pentanomial_basis 3444 EXIST::FUNCTION:EC EC_GROUP_get_trinomial_basis 3445 EXIST::FUNCTION:EC EC_get_builtin_curves 3446 EXIST::FUNCTION:EC +PKCS12_add_safe 3447 EXIST::FUNCTION: +PKCS12_add_safes 3448 EXIST::FUNCTION: +X509_keyid_get0 3449 EXIST::FUNCTION: +ASN1_OCTET_STRING_NDEF_it 3450 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: +ASN1_OCTET_STRING_NDEF_it 3450 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +ASN1_put_eoc 3451 EXIST::FUNCTION: +PKCS12_add_key 3452 EXIST::FUNCTION: +PKCS12_add_cert 3453 EXIST::FUNCTION: +ASN1_item_ndef_i2d 3454 EXIST::FUNCTION: +d2i_PKCS7_NDEF 3455 EXIST::FUNCTION: From fc6a6a10309704e10c4493d5ee5f834a3307ffa3 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 4 Oct 2002 21:22:47 +0000 Subject: [PATCH 26/49] Add version info to Win32 DLLs. We might want to edit the strings a bit... Maybe add to 0.9.7 too? --- CHANGES | 3 +++ Configure | 64 ++++++++++++++++++++++++++++++++++++++++++++++++ util/mk1mf.pl | 21 ++++++++++++++++ util/pl/VC-32.pl | 1 + 4 files changed, 89 insertions(+) diff --git a/CHANGES b/CHANGES index 54fb8daec..6bf38c214 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 0.9.7 and 0.9.8 [xx XXX 2002] + *) Add version info to Win32 DLLs. + [Peter 'Luna' Runestig" ] + *) Add new 'medium level' PKCS#12 API. Certificates and keys can be added using this API to created arbitrary PKCS#12 files while avoiding the low level API. diff --git a/Configure b/Configure index 2566a3fbe..83a9d94f5 100755 --- a/Configure +++ b/Configure @@ -1156,6 +1156,7 @@ if ($rmd160_obj =~ /\.o$/) $cflags =~ s/([\\\"])/\\\1/g; my $version = "unknown"; +my $version_num = "unknown"; my $major = "unknown"; my $minor = "unknown"; my $shlib_version_number = "unknown"; @@ -1167,6 +1168,7 @@ open(IN,') { $version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /; + $version_num=$1 if /OPENSSL.VERSION.NUMBER.*0x(\S+)/; $shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/; $shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/; } @@ -1499,6 +1501,68 @@ EOF } } +# create the ms/version32.rc file if needed +if ($IsWindows) { + my ($v1, $v2, $v3, $v4); + if ($version_num =~ /(^[0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})/i) { + $v1=hex $1; + $v2=hex $2; + $v3=hex $3; + $v4=hex $4; + } + open (OUT,">ms/version32.rc") || die "Can't open ms/version32.rc"; + print OUT < + +LANGUAGE 0x09,0x01 + +1 VERSIONINFO + FILEVERSION $v1,$v2,$v3,$v4 + PRODUCTVERSION $v1,$v2,$v3,$v4 + FILEFLAGSMASK 0x3fL +#ifdef _DEBUG + FILEFLAGS 0x01L +#else + FILEFLAGS 0x00L +#endif + FILEOS VOS__WINDOWS32 + FILETYPE VFT_DLL + FILESUBTYPE 0x0L +BEGIN + BLOCK "StringFileInfo" + BEGIN + BLOCK "040904b0" + BEGIN + // Required: + VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0" + VALUE "FileDescription", "OpenSSL Shared Library\\0" + VALUE "FileVersion", "$version\\0" +#if defined(CRYPTO) + VALUE "InternalName", "libeay32\\0" + VALUE "OriginalFilename", "libeay32.dll\\0" +#elif defined(SSL) + VALUE "InternalName", "ssleay32\\0" + VALUE "OriginalFilename", "ssleay32.dll\\0" +#endif + VALUE "ProductName", "The OpenSSL Toolkit\\0" + VALUE "ProductVersion", "$version\\0" + // Optional: + //VALUE "Comments", "\\0" + VALUE "LegalCopyright", "Copyright © 1998-2002 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0" + //VALUE "LegalTrademarks", "\\0" + //VALUE "PrivateBuild", "\\0" + //VALUE "SpecialBuild", "\\0" + END + END + BLOCK "VarFileInfo" + BEGIN + VALUE "Translation", 0x409, 0x4b0 + END +END +EOF + close(OUT); + } + print < Date: Sat, 5 Oct 2002 01:38:58 +0000 Subject: [PATCH 27/49] Typo. --- util/libeay.num | 2 +- util/mkdef.pl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/util/libeay.num b/util/libeay.num index d73803d23..8b19e33b8 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -3019,4 +3019,4 @@ ASN1_put_eoc 3451 EXIST::FUNCTION: PKCS12_add_key 3452 EXIST::FUNCTION: PKCS12_add_cert 3453 EXIST::FUNCTION: ASN1_item_ndef_i2d 3454 EXIST::FUNCTION: -d2i_PKCS7_NDEF 3455 EXIST::FUNCTION: +i2d_PKCS7_NDEF 3455 EXIST::FUNCTION: diff --git a/util/mkdef.pl b/util/mkdef.pl index dc8481681..db08e29b7 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -711,7 +711,7 @@ sub do_defs "FUNCTION"); next; } elsif (/^\s*DECLARE_ASN1_NDEF_FUNCTION\s*\(\s*(\w*)\s*\)/) { - $def .= "int d2i_$1_NDEF(void);"; + $def .= "int i2d_$1_NDEF(void);"; } elsif (/^\s*DECLARE_ASN1_SET_OF\s*\(\s*(\w*)\s*\)/) { next; } elsif (/^\s*DECLARE_PKCS12_STACK_OF\s*\(\s*(\w*)\s*\)/) { From 6fed88113b50aaa4e76e35757f177bef19eb02de Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sat, 5 Oct 2002 20:54:09 +0000 Subject: [PATCH 28/49] For some reason, the random number support removed the destructor --- crypto/engine/hw_cswift.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/engine/hw_cswift.c b/crypto/engine/hw_cswift.c index 31b6250dd..f925707a2 100644 --- a/crypto/engine/hw_cswift.c +++ b/crypto/engine/hw_cswift.c @@ -225,6 +225,7 @@ static int bind_helper(ENGINE *e) !ENGINE_set_DH(e, &cswift_dh) || #endif !ENGINE_set_RAND(e, &cswift_random) || + !ENGINE_set_destroy_function(e, cswift_destroy) || !ENGINE_set_init_function(e, cswift_init) || !ENGINE_set_finish_function(e, cswift_finish) || !ENGINE_set_ctrl_function(e, cswift_ctrl) || From 9946fceb9d9d00b020c44f0bd7d880a6a34d4b96 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 5 Oct 2002 23:30:10 +0000 Subject: [PATCH 29/49] Some docs relating to X509 ASN1 functions. Many other ASN1 functions are identical other than the actual structure being handled. --- doc/crypto/X509_new.pod | 37 +++++++ doc/crypto/d2i_X509.pod | 224 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 261 insertions(+) create mode 100644 doc/crypto/X509_new.pod create mode 100644 doc/crypto/d2i_X509.pod diff --git a/doc/crypto/X509_new.pod b/doc/crypto/X509_new.pod new file mode 100644 index 000000000..6de81e3d1 --- /dev/null +++ b/doc/crypto/X509_new.pod @@ -0,0 +1,37 @@ +=pod + +=head1 NAME + +X509_new, X509_free, - X509 certificate ASN1 allocation functions + +=head1 SYNOPSIS + + X509 *X509_new(void); + void X509_free(X509 *a); + +=head1 DESCRIPTION + +The X509 ASN1 allocation routines, allocate and free an +X509 structure, which represents an X509 certificate. + +X509_new() allocates and initializes a X509 structure. + +X509_free() frees up the B structure B. + +=head1 RETURN VALUES + +If the allocation fails, X509_new() returns B and sets an error +code that can be obtained by L. +Otherwise it returns a pointer to the newly allocated structure. + +X509_free() returns no value. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +X509_new() and X509_free() are available in all versions of SSLeay and OpenSSL. + +=cut diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod new file mode 100644 index 000000000..56dfe3286 --- /dev/null +++ b/doc/crypto/d2i_X509.pod @@ -0,0 +1,224 @@ +=pod + +=head1 NAME + +d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio, +i2d_X509_fp - X509 encode and decode functions + +=head1 SYNOPSIS + + X509 *d2i_X509(X509 **px, unsigned char **in, int len); + int i2d_X509(X509 *x, unsigned char **out); + + X509 *d2i_X509_bio(BIO *bp, X509 **x); + X509 *d2i_X509_fp(FILE *fp, X509 **x); + + int i2d_X509_bio(X509 *x, BIO *bp); + int i2d_X509_fp(X509 *x, FILE *fp); + +=head1 DESCRIPTION + +The X509 encode and decode routines encode and parse an +B structure, which represents an X509 certificate. + +d2i_X509() attempts to decode B bytes at B<*out>. If +successful a pointer to the B structure is returned. If an error +occurred then B is returned. If B is not B then the +returned structure is written to B<*px>. If B<*px> is not B +then it is assumed that B<*px> contains a valid B +structure and an attempt is made to reuse it. If the call is +successful B<*out> is incremented to the byte following the +parsed data. + +i2d_X509() encodes the structure pointed to by B into DER format. +If B is not B is writes the DER encoded data to the buffer +at B<*out>, and increments it to point after the data just written. +If the return value is negative an error occurred, otherwise it +returns the length of the encoded data. + +For OpenSSL 0.9.7 and later if B<*out> is B memory will be +allocated for a buffer and the encoded data written to it. In this +case B<*out> is not incremented and it points to the start of the +data just written. + +d2i_X509_bio() is similar to d2i_X509() except it attempts +to parse data from BIO B. + +d2i_X509_fp() is similar to d2i_X509() except it attempts +to parse data from FILE pointer B. + +i2d_X509_bio() is similar to i2d_X509() except it writes +the encoding of the structure B to BIO B. + +i2d_X509_fp() is similar to i2d_X509() except it writes +the encoding of the structure B to BIO B. + +=head1 NOTES + +The letters B and B in for example B stand for +"internal" (that is an internal C structure) and "DER". So that +B converts from internal to DER. + +The functions can also understand B forms. + +The actual X509 structure passed to i2d_X509() must be a valid +populated B structure it can B simply be fed with an +empty structure such as that returned by X509_new(). + +The encoded data is in binary form and may contain embedded zeroes. +Therefore any FILE pointers or BIOs should be opened in binary mode. +Functions such as B will B return the correct length +of the encoded structure. + +The ways that B<*in> and B<*out> are incremented after the operation +can trap the unwary. See the B section for some common +errors. + +The reason for the auto increment behaviour is to reflect a typical +usage of ASN1 functions: after one structure is encoded or decoded +another will processed after it. + +=head1 EXAMPLES + +Allocate and encode the DER encoding of an X509 structure: + + int len; + unsigned char *buf, *p; + + len = i2d_X509(x, NULL); + + buf = OPENSSL_malloc(len); + + if (buf == NULL) + /* error */ + + p = buf; + + i2d_X509(x, &p); + +If you are using OpenSSL 0.9.7 or later then this can be +simplified to: + + + int len; + unsigned char *buf; + + buf = NULL; + + len = i2d_X509(x, &buf); + + if (len < 0) + /* error */ + +Attempt to decode a buffer: + + X509 *x; + + unsigned char *buf, *p; + + int len; + + /* Something to setup buf and len */ + + p = buf; + + x = d2i_X509(NULL, &p, len); + + if (x == NULL) + /* Some error */ + +Alternative technique: + + X509 *x; + + unsigned char *buf, *p; + + int len; + + /* Something to setup buf and len */ + + p = buf; + + x = NULL; + + if(!d2i_X509(&x, &p, len)) + /* Some error */ + + +=head1 WARNINGS + +The use of temporary variable is mandatory. A common +mistake is to attempt to use a buffer directly as follows: + + int len; + unsigned char *buf; + + len = i2d_X509(x, NULL); + + buf = OPENSSL_malloc(len); + + if (buf == NULL) + /* error */ + + i2d_X509(x, &buf); + + /* Other stuff ... */ + + OPENSSL_free(buf); + +This code will result in B apparently containing garbage because +it was incremented after the call to point after the data just written. +Also B will no longer contain the pointer allocated by B +and the subsequent call to B may well crash. + +The auto allocation feature (setting buf to NULL) only works on OpenSSL +0.9.7 and later. Attempts to use it on earlier versions will typically +cause a segmentation violation. + +Another trap to avoid is misuse of the B argument to B: + + X509 *x; + + if (!d2i_X509(&x, &p, len)) + /* Some error */ + +This will probably crash somewhere in B. The reason for this +is that the variable B is uninitialized and an attempt will be made to +interpret its (invalid) value as an B structure, typically causing +a segmentation violation. If B is set to NULL first then this will not +happen. + +=head1 BUGS + +In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when +B<*px> is valid is broken and some parts of the reused structure may +persist if they are not present in the new one. As a result the use +of this "reuse" behaviour is strongly discouraged. + +i2d_X509() will not return an error in many versions of OpenSSL, +if mandatory fields are not initialized due to a programming error +then the encoded structure may contain invalid data or omit the +fields entirely and will not be parsed by d2i_X509(). This may be +fixed in future so code should not assume that i2d_X509() will +always succeed. + +=head1 RETURN VALUES + +d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B structure +or B if an error occurs. The error code that can be obtained by +L. + +i2d_X509(), i2d_X509_bio() and i2d_X509_fp() return a the number of bytes +successfully encoded or a negative value if an error occurs. The error code +can be obtained by L. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio and i2d_X509_fp +are available in all versions of SSLeay and OpenSSL. + +=cut From 1e976bdc469de6e733a4f0a5d8360315b4eaf47a Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 00:03:20 +0000 Subject: [PATCH 30/49] Update RSAPublicKey manual page... --- doc/crypto/d2i_RSAPublicKey.pod | 39 ++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/doc/crypto/d2i_RSAPublicKey.pod b/doc/crypto/d2i_RSAPublicKey.pod index ff4d0d57d..7c71bcbf3 100644 --- a/doc/crypto/d2i_RSAPublicKey.pod +++ b/doc/crypto/d2i_RSAPublicKey.pod @@ -2,7 +2,9 @@ =head1 NAME -d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Netscape_RSA, d2i_Netscape_RSA - ... +d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, +d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA, +d2i_Netscape_RSA - RSA public and private key encoding functions. =head1 SYNOPSIS @@ -12,6 +14,10 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne int i2d_RSAPublicKey(RSA *a, unsigned char **pp); + RSA * d2i_RSA_PUBKEY(RSA **a, unsigned char **pp, long length); + + int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp); + RSA * d2i_RSAPrivateKey(RSA **a, unsigned char **pp, long length); int i2d_RSAPrivateKey(RSA *a, unsigned char **pp); @@ -22,18 +28,39 @@ d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, i2d_Ne =head1 DESCRIPTION -... +d2i_RSAPublicKey() and i2d_RSAPublicKey() decode and encode a PKCS#1 RSAPublicKey +structure. -=head1 RETURN VALUES +d2i_RSA_PUKEY() and i2d_RSA_PUKEY() decode and encode an RSA public key using a +SubjectPublicKeyInfo (certificate public key) structure. -... +d2i_RSAPrivateKey(), i2d_RSAPrivateKey() decode and encode a PKCS#1 RSAPrivateKey +structure. + +d2i_Netscape_RSA(), i2d_Netscape_RSA() decode and encode an RSA private key in +NET format. + +The usage of all of these functions is similar to the d2i_X509() and +i2d_X509() described in the L manual page. + +=head1 NOTES + +The B structure passed to the private key encoding functions should have +all the PKCS#1 private key components present. + +The data encoded by the private key functions is unencrypted and therefore +offers no private key security. + +The NET format functions are present to provide compatibility with certain very +old software. This format has some severe security weaknesses and should be +avoided if possible. =head1 SEE ALSO -... +L =head1 HISTORY -... +TBA =cut From 69deec58fb6afb061ff8400ec74edb889402649c Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 6 Oct 2002 00:23:28 +0000 Subject: [PATCH 31/49] Do not define crypt(). The supported function is DES_crypt() (an des_crypt() when backward compatibility is desired). --- crypto/des/des_old.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto/des/des_old.h b/crypto/des/des_old.h index 51b987422..1d8bf6510 100644 --- a/crypto/des/des_old.h +++ b/crypto/des/des_old.h @@ -173,10 +173,12 @@ typedef struct _ossl_old_des_ks_struct DES_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ DES_crypt((b),(s)) +#if 0 #if !defined(PERL5) && !defined(__FreeBSD__) && !defined(NeXT) && !defined(__OpenBSD__) #define crypt(b,s)\ DES_crypt((b),(s)) #endif +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ DES_ofb_encrypt((i),(o),(n),(l),&(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ @@ -274,8 +276,10 @@ typedef struct _ossl_old_des_ks_struct _ossl_old_des_fcrypt((b),(s),(r)) #define des_crypt(b,s)\ _ossl_old_des_crypt((b),(s)) +#if 0 #define crypt(b,s)\ _ossl_old_crypt((b),(s)) +#endif #define des_ofb_encrypt(i,o,n,l,k,iv)\ _ossl_old_des_ofb_encrypt((i),(o),(n),(l),(k),(iv)) #define des_pcbc_encrypt(i,o,l,k,iv,e)\ From 12f27bd414fbdba8fd6fbda2d3510a6ee718df74 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 6 Oct 2002 00:33:23 +0000 Subject: [PATCH 32/49] Please do not use C++ comments in C code. --- crypto/asn1/tasn_enc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index 33d6366e0..c604699e2 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -185,7 +185,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, return i; case ASN1_ITYPE_NDEF_SEQUENCE: -//fprintf(stderr, "NDEF sequence from %s flags %d\n", it->sname, aclass & ASN1_TFLG_NDEF); +#if 0 +fprintf(stderr, "NDEF sequence from %s flags %d\n", it->sname, aclass & ASN1_TFLG_NDEF); +#endif /* Use indefinite length constructed if requested */ if (aclass & ASN1_TFLG_NDEF) ndef = 2; /* fall through */ From b75b2225e5228ba4b6161f362f258fcf1c3e0702 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Sun, 6 Oct 2002 00:41:12 +0000 Subject: [PATCH 33/49] Since crypt() isn't defined anywhere, define it locally in destest.c --- crypto/des/destest.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/des/destest.c b/crypto/des/destest.c index 58e8c35dc..7799e6e4b 100644 --- a/crypto/des/destest.c +++ b/crypto/des/destest.c @@ -84,9 +84,7 @@ int main(int argc, char *argv[]) #else #include -#if defined(PERL5) || defined(__FreeBSD__) || defined(NeXT) #define crypt(c,s) (des_crypt((c),(s))) -#endif /* tisk tisk - the test keys don't all have odd parity :-( */ /* test data */ From 12dadc555fc90a89b71948105fd1d62868c86ad1 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:10:35 +0000 Subject: [PATCH 34/49] Oops, remove old comment out debugging printf... --- crypto/asn1/tasn_enc.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index c604699e2..5ce38e192 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -185,9 +185,6 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, return i; case ASN1_ITYPE_NDEF_SEQUENCE: -#if 0 -fprintf(stderr, "NDEF sequence from %s flags %d\n", it->sname, aclass & ASN1_TFLG_NDEF); -#endif /* Use indefinite length constructed if requested */ if (aclass & ASN1_TFLG_NDEF) ndef = 2; /* fall through */ @@ -244,6 +241,11 @@ fprintf(stderr, "NDEF sequence from %s flags %d\n", it->sname, aclass & ASN1_TFL return 0; } +int ASN1_template_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt) + { + return asn1_template_ex_i2d(pval, out, tt, -1, 0); + } + static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { int i, ret, flags, ttag, tclass, ndef; From 74e3931f8438df5bcb980334e1fe4ed19f13c8ef Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:14:55 +0000 Subject: [PATCH 35/49] Various Win32 fixes. Resolve signed/unsigned conflicts Make dso_win32.c compile. --- crypto/asn1/t_pkey.c | 2 +- crypto/dso/dso_win32.c | 31 ++++++++++++++++++++++++------- crypto/engine/hw_cswift.c | 2 +- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/crypto/asn1/t_pkey.c b/crypto/asn1/t_pkey.c index 0112f7cce..46fb86a3b 100644 --- a/crypto/asn1/t_pkey.c +++ b/crypto/asn1/t_pkey.c @@ -627,7 +627,7 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf, static int print_bin(BIO *fp, const char *name, const unsigned char *buf, size_t len, int off) { - int i; + size_t i; char str[128]; if (buf == NULL) diff --git a/crypto/dso/dso_win32.c b/crypto/dso/dso_win32.c index 4ce9a5d45..58c5281de 100644 --- a/crypto/dso/dso_win32.c +++ b/crypto/dso/dso_win32.c @@ -86,6 +86,8 @@ static char *win32_name_converter(DSO *dso, const char *filename); static char *win32_merger(DSO *dso, const char *filespec1, const char *filespec2); +static const char *openssl_strnchr(const char *string, int c, size_t len); + static DSO_METHOD dso_meth_win32 = { "OpenSSL 'win32' shared library method", win32_load, @@ -258,7 +260,7 @@ struct file_st const char *predir; int predirlen; const char *dir; int dirlen; const char *file; int filelen; - } + }; static struct file_st *win32_splitter(DSO *dso, const char *filename, int assume_last_is_dir) @@ -270,7 +272,8 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename, if (!filename) { DSOerr(DSO_F_WIN32_MERGER,DSO_R_NO_FILENAME); - goto err; + /*goto err;*/ + return(NULL); } result = OPENSSL_malloc(sizeof(struct file_st)); @@ -302,7 +305,8 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename, { DSOerr(DSO_F_WIN32_MERGER, DSO_R_INCORRECT_FILE_SYNTAX); - goto err; + /*goto err;*/ + return(NULL); } result->device = start; result->devicelen = filename - start; @@ -354,14 +358,14 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename, while(*filename); if(!result->nodelen) result->node = NULL; - if(!result->devicelen) result->devicce = NULL; + if(!result->devicelen) result->device = NULL; if(!result->dirlen) result->dir = NULL; if(!result->filelen) result->file = NULL; return(result); } -static char *win32_joiner(DSO *dso, const file_st *file_split) +static char *win32_joiner(DSO *dso, const struct file_st *file_split) { int len = 0, offset = 0; char *result = NULL; @@ -428,7 +432,7 @@ static char *win32_joiner(DSO *dso, const file_st *file_split) start = file_split->predir; while(file_split->predirlen > (start - file_split->predir)) { - const char *end = strnchr(start, '/', + const char *end = openssl_strnchr(start, '/', file_split->predirlen - (start - file_split->predir)); if(!end) end = start @@ -446,7 +450,7 @@ static char *win32_joiner(DSO *dso, const file_st *file_split) start = file_split->dir; while(file_split->dirlen > (start - file_split->dir)) { - const char *end = strnchr(start, '/', + const char *end = openssl_strnchr(start, '/', file_split->dirlen - (start - file_split->dir)); if(!end) end = start @@ -577,4 +581,17 @@ static char *win32_name_converter(DSO *dso, const char *filename) return(translated); } +static const char *openssl_strnchr(const char *string, int c, size_t len) + { + size_t i; + const char *p; + for (i = 0, p = string; i < len && *p; i++, p++) + { + if (*p == c) + return p; + } + return NULL; + } + + #endif /* OPENSSL_SYS_WIN32 */ diff --git a/crypto/engine/hw_cswift.c b/crypto/engine/hw_cswift.c index f925707a2..1b4e4e876 100644 --- a/crypto/engine/hw_cswift.c +++ b/crypto/engine/hw_cswift.c @@ -939,7 +939,7 @@ static int cswift_rand_bytes(unsigned char *buf, int num) } acquired = 1; - while (nbytes < num) + while (nbytes < (size_t)num) { /* tell CryptoSwift how many bytes we want and where we want it. * Note: - CryptoSwift cannot do more than 4096 bytes at a time. From 292fcd5c7b9c50ec5a73e0726d3ea2b1a1944832 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:24:09 +0000 Subject: [PATCH 36/49] Update DH parameter docs. --- doc/crypto/d2i_DHparams.pod | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/crypto/d2i_DHparams.pod b/doc/crypto/d2i_DHparams.pod index a6d1743d3..1e98aebec 100644 --- a/doc/crypto/d2i_DHparams.pod +++ b/doc/crypto/d2i_DHparams.pod @@ -2,7 +2,7 @@ =head1 NAME -d2i_DHparams, i2d_DHparams - ... +d2i_DHparams, i2d_DHparams - PKCS#3 DH parameter functions. =head1 SYNOPSIS @@ -13,18 +13,18 @@ d2i_DHparams, i2d_DHparams - ... =head1 DESCRIPTION -... +These functions decode and encode PKCS#3 DH parameters using the +DHparameter structure described in PKCS#3. -=head1 RETURN VALUES - -... +Othewise these behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. =head1 SEE ALSO -... +L =head1 HISTORY -... +TBA =cut From 842d8e209ba53029cdeabd43fa1f497e21e4b6a6 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:34:06 +0000 Subject: [PATCH 37/49] Update docs. --- doc/crypto/d2i_X509.pod | 2 ++ doc/crypto/d2i_X509_REQ.pod | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 doc/crypto/d2i_X509_REQ.pod diff --git a/doc/crypto/d2i_X509.pod b/doc/crypto/d2i_X509.pod index 56dfe3286..fc837f02b 100644 --- a/doc/crypto/d2i_X509.pod +++ b/doc/crypto/d2i_X509.pod @@ -7,6 +7,8 @@ i2d_X509_fp - X509 encode and decode functions =head1 SYNOPSIS + #include + X509 *d2i_X509(X509 **px, unsigned char **in, int len); int i2d_X509(X509 *x, unsigned char **out); diff --git a/doc/crypto/d2i_X509_REQ.pod b/doc/crypto/d2i_X509_REQ.pod new file mode 100644 index 000000000..0658725ac --- /dev/null +++ b/doc/crypto/d2i_X509_REQ.pod @@ -0,0 +1,35 @@ +=pod + +=head1 NAME + +d2i_X509_REQ, i2d_X509_REQ - PKCS#10 certificate request functions. + +=head1 SYNOPSIS + + #include + + DH *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length); + int i2d_X509_REQ(X509_REQ *a, unsigned char **pp); + + X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x); + X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **x); + + int i2d_X509_REQ_bio(X509_REQ *x, BIO *bp); + int i2d_X509_REQ_fp(X509_REQ *x, FILE *fp); + +=head1 DESCRIPTION + +These functions decode and encode a PKCS#10 certificate request. + +Othewise these behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut From 4ec0448122856e622e0ec3c87d5cc67f2d908135 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:40:31 +0000 Subject: [PATCH 38/49] Update docs. --- doc/crypto/d2i_X509_CRL.pod | 37 +++++++++++++++++++++++++++++++++++++ doc/crypto/d2i_X509_REQ.pod | 3 ++- 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 doc/crypto/d2i_X509_CRL.pod diff --git a/doc/crypto/d2i_X509_CRL.pod b/doc/crypto/d2i_X509_CRL.pod new file mode 100644 index 000000000..613bfd491 --- /dev/null +++ b/doc/crypto/d2i_X509_CRL.pod @@ -0,0 +1,37 @@ +=pod + +=head1 NAME + +d2i_X509_CRL, i2d_X509_CRL, d2i_X509_CRL_bio, d2i_509_CRL_fp, +i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions. + +=head1 SYNOPSIS + + #include + + DH *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length); + int i2d_X509_CRL(X509_CRL *a, unsigned char **pp); + + X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x); + X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **x); + + int i2d_X509_CRL_bio(X509_CRL *x, BIO *bp); + int i2d_X509_CRL_fp(X509_CRL *x, FILE *fp); + +=head1 DESCRIPTION + +These functions decode and encode an X509 CRL (certificate revocation +list). + +Othewise the functions behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/d2i_X509_REQ.pod b/doc/crypto/d2i_X509_REQ.pod index 0658725ac..9e2757f39 100644 --- a/doc/crypto/d2i_X509_REQ.pod +++ b/doc/crypto/d2i_X509_REQ.pod @@ -2,7 +2,8 @@ =head1 NAME -d2i_X509_REQ, i2d_X509_REQ - PKCS#10 certificate request functions. +d2i_X509_REQ, i2d_X509_REQ, d2i_X509_REQ_bio, d2i_X509_REQ_fp, +i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions. =head1 SYNOPSIS From 72e04bd13f22a14c29f2cfe8f432875641b3e772 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 6 Oct 2002 12:59:25 +0000 Subject: [PATCH 39/49] Document "0" and "1" naming convention. --- doc/crypto/crypto.pod | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod index c12eec140..7a527992b 100644 --- a/doc/crypto/crypto.pod +++ b/doc/crypto/crypto.pod @@ -62,6 +62,22 @@ L =back +=head1 NOTES + +Some of the newer functions follow a naming convention using the numbers +B<0> and B<1>. For example the functions: + + int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); + int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); + +The B<0> version uses the supplied structure pointer directly +in the parent and it will be freed up when the parent is freed. +In the above example B would be freed but B would not. + +The B<1> function uses a copy of the supplied structure pointer +(or in some cases increases its link count) in the parent and +so both (B and B above) should be freed up. + =head1 SEE ALSO L, L From 9de6bb8abc5296a79dbd85b0f86c533d5aab685b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 7 Oct 2002 13:07:00 +0000 Subject: [PATCH 40/49] More d2i/i2d manual pages. --- doc/crypto/d2i_DSAPublicKey.pod | 82 ++++++++++++++++++++++++++++++ doc/crypto/d2i_PKCS8PrivateKey.pod | 56 ++++++++++++++++++++ doc/crypto/d2i_X509_ALGOR.pod | 30 +++++++++++ doc/crypto/d2i_X509_SIG.pod | 30 +++++++++++ 4 files changed, 198 insertions(+) create mode 100644 doc/crypto/d2i_DSAPublicKey.pod create mode 100644 doc/crypto/d2i_PKCS8PrivateKey.pod create mode 100644 doc/crypto/d2i_X509_ALGOR.pod create mode 100644 doc/crypto/d2i_X509_SIG.pod diff --git a/doc/crypto/d2i_DSAPublicKey.pod b/doc/crypto/d2i_DSAPublicKey.pod new file mode 100644 index 000000000..6ebd30427 --- /dev/null +++ b/doc/crypto/d2i_DSAPublicKey.pod @@ -0,0 +1,82 @@ +=pod + +=head1 NAME + +d2i_DSAPublicKey, i2d_DSAPublicKey, d2i_DSAPrivateKey, i2d_DSAPrivateKey, +d2i_DSA_PUBKEY, i2d_DSA_PUBKEY, d2i_DSA_SIG, i2d_DSA_SIG - DSA key encoding +and parsing functions. + +=head1 SYNOPSIS + + #include + + DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); + + int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); + + DSA * d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); + + int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp); + + DSA * d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length); + + int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); + + DSA * d2i_DSAparams(DSA **a, const unsigned char **pp, long length); + + int i2d_DSAparams(const DSA *a, unsigned char **pp); + + DSA * d2i_DSA_SIG(DSA_SIG **a, const unsigned char **pp, long length); + + int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); + +=head1 DESCRIPTION + +d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key +components structure. + +d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a +SubjectPublicKeyInfo (certificate public key) structure. + +d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key +components. + +d2i_DSAparams(), i2d_DSAparams() decode and encode the DSA parameters using +a B structure as defined in RFC2459. + +d2i_DSA_SIG(), i2d_DSA_SIG() decode and encode a DSA signature using a +B structure as defined in RFC2459. + +The usage of all of these functions is similar to the d2i_X509() and +i2d_X509() described in the L manual page. + +=head1 NOTES + +The B structure passed to the private key encoding functions should have +all the private key components present. + +The data encoded by the private key functions is unencrypted and therefore +offers no private key security. + +The B functions should be used in preference to the B +functions when encoding public keys because they use a standard format. + +The B functions use an non standard format the actual data encoded +depends on the value of the B field of the B key parameter. +If B is zero then only the B field is encoded as an +B. If B is 1 then a B consisting of the +B

, B, B and B respectively fields are encoded. + +The B functions also use a non standard structure consiting +consisting of a SEQUENCE containing the B

, B, B and B and +B fields respectively. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/d2i_PKCS8PrivateKey.pod b/doc/crypto/d2i_PKCS8PrivateKey.pod new file mode 100644 index 000000000..a54b77908 --- /dev/null +++ b/doc/crypto/d2i_PKCS8PrivateKey.pod @@ -0,0 +1,56 @@ +=pod + +=head1 NAME + +d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp, +i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp, +i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp - PKCS#8 format private key functions + +=head1 SYNOPSIS + + #include + + EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); + EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); + + int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, + char *kstr, int klen, + pem_password_cb *cb, void *u); + + int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, + char *kstr, int klen, + pem_password_cb *cb, void *u); + + int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid, + char *kstr, int klen, + pem_password_cb *cb, void *u); + + int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid, + char *kstr, int klen, + pem_password_cb *cb, void *u); + +=head1 DESCRIPTION + +The PKCS#8 functions encode and decode private keys in PKCS#8 format using both +PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption algorithms. + +Other than the use of DER as opposed to PEM these functions are identical to the +corresponding B function as described in the L manual page. + +=head1 NOTES + +Before using these functions L +should be called to initialize the internal algorithm lookup tables otherwise errors about +unknown algorithms will occur if an attempt is made to decrypt a private key. + +These functions are currently the only way to store encrypted private keys using DER format. + +Currently all the functions use BIOs or FILE pointers, there are no functions which +work directly on memory: this can be readily worked around by converting the buffers +to memory BIOs, see L for details. + +=head1 SEE ALSO + +L + +=cut diff --git a/doc/crypto/d2i_X509_ALGOR.pod b/doc/crypto/d2i_X509_ALGOR.pod new file mode 100644 index 000000000..bf5545769 --- /dev/null +++ b/doc/crypto/d2i_X509_ALGOR.pod @@ -0,0 +1,30 @@ +=pod + +=head1 NAME + +d2i_X509_ALGOR, i2d_X509_ALGOR - AlgorithmIdentifier functions. + +=head1 SYNOPSIS + + #include + + DH *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length); + int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp); + +=head1 DESCRIPTION + +These functions decode and encode an B structure which is +equivalent to the B structure. + +Othewise these behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/d2i_X509_SIG.pod b/doc/crypto/d2i_X509_SIG.pod new file mode 100644 index 000000000..39b2353bc --- /dev/null +++ b/doc/crypto/d2i_X509_SIG.pod @@ -0,0 +1,30 @@ +=pod + +=head1 NAME + +d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions. + +=head1 SYNOPSIS + + #include + + DH *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); + int i2d_X509_SIG(X509_SIG *a, unsigned char **pp); + +=head1 DESCRIPTION + +These functions decode and encode an X509_SIG structure which is +equivalent to the B structure defined in PKCS#1 and PKCS#7. + +Othewise these behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut From d30e4c5b0bdcb8063ef25827af08f934a266cdab Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 7 Oct 2002 17:31:00 +0000 Subject: [PATCH 41/49] More docs. --- doc/crypto/EVP_PKEY_new.pod | 47 +++++++++++++++++++ doc/crypto/EVP_PKEY_set1_RSA.pod | 80 ++++++++++++++++++++++++++++++++ doc/crypto/PKCS7_sign.pod | 63 +++++++++++++++++++++++++ 3 files changed, 190 insertions(+) create mode 100644 doc/crypto/EVP_PKEY_new.pod create mode 100644 doc/crypto/EVP_PKEY_set1_RSA.pod create mode 100644 doc/crypto/PKCS7_sign.pod diff --git a/doc/crypto/EVP_PKEY_new.pod b/doc/crypto/EVP_PKEY_new.pod new file mode 100644 index 000000000..10687e458 --- /dev/null +++ b/doc/crypto/EVP_PKEY_new.pod @@ -0,0 +1,47 @@ +=pod + +=head1 NAME + +EVP_PKEY_new, EVP_PKEY_free - private key allocation functions. + +=head1 SYNOPSIS + + #include + + EVP_PKEY *EVP_PKEY_new(void); + void EVP_PKEY_free(EVP_PKEY *key); + + +=head1 DESCRIPTION + +The EVP_PKEY_new() function allocates an empty B +structure which is used by OpenSSL to store private keys. + +EVP_PKEY_free() frees up the private key B. + +=head1 NOTES + +The B structure is used by various OpenSSL functions +which require a general private key without reference to any +particular algorithm. + +The structure returned by EVP_PKEY_new() is empty. To add a +private key to this empty structure the functions described in +L should be used. + +=head1 RETURN VALUES + +EVP_PKEY_new() returns either the newly allocated B +structure of B if an error occurred. + +EVP_PKEY_free() does not return a value. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod new file mode 100644 index 000000000..2db692e27 --- /dev/null +++ b/doc/crypto/EVP_PKEY_set1_RSA.pod @@ -0,0 +1,80 @@ +=pod + +=head1 NAME + +EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, +EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, +EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY, +EVP_PKEY_type - EVP_PKEY assignment functions. + +=head1 SYNOPSIS + + #include + + int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key); + int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key); + int EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key); + int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,EC_KEY *key); + + RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); + DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); + DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey); + EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); + + int EVP_PKEY_assign_RSA(EVP_PKEY *pkey,RSA *key); + int EVP_PKEY_assign_DSA(EVP_PKEY *pkey,DSA *key); + int EVP_PKEY_assign_DH(EVP_PKEY *pkey,DH *key); + int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey,EC_KEY *key); + + int EVP_PKEY_type(int type); + +=head1 DESCRIPTION + +EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and +EVP_PKEY_set1_EC_KEY() set the key referenced by B to B. + +EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and +EVP_PKEY_get1_EC_KEY() return the referenced key in B or +B if the key is not of the correct type. + +EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH() +and EVP_PKEY_assign_EC_KEY() also set the referenced key to B +however these use the supplied B internally and so B +will be freed when the parent B is freed. + +EVP_PKEY_type() returns the type of key corresponding to the value +B. The type of a key can be obtained with +EVP_PKEY_type(pkey->type). The return value will be EVP_PKEY_RSA, +EVP_PKEY_DSA, EVP_PKEY_DH or EVP_PKEY_EC for the corresponding +key types or NID_undef if the key type is unassigned. + +=head1 NOTES + +In accordance with the OpenSSL naming convention the key obtained +from or assigned to the B using the B<1> functions must be +freed as well as B. + +EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH() +EVP_PKEY_assign_EC_KEY() are implemented as macros. + +=head1 RETURN VALUES + +EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and +EVP_PKEY_set1_EC_KEY() return 1 for success or 0 for failure. + +EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and +EVP_PKEY_get1_EC_KEY() return the referenced key or B if +an error occurred. + +EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH() +and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod new file mode 100644 index 000000000..95c4609d3 --- /dev/null +++ b/doc/crypto/PKCS7_sign.pod @@ -0,0 +1,63 @@ +=pod + +=head1 NAME + +PKCS7_sign - create a PKCS#7 signedData structure + +=head1 SYNOPSIS + +PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); + +=head1 DESCRIPTION + +PKCS7_sign() creates and returns a PKCS#7 signedData structure. B +is the certificate to sign with, B is the corresponsding private key. +B is an optional additional set of certificates to include in the +PKCS#7 structure (for example any intermediate CAs in the chain). + +The data to be signed is read from BIO B. + +B is an optional set of flags. + +=head1 NOTES + +Any of the following flags (ored together) can be passed in the B parameter. + +Many S/MIME clients expect the signed content to include valid MIME headers. If +the B flag is set MIME headers for type B are prepended +to the data. + +If B is set the signer's certificate will not be included in the +PKCS7 structure, the signer's certificate must still be supplied in the B +parameter though. This can reduce the size of the signature if the signers certificate +can be obtained by other means: for example a previously signed message. + +The data being signed is included in the PKCS7 structure, unless B +is set in which case it is omitted. This is used for PKCS7 detached signatures +which are used in S/MIME plaintext signed messages for example. + +Normally the supplied content is translated into MIME canonical format (as required +by the S/MIME specifications) if B is set no translation occurs. This +option should be used if the supplied data is in binary format otherwise the translation +will corrupt it. + +The signedData structure includes several PKCS#7 autenticatedAttributes including +the signing time, the PKCS#7 content type and the supported list of ciphers in +an SMIMECapabilities attribute. If B is set then no authenticatedAttributes +will be used. If B is set then just the SMIMECapabilities are +omitted. + +=head1 RETURN VALUES + +PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error occurred. +The error can be obtained from ERR_get_error(3). + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +TBA + +=cut From 7e9db7cefcf6ea09aeda4a0395a291412a6966da Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 8 Oct 2002 00:40:58 +0000 Subject: [PATCH 42/49] PKCS7_verify() docs. --- doc/crypto/PKCS7_verify.pod | 113 ++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 doc/crypto/PKCS7_verify.pod diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod new file mode 100644 index 000000000..f5200a23e --- /dev/null +++ b/doc/crypto/PKCS7_verify.pod @@ -0,0 +1,113 @@ +=pod + +=head1 NAME + +PKCS7_verify - verify a PKCS#7 signedData structure + +=head1 SYNOPSIS + +int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); + +int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); + +=head1 DESCRIPTION + +PKCS7_verify() verifies a PKCS#7 signedData structure. B is the PKCS7 +structure to verify. B is a set of certificates in which to search for +the signer's certificate. B is a trusted certficate store (used for +chain verification). B is the signed data if the content is not +present in B (that is it is detached). The content is written to B +if it is not NULL. + +B is an optional set of flags, which can be used to modify the verify +operation. + +PKCS7_get0_signers() retrieves the signer's certificates from B, it does +B check their validity or whether any signatures are valid. The B +and B parameters have the same meanings as in PKCS7_verify(). + +=head1 VERIFY PROCESS + +Normally the verify process proceeds as follows. + +Initially some sanity checks are performed on B. The type of B must +be signedData. There must be at least one signature on the data and if +the content is detached B cannot be B. + +An attempt is made to locate all the signer's certificates, first looking in +the B parameter (if it is not B) and then looking in any certificates +contained in the B structure itself. If any signer's certificates cannot be +located the operation fails. + +Each signer's certificate is chain verified using the B purpose and +the supplied trusted certificate store. Any internal certificates in the message +are used as untrusted CAs. If any chain verify fails an error code is returned. + +Finally the signed content is read (and written to B is it is not NULL) and +the signature's checked. + +If all signature's verify correctly then the function is successful. + +Any of the following flags (ored together) can be passed in the B parameter +to change the default verify behaviour. Only the flag B is +meaningful to PKCS7_get0_signers(). + +If B is set the certificates in the message itself are not +searched when locating the signer's certificate. This means that all the signers +certificates must be in the B parameter. + +If the B flag is set MIME headers for type B are deleted +from the content. If the content is not of type B then an error is +returned. + +If B is set the signer's certificates are not chain verified. + +If B is set then the certificates contained in the message are +not used as untrusted CAs. This means that the whole verify chain (apart from +the signer's certificate) must be contained in the trusted store. + +If B is set then the signatures on the data are not checked. + +=head1 NOTES + +One application of B is to only accept messages signed by +a small number of certificates. The acceptable certificates would be passed +in the B parameter. In this case if the signer is not one of the +certificates supplied in B then the verify will fail because the +signer cannot be found. + +Care should be taken when modifying the default verify behaviour, for example +setting B will totally disable all verification +and any signed message will be considered valid. This combination is however +useful if one merely wishes to write the content to B and its validity +is not considered important. + +Chain verification should arguably be performed using the signing time rather +than the current time. However since the signing time is supplied by the +signer it cannot be trusted without additional evidence (such as a trusted +timestamp). + +=head1 RETURN VALUES + +PKCS7_verify() returns 1 for a successful verification and zero or a negative +value if an error occurs. + +PKCS7_get0_signers() returns all signers or B if an error occurred. + +The error can be obtained from L + +=head1 BUGS + +The trusted certificate store is not searched for the signers certificate, +this is primarily due to the inadequacies of the current B +functionality. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +TBA + +=cut From d7b2342a6a3a841b0fe1992c9522b12468f893af Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 9 Oct 2002 06:35:47 +0000 Subject: [PATCH 43/49] Add missing LF --- apps/ca.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/ca.c b/apps/ca.c index 39956e89a..d60001b01 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1691,7 +1691,7 @@ static BIGNUM *load_serial(char *serialfile) ret=ASN1_INTEGER_to_BN(ai,NULL); if (ret == NULL) { - BIO_printf(bio_err,"error converting number from bin to BIGNUM"); + BIO_printf(bio_err,"error converting number from bin to BIGNUM\n"); goto err; } err: From 4e1b50e219c175d3a6a70cc6bf3bf65fb91af269 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 9 Oct 2002 12:06:12 +0000 Subject: [PATCH 44/49] More man pages. --- doc/crypto/ASN1_OBJECT_new.pod | 43 +++++++++ doc/crypto/OBJ_nid2obj.pod | 149 +++++++++++++++++++++++++++++++ doc/crypto/PKCS7_decrypt.pod | 53 +++++++++++ doc/crypto/PKCS7_encrypt.pod | 60 +++++++++++++ doc/crypto/PKCS7_sign.pod | 24 ++++- doc/crypto/PKCS7_verify.pod | 5 +- doc/crypto/SMIME_read_PKCS7.pod | 71 +++++++++++++++ doc/crypto/SMIME_write_PKCS7.pod | 59 ++++++++++++ doc/crypto/d2i_ASN1_OBJECT.pod | 29 ++++++ doc/crypto/d2i_X509_ALGOR.pod | 2 +- doc/crypto/d2i_X509_CRL.pod | 2 +- doc/crypto/d2i_X509_REQ.pod | 2 +- doc/crypto/d2i_X509_SIG.pod | 2 +- 13 files changed, 495 insertions(+), 6 deletions(-) create mode 100644 doc/crypto/ASN1_OBJECT_new.pod create mode 100644 doc/crypto/OBJ_nid2obj.pod create mode 100644 doc/crypto/PKCS7_decrypt.pod create mode 100644 doc/crypto/PKCS7_encrypt.pod create mode 100644 doc/crypto/SMIME_read_PKCS7.pod create mode 100644 doc/crypto/SMIME_write_PKCS7.pod create mode 100644 doc/crypto/d2i_ASN1_OBJECT.pod diff --git a/doc/crypto/ASN1_OBJECT_new.pod b/doc/crypto/ASN1_OBJECT_new.pod new file mode 100644 index 000000000..51679bfcd --- /dev/null +++ b/doc/crypto/ASN1_OBJECT_new.pod @@ -0,0 +1,43 @@ +=pod + +=head1 NAME + +ASN1_OBJECT_new, ASN1_OBJECT_free, - object allocation functions + +=head1 SYNOPSIS + + ASN1_OBJECT *ASN1_OBJECT_new(void); + void ASN1_OBJECT_free(ASN1_OBJECT *a); + +=head1 DESCRIPTION + +The ASN1_OBJECT allocation routines, allocate and free an +ASN1_OBJECT structure, which represents an ASN1 OBJECT IDENTIFIER. + +ASN1_OBJECT_new() allocates and initializes a ASN1_OBJECT structure. + +ASN1_OBJECT_free() frees up the B structure B. + +=head1 NOTES + +Although ASN1_OBJECT_new() allocates a new ASN1_OBJECT structure it +is almost never used in applications. The ASN1 object utility functions +such as OBJ_nid2obj() are used instead. + +=head1 RETURN VALUES + +If the allocation fails, ASN1_OBJECT_new() returns B and sets an error +code that can be obtained by L. +Otherwise it returns a pointer to the newly allocated structure. + +ASN1_OBJECT_free() returns no value. + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +ASN1_OBJECT_new() and ASN1_OBJECT_free() are available in all versions of SSLeay and OpenSSL. + +=cut diff --git a/doc/crypto/OBJ_nid2obj.pod b/doc/crypto/OBJ_nid2obj.pod new file mode 100644 index 000000000..50650bdbc --- /dev/null +++ b/doc/crypto/OBJ_nid2obj.pod @@ -0,0 +1,149 @@ +=pod + +=head1 NAME + +OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, +OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup - ASN1 object utility +functions + +=head1 SYNOPSIS + + ASN1_OBJECT * OBJ_nid2obj(int n); + const char * OBJ_nid2ln(int n); + const char * OBJ_nid2sn(int n); + + int OBJ_obj2nid(const ASN1_OBJECT *o); + int OBJ_ln2nid(const char *ln); + int OBJ_sn2nid(const char *sn); + + int OBJ_txt2nid(const char *s); + + ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name); + int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name); + + int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b); + ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o); + + int OBJ_create(const char *oid,const char *sn,const char *ln); + void OBJ_cleanup(void); + +=head1 DESCRIPTION + +The ASN1 object utility functions process ASN1_OBJECT structures which are +a representation of the ASN1 OBJECT IDENTIFIER (OID) type. + +OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B to +an ASN1_OBJECT structure, its long name and its short name respectively, +or B is an error occurred. + +OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID +for the object B, the long name or the short name respectively +or NID_undef if an error occurred. + +OBJ_txt2nid() returns NID corresponding to text string . B can be +a long name, a short name or the numerical respresentation of an object. + +OBJ_txt2obj() converts the text string B into an ASN1_OBJECT structure. +If B is 0 then long names and short names will be interpreted +as well as numerical forms. If B is 1 only the numerical form +is acceptable. + +OBJ_obj2txt() converts the B B into a textual representation. +The representation is written as a null terminated string to B +at most B bytes are written, truncating the result if necessary. +The total amount of space required is returned. If B is 0 then +if the object has a long or short name then that will be used, otherwise +the numerical form will be used. If B is 1 then the numerical +form will always be used. + +OBJ_cmp() compares B to B. If the two are identical 0 is returned. + +OBJ_dup() returns a copy of B. + +OBJ_create() adds a new object to the internal table. B is the +numerical form of the object, B the short name and B the +long name. A new NID is returned for the created object. + +OBJ_cleanup() cleans up OpenSSLs internal object table: this should +be called before an application exits if any new objects were added +using OBJ_create(). + +=head1 NOTES + +Objects in OpenSSL can have a short name, a long name and a numerical +identifier (NID) associated with them. A standard set of objects is +represented in an internal table. The appropriate values are defined +in the header file B. + +For example the OID for commonName has the following definitions: + + #define SN_commonName "CN" + #define LN_commonName "commonName" + #define NID_commonName 13 + +New objects can be added by calling OBJ_create(). + +Table objects have certain advantages over other objects: for example +their NIDs can be used in a C language switch statement. They are +also static constant structures which are shared: that is there +is only a single constant structure for each table object. + +Objects which are not in the table have the NID value NID_undef. + +Objects do not need to be in the internal tables to be processed, +the functions OBJ_txt2obj() and OBJ_obj2txt() can process the numerical +form of an OID. + +=head1 EXAMPLES + +Create an object for B: + + ASN1_OBJECT *o; + o = OBJ_nid2obj(NID_commonName); + +Check is an object is B + + if (OBJ_obj2nid(obj) == NID_commonName) + /* Do something */ + +Create a new NID and initialize an object from it: + + int new_nid; + ASN1_OBJECT *obj; + new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier"); + + obj = OBJ_nid2obj(new_nid); + +Create a new object directly: + + obj = OBJ_txt2obj("1.2.3.4", 1); + +=head1 BUGS + +OBJ_obj2txt() is awkward and messy to use: it doesn't follow the +convention of other OpenSSL functions where the buffer can be set +to B to determine the amount of data that should be written. +Instead B must point to a valid buffer and B should +be set to a positive value. A buffer length of 80 should be more +than enough to handle any OID encountered in practice. + +=head1 RETURN VALUES + +OBJ_nid2obj() returns an ASN1_OBJECT structure or B is an +error occurred. + +OBJ_nid2ln() and OBJ_nid2sn() returns a valid string or B +on error. + +OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() and OBJ_txt2nid() return +a NID or NID_undef on error. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/PKCS7_decrypt.pod b/doc/crypto/PKCS7_decrypt.pod new file mode 100644 index 000000000..b0ca067b8 --- /dev/null +++ b/doc/crypto/PKCS7_decrypt.pod @@ -0,0 +1,53 @@ +=pod + +=head1 NAME + +PKCS7_decrypt - decrypt content from a PKCS#7 envelopedData structure + +=head1 SYNOPSIS + +int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags); + +=head1 DESCRIPTION + +PKCS7_decrypt() extracts and decrypts the content from a PKCS#7 envelopedData +structure. B is the private key of the recipient, B is the +recipients certificate, B is a BIO to write the content to and +B is an optional set of flags. + +=head1 NOTES + +OpenSSL_add_all_algorithms() (or equivalent) should be called before using this +function or errors about unknown algorithms will occur. + +Although the recipients certificate is not needed to decrypt the data it is needed +to locate the appropriate (of possible several) recipients in the PKCS#7 structure. + +The following flags can be passed in the B parameter. + +If the B flag is set MIME headers for type B are deleted +from the content. If the content is not of type B then an error is +returned. + +=head1 RETURN VALUES + +PKCS7_decrypt() returns either 1 for success or 0 for failure. +The error can be obtained from ERR_get_error(3) + +=head1 BUGS + +PKCS7_decrypt() must be passed the correct recipient key and certificate. It would +be better if it could look up the correct key and certificate from a database. + +The lack of single pass processing and need to hold all data in memory as +mentioned in PKCS7_sign() also applies to PKCS7_verify(). + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +PKCS7_decrypt() was added to OpenSSL 0.9.5 + +=cut diff --git a/doc/crypto/PKCS7_encrypt.pod b/doc/crypto/PKCS7_encrypt.pod new file mode 100644 index 000000000..c2597a2b1 --- /dev/null +++ b/doc/crypto/PKCS7_encrypt.pod @@ -0,0 +1,60 @@ +=pod + +=head1 NAME + +PKCS7_encrypt - create a PKCS#7 envelopedData structure + +=head1 SYNOPSIS + +PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); + +=head1 DESCRIPTION + +PKCS7_encrypt() creates and returns a PKCS#7 envelopedData structure. B +is a list of recipient certificates. B is the content to be encrypted. +B is the symmetric cipher to use. B is an optional set of flags. + +=head1 NOTES + +Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates +supplied to this function must all contain RSA public keys, though they do not have to +be signed using the RSA algorithm. + +EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because +most clients will support it. + +Some old "export grade" clients may only support weak encryption using 40 or 64 bit +RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively. + +The algorithm passed in the B parameter must support ASN1 encoding of its +parameters. + +The following flags can be passed in the B parameter. + +If the B flag is set MIME headers for type B are prepended +to the data. + +Normally the supplied content is translated into MIME canonical format (as required +by the S/MIME specifications) if B is set no translation occurs. This +option should be used if the supplied data is in binary format otherwise the translation +will corrupt it. If B is set then B is ignored. + +=head1 RETURN VALUES + +PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred. +The error can be obtained from ERR_get_error(3). + +=head1 BUGS + +The lack of single pass processing and need to hold all data in memory as +mentioned in PKCS7_sign() also applies to PKCS7_verify(). + +=head1 SEE ALSO + +L, L + +=head1 HISTORY + +PKCS7_decrypt() was added to OpenSSL 0.9.5 + +=cut diff --git a/doc/crypto/PKCS7_sign.pod b/doc/crypto/PKCS7_sign.pod index 95c4609d3..fc7e649b3 100644 --- a/doc/crypto/PKCS7_sign.pod +++ b/doc/crypto/PKCS7_sign.pod @@ -47,6 +47,28 @@ an SMIMECapabilities attribute. If B is set then no authenticatedA will be used. If B is set then just the SMIMECapabilities are omitted. +If present the SMIMECapabilities attribute indicates support for the following +algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any +of these algorithms is disabled then it will not be included. + +=head1 BUGS + +PKCS7_sign() is somewhat limited. It does not support multiple signers, some +advanced attributes such as counter signatures are not supported. + +The SHA1 digest algorithm is currently always used. + +When the signed data is not detached it will be stored in memory within the +B structure. This effectively limits the size of messages which can be +signed due to memory restraints. There should be a way to sign data without +having to hold it all in memory, this would however require fairly major +revisions of the OpenSSL ASN1 code. + +Clear text signing does not store the content in memory but the way PKCS7_sign() +operates means that two passes of the data must typically be made: one to compute +the signatures and a second to output the data along with the signature. There +should be a way to process the data with only a single pass. + =head1 RETURN VALUES PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error occurred. @@ -58,6 +80,6 @@ L, L =head1 HISTORY -TBA +PKCS7_sign() was added to OpenSSL 0.9.5 =cut diff --git a/doc/crypto/PKCS7_verify.pod b/doc/crypto/PKCS7_verify.pod index f5200a23e..07c9fdad4 100644 --- a/doc/crypto/PKCS7_verify.pod +++ b/doc/crypto/PKCS7_verify.pod @@ -102,12 +102,15 @@ The trusted certificate store is not searched for the signers certificate, this is primarily due to the inadequacies of the current B functionality. +The lack of single pass processing and need to hold all data in memory as +mentioned in PKCS7_sign() also applies to PKCS7_verify(). + =head1 SEE ALSO L, L =head1 HISTORY -TBA +PKCS7_verify() was added to OpenSSL 0.9.5 =cut diff --git a/doc/crypto/SMIME_read_PKCS7.pod b/doc/crypto/SMIME_read_PKCS7.pod new file mode 100644 index 000000000..ffafa3788 --- /dev/null +++ b/doc/crypto/SMIME_read_PKCS7.pod @@ -0,0 +1,71 @@ +=pod + +=head1 NAME + +SMIME_read_PKCS7 - parse S/MIME message. + +=head1 SYNOPSIS + +PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont); + +=head1 DESCRIPTION + +SMIME_read_PKCS7() parses a message in S/MIME format. + +B is a BIO to read the message from. + +If cleartext signing is used then the content is saved in +a memory bio which is written to B<*bcont>, otherwise +B<*bcont> is set to B. + +The parsed PKCS#7 structure is returned or B if an +error occurred. + +=head1 NOTES + +If B<*bcont> is not B then the message is clear text +signed. B<*bcont> can then be passed to PKCS7_verify() with +the B flag set. + +Otherwise the type of the returned structure can be determined +using PKCS7_type(). + +To support future functionality if B is not B +B<*bcont> should be initialized to B. For example: + + BIO *cont = NULL; + PKCS7 *p7; + + p7 = SMIME_read_PKCS7(in, &cont); + +=head1 BUGS + +The MIME parser used by SMIME_read_PKCS7() is somewhat primitive. +While it will handle most S/MIME messages more complex compound +formats may not work. + +The parser assumes that the PKCS7 structure is always base64 +encoded and will not handle the case where it is in binary format +or uses quoted printable format. + +The use of a memory BIO to hold the signed content limits the size +of message which can be processed due to memory restraints: a +streaming single pass option should be available. + +=head1 RETURN VALUES + +SMIME_read_PKCS7() returns a valid B structure or B +is an error occurred. The error can be obtained from ERR_get_error(3). + +=head1 SEE ALSO + +L, L +L, L, +L, L +L + +=head1 HISTORY + +SMIME_read_PKCS7() was added to OpenSSL 0.9.5 + +=cut diff --git a/doc/crypto/SMIME_write_PKCS7.pod b/doc/crypto/SMIME_write_PKCS7.pod new file mode 100644 index 000000000..8093241ea --- /dev/null +++ b/doc/crypto/SMIME_write_PKCS7.pod @@ -0,0 +1,59 @@ +=pod + +=head1 NAME + +SMIME_write_PKCS7 - convert PKCS#7 structure to S/MIME format. + +=head1 SYNOPSIS + +int SMIME_write_PKCS7(BIO *out, PKCS7 *p7, BIO *data, int flags); + +=head1 DESCRIPTION + +SMIME_write_PKCS7() adds the appropriate MIME headers to a PKCS#7 +structure to produce an S/MIME message. + +B is the BIO to write the data to. B is the appropriate +B structure. If cleartext signing (B +argument. B is an optional set of flags. + +=head1 NOTES + +The following flags can be passed in the B parameter. + +If B is set then cleartext signing will be used, +this option only makes sense for signedData where B +is also set when PKCS7_sign() is also called. + +If the B flag is set MIME headers for type B +are added to the content, this only makes sense if B +is also set. + +If cleartext signing is being used then the data must be read twice: +once to compute the signature in PKCS7_sign() and once to output the +S/MIME message. + +=head1 BUGS + +SMIME_write_PKCS7() always base64 encodes PKCS#7 structures, there +should be an option to disable this. + +There should really be a way to produce cleartext signing using only +a single pass of the data. + +=head1 RETURN VALUES + +SMIME_write_PKCS7() returns 1 for success or 0 for failure. + +=head1 SEE ALSO + +L, L, +L, L +L + +=head1 HISTORY + +SMIME_write_PKCS7() was added to OpenSSL 0.9.5 + +=cut diff --git a/doc/crypto/d2i_ASN1_OBJECT.pod b/doc/crypto/d2i_ASN1_OBJECT.pod new file mode 100644 index 000000000..45bb18492 --- /dev/null +++ b/doc/crypto/d2i_ASN1_OBJECT.pod @@ -0,0 +1,29 @@ +=pod + +=head1 NAME + +d2i_ASN1_OBJECT, i2d_ASN1_OBJECT - ASN1 OBJECT IDENTIFIER functions + +=head1 SYNOPSIS + + #include + + ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, long length); + int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp); + +=head1 DESCRIPTION + +These functions decode and encode an ASN1 OBJECT IDENTIFIER. + +Othewise these behave in a similar way to d2i_X509() and i2d_X509() +described in the L manual page. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +TBA + +=cut diff --git a/doc/crypto/d2i_X509_ALGOR.pod b/doc/crypto/d2i_X509_ALGOR.pod index bf5545769..9e5cd92ca 100644 --- a/doc/crypto/d2i_X509_ALGOR.pod +++ b/doc/crypto/d2i_X509_ALGOR.pod @@ -8,7 +8,7 @@ d2i_X509_ALGOR, i2d_X509_ALGOR - AlgorithmIdentifier functions. #include - DH *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length); + X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length); int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp); =head1 DESCRIPTION diff --git a/doc/crypto/d2i_X509_CRL.pod b/doc/crypto/d2i_X509_CRL.pod index 613bfd491..06c5b23c0 100644 --- a/doc/crypto/d2i_X509_CRL.pod +++ b/doc/crypto/d2i_X509_CRL.pod @@ -9,7 +9,7 @@ i2d_X509_CRL_bio, i2d_X509_CRL_fp - PKCS#10 certificate request functions. #include - DH *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length); + X509_CRL *d2i_X509_CRL(X509_CRL **a, unsigned char **pp, long length); int i2d_X509_CRL(X509_CRL *a, unsigned char **pp); X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x); diff --git a/doc/crypto/d2i_X509_REQ.pod b/doc/crypto/d2i_X509_REQ.pod index 9e2757f39..be4ad6825 100644 --- a/doc/crypto/d2i_X509_REQ.pod +++ b/doc/crypto/d2i_X509_REQ.pod @@ -9,7 +9,7 @@ i2d_X509_REQ_bio, i2d_X509_REQ_fp - PKCS#10 certificate request functions. #include - DH *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length); + X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length); int i2d_X509_REQ(X509_REQ *a, unsigned char **pp); X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x); diff --git a/doc/crypto/d2i_X509_SIG.pod b/doc/crypto/d2i_X509_SIG.pod index 39b2353bc..e48fd79a5 100644 --- a/doc/crypto/d2i_X509_SIG.pod +++ b/doc/crypto/d2i_X509_SIG.pod @@ -8,7 +8,7 @@ d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions. #include - DH *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); + X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); int i2d_X509_SIG(X509_SIG *a, unsigned char **pp); =head1 DESCRIPTION From 5fbb02fcb1ef8fc708ea12b41f70d1b6ce5732d8 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 9 Oct 2002 12:06:58 +0000 Subject: [PATCH 45/49] PKCS12_create manual page --- doc/crypto/PKCS12_create.pod | 71 ++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 doc/crypto/PKCS12_create.pod diff --git a/doc/crypto/PKCS12_create.pod b/doc/crypto/PKCS12_create.pod new file mode 100644 index 000000000..495a2b8c4 --- /dev/null +++ b/doc/crypto/PKCS12_create.pod @@ -0,0 +1,71 @@ +=pod + +=head1 NAME + +PKCS12_create - create a PKCS#12 structure + +=head1 SYNOPSIS + + #include + + PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, + int nid_key, int nid_cert, int iter, int mac_iter, int keytype); + +=head1 DESCRIPTION + +PKCS12_create() creates a PKCS#12 structure. + +B is the passphrase to use. B is the B to use for +the supplied certifictate and key. B is the private key to include in +the structure and B its corresponding certificates. B, if not B +is an optional set of certificates to also include in the structure. + +B and B are the encryption algorithms that should be used +for the key and certificate respectively. B is the encryption algorithm +iteration count to use and B is the MAC iteration count to use. +B is the type of key. + +=head1 NOTES + +The parameters B, B, B, B and B +can all be set to zero and sensible defaults will be used. + +These defaults are: 40 bit RC2 encryption for certificates, triple DES +encryption for private keys, a key iteration count of PKCS12_DEFAULT_ITER +(currently 2048) and a MAC iteration count of 1. + +The default MAC iteration count is 1 in order to retain compatibility with +old software which did not interpret MAC iteration counts. If such compatibility +is not required then B should be set to PKCS12_DEFAULT_ITER. + +B adds a flag to the store private key. This is a non standard extension +that is only currently interpreted by MSIE. If set to zero the flag is omitted, +if set to B the key can be used for signing only, if set to B +it can be used for signing and encryption. This option was useful for old +export grade software which could use signing only keys of arbitrary size but +had restrictions on the permissible sizes of keys which could be used for +encryption. + +=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8 + +Some additional functionality was added to PKCS12_create() in OpenSSL +0.9.8. These extensions are detailed below. + +Either B, B or both can be B to indicate that no key or +certficate is required. In previous versions both hasves to be present or +a fatal error is returned. + +B or B can be set to -1 indicating that no encryption +should be used. + +B can be set to -1 and the MAC will then be omitted entirely. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +PKCS12_create was added in OpenSSL 0.9.3 + +=cut From ec8ad2bb9603379651bf9196ac28593cc2360c77 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 9 Oct 2002 13:10:23 +0000 Subject: [PATCH 46/49] PKCS12_parse manual page. --- doc/crypto/PKCS12_parse.pod | 50 ++++++++++++++++++++++++++++++++++++ doc/crypto/PKCS7_encrypt.pod | 5 ++++ 2 files changed, 55 insertions(+) create mode 100644 doc/crypto/PKCS12_parse.pod diff --git a/doc/crypto/PKCS12_parse.pod b/doc/crypto/PKCS12_parse.pod new file mode 100644 index 000000000..51344f883 --- /dev/null +++ b/doc/crypto/PKCS12_parse.pod @@ -0,0 +1,50 @@ +=pod + +=head1 NAME + +PKCS12_parse - parse a PKCS#12 structure + +=head1 SYNOPSIS + + #include + +int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); + +=head1 DESCRIPTION + +PKCS12_parse() parses a PKCS12 structure. + +B is the B structure to parse. B is the passphrase to use. +If successful the private key will be written to B<*pkey>, the corresponding +certificate to B<*cert> and any additional certificates to B<*ca>. + +=head1 NOTES + +The parameters B and B cannot be B. B can be +in which case additional certificates will be discarded. B<*ca> can also +be a valid STACK in which case additional certificates are appended to +B<*ca>. If B<*ca> is B a new STACK will be allocated. + +The B and B attributes (if present) on each certificate +will be stored in the B and B attributes of the B structure. + +=head1 BUGS + +Only a single private key and corresponding certificate is returned by this function. +More complex PKCS#12 files with multiple private keys will only return the first +match. + +Only B and B attributes are currently stored in certificates. +Other attributes are discarded. + +Attributes currently cannot be store in the private key B structure. + +=head1 SEE ALSO + +L + +=head1 HISTORY + +PKCS12_parse was added in OpenSSL 0.9.3 + +=cut diff --git a/doc/crypto/PKCS7_encrypt.pod b/doc/crypto/PKCS7_encrypt.pod index c2597a2b1..1a507b22a 100644 --- a/doc/crypto/PKCS7_encrypt.pod +++ b/doc/crypto/PKCS7_encrypt.pod @@ -29,6 +29,11 @@ RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respecti The algorithm passed in the B parameter must support ASN1 encoding of its parameters. +Many browsers implement a "sign and encrypt" option which is simply an S/MIME +envelopedData containing an S/MIME signed message. This can be readily produced +by storing the S/MIME signed message in a memory BIO and passing it to +PKCS7_encrypt(). + The following flags can be passed in the B parameter. If the B flag is set MIME headers for type B are prepended From 001ab3abad45752c13af5396a47551f46a6ebfdb Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 9 Oct 2002 13:25:12 +0000 Subject: [PATCH 47/49] Use double dashes so makedepend doesn't misunderstand the flags we give it. For 0.9.7 and up, that means util/domd needs to remove those double dashes from the argument list when gcc is used to find the dependencies. --- apps/Makefile.ssl | 2 +- crypto/Makefile.ssl | 2 +- crypto/aes/Makefile.ssl | 2 +- crypto/asn1/Makefile.ssl | 2 +- crypto/bf/Makefile.ssl | 2 +- crypto/bio/Makefile.ssl | 2 +- crypto/bn/Makefile.ssl | 2 +- crypto/buffer/Makefile.ssl | 2 +- crypto/cast/Makefile.ssl | 2 +- crypto/comp/Makefile.ssl | 2 +- crypto/conf/Makefile.ssl | 2 +- crypto/des/Makefile.ssl | 2 +- crypto/dh/Makefile.ssl | 2 +- crypto/dsa/Makefile.ssl | 2 +- crypto/dso/Makefile.ssl | 2 +- crypto/ec/Makefile.ssl | 2 +- crypto/ecdh/Makefile.ssl | 2 +- crypto/ecdsa/Makefile.ssl | 2 +- crypto/engine/Makefile.ssl | 2 +- crypto/err/Makefile.ssl | 2 +- crypto/evp/Makefile.ssl | 2 +- crypto/hmac/Makefile.ssl | 2 +- crypto/idea/Makefile.ssl | 2 +- crypto/krb5/Makefile.ssl | 2 +- crypto/lhash/Makefile.ssl | 2 +- crypto/md2/Makefile.ssl | 2 +- crypto/md4/Makefile.ssl | 2 +- crypto/md5/Makefile.ssl | 2 +- crypto/mdc2/Makefile.ssl | 2 +- crypto/objects/Makefile.ssl | 2 +- crypto/ocsp/Makefile.ssl | 2 +- crypto/pem/Makefile.ssl | 2 +- crypto/pkcs12/Makefile.ssl | 2 +- crypto/pkcs7/Makefile.ssl | 2 +- crypto/rand/Makefile.ssl | 2 +- crypto/rc2/Makefile.ssl | 2 +- crypto/rc4/Makefile.ssl | 2 +- crypto/rc5/Makefile.ssl | 2 +- crypto/rijndael/Makefile.ssl | 2 +- crypto/ripemd/Makefile.ssl | 2 +- crypto/rsa/Makefile.ssl | 2 +- crypto/sha/Makefile.ssl | 2 +- crypto/stack/Makefile.ssl | 2 +- crypto/txt_db/Makefile.ssl | 2 +- crypto/ui/Makefile.ssl | 2 +- crypto/x509/Makefile.ssl | 2 +- crypto/x509v3/Makefile.ssl | 2 +- ssl/Makefile.ssl | 2 +- test/Makefile.ssl | 2 +- util/domd | 7 ++++++- 50 files changed, 55 insertions(+), 50 deletions(-) diff --git a/apps/Makefile.ssl b/apps/Makefile.ssl index c75c5f3b8..62aa6f038 100644 --- a/apps/Makefile.ssl +++ b/apps/Makefile.ssl @@ -123,7 +123,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/Makefile.ssl b/crypto/Makefile.ssl index 42a01e194..574fd7286 100644 --- a/crypto/Makefile.ssl +++ b/crypto/Makefile.ssl @@ -136,7 +136,7 @@ lint: depend: if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist - $(MAKEDEPEND) $(CFLAG) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) if [ ! -s buildinf.h ]; then rm buildinf.h; fi @for i in $(SDIRS) ;\ do \ diff --git a/crypto/aes/Makefile.ssl b/crypto/aes/Makefile.ssl index 49dbeedf3..364d05bbf 100644 --- a/crypto/aes/Makefile.ssl +++ b/crypto/aes/Makefile.ssl @@ -75,7 +75,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/asn1/Makefile.ssl b/crypto/asn1/Makefile.ssl index bad609eac..ae74b50d4 100644 --- a/crypto/asn1/Makefile.ssl +++ b/crypto/asn1/Makefile.ssl @@ -98,7 +98,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/bf/Makefile.ssl b/crypto/bf/Makefile.ssl index 983319264..bd3cedc4f 100644 --- a/crypto/bf/Makefile.ssl +++ b/crypto/bf/Makefile.ssl @@ -96,7 +96,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/bio/Makefile.ssl b/crypto/bio/Makefile.ssl index d8beb6572..141a03ae1 100644 --- a/crypto/bio/Makefile.ssl +++ b/crypto/bio/Makefile.ssl @@ -78,7 +78,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl index 4e27e87ea..e54f06657 100644 --- a/crypto/bn/Makefile.ssl +++ b/crypto/bn/Makefile.ssl @@ -169,7 +169,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/buffer/Makefile.ssl b/crypto/buffer/Makefile.ssl index fd16e5124..e8b6c9693 100644 --- a/crypto/buffer/Makefile.ssl +++ b/crypto/buffer/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/cast/Makefile.ssl b/crypto/cast/Makefile.ssl index b04c1c0e9..c18d86845 100644 --- a/crypto/cast/Makefile.ssl +++ b/crypto/cast/Makefile.ssl @@ -97,7 +97,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/comp/Makefile.ssl b/crypto/comp/Makefile.ssl index fd192d35f..f60c7a1af 100644 --- a/crypto/comp/Makefile.ssl +++ b/crypto/comp/Makefile.ssl @@ -71,7 +71,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/conf/Makefile.ssl b/crypto/conf/Makefile.ssl index f1c02fd04..f1d2dd562 100644 --- a/crypto/conf/Makefile.ssl +++ b/crypto/conf/Makefile.ssl @@ -71,7 +71,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/des/Makefile.ssl b/crypto/des/Makefile.ssl index 14baf7d0c..ebf0806b6 100644 --- a/crypto/des/Makefile.ssl +++ b/crypto/des/Makefile.ssl @@ -130,7 +130,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/dh/Makefile.ssl b/crypto/dh/Makefile.ssl index c6e7ab63a..e1cb248db 100644 --- a/crypto/dh/Makefile.ssl +++ b/crypto/dh/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/dsa/Makefile.ssl b/crypto/dsa/Makefile.ssl index 74fd75474..306a3f200 100644 --- a/crypto/dsa/Makefile.ssl +++ b/crypto/dsa/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/dso/Makefile.ssl b/crypto/dso/Makefile.ssl index f4248aa60..3d00363bb 100644 --- a/crypto/dso/Makefile.ssl +++ b/crypto/dso/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ec/Makefile.ssl b/crypto/ec/Makefile.ssl index 431a14c8a..f8d0696a3 100644 --- a/crypto/ec/Makefile.ssl +++ b/crypto/ec/Makefile.ssl @@ -73,7 +73,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ecdh/Makefile.ssl b/crypto/ecdh/Makefile.ssl index b5c43a76b..eb2e7605e 100644 --- a/crypto/ecdh/Makefile.ssl +++ b/crypto/ecdh/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ecdsa/Makefile.ssl b/crypto/ecdsa/Makefile.ssl index 35e42803a..3bdc55efb 100644 --- a/crypto/ecdsa/Makefile.ssl +++ b/crypto/ecdsa/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/engine/Makefile.ssl b/crypto/engine/Makefile.ssl index ec8f22517..fc267bb68 100644 --- a/crypto/engine/Makefile.ssl +++ b/crypto/engine/Makefile.ssl @@ -82,7 +82,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/err/Makefile.ssl b/crypto/err/Makefile.ssl index 1d863ad8d..b94fee3b6 100644 --- a/crypto/err/Makefile.ssl +++ b/crypto/err/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 70c8f925b..cc3775b5a 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -89,7 +89,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/hmac/Makefile.ssl b/crypto/hmac/Makefile.ssl index 33e90615d..b91f20429 100644 --- a/crypto/hmac/Makefile.ssl +++ b/crypto/hmac/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/idea/Makefile.ssl b/crypto/idea/Makefile.ssl index c9ef2cb15..ca4b76fc2 100644 --- a/crypto/idea/Makefile.ssl +++ b/crypto/idea/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/krb5/Makefile.ssl b/crypto/krb5/Makefile.ssl index 8daed5921..cc47c0547 100644 --- a/crypto/krb5/Makefile.ssl +++ b/crypto/krb5/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/lhash/Makefile.ssl b/crypto/lhash/Makefile.ssl index 9f65ef9a5..1902e4a89 100644 --- a/crypto/lhash/Makefile.ssl +++ b/crypto/lhash/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/md2/Makefile.ssl b/crypto/md2/Makefile.ssl index 89a707d05..bf9e769ab 100644 --- a/crypto/md2/Makefile.ssl +++ b/crypto/md2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/md4/Makefile.ssl b/crypto/md4/Makefile.ssl index 952399469..c2b4218bd 100644 --- a/crypto/md4/Makefile.ssl +++ b/crypto/md4/Makefile.ssl @@ -69,7 +69,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/md5/Makefile.ssl b/crypto/md5/Makefile.ssl index 0eea0e599..c64c643df 100644 --- a/crypto/md5/Makefile.ssl +++ b/crypto/md5/Makefile.ssl @@ -118,7 +118,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/mdc2/Makefile.ssl b/crypto/mdc2/Makefile.ssl index ea2b31837..387d7f8cd 100644 --- a/crypto/mdc2/Makefile.ssl +++ b/crypto/mdc2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/objects/Makefile.ssl b/crypto/objects/Makefile.ssl index dda444fad..1f5d21349 100644 --- a/crypto/objects/Makefile.ssl +++ b/crypto/objects/Makefile.ssl @@ -76,7 +76,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ocsp/Makefile.ssl b/crypto/ocsp/Makefile.ssl index 58fff4f94..681bf4dfe 100644 --- a/crypto/ocsp/Makefile.ssl +++ b/crypto/ocsp/Makefile.ssl @@ -71,7 +71,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/pem/Makefile.ssl b/crypto/pem/Makefile.ssl index 2c49e8a6a..afeb417a3 100644 --- a/crypto/pem/Makefile.ssl +++ b/crypto/pem/Makefile.ssl @@ -71,7 +71,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/pkcs12/Makefile.ssl b/crypto/pkcs12/Makefile.ssl index 9c81c4ae1..52ca21866 100644 --- a/crypto/pkcs12/Makefile.ssl +++ b/crypto/pkcs12/Makefile.ssl @@ -74,7 +74,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/pkcs7/Makefile.ssl b/crypto/pkcs7/Makefile.ssl index dfc9a47b4..bbeed604b 100644 --- a/crypto/pkcs7/Makefile.ssl +++ b/crypto/pkcs7/Makefile.ssl @@ -89,7 +89,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rand/Makefile.ssl b/crypto/rand/Makefile.ssl index 4035e825e..166895ee9 100644 --- a/crypto/rand/Makefile.ssl +++ b/crypto/rand/Makefile.ssl @@ -70,7 +70,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rc2/Makefile.ssl b/crypto/rc2/Makefile.ssl index 06090646f..aa73dea5b 100644 --- a/crypto/rc2/Makefile.ssl +++ b/crypto/rc2/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rc4/Makefile.ssl b/crypto/rc4/Makefile.ssl index 05db5e11d..a1eb79fd0 100644 --- a/crypto/rc4/Makefile.ssl +++ b/crypto/rc4/Makefile.ssl @@ -97,7 +97,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rc5/Makefile.ssl b/crypto/rc5/Makefile.ssl index 704976b60..bb4704d5f 100644 --- a/crypto/rc5/Makefile.ssl +++ b/crypto/rc5/Makefile.ssl @@ -94,7 +94,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rijndael/Makefile.ssl b/crypto/rijndael/Makefile.ssl index 79ffd7598..5a5fc37d5 100644 --- a/crypto/rijndael/Makefile.ssl +++ b/crypto/rijndael/Makefile.ssl @@ -75,7 +75,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ripemd/Makefile.ssl b/crypto/ripemd/Makefile.ssl index c129ae141..f08ad7ecc 100644 --- a/crypto/ripemd/Makefile.ssl +++ b/crypto/ripemd/Makefile.ssl @@ -92,7 +92,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/rsa/Makefile.ssl b/crypto/rsa/Makefile.ssl index 874776ce3..7e4c6db98 100644 --- a/crypto/rsa/Makefile.ssl +++ b/crypto/rsa/Makefile.ssl @@ -72,7 +72,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/sha/Makefile.ssl b/crypto/sha/Makefile.ssl index 39d11ff17..1db03049e 100644 --- a/crypto/sha/Makefile.ssl +++ b/crypto/sha/Makefile.ssl @@ -92,7 +92,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/stack/Makefile.ssl b/crypto/stack/Makefile.ssl index 6652c3e27..e4acfe6ab 100644 --- a/crypto/stack/Makefile.ssl +++ b/crypto/stack/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/txt_db/Makefile.ssl b/crypto/txt_db/Makefile.ssl index ca5e678f0..313f75313 100644 --- a/crypto/txt_db/Makefile.ssl +++ b/crypto/txt_db/Makefile.ssl @@ -68,7 +68,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/ui/Makefile.ssl b/crypto/ui/Makefile.ssl index 202a32fd4..ea16ea1cd 100644 --- a/crypto/ui/Makefile.ssl +++ b/crypto/ui/Makefile.ssl @@ -72,7 +72,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl index 424ed1dc5..f855364cc 100644 --- a/crypto/x509/Makefile.ssl +++ b/crypto/x509/Makefile.ssl @@ -78,7 +78,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/crypto/x509v3/Makefile.ssl b/crypto/x509v3/Makefile.ssl index b33e3d1eb..2535c62ff 100644 --- a/crypto/x509v3/Makefile.ssl +++ b/crypto/x509v3/Makefile.ssl @@ -74,7 +74,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/ssl/Makefile.ssl b/ssl/Makefile.ssl index 7f8d02643..6d5f9b8f8 100644 --- a/ssl/Makefile.ssl +++ b/ssl/Makefile.ssl @@ -93,7 +93,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/test/Makefile.ssl b/test/Makefile.ssl index c59412fcb..0fe9cbd51 100644 --- a/test/Makefile.ssl +++ b/test/Makefile.ssl @@ -281,7 +281,7 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff depend: - $(MAKEDEPEND) $(CFLAG) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC) + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/util/domd b/util/domd index 8cbe383c1..49310bbdd 100755 --- a/util/domd +++ b/util/domd @@ -15,9 +15,14 @@ cp Makefile.ssl Makefile.save # fake the presence of Kerberos touch $TOP/krb5.h if [ "$MAKEDEPEND" = "gcc" ]; then + args="" + while [ $# -gt 0 ]; do + if [ "$1" != "--" ]; then args="$args $1"; fi + shift + done sed -e '/^# DO NOT DELETE.*/,$d' < Makefile.ssl > Makefile.tmp echo '# DO NOT DELETE THIS LINE -- make depend depends on it.' >> Makefile.tmp - gcc -D OPENSSL_DOING_MAKEDEPEND -M $@ >> Makefile.tmp + gcc -D OPENSSL_DOING_MAKEDEPEND -M $args >> Makefile.tmp ${PERL} $TOP/util/clean-depend.pl < Makefile.tmp > Makefile.new rm -f Makefile.tmp else From 6a89a25c27df0677e78567cd02c77f30e80814af Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 9 Oct 2002 13:40:48 +0000 Subject: [PATCH 48/49] Add a few more VxWorks targets. Correct misspelled VXWORKS macros. Add VXWORKS identifying macros to e_os2.h. Add required inclusions and mappings for VxWorks in e_os.h. A few small modifications to make OpenSSL build and work on VxWorks. PR: 253, except for the change that was handled in an earlier commit, and a request for easy build of just parts of OpenSSL. --- Configure | 2 ++ crypto/bio/bss_bio.c | 2 +- crypto/conf/conf_def.c | 9 +++++---- crypto/des/read_pwd.c | 4 ++-- crypto/rand/rand_egd.c | 2 +- crypto/rand/rand_unix.c | 2 +- crypto/tmdiff.c | 10 +++++----- crypto/ui/ui_openssl.c | 4 ++-- crypto/uid.c | 2 +- e_os.h | 30 ++++++++++++++++++++++++++++++ e_os2.h | 5 +++++ 11 files changed, 55 insertions(+), 17 deletions(-) diff --git a/Configure b/Configure index 83a9d94f5..eda271162 100755 --- a/Configure +++ b/Configure @@ -558,6 +558,8 @@ my %table=( ##### VxWorks for various targets "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::", +"vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::", +"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::", ); diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c index 1c485a447..67b1279b9 100644 --- a/crypto/bio/bss_bio.c +++ b/crypto/bio/bss_bio.c @@ -34,7 +34,7 @@ #include "e_os.h" /* VxWorks defines SSIZE_MAX with an empty value causing compile errors */ -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) # undef SSIZE_MAX #endif #ifndef SSIZE_MAX diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 5e194de60..80ac97526 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -208,7 +208,8 @@ static int def_load(CONF *conf, const char *name, long *line) static int def_load_bio(CONF *conf, BIO *in, long *line) { -#define BUFSIZE 512 +/* The macro BUFSIZE conflicts with a system macro in VxWorks */ +#define CONFBUFSIZE 512 int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; @@ -255,15 +256,15 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) for (;;) { again=0; - if (!BUF_MEM_grow(buff,bufnum+BUFSIZE)) + if (!BUF_MEM_grow(buff,bufnum+CONFBUFSIZE)) { CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB); goto err; } p= &(buff->data[bufnum]); *p='\0'; - BIO_gets(in, p, BUFSIZE-1); - p[BUFSIZE-1]='\0'; + BIO_gets(in, p, CONFBUFSIZE-1); + p[CONFBUFSIZE-1]='\0'; ii=i=strlen(p); if (i == 0) break; while (i > 0) diff --git a/crypto/des/read_pwd.c b/crypto/des/read_pwd.c index 9061935f2..b893a1b03 100644 --- a/crypto/des/read_pwd.c +++ b/crypto/des/read_pwd.c @@ -133,7 +133,7 @@ #define SGTTY #endif -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) #undef TERMIOS #undef TERMIO #undef SGTTY @@ -274,7 +274,7 @@ int des_read_pw(char *buf, char *buff, int size, const char *prompt, #ifdef OPENSSL_SYS_MSDOS if ((tty=fopen("con","r")) == NULL) tty=stdin; -#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VSWORKS) +#elif defined(MAC_OS_pre_X) || defined(OPENSSL_SYS_VXWORKS) tty=stdin; #else #ifndef OPENSSL_SYS_MPE diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c index 668c785f0..d7dad3efd 100644 --- a/crypto/rand/rand_egd.c +++ b/crypto/rand/rand_egd.c @@ -114,7 +114,7 @@ int RAND_egd_bytes(const char *path,int bytes) #include #include #ifndef NO_SYS_UN_H -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS # include # else # include diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index ec09d7460..7de21d37d 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -115,7 +115,7 @@ #include #include "rand_lcl.h" -#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2)) +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS)) #include #include diff --git a/crypto/tmdiff.c b/crypto/tmdiff.c index 7ebf2b202..8d7631412 100644 --- a/crypto/tmdiff.c +++ b/crypto/tmdiff.c @@ -65,7 +65,7 @@ #undef TIMES #endif -#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS) || defined(__DECC) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS) +#if !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) && !(defined(OPENSSL_SYS_VMS) || defined(__DECC)) && !defined(OPENSSL_SYS_MACOSX) && !defined(OPENSSL_SYS_VXWORKS) # define TIMES #endif @@ -121,7 +121,7 @@ typedef struct ms_tm HANDLE thread_id; FILETIME ms_win32; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS unsigned long ticks; # else struct timeb ms_timeb; @@ -163,7 +163,7 @@ void ms_time_get(char *a) # ifdef OPENSSL_SYS_WIN32 GetThreadTimes(tm->thread_id,&tmpa,&tmpb,&tmpc,&(tm->ms_win32)); # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS tm->ticks = tickGet(); # else ftime(&tm->ms_timeb); @@ -197,7 +197,7 @@ double ms_time_diff(char *ap, char *bp) ret=((double)(lb-la))/1e7; } # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS ret = (double)(b->ticks - a->ticks) / (double)sysClkRateGet(); # else ret= (double)(b->ms_timeb.time-a->ms_timeb.time)+ @@ -222,7 +222,7 @@ int ms_time_cmp(char *ap, char *bp) d =(b->ms_win32.dwHighDateTime&0x000fffff)*10+b->ms_win32.dwLowDateTime/1e7; d-=(a->ms_win32.dwHighDateTime&0x000fffff)*10+a->ms_win32.dwLowDateTime/1e7; # else -# ifdef OPENSSL_SYS_VSWORKS +# ifdef OPENSSL_SYS_VXWORKS d = (b->ticks - a->ticks); # else d= (double)(b->ms_timeb.time-a->ms_timeb.time)+ diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index f47ed31cb..f967ba75d 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -191,7 +191,7 @@ # define SGTTY #endif -#if defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_VXWORKS) #undef TERMIOS #undef TERMIO #undef SGTTY @@ -450,7 +450,7 @@ static int open_console(UI *ui) CRYPTO_w_lock(CRYPTO_LOCK_UI); is_a_tty = 1; -#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VSWORKS) +#if defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_VXWORKS) tty_in=stdin; tty_out=stderr; #else diff --git a/crypto/uid.c b/crypto/uid.c index d3d249c36..73205a4ba 100644 --- a/crypto/uid.c +++ b/crypto/uid.c @@ -65,7 +65,7 @@ int OPENSSL_issetugid(void) return issetugid(); } -#elif defined(OPENSSL_SYS_WIN32) +#elif defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS) int OPENSSL_issetugid(void) { diff --git a/e_os.h b/e_os.h index 00edebe6d..6d326e54e 100644 --- a/e_os.h +++ b/e_os.h @@ -485,6 +485,36 @@ extern char *sys_errlist[]; extern int sys_nerr; # define strcasecmp stricmp #endif +/* vxworks */ +#if defined(OPENSSL_SYS_VXWORKS) +#include +#include +#include + +#define TTY_STRUCT int + +#define sleep(a) taskDelay((a) * sysClkRateGet()) +#if defined(ioctlsocket) +#undef ioctlsocket +#endif +#define ioctlsocket(a,b,c) ioctl((a),(b),*(c)) + +#include +#include +#include + +#define getpid taskIdSelf + +/* NOTE: these are implemented by helpers in database app! + * if the database is not linked, we need to implement them + * elswhere */ +struct hostent *gethostbyname(const char *name); +struct hostent *gethostbyaddr(const char *addr, int length, int type); +struct servent *getservbyname(const char *name, const char *proto); + +#endif +/* end vxworks */ + #ifdef __cplusplus } #endif diff --git a/e_os2.h b/e_os2.h index ff68d5b94..8db74f830 100644 --- a/e_os2.h +++ b/e_os2.h @@ -178,6 +178,11 @@ extern "C" { # endif #endif +/* ------------------------------- VxWorks --------------------------------- */ +#ifdef OPENSSL_SYSNAME_VXWORKS +# define OPENSSL_SYS_VXWORKS +#endif + /** * That's it for OS-specific stuff *****************************************************************************/ From 27bad5ad3d1e0cf23595a6352ba3737233f3b8c4 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Wed, 9 Oct 2002 13:57:55 +0000 Subject: [PATCH 49/49] Don't fuss with the demo binaries --- demos/maurice/.cvsignore | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 demos/maurice/.cvsignore diff --git a/demos/maurice/.cvsignore b/demos/maurice/.cvsignore new file mode 100644 index 000000000..a99bec344 --- /dev/null +++ b/demos/maurice/.cvsignore @@ -0,0 +1,4 @@ +example1 +example2 +example3 +example4