Compare commits
67 Commits
OpenSSL_1_
...
OpenSSL_1_
| Author | SHA1 | Date | |
|---|---|---|---|
|
08e4c7a967 | ||
|
|
697e4edcad | ||
|
|
b26297ca51 | ||
|
|
6ca7dba0cf | ||
|
|
f1fa05b407 | ||
|
|
02e22c35fe | ||
|
|
b935714237 | ||
|
|
a8314df902 | ||
|
|
0cd7a0325f | ||
|
|
16b7c81d55 | ||
|
|
424ba8b588 | ||
|
|
bf493e8d62 | ||
|
|
c714e43c8d | ||
|
|
cdf9d6f6ed | ||
|
|
cc4b48c27c | ||
|
|
cac9c92cc0 | ||
|
|
d40abf1689 | ||
|
|
69e9c69e70 | ||
|
|
c489ea7d01 | ||
|
|
26c6857a59 | ||
|
|
508bd3d1aa | ||
|
|
8705846710 | ||
|
|
c944a9696e | ||
|
|
943cc09d8a | ||
|
|
fc6800d19f | ||
|
|
d06f047b04 | ||
|
|
ddc899bada | ||
|
|
bd479e25c7 | ||
|
|
eaf5bd168e | ||
|
|
d7ecc206ba | ||
|
|
11ea212e8c | ||
|
|
cb29d8c11f | ||
|
|
adcea5a043 | ||
|
|
f02f7c2c4a | ||
|
|
a1e44cc14f | ||
|
|
d2d09bf68c | ||
|
|
e2dfb655f7 | ||
|
|
463e76b63c | ||
|
|
2dc4b0dbe8 | ||
|
|
7b23c126e6 | ||
|
|
25e3d2225a | ||
|
|
c8e0b5d7b6 | ||
|
|
4fb7e2b445 | ||
|
|
9138e3c061 | ||
|
|
9b2a29660b | ||
|
|
b7b4a9fa57 | ||
|
|
1fb07a7de8 | ||
|
|
b9cbcaad58 | ||
|
|
c6706a6f6c | ||
|
|
958e6a75a1 | ||
|
|
397977726c | ||
|
|
285d9189c7 | ||
|
|
767d3e0054 | ||
|
|
409d2a1b71 | ||
|
|
e0b9678d7f | ||
|
|
166dea6ac8 | ||
|
|
52bef4d677 | ||
|
|
801e5ef840 | ||
|
|
0044739ae5 | ||
|
|
4e44bd3650 | ||
|
|
0cffb0cd3e | ||
|
|
aaa3850ccd | ||
|
|
a17b5d5a4f | ||
|
|
2f97765bc3 | ||
|
|
3205ca8deb | ||
|
|
1cb4d65b87 | ||
|
|
7b2dd292bc |
112
CHANGES
112
CHANGES
@@ -2,7 +2,25 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
|
||||
Changes between 1.0.0h and 1.0.1 [xx XXX xxxx]
|
||||
|
||||
*) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
|
||||
STRING form instead of a DigestInfo.
|
||||
[Steve Henson]
|
||||
|
||||
*) The format used for MDC2 RSA signatures is inconsistent between EVP
|
||||
and the RSA_sign/RSA_verify functions. This was made more apparent when
|
||||
OpenSSL used RSA_sign/RSA_verify for some RSA signatures in particular
|
||||
those which went through EVP_PKEY_METHOD in 1.0.0 and later. Detect
|
||||
the correct format in RSA_verify so both forms transparently work.
|
||||
[Steve Henson]
|
||||
|
||||
*) Some servers which support TLS 1.0 can choke if we initially indicate
|
||||
support for TLS 1.2 and later renegotiate using TLS 1.0 in the RSA
|
||||
encrypted premaster secret. As a workaround use the maximum pemitted
|
||||
client version in client hello, this should keep such servers happy
|
||||
and still work with previous versions of OpenSSL.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add support for TLS/DTLS heartbeats.
|
||||
[Robin Seggelmann <seggelmann@fh-muenster.de>]
|
||||
@@ -267,7 +285,56 @@
|
||||
Add command line options to s_client/s_server.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
|
||||
Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]
|
||||
|
||||
*) Fix CVE-2011-4619: make sure we really are receiving a
|
||||
client hello before rejecting multiple SGC restarts. Thanks to
|
||||
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 1.0.0f and 1.0.0g [18 Jan 2012]
|
||||
|
||||
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
|
||||
Thanks to Antonio Martin, Enterprise Secure Access Research and
|
||||
Development, Cisco Systems, Inc. for discovering this bug and
|
||||
preparing a fix. (CVE-2012-0050)
|
||||
[Antonio Martin]
|
||||
|
||||
Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
|
||||
|
||||
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
|
||||
of the Vaudenay padding oracle attack on CBC mode encryption
|
||||
which enables an efficient plaintext recovery attack against
|
||||
the OpenSSL implementation of DTLS. Their attack exploits timing
|
||||
differences arising during decryption processing. A research
|
||||
paper describing this attack can be found at:
|
||||
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
|
||||
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
|
||||
Security Group at Royal Holloway, University of London
|
||||
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
|
||||
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
|
||||
for preparing the fix. (CVE-2011-4108)
|
||||
[Robin Seggelmann, Michael Tuexen]
|
||||
|
||||
*) Clear bytes used for block padding of SSL 3.0 records.
|
||||
(CVE-2011-4576)
|
||||
[Adam Langley (Google)]
|
||||
|
||||
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
|
||||
Kadianakis <desnacked@gmail.com> for discovering this issue and
|
||||
Adam Langley for preparing the fix. (CVE-2011-4619)
|
||||
[Adam Langley (Google)]
|
||||
|
||||
*) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
|
||||
[Andrey Kulikov <amdeich@gmail.com>]
|
||||
|
||||
*) Prevent malformed RFC3779 data triggering an assertion failure.
|
||||
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
|
||||
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
|
||||
[Rob Austein <sra@hactrn.net>]
|
||||
|
||||
*) Improved PRNG seeding for VOS.
|
||||
[Paul Green <Paul.Green@stratus.com>]
|
||||
|
||||
*) Fix ssl_ciph.c set-up race.
|
||||
[Adam Langley (Google)]
|
||||
@@ -1196,8 +1263,47 @@
|
||||
|
||||
*) Change 'Configure' script to enable Camellia by default.
|
||||
[NTT]
|
||||
|
||||
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
|
||||
|
||||
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
|
||||
Thanks to Antonio Martin, Enterprise Secure Access Research and
|
||||
Development, Cisco Systems, Inc. for discovering this bug and
|
||||
preparing a fix. (CVE-2012-0050)
|
||||
[Antonio Martin]
|
||||
|
||||
Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
|
||||
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
|
||||
|
||||
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
|
||||
of the Vaudenay padding oracle attack on CBC mode encryption
|
||||
which enables an efficient plaintext recovery attack against
|
||||
the OpenSSL implementation of DTLS. Their attack exploits timing
|
||||
differences arising during decryption processing. A research
|
||||
paper describing this attack can be found at:
|
||||
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
|
||||
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
|
||||
Security Group at Royal Holloway, University of London
|
||||
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
|
||||
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
|
||||
for preparing the fix. (CVE-2011-4108)
|
||||
[Robin Seggelmann, Michael Tuexen]
|
||||
|
||||
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
|
||||
[Ben Laurie, Kasper <ekasper@google.com>]
|
||||
|
||||
*) Clear bytes used for block padding of SSL 3.0 records.
|
||||
(CVE-2011-4576)
|
||||
[Adam Langley (Google)]
|
||||
|
||||
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
|
||||
Kadianakis <desnacked@gmail.com> for discovering this issue and
|
||||
Adam Langley for preparing the fix. (CVE-2011-4619)
|
||||
[Adam Langley (Google)]
|
||||
|
||||
*) Prevent malformed RFC3779 data triggering an assertion failure.
|
||||
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
|
||||
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
|
||||
[Rob Austein <sra@hactrn.net>]
|
||||
|
||||
*) Fix ssl_ciph.c set-up race.
|
||||
[Adam Langley (Google)]
|
||||
|
||||
@@ -296,8 +296,8 @@ my %table=(
|
||||
# Since there is mention of this in shlib/hpux10-cc.sh
|
||||
"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1::pa-risc2.o::::::::::::::void:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
|
||||
"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
|
||||
"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
|
||||
|
||||
# More attempts at unified 10.X and 11.X targets for HP C compiler.
|
||||
@@ -306,7 +306,7 @@ my %table=(
|
||||
# Kevin Steves <ks@hp.se>
|
||||
"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${no_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc1_1-cc","cc:+DA1.1 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${parisc11_asm}:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
|
||||
"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2.o::::::::::::::void:dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
|
||||
"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:${parisc20_asm}:dlfcn:hpux-shared:+Z:+DD64 -b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
|
||||
|
||||
# HP/UX IA-64 targets
|
||||
@@ -1019,10 +1019,11 @@ if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
|
||||
$disabled{"gost"} = "forced";
|
||||
}
|
||||
|
||||
# SRP requires TLSEXT
|
||||
# SRP and HEARTBEATS require TLSEXT
|
||||
if (defined($disabled{"tlsext"}))
|
||||
{
|
||||
$disabled{"srp"} = "forced";
|
||||
$disabled{"heartbeats"} = "forced";
|
||||
}
|
||||
|
||||
if ($target eq "TABLE") {
|
||||
|
||||
@@ -364,7 +364,8 @@ libcrypto.pc: Makefile
|
||||
echo 'Description: OpenSSL cryptography library'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
|
||||
echo 'Libs: -L$${libdir} -lcrypto'; \
|
||||
echo 'Libs.private: $(EX_LIBS)'; \
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
|
||||
|
||||
libssl.pc: Makefile
|
||||
@@ -377,7 +378,8 @@ libssl.pc: Makefile
|
||||
echo 'Description: Secure Sockets Layer and cryptography libraries'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
||||
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
|
||||
echo 'Libs.private: $(EX_LIBS)'; \
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
|
||||
|
||||
openssl.pc: Makefile
|
||||
@@ -390,7 +392,8 @@ openssl.pc: Makefile
|
||||
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
|
||||
echo 'Version: '$(VERSION); \
|
||||
echo 'Requires: '; \
|
||||
echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
|
||||
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
|
||||
echo 'Libs.private: $(EX_LIBS)'; \
|
||||
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
|
||||
|
||||
Makefile: Makefile.org Configure config
|
||||
|
||||
14
NEWS
14
NEWS
@@ -5,7 +5,7 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.1:
|
||||
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.1:
|
||||
|
||||
o TLS/DTLS heartbeat support.
|
||||
o SCTP support.
|
||||
@@ -18,6 +18,18 @@
|
||||
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
|
||||
o SRP support.
|
||||
|
||||
Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g:
|
||||
|
||||
o Fix for DTLS DoS issue CVE-2012-0050
|
||||
|
||||
Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
|
||||
|
||||
o Fix for DTLS plaintext recovery attack CVE-2011-4108
|
||||
o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
|
||||
o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
|
||||
o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
|
||||
o Check for malformed RFC3779 data CVE-2011-4577
|
||||
|
||||
Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
|
||||
|
||||
o Fix for CRL vulnerability issue CVE-2011-3207
|
||||
|
||||
2
README
2
README
@@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 1.0.1-beta1 3 Jan 2012
|
||||
OpenSSL 1.0.1-beta3 23 Feb 2012
|
||||
|
||||
Copyright (c) 1998-2011 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
4
STATUS
4
STATUS
@@ -1,10 +1,12 @@
|
||||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2012/01/03 13:30:27 $
|
||||
______________ $Date: 2012/02/23 22:13:59 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
o OpenSSL 1.1.0: Under development...
|
||||
o OpenSSL 1.0.1-beta3: Released on February 23rd, 2011
|
||||
o OpenSSL 1.0.1-beta2: Released on January 19th, 2011
|
||||
o OpenSSL 1.0.1-beta1: Released on January 3rd, 2011
|
||||
o OpenSSL 1.0.0d: Released on February 8nd, 2011
|
||||
o OpenSSL 1.0.0c: Released on December 2nd, 2010
|
||||
|
||||
34
TABLE
34
TABLE
@@ -3298,7 +3298,7 @@ $shared_ldflag = -shared
|
||||
$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib =
|
||||
$multilib = /pa1.1
|
||||
|
||||
*** hpux-parisc2-cc
|
||||
$cc = cc
|
||||
@@ -3308,22 +3308,22 @@ $thread_cflag =
|
||||
$sys_id =
|
||||
$lflags = -Wl,+s -ldld
|
||||
$bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
|
||||
$cpuid_obj =
|
||||
$bn_obj = pa-risc2.o
|
||||
$cpuid_obj = pariscid.o
|
||||
$bn_obj = pa-risc2.o parisc-mont.o
|
||||
$des_obj =
|
||||
$aes_obj =
|
||||
$aes_obj = aes_core.o aes_cbc.o aes-parisc.o
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$sha1_obj = sha1-parisc.o sha256-parisc.o sha512-parisc.o
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rc4_obj = rc4-parisc.o
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$wp_obj =
|
||||
$cmll_obj =
|
||||
$modes_obj =
|
||||
$modes_obj = ghash-parisc.o
|
||||
$engines_obj =
|
||||
$perlasm_scheme = void
|
||||
$perlasm_scheme = 32
|
||||
$dso_scheme = dl
|
||||
$shared_target= hpux-shared
|
||||
$shared_cflag = +Z
|
||||
@@ -3331,7 +3331,7 @@ $shared_ldflag = -b
|
||||
$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib =
|
||||
$multilib = /pa20_32
|
||||
|
||||
*** hpux-parisc2-gcc
|
||||
$cc = gcc
|
||||
@@ -3341,22 +3341,22 @@ $thread_cflag =
|
||||
$sys_id =
|
||||
$lflags = -Wl,+s -ldld
|
||||
$bn_ops = SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1
|
||||
$cpuid_obj =
|
||||
$bn_obj = pa-risc2.o
|
||||
$cpuid_obj = pariscid.o
|
||||
$bn_obj = pa-risc2.o parisc-mont.o
|
||||
$des_obj =
|
||||
$aes_obj =
|
||||
$aes_obj = aes_core.o aes_cbc.o aes-parisc.o
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$sha1_obj = sha1-parisc.o sha256-parisc.o sha512-parisc.o
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rc4_obj = rc4-parisc.o
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$wp_obj =
|
||||
$cmll_obj =
|
||||
$modes_obj =
|
||||
$modes_obj = ghash-parisc.o
|
||||
$engines_obj =
|
||||
$perlasm_scheme = void
|
||||
$perlasm_scheme = 32
|
||||
$dso_scheme = dl
|
||||
$shared_target= hpux-shared
|
||||
$shared_cflag = -fPIC
|
||||
@@ -3364,7 +3364,7 @@ $shared_ldflag = -shared
|
||||
$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib =
|
||||
$multilib = /pa20_32
|
||||
|
||||
*** hpux64-ia64-cc
|
||||
$cc = cc
|
||||
|
||||
@@ -109,7 +109,7 @@
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef _POSIX_C_SOURCE
|
||||
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
||||
#define _POSIX_C_SOURCE 2 /* On VMS, you need to define this to get
|
||||
the declaration of fileno(). The value
|
||||
2 is to make sure no function defined
|
||||
@@ -1215,7 +1215,8 @@ STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *desc)
|
||||
{
|
||||
STACK_OF(X509) *certs;
|
||||
load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
|
||||
if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
|
||||
return NULL;
|
||||
return certs;
|
||||
}
|
||||
|
||||
@@ -1223,7 +1224,8 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *desc)
|
||||
{
|
||||
STACK_OF(X509_CRL) *crls;
|
||||
load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
|
||||
if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
|
||||
return NULL;
|
||||
return crls;
|
||||
}
|
||||
|
||||
|
||||
@@ -2560,7 +2560,7 @@ static int get_certificate_status(const char *serial, CA_DB *db)
|
||||
|
||||
/* Make it Upper Case */
|
||||
for (i=0; row[DB_serial][i] != '\0'; i++)
|
||||
row[DB_serial][i] = toupper(row[DB_serial][i]);
|
||||
row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]);
|
||||
|
||||
|
||||
ok=1;
|
||||
|
||||
@@ -626,7 +626,7 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf (bio_err, "-certsout file certificate output file\n");
|
||||
BIO_printf (bio_err, "-signer file signer certificate file\n");
|
||||
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
|
||||
BIO_printf (bio_err, "-keyid use subject key identifier\n");
|
||||
BIO_printf (bio_err, "-keyid use subject key identifier\n");
|
||||
BIO_printf (bio_err, "-in file input file\n");
|
||||
BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
|
||||
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
|
||||
|
||||
12
apps/dgst.c
12
apps/dgst.c
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
|
||||
#endif
|
||||
char *hmac_key=NULL;
|
||||
char *mac_name=NULL;
|
||||
int non_fips_allow = 0;
|
||||
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
|
||||
|
||||
apps_startup();
|
||||
@@ -215,6 +216,10 @@ int MAIN(int argc, char **argv)
|
||||
out_bin = 1;
|
||||
else if (strcmp(*argv,"-d") == 0)
|
||||
debug=1;
|
||||
else if (strcmp(*argv,"-non-fips-allow") == 0)
|
||||
non_fips_allow=1;
|
||||
else if (!strcmp(*argv,"-fips-fingerprint"))
|
||||
hmac_key = "etaonrishdlcupfm";
|
||||
else if (!strcmp(*argv,"-hmac"))
|
||||
{
|
||||
if (--argc < 1)
|
||||
@@ -395,6 +400,13 @@ int MAIN(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (non_fips_allow)
|
||||
{
|
||||
EVP_MD_CTX *md_ctx;
|
||||
BIO_get_md_ctx(bmd,&md_ctx);
|
||||
EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
}
|
||||
|
||||
if (hmac_key)
|
||||
{
|
||||
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
|
||||
|
||||
@@ -129,6 +129,7 @@ int MAIN(int argc, char **argv)
|
||||
char *engine = NULL;
|
||||
#endif
|
||||
const EVP_MD *dgst=NULL;
|
||||
int non_fips_allow = 0;
|
||||
|
||||
apps_startup();
|
||||
|
||||
@@ -281,6 +282,8 @@ int MAIN(int argc, char **argv)
|
||||
if (--argc < 1) goto bad;
|
||||
md= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-non-fips-allow") == 0)
|
||||
non_fips_allow = 1;
|
||||
else if ((argv[0][0] == '-') &&
|
||||
((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
|
||||
{
|
||||
@@ -589,6 +592,11 @@ bad:
|
||||
*/
|
||||
|
||||
BIO_get_cipher_ctx(benc, &ctx);
|
||||
|
||||
if (non_fips_allow)
|
||||
EVP_CIPHER_CTX_set_flags(ctx,
|
||||
EVP_CIPH_FLAG_NON_FIPS_ALLOW);
|
||||
|
||||
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
|
||||
{
|
||||
BIO_printf(bio_err, "Error setting cipher %s\n",
|
||||
|
||||
@@ -44,9 +44,9 @@ extern int smime_main(int argc,char *argv[]);
|
||||
extern int rand_main(int argc,char *argv[]);
|
||||
extern int engine_main(int argc,char *argv[]);
|
||||
extern int ocsp_main(int argc,char *argv[]);
|
||||
extern int srp_main(int argc,char *argv[]);
|
||||
extern int prime_main(int argc,char *argv[]);
|
||||
extern int ts_main(int argc,char *argv[]);
|
||||
extern int srp_main(int argc,char *argv[]);
|
||||
|
||||
#define FUNC_TYPE_GENERAL 1
|
||||
#define FUNC_TYPE_MD 2
|
||||
@@ -146,11 +146,11 @@ FUNCTION functions[] = {
|
||||
#ifndef OPENSSL_NO_OCSP
|
||||
{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
|
||||
#endif
|
||||
{FUNC_TYPE_GENERAL,"prime",prime_main},
|
||||
{FUNC_TYPE_GENERAL,"ts",ts_main},
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
{FUNC_TYPE_GENERAL,"srp",srp_main},
|
||||
#endif
|
||||
{FUNC_TYPE_GENERAL,"prime",prime_main},
|
||||
{FUNC_TYPE_GENERAL,"ts",ts_main},
|
||||
#ifndef OPENSSL_NO_MD2
|
||||
{FUNC_TYPE_MD,"md2",dgst_main},
|
||||
#endif
|
||||
|
||||
@@ -51,6 +51,8 @@ foreach (@ARGV)
|
||||
{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
|
||||
elsif ( ($_ =~ /^ocsp$/))
|
||||
{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
|
||||
elsif ( ($_ =~ /^srp$/))
|
||||
{ print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; }
|
||||
else
|
||||
{ print $str; }
|
||||
}
|
||||
|
||||
@@ -357,6 +357,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
|
||||
case TLS1_VERSION:
|
||||
str_version = "TLS 1.0 ";
|
||||
break;
|
||||
case TLS1_1_VERSION:
|
||||
str_version = "TLS 1.1 ";
|
||||
break;
|
||||
case TLS1_2_VERSION:
|
||||
str_version = "TLS 1.2 ";
|
||||
break;
|
||||
case DTLS1_VERSION:
|
||||
str_version = "DTLS 1.0 ";
|
||||
break;
|
||||
|
||||
@@ -362,7 +362,7 @@ static void sc_usage(void)
|
||||
# endif
|
||||
#endif
|
||||
BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list");
|
||||
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
|
||||
BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
|
||||
BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
|
||||
}
|
||||
@@ -763,7 +763,7 @@ int MAIN(int argc, char **argv)
|
||||
psk_key=*(++argv);
|
||||
for (j = 0; j < strlen(psk_key); j++)
|
||||
{
|
||||
if (isxdigit((int)psk_key[j]))
|
||||
if (isxdigit((unsigned char)psk_key[j]))
|
||||
continue;
|
||||
BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
|
||||
goto bad;
|
||||
@@ -2077,30 +2077,33 @@ static void print_stuff(BIO *bio, SSL *s, int full)
|
||||
}
|
||||
|
||||
SSL_SESSION_print(bio,SSL_get_session(s));
|
||||
if (keymatexportlabel != NULL) {
|
||||
if (keymatexportlabel != NULL)
|
||||
{
|
||||
BIO_printf(bio, "Keying material exporter:\n");
|
||||
BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
|
||||
BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
|
||||
exportedkeymat = OPENSSL_malloc(keymatexportlen);
|
||||
if (exportedkeymat != NULL) {
|
||||
i = SSL_export_keying_material(s, exportedkeymat,
|
||||
keymatexportlen,
|
||||
keymatexportlabel,
|
||||
strlen(keymatexportlabel),
|
||||
NULL, 0, 0);
|
||||
if (i != keymatexportlen) {
|
||||
BIO_printf(bio,
|
||||
" Error: return value %i\n", i);
|
||||
} else {
|
||||
if (exportedkeymat != NULL)
|
||||
{
|
||||
if (!SSL_export_keying_material(s, exportedkeymat,
|
||||
keymatexportlen,
|
||||
keymatexportlabel,
|
||||
strlen(keymatexportlabel),
|
||||
NULL, 0, 0))
|
||||
{
|
||||
BIO_printf(bio, " Error\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
BIO_printf(bio, " Keying material: ");
|
||||
for (i=0; i<keymatexportlen; i++)
|
||||
BIO_printf(bio, "%02X",
|
||||
exportedkeymat[i]);
|
||||
BIO_printf(bio, "\n");
|
||||
}
|
||||
}
|
||||
OPENSSL_free(exportedkeymat);
|
||||
}
|
||||
}
|
||||
}
|
||||
BIO_printf(bio,"---\n");
|
||||
if (peer != NULL)
|
||||
X509_free(peer);
|
||||
|
||||
@@ -556,7 +556,7 @@ static void sv_usage(void)
|
||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
|
||||
# endif
|
||||
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list");
|
||||
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
|
||||
#endif
|
||||
BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
|
||||
BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
|
||||
@@ -1204,7 +1204,7 @@ int MAIN(int argc, char *argv[])
|
||||
psk_key=*(++argv);
|
||||
for (i=0; i<strlen(psk_key); i++)
|
||||
{
|
||||
if (isxdigit((int)psk_key[i]))
|
||||
if (isxdigit((unsigned char)psk_key[i]))
|
||||
continue;
|
||||
BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
|
||||
goto bad;
|
||||
@@ -2245,6 +2245,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
||||
{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
|
||||
#endif
|
||||
k=SSL_write(con,&(buf[l]),(unsigned int)i);
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP renego during write\n");
|
||||
@@ -2255,6 +2256,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
k=SSL_write(con,&(buf[l]),(unsigned int)i);
|
||||
}
|
||||
#endif
|
||||
switch (SSL_get_error(con,k))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
||||
@@ -2302,6 +2304,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
||||
{
|
||||
again:
|
||||
i=SSL_read(con,(char *)buf,bufsize);
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP renego during read\n");
|
||||
@@ -2312,6 +2315,7 @@ again:
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_read(con,(char *)buf,bufsize);
|
||||
}
|
||||
#endif
|
||||
switch (SSL_get_error(con,i))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
||||
@@ -2389,6 +2393,7 @@ static int init_ssl_connection(SSL *con)
|
||||
|
||||
|
||||
i=SSL_accept(con);
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
|
||||
@@ -2399,6 +2404,7 @@ static int init_ssl_connection(SSL *con)
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_accept(con);
|
||||
}
|
||||
#endif
|
||||
if (i <= 0)
|
||||
{
|
||||
if (BIO_sock_should_retry(i))
|
||||
@@ -2469,31 +2475,34 @@ static int init_ssl_connection(SSL *con)
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
|
||||
SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
|
||||
if (keymatexportlabel != NULL) {
|
||||
BIO_printf(bio_s_out, "Keying material exporter:\n");
|
||||
BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
|
||||
BIO_printf(bio_s_out, " Length: %i bytes\n",
|
||||
if (keymatexportlabel != NULL)
|
||||
{
|
||||
BIO_printf(bio_s_out, "Keying material exporter:\n");
|
||||
BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
|
||||
BIO_printf(bio_s_out, " Length: %i bytes\n",
|
||||
keymatexportlen);
|
||||
exportedkeymat = OPENSSL_malloc(keymatexportlen);
|
||||
if (exportedkeymat != NULL) {
|
||||
i = SSL_export_keying_material(con, exportedkeymat,
|
||||
keymatexportlen,
|
||||
keymatexportlabel,
|
||||
strlen(keymatexportlabel),
|
||||
NULL, 0, 0);
|
||||
if (i != keymatexportlen) {
|
||||
BIO_printf(bio_s_out,
|
||||
" Error: return value %i\n", i);
|
||||
} else {
|
||||
BIO_printf(bio_s_out, " Keying material: ");
|
||||
for (i=0; i<keymatexportlen; i++)
|
||||
BIO_printf(bio_s_out, "%02X",
|
||||
exportedkeymat = OPENSSL_malloc(keymatexportlen);
|
||||
if (exportedkeymat != NULL)
|
||||
{
|
||||
if (!SSL_export_keying_material(con, exportedkeymat,
|
||||
keymatexportlen,
|
||||
keymatexportlabel,
|
||||
strlen(keymatexportlabel),
|
||||
NULL, 0, 0))
|
||||
{
|
||||
BIO_printf(bio_s_out, " Error\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
BIO_printf(bio_s_out, " Keying material: ");
|
||||
for (i=0; i<keymatexportlen; i++)
|
||||
BIO_printf(bio_s_out, "%02X",
|
||||
exportedkeymat[i]);
|
||||
BIO_printf(bio_s_out, "\n");
|
||||
}
|
||||
OPENSSL_free(exportedkeymat);
|
||||
}
|
||||
}
|
||||
BIO_printf(bio_s_out, "\n");
|
||||
}
|
||||
OPENSSL_free(exportedkeymat);
|
||||
}
|
||||
}
|
||||
|
||||
return(1);
|
||||
}
|
||||
@@ -2623,6 +2632,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
|
||||
if (hack)
|
||||
{
|
||||
i=SSL_accept(con);
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
|
||||
{
|
||||
BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
|
||||
@@ -2633,7 +2643,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
|
||||
BIO_printf(bio_s_out,"LOOKUP not successful\n");
|
||||
i=SSL_accept(con);
|
||||
}
|
||||
|
||||
#endif
|
||||
switch (SSL_get_error(con,i))
|
||||
{
|
||||
case SSL_ERROR_NONE:
|
||||
|
||||
@@ -2597,7 +2597,7 @@ static void pkey_print_message(const char *str, const char *str2, long num,
|
||||
BIO_printf(bio_err,mr ? "+DTP:%d:%s:%s:%d\n"
|
||||
: "Doing %d bit %s %s's for %ds: ",bits,str,str2,tm);
|
||||
(void)BIO_flush(bio_err);
|
||||
alarm(RSA_SECONDS);
|
||||
alarm(tm);
|
||||
#else
|
||||
BIO_printf(bio_err,mr ? "+DNP:%ld:%d:%s:%s\n"
|
||||
: "Doing %ld %d bit %s %s's: ",num,bits,str,str2);
|
||||
|
||||
@@ -1176,6 +1176,7 @@ ___
|
||||
# As UltraSPARC T1, a.k.a. Niagara, has shared FPU, FP nops can have
|
||||
# undesired effect, so just omit them and sacrifice some portion of
|
||||
# percent in performance...
|
||||
$code =~ s/fmovs.*$//gem;
|
||||
$code =~ s/fmovs.*$//gm;
|
||||
|
||||
print $code;
|
||||
close STDOUT; # ensure flush
|
||||
|
||||
@@ -386,8 +386,8 @@ long ASN1_INTEGER_get(const ASN1_INTEGER *a)
|
||||
|
||||
if (a->length > (int)sizeof(long))
|
||||
{
|
||||
/* hmm... a bit ugly */
|
||||
return(0xffffffffL);
|
||||
/* hmm... a bit ugly, return all ones */
|
||||
return -1;
|
||||
}
|
||||
if (a->data == NULL)
|
||||
return 0;
|
||||
|
||||
@@ -801,7 +801,7 @@ static MIME_HEADER *mime_hdr_new(char *name, char *value)
|
||||
if(name) {
|
||||
if(!(tmpname = BUF_strdup(name))) return NULL;
|
||||
for(p = tmpname ; *p; p++) {
|
||||
c = *p;
|
||||
c = (unsigned char)*p;
|
||||
if(isupper(c)) {
|
||||
c = tolower(c);
|
||||
*p = c;
|
||||
@@ -811,7 +811,7 @@ static MIME_HEADER *mime_hdr_new(char *name, char *value)
|
||||
if(value) {
|
||||
if(!(tmpval = BUF_strdup(value))) return NULL;
|
||||
for(p = tmpval ; *p; p++) {
|
||||
c = *p;
|
||||
c = (unsigned char)*p;
|
||||
if(isupper(c)) {
|
||||
c = tolower(c);
|
||||
*p = c;
|
||||
@@ -835,7 +835,7 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
|
||||
tmpname = BUF_strdup(name);
|
||||
if(!tmpname) return 0;
|
||||
for(p = tmpname ; *p; p++) {
|
||||
c = *p;
|
||||
c = (unsigned char)*p;
|
||||
if(isupper(c)) {
|
||||
c = tolower(c);
|
||||
*p = c;
|
||||
@@ -858,6 +858,10 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
|
||||
static int mime_hdr_cmp(const MIME_HEADER * const *a,
|
||||
const MIME_HEADER * const *b)
|
||||
{
|
||||
if ((*a)->name == NULL || (*b)->name == NULL)
|
||||
return (*a)->name - (*b)->name < 0 ? -1 :
|
||||
(*a)->name - (*b)->name > 0 ? 1 : 0;
|
||||
|
||||
return(strcmp((*a)->name, (*b)->name));
|
||||
}
|
||||
|
||||
|
||||
@@ -138,10 +138,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
|
||||
if (BIO_write(bp," Serial Number:",22) <= 0) goto err;
|
||||
|
||||
bs=X509_get_serialNumber(x);
|
||||
if (bs->length <= 4)
|
||||
if (bs->length <= (int)sizeof(long))
|
||||
{
|
||||
l=ASN1_INTEGER_get(bs);
|
||||
if (l < 0)
|
||||
if (bs->type == V_ASN1_NEG_INTEGER)
|
||||
{
|
||||
l= -l;
|
||||
neg="-";
|
||||
|
||||
@@ -472,6 +472,10 @@ extern "C" {
|
||||
}
|
||||
#endif /* !BN_LLONG */
|
||||
|
||||
#if defined(OPENSSL_DOING_MAKEDEPEND) && defined(OPENSSL_FIPS)
|
||||
#undef bn_div_words
|
||||
#endif
|
||||
|
||||
void bn_mul_normal(BN_ULONG *r,BN_ULONG *a,int na,BN_ULONG *b,int nb);
|
||||
void bn_mul_comba8(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
|
||||
void bn_mul_comba4(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b);
|
||||
|
||||
@@ -341,7 +341,7 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
|
||||
#define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0;
|
||||
# if defined(_WIN32) && !defined(__GNUC__)
|
||||
# define NIST_INT64 __int64
|
||||
# else
|
||||
# elif defined(BN_LLONG)
|
||||
# define NIST_INT64 long long
|
||||
# endif
|
||||
#endif /* BN_BITS2 != 64 */
|
||||
|
||||
@@ -698,7 +698,7 @@ void OPENSSL_cpuid_setup(void)
|
||||
#if defined(_WIN32)
|
||||
if (!sscanf(env+off,"%I64i",&vec)) vec = strtoul(env+off,NULL,0);
|
||||
#else
|
||||
vec = strtoull(env+off,NULL,0);
|
||||
if (!sscanf(env+off,"%lli",(long long *)&vec)) vec = strtoul(env+off,NULL,0);
|
||||
#endif
|
||||
if (off) vec = OPENSSL_ia32_cpuid()&~vec;
|
||||
}
|
||||
|
||||
@@ -64,7 +64,6 @@
|
||||
#include <string.h>
|
||||
#include "ec_lcl.h"
|
||||
#include <openssl/err.h>
|
||||
#include <string.h>
|
||||
#ifdef OPENSSL_FIPS
|
||||
#include <openssl/fips.h>
|
||||
#endif
|
||||
|
||||
@@ -58,6 +58,7 @@
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/aes.h>
|
||||
#include <openssl/sha.h>
|
||||
#include "evp_locl.h"
|
||||
|
||||
#ifndef EVP_CIPH_FLAG_AEAD_CIPHER
|
||||
#define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
|
||||
|
||||
@@ -125,10 +125,14 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
|
||||
/* Ensure a context left lying around from last time is cleared
|
||||
* (the previous check attempted to avoid this if the same
|
||||
* ENGINE and EVP_CIPHER could be used). */
|
||||
EVP_CIPHER_CTX_cleanup(ctx);
|
||||
|
||||
/* Restore encrypt field: it is zeroed by cleanup */
|
||||
ctx->encrypt = enc;
|
||||
if (ctx->cipher)
|
||||
{
|
||||
unsigned long flags = ctx->flags;
|
||||
EVP_CIPHER_CTX_cleanup(ctx);
|
||||
/* Restore encrypt and flags */
|
||||
ctx->encrypt = enc;
|
||||
ctx->flags = flags;
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if(impl)
|
||||
{
|
||||
|
||||
@@ -352,6 +352,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
|
||||
|
||||
#ifdef OPENSSL_DOING_MAKEDEPEND
|
||||
#undef SHA1_Init
|
||||
#undef SHA1_Update
|
||||
#undef SHA224_Init
|
||||
#undef SHA256_Init
|
||||
#undef SHA384_Init
|
||||
|
||||
@@ -331,7 +331,7 @@ if (!$x86only) {{{
|
||||
|
||||
&static_label("rem_4bit");
|
||||
|
||||
if (0) {{ # "May" MMX version is kept for reference...
|
||||
if (!$sse2) {{ # pure-MMX "May" version...
|
||||
|
||||
$S=12; # shift factor for rem_4bit
|
||||
|
||||
|
||||
@@ -723,7 +723,11 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
|
||||
# endif
|
||||
gcm_init_4bit(ctx->Htable,ctx->H.u);
|
||||
# if defined(GHASH_ASM_X86) /* x86 only */
|
||||
# if defined(OPENSSL_IA32_SSE2)
|
||||
if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */
|
||||
# else
|
||||
if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */
|
||||
# endif
|
||||
ctx->gmult = gcm_gmult_4bit_mmx;
|
||||
ctx->ghash = gcm_ghash_4bit_mmx;
|
||||
} else {
|
||||
|
||||
@@ -36,7 +36,7 @@ typedef unsigned char u8;
|
||||
# undef STRICT_ALIGNMENT
|
||||
#endif
|
||||
|
||||
#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPNESSL_NO_INLINE_ASM)
|
||||
#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
||||
#if defined(__GNUC__) && __GNUC__>=2
|
||||
# if defined(__x86_64) || defined(__x86_64__)
|
||||
# define BSWAP8(x) ({ u64 ret=(x); \
|
||||
|
||||
@@ -25,11 +25,11 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
#define OPENSSL_VERSION_NUMBER 0x10001001L
|
||||
#define OPENSSL_VERSION_NUMBER 0x10001003L
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-fips-beta1 03 Jan 2012"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-fips-beta3 23 Feb 2012"
|
||||
#else
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-beta1 03 Jan 2012"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-beta3 23 Feb 2012"
|
||||
#endif
|
||||
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
||||
@@ -569,7 +569,8 @@ my %globals;
|
||||
$v.=" READONLY";
|
||||
$v.=" ALIGN(".($1 eq "p" ? 4 : 8).")" if ($masm>=$masmref);
|
||||
} elsif ($line=~/\.CRT\$/i) {
|
||||
$v.=" READONLY ALIGN(8)";
|
||||
$v.=" READONLY ";
|
||||
$v.=$masm>=$masmref ? "ALIGN(8)" : "DWORD";
|
||||
}
|
||||
}
|
||||
$current_segment = $line;
|
||||
|
||||
@@ -137,7 +137,7 @@ int RAND_load_file(const char *file, long bytes)
|
||||
in=fopen(file,"rb");
|
||||
#endif
|
||||
if (in == NULL) goto err;
|
||||
#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPNESSL_NO_POSIX_IO)
|
||||
#if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
|
||||
if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
|
||||
/* this file is a device. we don't want read an infinite number
|
||||
* of bytes from a random device, nor do we want to use buffered
|
||||
|
||||
@@ -243,9 +243,9 @@ ___
|
||||
|
||||
$code.=<<___;
|
||||
|
||||
.EXPORT RC4_set_key,ENTRY,ARGW0=GR,ARGW1=GR,ARGW2=GR
|
||||
.EXPORT private_RC4_set_key,ENTRY,ARGW0=GR,ARGW1=GR,ARGW2=GR
|
||||
.ALIGN 8
|
||||
RC4_set_key
|
||||
private_RC4_set_key
|
||||
.PROC
|
||||
.CALLINFO NO_CALLS
|
||||
.ENTRY
|
||||
|
||||
@@ -222,7 +222,20 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
if (rctx->pad_mode == RSA_X931_PADDING)
|
||||
|
||||
if (EVP_MD_type(rctx->md) == NID_mdc2)
|
||||
{
|
||||
unsigned int sltmp;
|
||||
if (rctx->pad_mode != RSA_PKCS1_PADDING)
|
||||
return -1;
|
||||
ret = RSA_sign_ASN1_OCTET_STRING(NID_mdc2,
|
||||
tbs, tbslen, sig, &sltmp, rsa);
|
||||
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
ret = sltmp;
|
||||
}
|
||||
else if (rctx->pad_mode == RSA_X931_PADDING)
|
||||
{
|
||||
if (!setup_tbuf(rctx, ctx))
|
||||
return -1;
|
||||
|
||||
@@ -199,6 +199,22 @@ int int_rsa_verify(int dtype, const unsigned char *m,
|
||||
i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
|
||||
|
||||
if (i <= 0) goto err;
|
||||
/* Oddball MDC2 case: signature can be OCTET STRING.
|
||||
* check for correct tag and length octets.
|
||||
*/
|
||||
if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10)
|
||||
{
|
||||
if (rm)
|
||||
{
|
||||
memcpy(rm, s + 2, 16);
|
||||
*prm_len = 16;
|
||||
ret = 1;
|
||||
}
|
||||
else if(memcmp(m, s + 2, 16))
|
||||
RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
|
||||
else
|
||||
ret = 1;
|
||||
}
|
||||
|
||||
/* Special case: SSL signature */
|
||||
if(dtype == NID_md5_sha1) {
|
||||
|
||||
@@ -170,7 +170,6 @@ void OPENSSL_cpuid_setup(void)
|
||||
char *e;
|
||||
struct sigaction common_act,ill_oact,bus_oact;
|
||||
sigset_t all_masked,oset;
|
||||
int sig;
|
||||
static int trigger=0;
|
||||
|
||||
if (trigger) return;
|
||||
|
||||
@@ -43,7 +43,8 @@ links:
|
||||
@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
|
||||
|
||||
install:
|
||||
@for i in $(EXHEADER) ; \
|
||||
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
|
||||
@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
|
||||
do \
|
||||
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
|
||||
|
||||
@@ -192,6 +192,18 @@
|
||||
#define SSL_CTX_set_srp_verify_param_callback SSL_CTX_set_srp_vfy_param_cb
|
||||
#undef SSL_CTX_set_srp_username_callback
|
||||
#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
|
||||
#undef ssl_add_clienthello_use_srtp_ext
|
||||
#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
|
||||
#undef ssl_add_serverhello_use_srtp_ext
|
||||
#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
|
||||
#undef ssl_parse_clienthello_use_srtp_ext
|
||||
#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
|
||||
#undef ssl_parse_serverhello_use_srtp_ext
|
||||
#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
|
||||
#undef SSL_CTX_set_next_protos_advertised_cb
|
||||
#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
|
||||
#undef SSL_CTX_set_next_proto_select_cb
|
||||
#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
|
||||
|
||||
/* Hack some long ENGINE names */
|
||||
#undef ENGINE_get_default_BN_mod_exp_crt
|
||||
|
||||
@@ -86,9 +86,6 @@
|
||||
#include <openssl/dh.h>
|
||||
#endif
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
@@ -122,7 +122,7 @@
|
||||
* sigaction and fileno included. -pedantic would be more appropriate for
|
||||
* the intended purposes, but we can't prevent users from adding -ansi.
|
||||
*/
|
||||
#ifndef _POSIX_C_SOURCE
|
||||
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
||||
#define _POSIX_C_SOURCE 2
|
||||
#endif
|
||||
#include <signal.h>
|
||||
|
||||
@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
|
||||
* Expand the bitstring form of an address into a raw byte array.
|
||||
* At the moment this is coded for simplicity, not speed.
|
||||
*/
|
||||
static void addr_expand(unsigned char *addr,
|
||||
static int addr_expand(unsigned char *addr,
|
||||
const ASN1_BIT_STRING *bs,
|
||||
const int length,
|
||||
const unsigned char fill)
|
||||
{
|
||||
OPENSSL_assert(bs->length >= 0 && bs->length <= length);
|
||||
if (bs->length < 0 || bs->length > length)
|
||||
return 0;
|
||||
if (bs->length > 0) {
|
||||
memcpy(addr, bs->data, bs->length);
|
||||
if ((bs->flags & 7) != 0) {
|
||||
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
|
||||
}
|
||||
}
|
||||
memset(addr + bs->length, fill, length - bs->length);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
|
||||
return 0;
|
||||
switch (afi) {
|
||||
case IANA_AFI_IPV4:
|
||||
if (bs->length > 4)
|
||||
if (!addr_expand(addr, bs, 4, fill))
|
||||
return 0;
|
||||
addr_expand(addr, bs, 4, fill);
|
||||
BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
|
||||
break;
|
||||
case IANA_AFI_IPV6:
|
||||
if (bs->length > 16)
|
||||
if (!addr_expand(addr, bs, 16, fill))
|
||||
return 0;
|
||||
addr_expand(addr, bs, 16, fill);
|
||||
for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
|
||||
;
|
||||
for (i = 0; i < n; i += 2)
|
||||
@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
|
||||
/*
|
||||
* Sort comparison function for a sequence of IPAddressOrRange
|
||||
* elements.
|
||||
*
|
||||
* There's no sane answer we can give if addr_expand() fails, and an
|
||||
* assertion failure on externally supplied data is seriously uncool,
|
||||
* so we just arbitrarily declare that if given invalid inputs this
|
||||
* function returns -1. If this messes up your preferred sort order
|
||||
* for garbage input, tough noogies.
|
||||
*/
|
||||
static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
|
||||
const IPAddressOrRange *b,
|
||||
@@ -326,22 +332,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
|
||||
|
||||
switch (a->type) {
|
||||
case IPAddressOrRange_addressPrefix:
|
||||
addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
|
||||
if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
|
||||
return -1;
|
||||
prefixlen_a = addr_prefixlen(a->u.addressPrefix);
|
||||
break;
|
||||
case IPAddressOrRange_addressRange:
|
||||
addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
|
||||
if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
|
||||
return -1;
|
||||
prefixlen_a = length * 8;
|
||||
break;
|
||||
}
|
||||
|
||||
switch (b->type) {
|
||||
case IPAddressOrRange_addressPrefix:
|
||||
addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
|
||||
if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
|
||||
return -1;
|
||||
prefixlen_b = addr_prefixlen(b->u.addressPrefix);
|
||||
break;
|
||||
case IPAddressOrRange_addressRange:
|
||||
addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
|
||||
if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
|
||||
return -1;
|
||||
prefixlen_b = length * 8;
|
||||
break;
|
||||
}
|
||||
@@ -602,10 +612,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
|
||||
return NULL;
|
||||
switch (afi) {
|
||||
case IANA_AFI_IPV4:
|
||||
sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
|
||||
(void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
|
||||
break;
|
||||
case IANA_AFI_IPV6:
|
||||
sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
|
||||
(void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
|
||||
break;
|
||||
}
|
||||
f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
|
||||
@@ -657,22 +667,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
|
||||
/*
|
||||
* Extract min and max values from an IPAddressOrRange.
|
||||
*/
|
||||
static void extract_min_max(IPAddressOrRange *aor,
|
||||
static int extract_min_max(IPAddressOrRange *aor,
|
||||
unsigned char *min,
|
||||
unsigned char *max,
|
||||
int length)
|
||||
{
|
||||
OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
|
||||
if (aor == NULL || min == NULL || max == NULL)
|
||||
return 0;
|
||||
switch (aor->type) {
|
||||
case IPAddressOrRange_addressPrefix:
|
||||
addr_expand(min, aor->u.addressPrefix, length, 0x00);
|
||||
addr_expand(max, aor->u.addressPrefix, length, 0xFF);
|
||||
return;
|
||||
return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
|
||||
addr_expand(max, aor->u.addressPrefix, length, 0xFF));
|
||||
case IPAddressOrRange_addressRange:
|
||||
addr_expand(min, aor->u.addressRange->min, length, 0x00);
|
||||
addr_expand(max, aor->u.addressRange->max, length, 0xFF);
|
||||
return;
|
||||
return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
|
||||
addr_expand(max, aor->u.addressRange->max, length, 0xFF));
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -688,9 +698,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
|
||||
if (aor == NULL || min == NULL || max == NULL ||
|
||||
afi_length == 0 || length < afi_length ||
|
||||
(aor->type != IPAddressOrRange_addressPrefix &&
|
||||
aor->type != IPAddressOrRange_addressRange))
|
||||
aor->type != IPAddressOrRange_addressRange) ||
|
||||
!extract_min_max(aor, min, max, afi_length))
|
||||
return 0;
|
||||
extract_min_max(aor, min, max, afi_length);
|
||||
|
||||
return afi_length;
|
||||
}
|
||||
|
||||
@@ -772,8 +783,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
|
||||
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
|
||||
IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
|
||||
|
||||
extract_min_max(a, a_min, a_max, length);
|
||||
extract_min_max(b, b_min, b_max, length);
|
||||
if (!extract_min_max(a, a_min, a_max, length) ||
|
||||
!extract_min_max(b, b_min, b_max, length))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* Punt misordered list, overlapping start, or inverted range.
|
||||
@@ -808,7 +820,8 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
|
||||
{
|
||||
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
|
||||
if (a != NULL && a->type == IPAddressOrRange_addressRange) {
|
||||
extract_min_max(a, a_min, a_max, length);
|
||||
if (!extract_min_max(a, a_min, a_max, length))
|
||||
return 0;
|
||||
if (memcmp(a_min, a_max, length) > 0 ||
|
||||
range_should_be_prefix(a_min, a_max, length) >= 0)
|
||||
return 0;
|
||||
@@ -844,8 +857,9 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
|
||||
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
|
||||
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
|
||||
|
||||
extract_min_max(a, a_min, a_max, length);
|
||||
extract_min_max(b, b_min, b_max, length);
|
||||
if (!extract_min_max(a, a_min, a_max, length) ||
|
||||
!extract_min_max(b, b_min, b_max, length))
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* Punt inverted ranges.
|
||||
@@ -870,8 +884,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
|
||||
IPAddressOrRange *merged;
|
||||
if (!make_addressRange(&merged, a_min, b_max, length))
|
||||
return 0;
|
||||
sk_IPAddressOrRange_set(aors, i, merged);
|
||||
sk_IPAddressOrRange_delete(aors, i + 1);
|
||||
(void) sk_IPAddressOrRange_set(aors, i, merged);
|
||||
(void) sk_IPAddressOrRange_delete(aors, i + 1);
|
||||
IPAddressOrRange_free(a);
|
||||
IPAddressOrRange_free(b);
|
||||
--i;
|
||||
@@ -909,7 +923,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
|
||||
v3_addr_get_afi(f)))
|
||||
return 0;
|
||||
}
|
||||
sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
|
||||
(void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
|
||||
sk_IPAddressFamily_sort(addr);
|
||||
OPENSSL_assert(v3_addr_is_canonical(addr));
|
||||
return 1;
|
||||
@@ -1131,13 +1145,15 @@ static int addr_contains(IPAddressOrRanges *parent,
|
||||
|
||||
p = 0;
|
||||
for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
|
||||
extract_min_max(sk_IPAddressOrRange_value(child, c),
|
||||
c_min, c_max, length);
|
||||
if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
|
||||
c_min, c_max, length))
|
||||
return -1;
|
||||
for (;; p++) {
|
||||
if (p >= sk_IPAddressOrRange_num(parent))
|
||||
return 0;
|
||||
extract_min_max(sk_IPAddressOrRange_value(parent, p),
|
||||
p_min, p_max, length);
|
||||
if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
|
||||
p_min, p_max, length))
|
||||
return 0;
|
||||
if (memcmp(p_max, c_max, length) < 0)
|
||||
continue;
|
||||
if (memcmp(p_min, c_min, length) > 0)
|
||||
@@ -1159,7 +1175,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
|
||||
return 1;
|
||||
if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
|
||||
return 0;
|
||||
sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
|
||||
(void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
|
||||
for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
|
||||
IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
|
||||
int j = sk_IPAddressFamily_find(b, fa);
|
||||
@@ -1224,7 +1240,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
|
||||
}
|
||||
if (!v3_addr_is_canonical(ext))
|
||||
validation_err(X509_V_ERR_INVALID_EXTENSION);
|
||||
sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
|
||||
(void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
|
||||
if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
|
||||
X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
|
||||
ret = 0;
|
||||
@@ -1250,7 +1266,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
|
||||
}
|
||||
continue;
|
||||
}
|
||||
sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
|
||||
(void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
|
||||
for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
|
||||
IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
|
||||
int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
|
||||
|
||||
@@ -358,6 +358,20 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
|
||||
goto done;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check for inverted range.
|
||||
*/
|
||||
i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
|
||||
{
|
||||
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
|
||||
ASN1_INTEGER *a_min, *a_max;
|
||||
if (a != NULL && a->type == ASIdOrRange_range) {
|
||||
extract_min_max(a, &a_min, &a_max);
|
||||
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
ret = 1;
|
||||
|
||||
done:
|
||||
@@ -392,9 +406,18 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
|
||||
return 1;
|
||||
|
||||
/*
|
||||
* We have a list. Sort it.
|
||||
* If not a list, or if empty list, it's broken.
|
||||
*/
|
||||
if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
|
||||
sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
|
||||
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
|
||||
X509V3_R_EXTENSION_VALUE_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* We have a non-empty list. Sort it.
|
||||
*/
|
||||
OPENSSL_assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
|
||||
sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
|
||||
|
||||
/*
|
||||
@@ -414,6 +437,13 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
|
||||
*/
|
||||
OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
|
||||
|
||||
/*
|
||||
* Punt inverted ranges.
|
||||
*/
|
||||
if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
|
||||
ASN1_INTEGER_cmp(b_min, b_max) > 0)
|
||||
goto done;
|
||||
|
||||
/*
|
||||
* Check for overlaps.
|
||||
*/
|
||||
@@ -465,12 +495,26 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
|
||||
break;
|
||||
}
|
||||
ASIdOrRange_free(b);
|
||||
sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
|
||||
(void) sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
|
||||
i--;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Check for final inverted range.
|
||||
*/
|
||||
i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
|
||||
{
|
||||
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
|
||||
ASN1_INTEGER *a_min, *a_max;
|
||||
if (a != NULL && a->type == ASIdOrRange_range) {
|
||||
extract_min_max(a, &a_min, &a_max);
|
||||
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
|
||||
|
||||
ret = 1;
|
||||
@@ -498,6 +542,7 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
|
||||
struct v3_ext_ctx *ctx,
|
||||
STACK_OF(CONF_VALUE) *values)
|
||||
{
|
||||
ASN1_INTEGER *min = NULL, *max = NULL;
|
||||
ASIdentifiers *asid = NULL;
|
||||
int i;
|
||||
|
||||
@@ -508,7 +553,6 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
|
||||
|
||||
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
|
||||
CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
|
||||
ASN1_INTEGER *min = NULL, *max = NULL;
|
||||
int i1, i2, i3, is_range, which;
|
||||
|
||||
/*
|
||||
@@ -578,18 +622,19 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
|
||||
max = s2i_ASN1_INTEGER(NULL, s + i2);
|
||||
OPENSSL_free(s);
|
||||
if (min == NULL || max == NULL) {
|
||||
ASN1_INTEGER_free(min);
|
||||
ASN1_INTEGER_free(max);
|
||||
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (ASN1_INTEGER_cmp(min, max) > 0) {
|
||||
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_VALUE_ERROR);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
if (!v3_asid_add_id_or_range(asid, which, min, max)) {
|
||||
ASN1_INTEGER_free(min);
|
||||
ASN1_INTEGER_free(max);
|
||||
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
min = max = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -601,6 +646,8 @@ static void *v2i_ASIdentifiers(const struct v3_ext_method *method,
|
||||
|
||||
err:
|
||||
ASIdentifiers_free(asid);
|
||||
ASN1_INTEGER_free(min);
|
||||
ASN1_INTEGER_free(max);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
@@ -114,6 +114,8 @@ hexadecimal value if preceded by B<0x>. Default value is 65537.
|
||||
|
||||
The number of bits in the generated parameters. If not specified 1024 is used.
|
||||
|
||||
=back
|
||||
|
||||
=head1 DH PARAMETER GENERATION OPTIONS
|
||||
|
||||
=over 4
|
||||
|
||||
@@ -287,8 +287,6 @@ SHA Digest
|
||||
|
||||
SHA-1 Digest
|
||||
|
||||
=back
|
||||
|
||||
=item B<sha224>
|
||||
|
||||
SHA-224 Digest
|
||||
@@ -305,6 +303,8 @@ SHA-384 Digest
|
||||
|
||||
SHA-512 Digest
|
||||
|
||||
=back
|
||||
|
||||
=head2 ENCODING AND CIPHER COMMANDS
|
||||
|
||||
=over 10
|
||||
|
||||
@@ -114,7 +114,7 @@ using the public key B<eckey>.
|
||||
|
||||
ECDSA_size() returns the maximum length signature or 0 on error.
|
||||
|
||||
ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1
|
||||
ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or 0
|
||||
on error.
|
||||
|
||||
ECDSA_verify() and ECDSA_do_verify() return 1 for a valid
|
||||
|
||||
@@ -280,6 +280,10 @@ int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, size_t * key_l
|
||||
}
|
||||
|
||||
param = get_encryption_params(gkt->key_agreement_info->cipher);
|
||||
if(!param){
|
||||
goto err;
|
||||
}
|
||||
|
||||
gost_init(&ctx,param->sblock);
|
||||
OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
|
||||
memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
|
||||
|
||||
@@ -261,6 +261,10 @@ int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *key_len
|
||||
}
|
||||
|
||||
param = get_encryption_params(gkt->key_agreement_info->cipher);
|
||||
if(!param){
|
||||
goto err;
|
||||
}
|
||||
|
||||
gost_init(&cctx,param->sblock);
|
||||
OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
|
||||
memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
|
||||
|
||||
@@ -123,7 +123,7 @@ static int pkey_gost_ctrl94_str(EVP_PKEY_CTX *ctx,
|
||||
}
|
||||
if (strlen(value) == 1)
|
||||
{
|
||||
switch(toupper(value[0]))
|
||||
switch(toupper((unsigned char)value[0]))
|
||||
{
|
||||
case 'A':
|
||||
param_nid = NID_id_GostR3410_94_CryptoPro_A_ParamSet;
|
||||
@@ -142,9 +142,9 @@ static int pkey_gost_ctrl94_str(EVP_PKEY_CTX *ctx,
|
||||
break;
|
||||
}
|
||||
}
|
||||
else if ((strlen(value) == 2) && (toupper(value[0]) == 'X'))
|
||||
else if ((strlen(value) == 2) && (toupper((unsigned char)value[0]) == 'X'))
|
||||
{
|
||||
switch (toupper(value[1]))
|
||||
switch (toupper((unsigned char)value[1]))
|
||||
{
|
||||
case 'A':
|
||||
param_nid = NID_id_GostR3410_94_CryptoPro_XchA_ParamSet;
|
||||
@@ -198,7 +198,7 @@ static int pkey_gost_ctrl01_str(EVP_PKEY_CTX *ctx,
|
||||
}
|
||||
if (strlen(value) == 1)
|
||||
{
|
||||
switch(toupper(value[0]))
|
||||
switch(toupper((unsigned char)value[0]))
|
||||
{
|
||||
case 'A':
|
||||
param_nid = NID_id_GostR3410_2001_CryptoPro_A_ParamSet;
|
||||
@@ -217,9 +217,9 @@ static int pkey_gost_ctrl01_str(EVP_PKEY_CTX *ctx,
|
||||
break;
|
||||
}
|
||||
}
|
||||
else if ((strlen(value) == 2) && (toupper(value[0]) == 'X'))
|
||||
else if ((strlen(value) == 2) && (toupper((unsigned char)value[0]) == 'X'))
|
||||
{
|
||||
switch (toupper(value[1]))
|
||||
switch (toupper((unsigned char)value[1]))
|
||||
{
|
||||
case 'A':
|
||||
param_nid = NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet;
|
||||
|
||||
@@ -85,7 +85,6 @@ extern int GetThreadID(void);
|
||||
#ifndef OPENSSL_NO_DH
|
||||
#include <openssl/dh.h>
|
||||
#endif
|
||||
#include <openssl/bn.h>
|
||||
|
||||
#ifndef OPENSSL_NO_HW
|
||||
#ifndef OPENSSL_NO_HW_AEP
|
||||
|
||||
@@ -442,28 +442,36 @@ static int capi_init(ENGINE *e)
|
||||
CAPI_CTX *ctx;
|
||||
const RSA_METHOD *ossl_rsa_meth;
|
||||
const DSA_METHOD *ossl_dsa_meth;
|
||||
capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
|
||||
if (capi_idx < 0)
|
||||
{
|
||||
capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
if (capi_idx < 0)
|
||||
goto memerr;
|
||||
|
||||
cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
|
||||
/* Setup RSA_METHOD */
|
||||
rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
ossl_rsa_meth = RSA_PKCS1_SSLeay();
|
||||
capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
|
||||
capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
|
||||
capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
|
||||
capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
|
||||
|
||||
/* Setup DSA Method */
|
||||
dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
ossl_dsa_meth = DSA_OpenSSL();
|
||||
capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
|
||||
capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
|
||||
capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
|
||||
}
|
||||
|
||||
ctx = capi_ctx_new();
|
||||
if (!ctx || (capi_idx < 0))
|
||||
if (!ctx)
|
||||
goto memerr;
|
||||
|
||||
ENGINE_set_ex_data(e, capi_idx, ctx);
|
||||
/* Setup RSA_METHOD */
|
||||
rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
ossl_rsa_meth = RSA_PKCS1_SSLeay();
|
||||
capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
|
||||
capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
|
||||
capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
|
||||
capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
|
||||
|
||||
/* Setup DSA Method */
|
||||
dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
|
||||
ossl_dsa_meth = DSA_OpenSSL();
|
||||
capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
|
||||
capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
|
||||
capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
|
||||
|
||||
#ifdef OPENSSL_CAPIENG_DIALOG
|
||||
{
|
||||
@@ -1156,6 +1164,7 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
|
||||
{
|
||||
CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
|
||||
capi_addlasterror();
|
||||
CryptReleaseContext(hprov, 0);
|
||||
return 0;
|
||||
}
|
||||
CAPI_trace(ctx, "Got max container len %d\n", buflen);
|
||||
@@ -1573,6 +1582,8 @@ static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int che
|
||||
}
|
||||
CryptReleaseContext(hprov, 0);
|
||||
}
|
||||
if (ctx->cspname)
|
||||
OPENSSL_free(ctx->cspname);
|
||||
ctx->cspname = BUF_strdup(pname);
|
||||
ctx->csptype = type;
|
||||
return 1;
|
||||
@@ -1582,9 +1593,12 @@ static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
|
||||
{
|
||||
LPSTR pname;
|
||||
DWORD type;
|
||||
int res;
|
||||
if (capi_get_provname(ctx, &pname, &type, idx) != 1)
|
||||
return 0;
|
||||
return capi_ctx_set_provname(ctx, pname, type, 0);
|
||||
res = capi_ctx_set_provname(ctx, pname, type, 0);
|
||||
OPENSSL_free(pname);
|
||||
return res;
|
||||
}
|
||||
|
||||
static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)
|
||||
|
||||
@@ -784,7 +784,7 @@ $!
|
||||
$! Copy All The ".H" Files From The [.SSL] Directory.
|
||||
$!
|
||||
$! (keep these in the same order as ssl/Makefile)
|
||||
$ EXHEADER := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h
|
||||
$ EXHEADER := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h, srtp.h
|
||||
$ copy sys$disk:[.ssl]'exheader' sys$disk:[.include.openssl]
|
||||
$!
|
||||
$! Purge the [.include.openssl] header files.
|
||||
|
||||
41
ssl/d1_pkt.c
41
ssl/d1_pkt.c
@@ -383,6 +383,8 @@ dtls1_process_record(SSL *s)
|
||||
SSL3_RECORD *rr;
|
||||
unsigned int mac_size;
|
||||
unsigned char md[EVP_MAX_MD_SIZE];
|
||||
int decryption_failed_or_bad_record_mac = 0;
|
||||
unsigned char *mac = NULL;
|
||||
|
||||
|
||||
rr= &(s->s3->rrec);
|
||||
@@ -417,13 +419,10 @@ dtls1_process_record(SSL *s)
|
||||
enc_err = s->method->ssl3_enc->enc(s,0);
|
||||
if (enc_err <= 0)
|
||||
{
|
||||
/* decryption failed, silently discard message */
|
||||
if (enc_err < 0)
|
||||
{
|
||||
rr->length = 0;
|
||||
s->packet_length = 0;
|
||||
}
|
||||
goto err;
|
||||
/* To minimize information leaked via timing, we will always
|
||||
* perform all computations before discarding the message.
|
||||
*/
|
||||
decryption_failed_or_bad_record_mac = 1;
|
||||
}
|
||||
|
||||
#ifdef TLS_DEBUG
|
||||
@@ -453,28 +452,32 @@ printf("\n");
|
||||
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
|
||||
goto f_err;
|
||||
#else
|
||||
goto err;
|
||||
decryption_failed_or_bad_record_mac = 1;
|
||||
#endif
|
||||
}
|
||||
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
|
||||
if (rr->length < mac_size)
|
||||
if (rr->length >= mac_size)
|
||||
{
|
||||
#if 0 /* OK only for stream ciphers */
|
||||
al=SSL_AD_DECODE_ERROR;
|
||||
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
|
||||
goto f_err;
|
||||
#else
|
||||
goto err;
|
||||
#endif
|
||||
rr->length -= mac_size;
|
||||
mac = &rr->data[rr->length];
|
||||
}
|
||||
rr->length-=mac_size;
|
||||
else
|
||||
rr->length = 0;
|
||||
i=s->method->ssl3_enc->mac(s,md,0);
|
||||
if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
|
||||
if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
|
||||
{
|
||||
goto err;
|
||||
decryption_failed_or_bad_record_mac = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (decryption_failed_or_bad_record_mac)
|
||||
{
|
||||
/* decryption failed, silently discard message */
|
||||
rr->length = 0;
|
||||
s->packet_length = 0;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* r->length is now just compressed */
|
||||
if (s->expand != NULL)
|
||||
{
|
||||
|
||||
@@ -278,19 +278,25 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
|
||||
return 1;
|
||||
}
|
||||
|
||||
if((ct*2) > maxlen)
|
||||
if((2 + ct*2 + 1) > maxlen)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Add the length */
|
||||
s2n(ct * 2, p);
|
||||
for(i=0;i<ct;i++)
|
||||
{
|
||||
prof=sk_SRTP_PROTECTION_PROFILE_value(clnt,i);
|
||||
s2n(prof->id,p);
|
||||
}
|
||||
|
||||
/* Add an empty use_mki value */
|
||||
*p++ = 0;
|
||||
}
|
||||
*len=ct*2;
|
||||
|
||||
*len=2 + ct*2 + 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -300,23 +306,48 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
|
||||
{
|
||||
SRTP_PROTECTION_PROFILE *cprof,*sprof;
|
||||
STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
|
||||
int ct;
|
||||
int mki_len;
|
||||
int i,j;
|
||||
int id;
|
||||
int ret;
|
||||
|
||||
if(len%2)
|
||||
|
||||
/* Length value + the MKI length */
|
||||
if(len < 3)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Pull off the length of the cipher suite list */
|
||||
n2s(d, ct);
|
||||
len -= 2;
|
||||
|
||||
/* Check that it is even */
|
||||
if(ct%2)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Check that lengths are consistent */
|
||||
if(len < (ct + 1))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
|
||||
|
||||
while(len)
|
||||
while(ct)
|
||||
{
|
||||
n2s(d,id);
|
||||
len-=2;
|
||||
ct-=2;
|
||||
len-=2;
|
||||
|
||||
if(!find_profile_by_num(id,&cprof))
|
||||
{
|
||||
@@ -328,6 +359,17 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
|
||||
}
|
||||
}
|
||||
|
||||
/* Now extract the MKI value as a sanity check, but discard it for now */
|
||||
mki_len = *d;
|
||||
d++; len--;
|
||||
|
||||
if (mki_len != len)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_CLIENTHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
srvr=SSL_get_srtp_profiles(s);
|
||||
|
||||
/* Pick our most preferred profile. If no profiles have been
|
||||
@@ -364,7 +406,7 @@ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
|
||||
{
|
||||
if(p)
|
||||
{
|
||||
if(maxlen < 2)
|
||||
if(maxlen < 5)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
|
||||
return 1;
|
||||
@@ -375,10 +417,11 @@ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
|
||||
SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,SSL_R_USE_SRTP_NOT_NEGOTIATED);
|
||||
return 1;
|
||||
}
|
||||
|
||||
s2n(2, p);
|
||||
s2n(s->srtp_profile->id,p);
|
||||
}
|
||||
*len=2;
|
||||
*p++ = 0;
|
||||
}
|
||||
*len=5;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -388,10 +431,20 @@ int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
|
||||
{
|
||||
unsigned id;
|
||||
int i;
|
||||
int ct;
|
||||
|
||||
STACK_OF(SRTP_PROTECTION_PROFILE) *clnt;
|
||||
SRTP_PROTECTION_PROFILE *prof;
|
||||
|
||||
if(len!=2)
|
||||
if(len!=5)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
return 1;
|
||||
}
|
||||
|
||||
n2s(d, ct);
|
||||
if(ct!=2)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
|
||||
*al=SSL_AD_DECODE_ERROR;
|
||||
@@ -399,6 +452,12 @@ int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
|
||||
}
|
||||
|
||||
n2s(d,id);
|
||||
if (*d) /* Must be no MKI, since we never offer one */
|
||||
{
|
||||
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT,SSL_R_BAD_SRTP_MKI_VALUE);
|
||||
*al=SSL_AD_ILLEGAL_PARAMETER;
|
||||
return 1;
|
||||
}
|
||||
|
||||
clnt=SSL_get_srtp_profiles(s);
|
||||
|
||||
|
||||
@@ -689,9 +689,43 @@ int ssl3_client_hello(SSL *s)
|
||||
/* Do the message type and length last */
|
||||
d=p= &(buf[4]);
|
||||
|
||||
/* version indicates the negotiated version: for example from
|
||||
* an SSLv2/v3 compatible client hello). The client_version
|
||||
* field is the maximum version we permit and it is also
|
||||
* used in RSA encrypted premaster secrets. Some servers can
|
||||
* choke if we initially report a higher version then
|
||||
* renegotiate to a lower one in the premaster secret. This
|
||||
* didn't happen with TLS 1.0 as most servers supported it
|
||||
* but it can with TLS 1.1 or later if the server only supports
|
||||
* 1.0.
|
||||
*
|
||||
* Possible scenario with previous logic:
|
||||
* 1. Client hello indicates TLS 1.2
|
||||
* 2. Server hello says TLS 1.0
|
||||
* 3. RSA encrypted premaster secret uses 1.2.
|
||||
* 4. Handhaked proceeds using TLS 1.0.
|
||||
* 5. Server sends hello request to renegotiate.
|
||||
* 6. Client hello indicates TLS v1.0 as we now
|
||||
* know that is maximum server supports.
|
||||
* 7. Server chokes on RSA encrypted premaster secret
|
||||
* containing version 1.0.
|
||||
*
|
||||
* For interoperability it should be OK to always use the
|
||||
* maximum version we support in client hello and then rely
|
||||
* on the checking of version to ensure the servers isn't
|
||||
* being inconsistent: for example initially negotiating with
|
||||
* TLS 1.0 and renegotiating with TLS 1.2. We do this by using
|
||||
* client_version in client hello and not resetting it to
|
||||
* the negotiated version.
|
||||
*/
|
||||
#if 0
|
||||
*(p++)=s->version>>8;
|
||||
*(p++)=s->version&0xff;
|
||||
s->client_version=s->version;
|
||||
#else
|
||||
*(p++)=s->client_version>>8;
|
||||
*(p++)=s->client_version&0xff;
|
||||
#endif
|
||||
|
||||
/* Random stuff */
|
||||
memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
|
||||
|
||||
@@ -512,6 +512,9 @@ int ssl3_enc(SSL *s, int send)
|
||||
|
||||
/* we need to add 'i-1' padding bytes */
|
||||
l+=i;
|
||||
/* the last of these zero bytes will be overwritten
|
||||
* with the padding length. */
|
||||
memset(&rec->input[rec->length], 0, i);
|
||||
rec->length+=i;
|
||||
rec->input[l-1]=(i-1);
|
||||
}
|
||||
|
||||
@@ -3589,7 +3589,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
|
||||
ctx->srp_ctx.login = NULL;
|
||||
if (parg == NULL)
|
||||
break;
|
||||
if (strlen((char *)parg) > 254)
|
||||
if (strlen((const char *)parg) > 255 || strlen((const char *)parg) < 1)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_SRP_USERNAME);
|
||||
return 0;
|
||||
|
||||
@@ -295,6 +295,7 @@ int ssl3_accept(SSL *s)
|
||||
}
|
||||
|
||||
s->init_num=0;
|
||||
s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
|
||||
|
||||
if (s->state != SSL_ST_RENEGOTIATE)
|
||||
{
|
||||
@@ -881,6 +882,13 @@ int ssl3_check_client_hello(SSL *s)
|
||||
s->s3->tmp.reuse_message = 1;
|
||||
if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
|
||||
{
|
||||
/* We only allow the client to restart the handshake once per
|
||||
* negotiation. */
|
||||
if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
|
||||
return -1;
|
||||
}
|
||||
/* Throw away what we have done so far in the current handshake,
|
||||
* which will now be aborted. (A full SSL_clear would be too much.) */
|
||||
#ifndef OPENSSL_NO_DH
|
||||
@@ -897,6 +905,7 @@ int ssl3_check_client_hello(SSL *s)
|
||||
s->s3->tmp.ecdh = NULL;
|
||||
}
|
||||
#endif
|
||||
s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
|
||||
return 2;
|
||||
}
|
||||
return 1;
|
||||
@@ -2291,6 +2300,7 @@ int ssl3_get_client_key_exchange(SSL *s)
|
||||
if (i <= 0)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
|
||||
BN_clear_free(pub);
|
||||
goto err;
|
||||
}
|
||||
|
||||
@@ -2900,7 +2910,7 @@ int ssl3_get_cert_verify(SSL *s)
|
||||
SSL3_ST_SR_CERT_VRFY_A,
|
||||
SSL3_ST_SR_CERT_VRFY_B,
|
||||
-1,
|
||||
514, /* 514? */
|
||||
516, /* Enough for 4096 bit RSA key with TLS v1.2 */
|
||||
&ok);
|
||||
|
||||
if (!ok) return((int)n);
|
||||
|
||||
@@ -218,7 +218,7 @@ $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
|
||||
"s23_meth,s23_srvr,s23_clnt,s23_lib,s23_pkt,"+ -
|
||||
"t1_meth,t1_srvr,t1_clnt,t1_lib,t1_enc,"+ -
|
||||
"d1_meth,d1_srvr,d1_clnt,d1_lib,d1_pkt,"+ -
|
||||
"d1_both,d1_enc,"+ -
|
||||
"d1_both,d1_enc,d1_srtp,"+ -
|
||||
"ssl_lib,ssl_err2,ssl_cert,ssl_sess,"+ -
|
||||
"ssl_ciph,ssl_stat,ssl_rsa,"+ -
|
||||
"ssl_asn1,ssl_txt,ssl_algs,"+ -
|
||||
|
||||
112
ssl/ssl.h
112
ssl/ssl.h
@@ -927,29 +927,9 @@ struct ssl_ctx_st
|
||||
/* Callback for status request */
|
||||
int (*tlsext_status_cb)(SSL *ssl, void *arg);
|
||||
void *tlsext_status_arg;
|
||||
|
||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
/* Next protocol negotiation information */
|
||||
/* (for experimental NPN extension). */
|
||||
|
||||
/* For a server, this contains a callback function by which the set of
|
||||
* advertised protocols can be provided. */
|
||||
int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
|
||||
unsigned int *len, void *arg);
|
||||
void *next_protos_advertised_cb_arg;
|
||||
/* For a client, this contains a callback function that selects the
|
||||
* next protocol from the list provided by the server. */
|
||||
int (*next_proto_select_cb)(SSL *s, unsigned char **out,
|
||||
unsigned char *outlen,
|
||||
const unsigned char *in,
|
||||
unsigned int inlen,
|
||||
void *arg);
|
||||
void *next_proto_select_cb_arg;
|
||||
|
||||
/* draft-rescorla-tls-opaque-prf-input-00.txt information */
|
||||
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
|
||||
void *tlsext_opaque_prf_input_callback_arg;
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
@@ -972,6 +952,24 @@ struct ssl_ctx_st
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
/* Next protocol negotiation information */
|
||||
/* (for experimental NPN extension). */
|
||||
|
||||
/* For a server, this contains a callback function by which the set of
|
||||
* advertised protocols can be provided. */
|
||||
int (*next_protos_advertised_cb)(SSL *s, const unsigned char **buf,
|
||||
unsigned int *len, void *arg);
|
||||
void *next_protos_advertised_cb_arg;
|
||||
/* For a client, this contains a callback function that selects the
|
||||
* next protocol from the list provided by the server. */
|
||||
int (*next_proto_select_cb)(SSL *s, unsigned char **out,
|
||||
unsigned char *outlen,
|
||||
const unsigned char *in,
|
||||
unsigned int inlen,
|
||||
void *arg);
|
||||
void *next_proto_select_cb_arg;
|
||||
# endif
|
||||
/* SRTP profiles we are willing to do from RFC 5764 */
|
||||
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
|
||||
#endif
|
||||
@@ -1147,10 +1145,6 @@ struct ssl_st
|
||||
* NB: For servers, the 'new' session may actually be a previously
|
||||
* cached session or even the previous session unless
|
||||
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION is set */
|
||||
int renegotiate;/* 1 if we are renegotiating.
|
||||
* 2 if we are a server and are inside a handshake
|
||||
* (i.e. not just sending a HelloRequest) */
|
||||
|
||||
int quiet_shutdown;/* don't send shutdown packets */
|
||||
int shutdown; /* we have shut things down, 0x01 sent, 0x02
|
||||
* for received */
|
||||
@@ -1248,10 +1242,6 @@ struct ssl_st
|
||||
unsigned char *psk, unsigned int max_psk_len);
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
SRP_CTX srp_ctx; /* ctx for SRP authentication */
|
||||
#endif
|
||||
|
||||
SSL_CTX *ctx;
|
||||
/* set this flag to 1 and a sleep(1) is put into all SSL_read()
|
||||
* and SSL_write() calls, good for nbio debuging :-) */
|
||||
@@ -1349,6 +1339,14 @@ struct ssl_st
|
||||
#else
|
||||
#define session_ctx ctx
|
||||
#endif /* OPENSSL_NO_TLSEXT */
|
||||
|
||||
int renegotiate;/* 1 if we are renegotiating.
|
||||
* 2 if we are a server and are inside a handshake
|
||||
* (i.e. not just sending a HelloRequest) */
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
SRP_CTX srp_ctx; /* ctx for SRP authentication */
|
||||
#endif
|
||||
};
|
||||
|
||||
#endif
|
||||
@@ -2040,7 +2038,7 @@ int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secre
|
||||
|
||||
void SSL_set_debug(SSL *s, int debug);
|
||||
int SSL_cache_hit(SSL *s);
|
||||
|
||||
|
||||
/* BEGIN ERROR CODES */
|
||||
/* The following lines are auto generated by the script mkerr.pl. Any changes
|
||||
* made after this point may be overwritten when the script is next run.
|
||||
@@ -2068,7 +2066,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_DTLS1_GET_MESSAGE_FRAGMENT 253
|
||||
#define SSL_F_DTLS1_GET_RECORD 254
|
||||
#define SSL_F_DTLS1_HANDLE_TIMEOUT 297
|
||||
#define SSL_F_DTLS1_HEARTBEAT 314
|
||||
#define SSL_F_DTLS1_HEARTBEAT 305
|
||||
#define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
|
||||
#define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
|
||||
#define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
|
||||
@@ -2118,6 +2116,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL3_CALLBACK_CTRL 233
|
||||
#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
|
||||
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
|
||||
#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
|
||||
#define SSL_F_SSL3_CLIENT_HELLO 131
|
||||
#define SSL_F_SSL3_CONNECT 132
|
||||
#define SSL_F_SSL3_CTRL 213
|
||||
@@ -2136,7 +2135,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL3_GET_KEY_EXCHANGE 141
|
||||
#define SSL_F_SSL3_GET_MESSAGE 142
|
||||
#define SSL_F_SSL3_GET_NEW_SESSION_TICKET 283
|
||||
#define SSL_F_SSL3_GET_NEXT_PROTO 305
|
||||
#define SSL_F_SSL3_GET_NEXT_PROTO 306
|
||||
#define SSL_F_SSL3_GET_RECORD 143
|
||||
#define SSL_F_SSL3_GET_SERVER_CERTIFICATE 144
|
||||
#define SSL_F_SSL3_GET_SERVER_DONE 145
|
||||
@@ -2224,7 +2223,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
|
||||
#define SSL_F_SSL_SESSION_NEW 189
|
||||
#define SSL_F_SSL_SESSION_PRINT_FP 190
|
||||
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 306
|
||||
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
|
||||
#define SSL_F_SSL_SESS_CERT_NEW 225
|
||||
#define SSL_F_SSL_SET_CERT 191
|
||||
#define SSL_F_SSL_SET_CIPHER_LIST 271
|
||||
@@ -2238,7 +2237,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_SET_TRUST 228
|
||||
#define SSL_F_SSL_SET_WFD 196
|
||||
#define SSL_F_SSL_SHUTDOWN 224
|
||||
#define SSL_F_SSL_SRP_CTX_INIT 304
|
||||
#define SSL_F_SSL_SRP_CTX_INIT 313
|
||||
#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
|
||||
#define SSL_F_SSL_UNDEFINED_FUNCTION 197
|
||||
#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
|
||||
@@ -2258,8 +2257,8 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_TLS1_CHANGE_CIPHER_STATE 209
|
||||
#define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274
|
||||
#define SSL_F_TLS1_ENC 210
|
||||
#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 312
|
||||
#define SSL_F_TLS1_HEARTBEAT 313
|
||||
#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
|
||||
#define SSL_F_TLS1_HEARTBEAT 315
|
||||
#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
|
||||
#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
|
||||
#define SSL_F_TLS1_PRF 284
|
||||
@@ -2299,12 +2298,13 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_BAD_RSA_MODULUS_LENGTH 121
|
||||
#define SSL_R_BAD_RSA_SIGNATURE 122
|
||||
#define SSL_R_BAD_SIGNATURE 123
|
||||
#define SSL_R_BAD_SRP_A_LENGTH 346
|
||||
#define SSL_R_BAD_SRP_B_LENGTH 347
|
||||
#define SSL_R_BAD_SRP_G_LENGTH 348
|
||||
#define SSL_R_BAD_SRP_N_LENGTH 349
|
||||
#define SSL_R_BAD_SRP_S_LENGTH 350
|
||||
#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 360
|
||||
#define SSL_R_BAD_SRP_A_LENGTH 347
|
||||
#define SSL_R_BAD_SRP_B_LENGTH 348
|
||||
#define SSL_R_BAD_SRP_G_LENGTH 349
|
||||
#define SSL_R_BAD_SRP_N_LENGTH 350
|
||||
#define SSL_R_BAD_SRP_S_LENGTH 351
|
||||
#define SSL_R_BAD_SRTP_MKI_VALUE 352
|
||||
#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
|
||||
#define SSL_R_BAD_SSL_FILETYPE 124
|
||||
#define SSL_R_BAD_SSL_SESSION_ID_LENGTH 125
|
||||
#define SSL_R_BAD_STATE 126
|
||||
@@ -2343,7 +2343,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322
|
||||
#define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323
|
||||
#define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310
|
||||
#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 361
|
||||
#define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354
|
||||
#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150
|
||||
#define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282
|
||||
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 151
|
||||
@@ -2360,7 +2360,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_INVALID_COMMAND 280
|
||||
#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
|
||||
#define SSL_R_INVALID_PURPOSE 278
|
||||
#define SSL_R_INVALID_SRP_USERNAME 351
|
||||
#define SSL_R_INVALID_SRP_USERNAME 357
|
||||
#define SSL_R_INVALID_STATUS_RESPONSE 328
|
||||
#define SSL_R_INVALID_TICKET_KEYS_LENGTH 325
|
||||
#define SSL_R_INVALID_TRUST 279
|
||||
@@ -2390,13 +2390,13 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_MISSING_RSA_CERTIFICATE 168
|
||||
#define SSL_R_MISSING_RSA_ENCRYPTING_CERT 169
|
||||
#define SSL_R_MISSING_RSA_SIGNING_CERT 170
|
||||
#define SSL_R_MISSING_SRP_PARAM 352
|
||||
#define SSL_R_MISSING_SRP_USERNAME 353
|
||||
#define SSL_R_MISSING_SRP_PARAM 358
|
||||
#define SSL_R_MISSING_TMP_DH_KEY 171
|
||||
#define SSL_R_MISSING_TMP_ECDH_KEY 311
|
||||
#define SSL_R_MISSING_TMP_RSA_KEY 172
|
||||
#define SSL_R_MISSING_TMP_RSA_PKEY 173
|
||||
#define SSL_R_MISSING_VERIFY_MESSAGE 174
|
||||
#define SSL_R_MULTIPLE_SGC_RESTARTS 346
|
||||
#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
|
||||
#define SSL_R_NO_CERTIFICATES_RETURNED 176
|
||||
#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
|
||||
@@ -2420,7 +2420,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_NO_RENEGOTIATION 339
|
||||
#define SSL_R_NO_REQUIRED_DIGEST 324
|
||||
#define SSL_R_NO_SHARED_CIPHER 193
|
||||
#define SSL_R_NO_SRTP_PROFILES 362
|
||||
#define SSL_R_NO_SRTP_PROFILES 359
|
||||
#define SSL_R_NO_VERIFY_CALLBACK 194
|
||||
#define SSL_R_NULL_SSL_CTX 195
|
||||
#define SSL_R_NULL_SSL_METHOD_PASSED 196
|
||||
@@ -2464,12 +2464,12 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_SERVERHELLO_TLSEXT 275
|
||||
#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
|
||||
#define SSL_R_SHORT_READ 219
|
||||
#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 359
|
||||
#define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
|
||||
#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
|
||||
#define SSL_R_SRP_A_CALC 354
|
||||
#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 363
|
||||
#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 364
|
||||
#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 365
|
||||
#define SSL_R_SRP_A_CALC 361
|
||||
#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 362
|
||||
#define SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG 363
|
||||
#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 364
|
||||
#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
|
||||
#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 299
|
||||
#define SSL_R_SSL3_EXT_INVALID_ECPOINTFORMAT 321
|
||||
@@ -2514,8 +2514,8 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
|
||||
#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
|
||||
#define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
|
||||
#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 368
|
||||
#define SSL_R_TLS_HEARTBEAT_PENDING 369
|
||||
#define SSL_R_TLS_HEARTBEAT_PEER_DOESNT_ACCEPT 365
|
||||
#define SSL_R_TLS_HEARTBEAT_PENDING 366
|
||||
#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
|
||||
#define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
|
||||
#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
|
||||
@@ -2538,7 +2538,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
|
||||
#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
|
||||
#define SSL_R_UNKNOWN_CIPHER_TYPE 249
|
||||
#define SSL_R_UNKNOWN_DIGEST 357
|
||||
#define SSL_R_UNKNOWN_DIGEST 368
|
||||
#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 250
|
||||
#define SSL_R_UNKNOWN_PKEY_TYPE 251
|
||||
#define SSL_R_UNKNOWN_PROTOCOL 252
|
||||
@@ -2553,14 +2553,14 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_UNSUPPORTED_PROTOCOL 258
|
||||
#define SSL_R_UNSUPPORTED_SSL_VERSION 259
|
||||
#define SSL_R_UNSUPPORTED_STATUS_TYPE 329
|
||||
#define SSL_R_USE_SRTP_NOT_NEGOTIATED 366
|
||||
#define SSL_R_USE_SRTP_NOT_NEGOTIATED 369
|
||||
#define SSL_R_WRITE_BIO_NOT_SET 260
|
||||
#define SSL_R_WRONG_CIPHER_RETURNED 261
|
||||
#define SSL_R_WRONG_MESSAGE_TYPE 262
|
||||
#define SSL_R_WRONG_NUMBER_OF_KEY_BITS 263
|
||||
#define SSL_R_WRONG_SIGNATURE_LENGTH 264
|
||||
#define SSL_R_WRONG_SIGNATURE_SIZE 265
|
||||
#define SSL_R_WRONG_SIGNATURE_TYPE 358
|
||||
#define SSL_R_WRONG_SIGNATURE_TYPE 370
|
||||
#define SSL_R_WRONG_SSL_VERSION 266
|
||||
#define SSL_R_WRONG_VERSION_NUMBER 267
|
||||
#define SSL_R_X509_LIB 268
|
||||
|
||||
21
ssl/ssl3.h
21
ssl/ssl3.h
@@ -388,6 +388,17 @@ typedef struct ssl3_buffer_st
|
||||
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
|
||||
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
|
||||
#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
|
||||
|
||||
/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
|
||||
* restart a handshake because of MS SGC and so prevents us
|
||||
* from restarting the handshake in a loop. It's reset on a
|
||||
* renegotiation, so effectively limits the client to one restart
|
||||
* per negotiation. This limits the possibility of a DDoS
|
||||
* attack where the client handshakes in a loop using SGC to
|
||||
* restart. Servers which permit renegotiation can still be
|
||||
* effected, but we can't prevent that.
|
||||
*/
|
||||
#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
|
||||
|
||||
#ifndef OPENSSL_NO_SSL_INTERN
|
||||
|
||||
@@ -466,11 +477,6 @@ typedef struct ssl3_state_st
|
||||
void *server_opaque_prf_input;
|
||||
size_t server_opaque_prf_input_len;
|
||||
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
/* Set if we saw the Next Protocol Negotiation extension from our peer. */
|
||||
int next_proto_neg_seen;
|
||||
#endif
|
||||
|
||||
struct {
|
||||
/* actually only needs to be 16+20 */
|
||||
unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2];
|
||||
@@ -528,6 +534,11 @@ typedef struct ssl3_state_st
|
||||
unsigned char previous_server_finished[EVP_MAX_MD_SIZE];
|
||||
unsigned char previous_server_finished_len;
|
||||
int send_connection_binding; /* TODOEKR */
|
||||
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
/* Set if we saw the Next Protocol Negotiation extension from our peer. */
|
||||
int next_proto_neg_seen;
|
||||
#endif
|
||||
} SSL3_STATE;
|
||||
|
||||
#endif
|
||||
|
||||
@@ -90,7 +90,7 @@ int SSL_library_init(void)
|
||||
EVP_add_cipher(EVP_aes_256_cbc());
|
||||
EVP_add_cipher(EVP_aes_128_gcm());
|
||||
EVP_add_cipher(EVP_aes_256_gcm());
|
||||
#if !defined(OPENSSL_NO_SHA) && !defined(OPNESSL_NO_SHA1)
|
||||
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
|
||||
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
|
||||
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
|
||||
#endif
|
||||
|
||||
@@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
|
||||
{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
|
||||
{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
|
||||
@@ -327,6 +328,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
||||
{ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) ,"bad srp g length"},
|
||||
{ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) ,"bad srp n length"},
|
||||
{ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) ,"bad srp s length"},
|
||||
{ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) ,"bad srtp mki value"},
|
||||
{ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
|
||||
{ERR_REASON(SSL_R_BAD_SSL_FILETYPE) ,"bad ssl filetype"},
|
||||
{ERR_REASON(SSL_R_BAD_SSL_SESSION_ID_LENGTH),"bad ssl session id length"},
|
||||
@@ -414,12 +416,12 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
||||
{ERR_REASON(SSL_R_MISSING_RSA_ENCRYPTING_CERT),"missing rsa encrypting cert"},
|
||||
{ERR_REASON(SSL_R_MISSING_RSA_SIGNING_CERT),"missing rsa signing cert"},
|
||||
{ERR_REASON(SSL_R_MISSING_SRP_PARAM) ,"can't find SRP server param"},
|
||||
{ERR_REASON(SSL_R_MISSING_SRP_USERNAME) ,"missing srp username"},
|
||||
{ERR_REASON(SSL_R_MISSING_TMP_DH_KEY) ,"missing tmp dh key"},
|
||||
{ERR_REASON(SSL_R_MISSING_TMP_ECDH_KEY) ,"missing tmp ecdh key"},
|
||||
{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
|
||||
{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
|
||||
{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
|
||||
{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
|
||||
{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
|
||||
{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
|
||||
{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
|
||||
|
||||
@@ -1079,8 +1079,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
|
||||
s->max_cert_list=larg;
|
||||
return(l);
|
||||
case SSL_CTRL_SET_MTU:
|
||||
#ifndef OPENSSL_NO_DTLS1
|
||||
if (larg < (long)dtls1_min_mtu())
|
||||
return 0;
|
||||
#endif
|
||||
|
||||
if (SSL_version(s) == DTLS1_VERSION ||
|
||||
SSL_version(s) == DTLS1_BAD_VER)
|
||||
|
||||
92
ssl/t1_lib.c
92
ssl/t1_lib.c
@@ -432,25 +432,29 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
#define MIN(x,y) (((x)<(y))?(x):(y))
|
||||
/* we add SRP username the first time only if we have one! */
|
||||
/* Add SRP username if there is one */
|
||||
if (s->srp_ctx.login != NULL)
|
||||
{/* Add TLS extension SRP username to the Client Hello message */
|
||||
int login_len = MIN(strlen(s->srp_ctx.login) + 1, 255);
|
||||
long lenmax;
|
||||
{ /* Add TLS extension SRP username to the Client Hello message */
|
||||
|
||||
if ((lenmax = limit - ret - 5) < 0) return NULL;
|
||||
if (login_len > lenmax) return NULL;
|
||||
if (login_len > 255)
|
||||
int login_len = strlen(s->srp_ctx.login);
|
||||
if (login_len > 255 || login_len == 0)
|
||||
{
|
||||
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/* check for enough space.
|
||||
4 for the srp type type and entension length
|
||||
1 for the srp user identity
|
||||
+ srp user identity length
|
||||
*/
|
||||
if ((limit - ret - 5 - login_len) < 0) return NULL;
|
||||
|
||||
/* fill in the extension */
|
||||
s2n(TLSEXT_TYPE_srp,ret);
|
||||
s2n(login_len+1,ret);
|
||||
|
||||
(*ret++) = (unsigned char) MIN(strlen(s->srp_ctx.login), 254);
|
||||
memcpy(ret, s->srp_ctx.login, MIN(strlen(s->srp_ctx.login), 254));
|
||||
(*ret++) = (unsigned char) login_len;
|
||||
memcpy(ret, s->srp_ctx.login, login_len);
|
||||
ret+=login_len;
|
||||
}
|
||||
#endif
|
||||
@@ -812,17 +816,21 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
/* Add Heartbeat extension */
|
||||
s2n(TLSEXT_TYPE_heartbeat,ret);
|
||||
s2n(1,ret);
|
||||
/* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
|
||||
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
else
|
||||
*(ret++) = SSL_TLSEXT_HB_ENABLED;
|
||||
/* Add Heartbeat extension if we've received one */
|
||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED)
|
||||
{
|
||||
s2n(TLSEXT_TYPE_heartbeat,ret);
|
||||
s2n(1,ret);
|
||||
/* Set mode:
|
||||
* 1: peer may send requests
|
||||
* 2: peer not allowed to send requests
|
||||
*/
|
||||
if (s->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_RECV_REQUESTS)
|
||||
*(ret++) = SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
else
|
||||
*(ret++) = SSL_TLSEXT_HB_ENABLED;
|
||||
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
@@ -1003,13 +1011,25 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
else if (type == TLSEXT_TYPE_srp)
|
||||
{
|
||||
if (size > 0)
|
||||
if (size <= 0 || ((len = data[0])) != (size -1))
|
||||
{
|
||||
len = data[0];
|
||||
if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
|
||||
return -1;
|
||||
memcpy(s->srp_ctx.login, &data[1], len);
|
||||
s->srp_ctx.login[len]='\0';
|
||||
*al = SSL_AD_DECODE_ERROR;
|
||||
return 0;
|
||||
}
|
||||
if (s->srp_ctx.login != NULL)
|
||||
{
|
||||
*al = SSL_AD_DECODE_ERROR;
|
||||
return 0;
|
||||
}
|
||||
if ((s->srp_ctx.login = OPENSSL_malloc(len+1)) == NULL)
|
||||
return -1;
|
||||
memcpy(s->srp_ctx.login, &data[1], len);
|
||||
s->srp_ctx.login[len]='\0';
|
||||
|
||||
if (strlen(s->srp_ctx.login) != len)
|
||||
{
|
||||
*al = SSL_AD_DECODE_ERROR;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -1244,6 +1264,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
sdata = data;
|
||||
if (dsize > 0)
|
||||
{
|
||||
if (s->tlsext_ocsp_exts)
|
||||
{
|
||||
sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
|
||||
X509_EXTENSION_free);
|
||||
}
|
||||
|
||||
s->tlsext_ocsp_exts =
|
||||
d2i_X509_EXTENSIONS(NULL,
|
||||
&sdata, dsize);
|
||||
@@ -1273,6 +1299,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
|
||||
s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
break;
|
||||
default: *al = SSL_AD_ILLEGAL_PARAMETER;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -1544,6 +1572,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED;
|
||||
s->tlsext_heartbeat |= SSL_TLSEXT_HB_DONT_SEND_REQUESTS;
|
||||
break;
|
||||
default: *al = SSL_AD_ILLEGAL_PARAMETER;
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
@@ -2231,7 +2261,7 @@ static tls12_lookup tls12_sig[] = {
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
{EVP_PKEY_RSA, TLSEXT_signature_rsa},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
{EVP_PKEY_DSA, TLSEXT_signature_dsa},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ECDSA
|
||||
@@ -2265,6 +2295,8 @@ static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
|
||||
int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
|
||||
{
|
||||
int sig_id, md_id;
|
||||
if (!md)
|
||||
return 0;
|
||||
md_id = tls12_find_id(EVP_MD_type(md), tls12_md,
|
||||
sizeof(tls12_md)/sizeof(tls12_lookup));
|
||||
if (md_id == -1)
|
||||
|
||||
@@ -59,7 +59,6 @@ while(<IN>) {
|
||||
}
|
||||
close(IN);
|
||||
|
||||
$fipsdir =~ tr/\//${o}/;
|
||||
$debug = 1 if $mf_platform =~ /^debug-/;
|
||||
|
||||
die "Makefile is not the toplevel Makefile!\n" if $ssl_version eq "";
|
||||
@@ -234,6 +233,8 @@ else
|
||||
$cflags.=' -DTERMIO';
|
||||
}
|
||||
|
||||
$fipsdir =~ s/\//${o}/g;
|
||||
|
||||
$out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":"");
|
||||
$tmp_dir=(defined($VARS{'TMP'}))?$VARS{'TMP'}:$tmp_def.($debug?".dbg":"");
|
||||
$inc_dir=(defined($VARS{'INC'}))?$VARS{'INC'}:$inc_def;
|
||||
|
||||
@@ -310,11 +310,13 @@ SSL_SESSION_get_id_len 351 NOEXIST::FUNCTION:
|
||||
kssl_ctx_get0_client_princ 352 EXIST::FUNCTION:KRB5
|
||||
SSL_export_keying_material 353 EXIST::FUNCTION:TLSEXT
|
||||
SSL_set_tlsext_use_srtp 354 EXIST::FUNCTION:
|
||||
SSL_CTX_set_next_protos_advertised_cb 355 EXIST::FUNCTION:NEXTPROTONEG
|
||||
SSL_CTX_set_next_protos_advertised_cb 355 EXIST:!VMS:FUNCTION:NEXTPROTONEG
|
||||
SSL_CTX_set_next_protos_adv_cb 355 EXIST:VMS:FUNCTION:NEXTPROTONEG
|
||||
SSL_get0_next_proto_negotiated 356 EXIST::FUNCTION:NEXTPROTONEG
|
||||
SSL_get_selected_srtp_profile 357 EXIST::FUNCTION:
|
||||
SSL_CTX_set_tlsext_use_srtp 358 EXIST::FUNCTION:
|
||||
SSL_select_next_proto 359 EXIST::FUNCTION:NEXTPROTONEG
|
||||
SSL_get_srtp_profiles 360 EXIST::FUNCTION:
|
||||
SSL_CTX_set_next_proto_select_cb 361 EXIST::FUNCTION:NEXTPROTONEG
|
||||
SSL_CTX_set_next_proto_select_cb 361 EXIST:!VMS:FUNCTION:NEXTPROTONEG
|
||||
SSL_CTX_set_next_proto_sel_cb 361 EXIST:VMS:FUNCTION:NEXTPROTONEG
|
||||
SSL_SESSION_get_compress_id 362 EXIST::FUNCTION:
|
||||
|
||||
Reference in New Issue
Block a user