import SNAP-20091226
parent
48b5ff6259
commit
cef2ee707e
|
@ -2,12 +2,65 @@
|
|||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 0.9.8k and 1.0 [xx XXX xxxx]
|
||||
Changes between 1.0.0 and 1.1.0 [xx XXX xxxx]
|
||||
|
||||
*) Delete MD2 from algorithm tables. This follows the recommendation in
|
||||
several standards that it is not used in new applications due to
|
||||
several cryptographic weaknesses. The algorithm is also disabled in
|
||||
the default configuration.
|
||||
*) Initial TLSv1.1 support. Since TLSv1.1 is very similar to TLS v1.0 only
|
||||
a few changes are required:
|
||||
|
||||
Add SSL_OP_NO_TLSv1_1 flag.
|
||||
Add TLSv1_1 methods.
|
||||
Update version checking logic to handle version 1.1.
|
||||
Add explicit IV handling (ported from DTLS code).
|
||||
Add command line options to s_client/s_server.
|
||||
[Steve Henson]
|
||||
|
||||
*) Experiemental password based recipient info support for CMS library:
|
||||
implementing RFC3211.
|
||||
[Steve Henson]
|
||||
|
||||
*) Split password based encryption into PBES2 and PBKDF2 functions. This
|
||||
neatly separates the code into cipher and PBE sections and is required
|
||||
for some algorithms that split PBES2 into separate pieces (such as
|
||||
password based CMS).
|
||||
[Steve Henson]
|
||||
|
||||
*) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
|
||||
return value is ignored. NB. The functions RAND_add(), RAND_seed(),
|
||||
BIO_set_cipher() and some obscure PEM functions were changed so they
|
||||
can now return an error. The RAND changes required a change to the
|
||||
RAND_METHOD structure.
|
||||
[Steve Henson]
|
||||
|
||||
*) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
|
||||
a gcc attribute to warn if the result of a function is ignored. This
|
||||
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
|
||||
whose return value is often ignored.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8m (?) and 1.0.0 [xx XXX xxxx]
|
||||
|
||||
*) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
|
||||
change when encrypting or decrypting.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Add load_crls() function to apps tidying load_certs() too. Add option
|
||||
to verify utility to allow additional CRLs to be included.
|
||||
[Steve Henson]
|
||||
|
||||
*) Update OCSP request code to permit adding custom headers to the request:
|
||||
some responders need this.
|
||||
[Steve Henson]
|
||||
|
||||
*) The function EVP_PKEY_sign() returns <=0 on error: check return code
|
||||
correctly.
|
||||
[Julia Lawall <julia@diku.dk>]
|
||||
|
||||
*) Update verify callback code in apps/s_cb.c and apps/verify.c, it
|
||||
needlessly dereferenced structures, used obsolete functions and
|
||||
didn't handle all updated verify codes correctly.
|
||||
[Steve Henson]
|
||||
|
||||
*) Disable MD2 in the default configuration.
|
||||
[Steve Henson]
|
||||
|
||||
*) In BIO_pop() and BIO_push() use the ctrl argument (which was NULL) to
|
||||
|
@ -20,9 +73,9 @@
|
|||
or they could free up already freed BIOs.
|
||||
[Steve Henson]
|
||||
|
||||
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
|
||||
OPENSSL_asc2uni the original names were too generic and cause name
|
||||
clashes on Netware.
|
||||
*) Extend the uni2asc/asc2uni => OPENSSL_uni2asc/OPENSSL_asc2uni
|
||||
renaming to all platforms (within the 0.9.8 branch, this was
|
||||
done conditionally on Netware platforms to avoid a name clash).
|
||||
[Guenter <lists@gknw.net>]
|
||||
|
||||
*) Add ECDHE and PSK support to DTLS.
|
||||
|
@ -812,12 +865,89 @@
|
|||
*) Change 'Configure' script to enable Camellia by default.
|
||||
[NTT]
|
||||
|
||||
Changes between 0.9.8k and 0.9.8l [xx XXX xxxx]
|
||||
Changes between 0.9.8l (?) and 0.9.8m (?) [xx XXX xxxx]
|
||||
|
||||
*) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
|
||||
connect (but not renegotiate) with servers which do not support RI.
|
||||
Until RI is more widely deployed this option is enabled by default.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add "missing" ssl ctrls to clear options and mode.
|
||||
[Steve Henson]
|
||||
|
||||
*) If client attempts to renegotiate and doesn't support RI respond with
|
||||
a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
|
||||
Some renegotiating TLS clients will continue a connection gracefully
|
||||
when they receive the alert. Unfortunately OpenSSL mishandled
|
||||
this alert and would hang waiting for a server hello which it will never
|
||||
receive. Now we treat a received no_renegotiation alert as a fatal
|
||||
error. This is because applications requesting a renegotiation might well
|
||||
expect it to succeed and would have no code in place to handle the server
|
||||
denying it so the only safe thing to do is to terminate the connection.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
|
||||
peer supports secure renegotiation and 0 otherwise. Print out peer
|
||||
renegotiation support in s_client/s_server.
|
||||
[Steve Henson]
|
||||
|
||||
*) Replace the highly broken and deprecated SPKAC certification method with
|
||||
the updated NID creation version. This should correctly handle UTF8.
|
||||
[Steve Henson]
|
||||
|
||||
*) Implement draft-ietf-tls-renegotiation. Re-enable
|
||||
renegotiation but require the extension as needed. Unfortunately,
|
||||
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
|
||||
bad idea. It has been replaced by
|
||||
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
|
||||
SSL_CTX_set_options(). This is really not recommended unless you
|
||||
know what you are doing.
|
||||
[Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
|
||||
|
||||
*) Fixes to stateless session resumption handling. Use initial_ctx when
|
||||
issuing and attempting to decrypt tickets in case it has changed during
|
||||
servername handling. Use a non-zero length session ID when attempting
|
||||
stateless session resumption: this makes it possible to determine if
|
||||
a resumption has occurred immediately after receiving server hello
|
||||
(several places in OpenSSL subtly assume this) instead of later in
|
||||
the handshake.
|
||||
[Steve Henson]
|
||||
|
||||
*) The functions ENGINE_ctrl(), OPENSSL_isservice(),
|
||||
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
|
||||
fixes for a few places where the return code is not checked
|
||||
correctly.
|
||||
[Julia Lawall <julia@diku.dk>]
|
||||
|
||||
*) Add --strict-warnings option to Configure script to include devteam
|
||||
warnings in other configurations.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add support for --libdir option and LIBDIR variable in makefiles. This
|
||||
makes it possible to install openssl libraries in locations which
|
||||
have names other than "lib", for example "/usr/lib64" which some
|
||||
systems need.
|
||||
[Steve Henson, based on patch from Jeremy Utley]
|
||||
|
||||
*) Don't allow the use of leading 0x80 in OIDs. This is a violation of
|
||||
X690 8.9.12 and can produce some misleading textual output of OIDs.
|
||||
[Steve Henson, reported by Dan Kaminsky]
|
||||
|
||||
*) Delete MD2 from algorithm tables. This follows the recommendation in
|
||||
several standards that it is not used in new applications due to
|
||||
several cryptographic weaknesses. For binary compatibility reasons
|
||||
the MD2 API is still compiled in by default.
|
||||
[Steve Henson]
|
||||
|
||||
*) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
|
||||
and restored.
|
||||
[Steve Henson]
|
||||
|
||||
*) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
|
||||
OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
|
||||
clash.
|
||||
[Guenter <lists@gknw.net>]
|
||||
|
||||
*) Fix the server certificate chain building code to use X509_verify_cert(),
|
||||
it used to have an ad-hoc builder which was unable to cope with anything
|
||||
other than a simple chain.
|
||||
|
@ -836,7 +966,7 @@
|
|||
left. Additionally every future messege was buffered, even if the
|
||||
sequence number made no sense and would be part of another handshake.
|
||||
So only messages with sequence numbers less than 10 in advance will be
|
||||
buffered.
|
||||
buffered. (CVE-2009-1378)
|
||||
[Robin Seggelmann, discovered by Daniel Mentz]
|
||||
|
||||
*) Records are buffered if they arrive with a future epoch to be
|
||||
|
@ -845,10 +975,11 @@
|
|||
a DOS attack with sending records with future epochs until there is no
|
||||
memory left. This patch adds the pqueue_size() function to detemine
|
||||
the size of a buffer and limits the record buffer to 100 entries.
|
||||
(CVE-2009-1377)
|
||||
[Robin Seggelmann, discovered by Daniel Mentz]
|
||||
|
||||
*) Keep a copy of frag->msg_header.frag_len so it can be used after the
|
||||
parent structure is freed.
|
||||
parent structure is freed. (CVE-2009-1379)
|
||||
[Daniel Mentz]
|
||||
|
||||
*) Handle non-blocking I/O properly in SSL_shutdown() call.
|
||||
|
@ -857,6 +988,16 @@
|
|||
*) Add 2.5.4.* OIDs
|
||||
[Ilya O. <vrghost@gmail.com>]
|
||||
|
||||
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
|
||||
|
||||
*) Disable renegotiation completely - this fixes a severe security
|
||||
problem (CVE-2009-3555) at the cost of breaking all
|
||||
renegotiation. Renegotiation can be re-enabled by setting
|
||||
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
|
||||
run-time. This is really not recommended unless you know what
|
||||
you're doing.
|
||||
[Ben Laurie]
|
||||
|
||||
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
|
||||
|
||||
*) Don't set val to NULL when freeing up structures, it is freed up by
|
||||
|
@ -895,12 +1036,12 @@
|
|||
|
||||
*) Support NumericString type for name components.
|
||||
[Steve Henson]
|
||||
|
||||
|
||||
*) Allow CC in the environment to override the automatically chosen
|
||||
compiler. Note that nothing is done to ensure flags work with the
|
||||
chosen compiler.
|
||||
[Ben Laurie]
|
||||
|
||||
|
||||
Changes between 0.9.8i and 0.9.8j [07 Jan 2009]
|
||||
|
||||
*) Properly check EVP_VerifyFinal() and similar return values
|
||||
|
@ -941,6 +1082,10 @@
|
|||
|
||||
Changes between 0.9.8h and 0.9.8i [15 Sep 2008]
|
||||
|
||||
*) Fix NULL pointer dereference if a DTLS server received
|
||||
ChangeCipherSpec as first record (CVE-2009-1386).
|
||||
[PR #1679]
|
||||
|
||||
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
|
||||
(was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
|
||||
[Nagendra Modadugu]
|
||||
|
@ -2344,19 +2489,6 @@
|
|||
differing sizes.
|
||||
[Richard Levitte]
|
||||
|
||||
Changes between 0.9.7m and 0.9.7n [xx XXX xxxx]
|
||||
|
||||
*) In the SSL/TLS server implementation, be strict about session ID
|
||||
context matching (which matters if an application uses a single
|
||||
external cache for different purposes). Previously,
|
||||
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
|
||||
set. This did ensure strict client verification, but meant that,
|
||||
with applications using a single external cache for quite
|
||||
different requirements, clients could circumvent ciphersuite
|
||||
restrictions for a given session ID context by starting a session
|
||||
in a different context.
|
||||
[Bodo Moeller]
|
||||
|
||||
Changes between 0.9.7l and 0.9.7m [23 Feb 2007]
|
||||
|
||||
*) Cleanse PEM buffers before freeing them since they may contain
|
||||
|
|
|
@ -104,6 +104,8 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
|
|||
|
||||
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
|
||||
|
||||
my $strict_warnings = 0;
|
||||
|
||||
my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
|
||||
|
||||
# MD2_CHAR slags pentium pros
|
||||
|
@ -170,9 +172,9 @@ my %table=(
|
|||
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
|
||||
"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
@ -186,7 +188,7 @@ my %table=(
|
|||
"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"dist", "cc:-O::(unknown)::::::",
|
||||
|
||||
# Basic configs that should work on any (32 and less bit) box
|
||||
|
@ -212,11 +214,11 @@ my %table=(
|
|||
# actually recommend to consider using gcc shared build even with vendor
|
||||
# compiler:-)
|
||||
# <appro@fy.chalmers.se>
|
||||
"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
|
||||
"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
|
||||
|
||||
#### Solaris x86 with Sun C setups
|
||||
"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
|
||||
"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
|
||||
|
||||
#### SPARC Solaris with GNU C setups
|
||||
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
@ -349,7 +351,7 @@ my %table=(
|
|||
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"linux-s390x", "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
|
@ -549,7 +551,7 @@ my %table=(
|
|||
"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
|
||||
|
||||
##### A/UX
|
||||
|
@ -618,9 +620,10 @@ my $idx_arflags = $idx++;
|
|||
my $idx_multilib = $idx++;
|
||||
|
||||
my $prefix="";
|
||||
my $libdir="";
|
||||
my $openssldir="";
|
||||
my $exe_ext="";
|
||||
my $install_prefix="";
|
||||
my $install_prefix= "$ENV{'INSTALL_PREFIX'}";
|
||||
my $cross_compile_prefix="";
|
||||
my $no_threads=0;
|
||||
my $threads=0;
|
||||
|
@ -664,7 +667,6 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
|
|||
"gmp" => "default",
|
||||
"jpake" => "experimental",
|
||||
"md2" => "default",
|
||||
"mdc2" => "default",
|
||||
"rc5" => "default",
|
||||
"rfc3779" => "default",
|
||||
"shared" => "default",
|
||||
|
@ -676,7 +678,7 @@ my @experimental = ();
|
|||
|
||||
# This is what $depflags will look like with the above defaults
|
||||
# (we need this to see if we should advise the user to run "make depend"):
|
||||
my $default_depflags = " -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE";
|
||||
my $default_depflags = " -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE";
|
||||
|
||||
# Explicit "no-..." options will be collected in %disabled along with the defaults.
|
||||
# To remove something from %disabled, use "enable-foo" (unless it's experimental).
|
||||
|
@ -774,6 +776,10 @@ PROCESS_ARGS:
|
|||
{
|
||||
exit(&test_sanity());
|
||||
}
|
||||
elsif (/^--strict-warnings/)
|
||||
{
|
||||
$strict_warnings = 1;
|
||||
}
|
||||
elsif (/^reconfigure/ || /^reconf/)
|
||||
{
|
||||
if (open(IN,"<$Makefile"))
|
||||
|
@ -819,6 +825,10 @@ PROCESS_ARGS:
|
|||
{
|
||||
$prefix=$1;
|
||||
}
|
||||
elsif (/^--libdir=(.*)$/)
|
||||
{
|
||||
$libdir=$1;
|
||||
}
|
||||
elsif (/^--openssldir=(.*)$/)
|
||||
{
|
||||
$openssldir=$1;
|
||||
|
@ -1031,9 +1041,14 @@ $exe_ext=".pm" if ($target =~ /vos/);
|
|||
$openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
|
||||
$prefix=$openssldir if $prefix eq "";
|
||||
|
||||
$libdir="lib" if $libdir eq "";
|
||||
|
||||
$default_ranlib= &which("ranlib") or $default_ranlib="true";
|
||||
$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
|
||||
or $perl="perl";
|
||||
my $make = $ENV{'MAKE'} || "make";
|
||||
|
||||
$cross_compile_prefix=$ENV{'CROSS_COMPILE'} if $cross_compile_prefix eq "";
|
||||
|
||||
chop $openssldir if $openssldir =~ /\/$/;
|
||||
chop $prefix if $prefix =~ /.\/$/;
|
||||
|
@ -1075,7 +1090,8 @@ my $shared_target = $fields[$idx_shared_target];
|
|||
my $shared_cflag = $fields[$idx_shared_cflag];
|
||||
my $shared_ldflag = $fields[$idx_shared_ldflag];
|
||||
my $shared_extension = $fields[$idx_shared_extension];
|
||||
my $ranlib = $fields[$idx_ranlib];
|
||||
my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
|
||||
my $ar = $ENV{'AR'} || "ar";
|
||||
my $arflags = $fields[$idx_arflags];
|
||||
my $multilib = $fields[$idx_multilib];
|
||||
|
||||
|
@ -1430,6 +1446,16 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
|
|||
$shlib_minor=$2;
|
||||
}
|
||||
|
||||
if ($strict_warnings)
|
||||
{
|
||||
my $wopt;
|
||||
die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
|
||||
foreach $wopt (split /\s+/, $gcc_devteam_warn)
|
||||
{
|
||||
$cflags .= " $wopt" unless ($cflags =~ /$wopt/)
|
||||
}
|
||||
}
|
||||
|
||||
open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
|
||||
unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
|
||||
open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
|
||||
|
@ -1460,20 +1486,22 @@ while (<IN>)
|
|||
s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
|
||||
s/^MULTILIB=.*$/MULTILIB=$multilib/;
|
||||
s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
|
||||
s/^LIBDIR=.*$/LIBDIR=$libdir/;
|
||||
s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
|
||||
s/^PLATFORM=.*$/PLATFORM=$target/;
|
||||
s/^OPTIONS=.*$/OPTIONS=$options/;
|
||||
s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/;
|
||||
if ($cross_compile_prefix)
|
||||
{
|
||||
s/^CC=.*$/CROSS_COMPILE_PREFIX= $cross_compile_prefix\nCC= \$\(CROSS_COMPILE_PREFIX\)$cc/;
|
||||
s/^AR=\s*/AR= \$\(CROSS_COMPILE_PREFIX\)/;
|
||||
s/^NM=\s*/NM= \$\(CROSS_COMPILE_PREFIX\)/;
|
||||
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE_PREFIX\)/;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE_PREFIX\)$cc/ if $cc eq "gcc";
|
||||
s/^CC=.*$/CROSS_COMPILE= $cross_compile_prefix\nCC= \$\(CROSS_COMPILE\)$cc/;
|
||||
s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
|
||||
s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
|
||||
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
|
||||
}
|
||||
else {
|
||||
s/^CC=.*$/CC= $cc/;
|
||||
s/^AR=\s*ar/AR= $ar/;
|
||||
s/^RANLIB=.*/RANLIB= $ranlib/;
|
||||
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
|
||||
}
|
||||
|
@ -1757,7 +1785,7 @@ if($IsMK1MF) {
|
|||
EOF
|
||||
close(OUT);
|
||||
} else {
|
||||
my $make_command = "make PERL=\'$perl\'";
|
||||
my $make_command = "$make PERL=\'$perl\'";
|
||||
my $make_targets = "";
|
||||
$make_targets .= " links" if $symlink;
|
||||
$make_targets .= " depend" if $depflags ne $default_depflags && $make_depend;
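Review bot: The duplicate check in the new `--strict-warnings` block, `unless ($cflags =~ /$wopt/)`, interpolates each flag as an unescaped, unanchored regex, so a flag counts as already present whenever it is only a substring of another option in `$cflags` (for example `-Werror` inside `-Werror=...`, or `-Wformat` inside `-Wformat-security`). In that case the devteam flag is silently left out of the build. Matching the flag literally as a whole word avoids this: `$cflags .= " $wopt" unless ($cflags =~ /(?:^|\s)\Q$wopt\E(?:\s|$)/);`. Separately, `my $install_prefix= "$ENV{'INSTALL_PREFIX'}";` interpolates an undefined value when the variable is unset; `$ENV{'INSTALL_PREFIX'} || ""` would match the `$ENV{'RANLIB'} || ...` form this change uses elsewhere. The values now taken from `MAKE`, `AR`, `RANLIB` and `CROSS_COMPILE` are written into the Makefile and the make command unchanged, so the usage text should say the environment is trusted build input.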
|
||||
|
|
|
@ -70,6 +70,7 @@ OpenSSL - Frequently Asked Questions
|
|||
* I think I've detected a memory leak, is this a bug?
|
||||
* Why does Valgrind complain about the use of uninitialized data?
|
||||
* Why doesn't a memory BIO work when a file does?
|
||||
* Where are the declarations and implementations of d2i_X509() etc?
|
||||
|
||||
===============================================================================
|
||||
|
||||
|
@ -967,4 +968,15 @@ is needed. This must be done by calling:
|
|||
See the manual pages for more details.
|
||||
|
||||
|
||||
* Where are the declarations and implementations of d2i_X509() etc?
|
||||
|
||||
These are defined and implemented by macros of the form:
|
||||
|
||||
|
||||
DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
|
||||
|
||||
The implementation passes an ASN1 "template" defining the structure into an
|
||||
ASN1 interpreter using generalised functions such as ASN1_item_d2i().
|
||||
|
||||
|
||||
===============================================================================
|
||||
|
|
|
@ -71,6 +71,7 @@ PERL= perl
|
|||
TAR= tar
|
||||
TARFLAGS= --no-recursion
|
||||
MAKEDEPPROG=makedepend
|
||||
LIBDIR=lib
|
||||
|
||||
# We let the C compiler driver to take care of .s files. This is done in
|
||||
# order to be excused from maintaining a separate set of architecture
|
||||
|
@ -179,11 +180,12 @@ BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
|
|||
CC='$(CC)' CFLAG='$(CFLAG)' \
|
||||
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
|
||||
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
|
||||
CROSS_COMPILE_PREFIX='$(CROSS_COMPILE_PREFIX)' \
|
||||
CROSS_COMPILE='$(CROSS_COMPILE)' \
|
||||
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
|
||||
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/lib' \
|
||||
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \
|
||||
INSTALL_PREFIX='$(INSTALL_PREFIX)' \
|
||||
INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)' \
|
||||
LIBDIR='$(LIBDIR)' \
|
||||
MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
|
||||
DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \
|
||||
MAKEDEPPROG='$(MAKEDEPPROG)' \
|
||||
|
@ -299,7 +301,7 @@ build-shared: do_$(SHLIB_TARGET) link-shared
|
|||
|
||||
do_$(SHLIB_TARGET):
|
||||
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
|
||||
if [ "$(SHLIBDIRS)" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
||||
|
@ -313,7 +315,7 @@ do_$(SHLIB_TARGET):
|
|||
libcrypto.pc: Makefile
|
||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||
echo 'exec_prefix=$${prefix}'; \
|
||||
echo 'libdir=$${exec_prefix}/lib'; \
|
||||
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
|
||||
echo 'includedir=$${prefix}/include'; \
|
||||
echo ''; \
|
||||
echo 'Name: OpenSSL-libcrypto'; \
|
||||
|
@ -326,7 +328,7 @@ libcrypto.pc: Makefile
|
|||
libssl.pc: Makefile
|
||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||
echo 'exec_prefix=$${prefix}'; \
|
||||
echo 'libdir=$${exec_prefix}/lib'; \
|
||||
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
|
||||
echo 'includedir=$${prefix}/include'; \
|
||||
echo ''; \
|
||||
echo 'Name: OpenSSL'; \
|
||||
|
@ -339,7 +341,7 @@ libssl.pc: Makefile
|
|||
openssl.pc: Makefile
|
||||
@ ( echo 'prefix=$(INSTALLTOP)'; \
|
||||
echo 'exec_prefix=$${prefix}'; \
|
||||
echo 'libdir=$${exec_prefix}/lib'; \
|
||||
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
|
||||
echo 'includedir=$${prefix}/include'; \
|
||||
echo ''; \
|
||||
echo 'Name: OpenSSL'; \
|
||||
|
@ -392,7 +394,7 @@ dclean:
|
|||
|
||||
rehash: rehash.time
|
||||
rehash.time: certs apps
|
||||
@if [ -z "$(CROSS_COMPILE_PREFIX)" ]; then \
|
||||
@if [ -z "$(CROSS_COMPILE)" ]; then \
|
||||
(OPENSSL="`pwd`/util/opensslwrap.sh"; \
|
||||
[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
|
||||
OPENSSL_DEBUG_MEMORY=on; \
|
||||
|
@ -424,7 +426,7 @@ tags:
|
|||
errors:
|
||||
$(PERL) util/mkerr.pl -recurse -write
|
||||
(cd engines; $(MAKE) PERL=$(PERL) errors)
|
||||
$(PERL) util/ck_errf.pl */*.c */*/*.c
|
||||
$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
|
||||
|
||||
stacks:
|
||||
$(PERL) util/mkstack.pl -write
|
||||
|
@ -494,9 +496,9 @@ install: all install_docs install_sw
|
|||
|
||||
install_sw:
|
||||
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
|
||||
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
|
||||
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
|
||||
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
|
||||
|
@ -511,10 +513,10 @@ install_sw:
|
|||
do \
|
||||
if [ -f "$$i" ]; then \
|
||||
( echo installing $$i; \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
|
||||
fi; \
|
||||
done;
|
||||
@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
|
||||
|
@ -524,17 +526,17 @@ install_sw:
|
|||
if [ -f "$$i" -o -f "$$i.a" ]; then \
|
||||
( echo installing $$i; \
|
||||
if [ "$(PLATFORM)" != "Cygwin" ]; then \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
|
||||
else \
|
||||
c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
|
||||
cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
|
||||
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
|
||||
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
|
||||
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
|
||||
fi ); \
|
||||
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
|
||||
( case $$i in \
|
||||
|
@ -558,12 +560,12 @@ install_sw:
|
|||
sed -e '1,/^$$/d' doc/openssl-shared.txt; \
|
||||
fi; \
|
||||
fi
|
||||
cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
|
||||
cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
|
||||
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
|
||||
cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
|
||||
cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
|
||||
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
|
||||
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
|
||||
|
||||
install_html_docs:
|
||||
here="`pwd`"; \
|
||||
|
|
|
@ -238,7 +238,7 @@ link_a.darwin:
|
|||
if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
|
||||
SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
|
||||
fi; \
|
||||
SHAREDFLAGS="$$SHAREDFLAGS -install_name $(INSTALLTOP)/lib/$$SHLIB$(SHLIB_EXT)"; \
|
||||
SHAREDFLAGS="$$SHAREDFLAGS -install_name $(INSTALLTOP)/$(LIBDIR)/$$SHLIB$(SHLIB_EXT)"; \
|
||||
$(LINK_SO_A)
|
||||
link_app.darwin: # is there run-path on darwin?
|
||||
$(LINK_APP)
|
||||
|
@ -281,7 +281,7 @@ link_a.cygwin:
|
|||
fi; \
|
||||
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
|
||||
$(PERL) util/mkrc.pl $$dll_name | \
|
||||
$(CROSS_COMPILE_PREFIX)windres -o rc.o; \
|
||||
$(CROSS_COMPILE)windres -o rc.o; \
|
||||
extras="$$extras rc.o"; \
|
||||
ALLSYMSFLAGS='-Wl,--whole-archive'; \
|
||||
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
OpenSSL 1.1.0-dev XX xxx XXXX
|
||||
|
||||
Copyright (c) 1998-2008 The OpenSSL Project
|
||||
Copyright (c) 1998-2009 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
|
@ -112,8 +112,6 @@
|
|||
should be contacted if that algorithm is to be used; their web page is
|
||||
http://www.ascom.ch/.
|
||||
|
||||
The MDC2 algorithm is patented by IBM.
|
||||
|
||||
NTT and Mitsubishi have patents and pending patents on the Camellia
|
||||
algorithm, but allow use at no charge without requiring an explicit
|
||||
licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
|
||||
|
@ -139,6 +137,9 @@
|
|||
SUPPORT
|
||||
-------
|
||||
|
||||
See the OpenSSL website www.openssl.org for details of how to obtain
|
||||
commercial technical support.
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
|
@ -165,6 +166,10 @@
|
|||
|
||||
openssl-bugs@openssl.org
|
||||
|
||||
Note that the request tracker should NOT be used for general assistance
|
||||
or support queries. Just because something doesn't work the way you expect
|
||||
does not mean it is necessarily a bug in OpenSSL.
|
||||
|
||||
Note that mail to openssl-bugs@openssl.org is recorded in the publicly
|
||||
readable request tracker database and is forwarded to a public
|
||||
mailing list. Confidential mail may be sent to openssl-security@openssl.org
|
||||
|
@ -175,10 +180,22 @@
|
|||
|
||||
Development is coordinated on the openssl-dev mailing list (see
|
||||
http://www.openssl.org for information on subscribing). If you
|
||||
would like to submit a patch, send it to openssl-dev@openssl.org with
|
||||
would like to submit a patch, send it to openssl-bugs@openssl.org with
|
||||
the string "[PATCH]" in the subject. Please be sure to include a
|
||||
textual explanation of what your patch does.
|
||||
|
||||
If you are unsure as to whether a feature will be useful for the general
|
||||
OpenSSL community please discuss it on the openssl-dev mailing list first.
|
||||
Someone may be already working on the same thing or there may be a good
|
||||
reason as to why that feature isn't implemented.
|
||||
|
||||
Patches should be as up to date as possible, preferably relative to the
|
||||
current CVS or the last snapshot. They should follow the coding style of
|
||||
OpenSSL and compile without warnings. Some of the core team developer targets
|
||||
can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
|
||||
compiles on many varied platforms: try to ensure you only use portable
|
||||
features.
|
||||
|
||||
Note: For legal reasons, contributions from the US can be accepted only
|
||||
if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
|
||||
(formerly BXA) with a copy to the ENC Encryption Request Coordinator;
|
||||
|
|
|
@ -1278,7 +1278,7 @@ $unistd =
|
|||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id = MACOSX
|
||||
$lflags = -Wl,-search_paths_first%
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
@ -1953,6 +1953,68 @@ $ranlib =
|
|||
$arflags =
|
||||
$multilib =
|
||||
|
||||
*** debug-linux-generic32
|
||||
$cc = gcc
|
||||
$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR
|
||||
$cpuid_obj =
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$aes_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$wp_obj =
|
||||
$cmll_obj =
|
||||
$perlasm_scheme = void
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= linux-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_ldflag =
|
||||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib =
|
||||
|
||||
*** debug-linux-generic64
|
||||
$cc = gcc
|
||||
$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR
|
||||
$cpuid_obj =
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$aes_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$wp_obj =
|
||||
$cmll_obj =
|
||||
$perlasm_scheme = void
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= linux-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_ldflag =
|
||||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib =
|
||||
|
||||
*** debug-linux-ia32-aes
|
||||
$cc = gcc
|
||||
$cflags = -DAES_EXPERIMENTAL -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
|
||||
|
@ -2046,6 +2108,37 @@ $ranlib =
|
|||
$arflags =
|
||||
$multilib =
|
||||
|
||||
*** debug-linux-x86_64
|
||||
$cc = gcc
|
||||
$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g -Wall -DMD32_REG_T=int
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
$aes_obj = aes-x86_64.o aesni-x86_64.o
|
||||
$bf_obj =
|
||||
$md5_obj = md5-x86_64.o
|
||||
$sha1_obj = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
|
||||
$cast_obj =
|
||||
$rc4_obj = rc4-x86_64.o
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$wp_obj = wp-x86_64.o
|
||||
$cmll_obj = cmll-x86_64.o cmll_misc.o
|
||||
$perlasm_scheme = elf
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= linux-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_ldflag = -m64
|
||||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
$arflags =
|
||||
$multilib = 64
|
||||
|
||||
*** debug-rse
|
||||
$cc = cc
|
||||
$cflags = -DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall
|
||||
|
@ -2208,7 +2301,7 @@ $unistd =
|
|||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
@ -2234,7 +2327,7 @@ $multilib =
|
|||
|
||||
*** debug-steve32
|
||||
$cc = gcc
|
||||
$cflags = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe
|
||||
$cflags = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g -pipe
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
|
@ -2265,12 +2358,12 @@ $multilib =
|
|||
|
||||
*** debug-steve64
|
||||
$cc = gcc
|
||||
$cflags = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int
|
||||
$cflags = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g -DMD32_REG_T=int
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
@ -3727,7 +3820,7 @@ $unistd =
|
|||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
@ -4750,7 +4843,7 @@ $unistd =
|
|||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -lsocket -lnsl -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
@ -4781,7 +4874,7 @@ $unistd =
|
|||
$thread_cflag = -D_REENTRANT
|
||||
$sys_id =
|
||||
$lflags = -lsocket -lnsl -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
|
||||
$cpuid_obj = x86_64cpuid.o
|
||||
$bn_obj = x86_64-gcc.o x86_64-mont.o
|
||||
$des_obj =
|
||||
|
|
|
@ -5,10 +5,10 @@
|
|||
# things easier between now and when Eric is convinced to fix it :-)
|
||||
#
|
||||
# CA -newca ... will setup the right stuff
|
||||
# CA -newreq ... will generate a certificate request
|
||||
# CA -sign ... will sign the generated request and output
|
||||
# CA -newreq ... will generate a certificate request
|
||||
# CA -sign ... will sign the generated request and output
|
||||
#
|
||||
# At the end of that grab newreq.pem and newcert.pem (one has the key
|
||||
# At the end of that grab newreq.pem and newcert.pem (one has the key
|
||||
# and the other the certificate) and cat them together and that is what
|
||||
# you want/need ... I'll make even this a little cleaner later.
|
||||
#
|
||||
|
@ -16,8 +16,8 @@
|
|||
# 12-Jan-96 tjh Added more things ... including CA -signcert which
|
||||
# converts a certificate to a request and then signs it.
|
||||
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
|
||||
# environment variable so this can be driven from
|
||||
# a script.
|
||||
# environment variable so this can be driven from
|
||||
# a script.
|
||||
# 25-Jul-96 eay Cleaned up filenames some more.
|
||||
# 11-Jun-96 eay Fixed a few filename missmatches.
|
||||
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
|
||||
|
@ -29,52 +29,87 @@
|
|||
|
||||
# default openssl.cnf file has setup as per the following
|
||||
# demoCA ... where everything is stored
|
||||
cp_pem() {
|
||||
infile=$1
|
||||
outfile=$2
|
||||
bound=$3
|
||||
flag=0
|
||||
exec <$infile;
|
||||
while read line; do
|
||||
if [ $flag -eq 1 ]; then
|
||||
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
|
||||
if [ $? -eq 0 ] ; then
|
||||
echo $line >>$outfile
|
||||
break
|
||||
else
|
||||
echo $line >>$outfile
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
echo $line >$outfile
|
||||
flag=1
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
usage() {
|
||||
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
|
||||
}
|
||||
|
||||
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
|
||||
|
||||
DAYS="-days 365" # 1 year
|
||||
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
|
||||
CADAYS="-days 1095" # 3 years
|
||||
REQ="$OPENSSL req $SSLEAY_CONFIG"
|
||||
CA="$OPENSSL ca $SSLEAY_CONFIG"
|
||||
VERIFY="$OPENSSL verify"
|
||||
X509="$OPENSSL x509"
|
||||
PKCS12="openssl pkcs12"
|
||||
|
||||
CATOP=./demoCA
|
||||
if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
|
||||
CAKEY=./cakey.pem
|
||||
CAREQ=./careq.pem
|
||||
CACERT=./cacert.pem
|
||||
|
||||
for i
|
||||
do
|
||||
case $i in
|
||||
RET=0
|
||||
|
||||
while [ "$1" != "" ] ; do
|
||||
case $1 in
|
||||
-\?|-h|-help)
|
||||
echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
-newcert)
|
||||
-newcert)
|
||||
# create a certificate
|
||||
$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
|
||||
RET=$?
|
||||
echo "Certificate is in newcert.pem, private key is in newkey.pem"
|
||||
;;
|
||||
-newreq)
|
||||
-newreq)
|
||||
# create a certificate request
|
||||
$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
|
||||
RET=$?
|
||||
echo "Request is in newreq.pem, private key is in newkey.pem"
|
||||
;;
|
||||
-newca)
|
||||
-newreq-nodes)
|
||||
# create a certificate request
|
||||
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
|
||||
RET=$?
|
||||
echo "Request (and private key) is in newreq.pem"
|
||||
;;
|
||||
-newca)
|
||||
# if explicitly asked for or it doesn't exist then setup the directory
|
||||
# structure that Eric likes to manage things
|
||||
# structure that Eric likes to manage things
|
||||
NEW="1"
|
||||
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
|
||||
# create the directory hierarchy
|
||||
mkdir ${CATOP}
|
||||
mkdir ${CATOP}/certs
|
||||
mkdir ${CATOP}/crl
|
||||
mkdir ${CATOP}/newcerts
|
||||
mkdir ${CATOP}/private
|
||||
echo "00" > ${CATOP}/serial
|
||||
mkdir -p ${CATOP}
|
||||
mkdir -p ${CATOP}/certs
|
||||
mkdir -p ${CATOP}/crl
|
||||
mkdir -p ${CATOP}/newcerts
|
||||
mkdir -p ${CATOP}/private
|
||||
touch ${CATOP}/index.txt
|
||||
fi
|
||||
if [ ! -f ${CATOP}/private/$CAKEY ]; then
|
||||
|
@ -83,37 +118,60 @@ case $i in
|
|||
|
||||
# ask user for existing CA certificate
|
||||
if [ "$FILE" ]; then
|
||||
cp $FILE ${CATOP}/private/$CAKEY
|
||||
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
|
||||
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
|
||||
RET=$?
|
||||
if [ ! -f "${CATOP}/serial" ]; then
|
||||
$X509 -in ${CATOP}/$CACERT -noout -next_serial \
|
||||
-out ${CATOP}/serial
|
||||
fi
|
||||
else
|
||||
echo "Making CA certificate ..."
|
||||
$REQ -new -keyout ${CATOP}/private/$CAKEY \
|
||||
-out ${CATOP}/$CAREQ
|
||||
$CA -out ${CATOP}/$CACERT $CADAYS -batch \
|
||||
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
|
||||
-keyfile ${CATOP}/private/$CAKEY -selfsign \
|
||||
-infiles ${CATOP}/$CAREQ
|
||||
-extensions v3_ca \
|
||||
-infiles ${CATOP}/$CAREQ
|
||||
RET=$?
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
-xsign)
|
||||
$CA -policy policy_anything -infiles newreq.pem
|
||||
$CA -policy policy_anything -infiles newreq.pem
|
||||
RET=$?
|
||||
;;
|
||||
-sign|-signreq)
|
||||
-pkcs12)
|
||||
if [ -z "$2" ] ; then
|
||||
CNAME="My Certificate"
|
||||
else
|
||||
CNAME="$2"
|
||||
fi
|
||||
$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
|
||||
-out newcert.p12 -export -name "$CNAME"
|
||||
RET=$?
|
||||
exit $RET
|
||||
;;
|
||||
-sign|-signreq)
|
||||
$CA -policy policy_anything -out newcert.pem -infiles newreq.pem
|
||||
RET=$?
|
||||
cat newcert.pem
|
||||
echo "Signed certificate is in newcert.pem"
|
||||
;;
|
||||
-signcert)
|
||||
-signCA)
|
||||
$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
|
||||
RET=$?
|
||||
echo "Signed CA certificate is in newcert.pem"
|
||||
;;
|
||||
-signcert)
|
||||
echo "Cert passphrase will be requested twice - bug?"
|
||||
$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
|
||||
$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
|
||||
RET=$?
|
||||
cat newcert.pem
|
||||
echo "Signed certificate is in newcert.pem"
|
||||
;;
|
||||
-verify)
|
||||
-verify)
|
||||
shift
|
||||
if [ -z "$1" ]; then
|
||||
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
|
||||
|
@ -127,13 +185,14 @@ case $i in
|
|||
fi
|
||||
done
|
||||
fi
|
||||
exit 0
|
||||
exit $RET
|
||||
;;
|
||||
*)
|
||||
echo "Unknown arg $i";
|
||||
echo "Unknown arg $i" >&2
|
||||
usage
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
exit $RET
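Review bot: The catch-all `*)` branch still prints `$i`, but the loop now iterates with `while [ "$1" != "" ]` and `case $1 in`, so `i` is never assigned and the message omits the offending argument; it should read `echo "Unknown arg $1" >&2`. `PKCS12="openssl pkcs12"` also ignores the `$OPENSSL` override that REQ, CA, VERIFY and X509 honour, so `-pkcs12` may run a different binary than the rest of the script; `PKCS12="$OPENSSL pkcs12"` keeps them consistent. The new `-newreq-nodes` option writes an unencrypted private key into newreq.pem under whatever umask is in effect, which deserves a comment at that case and probably a `umask 077` before the `$REQ` call. Old and new sides are inferred from the duplicated lines, since the page has lost its +/- markers.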
|
||||
|
||||
|
|
|
@ -789,14 +789,14 @@ s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
|
|||
s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
|
||||
s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
|
||||
s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
|
||||
s_cb.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
|
||||
s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
|
||||
s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
|
||||
s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
|
||||
s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
|
||||
s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
|
||||
s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
|
||||
s_cb.o: s_apps.h s_cb.c
|
||||
s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
|
||||
s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
|
||||
s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
|
||||
s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
|
||||
s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
|
||||
s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
|
||||
s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
|
||||
s_cb.o: ../include/openssl/x509v3.h apps.h s_apps.h s_cb.c
|
||||
s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
|
||||
s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
|
||||
s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
|
||||
|
@ -933,19 +933,20 @@ speed.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
|
|||
speed.o: ../include/openssl/err.h ../include/openssl/evp.h
|
||||
speed.o: ../include/openssl/hmac.h ../include/openssl/idea.h
|
||||
speed.o: ../include/openssl/lhash.h ../include/openssl/md4.h
|
||||
speed.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
|
||||
speed.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
|
||||
speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
|
||||
speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
|
||||
speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h
|
||||
speed.o: ../include/openssl/rc4.h ../include/openssl/ripemd.h
|
||||
speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
|
||||
speed.o: ../include/openssl/seed.h ../include/openssl/sha.h
|
||||
speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
|
||||
speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
|
||||
speed.o: ../include/openssl/ui_compat.h ../include/openssl/whrlpool.h
|
||||
speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
|
||||
speed.o: ../include/openssl/x509v3.h apps.h speed.c testdsa.h testrsa.h
|
||||
speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
|
||||
speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
|
||||
speed.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
|
||||
speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
|
||||
speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
|
||||
speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
|
||||
speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
|
||||
speed.o: ../include/openssl/safestack.h ../include/openssl/seed.h
|
||||
speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
|
||||
speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
|
||||
speed.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
|
||||
speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h
|
||||
speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
|
||||
speed.o: speed.c testdsa.h testrsa.h
|
||||
spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
|
||||
spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h
|
||||
spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
|
||||
|
|
|
@ -1095,76 +1095,120 @@ error:
|
|||
}
|
||||
#endif /* ndef OPENSSL_NO_RC4 */
|
||||
|
||||
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *cert_descrip)
|
||||
static int load_certs_crls(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *desc,
|
||||
STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)
|
||||
{
|
||||
BIO *certs;
|
||||
int i;
|
||||
STACK_OF(X509) *othercerts = NULL;
|
||||
STACK_OF(X509_INFO) *allcerts = NULL;
|
||||
BIO *bio;
|
||||
STACK_OF(X509_INFO) *xis = NULL;
|
||||
X509_INFO *xi;
|
||||
PW_CB_DATA cb_data;
|
||||
int rv = 0;
|
||||
|
||||
cb_data.password = pass;
|
||||
cb_data.prompt_info = file;
|
||||
|
||||
if((certs = BIO_new(BIO_s_file())) == NULL)
|
||||
if (format != FORMAT_PEM)
|
||||
{
|
||||
ERR_print_errors(err);
|
||||
goto end;
|
||||
BIO_printf(err,"bad input format specified for %s\n", desc);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (file == NULL)
|
||||
BIO_set_fp(certs,stdin,BIO_NOCLOSE);
|
||||
bio = BIO_new_fp(stdin,BIO_NOCLOSE);
|
||||
else
|
||||
bio = BIO_new_file(file, "r");
|
||||
|
||||
if (bio == NULL)
|
||||
{
|
||||
if (BIO_read_filename(certs,file) <= 0)
|
||||
{
|
||||
BIO_printf(err, "Error opening %s %s\n",
|
||||
cert_descrip, file);
|
||||
ERR_print_errors(err);
|
||||
BIO_printf(err, "Error opening %s %s\n",
|
||||
desc, file ? file : "stdin");
|
||||
ERR_print_errors(err);
|
||||
return 0;
|
||||
}
|
||||
|
||||
xis = PEM_X509_INFO_read_bio(bio, NULL,
|
||||
(pem_password_cb *)password_callback, &cb_data);
|
||||
|
||||
BIO_free(bio);
|
||||
|
||||
if (pcerts)
|
||||
{
|
||||
*pcerts = sk_X509_new_null();
|
||||
if (!*pcerts)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (pcrls)
|
||||
{
|
||||
*pcrls = sk_X509_CRL_new_null();
|
||||
if (!*pcrls)
|
||||
goto end;
|
||||
}
|
||||
|
||||
for(i = 0; i < sk_X509_INFO_num(xis); i++)
|
||||
{
|
||||
xi = sk_X509_INFO_value (xis, i);
|
||||
if (xi->x509 && pcerts)
|
||||
{
|
||||
if (!sk_X509_push(*pcerts, xi->x509))
|
||||
goto end;
|
||||
xi->x509 = NULL;
|
||||
}
|
||||
if (xi->crl && pcrls)
|
||||
{
|
||||
if (!sk_X509_CRL_push(*pcrls, xi->crl))
|
||||
goto end;
|
||||
xi->crl = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (format == FORMAT_PEM)
|
||||
if (pcerts && sk_X509_num(*pcerts) > 0)
|
||||
rv = 1;
|
||||
|
||||
if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
|
||||
rv = 1;
|
||||
|
||||
end:
|
||||
|
||||
if (xis)
|
||||
sk_X509_INFO_pop_free(xis, X509_INFO_free);
|
||||
|
||||
if (rv == 0)
|
||||
{
|
||||
othercerts = sk_X509_new_null();
|
||||
if(!othercerts)
|
||||
if (pcerts)
|
||||
{
|
||||
sk_X509_free(othercerts);
|
||||
othercerts = NULL;
|
||||
goto end;
|
||||
sk_X509_pop_free(*pcerts, X509_free);
|
||||
*pcerts = NULL;
|
||||
}
|
||||
allcerts = PEM_X509_INFO_read_bio(certs, NULL,
|
||||
(pem_password_cb *)password_callback, &cb_data);
|
||||
for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
|
||||
if (pcrls)
|
||||
{
|
||||
xi = sk_X509_INFO_value (allcerts, i);
|
||||
if (xi->x509)
|
||||
{
|
||||
sk_X509_push(othercerts, xi->x509);
|
||||
xi->x509 = NULL;
|
||||
}
|
||||
sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
|
||||
*pcrls = NULL;
|
||||
}
|
||||
goto end;
|
||||
}
|
||||
else {
|
||||
BIO_printf(err,"bad input format specified for %s\n",
|
||||
cert_descrip);
|
||||
goto end;
|
||||
}
|
||||
end:
|
||||
if (othercerts == NULL)
|
||||
{
|
||||
BIO_printf(err,"unable to load certificates\n");
|
||||
BIO_printf(err,"unable to load %s\n",
|
||||
pcerts ? "certificates" : "CRLs");
|
||||
ERR_print_errors(err);
|
||||
}
|
||||
if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
|
||||
if (certs != NULL) BIO_free(certs);
|
||||
return(othercerts);
|
||||
return rv;
|
||||
}
|
||||
|
||||
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *desc)
|
||||
{
|
||||
STACK_OF(X509) *certs;
|
||||
load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
|
||||
return certs;
|
||||
}
|
||||
|
||||
STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *desc)
|
||||
{
|
||||
STACK_OF(X509_CRL) *crls;
|
||||
load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
|
||||
return crls;
|
||||
}
|
||||
|
||||
#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
|
||||
/* Return error for unknown extensions */
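Review bot: load_certs() and load_crls() return a local pointer that is never initialised when load_certs_crls() takes one of its early `return 0` paths (format other than FORMAT_PEM, or the BIO failing to open), because `*pcerts` and `*pcrls` are only assigned after the BIO has been read. Callers that test the result against NULL then see an indeterminate pointer and may go on to use or free it. Initialise the locals (`STACK_OF(X509) *certs = NULL;`, `STACK_OF(X509_CRL) *crls = NULL;`) or check the result, e.g. `if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL)) return NULL;`. Old and new sides are inferred from the duplicated lines, since the page has lost its +/- markers.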
|
||||
|
|
|
@ -168,6 +168,12 @@ extern BIO *bio_err;
|
|||
#define do_pipe_sig()
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_NO_COMP
|
||||
#define zlib_cleanup()
|
||||
#else
|
||||
#define zlib_cleanup() COMP_zlib_cleanup()
|
||||
#endif
|
||||
|
||||
#if defined(MONOLITH) && !defined(OPENSSL_C)
|
||||
# define apps_startup() \
|
||||
do_pipe_sig()
|
||||
|
@ -182,7 +188,7 @@ extern BIO *bio_err;
|
|||
do { CONF_modules_unload(1); destroy_ui_method(); \
|
||||
OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
|
||||
CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
|
||||
ERR_free_strings(); COMP_zlib_cleanup();} while(0)
|
||||
ERR_free_strings(); zlib_cleanup();} while(0)
|
||||
# else
|
||||
# define apps_startup() \
|
||||
do { do_pipe_sig(); CRYPTO_malloc_init(); \
|
||||
|
@ -192,7 +198,7 @@ extern BIO *bio_err;
|
|||
do { CONF_modules_unload(1); destroy_ui_method(); \
|
||||
OBJ_cleanup(); EVP_cleanup(); \
|
||||
CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
|
||||
ERR_free_strings(); } while(0)
|
||||
ERR_free_strings(); zlib_cleanup(); } while(0)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
|
@ -245,6 +251,8 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
|
|||
const char *pass, ENGINE *e, const char *key_descrip);
|
||||
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *cert_descrip);
|
||||
STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
|
||||
const char *pass, ENGINE *e, const char *cert_descrip);
|
||||
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
|
||||
|
@ -253,6 +261,7 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);
|
|||
#ifndef OPENSSL_NO_OCSP
|
||||
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
|
||||
char *host, char *path, char *port, int use_ssl,
|
||||
STACK_OF(CONF_VALUE) *headers,
|
||||
int req_timeout);
|
||||
#endif
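Review bot: The new load_crls() prototype names its last parameter `cert_descrip`, apparently copied from load_certs(), although the value describes CRLs and the definition in apps.c calls it `desc`. Using the same name in the prototype, `const char *pass, ENGINE *e, const char *desc);`, avoids the misleading label. A short comment above the two prototypes saying what is returned on failure and that the caller owns the returned stack would also help, since the apps.c loop appears to move each object out of the X509_INFO entries into that stack.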
|
||||
|
||||
|
|
|
@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
|
|||
char *engine=NULL;
|
||||
#endif
|
||||
unsigned char *secret_key = NULL, *secret_keyid = NULL;
|
||||
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
|
||||
size_t secret_keylen = 0, secret_keyidlen = 0;
|
||||
|
||||
ASN1_OBJECT *econtent_type = NULL;
|
||||
|
@ -326,6 +327,13 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
secret_keyidlen = (size_t)ltmp;
|
||||
}
|
||||
else if (!strcmp(*args,"-pwri_password"))
|
||||
{
|
||||
if (!args[1])
|
||||
goto argerr;
|
||||
args++;
|
||||
pwri_pass = (unsigned char *)*args;
|
||||
}
|
||||
else if (!strcmp(*args,"-econtent_type"))
|
||||
{
|
||||
if (!args[1])
|
||||
|
@ -559,7 +567,7 @@ int MAIN(int argc, char **argv)
|
|||
|
||||
else if (operation == SMIME_DECRYPT)
|
||||
{
|
||||
if (!recipfile && !keyfile && !secret_key)
|
||||
if (!recipfile && !keyfile && !secret_key && !pwri_pass)
|
||||
{
|
||||
BIO_printf(bio_err, "No recipient certificate or key specified\n");
|
||||
badarg = 1;
|
||||
|
@ -567,7 +575,7 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
else if (operation == SMIME_ENCRYPT)
|
||||
{
|
||||
if (!*args && !secret_key)
|
||||
if (!*args && !secret_key && !pwri_pass)
|
||||
{
|
||||
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
|
||||
badarg = 1;
|
||||
|
@ -880,7 +888,7 @@ int MAIN(int argc, char **argv)
|
|||
{
|
||||
if (!(store = setup_verify(bio_err, CAfile, CApath)))
|
||||
goto end;
|
||||
X509_STORE_set_verify_cb_func(store, cms_cb);
|
||||
X509_STORE_set_verify_cb(store, cms_cb);
|
||||
if (vpm)
|
||||
X509_STORE_set1_param(store, vpm);
|
||||
}
|
||||
|
@ -917,6 +925,17 @@ int MAIN(int argc, char **argv)
|
|||
secret_key = NULL;
|
||||
secret_keyid = NULL;
|
||||
}
|
||||
if (pwri_pass)
|
||||
{
|
||||
pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
|
||||
if (!pwri_tmp)
|
||||
goto end;
|
||||
if (!CMS_add0_recipient_password(cms,
|
||||
-1, NID_undef, NID_undef,
|
||||
pwri_tmp, -1, NULL))
|
||||
goto end;
|
||||
pwri_tmp = NULL;
|
||||
}
|
||||
if (!(flags & CMS_STREAM))
|
||||
{
|
||||
if (!CMS_final(cms, in, NULL, flags))
|
||||
|
@ -1043,6 +1062,16 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
|
||||
if (pwri_pass)
|
||||
{
|
||||
if (!CMS_decrypt_set1_password(cms, pwri_pass, -1))
|
||||
{
|
||||
BIO_puts(bio_err,
|
||||
"Error decrypting CMS using password\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags))
|
||||
{
|
||||
BIO_printf(bio_err, "Error decrypting CMS structure\n");
|
||||
|
@ -1167,6 +1196,8 @@ end:
|
|||
OPENSSL_free(secret_key);
|
||||
if (secret_keyid)
|
||||
OPENSSL_free(secret_keyid);
|
||||
if (pwri_tmp)
|
||||
OPENSSL_free(pwri_tmp);
|
||||
if (econtent_type)
|
||||
ASN1_OBJECT_free(econtent_type);
|
||||
if (rr)
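Review bot: The password copy made with `BUF_strdup` is released on the error path at `end:` by a plain `OPENSSL_free(pwri_tmp)`, so the secret stays readable in freed heap memory. Wiping it first avoids that: `OPENSSL_cleanse(pwri_tmp, strlen((char *)pwri_tmp));` just before the free. The `-pwri_password` value is also taken straight from `argv`, where other local users may be able to read it from the process list, so the option should document that or accept a pass phrase source the way other apps options do. MAIN starts and ends outside these hunks, so whether the new option reaches the usage text cannot be checked from here.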
|
||||
|
|
|
@ -155,6 +155,8 @@ int MAIN(int argc, char **argv)
|
|||
if ((*argv)[0] != '-') break;
|
||||
if (strcmp(*argv,"-c") == 0)
|
||||
separator=1;
|
||||
if (strcmp(*argv,"-r") == 0)
|
||||
separator=2;
|
||||
else if (strcmp(*argv,"-rand") == 0)
|
||||
{
|
||||
if (--argc < 1) break;
|
||||
|
@ -262,6 +264,7 @@ int MAIN(int argc, char **argv)
|
|||
BIO_printf(bio_err,"unknown option '%s'\n",*argv);
|
||||
BIO_printf(bio_err,"options are\n");
|
||||
BIO_printf(bio_err,"-c to output the digest with separating colons\n");
|
||||
BIO_printf(bio_err,"-r to output the digest in coreutils format\n");
|
||||
BIO_printf(bio_err,"-d to output debug info\n");
|
||||
BIO_printf(bio_err,"-hex output as hex dump\n");
|
||||
BIO_printf(bio_err,"-binary output in binary form\n");
|
||||
|
@ -602,6 +605,12 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
|||
}
|
||||
|
||||
if(binout) BIO_write(out, buf, len);
|
||||
else if (sep == 2)
|
||||
{
|
||||
for (i=0; i<(int)len; i++)
|
||||
BIO_printf(out, "%02x",buf[i]);
|
||||
BIO_printf(out, " *%s\n", file);
|
||||
}
|
||||
else
|
||||
{
|
||||
if (sig_name)
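Review bot: The new `-r` test in the first hunk is written as a fresh `if`, which detaches the preceding `-c` test from the `else if` chain. With `-c`, `separator=1` is set and control then runs through the rest of the chain, which presumably ends in the unknown-option branch shown in the second hunk. The line should read `else if (strcmp(*argv,"-r") == 0)`. The option loop starts and ends outside the hunk, so the final `else` is inferred rather than visible.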
|
||||
|
|
|
@ -351,7 +351,7 @@ bad:
|
|||
BIO_printf(bio_err,"bad output format specified for outfile\n");
|
||||
goto end;
|
||||
}
|
||||
if (!i)
|
||||
if (i <= 0)
|
||||
{
|
||||
BIO_printf(bio_err,"unable to write private key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
|
|
@ -243,7 +243,12 @@ int MAIN(int argc, char **argv)
|
|||
goto bad;
|
||||
}
|
||||
buf[0]='\0';
|
||||
fgets(buf,sizeof buf,infile);
|
||||
if (!fgets(buf,sizeof buf,infile))
|
||||
{
|
||||
BIO_printf(bio_err,"unable to read key from '%s'\n",
|
||||
file);
|
||||
goto bad;
|
||||
}
|
||||
fclose(infile);
|
||||
i=strlen(buf);
|
||||
if ((i > 0) &&
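Review bot: The new failure branch after `fgets` jumps to `bad` while `infile` is still open, because `fclose(infile)` only runs on the success path below it. Closing the handle first, `fclose(infile);` before `goto bad;`, keeps the key file from staying open for the rest of the run. MAIN continues outside the hunk, so what `bad` does afterwards is not visible here.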
|
||||
|
|
|
@ -57,7 +57,7 @@ $ LOOP_EXE_END:
|
|||
$
|
||||
$ SET NOON
|
||||
$ COPY CA.COM WRK_SSLEXE:CA.COM/LOG
|
||||
$ SET FILE/PROT=W:RE WRK_SSLVEXE:CA.COM
|
||||
$ SET FILE/PROT=W:RE WRK_SSLEXE:CA.COM
|
||||
$ COPY OPENSSL-VMS.CNF WRK_SSLROOT:[000000]OPENSSL.CNF/LOG
|
||||
$ SET FILE/PROT=W:R WRK_SSLROOT:[000000]OPENSSL.CNF
|
||||
$ SET ON
|
||||
|
|
|
@ -330,7 +330,8 @@ int main(int Argc, char *Argv[])
|
|||
else prompt="OpenSSL> ";
|
||||
fputs(prompt,stdout);
|
||||
fflush(stdout);
|
||||
fgets(p,n,stdin);
|
||||
if (!fgets(p,n,stdin))
|
||||
goto end;
|
||||
if (p[0] == '\0') goto end;
|
||||
i=strlen(p);
|
||||
if (i <= 1) break;
|
||||
|
|
|
@ -275,7 +275,6 @@ int MAIN(int argc, char **argv)
|
|||
}
|
||||
if (topk8)
|
||||
{
|
||||
BIO_free(in); /* Not needed in this section */
|
||||
pkey = load_key(bio_err, infile, informat, 1,
|
||||
passin, e, "key");
|
||||
if (!pkey)
|
||||
|
|
|
@ -1,18 +1,16 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: DES-EDE3-CBC,BA26229A1653B7FF
|
||||
|
||||
6nhWG8PKhTPO/s3ZvjUa6226NlKdvPDZFsNXOOoSUs9ejxpb/aj5huhs6qRYzsz9
|
||||
Year47uaAZYhGD0vAagnNiBnYmjWEpN9G/wQxG7pgZThK1ZxDi63qn8aQ8UjuGHo
|
||||
F6RpnnBQIAnWTWqr/Qsybtc5EoNkrj/Cpx0OfbSr6gZsFBCxwX1R1hT3/mhJ45f3
|
||||
XMofY32Vdfx9/vtw1O7HmlHXQnXaqnbd9/nn1EpvFJG9+UjPoW7gV4jCOLuR4deE
|
||||
jS8hm+cpkwXmFtk3VGjT9tQXPpMv3JpYfBqgGQoMAJ5Toq0DWcHi6Wg08PsD8lgy
|
||||
vmTioPsRg+JGkJkJ8GnusgLpQdlQJbjzd7wGE6ElUFLfOxLo8bLlRHoriHNdWYhh
|
||||
JjY0LyeTkovcmWxVjImc6ZyBz5Ly4t0BYf1gq3OkjsV91Q1taBxnhiavfizqMCAf
|
||||
PPB3sLQnlXG77TOXkNxpqbZfEYrVZW2Nsqqdn8s07Uj4IMONZyq2odYKWFPMJBiM
|
||||
POYwXjMAOcmFMTHYsVlhcUJuV6LOuipw/FEbTtPH/MYMxLe4zx65dYo1rb4iLKLS
|
||||
gMtB0o/Wl4Xno3ZXh1ucicYnV2J7NpVcjVq+3SFiCRu2SrSkZHZ23EPS13Ec6fcz
|
||||
8X/YGA2vTJ8MAOozAzQUwHQYvLk7bIoQVekqDq4p0AZQbhdspHpArCk0Ifqqzg/v
|
||||
Uyky/zZiQYanzDenTSRVI/8wac3olxpU8QvbySxYqmbkgq6bTpXJfYFQfnAttEsC
|
||||
dA4S5UFgyOPZluxCAM4yaJF3Ft6neutNwftuJQMbgCUi9vYg2tGdSw==
|
||||
-----END RSA PRIVATE KEY-----
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMo7DFNMqywUA1O/
|
||||
qvWqCOm6rGrUAcR+dKsSXw6y2qiKO7APDDyotc0b4Mxwqjga98npex2RBIwUoCGJ
|
||||
iEmMXo/a8RbXVUZ+ZwcAX7PC+XeXVC5qoajaBBkd2MvYmib/2PqnNrgvhHsUL5dO
|
||||
xhC7cRqxLM/g45k3Yyw+nGa+WkTdAgMBAAECgYBMBT5w4dVG0I8foGFnz+9hzWab
|
||||
Ee9IKjE5TcKmB93ilXQyjrWO5+zPmbc7ou6aAKk9IaPCTY1kCyzW7pho7Xdt+RFq
|
||||
TgVXGZZfqtixO7f2/5oqZAkd00eOn9ZrhBpVMu4yXbbDvhDyFe4/oy0HGDjRUhxa
|
||||
Lf6ZlBuTherxm4eFkQJBAPBQwRs9UtqaMAQlagA9pV5UsQjV1WT4IxDURMPfXgCd
|
||||
ETNkB6pP0SmxQm5xhv9N2HY1UtoWpug9s0OU5IJB15sCQQDXbfbjiujNbuOxCFNw
|
||||
68JZaCFVdNovyOWORkpenQLNEjVkmTCS9OayK09ADEYtsdpUGKeF+2EYBNkFr5px
|
||||
CajnAkBMYI4PNz1HBuwt1SpMa0tMoMQnV7bbwVV7usskKbC5pzHZUHhzM6z5gEHp
|
||||
0iEisT4Ty7zKXZqsgzefSgoaMAzzAkEAoCIaUhtwXzwdPfvNYnOs3J6doJMimECB
|
||||
+lbfcyLM8TimvadtRt+KGEg/OYGmLNM2UiqdY+duzdbUpvhYGcwvYwJAQvaoi9z2
|
||||
CkiwSs/PFrLaNlfLJmXRsUBzmiWYoh6+IQJJorEXz7ewI72ee9RBO4s746cgUFwH
|
||||
Ri+qO+HhZFUBqQ==
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
|
@ -1441,7 +1441,8 @@ start:
|
|||
buf[0]='\0';
|
||||
if (!batch)
|
||||
{
|
||||
fgets(buf,sizeof buf,stdin);
|
||||
if (!fgets(buf,sizeof buf,stdin))
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -1499,7 +1500,8 @@ start:
|
|||
buf[0]='\0';
|
||||
if (!batch)
|
||||
{
|
||||
fgets(buf,sizeof buf,stdin);
|
||||
if (!fgets(buf,sizeof buf,stdin))
|
||||
return 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
@ -426,7 +426,7 @@ bad:
|
|||
BIO_printf(bio_err,"bad output format specified for outfile\n");
|
||||
goto end;
|
||||
}
|
||||
if (!i)
|
||||
if (i <= 0)
|
||||
{
|
||||
BIO_printf(bio_err,"unable to write key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
|
|
@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
|
|||
unsigned char *data, int len,
|
||||
void *arg);
|
||||
#endif
|
||||
|
||||
int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
|
||||
int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
|
||||
|
|
|
@ -117,17 +117,21 @@
|
|||
#undef NON_MAIN
|
||||
#undef USE_SOCKETS
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include "s_apps.h"
|
||||
|
||||
#define COOKIE_SECRET_LENGTH 16
|
||||
|
||||
int verify_depth=0;
|
||||
int verify_error=X509_V_OK;
|
||||
int verify_return_error=0;
|
||||
unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
|
||||
int cookie_initialized=0;
|
||||
|
||||
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
char buf[256];
|
||||
X509 *err_cert;
|
||||
int err,depth;
|
||||
|
||||
|
@ -135,8 +139,15 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
|
|||
err= X509_STORE_CTX_get_error(ctx);
|
||||
depth= X509_STORE_CTX_get_error_depth(ctx);
|
||||
|
||||
X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
|
||||
BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
|
||||
BIO_printf(bio_err,"depth=%d ",depth);
|
||||
if (err_cert)
|
||||
{
|
||||
X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
|
||||
0, XN_FLAG_ONELINE);
|
||||
BIO_puts(bio_err, "\n");
|
||||
}
|
||||
else
|
||||
BIO_puts(bio_err, "<no cert>\n");
|
||||
if (!ok)
|
||||
{
|
||||
BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
|
||||
|
@ -153,25 +164,33 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
|
|||
verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
|
||||
}
|
||||
}
|
||||
switch (ctx->error)
|
||||
switch (err)
|
||||
{
|
||||
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
||||
X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
|
||||
BIO_printf(bio_err,"issuer= %s\n",buf);
|
||||
BIO_puts(bio_err,"issuer= ");
|
||||
X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
|
||||
0, XN_FLAG_ONELINE);
|
||||
BIO_puts(bio_err, "\n");
|
||||
break;
|
||||
case X509_V_ERR_CERT_NOT_YET_VALID:
|
||||
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
||||
BIO_printf(bio_err,"notBefore=");
|
||||
ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
|
||||
ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
|
||||
BIO_printf(bio_err,"\n");
|
||||
break;
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
|
||||
BIO_printf(bio_err,"notAfter=");
|
||||
ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
|
||||
ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
|
||||
BIO_printf(bio_err,"\n");
|
||||
break;
|
||||
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
||||
policies_print(bio_err, ctx);
|
||||
break;
|
||||
}
|
||||
if (err == X509_V_OK && ok == 2)
|
||||
policies_print(bio_err, ctx);
|
||||
|
||||
BIO_printf(bio_err,"verify return:%d\n",ok);
|
||||
return(ok);
|
||||
}
|
||||
|
@ -650,6 +669,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
|
|||
extname = "server ticket";
|
||||
break;
|
||||
|
||||
case TLSEXT_TYPE_renegotiate:
|
||||
extname = "renegotiate";
|
||||
break;
|
||||
|
||||
#ifdef TLSEXT_TYPE_opaque_prf_input
|
||||
case TLSEXT_TYPE_opaque_prf_input:
|
||||
extname = "opaque PRF input";
|
||||
|
@ -668,3 +691,188 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
|
|||
BIO_dump(bio, (char *)data, len);
|
||||
(void)BIO_flush(bio);
|
||||
}
|
||||
|
||||
int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
|
||||
{
|
||||
unsigned char *buffer, result[EVP_MAX_MD_SIZE];
|
||||
unsigned int length, resultlength;
|
||||
#if OPENSSL_USE_IPV6
|
||||
union {
|
||||
struct sockaddr_storage ss;
|
||||
struct sockaddr_in6 s6;
|
||||
struct sockaddr_in s4;
|
||||
} peer;
|
||||
#else
|
||||
struct sockaddr_in peer;
|
||||
#endif
|
||||
|
||||
/* Initialize a random secret */
|
||||
if (!cookie_initialized)
|
||||
{
|
||||
if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
|
||||
{
|
||||
BIO_printf(bio_err,"error setting random cookie secret\n");
|
||||
return 0;
|
||||
}
|
||||
cookie_initialized = 1;
|
||||
}
|
||||
|
||||
/* Read peer information */
|
||||
(void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
|
||||
|
||||
/* Create buffer with peer's address and port */
|
||||
#if OPENSSL_USE_IPV6
|
||||
length = 0;
|
||||
switch (peer.ss.ss_family)
|
||||
{
|
||||
case AF_INET:
|
||||
length += sizeof(struct in_addr);
|
||||
length += sizeof(peer.s4.sin_port);
|
||||
break;
|
||||
case AF_INET6:
|
||||
length += sizeof(struct in6_addr);
|
||||
length += sizeof(peer.s6.sin6_port);
|
||||
break;
|
||||
default:
|
||||
OPENSSL_assert(0);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
length = sizeof(peer.sin_addr);
|
||||
length += sizeof(peer.sin_port);
|
||||
#endif
|
||||
buffer = OPENSSL_malloc(length);
|
||||
|
||||
if (buffer == NULL)
|
||||
{
|
||||
BIO_printf(bio_err,"out of memory\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if OPENSSL_USE_IPV6
|
||||
switch (peer.ss.ss_family)
|
||||
{
|
||||
case AF_INET:
|
||||
memcpy(buffer,
|
||||
&peer.s4.sin_port,
|
||||
sizeof(peer.s4.sin_port));
|
||||
memcpy(buffer + sizeof(peer.s4.sin_port),
|
||||
&peer.s4.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
break;
|
||||
case AF_INET6:
|
||||
memcpy(buffer,
|
||||
&peer.s6.sin6_port,
|
||||
sizeof(peer.s6.sin6_port));
|
||||
memcpy(buffer + sizeof(peer.s6.sin6_port),
|
||||
&peer.s6.sin6_addr,
|
||||
sizeof(struct in6_addr));
|
||||
break;
|
||||
default:
|
||||
OPENSSL_assert(0);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
memcpy(buffer, &peer.sin_port, sizeof(peer.sin_port));
|
||||
memcpy(buffer + sizeof(peer.sin_port), &peer.sin_addr, sizeof(peer.sin_addr));
|
||||
#endif
|
||||
|
||||
/* Calculate HMAC of buffer using the secret */
|
||||
HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
|
||||
buffer, length, result, &resultlength);
|
||||
OPENSSL_free(buffer);
|
||||
|
||||
memcpy(cookie, result, resultlength);
|
||||
*cookie_len = resultlength;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
|
||||
{
|
||||
unsigned char *buffer, result[EVP_MAX_MD_SIZE];
|
||||
unsigned int length, resultlength;
|
||||
#if OPENSSL_USE_IPV6
|
||||
union {
|
||||
struct sockaddr_storage ss;
|
||||
struct sockaddr_in6 s6;
|
||||
struct sockaddr_in s4;
|
||||
} peer;
|
||||
#else
|
||||
struct sockaddr_in peer;
|
||||
#endif
|
||||
|
||||
/* If secret isn't initialized yet, the cookie can't be valid */
|
||||
if (!cookie_initialized)
|
||||
return 0;
|
||||
|
||||
/* Read peer information */
|
||||
(void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
|
||||
|
||||
/* Create buffer with peer's address and port */
|
||||
#if OPENSSL_USE_IPV6
|
||||
length = 0;
|
||||
switch (peer.ss.ss_family)
|
||||
{
|
||||
case AF_INET:
|
||||
length += sizeof(struct in_addr);
|
||||
length += sizeof(peer.s4.sin_port);
|
||||
break;
|
||||
case AF_INET6:
|
||||
length += sizeof(struct in6_addr);
|
||||
length += sizeof(peer.s6.sin6_port);
|
||||
break;
|
||||
default:
|
||||
OPENSSL_assert(0);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
length = sizeof(peer.sin_addr);
|
||||
length += sizeof(peer.sin_port);
|
||||
#endif
|
||||
buffer = OPENSSL_malloc(length);
|
||||
|
||||
if (buffer == NULL)
|
||||
{
|
||||
BIO_printf(bio_err,"out of memory\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if OPENSSL_USE_IPV6
|
||||
switch (peer.ss.ss_family)
|
||||
{
|
||||
case AF_INET:
|
||||
memcpy(buffer,
|
||||
&peer.s4.sin_port,
|
||||
sizeof(peer.s4.sin_port));
|
||||
memcpy(buffer + sizeof(peer.s4.sin_port),
|
||||
&peer.s4.sin_addr,
|
||||
sizeof(struct in_addr));
|
||||
break;
|
||||
case AF_INET6:
|
||||
memcpy(buffer,
|
||||
&peer.s6.sin6_port,
|
||||
sizeof(peer.s6.sin6_port));
|
||||
memcpy(buffer + sizeof(peer.s6.sin6_port),
|
||||
&peer.s6.sin6_addr,
|
||||
sizeof(struct in6_addr));
|
||||
break;
|
||||
default:
|
||||
OPENSSL_assert(0);
|
||||
break;
|
||||
}
|
||||
#else
|
||||
memcpy(buffer, &peer.sin_port, sizeof(peer.sin_port));
|
||||
memcpy(buffer + sizeof(peer.sin_port), &peer.sin_addr, sizeof(peer.sin_addr));
|
||||
#endif
|
||||
|
||||
/* Calculate HMAC of buffer using the secret */
|
||||
HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
|
||||
buffer, length, result, &resultlength);
|
||||
OPENSSL_free(buffer);
|
||||
|
||||
if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
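Review bot: In generate_cookie_callback the secret is set up with `if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))`, which treats a -1 return as success and would leave the zero-initialised global `cookie_secret` as the HMAC key. The create_nonce hunk later in this commit already uses the safer form, so this should read `if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0)`. Both cookie callbacks also use `result` and `resultlength` without checking the `HMAC()` return, and read `peer` after `(void)BIO_dgram_get_peer(...)` with no initialisation, so a call that does not fill it can reach `OPENSSL_assert(0)` instead of rejecting the cookie; the `default:` cases should return 0. In verify_cookie_callback the final `memcmp` should be a constant-time comparison such as `CRYPTO_memcmp`, where the library version provides it. The two bodies are nearly identical and could share one static helper that builds the peer buffer.

```c
int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
	{
	/* ... unchanged: declarations and cookie_initialized check ... */

	/* Read peer information; start from a known state in case the call fails */
	memset(&peer, 0, sizeof(peer));
	(void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);

	/* ... unchanged: length computation, buffer allocation and fill ... */

	/* Calculate HMAC of buffer using the secret */
	if (HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
	         buffer, length, result, &resultlength) == NULL)
		{
		OPENSSL_free(buffer);
		return 0;
		}
	OPENSSL_free(buffer);

	/* Constant-time compare so the check does not reveal how many bytes matched */
	if (cookie_len == resultlength && CRYPTO_memcmp(result, cookie, resultlength) == 0)
		return 1;

	return 0;
	}
```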
|
||||
|
|
|
@ -318,10 +318,11 @@ static void sc_usage(void)
|
|||
#endif
|
||||
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
|
||||
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
|
||||
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
|
||||
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
|
||||
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
|
||||
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
|
||||
BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
|
||||
BIO_printf(bio_err," -no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
|
||||
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
|
||||
BIO_printf(bio_err," -serverpref - Use server's cipher preferences (only SSLv2)\n");
|
||||
BIO_printf(bio_err," -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
|
||||
|
@ -343,6 +344,7 @@ static void sc_usage(void)
|
|||
BIO_printf(bio_err," -status - request certificate status from server\n");
|
||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
||||
#endif
|
||||
BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
|
@ -381,7 +383,7 @@ int MAIN(int, char **);
|
|||
|
||||
int MAIN(int argc, char **argv)
|
||||
{
|
||||
int off=0;
|
||||
unsigned int off=0, clr=0;
|
||||
SSL *con=NULL;
|
||||
int s,k,width,state=0;
|
||||
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
|
||||
|
@ -411,6 +413,7 @@ int MAIN(int argc, char **argv)
|
|||
BIO *sbio;
|
||||
char *inrand=NULL;
|
||||
int mbuf_len=0;
|
||||
struct timeval timeout, *timeoutp;
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
char *engine_id=NULL;
|
||||
char *ssl_client_engine_id=NULL;
|
||||
|
@ -595,6 +598,8 @@ int MAIN(int argc, char **argv)
|
|||
meth=SSLv3_client_method();
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1
|
||||
else if (strcmp(*argv,"-tls1_1") == 0)
|
||||
meth=TLSv1_1_client_method();
|
||||
else if (strcmp(*argv,"-tls1") == 0)
|
||||
meth=TLSv1_client_method();
|
||||
#endif
|
||||
|
@ -643,6 +648,8 @@ int MAIN(int argc, char **argv)
|
|||
if (--argc < 1) goto bad;
|
||||
CAfile= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-no_tls1_1") == 0)
|
||||
off|=SSL_OP_NO_TLSv1_1;
|
||||
else if (strcmp(*argv,"-no_tls1") == 0)
|
||||
off|=SSL_OP_NO_TLSv1;
|
||||
else if (strcmp(*argv,"-no_ssl3") == 0)
|
||||
|
@ -657,6 +664,12 @@ int MAIN(int argc, char **argv)
|
|||
#endif
|
||||
else if (strcmp(*argv,"-serverpref") == 0)
|
||||
off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
|
||||
else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
||||
off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
else if (strcmp(*argv,"-legacy_server_connect") == 0)
|
||||
{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
|
||||
else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
|
||||
{ clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
|
||||
else if (strcmp(*argv,"-cipher") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
|
@ -867,6 +880,9 @@ bad:
|
|||
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
|
||||
else
|
||||
SSL_CTX_set_options(ctx,off);
|
||||
|
||||
if (clr)
|
||||
SSL_CTX_clear_options(ctx, clr);
|
||||
/* DTLS: partial reads end up discarding unread UDP bytes :-(
|
||||
* Setting read ahead solves this problem.
|
||||
*/
|
||||
|
@ -979,7 +995,6 @@ re_start:
|
|||
|
||||
if ( SSL_version(con) == DTLS1_VERSION)
|
||||
{
|
||||
struct timeval timeout;
|
||||
|
||||
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
|
||||
if (getsockname(s, &peer, (void *)&peerlen) < 0)
|
||||
|
@ -1196,6 +1211,12 @@ SSL_set_tlsext_status_ids(con, ids);
|
|||
FD_ZERO(&readfds);
|
||||
FD_ZERO(&writefds);
|
||||
|
||||
if ((SSL_version(con) == DTLS1_VERSION) &&
|
||||
DTLSv1_get_timeout(con, &timeout))
|
||||
timeoutp = &timeout;
|
||||
else
|
||||
timeoutp = NULL;
|
||||
|
||||
if (SSL_in_init(con) && !SSL_total_renegotiations(con))
|
||||
{
|
||||
in_init=1;
|
||||
|
@ -1300,7 +1321,7 @@ SSL_set_tlsext_status_ids(con, ids);
|
|||
if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
|
||||
#endif
|
||||
} else i=select(width,(void *)&readfds,(void *)&writefds,
|
||||
NULL,NULL);
|
||||
NULL,timeoutp);
|
||||
}
|
||||
#elif defined(OPENSSL_SYS_NETWARE)
|
||||
if(!write_tty) {
|
||||
|
@ -1310,7 +1331,7 @@ SSL_set_tlsext_status_ids(con, ids);
|
|||
i=select(width,(void *)&readfds,(void *)&writefds,
|
||||
NULL,&tv);
|
||||
} else i=select(width,(void *)&readfds,(void *)&writefds,
|
||||
NULL,NULL);
|
||||
NULL,timeoutp);
|
||||
}
|
||||
#elif defined(OPENSSL_SYS_BEOS_R5)
|
||||
/* Under BeOS-R5 the situation is similar to DOS */
|
||||
|
@ -1328,12 +1349,12 @@ SSL_set_tlsext_status_ids(con, ids);
|
|||
if (!i && (stdin_set != 1 || !read_tty))
|
||||
continue;
|
||||
} else i=select(width,(void *)&readfds,(void *)&writefds,
|
||||
NULL,NULL);
|
||||
NULL,timeoutp);
|
||||
}
|
||||
(void)fcntl(fileno(stdin), F_SETFL, 0);
|
||||
#else
|
||||
i=select(width,(void *)&readfds,(void *)&writefds,
|
||||
NULL,NULL);
|
||||
NULL,timeoutp);
|
||||
#endif
|
||||
if ( i < 0)
|
||||
{
|
||||
|
@ -1344,6 +1365,11 @@ SSL_set_tlsext_status_ids(con, ids);
|
|||
}
|
||||
}
|
||||
|
||||
if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
|
||||
{
|
||||
BIO_printf(bio_err,"TIMEOUT occured\n");
|
||||
}
|
||||
|
||||
if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
|
||||
{
|
||||
k=SSL_write(con,&(cbuf[cbuf_off]),
|
||||
|
@ -1711,6 +1737,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
|
|||
EVP_PKEY_bits(pktmp));
|
||||
EVP_PKEY_free(pktmp);
|
||||
}
|
||||
BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
|
||||
SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
comp=SSL_get_current_compression(s);
|
||||
expansion=SSL_get_current_expansion(s);
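Review bot: The option parser gains `-legacy_server_connect` and `-no_legacy_server_connect`, but the sc_usage hunks add a help line only for `-legacy_renegotiation`, so the two new switches are undocumented. Judging by its name, `-legacy_server_connect` relaxes a renegotiation safeguard, so it deserves a line marked the same way, for example `BIO_printf(bio_err," -legacy_server_connect - allow connections to servers without secure renegotiation (dangerous)\n");`, plus a matching one for the `-no_` form. sc_usage and MAIN both extend beyond the visible hunks, so a help line elsewhere in the function cannot be ruled out.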
|
||||
|
|
|
@ -458,6 +458,7 @@ static void sv_usage(void)
|
|||
#endif
|
||||
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
|
||||
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
|
||||
BIO_printf(bio_err," -tls1_1 - Just talk TLSv1_1\n");
|
||||
BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
|
||||
BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n");
|
||||
BIO_printf(bio_err," -timeout - Enable timeouts\n");
|
||||
|
@ -466,6 +467,7 @@ static void sv_usage(void)
|
|||
BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
|
||||
BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
|
||||
BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n");
|
||||
BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n");
|
||||
#ifndef OPENSSL_NO_DH
|
||||
BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n");
|
||||
#endif
|
||||
|
@ -491,6 +493,7 @@ static void sv_usage(void)
|
|||
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
|
||||
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
|
||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
||||
BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
#endif
|
||||
}
|
||||
|
||||
|
@ -787,7 +790,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
|
|||
if (!OCSP_REQUEST_add_ext(req, ext, -1))
|
||||
goto err;
|
||||
}
|
||||
resp = process_responder(err, req, host, path, port, use_ssl,
|
||||
resp = process_responder(err, req, host, path, port, use_ssl, NULL,
|
||||
srctx->timeout);
|
||||
if (!resp)
|
||||
{
|
||||
|
@ -859,6 +862,7 @@ int MAIN(int argc, char *argv[])
|
|||
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
|
||||
X509 *s_cert = NULL, *s_dcert = NULL;
|
||||
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
|
||||
int no_cache = 0;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
EVP_PKEY *s_key2 = NULL;
|
||||
X509 *s_cert2 = NULL;
|
||||
|
@ -1001,6 +1005,8 @@ int MAIN(int argc, char *argv[])
|
|||
if (--argc < 1) goto bad;
|
||||
CApath= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-no_cache") == 0)
|
||||
no_cache = 1;
|
||||
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
|
||||
{
|
||||
if (badarg)
|
||||
|
@ -1011,6 +1017,8 @@ int MAIN(int argc, char *argv[])
|
|||
verify_return_error = 1;
|
||||
else if (strcmp(*argv,"-serverpref") == 0)
|
||||
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
|
||||
else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
||||
off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
else if (strcmp(*argv,"-cipher") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
|
@ -1114,6 +1122,8 @@ int MAIN(int argc, char *argv[])
|
|||
{ off|=SSL_OP_NO_SSLv2; }
|
||||
else if (strcmp(*argv,"-no_ssl3") == 0)
|
||||
{ off|=SSL_OP_NO_SSLv3; }
|
||||
else if (strcmp(*argv,"-no_tls1_1") == 0)
|
||||
{ off|=SSL_OP_NO_TLSv1_1; }
|
||||
else if (strcmp(*argv,"-no_tls1") == 0)
|
||||
{ off|=SSL_OP_NO_TLSv1; }
|
||||
else if (strcmp(*argv,"-no_comp") == 0)
|
||||
|
@ -1131,6 +1141,8 @@ int MAIN(int argc, char *argv[])
|
|||
{ meth=SSLv3_server_method(); }
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1
|
||||
else if (strcmp(*argv,"-tls1_1") == 0)
|
||||
{ meth=TLSv1_1_server_method(); }
|
||||
else if (strcmp(*argv,"-tls1") == 0)
|
||||
{ meth=TLSv1_server_method(); }
|
||||
#endif
|
||||
|
@ -1388,8 +1400,10 @@ bad:
|
|||
if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
|
||||
|
||||
if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
|
||||
|
||||
SSL_CTX_sess_set_cache_size(ctx,128);
|
||||
if (no_cache)
|
||||
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
||||
else
|
||||
SSL_CTX_sess_set_cache_size(ctx,128);
|
||||
|
||||
#if 0
|
||||
if (cipher == NULL) cipher=getenv("SSL_CIPHER");
|
||||
|
@ -1455,7 +1469,10 @@ bad:
|
|||
|
||||
if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
|
||||
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
if (no_cache)
|
||||
SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
|
||||
else
|
||||
SSL_CTX_sess_set_cache_size(ctx2,128);
|
||||
|
||||
if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
|
||||
(!SSL_CTX_set_default_verify_paths(ctx2)))
|
||||
|
@ -1654,6 +1671,10 @@ bad:
|
|||
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
|
||||
sizeof s_server_session_id_context);
|
||||
|
||||
/* Set DTLS cookie generation and verification callbacks */
|
||||
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
|
||||
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
if (ctx2)
|
||||
{
|
||||
|
@ -1750,8 +1771,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
|||
unsigned long l;
|
||||
SSL *con=NULL;
|
||||
BIO *sbio;
|
||||
struct timeval timeout;
|
||||
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
|
||||
struct timeval tv;
|
||||
#else
|
||||
struct timeval *timeoutp;
|
||||
#endif
|
||||
|
||||
if ((buf=OPENSSL_malloc(bufsize)) == NULL)
|
||||
|
@ -1808,7 +1832,6 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
|||
|
||||
if (SSL_version(con) == DTLS1_VERSION)
|
||||
{
|
||||
struct timeval timeout;
|
||||
|
||||
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
|
||||
|
||||
|
@ -1919,7 +1942,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
|||
read_from_terminal = 1;
|
||||
(void)fcntl(fileno(stdin), F_SETFL, 0);
|
||||
#else
|
||||
i=select(width,(void *)&readfds,NULL,NULL,NULL);
|
||||
if ((SSL_version(con) == DTLS1_VERSION) &&
|
||||
DTLSv1_get_timeout(con, &timeout))
|
||||
timeoutp = &timeout;
|
||||
else
|
||||
timeoutp = NULL;
|
||||
|
||||
i=select(width,(void *)&readfds,NULL,NULL,timeoutp);
|
||||
|
||||
if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
|
||||
{
|
||||
BIO_printf(bio_err,"TIMEOUT occured\n");
|
||||
}
|
||||
|
||||
if (i <= 0) continue;
|
||||
if (FD_ISSET(fileno(stdin),&readfds))
|
||||
read_from_terminal = 1;
|
||||
|
@ -2180,6 +2215,8 @@ static int init_ssl_connection(SSL *con)
|
|||
con->kssl_ctx->client_princ);
|
||||
}
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
|
||||
SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
|
||||
return(1);
|
||||
}
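Review bot: The `-legacy_renegotiation` help line in sv_usage sits before the `#endif` that follows the `-no_ticket` line, while the option itself appears to be parsed unconditionally in the visible MAIN hunk. A build that compiles out that conditional block would therefore accept the switch but never document it; sc_usage earlier in this commit places the same line after its `#endif`, and moving the `BIO_printf` below the `#endif` here would match. The new `-no_cache` switch has no help line in the visible sv_usage hunks; something like `BIO_printf(bio_err," -no_cache - Disable session cache\n");` would cover it. The `-tls1_1` line also says `TLSv1_1` where the `-no_tls1_1` line says `TLSv1.1`.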
|
||||
|
||||
|
|
|
@ -671,7 +671,7 @@ int MAIN(int argc, char **argv)
|
|||
{
|
||||
if (!(store = setup_verify(bio_err, CAfile, CApath)))
|
||||
goto end;
|
||||
X509_STORE_set_verify_cb_func(store, smime_cb);
|
||||
X509_STORE_set_verify_cb(store, smime_cb);
|
||||
if (vpm)
|
||||
X509_STORE_set1_param(store, vpm);
|
||||
}
|
||||
|
|
|
@ -649,7 +649,7 @@ static ASN1_INTEGER *create_nonce(int bits)
|
|||
|
||||
/* Generating random byte sequence. */
|
||||
if (len > (int)sizeof(buf)) goto err;
|
||||
if (!RAND_bytes(buf, len)) goto err;
|
||||
if (RAND_bytes(buf, len) <= 0) goto err;
|
||||
|
||||
/* Find the first non-zero byte and creating ASN1_INTEGER object. */
|
||||
for (i = 0; i < len && !buf[i]; ++i);
|
||||
|
@ -1083,7 +1083,7 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file)
|
|||
cert_ctx = X509_STORE_new();
|
||||
|
||||
/* Setting the callback for certificate chain verification. */
|
||||
X509_STORE_set_verify_cb_func(cert_ctx, verify_cb);
|
||||
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
|
||||
|
||||
/* Adding a trusted certificate directory source. */
|
||||
if (ca_path)
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
#!/usr/bin/perl -w
|
||||
# Written by Zoltan Glozik <zglozik@stones.com>.
|
||||
# Copyright (c) 2002 The OpenTSA Project. All rights reserved.
|
||||
$::version = '$Id: tsget,v 1.1.1.1 2009/07/19 23:02:28 christos Exp $';
|
||||
$::version = '$Id: tsget,v 1.1.1.2 2009/12/26 23:30:58 christos Exp $';
|
||||
|
||||
use strict;
|
||||
use IO::Handle;
|
||||
use Getopt::Std;
|
||||
use File::Basename;
|
||||
use WWW::Curl::easy;
|
||||
use WWW::Curl::Easy;
|
||||
|
||||
use vars qw(%options);
|
||||
|
||||
|
@ -37,7 +37,7 @@ sub create_curl {
|
|||
my $url = shift;
|
||||
|
||||
# Create Curl object.
|
||||
my $curl = WWW::Curl::easy::new();
|
||||
my $curl = WWW::Curl::Easy::new();
|
||||
|
||||
# Error-handling related options.
|
||||
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
|
||||
|
@ -49,7 +49,7 @@ sub create_curl {
|
|||
$curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
|
||||
$curl->setopt(CURLOPT_HTTPHEADER,
|
||||
["Content-Type: application/timestamp-query",
|
||||
"Accept: application/timestamp-reply"]);
|
||||
"Accept: application/timestamp-reply,application/timestamp-response"]);
|
||||
$curl->setopt(CURLOPT_READFUNCTION, \&read_body);
|
||||
$curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });
|
||||
|
||||
|
@ -102,7 +102,8 @@ sub get_timestamp {
|
|||
$error_string .= " ($::error_buf)" if defined($::error_buf);
|
||||
} else {
|
||||
my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
|
||||
if (lc($ct) ne "application/timestamp-reply") {
|
||||
if (lc($ct) ne "application/timestamp-reply"
|
||||
&& lc($ct) ne "application/timestamp-response") {
|
||||
$error_string = "unexpected content type returned: $ct";
|
||||
}
|
||||
}
|
||||
|
@ -192,4 +193,4 @@ REQUEST: foreach (@ARGV) {
|
|||
STDERR->printflush(", $output written.\n") if $options{v};
|
||||
}
|
||||
$curl->cleanup();
|
||||
WWW::Curl::easy::global_cleanup();
|
||||
WWW::Curl::Easy::global_cleanup();
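Review bot: In get_timestamp the value from `$curl->getinfo(CURLINFO_CONTENT_TYPE)` is passed to `lc()` twice with no defined-check, so a reply without a Content-Type header would raise an uninitialized-value warning under `-w` before the error string is built. A type that carries parameters after a semicolon would also fail both exact comparisons. Normalising once before the test, `$ct = defined($ct) ? lc($ct) : "";` followed by `$ct =~ s/\s*;.*$//;`, lets the condition compare `$ct` against the two accepted types directly. The media type is only a hint from the server, so the reply still needs to go through `openssl ts -verify` before it is relied on. get_timestamp begins and ends outside the hunk.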
|
||||
|
|
|
@ -70,8 +70,9 @@
|
|||
#define PROG verify_main
|
||||
|
||||
static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
|
||||
static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e);
|
||||
static STACK_OF(X509) *load_untrusted(char *file);
|
||||
static int check(X509_STORE *ctx, char *file,
|
||||
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
|
||||
STACK_OF(X509_CRL) *crls, ENGINE *e);
|
||||
static int v_verbose=0, vflags = 0;
|
||||
|
||||
int MAIN(int, char **);
|
||||
|
@ -80,10 +81,10 @@ int MAIN(int argc, char **argv)
|
|||
{
|
||||
ENGINE *e = NULL;
|
||||
int i,ret=1, badarg = 0;
|
||||
int purpose = -1;
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
char *untfile = NULL, *trustfile = NULL;
|
||||
char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
|
||||
STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
|
||||
STACK_OF(X509_CRL) *crls = NULL;
|
||||
X509_STORE *cert_ctx=NULL;
|
||||
X509_LOOKUP *lookup=NULL;
|
||||
X509_VERIFY_PARAM *vpm = NULL;
|
||||
|
@ -93,7 +94,7 @@ int MAIN(int argc, char **argv)
|
|||
|
||||
cert_ctx=X509_STORE_new();
|
||||
if (cert_ctx == NULL) goto end;
|
||||
X509_STORE_set_verify_cb_func(cert_ctx,cb);
|
||||
X509_STORE_set_verify_cb(cert_ctx,cb);
|
||||
|
||||
ERR_load_crypto_strings();
|
||||
|
||||
|
@ -139,6 +140,11 @@ int MAIN(int argc, char **argv)
|
|||
if (argc-- < 1) goto end;
|
||||
trustfile= *(++argv);
|
||||
}
|
||||
else if (strcmp(*argv,"-CRLfile") == 0)
|
||||
{
|
||||
if (argc-- < 1) goto end;
|
||||
crlfile= *(++argv);
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
else if (strcmp(*argv,"-engine") == 0)
|
||||
{
|
||||
|
@ -192,26 +198,34 @@ int MAIN(int argc, char **argv)
|
|||
|
||||
ERR_clear_error();
|
||||
|
||||
if(untfile) {
|
||||
if(!(untrusted = load_untrusted(untfile))) {
|
||||
BIO_printf(bio_err, "Error loading untrusted file %s\n", untfile);
|
||||
ERR_print_errors(bio_err);
|
||||
if(untfile)
|
||||
{
|
||||
untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
|
||||
NULL, e, "untrusted certificates");
|
||||
if(!untrusted)
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if(trustfile) {
|
||||
if(!(trusted = load_untrusted(trustfile))) {
|
||||
BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile);
|
||||
ERR_print_errors(bio_err);
|
||||
if(trustfile)
|
||||
{
|
||||
trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
|
||||
NULL, e, "trusted certificates");
|
||||
if(!trusted)
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose, e);
|
||||
if(crlfile)
|
||||
{
|
||||
crls = load_crls(bio_err, crlfile, FORMAT_PEM,
|
||||
NULL, e, "other CRLs");
|
||||
if(!crls)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
|
||||
else
|
||||
for (i=0; i<argc; i++)
|
||||
check(cert_ctx,argv[i], untrusted, trusted, purpose, e);
|
||||
check(cert_ctx,argv[i], untrusted, trusted, crls, e);
|
||||
ret=0;
|
||||
end:
|
||||
if (ret == 1) {
|
||||
|
@ -232,11 +246,14 @@ end:
|
|||
if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
|
||||
sk_X509_pop_free(untrusted, X509_free);
|
||||
sk_X509_pop_free(trusted, X509_free);
|
||||
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
||||
apps_shutdown();
|
||||
OPENSSL_EXIT(ret);
|
||||
}
|
||||
|
||||
static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose, ENGINE *e)
|
||||
static int check(X509_STORE *ctx, char *file,
|
||||
STACK_OF(X509) *uchain, STACK_OF(X509) *tchain,
|
||||
STACK_OF(X509_CRL) *crls, ENGINE *e)
|
||||
{
|
||||
X509 *x=NULL;
|
||||
int i=0,ret=0;
|
||||
|
@ -260,7 +277,8 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X
|
|||
goto end;
|
||||
}
|
||||
if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
|
||||
if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
|
||||
if (crls)
|
||||
X509_STORE_CTX_set0_crls(csc, crls);
|
||||
i=X509_verify_cert(csc);
|
||||
X509_STORE_CTX_free(csc);
|
||||
|
||||
|
@ -278,90 +296,53 @@ end:
|
|||
return(ret);
|
||||
}
|
||||
|
||||
static STACK_OF(X509) *load_untrusted(char *certfile)
|
||||
{
|
||||
STACK_OF(X509_INFO) *sk=NULL;
|
||||
STACK_OF(X509) *stack=NULL, *ret=NULL;
|
||||
BIO *in=NULL;
|
||||
X509_INFO *xi;
|
||||
|
||||
if(!(stack = sk_X509_new_null())) {
|
||||
BIO_printf(bio_err,"memory allocation failure\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if(!(in=BIO_new_file(certfile, "r"))) {
|
||||
BIO_printf(bio_err,"error opening the file, %s\n",certfile);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* This loads from a file, a stack of x509/crl/pkey sets */
|
||||
if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) {
|
||||
BIO_printf(bio_err,"error reading the file, %s\n",certfile);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* scan over it and pull out the certs */
|
||||
while (sk_X509_INFO_num(sk))
|
||||
{
|
||||
xi=sk_X509_INFO_shift(sk);
|
||||
if (xi->x509 != NULL)
|
||||
{
|
||||
sk_X509_push(stack,xi->x509);
|
||||
xi->x509=NULL;
|
||||
}
|
||||
X509_INFO_free(xi);
|
||||
}
|
||||
if(!sk_X509_num(stack)) {
|
||||
BIO_printf(bio_err,"no certificates in file, %s\n",certfile);
|
||||
sk_X509_free(stack);
|
||||
goto end;
|
||||
}
|
||||
ret=stack;
|
||||
end:
|
||||
BIO_free(in);
|
||||
sk_X509_INFO_free(sk);
|
||||
return(ret);
|
||||
}
|
||||
|
||||
static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
|
||||
{
|
||||
char buf[256];
|
||||
int cert_error = X509_STORE_CTX_get_error(ctx);
|
||||
X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
|
||||
|
||||
if (!ok)
|
||||
{
|
||||
if (ctx->current_cert)
|
||||
if (current_cert)
|
||||
{
|
||||
X509_NAME_oneline(
|
||||
X509_get_subject_name(ctx->current_cert),buf,
|
||||
sizeof buf);
|
||||
printf("%s\n",buf);
|
||||
X509_NAME_print_ex_fp(stdout,
|
||||
X509_get_subject_name(current_cert),
|
||||
0, XN_FLAG_ONELINE);
|
||||
printf("\n");
|
||||
}
|
||||
printf("%serror %d at %d depth lookup:%s\n",
|
||||
X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "",
|
||||
cert_error,
|
||||
X509_STORE_CTX_get_error_depth(ctx),
|
||||
X509_verify_cert_error_string(cert_error));
|
||||
switch(cert_error)
|
||||
{
|
||||
case X509_V_ERR_NO_EXPLICIT_POLICY:
|
||||
policies_print(NULL, ctx);
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
|
||||
/* since we are just checking the certificates, it is
|
||||
* ok if they are self signed. But we should still warn
|
||||
* the user.
|
||||
*/
|
||||
|
||||
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
|
||||
/* Continue after extension errors too */
|
||||
case X509_V_ERR_INVALID_CA:
|
||||
case X509_V_ERR_INVALID_NON_CA:
|
||||
case X509_V_ERR_PATH_LENGTH_EXCEEDED:
|
||||
case X509_V_ERR_INVALID_PURPOSE:
|
||||
case X509_V_ERR_CRL_HAS_EXPIRED:
|
||||
case X509_V_ERR_CRL_NOT_YET_VALID:
|
||||
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
|
||||
ok = 1;
|
||||
|
||||
}
|
||||
printf("error %d at %d depth lookup:%s\n",ctx->error,
|
||||
ctx->error_depth,
|
||||
X509_verify_cert_error_string(ctx->error));
|
||||
if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;
|
||||
/* since we are just checking the certificates, it is
|
||||
* ok if they are self signed. But we should still warn
|
||||
* the user.
|
||||
*/
|
||||
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
|
||||
/* Continue after extension errors too */
|
||||
if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
|
||||
if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
|
||||
if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
|
||||
if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
|
||||
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
|
||||
if (ctx->error == X509_V_ERR_CRL_HAS_EXPIRED) ok=1;
|
||||
if (ctx->error == X509_V_ERR_CRL_NOT_YET_VALID) ok=1;
|
||||
if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) ok=1;
|
||||
|
||||
if (ctx->error == X509_V_ERR_NO_EXPLICIT_POLICY)
|
||||
policies_print(NULL, ctx);
|
||||
return ok;
|
||||
|
||||
}
|
||||
if ((ctx->error == X509_V_OK) && (ok == 2))
|
||||
if (cert_error == X509_V_OK && ok == 2)
|
||||
policies_print(NULL, ctx);
|
||||
if (!v_verbose)
|
||||
ERR_clear_error();
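Review bot: In `cb`, the new `switch(cert_error)` lets `case X509_V_ERR_NO_EXPLICIT_POLICY:` call `policies_print(NULL, ctx);` and then fall through into the group that sets `ok = 1`, whereas the `ctx->error` chain it appears to replace printed the policies for that error without overriding the result. If continuing after a missing explicit policy is intended, mark it with `/* fall through */` and say so next to the other tolerated errors; if not, add `break;` after the `policies_print` call. The verification outcome for policy failures hinges on this one line, so it should not be left implicit. The callback's body continues past the end of the hunk.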
|
||||
|
|
|
@ -225,7 +225,7 @@ int MAIN(int argc, char **argv)
|
|||
|
||||
ctx=X509_STORE_new();
|
||||
if (ctx == NULL) goto end;
|
||||
X509_STORE_set_verify_cb_func(ctx,callb);
|
||||
X509_STORE_set_verify_cb(ctx,callb);
|
||||
|
||||
argc--;
|
||||
argv++;
|
||||
|
|
|
@ -48,10 +48,10 @@ done
|
|||
|
||||
# First get uname entries that we use below
|
||||
|
||||
MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
|
||||
RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
|
||||
SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
|
||||
VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
|
||||
[ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
|
||||
[ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
|
||||
[ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
|
||||
[ "$BUILD" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
|
||||
|
||||
|
||||
# Now test for ISC and SCO, since it is has a braindamaged uname.
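Review bot: The fourth added line tests `$BUILD` but assigns `VERSION`, unlike the three lines above it, which each test the variable they set. As written, a `VERSION` supplied in the environment is overwritten by `uname -v` unless `BUILD` also happens to be set, and setting only `BUILD` leaves `VERSION` empty. If the same override pattern is intended, the line should read ``[ "$VERSION" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"``. Since these values can now come from the caller's environment, a one-line comment above the block saying they are build-time overrides would make that dependency visible to whoever audits a build.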
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
$PREFIX="aesni"; # if $PREFIX is set to "AES", the script
|
||||
# generates drop-in replacement for
|
||||
# crypto/aes/asm/aes-586.pl:-)
|
||||
$inline=1; # inline _aesni_[en|de]crypt
|
||||
|
||||
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
|
||||
push(@INC,"${dir}","${dir}../../perlasm");
|
||||
|
@ -105,27 +106,33 @@ sub aesni_generate1 # fully unrolled loop
|
|||
}
|
||||
|
||||
# void $PREFIX_encrypt (const void *inp,void *out,const AES_KEY *key);
|
||||
# &aesni_generate1("dec");
|
||||
&aesni_generate1("enc") if (!$inline);
|
||||
&function_begin_B("${PREFIX}_encrypt");
|
||||
&mov ("eax",&wparam(0));
|
||||
&mov ($key,&wparam(2));
|
||||
&movups ($inout0,&QWP(0,"eax"));
|
||||
&mov ($rounds,&DWP(240,$key));
|
||||
&mov ("eax",&wparam(1));
|
||||
&aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("enc"); }
|
||||
else
|
||||
{ &call ("_aesni_encrypt1"); }
|
||||
&movups (&QWP(0,"eax"),$inout0);
|
||||
&ret ();
|
||||
&function_end_B("${PREFIX}_encrypt");
|
||||
|
||||
# void $PREFIX_decrypt (const void *inp,void *out,const AES_KEY *key);
|
||||
# &aesni_generate1("dec");
|
||||
&aesni_generate1("dec") if(!$inline);
|
||||
&function_begin_B("${PREFIX}_decrypt");
|
||||
&mov ("eax",&wparam(0));
|
||||
&mov ($key,&wparam(2));
|
||||
&movups ($inout0,&QWP(0,"eax"));
|
||||
&mov ($rounds,&DWP(240,$key));
|
||||
&mov ("eax",&wparam(1));
|
||||
&aesni_inline_generate1("dec"); # &call ("_aesni_decrypt1");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("dec"); }
|
||||
else
|
||||
{ &call ("_aesni_decrypt1"); }
|
||||
&movups (&QWP(0,"eax"),$inout0);
|
||||
&ret ();
|
||||
&function_end_B("${PREFIX}_decrypt");
|
||||
|
@ -283,7 +290,10 @@ if ($PREFIX eq "aesni") {
|
|||
jmp (&label("ecb_ret"));
|
||||
|
||||
&set_label("ecb_enc_one",16);
|
||||
&aesni_inline_generate1("enc"); # &call ("_aesni_encrypt1");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("enc"); }
|
||||
else
|
||||
{ &call ("_aesni_encrypt1"); }
|
||||
&movups (&QWP(0,$out),$inout0);
|
||||
&jmp (&label("ecb_ret"));
|
||||
|
||||
|
@ -342,7 +352,10 @@ if ($PREFIX eq "aesni") {
|
|||
&jmp (&label("ecb_ret"));
|
||||
|
||||
&set_label("ecb_dec_one",16);
|
||||
&aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("dec"); }
|
||||
else
|
||||
{ &call ("_aesni_decrypt1"); }
|
||||
&movups (&QWP(0,$out),$inout0);
|
||||
&jmp (&label("ecb_ret"));
|
||||
|
||||
|
@ -391,7 +404,10 @@ if ($PREFIX eq "aesni") {
|
|||
&movups ($ivec,&QWP(0,$inp));
|
||||
&lea ($inp,&DWP(16,$inp));
|
||||
&pxor ($inout0,$ivec);
|
||||
&aesni_inline_generate1("enc"); # &call ("_aesni_encrypt3");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("enc"); }
|
||||
else
|
||||
{ &call ("_aesni_encrypt1"); }
|
||||
&sub ($len,16);
|
||||
&lea ($out,&DWP(16,$out));
|
||||
&mov ($rounds,$rounds_); # restore $rounds
|
||||
|
@ -474,7 +490,10 @@ if ($PREFIX eq "aesni") {
|
|||
&jmp (&label("cbc_dec_tail_collected"));
|
||||
|
||||
&set_label("cbc_dec_one");
|
||||
&aesni_inline_generate1("dec"); # &call ("_aesni_decrypt3");
|
||||
if ($inline)
|
||||
{ &aesni_inline_generate1("dec"); }
|
||||
else
|
||||
{ &call ("_aesni_decrypt1"); }
|
||||
&pxor ($inout0,$ivec);
|
||||
&movaps ($ivec,$in0);
|
||||
&jmp (&label("cbc_dec_tail_collected"));
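Review bot: The same four-line `if ($inline) ... else { &call (...) }` selection is now written out six times (in `${PREFIX}_encrypt`, `${PREFIX}_decrypt`, `ecb_enc_one`, `ecb_dec_one`, the CBC encrypt loop and `cbc_dec_one`), so a single site can end up naming the wrong routine without anyone noticing. The comments being replaced at `ecb_dec_one`, the CBC encrypt loop and `cbc_dec_one` mentioned `_aesni_decrypt3`/`_aesni_encrypt3`, so it is worth confirming that the one-block routine is what each of those sites wants when `$inline` is 0. A small helper keeps the choice in one place, and each call site becomes one line again.

```perl
# Emit one single-block operation: inlined rounds when $inline is set,
# otherwise a call to the out-of-line routine (_aesni_encrypt1 or
# _aesni_decrypt1, selected by $p).
sub aesni_one_block
{ my $p=shift;	# "enc" or "dec"

    if ($inline)
    {	&aesni_inline_generate1($p);	}
    else
    {	&call	("_aesni_${p}rypt1");	}
}

# ... unchanged: argument loading in ${PREFIX}_encrypt ...
	&aesni_one_block("enc");
```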
|
||||
|
|
|
@ -87,7 +87,8 @@ int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
|
|||
p=str;
|
||||
i2d(data,&p);
|
||||
|
||||
EVP_Digest(str, i, md, len, type, NULL);
|
||||
if (!EVP_Digest(str, i, md, len, type, NULL))
|
||||
return 0;
|
||||
OPENSSL_free(str);
|
||||
return(1);
|
||||
}
|
||||
|
@ -104,7 +105,8 @@ int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
|
|||
i=ASN1_item_i2d(asn,&str, it);
|
||||
if (!str) return(0);
|
||||
|
||||
EVP_Digest(str, i, md, len, type, NULL);
|
||||
if (!EVP_Digest(str, i, md, len, type, NULL))
|
||||
return 0;
|
||||
OPENSSL_free(str);
|
||||
return(1);
|
||||
}
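Review bot: Both added early returns leak `str`: in ASN1_digest and in ASN1_item_digest the new `return 0;` sits before `OPENSSL_free(str);`, so a failing EVP_Digest leaves the encoded buffer allocated. Free it before returning, `if (!EVP_Digest(str, i, md, len, type, NULL)) { OPENSSL_free(str); return 0; }`, or keep the result in a local and fall through to the existing free. Both function bodies begin outside their hunks, so the allocation is not visible here; in ASN1_item_digest it presumably comes from `ASN1_item_i2d(asn,&str, it)`.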
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
|
||||
#ifndef NO_OLD_ASN1
|
||||
|
||||
void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x)
|
||||
void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x)
|
||||
{
|
||||
unsigned char *b,*p;
|
||||
const unsigned char *p2;
|
||||
|
|
|
@ -93,7 +93,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
|
|||
int str_type;
|
||||
int ret;
|
||||
char free_out;
|
||||
int outform, outlen;
|
||||
int outform, outlen = 0;
|
||||
ASN1_STRING *dest;
|
||||
unsigned char *p;
|
||||
int nchar;
|
||||
|
|
|
@ -290,6 +290,17 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
|
|||
const unsigned char *p;
|
||||
unsigned char *data;
|
||||
int i;
|
||||
/* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
|
||||
* X.690 8.19.2
|
||||
*/
|
||||
for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
|
||||
{
|
||||
if (*p == 0x80)
|
||||
{
|
||||
ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/* only the ASN1_OBJECTs from the 'table' will have values
|
||||
* for ->sn or ->ln */
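Review bot: The added loop in c2i_ASN1_OBJECT does not match the rule it cites. X.690 8.19.2 forbids 0x80 only as the leading octet of a subidentifier, but the loop starts at `*pp + 1` and rejects 0x80 at every later position, so it never examines the first content octet and it refuses valid encodings in which 0x80 is a continuation octet (0x81 0x80, for example). Scanning from the first octet and testing the high bit of the preceding byte addresses both: `for (i = 0, p = *pp; i < len; i++, p++)` with `if (*p == 0x80 && (!i || !(p[-1] & 0x80)))`. A guard that `len` is positive before the loop would also be worth adding, since `len - 1` is used as the bound. The function body starts and ends outside the hunk.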
|
||||
|
|
|
@ -184,9 +184,9 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
|
|||
p=buf_in;
|
||||
|
||||
i2d(data,&p);
|
||||
EVP_SignInit_ex(&ctx,type, NULL);
|
||||
EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
|
||||
if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
|
||||
if (!EVP_SignInit_ex(&ctx,type, NULL)
|
||||
|| !EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl)
|
||||
|| !EVP_SignFinal(&ctx,(unsigned char *)buf_out,
|
||||
(unsigned int *)&outl,pkey))
|
||||
{
|
||||
outl=0;
|
||||
|
@ -270,9 +270,9 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
|
|||
goto err;
|
||||
}
|
||||
|
||||
EVP_SignInit_ex(&ctx,type, NULL);
|
||||
EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
|
||||
if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
|
||||
if (!EVP_SignInit_ex(&ctx,type, NULL)
|
||||
|| !EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl)
|
||||
|| !EVP_SignFinal(&ctx,(unsigned char *)buf_out,
|
||||
(unsigned int *)&outl,pkey))
|
||||
{
|
||||
outl=0;
|
||||
|
|
|
@ -101,8 +101,13 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
|
|||
p=buf_in;
|
||||
|
||||
i2d(data,&p);
|
||||
EVP_VerifyInit_ex(&ctx,type, NULL);
|
||||
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
|
||||
if (!EVP_VerifyInit_ex(&ctx,type, NULL)
|
||||
|| !EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
|
||||
{
|
||||
ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
|
||||
ret=0;
|
||||
goto err;
|
||||
}
|
||||
|
||||
OPENSSL_cleanse(buf_in,(unsigned int)inl);
|
||||
OPENSSL_free(buf_in);
|
||||
|
@ -173,7 +178,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
|
|||
goto err;
|
||||
}
|
||||
|
||||
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
|
||||
if (!EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl))
|
||||
{
|
||||
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
|
||||
ret=0;
|
||||
goto err;
|
||||
}
|
||||
|
||||
OPENSSL_cleanse(buf_in,(unsigned int)inl);
|
||||
OPENSSL_free(buf_in);
|
||||
|
|
|
@ -301,6 +301,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new(int id, int flags,
|
|||
if (!ameth->info)
|
||||
goto err;
|
||||
}
|
||||
else
|
||||
ameth->info = NULL;
|
||||
|
||||
if (pem_str)
|
||||
{
|
||||
|
@ -308,6 +310,8 @@ EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new(int id, int flags,
|
|||
if (!ameth->pem_str)
|
||||
goto err;
|
||||
}
|
||||
else
|
||||
ameth->pem_str = NULL;
|
||||
|
||||
ameth->pub_decode = 0;
|
||||
ameth->pub_encode = 0;
|
||||
|
|
|
@ -230,6 +230,10 @@ typedef struct asn1_object_st
|
|||
*/
|
||||
|
||||
#define ASN1_STRING_FLAG_CONT 0x020
|
||||
/* This flag is used by ASN1 code to indicate an ASN1_STRING is an MSTRING
|
||||
* type.
|
||||
*/
|
||||
#define ASN1_STRING_FLAG_MSTRING 0x040
|
||||
/* This is the base type that holds just about everything :-) */
|
||||
typedef struct asn1_string_st
|
||||
{
|
||||
|
@ -948,7 +952,7 @@ int ASN1_put_eoc(unsigned char **pp);
|
|||
int ASN1_object_size(int constructed, int length, int tag);
|
||||
|
||||
/* Used to implement other functions */
|
||||
void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x);
|
||||
void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x);
|
||||
|
||||
#define ASN1_dup_of(type,i2d,d2i,x) \
|
||||
((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \
|
||||
|
@ -1262,6 +1266,7 @@ void ERR_load_ASN1_strings(void);
|
|||
#define ASN1_F_PKCS5_PBE2_SET_IV 167
|
||||
#define ASN1_F_PKCS5_PBE_SET 202
|
||||
#define ASN1_F_PKCS5_PBE_SET0_ALGOR 215
|
||||
#define ASN1_F_PKCS5_PBKDF2_SET 219
|
||||
#define ASN1_F_SMIME_READ_ASN1 212
|
||||
#define ASN1_F_SMIME_TEXT 213
|
||||
#define ASN1_F_X509_CINF_NEW 168
|
||||
|
@ -1328,6 +1333,7 @@ void ERR_load_ASN1_strings(void);
|
|||
#define ASN1_R_INVALID_MIME_TYPE 205
|
||||
#define ASN1_R_INVALID_MODIFIER 186
|
||||
#define ASN1_R_INVALID_NUMBER 187
|
||||
#define ASN1_R_INVALID_OBJECT_ENCODING 216
|
||||
#define ASN1_R_INVALID_SEPARATOR 131
|
||||
#define ASN1_R_INVALID_TIME_FORMAT 132
|
||||
#define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH 133
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* crypto/asn1/asn1_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -179,6 +179,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
|
|||
{ERR_FUNC(ASN1_F_PKCS5_PBE2_SET_IV), "PKCS5_pbe2_set_iv"},
|
||||
{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"},
|
||||
{ERR_FUNC(ASN1_F_PKCS5_PBE_SET0_ALGOR), "PKCS5_pbe_set0_algor"},
|
||||
{ERR_FUNC(ASN1_F_PKCS5_PBKDF2_SET), "PKCS5_pbkdf2_set"},
|
||||
{ERR_FUNC(ASN1_F_SMIME_READ_ASN1), "SMIME_read_ASN1"},
|
||||
{ERR_FUNC(ASN1_F_SMIME_TEXT), "SMIME_text"},
|
||||
{ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"},
|
||||
|
@ -248,6 +249,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
|
|||
{ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"},
|
||||
{ERR_REASON(ASN1_R_INVALID_MODIFIER) ,"invalid modifier"},
|
||||
{ERR_REASON(ASN1_R_INVALID_NUMBER) ,"invalid number"},
|
||||
{ERR_REASON(ASN1_R_INVALID_OBJECT_ENCODING),"invalid object encoding"},
|
||||
{ERR_REASON(ASN1_R_INVALID_SEPARATOR) ,"invalid separator"},
|
||||
{ERR_REASON(ASN1_R_INVALID_TIME_FORMAT) ,"invalid time format"},
|
||||
{ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"},
|
||||
|
|
|
@ -227,6 +227,8 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
|
|||
/* Allocate buffer for new encoding */
|
||||
|
||||
new_der = OPENSSL_malloc(len);
|
||||
if (!new_der)
|
||||
goto err;
|
||||
|
||||
/* Generate tagged encoding */
|
||||
|
||||
|
@ -452,6 +454,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
|
|||
int derlen;
|
||||
int i;
|
||||
sk = sk_ASN1_TYPE_new_null();
|
||||
if (!sk)
|
||||
goto bad;
|
||||
if (section)
|
||||
{
|
||||
if (!cnf)
|
||||
|
@ -464,7 +468,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
|
|||
ASN1_TYPE *typ = ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf);
|
||||
if (!typ)
|
||||
goto bad;
|
||||
sk_ASN1_TYPE_push(sk, typ);
|
||||
if (!sk_ASN1_TYPE_push(sk, typ))
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -475,6 +480,9 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
|
|||
else
|
||||
derlen = i2d_ASN1_SEQUENCE_ANY(sk, &der);
|
||||
|
||||
if (derlen < 0)
|
||||
goto bad;
|
||||
|
||||
if (!(ret = ASN1_TYPE_new()))
|
||||
goto bad;
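Review bot: In asn1_multi, when `sk_ASN1_TYPE_push(sk, typ)` fails the new `goto bad` abandons `typ`, which at that point is held neither by the stack nor by any other visible variable. The `bad` label is outside the hunk, but `typ` is declared inside the loop body, so it cannot be released from there. Free it on that path: `if (!sk_ASN1_TYPE_push(sk, typ)) { ASN1_TYPE_free(typ); goto bad; }`.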
|
||||
|
||||
|
|
|
@ -239,7 +239,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
|
|||
ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
|
||||
if (ii < 0)
|
||||
{
|
||||
if (BIO_write(bp,"Bad boolean\n",12))
|
||||
if (BIO_write(bp,"Bad boolean\n",12) <= 0)
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(bp,":%d",ii);
|
||||
|
|
|
@ -87,9 +87,13 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
|
|||
}
|
||||
else ret= *a;
|
||||
|
||||
ret->save_type=type;
|
||||
ret->type=EVP_PKEY_type(type);
|
||||
switch (ret->type)
|
||||
if (!EVP_PKEY_set_type(ret, type))
|
||||
{
|
||||
ASN1err(ASN1_F_D2I_PUBLICKEY,ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
switch (EVP_PKEY_id(ret))
|
||||
{
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
case EVP_PKEY_RSA:
|
||||
|
|
|
@ -129,6 +129,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
|
|||
unsigned char buf[256],*zz;
|
||||
unsigned char key[EVP_MAX_KEY_LENGTH];
|
||||
EVP_CIPHER_CTX ctx;
|
||||
EVP_CIPHER_CTX_init(&ctx);
|
||||
|
||||
if (a == NULL) return(0);
|
||||
|
||||
|
@ -206,24 +207,28 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
|
|||
i = strlen((char *)buf);
|
||||
/* If the key is used for SGC the algorithm is modified a little. */
|
||||
if(sgckey) {
|
||||
EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL);
|
||||
if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
|
||||
goto err;
|
||||
memcpy(buf + 16, "SGCKEYSALT", 10);
|
||||
i = 26;
|
||||
}
|
||||
|
||||
EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
|
||||
if (!EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL))
|
||||
goto err;
|
||||
OPENSSL_cleanse(buf,256);
|
||||
|
||||
/* Encrypt private key in place */
|
||||
zz = enckey->enckey->digest->data;
|
||||
EVP_CIPHER_CTX_init(&ctx);
|
||||
EVP_EncryptInit_ex(&ctx,EVP_rc4(),NULL,key,NULL);
|
||||
EVP_EncryptUpdate(&ctx,zz,&i,zz,pkeylen);
|
||||
EVP_EncryptFinal_ex(&ctx,zz + i,&j);
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
if (!EVP_EncryptInit_ex(&ctx,EVP_rc4(),NULL,key,NULL))
|
||||
goto err;
|
||||
if (!EVP_EncryptUpdate(&ctx,zz,&i,zz,pkeylen))
|
||||
goto err;
|
||||
if (!EVP_EncryptFinal_ex(&ctx,zz + i,&j))
|
||||
goto err;
|
||||
|
||||
ret = i2d_NETSCAPE_ENCRYPTED_PKEY(enckey, pp);
|
||||
err:
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
NETSCAPE_ENCRYPTED_PKEY_free(enckey);
|
||||
NETSCAPE_PKEY_free(pkey);
|
||||
return(ret);
|
||||
|
@ -289,6 +294,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
|
|||
const unsigned char *zz;
|
||||
unsigned char key[EVP_MAX_KEY_LENGTH];
|
||||
EVP_CIPHER_CTX ctx;
|
||||
EVP_CIPHER_CTX_init(&ctx);
|
||||
|
||||
i=cb((char *)buf,256,"Enter Private Key password:",0);
|
||||
if (i != 0)
|
||||
|
@ -299,19 +305,22 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
|
|||
|
||||
i = strlen((char *)buf);
|
||||
if(sgckey){
|
||||
EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL);
|
||||
if (!EVP_Digest(buf, i, buf, NULL, EVP_md5(), NULL))
|
||||
goto err;
|
||||
memcpy(buf + 16, "SGCKEYSALT", 10);
|
||||
i = 26;
|
||||
}
|
||||
|
||||
EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
|
||||
if (!EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL))
|
||||
goto err;
|
||||
OPENSSL_cleanse(buf,256);
|
||||
|
||||
EVP_CIPHER_CTX_init(&ctx);
|
||||
EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL);
|
||||
EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length);
|
||||
EVP_DecryptFinal_ex(&ctx,&(os->data[i]),&j);
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
if (!EVP_DecryptInit_ex(&ctx,EVP_rc4(),NULL, key,NULL))
|
||||
goto err;
|
||||
if (!EVP_DecryptUpdate(&ctx,os->data,&i,os->data,os->length))
|
||||
goto err;
|
||||
if (!EVP_DecryptFinal_ex(&ctx,&(os->data[i]),&j))
|
||||
goto err;
|
||||
os->length=i+j;
|
||||
|
||||
zz=os->data;
|
||||
|
@ -329,6 +338,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
|
|||
goto err;
|
||||
}
|
||||
err:
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
NETSCAPE_PKEY_free(pkey);
|
||||
return(ret);
|
||||
}
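Review bot: The new `goto err` exits in i2d_RSA_NET and d2i_RSA_NET_2 jump over `OPENSSL_cleanse(buf,256);`, so when EVP_Digest or EVP_BytesToKey fails, the buffer that `strlen((char *)buf)` treats as the passphrase stays on the stack; `key`, the derived RC4 key, is not wiped on any visible path. Moving the wipe under the `err:` label, next to the new `EVP_CIPHER_CTX_cleanup(&ctx);`, covers success and failure alike: `OPENSSL_cleanse(buf,256); OPENSSL_cleanse(key,sizeof key);`. Both function bodies extend beyond their hunks; an earlier `goto err` taken before `buf` is filled would then only wipe unused stack, which is harmless.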
|
||||
|
|
|
@ -91,12 +91,10 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||
unsigned char *aiv, int prf_nid)
|
||||
{
|
||||
X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
|
||||
int alg_nid;
|
||||
int alg_nid, keylen;
|
||||
EVP_CIPHER_CTX ctx;
|
||||
unsigned char iv[EVP_MAX_IV_LENGTH];
|
||||
PBKDF2PARAM *kdf = NULL;
|
||||
PBE2PARAM *pbe2 = NULL;
|
||||
ASN1_OCTET_STRING *osalt = NULL;
|
||||
ASN1_OBJECT *obj;
|
||||
|
||||
alg_nid = EVP_CIPHER_type(cipher);
|
||||
|
@ -127,7 +125,8 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||
EVP_CIPHER_CTX_init(&ctx);
|
||||
|
||||
/* Dummy cipherinit to just setup the IV, and PRF */
|
||||
EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0);
|
||||
if (!EVP_CipherInit_ex(&ctx, cipher, NULL, NULL, iv, 0))
|
||||
goto err;
|
||||
if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
|
||||
ASN1err(ASN1_F_PKCS5_PBE2_SET_IV,
|
||||
ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
|
||||
|
@ -145,55 +144,19 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||
}
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
if(!(kdf = PBKDF2PARAM_new())) goto merr;
|
||||
if(!(osalt = M_ASN1_OCTET_STRING_new())) goto merr;
|
||||
|
||||
if (!saltlen) saltlen = PKCS5_SALT_LEN;
|
||||
if (!(osalt->data = OPENSSL_malloc (saltlen))) goto merr;
|
||||
osalt->length = saltlen;
|
||||
if (salt) memcpy (osalt->data, salt, saltlen);
|
||||
else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0) goto merr;
|
||||
|
||||
if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
|
||||
if(!ASN1_INTEGER_set(kdf->iter, iter)) goto merr;
|
||||
|
||||
/* Now include salt in kdf structure */
|
||||
kdf->salt->value.octet_string = osalt;
|
||||
kdf->salt->type = V_ASN1_OCTET_STRING;
|
||||
osalt = NULL;
|
||||
|
||||
/* If its RC2 then we'd better setup the key length */
|
||||
|
||||
if(alg_nid == NID_rc2_cbc) {
|
||||
if(!(kdf->keylength = M_ASN1_INTEGER_new())) goto merr;
|
||||
if(!ASN1_INTEGER_set (kdf->keylength,
|
||||
EVP_CIPHER_key_length(cipher))) goto merr;
|
||||
}
|
||||
if(alg_nid == NID_rc2_cbc)
|
||||
keylen = EVP_CIPHER_key_length(cipher);
|
||||
else
|
||||
keylen = -1;
|
||||
|
||||
/* prf can stay NULL if we are using hmacWithSHA1 */
|
||||
if (prf_nid != NID_hmacWithSHA1)
|
||||
{
|
||||
kdf->prf = X509_ALGOR_new();
|
||||
if (!kdf->prf)
|
||||
goto merr;
|
||||
X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
|
||||
V_ASN1_NULL, NULL);
|
||||
}
|
||||
/* Setup keyfunc */
|
||||
|
||||
/* Now setup the PBE2PARAM keyfunc structure */
|
||||
pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);
|
||||
|
||||
pbe2->keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
|
||||
|
||||
/* Encode PBKDF2PARAM into parameter of pbe2 */
|
||||
|
||||
if(!(pbe2->keyfunc->parameter = ASN1_TYPE_new())) goto merr;
|
||||
|
||||
if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
|
||||
&pbe2->keyfunc->parameter->value.sequence)) goto merr;
|
||||
pbe2->keyfunc->parameter->type = V_ASN1_SEQUENCE;
|
||||
|
||||
PBKDF2PARAM_free(kdf);
|
||||
kdf = NULL;
|
||||
if (!pbe2->keyfunc)
|
||||
goto merr;
|
||||
|
||||
/* Now set up top level AlgorithmIdentifier */
|
||||
|
||||
|
@ -219,8 +182,6 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
|
|||
err:
|
||||
PBE2PARAM_free(pbe2);
|
||||
/* Note 'scheme' is freed as part of pbe2 */
|
||||
M_ASN1_OCTET_STRING_free(osalt);
|
||||
PBKDF2PARAM_free(kdf);
|
||||
X509_ALGOR_free(kalg);
|
||||
X509_ALGOR_free(ret);
|
||||
|
||||
|
@ -233,3 +194,85 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
|
|||
{
|
||||
return PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, -1);
|
||||
}
|
||||
|
||||
X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
|
||||
int prf_nid, int keylen)
|
||||
{
|
||||
X509_ALGOR *keyfunc = NULL;
|
||||
PBKDF2PARAM *kdf = NULL;
|
||||
ASN1_OCTET_STRING *osalt = NULL;
|
||||
|
||||
if(!(kdf = PBKDF2PARAM_new()))
|
||||
goto merr;
|
||||
if(!(osalt = M_ASN1_OCTET_STRING_new()))
|
||||
goto merr;
|
||||
|
||||
kdf->salt->value.octet_string = osalt;
|
||||
kdf->salt->type = V_ASN1_OCTET_STRING;
|
||||
|
||||
if (!saltlen)
|
||||
saltlen = PKCS5_SALT_LEN;
|
||||
if (!(osalt->data = OPENSSL_malloc (saltlen)))
|
||||
goto merr;
|
||||
|
||||
osalt->length = saltlen;
|
||||
|
||||
if (salt)
|
||||
memcpy (osalt->data, salt, saltlen);
|
||||
else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
|
||||
goto merr;
|
||||
|
||||
if(iter <= 0)
|
||||
iter = PKCS5_DEFAULT_ITER;
|
||||
|
||||
if(!ASN1_INTEGER_set(kdf->iter, iter))
|
||||
goto merr;
|
||||
|
||||
/* If have a key len set it up */
|
||||
|
||||
if(keylen > 0)
|
||||
{
|
||||
if(!(kdf->keylength = M_ASN1_INTEGER_new()))
|
||||
goto merr;
|
||||
if(!ASN1_INTEGER_set (kdf->keylength, keylen))
|
||||
goto merr;
|
||||
}
|
||||
|
||||
/* prf can stay NULL if we are using hmacWithSHA1 */
|
||||
if (prf_nid > 0 && prf_nid != NID_hmacWithSHA1)
|
||||
{
|
||||
kdf->prf = X509_ALGOR_new();
|
||||
if (!kdf->prf)
|
||||
goto merr;
|
||||
X509_ALGOR_set0(kdf->prf, OBJ_nid2obj(prf_nid),
|
||||
V_ASN1_NULL, NULL);
|
||||
}
|
||||
|
||||
/* Finally setup the keyfunc structure */
|
||||
|
||||
keyfunc = X509_ALGOR_new();
|
||||
if (!keyfunc)
|
||||
goto merr;
|
||||
|
||||
keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2);
|
||||
|
||||
/* Encode PBKDF2PARAM into parameter of pbe2 */
|
||||
|
||||
if(!(keyfunc->parameter = ASN1_TYPE_new()))
|
||||
goto merr;
|
||||
|
||||
if(!ASN1_item_pack(kdf, ASN1_ITEM_rptr(PBKDF2PARAM),
|
||||
&keyfunc->parameter->value.sequence))
|
||||
goto merr;
|
||||
keyfunc->parameter->type = V_ASN1_SEQUENCE;
|
||||
|
||||
PBKDF2PARAM_free(kdf);
|
||||
return keyfunc;
|
||||
|
||||
merr:
|
||||
ASN1err(ASN1_F_PKCS5_PBKDF2_SET,ERR_R_MALLOC_FAILURE);
|
||||
PBKDF2PARAM_free(kdf);
|
||||
X509_ALGOR_free(keyfunc);
|
||||
return NULL;
|
||||
}
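Review bot: In PKCS5_pbe2_set_iv the new assignment `pbe2->keyfunc = PKCS5_pbkdf2_set(iter, salt, saltlen, prf_nid, keylen);` overwrites a pointer that the removed code dereferenced directly (`pbe2->keyfunc->algorithm = ...`), which suggests the PBE2PARAM allocator had already populated it; if so, the earlier X509_ALGOR is leaked on every call, and `X509_ALGOR_free(pbe2->keyfunc);` just before the assignment would avoid that. Separately, in the new PKCS5_pbkdf2_set a caller passing a non-NULL `salt` with `saltlen` 0 has `saltlen` replaced by PKCS5_SALT_LEN, after which `memcpy (osalt->data, salt, saltlen)` reads that many bytes from the caller's buffer. A header comment stating that `salt` must hold at least PKCS5_SALT_LEN bytes in that case, or a check rejecting the combination, would make the contract explicit. The `merr` path also reports ERR_R_MALLOC_FAILURE when the failing call was `RAND_pseudo_bytes`, which will mislead anyone diagnosing an RNG problem.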
|
||||
|
||||
|
|
|
@ -255,7 +255,8 @@ int X509_ocspid_print (BIO *bp, X509 *x)
|
|||
goto err;
|
||||
i2d_X509_NAME(x->cert_info->subject, &dertmp);
|
||||
|
||||
EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL);
|
||||
if (!EVP_Digest(der, derlen, SHA1md, NULL, EVP_sha1(), NULL))
|
||||
goto err;
|
||||
for (i=0; i < SHA_DIGEST_LENGTH; i++)
|
||||
{
|
||||
if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0) goto err;
|
||||
|
@ -268,8 +269,10 @@ int X509_ocspid_print (BIO *bp, X509 *x)
|
|||
if (BIO_printf(bp,"\n Public key OCSP hash: ") <= 0)
|
||||
goto err;
|
||||
|
||||
EVP_Digest(x->cert_info->key->public_key->data,
|
||||
x->cert_info->key->public_key->length, SHA1md, NULL, EVP_sha1(), NULL);
|
||||
if (!EVP_Digest(x->cert_info->key->public_key->data,
|
||||
x->cert_info->key->public_key->length,
|
||||
SHA1md, NULL, EVP_sha1(), NULL))
|
||||
goto err;
|
||||
for (i=0; i < SHA_DIGEST_LENGTH; i++)
|
||||
{
|
||||
if (BIO_printf(bp,"%02X",SHA1md[i]) <= 0)
|
||||
|
@ -376,7 +379,7 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
|
|||
{
|
||||
s= (v[12]-'0')*10+(v[13]-'0');
|
||||
/* Check for fractions of seconds. */
|
||||
if (i >= 15 && v[14] == '.')
|
||||
if (tm->length >= 15 && v[14] == '.')
|
||||
{
|
||||
int l = tm->length;
|
||||
f = &v[14]; /* The decimal point. */
|
||||
|
|
|
@ -325,6 +325,7 @@ static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
|
|||
int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
|
||||
{
|
||||
ASN1_TYPE *typ;
|
||||
ASN1_STRING *str;
|
||||
int utype;
|
||||
|
||||
if (it && it->funcs)
|
||||
|
@ -362,7 +363,10 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
|
|||
break;
|
||||
|
||||
default:
|
||||
*pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);
|
||||
str = ASN1_STRING_type_new(utype);
|
||||
if (it->itype == ASN1_ITYPE_MSTRING && str)
|
||||
str->flags |= ASN1_STRING_FLAG_MSTRING;
|
||||
*pval = (ASN1_VALUE *)str;
|
||||
break;
|
||||
}
|
||||
if (*pval)
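Review bot: The new `it->itype` test in the `default:` branch dereferences `it` without a NULL check, while the top of ASN1_primitive_new (`if (it && it->funcs)`, visible in the previous hunk) treats a NULL `it` as possible. Whether a NULL item can still reach this switch depends on lines between the two hunks that are not shown; if it can, the branch should read `if (it && it->itype == ASN1_ITYPE_MSTRING && str)`. The function body starts and ends outside this hunk.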
|
||||
|
|
|
@ -157,6 +157,7 @@ extern "C" {
|
|||
* previous write
|
||||
* operation */
|
||||
|
||||
#define BIO_CTRL_DGRAM_GET_PEER 46
|
||||
#define BIO_CTRL_DGRAM_SET_PEER 44 /* Destination for the data */
|
||||
|
||||
#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to
|
||||
|
@ -538,6 +539,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
|
|||
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP, 0, NULL)
|
||||
#define BIO_dgram_send_timedout(b) \
|
||||
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP, 0, NULL)
|
||||
#define BIO_dgram_get_peer(b,peer) \
|
||||
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
|
||||
#define BIO_dgram_set_peer(b,peer) \
|
||||
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
|
||||
|
||||
|
|
|
@ -108,7 +108,13 @@ static BIO_METHOD methods_dgramp=
|
|||
|
||||
typedef struct bio_dgram_data_st
|
||||
{
|
||||
struct sockaddr peer;
|
||||
union {
|
||||
struct sockaddr sa;
|
||||
struct sockaddr_in sa_in;
|
||||
#if OPENSSL_USE_IPV6
|
||||
struct sockaddr_in6 sa_in6;
|
||||
#endif
|
||||
} peer;
|
||||
unsigned int connected;
|
||||
unsigned int _errno;
|
||||
unsigned int mtu;
|
||||
|
@ -274,27 +280,41 @@ static int dgram_read(BIO *b, char *out, int outl)
|
|||
int ret=0;
|
||||
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
|
||||
|
||||
struct sockaddr peer;
|
||||
int peerlen = sizeof(peer);
|
||||
struct {
|
||||
/*
|
||||
* See commentary in b_sock.c. <appro>
|
||||
*/
|
||||
union { size_t s; int i; } len;
|
||||
union {
|
||||
struct sockaddr sa;
|
||||
struct sockaddr_in sa_in;
|
||||
#if OPENSSL_USE_IPV6
|
||||
struct sockaddr_in6 sa_in6;
|
||||
#endif
|
||||
} peer;
|
||||
} sa;
|
||||
|
||||
sa.len.s=0;
|
||||
sa.len.i=sizeof(sa.peer);
|
||||
|
||||
if (out != NULL)
|
||||
{
|
||||
clear_socket_error();
|
||||
memset(&peer, 0x00, peerlen);
|
||||
/* Last arg in recvfrom is signed on some platforms and
|
||||
* unsigned on others. It is of type socklen_t on some
|
||||
* but this is not universal. Cast to (void *) to avoid
|
||||
* compiler warnings.
|
||||
*/
|
||||
memset(&sa.peer, 0x00, sizeof(sa.peer));
|
||||
dgram_adjust_rcv_timeout(b);
|
||||
ret=recvfrom(b->num,out,outl,0,&peer,(void *)&peerlen);
|
||||
ret=recvfrom(b->num,out,outl,0,&sa.peer.sa,(void *)&sa.len);
|
||||
if (sizeof(sa.len.i)!=sizeof(sa.len.s) && sa.len.i==0)
|
||||
{
|
||||
OPENSSL_assert(sa.len.s<=sizeof(sa.peer));
|
||||
sa.len.i = (int)sa.len.s;
|
||||
}
|
||||
dgram_reset_rcv_timeout(b);
|
||||
|
||||
if ( ! data->connected && ret > 0)
|
||||
BIO_ctrl(b, BIO_CTRL_DGRAM_CONNECT, 0, &peer);
|
||||
if ( ! data->connected && ret >= 0)
|
||||
BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &sa.peer);
|
||||
|
||||
BIO_clear_retry_flags(b);
|
||||
if (ret <= 0)
|
||||
if (ret < 0)
|
||||
{
|
||||
if (BIO_dgram_should_retry(ret))
|
||||
{
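Review bot: On an unconnected BIO the changed condition `ret >= 0` now records the source address of every datagram as `data->peer`, including an empty one, and the unconnected branch of dgram_write in the next hunk sends to that address. A UDP source address is not authenticated, so any sender can redirect later writes until the BIO is connected. If updating the peer on a zero-length datagram is intended, say so next to the call, for example `/* peer follows the last datagram's (unauthenticated) source address, even for empty datagrams */`; otherwise keep `ret > 0`. dgram_read starts and ends outside this hunk.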
|
||||
|
@ -312,19 +332,19 @@ static int dgram_write(BIO *b, const char *in, int inl)
|
|||
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
|
||||
clear_socket_error();
|
||||
|
||||
if ( data->connected )
|
||||
ret=writesocket(b->num,in,inl);
|
||||
else
|
||||
if ( data->connected )
|
||||
ret=writesocket(b->num,in,inl);
|
||||
else
|
||||
#if defined(NETWARE_CLIB) && defined(NETWARE_BSDSOCK)
|
||||
ret=sendto(b->num, (char *)in, inl, 0, &data->peer, sizeof(data->peer));
|
||||
ret=sendto(b->num, (char *)in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
||||
#else
|
||||
ret=sendto(b->num, in, inl, 0, &data->peer, sizeof(data->peer));
|
||||
ret=sendto(b->num, in, inl, 0, &data->peer.sa, sizeof(data->peer));
|
||||
#endif
|
||||
|
||||
BIO_clear_retry_flags(b);
|
||||
if (ret <= 0)
|
||||
{
|
||||
if (BIO_sock_should_retry(ret))
|
||||
if (BIO_dgram_should_retry(ret))
|
||||
{
|
||||
BIO_set_retry_write(b);
|
||||
data->_errno = get_last_socket_error();
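Review bot: Both new `sendto` calls pass `sizeof(data->peer)` as the address length, which is now the size of the whole union rather than of the address actually stored. With IPv6 enabled that is the `sockaddr_in6` size even when the peer is AF_INET, and some socket implementations reject an address length that does not match the family. The length should be chosen from `data->peer.sa.sa_family`, the same way the BIO_CTRL_DGRAM_GET_PEER case later in this commit does. dgram_write starts and ends outside this hunk.
```c
	int peerlen = sizeof(data->peer.sa);

	if (data->peer.sa.sa_family == AF_INET)
		peerlen = sizeof(data->peer.sa_in);
#if OPENSSL_USE_IPV6
	else if (data->peer.sa.sa_family == AF_INET6)
		peerlen = sizeof(data->peer.sa_in6);
#endif
	/* ... unchanged: connected branch and the NETWARE #if that selects the (char *) cast ... */
		ret=sendto(b->num, in, inl, 0, &data->peer.sa, peerlen);
```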
|
||||
|
@ -405,7 +425,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
else
|
||||
{
|
||||
#endif
|
||||
memcpy(&(data->peer),to, sizeof(struct sockaddr));
|
||||
switch (to->sa_family)
|
||||
{
|
||||
case AF_INET:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
break;
|
||||
}
|
||||
#if 0
|
||||
}
|
||||
#endif
|
||||
|
@ -429,12 +462,14 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
&sockopt_val, sizeof(sockopt_val))) < 0)
|
||||
perror("setsockopt");
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
sockopt_val = IPV6_PMTUDISC_DO;
|
||||
if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
|
||||
&sockopt_val, sizeof(sockopt_val))) < 0)
|
||||
perror("setsockopt");
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
ret = -1;
|
||||
break;
|
||||
|
@ -470,6 +505,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
ret = data->mtu;
|
||||
}
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
if ((ret = getsockopt(b->num, IPPROTO_IPV6, IPV6_MTU, (void *)&sockopt_val,
|
||||
&sockopt_len)) < 0 || sockopt_val < 0)
|
||||
|
@ -485,6 +521,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
ret = data->mtu;
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
ret = 0;
|
||||
break;
|
||||
|
@ -506,21 +543,65 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
if ( to != NULL)
|
||||
{
|
||||
data->connected = 1;
|
||||
memcpy(&(data->peer),to, sizeof(struct sockaddr));
|
||||
switch (to->sa_family)
|
||||
{
|
||||
case AF_INET:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
break;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
data->connected = 0;
|
||||
memset(&(data->peer), 0x00, sizeof(struct sockaddr));
|
||||
memset(&(data->peer), 0x00, sizeof(data->peer));
|
||||
}
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_GET_PEER:
|
||||
switch (data->peer.sa.sa_family)
|
||||
{
|
||||
case AF_INET:
|
||||
ret=sizeof(data->peer.sa_in);
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
ret=sizeof(data->peer.sa_in6);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
ret=sizeof(data->peer.sa);
|
||||
break;
|
||||
}
|
||||
if (num==0 || num>ret)
|
||||
num=ret;
|
||||
memcpy(ptr,&data->peer,(ret=num));
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_SET_PEER:
|
||||
to = (struct sockaddr *) ptr;
|
||||
switch (to->sa_family)
|
||||
{
|
||||
case AF_INET:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in));
|
||||
break;
|
||||
#if OPENSSL_USE_IPV6
|
||||
case AF_INET6:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa_in6));
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
memcpy(&data->peer,to,sizeof(data->peer.sa));
|
||||
break;
|
||||
}
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_SET_PEER:
|
||||
to = (struct sockaddr *) ptr;
|
||||
|
||||
memcpy(&(data->peer), to, sizeof(struct sockaddr));
|
||||
break;
|
||||
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
|
||||
memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
|
||||
memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));
|
||||
break;
|
||||
#if defined(SO_RCVTIMEO)
|
||||
case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
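Review bot: In the new BIO_CTRL_DGRAM_GET_PEER case, `num == 0` means "copy the full family-sized address" into `ptr`, and the `BIO_dgram_get_peer(b,peer)` macro added in bio.h always passes 0. The handler therefore never learns the size of the caller's buffer, and a caller that supplies a `struct sockaddr` or `struct sockaddr_in` is overrun when the stored peer is AF_INET6. Either the macro should take and forward the buffer size, or the case needs a comment such as `/* num == 0: ptr must have room for the largest member of data->peer */`. The rewritten BIO_CTRL_DGRAM_SET_PEER case also reads `to->sa_family` without the `to != NULL` test used by the case at the top of this hunk. dgram_ctrl starts and ends outside the hunk.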
|
||||
|
@ -684,10 +765,6 @@ int BIO_dgram_non_fatal_error(int err)
|
|||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(ENOTCONN)
|
||||
case ENOTCONN:
|
||||
#endif
|
||||
|
||||
#ifdef EINTR
|
||||
case EINTR:
|
||||
#endif
|
||||
|
@ -710,11 +787,6 @@ int BIO_dgram_non_fatal_error(int err)
|
|||
case EALREADY:
|
||||
#endif
|
||||
|
||||
/* DF bit set, and packet larger than MTU */
|
||||
#ifdef EMSGSIZE
|
||||
case EMSGSIZE:
|
||||
#endif
|
||||
|
||||
return(1);
|
||||
/* break; */
|
||||
default:
|
||||
|
|
|
@ -1032,15 +1032,15 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
|
|||
goto err;
|
||||
if (al > j || bl > j)
|
||||
{
|
||||
bn_wexpand(t,k*4);
|
||||
bn_wexpand(rr,k*4);
|
||||
if (bn_wexpand(t,k*4) == NULL) goto err;
|
||||
if (bn_wexpand(rr,k*4) == NULL) goto err;
|
||||
bn_mul_part_recursive(rr->d,a->d,b->d,
|
||||
j,al-j,bl-j,t->d);
|
||||
}
|
||||
else /* al <= j || bl <= j */
|
||||
{
|
||||
bn_wexpand(t,k*2);
|
||||
bn_wexpand(rr,k*2);
|
||||
if (bn_wexpand(t,k*2) == NULL) goto err;
|
||||
if (bn_wexpand(rr,k*2) == NULL) goto err;
|
||||
bn_mul_recursive(rr->d,a->d,b->d,
|
||||
j,al-j,bl-j,t->d);
|
||||
}
|
||||
|
|
|
@ -1029,7 +1029,7 @@ int test_exp(BIO *bp, BN_CTX *ctx)
|
|||
BN_bntest_rand(a,20+i*5,0,0); /**/
|
||||
BN_bntest_rand(b,2+i,0,0); /**/
|
||||
|
||||
if (!BN_exp(d,a,b,ctx))
|
||||
if (BN_exp(d,a,b,ctx) <= 0)
|
||||
return(0);
|
||||
|
||||
if (bp != NULL)
|
||||
|
|
|
@ -656,7 +656,7 @@ Camellia_cbc_encrypt:
|
|||
mov %rsi,$out # out argument
|
||||
mov %r8,%rbx # ivp argument
|
||||
mov %rcx,$key # key argument
|
||||
mov 272(%rcx),$keyend # grandRounds
|
||||
mov 272(%rcx),${keyend}d # grandRounds
|
||||
|
||||
mov %r8,$_ivp
|
||||
mov %rbp,$_rsp
|
||||
|
|
|
@ -65,7 +65,7 @@
|
|||
*/
|
||||
|
||||
void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
|
||||
long length, CAST_KEY *schedule, unsigned char *ivec,
|
||||
long length, const CAST_KEY *schedule, unsigned char *ivec,
|
||||
int *num, int enc)
|
||||
{
|
||||
register CAST_LONG v0,v1,t;
|
||||
|
@ -119,4 +119,3 @@ void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
|
|||
v0=v1=ti[0]=ti[1]=t=c=cc=0;
|
||||
*num=n;
|
||||
}
|
||||
|
||||
|
|
|
@ -63,7 +63,7 @@
|
|||
const char CAST_version[]="CAST" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
|
||||
CAST_KEY *ks, int enc)
|
||||
const CAST_KEY *ks, int enc)
|
||||
{
|
||||
CAST_LONG l,d[2];
|
||||
|
||||
|
@ -77,4 +77,3 @@ void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
|
|||
l=d[1]; l2n(l,out);
|
||||
l=d[0]=d[1]=0;
|
||||
}
|
||||
|
||||
|
|
|
@ -59,9 +59,10 @@
|
|||
#include <openssl/cast.h>
|
||||
#include "cast_lcl.h"
|
||||
|
||||
void CAST_encrypt(CAST_LONG *data, CAST_KEY *key)
|
||||
void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key)
|
||||
{
|
||||
register CAST_LONG l,r,*k,t;
|
||||
register CAST_LONG l,r,t;
|
||||
const register CAST_LONG *k;
|
||||
|
||||
k= &(key->data[0]);
|
||||
l=data[0];
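Review bot: `const register CAST_LONG *k;` places the storage-class specifier after the type qualifier, a placement the C standard marks as obsolescent and that GCC reports under `-Wold-style-declaration`. Write it as `register const CAST_LONG *k;` here and in CAST_decrypt in the next hunk. The bodies of both functions continue outside their hunks.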
|
||||
|
@ -91,9 +92,10 @@ void CAST_encrypt(CAST_LONG *data, CAST_KEY *key)
|
|||
data[0]=r&0xffffffffL;
|
||||
}
|
||||
|
||||
void CAST_decrypt(CAST_LONG *data, CAST_KEY *key)
|
||||
void CAST_decrypt(CAST_LONG *data, const CAST_KEY *key)
|
||||
{
|
||||
register CAST_LONG l,r,*k,t;
|
||||
register CAST_LONG l,r,t;
|
||||
const register CAST_LONG *k;
|
||||
|
||||
k= &(key->data[0]);
|
||||
l=data[0];
|
||||
|
@ -124,7 +126,7 @@ void CAST_decrypt(CAST_LONG *data, CAST_KEY *key)
|
|||
}
|
||||
|
||||
void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
|
||||
CAST_KEY *ks, unsigned char *iv, int enc)
|
||||
const CAST_KEY *ks, unsigned char *iv, int enc)
|
||||
{
|
||||
register CAST_LONG tin0,tin1;
|
||||
register CAST_LONG tout0,tout1,xor0,xor1;
|
||||
|
@ -204,4 +206,3 @@ void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
|
|||
tin0=tin1=tout0=tout1=xor0=xor1=0;
|
||||
tin[0]=tin[1]=0;
|
||||
}
|
||||
|
||||
|
|
|
@ -64,7 +64,7 @@
|
|||
* 64bit block we have used is contained in *num;
|
||||
*/
|
||||
void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
|
||||
long length, CAST_KEY *schedule, unsigned char *ivec,
|
||||
long length, const CAST_KEY *schedule, unsigned char *ivec,
|
||||
int *num)
|
||||
{
|
||||
register CAST_LONG v0,v1,t;
|
||||
|
@ -108,4 +108,3 @@ void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
|
|||
t=v0=v1=ti[0]=ti[1]=0;
|
||||
*num=n;
|
||||
}
|
||||
|
||||
|
|
|
@ -18,9 +18,11 @@ APPS=
|
|||
|
||||
LIB=$(TOP)/libcrypto.a
|
||||
LIBSRC= cms_lib.c cms_asn1.c cms_att.c cms_io.c cms_smime.c cms_err.c \
|
||||
cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c
|
||||
cms_sd.c cms_dd.c cms_cd.c cms_env.c cms_enc.c cms_ess.c \
|
||||
cms_pwri.c
|
||||
LIBOBJ= cms_lib.o cms_asn1.o cms_att.o cms_io.o cms_smime.o cms_err.o \
|
||||
cms_sd.o cms_dd.o cms_cd.o cms_env.o cms_enc.o cms_ess.o
|
||||
cms_sd.o cms_dd.o cms_cd.o cms_env.o cms_enc.o cms_ess.o \
|
||||
cms_pwri.o
|
||||
|
||||
SRC= $(LIBSRC)
|
||||
|
||||
|
|
|
@ -184,6 +184,8 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
|
|||
int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
|
||||
unsigned char *key, size_t keylen,
|
||||
unsigned char *id, size_t idlen);
|
||||
int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
|
||||
unsigned char *pass, ssize_t passlen);
|
||||
|
||||
STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
|
||||
int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
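Review bot: The new prototype `CMS_decrypt_set1_password(..., ssize_t passlen)` puts a POSIX-only type into a public header, and ISO C does not define `ssize_t`. The header will therefore not compile on toolchains that lack it unless something included earlier provides it. The same applies to `CMS_RecipientInfo_set0_password` and `CMS_add0_recipient_password` in the next hunk. Since a negative length is only used as a "call strlen" flag (see `if (pass && passlen < 0)` in cms_pwri.c), either a project-level signed-size typedef or a plain `int passlen` would avoid the dependency.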
|
||||
|
@ -219,6 +221,14 @@ int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri,
|
|||
int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri,
|
||||
const unsigned char *id, size_t idlen);
|
||||
|
||||
int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri,
|
||||
unsigned char *pass, ssize_t passlen);
|
||||
|
||||
CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
|
||||
int iter, int wrap_nid, int pbe_nid,
|
||||
unsigned char *pass, ssize_t passlen,
|
||||
const EVP_CIPHER *kekciph);
|
||||
|
||||
int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
|
||||
|
||||
int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
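Review bot: `CMS_RecipientInfo_set0_password` is declared with no comment on who owns `pass`, and the ownership rule is easy to get wrong. The function stores the pointer as given (`pwri->pass = pass;` in cms_pwri.c), and the cms_ri_cb change in cms_asn1.c later runs `OPENSSL_cleanse` and `OPENSSL_free` on it. A string literal, stack buffer or still-referenced caller buffer would therefore be freed or scribbled on. I would add above the prototype: `/* pass is not copied: it must be allocated with OPENSSL_malloc() and is cleansed and freed together with the RecipientInfo */`. `CMS_add0_recipient_password` presumably follows the same rule, but its body is not fully visible here, so confirm before documenting it the same way.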
|
||||
|
@ -330,6 +340,7 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_F_CHECK_CONTENT 99
|
||||
#define CMS_F_CMS_ADD0_CERT 164
|
||||
#define CMS_F_CMS_ADD0_RECIPIENT_KEY 100
|
||||
#define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165
|
||||
#define CMS_F_CMS_ADD1_RECEIPTREQUEST 158
|
||||
#define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
|
||||
#define CMS_F_CMS_ADD1_SIGNER 102
|
||||
|
@ -344,6 +355,7 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_F_CMS_DATAINIT 111
|
||||
#define CMS_F_CMS_DECRYPT 112
|
||||
#define CMS_F_CMS_DECRYPT_SET1_KEY 113
|
||||
#define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166
|
||||
#define CMS_F_CMS_DECRYPT_SET1_PKEY 114
|
||||
#define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115
|
||||
#define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116
|
||||
|
@ -378,7 +390,9 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT 141
|
||||
#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS 142
|
||||
#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID 143
|
||||
#define CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT 167
|
||||
#define CMS_F_CMS_RECIPIENTINFO_SET0_KEY 144
|
||||
#define CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD 168
|
||||
#define CMS_F_CMS_RECIPIENTINFO_SET0_PKEY 145
|
||||
#define CMS_F_CMS_SET1_SIGNERIDENTIFIER 146
|
||||
#define CMS_F_CMS_SET_DETACHED 147
|
||||
|
@ -419,6 +433,7 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_R_ERROR_SETTING_KEY 115
|
||||
#define CMS_R_ERROR_SETTING_RECIPIENTINFO 116
|
||||
#define CMS_R_INVALID_ENCRYPTED_KEY_LENGTH 117
|
||||
#define CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER 176
|
||||
#define CMS_R_INVALID_KEY_LENGTH 118
|
||||
#define CMS_R_MD_BIO_INIT_ERROR 119
|
||||
#define CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH 120
|
||||
|
@ -431,6 +446,7 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_R_NOT_ENCRYPTED_DATA 122
|
||||
#define CMS_R_NOT_KEK 123
|
||||
#define CMS_R_NOT_KEY_TRANSPORT 124
|
||||
#define CMS_R_NOT_PWRI 177
|
||||
#define CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE 125
|
||||
#define CMS_R_NO_CIPHER 126
|
||||
#define CMS_R_NO_CONTENT 127
|
||||
|
@ -443,6 +459,7 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_R_NO_MATCHING_RECIPIENT 132
|
||||
#define CMS_R_NO_MATCHING_SIGNATURE 166
|
||||
#define CMS_R_NO_MSGSIGDIGEST 167
|
||||
#define CMS_R_NO_PASSWORD 178
|
||||
#define CMS_R_NO_PRIVATE_KEY 133
|
||||
#define CMS_R_NO_PUBLIC_KEY 134
|
||||
#define CMS_R_NO_RECEIPT_REQUEST 168
|
||||
|
@ -466,10 +483,12 @@ void ERR_load_CMS_strings(void);
|
|||
#define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151
|
||||
#define CMS_R_UNSUPPORTED_CONTENT_TYPE 152
|
||||
#define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153
|
||||
#define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM 179
|
||||
#define CMS_R_UNSUPPORTED_RECIPIENT_TYPE 154
|
||||
#define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE 155
|
||||
#define CMS_R_UNSUPPORTED_TYPE 156
|
||||
#define CMS_R_UNWRAP_ERROR 157
|
||||
#define CMS_R_UNWRAP_FAILURE 180
|
||||
#define CMS_R_VERIFICATION_FAILURE 158
|
||||
#define CMS_R_WRAP_ERROR 159
|
||||
|
||||
|
|
|
@ -237,6 +237,15 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
|
|||
OPENSSL_free(kekri->key);
|
||||
}
|
||||
}
|
||||
else if (ri->type == CMS_RECIPINFO_PASS)
|
||||
{
|
||||
CMS_PasswordRecipientInfo *pwri = ri->d.pwri;
|
||||
if (pwri->pass)
|
||||
{
|
||||
OPENSSL_cleanse(pwri->pass, pwri->passlen);
|
||||
OPENSSL_free(pwri->pass);
|
||||
}
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -65,14 +65,13 @@
|
|||
/* CMS EnvelopedData Utilities */
|
||||
|
||||
DECLARE_ASN1_ITEM(CMS_EnvelopedData)
|
||||
DECLARE_ASN1_ITEM(CMS_RecipientInfo)
|
||||
DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
|
||||
DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
|
||||
DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
|
||||
|
||||
DECLARE_STACK_OF(CMS_RecipientInfo)
|
||||
|
||||
static CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
|
||||
CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms)
|
||||
{
|
||||
if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped)
|
||||
{
|
||||
|
@ -786,6 +785,9 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
|
|||
case CMS_RECIPINFO_KEK:
|
||||
return cms_RecipientInfo_kekri_decrypt(cms, ri);
|
||||
|
||||
case CMS_RECIPINFO_PASS:
|
||||
return cms_RecipientInfo_pwri_crypt(cms, ri, 0);
|
||||
|
||||
default:
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT,
|
||||
CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE);
|
||||
|
@ -829,6 +831,10 @@ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms)
|
|||
r = cms_RecipientInfo_kekri_encrypt(cms, ri);
|
||||
break;
|
||||
|
||||
case CMS_RECIPINFO_PASS:
|
||||
r = cms_RecipientInfo_pwri_crypt(cms, ri, 1);
|
||||
break;
|
||||
|
||||
default:
|
||||
CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO,
|
||||
CMS_R_UNSUPPORTED_RECIPIENT_TYPE);
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* crypto/cms/cms_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -73,6 +73,7 @@ static ERR_STRING_DATA CMS_str_functs[]=
|
|||
{ERR_FUNC(CMS_F_CHECK_CONTENT), "CHECK_CONTENT"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD0_CERT), "CMS_add0_cert"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD0_RECIPIENT_KEY), "CMS_add0_recipient_key"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD), "CMS_add0_recipient_password"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD1_RECEIPTREQUEST), "CMS_add1_ReceiptRequest"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD1_RECIPIENT_CERT), "CMS_add1_recipient_cert"},
|
||||
{ERR_FUNC(CMS_F_CMS_ADD1_SIGNER), "CMS_add1_signer"},
|
||||
|
@ -87,6 +88,7 @@ static ERR_STRING_DATA CMS_str_functs[]=
|
|||
{ERR_FUNC(CMS_F_CMS_DATAINIT), "CMS_dataInit"},
|
||||
{ERR_FUNC(CMS_F_CMS_DECRYPT), "CMS_decrypt"},
|
||||
{ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_KEY), "CMS_decrypt_set1_key"},
|
||||
{ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_PASSWORD), "CMS_decrypt_set1_password"},
|
||||
{ERR_FUNC(CMS_F_CMS_DECRYPT_SET1_PKEY), "CMS_decrypt_set1_pkey"},
|
||||
{ERR_FUNC(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX), "cms_DigestAlgorithm_find_ctx"},
|
||||
{ERR_FUNC(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO), "cms_DigestAlgorithm_init_bio"},
|
||||
|
@ -105,7 +107,7 @@ static ERR_STRING_DATA CMS_str_functs[]=
|
|||
{ERR_FUNC(CMS_F_CMS_GET0_CERTIFICATE_CHOICES), "CMS_GET0_CERTIFICATE_CHOICES"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_CONTENT), "CMS_get0_content"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_ECONTENT_TYPE), "CMS_GET0_ECONTENT_TYPE"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_ENVELOPED), "CMS_GET0_ENVELOPED"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_ENVELOPED), "cms_get0_enveloped"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_REVOCATION_CHOICES), "CMS_GET0_REVOCATION_CHOICES"},
|
||||
{ERR_FUNC(CMS_F_CMS_GET0_SIGNED), "CMS_GET0_SIGNED"},
|
||||
{ERR_FUNC(CMS_F_CMS_MSGSIGDIGEST_ADD1), "cms_msgSigDigest_add1"},
|
||||
|
@ -121,7 +123,9 @@ static ERR_STRING_DATA CMS_str_functs[]=
|
|||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT), "CMS_RECIPIENTINFO_KTRI_ENCRYPT"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS), "CMS_RecipientInfo_ktri_get0_algs"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID), "CMS_RecipientInfo_ktri_get0_signer_id"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT), "cms_RecipientInfo_pwri_crypt"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_KEY), "CMS_RecipientInfo_set0_key"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD), "CMS_RecipientInfo_set0_password"},
|
||||
{ERR_FUNC(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY), "CMS_RecipientInfo_set0_pkey"},
|
||||
{ERR_FUNC(CMS_F_CMS_SET1_SIGNERIDENTIFIER), "cms_set1_SignerIdentifier"},
|
||||
{ERR_FUNC(CMS_F_CMS_SET_DETACHED), "CMS_set_detached"},
|
||||
|
@ -165,6 +169,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
|
|||
{ERR_REASON(CMS_R_ERROR_SETTING_KEY) ,"error setting key"},
|
||||
{ERR_REASON(CMS_R_ERROR_SETTING_RECIPIENTINFO),"error setting recipientinfo"},
|
||||
{ERR_REASON(CMS_R_INVALID_ENCRYPTED_KEY_LENGTH),"invalid encrypted key length"},
|
||||
{ERR_REASON(CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER),"invalid key encryption parameter"},
|
||||
{ERR_REASON(CMS_R_INVALID_KEY_LENGTH) ,"invalid key length"},
|
||||
{ERR_REASON(CMS_R_MD_BIO_INIT_ERROR) ,"md bio init error"},
|
||||
{ERR_REASON(CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH),"messagedigest attribute wrong length"},
|
||||
|
@ -177,6 +182,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
|
|||
{ERR_REASON(CMS_R_NOT_ENCRYPTED_DATA) ,"not encrypted data"},
|
||||
{ERR_REASON(CMS_R_NOT_KEK) ,"not kek"},
|
||||
{ERR_REASON(CMS_R_NOT_KEY_TRANSPORT) ,"not key transport"},
|
||||
{ERR_REASON(CMS_R_NOT_PWRI) ,"not pwri"},
|
||||
{ERR_REASON(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE),"not supported for this key type"},
|
||||
{ERR_REASON(CMS_R_NO_CIPHER) ,"no cipher"},
|
||||
{ERR_REASON(CMS_R_NO_CONTENT) ,"no content"},
|
||||
|
@ -189,6 +195,7 @@ static ERR_STRING_DATA CMS_str_reasons[]=
|
|||
{ERR_REASON(CMS_R_NO_MATCHING_RECIPIENT) ,"no matching recipient"},
|
||||
{ERR_REASON(CMS_R_NO_MATCHING_SIGNATURE) ,"no matching signature"},
|
||||
{ERR_REASON(CMS_R_NO_MSGSIGDIGEST) ,"no msgsigdigest"},
|
||||
{ERR_REASON(CMS_R_NO_PASSWORD) ,"no password"},
|
||||
{ERR_REASON(CMS_R_NO_PRIVATE_KEY) ,"no private key"},
|
||||
{ERR_REASON(CMS_R_NO_PUBLIC_KEY) ,"no public key"},
|
||||
{ERR_REASON(CMS_R_NO_RECEIPT_REQUEST) ,"no receipt request"},
|
||||
|
@ -212,10 +219,12 @@ static ERR_STRING_DATA CMS_str_reasons[]=
|
|||
{ERR_REASON(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_CONTENT_TYPE),"unsupported content type"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_KEK_ALGORITHM),"unsupported kek algorithm"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM),"unsupported key encryption algorithm"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_RECIPIENT_TYPE),"unsupported recipient type"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE),"unsupported recpientinfo type"},
|
||||
{ERR_REASON(CMS_R_UNSUPPORTED_TYPE) ,"unsupported type"},
|
||||
{ERR_REASON(CMS_R_UNWRAP_ERROR) ,"unwrap error"},
|
||||
{ERR_REASON(CMS_R_UNWRAP_FAILURE) ,"unwrap failure"},
|
||||
{ERR_REASON(CMS_R_VERIFICATION_FAILURE) ,"verification failure"},
|
||||
{ERR_REASON(CMS_R_WRAP_ERROR) ,"wrap error"},
|
||||
{0,NULL}
|
||||
|
|
|
@ -344,7 +344,7 @@ int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
|
|||
|
||||
/* Get original receipt request details */
|
||||
|
||||
if (!CMS_get1_ReceiptRequest(osi, &rr))
|
||||
if (CMS_get1_ReceiptRequest(osi, &rr) <= 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_RECEIPT_REQUEST);
|
||||
goto err;
|
||||
|
@ -385,7 +385,7 @@ ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si)
|
|||
|
||||
/* Get original receipt request details */
|
||||
|
||||
if (!CMS_get1_ReceiptRequest(si, &rr))
|
||||
if (CMS_get1_ReceiptRequest(si, &rr) <= 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_RECEIPT_REQUEST);
|
||||
goto err;
|
||||
|
|
|
@ -273,6 +273,9 @@ struct CMS_PasswordRecipientInfo_st
|
|||
X509_ALGOR *keyDerivationAlgorithm;
|
||||
X509_ALGOR *keyEncryptionAlgorithm;
|
||||
ASN1_OCTET_STRING *encryptedKey;
|
||||
/* Extra info: password to use */
|
||||
unsigned char *pass;
|
||||
size_t passlen;
|
||||
};
|
||||
|
||||
struct CMS_OtherRecipientInfo_st
|
||||
|
@ -411,6 +414,8 @@ DECLARE_ASN1_ITEM(CMS_SignerInfo)
|
|||
DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
|
||||
DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
|
||||
DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
|
||||
DECLARE_ASN1_ITEM(CMS_RecipientInfo)
|
||||
DECLARE_ASN1_ITEM(CMS_PasswordRecipientInfo)
|
||||
DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber)
|
||||
|
||||
#define CMS_SIGNERINFO_ISSUER_SERIAL 0
|
||||
|
@ -454,6 +459,11 @@ int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
|
|||
ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
|
||||
|
||||
BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
|
||||
CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
|
||||
|
||||
/* PWRI routines */
|
||||
int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
|
||||
int en_de);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
@ -407,10 +407,7 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
|
|||
}
|
||||
BIO_get_md_ctx(chain, &mtmp);
|
||||
if (EVP_MD_CTX_type(mtmp) == nid)
|
||||
{
|
||||
EVP_MD_CTX_copy_ex(mctx, mtmp);
|
||||
return 1;
|
||||
}
|
||||
return EVP_MD_CTX_copy_ex(mctx, mtmp);
|
||||
chain = BIO_next(chain);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,453 @@
|
|||
/* crypto/cms/cms_pwri.c */
|
||||
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
||||
* project.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2009 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* licensing@OpenSSL.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*/
|
||||
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/asn1t.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cms.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/aes.h>
|
||||
#include "cms_lcl.h"
|
||||
#include "asn1_locl.h"
|
||||
|
||||
int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri,
|
||||
unsigned char *pass, ssize_t passlen)
|
||||
{
|
||||
CMS_PasswordRecipientInfo *pwri;
|
||||
if (ri->type != CMS_RECIPINFO_PASS)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD, CMS_R_NOT_PWRI);
|
||||
return 0;
|
||||
}
|
||||
|
||||
pwri = ri->d.pwri;
|
||||
pwri->pass = pass;
|
||||
if (pass && passlen < 0)
|
||||
passlen = strlen((char *)pass);
|
||||
pwri->passlen = passlen;
|
||||
return 1;
|
||||
}
|
||||
|
||||
CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms,
|
||||
int iter, int wrap_nid, int pbe_nid,
|
||||
unsigned char *pass, ssize_t passlen,
|
||||
const EVP_CIPHER *kekciph)
|
||||
{
|
||||
CMS_RecipientInfo *ri = NULL;
|
||||
CMS_EnvelopedData *env;
|
||||
CMS_PasswordRecipientInfo *pwri;
|
||||
EVP_CIPHER_CTX ctx;
|
||||
X509_ALGOR *encalg = NULL;
|
||||
unsigned char iv[EVP_MAX_IV_LENGTH];
|
||||
int ivlen;
|
||||
env = cms_get0_enveloped(cms);
|
||||
if (!env)
|
||||
goto err;
|
||||
|
||||
if (wrap_nid <= 0)
|
||||
wrap_nid = NID_id_alg_PWRI_KEK;
|
||||
|
||||
if (pbe_nid <= 0)
|
||||
pbe_nid = NID_id_pbkdf2;
|
||||
|
||||
/* Get from enveloped data */
|
||||
if (kekciph == NULL)
|
||||
kekciph = env->encryptedContentInfo->cipher;
|
||||
|
||||
if (kekciph == NULL)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, CMS_R_NO_CIPHER);
|
||||
return NULL;
|
||||
}
|
||||
if (wrap_nid != NID_id_alg_PWRI_KEK)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
|
||||
CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Setup algorithm identifier for cipher */
|
||||
encalg = X509_ALGOR_new();
|
||||
EVP_CIPHER_CTX_init(&ctx);
|
||||
|
||||
if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
|
||||
|
||||
if (ivlen > 0)
|
||||
{
|
||||
if (RAND_pseudo_bytes(iv, ivlen) <= 0)
|
||||
goto err;
|
||||
if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
|
||||
ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
encalg->parameter = ASN1_TYPE_new();
|
||||
if (!encalg->parameter)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (EVP_CIPHER_param_to_asn1(&ctx, encalg->parameter) <= 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
|
||||
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(&ctx));
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
|
||||
/* Initialize recipient info */
|
||||
ri = M_ASN1_new_of(CMS_RecipientInfo);
|
||||
if (!ri)
|
||||
goto merr;
|
||||
|
||||
ri->d.pwri = M_ASN1_new_of(CMS_PasswordRecipientInfo);
|
||||
if (!ri->d.pwri)
|
||||
goto merr;
|
||||
ri->type = CMS_RECIPINFO_PASS;
|
||||
|
||||
pwri = ri->d.pwri;
|
||||
/* Since this is overwritten, free up empty structure already there */
|
||||
X509_ALGOR_free(pwri->keyEncryptionAlgorithm);
|
||||
pwri->keyEncryptionAlgorithm = X509_ALGOR_new();
|
||||
if (!pwri->keyEncryptionAlgorithm)
|
||||
goto merr;
|
||||
pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid);
|
||||
pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new();
|
||||
if (!pwri->keyEncryptionAlgorithm->parameter)
|
||||
goto merr;
|
||||
|
||||
if(!ASN1_item_pack(encalg, ASN1_ITEM_rptr(X509_ALGOR),
|
||||
&pwri->keyEncryptionAlgorithm->parameter->value.sequence))
|
||||
goto merr;
|
||||
pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE;
|
||||
|
||||
X509_ALGOR_free(encalg);
|
||||
encalg = NULL;
|
||||
|
||||
/* Setup PBE algorithm */
|
||||
|
||||
pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1);
|
||||
|
||||
if (!pwri->keyDerivationAlgorithm)
|
||||
goto err;
|
||||
|
||||
CMS_RecipientInfo_set0_password(ri, pass, passlen);
|
||||
pwri->version = 0;
|
||||
|
||||
if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri))
|
||||
goto merr;
|
||||
|
||||
return ri;
|
||||
|
||||
merr:
|
||||
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_MALLOC_FAILURE);
|
||||
err:
|
||||
EVP_CIPHER_CTX_cleanup(&ctx);
|
||||
if (ri)
|
||||
M_ASN1_free_of(ri, CMS_RecipientInfo);
|
||||
if (encalg)
|
||||
X509_ALGOR_free(encalg);
|
||||
return NULL;
|
||||
|
||||
}
|
||||
|
||||
/* This is an implementation of the key wrapping mechanism in RFC3211,
|
||||
* at some point this should go into EVP.
|
||||
*/
|
||||
|
||||
static int kek_unwrap_key(unsigned char *out, size_t *outlen,
|
||||
const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx)
|
||||
{
|
||||
size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
|
||||
unsigned char *tmp;
|
||||
int outl, rv = 0;
|
||||
if (inlen < 2 * blocklen)
|
||||
{
|
||||
/* too small */
|
||||
return 0;
|
||||
}
|
||||
if (inlen % blocklen)
|
||||
{
|
||||
/* Invalid size */
|
||||
return 0;
|
||||
}
|
||||
tmp = OPENSSL_malloc(inlen);
|
||||
/* setup IV by decrypting last two blocks */
|
||||
EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl,
|
||||
in + inlen - 2 * blocklen, blocklen * 2);
|
||||
/* Do a decrypt of last decrypted block to set IV to correct value
|
||||
* output it to start of buffer so we don't corrupt decrypted block
|
||||
* this works because buffer is at least two block lengths long.
|
||||
*/
|
||||
EVP_DecryptUpdate(ctx, tmp, &outl,
|
||||
tmp + inlen - blocklen, blocklen);
|
||||
/* Can now decrypt first n - 1 blocks */
|
||||
EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen);
|
||||
|
||||
/* Reset IV to original value */
|
||||
EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL);
|
||||
/* Decrypt again */
|
||||
EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen);
|
||||
/* Check check bytes */
|
||||
if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff)
|
||||
{
|
||||
/* Check byte failure */
|
||||
goto err;
|
||||
}
|
||||
if (inlen < (size_t)(tmp[0] - 4 ))
|
||||
{
|
||||
/* Invalid length value */
|
||||
goto err;
|
||||
}
|
||||
*outlen = (size_t)tmp[0];
|
||||
memcpy(out, tmp + 4, *outlen);
|
||||
rv = 1;
|
||||
err:
|
||||
OPENSSL_cleanse(tmp, inlen);
|
||||
OPENSSL_free(tmp);
|
||||
return rv;
|
||||
|
||||
}
|
||||
|
||||
static int kek_wrap_key(unsigned char *out, size_t *outlen,
|
||||
const unsigned char *in, size_t inlen, EVP_CIPHER_CTX *ctx)
|
||||
{
|
||||
size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
|
||||
size_t olen;
|
||||
int dummy;
|
||||
/* First decide length of output buffer: need header and round up to
|
||||
* multiple of block length.
|
||||
*/
|
||||
olen = (inlen + 4 + blocklen - 1)/blocklen;
|
||||
olen *= blocklen;
|
||||
if (olen < 2 * blocklen)
|
||||
{
|
||||
/* Key too small */
|
||||
return 0;
|
||||
}
|
||||
if (inlen > 0xFF)
|
||||
{
|
||||
/* Key too large */
|
||||
return 0;
|
||||
}
|
||||
if (out)
|
||||
{
|
||||
/* Set header */
|
||||
out[0] = (unsigned char)inlen;
|
||||
out[1] = in[0] ^ 0xFF;
|
||||
out[2] = in[1] ^ 0xFF;
|
||||
out[3] = in[2] ^ 0xFF;
|
||||
memcpy(out + 4, in, inlen);
|
||||
/* Add random padding to end */
|
||||
if (olen > inlen + 4)
|
||||
RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
|
||||
/* Encrypt twice */
|
||||
EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
|
||||
EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
|
||||
}
|
||||
|
||||
*outlen = olen;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Encrypt/Decrypt content key in PWRI recipient info */
|
||||
|
||||
int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
|
||||
int en_de)
|
||||
{
|
||||
CMS_EncryptedContentInfo *ec;
|
||||
CMS_PasswordRecipientInfo *pwri;
|
||||
const unsigned char *p = NULL;
|
||||
int plen;
|
||||
int r = 0;
|
||||
X509_ALGOR *algtmp, *kekalg = NULL;
|
||||
EVP_CIPHER_CTX kekctx;
|
||||
const EVP_CIPHER *kekcipher;
|
||||
unsigned char *key = NULL;
|
||||
size_t keylen;
|
||||
|
||||
ec = cms->d.envelopedData->encryptedContentInfo;
|
||||
|
||||
pwri = ri->d.pwri;
|
||||
EVP_CIPHER_CTX_init(&kekctx);
|
||||
|
||||
if (!pwri->pass)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_NO_PASSWORD);
|
||||
return 0;
|
||||
}
|
||||
algtmp = pwri->keyEncryptionAlgorithm;
|
||||
|
||||
if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (algtmp->parameter->type == V_ASN1_SEQUENCE)
|
||||
{
|
||||
p = algtmp->parameter->value.sequence->data;
|
||||
plen = algtmp->parameter->value.sequence->length;
|
||||
kekalg = d2i_X509_ALGOR(NULL, &p, plen);
|
||||
}
|
||||
if (kekalg == NULL)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
|
||||
|
||||
if(!kekcipher)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
CMS_R_UNKNOWN_CIPHER);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Fixup cipher based on AlgorithmIdentifier to set IV etc */
|
||||
if (!EVP_CipherInit_ex(&kekctx, kekcipher, NULL, NULL, NULL, en_de))
|
||||
goto err;
|
||||
EVP_CIPHER_CTX_set_padding(&kekctx, 0);
|
||||
if(EVP_CIPHER_asn1_to_param(&kekctx, kekalg->parameter) < 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
|
||||
algtmp = pwri->keyDerivationAlgorithm;
|
||||
|
||||
/* Finish password based key derivation to setup key in "ctx" */
|
||||
|
||||
if (EVP_PBE_CipherInit(algtmp->algorithm,
|
||||
(char *)pwri->pass, pwri->passlen,
|
||||
algtmp->parameter, &kekctx, en_de) < 0)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_EVP_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Finally wrap/unwrap the key */
|
||||
|
||||
if (en_de)
|
||||
{
|
||||
|
||||
if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, &kekctx))
|
||||
goto err;
|
||||
|
||||
key = OPENSSL_malloc(keylen);
|
||||
|
||||
if (!key)
|
||||
goto err;
|
||||
|
||||
if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, &kekctx))
|
||||
goto err;
|
||||
pwri->encryptedKey->data = key;
|
||||
pwri->encryptedKey->length = keylen;
|
||||
}
|
||||
else
|
||||
{
|
||||
key = OPENSSL_malloc(pwri->encryptedKey->length);
|
||||
|
||||
if (!key)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (!kek_unwrap_key(key, &keylen,
|
||||
pwri->encryptedKey->data,
|
||||
pwri->encryptedKey->length, &kekctx))
|
||||
{
|
||||
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT,
|
||||
CMS_R_UNWRAP_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
ec->key = key;
|
||||
ec->keylen = keylen;
|
||||
|
||||
}
|
||||
|
||||
r = 1;
|
||||
|
||||
err:
|
||||
|
||||
EVP_CIPHER_CTX_cleanup(&kekctx);
|
||||
|
||||
if (!r && key)
|
||||
OPENSSL_free(key);
|
||||
X509_ALGOR_free(kekalg);
|
||||
|
||||
return r;
|
||||
|
||||
}
|
|
@ -641,7 +641,8 @@ static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
|
|||
cms->d.signedData->encapContentInfo->eContentType;
|
||||
unsigned char md[EVP_MAX_MD_SIZE];
|
||||
unsigned int mdlen;
|
||||
EVP_DigestFinal_ex(&mctx, md, &mdlen);
|
||||
if (!EVP_DigestFinal_ex(&mctx, md, &mdlen))
|
||||
goto err;
|
||||
if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
|
||||
V_ASN1_OCTET_STRING,
|
||||
md, mdlen))
|
||||
|
@ -799,7 +800,7 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si)
|
|||
}
|
||||
r = EVP_DigestVerifyFinal(&mctx,
|
||||
si->signature->data, si->signature->length);
|
||||
if (!r)
|
||||
if (r <= 0)
|
||||
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE);
|
||||
err:
|
||||
EVP_MD_CTX_cleanup(&mctx);
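Review bot: The return contract of CMS_SignerInfo_verify is not documented next to the changed `if (r <= 0)` test, and the change shows why it matters: EVP_DigestVerifyFinal can evidently report a negative value. If `r` is handed back unchanged (the return statement lies outside the hunk), a caller writing `if (CMS_SignerInfo_verify(si))` would treat an errored verification as a good signature. I would add a header comment such as `/* Returns 1 if the signature verifies, 0 if it does not, <0 on error; callers must test for > 0 */`, or clamp the result before returning. The function starts and ends outside this hunk.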
|
||||
|
|
|
@ -680,6 +680,30 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
|
|||
return 0;
|
||||
|
||||
}
|
||||
|
||||
int CMS_decrypt_set1_password(CMS_ContentInfo *cms,
|
||||
unsigned char *pass, ssize_t passlen)
|
||||
{
|
||||
STACK_OF(CMS_RecipientInfo) *ris;
|
||||
CMS_RecipientInfo *ri;
|
||||
int i, r;
|
||||
ris = CMS_get0_RecipientInfos(cms);
|
||||
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
|
||||
{
|
||||
ri = sk_CMS_RecipientInfo_value(ris, i);
|
||||
if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS)
|
||||
continue;
|
||||
CMS_RecipientInfo_set0_password(ri, pass, passlen);
|
||||
r = CMS_RecipientInfo_decrypt(cms, ri);
|
||||
CMS_RecipientInfo_set0_password(ri, NULL, 0);
|
||||
if (r > 0)
|
||||
return 1;
|
||||
}
|
||||
|
||||
CMSerr(CMS_F_CMS_DECRYPT_SET1_PASSWORD, CMS_R_NO_MATCHING_RECIPIENT);
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
|
||||
BIO *dcont, BIO *out,
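Review bot: In CMS_decrypt_set1_password a password recipient that fails to unwrap presumably leaves its error on the queue (the password-recipient code raises CMS_R_UNWRAP_FAILURE), and the loop then returns 1 for a later recipient without clearing it. A successful call can therefore still show errors to a caller that inspects the queue afterwards; `ERR_clear_error();` before `return 1;` would avoid that. The closing CMS_R_NO_MATCHING_RECIPIENT is also raised both when no password recipient exists and when every one rejected the password, which deserves a sentence in a header comment together with the fact that `pass` is only borrowed for the duration of the call. CMS_decrypt, which follows, continues outside the hunk.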
|
||||
|
|
|
@ -860,7 +860,7 @@ void OPENSSL_showfatal (const char *fmta,...)
|
|||
|
||||
#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
|
||||
/* this -------------v--- guards NT-specific calls */
|
||||
if (GetVersion() < 0x80000000 && OPENSSL_isservice())
|
||||
if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
|
||||
{ HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
|
||||
const TCHAR *pmsg=buf;
|
||||
ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
|
||||
|
|
|
@ -192,7 +192,7 @@ $ LIB_CAMELLIA = "camellia,cmll_misc,cmll_ecb,cmll_cbc,cmll_ofb,"+ -
|
|||
$ LIB_SEED = "seed,seed_ecb,seed_cbc,seed_cfb,seed_ofb"
|
||||
$ LIB_MODES = "cbc128,ctr128,cfb128,ofb128"
|
||||
$ LIB_BN_ASM = "[.asm]vms.mar,vms-helper"
|
||||
$ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.EQS."AXP" THEN LIB_BN_ASM = "bn_asm"
|
||||
$ IF F$TRNLNM("OPENSSL_NO_ASM").OR.ARCH.NES."VAX" THEN LIB_BN_ASM = "bn_asm"
|
||||
$ LIB_BN = "bn_add,bn_div,bn_exp,bn_lib,bn_ctx,bn_mul,bn_mod,"+ -
|
||||
"bn_print,bn_rand,bn_shift,bn_word,bn_blind,"+ -
|
||||
"bn_kron,bn_sqrt,bn_gcd,bn_prime,bn_err,bn_sqr,"+LIB_BN_ASM+","+ -
|
||||
|
|
|
@ -157,7 +157,6 @@ struct dh_st
|
|||
this for backward compatibility: */
|
||||
#define DH_CHECK_P_NOT_STRONG_PRIME DH_CHECK_P_NOT_SAFE_PRIME
|
||||
|
||||
#define DHparams_dup(x) ASN1_dup_of_const(DH,i2d_DHparams,d2i_DHparams,x)
|
||||
#define d2i_DHparams_fp(fp,x) (DH *)ASN1_d2i_fp((char *(*)())DH_new, \
|
||||
(char *(*)())d2i_DHparams,(fp),(unsigned char **)(x))
|
||||
#define i2d_DHparams_fp(fp,x) ASN1_i2d_fp(i2d_DHparams,(fp), \
|
||||
|
@ -165,6 +164,8 @@ struct dh_st
|
|||
#define d2i_DHparams_bio(bp,x) ASN1_d2i_bio_of(DH,DH_new,d2i_DHparams,bp,x)
|
||||
#define i2d_DHparams_bio(bp,x) ASN1_i2d_bio_of_const(DH,i2d_DHparams,bp,x)
|
||||
|
||||
DH *DHparams_dup(DH *);
|
||||
|
||||
const DH_METHOD *DH_OpenSSL(void);
|
||||
|
||||
void DH_set_default_method(const DH_METHOD *meth);
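Review bot: The new prototype `DH *DHparams_dup(DH *);` takes a non-const pointer, whereas the macro it replaces was built on `ASN1_dup_of_const` and so presumably accepted a `const DH *`; existing callers holding a const pointer would now need a cast or get a qualifier warning. The same applies to `DSA *DSAparams_dup(DSA *x);` in the DSA header. If ASN1_item_dup cannot take a const argument, a one-line comment on the declaration stating that the input is not modified would keep the intent visible. Naming the parameter, `DH *DHparams_dup(DH *dh);`, would also match the definition and the DSA prototype.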
|
||||
|
|
|
@ -86,3 +86,8 @@ ASN1_SEQUENCE_cb(DHparams, dh_cb) = {
|
|||
} ASN1_SEQUENCE_END_cb(DH, DHparams)
|
||||
|
||||
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DH, DHparams, DHparams)
|
||||
|
||||
DH *DHparams_dup(DH *dh)
|
||||
{
|
||||
return ASN1_item_dup(ASN1_ITEM_rptr(DHparams), dh);
|
||||
}
|
||||
|
|
|
@ -195,8 +195,9 @@ dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
|
|||
dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
|
||||
dsa_sign.o: ../../include/openssl/opensslconf.h
|
||||
dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
dsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
dsa_sign.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_sign.c
|
||||
dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
|
||||
dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
|
||||
dsa_sign.o: ../cryptlib.h dsa_sign.c
|
||||
dsa_vrf.o: ../../e_os.h ../../include/openssl/bio.h
|
||||
dsa_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
dsa_vrf.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
|
||||
|
|
|
@ -165,7 +165,6 @@ struct dsa_st
|
|||
ENGINE *engine;
|
||||
};
|
||||
|
||||
#define DSAparams_dup(x) ASN1_dup_of_const(DSA,i2d_DSAparams,d2i_DSAparams,x)
|
||||
#define d2i_DSAparams_fp(fp,x) (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
|
||||
(char *(*)())d2i_DSAparams,(fp),(unsigned char **)(x))
|
||||
#define i2d_DSAparams_fp(fp,x) ASN1_i2d_fp(i2d_DSAparams,(fp), \
|
||||
|
@ -174,6 +173,7 @@ struct dsa_st
|
|||
#define i2d_DSAparams_bio(bp,x) ASN1_i2d_bio_of_const(DSA,i2d_DSAparams,bp,x)
|
||||
|
||||
|
||||
DSA *DSAparams_dup(DSA *x);
|
||||
DSA_SIG * DSA_SIG_new(void);
|
||||
void DSA_SIG_free(DSA_SIG *a);
|
||||
int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp);
|
||||
|
|
|
@ -143,3 +143,8 @@ ASN1_CHOICE_cb(DSAPublicKey, dsa_cb) = {
|
|||
} ASN1_CHOICE_END_cb(DSA, DSAPublicKey, write_params)
|
||||
|
||||
IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPublicKey, DSAPublicKey)
|
||||
|
||||
DSA *DSAparams_dup(DSA *dsa)
|
||||
{
|
||||
return ASN1_item_dup(ASN1_ITEM_rptr(DSAparams), dsa);
|
||||
}
|
||||
|
|
|
@ -201,8 +201,10 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
|||
}
|
||||
|
||||
/* step 2 */
|
||||
EVP_Digest(seed, qsize, md, NULL, evpmd, NULL);
|
||||
EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL);
|
||||
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
|
||||
goto err;
|
||||
if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
|
||||
goto err;
|
||||
for (i = 0; i < qsize; i++)
|
||||
md[i]^=buf2[i];
|
||||
|
||||
|
@ -252,7 +254,9 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
|
|||
break;
|
||||
}
|
||||
|
||||
EVP_Digest(buf, qsize, md ,NULL, evpmd, NULL);
|
||||
if (!EVP_Digest(buf, qsize, md ,NULL, evpmd,
|
||||
NULL))
|
||||
goto err;
|
||||
|
||||
/* step 8 */
|
||||
if (!BN_bin2bn(md, qsize, r0))
|
||||
|
|
|
@ -132,7 +132,7 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
|
|||
|
||||
ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa);
|
||||
|
||||
if (ret < 0)
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
*siglen = sltmp;
|
||||
return 1;
|
||||
|
@ -186,6 +186,7 @@ static int pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
|
|||
|
||||
case EVP_PKEY_CTRL_MD:
|
||||
if (EVP_MD_type((const EVP_MD *)p2) != NID_sha1 &&
|
||||
EVP_MD_type((const EVP_MD *)p2) != NID_dsa &&
|
||||
EVP_MD_type((const EVP_MD *)p2) != NID_sha224 &&
|
||||
EVP_MD_type((const EVP_MD *)p2) != NID_sha256)
|
||||
{
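Review bot: The added `NID_dsa` entry in the EVP_PKEY_CTRL_MD check has no comment, and unlike its neighbours it is not the name of a hash, so a reader cannot tell which digest it admits. Presumably it is there for a legacy DSA-with-SHA1 EVP_MD whose type is reported as NID_dsa; if so, a comment on that line such as `/* NID_dsa: type of the legacy DSA/SHA-1 method, still SHA-1 underneath */` would make clear that the set of accepted hashes has not grown beyond SHA-1, SHA-224 and SHA-256. The case body continues outside the hunk.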
|
||||
|
|
|
@ -60,6 +60,7 @@
|
|||
|
||||
#include "cryptlib.h"
|
||||
#include <openssl/dsa.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
|
||||
{
|
||||
|
@ -70,6 +71,7 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
|
|||
unsigned int *siglen, DSA *dsa)
|
||||
{
|
||||
DSA_SIG *s;
|
||||
RAND_seed(dgst, dlen);
|
||||
s=DSA_do_sign(dgst,dlen,dsa);
|
||||
if (s == NULL)
|
||||
{
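Review bot: The new `RAND_seed(dgst, dlen);` call in DSA_sign discards its result, although the CHANGES entry of this same commit says RAND_seed() was changed so that it can return an error; ECDSA_sign_ex in the ECDSA signing file gets the identical unchecked call. Either test the result and fail the signature, or mark the omission as deliberate with a comment, e.g. `/* best effort: mix the digest into the PRNG state; failure is not fatal */`. The seeding is also added only to DSA_sign, so code calling DSA_do_sign directly does not get it; if that is intended it deserves a sentence in the same comment. The function body continues outside the hunk.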
|
||||
|
|
|
@ -143,7 +143,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
|
|||
|
||||
ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);
|
||||
|
||||
if (ret < 0)
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
*siglen = (size_t)sltmp;
|
||||
return 1;
|
||||
|
|
|
@ -121,10 +121,11 @@ ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
|
|||
ecs_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
|
||||
ecs_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
|
||||
ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
|
||||
ecs_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
|
||||
ecs_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
|
||||
ecs_sign.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_sign.c
|
||||
ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
|
||||
ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
|
||||
ecs_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
|
||||
ecs_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
|
||||
ecs_sign.o: ecs_locl.h ecs_sign.c
|
||||
ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
|
||||
ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
|
||||
|
|
|
@ -212,7 +212,7 @@ err:
|
|||
static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
||||
const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
|
||||
{
|
||||
int ok = 0;
|
||||
int ok = 0, i;
|
||||
BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
|
||||
const BIGNUM *ckinv;
|
||||
BN_CTX *ctx = NULL;
|
||||
|
@ -251,22 +251,19 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
|
|||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (8 * dgst_len > BN_num_bits(order))
|
||||
i = BN_num_bits(order);
|
||||
/* Need to truncate digest if it is too long: first truncate whole
|
||||
* bytes.
|
||||
*/
|
||||
if (8 * dgst_len > i)
|
||||
dgst_len = (i + 7)/8;
|
||||
if (!BN_bin2bn(dgst, dgst_len, m))
|
||||
{
|
||||
/* XXX
|
||||
*
|
||||
* Should provide for optional hash truncation:
|
||||
* Keep the BN_num_bits(order) leftmost bits of dgst
|
||||
* (see March 2006 FIPS 186-3 draft, which has a few
|
||||
* confusing errors in this part though)
|
||||
*/
|
||||
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
|
||||
ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!BN_bin2bn(dgst, dgst_len, m))
|
||||
/* If still too long truncate remaining bits with a shift */
|
||||
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
|
||||
{
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
|
@ -346,7 +343,7 @@ err:
|
|||
static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
|
||||
const ECDSA_SIG *sig, EC_KEY *eckey)
|
||||
{
|
||||
int ret = -1;
|
||||
int ret = -1, i;
|
||||
BN_CTX *ctx;
|
||||
BIGNUM *order, *u1, *u2, *m, *X;
|
||||
EC_POINT *point = NULL;
|
||||
|
@ -384,21 +381,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
|
|||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (8 * dgst_len > BN_num_bits(order))
|
||||
{
|
||||
/* XXX
|
||||
*
|
||||
* Should provide for optional hash truncation:
|
||||
* Keep the BN_num_bits(order) leftmost bits of dgst
|
||||
* (see March 2006 FIPS 186-3 draft, which has a few
|
||||
* confusing errors in this part though)
|
||||
*/
|
||||
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
|
||||
ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
ret = 0;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
|
||||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
|
||||
|
@ -415,11 +397,23 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
|
|||
goto err;
|
||||
}
|
||||
/* digest -> m */
|
||||
i = BN_num_bits(order);
|
||||
/* Need to truncate digest if it is too long: first truncate whole
|
||||
* bytes.
|
||||
*/
|
||||
if (8 * dgst_len > i)
|
||||
dgst_len = (i + 7)/8;
|
||||
if (!BN_bin2bn(dgst, dgst_len, m))
|
||||
{
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
/* If still too long truncate remaining bits with a shift */
|
||||
if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
|
||||
{
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
/* u1 = m * tmp mod order */
|
||||
if (!BN_mod_mul(u1, m, u2, order, ctx))
|
||||
{
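Review bot: The digest-truncation sequence is now written out twice, once in ecdsa_do_sign and once in ecdsa_do_verify, and the two copies must stay exactly equivalent or signatures produced here stop verifying; a shared static helper would remove that risk and let the name `i` become something like `order_bits`. The helper is also the place for the explanation that is missing today: after cutting to `(i + 7)/8` bytes, the second `8 * dgst_len > i` test is true only when the order's bit length is not a multiple of 8, so the shift count `8 - (i & 0x7)` stays between 1 and 7. Neither copy rejects a negative `dgst_len`; whether callers can pass one is not visible here. Both functions start and end outside their hunks.

```c
/* Load the leftmost BN_num_bits(order) bits of dgst into m.
 * Returns 1 on success, 0 if a BIGNUM operation fails.
 */
static int ecdsa_digest_to_bn(BIGNUM *m, const unsigned char *dgst,
	int dgst_len, const BIGNUM *order)
	{
	int order_bits = BN_num_bits(order);

	/* Drop surplus whole bytes first. */
	if (8 * dgst_len > order_bits)
		dgst_len = (order_bits + 7)/8;
	if (!BN_bin2bn(dgst, dgst_len, m))
		return 0;
	/* Still too long only when order_bits is not a multiple of 8:
	 * shift out the 1..7 surplus low bits.
	 */
	if ((8 * dgst_len > order_bits) &&
		!BN_rshift(m, m, 8 - (order_bits & 0x7)))
		return 0;
	return 1;
	}

/* ... unchanged: ecdsa_do_sign up to the group order lookup ... */
	if (!ecdsa_digest_to_bn(m, dgst, dgst_len, order))
		{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
		goto err;
		}
/* ... unchanged: rest of ecdsa_do_sign; ecdsa_do_verify calls the helper
 * the same way and reports ECDSA_F_ECDSA_DO_VERIFY ... */
```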
|
||||
|
|
|
@ -57,6 +57,7 @@
|
|||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include <openssl/rand.h>
|
||||
|
||||
ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
|
||||
{
|
||||
|
@ -83,6 +84,7 @@ int ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char
|
|||
EC_KEY *eckey)
|
||||
{
|
||||
ECDSA_SIG *s;
|
||||
RAND_seed(dgst, dlen);
|
||||
s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
|
||||
if (s == NULL)
|
||||
{
|
||||
|
|
|
@ -245,7 +245,7 @@ typedef struct
|
|||
} AESNI_KEY;
|
||||
|
||||
static int
|
||||
aesni_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *user_key,
|
||||
aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *user_key,
|
||||
const unsigned char *iv, int enc)
|
||||
{
|
||||
int ret;
|
||||
|
@ -259,7 +259,7 @@ aesni_init_key (EVP_CIPHER_CTX *ctx, const unsigned char *user_key,
|
|||
ret=aesni_set_decrypt_key(user_key, ctx->key_len * 8, key);
|
||||
|
||||
if(ret < 0) {
|
||||
EVPerr(EVP_F_AES_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
|
||||
EVPerr(EVP_F_AESNI_INIT_KEY,EVP_R_AES_KEY_SETUP_FAILED);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -280,7 +280,7 @@ int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
|
|||
}
|
||||
/* Force the result of the control command to 0 or 1, for the reasons
|
||||
* mentioned before. */
|
||||
if (ENGINE_ctrl(e, num, i, p, f))
|
||||
if (ENGINE_ctrl(e, num, i, p, f) > 0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -345,7 +345,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
|
|||
* usage of these commands is consistent across applications and
|
||||
* that certain applications don't understand it one way, and
|
||||
* others another. */
|
||||
if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
|
||||
if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -360,7 +360,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
|
|||
if(flags & ENGINE_CMD_FLAG_STRING)
|
||||
{
|
||||
/* Same explanation as above */
|
||||
if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
|
||||
if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -383,7 +383,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
|
|||
}
|
||||
/* Force the result of the control command to 0 or 1, for the reasons
|
||||
* mentioned before. */
|
||||
if(ENGINE_ctrl(e, num, l, NULL, NULL))
|
||||
if(ENGINE_ctrl(e, num, l, NULL, NULL) > 0)
|
||||
return 1;
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -102,6 +102,7 @@
|
|||
#ifndef OPENSSL_NO_JPAKE
|
||||
#include <openssl/jpake.h>
|
||||
#endif
|
||||
#include <openssl/comp.h>
|
||||
|
||||
void ERR_load_crypto_strings(void)
|
||||
{
|
||||
|
@ -154,5 +155,6 @@ void ERR_load_crypto_strings(void)
|
|||
#ifndef OPENSSL_NO_JPAKE
|
||||
ERR_load_JPAKE_strings();
|
||||
#endif
|
||||
ERR_load_COMP_strings();
|
||||
#endif
|
||||
}
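Review bot: The added `ERR_load_COMP_strings();` call and the `#include <openssl/comp.h>` in the first hunk are unconditional, while the JPAKE lines directly before each of them are wrapped in `#ifndef OPENSSL_NO_JPAKE`. If the library can be configured without compression support, this would reference a function that is not built. Guarding both additions the same way, with `#ifndef OPENSSL_NO_COMP` and `#endif`, would keep such configurations linking. ERR_load_crypto_strings starts outside the second hunk.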
|
||||
|
|
|
@ -470,13 +470,21 @@ m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
|
|||
m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
|
||||
m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
|
||||
m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md5.c
|
||||
m_mdc2.o: ../../e_os.h ../../include/openssl/bio.h
|
||||
m_mdc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
|
||||
m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
m_mdc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
|
||||
m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
|
||||
m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
|
||||
m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
|
||||
m_mdc2.o: ../../include/openssl/symhacks.h ../cryptlib.h m_mdc2.c
|
||||
m_mdc2.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
|
||||
m_mdc2.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
|
||||
m_mdc2.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
|
||||
m_mdc2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
|
||||
m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/mdc2.h
|
||||
m_mdc2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
|
||||
m_mdc2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
|
||||
m_mdc2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
|
||||
m_mdc2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
|
||||
m_mdc2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
|
||||
m_mdc2.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
|
||||
m_mdc2.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
|
||||
m_mdc2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_mdc2.c
|
||||
m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
|
||||
m_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
|
||||
m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
|
||||
|
|
|
@ -198,9 +198,13 @@ static int enc_read(BIO *b, char *out, int outl)
|
|||
}
|
||||
else
|
||||
{
|
||||
EVP_CipherUpdate(&(ctx->cipher),
|
||||
if (!EVP_CipherUpdate(&(ctx->cipher),
|
||||
(unsigned char *)ctx->buf,&ctx->buf_len,
|
||||
(unsigned char *)&(ctx->buf[BUF_OFFSET]),i);
|
||||
(unsigned char *)&(ctx->buf[BUF_OFFSET]),i))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
ctx->cont=1;
|
||||
/* Note: it is possible for EVP_CipherUpdate to
|
||||
* decrypt zero bytes because this is or looks like
|
||||
|
@ -257,9 +261,13 @@ static int enc_write(BIO *b, const char *in, int inl)
|
|||
while (inl > 0)
|
||||
{
|
||||
n=(inl > ENC_BLOCK_SIZE)?ENC_BLOCK_SIZE:inl;
|
||||
EVP_CipherUpdate(&(ctx->cipher),
|
||||
if (!EVP_CipherUpdate(&(ctx->cipher),
|
||||
(unsigned char *)ctx->buf,&ctx->buf_len,
|
||||
(unsigned char *)in,n);
|
||||
(unsigned char *)in,n))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
inl-=n;
|
||||
in+=n;
|
||||
|
||||
|
@ -298,8 +306,9 @@ static long enc_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
case BIO_CTRL_RESET:
|
||||
ctx->ok=1;
|
||||
ctx->finished=0;
|
||||
EVP_CipherInit_ex(&(ctx->cipher),NULL,NULL,NULL,NULL,
|
||||
ctx->cipher.encrypt);
|
||||
if (!EVP_CipherInit_ex(&(ctx->cipher),NULL,NULL,NULL,NULL,
|
||||
ctx->cipher.encrypt))
|
||||
return 0;
|
||||
ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
|
||||
break;
|
||||
case BIO_CTRL_EOF: /* More to read */
|
||||
|
@ -405,22 +414,24 @@ EVP_CIPHER_ctx *c;
|
|||
}
|
||||
*/
|
||||
|
||||
void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k,
|
||||
int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k,
|
||||
const unsigned char *i, int e)
|
||||
{
|
||||
BIO_ENC_CTX *ctx;
|
||||
|
||||
if (b == NULL) return;
|
||||
if (b == NULL) return 0;
|
||||
|
||||
if ((b->callback != NULL) &&
|
||||
(b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,0L) <= 0))
|
||||
return;
|
||||
return 0;
|
||||
|
||||
b->init=1;
|
||||
ctx=(BIO_ENC_CTX *)b->ptr;
|
||||
EVP_CipherInit_ex(&(ctx->cipher),c,NULL, k,i,e);
|
||||
if (!EVP_CipherInit_ex(&(ctx->cipher),c,NULL, k,i,e))
|
||||
return 0;
|
||||
|
||||
if (b->callback != NULL)
|
||||
b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);
|
||||
return b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);
|
||||
return 1;
|
||||
}
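Review bot: In BIO_set_cipher, `b->init=1;` is still executed before the newly checked `EVP_CipherInit_ex` call, so when initialisation fails the function returns 0 but leaves the BIO marked as initialised with a cipher context that was never set up; moving `b->init=1;` below the successful call avoids that. The final `return b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);` also narrows the callback's long result to int and can yield values other than 0 or 1, which the new int return type does not document. In enc_read and enc_write the added failure paths return 0 without recording the failure in the context (the BIO_CTRL_RESET hunk shows a `ctx->ok` flag), so a cipher error may look like end of data to the caller; setting `ctx->ok=0;` there is worth considering. enc_read, enc_write and enc_ctrl continue outside their hunks.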
|
||||
|
||||
|
|
|
@ -153,8 +153,12 @@ static int md_write(BIO *b, const char *in, int inl)
|
|||
{
|
||||
if (ret > 0)
|
||||
{
|
||||
EVP_DigestUpdate(ctx,(const unsigned char *)in,
|
||||
(unsigned int)ret);
|
||||
if (!EVP_DigestUpdate(ctx,(const unsigned char *)in,
|
||||
(unsigned int)ret))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
if(b->next_bio != NULL)
|
||||
|
@ -220,7 +224,8 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
case BIO_CTRL_DUP:
|
||||
dbio=ptr;
|
||||
dctx=dbio->ptr;
|
||||
EVP_MD_CTX_copy_ex(dctx,ctx);
|
||||
if (!EVP_MD_CTX_copy_ex(dctx,ctx))
|
||||
return 0;
|
||||
b->init=1;
|
||||
break;
|
||||
default:
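Review bot: In the md_write hunk the new failure branch returns 0 inside `if (ret > 0)`, so the caller is told nothing was written although `ret` bytes of `in` have apparently already been accepted. Where `ret` is assigned is outside the hunk; if it is the result of writing to `b->next_bio`, a caller that retries the same buffer would pass the data on twice while the digest never covered it. The branch should carry a comment stating the contract, e.g. `/* digest update failed: data may already have gone downstream, do not retry */`, or the failure should be recorded so later calls on this BIO fail as well.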
|
||||
|
|
|
@ -133,10 +133,10 @@ static int ok_new(BIO *h);
|
|||
static int ok_free(BIO *data);
|
||||
static long ok_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp);
|
||||
|
||||
static void sig_out(BIO* b);
|
||||
static void sig_in(BIO* b);
|
||||
static void block_out(BIO* b);
|
||||
static void block_in(BIO* b);
|
||||
static __owur int sig_out(BIO* b);
|
||||
static __owur int sig_in(BIO* b);
|
||||
static __owur int block_out(BIO* b);
|
||||
static __owur int block_in(BIO* b);
|
||||
#define OK_BLOCK_SIZE (1024*4)
|
||||
#define OK_BLOCK_BLOCK 4
|
||||
#define IOBS (OK_BLOCK_SIZE+ OK_BLOCK_BLOCK+ 3*EVP_MAX_MD_SIZE)
|
||||
|
@ -266,10 +266,24 @@ static int ok_read(BIO *b, char *out, int outl)
|
|||
ctx->buf_len+= i;
|
||||
|
||||
/* no signature yet -- check if we got one */
|
||||
if (ctx->sigio == 1) sig_in(b);
|
||||
if (ctx->sigio == 1)
|
||||
{
|
||||
if (!sig_in(b))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* signature ok -- check if we got block */
|
||||
if (ctx->sigio == 0) block_in(b);
|
||||
if (ctx->sigio == 0)
|
||||
{
|
||||
if (!block_in(b))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* invalid block -- cancel */
|
||||
if (ctx->cont <= 0) break;
|
||||
|
@ -293,7 +307,8 @@ static int ok_write(BIO *b, const char *in, int inl)
|
|||
|
||||
if ((ctx == NULL) || (b->next_bio == NULL) || (b->init == 0)) return(0);
|
||||
|
||||
if(ctx->sigio) sig_out(b);
|
||||
if(ctx->sigio && !sig_out(b))
|
||||
return 0;
|
||||
|
||||
do{
|
||||
BIO_clear_retry_flags(b);
|
||||
|
@ -332,7 +347,11 @@ static int ok_write(BIO *b, const char *in, int inl)
|
|||
|
||||
if(ctx->buf_len >= OK_BLOCK_SIZE+ OK_BLOCK_BLOCK)
|
||||
{
|
||||
block_out(b);
|
||||
if (!block_out(b))
|
||||
{
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}while(inl > 0);
|
||||
|
||||
|
@ -379,7 +398,8 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
case BIO_CTRL_FLUSH:
|
||||
/* do a final write */
|
||||
if(ctx->blockout == 0)
|
||||
block_out(b);
|
||||
if (!block_out(b))
|
||||
return 0;
|
||||
|
||||
while (ctx->blockout)
|
||||
{
|
||||
|
@ -408,7 +428,8 @@ static long ok_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
break;
|
||||
case BIO_C_SET_MD:
|
||||
md=ptr;
|
||||
EVP_DigestInit_ex(&ctx->md, md, NULL);
|
||||
if (!EVP_DigestInit_ex(&ctx->md, md, NULL))
|
||||
return 0;
|
||||
b->init=1;
|
||||
break;
|
||||
case BIO_C_GET_MD:
|
||||
|
@ -455,7 +476,7 @@ static void longswap(void *_ptr, size_t len)
|
|||
}
|
||||
}
|
||||
|
||||
static void sig_out(BIO* b)
|
||||
static int sig_out(BIO* b)
|
||||
{
|
||||
BIO_OK_CTX *ctx;
|
||||
EVP_MD_CTX *md;
|
||||
|
@ -463,9 +484,10 @@ static void sig_out(BIO* b)
|
|||
ctx=b->ptr;
|
||||
md=&ctx->md;
|
||||
|
||||
if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return;
|
||||
if(ctx->buf_len+ 2* md->digest->md_size > OK_BLOCK_SIZE) return 1;
|
||||
|
||||
EVP_DigestInit_ex(md, md->digest, NULL);
|
||||
if (!EVP_DigestInit_ex(md, md->digest, NULL))
|
||||
goto berr;
|
||||
/* FIXME: there's absolutely no guarantee this makes any sense at all,
|
||||
* particularly now EVP_MD_CTX has been restructured.
|
||||
*/
|
||||
|
@ -474,14 +496,20 @@ static void sig_out(BIO* b)
|
|||
longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size);
|
||||
ctx->buf_len+= md->digest->md_size;
|
||||
|
||||
EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
|
||||
EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL);
|
||||
if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
|
||||
goto berr;
|
||||
if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
|
||||
goto berr;
|
||||
ctx->buf_len+= md->digest->md_size;
|
||||
ctx->blockout= 1;
|
||||
ctx->sigio= 0;
|
||||
return 1;
|
||||
berr:
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void sig_in(BIO* b)
|
||||
static int sig_in(BIO* b)
|
||||
{
|
||||
BIO_OK_CTX *ctx;
|
||||
EVP_MD_CTX *md;
|
||||
|
@ -491,15 +519,18 @@ static void sig_in(BIO* b)
|
|||
ctx=b->ptr;
|
||||
md=&ctx->md;
|
||||
|
||||
if((int)(ctx->buf_len-ctx->buf_off) < 2*md->digest->md_size) return;
|
||||
if((int)(ctx->buf_len-ctx->buf_off) < 2*md->digest->md_size) return 1;
|
||||
|
||||
EVP_DigestInit_ex(md, md->digest, NULL);
|
||||
if (!EVP_DigestInit_ex(md, md->digest, NULL))
|
||||
goto berr;
|
||||
memcpy(md->md_data, &(ctx->buf[ctx->buf_off]), md->digest->md_size);
|
||||
longswap(md->md_data, md->digest->md_size);
|
||||
ctx->buf_off+= md->digest->md_size;
|
||||
|
||||
EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN));
|
||||
EVP_DigestFinal_ex(md, tmp, NULL);
|
||||
if (!EVP_DigestUpdate(md, WELLKNOWN, strlen(WELLKNOWN)))
|
||||
goto berr;
|
||||
if (!EVP_DigestFinal_ex(md, tmp, NULL))
|
||||
goto berr;
|
||||
ret= memcmp(&(ctx->buf[ctx->buf_off]), tmp, md->digest->md_size) == 0;
|
||||
ctx->buf_off+= md->digest->md_size;
|
||||
if(ret == 1)
|
||||
|
@ -516,9 +547,13 @@ static void sig_in(BIO* b)
|
|||
{
|
||||
ctx->cont= 0;
|
||||
}
|
||||
return 1;
|
||||
berr:
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void block_out(BIO* b)
|
||||
static int block_out(BIO* b)
|
||||
{
|
||||
BIO_OK_CTX *ctx;
|
||||
EVP_MD_CTX *md;
|
||||
|
@ -532,13 +567,20 @@ static void block_out(BIO* b)
|
|||
ctx->buf[1]=(unsigned char)(tl>>16);
|
||||
ctx->buf[2]=(unsigned char)(tl>>8);
|
||||
ctx->buf[3]=(unsigned char)(tl);
|
||||
EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
|
||||
EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL);
|
||||
if (!EVP_DigestUpdate(md,
|
||||
(unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl))
|
||||
goto berr;
|
||||
if (!EVP_DigestFinal_ex(md, &(ctx->buf[ctx->buf_len]), NULL))
|
||||
goto berr;
|
||||
ctx->buf_len+= md->digest->md_size;
|
||||
ctx->blockout= 1;
|
||||
return 1;
|
||||
berr:
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void block_in(BIO* b)
|
||||
static int block_in(BIO* b)
|
||||
{
|
||||
BIO_OK_CTX *ctx;
|
||||
EVP_MD_CTX *md;
|
||||
|
@ -554,10 +596,13 @@ static void block_in(BIO* b)
|
|||
tl|=ctx->buf[2]; tl<<=8;
|
||||
tl|=ctx->buf[3];
|
||||
|
||||
if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return;
|
||||
if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return 1;
|
||||
|
||||
EVP_DigestUpdate(md, (unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl);
|
||||
EVP_DigestFinal_ex(md, tmp, NULL);
|
||||
if (!EVP_DigestUpdate(md,
|
||||
(unsigned char*) &(ctx->buf[OK_BLOCK_BLOCK]), tl))
|
||||
goto berr;
|
||||
if (!EVP_DigestFinal_ex(md, tmp, NULL))
|
||||
goto berr;
|
||||
if(memcmp(&(ctx->buf[tl+ OK_BLOCK_BLOCK]), tmp, md->digest->md_size) == 0)
|
||||
{
|
||||
/* there might be parts from next block lurking around ! */
|
||||
|
@ -571,5 +616,9 @@ static void block_in(BIO* b)
|
|||
{
|
||||
ctx->cont= 0;
|
||||
}
|
||||
return 1;
|
||||
berr:
|
||||
BIO_clear_retry_flags(b);
|
||||
return 0;
|
||||
}
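Review bot: In the block_in hunk the guard `if (ctx->buf_len < tl+ OK_BLOCK_BLOCK+ md->digest->md_size) return 1;` is the only check on `tl`, which is assembled from the first four bytes of `ctx->buf`, that is, from the stream being read. `tl` is declared outside the hunk; if its type is 32 bits wide the sum can wrap for a large length, and the following `EVP_DigestUpdate(..., tl)` and the `memcmp` at `ctx->buf[tl+ OK_BLOCK_BLOCK]` would then run past the buffer. Bounding the length before the sum removes the dependence on the type, e.g. `if (tl > OK_BLOCK_SIZE) { ctx->cont= 0; return 1; }`, which treats an oversized length like the invalid-block branch at the end of the function. The start of block_in and the branch that consumes a valid block are outside the hunks.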
|
||||
|
||||
|
|
|
@ -71,6 +71,8 @@ void OpenSSL_add_all_ciphers(void)
|
|||
EVP_add_cipher(EVP_des_cfb8());
|
||||
EVP_add_cipher(EVP_des_ede_cfb());
|
||||
EVP_add_cipher(EVP_des_ede3_cfb());
|
||||
EVP_add_cipher(EVP_des_ede3_cfb1());
|
||||
EVP_add_cipher(EVP_des_ede3_cfb8());
|
||||
|
||||
EVP_add_cipher(EVP_des_ofb());
|
||||
EVP_add_cipher(EVP_des_ede_ofb());
|
||||
|
|
|
@ -126,7 +126,8 @@ EVP_MD_CTX *EVP_MD_CTX_create(void)
|
|||
{
|
||||
EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
|
||||
|
||||
EVP_MD_CTX_init(ctx);
|
||||
if (ctx)
|
||||
EVP_MD_CTX_init(ctx);
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
@ -202,6 +203,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
|
|||
{
|
||||
ctx->update = type->update;
|
||||
ctx->md_data=OPENSSL_malloc(type->ctx_size);
|
||||
if (ctx->md_data == NULL)
|
||||
{
|
||||
EVPerr(EVP_F_EVP_DIGESTINIT_EX,
|
||||
ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
@ -286,8 +293,17 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
|
|||
|
||||
if (in->md_data && out->digest->ctx_size)
|
||||
{
|
||||
if (tmp_buf) out->md_data = tmp_buf;
|
||||
else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
|
||||
if (tmp_buf)
|
||||
out->md_data = tmp_buf;
|
||||
else
|
||||
{
|
||||
out->md_data=OPENSSL_malloc(out->digest->ctx_size);
|
||||
if (!out->md_data)
|
||||
{
|
||||
EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
memcpy(out->md_data,in->md_data,out->digest->ctx_size);
|
||||
}
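Review bot: In the EVP_DigestInit_ex hunk the new allocation check returns 0 after `ctx->update = type->update;` has already been assigned, so on failure the context carries the new digest's update function with `md_data` set to NULL. A caller that ignores the return value, which is the case this commit is trying to catch, would presumably go on to invoke that function on a NULL state; whether `ctx->digest` has also been switched by then is not visible in the hunk. Moving `ctx->update = type->update;` below the `if (ctx->md_data == NULL)` block keeps the failure path from leaving a half-initialised context.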
|
||||
|
||||
|
|
|
@ -183,7 +183,8 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
|
|||
key_bits =rc2_magic_to_meth((int)num);
|
||||
if (!key_bits)
|
||||
return(-1);
|
||||
if(i > 0) EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1);
|
||||
if(i > 0 && !EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1))
|
||||
return -1;
|
||||
EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
|
||||
EVP_CIPHER_CTX_set_key_length(c, key_bits / 8);
|
||||
}
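Review bot: The two calls right after the new check, `EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL)` and `EVP_CIPHER_CTX_set_key_length(c, key_bits / 8)`, still have their results ignored, although `key_bits` is derived from `num` through `rc2_magic_to_meth`, apparently a value taken from the ASN.1 parameters. If either call fails, the function continues with a context whose effective key bits or key length were not applied. They should follow the pattern of the new line: `if (EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL) <= 0) return -1;` and `if (!EVP_CIPHER_CTX_set_key_length(c, key_bits / 8)) return -1;`. The rest of the function is outside the hunk.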
|
||||
|
|
|
@ -480,7 +480,7 @@ void BIO_set_md(BIO *,const EVP_MD *md);
|
|||
#define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL)
|
||||
#define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp)
|
||||
|
||||
int EVP_Cipher(EVP_CIPHER_CTX *c,
|
||||
__owur int EVP_Cipher(EVP_CIPHER_CTX *c,
|
||||
unsigned char *out,
|
||||
const unsigned char *in,
|
||||
unsigned int inl);
|
||||
|
@ -498,83 +498,83 @@ void EVP_MD_CTX_init(EVP_MD_CTX *ctx);
|
|||
int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);
|
||||
EVP_MD_CTX *EVP_MD_CTX_create(void);
|
||||
void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);
|
||||
int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
|
||||
__owur int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in);
|
||||
void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags);
|
||||
void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
|
||||
int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx,int flags);
|
||||
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
|
||||
int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
|
||||
__owur int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
|
||||
__owur int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d,
|
||||
size_t cnt);
|
||||
int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
|
||||
int EVP_Digest(const void *data, size_t count,
|
||||
__owur int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
|
||||
__owur int EVP_Digest(const void *data, size_t count,
|
||||
unsigned char *md, unsigned int *size, const EVP_MD *type, ENGINE *impl);
|
||||
|
||||
int EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in);
|
||||
int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
|
||||
int EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
|
||||
__owur int EVP_MD_CTX_copy(EVP_MD_CTX *out,const EVP_MD_CTX *in);
|
||||
__owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
|
||||
__owur int EVP_DigestFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s);
|
||||
|
||||
int EVP_read_pw_string(char *buf,int length,const char *prompt,int verify);
|
||||
void EVP_set_pw_prompt(const char *prompt);
|
||||
char * EVP_get_pw_prompt(void);
|
||||
|
||||
int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
|
||||
__owur int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
|
||||
const unsigned char *salt, const unsigned char *data,
|
||||
int datal, int count, unsigned char *key,unsigned char *iv);
|
||||
|
||||
int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
__owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
__owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
__owur int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
int *outl, const unsigned char *in, int inl);
|
||||
int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
__owur int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
__owur int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
|
||||
int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
__owur int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
__owur int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
const unsigned char *key, const unsigned char *iv);
|
||||
int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
__owur int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
int *outl, const unsigned char *in, int inl);
|
||||
int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
__owur int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
__owur int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
|
||||
int EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
__owur int EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
|
||||
const unsigned char *key,const unsigned char *iv,
|
||||
int enc);
|
||||
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
__owur int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
|
||||
const unsigned char *key,const unsigned char *iv,
|
||||
int enc);
|
||||
int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
__owur int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
int *outl, const unsigned char *in, int inl);
|
||||
int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
__owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
__owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl);
|
||||
|
||||
int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
|
||||
__owur int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s,
|
||||
EVP_PKEY *pkey);
|
||||
|
||||
int EVP_VerifyFinal(EVP_MD_CTX *ctx,const unsigned char *sigbuf,
|
||||
__owur int EVP_VerifyFinal(EVP_MD_CTX *ctx,const unsigned char *sigbuf,
|
||||
unsigned int siglen,EVP_PKEY *pkey);
|
||||
|
||||
int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
__owur int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
||||
int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
__owur int EVP_DigestSignFinal(EVP_MD_CTX *ctx,
|
||||
unsigned char *sigret, size_t *siglen);
|
||||
|
||||
int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
__owur int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
||||
const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
|
||||
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx,
|
||||
__owur int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx,
|
||||
unsigned char *sig, size_t siglen);
|
||||
|
||||
int EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
|
||||
__owur int EVP_OpenInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type,
|
||||
const unsigned char *ek, int ekl, const unsigned char *iv,
|
||||
EVP_PKEY *priv);
|
||||
int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
__owur int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl);
|
||||
|
||||
int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
|
||||
__owur int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
|
||||
unsigned char **ek, int *ekl, unsigned char *iv,
|
||||
EVP_PKEY **pubk, int npubk);
|
||||
int EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
|
||||
__owur int EVP_SealFinal(EVP_CIPHER_CTX *ctx,unsigned char *out,int *outl);
|
||||
|
||||
void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);
|
||||
void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx,unsigned char *out,int *outl,
|
||||
|
@ -603,7 +603,7 @@ BIO_METHOD *BIO_f_md(void);
|
|||
BIO_METHOD *BIO_f_base64(void);
|
||||
BIO_METHOD *BIO_f_cipher(void);
|
||||
BIO_METHOD *BIO_f_reliable(void);
|
||||
void BIO_set_cipher(BIO *b,const EVP_CIPHER *c,const unsigned char *k,
|
||||
__owur int BIO_set_cipher(BIO *b,const EVP_CIPHER *c,const unsigned char *k,
|
||||
const unsigned char *i, int enc);
|
||||
#endif
|
||||
|
||||
|
@ -1177,6 +1177,7 @@ void ERR_load_EVP_strings(void);
|
|||
/* Error codes for the EVP functions. */
|
||||
|
||||
/* Function codes. */
|
||||
#define EVP_F_AESNI_INIT_KEY 163
|
||||
#define EVP_F_AES_INIT_KEY 133
|
||||
#define EVP_F_CAMELLIA_INIT_KEY 159
|
||||
#define EVP_F_D2I_PKEY 100
|
||||
|
@ -1235,6 +1236,7 @@ void ERR_load_EVP_strings(void);
|
|||
#define EVP_F_INT_CTX_NEW 157
|
||||
#define EVP_F_PKCS5_PBE_KEYIVGEN 117
|
||||
#define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
|
||||
#define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
|
||||
#define EVP_F_PKCS8_SET_BROKEN 112
|
||||
#define EVP_F_PKEY_SET_TYPE 158
|
||||
#define EVP_F_RC2_MAGIC_TO_METH 109
|
||||
|
@ -1289,6 +1291,8 @@ void ERR_load_EVP_strings(void);
|
|||
#define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
|
||||
#define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
|
||||
#define EVP_R_PUBLIC_KEY_NOT_RSA 106
|
||||
#define EVP_R_UNKNOWN_CIPHER 160
|
||||
#define EVP_R_UNKNOWN_DIGEST 161
|
||||
#define EVP_R_UNKNOWN_PBE_ALGORITHM 121
|
||||
#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135
|
||||
#define EVP_R_UNSUPPORTED_ALGORITHM 156
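Review bot: The BIO_set_cipher prototype in the -603 hunk changes from `void` to `__owur int` without stating what the value means, and the definition shown earlier on this page does not return a plain 0 or 1: with a callback installed its success path is `return b->callback(b,BIO_CB_CTRL,(const char *)c,BIO_CTRL_SET,e,1L);`. A caller written as `if (!BIO_set_cipher(...))` then treats a negative callback result as success, and the result is narrowed to `int` if the callback returns a wider type (its declaration is not visible here). The declaration should carry the contract, e.g. `/* returns 1 on success, 0 on failure; a callback result <= 0 is reported as 0 */`, and the definition should map the callback result onto it.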
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* crypto/evp/evp_err.c */
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -70,6 +70,7 @@
|
|||
|
||||
static ERR_STRING_DATA EVP_str_functs[]=
|
||||
{
|
||||
{ERR_FUNC(EVP_F_AESNI_INIT_KEY), "AESNI_INIT_KEY"},
|
||||
{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
|
||||
{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
|
||||
{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
|
||||
|
@ -85,7 +86,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
|
|||
{ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX), "EVP_DigestInit_ex"},
|
||||
{ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX), "EVP_EncryptFinal_ex"},
|
||||
{ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX), "EVP_MD_CTX_copy_ex"},
|
||||
{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_SIZE"},
|
||||
{ERR_FUNC(EVP_F_EVP_MD_SIZE), "EVP_MD_size"},
|
||||
{ERR_FUNC(EVP_F_EVP_OPENINIT), "EVP_OpenInit"},
|
||||
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD), "EVP_PBE_alg_add"},
|
||||
{ERR_FUNC(EVP_F_EVP_PBE_ALG_ADD_TYPE), "EVP_PBE_alg_add_type"},
|
||||
|
@ -128,6 +129,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
|
|||
{ERR_FUNC(EVP_F_INT_CTX_NEW), "INT_CTX_NEW"},
|
||||
{ERR_FUNC(EVP_F_PKCS5_PBE_KEYIVGEN), "PKCS5_PBE_keyivgen"},
|
||||
{ERR_FUNC(EVP_F_PKCS5_V2_PBE_KEYIVGEN), "PKCS5_v2_PBE_keyivgen"},
|
||||
{ERR_FUNC(EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN), "PKCS5_V2_PBKDF2_KEYIVGEN"},
|
||||
{ERR_FUNC(EVP_F_PKCS8_SET_BROKEN), "PKCS8_set_broken"},
|
||||
{ERR_FUNC(EVP_F_PKEY_SET_TYPE), "PKEY_SET_TYPE"},
|
||||
{ERR_FUNC(EVP_F_RC2_MAGIC_TO_METH), "RC2_MAGIC_TO_METH"},
|
||||
|
@ -185,6 +187,8 @@ static ERR_STRING_DATA EVP_str_reasons[]=
|
|||
{ERR_REASON(EVP_R_PRIVATE_KEY_DECODE_ERROR),"private key decode error"},
|
||||
{ERR_REASON(EVP_R_PRIVATE_KEY_ENCODE_ERROR),"private key encode error"},
|
||||
{ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA) ,"public key not rsa"},
|
||||
{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
|
||||
{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
|
||||
{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
|
||||
{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
|
||||
{ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},
|
||||
|
|
|
@ -115,7 +115,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
|||
unsigned char md_buf[EVP_MAX_MD_SIZE];
|
||||
int niv,nkey,addmd=0;
|
||||
unsigned int mds=0,i;
|
||||
|
||||
int rv = 0;
|
||||
nkey=type->key_len;
|
||||
niv=type->iv_len;
|
||||
OPENSSL_assert(nkey <= EVP_MAX_KEY_LENGTH);
|
||||
|
@ -129,17 +129,24 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
|||
if (!EVP_DigestInit_ex(&c,md, NULL))
|
||||
return 0;
|
||||
if (addmd++)
|
||||
EVP_DigestUpdate(&c,&(md_buf[0]),mds);
|
||||
EVP_DigestUpdate(&c,data,datal);
|
||||
if (!EVP_DigestUpdate(&c,&(md_buf[0]),mds))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(&c,data,datal))
|
||||
goto err;
|
||||
if (salt != NULL)
|
||||
EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN);
|
||||
EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds);
|
||||
if (!EVP_DigestUpdate(&c,salt,PKCS5_SALT_LEN))
|
||||
goto err;
|
||||
if (!EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds))
|
||||
goto err;
|
||||
|
||||
for (i=1; i<(unsigned int)count; i++)
|
||||
{
|
||||
EVP_DigestInit_ex(&c,md, NULL);
|
||||
EVP_DigestUpdate(&c,&(md_buf[0]),mds);
|
||||
EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds);
|
||||
if (!EVP_DigestInit_ex(&c,md, NULL))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(&c,&(md_buf[0]),mds))
|
||||
goto err;
|
||||
if (!EVP_DigestFinal_ex(&c,&(md_buf[0]),&mds))
|
||||
goto err;
|
||||
}
|
||||
i=0;
|
||||
if (nkey)
|
||||
|
@ -168,8 +175,10 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
|
|||
}
|
||||
if ((nkey == 0) && (niv == 0)) break;
|
||||
}
|
||||
rv = type->key_len;
|
||||
err:
|
||||
EVP_MD_CTX_cleanup(&c);
|
||||
OPENSSL_cleanse(&(md_buf[0]),EVP_MAX_MD_SIZE);
|
||||
return(type->key_len);
|
||||
return rv;
|
||||
}
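Review bot: The first check in the -129 hunk, `if (!EVP_DigestInit_ex(&c,md, NULL)) return 0;`, is left as a direct return and so skips the `err:` block this commit adds. `if (addmd++)` shows that `md_buf` holds the previous round's digest on later passes, so that path leaves key-derivation output in `md_buf` uncleansed and `c` without `EVP_MD_CTX_cleanup`. It should read `goto err;` like the other checks, since `rv` is still 0 at that point. This assumes `c` is initialised before the loop, which is outside the hunk.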
|
||||
|
||||
|
|
|
@ -159,6 +159,12 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
|
|||
|
||||
return NID_des_cfb64;
|
||||
|
||||
case NID_des_ede3_cfb64:
|
||||
case NID_des_ede3_cfb8:
|
||||
case NID_des_ede3_cfb1:
|
||||
|
||||
return NID_des_cfb64;
|
||||
|
||||
default:
|
||||
/* Check it has an OID and it is valid */
|
||||
otmp = OBJ_nid2obj(nid);
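Review bot: The three new labels `NID_des_ede3_cfb64`, `NID_des_ede3_cfb8` and `NID_des_ede3_cfb1` return `NID_des_cfb64`, the same value as the `return NID_des_cfb64;` that closes the preceding group, so a triple-DES CFB cipher is reported with the single-DES type. If this is a copy of the preceding case, the line should be `return NID_des_ede3_cfb64;`; if the mapping is intended, a comment on the case should say why. How callers use the result is outside the hunk, but an algorithm identifier built from it would name the wrong cipher.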
|
||||
|
|
|
@ -343,3 +343,7 @@ struct evp_pkey_method_st
|
|||
} /* EVP_PKEY_METHOD */;
|
||||
|
||||
void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
|
||||
|
||||
int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
|
||||
ASN1_TYPE *param,
|
||||
const EVP_CIPHER *c, const EVP_MD *md, int en_de);
|
||||
|
|
|
@ -61,6 +61,7 @@
|
|||
#include <openssl/evp.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#include <openssl/x509.h>
|
||||
#include "evp_locl.h"
|
||||
|
||||
/* Password based encryption (PBE) functions */
|
||||
|
||||
|
@ -87,6 +88,10 @@ static const EVP_PBE_CTL builtin_pbe[] =
|
|||
{EVP_PBE_TYPE_OUTER, NID_pbeWithSHA1AndRC2_CBC,
|
||||
NID_rc2_64_cbc, NID_sha1, PKCS5_PBE_keyivgen},
|
||||
|
||||
#ifndef OPENSSL_NO_HMAC
|
||||
{EVP_PBE_TYPE_OUTER, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen},
|
||||
#endif
|
||||
|
||||
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And128BitRC4,
|
||||
NID_rc4, NID_sha1, PKCS12_PBE_keyivgen},
|
||||
{EVP_PBE_TYPE_OUTER, NID_pbe_WithSHA1And40BitRC4,
|
||||
|
@ -174,12 +179,26 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
|
|||
if (cipher_nid == -1)
|
||||
cipher = NULL;
|
||||
else
|
||||
{
|
||||
cipher = EVP_get_cipherbynid(cipher_nid);
|
||||
if (!cipher)
|
||||
{
|
||||
EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_CIPHER);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (md_nid == -1)
|
||||
md = NULL;
|
||||
else
|
||||
{
|
||||
md = EVP_get_digestbynid(md_nid);
|
||||
if (!md)
|
||||
{
|
||||
EVPerr(EVP_F_EVP_PBE_CIPHERINIT,EVP_R_UNKNOWN_DIGEST);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
if (!keygen(ctx, pass, passlen, param, cipher, md, en_de))
|
||||
{
|
||||
|
|
|
@ -179,8 +179,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t siglen)
|
|||
unsigned int mdlen;
|
||||
int vctx;
|
||||
|
||||
/* FIXME: surely this should test verifyctx? (Ben 29/12/08) */
|
||||
if (ctx->pctx->pmeth->signctx)
|
||||
if (ctx->pctx->pmeth->verifyctx)
|
||||
vctx = 1;
|
||||
else
|
||||
vctx = 0;
|
||||
|
|
|
@ -82,6 +82,8 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
|
|||
unsigned char *salt;
|
||||
const unsigned char *pbuf;
|
||||
int mdsize;
|
||||
int rv = 0;
|
||||
EVP_MD_CTX_init(&ctx);
|
||||
|
||||
/* Extract useful info from parameter */
|
||||
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
|
||||
|
@ -104,29 +106,37 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
|
|||
if(!pass) passlen = 0;
|
||||
else if(passlen == -1) passlen = strlen(pass);
|
||||
|
||||
EVP_MD_CTX_init(&ctx);
|
||||
EVP_DigestInit_ex(&ctx, md, NULL);
|
||||
EVP_DigestUpdate(&ctx, pass, passlen);
|
||||
EVP_DigestUpdate(&ctx, salt, saltlen);
|
||||
if (!EVP_DigestInit_ex(&ctx, md, NULL))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(&ctx, pass, passlen))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(&ctx, salt, saltlen))
|
||||
goto err;
|
||||
PBEPARAM_free(pbe);
|
||||
EVP_DigestFinal_ex(&ctx, md_tmp, NULL);
|
||||
if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
|
||||
goto err;
|
||||
mdsize = EVP_MD_size(md);
|
||||
if (mdsize < 0)
|
||||
return 0;
|
||||
for (i = 1; i < iter; i++) {
|
||||
EVP_DigestInit_ex(&ctx, md, NULL);
|
||||
EVP_DigestUpdate(&ctx, md_tmp, mdsize);
|
||||
EVP_DigestFinal_ex (&ctx, md_tmp, NULL);
|
||||
if (!EVP_DigestInit_ex(&ctx, md, NULL))
|
||||
goto err;
|
||||
if (!EVP_DigestUpdate(&ctx, md_tmp, mdsize))
|
||||
goto err;
|
||||
if (!EVP_DigestFinal_ex (&ctx, md_tmp, NULL))
|
||||
goto err;
|
||||
}
|
||||
EVP_MD_CTX_cleanup(&ctx);
|
||||
OPENSSL_assert(EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp));
|
||||
memcpy(key, md_tmp, EVP_CIPHER_key_length(cipher));
|
||||
OPENSSL_assert(EVP_CIPHER_iv_length(cipher) <= 16);
|
||||
memcpy(iv, md_tmp + (16 - EVP_CIPHER_iv_length(cipher)),
|
||||
EVP_CIPHER_iv_length(cipher));
|
||||
EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de);
|
||||
if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
|
||||
goto err;
|
||||
OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
|
||||
OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
|
||||
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
|
||||
return 1;
|
||||
rv = 1;
|
||||
err:
|
||||
return rv;
|
||||
}
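Review bot: The new `err:` label only does `return rv;`, so every `goto err` leaves `md_tmp`, `key` and `iv` on the stack without `OPENSSL_cleanse` and `ctx` without `EVP_MD_CTX_cleanup`; after a failed `EVP_CipherInit_ex` those buffers hold the complete derived key and IV. The three checks placed before `PBEPARAM_free(pbe);` also jump past that call and leak `pbe`, and `if (mdsize < 0) return 0;` bypasses the label altogether. Moving the cleanup below the label and freeing `pbe` on the early failures closes all three. The start of the function is outside the hunks, so the declarations are assumed to be as the visible lines suggest.

```c
	/* … unchanged: declarations, parameter parsing, password length … */
	if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
	    !EVP_DigestUpdate(&ctx, pass, passlen) ||
	    !EVP_DigestUpdate(&ctx, salt, saltlen))
		{
		/* pbe is still owned here; release it before leaving */
		PBEPARAM_free(pbe);
		goto err;
		}
	PBEPARAM_free(pbe);
	if (!EVP_DigestFinal_ex(&ctx, md_tmp, NULL))
		goto err;
	mdsize = EVP_MD_size(md);
	if (mdsize < 0)
		goto err;
	/* … unchanged: iteration loop, key and iv copy (the EVP_MD_CTX_cleanup call there moves below) … */
	if (!EVP_CipherInit_ex(cctx, cipher, NULL, key, iv, en_de))
		goto err;
	rv = 1;
	err:
	/* runs on success and failure so derived key material never stays on the stack */
	EVP_MD_CTX_cleanup(&ctx);
	OPENSSL_cleanse(md_tmp, EVP_MAX_MD_SIZE);
	OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
	OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
	return rv;
```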
|
||||
|
|