From e40c9513e267e21491ba2701e021759930a22060 Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Wed, 28 Mar 2007 19:01:30 +0000 Subject: [PATCH] Import OpenSSL 0.9.8e. --- crypto/openssl-0.9/CHANGES | 86 +- crypto/openssl-0.9/FAQ | 2 +- crypto/openssl-0.9/LICENSE | 2 +- crypto/openssl-0.9/NEWS | 12 +- crypto/openssl-0.9/README | 4 +- crypto/openssl-0.9/apps/CA.pl | 2 +- crypto/openssl-0.9/apps/ca.c | 1 + crypto/openssl-0.9/apps/dgst.c | 48 +- crypto/openssl-0.9/apps/ec.c | 3 + crypto/openssl-0.9/apps/enc.c | 8 +- crypto/openssl-0.9/apps/ocsp.c | 6 + crypto/openssl-0.9/apps/pkcs12.c | 19 +- crypto/openssl-0.9/apps/s_client.c | 107 +- crypto/openssl-0.9/apps/s_server.c | 4 +- crypto/openssl-0.9/crypto/aes/aes_misc.c | 2 +- crypto/openssl-0.9/crypto/asn1/a_strex.c | 4 +- crypto/openssl-0.9/crypto/asn1/asn1_err.c | 17 +- crypto/openssl-0.9/crypto/asn1/asn1_lib.c | 2 +- crypto/openssl-0.9/crypto/asn1/asn1t.h | 2 +- crypto/openssl-0.9/crypto/asn1/t_x509.c | 15 +- crypto/openssl-0.9/crypto/asn1/tasn_dec.c | 2 +- crypto/openssl-0.9/crypto/asn1/x_x509.c | 8 + crypto/openssl-0.9/crypto/bf/bf_ecb.c | 2 +- crypto/openssl-0.9/crypto/bio/bio.h | 45 +- crypto/openssl-0.9/crypto/bio/bio_err.c | 9 +- crypto/openssl-0.9/crypto/bio/bio_lib.c | 46 + crypto/openssl-0.9/crypto/bn/bn_err.c | 9 +- crypto/openssl-0.9/crypto/bn/bn_lib.c | 2 +- crypto/openssl-0.9/crypto/bn/bn_print.c | 2 +- crypto/openssl-0.9/crypto/buffer/buf_err.c | 9 +- crypto/openssl-0.9/crypto/camellia/camellia.c | 130 +-- crypto/openssl-0.9/crypto/camellia/cmll_cbc.c | 145 ++- crypto/openssl-0.9/crypto/camellia/cmll_locl.h | 65 +- crypto/openssl-0.9/crypto/camellia/cmll_misc.c | 12 +- crypto/openssl-0.9/crypto/cast/c_ecb.c | 2 +- crypto/openssl-0.9/crypto/comp/c_zlib.c | 55 +- crypto/openssl-0.9/crypto/comp/comp_err.c | 9 +- crypto/openssl-0.9/crypto/conf/conf_def.c | 2 +- crypto/openssl-0.9/crypto/conf/conf_err.c | 9 +- crypto/openssl-0.9/crypto/conf/conf_lib.c | 2 +- crypto/openssl-0.9/crypto/cpt_err.c | 9 +- crypto/openssl-0.9/crypto/cryptlib.c | 2 +- crypto/openssl-0.9/crypto/des/des_ver.h | 4 +- crypto/openssl-0.9/crypto/des/ecb_enc.c | 4 +- crypto/openssl-0.9/crypto/dh/dh_err.c | 9 +- crypto/openssl-0.9/crypto/dh/dh_key.c | 2 +- crypto/openssl-0.9/crypto/dh/dh_lib.c | 2 +- crypto/openssl-0.9/crypto/dsa/dsa_err.c | 9 +- crypto/openssl-0.9/crypto/dsa/dsa_lib.c | 2 +- crypto/openssl-0.9/crypto/dso/dso_err.c | 9 +- crypto/openssl-0.9/crypto/ec/ec_asn1.c | 4 + crypto/openssl-0.9/crypto/ec/ec_err.c | 9 +- crypto/openssl-0.9/crypto/ecdh/ech_err.c | 11 +- crypto/openssl-0.9/crypto/ecdh/ech_lib.c | 2 +- crypto/openssl-0.9/crypto/ecdsa/ecdsa.h | 1 + crypto/openssl-0.9/crypto/ecdsa/ecs_err.c | 12 +- crypto/openssl-0.9/crypto/ecdsa/ecs_lib.c | 2 +- crypto/openssl-0.9/crypto/ecdsa/ecs_ossl.c | 15 +- crypto/openssl-0.9/crypto/engine/eng_all.c | 12 +- crypto/openssl-0.9/crypto/engine/eng_err.c | 9 +- crypto/openssl-0.9/crypto/engine/eng_padlock.c | 4 +- crypto/openssl-0.9/crypto/engine/tb_ecdh.c | 2 +- crypto/openssl-0.9/crypto/engine/tb_ecdsa.c | 2 +- crypto/openssl-0.9/crypto/err/err_all.c | 4 - crypto/openssl-0.9/crypto/evp/bio_md.c | 6 + crypto/openssl-0.9/crypto/evp/evp.h | 60 +- crypto/openssl-0.9/crypto/evp/evp_enc.c | 2 +- crypto/openssl-0.9/crypto/evp/evp_err.c | 9 +- crypto/openssl-0.9/crypto/evp/evp_lib.c | 109 ++ crypto/openssl-0.9/crypto/evp/evp_locl.h | 2 +- crypto/openssl-0.9/crypto/idea/i_ecb.c | 2 +- crypto/openssl-0.9/crypto/idea/idea_lcl.h | 2 +- crypto/openssl-0.9/crypto/lhash/lhash.c | 2 +- crypto/openssl-0.9/crypto/md2/md2.h | 1 + crypto/openssl-0.9/crypto/md2/md2_dgst.c | 2 +- crypto/openssl-0.9/crypto/md4/md4.h | 1 + crypto/openssl-0.9/crypto/md4/md4_dgst.c | 2 +- crypto/openssl-0.9/crypto/md5/md5.h | 1 + crypto/openssl-0.9/crypto/md5/md5_dgst.c | 2 +- crypto/openssl-0.9/crypto/objects/obj_dat.h | 28 +- crypto/openssl-0.9/crypto/objects/obj_err.c | 9 +- crypto/openssl-0.9/crypto/objects/obj_mac.h | 15 + crypto/openssl-0.9/crypto/ocsp/ocsp_asn.c | 2 +- crypto/openssl-0.9/crypto/ocsp/ocsp_err.c | 9 +- crypto/openssl-0.9/crypto/ocsp/ocsp_vfy.c | 2 +- crypto/openssl-0.9/crypto/opensslv.h | 6 +- crypto/openssl-0.9/crypto/pem/pem.h | 2 +- crypto/openssl-0.9/crypto/pem/pem_err.c | 9 +- crypto/openssl-0.9/crypto/pem/pem_lib.c | 7 +- crypto/openssl-0.9/crypto/pem/pem_pkey.c | 1 + crypto/openssl-0.9/crypto/pkcs12/pk12err.c | 9 +- crypto/openssl-0.9/crypto/pkcs7/pk7_doit.c | 71 +- crypto/openssl-0.9/crypto/pkcs7/pk7_lib.c | 42 +- crypto/openssl-0.9/crypto/pkcs7/pk7_smime.c | 84 +- crypto/openssl-0.9/crypto/pkcs7/pkcs7err.c | 9 +- crypto/openssl-0.9/crypto/rand/md_rand.c | 2 +- crypto/openssl-0.9/crypto/rand/rand_err.c | 9 +- crypto/openssl-0.9/crypto/rc2/rc2_ecb.c | 2 +- crypto/openssl-0.9/crypto/rc4/rc4_skey.c | 2 +- crypto/openssl-0.9/crypto/ripemd/ripemd.h | 1 + crypto/openssl-0.9/crypto/ripemd/rmd_dgst.c | 2 +- crypto/openssl-0.9/crypto/rsa/rsa_err.c | 11 +- crypto/openssl-0.9/crypto/rsa/rsa_lib.c | 2 +- crypto/openssl-0.9/crypto/sha/sha.h | 1 + crypto/openssl-0.9/crypto/sha/sha1dgst.c | 2 +- crypto/openssl-0.9/crypto/sha/sha256.c | 2 +- crypto/openssl-0.9/crypto/sha/sha512.c | 2 +- crypto/openssl-0.9/crypto/sha/sha_dgst.c | 2 +- crypto/openssl-0.9/crypto/stack/safestack.h | 66 ++ crypto/openssl-0.9/crypto/stack/stack.c | 2 +- crypto/openssl-0.9/crypto/store/str_err.c | 9 +- crypto/openssl-0.9/crypto/txt_db/txt_db.c | 2 +- crypto/openssl-0.9/crypto/ui/ui_err.c | 9 +- crypto/openssl-0.9/crypto/x509/by_dir.c | 10 +- crypto/openssl-0.9/crypto/x509/x509.h | 4 + crypto/openssl-0.9/crypto/x509/x509_err.c | 9 +- crypto/openssl-0.9/crypto/x509/x509_req.c | 5 + crypto/openssl-0.9/crypto/x509/x509_txt.c | 2 + crypto/openssl-0.9/crypto/x509/x509_vfy.c | 21 +- crypto/openssl-0.9/crypto/x509/x509_vfy.h | 1 + crypto/openssl-0.9/crypto/x509v3/ext_dat.h | 7 + crypto/openssl-0.9/crypto/x509v3/pcy_tree.c | 12 +- crypto/openssl-0.9/crypto/x509v3/v3_addr.c | 1280 ++++++++++++++++++++++++ crypto/openssl-0.9/crypto/x509v3/v3_akey.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_alt.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_asid.c | 842 ++++++++++++++++ crypto/openssl-0.9/crypto/x509v3/v3_bcons.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_bitst.c | 4 +- crypto/openssl-0.9/crypto/x509v3/v3_cpols.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_crld.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_enum.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_extku.c | 4 +- crypto/openssl-0.9/crypto/x509v3/v3_ia5.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_info.c | 4 +- crypto/openssl-0.9/crypto/x509v3/v3_int.c | 6 +- crypto/openssl-0.9/crypto/x509v3/v3_ncons.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_ocsp.c | 14 +- crypto/openssl-0.9/crypto/x509v3/v3_pci.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_pcons.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_pku.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_pmaps.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_purp.c | 10 + crypto/openssl-0.9/crypto/x509v3/v3_skey.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_sxnet.c | 2 +- crypto/openssl-0.9/crypto/x509v3/v3_utl.c | 5 +- crypto/openssl-0.9/crypto/x509v3/v3err.c | 27 +- crypto/openssl-0.9/crypto/x509v3/x509v3.h | 160 +++ crypto/openssl-0.9/ssl/d1_lib.c | 2 +- crypto/openssl-0.9/ssl/d1_pkt.c | 6 +- crypto/openssl-0.9/ssl/kssl.c | 45 +- crypto/openssl-0.9/ssl/s23_clnt.c | 1 - crypto/openssl-0.9/ssl/s23_srvr.c | 1 - crypto/openssl-0.9/ssl/s2_enc.c | 9 +- crypto/openssl-0.9/ssl/s2_lib.c | 2 +- crypto/openssl-0.9/ssl/s3_clnt.c | 6 +- crypto/openssl-0.9/ssl/s3_enc.c | 7 +- crypto/openssl-0.9/ssl/s3_lib.c | 10 +- crypto/openssl-0.9/ssl/s3_pkt.c | 6 +- crypto/openssl-0.9/ssl/s3_srvr.c | 29 +- crypto/openssl-0.9/ssl/ssl.h | 26 +- crypto/openssl-0.9/ssl/ssl_ciph.c | 50 +- crypto/openssl-0.9/ssl/ssl_err.c | 11 +- crypto/openssl-0.9/ssl/ssl_lib.c | 4 +- crypto/openssl-0.9/ssl/ssl_sess.c | 71 +- crypto/openssl-0.9/ssl/t1_enc.c | 11 +- crypto/openssl-0.9/ssl/t1_lib.c | 2 +- 166 files changed, 3722 insertions(+), 720 deletions(-) create mode 100644 crypto/openssl-0.9/crypto/x509v3/v3_addr.c create mode 100644 crypto/openssl-0.9/crypto/x509v3/v3_asid.c diff --git a/crypto/openssl-0.9/CHANGES b/crypto/openssl-0.9/CHANGES index b25fde5664..c5a639f989 100644 --- a/crypto/openssl-0.9/CHANGES +++ b/crypto/openssl-0.9/CHANGES @@ -2,6 +2,47 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8d and 0.9.8e [23 Feb 2007] + + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + + *) Since AES128 and AES256 (and similarly Camellia128 and + Camellia256) share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't + (or if Camellia128 is available and Camellia256 isn't). + [Victor Duchovni] + + *) Fix the BIT STRING encoding generated by crypto/ec/ec_asn1.c + (within i2d_ECPrivateKey, i2d_ECPKParameters, i2d_ECParameters): + When a point or a seed is encoded in a BIT STRING, we need to + prevent the removal of trailing zero bits to get the proper DER + encoding. (By default, crypto/asn1/a_bitstr.c assumes the case + of a NamedBitList, for which trailing 0 bits need to be removed.) + [Bodo Moeller] + + *) Have SSL/TLS server implementation tolerate "mismatched" record + protocol version while receiving ClientHello even if the + ClientHello is fragmented. (The server can't insist on the + particular protocol version it has chosen before the ServerHello + message has informed the client about his choice.) + [Bodo Moeller] + + *) Add RFC 3779 support. + [Rob Austein for ARIN, Ben Laurie] + + *) Load error codes if they are not already present instead of using a + static variable. This allows them to be cleanly unloaded and reloaded. + Improve header file function name parsing. + [Steve Henson] + + *) extend SMTP and IMAP protocol emulation in s_client to use EHLO + or CAPABILITY handshake as required by RFCs. + [Goetz Babin-Ebell] + Changes between 0.9.8c and 0.9.8d [28 Sep 2006] *) Introduce limits to prevent malicious keys being able to @@ -77,7 +118,7 @@ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really appear there. - Also deactive the remaining ciphersuites from + Also deactivate the remaining ciphersuites from draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as unofficial, and the ID has long expired. [Bodo Moeller] @@ -1006,7 +1047,48 @@ differing sizes. [Richard Levitte] - Changes between 0.9.7k and 0.9.7l [xx XXX xxxx] + Changes between 0.9.7l and 0.9.7m [xx XXX xxxx] + + *) Cleanse PEM buffers before freeing them since they may contain + sensitive data. + [Benjamin Bennett ] + + *) Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that + a ciphersuite string such as "DEFAULT:RSA" cannot enable + authentication-only ciphersuites. + [Bodo Moeller] + + *) Since AES128 and AES256 share a single mask bit in the logic of + ssl/ssl_ciph.c, the code for masking out disabled ciphers needs a + kludge to work properly if AES128 is available and AES256 isn't. + [Victor Duchovni] + + *) Have SSL/TLS server implementation tolerate "mismatched" record + protocol version while receiving ClientHello even if the + ClientHello is fragmented. (The server can't insist on the + particular protocol version it has chosen before the ServerHello + message has informed the client about his choice.) + [Bodo Moeller] + + *) Load error codes if they are not already present instead of using a + static variable. This allows them to be cleanly unloaded and reloaded. + [Steve Henson] + + Changes between 0.9.7k and 0.9.7l [28 Sep 2006] + + *) Introduce limits to prevent malicious keys being able to + cause a denial of service. (CVE-2006-2940) + [Steve Henson, Bodo Moeller] + + *) Fix ASN.1 parsing of certain invalid structures that can result + in a denial of service. (CVE-2006-2937) [Steve Henson] + + *) Fix buffer overflow in SSL_get_shared_ciphers() function. + (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] + + *) Fix SSL client code which could crash if connecting to a + malicious SSLv2 server. (CVE-2006-4343) + [Tavis Ormandy and Will Drewry, Google Security Team] *) Change ciphersuite string processing so that an explicit ciphersuite selects this one ciphersuite (so that "AES256-SHA" diff --git a/crypto/openssl-0.9/FAQ b/crypto/openssl-0.9/FAQ index bee5094c50..74bf952ddc 100644 --- a/crypto/openssl-0.9/FAQ +++ b/crypto/openssl-0.9/FAQ @@ -74,7 +74,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8d was released on September 28th, 2006. +OpenSSL 0.9.8e was released on February 23rd, 2007. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at #include #include +#include #undef BUFSIZE #define BUFSIZE 1024*8 @@ -75,7 +76,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file); + const char *file,BIO *bmd,const char *hmac_key); int MAIN(int, char **); @@ -104,6 +105,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif + char *hmac_key=NULL; apps_startup(); @@ -188,6 +190,12 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; + else if (!strcmp(*argv,"-hmac")) + { + if (--argc < 1) + break; + hmac_key=*++argv; + } else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) md=m; else @@ -261,7 +269,7 @@ int MAIN(int argc, char **argv) { BIO_set_callback(in,BIO_debug_callback); /* needed for windows 3.1 */ - BIO_set_callback_arg(in,bio_err); + BIO_set_callback_arg(in,(char *)bio_err); } if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) @@ -358,7 +366,7 @@ int MAIN(int argc, char **argv) { BIO_set_fp(in,stdin,BIO_NOCLOSE); err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, - siglen,"","(stdin)"); + siglen,"","(stdin)",bmd,hmac_key); } else { @@ -376,14 +384,15 @@ int MAIN(int argc, char **argv) } if(!out_bin) { - size_t len = strlen(name)+strlen(argv[i])+5; + size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5; tmp=tofree=OPENSSL_malloc(len); - BIO_snprintf(tmp,len,"%s(%s)= ",name,argv[i]); + BIO_snprintf(tmp,len,"%s%s(%s)= ", + hmac_key ? "HMAC-" : "",name,argv[i]); } else tmp=""; r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, - siglen,tmp,argv[i]); + siglen,tmp,argv[i],bmd,hmac_key); if(r) err=r; if(tofree) @@ -410,11 +419,23 @@ end: int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title, - const char *file) + const char *file,BIO *bmd,const char *hmac_key) { - int len; + unsigned int len; int i; + EVP_MD_CTX *md_ctx; + HMAC_CTX hmac_ctx; + + if (hmac_key) + { + EVP_MD *md; + BIO_get_md(bmd,&md); + HMAC_CTX_init(&hmac_ctx); + HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL); + BIO_get_md_ctx(bmd,&md_ctx); + BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx); + } for (;;) { i=BIO_read(bp,(char *)buf,BUFSIZE); @@ -457,6 +478,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, return 1; } } + else if(hmac_key) + { + HMAC_Final(&hmac_ctx,buf,&len); + HMAC_CTX_cleanup(&hmac_ctx); + } else len=BIO_gets(bp,(char *)buf,BUFSIZE); @@ -464,7 +490,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, else { BIO_write(out,title,strlen(title)); - for (i=0; i= 0) + BIO_printf (bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); + else + ERR_print_errors(bio_err); goto export_end; } } @@ -811,7 +814,7 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; STACK_OF(X509) *chn; - int i; + int i = 0; /* FIXME: Should really check the return status of X509_STORE_CTX_init * for an error, but how that fits into the return value of this @@ -819,13 +822,17 @@ int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) X509_STORE_CTX_init(&store_ctx, store, cert, NULL); if (X509_verify_cert(&store_ctx) <= 0) { i = X509_STORE_CTX_get_error (&store_ctx); + if (i == 0) + /* avoid returning 0 if X509_verify_cert() did not + * set an appropriate error value in the context */ + i = -1; + chn = NULL; goto err; - } - chn = X509_STORE_CTX_get1_chain(&store_ctx); - i = 0; - *chain = chn; + } else + chn = X509_STORE_CTX_get1_chain(&store_ctx); err: X509_STORE_CTX_cleanup(&store_ctx); + *chain = chn; return i; } diff --git a/crypto/openssl-0.9/apps/s_client.c b/crypto/openssl-0.9/apps/s_client.c index 4a1857f3a8..3f302c5f14 100644 --- a/crypto/openssl-0.9/apps/s_client.c +++ b/crypto/openssl-0.9/apps/s_client.c @@ -226,7 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n"); BIO_printf(bio_err," for those protocols that support it, where\n"); BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n"); + BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -234,6 +234,15 @@ static void sc_usage(void) } +enum +{ + PROTO_OFF = 0, + PROTO_SMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP +}; + int MAIN(int, char **); int MAIN(int argc, char **argv) @@ -260,7 +269,7 @@ int MAIN(int argc, char **argv) int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; int ret=1,in_init=1,i,nbio_test=0; - int starttls_proto = 0; + int starttls_proto = PROTO_OFF; int prexit = 0, vflags = 0; SSL_METHOD *meth=NULL; #ifdef sock_type @@ -269,6 +278,7 @@ int MAIN(int argc, char **argv) int sock_type=SOCK_STREAM; BIO *sbio; char *inrand=NULL; + int mbuf_len=0; #ifndef OPENSSL_NO_ENGINE char *engine_id=NULL; ENGINE *e=NULL; @@ -466,9 +476,13 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; ++argv; if (strcmp(*argv,"smtp") == 0) - starttls_proto = 1; + starttls_proto = PROTO_SMTP; else if (strcmp(*argv,"pop3") == 0) - starttls_proto = 2; + starttls_proto = PROTO_POP3; + else if (strcmp(*argv,"imap") == 0) + starttls_proto = PROTO_IMAP; + else if (strcmp(*argv,"ftp") == 0) + starttls_proto = PROTO_FTP; else goto bad; } @@ -693,7 +707,7 @@ re_start: { con->debug=1; BIO_set_callback(sbio,bio_dump_callback); - BIO_set_callback_arg(sbio,bio_c_out); + BIO_set_callback_arg(sbio,(char *)bio_c_out); } if (c_msg) { @@ -719,18 +733,93 @@ re_start: sbuf_off=0; /* This is an ugly hack that does a lot of assumptions */ - if (starttls_proto == 1) + /* We do have to handle multi-line responses which may come + in a single packet or not. We therefore have to use + BIO_gets() which does need a buffering BIO. So during + the initial chitchat we do push a buffering BIO into the + chain that is removed again later on to not disturb the + rest of the s_client operation. */ + if (starttls_proto == PROTO_SMTP) { - BIO_read(sbio,mbuf,BUFSIZZ); + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + /* STARTTLS command requires EHLO... */ + BIO_printf(fbio,"EHLO openssl.client.net\r\n"); + BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found starttls in server response," + " try anyway...\n"); BIO_printf(sbio,"STARTTLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } - if (starttls_proto == 2) + else if (starttls_proto == PROTO_POP3) { BIO_read(sbio,mbuf,BUFSIZZ); BIO_printf(sbio,"STLS\r\n"); BIO_read(sbio,sbuf,BUFSIZZ); } + else if (starttls_proto == PROTO_IMAP) + { + int foundit=0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio,mbuf,BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio,". CAPABILITY\r\n"); + BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + if (strstr(mbuf,"STARTTLS")) + foundit=1; + } + while (mbuf_len>3 && mbuf[0]!='.'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found STARTTLS in server response," + " try anyway...\n"); + BIO_printf(sbio,". STARTTLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } + else if (starttls_proto == PROTO_FTP) + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do + { + mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ); + } + while (mbuf_len>3 && mbuf[3]=='-'); + BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio,"AUTH TLS\r\n"); + BIO_read(sbio,sbuf,BUFSIZZ); + } for (;;) { @@ -755,7 +844,7 @@ re_start: { BIO_printf(bio_err,"%s",mbuf); /* We don't need to know any more */ - starttls_proto = 0; + starttls_proto = PROTO_OFF; } if (reconnect) diff --git a/crypto/openssl-0.9/apps/s_server.c b/crypto/openssl-0.9/apps/s_server.c index 0d6727ca43..6c433e63fd 100644 --- a/crypto/openssl-0.9/apps/s_server.c +++ b/crypto/openssl-0.9/apps/s_server.c @@ -1234,7 +1234,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { @@ -1638,7 +1638,7 @@ static int www_body(char *hostname, int s, unsigned char *context) { con->debug=1; BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); - BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); + BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } if (s_msg) { diff --git a/crypto/openssl-0.9/crypto/aes/aes_misc.c b/crypto/openssl-0.9/crypto/aes/aes_misc.c index 090def25d5..4fead1b4c7 100644 --- a/crypto/openssl-0.9/crypto/aes/aes_misc.c +++ b/crypto/openssl-0.9/crypto/aes/aes_misc.c @@ -53,7 +53,7 @@ #include #include "aes_locl.h" -const char *AES_version="AES" OPENSSL_VERSION_PTEXT; +const char AES_version[]="AES" OPENSSL_VERSION_PTEXT; const char *AES_options(void) { #ifdef FULL_UNROLL diff --git a/crypto/openssl-0.9/crypto/asn1/a_strex.c b/crypto/openssl-0.9/crypto/asn1/a_strex.c index fc743c2ad0..c2dbb6f9a5 100644 --- a/crypto/openssl-0.9/crypto/asn1/a_strex.c +++ b/crypto/openssl-0.9/crypto/asn1/a_strex.c @@ -170,7 +170,7 @@ static int do_buf(unsigned char *buf, int buflen, q = buf + buflen; outlen = 0; while(p != q) { - if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253; + if(p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253; else orflags = 0; switch(type & BUF_TYPE_WIDTH_MASK) { case 4: @@ -197,7 +197,7 @@ static int do_buf(unsigned char *buf, int buflen, default: return -1; /* invalid width */ } - if (p == q) orflags = CHARTYPE_LAST_ESC_2253; + if (p == q && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_LAST_ESC_2253; if(type & BUF_TYPE_CONVUTF8) { unsigned char utfbuf[6]; int utflen; diff --git a/crypto/openssl-0.9/crypto/asn1/asn1_err.c b/crypto/openssl-0.9/crypto/asn1/asn1_err.c index c672d2ebe5..f6b5c3f3dd 100644 --- a/crypto/openssl-0.9/crypto/asn1/asn1_err.c +++ b/crypto/openssl-0.9/crypto/asn1/asn1_err.c @@ -123,7 +123,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I), "ASN1_TEMPLATE_EX_D2I"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW), "ASN1_TEMPLATE_NEW"}, {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I), "ASN1_TEMPLATE_NOEXP_D2I"}, -{ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_SET"}, +{ERR_FUNC(ASN1_F_ASN1_TIME_SET), "ASN1_TIME_set"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING), "ASN1_TYPE_get_int_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING), "ASN1_TYPE_get_octetstring"}, {ERR_FUNC(ASN1_F_ASN1_UNPACK_STRING), "ASN1_unpack_string"}, @@ -168,10 +168,10 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_FUNC(ASN1_F_OID_MODULE_INIT), "OID_MODULE_INIT"}, {ERR_FUNC(ASN1_F_PARSE_TAGGING), "PARSE_TAGGING"}, {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET), "PKCS5_pbe2_set"}, -{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_PBE_SET"}, +{ERR_FUNC(ASN1_F_PKCS5_PBE_SET), "PKCS5_pbe_set"}, {ERR_FUNC(ASN1_F_X509_CINF_NEW), "X509_CINF_NEW"}, -{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_ADD0_REVOKED"}, -{ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_NEW"}, +{ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED), "X509_CRL_add0_revoked"}, +{ERR_FUNC(ASN1_F_X509_INFO_NEW), "X509_INFO_new"}, {ERR_FUNC(ASN1_F_X509_NAME_ENCODE), "X509_NAME_ENCODE"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_D2I), "X509_NAME_EX_D2I"}, {ERR_FUNC(ASN1_F_X509_NAME_EX_NEW), "X509_NAME_EX_NEW"}, @@ -287,15 +287,12 @@ static ERR_STRING_DATA ASN1_str_reasons[]= void ERR_load_ASN1_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(ASN1_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,ASN1_str_functs); ERR_load_strings(0,ASN1_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/asn1/asn1_lib.c b/crypto/openssl-0.9/crypto/asn1/asn1_lib.c index bb94257cee..d5ae5b2258 100644 --- a/crypto/openssl-0.9/crypto/asn1/asn1_lib.c +++ b/crypto/openssl-0.9/crypto/asn1/asn1_lib.c @@ -64,7 +64,7 @@ static int asn1_get_length(const unsigned char **pp,int *inf,long *rl,int max); static void asn1_put_length(unsigned char **pp, int length); -const char *ASN1_version="ASN.1" OPENSSL_VERSION_PTEXT; +const char ASN1_version[]="ASN.1" OPENSSL_VERSION_PTEXT; static int _asn1_check_infinite_end(const unsigned char **p, long len) { diff --git a/crypto/openssl-0.9/crypto/asn1/asn1t.h b/crypto/openssl-0.9/crypto/asn1/asn1t.h index cc0cd1c842..adbc2a63dd 100644 --- a/crypto/openssl-0.9/crypto/asn1/asn1t.h +++ b/crypto/openssl-0.9/crypto/asn1/asn1t.h @@ -99,7 +99,7 @@ extern "C" { #define ASN1_ITEM_start(itname) \ const ASN1_ITEM * itname##_it(void) \ { \ - static const ASN1_ITEM local_it = { \ + static const ASN1_ITEM local_it = { #define ASN1_ITEM_end(itname) \ }; \ diff --git a/crypto/openssl-0.9/crypto/asn1/t_x509.c b/crypto/openssl-0.9/crypto/asn1/t_x509.c index 61f48d14d7..fe2ea4046d 100644 --- a/crypto/openssl-0.9/crypto/asn1/t_x509.c +++ b/crypto/openssl-0.9/crypto/asn1/t_x509.c @@ -445,9 +445,9 @@ err: int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) { char *s,*c,*b; - int ret=0,l,ll,i,first=1; + int ret=0,l,i; - ll=80-2-obase; + l=80-2-obase; b=s=X509_NAME_oneline(name,NULL,0); if (!*s) @@ -457,7 +457,6 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) } s++; /* skip the first slash */ - l=ll; c=s; for (;;) { @@ -479,16 +478,6 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) (*s == '\0')) #endif { - if ((l <= 0) && !first) - { - first=0; - if (BIO_write(bp,"\n",1) != 1) goto err; - for (i=0; iex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; +#ifndef OPENSSL_NO_RFC3779 + ret->rfc3779_addr = NULL; + ret->rfc3779_asid = NULL; +#endif ret->aux = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); break; @@ -109,6 +113,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it) ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); policy_cache_free(ret->policy_cache); +#ifndef OPENSSL_NO_RFC3779 + sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); + ASIdentifiers_free(ret->rfc3779_asid); +#endif if (ret->name != NULL) OPENSSL_free(ret->name); break; diff --git a/crypto/openssl-0.9/crypto/bf/bf_ecb.c b/crypto/openssl-0.9/crypto/bf/bf_ecb.c index 341991636f..1607cefa32 100644 --- a/crypto/openssl-0.9/crypto/bf/bf_ecb.c +++ b/crypto/openssl-0.9/crypto/bf/bf_ecb.c @@ -65,7 +65,7 @@ * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993) */ -const char *BF_version="Blowfish" OPENSSL_VERSION_PTEXT; +const char BF_version[]="Blowfish" OPENSSL_VERSION_PTEXT; const char *BF_options(void) { diff --git a/crypto/openssl-0.9/crypto/bio/bio.h b/crypto/openssl-0.9/crypto/bio/bio.h index 07333cf0b3..2c9e8a7c80 100644 --- a/crypto/openssl-0.9/crypto/bio/bio.h +++ b/crypto/openssl-0.9/crypto/bio/bio.h @@ -196,28 +196,32 @@ extern "C" { */ #define BIO_FLAGS_MEM_RDONLY 0x200 -#define BIO_set_flags(b,f) ((b)->flags|=(f)) -#define BIO_get_flags(b) ((b)->flags) +typedef struct bio_st BIO; + +void BIO_set_flags(BIO *b, int flags); +int BIO_test_flags(const BIO *b, int flags); +void BIO_clear_flags(BIO *b, int flags); + +#define BIO_get_flags(b) BIO_test_flags(b, ~(0x0)) #define BIO_set_retry_special(b) \ - ((b)->flags|=(BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_IO_SPECIAL|BIO_FLAGS_SHOULD_RETRY)) #define BIO_set_retry_read(b) \ - ((b)->flags|=(BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)) #define BIO_set_retry_write(b) \ - ((b)->flags|=(BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY)) + BIO_set_flags(b, (BIO_FLAGS_WRITE|BIO_FLAGS_SHOULD_RETRY)) /* These are normally used internally in BIOs */ -#define BIO_clear_flags(b,f) ((b)->flags&= ~(f)) #define BIO_clear_retry_flags(b) \ - ((b)->flags&= ~(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) + BIO_clear_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) #define BIO_get_retry_flags(b) \ - ((b)->flags&(BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) + BIO_test_flags(b, (BIO_FLAGS_RWS|BIO_FLAGS_SHOULD_RETRY)) /* These should be used by the application to tell why we should retry */ -#define BIO_should_read(a) ((a)->flags & BIO_FLAGS_READ) -#define BIO_should_write(a) ((a)->flags & BIO_FLAGS_WRITE) -#define BIO_should_io_special(a) ((a)->flags & BIO_FLAGS_IO_SPECIAL) -#define BIO_retry_type(a) ((a)->flags & BIO_FLAGS_RWS) -#define BIO_should_retry(a) ((a)->flags & BIO_FLAGS_SHOULD_RETRY) +#define BIO_should_read(a) BIO_test_flags(a, BIO_FLAGS_READ) +#define BIO_should_write(a) BIO_test_flags(a, BIO_FLAGS_WRITE) +#define BIO_should_io_special(a) BIO_test_flags(a, BIO_FLAGS_IO_SPECIAL) +#define BIO_retry_type(a) BIO_test_flags(a, BIO_FLAGS_RWS) +#define BIO_should_retry(a) BIO_test_flags(a, BIO_FLAGS_SHOULD_RETRY) /* The next three are used in conjunction with the * BIO_should_io_special() condition. After this returns true, @@ -246,14 +250,14 @@ extern "C" { #define BIO_cb_pre(a) (!((a)&BIO_CB_RETURN)) #define BIO_cb_post(a) ((a)&BIO_CB_RETURN) -#define BIO_set_callback(b,cb) ((b)->callback=(cb)) -#define BIO_set_callback_arg(b,arg) ((b)->cb_arg=(char *)(arg)) -#define BIO_get_callback_arg(b) ((b)->cb_arg) -#define BIO_get_callback(b) ((b)->callback) -#define BIO_method_name(b) ((b)->method->name) -#define BIO_method_type(b) ((b)->method->type) +long (*BIO_get_callback(const BIO *b)) (struct bio_st *,int,const char *,int, long,long); +void BIO_set_callback(BIO *b, + long (*callback)(struct bio_st *,int,const char *,int, long,long)); +char *BIO_get_callback_arg(const BIO *b); +void BIO_set_callback_arg(BIO *b, char *arg); -typedef struct bio_st BIO; +const char * BIO_method_name(const BIO *b); +int BIO_method_type(const BIO *b); typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long); @@ -386,6 +390,7 @@ typedef struct bio_f_buffer_ctx_struct #define BIO_C_NWRITE0 145 #define BIO_C_NWRITE 146 #define BIO_C_RESET_READ_REQUEST 147 +#define BIO_C_SET_MD_CTX 148 #define BIO_set_app_data(s,arg) BIO_set_ex_data(s,0,arg) diff --git a/crypto/openssl-0.9/crypto/bio/bio_err.c b/crypto/openssl-0.9/crypto/bio/bio_err.c index 426f8d13c6..6603f1c74d 100644 --- a/crypto/openssl-0.9/crypto/bio/bio_err.c +++ b/crypto/openssl-0.9/crypto/bio/bio_err.c @@ -143,15 +143,12 @@ static ERR_STRING_DATA BIO_str_reasons[]= void ERR_load_BIO_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(BIO_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,BIO_str_functs); ERR_load_strings(0,BIO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/bio/bio_lib.c b/crypto/openssl-0.9/crypto/bio/bio_lib.c index dcc989f9d6..3f52ae953c 100644 --- a/crypto/openssl-0.9/crypto/bio/bio_lib.c +++ b/crypto/openssl-0.9/crypto/bio/bio_lib.c @@ -141,6 +141,52 @@ int BIO_free(BIO *a) void BIO_vfree(BIO *a) { BIO_free(a); } +void BIO_clear_flags(BIO *b, int flags) + { + b->flags &= ~flags; + } + +int BIO_test_flags(const BIO *b, int flags) + { + return (b->flags & flags); + } + +void BIO_set_flags(BIO *b, int flags) + { + b->flags |= flags; + } + +long (*BIO_get_callback(const BIO *b))(struct bio_st *,int,const char *,int, long,long) + { + return b->callback; + } + +void BIO_set_callback(BIO *b, long (*cb)(struct bio_st *,int,const char *,int, long,long)) + { + b->callback = cb; + } + +void BIO_set_callback_arg(BIO *b, char *arg) + { + b->cb_arg = arg; + } + +char * BIO_get_callback_arg(const BIO *b) + { + return b->cb_arg; + } + +const char * BIO_method_name(const BIO *b) + { + return b->method->name; + } + +int BIO_method_type(const BIO *b) + { + return b->method->type; + } + + int BIO_read(BIO *b, void *out, int outl) { int i; diff --git a/crypto/openssl-0.9/crypto/bn/bn_err.c b/crypto/openssl-0.9/crypto/bn/bn_err.c index a253959a5c..24fbbb772d 100644 --- a/crypto/openssl-0.9/crypto/bn/bn_err.c +++ b/crypto/openssl-0.9/crypto/bn/bn_err.c @@ -137,15 +137,12 @@ static ERR_STRING_DATA BN_str_reasons[]= void ERR_load_BN_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(BN_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,BN_str_functs); ERR_load_strings(0,BN_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/bn/bn_lib.c b/crypto/openssl-0.9/crypto/bn/bn_lib.c index 3c4d5459f6..210ccb42bb 100644 --- a/crypto/openssl-0.9/crypto/bn/bn_lib.c +++ b/crypto/openssl-0.9/crypto/bn/bn_lib.c @@ -67,7 +67,7 @@ #include "cryptlib.h" #include "bn_lcl.h" -const char *BN_version="Big Number" OPENSSL_VERSION_PTEXT; +const char BN_version[]="Big Number" OPENSSL_VERSION_PTEXT; /* This stuff appears to be completely unused, so is deprecated */ #ifndef OPENSSL_NO_DEPRECATED diff --git a/crypto/openssl-0.9/crypto/bn/bn_print.c b/crypto/openssl-0.9/crypto/bn/bn_print.c index 055d048856..810dde34e1 100644 --- a/crypto/openssl-0.9/crypto/bn/bn_print.c +++ b/crypto/openssl-0.9/crypto/bn/bn_print.c @@ -62,7 +62,7 @@ #include #include "bn_lcl.h" -static const char *Hex="0123456789ABCDEF"; +static const char Hex[]="0123456789ABCDEF"; /* Must 'OPENSSL_free' the returned data */ char *BN_bn2hex(const BIGNUM *a) diff --git a/crypto/openssl-0.9/crypto/buffer/buf_err.c b/crypto/openssl-0.9/crypto/buffer/buf_err.c index 8fc67d3542..3e25bbe879 100644 --- a/crypto/openssl-0.9/crypto/buffer/buf_err.c +++ b/crypto/openssl-0.9/crypto/buffer/buf_err.c @@ -88,15 +88,12 @@ static ERR_STRING_DATA BUF_str_reasons[]= void ERR_load_BUF_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(BUF_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,BUF_str_functs); ERR_load_strings(0,BUF_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/camellia/camellia.c b/crypto/openssl-0.9/crypto/camellia/camellia.c index 63505464a8..491c26b39e 100644 --- a/crypto/openssl-0.9/crypto/camellia/camellia.c +++ b/crypto/openssl-0.9/crypto/camellia/camellia.c @@ -76,12 +76,7 @@ #include "camellia.h" #include "cmll_locl.h" -/* - * must be defined uint32_t - */ - /* key constants */ - #define CAMELLIA_SIGMA1L (0xA09E667FL) #define CAMELLIA_SIGMA1R (0x3BCC908BL) #define CAMELLIA_SIGMA2L (0xB67AE858L) @@ -100,18 +95,9 @@ */ /* e is pointer of subkey */ -#ifdef L_ENDIAN - -#define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2 + 1]) -#define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2]) - -#else /* big endian */ - #define CamelliaSubkeyL(INDEX) (subkey[(INDEX)*2]) #define CamelliaSubkeyR(INDEX) (subkey[(INDEX)*2 + 1]) -#endif /* IS_LITTLE_ENDIAN */ - /* rotation right shift 1byte */ #define CAMELLIA_RR8(x) (((x) >> 8) + ((x) << 24)) /* rotation left shift 1bit */ @@ -170,44 +156,6 @@ do \ * for speed up * */ -#if !defined(_MSC_VER) - -#define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \ -do \ - { \ - t0 = kll; \ - t2 = krr; \ - t0 &= ll; \ - t2 |= rr; \ - rl ^= t2; \ - lr ^= CAMELLIA_RL1(t0); \ - t3 = krl; \ - t1 = klr; \ - t3 &= rl; \ - t1 |= lr; \ - ll ^= t1; \ - rr ^= CAMELLIA_RL1(t3); \ - } while(0) - -#define CAMELLIA_ROUNDSM(xl, xr, kl, kr, yl, yr, il, ir, t0, t1) \ -do \ - { \ - ir = CAMELLIA_SP1110(xr & 0xff); \ - il = CAMELLIA_SP1110((xl>>24) & 0xff); \ - ir ^= CAMELLIA_SP0222((xr>>24) & 0xff); \ - il ^= CAMELLIA_SP0222((xl>>16) & 0xff); \ - ir ^= CAMELLIA_SP3033((xr>>16) & 0xff); \ - il ^= CAMELLIA_SP3033((xl>>8) & 0xff); \ - ir ^= CAMELLIA_SP4404((xr>>8) & 0xff); \ - il ^= CAMELLIA_SP4404(xl & 0xff); \ - il ^= kl; \ - ir ^= il ^ kr; \ - yl ^= ir; \ - yr ^= CAMELLIA_RR8(il) ^ ir; \ - } while(0) - -#else /* for MS-VC */ - #define CAMELLIA_FLS(ll, lr, rl, rr, kll, klr, krl, krr, t0, t1, t2, t3) \ do \ { \ @@ -249,9 +197,8 @@ do \ yl ^= ir; \ yr ^= il; \ } while(0) -#endif -static const uint32_t camellia_sp1110[256] = +static const u32 camellia_sp1110[256] = { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, @@ -319,7 +266,7 @@ static const uint32_t camellia_sp1110[256] = 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, }; -static const uint32_t camellia_sp0222[256] = +static const u32 camellia_sp0222[256] = { 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, @@ -387,7 +334,7 @@ static const uint32_t camellia_sp0222[256] = 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, }; -static const uint32_t camellia_sp3033[256] = +static const u32 camellia_sp3033[256] = { 0x38003838,0x41004141,0x16001616,0x76007676, 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, @@ -455,7 +402,7 @@ static const uint32_t camellia_sp3033[256] = 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, }; -static const uint32_t camellia_sp4404[256] = +static const u32 camellia_sp4404[256] = { 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, @@ -523,20 +470,19 @@ static const uint32_t camellia_sp4404[256] = 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, }; - /** * Stuff related to the Camellia key schedule */ #define subl(x) subL[(x)] #define subr(x) subR[(x)] -void camellia_setup128(const unsigned char *key, uint32_t *subkey) +void camellia_setup128(const u8 *key, u32 *subkey) { - uint32_t kll, klr, krl, krr; - uint32_t il, ir, t0, t1, w0, w1; - uint32_t kw4l, kw4r, dw, tl, tr; - uint32_t subL[26]; - uint32_t subR[26]; + u32 kll, klr, krl, krr; + u32 il, ir, t0, t1, w0, w1; + u32 kw4l, kw4r, dw, tl, tr; + u32 subL[26]; + u32 subR[26]; /** * k == kll || klr || krl || krr (|| is concatination) @@ -833,14 +779,14 @@ void camellia_setup128(const unsigned char *key, uint32_t *subkey) return; } -void camellia_setup256(const unsigned char *key, uint32_t *subkey) +void camellia_setup256(const u8 *key, u32 *subkey) { - uint32_t kll,klr,krl,krr; /* left half of key */ - uint32_t krll,krlr,krrl,krrr; /* right half of key */ - uint32_t il, ir, t0, t1, w0, w1; /* temporary variables */ - uint32_t kw4l, kw4r, dw, tl, tr; - uint32_t subL[34]; - uint32_t subR[34]; + u32 kll,klr,krl,krr; /* left half of key */ + u32 krll,krlr,krrl,krrr; /* right half of key */ + u32 il, ir, t0, t1, w0, w1; /* temporary variables */ + u32 kw4l, kw4r, dw, tl, tr; + u32 subL[34]; + u32 subR[34]; /** * key = (kll || klr || krl || krr || krll || krlr || krrl || krrr) @@ -1245,18 +1191,18 @@ void camellia_setup256(const unsigned char *key, uint32_t *subkey) return; } -void camellia_setup192(const unsigned char *key, uint32_t *subkey) +void camellia_setup192(const u8 *key, u32 *subkey) { - unsigned char kk[32]; - uint32_t krll, krlr, krrl,krrr; + u8 kk[32]; + u32 krll, krlr, krrl,krrr; memcpy(kk, key, 24); - memcpy((unsigned char *)&krll, key+16,4); - memcpy((unsigned char *)&krlr, key+20,4); + memcpy((u8 *)&krll, key+16,4); + memcpy((u8 *)&krlr, key+20,4); krrl = ~krll; krrr = ~krlr; - memcpy(kk+24, (unsigned char *)&krrl, 4); - memcpy(kk+28, (unsigned char *)&krrr, 4); + memcpy(kk+24, (u8 *)&krrl, 4); + memcpy(kk+28, (u8 *)&krrr, 4); camellia_setup256(kk, subkey); return; } @@ -1265,11 +1211,10 @@ void camellia_setup192(const unsigned char *key, uint32_t *subkey) /** * Stuff related to camellia encryption/decryption */ -void camellia_encrypt128(const uint32_t *subkey, uint32_t *io) +void camellia_encrypt128(const u32 *subkey, u32 *io) { - uint32_t il, ir, t0, t1; + u32 il, ir, t0, t1; - SWAP4WORD(io); /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(0); io[1] ^= CamelliaSubkeyR(0); @@ -1352,16 +1297,13 @@ void camellia_encrypt128(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); - + return; } -void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) +void camellia_decrypt128(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ - - SWAP4WORD(io); + u32 il,ir,t0,t1; /* temporary valiables */ /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(24); @@ -1445,7 +1387,6 @@ void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } @@ -1453,11 +1394,9 @@ void camellia_decrypt128(const uint32_t *subkey, uint32_t *io) /** * stuff for 192 and 256bit encryption/decryption */ -void camellia_encrypt256(const uint32_t *subkey, uint32_t *io) +void camellia_encrypt256(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ - - SWAP4WORD(io); + u32 il,ir,t0,t1; /* temporary valiables */ /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(0); @@ -1565,16 +1504,14 @@ void camellia_encrypt256(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } -void camellia_decrypt256(const uint32_t *subkey, uint32_t *io) +void camellia_decrypt256(const u32 *subkey, u32 *io) { - uint32_t il,ir,t0,t1; /* temporary valiables */ + u32 il,ir,t0,t1; /* temporary valiables */ - SWAP4WORD(io); /* pre whitening but absorb kw2*/ io[0] ^= CamelliaSubkeyL(32); io[1] ^= CamelliaSubkeyR(32); @@ -1681,7 +1618,6 @@ void camellia_decrypt256(const uint32_t *subkey, uint32_t *io) io[1] = io[3]; io[2] = t0; io[3] = t1; - SWAP4WORD(io); return; } diff --git a/crypto/openssl-0.9/crypto/camellia/cmll_cbc.c b/crypto/openssl-0.9/crypto/camellia/cmll_cbc.c index 24080e14f5..4141a7b59b 100644 --- a/crypto/openssl-0.9/crypto/camellia/cmll_cbc.c +++ b/crypto/openssl-0.9/crypto/camellia/cmll_cbc.c @@ -67,25 +67,28 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, unsigned long n; unsigned long len = length; - unsigned char tmp[CAMELLIA_BLOCK_SIZE]; const unsigned char *iv = ivec; - uint32_t t32[UNITSIZE]; + union { u32 t32[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + u8 t8 [CAMELLIA_BLOCK_SIZE]; } tmp; + const union { long one; char little; } camellia_endian = {1}; assert(in && out && key && ivec); assert((CAMELLIA_ENCRYPT == enc)||(CAMELLIA_DECRYPT == enc)); - if(((size_t)in) % ALIGN == 0 - && ((size_t)out) % ALIGN == 0 - && ((size_t)ivec) % ALIGN == 0) + if(((size_t)in|(size_t)out|(size_t)ivec) % sizeof(u32) == 0) { if (CAMELLIA_ENCRYPT == enc) { while (len >= CAMELLIA_BLOCK_SIZE) { - XOR4WORD2((uint32_t *)out, - (uint32_t *)in, (uint32_t *)iv); - key->enc(key->rd_key, (uint32_t *)out); + XOR4WORD2((u32 *)out, + (u32 *)in, (u32 *)iv); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->enc(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); iv = out; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -97,7 +100,11 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, out[n] = in[n] ^ iv[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) out[n] = iv[n]; - key->enc(key->rd_key, (uint32_t *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->enc(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); iv = out; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -107,8 +114,12 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, while (len >= CAMELLIA_BLOCK_SIZE) { memcpy(out,in,CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,(uint32_t *)out); - XOR4WORD((uint32_t *)out, (uint32_t *)iv); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key,(u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + XOR4WORD((u32 *)out, (u32 *)iv); iv = in; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -116,10 +127,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, (uint32_t *)tmp); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] = tmp[n] ^ iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -128,23 +143,31 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, (uint32_t *)out); - XOR4WORD((uint32_t *)out, (uint32_t *)ivec); - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key, (u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + XOR4WORD((u32 *)out, (u32 *)ivec); + memcpy(ivec, tmp.t8, CAMELLIA_BLOCK_SIZE); len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; out += CAMELLIA_BLOCK_SIZE; } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,(uint32_t *)out); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); + key->dec(key->rd_key,(u32 *)out); + if (camellia_endian.little) + SWAP4WORD((u32 *)out); for(n=0; n < len; ++n) out[n] ^= ivec[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = tmp[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + out[n] = tmp.t8[n]; + memcpy(ivec, tmp.t8, CAMELLIA_BLOCK_SIZE); } } } @@ -155,10 +178,13 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, while (len >= CAMELLIA_BLOCK_SIZE) { for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = in[n] ^ iv[n]; - memcpy(t32, out, CAMELLIA_BLOCK_SIZE); - key->enc(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] = in[n] ^ iv[n]; + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->enc(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); iv = out; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -167,10 +193,15 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, if (len) { for(n=0; n < len; ++n) - out[n] = in[n] ^ iv[n]; + tmp.t8[n] = in[n] ^ iv[n]; for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = iv[n]; - key->enc(key->rd_key, (uint32_t *)out); + tmp.t8[n] = iv[n]; + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->enc(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); iv = out; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -179,11 +210,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(t32,in,CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,t32); - memcpy(out,t32,CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8,in,CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key,tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] ^= iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; @@ -191,12 +225,14 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] = tmp[n] ^ iv[n]; + out[n] = tmp.t8[n] ^ iv[n]; iv = in; } memcpy(ivec,iv,CAMELLIA_BLOCK_SIZE); @@ -205,30 +241,33 @@ void Camellia_cbc_encrypt(const unsigned char *in, unsigned char *out, { while (len >= CAMELLIA_BLOCK_SIZE) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key, t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key, tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] ^= ivec[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] ^= ivec[n]; + memcpy(ivec, in, CAMELLIA_BLOCK_SIZE); + memcpy(out, tmp.t8, CAMELLIA_BLOCK_SIZE); len -= CAMELLIA_BLOCK_SIZE; in += CAMELLIA_BLOCK_SIZE; out += CAMELLIA_BLOCK_SIZE; } if (len) { - memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); - memcpy(t32, in, CAMELLIA_BLOCK_SIZE); - key->dec(key->rd_key,t32); - memcpy(out, t32, CAMELLIA_BLOCK_SIZE); + memcpy(tmp.t8, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); + key->dec(key->rd_key,tmp.t32); + if (camellia_endian.little) + SWAP4WORD(tmp.t32); for(n=0; n < len; ++n) - out[n] ^= ivec[n]; - for(n=len; n < CAMELLIA_BLOCK_SIZE; ++n) - out[n] = tmp[n]; - memcpy(ivec, tmp, CAMELLIA_BLOCK_SIZE); + tmp.t8[n] ^= ivec[n]; + memcpy(ivec, in, CAMELLIA_BLOCK_SIZE); + memcpy(out,tmp.t8,len); } } } } - diff --git a/crypto/openssl-0.9/crypto/camellia/cmll_locl.h b/crypto/openssl-0.9/crypto/camellia/cmll_locl.h index 8ea3639a5b..2ac2e95435 100644 --- a/crypto/openssl-0.9/crypto/camellia/cmll_locl.h +++ b/crypto/openssl-0.9/crypto/camellia/cmll_locl.h @@ -73,55 +73,42 @@ #include #include -#if defined(_MSC_VER) -typedef unsigned char uint8_t; -typedef unsigned int uint32_t; -typedef unsigned __int64 uint64_t; -#else -#include -#endif +typedef unsigned char u8; +typedef unsigned int u32; #ifdef __cplusplus extern "C" { #endif -#define ALIGN 4 -#define UNITSIZE 4 - #if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64)) # define SWAP(x) ( _lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00 ) -# define GETU32(p) SWAP(*((uint32_t *)(p))) -# define PUTU32(ct, st) { *((uint32_t *)(ct)) = SWAP((st)); } +# define GETU32(p) SWAP(*((u32 *)(p))) +# define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); } # define CAMELLIA_SWAP4(x) (x = ( _lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00) ) - #else /* not windows */ -# define GETU32(pt) (((uint32_t)(pt)[0] << 24) \ - ^ ((uint32_t)(pt)[1] << 16) \ - ^ ((uint32_t)(pt)[2] << 8) \ - ^ ((uint32_t)(pt)[3])) - -# define PUTU32(ct, st) { (ct)[0] = (uint8_t)((st) >> 24); \ - (ct)[1] = (uint8_t)((st) >> 16); \ - (ct)[2] = (uint8_t)((st) >> 8); \ - (ct)[3] = (uint8_t)(st); } - -#ifdef L_ENDIAN -#if (defined (__GNUC__) && !defined(i386)) +# define GETU32(pt) (((u32)(pt)[0] << 24) \ + ^ ((u32)(pt)[1] << 16) \ + ^ ((u32)(pt)[2] << 8) \ + ^ ((u32)(pt)[3])) + +# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); \ + (ct)[1] = (u8)((st) >> 16); \ + (ct)[2] = (u8)((st) >> 8); \ + (ct)[3] = (u8)(st); } + +#if (defined (__GNUC__) && (defined(__x86_64__) || defined(__x86_64))) #define CAMELLIA_SWAP4(x) \ do{\ asm("bswap %1" : "+r" (x));\ }while(0) -#else /* not gcc */ +#else #define CAMELLIA_SWAP4(x) \ do{\ - x = ((uint32_t)x << 16) + ((uint32_t)x >> 16);\ - x = (((uint32_t)x & 0xff00ff) << 8) + (((uint32_t)x >> 8) & 0xff00ff);\ + x = ((u32)x << 16) + ((u32)x >> 16);\ + x = (((u32)x & 0xff00ff) << 8) + (((u32)x >> 8) & 0xff00ff);\ } while(0) -#endif /* not gcc */ -#else /* big endian */ -#define CAMELLIA_SWAP4(x) -#endif /* L_ENDIAN */ +#endif #endif #define COPY4WORD(dst, src) \ @@ -161,14 +148,14 @@ extern "C" { }while(0) -void camellia_setup128(const unsigned char *key, uint32_t *subkey); -void camellia_setup192(const unsigned char *key, uint32_t *subkey); -void camellia_setup256(const unsigned char *key, uint32_t *subkey); +void camellia_setup128(const u8 *key, u32 *subkey); +void camellia_setup192(const u8 *key, u32 *subkey); +void camellia_setup256(const u8 *key, u32 *subkey); -void camellia_encrypt128(const uint32_t *subkey, uint32_t *io); -void camellia_decrypt128(const uint32_t *subkey, uint32_t *io); -void camellia_encrypt256(const uint32_t *subkey, uint32_t *io); -void camellia_decrypt256(const uint32_t *subkey, uint32_t *io); +void camellia_encrypt128(const u32 *subkey, u32 *io); +void camellia_decrypt128(const u32 *subkey, u32 *io); +void camellia_encrypt256(const u32 *subkey, u32 *io); +void camellia_decrypt256(const u32 *subkey, u32 *io); #ifdef __cplusplus } diff --git a/crypto/openssl-0.9/crypto/camellia/cmll_misc.c b/crypto/openssl-0.9/crypto/camellia/cmll_misc.c index 3c4ec36662..f1047b54e0 100644 --- a/crypto/openssl-0.9/crypto/camellia/cmll_misc.c +++ b/crypto/openssl-0.9/crypto/camellia/cmll_misc.c @@ -53,7 +53,7 @@ #include #include "cmll_locl.h" -const char *CAMELLIA_version="CAMELLIA" OPENSSL_VERSION_PTEXT; +const char CAMELLIA_version[]="CAMELLIA" OPENSSL_VERSION_PTEXT; int Camellia_set_key(const unsigned char *userKey, const int bits, CAMELLIA_KEY *key) @@ -91,20 +91,26 @@ int Camellia_set_key(const unsigned char *userKey, const int bits, void Camellia_encrypt(const unsigned char *in, unsigned char *out, const CAMELLIA_KEY *key) { - uint32_t tmp[UNITSIZE]; + u32 tmp[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + const union { long one; char little; } camellia_endian = {1}; memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) SWAP4WORD(tmp); key->enc(key->rd_key, tmp); + if (camellia_endian.little) SWAP4WORD(tmp); memcpy(out, tmp, CAMELLIA_BLOCK_SIZE); } void Camellia_decrypt(const unsigned char *in, unsigned char *out, const CAMELLIA_KEY *key) { - uint32_t tmp[UNITSIZE]; + u32 tmp[CAMELLIA_BLOCK_SIZE/sizeof(u32)]; + const union { long one; char little; } camellia_endian = {1}; memcpy(tmp, in, CAMELLIA_BLOCK_SIZE); + if (camellia_endian.little) SWAP4WORD(tmp); key->dec(key->rd_key, tmp); + if (camellia_endian.little) SWAP4WORD(tmp); memcpy(out, tmp, CAMELLIA_BLOCK_SIZE); } diff --git a/crypto/openssl-0.9/crypto/cast/c_ecb.c b/crypto/openssl-0.9/crypto/cast/c_ecb.c index 0b3da9ad87..f2dc606226 100644 --- a/crypto/openssl-0.9/crypto/cast/c_ecb.c +++ b/crypto/openssl-0.9/crypto/cast/c_ecb.c @@ -60,7 +60,7 @@ #include "cast_lcl.h" #include -const char *CAST_version="CAST" OPENSSL_VERSION_PTEXT; +const char CAST_version[]="CAST" OPENSSL_VERSION_PTEXT; void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, CAST_KEY *ks, int enc) diff --git a/crypto/openssl-0.9/crypto/comp/c_zlib.c b/crypto/openssl-0.9/crypto/comp/c_zlib.c index 941b807eb3..43402e75db 100644 --- a/crypto/openssl-0.9/crypto/comp/c_zlib.c +++ b/crypto/openssl-0.9/crypto/comp/c_zlib.c @@ -31,6 +31,24 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out, static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out, unsigned int olen, unsigned char *in, unsigned int ilen); + +/* memory allocations functions for zlib intialization */ +static void* zlib_zalloc(void* opaque, unsigned int no, unsigned int size) +{ + void *p; + + p=OPENSSL_malloc(no*size); + if (p) + memset(p, 0, no*size); + return p; +} + + +static void zlib_zfree(void* opaque, void* address) +{ + OPENSSL_free(address); +} + #if 0 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out, unsigned int olen, unsigned char *in, unsigned int ilen); @@ -133,8 +151,8 @@ static int zlib_stateful_init(COMP_CTX *ctx) if (state == NULL) goto err; - state->istream.zalloc = Z_NULL; - state->istream.zfree = Z_NULL; + state->istream.zalloc = zlib_zalloc; + state->istream.zfree = zlib_zfree; state->istream.opaque = Z_NULL; state->istream.next_in = Z_NULL; state->istream.next_out = Z_NULL; @@ -145,8 +163,8 @@ static int zlib_stateful_init(COMP_CTX *ctx) if (err != Z_OK) goto err; - state->ostream.zalloc = Z_NULL; - state->ostream.zfree = Z_NULL; + state->ostream.zalloc = zlib_zalloc; + state->ostream.zfree = zlib_zfree; state->ostream.opaque = Z_NULL; state->ostream.next_in = Z_NULL; state->ostream.next_out = Z_NULL; @@ -158,17 +176,6 @@ static int zlib_stateful_init(COMP_CTX *ctx) goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data); - if (zlib_stateful_ex_idx == -1) - { - CRYPTO_w_lock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - zlib_stateful_ex_idx = - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, - 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); - CRYPTO_w_unlock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - goto err; - } CRYPTO_set_ex_data(&ctx->ex_data,zlib_stateful_ex_idx,state); return 1; err: @@ -379,7 +386,25 @@ COMP_METHOD *COMP_zlib(void) if (zlib_loaded) #endif #if defined(ZLIB) || defined(ZLIB_SHARED) + { + /* init zlib_stateful_ex_idx here so that in a multi-process + * application it's enough to intialize openssl before forking + * (idx will be inherited in all the children) */ + if (zlib_stateful_ex_idx == -1) + { + CRYPTO_w_lock(CRYPTO_LOCK_COMP); + if (zlib_stateful_ex_idx == -1) + zlib_stateful_ex_idx = + CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, + 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); + CRYPTO_w_unlock(CRYPTO_LOCK_COMP); + if (zlib_stateful_ex_idx == -1) + goto err; + } + meth = &zlib_stateful_method; + } +err: #endif return(meth); diff --git a/crypto/openssl-0.9/crypto/comp/comp_err.c b/crypto/openssl-0.9/crypto/comp/comp_err.c index bf7aa3af76..07372226c9 100644 --- a/crypto/openssl-0.9/crypto/comp/comp_err.c +++ b/crypto/openssl-0.9/crypto/comp/comp_err.c @@ -82,15 +82,12 @@ static ERR_STRING_DATA COMP_str_reasons[]= void ERR_load_COMP_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(COMP_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,COMP_str_functs); ERR_load_strings(0,COMP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/conf/conf_def.c b/crypto/openssl-0.9/crypto/conf/conf_def.c index 8083a009d7..d8bce8732a 100644 --- a/crypto/openssl-0.9/crypto/conf/conf_def.c +++ b/crypto/openssl-0.9/crypto/conf/conf_def.c @@ -88,7 +88,7 @@ static int def_dump(const CONF *conf, BIO *bp); static int def_is_number(const CONF *conf, char c); static int def_to_int(const CONF *conf, char c); -const char *CONF_def_version="CONF_def" OPENSSL_VERSION_PTEXT; +const char CONF_def_version[]="CONF_def" OPENSSL_VERSION_PTEXT; static CONF_METHOD default_method = { "OpenSSL default", diff --git a/crypto/openssl-0.9/crypto/conf/conf_err.c b/crypto/openssl-0.9/crypto/conf/conf_err.c index 6250689746..a16a5e0bd4 100644 --- a/crypto/openssl-0.9/crypto/conf/conf_err.c +++ b/crypto/openssl-0.9/crypto/conf/conf_err.c @@ -118,15 +118,12 @@ static ERR_STRING_DATA CONF_str_reasons[]= void ERR_load_CONF_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(CONF_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,CONF_str_functs); ERR_load_strings(0,CONF_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/conf/conf_lib.c b/crypto/openssl-0.9/crypto/conf/conf_lib.c index a55a5457c6..2a3399d269 100644 --- a/crypto/openssl-0.9/crypto/conf/conf_lib.c +++ b/crypto/openssl-0.9/crypto/conf/conf_lib.c @@ -63,7 +63,7 @@ #include #include -const char *CONF_version="CONF" OPENSSL_VERSION_PTEXT; +const char CONF_version[]="CONF" OPENSSL_VERSION_PTEXT; static CONF_METHOD *default_CONF_method=NULL; diff --git a/crypto/openssl-0.9/crypto/cpt_err.c b/crypto/openssl-0.9/crypto/cpt_err.c index 06a6109cce..9fd41fff8c 100644 --- a/crypto/openssl-0.9/crypto/cpt_err.c +++ b/crypto/openssl-0.9/crypto/cpt_err.c @@ -92,15 +92,12 @@ static ERR_STRING_DATA CRYPTO_str_reasons[]= void ERR_load_CRYPTO_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(CRYPTO_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,CRYPTO_str_functs); ERR_load_strings(0,CRYPTO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/cryptlib.c b/crypto/openssl-0.9/crypto/cryptlib.c index 315559c71c..86af760d38 100644 --- a/crypto/openssl-0.9/crypto/cryptlib.c +++ b/crypto/openssl-0.9/crypto/cryptlib.c @@ -125,7 +125,7 @@ DECLARE_STACK_OF(CRYPTO_dynlock) IMPLEMENT_STACK_OF(CRYPTO_dynlock) /* real #defines in crypto.h, keep these upto date */ -static const char* lock_names[CRYPTO_NUM_LOCKS] = +static const char* const lock_names[CRYPTO_NUM_LOCKS] = { "<>", "err", diff --git a/crypto/openssl-0.9/crypto/des/des_ver.h b/crypto/openssl-0.9/crypto/des/des_ver.h index 379bbadda2..d1ada258a6 100644 --- a/crypto/openssl-0.9/crypto/des/des_ver.h +++ b/crypto/openssl-0.9/crypto/des/des_ver.h @@ -67,5 +67,5 @@ #define DES_version OSSL_DES_version #define libdes_version OSSL_libdes_version -OPENSSL_EXTERN const char *OSSL_DES_version; /* SSLeay version string */ -OPENSSL_EXTERN const char *OSSL_libdes_version; /* old libdes version string */ +OPENSSL_EXTERN const char OSSL_DES_version[]; /* SSLeay version string */ +OPENSSL_EXTERN const char OSSL_libdes_version[]; /* old libdes version string */ diff --git a/crypto/openssl-0.9/crypto/des/ecb_enc.c b/crypto/openssl-0.9/crypto/des/ecb_enc.c index 784aa5ba23..00d5b91e8c 100644 --- a/crypto/openssl-0.9/crypto/des/ecb_enc.c +++ b/crypto/openssl-0.9/crypto/des/ecb_enc.c @@ -62,8 +62,8 @@ #include #include -OPENSSL_GLOBAL const char *libdes_version="libdes" OPENSSL_VERSION_PTEXT; -OPENSSL_GLOBAL const char *DES_version="DES" OPENSSL_VERSION_PTEXT; +OPENSSL_GLOBAL const char libdes_version[]="libdes" OPENSSL_VERSION_PTEXT; +OPENSSL_GLOBAL const char DES_version[]="DES" OPENSSL_VERSION_PTEXT; const char *DES_options(void) { diff --git a/crypto/openssl-0.9/crypto/dh/dh_err.c b/crypto/openssl-0.9/crypto/dh/dh_err.c index 783bb4754c..a2d8196ecb 100644 --- a/crypto/openssl-0.9/crypto/dh/dh_err.c +++ b/crypto/openssl-0.9/crypto/dh/dh_err.c @@ -93,15 +93,12 @@ static ERR_STRING_DATA DH_str_reasons[]= void ERR_load_DH_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(DH_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,DH_str_functs); ERR_load_strings(0,DH_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/dh/dh_key.c b/crypto/openssl-0.9/crypto/dh/dh_key.c index cb5abdcf47..37a2c1bca2 100644 --- a/crypto/openssl-0.9/crypto/dh/dh_key.c +++ b/crypto/openssl-0.9/crypto/dh/dh_key.c @@ -173,7 +173,7 @@ err: static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) { - BN_CTX *ctx; + BN_CTX *ctx=NULL; BN_MONT_CTX *mont=NULL; BIGNUM *tmp; int ret= -1; diff --git a/crypto/openssl-0.9/crypto/dh/dh_lib.c b/crypto/openssl-0.9/crypto/dh/dh_lib.c index 09965ee2ea..7aef080e7a 100644 --- a/crypto/openssl-0.9/crypto/dh/dh_lib.c +++ b/crypto/openssl-0.9/crypto/dh/dh_lib.c @@ -64,7 +64,7 @@ #include #endif -const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT; +const char DH_version[]="Diffie-Hellman" OPENSSL_VERSION_PTEXT; static const DH_METHOD *default_DH_method = NULL; diff --git a/crypto/openssl-0.9/crypto/dsa/dsa_err.c b/crypto/openssl-0.9/crypto/dsa/dsa_err.c index d7fac69154..768711994b 100644 --- a/crypto/openssl-0.9/crypto/dsa/dsa_err.c +++ b/crypto/openssl-0.9/crypto/dsa/dsa_err.c @@ -100,15 +100,12 @@ static ERR_STRING_DATA DSA_str_reasons[]= void ERR_load_DSA_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(DSA_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,DSA_str_functs); ERR_load_strings(0,DSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/dsa/dsa_lib.c b/crypto/openssl-0.9/crypto/dsa/dsa_lib.c index b9825791ba..e9b75902db 100644 --- a/crypto/openssl-0.9/crypto/dsa/dsa_lib.c +++ b/crypto/openssl-0.9/crypto/dsa/dsa_lib.c @@ -70,7 +70,7 @@ #include #endif -const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT; +const char DSA_version[]="DSA" OPENSSL_VERSION_PTEXT; static const DSA_METHOD *default_DSA_method = NULL; diff --git a/crypto/openssl-0.9/crypto/dso/dso_err.c b/crypto/openssl-0.9/crypto/dso/dso_err.c index aa91170b1b..a8b0a210de 100644 --- a/crypto/openssl-0.9/crypto/dso/dso_err.c +++ b/crypto/openssl-0.9/crypto/dso/dso_err.c @@ -136,15 +136,12 @@ static ERR_STRING_DATA DSO_str_reasons[]= void ERR_load_DSO_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(DSO_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,DSO_str_functs); ERR_load_strings(0,DSO_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/ec/ec_asn1.c b/crypto/openssl-0.9/crypto/ec/ec_asn1.c index 66ef129293..ae55539859 100644 --- a/crypto/openssl-0.9/crypto/ec/ec_asn1.c +++ b/crypto/openssl-0.9/crypto/ec/ec_asn1.c @@ -529,6 +529,8 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve) ECerr(EC_F_EC_ASN1_GROUP2CURVE, ERR_R_MALLOC_FAILURE); goto err; } + curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT; if (!ASN1_BIT_STRING_set(curve->seed, group->seed, (int)group->seed_len)) { @@ -1291,6 +1293,8 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) goto err; } + priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); + priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT; if (!M_ASN1_BIT_STRING_set(priv_key->publicKey, buffer, buf_len)) { diff --git a/crypto/openssl-0.9/crypto/ec/ec_err.c b/crypto/openssl-0.9/crypto/ec/ec_err.c index 031c54d0b5..7be315bac9 100644 --- a/crypto/openssl-0.9/crypto/ec/ec_err.c +++ b/crypto/openssl-0.9/crypto/ec/ec_err.c @@ -227,15 +227,12 @@ static ERR_STRING_DATA EC_str_reasons[]= void ERR_load_EC_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(EC_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,EC_str_functs); ERR_load_strings(0,EC_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/ecdh/ech_err.c b/crypto/openssl-0.9/crypto/ecdh/ech_err.c index 626f49ba33..4d2ede75bd 100644 --- a/crypto/openssl-0.9/crypto/ecdh/ech_err.c +++ b/crypto/openssl-0.9/crypto/ecdh/ech_err.c @@ -71,7 +71,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= { {ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, -{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"}, +{ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_NEW_METHOD"}, {0,NULL} }; @@ -87,15 +87,12 @@ static ERR_STRING_DATA ECDH_str_reasons[]= void ERR_load_ECDH_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(ECDH_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,ECDH_str_functs); ERR_load_strings(0,ECDH_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/ecdh/ech_lib.c b/crypto/openssl-0.9/crypto/ecdh/ech_lib.c index 01e75e2a5c..e89b1d4772 100644 --- a/crypto/openssl-0.9/crypto/ecdh/ech_lib.c +++ b/crypto/openssl-0.9/crypto/ecdh/ech_lib.c @@ -74,7 +74,7 @@ #endif #include -const char *ECDH_version="ECDH" OPENSSL_VERSION_PTEXT; +const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; static const ECDH_METHOD *default_ECDH_method = NULL; diff --git a/crypto/openssl-0.9/crypto/ecdsa/ecdsa.h b/crypto/openssl-0.9/crypto/ecdsa/ecdsa.h index 76c5a4aa2a..f20c8ee738 100644 --- a/crypto/openssl-0.9/crypto/ecdsa/ecdsa.h +++ b/crypto/openssl-0.9/crypto/ecdsa/ecdsa.h @@ -261,6 +261,7 @@ void ERR_load_ECDSA_strings(void); #define ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 101 #define ECDSA_R_ERR_EC_LIB 102 #define ECDSA_R_MISSING_PARAMETERS 103 +#define ECDSA_R_NEED_NEW_SETUP_VALUES 106 #define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104 #define ECDSA_R_SIGNATURE_MALLOC_FAILED 105 diff --git a/crypto/openssl-0.9/crypto/ecdsa/ecs_err.c b/crypto/openssl-0.9/crypto/ecdsa/ecs_err.c index 90f1942e79..d2a53730ea 100644 --- a/crypto/openssl-0.9/crypto/ecdsa/ecs_err.c +++ b/crypto/openssl-0.9/crypto/ecdsa/ecs_err.c @@ -70,7 +70,7 @@ static ERR_STRING_DATA ECDSA_str_functs[]= { -{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_new_method"}, +{ERR_FUNC(ECDSA_F_ECDSA_DATA_NEW_METHOD), "ECDSA_DATA_NEW_METHOD"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_SIGN), "ECDSA_do_sign"}, {ERR_FUNC(ECDSA_F_ECDSA_DO_VERIFY), "ECDSA_do_verify"}, {ERR_FUNC(ECDSA_F_ECDSA_SIGN_SETUP), "ECDSA_sign_setup"}, @@ -83,6 +83,7 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= {ERR_REASON(ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, {ERR_REASON(ECDSA_R_ERR_EC_LIB) ,"err ec lib"}, {ERR_REASON(ECDSA_R_MISSING_PARAMETERS) ,"missing parameters"}, +{ERR_REASON(ECDSA_R_NEED_NEW_SETUP_VALUES),"need new setup values"}, {ERR_REASON(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED),"random number generation failed"}, {ERR_REASON(ECDSA_R_SIGNATURE_MALLOC_FAILED),"signature malloc failed"}, {0,NULL} @@ -92,15 +93,12 @@ static ERR_STRING_DATA ECDSA_str_reasons[]= void ERR_load_ECDSA_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(ECDSA_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,ECDSA_str_functs); ERR_load_strings(0,ECDSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/ecdsa/ecs_lib.c b/crypto/openssl-0.9/crypto/ecdsa/ecs_lib.c index 1fb9bc9600..85e8a3a7ed 100644 --- a/crypto/openssl-0.9/crypto/ecdsa/ecs_lib.c +++ b/crypto/openssl-0.9/crypto/ecdsa/ecs_lib.c @@ -61,7 +61,7 @@ #include #include -const char *ECDSA_version="ECDSA" OPENSSL_VERSION_PTEXT; +const char ECDSA_version[]="ECDSA" OPENSSL_VERSION_PTEXT; static const ECDSA_METHOD *default_ECDSA_method = NULL; diff --git a/crypto/openssl-0.9/crypto/ecdsa/ecs_ossl.c b/crypto/openssl-0.9/crypto/ecdsa/ecs_ossl.c index 8be45ddc93..32d66a9774 100644 --- a/crypto/openssl-0.9/crypto/ecdsa/ecs_ossl.c +++ b/crypto/openssl-0.9/crypto/ecdsa/ecs_ossl.c @@ -299,8 +299,21 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; } + if (BN_is_zero(s)) + { + /* if kinv and r have been supplied by the caller + * don't to generate new kinv and r values */ + if (in_kinv != NULL && in_r != NULL) + { + ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES); + goto err; + } + } + else + /* s != 0 => we have a valid signature */ + break; } - while (BN_is_zero(s)); + while (1); ok = 1; err: diff --git a/crypto/openssl-0.9/crypto/engine/eng_all.c b/crypto/openssl-0.9/crypto/engine/eng_all.c index 86b2f9a1c3..8599046717 100644 --- a/crypto/openssl-0.9/crypto/engine/eng_all.c +++ b/crypto/openssl-0.9/crypto/engine/eng_all.c @@ -68,6 +68,9 @@ void ENGINE_load_builtin_engines(void) #if 0 ENGINE_load_openssl(); #endif +#if !defined(OPENSSL_NO_HW) && !defined(OPENSSL_NO_HW_PADLOCK) + ENGINE_load_padlock(); +#endif ENGINE_load_dynamic(); #ifndef OPENSSL_NO_STATIC_ENGINE #ifndef OPENSSL_NO_HW @@ -95,16 +98,15 @@ void ENGINE_load_builtin_engines(void) #ifndef OPENSSL_NO_HW_UBSEC ENGINE_load_ubsec(); #endif -#ifndef OPENSSL_NO_HW_PADLOCK - ENGINE_load_padlock(); +#endif +#if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP) + ENGINE_load_gmp(); #endif #endif +#ifndef OPENSSL_NO_HW #if defined(__OpenBSD__) || defined(__FreeBSD__) ENGINE_load_cryptodev(); #endif -#if !defined(OPENSSL_NO_GMP) && !defined(OPENSSL_NO_HW_GMP) - ENGINE_load_gmp(); -#endif #endif } diff --git a/crypto/openssl-0.9/crypto/engine/eng_err.c b/crypto/openssl-0.9/crypto/engine/eng_err.c index 62db507ce2..369f2e22d3 100644 --- a/crypto/openssl-0.9/crypto/engine/eng_err.c +++ b/crypto/openssl-0.9/crypto/engine/eng_err.c @@ -157,15 +157,12 @@ static ERR_STRING_DATA ENGINE_str_reasons[]= void ERR_load_ENGINE_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(ENGINE_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,ENGINE_str_functs); ERR_load_strings(0,ENGINE_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/engine/eng_padlock.c b/crypto/openssl-0.9/crypto/engine/eng_padlock.c index 8d92af6f8b..e1d66eac58 100644 --- a/crypto/openssl-0.9/crypto/engine/eng_padlock.c +++ b/crypto/openssl-0.9/crypto/engine/eng_padlock.c @@ -436,8 +436,8 @@ static inline void *name(size_t cnt, \ rep_xcrypt "\n" \ " popl %%ebx" \ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \ - : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ - : "edx", "cc"); \ + : "0"(cdata), "1"(cnt), "2"(out), "3"(inp), "m"(*cdata) \ + : "edx", "cc", "memory"); \ return iv; \ } diff --git a/crypto/openssl-0.9/crypto/engine/tb_ecdh.c b/crypto/openssl-0.9/crypto/engine/tb_ecdh.c index 59977f7dd0..c8ec7812c5 100644 --- a/crypto/openssl-0.9/crypto/engine/tb_ecdh.c +++ b/crypto/openssl-0.9/crypto/engine/tb_ecdh.c @@ -107,7 +107,7 @@ int ENGINE_set_default_ECDH(ENGINE *e) { if(e->ecdh_meth) return engine_table_register(&ecdh_table, - engine_unregister_all_ECDH, e, &dummy_nid, 1, 0); + engine_unregister_all_ECDH, e, &dummy_nid, 1, 1); return 1; } diff --git a/crypto/openssl-0.9/crypto/engine/tb_ecdsa.c b/crypto/openssl-0.9/crypto/engine/tb_ecdsa.c index e30b02e8c5..005ecb622c 100644 --- a/crypto/openssl-0.9/crypto/engine/tb_ecdsa.c +++ b/crypto/openssl-0.9/crypto/engine/tb_ecdsa.c @@ -92,7 +92,7 @@ int ENGINE_set_default_ECDSA(ENGINE *e) { if(e->ecdsa_meth) return engine_table_register(&ecdsa_table, - engine_unregister_all_ECDSA, e, &dummy_nid, 1, 0); + engine_unregister_all_ECDSA, e, &dummy_nid, 1, 1); return 1; } diff --git a/crypto/openssl-0.9/crypto/err/err_all.c b/crypto/openssl-0.9/crypto/err/err_all.c index bfb4c1ab12..c33d24bb68 100644 --- a/crypto/openssl-0.9/crypto/err/err_all.c +++ b/crypto/openssl-0.9/crypto/err/err_all.c @@ -97,10 +97,6 @@ void ERR_load_crypto_strings(void) { - static int done=0; - - if (done) return; - done=1; #ifndef OPENSSL_NO_ERR ERR_load_ERR_strings(); /* include error strings for SYSerr */ ERR_load_BN_strings(); diff --git a/crypto/openssl-0.9/crypto/evp/bio_md.c b/crypto/openssl-0.9/crypto/evp/bio_md.c index 76ff9fe815..d648ac6da6 100644 --- a/crypto/openssl-0.9/crypto/evp/bio_md.c +++ b/crypto/openssl-0.9/crypto/evp/bio_md.c @@ -200,6 +200,12 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr) else ret=0; break; + case BIO_C_SET_MD_CTX: + if (b->init) + b->ptr=ptr; + else + ret=0; + break; case BIO_C_DO_STATE_MACHINE: BIO_clear_retry_flags(b); ret=BIO_ctrl(b->next_bio,cmd,num,ptr); diff --git a/crypto/openssl-0.9/crypto/evp/evp.h b/crypto/openssl-0.9/crypto/evp/evp.h index 1b09bd8dfe..636f426c69 100644 --- a/crypto/openssl-0.9/crypto/evp/evp.h +++ b/crypto/openssl-0.9/crypto/evp/evp.h @@ -429,36 +429,36 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) -#define EVP_MD_type(e) ((e)->type) +int EVP_MD_type(const EVP_MD *md); #define EVP_MD_nid(e) EVP_MD_type(e) #define EVP_MD_name(e) OBJ_nid2sn(EVP_MD_nid(e)) -#define EVP_MD_pkey_type(e) ((e)->pkey_type) -#define EVP_MD_size(e) ((e)->md_size) -#define EVP_MD_block_size(e) ((e)->block_size) +int EVP_MD_pkey_type(const EVP_MD *md); +int EVP_MD_size(const EVP_MD *md); +int EVP_MD_block_size(const EVP_MD *md); -#define EVP_MD_CTX_md(e) ((e)->digest) -#define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) -#define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) -#define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) +const EVP_MD * EVP_MD_CTX_md(const EVP_MD_CTX *ctx); +#define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) +#define EVP_MD_CTX_block_size(e) EVP_MD_block_size(EVP_MD_CTX_md(e)) +#define EVP_MD_CTX_type(e) EVP_MD_type(EVP_MD_CTX_md(e)) -#define EVP_CIPHER_nid(e) ((e)->nid) +int EVP_CIPHER_nid(const EVP_CIPHER *cipher); #define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) -#define EVP_CIPHER_block_size(e) ((e)->block_size) -#define EVP_CIPHER_key_length(e) ((e)->key_len) -#define EVP_CIPHER_iv_length(e) ((e)->iv_len) -#define EVP_CIPHER_flags(e) ((e)->flags) -#define EVP_CIPHER_mode(e) (((e)->flags) & EVP_CIPH_MODE) - -#define EVP_CIPHER_CTX_cipher(e) ((e)->cipher) -#define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid) -#define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size) -#define EVP_CIPHER_CTX_key_length(e) ((e)->key_len) -#define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len) -#define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) -#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) +int EVP_CIPHER_block_size(const EVP_CIPHER *cipher); +int EVP_CIPHER_key_length(const EVP_CIPHER *cipher); +int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher); +unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher); +#define EVP_CIPHER_mode(e) (EVP_CIPHER_flags(e) & EVP_CIPH_MODE) + +const EVP_CIPHER * EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); +void * EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); +void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) -#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) -#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) +unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); +#define EVP_CIPHER_CTX_mode(e) (EVP_CIPHER_CTX_flags(e) & EVP_CIPH_MODE) #define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) #define EVP_DECODE_LENGTH(l) ((l+3)/4*3+80) @@ -479,10 +479,14 @@ void BIO_set_md(BIO *,const EVP_MD *md); #endif #define BIO_get_md(b,mdp) BIO_ctrl(b,BIO_C_GET_MD,0,(char *)mdp) #define BIO_get_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_GET_MD_CTX,0,(char *)mdcp) +#define BIO_set_md_ctx(b,mdcp) BIO_ctrl(b,BIO_C_SET_MD_CTX,0,(char *)mdcp) #define BIO_get_cipher_status(b) BIO_ctrl(b,BIO_C_GET_CIPHER_STATUS,0,NULL) #define BIO_get_cipher_ctx(b,c_pp) BIO_ctrl(b,BIO_C_GET_CIPHER_CTX,0,(char *)c_pp) -#define EVP_Cipher(c,o,i,l) (c)->cipher->do_cipher((c),(o),(i),(l)) +int EVP_Cipher(EVP_CIPHER_CTX *c, + unsigned char *out, + const unsigned char *in, + unsigned int inl); #define EVP_add_cipher_alias(n,alias) \ OBJ_NAME_add((alias),OBJ_NAME_TYPE_CIPHER_METH|OBJ_NAME_ALIAS,(n)) @@ -498,9 +502,9 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); -#define EVP_MD_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs)) -#define EVP_MD_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs)) -#define EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs)) +void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); +void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); +int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx,int flags); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx,const void *d, size_t cnt); diff --git a/crypto/openssl-0.9/crypto/evp/evp_enc.c b/crypto/openssl-0.9/crypto/evp/evp_enc.c index f0b725def6..a1904993bf 100644 --- a/crypto/openssl-0.9/crypto/evp/evp_enc.c +++ b/crypto/openssl-0.9/crypto/evp/evp_enc.c @@ -66,7 +66,7 @@ #endif #include "evp_locl.h" -const char *EVP_version="EVP" OPENSSL_VERSION_PTEXT; +const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT; void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) { diff --git a/crypto/openssl-0.9/crypto/evp/evp_err.c b/crypto/openssl-0.9/crypto/evp/evp_err.c index cb6d9fac2e..e8c9e8de9c 100644 --- a/crypto/openssl-0.9/crypto/evp/evp_err.c +++ b/crypto/openssl-0.9/crypto/evp/evp_err.c @@ -163,15 +163,12 @@ static ERR_STRING_DATA EVP_str_reasons[]= void ERR_load_EVP_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(EVP_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,EVP_str_functs); ERR_load_strings(0,EVP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/evp/evp_lib.c b/crypto/openssl-0.9/crypto/evp/evp_lib.c index 36213964dd..f92db23af6 100644 --- a/crypto/openssl-0.9/crypto/evp/evp_lib.c +++ b/crypto/openssl-0.9/crypto/evp/evp_lib.c @@ -168,3 +168,112 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx) } } +int EVP_CIPHER_block_size(const EVP_CIPHER *e) + { + return e->block_size; + } + +int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->block_size; + } + +int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) + { + return ctx->cipher->do_cipher(ctx,out,in,inl); + } + +const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher; + } + +unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) + { + return cipher->flags; + } + +unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->flags; + } + +void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) + { + return ctx->app_data; + } + +void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) + { + ctx->app_data = data; + } + +int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) + { + return cipher->iv_len; + } + +int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->iv_len; + } + +int EVP_CIPHER_key_length(const EVP_CIPHER *cipher) + { + return cipher->key_len; + } + +int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->key_len; + } + +int EVP_CIPHER_nid(const EVP_CIPHER *cipher) + { + return cipher->nid; + } + +int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) + { + return ctx->cipher->nid; + } + +int EVP_MD_block_size(const EVP_MD *md) + { + return md->block_size; + } + +int EVP_MD_type(const EVP_MD *md) + { + return md->type; + } + +int EVP_MD_pkey_type(const EVP_MD *md) + { + return md->pkey_type; + } + +int EVP_MD_size(const EVP_MD *md) + { + return md->md_size; + } + +const EVP_MD * EVP_MD_CTX_md(const EVP_MD_CTX *ctx) + { + return ctx->digest; + } + +void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags) + { + ctx->flags |= flags; + } + +void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags) + { + ctx->flags &= ~flags; + } + +int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags) + { + return (ctx->flags & flags); + } diff --git a/crypto/openssl-0.9/crypto/evp/evp_locl.h b/crypto/openssl-0.9/crypto/evp/evp_locl.h index 2204e345ad..20139d20e4 100644 --- a/crypto/openssl-0.9/crypto/evp/evp_locl.h +++ b/crypto/openssl-0.9/crypto/evp/evp_locl.h @@ -65,7 +65,7 @@ bl = ctx->cipher->block_size;\ if(inl < bl) return 1;\ inl -= bl; \ - for(i=0; i <= inl; i+=bl) \ + for(i=0; i <= inl; i+=bl) #define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \ static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \ diff --git a/crypto/openssl-0.9/crypto/idea/i_ecb.c b/crypto/openssl-0.9/crypto/idea/i_ecb.c index fb613db595..fef38230a7 100644 --- a/crypto/openssl-0.9/crypto/idea/i_ecb.c +++ b/crypto/openssl-0.9/crypto/idea/i_ecb.c @@ -60,7 +60,7 @@ #include "idea_lcl.h" #include -const char *IDEA_version="IDEA" OPENSSL_VERSION_PTEXT; +const char IDEA_version[]="IDEA" OPENSSL_VERSION_PTEXT; const char *idea_options(void) { diff --git a/crypto/openssl-0.9/crypto/idea/idea_lcl.h b/crypto/openssl-0.9/crypto/idea/idea_lcl.h index 463aa36ce9..f3dbfa67e9 100644 --- a/crypto/openssl-0.9/crypto/idea/idea_lcl.h +++ b/crypto/openssl-0.9/crypto/idea/idea_lcl.h @@ -67,7 +67,7 @@ if (ul != 0) \ r-=((r)>>16); \ } \ else \ - r=(-(int)a-b+1); /* assuming a or b is 0 and in range */ \ + r=(-(int)a-b+1); /* assuming a or b is 0 and in range */ #ifdef undef #define idea_mul(r,a,b,ul,sl) \ diff --git a/crypto/openssl-0.9/crypto/lhash/lhash.c b/crypto/openssl-0.9/crypto/lhash/lhash.c index 55cb05579b..04ea80203c 100644 --- a/crypto/openssl-0.9/crypto/lhash/lhash.c +++ b/crypto/openssl-0.9/crypto/lhash/lhash.c @@ -100,7 +100,7 @@ #include #include -const char *lh_version="lhash" OPENSSL_VERSION_PTEXT; +const char lh_version[]="lhash" OPENSSL_VERSION_PTEXT; #undef MIN_NODES #define MIN_NODES 16 diff --git a/crypto/openssl-0.9/crypto/md2/md2.h b/crypto/openssl-0.9/crypto/md2/md2.h index 5b71855cb2..a46120e7d4 100644 --- a/crypto/openssl-0.9/crypto/md2/md2.h +++ b/crypto/openssl-0.9/crypto/md2/md2.h @@ -63,6 +63,7 @@ #ifdef OPENSSL_NO_MD2 #error MD2 is disabled. #endif +#include #define MD2_DIGEST_LENGTH 16 #define MD2_BLOCK 16 diff --git a/crypto/openssl-0.9/crypto/md2/md2_dgst.c b/crypto/openssl-0.9/crypto/md2/md2_dgst.c index 15e77d60be..6f68b25c6a 100644 --- a/crypto/openssl-0.9/crypto/md2/md2_dgst.c +++ b/crypto/openssl-0.9/crypto/md2/md2_dgst.c @@ -63,7 +63,7 @@ #include #include -const char *MD2_version="MD2" OPENSSL_VERSION_PTEXT; +const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1319 The MD2 Message-Digest Algorithm */ diff --git a/crypto/openssl-0.9/crypto/md4/md4.h b/crypto/openssl-0.9/crypto/md4/md4.h index b080cbdc21..5598c93a4f 100644 --- a/crypto/openssl-0.9/crypto/md4/md4.h +++ b/crypto/openssl-0.9/crypto/md4/md4.h @@ -60,6 +60,7 @@ #define HEADER_MD4_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl-0.9/crypto/md4/md4_dgst.c b/crypto/openssl-0.9/crypto/md4/md4_dgst.c index d4c7057f13..86b79b8e4d 100644 --- a/crypto/openssl-0.9/crypto/md4/md4_dgst.c +++ b/crypto/openssl-0.9/crypto/md4/md4_dgst.c @@ -60,7 +60,7 @@ #include "md4_locl.h" #include -const char *MD4_version="MD4" OPENSSL_VERSION_PTEXT; +const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1186 The MD4 Message-Digest Algorithm */ diff --git a/crypto/openssl-0.9/crypto/md5/md5.h b/crypto/openssl-0.9/crypto/md5/md5.h index 6d283fe9da..dbdc0e1abc 100644 --- a/crypto/openssl-0.9/crypto/md5/md5.h +++ b/crypto/openssl-0.9/crypto/md5/md5.h @@ -60,6 +60,7 @@ #define HEADER_MD5_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl-0.9/crypto/md5/md5_dgst.c b/crypto/openssl-0.9/crypto/md5/md5_dgst.c index f97f48e55b..953f0496f6 100644 --- a/crypto/openssl-0.9/crypto/md5/md5_dgst.c +++ b/crypto/openssl-0.9/crypto/md5/md5_dgst.c @@ -60,7 +60,7 @@ #include "md5_locl.h" #include -const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT; +const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT; /* Implemented from RFC1321 The MD5 Message-Digest Algorithm */ diff --git a/crypto/openssl-0.9/crypto/objects/obj_dat.h b/crypto/openssl-0.9/crypto/objects/obj_dat.h index 78439a33c8..a116bb7f28 100644 --- a/crypto/openssl-0.9/crypto/objects/obj_dat.h +++ b/crypto/openssl-0.9/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 769 -#define NUM_SN 765 -#define NUM_LN 765 -#define NUM_OBJ 721 +#define NUM_NID 772 +#define NUM_SN 768 +#define NUM_LN 768 +#define NUM_OBJ 724 -static unsigned char lvalues[5107]={ +static unsigned char lvalues[5116]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -789,6 +789,9 @@ static unsigned char lvalues[5107]={ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x03, /* [5082] OBJ_camellia_128_ofb128 */ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x17, /* [5090] OBJ_camellia_192_ofb128 */ 0x03,0xA2,0x31,0x05,0x03,0x01,0x09,0x2B, /* [5098] OBJ_camellia_256_ofb128 */ +0x55,0x1D,0x09, /* [5106] OBJ_subject_directory_attributes */ +0x55,0x1D,0x1C, /* [5109] OBJ_issuing_distribution_point */ +0x55,0x1D,0x1D, /* [5112] OBJ_certificate_issuer */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ @@ -1987,6 +1990,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[5090]),0}, {"CAMELLIA-256-OFB","camellia-256-ofb",NID_camellia_256_ofb128,8, &(lvalues[5098]),0}, +{"subjectDirectoryAttributes","X509v3 Subject Directory Attributes", + NID_subject_directory_attributes,3,&(lvalues[5106]),0}, +{"issuingDistributionPoint","X509v3 Issuing Distrubution Point", + NID_issuing_distribution_point,3,&(lvalues[5109]),0}, +{"certificateIssuer","X509v3 Certificate Issuer", + NID_certificate_issuer,3,&(lvalues[5112]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -2203,6 +2212,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[443]),/* "caseIgnoreIA5StringSyntax" */ &(nid_objs[152]),/* "certBag" */ &(nid_objs[677]),/* "certicom-arc" */ +&(nid_objs[771]),/* "certificateIssuer" */ &(nid_objs[89]),/* "certificatePolicies" */ &(nid_objs[54]),/* "challengePassword" */ &(nid_objs[407]),/* "characteristic-two-field" */ @@ -2442,6 +2452,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[295]),/* "ipsecTunnel" */ &(nid_objs[296]),/* "ipsecUser" */ &(nid_objs[86]),/* "issuerAltName" */ +&(nid_objs[770]),/* "issuingDistributionPoint" */ &(nid_objs[492]),/* "janetMailbox" */ &(nid_objs[150]),/* "keyBag" */ &(nid_objs[83]),/* "keyUsage" */ @@ -2723,6 +2734,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[387]),/* "snmpv2" */ &(nid_objs[660]),/* "streetAddress" */ &(nid_objs[85]),/* "subjectAltName" */ +&(nid_objs[769]),/* "subjectDirectoryAttributes" */ &(nid_objs[398]),/* "subjectInfoAccess" */ &(nid_objs[82]),/* "subjectKeyIdentifier" */ &(nid_objs[498]),/* "subtreeMaximumQuality" */ @@ -2852,11 +2864,13 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[103]),/* "X509v3 CRL Distribution Points" */ &(nid_objs[88]),/* "X509v3 CRL Number" */ &(nid_objs[141]),/* "X509v3 CRL Reason Code" */ +&(nid_objs[771]),/* "X509v3 Certificate Issuer" */ &(nid_objs[89]),/* "X509v3 Certificate Policies" */ &(nid_objs[140]),/* "X509v3 Delta CRL Indicator" */ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[748]),/* "X509v3 Inhibit Any Policy" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ +&(nid_objs[770]),/* "X509v3 Issuing Distrubution Point" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ &(nid_objs[666]),/* "X509v3 Name Constraints" */ &(nid_objs[403]),/* "X509v3 No Revocation Available" */ @@ -2864,6 +2878,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[747]),/* "X509v3 Policy Mappings" */ &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */ &(nid_objs[85]),/* "X509v3 Subject Alternative Name" */ +&(nid_objs[769]),/* "X509v3 Subject Directory Attributes" */ &(nid_objs[82]),/* "X509v3 Subject Key Identifier" */ &(nid_objs[184]),/* "X9.57" */ &(nid_objs[185]),/* "X9.57 CM ?" */ @@ -3569,6 +3584,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[174]),/* OBJ_dnQualifier 2 5 4 46 */ &(nid_objs[510]),/* OBJ_pseudonym 2 5 4 65 */ &(nid_objs[400]),/* OBJ_role 2 5 4 72 */ +&(nid_objs[769]),/* OBJ_subject_directory_attributes 2 5 29 9 */ &(nid_objs[82]),/* OBJ_subject_key_identifier 2 5 29 14 */ &(nid_objs[83]),/* OBJ_key_usage 2 5 29 15 */ &(nid_objs[84]),/* OBJ_private_key_usage_period 2 5 29 16 */ @@ -3580,6 +3596,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[430]),/* OBJ_hold_instruction_code 2 5 29 23 */ &(nid_objs[142]),/* OBJ_invalidity_date 2 5 29 24 */ &(nid_objs[140]),/* OBJ_delta_crl 2 5 29 27 */ +&(nid_objs[770]),/* OBJ_issuing_distribution_point 2 5 29 28 */ +&(nid_objs[771]),/* OBJ_certificate_issuer 2 5 29 29 */ &(nid_objs[666]),/* OBJ_name_constraints 2 5 29 30 */ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ diff --git a/crypto/openssl-0.9/crypto/objects/obj_err.c b/crypto/openssl-0.9/crypto/objects/obj_err.c index 0682979b38..12b48850c6 100644 --- a/crypto/openssl-0.9/crypto/objects/obj_err.c +++ b/crypto/openssl-0.9/crypto/objects/obj_err.c @@ -91,15 +91,12 @@ static ERR_STRING_DATA OBJ_str_reasons[]= void ERR_load_OBJ_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(OBJ_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,OBJ_str_functs); ERR_load_strings(0,OBJ_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/objects/obj_mac.h b/crypto/openssl-0.9/crypto/objects/obj_mac.h index df4ad903f9..f447bbe69a 100644 --- a/crypto/openssl-0.9/crypto/objects/obj_mac.h +++ b/crypto/openssl-0.9/crypto/objects/obj_mac.h @@ -2044,6 +2044,11 @@ #define NID_id_ce 81 #define OBJ_id_ce OBJ_X500,29L +#define SN_subject_directory_attributes "subjectDirectoryAttributes" +#define LN_subject_directory_attributes "X509v3 Subject Directory Attributes" +#define NID_subject_directory_attributes 769 +#define OBJ_subject_directory_attributes OBJ_id_ce,9L + #define SN_subject_key_identifier "subjectKeyIdentifier" #define LN_subject_key_identifier "X509v3 Subject Key Identifier" #define NID_subject_key_identifier 82 @@ -2094,6 +2099,16 @@ #define NID_delta_crl 140 #define OBJ_delta_crl OBJ_id_ce,27L +#define SN_issuing_distribution_point "issuingDistributionPoint" +#define LN_issuing_distribution_point "X509v3 Issuing Distrubution Point" +#define NID_issuing_distribution_point 770 +#define OBJ_issuing_distribution_point OBJ_id_ce,28L + +#define SN_certificate_issuer "certificateIssuer" +#define LN_certificate_issuer "X509v3 Certificate Issuer" +#define NID_certificate_issuer 771 +#define OBJ_certificate_issuer OBJ_id_ce,29L + #define SN_name_constraints "nameConstraints" #define LN_name_constraints "X509v3 Name Constraints" #define NID_name_constraints 666 diff --git a/crypto/openssl-0.9/crypto/ocsp/ocsp_asn.c b/crypto/openssl-0.9/crypto/ocsp/ocsp_asn.c index 6a3a360d54..39b7a1c568 100644 --- a/crypto/openssl-0.9/crypto/ocsp/ocsp_asn.c +++ b/crypto/openssl-0.9/crypto/ocsp/ocsp_asn.c @@ -62,7 +62,7 @@ ASN1_SEQUENCE(OCSP_SIGNATURE) = { ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING), - ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0) + ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0) } ASN1_SEQUENCE_END(OCSP_SIGNATURE) IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE) diff --git a/crypto/openssl-0.9/crypto/ocsp/ocsp_err.c b/crypto/openssl-0.9/crypto/ocsp/ocsp_err.c index 2c8ed72884..ad62364f29 100644 --- a/crypto/openssl-0.9/crypto/ocsp/ocsp_err.c +++ b/crypto/openssl-0.9/crypto/ocsp/ocsp_err.c @@ -129,15 +129,12 @@ static ERR_STRING_DATA OCSP_str_reasons[]= void ERR_load_OCSP_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,OCSP_str_functs); ERR_load_strings(0,OCSP_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/ocsp/ocsp_vfy.c b/crypto/openssl-0.9/crypto/ocsp/ocsp_vfy.c index 3d58dfb06c..23ea41c847 100644 --- a/crypto/openssl-0.9/crypto/ocsp/ocsp_vfy.c +++ b/crypto/openssl-0.9/crypto/ocsp/ocsp_vfy.c @@ -367,7 +367,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *st return 0; } gen = req->tbsRequest->requestorName; - if (gen->type != GEN_DIRNAME) + if (!gen || gen->type != GEN_DIRNAME) { OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); return 0; diff --git a/crypto/openssl-0.9/crypto/opensslv.h b/crypto/openssl-0.9/crypto/opensslv.h index beedc19285..8a5b34e4f0 100644 --- a/crypto/openssl-0.9/crypto/opensslv.h +++ b/crypto/openssl-0.9/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090804f +#define OPENSSL_VERSION_NUMBER 0x0090805fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8d-fips 28 Sep 2006" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8e-fips 23 Feb 2007" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8d 28 Sep 2006" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8e 23 Feb 2007" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl-0.9/crypto/pem/pem.h b/crypto/openssl-0.9/crypto/pem/pem.h index 7db6b423d0..c28706ddc0 100644 --- a/crypto/openssl-0.9/crypto/pem/pem.h +++ b/crypto/openssl-0.9/crypto/pem/pem.h @@ -221,7 +221,7 @@ typedef struct pem_ctx_st type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u)\ { \ return(((type *(*)(D2I_OF(type),char *,FILE *,type **,pem_password_cb *,void *))openssl_fcast(PEM_ASN1_read))(d2i_##asn1, str,fp,x,cb,u)); \ -} \ +} #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \ int PEM_write_##name(FILE *fp, type *x) \ diff --git a/crypto/openssl-0.9/crypto/pem/pem_err.c b/crypto/openssl-0.9/crypto/pem/pem_err.c index 7837cde153..3133563d77 100644 --- a/crypto/openssl-0.9/crypto/pem/pem_err.c +++ b/crypto/openssl-0.9/crypto/pem/pem_err.c @@ -124,15 +124,12 @@ static ERR_STRING_DATA PEM_str_reasons[]= void ERR_load_PEM_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(PEM_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,PEM_str_functs); ERR_load_strings(0,PEM_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/pem/pem_lib.c b/crypto/openssl-0.9/crypto/pem/pem_lib.c index 7cfc2f3e0a..9bae4c8850 100644 --- a/crypto/openssl-0.9/crypto/pem/pem_lib.c +++ b/crypto/openssl-0.9/crypto/pem/pem_lib.c @@ -69,7 +69,7 @@ #include #endif -const char *PEM_version="PEM" OPENSSL_VERSION_PTEXT; +const char PEM_version[]="PEM" OPENSSL_VERSION_PTEXT; #define MIN_LENGTH 4 @@ -579,6 +579,7 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, } EVP_EncodeFinal(&ctx,buf,&outl); if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err; + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); buf = NULL; if ( (BIO_write(bp,"-----END ",9) != 9) || @@ -587,8 +588,10 @@ int PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, goto err; return(i+outl); err: - if (buf) + if (buf) { + OPENSSL_cleanse(buf, PEM_BUFSIZE*8); OPENSSL_free(buf); + } PEMerr(PEM_F_PEM_WRITE_BIO,reason); return(0); } diff --git a/crypto/openssl-0.9/crypto/pem/pem_pkey.c b/crypto/openssl-0.9/crypto/pem/pem_pkey.c index 2162a45323..4da4c31ce5 100644 --- a/crypto/openssl-0.9/crypto/pem/pem_pkey.c +++ b/crypto/openssl-0.9/crypto/pem/pem_pkey.c @@ -125,6 +125,7 @@ p8err: PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY,ERR_R_ASN1_LIB); err: OPENSSL_free(nm); + OPENSSL_cleanse(data, len); OPENSSL_free(data); return(ret); } diff --git a/crypto/openssl-0.9/crypto/pkcs12/pk12err.c b/crypto/openssl-0.9/crypto/pkcs12/pk12err.c index 5c92cb08e0..07a1fb6907 100644 --- a/crypto/openssl-0.9/crypto/pkcs12/pk12err.c +++ b/crypto/openssl-0.9/crypto/pkcs12/pk12err.c @@ -133,15 +133,12 @@ static ERR_STRING_DATA PKCS12_str_reasons[]= void ERR_load_PKCS12_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,PKCS12_str_functs); ERR_load_strings(0,PKCS12_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/pkcs7/pk7_doit.c b/crypto/openssl-0.9/crypto/pkcs7/pk7_doit.c index a4bbba0556..a03d7ebedf 100644 --- a/crypto/openssl-0.9/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl-0.9/crypto/pkcs7/pk7_doit.c @@ -217,7 +217,9 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) keylen=EVP_CIPHER_key_length(evp_cipher); ivlen=EVP_CIPHER_iv_length(evp_cipher); xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); - if (ivlen > 0) RAND_pseudo_bytes(iv,ivlen); + if (ivlen > 0) + if (RAND_pseudo_bytes(iv,ivlen) <= 0) + goto err; if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) goto err; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) @@ -226,10 +228,13 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) goto err; if (ivlen > 0) { - if (xalg->parameter == NULL) - xalg->parameter=ASN1_TYPE_new(); + if (xalg->parameter == NULL) { + xalg->parameter = ASN1_TYPE_new(); + if (xalg->parameter == NULL) + goto err; + } if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) - goto err; + goto err; } /* Lets do the pub key stuff :-) */ @@ -242,7 +247,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_CERIPEND_INFO); goto err; } - pkey=X509_get_pubkey(ri->cert); + if ((pkey=X509_get_pubkey(ri->cert)) == NULL) + goto err; jj=EVP_PKEY_size(pkey); EVP_PKEY_free(pkey); if (max < jj) max=jj; @@ -255,7 +261,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) for (i=0; icert); + if ((pkey=X509_get_pubkey(ri->cert)) == NULL) + goto err; jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey); EVP_PKEY_free(pkey); if (jj <= 0) @@ -291,6 +298,8 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) if(bio == NULL) { bio=BIO_new(BIO_s_mem()); + if (bio == NULL) + goto err; BIO_set_mem_eof_return(bio,0); } } @@ -541,6 +550,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) bio=BIO_new(BIO_s_mem()); BIO_set_mem_eof_return(bio,0); } + if (bio == NULL) + goto err; #endif } BIO_push(out,bio); @@ -695,9 +706,13 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) ERR_R_MALLOC_FAILURE); goto err; } - PKCS7_add_signed_attribute(si, + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, - V_ASN1_UTCTIME,sign_time); + V_ASN1_UTCTIME,sign_time)) + { + M_ASN1_UTCTIME_free(sign_time); + goto err; + } } /* Add digest */ @@ -714,11 +729,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); + M_ASN1_OCTET_STRING_free(digest); goto err; } - PKCS7_add_signed_attribute(si, + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest, - V_ASN1_OCTET_STRING,digest); + V_ASN1_OCTET_STRING,digest)) + { + M_ASN1_OCTET_STRING_free(digest); + goto err; + } /* Now sign the attributes */ EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL); @@ -976,8 +996,13 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) int i; i=OBJ_obj2nid(p7->type); - if (i != NID_pkcs7_signedAndEnveloped) return(NULL); + if (i != NID_pkcs7_signedAndEnveloped) + return NULL; + if (p7->d.signed_and_enveloped == NULL) + return NULL; rsk=p7->d.signed_and_enveloped->recipientinfo; + if (rsk == NULL) + return NULL; ri=sk_PKCS7_RECIP_INFO_value(rsk,0); if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL); ri=sk_PKCS7_RECIP_INFO_value(rsk,idx); @@ -1031,6 +1056,8 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, if (p7si->auth_attr != NULL) sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free); p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk); + if (p7si->auth_attr == NULL) + return 0; for (i=0; iauth_attr,i, @@ -1049,6 +1076,8 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk); + if (p7si->unauth_attr == NULL) + return 0; for (i=0; iunauth_attr,i, @@ -1078,10 +1107,16 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, if (*sk == NULL) { - *sk = sk_X509_ATTRIBUTE_new_null(); + if (!(*sk = sk_X509_ATTRIBUTE_new_null())) + return 0; new_attrib: - attr=X509_ATTRIBUTE_create(nid,atrtype,value); - sk_X509_ATTRIBUTE_push(*sk,attr); + if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) + return 0; + if (!sk_X509_ATTRIBUTE_push(*sk,attr)) + { + X509_ATTRIBUTE_free(attr); + return 0; + } } else { @@ -1094,7 +1129,13 @@ new_attrib: { X509_ATTRIBUTE_free(attr); attr=X509_ATTRIBUTE_create(nid,atrtype,value); - sk_X509_ATTRIBUTE_set(*sk,i,attr); + if (attr == NULL) + return 0; + if (!sk_X509_ATTRIBUTE_set(*sk,i,attr)) + { + X509_ATTRIBUTE_free(attr); + return 0; + } goto end; } } diff --git a/crypto/openssl-0.9/crypto/pkcs7/pk7_lib.c b/crypto/openssl-0.9/crypto/pkcs7/pk7_lib.c index 58ce6791c9..f2490941a3 100644 --- a/crypto/openssl-0.9/crypto/pkcs7/pk7_lib.c +++ b/crypto/openssl-0.9/crypto/pkcs7/pk7_lib.c @@ -271,16 +271,23 @@ int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) if (!j) /* we need to add another algorithm */ { if(!(alg=X509_ALGOR_new()) - || !(alg->parameter = ASN1_TYPE_new())) { + || !(alg->parameter = ASN1_TYPE_new())) + { + X509_ALGOR_free(alg); PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER,ERR_R_MALLOC_FAILURE); return(0); - } + } alg->algorithm=OBJ_nid2obj(nid); alg->parameter->type = V_ASN1_NULL; - sk_X509_ALGOR_push(md_sk,alg); + if (!sk_X509_ALGOR_push(md_sk,alg)) + { + X509_ALGOR_free(alg); + return 0; + } } - sk_PKCS7_SIGNER_INFO_push(signer_sk,psi); + if (!sk_PKCS7_SIGNER_INFO_push(signer_sk,psi)) + return 0; return(1); } @@ -305,8 +312,17 @@ int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) if (*sk == NULL) *sk=sk_X509_new_null(); + if (*sk == NULL) + { + PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE,ERR_R_MALLOC_FAILURE); + return 0; + } CRYPTO_add(&x509->references,1,CRYPTO_LOCK_X509); - sk_X509_push(*sk,x509); + if (!sk_X509_push(*sk,x509)) + { + X509_free(x509); + return 0; + } return(1); } @@ -331,9 +347,18 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) if (*sk == NULL) *sk=sk_X509_CRL_new_null(); + if (*sk == NULL) + { + PKCS7err(PKCS7_F_PKCS7_ADD_CRL,ERR_R_MALLOC_FAILURE); + return 0; + } CRYPTO_add(&crl->references,1,CRYPTO_LOCK_X509_CRL); - sk_X509_CRL_push(*sk,crl); + if (!sk_X509_CRL_push(*sk,crl)) + { + X509_CRL_free(crl); + return 0; + } return(1); } @@ -424,6 +449,7 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, if (!PKCS7_add_signer(p7,si)) goto err; return(si); err: + PKCS7_SIGNER_INFO_free(si); return(NULL); } @@ -468,6 +494,7 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) if (!PKCS7_add_recipient_info(p7,ri)) goto err; return(ri); err: + PKCS7_RECIP_INFO_free(ri); return(NULL); } @@ -490,7 +517,8 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) return(0); } - sk_PKCS7_RECIP_INFO_push(sk,ri); + if (!sk_PKCS7_RECIP_INFO_push(sk,ri)) + return 0; return(1); } diff --git a/crypto/openssl-0.9/crypto/pkcs7/pk7_smime.c b/crypto/openssl-0.9/crypto/pkcs7/pk7_smime.c index dc835e5b8a..fab85137b7 100644 --- a/crypto/openssl-0.9/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl-0.9/crypto/pkcs7/pk7_smime.c @@ -66,10 +66,10 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags) { - PKCS7 *p7; + PKCS7 *p7 = NULL; PKCS7_SIGNER_INFO *si; - BIO *p7bio; - STACK_OF(X509_ALGOR) *smcap; + BIO *p7bio = NULL; + STACK_OF(X509_ALGOR) *smcap = NULL; int i; if(!X509_check_private_key(signcert, pkey)) { @@ -82,48 +82,58 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, return NULL; } - PKCS7_set_type(p7, NID_pkcs7_signed); + if (!PKCS7_set_type(p7, NID_pkcs7_signed)) + goto err; - PKCS7_content_new(p7, NID_pkcs7_data); + if (!PKCS7_content_new(p7, NID_pkcs7_data)) + goto err; - if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { + if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) { PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); - PKCS7_free(p7); - return NULL; + goto err; } if(!(flags & PKCS7_NOCERTS)) { - PKCS7_add_certificate(p7, signcert); + if (!PKCS7_add_certificate(p7, signcert)) + goto err; if(certs) for(i = 0; i < sk_X509_num(certs); i++) - PKCS7_add_certificate(p7, sk_X509_value(certs, i)); + if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i))) + goto err; } if(!(flags & PKCS7_NOATTR)) { - PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, - V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)); + if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data))) + goto err; /* Add SMIMECapabilities */ if(!(flags & PKCS7_NOSMIMECAP)) { if(!(smcap = sk_X509_ALGOR_new_null())) { PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); - PKCS7_free(p7); - return NULL; + goto err; } #ifndef OPENSSL_NO_DES - PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1); + if (!PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1)) + goto err; #endif #ifndef OPENSSL_NO_RC2 - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128); - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64); + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128)) + goto err; + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64)) + goto err; #endif #ifndef OPENSSL_NO_DES - PKCS7_simple_smimecap (smcap, NID_des_cbc, -1); + if (!PKCS7_simple_smimecap (smcap, NID_des_cbc, -1)) + goto err; #endif #ifndef OPENSSL_NO_RC2 - PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40); + if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40)) + goto err; #endif - PKCS7_add_attrib_smimecap (si, smcap); + if (!PKCS7_add_attrib_smimecap (si, smcap)) + goto err; sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + smcap = NULL; } } @@ -135,22 +145,24 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, if (!(p7bio = PKCS7_dataInit(p7, NULL))) { PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE); - PKCS7_free(p7); - return NULL; + goto err; } SMIME_crlf_copy(data, p7bio, flags); - if (!PKCS7_dataFinal(p7,p7bio)) { + if (!PKCS7_dataFinal(p7,p7bio)) { PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN); - PKCS7_free(p7); - BIO_free_all(p7bio); - return NULL; + goto err; } BIO_free_all(p7bio); return p7; +err: + sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + BIO_free_all(p7bio); + PKCS7_free(p7); + return NULL; } int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, @@ -262,7 +274,8 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, tmpin = indata; - p7bio=PKCS7_dataInit(p7,tmpin); + if (!(p7bio=PKCS7_dataInit(p7,tmpin))) + goto err; if(flags & PKCS7_TEXT) { if(!(tmpout = BIO_new(BIO_s_mem()))) { @@ -341,7 +354,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) if(sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) { PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_NO_SIGNERS); - return 0; + return NULL; } if(!(signers = sk_X509_new_null())) { @@ -364,10 +377,13 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) if (!signer) { PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS,PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND); sk_X509_free(signers); - return 0; + return NULL; } - sk_X509_push(signers, signer); + if (!sk_X509_push(signers, signer)) { + sk_X509_free(signers); + return NULL; + } } return signers; } @@ -387,7 +403,8 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, return NULL; } - PKCS7_set_type(p7, NID_pkcs7_enveloped); + if (!PKCS7_set_type(p7, NID_pkcs7_enveloped)) + goto err; if(!PKCS7_set_cipher(p7, cipher)) { PKCS7err(PKCS7_F_PKCS7_ENCRYPT,PKCS7_R_ERROR_SETTING_CIPHER); goto err; @@ -421,7 +438,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, err: - BIO_free(p7bio); + BIO_free_all(p7bio); PKCS7_free(p7); return NULL; @@ -459,10 +476,13 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */ if(!(tmpbuf = BIO_new(BIO_f_buffer()))) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); + BIO_free_all(tmpmem); return 0; } if(!(bread = BIO_push(tmpbuf, tmpmem))) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); + BIO_free_all(tmpbuf); + BIO_free_all(tmpmem); return 0; } ret = SMIME_text(bread, data); diff --git a/crypto/openssl-0.9/crypto/pkcs7/pkcs7err.c b/crypto/openssl-0.9/crypto/pkcs7/pkcs7err.c index 4cd293472f..c0e3d4cd33 100644 --- a/crypto/openssl-0.9/crypto/pkcs7/pkcs7err.c +++ b/crypto/openssl-0.9/crypto/pkcs7/pkcs7err.c @@ -156,15 +156,12 @@ static ERR_STRING_DATA PKCS7_str_reasons[]= void ERR_load_PKCS7_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(PKCS7_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,PKCS7_str_functs); ERR_load_strings(0,PKCS7_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/rand/md_rand.c b/crypto/openssl-0.9/crypto/rand/md_rand.c index 6e10f6ef67..9783d0c23e 100644 --- a/crypto/openssl-0.9/crypto/rand/md_rand.c +++ b/crypto/openssl-0.9/crypto/rand/md_rand.c @@ -152,7 +152,7 @@ static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */ int rand_predictable=0; #endif -const char *RAND_version="RAND" OPENSSL_VERSION_PTEXT; +const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT; static void ssleay_rand_cleanup(void); static void ssleay_rand_seed(const void *buf, int num); diff --git a/crypto/openssl-0.9/crypto/rand/rand_err.c b/crypto/openssl-0.9/crypto/rand/rand_err.c index b2f2448b66..386934dcd1 100644 --- a/crypto/openssl-0.9/crypto/rand/rand_err.c +++ b/crypto/openssl-0.9/crypto/rand/rand_err.c @@ -85,15 +85,12 @@ static ERR_STRING_DATA RAND_str_reasons[]= void ERR_load_RAND_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(RAND_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,RAND_str_functs); ERR_load_strings(0,RAND_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/rc2/rc2_ecb.c b/crypto/openssl-0.9/crypto/rc2/rc2_ecb.c index d3e8c2718a..fff86c7af8 100644 --- a/crypto/openssl-0.9/crypto/rc2/rc2_ecb.c +++ b/crypto/openssl-0.9/crypto/rc2/rc2_ecb.c @@ -60,7 +60,7 @@ #include "rc2_locl.h" #include -const char *RC2_version="RC2" OPENSSL_VERSION_PTEXT; +const char RC2_version[]="RC2" OPENSSL_VERSION_PTEXT; /* RC2 as implemented frm a posting from * Newsgroups: sci.crypt diff --git a/crypto/openssl-0.9/crypto/rc4/rc4_skey.c b/crypto/openssl-0.9/crypto/rc4/rc4_skey.c index 781ff2d8b9..b22c40b0bd 100644 --- a/crypto/openssl-0.9/crypto/rc4/rc4_skey.c +++ b/crypto/openssl-0.9/crypto/rc4/rc4_skey.c @@ -60,7 +60,7 @@ #include "rc4_locl.h" #include -const char *RC4_version="RC4" OPENSSL_VERSION_PTEXT; +const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT; const char *RC4_options(void) { diff --git a/crypto/openssl-0.9/crypto/ripemd/ripemd.h b/crypto/openssl-0.9/crypto/ripemd/ripemd.h index 06bd67183b..033a5965b5 100644 --- a/crypto/openssl-0.9/crypto/ripemd/ripemd.h +++ b/crypto/openssl-0.9/crypto/ripemd/ripemd.h @@ -60,6 +60,7 @@ #define HEADER_RIPEMD_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl-0.9/crypto/ripemd/rmd_dgst.c b/crypto/openssl-0.9/crypto/ripemd/rmd_dgst.c index 03a286dfcc..9608a8fd0e 100644 --- a/crypto/openssl-0.9/crypto/ripemd/rmd_dgst.c +++ b/crypto/openssl-0.9/crypto/ripemd/rmd_dgst.c @@ -60,7 +60,7 @@ #include "rmd_locl.h" #include -const char *RMD160_version="RIPE-MD160" OPENSSL_VERSION_PTEXT; +const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT; # ifdef RMD160_ASM void ripemd160_block_x86(RIPEMD160_CTX *c, unsigned long *p,size_t num); diff --git a/crypto/openssl-0.9/crypto/rsa/rsa_err.c b/crypto/openssl-0.9/crypto/rsa/rsa_err.c index da7a4fb4c2..fe3ba1b44b 100644 --- a/crypto/openssl-0.9/crypto/rsa/rsa_err.c +++ b/crypto/openssl-0.9/crypto/rsa/rsa_err.c @@ -100,7 +100,7 @@ static ERR_STRING_DATA RSA_str_functs[]= {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23), "RSA_padding_check_SSLv23"}, {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931), "RSA_padding_check_X931"}, {ERR_FUNC(RSA_F_RSA_PRINT), "RSA_print"}, -{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_PRINT_FP"}, +{ERR_FUNC(RSA_F_RSA_PRINT_FP), "RSA_print_fp"}, {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING), "RSA_setup_blinding"}, {ERR_FUNC(RSA_F_RSA_SIGN), "RSA_sign"}, {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING), "RSA_sign_ASN1_OCTET_STRING"}, @@ -160,15 +160,12 @@ static ERR_STRING_DATA RSA_str_reasons[]= void ERR_load_RSA_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,RSA_str_functs); ERR_load_strings(0,RSA_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/rsa/rsa_lib.c b/crypto/openssl-0.9/crypto/rsa/rsa_lib.c index 66cd15ff6d..cca32c098d 100644 --- a/crypto/openssl-0.9/crypto/rsa/rsa_lib.c +++ b/crypto/openssl-0.9/crypto/rsa/rsa_lib.c @@ -67,7 +67,7 @@ #include #endif -const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT; +const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT; static const RSA_METHOD *default_RSA_meth=NULL; diff --git a/crypto/openssl-0.9/crypto/sha/sha.h b/crypto/openssl-0.9/crypto/sha/sha.h index a83bd3cace..eed44d7f94 100644 --- a/crypto/openssl-0.9/crypto/sha/sha.h +++ b/crypto/openssl-0.9/crypto/sha/sha.h @@ -60,6 +60,7 @@ #define HEADER_SHA_H #include +#include #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl-0.9/crypto/sha/sha1dgst.c b/crypto/openssl-0.9/crypto/sha/sha1dgst.c index 447ce53e17..50d1925cde 100644 --- a/crypto/openssl-0.9/crypto/sha/sha1dgst.c +++ b/crypto/openssl-0.9/crypto/sha/sha1dgst.c @@ -64,7 +64,7 @@ #include -const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT; +const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT; /* The implementation is in ../md32_common.h */ diff --git a/crypto/openssl-0.9/crypto/sha/sha256.c b/crypto/openssl-0.9/crypto/sha/sha256.c index bbc20da0e9..05ae9445db 100644 --- a/crypto/openssl-0.9/crypto/sha/sha256.c +++ b/crypto/openssl-0.9/crypto/sha/sha256.c @@ -14,7 +14,7 @@ #include #include -const char *SHA256_version="SHA-256" OPENSSL_VERSION_PTEXT; +const char SHA256_version[]="SHA-256" OPENSSL_VERSION_PTEXT; int SHA224_Init (SHA256_CTX *c) { diff --git a/crypto/openssl-0.9/crypto/sha/sha512.c b/crypto/openssl-0.9/crypto/sha/sha512.c index f965cff692..39d18b8fb4 100644 --- a/crypto/openssl-0.9/crypto/sha/sha512.c +++ b/crypto/openssl-0.9/crypto/sha/sha512.c @@ -50,7 +50,7 @@ #include "cryptlib.h" -const char *SHA512_version="SHA-512" OPENSSL_VERSION_PTEXT; +const char SHA512_version[]="SHA-512" OPENSSL_VERSION_PTEXT; #if defined(_M_IX86) || defined(_M_AMD64) || defined(__i386) || defined(__x86_64) #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA diff --git a/crypto/openssl-0.9/crypto/sha/sha_dgst.c b/crypto/openssl-0.9/crypto/sha/sha_dgst.c index 60465d0c3e..70eb56032c 100644 --- a/crypto/openssl-0.9/crypto/sha/sha_dgst.c +++ b/crypto/openssl-0.9/crypto/sha/sha_dgst.c @@ -64,7 +64,7 @@ #include -const char *SHA_version="SHA" OPENSSL_VERSION_PTEXT; +const char SHA_version[]="SHA" OPENSSL_VERSION_PTEXT; /* The implementation is in ../md32_common.h */ diff --git a/crypto/openssl-0.9/crypto/stack/safestack.h b/crypto/openssl-0.9/crypto/stack/safestack.h index e5f5be9f9c..d496f365c2 100644 --- a/crypto/openssl-0.9/crypto/stack/safestack.h +++ b/crypto/openssl-0.9/crypto/stack/safestack.h @@ -234,6 +234,28 @@ STACK_OF(type) \ #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st)) #define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st)) +#define sk_ASIdOrRange_new(st) SKM_sk_new(ASIdOrRange, (st)) +#define sk_ASIdOrRange_new_null() SKM_sk_new_null(ASIdOrRange) +#define sk_ASIdOrRange_free(st) SKM_sk_free(ASIdOrRange, (st)) +#define sk_ASIdOrRange_num(st) SKM_sk_num(ASIdOrRange, (st)) +#define sk_ASIdOrRange_value(st, i) SKM_sk_value(ASIdOrRange, (st), (i)) +#define sk_ASIdOrRange_set(st, i, val) SKM_sk_set(ASIdOrRange, (st), (i), (val)) +#define sk_ASIdOrRange_zero(st) SKM_sk_zero(ASIdOrRange, (st)) +#define sk_ASIdOrRange_push(st, val) SKM_sk_push(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_unshift(st, val) SKM_sk_unshift(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_find(st, val) SKM_sk_find(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_find_ex(st, val) SKM_sk_find_ex(ASIdOrRange, (st), (val)) +#define sk_ASIdOrRange_delete(st, i) SKM_sk_delete(ASIdOrRange, (st), (i)) +#define sk_ASIdOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(ASIdOrRange, (st), (ptr)) +#define sk_ASIdOrRange_insert(st, val, i) SKM_sk_insert(ASIdOrRange, (st), (val), (i)) +#define sk_ASIdOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ASIdOrRange, (st), (cmp)) +#define sk_ASIdOrRange_dup(st) SKM_sk_dup(ASIdOrRange, st) +#define sk_ASIdOrRange_pop_free(st, free_func) SKM_sk_pop_free(ASIdOrRange, (st), (free_func)) +#define sk_ASIdOrRange_shift(st) SKM_sk_shift(ASIdOrRange, (st)) +#define sk_ASIdOrRange_pop(st) SKM_sk_pop(ASIdOrRange, (st)) +#define sk_ASIdOrRange_sort(st) SKM_sk_sort(ASIdOrRange, (st)) +#define sk_ASIdOrRange_is_sorted(st) SKM_sk_is_sorted(ASIdOrRange, (st)) + #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st)) #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING) #define sk_ASN1_GENERALSTRING_free(st) SKM_sk_free(ASN1_GENERALSTRING, (st)) @@ -608,6 +630,50 @@ STACK_OF(type) \ #define sk_GENERAL_SUBTREE_sort(st) SKM_sk_sort(GENERAL_SUBTREE, (st)) #define sk_GENERAL_SUBTREE_is_sorted(st) SKM_sk_is_sorted(GENERAL_SUBTREE, (st)) +#define sk_IPAddressFamily_new(st) SKM_sk_new(IPAddressFamily, (st)) +#define sk_IPAddressFamily_new_null() SKM_sk_new_null(IPAddressFamily) +#define sk_IPAddressFamily_free(st) SKM_sk_free(IPAddressFamily, (st)) +#define sk_IPAddressFamily_num(st) SKM_sk_num(IPAddressFamily, (st)) +#define sk_IPAddressFamily_value(st, i) SKM_sk_value(IPAddressFamily, (st), (i)) +#define sk_IPAddressFamily_set(st, i, val) SKM_sk_set(IPAddressFamily, (st), (i), (val)) +#define sk_IPAddressFamily_zero(st) SKM_sk_zero(IPAddressFamily, (st)) +#define sk_IPAddressFamily_push(st, val) SKM_sk_push(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_unshift(st, val) SKM_sk_unshift(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_find(st, val) SKM_sk_find(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_find_ex(st, val) SKM_sk_find_ex(IPAddressFamily, (st), (val)) +#define sk_IPAddressFamily_delete(st, i) SKM_sk_delete(IPAddressFamily, (st), (i)) +#define sk_IPAddressFamily_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressFamily, (st), (ptr)) +#define sk_IPAddressFamily_insert(st, val, i) SKM_sk_insert(IPAddressFamily, (st), (val), (i)) +#define sk_IPAddressFamily_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressFamily, (st), (cmp)) +#define sk_IPAddressFamily_dup(st) SKM_sk_dup(IPAddressFamily, st) +#define sk_IPAddressFamily_pop_free(st, free_func) SKM_sk_pop_free(IPAddressFamily, (st), (free_func)) +#define sk_IPAddressFamily_shift(st) SKM_sk_shift(IPAddressFamily, (st)) +#define sk_IPAddressFamily_pop(st) SKM_sk_pop(IPAddressFamily, (st)) +#define sk_IPAddressFamily_sort(st) SKM_sk_sort(IPAddressFamily, (st)) +#define sk_IPAddressFamily_is_sorted(st) SKM_sk_is_sorted(IPAddressFamily, (st)) + +#define sk_IPAddressOrRange_new(st) SKM_sk_new(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_new_null() SKM_sk_new_null(IPAddressOrRange) +#define sk_IPAddressOrRange_free(st) SKM_sk_free(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_num(st) SKM_sk_num(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_value(st, i) SKM_sk_value(IPAddressOrRange, (st), (i)) +#define sk_IPAddressOrRange_set(st, i, val) SKM_sk_set(IPAddressOrRange, (st), (i), (val)) +#define sk_IPAddressOrRange_zero(st) SKM_sk_zero(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_push(st, val) SKM_sk_push(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_unshift(st, val) SKM_sk_unshift(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_find(st, val) SKM_sk_find(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_find_ex(st, val) SKM_sk_find_ex(IPAddressOrRange, (st), (val)) +#define sk_IPAddressOrRange_delete(st, i) SKM_sk_delete(IPAddressOrRange, (st), (i)) +#define sk_IPAddressOrRange_delete_ptr(st, ptr) SKM_sk_delete_ptr(IPAddressOrRange, (st), (ptr)) +#define sk_IPAddressOrRange_insert(st, val, i) SKM_sk_insert(IPAddressOrRange, (st), (val), (i)) +#define sk_IPAddressOrRange_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(IPAddressOrRange, (st), (cmp)) +#define sk_IPAddressOrRange_dup(st) SKM_sk_dup(IPAddressOrRange, st) +#define sk_IPAddressOrRange_pop_free(st, free_func) SKM_sk_pop_free(IPAddressOrRange, (st), (free_func)) +#define sk_IPAddressOrRange_shift(st) SKM_sk_shift(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_pop(st) SKM_sk_pop(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_sort(st) SKM_sk_sort(IPAddressOrRange, (st)) +#define sk_IPAddressOrRange_is_sorted(st) SKM_sk_is_sorted(IPAddressOrRange, (st)) + #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st)) #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) #define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st)) diff --git a/crypto/openssl-0.9/crypto/stack/stack.c b/crypto/openssl-0.9/crypto/stack/stack.c index 5967a2c735..378bd7c796 100644 --- a/crypto/openssl-0.9/crypto/stack/stack.c +++ b/crypto/openssl-0.9/crypto/stack/stack.c @@ -73,7 +73,7 @@ #undef MIN_NODES #define MIN_NODES 4 -const char *STACK_version="Stack" OPENSSL_VERSION_PTEXT; +const char STACK_version[]="Stack" OPENSSL_VERSION_PTEXT; #include diff --git a/crypto/openssl-0.9/crypto/store/str_err.c b/crypto/openssl-0.9/crypto/store/str_err.c index 5c6fe832e8..6fee649822 100644 --- a/crypto/openssl-0.9/crypto/store/str_err.c +++ b/crypto/openssl-0.9/crypto/store/str_err.c @@ -200,15 +200,12 @@ static ERR_STRING_DATA STORE_str_reasons[]= void ERR_load_STORE_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(STORE_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,STORE_str_functs); ERR_load_strings(0,STORE_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/txt_db/txt_db.c b/crypto/openssl-0.9/crypto/txt_db/txt_db.c index e9e503eb07..3ed5f72ee9 100644 --- a/crypto/openssl-0.9/crypto/txt_db/txt_db.c +++ b/crypto/openssl-0.9/crypto/txt_db/txt_db.c @@ -66,7 +66,7 @@ #undef BUFSIZE #define BUFSIZE 512 -const char *TXT_DB_version="TXT_DB" OPENSSL_VERSION_PTEXT; +const char TXT_DB_version[]="TXT_DB" OPENSSL_VERSION_PTEXT; TXT_DB *TXT_DB_read(BIO *in, int num) { diff --git a/crypto/openssl-0.9/crypto/ui/ui_err.c b/crypto/openssl-0.9/crypto/ui/ui_err.c index d983cdd66f..786bd0dbc3 100644 --- a/crypto/openssl-0.9/crypto/ui/ui_err.c +++ b/crypto/openssl-0.9/crypto/ui/ui_err.c @@ -101,15 +101,12 @@ static ERR_STRING_DATA UI_str_reasons[]= void ERR_load_UI_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(UI_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,UI_str_functs); ERR_load_strings(0,UI_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/x509/by_dir.c b/crypto/openssl-0.9/crypto/x509/by_dir.c index ea689aed1a..37f9a48206 100644 --- a/crypto/openssl-0.9/crypto/x509/by_dir.c +++ b/crypto/openssl-0.9/crypto/x509/by_dir.c @@ -189,7 +189,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) s=dir; p=s; - for (;;) + for (;;p++) { if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) { @@ -198,8 +198,11 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) len=(int)(p-ss); if (len == 0) continue; for (j=0; jnum_dirs; j++) - if (strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) - continue; + if (strlen(ctx->dirs[j]) == (size_t)len && + strncmp(ctx->dirs[j],ss,(unsigned int)len) == 0) + break; + if (jnum_dirs) + continue; if (ctx->num_dirs_alloced < (ctx->num_dirs+1)) { ctx->num_dirs_alloced+=10; @@ -231,7 +234,6 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) ctx->num_dirs++; } if (*p == '\0') break; - p++; } return(1); } diff --git a/crypto/openssl-0.9/crypto/x509/x509.h b/crypto/openssl-0.9/crypto/x509/x509.h index 66990ae5a8..16a954f709 100644 --- a/crypto/openssl-0.9/crypto/x509/x509.h +++ b/crypto/openssl-0.9/crypto/x509/x509.h @@ -288,6 +288,10 @@ struct x509_st ASN1_OCTET_STRING *skid; struct AUTHORITY_KEYID_st *akid; X509_POLICY_CACHE *policy_cache; +#ifndef OPENSSL_NO_RFC3779 + STACK_OF(IPAddressFamily) *rfc3779_addr; + struct ASIdentifiers_st *rfc3779_asid; +#endif #ifndef OPENSSL_NO_SHA unsigned char sha1_hash[SHA_DIGEST_LENGTH]; #endif diff --git a/crypto/openssl-0.9/crypto/x509/x509_err.c b/crypto/openssl-0.9/crypto/x509/x509_err.c index b7bc383a50..fb377292da 100644 --- a/crypto/openssl-0.9/crypto/x509/x509_err.c +++ b/crypto/openssl-0.9/crypto/x509/x509_err.c @@ -150,15 +150,12 @@ static ERR_STRING_DATA X509_str_reasons[]= void ERR_load_X509_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(X509_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,X509_str_functs); ERR_load_strings(0,X509_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/x509/x509_req.c b/crypto/openssl-0.9/crypto/x509/x509_req.c index ab13bcfc06..3872e1fb64 100644 --- a/crypto/openssl-0.9/crypto/x509/x509_req.c +++ b/crypto/openssl-0.9/crypto/x509/x509_req.c @@ -242,6 +242,11 @@ int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, at = NULL; attr->single = 0; attr->object = OBJ_nid2obj(nid); + if (!req->req_info->attributes) + { + if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null())) + goto err; + } if(!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) goto err; return 1; err: diff --git a/crypto/openssl-0.9/crypto/x509/x509_txt.c b/crypto/openssl-0.9/crypto/x509/x509_txt.c index 7dd2b761d9..a80c87eef3 100644 --- a/crypto/openssl-0.9/crypto/x509/x509_txt.c +++ b/crypto/openssl-0.9/crypto/x509/x509_txt.c @@ -162,6 +162,8 @@ const char *X509_verify_cert_error_string(long n) return("invalid or inconsistent certificate policy extension"); case X509_V_ERR_NO_EXPLICIT_POLICY: return("no explicit policy"); + case X509_V_ERR_UNNESTED_RESOURCE: + return("RFC 3779 resource not subset of parent's resources"); default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); diff --git a/crypto/openssl-0.9/crypto/x509/x509_vfy.c b/crypto/openssl-0.9/crypto/x509/x509_vfy.c index 79dae3d3bf..07df21f6b9 100644 --- a/crypto/openssl-0.9/crypto/x509/x509_vfy.c +++ b/crypto/openssl-0.9/crypto/x509/x509_vfy.c @@ -79,7 +79,7 @@ static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); static int internal_verify(X509_STORE_CTX *ctx); -const char *X509_version="X.509" OPENSSL_VERSION_PTEXT; +const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; static int null_callback(int ok, X509_STORE_CTX *e) @@ -312,6 +312,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok=internal_verify(ctx); if(!ok) goto end; +#ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); + if (!ok) goto end; + ok = v3_addr_validate_path(ctx); + if (!ok) goto end; +#endif + /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) ok = ctx->check_policy(ctx); @@ -1460,9 +1468,16 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { if (ctx->cleanup) ctx->cleanup(ctx); - X509_VERIFY_PARAM_free(ctx->param); - if (ctx->tree) + if (ctx->param != NULL) + { + X509_VERIFY_PARAM_free(ctx->param); + ctx->param=NULL; + } + if (ctx->tree != NULL) + { X509_policy_tree_free(ctx->tree); + ctx->tree=NULL; + } if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain,X509_free); diff --git a/crypto/openssl-0.9/crypto/x509/x509_vfy.h b/crypto/openssl-0.9/crypto/x509/x509_vfy.h index 3f16330444..76c76e1719 100644 --- a/crypto/openssl-0.9/crypto/x509/x509_vfy.h +++ b/crypto/openssl-0.9/crypto/x509/x509_vfy.h @@ -331,6 +331,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_ERR_INVALID_POLICY_EXTENSION 42 #define X509_V_ERR_NO_EXPLICIT_POLICY 43 +#define X509_V_ERR_UNNESTED_RESOURCE 44 /* The application is not happy */ #define X509_V_ERR_APPLICATION_VERIFICATION 50 diff --git a/crypto/openssl-0.9/crypto/x509v3/ext_dat.h b/crypto/openssl-0.9/crypto/x509v3/ext_dat.h index 3596684687..5c063ac65d 100644 --- a/crypto/openssl-0.9/crypto/x509v3/ext_dat.h +++ b/crypto/openssl-0.9/crypto/x509v3/ext_dat.h @@ -67,6 +67,9 @@ extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp; +#ifndef OPENSSL_NO_RFC3779 +extern X509V3_EXT_METHOD v3_addr, v3_asid; +#endif /* This table will be searched using OBJ_bsearch so it *must* kept in * order of the ext_nid values. @@ -99,6 +102,10 @@ static X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_RFC3779 +&v3_addr, +&v3_asid, +#endif #ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, diff --git a/crypto/openssl-0.9/crypto/x509v3/pcy_tree.c b/crypto/openssl-0.9/crypto/x509v3/pcy_tree.c index 1c68ce3352..27d29f25a8 100644 --- a/crypto/openssl-0.9/crypto/x509v3/pcy_tree.c +++ b/crypto/openssl-0.9/crypto/x509v3/pcy_tree.c @@ -197,7 +197,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* Any matching allowed if certificate is self * issued and not the last in the chain. */ - if (!(x->ex_flags && EXFLAG_SS) || (i == 0)) + if (!(x->ex_flags & EXFLAG_SS) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else @@ -628,6 +628,16 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, /* Tree OK: continue */ case 1: + if (!tree) + /* + * tree_init() returns success and a null tree + * if it's just looking at a trust anchor. + * I'm not sure that returning success here is + * correct, but I'm sure that reporting this + * as an internal error which our caller + * interprets as a malloc failure is wrong. + */ + return 1; break; } diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_addr.c b/crypto/openssl-0.9/crypto/x509v3/v3_addr.c new file mode 100644 index 0000000000..ed9847b307 --- /dev/null +++ b/crypto/openssl-0.9/crypto/x509v3/v3_addr.c @@ -0,0 +1,1280 @@ +/* + * Contributed to the OpenSSL Project by the American Registry for + * Internet Numbers ("ARIN"). + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + */ + +/* + * Implementation of RFC 3779 section 2.2. + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#include + +#ifndef OPENSSL_NO_RFC3779 + +/* + * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. + */ + +ASN1_SEQUENCE(IPAddressRange) = { + ASN1_SIMPLE(IPAddressRange, min, ASN1_BIT_STRING), + ASN1_SIMPLE(IPAddressRange, max, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(IPAddressRange) + +ASN1_CHOICE(IPAddressOrRange) = { + ASN1_SIMPLE(IPAddressOrRange, u.addressPrefix, ASN1_BIT_STRING), + ASN1_SIMPLE(IPAddressOrRange, u.addressRange, IPAddressRange) +} ASN1_CHOICE_END(IPAddressOrRange) + +ASN1_CHOICE(IPAddressChoice) = { + ASN1_SIMPLE(IPAddressChoice, u.inherit, ASN1_NULL), + ASN1_SEQUENCE_OF(IPAddressChoice, u.addressesOrRanges, IPAddressOrRange) +} ASN1_CHOICE_END(IPAddressChoice) + +ASN1_SEQUENCE(IPAddressFamily) = { + ASN1_SIMPLE(IPAddressFamily, addressFamily, ASN1_OCTET_STRING), + ASN1_SIMPLE(IPAddressFamily, ipAddressChoice, IPAddressChoice) +} ASN1_SEQUENCE_END(IPAddressFamily) + +ASN1_ITEM_TEMPLATE(IPAddrBlocks) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, + IPAddrBlocks, IPAddressFamily) +ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) + +IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressChoice) +IMPLEMENT_ASN1_FUNCTIONS(IPAddressFamily) + +/* + * How much buffer space do we need for a raw address? + */ +#define ADDR_RAW_BUF_LEN 16 + +/* + * What's the address length associated with this AFI? + */ +static int length_from_afi(const unsigned afi) +{ + switch (afi) { + case IANA_AFI_IPV4: + return 4; + case IANA_AFI_IPV6: + return 16; + default: + return 0; + } +} + +/* + * Extract the AFI from an IPAddressFamily. + */ +unsigned v3_addr_get_afi(const IPAddressFamily *f) +{ + return ((f != NULL && + f->addressFamily != NULL && + f->addressFamily->data != NULL) + ? ((f->addressFamily->data[0] << 8) | + (f->addressFamily->data[1])) + : 0); +} + +/* + * Expand the bitstring form of an address into a raw byte array. + * At the moment this is coded for simplicity, not speed. + */ +static void addr_expand(unsigned char *addr, + const ASN1_BIT_STRING *bs, + const int length, + const unsigned char fill) +{ + assert(bs->length >= 0 && bs->length <= length); + if (bs->length > 0) { + memcpy(addr, bs->data, bs->length); + if ((bs->flags & 7) != 0) { + unsigned char mask = 0xFF >> (8 - (bs->flags & 7)); + if (fill == 0) + addr[bs->length - 1] &= ~mask; + else + addr[bs->length - 1] |= mask; + } + } + memset(addr + bs->length, fill, length - bs->length); +} + +/* + * Extract the prefix length from a bitstring. + */ +#define addr_prefixlen(bs) ((int) ((bs)->length * 8 - ((bs)->flags & 7))) + +/* + * i2r handler for one address bitstring. + */ +static int i2r_address(BIO *out, + const unsigned afi, + const unsigned char fill, + const ASN1_BIT_STRING *bs) +{ + unsigned char addr[ADDR_RAW_BUF_LEN]; + int i, n; + + switch (afi) { + case IANA_AFI_IPV4: + addr_expand(addr, bs, 4, fill); + BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); + break; + case IANA_AFI_IPV6: + addr_expand(addr, bs, 16, fill); + for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) + ; + for (i = 0; i < n; i += 2) + BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); + if (i < 16) + BIO_puts(out, ":"); + break; + default: + for (i = 0; i < bs->length; i++) + BIO_printf(out, "%s%02x", (i > 0 ? ":" : ""), bs->data[i]); + BIO_printf(out, "[%d]", (int) (bs->flags & 7)); + break; + } + return 1; +} + +/* + * i2r handler for a sequence of addresses and ranges. + */ +static int i2r_IPAddressOrRanges(BIO *out, + const int indent, + const IPAddressOrRanges *aors, + const unsigned afi) +{ + int i; + for (i = 0; i < sk_IPAddressOrRange_num(aors); i++) { + const IPAddressOrRange *aor = sk_IPAddressOrRange_value(aors, i); + BIO_printf(out, "%*s", indent, ""); + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + if (!i2r_address(out, afi, 0x00, aor->u.addressPrefix)) + return 0; + BIO_printf(out, "/%d\n", addr_prefixlen(aor->u.addressPrefix)); + continue; + case IPAddressOrRange_addressRange: + if (!i2r_address(out, afi, 0x00, aor->u.addressRange->min)) + return 0; + BIO_puts(out, "-"); + if (!i2r_address(out, afi, 0xFF, aor->u.addressRange->max)) + return 0; + BIO_puts(out, "\n"); + continue; + } + } + return 1; +} + +/* + * i2r handler for an IPAddrBlocks extension. + */ +static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, + void *ext, + BIO *out, + int indent) +{ + const IPAddrBlocks *addr = ext; + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + const unsigned afi = v3_addr_get_afi(f); + switch (afi) { + case IANA_AFI_IPV4: + BIO_printf(out, "%*sIPv4", indent, ""); + break; + case IANA_AFI_IPV6: + BIO_printf(out, "%*sIPv6", indent, ""); + break; + default: + BIO_printf(out, "%*sUnknown AFI %u", indent, "", afi); + break; + } + if (f->addressFamily->length > 2) { + switch (f->addressFamily->data[2]) { + case 1: + BIO_puts(out, " (Unicast)"); + break; + case 2: + BIO_puts(out, " (Multicast)"); + break; + case 3: + BIO_puts(out, " (Unicast/Multicast)"); + break; + case 4: + BIO_puts(out, " (MPLS)"); + break; + case 64: + BIO_puts(out, " (Tunnel)"); + break; + case 65: + BIO_puts(out, " (VPLS)"); + break; + case 66: + BIO_puts(out, " (BGP MDT)"); + break; + case 128: + BIO_puts(out, " (MPLS-labeled VPN)"); + break; + default: + BIO_printf(out, " (Unknown SAFI %u)", + (unsigned) f->addressFamily->data[2]); + break; + } + } + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + BIO_puts(out, ": inherit\n"); + break; + case IPAddressChoice_addressesOrRanges: + BIO_puts(out, ":\n"); + if (!i2r_IPAddressOrRanges(out, + indent + 2, + f->ipAddressChoice->u.addressesOrRanges, + afi)) + return 0; + break; + } + } + return 1; +} + +/* + * Sort comparison function for a sequence of IPAddressOrRange + * elements. + */ +static int IPAddressOrRange_cmp(const IPAddressOrRange *a, + const IPAddressOrRange *b, + const int length) +{ + unsigned char addr_a[ADDR_RAW_BUF_LEN], addr_b[ADDR_RAW_BUF_LEN]; + int prefixlen_a = 0; + int prefixlen_b = 0; + int r; + + switch (a->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(addr_a, a->u.addressPrefix, length, 0x00); + prefixlen_a = addr_prefixlen(a->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + addr_expand(addr_a, a->u.addressRange->min, length, 0x00); + prefixlen_a = length * 8; + break; + } + + switch (b->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(addr_b, b->u.addressPrefix, length, 0x00); + prefixlen_b = addr_prefixlen(b->u.addressPrefix); + break; + case IPAddressOrRange_addressRange: + addr_expand(addr_b, b->u.addressRange->min, length, 0x00); + prefixlen_b = length * 8; + break; + } + + if ((r = memcmp(addr_a, addr_b, length)) != 0) + return r; + else + return prefixlen_a - prefixlen_b; +} + +/* + * IPv4-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparision routines are only allowed two arguments. + */ +static int v4IPAddressOrRange_cmp(const IPAddressOrRange * const *a, + const IPAddressOrRange * const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 4); +} + +/* + * IPv6-specific closure over IPAddressOrRange_cmp, since sk_sort() + * comparision routines are only allowed two arguments. + */ +static int v6IPAddressOrRange_cmp(const IPAddressOrRange * const *a, + const IPAddressOrRange * const *b) +{ + return IPAddressOrRange_cmp(*a, *b, 16); +} + +/* + * Calculate whether a range collapses to a prefix. + * See last paragraph of RFC 3779 2.2.3.7. + */ +static int range_should_be_prefix(const unsigned char *min, + const unsigned char *max, + const int length) +{ + unsigned char mask; + int i, j; + + for (i = 0; i < length && min[i] == max[i]; i++) + ; + for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) + ; + if (i < j) + return -1; + if (i > j) + return i * 8; + mask = min[i] ^ max[i]; + switch (mask) { + case 0x01: j = 7; break; + case 0x03: j = 6; break; + case 0x07: j = 5; break; + case 0x0F: j = 4; break; + case 0x1F: j = 3; break; + case 0x3F: j = 2; break; + case 0x7F: j = 1; break; + default: return -1; + } + if ((min[i] & mask) != 0 || (max[i] & mask) != mask) + return -1; + else + return i * 8 + j; +} + +/* + * Construct a prefix. + */ +static int make_addressPrefix(IPAddressOrRange **result, + unsigned char *addr, + const int prefixlen) +{ + int bytelen = (prefixlen + 7) / 8, bitlen = prefixlen % 8; + IPAddressOrRange *aor = IPAddressOrRange_new(); + + if (aor == NULL) + return 0; + aor->type = IPAddressOrRange_addressPrefix; + if (aor->u.addressPrefix == NULL && + (aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, bytelen)) + goto err; + aor->u.addressPrefix->flags &= ~7; + aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (bitlen > 0) { + aor->u.addressPrefix->data[bytelen - 1] &= ~(0xFF >> bitlen); + aor->u.addressPrefix->flags |= 8 - bitlen; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a range. If it can be expressed as a prefix, + * return a prefix instead. Doing this here simplifies + * the rest of the code considerably. + */ +static int make_addressRange(IPAddressOrRange **result, + unsigned char *min, + unsigned char *max, + const int length) +{ + IPAddressOrRange *aor; + int i, prefixlen; + + if ((prefixlen = range_should_be_prefix(min, max, length)) >= 0) + return make_addressPrefix(result, min, prefixlen); + + if ((aor = IPAddressOrRange_new()) == NULL) + return 0; + aor->type = IPAddressOrRange_addressRange; + assert(aor->u.addressRange == NULL); + if ((aor->u.addressRange = IPAddressRange_new()) == NULL) + goto err; + if (aor->u.addressRange->min == NULL && + (aor->u.addressRange->min = ASN1_BIT_STRING_new()) == NULL) + goto err; + if (aor->u.addressRange->max == NULL && + (aor->u.addressRange->max = ASN1_BIT_STRING_new()) == NULL) + goto err; + + for (i = length; i > 0 && min[i - 1] == 0x00; --i) + ; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) + goto err; + aor->u.addressRange->min->flags &= ~7; + aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = min[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != 0) + ++j; + aor->u.addressRange->min->flags |= 8 - j; + } + + for (i = length; i > 0 && max[i - 1] == 0xFF; --i) + ; + if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) + goto err; + aor->u.addressRange->max->flags &= ~7; + aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (i > 0) { + unsigned char b = max[i - 1]; + int j = 1; + while ((b & (0xFFU >> j)) != (0xFFU >> j)) + ++j; + aor->u.addressRange->max->flags |= 8 - j; + } + + *result = aor; + return 1; + + err: + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Construct a new address family or find an existing one. + */ +static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f; + unsigned char key[3]; + unsigned keylen; + int i; + + key[0] = (afi >> 8) & 0xFF; + key[1] = afi & 0xFF; + if (safi != NULL) { + key[2] = *safi & 0xFF; + keylen = 3; + } else { + keylen = 2; + } + + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + f = sk_IPAddressFamily_value(addr, i); + assert(f->addressFamily->data != NULL); + if (f->addressFamily->length == keylen && + !memcmp(f->addressFamily->data, key, keylen)) + return f; + } + + if ((f = IPAddressFamily_new()) == NULL) + goto err; + if (f->ipAddressChoice == NULL && + (f->ipAddressChoice = IPAddressChoice_new()) == NULL) + goto err; + if (f->addressFamily == NULL && + (f->addressFamily = ASN1_OCTET_STRING_new()) == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(f->addressFamily, key, keylen)) + goto err; + if (!sk_IPAddressFamily_push(addr, f)) + goto err; + + return f; + + err: + IPAddressFamily_free(f); + return NULL; +} + +/* + * Add an inheritance element. + */ +int v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && + f->ipAddressChoice->u.addressesOrRanges != NULL)) + return 0; + if (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL) + return 1; + if (f->ipAddressChoice->u.inherit == NULL && + (f->ipAddressChoice->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + f->ipAddressChoice->type = IPAddressChoice_inherit; + return 1; +} + +/* + * Construct an IPAddressOrRange sequence, or return an existing one. + */ +static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi) +{ + IPAddressFamily *f = make_IPAddressFamily(addr, afi, safi); + IPAddressOrRanges *aors = NULL; + + if (f == NULL || + f->ipAddressChoice == NULL || + (f->ipAddressChoice->type == IPAddressChoice_inherit && + f->ipAddressChoice->u.inherit != NULL)) + return NULL; + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) + aors = f->ipAddressChoice->u.addressesOrRanges; + if (aors != NULL) + return aors; + if ((aors = sk_IPAddressOrRange_new_null()) == NULL) + return NULL; + switch (afi) { + case IANA_AFI_IPV4: + sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); + break; + case IANA_AFI_IPV6: + sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); + break; + } + f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; + f->ipAddressChoice->u.addressesOrRanges = aors; + return aors; +} + +/* + * Add a prefix. + */ +int v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *a, + const int prefixlen) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + if (aors == NULL || !make_addressPrefix(&aor, a, prefixlen)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Add a range. + */ +int v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, + const unsigned *safi, + unsigned char *min, + unsigned char *max) +{ + IPAddressOrRanges *aors = make_prefix_or_range(addr, afi, safi); + IPAddressOrRange *aor; + int length = length_from_afi(afi); + if (aors == NULL) + return 0; + if (!make_addressRange(&aor, min, max, length)) + return 0; + if (sk_IPAddressOrRange_push(aors, aor)) + return 1; + IPAddressOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an IPAddressOrRange. + */ +static void extract_min_max(IPAddressOrRange *aor, + unsigned char *min, + unsigned char *max, + int length) +{ + assert(aor != NULL && min != NULL && max != NULL); + switch (aor->type) { + case IPAddressOrRange_addressPrefix: + addr_expand(min, aor->u.addressPrefix, length, 0x00); + addr_expand(max, aor->u.addressPrefix, length, 0xFF); + return; + case IPAddressOrRange_addressRange: + addr_expand(min, aor->u.addressRange->min, length, 0x00); + addr_expand(max, aor->u.addressRange->max, length, 0xFF); + return; + } +} + +/* + * Public wrapper for extract_min_max(). + */ +int v3_addr_get_range(IPAddressOrRange *aor, + const unsigned afi, + unsigned char *min, + unsigned char *max, + const int length) +{ + int afi_length = length_from_afi(afi); + if (aor == NULL || min == NULL || max == NULL || + afi_length == 0 || length < afi_length || + (aor->type != IPAddressOrRange_addressPrefix && + aor->type != IPAddressOrRange_addressRange)) + return 0; + extract_min_max(aor, min, max, afi_length); + return afi_length; +} + +/* + * Sort comparision function for a sequence of IPAddressFamily. + * + * The last paragraph of RFC 3779 2.2.3.3 is slightly ambiguous about + * the ordering: I can read it as meaning that IPv6 without a SAFI + * comes before IPv4 with a SAFI, which seems pretty weird. The + * examples in appendix B suggest that the author intended the + * null-SAFI rule to apply only within a single AFI, which is what I + * would have expected and is what the following code implements. + */ +static int IPAddressFamily_cmp(const IPAddressFamily * const *a_, + const IPAddressFamily * const *b_) +{ + const ASN1_OCTET_STRING *a = (*a_)->addressFamily; + const ASN1_OCTET_STRING *b = (*b_)->addressFamily; + int len = ((a->length <= b->length) ? a->length : b->length); + int cmp = memcmp(a->data, b->data, len); + return cmp ? cmp : a->length - b->length; +} + +/* + * Check whether an IPAddrBLocks is in canonical form. + */ +int v3_addr_is_canonical(IPAddrBlocks *addr) +{ + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + IPAddressOrRanges *aors; + int i, j, k; + + /* + * Empty extension is cannonical. + */ + if (addr == NULL) + return 1; + + /* + * Check whether the top-level list is in order. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr) - 1; i++) { + const IPAddressFamily *a = sk_IPAddressFamily_value(addr, i); + const IPAddressFamily *b = sk_IPAddressFamily_value(addr, i + 1); + if (IPAddressFamily_cmp(&a, &b) >= 0) + return 0; + } + + /* + * Top level's ok, now check each address family. + */ + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + int length = length_from_afi(v3_addr_get_afi(f)); + + /* + * Inheritance is canonical. Anything other than inheritance or + * a SEQUENCE OF IPAddressOrRange is an ASN.1 error or something. + */ + if (f == NULL || f->ipAddressChoice == NULL) + return 0; + switch (f->ipAddressChoice->type) { + case IPAddressChoice_inherit: + continue; + case IPAddressChoice_addressesOrRanges: + break; + default: + return 0; + } + + /* + * It's an IPAddressOrRanges sequence, check it. + */ + aors = f->ipAddressChoice->u.addressesOrRanges; + if (sk_IPAddressOrRange_num(aors) == 0) + return 0; + for (j = 0; j < sk_IPAddressOrRange_num(aors) - 1; j++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); + + extract_min_max(a, a_min, a_max, length); + extract_min_max(b, b_min, b_max, length); + + /* + * Punt misordered list, overlapping start, or inverted range. + */ + if (memcmp(a_min, b_min, length) >= 0 || + memcmp(a_min, a_max, length) > 0 || + memcmp(b_min, b_max, length) > 0) + return 0; + + /* + * Punt if adjacent or overlapping. Check for adjacency by + * subtracting one from b_min first. + */ + for (k = length - 1; k >= 0 && b_min[k]-- == 0x00; k--) + ; + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Check for range that should be expressed as a prefix. + */ + if (a->type == IPAddressOrRange_addressRange && + range_should_be_prefix(a_min, a_max, length) >= 0) + return 0; + } + + /* + * Check final range to see if it should be a prefix. + */ + j = sk_IPAddressOrRange_num(aors) - 1; + { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); + if (a->type == IPAddressOrRange_addressRange) { + extract_min_max(a, a_min, a_max, length); + if (range_should_be_prefix(a_min, a_max, length) >= 0) + return 0; + } + } + } + + /* + * If we made it through all that, we're happy. + */ + return 1; +} + +/* + * Whack an IPAddressOrRanges into canonical form. + */ +static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors, + const unsigned afi) +{ + int i, j, length = length_from_afi(afi); + + /* + * Sort the IPAddressOrRanges sequence. + */ + sk_IPAddressOrRange_sort(aors); + + /* + * Clean up representation issues, punt on duplicates or overlaps. + */ + for (i = 0; i < sk_IPAddressOrRange_num(aors) - 1; i++) { + IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, i); + IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, i + 1); + unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; + unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; + + extract_min_max(a, a_min, a_max, length); + extract_min_max(b, b_min, b_max, length); + + /* + * Punt overlaps. + */ + if (memcmp(a_max, b_min, length) >= 0) + return 0; + + /* + * Merge if a and b are adjacent. We check for + * adjacency by subtracting one from b_min first. + */ + for (j = length - 1; j >= 0 && b_min[j]-- == 0x00; j--) + ; + if (memcmp(a_max, b_min, length) == 0) { + IPAddressOrRange *merged; + if (!make_addressRange(&merged, a_min, b_max, length)) + return 0; + sk_IPAddressOrRange_set(aors, i, merged); + sk_IPAddressOrRange_delete(aors, i + 1); + IPAddressOrRange_free(a); + IPAddressOrRange_free(b); + --i; + continue; + } + } + + return 1; +} + +/* + * Whack an IPAddrBlocks extension into canonical form. + */ +int v3_addr_canonize(IPAddrBlocks *addr) +{ + int i; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == IPAddressChoice_addressesOrRanges && + !IPAddressOrRanges_canonize(f->ipAddressChoice->u.addressesOrRanges, + v3_addr_get_afi(f))) + return 0; + } + sk_IPAddressFamily_sort(addr); + assert(v3_addr_is_canonical(addr)); + return 1; +} + +/* + * v2i handler for the IPAddrBlocks extension. + */ +static void *v2i_IPAddrBlocks(struct v3_ext_method *method, + struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values) +{ + static const char v4addr_chars[] = "0123456789."; + static const char v6addr_chars[] = "0123456789.:abcdefABCDEF"; + IPAddrBlocks *addr = NULL; + char *s = NULL, *t; + int i; + + if ((addr = sk_IPAddressFamily_new(IPAddressFamily_cmp)) == NULL) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + unsigned char min[ADDR_RAW_BUF_LEN], max[ADDR_RAW_BUF_LEN]; + unsigned afi, *safi = NULL, safi_; + const char *addr_chars; + int prefixlen, i1, i2, delim, length; + + if ( !name_cmp(val->name, "IPv4")) { + afi = IANA_AFI_IPV4; + } else if (!name_cmp(val->name, "IPv6")) { + afi = IANA_AFI_IPV6; + } else if (!name_cmp(val->name, "IPv4-SAFI")) { + afi = IANA_AFI_IPV4; + safi = &safi_; + } else if (!name_cmp(val->name, "IPv6-SAFI")) { + afi = IANA_AFI_IPV6; + safi = &safi_; + } else { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + switch (afi) { + case IANA_AFI_IPV4: + addr_chars = v4addr_chars; + break; + case IANA_AFI_IPV6: + addr_chars = v6addr_chars; + break; + } + + length = length_from_afi(afi); + + /* + * Handle SAFI, if any, and BUF_strdup() so we can null-terminate + * the other input values. + */ + if (safi != NULL) { + *safi = strtoul(val->value, &t, 0); + t += strspn(t, " \t"); + if (*safi > 0xFF || *t++ != ':') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_SAFI); + X509V3_conf_err(val); + goto err; + } + t += strspn(t, " \t"); + s = BUF_strdup(t); + } else { + s = BUF_strdup(val->value); + } + if (s == NULL) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + + /* + * Check for inheritance. Not worth additional complexity to + * optimize this (seldom-used) case. + */ + if (!strcmp(s, "inherit")) { + if (!v3_addr_add_inherit(addr, afi, safi)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + OPENSSL_free(s); + s = NULL; + continue; + } + + i1 = strspn(s, addr_chars); + i2 = i1 + strspn(s + i1, " \t"); + delim = s[i2++]; + s[i1] = '\0'; + + if (a2i_ipadd(min, s) != length) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + + switch (delim) { + case '/': + prefixlen = (int) strtoul(s + i2, &t, 10); + if (t == s + i2 || *t != '\0') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (!v3_addr_add_prefix(addr, afi, safi, min, prefixlen)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '-': + i1 = i2 + strspn(s + i2, " \t"); + i2 = i1 + strspn(s + i1, addr_chars); + if (i1 == i2 || s[i2] != '\0') { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + if (a2i_ipadd(max, s + i1) != length) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_INVALID_IPADDRESS); + X509V3_conf_err(val); + goto err; + } + if (!v3_addr_add_range(addr, afi, safi, min, max)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + case '\0': + if (!v3_addr_add_prefix(addr, afi, safi, min, length * 8)) { + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); + goto err; + } + break; + default: + X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR); + X509V3_conf_err(val); + goto err; + } + + OPENSSL_free(s); + s = NULL; + } + + /* + * Canonize the result, then we're done. + */ + if (!v3_addr_canonize(addr)) + goto err; + return addr; + + err: + OPENSSL_free(s); + sk_IPAddressFamily_pop_free(addr, IPAddressFamily_free); + return NULL; +} + +/* + * OpenSSL dispatch + */ +const X509V3_EXT_METHOD v3_addr = { + NID_sbgp_ipAddrBlock, /* nid */ + 0, /* flags */ + ASN1_ITEM_ref(IPAddrBlocks), /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_IPAddrBlocks, /* v2i */ + i2r_IPAddrBlocks, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension sues inheritance. + */ +int v3_addr_inherits(IPAddrBlocks *addr) +{ + int i; + if (addr == NULL) + return 0; + for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { + IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); + if (f->ipAddressChoice->type == IPAddressChoice_inherit) + return 1; + } + return 0; +} + +/* + * Figure out whether parent contains child. + */ +static int addr_contains(IPAddressOrRanges *parent, + IPAddressOrRanges *child, + int length) +{ + unsigned char p_min[ADDR_RAW_BUF_LEN], p_max[ADDR_RAW_BUF_LEN]; + unsigned char c_min[ADDR_RAW_BUF_LEN], c_max[ADDR_RAW_BUF_LEN]; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { + extract_min_max(sk_IPAddressOrRange_value(child, c), + c_min, c_max, length); + for (;; p++) { + if (p >= sk_IPAddressOrRange_num(parent)) + return 0; + extract_min_max(sk_IPAddressOrRange_value(parent, p), + p_min, p_max, length); + if (memcmp(p_max, c_max, length) < 0) + continue; + if (memcmp(p_min, c_min, length) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subset of b. + */ +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) +{ + int i; + if (a == NULL || a == b) + return 1; + if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) + return 0; + sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); + for (i = 0; i < sk_IPAddressFamily_num(a); i++) { + IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); + int j = sk_IPAddressFamily_find(b, fa); + IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, + fa->ipAddressChoice->u.addressesOrRanges, + length_from_afi(v3_addr_get_afi(fb)))) + return 0; + } + return 1; +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 2.3 path validation. + */ +static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + IPAddrBlocks *ext) +{ + IPAddrBlocks *child = NULL; + int i, j, ret = 1; + X509 *x = NULL; + + assert(chain != NULL && sk_X509_num(chain) > 0); + assert(ctx != NULL || ext != NULL); + assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to + * check, we're done. Otherwise, check canonical form and + * set up for walking up the chain. + */ + if (ext != NULL) { + i = -1; + } else { + i = 0; + x = sk_X509_value(chain, i); + assert(x != NULL); + if ((ext = x->rfc3779_addr) == NULL) + goto done; + } + if (!v3_addr_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); + if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { + X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); + ret = 0; + goto done; + } + + /* + * Now walk up the chain. No cert may list resources that its + * parent doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + assert(x != NULL); + if (!v3_addr_is_canonical(x->rfc3779_addr)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_addr == NULL) { + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + if (fc->ipAddressChoice->type != IPAddressChoice_inherit) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + } + continue; + } + sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); + for (j = 0; j < sk_IPAddressFamily_num(child); j++) { + IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); + int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, k); + if (fp == NULL) { + if (fc->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + break; + } + continue; + } + if (fp->ipAddressChoice->type == IPAddressChoice_addressesOrRanges) { + if (fc->ipAddressChoice->type == IPAddressChoice_inherit || + addr_contains(fp->ipAddressChoice->u.addressesOrRanges, + fc->ipAddressChoice->u.addressesOrRanges, + length_from_afi(v3_addr_get_afi(fc)))) + sk_IPAddressFamily_set(child, j, fp); + else + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_addr != NULL) { + for (j = 0; j < sk_IPAddressFamily_num(x->rfc3779_addr); j++) { + IPAddressFamily *fp = sk_IPAddressFamily_value(x->rfc3779_addr, j); + if (fp->ipAddressChoice->type == IPAddressChoice_inherit && + sk_IPAddressFamily_find(child, fp) >= 0) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + + done: + sk_IPAddressFamily_free(child); + return ret; +} + +#undef validation_err + +/* + * RFC 3779 2.3 path validation -- called from X509_verify_cert(). + */ +int v3_addr_validate_path(X509_STORE_CTX *ctx) +{ + return v3_addr_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 2.3 path validation of an extension. + * Test whether chain covers extension. + */ +int v3_addr_validate_resource_set(STACK_OF(X509) *chain, + IPAddrBlocks *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && v3_addr_inherits(ext)) + return 0; + return v3_addr_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_akey.c b/crypto/openssl-0.9/crypto/x509v3/v3_akey.c index c481b6f12d..ac0548b775 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_akey.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_akey.c @@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_akey_id = +const X509V3_EXT_METHOD v3_akey_id = { NID_authority_key_identifier, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_KEYID), diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_alt.c b/crypto/openssl-0.9/crypto/x509v3/v3_alt.c index b38b3dbfe6..bb2f5bc54e 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_alt.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_alt.c @@ -68,7 +68,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens); static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx); -X509V3_EXT_METHOD v3_alt[] = { +const X509V3_EXT_METHOD v3_alt[] = { { NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_asid.c b/crypto/openssl-0.9/crypto/x509v3/v3_asid.c new file mode 100644 index 0000000000..271930f967 --- /dev/null +++ b/crypto/openssl-0.9/crypto/x509v3/v3_asid.c @@ -0,0 +1,842 @@ +/* + * Contributed to the OpenSSL Project by the American Registry for + * Internet Numbers ("ARIN"). + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + */ + +/* + * Implementation of RFC 3779 section 3.2. + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include + +#ifndef OPENSSL_NO_RFC3779 + +/* + * OpenSSL ASN.1 template translation of RFC 3779 3.2.3. + */ + +ASN1_SEQUENCE(ASRange) = { + ASN1_SIMPLE(ASRange, min, ASN1_INTEGER), + ASN1_SIMPLE(ASRange, max, ASN1_INTEGER) +} ASN1_SEQUENCE_END(ASRange) + +ASN1_CHOICE(ASIdOrRange) = { + ASN1_SIMPLE(ASIdOrRange, u.id, ASN1_INTEGER), + ASN1_SIMPLE(ASIdOrRange, u.range, ASRange) +} ASN1_CHOICE_END(ASIdOrRange) + +ASN1_CHOICE(ASIdentifierChoice) = { + ASN1_SIMPLE(ASIdentifierChoice, u.inherit, ASN1_NULL), + ASN1_SEQUENCE_OF(ASIdentifierChoice, u.asIdsOrRanges, ASIdOrRange) +} ASN1_CHOICE_END(ASIdentifierChoice) + +ASN1_SEQUENCE(ASIdentifiers) = { + ASN1_EXP_OPT(ASIdentifiers, asnum, ASIdentifierChoice, 0), + ASN1_EXP_OPT(ASIdentifiers, rdi, ASIdentifierChoice, 1) +} ASN1_SEQUENCE_END(ASIdentifiers) + +IMPLEMENT_ASN1_FUNCTIONS(ASRange) +IMPLEMENT_ASN1_FUNCTIONS(ASIdOrRange) +IMPLEMENT_ASN1_FUNCTIONS(ASIdentifierChoice) +IMPLEMENT_ASN1_FUNCTIONS(ASIdentifiers) + +/* + * i2r method for an ASIdentifierChoice. + */ +static int i2r_ASIdentifierChoice(BIO *out, + ASIdentifierChoice *choice, + int indent, + const char *msg) +{ + int i; + char *s; + if (choice == NULL) + return 1; + BIO_printf(out, "%*s%s:\n", indent, "", msg); + switch (choice->type) { + case ASIdentifierChoice_inherit: + BIO_printf(out, "%*sinherit\n", indent + 2, ""); + break; + case ASIdentifierChoice_asIdsOrRanges: + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges); i++) { + ASIdOrRange *aor = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + switch (aor->type) { + case ASIdOrRange_id: + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.id)) == NULL) + return 0; + BIO_printf(out, "%*s%s\n", indent + 2, "", s); + OPENSSL_free(s); + break; + case ASIdOrRange_range: + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->min)) == NULL) + return 0; + BIO_printf(out, "%*s%s-", indent + 2, "", s); + OPENSSL_free(s); + if ((s = i2s_ASN1_INTEGER(NULL, aor->u.range->max)) == NULL) + return 0; + BIO_printf(out, "%s\n", s); + OPENSSL_free(s); + break; + default: + return 0; + } + } + break; + default: + return 0; + } + return 1; +} + +/* + * i2r method for an ASIdentifier extension. + */ +static int i2r_ASIdentifiers(X509V3_EXT_METHOD *method, + void *ext, + BIO *out, + int indent) +{ + ASIdentifiers *asid = ext; + return (i2r_ASIdentifierChoice(out, asid->asnum, indent, + "Autonomous System Numbers") && + i2r_ASIdentifierChoice(out, asid->rdi, indent, + "Routing Domain Identifiers")); +} + +/* + * Sort comparision function for a sequence of ASIdOrRange elements. + */ +static int ASIdOrRange_cmp(const ASIdOrRange * const *a_, + const ASIdOrRange * const *b_) +{ + const ASIdOrRange *a = *a_, *b = *b_; + + assert((a->type == ASIdOrRange_id && a->u.id != NULL) || + (a->type == ASIdOrRange_range && a->u.range != NULL && + a->u.range->min != NULL && a->u.range->max != NULL)); + + assert((b->type == ASIdOrRange_id && b->u.id != NULL) || + (b->type == ASIdOrRange_range && b->u.range != NULL && + b->u.range->min != NULL && b->u.range->max != NULL)); + + if (a->type == ASIdOrRange_id && b->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.id); + + if (a->type == ASIdOrRange_range && b->type == ASIdOrRange_range) { + int r = ASN1_INTEGER_cmp(a->u.range->min, b->u.range->min); + return r != 0 ? r : ASN1_INTEGER_cmp(a->u.range->max, b->u.range->max); + } + + if (a->type == ASIdOrRange_id) + return ASN1_INTEGER_cmp(a->u.id, b->u.range->min); + else + return ASN1_INTEGER_cmp(a->u.range->min, b->u.id); +} + +/* + * Add an inherit element. + */ +int v3_asid_add_inherit(ASIdentifiers *asid, int which) +{ + ASIdentifierChoice **choice; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + assert((*choice)->u.inherit == NULL); + if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_inherit; + } + return (*choice)->type == ASIdentifierChoice_inherit; +} + +/* + * Add an ID or range to an ASIdentifierChoice. + */ +int v3_asid_add_id_or_range(ASIdentifiers *asid, + int which, + ASN1_INTEGER *min, + ASN1_INTEGER *max) +{ + ASIdentifierChoice **choice; + ASIdOrRange *aor; + if (asid == NULL) + return 0; + switch (which) { + case V3_ASID_ASNUM: + choice = &asid->asnum; + break; + case V3_ASID_RDI: + choice = &asid->rdi; + break; + default: + return 0; + } + if (*choice != NULL && (*choice)->type == ASIdentifierChoice_inherit) + return 0; + if (*choice == NULL) { + if ((*choice = ASIdentifierChoice_new()) == NULL) + return 0; + assert((*choice)->u.asIdsOrRanges == NULL); + (*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp); + if ((*choice)->u.asIdsOrRanges == NULL) + return 0; + (*choice)->type = ASIdentifierChoice_asIdsOrRanges; + } + if ((aor = ASIdOrRange_new()) == NULL) + return 0; + if (max == NULL) { + aor->type = ASIdOrRange_id; + aor->u.id = min; + } else { + aor->type = ASIdOrRange_range; + if ((aor->u.range = ASRange_new()) == NULL) + goto err; + ASN1_INTEGER_free(aor->u.range->min); + aor->u.range->min = min; + ASN1_INTEGER_free(aor->u.range->max); + aor->u.range->max = max; + } + if (!(sk_ASIdOrRange_push((*choice)->u.asIdsOrRanges, aor))) + goto err; + return 1; + + err: + ASIdOrRange_free(aor); + return 0; +} + +/* + * Extract min and max values from an ASIdOrRange. + */ +static void extract_min_max(ASIdOrRange *aor, + ASN1_INTEGER **min, + ASN1_INTEGER **max) +{ + assert(aor != NULL && min != NULL && max != NULL); + switch (aor->type) { + case ASIdOrRange_id: + *min = aor->u.id; + *max = aor->u.id; + return; + case ASIdOrRange_range: + *min = aor->u.range->min; + *max = aor->u.range->max; + return; + } +} + +/* + * Check whether an ASIdentifierChoice is in canonical form. + */ +static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Empty element or inheritance is canonical. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * If not a list, or if empty list, it's broken. + */ + if (choice->type != ASIdentifierChoice_asIdsOrRanges || + sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) + return 0; + + /* + * It's a list, check it. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); + ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; + + extract_min_max(a, &a_min, &a_max); + extract_min_max(b, &b_min, &b_max); + + /* + * Punt misordered list, overlapping start, or inverted range. + */ + if (ASN1_INTEGER_cmp(a_min, b_min) >= 0 || + ASN1_INTEGER_cmp(a_min, a_max) > 0 || + ASN1_INTEGER_cmp(b_min, b_max) > 0) + goto done; + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1) || + (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL, + ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * Punt if adjacent or overlapping. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) >= 0) + goto done; + } + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Check whether an ASIdentifier extension is in canonical form. + */ +int v3_asid_is_canonical(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_is_canonical(asid->asnum) || + ASIdentifierChoice_is_canonical(asid->rdi))); +} + +/* + * Whack an ASIdentifierChoice into canonical form. + */ +static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice) +{ + ASN1_INTEGER *a_max_plus_one = NULL; + BIGNUM *bn = NULL; + int i, ret = 0; + + /* + * Nothing to do for empty element or inheritance. + */ + if (choice == NULL || choice->type == ASIdentifierChoice_inherit) + return 1; + + /* + * We have a list. Sort it. + */ + assert(choice->type == ASIdentifierChoice_asIdsOrRanges); + sk_ASIdOrRange_sort(choice->u.asIdsOrRanges); + + /* + * Now check for errors and suboptimal encoding, rejecting the + * former and fixing the latter. + */ + for (i = 0; i < sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; i++) { + ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i); + ASIdOrRange *b = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i + 1); + ASN1_INTEGER *a_min, *a_max, *b_min, *b_max; + + extract_min_max(a, &a_min, &a_max); + extract_min_max(b, &b_min, &b_max); + + /* + * Make sure we're properly sorted (paranoia). + */ + assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); + + /* + * Check for overlaps. + */ + if (ASN1_INTEGER_cmp(a_max, b_min) >= 0) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + X509V3_R_EXTENSION_VALUE_ERROR); + goto done; + } + + /* + * Calculate a_max + 1 to check for adjacency. + */ + if ((bn == NULL && (bn = BN_new()) == NULL) || + ASN1_INTEGER_to_BN(a_max, bn) == NULL || + !BN_add_word(bn, 1) || + (a_max_plus_one = BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, ERR_R_MALLOC_FAILURE); + goto done; + } + + /* + * If a and b are adjacent, merge them. + */ + if (ASN1_INTEGER_cmp(a_max_plus_one, b_min) == 0) { + ASRange *r; + switch (a->type) { + case ASIdOrRange_id: + if ((r = OPENSSL_malloc(sizeof(ASRange))) == NULL) { + X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE, + ERR_R_MALLOC_FAILURE); + goto done; + } + r->min = a_min; + r->max = b_max; + a->type = ASIdOrRange_range; + a->u.range = r; + break; + case ASIdOrRange_range: + ASN1_INTEGER_free(a->u.range->max); + a->u.range->max = b_max; + break; + } + switch (b->type) { + case ASIdOrRange_id: + b->u.id = NULL; + break; + case ASIdOrRange_range: + b->u.range->max = NULL; + break; + } + ASIdOrRange_free(b); + sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1); + i--; + continue; + } + } + + assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */ + + ret = 1; + + done: + ASN1_INTEGER_free(a_max_plus_one); + BN_free(bn); + return ret; +} + +/* + * Whack an ASIdentifier extension into canonical form. + */ +int v3_asid_canonize(ASIdentifiers *asid) +{ + return (asid == NULL || + (ASIdentifierChoice_canonize(asid->asnum) && + ASIdentifierChoice_canonize(asid->rdi))); +} + +/* + * v2i method for an ASIdentifier extension. + */ +static void *v2i_ASIdentifiers(struct v3_ext_method *method, + struct v3_ext_ctx *ctx, + STACK_OF(CONF_VALUE) *values) +{ + ASIdentifiers *asid = NULL; + int i; + + if ((asid = ASIdentifiers_new()) == NULL) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + return NULL; + } + + for (i = 0; i < sk_CONF_VALUE_num(values); i++) { + CONF_VALUE *val = sk_CONF_VALUE_value(values, i); + ASN1_INTEGER *min = NULL, *max = NULL; + int i1, i2, i3, is_range, which; + + /* + * Figure out whether this is an AS or an RDI. + */ + if ( !name_cmp(val->name, "AS")) { + which = V3_ASID_ASNUM; + } else if (!name_cmp(val->name, "RDI")) { + which = V3_ASID_RDI; + } else { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_NAME_ERROR); + X509V3_conf_err(val); + goto err; + } + + /* + * Handle inheritance. + */ + if (!strcmp(val->value, "inherit")) { + if (v3_asid_add_inherit(asid, which)) + continue; + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_INHERITANCE); + X509V3_conf_err(val); + goto err; + } + + /* + * Number, range, or mistake, pick it apart and figure out which. + */ + i1 = strspn(val->value, "0123456789"); + if (val->value[i1] == '\0') { + is_range = 0; + } else { + is_range = 1; + i2 = i1 + strspn(val->value + i1, " \t"); + if (val->value[i2] != '-') { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASNUMBER); + X509V3_conf_err(val); + goto err; + } + i2++; + i2 = i2 + strspn(val->value + i2, " \t"); + i3 = i2 + strspn(val->value + i2, "0123456789"); + if (val->value[i3] != '\0') { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_INVALID_ASRANGE); + X509V3_conf_err(val); + goto err; + } + } + + /* + * Syntax is ok, read and add it. + */ + if (!is_range) { + if (!X509V3_get_value_int(val, &min)) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } else { + char *s = BUF_strdup(val->value); + if (s == NULL) { + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + s[i1] = '\0'; + min = s2i_ASN1_INTEGER(NULL, s); + max = s2i_ASN1_INTEGER(NULL, s + i2); + OPENSSL_free(s); + if (min == NULL || max == NULL) { + ASN1_INTEGER_free(min); + ASN1_INTEGER_free(max); + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } + if (!v3_asid_add_id_or_range(asid, which, min, max)) { + ASN1_INTEGER_free(min); + ASN1_INTEGER_free(max); + X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE); + goto err; + } + } + + /* + * Canonize the result, then we're done. + */ + if (!v3_asid_canonize(asid)) + goto err; + return asid; + + err: + ASIdentifiers_free(asid); + return NULL; +} + +/* + * OpenSSL dispatch. + */ +const X509V3_EXT_METHOD v3_asid = { + NID_sbgp_autonomousSysNum, /* nid */ + 0, /* flags */ + ASN1_ITEM_ref(ASIdentifiers), /* template */ + 0, 0, 0, 0, /* old functions, ignored */ + 0, /* i2s */ + 0, /* s2i */ + 0, /* i2v */ + v2i_ASIdentifiers, /* v2i */ + i2r_ASIdentifiers, /* i2r */ + 0, /* r2i */ + NULL /* extension-specific data */ +}; + +/* + * Figure out whether extension uses inheritance. + */ +int v3_asid_inherits(ASIdentifiers *asid) +{ + return (asid != NULL && + ((asid->asnum != NULL && + asid->asnum->type == ASIdentifierChoice_inherit) || + (asid->rdi != NULL && + asid->rdi->type == ASIdentifierChoice_inherit))); +} + +/* + * Figure out whether parent contains child. + */ +static int asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child) +{ + ASN1_INTEGER *p_min, *p_max, *c_min, *c_max; + int p, c; + + if (child == NULL || parent == child) + return 1; + if (parent == NULL) + return 0; + + p = 0; + for (c = 0; c < sk_ASIdOrRange_num(child); c++) { + extract_min_max(sk_ASIdOrRange_value(child, c), &c_min, &c_max); + for (;; p++) { + if (p >= sk_ASIdOrRange_num(parent)) + return 0; + extract_min_max(sk_ASIdOrRange_value(parent, p), &p_min, &p_max); + if (ASN1_INTEGER_cmp(p_max, c_max) < 0) + continue; + if (ASN1_INTEGER_cmp(p_min, c_min) > 0) + return 0; + break; + } + } + + return 1; +} + +/* + * Test whether a is a subet of b. + */ +int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) +{ + return (a == NULL || + a == b || + (b != NULL && + !v3_asid_inherits(a) && + !v3_asid_inherits(b) && + asid_contains(b->asnum->u.asIdsOrRanges, + a->asnum->u.asIdsOrRanges) && + asid_contains(b->rdi->u.asIdsOrRanges, + a->rdi->u.asIdsOrRanges))); +} + +/* + * Validation error handling via callback. + */ +#define validation_err(_err_) \ + do { \ + if (ctx != NULL) { \ + ctx->error = _err_; \ + ctx->error_depth = i; \ + ctx->current_cert = x; \ + ret = ctx->verify_cb(0, ctx); \ + } else { \ + ret = 0; \ + } \ + if (!ret) \ + goto done; \ + } while (0) + +/* + * Core code for RFC 3779 3.3 path validation. + */ +static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx, + STACK_OF(X509) *chain, + ASIdentifiers *ext) +{ + ASIdOrRanges *child_as = NULL, *child_rdi = NULL; + int i, ret = 1, inherit_as = 0, inherit_rdi = 0; + X509 *x = NULL; + + assert(chain != NULL && sk_X509_num(chain) > 0); + assert(ctx != NULL || ext != NULL); + assert(ctx == NULL || ctx->verify_cb != NULL); + + /* + * Figure out where to start. If we don't have an extension to + * check, we're done. Otherwise, check canonical form and + * set up for walking up the chain. + */ + if (ext != NULL) { + i = -1; + } else { + i = 0; + x = sk_X509_value(chain, i); + assert(x != NULL); + if ((ext = x->rfc3779_asid) == NULL) + goto done; + } + if (!v3_asid_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (ext->asnum != NULL) { + switch (ext->asnum->type) { + case ASIdentifierChoice_inherit: + inherit_as = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_as = ext->asnum->u.asIdsOrRanges; + break; + } + } + if (ext->rdi != NULL) { + switch (ext->rdi->type) { + case ASIdentifierChoice_inherit: + inherit_rdi = 1; + break; + case ASIdentifierChoice_asIdsOrRanges: + child_rdi = ext->rdi->u.asIdsOrRanges; + break; + } + } + + /* + * Now walk up the chain. Extensions must be in canonical form, no + * cert may list resources that its parent doesn't list. + */ + for (i++; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); + assert(x != NULL); + if (x->rfc3779_asid == NULL) { + if (child_as != NULL || child_rdi != NULL) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + continue; + } + if (!v3_asid_is_canonical(x->rfc3779_asid)) + validation_err(X509_V_ERR_INVALID_EXTENSION); + if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_as = NULL; + inherit_as = 0; + } + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_asIdsOrRanges) { + if (inherit_as || + asid_contains(x->rfc3779_asid->asnum->u.asIdsOrRanges, child_as)) { + child_as = x->rfc3779_asid->asnum->u.asIdsOrRanges; + inherit_as = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + if (x->rfc3779_asid->rdi == NULL && child_rdi != NULL) { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + child_rdi = NULL; + inherit_rdi = 0; + } + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_asIdsOrRanges) { + if (inherit_rdi || + asid_contains(x->rfc3779_asid->rdi->u.asIdsOrRanges, child_rdi)) { + child_rdi = x->rfc3779_asid->rdi->u.asIdsOrRanges; + inherit_rdi = 0; + } else { + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + } + } + + /* + * Trust anchor can't inherit. + */ + if (x->rfc3779_asid != NULL) { + if (x->rfc3779_asid->asnum != NULL && + x->rfc3779_asid->asnum->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + if (x->rfc3779_asid->rdi != NULL && + x->rfc3779_asid->rdi->type == ASIdentifierChoice_inherit) + validation_err(X509_V_ERR_UNNESTED_RESOURCE); + } + + done: + return ret; +} + +#undef validation_err + +/* + * RFC 3779 3.3 path validation -- called from X509_verify_cert(). + */ +int v3_asid_validate_path(X509_STORE_CTX *ctx) +{ + return v3_asid_validate_path_internal(ctx, ctx->chain, NULL); +} + +/* + * RFC 3779 3.3 path validation of an extension. + * Test whether chain covers extension. + */ +int v3_asid_validate_resource_set(STACK_OF(X509) *chain, + ASIdentifiers *ext, + int allow_inheritance) +{ + if (ext == NULL) + return 1; + if (chain == NULL || sk_X509_num(chain) == 0) + return 0; + if (!allow_inheritance && v3_asid_inherits(ext)) + return 0; + return v3_asid_validate_path_internal(NULL, chain, ext); +} + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_bcons.c b/crypto/openssl-0.9/crypto/x509v3/v3_bcons.c index cbb012715e..74b1233071 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_bcons.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_bcons.c @@ -67,7 +67,7 @@ static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist); static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_bcons = { +const X509V3_EXT_METHOD v3_bcons = { NID_basic_constraints, 0, ASN1_ITEM_ref(BASIC_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_bitst.c b/crypto/openssl-0.9/crypto/x509v3/v3_bitst.c index 170c8d280b..cf31f0816e 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_bitst.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_bitst.c @@ -88,8 +88,8 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { -X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); -X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); +const X509V3_EXT_METHOD v3_nscert = EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table); +const X509V3_EXT_METHOD v3_key_usage = EXT_BITSTRING(NID_key_usage, key_usage_type_table); STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_cpols.c b/crypto/openssl-0.9/crypto/x509v3/v3_cpols.c index e5b8c5a1ac..a40f490aa9 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_cpols.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_cpols.c @@ -77,7 +77,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org); static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos); -X509V3_EXT_METHOD v3_cpols = { +const X509V3_EXT_METHOD v3_cpols = { NID_certificate_policies, 0,ASN1_ITEM_ref(CERTIFICATEPOLICIES), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_crld.c b/crypto/openssl-0.9/crypto/x509v3/v3_crld.c index f90829c574..c6e3ebae7b 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_crld.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_crld.c @@ -68,7 +68,7 @@ static STACK_OF(CONF_VALUE) *i2v_crld(X509V3_EXT_METHOD *method, static STACK_OF(DIST_POINT) *v2i_crld(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -X509V3_EXT_METHOD v3_crld = { +const X509V3_EXT_METHOD v3_crld = { NID_crl_distribution_points, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(CRL_DIST_POINTS), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_enum.c b/crypto/openssl-0.9/crypto/x509v3/v3_enum.c index 010c9d6260..a236cb22e1 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_enum.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_enum.c @@ -72,7 +72,7 @@ static ENUMERATED_NAMES crl_reasons[] = { {-1, NULL, NULL} }; -X509V3_EXT_METHOD v3_crl_reason = { +const X509V3_EXT_METHOD v3_crl_reason = { NID_crl_reason, 0, ASN1_ITEM_ref(ASN1_ENUMERATED), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_extku.c b/crypto/openssl-0.9/crypto/x509v3/v3_extku.c index 58c1c2e699..a4efe0031e 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_extku.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_extku.c @@ -68,7 +68,7 @@ static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist); -X509V3_EXT_METHOD v3_ext_ku = { +const X509V3_EXT_METHOD v3_ext_ku = { NID_ext_key_usage, 0, ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 0,0,0,0, @@ -80,7 +80,7 @@ X509V3_EXT_METHOD v3_ext_ku = { }; /* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */ -X509V3_EXT_METHOD v3_ocsp_accresp = { +const X509V3_EXT_METHOD v3_ocsp_accresp = { NID_id_pkix_OCSP_acceptableResponses, 0, ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_ia5.c b/crypto/openssl-0.9/crypto/x509v3/v3_ia5.c index 9683afa47c..b739ccd036 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_ia5.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_ia5.c @@ -65,7 +65,7 @@ static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5); static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_ns_ia5_list[] = { +const X509V3_EXT_METHOD v3_ns_ia5_list[] = { EXT_IA5STRING(NID_netscape_base_url), EXT_IA5STRING(NID_netscape_revocation_url), EXT_IA5STRING(NID_netscape_ca_revocation_url), diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_info.c b/crypto/openssl-0.9/crypto/x509v3/v3_info.c index ab4f0eae19..e0ef69de42 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_info.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_info.c @@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); -X509V3_EXT_METHOD v3_info = +const X509V3_EXT_METHOD v3_info = { NID_info_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, @@ -78,7 +78,7 @@ X509V3_EXT_METHOD v3_info = 0,0, NULL}; -X509V3_EXT_METHOD v3_sinfo = +const X509V3_EXT_METHOD v3_sinfo = { NID_sinfo_access, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_int.c b/crypto/openssl-0.9/crypto/x509v3/v3_int.c index 85e79c05ca..9a48dc1508 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_int.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_int.c @@ -60,14 +60,14 @@ #include "cryptlib.h" #include -X509V3_EXT_METHOD v3_crl_num = { +const X509V3_EXT_METHOD v3_crl_num = { NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, 0, 0,0,0,0, NULL}; -X509V3_EXT_METHOD v3_delta_crl = { +const X509V3_EXT_METHOD v3_delta_crl = { NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, @@ -79,7 +79,7 @@ static void * s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value return s2i_ASN1_INTEGER(meth, value); } -X509V3_EXT_METHOD v3_inhibit_anyp = { +const X509V3_EXT_METHOD v3_inhibit_anyp = { NID_inhibit_any_policy, 0, ASN1_ITEM_ref(ASN1_INTEGER), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_INTEGER, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_ncons.c b/crypto/openssl-0.9/crypto/x509v3/v3_ncons.c index 5fded6910e..42e7f5a879 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_ncons.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_ncons.c @@ -72,7 +72,7 @@ static int do_i2r_name_constraints(X509V3_EXT_METHOD *method, BIO *bp, int ind, char *name); static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); -X509V3_EXT_METHOD v3_name_constraints = { +const X509V3_EXT_METHOD v3_name_constraints = { NID_name_constraints, 0, ASN1_ITEM_ref(NAME_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_ocsp.c b/crypto/openssl-0.9/crypto/x509v3/v3_ocsp.c index 28c11a4dbf..62aac06335 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_ocsp.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_ocsp.c @@ -82,7 +82,7 @@ static int i2r_ocsp_nocheck(X509V3_EXT_METHOD *method, void *nocheck, BIO *out, static void *s2i_ocsp_nocheck(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, const char *str); static int i2r_ocsp_serviceloc(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind); -X509V3_EXT_METHOD v3_ocsp_crlid = { +const X509V3_EXT_METHOD v3_ocsp_crlid = { NID_id_pkix_OCSP_CrlID, 0, ASN1_ITEM_ref(OCSP_CRLID), 0,0,0,0, 0,0, @@ -91,7 +91,7 @@ X509V3_EXT_METHOD v3_ocsp_crlid = { NULL }; -X509V3_EXT_METHOD v3_ocsp_acutoff = { +const X509V3_EXT_METHOD v3_ocsp_acutoff = { NID_id_pkix_OCSP_archiveCutoff, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 0,0,0,0, 0,0, @@ -100,7 +100,7 @@ X509V3_EXT_METHOD v3_ocsp_acutoff = { NULL }; -X509V3_EXT_METHOD v3_crl_invdate = { +const X509V3_EXT_METHOD v3_crl_invdate = { NID_invalidity_date, 0, ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 0,0,0,0, 0,0, @@ -109,7 +109,7 @@ X509V3_EXT_METHOD v3_crl_invdate = { NULL }; -X509V3_EXT_METHOD v3_crl_hold = { +const X509V3_EXT_METHOD v3_crl_hold = { NID_hold_instruction_code, 0, ASN1_ITEM_ref(ASN1_OBJECT), 0,0,0,0, 0,0, @@ -118,7 +118,7 @@ X509V3_EXT_METHOD v3_crl_hold = { NULL }; -X509V3_EXT_METHOD v3_ocsp_nonce = { +const X509V3_EXT_METHOD v3_ocsp_nonce = { NID_id_pkix_OCSP_Nonce, 0, NULL, ocsp_nonce_new, ocsp_nonce_free, @@ -130,7 +130,7 @@ X509V3_EXT_METHOD v3_ocsp_nonce = { NULL }; -X509V3_EXT_METHOD v3_ocsp_nocheck = { +const X509V3_EXT_METHOD v3_ocsp_nocheck = { NID_id_pkix_OCSP_noCheck, 0, ASN1_ITEM_ref(ASN1_NULL), 0,0,0,0, 0,s2i_ocsp_nocheck, @@ -139,7 +139,7 @@ X509V3_EXT_METHOD v3_ocsp_nocheck = { NULL }; -X509V3_EXT_METHOD v3_ocsp_serviceloc = { +const X509V3_EXT_METHOD v3_ocsp_serviceloc = { NID_id_pkix_OCSP_serviceLocator, 0, ASN1_ITEM_ref(OCSP_SERVICELOC), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_pci.c b/crypto/openssl-0.9/crypto/x509v3/v3_pci.c index ccb0da548a..5158b1dfb3 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_pci.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_pci.c @@ -44,7 +44,7 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_pci = +const X509V3_EXT_METHOD v3_pci = { NID_proxyCertInfo, 0, ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_pcons.c b/crypto/openssl-0.9/crypto/x509v3/v3_pcons.c index 91ae862ed7..13248c2ada 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_pcons.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_pcons.c @@ -69,7 +69,7 @@ static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, static void *v2i_POLICY_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -X509V3_EXT_METHOD v3_policy_constraints = { +const X509V3_EXT_METHOD v3_policy_constraints = { NID_policy_constraints, 0, ASN1_ITEM_ref(POLICY_CONSTRAINTS), 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_pku.c b/crypto/openssl-0.9/crypto/x509v3/v3_pku.c index 49a2e4697a..5c4626e89b 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_pku.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_pku.c @@ -66,7 +66,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *u /* static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); */ -X509V3_EXT_METHOD v3_pkey_usage_period = { +const X509V3_EXT_METHOD v3_pkey_usage_period = { NID_private_key_usage_period, 0, ASN1_ITEM_ref(PKEY_USAGE_PERIOD), 0,0,0,0, 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_pmaps.c b/crypto/openssl-0.9/crypto/x509v3/v3_pmaps.c index 137be58ad9..626303264f 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_pmaps.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_pmaps.c @@ -68,7 +68,7 @@ static void *v2i_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist); -X509V3_EXT_METHOD v3_policy_mappings = { +const X509V3_EXT_METHOD v3_policy_mappings = { NID_policy_mappings, 0, ASN1_ITEM_ref(POLICY_MAPPINGS), 0,0,0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_purp.c b/crypto/openssl-0.9/crypto/x509v3/v3_purp.c index 1222c3ce5b..b2f5cdfa05 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_purp.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_purp.c @@ -285,7 +285,12 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_key_usage, /* 83 */ NID_subject_alt_name, /* 85 */ NID_basic_constraints, /* 87 */ + NID_certificate_policies, /* 89 */ NID_ext_key_usage, /* 126 */ +#ifndef OPENSSL_NO_RFC3779 + NID_sbgp_ipAddrBlock, /* 290 */ + NID_sbgp_autonomousSysNum, /* 291 */ +#endif NID_proxyCertInfo /* 661 */ }; @@ -410,6 +415,11 @@ static void x509v3_cache_extensions(X509 *x) } x->skid =X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL); x->akid =X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL); +#ifndef OPENSSL_NO_RFC3779 + x->rfc3779_addr =X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); + x->rfc3779_asid =X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, + NULL, NULL); +#endif for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_skey.c b/crypto/openssl-0.9/crypto/x509v3/v3_skey.c index b17a72d46c..da0a3558f6 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_skey.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_skey.c @@ -62,7 +62,7 @@ #include static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); -X509V3_EXT_METHOD v3_skey_id = { +const X509V3_EXT_METHOD v3_skey_id = { NID_subject_key_identifier, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING), 0,0,0,0, (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_sxnet.c b/crypto/openssl-0.9/crypto/x509v3/v3_sxnet.c index 819e2e670d..eaea9ea01b 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_sxnet.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_sxnet.c @@ -72,7 +72,7 @@ static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); #endif -X509V3_EXT_METHOD v3_sxnet = { +const X509V3_EXT_METHOD v3_sxnet = { NID_sxnet, X509V3_EXT_MULTILINE, ASN1_ITEM_ref(SXNET), 0,0,0,0, 0,0, diff --git a/crypto/openssl-0.9/crypto/x509v3/v3_utl.c b/crypto/openssl-0.9/crypto/x509v3/v3_utl.c index 7911c4bdaf..3dba0557b8 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3_utl.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3_utl.c @@ -71,7 +71,6 @@ static STACK *get_email(X509_NAME *name, GENERAL_NAMES *gens); static void str_free(void *str); static int append_ia5(STACK **sk, ASN1_IA5STRING *email); -static int a2i_ipadd(unsigned char *ipout, const char *ipasc); static int ipv4_from_asc(unsigned char *v4, const char *in); static int ipv6_from_asc(unsigned char *v6, const char *in); static int ipv6_cb(const char *elem, int len, void *usr); @@ -366,7 +365,7 @@ char *hex_to_string(unsigned char *buffer, long len) char *tmp, *q; unsigned char *p; int i; - static char hexdig[] = "0123456789ABCDEF"; + const static char hexdig[] = "0123456789ABCDEF"; if(!buffer || !len) return NULL; if(!(tmp = OPENSSL_malloc(len * 3 + 1))) { X509V3err(X509V3_F_HEX_TO_STRING,ERR_R_MALLOC_FAILURE); @@ -615,7 +614,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) } -static int a2i_ipadd(unsigned char *ipout, const char *ipasc) +int a2i_ipadd(unsigned char *ipout, const char *ipasc) { /* If string contains a ':' assume IPv6 */ diff --git a/crypto/openssl-0.9/crypto/x509v3/v3err.c b/crypto/openssl-0.9/crypto/x509v3/v3err.c index 451645f1f3..d538ad8b80 100644 --- a/crypto/openssl-0.9/crypto/x509v3/v3err.c +++ b/crypto/openssl-0.9/crypto/x509v3/v3err.c @@ -70,6 +70,8 @@ static ERR_STRING_DATA X509V3_str_functs[]= { +{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, +{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"}, @@ -94,12 +96,13 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, {ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, -{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_ADD_ID_ASC"}, +{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, -{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "V2I_ASN1_BIT_STRING"}, +{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"}, +{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"}, {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"}, {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, @@ -107,11 +110,13 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, +{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"}, {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"}, {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"}, +{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"}, {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"}, {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, @@ -120,10 +125,10 @@ static ERR_STRING_DATA X509V3_str_functs[]= {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"}, -{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_GET_SECTION"}, +{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"}, {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"}, {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, -{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_PARSE_LIST"}, +{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, {0,NULL} @@ -149,8 +154,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION),"illegal empty extension"}, {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) ,"illegal hex digit"}, {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG),"incorrect policy syntax tag"}, +{ERR_REASON(X509V3_R_INVALID_ASNUMBER) ,"invalid asnumber"}, +{ERR_REASON(X509V3_R_INVALID_ASRANGE) ,"invalid asrange"}, {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING),"invalid boolean string"}, {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING),"invalid extension string"}, +{ERR_REASON(X509V3_R_INVALID_INHERITANCE),"invalid inheritance"}, +{ERR_REASON(X509V3_R_INVALID_IPADDRESS) ,"invalid ipaddress"}, {ERR_REASON(X509V3_R_INVALID_NAME) ,"invalid name"}, {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT),"invalid null argument"}, {ERR_REASON(X509V3_R_INVALID_NULL_NAME) ,"invalid null name"}, @@ -162,6 +171,7 @@ static ERR_STRING_DATA X509V3_str_reasons[]= {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER),"invalid policy identifier"}, {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING),"invalid proxy policy setting"}, {ERR_REASON(X509V3_R_INVALID_PURPOSE) ,"invalid purpose"}, +{ERR_REASON(X509V3_R_INVALID_SAFI) ,"invalid safi"}, {ERR_REASON(X509V3_R_INVALID_SECTION) ,"invalid section"}, {ERR_REASON(X509V3_R_INVALID_SYNTAX) ,"invalid syntax"}, {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR),"issuer decode error"}, @@ -198,15 +208,12 @@ static ERR_STRING_DATA X509V3_str_reasons[]= void ERR_load_X509V3_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,X509V3_str_functs); ERR_load_strings(0,X509V3_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/crypto/x509v3/x509v3.h b/crypto/openssl-0.9/crypto/x509v3/x509v3.h index 34429828f0..91d2fb5b8b 100644 --- a/crypto/openssl-0.9/crypto/x509v3/x509v3.h +++ b/crypto/openssl-0.9/crypto/x509v3/x509v3.h @@ -620,11 +620,161 @@ void X509_email_free(STACK *sk); ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); +int a2i_ipadd(unsigned char *ipout, const char *ipasc); int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, unsigned long chtype); void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); +#ifndef OPENSSL_NO_RFC3779 + +typedef struct ASRange_st { + ASN1_INTEGER *min, *max; +} ASRange; + +#define ASIdOrRange_id 0 +#define ASIdOrRange_range 1 + +typedef struct ASIdOrRange_st { + int type; + union { + ASN1_INTEGER *id; + ASRange *range; + } u; +} ASIdOrRange; + +typedef STACK_OF(ASIdOrRange) ASIdOrRanges; +DECLARE_STACK_OF(ASIdOrRange) + +#define ASIdentifierChoice_inherit 0 +#define ASIdentifierChoice_asIdsOrRanges 1 + +typedef struct ASIdentifierChoice_st { + int type; + union { + ASN1_NULL *inherit; + ASIdOrRanges *asIdsOrRanges; + } u; +} ASIdentifierChoice; + +typedef struct ASIdentifiers_st { + ASIdentifierChoice *asnum, *rdi; +} ASIdentifiers; + +DECLARE_ASN1_FUNCTIONS(ASRange) +DECLARE_ASN1_FUNCTIONS(ASIdOrRange) +DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice) +DECLARE_ASN1_FUNCTIONS(ASIdentifiers) + + +typedef struct IPAddressRange_st { + ASN1_BIT_STRING *min, *max; +} IPAddressRange; + +#define IPAddressOrRange_addressPrefix 0 +#define IPAddressOrRange_addressRange 1 + +typedef struct IPAddressOrRange_st { + int type; + union { + ASN1_BIT_STRING *addressPrefix; + IPAddressRange *addressRange; + } u; +} IPAddressOrRange; + +typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges; +DECLARE_STACK_OF(IPAddressOrRange) + +#define IPAddressChoice_inherit 0 +#define IPAddressChoice_addressesOrRanges 1 + +typedef struct IPAddressChoice_st { + int type; + union { + ASN1_NULL *inherit; + IPAddressOrRanges *addressesOrRanges; + } u; +} IPAddressChoice; + +typedef struct IPAddressFamily_st { + ASN1_OCTET_STRING *addressFamily; + IPAddressChoice *ipAddressChoice; +} IPAddressFamily; + +typedef STACK_OF(IPAddressFamily) IPAddrBlocks; +DECLARE_STACK_OF(IPAddressFamily) + +DECLARE_ASN1_FUNCTIONS(IPAddressRange) +DECLARE_ASN1_FUNCTIONS(IPAddressOrRange) +DECLARE_ASN1_FUNCTIONS(IPAddressChoice) +DECLARE_ASN1_FUNCTIONS(IPAddressFamily) + +/* + * API tag for elements of the ASIdentifer SEQUENCE. + */ +#define V3_ASID_ASNUM 0 +#define V3_ASID_RDI 1 + +/* + * AFI values, assigned by IANA. It'd be nice to make the AFI + * handling code totally generic, but there are too many little things + * that would need to be defined for other address families for it to + * be worth the trouble. + */ +#define IANA_AFI_IPV4 1 +#define IANA_AFI_IPV6 2 + +/* + * Utilities to construct and extract values from RFC3779 extensions, + * since some of the encodings (particularly for IP address prefixes + * and ranges) are a bit tedious to work with directly. + */ +int v3_asid_add_inherit(ASIdentifiers *asid, int which); +int v3_asid_add_id_or_range(ASIdentifiers *asid, int which, + ASN1_INTEGER *min, ASN1_INTEGER *max); +int v3_addr_add_inherit(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi); +int v3_addr_add_prefix(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *a, const int prefixlen); +int v3_addr_add_range(IPAddrBlocks *addr, + const unsigned afi, const unsigned *safi, + unsigned char *min, unsigned char *max); +unsigned v3_addr_get_afi(const IPAddressFamily *f); +int v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, + unsigned char *min, unsigned char *max, + const int length); + +/* + * Canonical forms. + */ +int v3_asid_is_canonical(ASIdentifiers *asid); +int v3_addr_is_canonical(IPAddrBlocks *addr); +int v3_asid_canonize(ASIdentifiers *asid); +int v3_addr_canonize(IPAddrBlocks *addr); + +/* + * Tests for inheritance and containment. + */ +int v3_asid_inherits(ASIdentifiers *asid); +int v3_addr_inherits(IPAddrBlocks *addr); +int v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b); +int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b); + +/* + * Check whether RFC 3779 extensions nest properly in chains. + */ +int v3_asid_validate_path(X509_STORE_CTX *); +int v3_addr_validate_path(X509_STORE_CTX *); +int v3_asid_validate_resource_set(STACK_OF(X509) *chain, + ASIdentifiers *ext, + int allow_inheritance); +int v3_addr_validate_resource_set(STACK_OF(X509) *chain, + IPAddrBlocks *ext, + int allow_inheritance); + +#endif /* OPENSSL_NO_RFC3779 */ + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -634,6 +784,8 @@ void ERR_load_X509V3_strings(void); /* Error codes for the X509V3 functions. */ /* Function codes. */ +#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE 156 +#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL 157 #define X509V3_F_COPY_EMAIL 122 #define X509V3_F_COPY_ISSUER 123 #define X509V3_F_DO_DIRNAME 144 @@ -663,6 +815,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_SXNET_ADD_ID_ULONG 127 #define X509V3_F_SXNET_GET_ID_ASC 128 #define X509V3_F_SXNET_GET_ID_ULONG 129 +#define X509V3_F_V2I_ASIDENTIFIERS 158 #define X509V3_F_V2I_ASN1_BIT_STRING 101 #define X509V3_F_V2I_AUTHORITY_INFO_ACCESS 139 #define X509V3_F_V2I_AUTHORITY_KEYID 119 @@ -671,11 +824,13 @@ void ERR_load_X509V3_strings(void); #define X509V3_F_V2I_EXTENDED_KEY_USAGE 103 #define X509V3_F_V2I_GENERAL_NAMES 118 #define X509V3_F_V2I_GENERAL_NAME_EX 117 +#define X509V3_F_V2I_IPADDRBLOCKS 159 #define X509V3_F_V2I_ISSUER_ALT 153 #define X509V3_F_V2I_NAME_CONSTRAINTS 147 #define X509V3_F_V2I_POLICY_CONSTRAINTS 146 #define X509V3_F_V2I_POLICY_MAPPINGS 145 #define X509V3_F_V2I_SUBJECT_ALT 154 +#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL 160 #define X509V3_F_V3_GENERIC_EXTENSION 116 #define X509V3_F_X509V3_ADD1_I2D 140 #define X509V3_F_X509V3_ADD_VALUE 105 @@ -710,8 +865,12 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_ILLEGAL_EMPTY_EXTENSION 151 #define X509V3_R_ILLEGAL_HEX_DIGIT 113 #define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 152 +#define X509V3_R_INVALID_ASNUMBER 160 +#define X509V3_R_INVALID_ASRANGE 161 #define X509V3_R_INVALID_BOOLEAN_STRING 104 #define X509V3_R_INVALID_EXTENSION_STRING 105 +#define X509V3_R_INVALID_INHERITANCE 162 +#define X509V3_R_INVALID_IPADDRESS 163 #define X509V3_R_INVALID_NAME 106 #define X509V3_R_INVALID_NULL_ARGUMENT 107 #define X509V3_R_INVALID_NULL_NAME 108 @@ -723,6 +882,7 @@ void ERR_load_X509V3_strings(void); #define X509V3_R_INVALID_POLICY_IDENTIFIER 134 #define X509V3_R_INVALID_PROXY_POLICY_SETTING 153 #define X509V3_R_INVALID_PURPOSE 146 +#define X509V3_R_INVALID_SAFI 164 #define X509V3_R_INVALID_SECTION 135 #define X509V3_R_INVALID_SYNTAX 143 #define X509V3_R_ISSUER_DECODE_ERROR 126 diff --git a/crypto/openssl-0.9/ssl/d1_lib.c b/crypto/openssl-0.9/ssl/d1_lib.c index 7830811144..d07a212fac 100644 --- a/crypto/openssl-0.9/ssl/d1_lib.c +++ b/crypto/openssl-0.9/ssl/d1_lib.c @@ -61,7 +61,7 @@ #include #include "ssl_locl.h" -const char *dtls1_version_str="DTLSv1" OPENSSL_VERSION_PTEXT; +const char dtls1_version_str[]="DTLSv1" OPENSSL_VERSION_PTEXT; SSL3_ENC_METHOD DTLSv1_enc_data={ dtls1_enc, diff --git a/crypto/openssl-0.9/ssl/d1_pkt.c b/crypto/openssl-0.9/ssl/d1_pkt.c index f8f4516525..8270419a8d 100644 --- a/crypto/openssl-0.9/ssl/d1_pkt.c +++ b/crypto/openssl-0.9/ssl/d1_pkt.c @@ -533,11 +533,7 @@ again: n2s(p,rr->length); /* Lets check version */ - if (s->first_packet) - { - s->first_packet=0; - } - else + if (!s->first_packet) { if (version != s->version) { diff --git a/crypto/openssl-0.9/ssl/kssl.c b/crypto/openssl-0.9/ssl/kssl.c index ffa8d52e70..1064282730 100644 --- a/crypto/openssl-0.9/ssl/kssl.c +++ b/crypto/openssl-0.9/ssl/kssl.c @@ -784,6 +784,25 @@ kssl_krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, } #endif /* OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32 */ + +/* memory allocation functions for non-temporary storage + * (e.g. stuff that gets saved into the kssl context) */ +static void* kssl_calloc(size_t nmemb, size_t size) +{ + void* p; + + p=OPENSSL_malloc(nmemb*size); + if (p){ + memset(p, 0, nmemb*size); + } + return p; +} + +#define kssl_malloc(size) OPENSSL_malloc((size)) +#define kssl_realloc(ptr, size) OPENSSL_realloc(ptr, size) +#define kssl_free(ptr) OPENSSL_free((ptr)) + + char *kstring(char *string) { @@ -1548,7 +1567,7 @@ kssl_sget_tkt( /* UPDATE */ KSSL_CTX *kssl_ctx, KSSL_CTX * kssl_ctx_new(void) { - return ((KSSL_CTX *) calloc(1, sizeof(KSSL_CTX))); + return ((KSSL_CTX *) kssl_calloc(1, sizeof(KSSL_CTX))); } @@ -1562,13 +1581,13 @@ kssl_ctx_free(KSSL_CTX *kssl_ctx) if (kssl_ctx->key) OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); - if (kssl_ctx->key) free(kssl_ctx->key); - if (kssl_ctx->client_princ) free(kssl_ctx->client_princ); - if (kssl_ctx->service_host) free(kssl_ctx->service_host); - if (kssl_ctx->service_name) free(kssl_ctx->service_name); - if (kssl_ctx->keytab_file) free(kssl_ctx->keytab_file); + if (kssl_ctx->key) kssl_free(kssl_ctx->key); + if (kssl_ctx->client_princ) kssl_free(kssl_ctx->client_princ); + if (kssl_ctx->service_host) kssl_free(kssl_ctx->service_host); + if (kssl_ctx->service_name) kssl_free(kssl_ctx->service_name); + if (kssl_ctx->keytab_file) kssl_free(kssl_ctx->keytab_file); - free(kssl_ctx); + kssl_free(kssl_ctx); return (KSSL_CTX *) NULL; } @@ -1593,7 +1612,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, case KSSL_SERVER: princ = &kssl_ctx->service_host; break; default: return KSSL_CTX_ERR; break; } - if (*princ) free(*princ); + if (*princ) kssl_free(*princ); /* Add up all the entity->lengths */ length = 0; @@ -1606,7 +1625,7 @@ kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, /* Space for the ('@'+realm+NULL | NULL) */ length += ((realm)? realm->length + 2: 1); - if ((*princ = calloc(1, length)) == NULL) + if ((*princ = kssl_calloc(1, length)) == NULL) return KSSL_CTX_ERR; else { @@ -1649,7 +1668,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) case KSSL_KEYTAB: string = &kssl_ctx->keytab_file; break; default: return KSSL_CTX_ERR; break; } - if (*string) free(*string); + if (*string) kssl_free(*string); if (!text) { @@ -1657,7 +1676,7 @@ kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text) return KSSL_CTX_OK; } - if ((*string = calloc(1, strlen(text) + 1)) == NULL) + if ((*string = kssl_calloc(1, strlen(text) + 1)) == NULL) return KSSL_CTX_ERR; else strcpy(*string, text); @@ -1681,7 +1700,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) if (kssl_ctx->key) { OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length); - free(kssl_ctx->key); + kssl_free(kssl_ctx->key); } if (session) @@ -1707,7 +1726,7 @@ kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session) } if ((kssl_ctx->key = - (krb5_octet FAR *) calloc(1, kssl_ctx->length)) == NULL) + (krb5_octet FAR *) kssl_calloc(1, kssl_ctx->length)) == NULL) { kssl_ctx->length = 0; return KSSL_CTX_ERR; diff --git a/crypto/openssl-0.9/ssl/s23_clnt.c b/crypto/openssl-0.9/ssl/s23_clnt.c index ed4ee72393..769dabdbb8 100644 --- a/crypto/openssl-0.9/ssl/s23_clnt.c +++ b/crypto/openssl-0.9/ssl/s23_clnt.c @@ -574,7 +574,6 @@ static int ssl23_get_server_hello(SSL *s) if (!ssl_get_new_session(s,0)) goto err; - s->first_packet=1; return(SSL_connect(s)); err: return(-1); diff --git a/crypto/openssl-0.9/ssl/s23_srvr.c b/crypto/openssl-0.9/ssl/s23_srvr.c index da4f377e76..6637bb9549 100644 --- a/crypto/openssl-0.9/ssl/s23_srvr.c +++ b/crypto/openssl-0.9/ssl/s23_srvr.c @@ -565,7 +565,6 @@ int ssl23_get_client_hello(SSL *s) s->init_num=0; if (buf != buf_space) OPENSSL_free(buf); - s->first_packet=1; return(SSL_accept(s)); err: if (buf != buf_space) OPENSSL_free(buf); diff --git a/crypto/openssl-0.9/ssl/s2_enc.c b/crypto/openssl-0.9/ssl/s2_enc.c index 18882bf704..1f62acd5b1 100644 --- a/crypto/openssl-0.9/ssl/s2_enc.c +++ b/crypto/openssl-0.9/ssl/s2_enc.c @@ -82,15 +82,18 @@ int ssl2_enc_init(SSL *s, int client) ((s->enc_read_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; + + /* make sure it's intialized in case the malloc for enc_write_ctx fails + * and we exit with an error */ + rs= s->enc_read_ctx; + EVP_CIPHER_CTX_init(rs); + if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; - rs= s->enc_read_ctx; ws= s->enc_write_ctx; - - EVP_CIPHER_CTX_init(rs); EVP_CIPHER_CTX_init(ws); num=c->key_len; diff --git a/crypto/openssl-0.9/ssl/s2_lib.c b/crypto/openssl-0.9/ssl/s2_lib.c index def3a6e89a..10751b22ba 100644 --- a/crypto/openssl-0.9/ssl/s2_lib.c +++ b/crypto/openssl-0.9/ssl/s2_lib.c @@ -63,7 +63,7 @@ #include #include -const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; +const char ssl2_version_str[]="SSLv2" OPENSSL_VERSION_PTEXT; #define SSL2_NUM_CIPHERS (sizeof(ssl2_ciphers)/sizeof(SSL_CIPHER)) diff --git a/crypto/openssl-0.9/ssl/s3_clnt.c b/crypto/openssl-0.9/ssl/s3_clnt.c index 26788858d7..278be82294 100644 --- a/crypto/openssl-0.9/ssl/s3_clnt.c +++ b/crypto/openssl-0.9/ssl/s3_clnt.c @@ -1796,8 +1796,10 @@ int ssl3_send_client_key_exchange(SSL *s) n+=2; } - if (RAND_bytes(tmp_buf,sizeof tmp_buf) <= 0) - goto err; + tmp_buf[0]=s->client_version>>8; + tmp_buf[1]=s->client_version&0xff; + if (RAND_bytes(&(tmp_buf[2]),sizeof tmp_buf-2) <= 0) + goto err; /* 20010420 VRS. Tried it this way; failed. ** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL); diff --git a/crypto/openssl-0.9/ssl/s3_enc.c b/crypto/openssl-0.9/ssl/s3_enc.c index 561a9846e9..2859351b00 100644 --- a/crypto/openssl-0.9/ssl/s3_enc.c +++ b/crypto/openssl-0.9/ssl/s3_enc.c @@ -221,6 +221,9 @@ int ssl3_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP @@ -254,6 +257,9 @@ int ssl3_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP @@ -279,7 +285,6 @@ int ssl3_change_cipher_state(SSL *s, int which) if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); diff --git a/crypto/openssl-0.9/ssl/s3_lib.c b/crypto/openssl-0.9/ssl/s3_lib.c index 0eff243c12..28eaf9ddeb 100644 --- a/crypto/openssl-0.9/ssl/s3_lib.c +++ b/crypto/openssl-0.9/ssl/s3_lib.c @@ -132,7 +132,7 @@ #endif #include -const char *ssl3_version_str="SSLv3" OPENSSL_VERSION_PTEXT; +const char ssl3_version_str[]="SSLv3" OPENSSL_VERSION_PTEXT; #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers)/sizeof(SSL_CIPHER)) @@ -568,7 +568,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_SHA1 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -624,7 +624,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_3DES|SSL_MD5 |SSL_SSLV3, SSL_NOT_EXP|SSL_HIGH, 0, - 112, + 168, 168, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -694,7 +694,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_SHA1 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, @@ -736,7 +736,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_kKRB5|SSL_aKRB5| SSL_RC4|SSL_MD5 |SSL_SSLV3, SSL_EXPORT|SSL_EXP40, 0, - 128, + 40, 128, SSL_ALL_CIPHERS, SSL_ALL_STRENGTHS, diff --git a/crypto/openssl-0.9/ssl/s3_pkt.c b/crypto/openssl-0.9/ssl/s3_pkt.c index d0f54e297b..44c7c143fe 100644 --- a/crypto/openssl-0.9/ssl/s3_pkt.c +++ b/crypto/openssl-0.9/ssl/s3_pkt.c @@ -277,11 +277,7 @@ again: n2s(p,rr->length); /* Lets check version */ - if (s->first_packet) - { - s->first_packet=0; - } - else + if (!s->first_packet) { if (version != s->version) { diff --git a/crypto/openssl-0.9/ssl/s3_srvr.c b/crypto/openssl-0.9/ssl/s3_srvr.c index 098eea13ce..9414cf09fb 100644 --- a/crypto/openssl-0.9/ssl/s3_srvr.c +++ b/crypto/openssl-0.9/ssl/s3_srvr.c @@ -300,8 +300,9 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: - /* Check if it is anon DH or anon ECDH */ - if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL)) + /* Check if it is anon DH or anon ECDH or KRB5 */ + if (!(s->s3->tmp.new_cipher->algorithms & SSL_aNULL) + && !(s->s3->tmp.new_cipher->algorithms & SSL_aKRB5)) { ret=ssl3_send_server_certificate(s); if (ret <= 0) goto end; @@ -679,9 +680,9 @@ int ssl3_get_client_hello(SSL *s) */ if (s->state == SSL3_ST_SR_CLNT_HELLO_A) { - s->first_packet=1; s->state=SSL3_ST_SR_CLNT_HELLO_B; } + s->first_packet=1; n=s->method->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, @@ -690,6 +691,7 @@ int ssl3_get_client_hello(SSL *s) &ok); if (!ok) return((int)n); + s->first_packet=0; d=p=(unsigned char *)s->init_msg; /* use version from inside client hello, not from record header @@ -1995,6 +1997,25 @@ int ssl3_get_client_key_exchange(SSL *s) SSL_R_DATA_LENGTH_TOO_LONG); goto err; } + if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + { + /* The premaster secret must contain the same version number as the + * ClientHello to detect version rollback attacks (strangely, the + * protocol does not offer such protection for DH ciphersuites). + * However, buggy clients exist that send random bytes instead of + * the protocol version. + * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. + * (Perhaps we should have a separate BUG value for the Kerberos cipher) + */ + if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && + (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_AD_DECODE_ERROR); + goto err; + } + } + EVP_CIPHER_CTX_cleanup(&ciph_ctx); s->session->master_key_length= @@ -2042,7 +2063,7 @@ int ssl3_get_client_key_exchange(SSL *s) if (l & SSL_kECDH) { /* use the certificate */ - tkey = s->cert->key->privatekey->pkey.ec; + tkey = s->cert->pkeys[SSL_PKEY_ECC].privatekey->pkey.ec; } else { diff --git a/crypto/openssl-0.9/ssl/ssl.h b/crypto/openssl-0.9/ssl/ssl.h index 83f1fee804..2e067e7a78 100644 --- a/crypto/openssl-0.9/ssl/ssl.h +++ b/crypto/openssl-0.9/ssl/ssl.h @@ -319,7 +319,7 @@ extern "C" { #ifdef OPENSSL_NO_CAMELLIA # define SSL_DEFAULT_CIPHER_LIST "ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ #else -# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:-ECCdraft:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ +# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!ADH:+RC4:@STRENGTH" /* low priority for RC4 */ #endif /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ @@ -791,18 +791,18 @@ struct ssl_ctx_st #define SSL_CTX_sess_cache_full(ctx) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL) -#define SSL_CTX_sess_set_new_cb(ctx,cb) ((ctx)->new_session_cb=(cb)) -#define SSL_CTX_sess_get_new_cb(ctx) ((ctx)->new_session_cb) -#define SSL_CTX_sess_set_remove_cb(ctx,cb) ((ctx)->remove_session_cb=(cb)) -#define SSL_CTX_sess_get_remove_cb(ctx) ((ctx)->remove_session_cb) -#define SSL_CTX_sess_set_get_cb(ctx,cb) ((ctx)->get_session_cb=(cb)) -#define SSL_CTX_sess_get_get_cb(ctx) ((ctx)->get_session_cb) -#define SSL_CTX_set_info_callback(ctx,cb) ((ctx)->info_callback=(cb)) -#define SSL_CTX_get_info_callback(ctx) ((ctx)->info_callback) -#define SSL_CTX_set_client_cert_cb(ctx,cb) ((ctx)->client_cert_cb=(cb)) -#define SSL_CTX_get_client_cert_cb(ctx) ((ctx)->client_cert_cb) -#define SSL_CTX_set_cookie_generate_cb(ctx,cb) ((ctx)->app_gen_cookie_cb=(cb)) -#define SSL_CTX_set_cookie_verify_cb(ctx,cb) ((ctx)->app_verify_cookie_cb=(cb)) +void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl,SSL_SESSION *sess)); +int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); +void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*remove_session_cb)(struct ssl_ctx_st *ctx,SSL_SESSION *sess)); +void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); +void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data,int len,int *copy)); +SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *Data, int len, int *copy); +void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,int val)); +void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); +void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); +int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); +void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); +void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); #define SSL_NOTHING 1 #define SSL_WRITING 2 diff --git a/crypto/openssl-0.9/ssl/ssl_ciph.c b/crypto/openssl-0.9/ssl/ssl_ciph.c index 933d487ca0..9bb770da27 100644 --- a/crypto/openssl-0.9/ssl/ssl_ciph.c +++ b/crypto/openssl-0.9/ssl/ssl_ciph.c @@ -432,9 +432,18 @@ static void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr, *tail=curr; } -static unsigned long ssl_cipher_get_disabled(void) +struct disabled_masks { /* This is a kludge no longer needed with OpenSSL 0.9.9, + * where 128-bit and 256-bit algorithms simply will get + * separate bits. */ + unsigned long mask; /* everything except m256 */ + unsigned long m256; /* applies to 256-bit algorithms only */ +}; + +struct disabled_masks ssl_cipher_get_disabled(void) { unsigned long mask; + unsigned long m256; + struct disabled_masks ret; mask = SSL_kFZA; #ifdef OPENSSL_NO_RSA @@ -462,18 +471,26 @@ static unsigned long ssl_cipher_get_disabled(void) mask |= (ssl_cipher_methods[SSL_ENC_RC2_IDX ] == NULL) ? SSL_RC2 :0; mask |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA:0; mask |= (ssl_cipher_methods[SSL_ENC_eFZA_IDX] == NULL) ? SSL_eFZA:0; - mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; - mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; mask |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 :0; mask |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1:0; - return(mask); + /* finally consider algorithms where mask and m256 differ */ + m256 = mask; + mask |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES:0; + mask |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA:0; + m256 |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES:0; + m256 |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA:0; + + ret.mask = mask; + ret.m256 = m256; + return ret; } static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, - int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list, - CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) + int num_of_ciphers, unsigned long mask, unsigned long m256, + CIPHER_ORDER *co_list, CIPHER_ORDER **head_p, + CIPHER_ORDER **tail_p) { int i, co_list_num; SSL_CIPHER *c; @@ -490,8 +507,9 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, for (i = 0; i < num_of_ciphers; i++) { c = ssl_method->get_cipher(i); +#define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask)) /* drop those that use any of that is not available */ - if ((c != NULL) && c->valid && !(c->algorithms & mask)) + if ((c != NULL) && c->valid && !IS_MASKED(c)) { co_list[co_list_num].cipher = c; co_list[co_list_num].next = NULL; @@ -898,7 +916,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, * rest of the command, if any left, until * end or ':' is found. */ - while ((*l != '\0') && ITEM_SEP(*l)) + while ((*l != '\0') && !ITEM_SEP(*l)) l++; } else if (found) @@ -909,7 +927,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else { - while ((*l != '\0') && ITEM_SEP(*l)) + while ((*l != '\0') && !ITEM_SEP(*l)) l++; } if (*l == '\0') break; /* done */ @@ -925,6 +943,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mask; + unsigned long disabled_m256; STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; @@ -940,7 +959,12 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, * To reduce the work to do we only want to process the compiled * in algorithms, so we first get the mask of disabled ciphers. */ - disabled_mask = ssl_cipher_get_disabled(); + { + struct disabled_masks d; + d = ssl_cipher_get_disabled(); + disabled_mask = d.mask; + disabled_m256 = d.m256; + } /* * Now we have to collect the available ciphers from the compiled @@ -959,7 +983,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask, - co_list, &head, &tail); + disabled_m256, co_list, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. @@ -979,8 +1003,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mask, - head); + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + (disabled_mask & disabled_m256), head); /* * If the rule_string begins with DEFAULT, apply the default rule diff --git a/crypto/openssl-0.9/ssl/ssl_err.c b/crypto/openssl-0.9/ssl/ssl_err.c index 4a4ba68526..e7f4d93c7d 100644 --- a/crypto/openssl-0.9/ssl/ssl_err.c +++ b/crypto/openssl-0.9/ssl/ssl_err.c @@ -204,7 +204,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, -{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_LOAD_CLIENT_CA_FILE"}, +{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, {ERR_FUNC(SSL_F_SSL_NEW), "SSL_new"}, {ERR_FUNC(SSL_F_SSL_PEEK), "SSL_peek"}, {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, @@ -486,15 +486,12 @@ static ERR_STRING_DATA SSL_str_reasons[]= void ERR_load_SSL_strings(void) { - static int init=1; +#ifndef OPENSSL_NO_ERR - if (init) + if (ERR_func_error_string(SSL_str_functs[0].error) == NULL) { - init=0; -#ifndef OPENSSL_NO_ERR ERR_load_strings(0,SSL_str_functs); ERR_load_strings(0,SSL_str_reasons); -#endif - } +#endif } diff --git a/crypto/openssl-0.9/ssl/ssl_lib.c b/crypto/openssl-0.9/ssl/ssl_lib.c index 4971b34375..4e81922d75 100644 --- a/crypto/openssl-0.9/ssl/ssl_lib.c +++ b/crypto/openssl-0.9/ssl/ssl_lib.c @@ -2416,14 +2416,14 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, #endif void SSL_set_info_callback(SSL *ssl, - void (*cb)(const SSL *ssl,int type,int val)) + void (*cb)(const SSL *ssl,int type,int val)) { ssl->info_callback=cb; } /* One compiler (Diab DCC) doesn't like argument names in returned function pointer. */ -void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) +void (*SSL_get_info_callback(const SSL *ssl))(const SSL * /*ssl*/,int /*type*/,int /*val*/) { return ssl->info_callback; } diff --git a/crypto/openssl-0.9/ssl/ssl_sess.c b/crypto/openssl-0.9/ssl/ssl_sess.c index 2f26593c70..f80eee6e37 100644 --- a/crypto/openssl-0.9/ssl/ssl_sess.c +++ b/crypto/openssl-0.9/ssl/ssl_sess.c @@ -580,7 +580,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->kssl_ctx && !s->kssl_ctx->client_princ && session->krb5_client_princ_len > 0) { - s->kssl_ctx->client_princ = (char *)malloc(session->krb5_client_princ_len + 1); + s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1); memcpy(s->kssl_ctx->client_princ,session->krb5_client_princ, session->krb5_client_princ_len); s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0'; @@ -765,3 +765,72 @@ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) } } +void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, + int (*cb)(struct ssl_st *ssl,SSL_SESSION *sess)) + { + ctx->new_session_cb=cb; + } + +int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) + { + return ctx->new_session_cb; + } + +void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, + void (*cb)(SSL_CTX *ctx,SSL_SESSION *sess)) + { + ctx->remove_session_cb=cb; + } + +void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx,SSL_SESSION *sess) + { + return ctx->remove_session_cb; + } + +void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, + SSL_SESSION *(*cb)(struct ssl_st *ssl, + unsigned char *data,int len,int *copy)) + { + ctx->get_session_cb=cb; + } + +SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, + unsigned char *data,int len,int *copy) + { + return ctx->get_session_cb; + } + +void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*cb)(const SSL *ssl,int type,int val)) + { + ctx->info_callback=cb; + } + +void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val) + { + return ctx->info_callback; + } + +void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) + { + ctx->client_cert_cb=cb; + } + +int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PKEY **pkey) + { + return ctx->client_cert_cb; + } + +void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) + { + ctx->app_gen_cookie_cb=cb; + } + +void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, + int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) + { + ctx->app_verify_cookie_cb=cb; + } + diff --git a/crypto/openssl-0.9/ssl/t1_enc.c b/crypto/openssl-0.9/ssl/t1_enc.c index e0ce681574..68448b98ca 100644 --- a/crypto/openssl-0.9/ssl/t1_enc.c +++ b/crypto/openssl-0.9/ssl/t1_enc.c @@ -267,6 +267,9 @@ int tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP @@ -301,10 +304,9 @@ int tls1_change_cipher_state(SSL *s, int which) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; - if ((s->enc_write_ctx == NULL) && - ((s->enc_write_ctx=(EVP_CIPHER_CTX *) - OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) - goto err; + else + /* make sure it's intialized in case we exit later with an error */ + EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP @@ -331,7 +333,6 @@ int tls1_change_cipher_state(SSL *s, int which) if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); - EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); diff --git a/crypto/openssl-0.9/ssl/t1_lib.c b/crypto/openssl-0.9/ssl/t1_lib.c index d4516eba71..1ecbbcb8fb 100644 --- a/crypto/openssl-0.9/ssl/t1_lib.c +++ b/crypto/openssl-0.9/ssl/t1_lib.c @@ -60,7 +60,7 @@ #include #include "ssl_locl.h" -const char *tls1_version_str="TLSv1" OPENSSL_VERSION_PTEXT; +const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT; SSL3_ENC_METHOD TLSv1_enc_data={ tls1_enc, -- 2.11.4.GIT