From 1ba5b1b53029f4997e9b671881312ce55dad6c59 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 1 Aug 2000 12:21:46 +0000 Subject: [PATCH] Merge from main trunk, conflicts resolved --- .cvsignore | 2 + CHANGES | 61 +++++++ Configure | 59 +++++- INSTALL.W32 | 29 +++ Makefile.org | 192 +++++++++++++++----- TABLE | 220 ++++++++++++++++++++++- apps/apps.c | 80 +++++++++ apps/apps.h | 2 + apps/asn1pars.c | 17 +- apps/passwd.c | 2 +- apps/req.c | 5 + apps/smime.c | 3 + apps/verify.c | 2 +- apps/x509.c | 26 +-- crypto/asn1/Makefile.ssl | 21 ++- crypto/asn1/a_enum.c | 1 + crypto/asn1/a_int.c | 1 + crypto/asn1/a_object.c | 41 +++-- crypto/asn1/asn1.h | 87 +++++++++ crypto/asn1/asn1_par.c | 48 ++++- crypto/asn1/d2i_dsap.c | 2 +- crypto/asn1/d2i_r_pu.c | 2 +- crypto/asn1/d2i_s_pu.c | 2 +- crypto/bio/b_dump.c | 41 +++-- crypto/bio/b_sock.c | 9 +- crypto/bio/bio.h | 1 + crypto/bn/bn_mul.c | 2 +- crypto/bn/bn_word.c | 4 +- crypto/crypto.h | 10 +- crypto/err/err.c | 31 ++-- crypto/evp/bio_b64.c | 15 +- crypto/opensslv.h | 53 ++++++ crypto/rand/Makefile.ssl | 9 +- crypto/rand/md_rand.c | 152 +++------------- crypto/rand/rand.h | 1 + crypto/rand/rand_win.c | 380 +++++++++++++++++++++++++++++++++------ crypto/rsa/rsa_ssl.c | 2 +- crypto/x509/x509.h | 75 +++++++- crypto/x509/x509_set.c | 16 +- crypto/x509/x509_vfy.c | 54 ++++-- doc/apps/CA.pl.pod | 4 +- doc/apps/passwd.pod | 13 +- doc/apps/smime.pod | 47 ++++- doc/apps/x509.pod | 161 ++++++++++++++++- doc/standards.txt | 2 + ssl/s23_clnt.c | 4 +- ssl/s23_srvr.c | 5 +- util/libeay.num | 128 ++++++------- util/mk1mf.pl | 10 +- util/mkerr.pl | 12 +- util/pl/linux.pl | 2 + 51 files changed, 1723 insertions(+), 425 deletions(-) diff --git a/.cvsignore b/.cvsignore index ea182b942c..8ff9fdc915 100644 --- a/.cvsignore +++ b/.cvsignore @@ -11,3 +11,5 @@ maketest.log cctest cctest.c cctest.a +libcrypto.so.* +libssl.so.* diff --git a/CHANGES b/CHANGES index 3f8faa9856..74f5bc7d00 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,67 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Fix SSL 2.0 rollback checking: Due to an off-by-one error in + RSA_padding_check_SSLv23(), special padding was never detected + and thus the SSL 3.0/TLS 1.0 countermeasure against protocol + version rollback attacks was not effective. + + In s23_clnt.c, don't use special rollback-attack detection padding + (RSA_SSLV23_PADDING) if SSL 2.0 is the only protocol enabled in the + client; similarly, in s23_srvr.c, don't do the rollback check if + SSL 2.0 is the only protocol enabled in the server. + [Bodo Moeller] + + *) Make it possible to get hexdumps of unprintable data with 'openssl + asn1parse'. By implication, the functions ASN1_parse_dump() and + BIO_dump_indent() are added. + [Richard Levitte] + + *) New functions ASN1_STRING_print_ex() and X509_NAME_print_ex() + these print out strings and name structures based on various + flags including RFC2253 support and proper handling of + multibyte characters. Added options to the 'x509' utility + to allow the various flags to be set. + [Steve Henson] + + *) Various fixes to use ASN1_TIME instead of ASN1_UTCTIME. + Also change the functions X509_cmp_current_time() and + X509_gmtime_adj() work with an ASN1_TIME structure, + this will enable certificates using GeneralizedTime in validity + dates to be checked. + [Steve Henson] + + *) Make the NEG_PUBKEY_BUG code (which tolerates invalid + negative public key encodings) on by default, + NO_NEG_PUBKEY_BUG can be set to disable it. + [Steve Henson] + + *) New function c2i_ASN1_OBJECT() which acts on ASN1_OBJECT + content octets. An i2c_ASN1_OBJECT is unnecessary because + the encoding can be trivially obtained from the structure. + [Steve Henson] + + *) crypto/err.c locking bugfix: Use write locks (CRYPTO_w_[un]lock), + not read locks (CRYPTO_r_[un]lock). + [Bodo Moeller] + + *) A first attempt at creating official support for shared + libraries through configuration. I've kept it so the + default is static libraries only, and the OpenSSL programs + are always statically linked for now, but there are + preparations for dynamic linking in place. + This has been tested on Linux and True64. + [Richard Levitte] + + *) Randomness polling function for Win9x, as described in: + Peter Gutmann, Software Generation of Practically Strong + Random Numbers. + [Ulf Möller] + + *) Fix so PRNG is seeded in req if using an already existing + DSA key. + [Steve Henson] + *) New options to smime application. -inform and -outform allow alternative formats for the S/MIME message including PEM and DER. The -content option allows the content to be diff --git a/Configure b/Configure index d729173ea6..32beadeac4 100755 --- a/Configure +++ b/Configure @@ -32,6 +32,8 @@ my $usage="Usage: Configure [no- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [- # [no-]threads [don't] try to create a library that is suitable for # multithreaded applications (default is "threads" if we # know how to do it) +# [no-]shared [don't] try to create shared libraries instead of static +# ones when possible. # no-asm do not use assembler # no-dso do not compile in any native shared-library methods. This # will ensure that all methods just return NULL. @@ -96,7 +98,7 @@ my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:as # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined -#config-string $cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme +#config-string $cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag my %table=( #"b", "${tcc}:${tflags}::${tlib}:${bits1}:${tbn_mul}::", @@ -250,9 +252,9 @@ my %table=( # Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with # the new compiler # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::", +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o:::::::::dlfcn:true64-shared", +"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o:::::::::dlfcn:true64-shared", "FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::", #### Alpha Linux with GNU C and Compaq C setups @@ -278,7 +280,7 @@ my %table=( # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the # bn86-elf.o file file since it is hand tweaked assembler. -"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", +"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC", "debug-linux-elf","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "debug-linux-elf-noefence","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", @@ -299,7 +301,7 @@ my %table=( "ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", # Linux on ARM -"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn", +"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC", # UnixWare 2.0 "unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::", @@ -399,6 +401,7 @@ my $prefix=""; my $openssldir=""; my $install_prefix=""; my $no_threads=0; +my $no_shared=1; my $threads=0; my $no_asm=0; my $no_dso=0; @@ -456,6 +459,10 @@ foreach (@ARGV) { $no_threads=1; } elsif (/^threads$/) { $threads=1; } + elsif (/^no-shared$/) + { $no_shared=1; } + elsif (/^shared$/) + { $no_shared=0; } elsif (/^no-symlinks$/) { $symlink=0; } elsif (/^no-(.+)$/) @@ -574,8 +581,8 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//; print "IsWindows=$IsWindows\n"; (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj, - $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme)= - split(/\s*:\s*/,$table{$target} . ":" x 20 , -1); + $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag)= + split(/\s*:\s*/,$table{$target} . ":" x 21 , -1); $cflags="$flags$cflags" if ($flags ne ""); # The DSO code currently always implements all functions so that no @@ -649,6 +656,19 @@ if ($threads) $openssl_thread_defines .= $thread_defines; } +# You will find shlib_mark1 and shlib_mark2 explained in Makefile.org +my $shared_mark1 = ""; +my $shared_mark2 = ""; +if ($shared_cflag ne "") + { + $cflags = "$shared_cflag $cflags"; + if (!$no_shared) + { + $shared_mark1 = ".shlib-clean."; + $shared_mark2 = ".shlib."; + } + } + #my ($bn1)=split(/\s+/,$bn_obj); #$bn1 = "" unless defined $bn1; #$bn1=$bn_asm unless ($bn1 =~ /\.o$/); @@ -680,13 +700,20 @@ if ($rmd160_obj =~ /\.o$/) my $version = "unknown"; my $major = "unknown"; my $minor = "unknown"; +my $shlib_version_number = "unknown"; +my $shlib_version_history = "unknown"; +my $shlib_major = "unknown"; +my $shlib_minor = "unknown"; open(IN,') { $version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /; + $shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/; + $shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/; } close(IN); +if ($shlib_version_history ne "") { $shlib_version_history .= ":"; } if ($version =~ /(^[0-9]*)\.([0-9\.]*)/) { @@ -694,6 +721,12 @@ if ($version =~ /(^[0-9]*)\.([0-9\.]*)/) $minor=$2; } +if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/) + { + $shlib_major=$1; + $shlib_minor=$2; + } + open(IN,'$Makefile") || die "unable to create $Makefile:$!\n"; print OUT "### Generated automatically from Makefile.org by Configure.\n\n"; @@ -712,6 +745,10 @@ while () s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; + s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/; + s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/; + s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/; + s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/; s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/; s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/; s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/; @@ -733,6 +770,10 @@ while () s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; + s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/; + s/^SHLIB_MARK1=.*/SHLIB_MARK1=$shared_mark1/; + s/^SHLIB_MARK2=.*/SHLIB_MARK2=$shared_mark2/; + s/^LIBS=.*/LIBS=libcrypto\.so\* libssl\.so\*/ if (!$no_shared); print OUT $_."\n"; } close(IN); @@ -1041,5 +1082,7 @@ sub print_table_entry \$rmd160_obj = $rmd160_obj \$rc5_obj = $rc5_obj \$dso_scheme = $dso_scheme +\$shared_target= $shared_target +\$shared_cflag = $shared_cflag EOF } diff --git a/INSTALL.W32 b/INSTALL.W32 index 3e30095486..2ef764a614 100644 --- a/INSTALL.W32 +++ b/INSTALL.W32 @@ -180,6 +180,35 @@ desired, GNU bc can be built with CygWin32 without change. + Installation + ------------ + + There's currently no real installation procedure for Win32. There are, + however, some suggestions: + + - do nothing. The include files are found in the inc32/ subdirectory, + all binaries are found in out32dll/ or out32/ depending if you built + dynamic or static libraries. + + - do as is written in INSTALL.Win32 that comes with modssl: + + $ md c:\openssl + $ md c:\openssl\bin + $ md c:\openssl\lib + $ md c:\openssl\include + $ md c:\openssl\include\openssl + $ copy /b inc32\* c:\openssl\include\openssl + $ copy /b out32dll\ssleay32.lib c:\openssl\lib + $ copy /b out32dll\libeay32.lib c:\openssl\lib + $ copy /b out32dll\ssleay32.dll c:\openssl\bin + $ copy /b out32dll\libeay32.dll c:\openssl\bin + $ copy /b out32dll\openssl.exe c:\openssl\bin + + Of course, you can choose another device than c:. C: is used here + because that's usually the first (and often only) harddisk device. + Note: in the modssl INSTALL.Win32, p: is used rather than c:. + + Troubleshooting --------------- diff --git a/Makefile.org b/Makefile.org index 33337a96a2..09828b0de9 100644 --- a/Makefile.org +++ b/Makefile.org @@ -5,8 +5,14 @@ VERSION= MAJOR= MINOR= +SHLIB_VERSION_NUMBER= +SHLIB_VERSION_HISTORY= +SHLIB_MAJOR= +SHLIB_MINOR= PLATFORM=dist OPTIONS= +SHLIB_TARGET= + # INSTALL_PREFIX is for package builders so that they can configure # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. # Normally it is left empty. @@ -142,7 +148,14 @@ RMD160_ASM_OBJ= asm/rm86-out.o #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi -DIRS= crypto ssl rsaref apps test tools +# To do special treatment, use "directory names" starting with a period. +# When we're prepared to use shared libraries in the programs we link here +# we might have SHLIB_MARK1 get the value ".shlib." and SHLIB_MARK2 be empty, +# or have that configurable. +SHLIB_MARK1=.shlib-clean. +SHLIB_MARK2=.shlib. + +DIRS= crypto ssl rsaref $(SHLIB_MARK1) apps test tools $(SHLIB_MARK2) SHLIBDIRS= crypto ssl # dirs in crypto to build @@ -165,7 +178,8 @@ TOP= . ONEDIRS=out tmp EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS WDIRS= windows -LIBS= libcrypto.a libssl.a +LIBS= libcrypto.a libssl.a +SHARED_LIBS=libcrypto.so libssl.so GENERAL= Makefile BASENAME= openssl @@ -176,36 +190,110 @@ EXHEADER= e_os.h e_os2.h HEADER= e_os.h all: Makefile.ssl - @for i in $(DIRS) ;\ + @need_shlib=true; \ + for i in $(DIRS) ;\ do \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - done - -@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps - -@# cd perl; $(PERL) Makefile.PL; make + if [ "$$i" = ".shlib-clean." ]; then \ + if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) clean-shared; \ + fi; \ + elif [ "$$i" = ".shlib." ]; then \ + if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) $(SHARED_LIBS); \ + fi; \ + need_shlib=false; \ + else \ + (cd $$i && echo "making all in $$i..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + fi; \ + done; \ + if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + $(MAKE) $(SHARED_LIBS); \ + fi sub_all: - @for i in $(DIRS) ;\ + @need_shlib=true; \ + for i in $(DIRS) ;\ do \ - (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ - done; + if [ "$$i" = ".shlib-clean." ]; then \ + if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) clean-shared; \ + fi; \ + elif [ "$$i" = ".shlib." ]; then \ + if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) $(SHARED_LIBS); \ + fi; \ + need_shlib=false; \ + else \ + (cd $$i && echo "making all in $$i..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + fi; \ + done; \ + if $$need_shlib && [ "$(SHLIB_MARK1)" != "" -o "$(SHLIB_MARK1)" != "" ]; then \ + $(MAKE) $(SHARED_LIBS); \ + fi + +libcrypto.so: libcrypto.a + @if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) SHLIBDIRS=crypto $(SHLIB_TARGET); \ + else \ + echo "There's no support for shared libraries on this platform" >&2; \ + fi +libssl.so: libcrypto.so libssl.a + @if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) SHLIBDIRS=ssl $(SHLIB_TARGET); \ + else \ + echo "There's no support for shared libraries on this platform" >&2; \ + fi + +clean-shared: + for i in ${SHLIBDIRS}; do \ + rm -f lib$$i.so \ + lib$$i.so.${SHLIB_MAJOR} \ + lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + done linux-shared: - for i in ${SHLIBDIRS}; do \ - rm -f lib$$i.a lib$$i.so \ - lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \ - ${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \ - ( set -x; ${CC} -shared -o lib$$i.so.${MAJOR}.${MINOR} \ - -Wl,-S,-soname=lib$$i.so.${MAJOR} \ + libs=; for i in ${SHLIBDIRS}; do \ + rm -f lib$$i.so \ + lib$$i.so.${SHLIB_MAJOR} \ + lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + ( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -Wl,-S,-soname=lib$$i.so.${SHLIB_MAJOR} \ -Wl,--whole-archive lib$$i.a \ - -Wl,--no-whole-archive -lc ) || exit 1; \ - rm -f lib$$i.a; make -C $$i clean || exit 1 ;\ + -Wl,--no-whole-archive -lc $$libs ) || exit 1; \ + libs="$$libs -L. -l$$i"; \ + ( set -x; \ + ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + lib$$i.so.${SHLIB_MAJOR}; \ + ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so ); \ done; + +# This assumes that GNU utilities are *not* used +true64-shared: + libs=; for i in ${SHLIBDIRS}; do \ + ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ + -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ + -all lib$$i.a -none -lc $$libs ) || exit 1; \ + libs="$$libs -L. -l$$i"; \ + done; + +# This assumes that GNU utilities are *not* used +solaris-shared: + libs=; for i in ${SHLIBDIRS}; do \ + rm -f lib$$i.so \ + lib$$i.so.${SHLIB_MAJOR} \ + lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \ + ( set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR} \ + -z allextract lib$$i.a $$libs ) || exit 1; \ + libs="$$libs -L. -l$$i"; \ + ln -s lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + lib$$i.so.${SHLIB_MAJOR}; \ + ln -s lib$$i.so.${SHLIB_MAJOR} lib$$i.so; \ + done; \ @set -x; \ for i in ${SHLIBDIRS}; do \ - ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \ - ln -s lib$$i.so.${MAJOR} lib$$i.so; \ done; Makefile.ssl: Makefile.org @@ -220,9 +308,11 @@ clean: rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making clean in $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ - rm -f $(LIBS); \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making clean in $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \ + rm -f $(LIBS); \ + fi; \ done; rm -f *.a *.o speed.* *.map *.so .pure core rm -f $(TARFILE) @@ -239,8 +329,10 @@ files: $(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making 'files' in $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making 'files' in $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \ + fi; \ done; links: @@ -248,16 +340,20 @@ links: @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) @for i in $(DIRS); do \ - (cd $$i && echo "making links in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making links in $$i..." && \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \ + fi; \ done; dclean: rm -f *.bak @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making dclean in $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making dclean in $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \ + fi; \ done; rehash: rehash.time @@ -278,22 +374,28 @@ report: depend: @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making dependencies $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making dependencies $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \ + fi; \ done; lint: @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making lint $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making lint $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \ + fi; \ done; tags: @for i in $(DIRS) ;\ do \ - (cd $$i && echo "making tags $$i..." && \ - $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i && echo "making tags $$i..." && \ + $(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \ + fi; \ done; errors: @@ -352,15 +454,19 @@ install: all install_docs done; @for i in $(DIRS) ;\ do \ - (cd $$i; echo "installing $$i..."; \ - $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + if echo "$$i" | grep -v '^\.'; then \ + (cd $$i; echo "installing $$i..."; \ + $(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \ + fi; \ done @for i in $(LIBS) ;\ do \ - ( echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ - $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ - chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \ + fi \ done install_docs: diff --git a/TABLE b/TABLE index 79333d356f..0026a900a1 100644 --- a/TABLE +++ b/TABLE @@ -17,6 +17,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** BC-32 $cc = bcc32 @@ -35,6 +37,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** BS2000-OSD $cc = c89 @@ -53,6 +57,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** CygWin32 $cc = gcc @@ -71,6 +77,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** FreeBSD $cc = gcc @@ -89,6 +97,8 @@ $rc4_obj = asm/rx86-out.o $rmd160_obj = asm/rm86-out.o $rc5_obj = asm/r586-out.o $dso_scheme = +$shared_target= +$shared_cflag = *** FreeBSD-alpha $cc = gcc @@ -107,6 +117,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** FreeBSD-elf $cc = gcc @@ -125,6 +137,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** Mingw32 $cc = gcc @@ -143,6 +157,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** NetBSD-m68 $cc = gcc @@ -161,6 +177,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** NetBSD-sparc $cc = gcc @@ -179,6 +197,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** NetBSD-x86 $cc = gcc @@ -197,6 +217,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** OpenBSD $cc = gcc @@ -215,6 +237,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** OpenBSD-alpha $cc = gcc @@ -233,6 +257,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** OpenBSD-mips $cc = gcc @@ -251,6 +277,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** OpenBSD-x86 $cc = gcc @@ -269,6 +297,8 @@ $rc4_obj = asm/rx86-out.o $rmd160_obj = asm/rm86-out.o $rc5_obj = asm/r586-out.o $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** ReliantUNIX $cc = cc @@ -287,6 +317,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** SINIX $cc = cc @@ -305,6 +337,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** SINIX-N $cc = /usr/ucb/cc @@ -323,6 +357,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-MSDOS $cc = cl @@ -341,6 +377,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-NT $cc = cl @@ -359,6 +397,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-W31-16 $cc = cl @@ -377,6 +417,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-W31-32 $cc = cl @@ -395,6 +437,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-WIN16 $cc = cl @@ -413,6 +457,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** VC-WIN32 $cc = cl @@ -431,6 +477,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** aix-cc $cc = cc @@ -449,6 +497,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** aix-gcc $cc = gcc @@ -467,6 +517,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** alpha-cc $cc = cc @@ -485,6 +537,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** alpha-gcc $cc = gcc @@ -503,6 +557,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** alpha164-cc $cc = cc @@ -520,7 +576,9 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = +$dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** bsdi-elf-gcc $cc = gcc @@ -539,6 +597,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** bsdi-gcc $cc = gcc @@ -557,6 +617,8 @@ $rc4_obj = asm/rx86bsdi.o $rmd160_obj = asm/rm86bsdi.o $rc5_obj = asm/r586bsdi.o $dso_scheme = +$shared_target= +$shared_cflag = *** cc $cc = cc @@ -575,6 +637,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** cray-t3e $cc = cc @@ -593,6 +657,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** cray-t90-cc $cc = cc @@ -611,6 +677,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** debug $cc = gcc @@ -629,6 +697,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** debug-ben $cc = gcc @@ -647,6 +717,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** debug-ben-debug $cc = gcc @@ -665,6 +737,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** debug-ben-strict $cc = gcc @@ -683,6 +757,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** debug-bodo $cc = gcc @@ -701,6 +777,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** debug-levitte-linux-elf $cc = gcc @@ -719,6 +797,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-linux-elf $cc = gcc @@ -737,6 +817,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-linux-elf-noefence $cc = gcc @@ -755,6 +837,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-rse $cc = cc @@ -773,6 +857,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** debug-solaris-sparcv8-cc $cc = cc @@ -791,6 +877,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-solaris-sparcv8-gcc $cc = gcc @@ -809,6 +897,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-solaris-sparcv9-cc $cc = cc @@ -827,6 +917,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-solaris-sparcv9-gcc $cc = gcc @@ -845,6 +937,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** debug-steve $cc = gcc @@ -863,6 +957,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** debug-ulf $cc = gcc @@ -881,6 +977,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** dgux-R3-gcc $cc = gcc @@ -899,6 +997,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** dgux-R4-gcc $cc = gcc @@ -917,6 +1017,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** dgux-R4-x86-gcc $cc = gcc @@ -935,6 +1037,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = +$shared_target= +$shared_cflag = *** dist $cc = cc @@ -953,6 +1057,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** gcc $cc = gcc @@ -971,6 +1077,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** hpux-brokencc $cc = cc @@ -989,6 +1097,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-brokengcc $cc = gcc @@ -1007,6 +1117,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-cc $cc = cc @@ -1025,6 +1137,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-gcc $cc = gcc @@ -1043,6 +1157,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-parisc-cc $cc = cc @@ -1061,6 +1177,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-parisc-cc-o4 $cc = cc @@ -1079,6 +1197,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux-parisc-gcc $cc = gcc @@ -1097,6 +1217,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux10-brokencc $cc = cc @@ -1115,6 +1237,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux10-brokengcc $cc = gcc @@ -1133,6 +1257,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux10-cc $cc = cc @@ -1151,6 +1277,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux10-gcc $cc = gcc @@ -1169,6 +1297,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** hpux64-parisc-cc $cc = cc @@ -1187,6 +1317,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dl +$shared_target= +$shared_cflag = *** irix-cc $cc = cc @@ -1205,6 +1337,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** irix-gcc $cc = gcc @@ -1223,6 +1357,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** irix-mips3-cc $cc = cc @@ -1241,6 +1377,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** irix-mips3-gcc $cc = gcc @@ -1259,6 +1397,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** irix64-mips4-cc $cc = cc @@ -1277,6 +1417,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** irix64-mips4-gcc $cc = gcc @@ -1295,6 +1437,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-alpha+bwx-ccc $cc = ccc @@ -1313,6 +1457,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-alpha+bwx-gcc $cc = gcc @@ -1331,6 +1477,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-alpha-ccc $cc = ccc @@ -1349,6 +1497,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-alpha-gcc $cc = gcc @@ -1367,6 +1517,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-aout $cc = gcc @@ -1385,6 +1537,8 @@ $rc4_obj = asm/rx86-out.o $rmd160_obj = asm/rm86-out.o $rc5_obj = asm/r586-out.o $dso_scheme = +$shared_target= +$shared_cflag = *** linux-elf $cc = gcc @@ -1403,6 +1557,8 @@ $rc4_obj = asm/rx86-elf.o $rmd160_obj = asm/rm86-elf.o $rc5_obj = asm/r586-elf.o $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** linux-elf-arm $cc = gcc @@ -1421,6 +1577,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** linux-ia64 $cc = gcc @@ -1439,6 +1597,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-m68k $cc = gcc @@ -1457,6 +1617,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-mips $cc = gcc @@ -1475,6 +1637,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-ppc $cc = gcc @@ -1493,6 +1657,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-sparcv7 $cc = gcc @@ -1511,6 +1677,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-sparcv8 $cc = gcc @@ -1529,6 +1697,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** linux-sparcv9 $cc = gcc @@ -1547,6 +1717,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** ncr-scde $cc = cc @@ -1565,6 +1737,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** nextstep $cc = cc @@ -1583,6 +1757,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** nextstep3.3 $cc = cc @@ -1601,6 +1777,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** purify $cc = purify gcc @@ -1619,6 +1797,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** rhapsody-ppc-cc $cc = cc @@ -1637,6 +1817,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** sco5-cc $cc = cc @@ -1655,6 +1837,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** sco5-gcc $cc = gcc @@ -1673,6 +1857,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** solaris-sparc-sc3 $cc = cc @@ -1691,6 +1877,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv7-cc $cc = cc @@ -1709,6 +1897,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv7-gcc $cc = gcc @@ -1727,6 +1917,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv8-cc $cc = cc @@ -1745,6 +1937,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv8-gcc $cc = gcc @@ -1763,6 +1957,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv9-cc $cc = cc @@ -1781,6 +1977,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv9-gcc $cc = gcc @@ -1799,6 +1997,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-sparcv9-gcc27 $cc = gcc @@ -1817,6 +2017,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris-x86-gcc $cc = gcc @@ -1835,6 +2037,8 @@ $rc4_obj = asm/rx86-sol.o $rmd160_obj = asm/rm86-sol.o $rc5_obj = asm/r586-sol.o $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** solaris64-sparcv9-cc $cc = cc @@ -1853,6 +2057,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn +$shared_target= +$shared_cflag = *** sunos-gcc $cc = gcc @@ -1871,6 +2077,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** ultrix-cc $cc = cc @@ -1889,6 +2097,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** ultrix-gcc $cc = gcc @@ -1907,6 +2117,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** unixware-2.0 $cc = cc @@ -1925,6 +2137,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** unixware-2.0-pentium $cc = cc @@ -1943,6 +2157,8 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = *** unixware-7 $cc = cc @@ -1961,3 +2177,5 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = +$shared_target= +$shared_cflag = diff --git a/apps/apps.c b/apps/apps.c index bd8f0f7b55..fafbfc536c 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -655,3 +655,83 @@ end: return(othercerts); } +typedef struct { + char *name; + unsigned long flag; + unsigned long mask; +} NAME_EX_TBL; + +int set_name_ex(unsigned long *flags, const char *arg) +{ + char c; + const NAME_EX_TBL *ptbl, ex_tbl[] = { + { "esc_2253", ASN1_STRFLGS_ESC_2253, 0}, + { "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0}, + { "esc_msb", ASN1_STRFLGS_ESC_MSB, 0}, + { "use_quote", ASN1_STRFLGS_ESC_QUOTE, 0}, + { "utf8", ASN1_STRFLGS_UTF8_CONVERT, 0}, + { "ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0}, + { "show_type", ASN1_STRFLGS_SHOW_TYPE, 0}, + { "dump_all", ASN1_STRFLGS_DUMP_ALL, 0}, + { "dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0}, + { "dump_der", ASN1_STRFLGS_DUMP_DER, 0}, + { "compat", XN_FLAG_COMPAT, 0xffffffffL}, + { "sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK}, + { "sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK}, + { "sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK}, + { "sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK}, + { "dn_rev", XN_FLAG_DN_REV, 0}, + { "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, + { "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, + { "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, + { "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, + { "space_eq", XN_FLAG_SPC_EQ, 0}, + { "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, + { "RFC2253", XN_FLAG_RFC2253, 0xffffffffL}, + { "oneline", XN_FLAG_ONELINE, 0xffffffffL}, + { "multiline", XN_FLAG_MULTILINE, 0xffffffffL}, + { NULL, 0, 0} + }; + + c = arg[0]; + + if(c == '-') { + c = 0; + arg++; + } else if (c == '+') { + c = 1; + arg++; + } else c = 1; + + for(ptbl = ex_tbl; ptbl->name; ptbl++) { + if(!strcmp(arg, ptbl->name)) { + *flags &= ~ptbl->mask; + if(c) *flags |= ptbl->flag; + else *flags &= ~ptbl->flag; + return 1; + } + } + return 0; +} + +void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags) +{ + char buf[256]; + char mline = 0; + int indent = 0; + if(title) BIO_puts(out, title); + if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { + mline = 1; + indent = 4; + } + if(lflags == XN_FLAG_COMPAT) { + X509_NAME_oneline(nm,buf,256); + BIO_puts(out,buf); + BIO_puts(out, "\n"); + } else { + if(mline) BIO_puts(out, "\n"); + X509_NAME_print_ex(out, nm, indent, lflags); + BIO_puts(out, "\n"); + } +} + diff --git a/apps/apps.h b/apps/apps.h index a8fd113f93..54fa01ced4 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -145,7 +145,9 @@ void program_name(char *in,char *out,int size); int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]); #ifdef HEADER_X509_H int dump_cert_text(BIO *out, X509 *x); +void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags); #endif +int set_name_ex(unsigned long *flags, const char *arg); int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2); int add_oid_section(BIO *err, LHASH *conf); X509 *load_cert(BIO *err, char *file, int format); diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 2d64492ffd..30e1da443a 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -88,7 +88,7 @@ int MAIN(int argc, char **argv) unsigned int length=0; long num,tmplen; BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL; - int informat,indent=0, noout = 0; + int informat,indent=0, noout = 0, dump = 0; char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL; unsigned char *tmpbuf; BUF_MEM *buf=NULL; @@ -149,6 +149,16 @@ int MAIN(int argc, char **argv) length= atoi(*(++argv)); if (length == 0) goto bad; } + else if (strcmp(*argv,"-dump") == 0) + { + dump= -1; + } + else if (strcmp(*argv,"-dlimit") == 0) + { + if (--argc < 1) goto bad; + dump= atoi(*(++argv)); + if (dump <= 0) goto bad; + } else if (strcmp(*argv,"-strparse") == 0) { if (--argc < 1) goto bad; @@ -176,6 +186,8 @@ bad: BIO_printf(bio_err," -offset arg offset into file\n"); BIO_printf(bio_err," -length arg length of section in file\n"); BIO_printf(bio_err," -i indent entries\n"); + BIO_printf(bio_err," -dump dump unknown data in hex form\n"); + BIO_printf(bio_err," -dlimit arg dump the first arg bytes of unknown data in hex form\n"); BIO_printf(bio_err," -oid file file of extra oid definitions\n"); BIO_printf(bio_err," -strparse offset\n"); BIO_printf(bio_err," a series of these can be used to 'dig' into multiple\n"); @@ -293,7 +305,8 @@ bad: } } if (!noout && - !ASN1_parse(out,(unsigned char *)&(str[offset]),length,indent)) + !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length, + indent,dump)) { ERR_print_errors(bio_err); goto end; diff --git a/apps/passwd.c b/apps/passwd.c index 7ade6e54de..6c1aed0f0b 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -44,7 +44,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, char *passwd, BIO *out, int quiet, int table, int reverse, size_t pw_maxlen, int usecrypt, int use1, int useapr1); -/* -crypt - standard Unix password algorithm (default, only choice) +/* -crypt - standard Unix password algorithm (default) * -1 - MD5-based password algorithm * -apr1 - MD5-based password algorithm, Apache variant * -salt string - salt diff --git a/apps/req.c b/apps/req.c index 7a70094c3b..02b0d88a95 100644 --- a/apps/req.c +++ b/apps/req.c @@ -587,6 +587,11 @@ bad: BIO_printf(bio_err,"unable to load Private key\n"); goto end; } + if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA) + { + char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE"); + app_RAND_load_file(randfile, bio_err, 0); + } } if (newreq && (pkey == NULL)) diff --git a/apps/smime.c b/apps/smime.c index ebc0eb6af4..e380443d6c 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -277,8 +277,11 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-signer file signer certificate file\n"); BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n"); BIO_printf (bio_err, "-in file input file\n"); + BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n"); BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n"); BIO_printf (bio_err, "-out file output file\n"); + BIO_printf (bio_err, "-outform arg output format SMIME (default), PEM or DER\n"); + BIO_printf (bio_err, "-content file supply or override content for detached signature\n"); BIO_printf (bio_err, "-to addr to address\n"); BIO_printf (bio_err, "-from ad from address\n"); BIO_printf (bio_err, "-subject s subject\n"); diff --git a/apps/verify.c b/apps/verify.c index 267ee4ecd7..8d211e0152 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -186,7 +186,7 @@ int MAIN(int argc, char **argv) ret=0; end: if (ret == 1) { - BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] cert1 cert2 ...\n"); + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] cert1 cert2 ...\n"); BIO_printf(bio_err,"recognized usages:\n"); for(i = 0; i < X509_PURPOSE_get_count(); i++) { X509_PURPOSE *ptmp; diff --git a/apps/x509.c b/apps/x509.c index 39fbb65971..a071b20f40 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -128,6 +128,7 @@ static char *x509_usage[]={ " -extfile - configuration file with X509V3 extensions to add\n", " -extensions - section from config file with X509V3 extensions to add\n", " -clrext - delete extensions before signing and input certificate\n", +" -nameopt arg - various certificate name options\n", NULL }; @@ -173,6 +174,7 @@ int MAIN(int argc, char **argv) char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; int need_rand = 0; int checkend=0,checkoffset=0; + unsigned long nmflag = 0; reqfile=0; @@ -316,6 +318,11 @@ int MAIN(int argc, char **argv) alias= *(++argv); trustout = 1; } + else if (strcmp(*argv,"-nameopt") == 0) + { + if (--argc < 1) goto bad; + if(!set_name_ex(&nmflag, *(++argv))) goto bad; + } else if (strcmp(*argv,"-setalias") == 0) { if (--argc < 1) goto bad; @@ -524,9 +531,8 @@ bad: } else BIO_printf(bio_err,"Signature ok\n"); - - X509_NAME_oneline(req->req_info->subject,buf,256); - BIO_printf(bio_err,"subject=%s\n",buf); + + print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); if ((x=X509_new()) == NULL) goto end; ci=x->cert_info; @@ -600,15 +606,13 @@ bad: { if (issuer == i) { - X509_NAME_oneline(X509_get_issuer_name(x), - buf,256); - BIO_printf(STDout,"issuer= %s\n",buf); + print_name(STDout, "issuer= ", + X509_get_issuer_name(x), nmflag); } else if (subject == i) { - X509_NAME_oneline(X509_get_subject_name(x), - buf,256); - BIO_printf(STDout,"subject=%s\n",buf); + print_name(STDout, "issuer= ", + X509_get_subject_name(x), nmflag); } else if (serial == i) { @@ -1082,7 +1086,6 @@ end: static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) { - char buf[256]; int err; X509 *err_cert; @@ -1104,8 +1107,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx) else { err_cert=X509_STORE_CTX_get_current_cert(ctx); - X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256); - BIO_printf(bio_err,"%s\n",buf); + print_name(bio_err, NULL, X509_get_subject_name(err_cert),0); BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n", err,X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(err)); diff --git a/crypto/asn1/Makefile.ssl b/crypto/asn1/Makefile.ssl index 9034d35868..aa788ef74a 100644 --- a/crypto/asn1/Makefile.ssl +++ b/crypto/asn1/Makefile.ssl @@ -24,7 +24,7 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \ a_null.c a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c a_bmp.c \ - a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c \ + a_enum.c a_vis.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \ x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c \ x_name.c x_cinf.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \ d2i_r_pr.c i2d_r_pr.c d2i_r_pu.c i2d_r_pu.c \ @@ -39,7 +39,7 @@ LIBSRC= a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \ evp_asn1.c asn_pack.c p5_pbe.c p5_pbev2.c p8_pkey.c LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \ a_null.o a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o a_bmp.o \ - a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o \ + a_enum.o a_vis.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \ x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o \ x_name.o x_cinf.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \ d2i_r_pr.o i2d_r_pr.o d2i_r_pu.o i2d_r_pu.o \ @@ -284,6 +284,23 @@ a_sign.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h a_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h a_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h a_sign.o: ../cryptlib.h +a_strex.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +a_strex.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h +a_strex.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h +a_strex.o: ../../include/openssl/crypto.h ../../include/openssl/des.h +a_strex.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +a_strex.o: ../../include/openssl/e_os2.h ../../include/openssl/evp.h +a_strex.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h +a_strex.o: ../../include/openssl/md2.h ../../include/openssl/md5.h +a_strex.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h +a_strex.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +a_strex.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h +a_strex.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h +a_strex.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h +a_strex.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +a_strex.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +a_strex.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +a_strex.o: charmap.h a_strnid.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h a_strnid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h a_strnid.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h diff --git a/crypto/asn1/a_enum.c b/crypto/asn1/a_enum.c index 34b1a38c49..53b30f2b56 100644 --- a/crypto/asn1/a_enum.c +++ b/crypto/asn1/a_enum.c @@ -75,6 +75,7 @@ void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x) int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp) { int len, ret; + if(!a) return 0; len = i2c_ASN1_INTEGER(a, NULL); ret=ASN1_object_size(0,len,V_ASN1_ENUMERATED); if(pp) { diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 45927ffd6e..bb8e9cf8f9 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -77,6 +77,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y) int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) { int len, ret; + if(!a) return 0; len = i2c_ASN1_INTEGER(a, NULL); ret=ASN1_object_size(0,len,V_ASN1_INTEGER); if(pp) { diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 7e1300021e..3873b98902 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -190,24 +190,13 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a) ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, long length) - { - ASN1_OBJECT *ret=NULL; +{ unsigned char *p; long len; int tag,xclass; int inf,i; - - /* only the ASN1_OBJECTs from the 'table' will have values - * for ->sn or ->ln */ - if ((a == NULL) || ((*a) == NULL) || - !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) - { - if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL); - } - else ret=(*a); - + ASN1_OBJECT *ret = NULL; p= *pp; - inf=ASN1_get_object(&p,&len,&tag,&xclass,length); if (inf & 0x80) { @@ -220,6 +209,32 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, i=ASN1_R_EXPECTING_AN_OBJECT; goto err; } + ret = c2i_ASN1_OBJECT(a, &p, len); + if(ret) *pp = p; + return ret; +err: + ASN1err(ASN1_F_D2I_ASN1_OBJECT,i); + if ((ret != NULL) && ((a == NULL) || (*a != ret))) + ASN1_OBJECT_free(ret); + return(NULL); +} +ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, + long len) + { + ASN1_OBJECT *ret=NULL; + unsigned char *p; + int i; + + /* only the ASN1_OBJECTs from the 'table' will have values + * for ->sn or ->ln */ + if ((a == NULL) || ((*a) == NULL) || + !((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC)) + { + if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL); + } + else ret=(*a); + + p= *pp; if ((ret->data == NULL) || (ret->length < len)) { if (ret->data != NULL) OPENSSL_free(ret->data); diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index fcce0f6925..9189537f28 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -237,6 +237,7 @@ DECLARE_STACK_OF(ASN1_STRING_TABLE) #define ASN1_BMPSTRING ASN1_STRING #define ASN1_VISIBLESTRING ASN1_STRING #define ASN1_UTF8STRING ASN1_STRING +#define ASN1_BOOLEAN int #else typedef struct asn1_string_st ASN1_INTEGER; typedef struct asn1_string_st ASN1_ENUMERATED; @@ -253,10 +254,90 @@ typedef struct asn1_string_st ASN1_TIME; typedef struct asn1_string_st ASN1_GENERALIZEDTIME; typedef struct asn1_string_st ASN1_VISIBLESTRING; typedef struct asn1_string_st ASN1_UTF8STRING; +typedef int ASN1_BOOLEAN; #endif typedef int ASN1_NULL; +/* Parameters used by ASN1_STRING_print_ex() */ + +/* These determine which characters to escape: + * RFC2253 special characters, control characters and + * MSB set characters + */ + +#define ASN1_STRFLGS_ESC_2253 1 +#define ASN1_STRFLGS_ESC_CTRL 2 +#define ASN1_STRFLGS_ESC_MSB 4 + + +/* This flag determines how we do escaping: normally + * RC2253 backslash only, set this to use backslash and + * quote. + */ + +#define ASN1_STRFLGS_ESC_QUOTE 8 + + +/* These three flags are internal use only. */ + +/* Character is a valid PrintableString character */ +#define CHARTYPE_PRINTABLESTRING 0x10 +/* Character needs escaping if it is the first character */ +#define CHARTYPE_FIRST_ESC_2253 0x20 +/* Character needs escaping if it is the last character */ +#define CHARTYPE_LAST_ESC_2253 0x40 + +/* NB the internal flags are safely reused below by flags + * handled at the top level. + */ + +/* If this is set we convert all character strings + * to UTF8 first + */ + +#define ASN1_STRFLGS_UTF8_CONVERT 0x10 + +/* If this is set we don't attempt to interpret content: + * just assume all strings are 1 byte per character. This + * will produce some pretty odd looking output! + */ + +#define ASN1_STRFLGS_IGNORE_TYPE 0x20 + +/* If this is set we include the string type in the output */ +#define ASN1_STRFLGS_SHOW_TYPE 0x40 + +/* This determines which strings to display and which to + * 'dump' (hex dump of content octets or DER encoding). We can + * only dump non character strings or everything. If we + * don't dump 'unknown' they are interpreted as character + * strings with 1 octet per character and are subject to + * the usual escaping options. + */ + +#define ASN1_STRFLGS_DUMP_ALL 0x80 +#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 + +/* These determine what 'dumping' does, we can dump the + * content octets or the DER encoding: both use the + * RFC2253 #XXXXX notation. + */ + +#define ASN1_STRFLGS_DUMP_DER 0x200 + +/* All the string flags consistent with RFC2253, + * escaping control characters isn't essential in + * RFC2253 but it is advisable anyway. + */ + +#define ASN1_STRFLGS_RFC2253 (ASN1_STRFLGS_ESC_2253 | \ + ASN1_STRFLGS_ESC_CTRL | \ + ASN1_STRFLGS_ESC_MSB | \ + ASN1_STRFLGS_UTF8_CONVERT | \ + ASN1_STRFLGS_DUMP_UNKNOWN | \ + ASN1_STRFLGS_DUMP_DER) + DECLARE_STACK_OF(ASN1_INTEGER) DECLARE_ASN1_SET_OF(ASN1_INTEGER) @@ -265,6 +346,7 @@ typedef struct asn1_type_st int type; union { char *ptr; + ASN1_BOOLEAN boolean; ASN1_STRING * asn1_string; ASN1_OBJECT * object; ASN1_INTEGER * integer; @@ -506,6 +588,8 @@ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); ASN1_OBJECT * ASN1_OBJECT_new(void ); void ASN1_OBJECT_free(ASN1_OBJECT *a); int i2d_ASN1_OBJECT(ASN1_OBJECT *a,unsigned char **pp); +ASN1_OBJECT * c2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp, + long length); ASN1_OBJECT * d2i_ASN1_OBJECT(ASN1_OBJECT **a,unsigned char **pp, long length); @@ -722,6 +806,7 @@ char *ASN1_dup(int (*i2d)(),char *(*d2i)(),char *x); #ifndef NO_FP_API char *ASN1_d2i_fp(char *(*xnew)(),char *(*d2i)(),FILE *fp,unsigned char **x); int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x); +int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags); #endif #ifndef NO_BIO @@ -731,7 +816,9 @@ int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a); int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a); int ASN1_TIME_print(BIO *fp,ASN1_TIME *a); int ASN1_STRING_print(BIO *bp,ASN1_STRING *v); +int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags); int ASN1_parse(BIO *bp,unsigned char *pp,long len,int indent); +int ASN1_parse_dump(BIO *bp,unsigned char *pp,long len,int indent,int dump); #endif const char *ASN1_tag2str(int tag); diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index d1e9816bad..dc868a4d87 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -65,7 +65,7 @@ static int asn1_print_info(BIO *bp, int tag, int xclass,int constructed, int indent); static int asn1_parse2(BIO *bp, unsigned char **pp, long length, - int offset, int depth, int indent); + int offset, int depth, int indent, int dump); static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, int indent) { @@ -110,11 +110,16 @@ err: int ASN1_parse(BIO *bp, unsigned char *pp, long len, int indent) { - return(asn1_parse2(bp,&pp,len,0,0,indent)); + return(asn1_parse2(bp,&pp,len,0,0,indent,0)); + } + +int ASN1_parse_dump(BIO *bp, unsigned char *pp, long len, int indent, int dump) + { + return(asn1_parse2(bp,&pp,len,0,0,indent,dump)); } static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, - int depth, int indent) + int depth, int indent, int dump) { unsigned char *p,*ep,*tot,*op,*opp; long len; @@ -123,7 +128,13 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, ASN1_OBJECT *o=NULL; ASN1_OCTET_STRING *os=NULL; /* ASN1_BMPSTRING *bmp=NULL;*/ + int dump_indent; +#if 0 + dump_indent = indent; +#else + dump_indent = 6; /* Because we know BIO_dump_indent() */ +#endif p= *pp; tot=p+length; op=p-1; @@ -178,7 +189,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, { r=asn1_parse2(bp,&p,(long)(tot-p), offset+(p - *pp),depth+1, - indent); + indent,dump); if (r == 0) { ret=0; goto end; } if ((r == 2) || (p >= tot)) break; } @@ -188,7 +199,7 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, { r=asn1_parse2(bp,&p,(long)len, offset+(p - *pp),depth+1, - indent); + indent,dump); if (r == 0) { ret=0; goto end; } } } @@ -273,6 +284,20 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, os->length) <= 0) goto end; } + if (!printable && (os->length > 0) + && dump) + { + if (!nl) + { + if (BIO_write(bp,"\n",1) <= 0) + goto end; + } + if (BIO_dump_indent(bp,opp, + ((dump == -1 || dump > os->length)?os->length:dump), + dump_indent) <= 0) + goto end; + nl=1; + } M_ASN1_OCTET_STRING_free(os); os=NULL; } @@ -341,6 +366,19 @@ static int asn1_parse2(BIO *bp, unsigned char **pp, long length, int offset, } M_ASN1_ENUMERATED_free(bs); } + else if (len > 0 && dump) + { + if (!nl) + { + if (BIO_write(bp,"\n",1) <= 0) + goto end; + } + if (BIO_dump_indent(bp,p, + ((dump == -1 || dump > len)?len:dump), + dump_indent) <= 0) + goto end; + nl=1; + } if (!nl) { diff --git a/crypto/asn1/d2i_dsap.c b/crypto/asn1/d2i_dsap.c index 6d1c297133..9d4dea6145 100644 --- a/crypto/asn1/d2i_dsap.c +++ b/crypto/asn1/d2i_dsap.c @@ -64,7 +64,7 @@ #include #include -#ifdef NEG_PUBKEY_BUG +#ifndef NO_NEG_PUBKEY_BUG #define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER #endif diff --git a/crypto/asn1/d2i_r_pu.c b/crypto/asn1/d2i_r_pu.c index d1289f160e..9e5d41cf53 100644 --- a/crypto/asn1/d2i_r_pu.c +++ b/crypto/asn1/d2i_r_pu.c @@ -64,7 +64,7 @@ #include #include -#ifdef NEG_PUBKEY_BUG +#ifndef NO_NEG_PUBKEY_BUG #define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER #endif diff --git a/crypto/asn1/d2i_s_pu.c b/crypto/asn1/d2i_s_pu.c index e0adaa0393..0b7d2fafcc 100644 --- a/crypto/asn1/d2i_s_pu.c +++ b/crypto/asn1/d2i_s_pu.c @@ -66,7 +66,7 @@ #include #include -#ifdef NEG_PUBKEY_BUG +#ifndef NO_NEG_PUBKEY_BUG #define d2i_ASN1_INTEGER d2i_ASN1_UINTEGER #endif diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c index f5aeb237f5..7cbe4f22b5 100644 --- a/crypto/bio/b_dump.c +++ b/crypto/bio/b_dump.c @@ -66,13 +66,20 @@ #define TRUNCATE #define DUMP_WIDTH 16 +#define DUMP_WIDTH_LESS_INDENT(i) (DUMP_WIDTH-((i-(i>6?6:i)+3)/4)) int BIO_dump(BIO *bio, const char *s, int len) + { + return BIO_dump_indent(bio, s, len, 0); + } + +int BIO_dump_indent(BIO *bio, const char *s, int len, int indent) { int ret=0; - char buf[160+1],tmp[20]; + char buf[288+1],tmp[20],str[128+1]; int i,j,rows,trunc; unsigned char ch; + int dump_width; trunc=0; @@ -81,27 +88,37 @@ int BIO_dump(BIO *bio, const char *s, int len) trunc++; #endif - rows=(len/DUMP_WIDTH); - if ((rows*DUMP_WIDTH) 128) indent=128; + memset(str,' ',indent); + } + str[indent]='\0'; + + dump_width=DUMP_WIDTH_LESS_INDENT(indent); + rows=(len/dump_width); + if ((rows*dump_width)=len) { + strcpy(buf,str); + sprintf(tmp,"%04x - ",i*dump_width); + strcat(buf,tmp); + for(j=0;j=len) { strcat(buf," "); } else { - ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff; + ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; sprintf(tmp,"%02x%c",ch,j==7?'-':' '); strcat(buf,tmp); } } strcat(buf," "); - for(j=0;j=len) + for(j=0;j=len) break; - ch=((unsigned char)*(s+i*DUMP_WIDTH+j)) & 0xff; + ch=((unsigned char)*(s+i*dump_width+j)) & 0xff; #ifndef CHARSET_EBCDIC sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.'); #else @@ -119,7 +136,7 @@ int BIO_dump(BIO *bio, const char *s, int len) } #ifdef TRUNCATE if (trunc > 0) { - sprintf(buf,"%04x - \n",len+trunc); + sprintf(buf,"%s%04x - \n",str,len+trunc); ret+=BIO_write(bio,(char *)buf,strlen(buf)); } #endif diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index b2958788b6..64310058b4 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -105,17 +105,22 @@ int BIO_get_host_ip(const char *str, unsigned char *ip) struct hostent *he; i=get_ip(str,ip); - if (i > 0) return(1); if (i < 0) { BIOerr(BIO_F_BIO_GET_HOST_IP,BIO_R_INVALID_IP_ADDRESS); goto err; } - /* do a gethostbyname */ + /* At this point, we have something that is most probably correct + in some way, so let's init the socket. */ if (!BIO_sock_init()) return(0); /* don't generate another error code here */ + /* If the string actually contained an IP address, we need not do + anything more */ + if (i > 0) return(1); + + /* do a gethostbyname */ CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME); locked = 1; he=BIO_gethostbyname(str); diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h index 5634a96a79..76748e05d8 100644 --- a/crypto/bio/bio.h +++ b/crypto/bio/bio.h @@ -559,6 +559,7 @@ int BIO_sock_non_fatal_error(int error); int BIO_fd_should_retry(int i); int BIO_fd_non_fatal_error(int error); int BIO_dump(BIO *b,const char *bytes,int len); +int BIO_dump_indent(BIO *b,const char *bytes,int len,int indent); struct hostent *BIO_gethostbyname(const char *name); /* We might want a thread-safe interface too: diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index 3e8baaad9a..3e8d8b9567 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c @@ -631,7 +631,6 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) al=a->top; bl=b->top; - r->neg=a->neg^b->neg; if ((al == 0) || (bl == 0)) { @@ -647,6 +646,7 @@ int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) } else rr = r; + rr->neg=a->neg^b->neg; #if defined(BN_MUL_COMBA) || defined(BN_RECURSION) i = al-bl; diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c index 73157a7d43..f3bdde969c 100644 --- a/crypto/bn/bn_word.c +++ b/crypto/bn/bn_word.c @@ -115,7 +115,7 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=0; i=BN_sub_word(a,w); if (!BN_is_zero(a)) - a->neg=1; + a->neg=!(a->neg); return(i); } w&=BN_MASK2; @@ -140,7 +140,7 @@ int BN_sub_word(BIGNUM *a, BN_ULONG w) { int i; - if (a->neg) + if (BN_is_zero(a) || a->neg) { a->neg=0; i=BN_add_word(a,w); diff --git a/crypto/crypto.h b/crypto/crypto.h index f538f0b67a..5f72ed4513 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -244,11 +244,11 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS) * unless CRYPTO_MDEBUG is defined) */ #define CRYPTO_malloc_debug_init() do {\ CRYPTO_set_mem_debug_functions(\ - (void (*)())CRYPTO_dbg_malloc,\ - (void (*)())CRYPTO_dbg_realloc,\ - (void (*)())CRYPTO_dbg_free,\ - (void (*)())CRYPTO_dbg_set_options,\ - (long (*)())CRYPTO_dbg_get_options);\ + CRYPTO_dbg_malloc,\ + CRYPTO_dbg_realloc,\ + CRYPTO_dbg_free,\ + CRYPTO_dbg_set_options,\ + CRYPTO_dbg_get_options);\ } while(0) int CRYPTO_mem_ctrl(int mode); diff --git a/crypto/err/err.c b/crypto/err/err.c index 58c918d1da..b3fd416044 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -560,7 +560,7 @@ const char *ERR_lib_error_string(unsigned long e) l=ERR_GET_LIB(e); - CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH); if (error_hash != NULL) { @@ -568,7 +568,7 @@ const char *ERR_lib_error_string(unsigned long e) p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d); } - CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH); return((p == NULL)?NULL:p->string); } @@ -581,7 +581,7 @@ const char *ERR_func_error_string(unsigned long e) l=ERR_GET_LIB(e); f=ERR_GET_FUNC(e); - CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH); if (error_hash != NULL) { @@ -589,7 +589,7 @@ const char *ERR_func_error_string(unsigned long e) p=(ERR_STRING_DATA *)lh_retrieve(error_hash,&d); } - CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH); return((p == NULL)?NULL:p->string); } @@ -602,7 +602,7 @@ const char *ERR_reason_error_string(unsigned long e) l=ERR_GET_LIB(e); r=ERR_GET_REASON(e); - CRYPTO_r_lock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_lock(CRYPTO_LOCK_ERR_HASH); if (error_hash != NULL) { @@ -615,7 +615,7 @@ const char *ERR_reason_error_string(unsigned long e) } } - CRYPTO_r_unlock(CRYPTO_LOCK_ERR_HASH); + CRYPTO_w_unlock(CRYPTO_LOCK_ERR_HASH); return((p == NULL)?NULL:p->string); } @@ -646,7 +646,7 @@ static int pid_cmp(ERR_STATE *a, ERR_STATE *b) void ERR_remove_state(unsigned long pid) { - ERR_STATE *p,tmp; + ERR_STATE *p = NULL,tmp; if (thread_hash == NULL) return; @@ -654,12 +654,15 @@ void ERR_remove_state(unsigned long pid) pid=(unsigned long)CRYPTO_thread_id(); tmp.pid=pid; CRYPTO_w_lock(CRYPTO_LOCK_ERR); - p=(ERR_STATE *)lh_delete(thread_hash,&tmp); - if (lh_num_items(thread_hash) == 0) + if (thread_hash) { - /* make sure we don't leak memory */ - lh_free(thread_hash); - thread_hash = NULL; + p=(ERR_STATE *)lh_delete(thread_hash,&tmp); + if (lh_num_items(thread_hash) == 0) + { + /* make sure we don't leak memory */ + lh_free(thread_hash); + thread_hash = NULL; + } } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); @@ -676,13 +679,13 @@ ERR_STATE *ERR_get_state(void) pid=(unsigned long)CRYPTO_thread_id(); - CRYPTO_r_lock(CRYPTO_LOCK_ERR); + CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (thread_hash != NULL) { tmp.pid=pid; ret=(ERR_STATE *)lh_retrieve(thread_hash,&tmp); } - CRYPTO_r_unlock(CRYPTO_LOCK_ERR); + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); /* ret == the error state, if NULL, make a new one */ if (ret == NULL) diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index 35c514a771..af6fa2ae8f 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -370,10 +370,11 @@ static int b64_write(BIO *b, const char *in, int inl) n-=i; } /* at this point all pending data has been written */ + ctx->buf_off=0; + ctx->buf_len=0; if ((in == NULL) || (inl <= 0)) return(0); - ctx->buf_off=0; while (inl > 0) { n=(inl > B64_BLOCK_SIZE)?B64_BLOCK_SIZE:inl; @@ -383,14 +384,20 @@ static int b64_write(BIO *b, const char *in, int inl) if (ctx->tmp_len > 0) { n=3-ctx->tmp_len; + /* There's a teoretical possibility for this */ + if (n > inl) + n=inl; memcpy(&(ctx->tmp[ctx->tmp_len]),in,n); ctx->tmp_len+=n; - n=ctx->tmp_len; - if (n < 3) + if (ctx->tmp_len < 3) break; ctx->buf_len=EVP_EncodeBlock( (unsigned char *)ctx->buf, - (unsigned char *)ctx->tmp,n); + (unsigned char *)ctx->tmp, + ctx->tmp_len); + /* Since we're now done using the temporary + buffer, the length should be 0'd */ + ctx->tmp_len=0; } else { diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 7fcc1ad417..90b0fe2c02 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -29,4 +29,57 @@ #define OPENSSL_VERSION_TEXT "OpenSSL 0.9.5b-dev 1 Apr 2000" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT + +/* The macros below are to be used for shared library (.so, .dll, ...) + * versioning. That kind of versioning works a bit differently between + * operating systems. The most usual scheme is to set a major and a minor + * number, and have the runtime loader check that the major number is equal + * to what it was at application link time, while the minor number has to + * be greater or equal to what it was at application link time. With this + * scheme, the version number is usually part of the file name, like this: + * + * libcrypto.so.0.9 + * + * Some unixen also make a softlink with the major verson number only: + * + * libcrypto.so.0 + * + * On True64 it works a little bit differently. There, the shared library + * version is stored in the file, and is actually a series of versions, + * separated by colons. The rightmost version present in the library when + * linking an application is stored in the application to be matched at + * run time. When the application is run, a check is done to see if the + * library version stored in the application matches any of the versions + * in the version string of the library itself. + * This version string can be constructed in any way, depending on what + * kind of matching is desired. However, to implement the same scheme as + * the one used in the other unixen, all compatible versions, from lowest + * to highest, should be part of the string. Consecutive builds would + * give the following versions strings: + * + * 3.0 + * 3.0:3.1 + * 3.0:3.1:3.2 + * 4.0 + * 4.0:4.1 + * + * Notice how version 4 is completely incompatible with version, and + * therefore give the breach you can see. + * + * There may be other schemes as well that I haven't yet discovered. + * + * So, here's the way it works here: first of all, the library version + * number doesn't need at all to match the overall OpenSSL version. + * However, it's nice and more understandable if it actually does. + * The current library version is stored in the macro SHLIB_VERSION_NUMBER, + * which is just a piece of text in the format "M.m.e" (Major, minor, edit). + * For the sake of True64 and any other OS that behaves in similar ways, + * we need to keep a history of version numbers, which is done in the + * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and + * should only keep the versions that are binary compatible with the current. + */ +#define SHLIB_VERSION_HISTORY "" +#define SHLIB_VERSION_NUMBER "0.9.5b" + + #endif /* HEADER_OPENSSLV_H */ diff --git a/crypto/rand/Makefile.ssl b/crypto/rand/Makefile.ssl index 5e7032b494..9d5e92b0e9 100644 --- a/crypto/rand/Makefile.ssl +++ b/crypto/rand/Makefile.ssl @@ -83,7 +83,7 @@ md_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h md_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h -md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h rand_lcl.h rand_egd.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h rand_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h @@ -104,6 +104,13 @@ rand_lib.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h rand_lib.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h rand_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h rand_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +rand_win.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h +rand_win.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +rand_win.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h +rand_win.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +rand_win.o: ../../include/openssl/stack.h ../cryptlib.h rand_lcl.h randfile.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h randfile.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h randfile.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 668da95499..837947e8a6 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -109,8 +109,6 @@ * */ -#define ENTROPY_NEEDED 20 /* require 160 bits = 20 bytes of randomness */ - #ifdef MD_RAND_DEBUG # ifndef NDEBUG # define NDEBUG @@ -119,75 +117,20 @@ #include #include -#include #include #include "openssl/e_os.h" +#include +#include "rand_lcl.h" + #include #include -#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) -#if !defined(NO_SHA) && !defined(NO_SHA1) -#define USE_SHA1_RAND -#elif !defined(NO_MD5) -#define USE_MD5_RAND -#elif !defined(NO_MDC2) && !defined(NO_DES) -#define USE_MDC2_RAND -#elif !defined(NO_MD2) -#define USE_MD2_RAND -#else -#error No message digest algorithm available -#endif -#endif - -/* Changed how the state buffer used. I now attempt to 'wrap' such - * that I don't run over the same locations the next time go through - * the 1023 bytes - many thanks to - * Robert J. LeBlanc for his comments - */ - -#if defined(USE_MD5_RAND) -#include -#define MD_DIGEST_LENGTH MD5_DIGEST_LENGTH -#define MD_CTX MD5_CTX -#define MD_Init(a) MD5_Init(a) -#define MD_Update(a,b,c) MD5_Update(a,b,c) -#define MD_Final(a,b) MD5_Final(a,b) -#define MD(a,b,c) MD5(a,b,c) -#elif defined(USE_SHA1_RAND) -#include -#define MD_DIGEST_LENGTH SHA_DIGEST_LENGTH -#define MD_CTX SHA_CTX -#define MD_Init(a) SHA1_Init(a) -#define MD_Update(a,b,c) SHA1_Update(a,b,c) -#define MD_Final(a,b) SHA1_Final(a,b) -#define MD(a,b,c) SHA1(a,b,c) -#elif defined(USE_MDC2_RAND) -#include -#define MD_DIGEST_LENGTH MDC2_DIGEST_LENGTH -#define MD_CTX MDC2_CTX -#define MD_Init(a) MDC2_Init(a) -#define MD_Update(a,b,c) MDC2_Update(a,b,c) -#define MD_Final(a,b) MDC2_Final(a,b) -#define MD(a,b,c) MDC2(a,b,c) -#elif defined(USE_MD2_RAND) -#include -#define MD_DIGEST_LENGTH MD2_DIGEST_LENGTH -#define MD_CTX MD2_CTX -#define MD_Init(a) MD2_Init(a) -#define MD_Update(a,b,c) MD2_Update(a,b,c) -#define MD_Final(a,b) MD2_Final(a,b) -#define MD(a,b,c) MD2(a,b,c) -#endif - -#include - #ifdef BN_DEBUG # define PREDICT #endif -/* #define NORAND 1 */ /* #define PREDICT 1 */ #define STATE_SIZE 1023 @@ -198,6 +141,11 @@ static long md_count[2]={0,0}; static double entropy=0; static int initialized=0; +/* This should be set to 1 only when ssleay_rand_add() is called inside + an already locked state, so it doesn't try to lock and thereby cause + a hang. And it should always be reset back to 0 before unlocking. */ +static int add_do_not_lock=0; + #ifdef PREDICT int rand_predictable=0; #endif @@ -243,10 +191,6 @@ static void ssleay_rand_add(const void *buf, int num, double add) unsigned char local_md[MD_DIGEST_LENGTH]; MD_CTX m; -#ifdef NORAND - return; -#endif - /* * (Based on the rand(3) manpage) * @@ -262,7 +206,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) * hash function. */ - CRYPTO_w_lock(CRYPTO_LOCK_RAND); + if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); st_idx=state_index; /* use our own copies of the counters so that even @@ -294,7 +238,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); for (i=0; i 0) @@ -598,12 +498,12 @@ static int ssleay_rand_status(void) { int ret; - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - if (!initialized) - ssleay_rand_initialize(); - ret = entropy >= ENTROPY_NEEDED; + RAND_poll(); + CRYPTO_w_lock(CRYPTO_LOCK_RAND); + initialized = 1; + ret = entropy >= ENTROPY_NEEDED; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); return ret; diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h index c3a8f63214..eb9c8c034d 100644 --- a/crypto/rand/rand.h +++ b/crypto/rand/rand.h @@ -94,6 +94,7 @@ int RAND_status(void); int RAND_egd(const char *path); int RAND_egd_bytes(const char *path,int bytes); void ERR_load_RAND_strings(void); +int RAND_poll(void); #ifdef __cplusplus } diff --git a/crypto/rand/rand_win.c b/crypto/rand/rand_win.c index 222ea4a608..017ce2a9fc 100644 --- a/crypto/rand/rand_win.c +++ b/crypto/rand/rand_win.c @@ -109,51 +109,246 @@ * */ +#include "cryptlib.h" +#include +#include "rand_lcl.h" #if defined(WINDOWS) || defined(WIN32) -#include "cryptlib.h" #include -#include -/* XXX There are probably other includes missing here ... */ - - -#if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND) -#if !defined(NO_SHA) && !defined(NO_SHA1) -#define USE_SHA1_RAND -#elif !defined(NO_MD5) -#define USE_MD5_RAND -#elif !defined(NO_MDC2) && !defined(NO_DES) -#define USE_MDC2_RAND -#elif !defined(NO_MD2) -#define USE_MD2_RAND -#else -#error No message digest algorithm available +#ifndef _WIN32_WINNT +# define _WIN32_WINNT 0x0400 #endif +#include +#include + +/* Intel hardware RNG CSP -- available from + * http://developer.intel.com/design/security/rng/redist_license.htm + */ +#define PROV_INTEL_SEC 22 +#define INTEL_DEF_PROV "Intel Hardware Cryptographic Service Provider" + +static void readtimer(void); +static void readscreen(void); + +typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR, + DWORD, DWORD); +typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *); +typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD); + +typedef HWND (WINAPI *GETFOREGROUNDWINDOW)(VOID); +typedef BOOL (WINAPI *GETCURSORINFO)(PCURSORINFO); +typedef DWORD (WINAPI *GETQUEUESTATUS)(UINT); + +typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD); +typedef BOOL (WINAPI *HEAP32FIRST)(LPHEAPENTRY32, DWORD, DWORD); +typedef BOOL (WINAPI *HEAP32NEXT)(LPHEAPENTRY32); +typedef BOOL (WINAPI *HEAP32LIST)(HANDLE, LPHEAPLIST32); +typedef BOOL (WINAPI *PROCESS32)(HANDLE, LPPROCESSENTRY32); +typedef BOOL (WINAPI *THREAD32)(HANDLE, LPTHREADENTRY32); +typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); + +int RAND_poll(void) +{ + MEMORYSTATUS m; + HCRYPTPROV hProvider = 0; + BYTE buf[64]; + DWORD w; + HWND h; + + HMODULE advapi, kernel, user; + CRYPTACQUIRECONTEXT acquire; + CRYPTGENRANDOM gen; + CRYPTRELEASECONTEXT release; + + /* load functions dynamically - not available on all systems */ + advapi = GetModuleHandle("ADVAPI32.DLL"); + kernel = GetModuleHandle("KERNEL32.DLL"); + user = GetModuleHandle("USER32.DLL"); + + if (advapi) + { + acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi, + "CryptAcquireContextA"); + gen = (CRYPTGENRANDOM) GetProcAddress(advapi, + "CryptGenRandom"); + release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi, + "CryptReleaseContext"); + } + + if (acquire && gen && release) + { + /* poll the CryptoAPI PRNG */ + if (acquire(&hProvider, 0, 0, PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT)) + { + if (gen(hProvider, sizeof(buf), buf) != 0) + { + RAND_add(buf, sizeof(buf), 0); +#ifdef DEBUG + printf("randomness from PROV_RSA_FULL\n"); #endif + } + release(hProvider, 0); + } + + /* poll the Pentium PRG with CryptoAPI */ + if (acquire(&hProvider, 0, INTEL_DEF_PROV, PROV_INTEL_SEC, 0)) + { + if (gen(hProvider, sizeof(buf), buf) != 0) + { + RAND_add(buf, sizeof(buf), 0); +#ifdef DEBUG + printf("randomness from PROV_INTEL_SEC\n"); +#endif + } + release(hProvider, 0); + } + } + + /* timer data */ + readtimer(); + + /* memory usage statistics */ + GlobalMemoryStatus(&m); + RAND_add(&m, sizeof(m), 1); + + /* process ID */ + w = GetCurrentProcessId(); + RAND_add(&w, sizeof(w), 0); + + if (user) + { + GETCURSORINFO cursor; + GETFOREGROUNDWINDOW win; + GETQUEUESTATUS queue; + + win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow"); + cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo"); + queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus"); + + if (win) + { + /* window handle */ + h = win(); + RAND_add(&h, sizeof(h), 0); + } + + if (cursor) + { + /* cursor position */ + cursor(buf); + RAND_add(buf, sizeof(buf), 0); + } + + if (queue) + { + /* message queue status */ + w = queue(QS_ALLEVENTS); + RAND_add(&w, sizeof(w), 0); + } + } + + /* Toolhelp32 snapshot: enumerate processes, threads, modules and heap + * http://msdn.microsoft.com/library/psdk/winbase/toolhelp_5pfd.htm + * (Win 9x only, not available on NT) + * + * This seeding method was proposed in Peter Gutmann, Software + * Generation of Practically Strong Random Numbers, + * http://www.cs.auckland.ac.nz/~pgut001/pubs/random2.pdf + * (The assignment of entropy estimates below is arbitrary, but based + * on Peter's analysis the full poll appears to be safe. Additional + * interactive seeding is encouraged.) + */ + + if (kernel) + { + CREATETOOLHELP32SNAPSHOT snap; + HANDLE handle; + + HEAP32FIRST heap_first; + HEAP32NEXT heap_next; + HEAP32LIST heaplist_first, heaplist_next; + PROCESS32 process_first, process_next; + THREAD32 thread_first, thread_next; + MODULE32 module_first, module_next; + + HEAPLIST32 hlist; + HEAPENTRY32 hentry; + PROCESSENTRY32 p; + THREADENTRY32 t; + MODULEENTRY32 m; + + snap = (CREATETOOLHELP32SNAPSHOT) + GetProcAddress(kernel, "CreateToolhelp32Snapshot"); + heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First"); + heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next"); + heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst"); + heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext"); + process_first = (PROCESS32) GetProcAddress(kernel, "Process32First"); + process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next"); + thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First"); + thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next"); + module_first = (MODULE32) GetProcAddress(kernel, "Module32First"); + module_next = (MODULE32) GetProcAddress(kernel, "Module32Next"); + + if (snap && heap_first && heap_next && heaplist_first && + heaplist_next && process_first && process_next && + thread_first && thread_next && module_first && + module_next && (handle = snap(TH32CS_SNAPALL,0)) + != NULL) + { + /* heap list and heap walking */ + hlist.dwSize = sizeof(HEAPLIST32); + if (heaplist_first(handle, &hlist)) + do + { + RAND_add(&hlist, hlist.dwSize, 0); + hentry.dwSize = sizeof(HEAPENTRY32); + if (heap_first(&hentry, + hlist.th32ProcessID, + hlist.th32HeapID)) + do + RAND_add(&hentry, + hentry.dwSize, 0); + while (heap_next(&hentry)); + } while (heaplist_next(handle, + &hlist)); -#if defined(USE_MD5_RAND) -#include -#define MD_DIGEST_LENGTH MD5_DIGEST_LENGTH -#define MD(a,b,c) MD5(a,b,c) -#elif defined(USE_SHA1_RAND) -#include -#define MD_DIGEST_LENGTH SHA_DIGEST_LENGTH -#define MD(a,b,c) SHA1(a,b,c) -#elif defined(USE_MDC2_RAND) -#include -#define MD_DIGEST_LENGTH MDC2_DIGEST_LENGTH -#define MD(a,b,c) MDC2(a,b,c) -#elif defined(USE_MD2_RAND) -#include -#define MD_DIGEST_LENGTH MD2_DIGEST_LENGTH -#define MD(a,b,c) MD2(a,b,c) + /* process walking */ + p.dwSize = sizeof(PROCESSENTRY32); + if (process_first(handle, &p)) + do + RAND_add(&p, p.dwSize, 0); + while (process_next(handle, &p)); + + /* thread walking */ + t.dwSize = sizeof(THREADENTRY32); + if (thread_first(handle, &t)) + do + RAND_add(&t, t.dwSize, 0); + while (thread_next(handle, &t)); + + /* module walking */ + m.dwSize = sizeof(MODULEENTRY32); + if (module_first(handle, &m)) + do + RAND_add(&m, m.dwSize, 1); + while (module_next(handle, &m)); + + CloseHandle(handle); + } + } + +#ifdef DEBUG + printf("Exiting RAND_poll\n"); #endif + return(1); +} int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam) { double add_entropy=0; - SYSTEMTIME t; switch (iMsg) { @@ -182,19 +377,61 @@ int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam) break; } - GetSystemTime(&t); + readtimer(); RAND_add(&iMsg, sizeof(iMsg), add_entropy); RAND_add(&wParam, sizeof(wParam), 0); RAND_add(&lParam, sizeof(lParam), 0); - RAND_add(&t, sizeof(t), 0); - + return (RAND_status()); } +void RAND_screen(void) /* function available for backward compatibility */ +{ + RAND_poll(); + readscreen(); +} + + +/* feed timing information to the PRNG */ +static void readtimer(void) +{ + DWORD w, cyclecount; + LARGE_INTEGER l; + static int have_perfc = 1; +#ifndef __GNUC__ + static int have_tsc = 1; + + if (have_tsc) { + __try { + __asm { + rdtsc + mov cyclecount, eax + } + RAND_add(&cyclecount, sizeof(cyclecount), 1); + } __except(EXCEPTION_EXECUTE_HANDLER) { + have_tsc = 0; + } + } +#else +# define have_tsc 0 +#endif + + if (have_perfc) { + if (QueryPerformanceCounter(&l) == 0) + have_perfc = 0; + else + RAND_add(&l, sizeof(l), 0); + } + + if (!have_tsc && !have_perfc) { + w = GetTickCount(); + RAND_add(&w, sizeof(w), 0); + } +} + +/* feed screen contents to PRNG */ /***************************************************************************** - * Initialisation function for the SSL random generator. Takes the contents - * of the screen as random seed. * * Created 960901 by Gertjan van Oosten, gertjan@West.NL, West Consulting B.V. * @@ -210,18 +447,8 @@ int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam) * Microsoft has no warranty obligations or liability for any * Sample Application Files which are modified. */ -/* - * I have modified the loading of bytes via RAND_seed() mechanism since - * the original would have been very very CPU intensive since RAND_seed() - * does an MD5 per 16 bytes of input. The cost to digest 16 bytes is the same - * as that to digest 56 bytes. So under the old system, a screen of - * 1024*768*256 would have been CPU cost of approximately 49,000 56 byte MD5 - * digests or digesting 2.7 mbytes. What I have put in place would - * be 48 16k MD5 digests, or effectively 48*16+48 MD5 bytes or 816 kbytes - * or about 3.5 times as much. - * - eric - */ -void RAND_screen(void) + +static void readscreen(void) { HDC hScrDC; /* screen DC */ HDC hMemDC; /* memory DC */ @@ -266,11 +493,11 @@ void RAND_screen(void) /* Copy bitmap bits from memory DC to bmbits */ GetBitmapBits(hBitmap, size, bmbits); - /* Get the MD5 of the bitmap */ + /* Get the hash of the bitmap */ MD(bmbits,size,md); - /* Seed the random generator with the MD5 digest */ - RAND_seed(md, MD_DIGEST_LENGTH); + /* Seed the random generator with the hash value */ + RAND_add(md, MD_DIGEST_LENGTH, 0); } OPENSSL_free(bmbits); @@ -285,10 +512,49 @@ void RAND_screen(void) DeleteDC(hScrDC); } -#else +#else /* Unix version */ + +#include + +int RAND_poll(void) +{ + unsigned long l; + pid_t curr_pid = getpid(); +#ifdef DEVRANDOM + FILE *fh; +#endif -# if PEDANTIC -static void *dummy=&dummy; -# endif +#ifdef DEVRANDOM + /* Use a random entropy pool device. Linux, FreeBSD and OpenBSD + * have this. Use /dev/urandom if you can as /dev/random may block + * if it runs out of random entries. */ + + if ((fh = fopen(DEVRANDOM, "r")) != NULL) + { + unsigned char tmpbuf[ENTROPY_NEEDED]; + int n; + + setvbuf(fh, NULL, _IONBF, 0); + n=fread((unsigned char *)tmpbuf,1,ENTROPY_NEEDED,fh); + fclose(fh); + RAND_add(tmpbuf,sizeof tmpbuf,n); + memset(tmpbuf,0,n); + } +#endif + + /* put in some default random data, we need more than just this */ + l=curr_pid; + RAND_add(&l,sizeof(l),0); + l=getuid(); + RAND_add(&l,sizeof(l),0); + + l=time(NULL); + RAND_add(&l,sizeof(l),0); + +#ifdef DEVRANDOM + return 1; +#endif + return 0; +} #endif diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c index 81a857c813..482f4a8273 100644 --- a/crypto/rsa/rsa_ssl.c +++ b/crypto/rsa/rsa_ssl.c @@ -134,7 +134,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, unsigned char *from, { if (p[k] != 0x03) break; } - if (k == 0) + if (k == -1) { RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK); return(-1); diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index bbf9a10ad5..ffa6e01251 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -138,8 +138,8 @@ DECLARE_ASN1_SET_OF(X509_ALGOR) typedef struct X509_val_st { - ASN1_UTCTIME *notBefore; - ASN1_UTCTIME *notAfter; + ASN1_TIME *notBefore; + ASN1_TIME *notAfter; } X509_VAL; typedef struct X509_pubkey_st @@ -320,10 +320,65 @@ DECLARE_STACK_OF(X509_TRUST) #define X509_TRUST_REJECTED 2 #define X509_TRUST_UNTRUSTED 3 +/* Flags specific to X509_NAME_print_ex() */ + +/* The field separator information */ + +#define XN_FLAG_SEP_MASK (0xf << 16) + +#define XN_FLAG_COMPAT 0 /* Traditional SSLeay: use old X509_NAME_print */ +#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) /* RFC2253 ,+ */ +#define XN_FLAG_SEP_CPLUS_SPC (2 << 16) /* ,+ spaced: more readable */ +#define XN_FLAG_SEP_SPLUS_SPC (3 << 16) /* ;+ spaced */ +#define XN_FLAG_SEP_MULTILINE (4 << 16) /* One line per field */ + +#define XN_FLAG_DN_REV (1 << 20) /* Reverse DN order */ + +/* How the field name is shown */ + +#define XN_FLAG_FN_MASK (0x3 << 21) + +#define XN_FLAG_FN_SN 0 /* Object short name */ +#define XN_FLAG_FN_LN (1 << 21) /* Object long name */ +#define XN_FLAG_FN_OID (2 << 21) /* Always use OIDs */ +#define XN_FLAG_FN_NONE (3 << 21) /* No field names */ + +#define XN_FLAG_SPC_EQ (1 << 23) /* Put spaces round '=' */ + +/* This determines if we dump fields we don't recognise: + * RFC2253 requires this. + */ + +#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) + +/* Complete set of RFC2253 flags */ + +#define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \ + XN_FLAG_SEP_COMMA_PLUS | \ + XN_FLAG_DN_REV | \ + XN_FLAG_FN_SN | \ + XN_FLAG_DUMP_UNKNOWN_FIELDS) + +/* readable oneline form */ + +#define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \ + ASN1_STRFLGS_ESC_QUOTE | \ + XN_FLAG_SEP_CPLUS_SPC | \ + XN_FLAG_SPC_EQ | \ + XN_FLAG_FN_SN) + +/* readable multiline form */ + +#define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \ + ASN1_STRFLGS_ESC_MSB | \ + XN_FLAG_SEP_MULTILINE | \ + XN_FLAG_SPC_EQ | \ + XN_FLAG_FN_LN) + typedef struct X509_revoked_st { ASN1_INTEGER *serialNumber; - ASN1_UTCTIME *revocationDate; + ASN1_TIME *revocationDate; STACK_OF(X509_EXTENSION) /* optional */ *extensions; int sequence; /* load sequence */ } X509_REVOKED; @@ -336,8 +391,8 @@ typedef struct X509_crl_info_st ASN1_INTEGER *version; X509_ALGOR *sig_alg; X509_NAME *issuer; - ASN1_UTCTIME *lastUpdate; - ASN1_UTCTIME *nextUpdate; + ASN1_TIME *lastUpdate; + ASN1_TIME *nextUpdate; STACK_OF(X509_REVOKED) *revoked; STACK_OF(X509_EXTENSION) /* [0] */ *extensions; } X509_CRL_INFO; @@ -737,8 +792,8 @@ RSA *RSAPrivateKey_dup(RSA *rsa); #endif /* !SSLEAY_MACROS */ -int X509_cmp_current_time(ASN1_UTCTIME *s); -ASN1_UTCTIME * X509_gmtime_adj(ASN1_UTCTIME *s, long adj); +int X509_cmp_current_time(ASN1_TIME *s); +ASN1_TIME * X509_gmtime_adj(ASN1_TIME *s, long adj); const char * X509_get_default_cert_area(void ); const char * X509_get_default_cert_dir(void ); @@ -920,8 +975,8 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name); X509_NAME * X509_get_issuer_name(X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); X509_NAME * X509_get_subject_name(X509 *a); -int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm); -int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm); +int X509_set_notBefore(X509 *x, ASN1_TIME *tm); +int X509_set_notAfter(X509 *x, ASN1_TIME *tm); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); EVP_PKEY * X509_get_pubkey(X509 *x); int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */); @@ -975,10 +1030,12 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); int X509_print_fp(FILE *bp,X509 *x); int X509_CRL_print_fp(FILE *bp,X509_CRL *x); int X509_REQ_print_fp(FILE *bp,X509_REQ *req); +int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); #endif #ifndef NO_BIO int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); +int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); int X509_print(BIO *bp,X509 *x); int X509_CERT_AUX_print(BIO *bp,X509_CERT_AUX *x, int indent); int X509_CRL_print(BIO *bp,X509_CRL *x); diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index add842d17a..aaf61ca062 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -104,36 +104,36 @@ int X509_set_subject_name(X509 *x, X509_NAME *name) return(X509_NAME_set(&x->cert_info->subject,name)); } -int X509_set_notBefore(X509 *x, ASN1_UTCTIME *tm) +int X509_set_notBefore(X509 *x, ASN1_TIME *tm) { - ASN1_UTCTIME *in; + ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notBefore; if (in != tm) { - in=M_ASN1_UTCTIME_dup(tm); + in=M_ASN1_TIME_dup(tm); if (in != NULL) { - M_ASN1_UTCTIME_free(x->cert_info->validity->notBefore); + M_ASN1_TIME_free(x->cert_info->validity->notBefore); x->cert_info->validity->notBefore=in; } } return(in != NULL); } -int X509_set_notAfter(X509 *x, ASN1_UTCTIME *tm) +int X509_set_notAfter(X509 *x, ASN1_TIME *tm) { - ASN1_UTCTIME *in; + ASN1_TIME *in; if ((x == NULL) || (x->cert_info->validity == NULL)) return(0); in=x->cert_info->validity->notAfter; if (in != tm) { - in=M_ASN1_UTCTIME_dup(tm); + in=M_ASN1_TIME_dup(tm); if (in != NULL) { - M_ASN1_UTCTIME_free(x->cert_info->validity->notAfter); + M_ASN1_TIME_free(x->cert_info->validity->notAfter); x->cert_info->validity->notAfter=in; } } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index e9311d5ea8..0d5273d51a 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -502,10 +502,10 @@ end: return(ok); } -int X509_cmp_current_time(ASN1_UTCTIME *ctm) +int X509_cmp_current_time(ASN1_TIME *ctm) { char *str; - ASN1_UTCTIME atm; + ASN1_TIME atm; time_t offset; char buff1[24],buff2[24],*p; int i,j; @@ -513,14 +513,32 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm) p=buff1; i=ctm->length; str=(char *)ctm->data; - if ((i < 11) || (i > 17)) return(0); - memcpy(p,str,10); - p+=10; - str+=10; + if(ctm->type == V_ASN1_UTCTIME) { + if ((i < 11) || (i > 17)) return(0); + memcpy(p,str,10); + p+=10; + str+=10; + } else { + if(i < 13) return 0; + memcpy(p,str,12); + p+=12; + str+=12; + } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++)='0'; *(p++)='0'; } - else { *(p++)= *(str++); *(p++)= *(str++); } + else + { + *(p++)= *(str++); + *(p++)= *(str++); + /* Skip any fractional seconds... */ + if(*str == '.') + { + str++; + while((*str >= '0') && (*str <= '9')) str++; + } + + } *(p++)='Z'; *(p++)='\0'; @@ -535,19 +553,22 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm) if (*str == '-') offset= -offset; } - atm.type=V_ASN1_UTCTIME; + atm.type=ctm->type; atm.length=sizeof(buff2); atm.data=(unsigned char *)buff2; X509_gmtime_adj(&atm,-offset*60); - i=(buff1[0]-'0')*10+(buff1[1]-'0'); - if (i < 50) i+=100; /* cf. RFC 2459 */ - j=(buff2[0]-'0')*10+(buff2[1]-'0'); - if (j < 50) j+=100; + if(ctm->type == V_ASN1_UTCTIME) + { + i=(buff1[0]-'0')*10+(buff1[1]-'0'); + if (i < 50) i+=100; /* cf. RFC 2459 */ + j=(buff2[0]-'0')*10+(buff2[1]-'0'); + if (j < 50) j+=100; - if (i < j) return (-1); - if (i > j) return (1); + if (i < j) return (-1); + if (i > j) return (1); + } i=strcmp(buff1,buff2); if (i == 0) /* wait a second then return younger :-) */ return(-1); @@ -555,13 +576,14 @@ int X509_cmp_current_time(ASN1_UTCTIME *ctm) return(i); } -ASN1_UTCTIME *X509_gmtime_adj(ASN1_UTCTIME *s, long adj) +ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) { time_t t; time(&t); t+=adj; - return(ASN1_UTCTIME_set(s,t)); + if(s->type == V_ASN1_UTCTIME) return(ASN1_UTCTIME_set(s,t)); + return ASN1_GENERALIZEDTIME_set(s, t); } int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod index 9d287f0c4d..75aa2a1d26 100644 --- a/doc/apps/CA.pl.pod +++ b/doc/apps/CA.pl.pod @@ -69,7 +69,7 @@ list box), otherwise the name "My Certificate" is used. calls the B program to sign a certificate request. It expects the request to be in the file "newreq.pem". The new certificate is written to the file -"newcert.pem" except in the case of the B<-xcert> option when it is written +"newcert.pem" except in the case of the B<-xsign> option when it is written to standard output. =item B<-signcert> @@ -122,7 +122,7 @@ Create the CA directories and files: enter cacert.pem when prompted for the CA file name. -Create a DSA certificate request and privat key (a different set of parameters +Create a DSA certificate request and private key (a different set of parameters can optionally be created first): openssl req -out newreq.pem -newkey dsa:dsap.pem diff --git a/doc/apps/passwd.pod b/doc/apps/passwd.pod index cee6a2f172..6e098940c7 100644 --- a/doc/apps/passwd.pod +++ b/doc/apps/passwd.pod @@ -8,6 +8,7 @@ passwd - compute password hashes B [B<-crypt>] +[B<-1>] [B<-apr1>] [B<-salt> I] [B<-in> I] @@ -22,8 +23,8 @@ The B command computes the hash of a password typed at run-time or the hash of each password in a list. The password list is taken from the named file for option B<-in file>, from stdin for option B<-stdin>, and from the command line otherwise. -The Unix standard algorithm B and the MD5-based B algorithm -are available. +The Unix standard algorithm B and the MD5-based BSD password +algorithm B<1> and its Apache variant B are available. =head1 OPTIONS @@ -33,9 +34,13 @@ are available. Use the B algorithm (default). +=item B<-1> + +Use the MD5 based BSD password algorithm B<1>. + =item B<-apr1> -Use the B algorithm. +Use the B algorithm (Apache variant of the BSD algorithm). =item B<-salt> I @@ -64,6 +69,8 @@ to each password hash. B prints B. +B prints B<$1$xxxxxxxx$8XJIcl6ZXqBMCK0qFevqT1>. + B prints B<$apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0>. =cut diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index 5dee935606..eee9d049ca 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -22,8 +22,11 @@ B B [B<-signer file>] [B<-recip file>] [B<-in file>] +[B<-inform SMIME|PEM|DER>] [B<-inkey file>] [B<-out file>] +[B<-outform SMIME|PEM|DER>] +[B<-content file>] [B<-to addr>] [B<-from ad>] [B<-subject s>] @@ -74,11 +77,37 @@ takes an input message and writes out a PEM encoded PKCS#7 structure. the input message to be encrypted or signed or the MIME message to be decrypted or verified. +=item B<-inform SMIME|PEM|DER> + +this specifies the input format for the PKCS#7 structure. The default +is B which reads an S/MIME format message. B and B +format change this to expect PEM and DER format PKCS#7 structures +instead. This currently only affects the input format of the PKCS#7 +structure, if no PKCS#7 structure is being input (for example with +B<-encrypt> or B<-sign>) this option has no effect. + =item B<-out filename> the message text that has been decrypted or verified or the output MIME format message that has been signed or verified. +=item B<-outform SMIME|PEM|DER> + +this specifies the output format for the PKCS#7 structure. The default +is B which write an S/MIME format message. B and B +format change this to write PEM and DER format PKCS#7 structures +instead. This currently only affects the output format of the PKCS#7 +structure, if no PKCS#7 structure is being output (for example with +B<-verify> or B<-decrypt>) this option has no effect. + +=item B<-content filename> + +This specifies a file containing the detached content, this is only +useful with the B<-verify> command. This is only usable if the PKCS#7 +structure is using the detached signature form where the content is +not included. This option will override any content if the input format +is S/MIME and it uses the multipart/signed MIME content type. + =item B<-text> this option adds plain text (text/plain) MIME headers to the supplied @@ -204,7 +233,7 @@ a blank line. Piping the mail directly to sendmail is one way to achieve the correct format. The supplied message to be signed or encrypted must include the -necessary MIME headers: or many S/MIME clients wont display it +necessary MIME headers or many S/MIME clients wont display it properly (if at all). You can use the B<-text> option to automatically add plain text headers. @@ -301,6 +330,22 @@ Decrypt mail: openssl smime -decrypt -in mail.msg -recip mycert.pem -inkey key.pem +The output from Netscape form signing is a PKCS#7 structure with the +detached signature format. You can use this program to verify the +signature by line wrapping the base64 encoded structure and surrounding +it with: + + -----BEGIN PKCS7---- + -----END PKCS7---- + +and using the command, + + openssl smime -verify -inform PEM -in signature.pem -content content.txt + +alternatively you can base64 decode the signature and use + + openssl smime -verify -inform DER -in signature.der -content content.txt + =head1 BUGS The MIME parser isn't very clever: it seems to handle most messages that I've thrown diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 133c4200ce..f8742f84fc 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -19,6 +19,7 @@ B B [B<-hash>] [B<-subject>] [B<-issuer>] +[B<-nameopt option>] [B<-email>] [B<-startdate>] [B<-enddate>] @@ -138,6 +139,12 @@ outputs the subject name. outputs the issuer name. +=item B<-nameopt option> + +option which determine how the subject or issuer names are displayed. This +option may be used more than once to set multiple options. See the B section for more information. + =item B<-email> outputs the email address(es) if any. @@ -335,6 +342,138 @@ specified then the extensions should either be contained in the unnamed =back +=head1 NAME OPTIONS + +The B command line switch determines how the subject and issuer +names are displayed. If no B switch is present the default "oneline" +format is used which is compatible with previous versions of OpenSSL. +Each option is described in detail below, all options can be preceded by +a B<-> to turn the option off. Only the first four will normally be used. + +=over 4 + +=item B + +use the old format. This is equivalent to specifying no name options at all. + +=item B + +displays names compatible with RFC2253 equivalent to B, B, +B, B, B, B, B, +B, B and B. + +=item B + +a oneline format which is more readable than RFC2253. It is equivalent to +specifying the B, B, B, B, B, +B, B, B, B and B +options. + +=item B + +a multiline format. It is equivalent B, B, B, +B and B. + +=item B + +escape the "special" characters required by RFC2253 in a field That is +B<,+"EE;>. Additionally B<#> is escaped at the beginnging of a string +and a space character at the beginning or end of a string. + +=item B + +escape and control characters. That is those with ASCII values less than +0x20 (space) and the delete (0x7f) character. They are escaped using the +RFC2253 \XX notation (where XX are two hex digits representing the +character value). + +=item B + +escape characters with the MSB set, that is with ASCII values larger than +127. + +=item B + +escapes some characters by surrounding the whole string with B<"> characters, +without the option all escaping is done with the B<\> character. + +=item B + +convert all strings to UTF8 format first. This is required by RFC2253. If +you are lucky enough to have a UTF8 compatible terminal then the use +of this option (and B setting B) may result in the correct +display of multibyte (international) characters. Is this option is not +present then multibyte characters larger than 0xff will be represented +using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits. +Also if this option is off any UTF8Strings will be converted to their +character form first. + +=item B + +this option does not attempt to interpret multibyte characters in any +way. That is their content octets are merely dumped as though one octet +represents each character. This is useful for diagnostic purposes but +will result in rather odd looking output. + +=item B + +show the type of the ASN1 character string. The type precedes the +field contents. For example "BMPSTRING: Hello World". + +=item B + +when this option is set any fields that need to be hexdumped will +be dumped using the DER encoding of the field. Otherwise just the +content octets will be displayed. Both options use the RFC2253 +B<#XXXX...> format. + +=item B + +dump non character string types (for example OCTET STRING) if this +option is not set then non character string types will be displayed +as though each content octet repesents a single character. + +=item B + +dump all fields. This option when used with B allows the +DER encoding of the structure to be unambiguously determined. + +=item B + +dump any field whose OID is not recognised by OpenSSL. + +=item B, B, B, +B + +these options determine the field separators. The first character is +between RDNs and the second between multiple AVAs (multiple AVAs are +very rare and their use is discouraged). The options ending in +"space" additionally place a space after the separator to make it +more readable. The B uses a linefeed character for +the RDN separator and a spaced B<+> for the AVA separator. It also +indents the fields by four characters. + +=item B + +reverse the fields of the DN. This is required by RFC2253. As a side +effect this also reveress the order of multiple AVAs but this is +permissible. + +=item B, B, B, B + +these options alter how the field name is displayed. B does +not display the field at all. B uses the "short name" form +(CN for commonName for example). B uses the long form. +B represents the OID in numerical form and is useful for +diagnostic purpose. + +=item B + +places spaces round the B<=> character which follows the field +name. + +=back + =head1 EXAMPLES Note: in these examples the '\' means the example should be all on one @@ -348,6 +487,19 @@ Display the certificate serial number: openssl x509 -in cert.pem -noout -serial +Display the certificate subject name: + + openssl x509 -in cert.pem -noout -subject + +Display the certificate subject name in RFC2253 form: + + openssl x509 -in cert.pem -noout -subject -nameopt RFC2253 + +Display the certificate subject name in oneline form on a terminal +supporting UTF8: + + openssl x509 -in cert.pem -noout -subject -nameopt oneline -nameopt -escmsb + Display the certificate MD5 fingerprint: openssl x509 -in cert.pem -noout -fingerprint @@ -400,6 +552,11 @@ Trusted certificates have the lines -----BEGIN TRUSTED CERTIFICATE---- -----END TRUSTED CERTIFICATE---- +The conversion to UTF8 format used with the name options assumes that +T61Strings use the ISO8859-1 character set. This is wrong but Netscape +and MSIE do this as do many certificates. So although this is incorrect +it is more likely to display the majority of certificates correctly. + The B<-fingerprint> option takes the digest of the DER encoded certificate. This is commonly called a "fingerprint". Because of the nature of message digests the fingerprint of a certificate is unique to that certificate and @@ -526,10 +683,6 @@ must be present. =head1 BUGS -The way DNs are printed is in a "historical SSLeay" format which doesn't -follow any published standard. It should follow some standard like RFC2253 -or RFC1779 with options to make the stuff more readable. - Extensions in certificates are not transferred to certificate requests and vice versa. diff --git a/doc/standards.txt b/doc/standards.txt index eb8beb0f76..61ccc5d7e0 100644 --- a/doc/standards.txt +++ b/doc/standards.txt @@ -55,6 +55,8 @@ These are documents that describe things that are implemented in OpenSSL. Profile. R. Housley, W. Ford, W. Polk, D. Solo. January 1999. (Format: TXT=278438 bytes) (Status: PROPOSED STANDARD) +PKCS#8: Private-Key Information Syntax Standard + PKCS#12: Personal Information Exchange Syntax Standard, version 1.0. diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index aaedf6a9bb..5050a13ef2 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -366,7 +366,9 @@ static int ssl23_get_server_hello(SSL *s) } s->state=SSL2_ST_GET_SERVER_HELLO_A; - s->s2->ssl2_rollback=1; + if (!(s->client_version == SSL2_VERSION)) + /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */ + s->s2->ssl2_rollback=1; /* setup the 5 bytes we have read so we get them from * the sslv2 buffer */ diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 930769be0d..a81544a1b6 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -495,9 +495,12 @@ int ssl23_get_client_hello(SSL *s) s->state=SSL2_ST_GET_CLIENT_HELLO_A; if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) || - use_sslv2_strong) + use_sslv2_strong || + (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)) s->s2->ssl2_rollback=0; else + /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 + * (SSL 3.0 draft/RFC 2246, App. E.2) */ s->s2->ssl2_rollback=1; /* setup the n bytes we have read so we get them from diff --git a/util/libeay.num b/util/libeay.num index 20891c218e..858026ead0 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -1842,63 +1842,71 @@ CRYPTO_get_dynlock_lock_callback 2417 CRYPTO_get_dynlock_destroy_callback 2418 CRYPTO_get_dynlock_value 2419 CRYPTO_get_dynlock_create_callback 2420 -ERR_load_ENGINE_strings 2421 -ENGINE_set_DSA 2422 -ENGINE_get_default_RSA 2423 -ENGINE_get_BN_mod_exp 2424 -DSA_get_default_openssl_method 2425 -ENGINE_set_DH 2426 -ENGINE_set_default_BN_mod_exp_crt 2427 -ENGINE_init 2428 -DH_get_default_openssl_method 2429 -RSA_set_default_openssl_method 2430 -ENGINE_finish 2431 -ENGINE_get_DH 2432 -ENGINE_set_default_DSA 2433 -ENGINE_get_name 2434 -ENGINE_get_last 2435 -ENGINE_get_prev 2436 -ENGINE_get_default_DH 2437 -ENGINE_get_RSA 2438 -ENGINE_set_default 2439 -ENGINE_get_RAND 2440 -ENGINE_get_first 2441 -ENGINE_by_id 2442 -ENGINE_get_default_BN_mod_exp_crt 2443 -RSA_get_default_openssl_method 2444 -ENGINE_set_RSA 2445 -ENGINE_set_default_RAND 2446 -ENGINE_set_BN_mod_exp 2447 -ENGINE_remove 2448 -ENGINE_free 2449 -ENGINE_get_BN_mod_exp_crt 2450 -ENGINE_get_next 2451 -ENGINE_set_name 2452 -ENGINE_get_default_DSA 2453 -ENGINE_set_default_BN_mod_exp 2454 -ENGINE_set_default_RSA 2455 -ENGINE_get_default_RAND 2456 -ENGINE_get_default_BN_mod_exp 2457 -ENGINE_set_RAND 2458 -ENGINE_set_id 2459 -ENGINE_set_BN_mod_exp_crt 2460 -ENGINE_set_default_DH 2461 -ENGINE_new 2462 -ENGINE_get_id 2463 -DSA_set_default_openssl_method 2464 -ENGINE_add 2465 -DH_set_default_openssl_method 2466 -ENGINE_get_DSA 2467 -ENGINE_ctrl 2468 -ENGINE_get_finish_function 2469 -ENGINE_get_init_function 2470 -ENGINE_set_init_function 2471 -ENGINE_set_finish_function 2472 -ENGINE_get_ctrl_function 2473 -ENGINE_set_ctrl_function 2474 -ENGINE_load_public_key 2475 -ENGINE_load_private_key 2476 -c2i_ASN1_BIT_STRING 2477 -i2c_ASN1_BIT_STRING 2478 -c2i_ASN1_INTEGER 2479 -i2c_ASN1_INTEGER 2480 +c2i_ASN1_BIT_STRING 2421 +i2c_ASN1_BIT_STRING 2422 +RAND_poll 2423 +c2i_ASN1_INTEGER 2424 +i2c_ASN1_INTEGER 2425 +ERR_load_ENGINE_strings 2426 +ENGINE_set_DSA 2427 +ENGINE_get_finish_function 2428 +ENGINE_get_default_RSA 2429 +BIO_dump_indent 2430 +ENGINE_get_BN_mod_exp 2431 +ASN1_parse_dump 2432 +DSA_get_default_openssl_method 2433 +c2i_ASN1_OBJECT 2434 +ENGINE_set_DH 2435 +ENGINE_set_default_BN_mod_exp_crt 2436 +ENGINE_init 2437 +DH_get_default_openssl_method 2438 +RSA_set_default_openssl_method 2439 +ENGINE_finish 2440 +ENGINE_load_public_key 2441 +ENGINE_get_DH 2442 +ENGINE_ctrl 2443 +ENGINE_get_init_function 2444 +ENGINE_set_init_function 2445 +ENGINE_set_default_DSA 2446 +ENGINE_get_name 2447 +ENGINE_get_last 2448 +ENGINE_get_prev 2449 +ENGINE_get_default_DH 2450 +ENGINE_get_RSA 2451 +X509_NAME_print_ex_fp 2452 +ASN1_STRING_print_ex_fp 2453 +ENGINE_set_default 2454 +ENGINE_get_RAND 2455 +ENGINE_get_first 2456 +ENGINE_by_id 2457 +ENGINE_set_finish_function 2458 +ENGINE_get_default_BN_mod_exp_crt 2459 +RSA_get_default_openssl_method 2460 +ENGINE_set_RSA 2461 +ENGINE_load_private_key 2462 +ENGINE_set_default_RAND 2463 +ENGINE_set_BN_mod_exp 2464 +ENGINE_remove 2465 +ENGINE_free 2466 +ENGINE_get_BN_mod_exp_crt 2467 +ENGINE_get_next 2468 +ENGINE_set_name 2469 +ENGINE_get_default_DSA 2470 +ENGINE_set_default_BN_mod_exp 2471 +ENGINE_set_default_RSA 2472 +ENGINE_get_default_RAND 2473 +ENGINE_get_default_BN_mod_exp 2474 +ENGINE_set_RAND 2475 +ENGINE_set_id 2476 +X509_NAME_print_ex 2477 +ENGINE_set_BN_mod_exp_crt 2478 +ENGINE_set_default_DH 2479 +ENGINE_new 2480 +ENGINE_get_id 2481 +DSA_set_default_openssl_method 2482 +ENGINE_add 2483 +DH_set_default_openssl_method 2484 +ASN1_STRING_print_ex 2485 +ENGINE_get_DSA 2486 +ENGINE_get_ctrl_function 2487 +ENGINE_set_ctrl_function 2488 diff --git a/util/mk1mf.pl b/util/mk1mf.pl index ffb3c10834..98ee587196 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -65,6 +65,7 @@ and [options] can be one of no-err - No error strings dll/shlib - Build shared libraries (MS) debug - Debug build + profile - Profiling build gcc - Use Gcc (unix) rsaref - Build to require RSAref @@ -217,9 +218,10 @@ $cflags.=" -DNO_SSL3" if $no_ssl3; $cflags.=" -DNO_ERR" if $no_err; $cflags.=" -DRSAref" if $rsaref ne ""; -if ($unix) - { $cflags="$c_flags" if ($c_flags ne ""); } -else { $cflags="$c_flags$cflags" if ($c_flags ne ""); } +## if ($unix) +## { $cflags="$c_flags" if ($c_flags ne ""); } +##else + { $cflags="$c_flags$cflags" if ($c_flags ne ""); } $ex_libs="$l_flags$ex_libs" if ($l_flags ne ""); @@ -878,8 +880,10 @@ sub read_options elsif (/^rsaref$/) { $rsaref=1; } elsif (/^gcc$/) { $gcc=1; } elsif (/^debug$/) { $debug=1; } + elsif (/^profile$/) { $profile=1; } elsif (/^shlib$/) { $shlib=1; } elsif (/^dll$/) { $shlib=1; } + elsif (/^shared$/) { } # We just need to ignore it for now... elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; } elsif (/^-[lL].*$/) { $l_flags.="$_ "; } elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/) diff --git a/util/mkerr.pl b/util/mkerr.pl index 5f094a5082..7d98b5234d 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -79,8 +79,11 @@ while (($lib, $hdr) = each %hinc) next if($hdr eq "NONE"); print STDERR "Scanning header file $hdr\n" if $debug; open(IN, "<$hdr") || die "Can't open Header file $hdr\n"; - my $line = "", $def= ""; + my $line = "", $def= "", $linenr = 0; while() { + $linenr++; + print STDERR "line: $linenr\r" if $debug; + last if(/BEGIN\s+ERROR\s+CODES/); if ($line ne '') { $_ = $line . $_; @@ -110,7 +113,12 @@ while (($lib, $hdr) = each %hinc) } } + print STDERR " \r" if $debug; + $defnr = 0; foreach (split /;/, $def) { + $defnr++; + print STDERR "def: $defnr\r" if $debug; + s/^[\n\s]*//g; s/[\n\s]*$//g; next if(/typedef\W/); @@ -136,6 +144,8 @@ while (($lib, $hdr) = each %hinc) } } + print STDERR " \r" if $debug; + next if $reindex; # Scan function and reason codes and store them: keep a note of the diff --git a/util/pl/linux.pl b/util/pl/linux.pl index 3e49755326..8924ed5480 100644 --- a/util/pl/linux.pl +++ b/util/pl/linux.pl @@ -12,6 +12,8 @@ $rm='/bin/rm -f'; $cc='gcc'; if ($debug) { $cflags="-g2 -ggdb -DREF_CHECK -DCRYPTO_MDEBUG"; } +elsif ($profile) + { $cflags="-pg -O3"; } else { $cflags="-O3 -fomit-frame-pointer"; } -- 2.25.1