From 2f1d799c7fdb37463bdfea3b87bc6cda42518b1f Mon Sep 17 00:00:00 2001
From: Richard Levitte
Date: Thu, 29 Jan 2004 09:42:47 +0000
Subject: [PATCH] Recent changes from 0.9.6-stable.
---
Configure | 2 +-
apps/apps.h | 4 ++++
crypto/asn1/a_strex.c | 11 +++++++----
crypto/bf/bftest.c | 4 ++++
crypto/bio/b_print.c | 6 +++---
crypto/cryptlib.h | 4 ++++
crypto/engine/hw_ncipher.c | 35 ++++++++++++++++++++++++++++++++++-
crypto/x509/by_dir.c | 2 +-
ssl/s3_enc.c | 12 ++++++------
ssl/ssl_ciph.c | 6 +++---
10 files changed, 67 insertions(+), 19 deletions(-)
diff --git a/Configure b/Configure
index 3c18281dd3..c0f79cac82 100755
--- a/Configure
+++ b/Configure
@@ -132,7 +132,7 @@ my %table=( "debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wmissing-declarations -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-declarations -Wno-long-long -pipe::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "dist", "cc:-O::(unknown):::::", # Basic configs that should work on any (32 and less bit) box diff --git a/apps/apps.h b/apps/apps.h index ae70d33b85..c61fa6f00a 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -59,7 +59,11 @@ #ifndef HEADER_APPS_H #define HEADER_APPS_H +#ifdef FLAT_INC #include "e_os.h" +#else +#include "../e_os.h" +#endif #include #include diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 91fcbb4335..309abc727b 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c 
@@ -78,7 +78,8 @@ * and a FILE pointer. */ -int send_mem_chars(void *arg, const void *buf, int len) +#if 0 /* Not used */ +static int send_mem_chars(void *arg, const void *buf, int len) { unsigned char **out = arg; if(!out) return 1; @@ -86,15 +87,16 @@ int send_mem_chars(void *arg, const void *buf, int len) *out += len; return 1; } +#endif -int send_bio_chars(void *arg, const void *buf, int len) +static int send_bio_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(BIO_write(arg, buf, len) != len) return 0; return 1; } -int send_fp_chars(void *arg, const void *buf, int len) +static int send_fp_chars(void *arg, const void *buf, int len) { if(!arg) return 1; if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0; @@ -240,7 +242,8 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen * #01234 format. */ -int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) +static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, + ASN1_STRING *str) { /* Placing the ASN1_STRING in a temp ASN1_TYPE allows * the DER encoding to readily obtained diff --git a/crypto/bf/bftest.c b/crypto/bf/bftest.c index 42e00963e7..89b72d44bd 100644 --- a/crypto/bf/bftest.c +++ b/crypto/bf/bftest.c @@ -63,7 +63,11 @@ #include #include +#ifdef FLAT_INC #include "e_os.h" +#else +#include "../e_os.h" +#endif #ifdef NO_BF int main(int argc, char *argv[]) diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index b40d494fa9..a3f05ac2da 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -565,12 +565,12 @@ abs_val(LDOUBLE value) } static LDOUBLE -pow10(int exp) +pow10(int in_exp) { LDOUBLE result = 1; - while (exp) { + while (in_exp) { result *= 10; - exp--; + in_exp--; } return result; } diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h index 390488a37d..e619a992f7 100644 --- a/crypto/cryptlib.h +++ b/crypto/cryptlib.h 
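Review bot: send_mem_chars() is kept as dead code under `#if 0 /* Not used */` (opened in this hunk, closed by the `#endif` in the next a_strex.c hunk) instead of being deleted. The visible part of its body advances `*out` by `len` and the signature carries no destination size, so a later reader who re-enables it gets an unbounded writer with no hint of that. I would remove the function outright, or at least extend the comment to `#if 0 /* Not used; caller must guarantee *out has room for len bytes */`. The middle of the function lies between the two hunks and is not visible here.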
@@ -62,7 +62,11 @@ #include #include +#ifdef FLAT_INC #include "e_os.h" +#else +#include "../e_os.h" +#endif #include #include diff --git a/crypto/engine/hw_ncipher.c b/crypto/engine/hw_ncipher.c index 6f2a9dedd5..2692015529 100644 --- a/crypto/engine/hw_ncipher.c +++ b/crypto/engine/hw_ncipher.c @@ -164,7 +164,7 @@ static RAND_METHOD hwcrhk_rand = hwcrhk_rand_bytes, NULL, NULL, - hwcrhk_rand_bytes, + NULL, hwcrhk_rand_status, }; @@ -293,6 +293,7 @@ ENGINE *ENGINE_ncipher() { RSA_METHOD *meth1; DH_METHOD *meth2; + const RAND_METHOD *meth3; /* We know that the "PKCS1_SSLeay()" functions hook properly * to the cswift-specific mod_exp and mod_exp_crt so we use @@ -311,6 +312,14 @@ ENGINE *ENGINE_ncipher() meth2 = DH_OpenSSL(); hwcrhk_dh.generate_key = meth2->generate_key; hwcrhk_dh.compute_key = meth2->compute_key; + + /* Much the same for RAND */ + meth3 = RAND_SSLeay(); + hwcrhk_rand.seed = meth3->seed; + hwcrhk_rand.cleanup = meth3->cleanup; + hwcrhk_rand.add = meth3->add; + hwcrhk_rand.pseudorand = meth3->pseudorand; + return &engine_hwcrhk; } @@ -386,6 +395,8 @@ static int hwcrhk_init() HWCryptoHook_RSAUnloadKey_t *p7; HWCryptoHook_RandomBytes_t *p8; HWCryptoHook_ModExpCRT_t *p9; + int rand_cnt; + RAND_METHOD *rand_method = RAND_SSLeay(); if(hwcrhk_dso != NULL) { 
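Review bot: The comment `/* Much the same for RAND */` in ENGINE_ncipher() does not say which entries of hwcrhk_rand remain backed by the hardware, which is what someone auditing the source of random bytes needs to know. After this hunk seed, cleanup, add and pseudorand come from RAND_SSLeay(), while bytes and status keep the hwcrhk_rand_bytes and hwcrhk_rand_status entries from the static initializer. I would spell that out, for example `/* bytes and status stay on the hardware; seed, add, cleanup and pseudorand use the software pool from RAND_SSLeay() */`. The function begins in the previous hunk.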
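Review bot: `RAND_METHOD *rand_method = RAND_SSLeay();` in hwcrhk_init() is declared without const, while ENGINE_ncipher() in the same commit stores the same return value in `const RAND_METHOD *meth3`. The pointer is only called through in the seeding loop added later in this function, so `const RAND_METHOD *rand_method = RAND_SSLeay();` would be consistent and would avoid a discarded-qualifier warning if RAND_SSLeay() returns a const pointer on this branch. hwcrhk_init() continues outside the hunk.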
@@ -466,6 +477,28 @@ static int hwcrhk_init() hndidx = RSA_get_ex_new_index(0, "nFast HWCryptoHook RSA key handle", NULL, NULL, hwcrhk_ex_free); + + /* Let's seed the OpenSSL pool with a bit of hardware randomness + for a maximum of 32 rounds. Beyond that, the OpenSSL random + pool should be good, and if not, we assume something is seriously + wrong with OpenSSL (for now, we let it be and let the user discover + it through normal means. That may need to change). */ + rand_cnt = 32; + do + { + unsigned char buf[8]; + + /* If something went wrong, it's OK to just return a fault. + All that may happen is that the OpenSSL randomness pool + is a bit more seeded, and that can't really be a bad thing, + right? */ + if (!hwcrhk_rand.bytes(buf, sizeof(buf))) + goto err; + + rand_method->seed(buf, sizeof(buf)); + } + while(rand_cnt-- > 0 && rand_method->status()); + return 1; err: if(hwcrhk_dso) diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index f09022379f..2e435bafb9 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -329,7 +329,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, } else { - snprintf(b->data,"%s%c%08lx.%s%d", + sprintf(b->data,"%s%c%08lx.%s%d", ctx->dirs[i],c,h,postfix,k); } k++; diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index bbadac0d37..b4ab009531 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -188,9 +188,9 @@ int ssl3_change_cipher_state(SSL *s, int which) COMP_METHOD *comp; const EVP_MD *m; MD5_CTX md; - int exp,n,i,j,k,cl; + int is_exp,n,i,j,k,cl; - exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); + is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; if (s->s3->tmp.new_compression == NULL) 
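Review bot: The loop condition `while(rand_cnt-- > 0 && rand_method->status());` looks inverted. If status() follows the usual RAND convention of returning non-zero once the pool has enough entropy, the loop stops after the first 8 bytes while the pool is still unseeded and runs every round when it is already seeded, which is the opposite of what the comment describes; I would expect `while(rand_cnt-- > 0 && !rand_method->status());`. Starting at 32 with a post-decrement in a do/while also allows up to 33 rounds rather than the 32 stated. Separately, `buf` holds seed material and is left on the stack without being cleared, and `goto err` turns a failed hardware read into a failed engine init even though the comment treats the seeding as best effort. hwcrhk_init() starts outside the hunk.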
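Review bot: Replacing the malformed snprintf() call with `sprintf(b->data,"%s%c%08lx.%s%d", ...)` repairs the argument list but leaves the write into b->data unbounded, so its safety rests entirely on buffer sizing done earlier in get_cert_by_subject(), outside this hunk. ctx->dirs[i] is a directory string whose length is not limited by anything visible here, so a bounded call is the safer repair: `BIO_snprintf(b->data, b->max, "%s%c%08lx.%s%d", ctx->dirs[i],c,h,postfix,k);`, assuming b is a BUF_MEM and BIO_snprintf is available on this branch as it is in ssl/ssl_ciph.c. The other branch of this if/else is not visible and should be checked for the same pattern.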
@@ -262,9 +262,9 @@ int ssl3_change_cipher_state(SSL *s, int which) p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); - j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? - cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; - /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ + j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; + /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) @@ -292,7 +292,7 @@ int ssl3_change_cipher_state(SSL *s, int which) } memcpy(mac_secret,ms,i); - if (exp) + if (is_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 8a9232b04e..28f966b1d8 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -870,7 +870,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) { int is_export,pkl,kl; - char *ver,*exp; + char *ver,*exp_str; char *kx,*au,*enc,*mac; unsigned long alg,alg2,alg_s; static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n"; @@ -882,7 +882,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) is_export=SSL_C_IS_EXPORT(cipher); pkl=SSL_C_EXPORT_PKEYLENGTH(cipher); kl=SSL_C_EXPORT_KEYLENGTH(cipher); - exp=is_export?" export":""; + exp_str=is_export?" export":""; if (alg & SSL_SSLV2) ver="SSLv2"; @@ -983,7 +983,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len) else if (len < 128) return("Buffer too small"); - BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp); + BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str); return(buf); } -- 2.25.1