From 81dde5e8fe0421169e26d5221c8f245e016c652b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 12 Nov 2008 16:54:35 +0000 Subject: [PATCH] Add support for experimental code, not compiled in by default and with OPENSSL_EXPERIMENTAL_FOO around it. Make JPAKE experimental. --- CHANGES | 6 ++++++ Configure | 12 +++++++++++- apps/apps.c | 6 ++++++ apps/apps.h | 2 ++ apps/s_client.c | 7 ++++++- apps/s_server.c | 7 ++++++- crypto/err/err_all.c | 5 ++++- crypto/jpake/jpake.h | 6 ++++++ util/libeay.num | 42 +++++++++++++++++++++--------------------- util/mkdef.pl | 17 +++++++++++++++-- 10 files changed, 83 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index f2869f3e78..e41e852776 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,12 @@ Changes between 0.9.8i and 0.9.8j [xx XXX xxxx] + *) Update Configure code and WIN32 build scripts to support experimental + code. This is surrounded by OPENSSL_EXPERIMENTAL_FOO and not compiled + in by default. Using the configuration option "enable-experimental-foo" + enables it. Use this option for JPAKE. + [Steve Henson] + *) Use correct exit code if there is an error in dgst command. [Steve Henson; problem pointed out by Roland Dirlewanger] diff --git a/Configure b/Configure index c8791f6797..6641e00a0c 100755 --- a/Configure +++ b/Configure @@ -588,6 +588,7 @@ my $no_threads=0; my $threads=0; my $no_shared=0; # but "no-shared" is default my $zlib=1; # but "no-zlib" is default +my $jpake=1; # but "no-jpake" is default my $no_krb5=0; # but "no-krb5" is implied unless "--with-krb5-..." is used my $no_rfc3779=1; # but "no-rfc3779" is default my $montasm=1; # but "no-montasm" is default @@ -628,6 +629,7 @@ my %disabled = ( # "what" => "comment" "camellia" => "default", "capieng" => "default", "cms" => "default", + "experimental-jpake" => "default", "gmp" => "default", "mdc2" => "default", "montasm" => "default", # explicit option in 0.9.8 only (implicitly enabled in 0.9.9) 
@@ -975,6 +977,8 @@ foreach (sort (keys %disabled)) { $no_threads = 1; } elsif (/^shared$/) { $no_shared = 1; } + elsif (/^experimental-jpake$/) + { $jpake = 0; push @skip, "jpake"} elsif (/^zlib$/) { $zlib = 0; } elsif (/^montasm$/) @@ -1212,6 +1216,11 @@ if ($threads) $openssl_thread_defines .= $thread_defines; } +if ($jpake) + { + $openssl_other_defines = "#define OPENSSL_EXPERIMENTAL_JPAKE\n"; + } + if ($zlib) { $cflags = "-DZLIB $cflags"; @@ -1410,7 +1419,8 @@ while () if ($sdirs) { my $dir; foreach $dir (@skip) { - s/([ ])$dir /\1/; + s/(\s)$dir\s/$1/; + s/\s$dir$//; } } $sdirs = 0 unless /\\$/; diff --git a/apps/apps.c b/apps/apps.c index f6b3ac5667..a88674342b 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -130,7 +130,9 @@ #include #endif #include +#ifdef OPENSSL_EXPERIMENTAL_JPAKE #include +#endif #define NON_MAIN #include "apps.h" @@ -2336,6 +2338,8 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) BIO_free(out); } +#ifdef OPENSSL_EXPERIMENTAL_JPAKE + static JPAKE_CTX *jpake_init(const char *us, const char *them, const char *secret) { @@ -2547,3 +2551,5 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret) BIO_pop(bconn); BIO_free(bconn); } + +#endif diff --git a/apps/apps.h b/apps/apps.h index b867cbead3..33947612a9 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -338,8 +338,10 @@ X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err, X509_VERIFY_PARAM **pm); void policies_print(BIO *out, X509_STORE_CTX *ctx); +#ifdef OPENSSL_EXPERIMENTAL_JPAKE void jpake_client_auth(BIO *out, BIO *conn, const char *secret); void jpake_server_auth(BIO *out, BIO *conn, const char *secret); +#endif #define FORMAT_UNDEF 0 #define FORMAT_ASN1 1 diff --git a/apps/s_client.c b/apps/s_client.c index a00532138c..9686b0a190 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
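Review bot: `$openssl_other_defines = "#define OPENSSL_EXPERIMENTAL_JPAKE\n";` in the new `if ($jpake)` block assigns instead of appending, so anything Configure has already accumulated in `$openssl_other_defines` before this point is discarded; the thread block two lines above uses `.=`, and if any other code appends to this variable earlier (not visible in the hunk) those defines silently vanish from the generated opensslconf.h. Change it to `$openssl_other_defines .= "#define OPENSSL_EXPERIMENTAL_JPAKE\n";`. In the `@skip` loop, `$dir` is interpolated unescaped into `s/(\s)$dir\s/$1/;` and `s/\s$dir$//;`; the names come from Configure itself so this is not an injection concern, but `\Q$dir\E` costs nothing and keeps a future directory name containing a regex metacharacter from matching something unintended. The enclosing `while` loop that rewrites the Makefile starts and ends outside the hunk.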
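Review bot: The `#ifdef OPENSSL_EXPERIMENTAL_JPAKE` opened just above `jpake_init` is closed by a bare `#endif` about two hundred lines later in the last hunk of this file, so a reader at the bottom cannot tell which condition it ends. Write it as `#endif /* OPENSSL_EXPERIMENTAL_JPAKE */`; the `#endif` after the two prototypes in apps/apps.h would benefit from the same comment. `jpake_init` and `jpake_server_auth` themselves lie outside the hunks.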
@@ -338,7 +338,9 @@ int MAIN(int argc, char **argv) int peerlen = sizeof(peer); int enable_timeouts = 0 ; long mtu = 0; +#ifdef OPENSSL_EXPERIMENTAL_JPAKE char *jpake_secret = NULL; +#endif #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); @@ -583,11 +585,13 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif +#ifdef OPENSSL_EXPERIMENTAL_JPAKE else if (strcmp(*argv,"-jpake") == 0) { if (--argc < 1) goto bad; jpake_secret = *++argv; } +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -893,9 +897,10 @@ SSL_set_tlsext_status_ids(con, ids); #endif } #endif - +#ifdef OPENSSL_EXPERIMENTAL_JPAKE if (jpake_secret) jpake_client_auth(bio_c_out, sbio, jpake_secret); +#endif SSL_set_bio(con,sbio,sbio); SSL_set_connect_state(con); diff --git a/apps/s_server.c b/apps/s_server.c index ead4d90e15..870f464f1b 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -742,7 +742,9 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); #endif int MAIN(int, char **); +#ifdef OPENSSL_EXPERIMENTAL_JPAKE static char *jpake_secret = NULL; +#endif int MAIN(int argc, char *argv[]) { @@ -1074,11 +1076,13 @@ int MAIN(int argc, char *argv[]) } #endif +#ifdef OPENSSL_EXPERIMENTAL_JPAKE else if (strcmp(*argv,"-jpake") == 0) { if (--argc < 1) goto bad; jpake_secret = *(++argv); } +#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1680,9 +1684,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) test=BIO_new(BIO_f_nbio_test()); sbio=BIO_push(test,sbio); } - +#ifdef OPENSSL_EXPERIMENTAL_JPAKE if(jpake_secret) jpake_server_auth(bio_s_out, sbio, jpake_secret); +#endif SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 4ca08ac2b5..1e71719f1d 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c 
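Review bot: The `-jpake` handler `jpake_secret = *++argv;` keeps the shared secret in argv, where it is readable by any local user through the process list and is retained in shell history; this commit only fences it with `#ifdef OPENSSL_EXPERIMENTAL_JPAKE` and leaves that exposure as it was, and the `-jpake` handler in apps/s_server.c has the same shape. Before the option graduates from experimental it would be better to accept the secret through the `-pass`-style sources that `app_passwd()` already supports for the other apps (file, fd, stdin), or at least to document the caveat in the option's help text. `MAIN` and its option loop begin and end outside the hunk.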
@@ -101,8 +101,9 @@ #ifndef OPENSSL_NO_CMS #include #endif - +#ifdef OPENSSL_EXPERIMENTAL_JPAKE #include +#endif void ERR_load_crypto_strings(void) { @@ -153,6 +154,8 @@ void ERR_load_crypto_strings(void) #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif +#ifdef OPENSSL_EXPERIMENTAL_JPAKE ERR_load_JPAKE_strings(); +#endif #endif } diff --git a/crypto/jpake/jpake.h b/crypto/jpake/jpake.h index becc66c334..a39a9a877f 100644 --- a/crypto/jpake/jpake.h +++ b/crypto/jpake/jpake.h @@ -8,6 +8,12 @@ #ifndef HEADER_JPAKE_H #define HEADER_JPAKE_H +#include + +#ifndef OPENSSL_EXPERIMENTAL_JPAKE +#error JPAKE is disabled. +#endif + #ifdef __cplusplus extern "C" { #endif diff --git a/util/libeay.num b/util/libeay.num index 989f5e3ea1..d6cf383972 100755 --- a/util/libeay.num +++ b/util/libeay.num 
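Review bot: `#error JPAKE is disabled.` in crypto/jpake/jpake.h tells the includer nothing about how to enable the feature, while the CHANGES entry in this same commit names the switch. A message such as `#error JPAKE is disabled (build with enable-experimental-jpake).` saves the next person a trip through Configure. This assumes the header included just above the check is the one that defines `OPENSSL_EXPERIMENTAL_JPAKE`; if it is not, the check fires unconditionally.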
@@ -3701,24 +3701,24 @@ FIPS_dsa_sig_encode 4089 EXIST:OPENSSL_FIPS:FUNCTION:DSA
 CRYPTO_dbg_remove_all_info 4090 EXIST::FUNCTION:
 OPENSSL_init 4091 EXIST::FUNCTION:
 private_Camellia_set_key 4092 EXIST:OPENSSL_FIPS:FUNCTION:CAMELLIA
-JPAKE_STEP3A_process 4093 EXIST::FUNCTION:
-JPAKE_STEP1_release 4094 EXIST::FUNCTION:
-JPAKE_get_shared_key 4095 EXIST::FUNCTION:
-JPAKE_STEP3B_init 4096 EXIST::FUNCTION:
-JPAKE_STEP1_generate 4097 EXIST::FUNCTION:
-JPAKE_STEP1_init 4098 EXIST::FUNCTION:
-JPAKE_STEP3B_process 4099 EXIST::FUNCTION:
-JPAKE_STEP2_generate 4100 EXIST::FUNCTION:
-JPAKE_CTX_new 4101 EXIST::FUNCTION:
-JPAKE_CTX_free 4102 EXIST::FUNCTION:
-JPAKE_STEP3B_release 4103 EXIST::FUNCTION:
-JPAKE_STEP3A_release 4104 EXIST::FUNCTION:
-JPAKE_STEP2_process 4105 EXIST::FUNCTION:
-CRYPTO_strdup 4106 EXIST::FUNCTION:
-JPAKE_STEP3B_generate 4107 EXIST::FUNCTION:
-JPAKE_STEP1_process 4108 EXIST::FUNCTION:
-JPAKE_STEP3A_generate 4109 EXIST::FUNCTION:
-JPAKE_STEP2_release 4110 EXIST::FUNCTION:
-JPAKE_STEP3A_init 4111 EXIST::FUNCTION:
-ERR_load_JPAKE_strings 4112 EXIST::FUNCTION:
-JPAKE_STEP2_init 4113 EXIST::FUNCTION:
+CRYPTO_strdup 4093 EXIST::FUNCTION:
+JPAKE_STEP3A_process 4094 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP1_release 4095 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_get_shared_key 4096 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP3B_init 4097 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP1_generate 4098 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP1_init 4099 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP3B_process 4100 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP2_generate 4101 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_CTX_new 4102 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_CTX_free 4103 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP3B_release 4104 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP3A_release 4105 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION:
+JPAKE_STEP2_process 
4106 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP3B_generate 4107 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP1_process 4108 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP3A_generate 4109 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP2_release 4110 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP3A_init 4111 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +ERR_load_JPAKE_strings 4112 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: +JPAKE_STEP2_init 4113 EXIST:OPENSSL_EXPERIMENTAL_JPAKE:FUNCTION: diff --git a/util/mkdef.pl b/util/mkdef.pl index 1507a8b499..fca62e4b3e 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -79,7 +79,8 @@ my $OS2=0; my $safe_stack_def = 0; my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT", - "EXPORT_VAR_AS_FUNCTION", "ZLIB", "OPENSSL_FIPS" ); + "EXPORT_VAR_AS_FUNCTION", "ZLIB", "OPENSSL_FIPS", + "OPENSSL_EXPERIMENTAL_JPAKE" ); my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" ); my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1", @@ -151,7 +152,10 @@ foreach (@ARGV, split(/ /, $options)) || $_ eq "enable-zlib-dynamic") { $zlib = 1; } - + + if ($_ eq "enable-experimental-jpake") { + $jpake = 1; + } $do_ssl=1 if $_ eq "ssleay"; if ($_ eq "ssl") { @@ -552,6 +556,10 @@ sub do_defs $tag{$tag[$tag_i]}=2; print STDERR "DEBUG: $file: chaged tag $1 = 2\n" if $debug; } + if ($tag[$tag_i] eq "OPENSSL_EXPERIMENTAL_".$1) { + $tag{$tag[$tag_i]}=-2; + print STDERR "DEBUG: $file: chaged tag $1 = -2\n" if $debug; + } $tag_i--; } } elsif (/^\#\s*endif/) { @@ -561,6 +569,8 @@ sub do_defs print STDERR "DEBUG: \$t=\"$t\"\n" if $debug; if ($tag{$t}==2) { $tag{$t}=-1; + } elsif ($tag{$t}==-2) { + $tag{$t}=1; } else { $tag{$t}=0; } @@ -1099,6 +1109,9 @@ sub is_valid return 1; } if ($keyword eq "ZLIB" && $zlib) { return 1; } + if ($keyword eq "OPENSSL_EXPERIMENTAL_JPAKE" && $jpake) { + return 1; + } return 0; } else { # algorithms -- 2.25.1
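Review bot: `CRYPTO_strdup` moves from ordinal 4106 to 4093 and every JPAKE entry shifts up by one; the numbers in util/libeay.num become the export ordinals in the .def files that mkdef.pl generates. If any of 4093 through 4113 has already shipped in a release, a binary that linked by ordinal against the old table now binds `CRYPTO_strdup` to the wrong entry point, and the convention for this file is to never renumber an existing symbol and only append. If these numbers exist only in the unreleased 0.9.8j tree, as the CHANGES heading suggests, the reshuffle is harmless but still deserves a sentence in the commit message.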
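Review bot: `$jpake = 1;` in the option loop and the `&& $jpake` test in `is_valid` use a variable that this patch never declares or initialises; the 15 insertions in the diffstat are all in the visible hunks, so no `my $jpake = 0;` was added elsewhere in the file. Unless a declaration already exists outside the hunks, this works only because the script runs without `use strict`, with undef standing in for false; a `my $jpake = 0;` beside the other flags near `$safe_stack_def` makes the default explicit and survives strictures (the context line `$zlib = 1;` suggests `$zlib` may be handled the same way). The new `-2`/`1` tag states in `do_defs` also deserve a comment at the `$tag{$tag[$tag_i]}=-2;` line, roughly "-2: inside the #else of an OPENSSL_EXPERIMENTAL_* block; its #endif turns it into 1", since nothing in the hunk explains them, and the new debug print copies the existing `chaged` typo.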