diff --git a/CHANGES b/CHANGES index 784c938ca6..d23520355b 100644 --- a/CHANGES +++ b/CHANGES 
@@ -4,18 +4,198 @@ Changes between 0.9.6b and 0.9.6c [XX xxx XXXX] - *) Add support for Broadcom crypto accelerator cards, backported + *) [In 0.9.6c-engine release:] + Add support for Broadcom crypto accelerator cards, backported from 0.9.7. [Broadcom, Nalin Dahyabhai , Mark Cox] - *) Add support for SureWare crypto accelerator cards from + *) [In 0.9.6c-engine release:] + Add support for SureWare crypto accelerator cards from Baltimore Technologies. (Use engine 'sureware') [Baltimore Technologies and Mark Cox] - *) Add support for crypto accelerator cards from Accelerated + *) [In 0.9.6c-engine release:] + Add support for crypto accelerator cards from Accelerated Encryption Processing, www.aep.ie. (Use engine 'aep') [AEP Inc. and Mark Cox] + *) Add a configuration entry for gcc on UnixWare. + [Gary Benson ] + + *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake + messages are stored in a single piece (fixed-length part and + variable-length part combined) and fix various bugs found on the way. + [Bodo Moeller] + + *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() + instead. BIO_gethostbyname() does not know what timeouts are + appropriate, so entries would stay in cache even when they have + become invalid. + [Bodo Moeller; problem pointed out by Rich Salz + + *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when + faced with a pathologically small ClientHello fragment that does + not contain client_version: Instead of aborting with an error, + simply choose the highest available protocol version (i.e., + TLS 1.0 unless it is disabled). In practice, ClientHello + messages are never sent like this, but this change gives us + strictly correct behaviour at least for TLS. + [Bodo Moeller] + + *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() + never resets s->method to s->ctx->method when called from within + one of the SSL handshake functions. 
+ [Bodo Moeller; problem pointed out by Niko Baric] + + *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert + (sent using the client's version number) if client_version is + smaller than the protocol version in use. Also change + ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if + the client demanded SSL 3.0 but only TLS 1.0 is enabled; then + the client will at least see that alert. + [Bodo Moeller] + + *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation + correctly. + [Bodo Moeller] + + *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a + client receives HelloRequest while in a handshake. + [Bodo Moeller; bug noticed by Andy Schneider ] + + *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C + should end in 'break', not 'goto end' which circuments various + cleanups done in state SSL_ST_OK. But session related stuff + must be disabled for SSL_ST_OK in the case that we just sent a + HelloRequest. + + Also avoid some overhead by not calling ssl_init_wbio_buffer() + before just sending a HelloRequest. + [Bodo Moeller, Eric Rescorla ] + + *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't + reveal whether illegal block cipher padding was found or a MAC + verification error occured. (Neither SSLerr() codes nor alerts + are directly visible to potential attackers, but the information + may leak via logfiles.) + + Similar changes are not required for the SSL 2.0 implementation + because the number of padding bytes is sent in clear for SSL 2.0, + and the extra bytes are just ignored. However ssl/s2_pkt.c + failed to verify that the purported number of padding bytes is in + the legal range. + [Bodo Moeller] + + *) OpenUNIX-8 support (Boyd Lynn Gerber ) + [Lutz Jaenicke] + + *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid + 'wristwatch attack' using huge encoding parameters (cf. + James H. Manger's CRYPTO 2001 paper). 
Note that the + RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use + encoding parameters and hence was not vulnerable. + [Bodo Moeller] + + *) BN_sqr() bug fix. + [Ulf Möller, reported by Jim Ellis ] + + *) Rabin-Miller test analyses assume uniformly distributed witnesses, + so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() + followed by modular reduction. + [Bodo Moeller; pointed out by Adam Young ] + + *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() + equivalent based on BN_pseudo_rand() instead of BN_rand(). + [Bodo Moeller] + + *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). + This function was broken, as the check for a new client hello message + to handle SGC did not allow these large messages. + (Tracked down by "Douglas E. Engert" .) + [Lutz Jaenicke] + + *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). + [Lutz Jaenicke] + + *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() + for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" ). + [Lutz Jaenicke] + + *) Rework the configuration and shared library support for Tru64 Unix. + The configuration part makes use of modern compiler features and + still retains old compiler behavior for those that run older versions + of the OS. The shared library support part includes a variant that + uses the RPATH feature, and is available through the special + configuration target "alpha-cc-rpath", which will never be selected + automatically. + [Tim Mooney via Richard Levitte] + + *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() + with the same message size as in ssl3_get_certificate_request(). + Otherwise, if no ServerKeyExchange message occurs, CertificateRequest + messages might inadvertently be reject as too long. + [Petr Lampa ] + + *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). 
+ [Andy Polyakov] + + *) Modified SSL library such that the verify_callback that has been set + specificly for an SSL object with SSL_set_verify() is actually being + used. Before the change, a verify_callback set with this function was + ignored and the verify_callback() set in the SSL_CTX at the time of + the call was used. New function X509_STORE_CTX_set_verify_cb() introduced + to allow the necessary settings. + [Lutz Jaenicke] + + *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c + explicitly to NULL, as at least on Solaris 8 this seems not always to be + done automatically (in contradiction to the requirements of the C + standard). This made problems when used from OpenSSH. + [Lutz Jaenicke] + + *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored + dh->length and always used + + BN_rand_range(priv_key, dh->p). + + BN_rand_range() is not necessary for Diffie-Hellman, and this + specific range makes Diffie-Hellman unnecessarily inefficient if + dh->length (recommended exponent length) is much smaller than the + length of dh->p. We could use BN_rand_range() if the order of + the subgroup was stored in the DH structure, but we only have + dh->length. + + So switch back to + + BN_rand(priv_key, l, ...) + + where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 + otherwise. + [Bodo Moeller] + + *) In + + RSA_eay_public_encrypt + RSA_eay_private_decrypt + RSA_eay_private_encrypt (signing) + RSA_eay_public_decrypt (signature verification) + + (default implementations for RSA_public_encrypt, + RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), + always reject numbers >= n. + [Bodo Moeller] + + *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 + to synchronize access to 'locking_thread'. This is necessary on + systems where access to 'locking_thread' (an 'unsigned long' + variable) is not atomic. 
+ [Bodo Moeller] + + *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID + *before* setting the 'crypto_lock_rand' flag. The previous code had + a race condition if 0 is a valid thread ID. + [Travis Vitek ] + Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) @@ -70,7 +250,7 @@ [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 - RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking @@ -120,7 +300,7 @@ combination of a flag and a thread ID variable. Otherwise while one thread is in ssleay_rand_bytes (which sets the flag), *other* threads can enter ssleay_add_bytes without obeying - the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock + the CRYPTO_LOCK_RAND lock (and may even illegally release the lock that they do not hold after the first thread unsets add_do_not_lock). [Bodo Moeller] @@ -762,7 +942,7 @@ default is static libraries only, and the OpenSSL programs are always statically linked for now, but there are preparations for dynamic linking in place. - This has been tested on Linux and True64. + This has been tested on Linux and Tru64. [Richard Levitte] *) Randomness polling function for Win9x, as described in: diff --git a/Configure b/Configure index c60c757152..43f9b10908 100755 --- a/Configure +++ b/Configure 
@@ -125,10 +125,10 @@ my %table=( "debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn", +"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT 
-DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn", "dist", "cc:-O::(unknown):::::", # Basic configs that should work on any (32 and less bit) box 
@@ -276,12 +276,39 @@ my %table=( #### HP MPE/iX http://jazz.external.hp.com/src/openssl/ "MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::", -# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with -# the new compiler +# Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion +# from the older DEC C Compiler to the newer compiler. It's now the +# same as the preferred entry, alpha-cc. If you are still using the +# older compiler (you're at 3.x or earlier, or perhaps very early 4.x) +# you should use `alphaold-cc'. +# +# "What's in a name? That which we call a rose +# By any other word would smell as sweet." +# +# - William Shakespeare, "Romeo & Juliet", Act II, scene II. +# +# For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the +# vendor compiler, use alphaold-cc. +# For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc. +# For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc. +# +# There's also an alternate target available (which `config' will never +# select) called alpha-cc-rpath. This target builds an RPATH into the +# shared libraries, which is very convenient on Tru64 since binaries +# linked against that shared library will automatically inherit that RPATH, +# and hence know where to look for the openssl libraries, even if they're in +# an odd place. 
+# # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version -"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so", -"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", -"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +# +"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared::.so", +"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::.so", +"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so", +"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath::.so", +# +# This probably belongs in a different section. +# "FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Alpha Linux with GNU C and Compaq C setups 
@@ -315,7 +342,7 @@ my %table=( "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", -"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", +"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
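Review bot: The rewritten `linux-ia64` entry sets its bn_obj field to `asm/ia64.o`, so the target now depends on an IA-64 assembler source under crypto/bn/asm that this diff does not show being added; if that file is not part of this commit, `./Configure linux-ia64` will build but fail at link time on the missing object (the STATUS hunk on this page points at an out-of-tree IA-64 patch, which may be where it comes from, but that should be confirmed). The entry also switches the thread flag from `(unknown)` to `-D_REENTRANT` and adds `-ldl`, dlfcn and `linux-shared` in one go; a short comment above the line naming the minimum gcc/binutils this was verified with would help the next person who has to touch it.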
@@ -347,6 +374,16 @@ my %table=( "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", "unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", "unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + +# OpenUNIX 8 +"OpenUNIX","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::", +"OpenUNIX-8-shared","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic", +"OpenUNIX-8-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC", # IBM's AIX. "aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::", diff --git a/FAQ b/FAQ index 23e212fb4e..0281b4c4c7 100644 --- a/FAQ +++ b/FAQ 
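Review bot: The new `OpenUNIX-8-shared` entry leaves `BN_LLONG` out of its bn_ops field while the otherwise identical static `OpenUNIX-8` entry (same compiler, same cflags, same thread flag) includes it, so the static and shared builds of one platform would compile the BIGNUM code with different word arithmetic. Unless that is deliberate, the field should read `BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}` like the other cc entries; if it is deliberate, a one-line comment saying why would stop someone from "fixing" it later. `OpenUNIX` and `OpenUNIX-8` are byte-identical, which is fine as an alias, but a comment such as `# "OpenUNIX" is an alias for "OpenUNIX-8"; keep both lines in sync` would make the intent explicit.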
@@ -8,6 +8,7 @@ OpenSSL - Frequently Asked Questions * How can I contact the OpenSSL developers? * Where can I get a compiled version of OpenSSL? * Why aren't tools like 'autoconf' and 'libtool' used? +* What is an 'engine' version? [LEGAL] Legal questions @@ -33,7 +34,7 @@ OpenSSL - Frequently Asked Questions * Why does the linker complain about undefined symbols? * Why does the OpenSSL test fail with "bc: command not found"? * Why does the OpenSSL test fail with "bc: 1 no implemented"? -* Why does the OpenSSL compilation fail on Alpha True64 Unix? +* Why does the OpenSSL compilation fail on Alpha Tru64 Unix? * Why does the OpenSSL compilation fail with "ar: command not found"? * Why does the OpenSSL compilation fail on Win32 with VC++? @@ -121,6 +122,12 @@ A number of Linux and *BSD distributions include OpenSSL. autoconf will probably be used in future OpenSSL versions. If it was less Unix-centric, it might have been used much earlier. +* What is an 'engine' version? + +With version 0.9.6 OpenSSL was extended to interface to external crypto +hardware. This was realized in a special release '0.9.6-engine'. With +version 0.9.7 (not yet released) the changes were merged into the main +development line, so that the special release is no longer necessary. [LEGAL] ======================================================================= @@ -146,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with their software on operating systems that don't normally include OpenSSL. If you develop open source software that uses OpenSSL, you may find it -useful to choose an other license than the GPL, or state explicitely that +useful to choose an other license than the GPL, or state explicitly that "This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed." If you are using GPL software developed by others, you may want to ask the copyright holder 
@@ -186,7 +193,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd. If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will use file .rnd in the current directory while OpenSSL 0.9.6a uses no default seeding file at all. OpenSSL 0.9.6b and later will behave -similarly to 0.9.6a, but will use a default of "C:" for HOME on +similarly to 0.9.6a, but will use a default of "C:\" for HOME on Windows systems if the environment variable has not been set. If the default seeding file does not exist or is too short, the "PRNG @@ -297,7 +304,7 @@ there is little point presenting a certificate which the server will reject. The solution is to add the relevant CA certificate to your servers "trusted -CA list". How you do this depends on the server sofware in uses. You can +CA list". How you do this depends on the server software in uses. You can print out the servers list of acceptable CAs using the OpenSSL s_client tool: openssl s_client -connect www.some.host:443 -prexit @@ -359,9 +366,9 @@ and compile/install it. GNU bc (see http://www.gnu.org/software/software.html for download instructions) can be safely used, for example. -* Why does the OpenSSL compilation fail on Alpha True64 Unix? +* Why does the OpenSSL compilation fail on Alpha Tru64 Unix? -On some Alpha installations running True64 Unix and Compaq C, the compilation +On some Alpha installations running Tru64 Unix and Compaq C, the compilation of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual memory to continue compilation.' As far as the tests have shown, this may be a compiler bug. What happens is that it eats up a lot of resident memory 
@@ -523,44 +530,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information. * Why can't the OpenSSH configure script detect OpenSSL? -There is a problem with OpenSSH 1.2.2p1, in that the configure script -can't find the installed OpenSSL libraries. The problem is actually -a small glitch that is easily solved with the following patch to be -applied to the OpenSSH distribution: - ------ snip:start ----- ---- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000 -+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000 -@@ -152,10 +152,10 @@ - AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) - for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then -- LIBS="$saved_LIBS -L$ssldir" -+ LIBS="$saved_LIBS -L$ssldir/lib" - CFLAGS="$CFLAGS -I$ssldir/include" - if test "x$need_dash_r" = "x1" ; then -- LIBS="$LIBS -R$ssldir" -+ LIBS="$LIBS -R$ssldir/lib" - fi - fi - LIBS="$LIBS -lcrypto" ---- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000 -+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000 -@@ -1890,10 +1890,10 @@ - echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 - for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then -- LIBS="$saved_LIBS -L$ssldir" -+ LIBS="$saved_LIBS -L$ssldir/lib" - CFLAGS="$CFLAGS -I$ssldir/include" - if test "x$need_dash_r" = "x1" ; then -- LIBS="$LIBS -R$ssldir" -+ LIBS="$LIBS -R$ssldir/lib" - fi - fi - LIBS="$LIBS -lcrypto" ------ snip:end ----- +Several reasons for problems with the automatic detection exist. +OpenSSH requires at least version 0.9.5a of the OpenSSL libraries. +Sometimes the distribution has installed an older version in the system +locations that is detected instead of a new one installed. 
The OpenSSL +library might have been compiled for another CPU or another mode (32/64 bits). +Permissions might be wrong. +The general answer is to check the config.log file generated when running +the OpenSSH configure script. It should contain the detailed information +on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? @@ -579,7 +558,7 @@ SSL_write() will try to continue any pending handshake. * Why doesn't my server application receive a client certificate? Due to the TLS protocol definition, a client will only send a certificate, -if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the SSL_CTX_set_verify() function to enable the use of client certificates. diff --git a/INSTALL.MacOS b/INSTALL.MacOS index a8c4f7f1da..43b5581cb3 100644 --- a/INSTALL.MacOS +++ b/INSTALL.MacOS @@ -1,7 +1,7 @@ -OpenSSL - Port To The Macintosh -=============================== +OpenSSL - Port To The Macintosh OS 9 or Earlier +=============================================== -Thanks to Roy Wood initial support for MacOS (pre +Thanks to Roy Wood initial support for Mac OS (pre X) is now provided. "Initial" means that unlike other platforms where you get an SDK and a "swiss army" openssl application, on Macintosh you only get one sample application which fetches a page over HTTPS(*) and dumps it @@ -42,7 +42,7 @@ Installation procedure: BSD sockets and some other POSIX APIs. The GUSI distribution is expected to be found in the same directory as openssl source tree, i.e. in the parent directory to the one where this very file, - namely INSTALL.MacOS. For more informations about GUSI, see + namely INSTALL.MacOS. For more information about GUSI, see http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html Finally some essential comments from our generous contributor:-) 
diff --git a/Makefile.org b/Makefile.org index f085fd2844..8500378c0c 100644 --- a/Makefile.org +++ b/Makefile.org @@ -263,7 +263,7 @@ do_gnu-shared: done # This assumes that GNU utilities are *not* used -do_tru64-shared: +do_alpha-osf1-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} -shared -no_archive -o lib$$i.so \ -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ @@ -271,6 +271,30 @@ do_tru64-shared: libs="$$libs -l$$i"; \ done +# This assumes that GNU utilities are *not* used +# The difference between alpha-osf1-shared and tru64-shared is the `-msym' +# option passed to the linker. +do_tru64-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( set -x; ${CC} -shared -msym -no_archive -o lib$$i.so \ + -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ + -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ + libs="$$libs -l$$i"; \ + done + +# This assumes that GNU utilities are *not* used +# The difference between tru64-shared and tru64-shared-rpath is the +# -rpath ${INSTALLTOP}/lib passed to the linker. +do_tru64-shared-rpath: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( set -x; ${CC} -shared -msym -no_archive -o lib$$i.so \ + -rpath ${INSTALLTOP}/lib \ + -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ + -all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \ + libs="$$libs -l$$i"; \ + done + + # This assumes that GNU utilities are *not* used do_solaris-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ 
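Review bot: `do_tru64-shared` and `do_tru64-shared-rpath` repeat the whole loop body of `do_alpha-osf1-shared` and differ from it only in the `-msym` and `-rpath ${INSTALLTOP}/lib` linker options, so any later correction to the link line has to be made three times; one recipe that takes the extra options from a per-target make variable would be easier to keep consistent. `-rpath ${INSTALLTOP}/lib` is also fixed at build time, so a library installed under a different prefix from the one Configure was run with carries a search path that does not exist on the target system; if staged or relocated installs are meant to be supported, that limitation deserves a sentence next to the rule, and the Configure comment already says `config` will never select this target, which is worth repeating here.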
@@ -281,6 +305,21 @@ do_solaris-shared: libs="$$libs -l$$i"; \ done +# UnixWare 7 and OpenUNIX 8 native compilers used +do_svr5-shared: + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + ( PATH=/usr/ccs/bin:$$PATH ; export PATH; \ + find . -name "*.o" -print > allobjs ; \ + OBJS= ; export OBJS ; \ + for obj in `ar t lib$$i.a` ; do \ + OBJS="$${OBJS} `grep $$obj allobjs`" ; \ + done ; \ + set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ + $${OBJS} $$libs ${EX_LIBS} ) || exit 1; \ + libs="$$libs -l$$i"; \ + done + Makefile.ssl: Makefile.org @echo "Makefile.ssl is older than Makefile.org." @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." diff --git a/NEWS b/NEWS index f45d8e5ced..b8a76f8627 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,13 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: + + o Various SSL/TLS library bugfixes. + o BIGNUM library fixes. + o Add crypto accelerator support for AEP, Baltimore SureWare, + Broadcom [in 0.9.6c-engine release]. + Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: o Security fix: PRNG improvements. diff --git a/README b/README index 1152ac2056..ae7e5b7a24 100644 --- a/README +++ b/README @@ -62,7 +62,7 @@ X.509v3 certificates X509 encoding/decoding into/from binary ASN1 and a PEM - based ascii-binary encoding which supports encryption with a + based ASCII-binary encoding which supports encryption with a private key. Program to generate RSA and DSA certificate requests and to generate RSA and DSA certificates. 
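Review bot: In `do_svr5-shared`, `grep $$obj allobjs` treats each archive member name as an unanchored regular expression against every object path in the tree, so one member can select more objects than intended (the pattern `md5.o` also matches a path containing `md5_one.o`, and a basename present in two directories yields both paths), and those extra objects are then linked into the shared library. Anchoring the match to a path component and the end of the line, `OBJS="$${OBJS} \`grep "/$$obj$$" allobjs\`"`, avoids that, and the scratch file should be removed after the loop with `rm -f allobjs` rather than being left in the source tree. The header comment `# UnixWare 7 and OpenUNIX 8 native compilers used` is also not quite accurate, because the Configure hunk on this page routes `OpenUNIX-8-gcc-shared` to `svr5-shared` with gcc as ${CC}.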
@@ -97,7 +97,7 @@ locations around the world. _YOU_ are responsible for ensuring that your use of any algorithms is legal by checking if there are any patents in your country. The file contains some of the patents that we know about or are - rumoured to exist. This is not a definitive list. + rumored to exist. This is not a definitive list. RSA Security holds software patents on the RC5 algorithm. If you intend to use this cipher, you must contact RSA Security for @@ -107,8 +107,8 @@ only be used with RSA Security's permission. The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy, - Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should - be contacted if that algorithm is to be used, their web page is + Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They + should be contacted if that algorithm is to be used; their web page is http://www.ascom.ch/. INSTALLATION @@ -119,8 +119,8 @@ INSTALL.VMS. Read the documentation in the doc/ directory. It is quite rough, but it - lists the functions, you will probably have to look at the code to work out - how to used them. Look at the example programs. + lists the functions; you will probably have to look at the code to work out + how to use them. Look at the example programs. SUPPORT ------- diff --git a/README.ENGINE b/README.ENGINE index 3d88ed152f..43e39d5b09 100644 --- a/README.ENGINE +++ b/README.ENGINE @@ -5,7 +5,7 @@ With OpenSSL 0.9.6, a new component has been added to support external crypto devices, for example accelerator cards. The component is called ENGINE, and has still a pretty experimental status and almost no - documentation. It's designed to be faily easily extensible by the + documentation. It's designed to be fairly easily extensible by the calling programs. There's currently built-in support for the following crypto devices: 
@@ -48,7 +48,7 @@ No external crypto device is chosen unless you say so. You have actively tell the openssl utility commands to use it through a new command line switch called "-engine". And if you want to use the ENGINE library to - do something similar, you must also explicitely choose an external crypto + do something similar, you must also explicitly choose an external crypto device, or the built-in crypto routines will be used, just as in the default OpenSSL distribution. @@ -56,7 +56,7 @@ PROBLEMS ======== - It seems like the ENGINE part doesn't work too well with Cryptoswift on + It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32. A quick test done right before the release showed that trying "openssl speed -engine cswift" generated errors. If the DSO gets enabled, an attempt is made to write at memory address 0x00000002. diff --git a/STATUS b/STATUS index 0878ac7a9b..9a8eb1b9a9 100644 --- a/STATUS +++ b/STATUS @@ -1,9 +1,11 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2001/04/05 17:48:02 $ + ______________ $Date: 2001/11/12 22:26:22 $ DEVELOPMENT STATE + o OpenSSL 0.9.7: Under development... + o OpenSSL 0.9.6b: Released on July 9th, 2001 o OpenSSL 0.9.6a: Released on April 5th, 2001 o OpenSSL 0.9.6: Released on September 24th, 2000 o OpenSSL 0.9.5a: Released on April 1st, 2000 @@ -18,6 +20,11 @@ AVAILABLE PATCHES + o IA-64 (a.k.a. Intel Itanium) public-key operation performance + patch for Linux is available for download at + http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL + suggests the patch is relative to OpenSSL 0.9.6b. + IN PROGRESS o Steve is currently working on (in no particular order): 
@@ -31,12 +38,13 @@ o Geoff and Richard are currently working on: ENGINE (the new code that gives hardware support among others). o Richard is currently working on: + UI (User Interface) UTIL (a new set of library functions to support some higher level functionality that is currently missing). Shared library support for VMS. - OCSP Kerberos 5 authentication Constification + OCSP NEEDS PATCH @@ -49,13 +57,9 @@ o Whenever strncpy is used, make sure the resulting string is NULL-terminated or an error is reported - OPEN ISSUES + o "OpenSSL STATUS" is never up-to-date. - o crypto/ex_data.c is not really thread-safe and so must be used - with care (e.g., extra locking where necessary, or don't call - CRYPTO_get_ex_new_index once multiple threads exist). - The current API is not suitable for everything that it pretends - to offer. + OPEN ISSUES o The Makefile hierarchy and build mechanism is still not a round thing: @@ -99,4 +103,14 @@ WISHES - o + o SRP in TLS. + [wished by: + Dj , Tom Wu , + Tom Holroyd ] + + See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt + as well as http://www-cs-students.stanford.edu/~tjw/srp/. + + Tom Holroyd tells us there is a SRP patch for OpenSSH at + http://members.tripod.com/professor_tom/archives/, that could + be useful. diff --git a/TABLE b/TABLE index 2d5af18259..bf539fdba9 100644 --- a/TABLE +++ b/TABLE 
@@ -352,6 +352,160 @@ $shared_cflag = -fPIC $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = +*** OpenUNIX +$cc = cc +$cflags = -O -DFILIO_H -Kalloca +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = +$shared_extension = +$ranlib = + +*** OpenUNIX-8 +$cc = cc +$cflags = -O -DFILIO_H -Kalloca +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = +$shared_extension = +$ranlib = + +*** OpenUNIX-8-gcc +$cc = gcc +$cflags = -O -DFILIO_H -fomit-frame-pointer +$unistd = +$thread_cflag = -pthread +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = +$shared_extension = +$ranlib = + +*** OpenUNIX-8-gcc-shared +$cc = gcc +$cflags = -O3 -DFILIO_H -fomit-frame-pointer +$unistd = +$thread_cflag = -pthread +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = asm/bn86-elf.o asm/co86-elf.o +$des_obj = asm/dx86-elf.o asm/yx86-elf.o +$bf_obj = asm/bx86-elf.o +$md5_obj = asm/mx86-elf.o +$sha1_obj = asm/sx86-elf.o +$cast_obj = asm/cx86-elf.o +$rc4_obj = asm/rx86-elf.o +$rmd160_obj = asm/rm86-elf.o +$rc5_obj = asm/r586-elf.o +$dso_scheme = dlfcn +$shared_target= svr5-shared +$shared_cflag = -fPIC +$shared_extension = +$ranlib = + +*** OpenUNIX-8-pentium +$cc = cc +$cflags = -O -DFILIO_H -Kalloca -Kpentium +$unistd = +$thread_cflag = -Kthread +$lflags = 
-lsocket -lnsl +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = +$shared_extension = +$ranlib = + +*** OpenUNIX-8-pentium_pro +$cc = cc +$cflags = -O -DFILIO_H -Kalloca -Kpentium_pro +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = +$shared_target= +$shared_cflag = +$shared_extension = +$ranlib = + +*** OpenUNIX-8-shared +$cc = cc +$cflags = -O -DFILIO_H -Kalloca +$unistd = +$thread_cflag = -Kthread +$lflags = -lsocket -lnsl +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= svr5-shared +$shared_cflag = -Kpic +$shared_extension = +$ranlib = + *** ReliantUNIX $cc = cc $cflags = -KPIC -g -DSNI -DTERMIOS -DB_ENDIAN @@ -640,9 +794,9 @@ $ranlib = *** alpha-cc $cc = cc -$cflags = -std1 -tune host -O4 -readonly_strings +$cflags = -std1 -tune host -fast -readonly_strings $unistd = -$thread_cflag = (unknown) +$thread_cflag = -pthread $lflags = $bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK $bn_obj = @@ -660,6 +814,28 @@ $shared_cflag = $shared_extension = .so $ranlib = +*** alpha-cc-rpath +$cc = cc +$cflags = -std1 -tune host -fast -readonly_strings +$unistd = +$thread_cflag = -pthread +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= tru64-shared-rpath +$shared_cflag = +$shared_extension = .so +$ranlib = + *** alpha-gcc $cc = gcc $cflags = -O3 
@@ -677,7 +853,7 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn -$shared_target= tru64-shared +$shared_target= alpha-osf1-shared $shared_cflag = $shared_extension = .so $ranlib = @@ -686,6 +862,28 @@ $ranlib = $cc = cc $cflags = -std1 -tune host -fast -readonly_strings $unistd = +$thread_cflag = -pthread +$lflags = +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= tru64-shared +$shared_cflag = +$shared_extension = .so +$ranlib = + +*** alphaold-cc +$cc = cc +$cflags = -std1 -tune host -O4 -readonly_strings +$unistd = $thread_cflag = (unknown) $lflags = $bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK @@ -699,7 +897,7 @@ $rc4_obj = $rmd160_obj = $rc5_obj = $dso_scheme = dlfcn -$shared_target= tru64-shared +$shared_target= alpha-osf1-shared $shared_cflag = $shared_extension = .so $ranlib = @@ -904,7 +1102,7 @@ $ranlib = *** debug-bodo $cc = gcc -$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall +$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall $unistd = $thread_cflag = -D_REENTRANT $lflags = @@ -926,7 +1124,7 @@ $ranlib = *** debug-levitte-linux-elf $cc = gcc -$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe +$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe $unistd = $thread_cflag = -D_REENTRANT $lflags = -ldl 
@@ -1124,7 +1322,7 @@ $ranlib = *** debug-ulf $cc = gcc -$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe $unistd = $thread_cflag = -D_REENTRANT $lflags = @@ -1874,10 +2072,10 @@ $ranlib = $cc = gcc $cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall $unistd = -$thread_cflag = (unknown) -$lflags = -$bn_ops = SIXTY_FOUR_BIT_LONG -$bn_obj = +$thread_cflag = -D_REENTRANT +$lflags = -ldl +$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR +$bn_obj = asm/ia64.o $des_obj = $bf_obj = $md5_obj = @@ -1886,10 +2084,10 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = -$shared_target= -$shared_cflag = -$shared_extension = +$dso_scheme = dlfcn +$shared_target= linux-shared +$shared_cflag = -fPIC +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) $ranlib = *** linux-m68k @@ -2728,6 +2926,28 @@ $shared_cflag = $shared_extension = $ranlib = +*** unixware-7-gcc +$cc = gcc +$cflags = -DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall +$unistd = +$thread_cflag = -D_REENTRANT +$lflags = -lsocket -lnsl +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = +$dso_scheme = dlfcn +$shared_target= gnu-shared +$shared_cflag = -fPIC +$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR) +$ranlib = + *** unixware-7-pentium $cc = cc $cflags = -O -DFILIO_H -Kalloca -Kpentium diff --git a/apps/makeapps.com b/apps/makeapps.com index 7e9d0ac8d6..fe55369843 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com 
@@ -1133,6 +1133,7 @@ $!
 $! Save directory information
 $!
 $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __HERE = F$EDIT(__HERE,"UPCASE")
 $ __TOP = __HERE - "APPS]"
 $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
diff --git a/apps/req.c b/apps/req.c
index ca8dc87957..860a83d16e 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -392,8 +392,7 @@ bad:
 BIO_printf(bio_err," the random number generator\n");
 BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
-
- BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2)\n");
+ BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 BIO_printf(bio_err," -config file request template file.\n");
 BIO_printf(bio_err," -new new request.\n");
 BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
diff --git a/apps/s_client.c b/apps/s_client.c
index 0e1a61b789..dedbc0af2e 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -928,5 +928,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 BIO_printf(bio,"---\n");
 if (peer != NULL)
 X509_free(peer);
+ /* flush, or debugging output gets mixed with http response */
+ BIO_flush(bio);
 }
diff --git a/config b/config
index 3f8f9a26fd..c5bf89787e 100755
--- a/config
+++ b/config
@@ -68,6 +68,11 @@ if [ "x$XREL" != "x" ]; then
 4.2)
 echo "whatever-whatever-unixware1"; exit 0
 ;;
+ OpenUNIX)
+ if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
+ echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
+ fi
+ ;;
 5)
 if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
 echo "${MACHINE}-sco-unixware7"; exit 0
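Review bot: The new `BIO_flush(bio);` in print_stuff discards its return value, so a flush that fails or would block on a non-blocking BIO goes unnoticed. print_stuff is `static void` and its BIO_printf calls are equally unchecked, so the minimum is to make the intent explicit with `(void)BIO_flush(bio);`; if the output BIO can be non-blocking, a retry loop on `BIO_should_retry(bio)` belongs here instead. The function's body starts outside the hunk.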
@@ -195,8 +200,23 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 echo "${MACHINE}-whatever-openbsd"; exit 0
 ;;
+ OpenUNIX:*)
+ echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
+ ;;
+
 OSF1:*:*:*alpha*)
- echo "${MACHINE}-dec-osf"; exit 0
+ OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'`
+ case "$OSFMAJOR" in
+ 4|5)
+ echo "${MACHINE}-dec-tru64"; exit 0
+ ;;
+ 1|2|3)
+ echo "${MACHINE}-dec-osf"; exit 0
+ ;;
+ *)
+ echo "${MACHINE}-dec-osf"; exit 0
+ ;;
+ esac
 ;;
 QNX:*)
@@ -485,7 +505,15 @@ case "$GUESSOS" in
 pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
 *-*-openbsd) OUT="OpenBSD" ;;
 *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
- *-*-osf) OUT="alpha-cc" ;;
+ *-*-osf) OUT="alphaold-cc" ;;
+ *-*-tru64) OUT="alpha-cc" ;;
+ *-*-OpenUNIX*)
+ if [ "$CC" = "gcc" ]; then
+ OUT="OpenUNIX-8-gcc"
+ else
+ OUT="OpenUNIX-8"
+ fi
+ ;;
 *-*-unixware7) OUT="unixware-7" ;;
 *-*-UnixWare7) OUT="unixware-7" ;;
 *-*-Unixware7) OUT="unixware-7" ;;
@@ -549,7 +577,7 @@ case "$GUESSOS" in
 i386-*) options="$options 386" ;;
 esac
-for i in bf cast des dh dsa hmac md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
+for i in bf cast des dh dsa hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
 do
 if [ ! -d crypto/$i ]
 then
diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c
index 732e68fe46..b7db6813f9 100644
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -105,9 +105,9 @@ int ASN1_STRING_set_default_mask_asc(char *p)
 mask = strtoul(p + 5, &end, 0);
 if(*end) return 0;
 } else if(!strcmp(p, "nombstr"))
- mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+ mask = ~((unsigned long)(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING));
 else if(!strcmp(p, "pkix"))
- mask = ~B_ASN1_T61STRING;
+ mask = ~((unsigned long)B_ASN1_T61STRING);
 else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
 else if(!strcmp(p, "default")) mask = 0xFFFFFFFFL;
diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c
index 62cc3f1a0c..d1398952b5 100644
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
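Review bot: In the new OSF1 branch the `1|2|3)` and `*)` arms both run `echo "${MACHINE}-dec-osf"; exit 0`, so the enumerated arm adds nothing; either drop it or add a comment saying why the old major versions are spelled out. `OSFMAJOR` comes from `sed -e 's/^V\([0-9]*\)\..*$/\1/'`, which leaves `${RELEASE}` untouched when it does not look like `V<n>.`, so such values silently take the `*)` fallback — a one-line comment above the inner `case` stating that this is the intended default would save the next reader the analysis.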
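Review bot: The `strtoul(p + 5, &end, 0)` two lines above the changed ones still accepts an overflowing value: on ERANGE strtoul returns ULONG_MAX and leaves `*end == '\0'`, so `if(*end) return 0;` does not reject it. Set `errno = 0;` before the call and test `if (errno == ERANGE || *end) return 0;` after it. Separately, the new `~((unsigned long)...)` masks set all 64 bits on LP64 platforms whereas the `"default"` arm still uses `0xFFFFFFFFL`; whether the high bits ever matter depends on how the mask is consumed outside this hunk, but the two forms should at least be made consistent deliberately. ASN1_STRING_set_default_mask_asc starts outside the hunk.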
@@ -345,18 +345,23 @@ static void ghbn_free(struct hostent *a)
 struct hostent *BIO_gethostbyname(const char *name)
 {
+#if 1
+ /* Caching gethostbyname() results forever is wrong,
+ * so we have to let the true gethostbyname() worry about this */
+ return gethostbyname(name);
+#else
 struct hostent *ret;
 int i,lowi=0,j;
 unsigned long low= (unsigned long)-1;
-/* return(gethostbyname(name)); */
-#if 0 /* It doesn't make sense to use locking here: The function interface
- * is not thread-safe, because threads can never be sure when
- * some other thread destroys the data they were given a pointer to.
- */
+# if 0
+ /* It doesn't make sense to use locking here: The function interface
+ * is not thread-safe, because threads can never be sure when
+ * some other thread destroys the data they were given a pointer to.
+ */
 CRYPTO_w_lock(CRYPTO_LOCK_GETHOSTBYNAME);
-#endif
+# endif
 j=strlen(name);
 if (j < 128)
 {
@@ -384,20 +389,21 @@ struct hostent *BIO_gethostbyname(const char *name)
 * parameter is 'char *', instead of 'const char *' */
 ret=gethostbyname(
-#ifndef CONST_STRICT
+# ifndef CONST_STRICT
 (char *)
-#endif
+# endif
 name);
 if (ret == NULL) goto end;
 if (j > 128) /* too big to cache */
 {
-#if 0 /* If we were trying to make this function thread-safe (which
- * is bound to fail), we'd have to give up in this case
- * (or allocate more memory). */
+# if 0
+ /* If we were trying to make this function thread-safe (which
+ * is bound to fail), we'd have to give up in this case
+ * (or allocate more memory). */
 ret = NULL;
-#endif
+# endif
 goto end;
 }
@@ -421,12 +427,14 @@ struct hostent *BIO_gethostbyname(const char *name)
 ghbn_cache[i].order=BIO_ghbn_miss+BIO_ghbn_hits;
 }
 end:
-#if 0
+# if 0
 CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
-#endif
+# endif
 return(ret);
+#endif
 }
+
 int BIO_sock_init(void)
 {
 #ifdef WINDOWS
diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index 97003b503c..edc6cc8715 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
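Review bot: The now-live `return gethostbyname(name);` under `#if 1` passes the `const char *name` through unchanged, while the `#else` path kept below still wraps the same call in `# ifndef CONST_STRICT (char *) # endif` because, as its comment says, some platforms declare the parameter as `char *`; the short path needs the same cast or it will warn or fail on exactly those platforms. Keeping the entire cache implementation under `#else` leaves roughly eighty lines of dead code that will silently rot; if it is not coming back, delete it together with the `# if 0` locking stubs. The note that callers receive a pointer into gethostbyname()'s static buffer and that the interface is not thread-safe is now only inside the disabled block, so repeat it next to the live `return`. BIO_gethostbyname's body continues outside the first hunk.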
@@ -431,7 +431,7 @@ int BIO_read_filename(BIO *b,const char *name);
 #define BIO_set_ssl_renegotiate_bytes(b,num) \
 BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
 #define BIO_get_num_renegotiates(b) \
- BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
+ BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
 #define BIO_set_ssl_renegotiate_timeout(b,seconds) \
 BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c
index 78c6ab4fdd..4614ad44dd 100644
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -474,7 +474,8 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 break;
 case BIO_C_GET_WRITE_BUF_SIZE:
- num = (long) b->size;
+ ret = (long) b->size;
+ break;
 case BIO_C_MAKE_BIO_PAIR:
 {
diff --git a/crypto/bn/Makefile.ssl b/crypto/bn/Makefile.ssl
index ad36267e26..9e075a2b0f 100644
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -124,6 +124,8 @@ asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
 $(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
 /usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
+asm/ia64.o: asm/ia64.S
+
 files:
 $(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
index b232c2ceae..c423b65122 100644
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -90,7 +90,9 @@ extern "C" {
 * be on. Again this in only really a problem on machines
 * using "long long's", are 32bit, and are not using my assembler code. */
 #if defined(MSDOS) || defined(WINDOWS) || defined(WIN32) || defined(linux)
-#define BN_DIV2W
+# ifndef BN_DIV2W
+# define BN_DIV2W
+# endif
 #endif
 /* assuming long is 64bit - this is the DEC Alpha
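Review bot: `BIO_get_num_renegotiates(b)` still expands to `BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);` with a trailing semicolon inside the macro, so it cannot be used as an expression (`if (BIO_get_num_renegotiates(b) > 0)` does not compile). While correcting the ctrl code, drop the `;` from this definition; the neighbouring BIO_set_ssl_renegotiate_bytes and BIO_set_ssl_renegotiate_timeout macros have the same defect and should be fixed in the same pass.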
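Review bot: `asm/ia64.o: asm/ia64.S` carries no recipe, so it depends on a built-in `.S` to `.o` suffix rule that not every make provides and that this makefile does not declare; the sparcv8plus rules just above spell their commands out. Add an explicit recipe in the same style, for instance `$(CC) $(ASFLAGS) -c -o asm/ia64.o asm/ia64.S` (check how ASFLAGS is populated for the other assembler targets), or at least a comment naming the implicit rule relied on.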
@@ -329,6 +331,7 @@ void BN_CTX_end(BN_CTX *ctx);
 int BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
+int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
 int BN_num_bits(const BIGNUM *a);
 int BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index c328b5b411..613a268823 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -128,7 +128,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 #if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
 # if defined(__GNUC__) && __GNUC__>=2
-# if defined(__i386)
+# if defined(__i386) || defined (__i386__)
 /*
 * There were two reasons for implementing this template:
 * - GNU C generates a call to a function (__udivdi3 to be exact)
diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c
index a5f01b92eb..8b782fa317 100644
--- a/crypto/bn/bn_prime.c
+++ b/crypto/bn/bn_prime.c
@@ -225,12 +225,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 BN_MONT_CTX *mont = NULL;
 const BIGNUM *A = NULL;
+ if (BN_cmp(a, BN_value_one()) <= 0)
+ return 0;
+
 if (checks == BN_prime_checks)
 checks = BN_prime_checks_for_size(BN_num_bits(a));
 /* first look for small factors */
 if (!BN_is_odd(a))
- return(0);
+ return 0;
 if (do_trial_division)
 {
 for (i = 1; i < NUMPRIMES; i++)
@@ -289,11 +292,8 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
 for (i = 0; i < checks; i++)
 {
- if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
+ if (!BN_pseudo_rand_range(check, A1))
 goto err;
- if (BN_cmp(check, A1) >= 0)
- if (!BN_sub(check, check, A1))
- goto err;
 if (!BN_add_word(check, 1))
 goto err;
 /* now 1 <= check < A */
diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c
index acd0619921..b368d12f80 100644
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
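Review bot: `int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);` takes `range` as a writable pointer although, as far as the bn_rand.c hunks in this patch show, the implementation only reads it (`range->neg`, `BN_is_zero(range)`, `BN_cmp(r, range)`), forcing callers holding a `const BIGNUM *` to cast; declare it `const BIGNUM *range`, which breaks no existing caller, and consider the same for BN_rand_range on the line above. A one-line comment distinguishing the two — `/* like BN_rand_range() but uses BN_pseudo_rand(); not for secret values */` — would also help, since nothing in this block says which of them is safe for key material.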
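Review bot: The Miller-Rabin bases are now drawn with `BN_pseudo_rand_range(check, A1)`, i.e. from the pseudo-random generator rather than BN_rand; that is adequate for candidates this library generates itself, but when `a` is supplied by an untrusted peer, predictable bases make it easier for a crafted composite to pass, so the choice should be recorded in a comment on the call and in the documentation of BN_is_prime_fasttest. The new `if (BN_cmp(a, BN_value_one()) <= 0) return 0;` is a good addition since it also rejects zero and negative inputs before the parity check. The function body starts and ends outside both hunks.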
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 #include
 #include
@@ -172,8 +225,9 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 #endif
 /* random number r: 0 <= r < range */
-int BN_rand_range(BIGNUM *r, BIGNUM *range)
+static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
 {
+ int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
 int n;
 if (range->neg || BN_is_zero(range))
@@ -193,7 +247,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
 do
 {
 /* range = 11..._2, so each iteration succeeds with probability >= .75 */
- if (!BN_rand(r, n, -1, 0)) return 0;
+ if (!bn_rand(r, n, -1, 0)) return 0;
 }
 while (BN_cmp(r, range) >= 0);
 }
@@ -203,7 +257,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
 * so 3*range (= 11..._2) is exactly one bit longer than range */
 do
 {
- if (!BN_rand(r, n + 1, -1, 0)) return 0;
+ if (!bn_rand(r, n + 1, -1, 0)) return 0;
 /* If r < 3*range, use r := r MOD range
 * (which is either r, r - range, or r - 2*range).
 * Otherwise, iterate once more.
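Review bot: The static helper `bn_rand_range` differs from the public `BN_rand_range` only in letter case, which is easy to misread in a grep or a stack trace; a distinct name such as `bn_rand_range_impl` avoids that. The `int pseudo` selector is undocumented — add above the function-pointer line `/* pseudo != 0: draw from BN_pseudo_rand() (not cryptographically strong); 0: draw from BN_rand() */`. The helper's body continues past the last hunk.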
@@ -221,3 +275,14 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
 return 1;
 }
+
+
+int BN_rand_range(BIGNUM *r, BIGNUM *range)
+ {
+ return bn_rand_range(0, r, range);
+ }
+
+int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range)
+ {
+ return bn_rand_range(1, r, range);
+ }
diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c
index 75f4f38392..09bd3377bf 100644
--- a/crypto/bn/bn_sqr.c
+++ b/crypto/bn/bn_sqr.c
@@ -245,7 +245,7 @@ printf(" bn_sqr_recursive %d * %d\n",n2,n2);
 if (!zero)
 bn_sqr_recursive(&(t[n2]),t,n,p);
 else
- memset(&(t[n2]),0,n*sizeof(BN_ULONG));
+ memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
 bn_sqr_recursive(r,a,n,p);
 bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index a7a9262133..5231f712bf 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -90,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 "ssl_sess_cert",
 "ssl",
 "rand",
+ "rand2",
 "debug_malloc",
 "BIO",
 "gethostbyname",
@@ -101,7 +102,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 "dso",
 "dynlock",
 "engine",
-#if CRYPTO_NUM_LOCKS != 29
+#if CRYPTO_NUM_LOCKS != 30
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 };
diff --git a/crypto/crypto-lib.com b/crypto/crypto-lib.com
index 482a136177..19b968b61a 100644
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -1462,6 +1462,7 @@ $!
 $! Save directory information
 $!
 $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
+$ __HERE = F$EDIT(__HERE,"UPCASE")
 $ __TOP = __HERE - "CRYPTO]"
 $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 9257673279..52694ebffa 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
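Review bot: The public `BN_rand_range` and `BN_pseudo_rand_range` are added without any header comment, and the `/* random number r: 0 <= r < range */` contract now sits on the static helper where API readers will not look. Repeat the contract on the public entries and state the difference, e.g. above BN_pseudo_rand_range: `/* As BN_rand_range(), 0 <= r < range, but drawn from BN_pseudo_rand(): fine for Miller-Rabin bases, not for secrets. */`.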
@@ -112,18 +112,20 @@ extern "C" {
 #define CRYPTO_LOCK_SSL_SESS_CERT 15
 #define CRYPTO_LOCK_SSL 16
 #define CRYPTO_LOCK_RAND 17
-#define CRYPTO_LOCK_MALLOC 18
-#define CRYPTO_LOCK_BIO 19
-#define CRYPTO_LOCK_GETHOSTBYNAME 20
-#define CRYPTO_LOCK_GETSERVBYNAME 21
-#define CRYPTO_LOCK_READDIR 22
-#define CRYPTO_LOCK_RSA_BLINDING 23
-#define CRYPTO_LOCK_DH 24
-#define CRYPTO_LOCK_MALLOC2 25
-#define CRYPTO_LOCK_DSO 26
-#define CRYPTO_LOCK_DYNLOCK 27
-#define CRYPTO_LOCK_ENGINE 28
+#define CRYPTO_LOCK_RAND2 18
+#define CRYPTO_LOCK_MALLOC 19
+#define CRYPTO_LOCK_BIO 20
+#define CRYPTO_LOCK_GETHOSTBYNAME 21
+#define CRYPTO_LOCK_GETSERVBYNAME 22
+#define CRYPTO_LOCK_READDIR 23
+#define CRYPTO_LOCK_RSA_BLINDING 24
+#define CRYPTO_LOCK_DH 25
+#define CRYPTO_LOCK_MALLOC2 26
+#define CRYPTO_LOCK_DSO 27
+#define CRYPTO_LOCK_DYNLOCK 28
 #define CRYPTO_NUM_LOCKS 29
+#define CRYPTO_LOCK_ENGINE 29
+#define CRYPTO_NUM_LOCKS 30
 #define CRYPTO_LOCK 1
 #define CRYPTO_UNLOCK 2
@@ -351,6 +353,9 @@ int CRYPTO_push_info_(const char *info, const char *file, int line);
 int CRYPTO_pop_info(void);
 int CRYPTO_remove_all_info(void);
+
+/* Default debugging functions (enabled by CRYPTO_malloc_debug_init() macro;
+ * used as default in CRYPTO_MDEBUG compilations): */
 /* The last argument has the following significance:
 *
 * 0: called before the actual memory allocation has taken place
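Review bot: As rendered, `#define CRYPTO_NUM_LOCKS 29` survives as an unchanged context line directly above the added `#define CRYPTO_NUM_LOCKS 30`, so the header would define the macro twice with different bodies — a redefinition the compiler diagnoses, with only the last value reaching cryptlib.c's `#if CRYPTO_NUM_LOCKS != 30` check; if that is really what the patch does, the `29` line has to be removed. Independently, inserting CRYPTO_LOCK_RAND2 at 18 renumbers every lock from CRYPTO_LOCK_MALLOC through CRYPTO_LOCK_ENGINE, so an application whose locking callback or lock-name table was built against the previous header now serialises the wrong resource for those ids; appending the new lock at the end (`#define CRYPTO_LOCK_RAND2 29` and `#define CRYPTO_NUM_LOCKS 30`) keeps the existing values stable, with cryptlib.c's `lock_names` order following suit. If the renumbering is deliberate, call it out where users of CRYPTO_set_locking_callback will see it.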
@@ -359,18 +364,18 @@ int CRYPTO_remove_all_info(void);
 void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
 void CRYPTO_dbg_free(void *addr,int before_p);
-
 /* Tell the debugging code about options. By default, the following values
 * apply:
 *
- * 0: Clear all options.
- * 1: Set the "Show Time" option.
- * 2: Set the "Show Thread Number" option.
- * 3: 1 + 2
+ * 0: Clear all options.
+ * V_CRYPTO_MDEBUG_TIME (1): Set the "Show Time" option.
+ * V_CRYPTO_MDEBUG_THREAD (2): Set the "Show Thread Number" option.
+ * V_CRYPTO_MDEBUG_ALL (3): 1 + 2
 */
 void CRYPTO_dbg_set_options(long bits);
 long CRYPTO_dbg_get_options(void);
+
 #ifndef NO_FP_API
 void CRYPTO_mem_leaks_fp(FILE *);
 #endif
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 22b087b778..f49e013b4a 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -100,6 +100,8 @@ DH_METHOD *DH_OpenSSL(void)
 static int generate_key(DH *dh)
 {
 int ok=0;
+ int generate_new_key=0;
+ unsigned l;
 BN_CTX ctx;
 BN_MONT_CTX *mont;
 BIGNUM *pub_key=NULL,*priv_key=NULL;
@@ -110,9 +112,7 @@ static int generate_key(DH *dh)
 {
 priv_key=BN_new();
 if (priv_key == NULL) goto err;
- do
- if (!BN_rand_range(priv_key, dh->p)) goto err;
- while (BN_is_zero(priv_key));
+ generate_new_key=1;
 }
 else
 priv_key=dh->priv_key;
@@ -133,6 +133,11 @@ static int generate_key(DH *dh)
 }
 mont=(BN_MONT_CTX *)dh->method_mont_p;
+ if (generate_new_key)
+ {
+ l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
+ if (!BN_rand(priv_key, l, 0, 0)) goto err;
+ }
 if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
 priv_key,dh->p,&ctx,mont)) goto err;
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index 96f118c153..470c7caf46 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
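Review bot: `l = dh->length ? dh->length : BN_num_bits(dh->p)-1;` trusts a caller-supplied `dh->length` with no upper bound, so a `length` of BN_num_bits(p) or more makes `BN_rand(priv_key, l, 0, 0)` (top bit forced by `top == 0`) return a private exponent larger than p, and `l` is `unsigned` while BN_rand's bits parameter is `int`. Validate before drawing, e.g. `if (dh->length && dh->length >= BN_num_bits(dh->p)) goto err;`, and declare `l` as `int`. A short exponent is only sound when the group structure supports it, so the comment on this line should say that `dh->length` is the caller's responsibility and must be at least twice the intended security level. If `BN_num_bits(dh->p)` can be 1 here, `l` becomes 0 — worth checking whether parameter validation upstream excludes that. generate_key's body continues outside the hunks.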
@@ -64,7 +64,7 @@ const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
-static DH_METHOD *default_DH_method;
+static DH_METHOD *default_DH_method = NULL;
 static int dh_meth_num = 0;
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 15f667a203..006d820e87 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -67,7 +67,7 @@ const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
-static DSA_METHOD *default_DSA_method;
+static DSA_METHOD *default_DSA_method = NULL;
 static int dsa_meth_num = 0;
 static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
diff --git a/crypto/err/err.c b/crypto/err/err.c
index 839f4ab81a..5edfafba3f 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -786,7 +786,7 @@ void ERR_add_error_data(int num, ...)
 if (p == NULL)
 {
 OPENSSL_free(str);
- return;
+ goto err;
 }
 else
 str=p;
@@ -796,6 +796,7 @@ void ERR_add_error_data(int num, ...)
 }
 ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
+err:
 va_end(args);
 }
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index af6fa2ae8f..f12eac1b55 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -465,7 +465,8 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
 break;
 case BIO_CTRL_WPENDING: /* More to write in buffer */
 ret=ctx->buf_len-ctx->buf_off;
- if ((ret == 0) && (ctx->base64.num != 0))
+ if ((ret == 0) && (ctx->encode != B64_NONE)
+ && (ctx->base64.num != 0))
 ret=1;
 else if (ret <= 0)
 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
@@ -500,7 +501,7 @@ again:
 goto again;
 }
 }
- else if (ctx->base64.num != 0)
+ else if (ctx->encode != B64_NONE && ctx->base64.num != 0)
 {
 ctx->buf_off=0;
 EVP_EncodeFinal(&(ctx->base64),
diff --git a/crypto/evp/m_md4.c b/crypto/evp/m_md4.c
index 6a24ceb86d..e5005abfae 100644
--- a/crypto/evp/m_md4.c
+++ b/crypto/evp/m_md4.c
@@ -66,7 +66,7 @@ static EVP_MD md4_md=
 {
 NID_md4,
- 0,
+ NID_md4WithRSAEncryption,
 MD4_DIGEST_LENGTH,
 MD4_Init,
 MD4_Update,
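Review bot: The predicate `ctx->encode != B64_NONE && ctx->base64.num != 0` now appears twice in bio_b64.c — parenthesised term by term in the BIO_CTRL_WPENDING arm and unparenthesised after the `again:` label — which invites the two copies to drift apart the next time one of them is touched. Give it one spelling, e.g. `#define B64_HAS_PENDING_ENCODE(ctx) ((ctx)->encode != B64_NONE && (ctx)->base64.num != 0)` beside the file's other local definitions, and use it in both places. The enclosing function starts and ends outside both hunks.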
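Review bot: Setting the pkey_type slot to `NID_md4WithRSAEncryption` turns MD4 into a signing digest for RSA, and the apps/req.c usage text in an earlier hunk advertises `md4` accordingly. MD4 has had published practical collision attacks since the mid-1990s, so such signatures offer no collision resistance; if this exists for interoperability with legacy peers, say so in a comment beside the NID and make sure verification code does not accept md4WithRSAEncryption on certificates by default. The md4_md initialiser starts outside the hunk.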
diff --git a/crypto/md32_common.h b/crypto/md32_common.h
index 1a404a458d..ad7c4194c2 100644
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -198,7 +198,7 @@
 *
 *
 */
-# if defined(__i386)
+# if defined(__i386) || defined(__i386__)
 # define ROTATE(a,n) ({ register unsigned int ret; \
 asm ( \
 "roll %1,%0" \
@@ -224,7 +224,7 @@
 */
 # if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
 /* some GNU C inline assembler templates by */
-# if defined(__i386) && !defined(I386_ONLY)
+# if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
 # define BE_FETCH32(a) ({ register unsigned int l=(a);\
 asm ( \
 "bswapl %0" \
diff --git a/crypto/md4/md4_locl.h b/crypto/md4/md4_locl.h
index 0a2b39018d..a8d31d7a73 100644
--- a/crypto/md4/md4_locl.h
+++ b/crypto/md4/md4_locl.h
@@ -68,7 +68,7 @@ void md4_block_host_order (MD4_CTX *c, const void *p,int num);
 void md4_block_data_order (MD4_CTX *c, const void *p,int num);
-#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 /*
 * *_block_host_order is expected to handle aligned data while
 * *_block_data_order - unaligned. As algorithm and host (x86)
diff --git a/crypto/md5/md5_locl.h b/crypto/md5/md5_locl.h
index c912484122..f35d6f13e5 100644
--- a/crypto/md5/md5_locl.h
+++ b/crypto/md5/md5_locl.h
@@ -66,7 +66,7 @@
 #endif
 #ifdef MD5_ASM
-# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 # define md5_block_host_order md5_block_asm_host_order
 # elif defined(__sparc) && defined(ULTRASPARC)
 void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
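Review bot: The x86 compiler test is now spelled three different ways — `defined(__i386) || defined(__i386__)` in md32_common.h, the same with `_M_IX86` and `__INTEL__` appended in md4_locl.h and md5_locl.h, and `defined (__i386__)` with a stray space in the bn_div.c hunk earlier in the patch — so the next compiler symbol will have to be added to every copy again. Define the condition once in a shared header as a single feature macro (a name such as `OPENSSL_X86` is only a suggestion) built from the full list of symbols, and test that macro at each site.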
@@ -77,7 +77,7 @@ void md5_block_host_order (MD5_CTX *c, const void *p,int num); void md5_block_data_order (MD5_CTX *c, const void *p,int num); -#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__) +#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) /* * *_block_host_order is expected to handle aligned data while * *_block_data_order - unaligned. As algorithm and host (x86) diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index f0d824141c..abaf181a63 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -61,12 +61,12 @@ * perl obj_dat.pl objects.h obj_dat.h */ -#define NUM_NID 393 -#define NUM_SN 392 -#define NUM_LN 392 -#define NUM_OBJ 366 +#define NUM_NID 404 +#define NUM_SN 403 +#define NUM_LN 403 +#define NUM_OBJ 377 -static unsigned char lvalues[2896]={ +static unsigned char lvalues[2949]={ 0x00, /* [ 0] OBJ_undef */ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */ @@ -433,6 +433,17 @@ static unsigned char lvalues[2896]={ 0xBA,0x82,0x58, /* [2872] OBJ_dcObject */ 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2875] OBJ_domainComponent */ 0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2885] OBJ_Domain */ +0x50, /* [2895] OBJ_joint_iso_ccitt */ +0x55,0x01,0x05, /* [2896] OBJ_selected_attribute_types */ +0x55,0x01,0x05,0x37, /* [2899] OBJ_clearance */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2903] OBJ_md4WithRSAEncryption */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A, /* [2912] OBJ_ac_proxying */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B, /* [2920] OBJ_sinfo_access */ +0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06, /* [2928] OBJ_id_aca_encAttrs */ +0x55,0x04,0x48, /* [2936] OBJ_role */ +0x55,0x1D,0x24, /* [2939] OBJ_policy_constraints */ +0x55,0x1D,0x37, /* [2942] OBJ_target_information */ +0x55,0x1D,0x38, /* [2945] OBJ_no_rev_avail */ }; static ASN1_OBJECT nid_objs[NUM_NID]={ 
@@ -1045,6 +1056,25 @@ static ASN1_OBJECT nid_objs[NUM_NID]={ {"dcobject","dcObject",NID_dcObject,3,&(lvalues[2872]),0}, {"DC","domainComponent",NID_domainComponent,10,&(lvalues[2875]),0}, {"domain","Domain",NID_Domain,10,&(lvalues[2885]),0}, +{"JOINT-ISO-CCITT","joint-iso-ccitt",NID_joint_iso_ccitt,1, + &(lvalues[2895]),0}, +{"selected-attribute-types","Selected Attribute Types", + NID_selected_attribute_types,3,&(lvalues[2896]),0}, +{"clearance","clearance",NID_clearance,4,&(lvalues[2899]),0}, +{"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9, + &(lvalues[2903]),0}, +{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2912]),0}, +{"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8, + &(lvalues[2920]),0}, +{"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8, + &(lvalues[2928]),0}, +{"role","role",NID_role,3,&(lvalues[2936]),0}, +{"policyConstraints","X509v3 Policy Constraints", + NID_policy_constraints,3,&(lvalues[2939]),0}, +{"targetInformation","X509v3 AC Targeting",NID_target_information,3, + &(lvalues[2942]),0}, +{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3, + &(lvalues[2945]),0}, }; static ASN1_OBJECT *sn_objs[NUM_SN]={ @@ -1093,6 +1123,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[46]),/* "IDEA-OFB" */ &(nid_objs[181]),/* "ISO" */ &(nid_objs[183]),/* "ISO-US" */ +&(nid_objs[393]),/* "JOINT-ISO-CCITT" */ &(nid_objs[15]),/* "L" */ &(nid_objs[ 3]),/* "MD2" */ &(nid_objs[257]),/* "MD4" */ @@ -1138,6 +1169,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[124]),/* "RLE" */ &(nid_objs[19]),/* "RSA" */ &(nid_objs[ 7]),/* "RSA-MD2" */ +&(nid_objs[396]),/* "RSA-MD4" */ &(nid_objs[ 8]),/* "RSA-MD5" */ &(nid_objs[96]),/* "RSA-MDC2" */ &(nid_objs[104]),/* "RSA-NP-MD5" */ 
@@ -1164,6 +1196,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[125]),/* "ZLIB" */ &(nid_objs[289]),/* "aaControls" */ &(nid_objs[287]),/* "ac-auditEntity" */ +&(nid_objs[397]),/* "ac-proxying" */ &(nid_objs[288]),/* "ac-targeting" */ &(nid_objs[368]),/* "acceptableResponses" */ &(nid_objs[363]),/* "ad_timestamping" */ @@ -1178,6 +1211,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[152]),/* "certBag" */ &(nid_objs[89]),/* "certificatePolicies" */ &(nid_objs[54]),/* "challengePassword" */ +&(nid_objs[395]),/* "clearance" */ &(nid_objs[130]),/* "clientAuth" */ &(nid_objs[131]),/* "codeSigning" */ &(nid_objs[50]),/* "contentType" */ @@ -1204,6 +1238,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[355]),/* "id-aca-accessIdentity" */ &(nid_objs[354]),/* "id-aca-authenticationInfo" */ &(nid_objs[356]),/* "id-aca-chargingIdentity" */ +&(nid_objs[399]),/* "id-aca-encAttrs" */ &(nid_objs[357]),/* "id-aca-group" */ &(nid_objs[358]),/* "id-aca-role" */ &(nid_objs[176]),/* "id-ad" */ @@ -1386,6 +1421,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[137]),/* "msSGC" */ &(nid_objs[173]),/* "name" */ &(nid_objs[369]),/* "noCheck" */ +&(nid_objs[403]),/* "noRevAvail" */ &(nid_objs[72]),/* "nsBaseUrl" */ &(nid_objs[76]),/* "nsCaPolicyUrl" */ &(nid_objs[74]),/* "nsCaRevocationUrl" */ @@ -1413,9 +1449,11 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[22]),/* "pkcs7-signedData" */ &(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */ &(nid_objs[47]),/* "pkcs9" */ +&(nid_objs[401]),/* "policyConstraints" */ &(nid_objs[385]),/* "private" */ &(nid_objs[84]),/* "privateKeyUsagePeriod" */ &(nid_objs[286]),/* "qcStatements" */ +&(nid_objs[400]),/* "role" */ &(nid_objs[ 6]),/* "rsaEncryption" */ &(nid_objs[377]),/* "rsaSignature" */ &(nid_objs[ 1]),/* "rsadsi" */ 
@@ -1426,12 +1464,15 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={ &(nid_objs[159]),/* "sdsiCertificate" */ &(nid_objs[154]),/* "secretBag" */ &(nid_objs[386]),/* "security" */ +&(nid_objs[394]),/* "selected-attribute-types" */ &(nid_objs[129]),/* "serverAuth" */ &(nid_objs[371]),/* "serviceLocator" */ &(nid_objs[52]),/* "signingTime" */ &(nid_objs[387]),/* "snmpv2" */ &(nid_objs[85]),/* "subjectAltName" */ +&(nid_objs[398]),/* "subjectInfoAccess" */ &(nid_objs[82]),/* "subjectKeyIdentifier" */ +&(nid_objs[402]),/* "targetInformation" */ &(nid_objs[293]),/* "textNotice" */ &(nid_objs[133]),/* "timeStamping" */ &(nid_objs[375]),/* "trustRoot" */ @@ -1503,12 +1544,15 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[167]),/* "S/MIME Capabilities" */ &(nid_objs[387]),/* "SNMPv2" */ &(nid_objs[386]),/* "Security" */ +&(nid_objs[394]),/* "Selected Attribute Types" */ &(nid_objs[143]),/* "Strong Extranet ID" */ +&(nid_objs[398]),/* "Subject Information Access" */ &(nid_objs[130]),/* "TLS Web Client Authentication" */ &(nid_objs[129]),/* "TLS Web Server Authentication" */ &(nid_objs[133]),/* "Time Stamping" */ &(nid_objs[375]),/* "Trust Root" */ &(nid_objs[12]),/* "X509" */ +&(nid_objs[402]),/* "X509v3 AC Targeting" */ &(nid_objs[90]),/* "X509v3 Authority Key Identifier" */ &(nid_objs[87]),/* "X509v3 Basic Constraints" */ &(nid_objs[103]),/* "X509v3 CRL Distribution Points" */ @@ -1519,6 +1563,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[126]),/* "X509v3 Extended Key Usage" */ &(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */ &(nid_objs[83]),/* "X509v3 Key Usage" */ +&(nid_objs[403]),/* "X509v3 No Revocation Available" */ +&(nid_objs[401]),/* "X509v3 Policy Constraints" */ &(nid_objs[84]),/* "X509v3 Private Key Usage Period" */ &(nid_objs[85]),/* "X509v3 Subject Alternative Name" */ &(nid_objs[82]),/* "X509v3 Subject Key Identifier" */ 
@@ -1526,6 +1572,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[185]),/* "X9.57 CM ?" */ &(nid_objs[289]),/* "aaControls" */ &(nid_objs[287]),/* "ac-auditEntity" */ +&(nid_objs[397]),/* "ac-proxying" */ &(nid_objs[288]),/* "ac-targeting" */ &(nid_objs[364]),/* "ad dvcs" */ &(nid_objs[376]),/* "algorithm" */ @@ -1539,6 +1586,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[111]),/* "cast5-ofb" */ &(nid_objs[152]),/* "certBag" */ &(nid_objs[54]),/* "challengePassword" */ +&(nid_objs[395]),/* "clearance" */ &(nid_objs[13]),/* "commonName" */ &(nid_objs[50]),/* "contentType" */ &(nid_objs[53]),/* "countersignature" */ @@ -1581,6 +1629,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[355]),/* "id-aca-accessIdentity" */ &(nid_objs[354]),/* "id-aca-authenticationInfo" */ &(nid_objs[356]),/* "id-aca-chargingIdentity" */ +&(nid_objs[399]),/* "id-aca-encAttrs" */ &(nid_objs[357]),/* "id-aca-group" */ &(nid_objs[358]),/* "id-aca-role" */ &(nid_objs[176]),/* "id-ad" */ @@ -1747,12 +1796,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[46]),/* "idea-ofb" */ &(nid_objs[101]),/* "initials" */ &(nid_objs[181]),/* "iso" */ +&(nid_objs[393]),/* "joint-iso-ccitt" */ &(nid_objs[150]),/* "keyBag" */ &(nid_objs[157]),/* "localKeyID" */ &(nid_objs[15]),/* "localityName" */ &(nid_objs[ 3]),/* "md2" */ &(nid_objs[ 7]),/* "md2WithRSAEncryption" */ &(nid_objs[257]),/* "md4" */ +&(nid_objs[396]),/* "md4WithRSAEncryption" */ &(nid_objs[ 4]),/* "md5" */ &(nid_objs[114]),/* "md5-sha1" */ &(nid_objs[104]),/* "md5WithRSA" */ @@ -1806,6 +1857,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={ &(nid_objs[123]),/* "rc5-ofb" */ &(nid_objs[117]),/* "ripemd160" */ &(nid_objs[119]),/* "ripemd160WithRSA" */ +&(nid_objs[400]),/* "role" */ &(nid_objs[19]),/* "rsa" */ &(nid_objs[ 6]),/* "rsaEncryption" */ &(nid_objs[377]),/* "rsaSignature" */ 
@@ -1843,6 +1895,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[181]),/* OBJ_iso 1 */ &(nid_objs[182]),/* OBJ_member_body 1 2 */ &(nid_objs[379]),/* OBJ_org 1 3 */ +&(nid_objs[393]),/* OBJ_joint_iso_ccitt 2 */ &(nid_objs[11]),/* OBJ_X500 2 5 */ &(nid_objs[380]),/* OBJ_dod 1 3 6 */ &(nid_objs[12]),/* OBJ_X509 2 5 4 */ @@ -1850,6 +1903,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[81]),/* OBJ_id_ce 2 5 29 */ &(nid_objs[183]),/* OBJ_ISO_US 1 2 840 */ &(nid_objs[381]),/* OBJ_iana 1 3 6 1 */ +&(nid_objs[394]),/* OBJ_selected_attribute_types 2 5 1 5 */ &(nid_objs[13]),/* OBJ_commonName 2 5 4 3 */ &(nid_objs[100]),/* OBJ_surname 2 5 4 4 */ &(nid_objs[105]),/* OBJ_serialNumber 2 5 4 5 */ @@ -1865,6 +1919,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[101]),/* OBJ_initials 2 5 4 43 */ &(nid_objs[102]),/* OBJ_uniqueIdentifier 2 5 4 45 */ &(nid_objs[174]),/* OBJ_dnQualifier 2 5 4 46 */ +&(nid_objs[400]),/* OBJ_role 2 5 4 72 */ &(nid_objs[82]),/* OBJ_subject_key_identifier 2 5 29 14 */ &(nid_objs[83]),/* OBJ_key_usage 2 5 29 15 */ &(nid_objs[84]),/* OBJ_private_key_usage_period 2 5 29 16 */ @@ -1878,7 +1933,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */ &(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */ &(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */ +&(nid_objs[401]),/* OBJ_policy_constraints 2 5 29 36 */ &(nid_objs[126]),/* OBJ_ext_key_usage 2 5 29 37 */ +&(nid_objs[402]),/* OBJ_target_information 2 5 29 55 */ +&(nid_objs[403]),/* OBJ_no_rev_avail 2 5 29 56 */ &(nid_objs[390]),/* OBJ_dcObject 1466 344 */ &(nid_objs[382]),/* OBJ_Directory 1 3 6 1 1 */ &(nid_objs[383]),/* OBJ_Management 1 3 6 1 2 */ 
@@ -1888,6 +1946,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[387]),/* OBJ_SNMPv2 1 3 6 1 6 */ &(nid_objs[388]),/* OBJ_Mail 1 3 6 1 7 */ &(nid_objs[376]),/* OBJ_algorithm 1 3 14 3 2 */ +&(nid_objs[395]),/* OBJ_clearance 2 5 1 5 55 */ &(nid_objs[19]),/* OBJ_rsa 2 5 8 1 1 */ &(nid_objs[96]),/* OBJ_mdc2WithRSA 2 5 8 3 100 */ &(nid_objs[95]),/* OBJ_mdc2 2 5 8 3 101 */ @@ -1970,6 +2029,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */ &(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */ &(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */ +&(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */ +&(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */ &(nid_objs[164]),/* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */ &(nid_objs[165]),/* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */ &(nid_objs[293]),/* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */ @@ -2036,6 +2097,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[356]),/* OBJ_id_aca_chargingIdentity 1 3 6 1 5 5 7 10 3 */ &(nid_objs[357]),/* OBJ_id_aca_group 1 3 6 1 5 5 7 10 4 */ &(nid_objs[358]),/* OBJ_id_aca_role 1 3 6 1 5 5 7 10 5 */ +&(nid_objs[399]),/* OBJ_id_aca_encAttrs 1 3 6 1 5 5 7 10 6 */ &(nid_objs[359]),/* OBJ_id_qcs_pkixQCSyntax_v1 1 3 6 1 5 5 7 11 1 */ &(nid_objs[360]),/* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */ &(nid_objs[361]),/* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */ @@ -2050,6 +2112,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={ &(nid_objs[112]),/* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */ &(nid_objs[ 6]),/* OBJ_rsaEncryption 1 2 840 113549 1 1 1 */ &(nid_objs[ 7]),/* OBJ_md2WithRSAEncryption 1 2 840 113549 1 1 2 */ +&(nid_objs[396]),/* OBJ_md4WithRSAEncryption 1 2 840 113549 1 1 3 */ &(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */ &(nid_objs[65]),/* OBJ_sha1WithRSAEncryption 1 2 840 113549 1 1 5 */ &(nid_objs[28]),/* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */ 
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h index 401b1e5a1b..73b91bc6dc 100644 --- a/crypto/objects/obj_mac.h +++ b/crypto/objects/obj_mac.h @@ -71,11 +71,25 @@ #define NID_iso 181 #define OBJ_iso 1L +#define SN_joint_iso_ccitt "JOINT-ISO-CCITT" +#define LN_joint_iso_ccitt "joint-iso-ccitt" +#define NID_joint_iso_ccitt 393 +#define OBJ_joint_iso_ccitt 2L + #define SN_member_body "member-body" #define LN_member_body "ISO Member Body" #define NID_member_body 182 #define OBJ_member_body OBJ_iso,2L +#define SN_selected_attribute_types "selected-attribute-types" +#define LN_selected_attribute_types "Selected Attribute Types" +#define NID_selected_attribute_types 394 +#define OBJ_selected_attribute_types OBJ_joint_iso_ccitt,5L,1L,5L + +#define SN_clearance "clearance" +#define NID_clearance 395 +#define OBJ_clearance OBJ_selected_attribute_types,55L + #define SN_ISO_US "ISO-US" #define LN_ISO_US "ISO US Member Body" #define NID_ISO_US 183 @@ -145,6 +159,11 @@ #define NID_md2WithRSAEncryption 7 #define OBJ_md2WithRSAEncryption OBJ_pkcs1,2L +#define SN_md4WithRSAEncryption "RSA-MD4" +#define LN_md4WithRSAEncryption "md4WithRSAEncryption" +#define NID_md4WithRSAEncryption 396 +#define OBJ_md4WithRSAEncryption OBJ_pkcs1,3L + #define SN_md5WithRSAEncryption "RSA-MD5" #define LN_md5WithRSAEncryption "md5WithRSAEncryption" #define NID_md5WithRSAEncryption 8 @@ -956,6 +975,15 @@ #define NID_sbqp_routerIdentifier 292 #define OBJ_sbqp_routerIdentifier OBJ_id_pe,9L +#define SN_ac_proxying "ac-proxying" +#define NID_ac_proxying 397 +#define OBJ_ac_proxying OBJ_id_pe,10L + +#define SN_sinfo_access "subjectInfoAccess" +#define LN_sinfo_access "Subject Information Access" +#define NID_sinfo_access 398 +#define OBJ_sinfo_access OBJ_id_pe,11L + #define SN_id_qt_cps "id-qt-cps" #define LN_id_qt_cps "Policy Qualifier CPS" #define NID_id_qt_cps 164 
@@ -1264,6 +1292,10 @@ #define NID_id_aca_role 358 #define OBJ_id_aca_role OBJ_id_aca,5L +#define SN_id_aca_encAttrs "id-aca-encAttrs" +#define NID_id_aca_encAttrs 399 +#define OBJ_id_aca_encAttrs OBJ_id_aca,6L + #define SN_id_qcs_pkixQCSyntax_v1 "id-qcs-pkixQCSyntax-v1" #define NID_id_qcs_pkixQCSyntax_v1 359 #define OBJ_id_qcs_pkixQCSyntax_v1 OBJ_id_qcs,1L @@ -1555,6 +1587,11 @@ #define NID_dnQualifier 174 #define OBJ_dnQualifier OBJ_X509,46L +#define SN_role "role" +#define LN_role "role" +#define NID_role 400 +#define OBJ_role OBJ_X509,72L + #define SN_X500algorithms "X500algorithms" #define LN_X500algorithms "directory services - algorithms" #define NID_X500algorithms 378 @@ -1644,11 +1681,26 @@ #define NID_authority_key_identifier 90 #define OBJ_authority_key_identifier OBJ_id_ce,35L +#define SN_policy_constraints "policyConstraints" +#define LN_policy_constraints "X509v3 Policy Constraints" +#define NID_policy_constraints 401 +#define OBJ_policy_constraints OBJ_id_ce,36L + #define SN_ext_key_usage "extendedKeyUsage" #define LN_ext_key_usage "X509v3 Extended Key Usage" #define NID_ext_key_usage 126 #define OBJ_ext_key_usage OBJ_id_ce,37L +#define SN_target_information "targetInformation" +#define LN_target_information "X509v3 AC Targeting" +#define NID_target_information 402 +#define OBJ_target_information OBJ_id_ce,55L + +#define SN_no_rev_avail "noRevAvail" +#define LN_no_rev_avail "X509v3 No Revocation Available" +#define NID_no_rev_avail 403 +#define OBJ_no_rev_avail OBJ_id_ce,56L + #define SN_netscape "Netscape" #define LN_netscape "Netscape Communications Corp." #define NID_netscape 57 diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index d73a51370f..a6baa8c5f9 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num 
@@ -390,3 +390,14 @@ Enterprises 389 dcObject 390 domainComponent 391 Domain 392 +joint_iso_ccitt 393 +selected_attribute_types 394 +clearance 395 +md4WithRSAEncryption 396 +ac_proxying 397 +sinfo_access 398 +id_aca_encAttrs 399 +role 400 +policy_constraints 401 +target_information 402 +no_rev_avail 403 diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index 3d443cf884..5741ef5fc4 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -1,7 +1,13 @@ 1 : ISO : iso +2 : JOINT-ISO-CCITT : joint-iso-ccitt + iso 2 : member-body : ISO Member Body +joint-iso-ccitt 5 1 5 : selected-attribute-types : Selected Attribute Types + +selected-attribute-types 55 : clearance + member-body 840 : ISO-US : ISO US Member Body ISO-US 10040 : X9-57 : X9.57 X9-57 4 : X9cm : X9.57 CM ? @@ -26,6 +32,7 @@ rsadsi 1 : pkcs : RSA Data Security, Inc. PKCS pkcs 1 : pkcs1 pkcs1 1 : : rsaEncryption pkcs1 2 : RSA-MD2 : md2WithRSAEncryption +pkcs1 3 : RSA-MD4 : md4WithRSAEncryption pkcs1 4 : RSA-MD5 : md5WithRSAEncryption pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption @@ -302,6 +309,9 @@ id-pe 6 : aaControls id-pe 7 : sbqp-ipAddrBlock id-pe 8 : sbqp-autonomousSysNum id-pe 9 : sbqp-routerIdentifier +id-pe 10 : ac-proxying +!Cname sinfo-access +id-pe 11 : subjectInfoAccess : Subject Information Access # PKIX policyQualifiers for Internet policy qualifiers id-qt 1 : id-qt-cps : Policy Qualifier CPS @@ -406,7 +416,9 @@ id-aca 1 : id-aca-authenticationInfo id-aca 2 : id-aca-accessIdentity id-aca 3 : id-aca-chargingIdentity id-aca 4 : id-aca-group +# attention : the following seems to be obsolete, replace by 'role' id-aca 5 : id-aca-role +id-aca 6 : id-aca-encAttrs # qualified certificate statements id-qcs 1 : id-qcs-pkixQCSyntax-v1 
@@ -498,6 +510,7 @@ X509 42 : G : givenName X509 43 : I : initials X509 45 : UID : uniqueIdentifier X509 46 : dnQualifier : dnQualifier +X509 72 : role : role X500 8 : X500algorithms : directory services - algorithms X500algorithms 1 1 : RSA : rsa @@ -531,8 +544,14 @@ id-ce 31 : crlDistributionPoints : X509v3 CRL Distribution Points id-ce 32 : certificatePolicies : X509v3 Certificate Policies !Cname authority-key-identifier id-ce 35 : authorityKeyIdentifier : X509v3 Authority Key Identifier +!Cname policy-constraints +id-ce 36 : policyConstraints : X509v3 Policy Constraints !Cname ext-key-usage id-ce 37 : extendedKeyUsage : X509v3 Extended Key Usage +!Cname target-information +id-ce 55 : targetInformation : X509v3 AC Targeting +!Cname no-rev-avail +id-ce 56 : noRevAvail : X509v3 No Revocation Available !Cname netscape 2 16 840 1 113730 : Netscape : Netscape Communications Corp. diff --git a/crypto/opensslv.h b/crypto/opensslv.h index e903404ec7..c8b20894bb 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h 
@@ -44,13 +44,13 @@ * * libcrypto.so.0 * - * On True64 it works a little bit differently. There, the shared library - * version is stored in the file, and is actually a series of versions, - * separated by colons. The rightmost version present in the library when - * linking an application is stored in the application to be matched at - * run time. When the application is run, a check is done to see if the - * library version stored in the application matches any of the versions - * in the version string of the library itself. + * On Tru64 and IRIX 6.x it works a little bit differently. There, the + * shared library version is stored in the file, and is actually a series + * of versions, separated by colons. The rightmost version present in the + * library when linking an application is stored in the application to be + * matched at run time. When the application is run, a check is done to + * see if the library version stored in the application matches any of the + * versions in the version string of the library itself. * This version string can be constructed in any way, depending on what * kind of matching is desired. However, to implement the same scheme as * the one used in the other unixen, all compatible versions, from lowest @@ -73,7 +73,7 @@ * However, it's nice and more understandable if it actually does. * The current library version is stored in the macro SHLIB_VERSION_NUMBER, * which is just a piece of text in the format "M.m.e" (Major, minor, edit). - * For the sake of True64 and any other OS that behaves in similar ways, + * For the sake of Tru64, IRIX, and any other OS that behaves in similar ways, * we need to keep a history of version numbers, which is done in the * macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and * should only keep the versions that are binary compatible with the current. diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c index 6ae264cbf9..5ff5a88b5c 100644 --- a/crypto/pkcs7/pk7_attr.c 
+++ b/crypto/pkcs7/pk7_attr.c 
@@ -1,9 +1,59 @@ /* pk7_attr.c */ -/* S/MIME code. - * Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com) - * All Rights Reserved. - * Redistribution of this code without the authors permission is expressly - * prohibited. +/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL + * project 2001. + */ +/* ==================================================================== + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * */ #include diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 04b9d695b0..349629c484 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -144,6 +144,7 @@ static int initialized=0;
 static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
 * holds CRYPTO_LOCK_RAND
 * (to prevent double locking) */
+/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
 static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
@@ -210,7 +211,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
 */
 /* check if we already have the lock */
- do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+ if (crypto_lock_rand)
+ {
+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+ do_not_lock = (locking_thread == CRYPTO_thread_id());
+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
+ }
+ else
+ do_not_lock = 0;
 if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 st_idx=state_index;
@@ -361,8 +369,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
- crypto_lock_rand = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
 locking_thread = CRYPTO_thread_id();
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
 if (!initialized)
 {
@@ -435,7 +445,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 /* before unlocking, we must clear 'crypto_lock_rand' */
 crypto_lock_rand = 0;
- locking_thread = 0;
 CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 while (num > 0)
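Review bot: The comment added in the first hunk names `lockin_thread`, but the variable declared on the next line is `locking_thread`; it should read `/* access to locking_thread is synchronized by CRYPTO_LOCK_RAND2 */`. In the new `if (crypto_lock_rand)` block of ssleay_rand_add (and the identical block in the ssleay_rand_status hunk that follows) the flag itself is still read with no lock held, which rests on the declaration comment's rule that it is set only by the thread holding CRYPTO_LOCK_RAND; that reasoning deserves a one-line comment at the read, e.g. `/* unlocked read: crypto_lock_rand is only ever set by the CRYPTO_LOCK_RAND holder */`. In ssleay_rand_bytes the store `crypto_lock_rand = 1;` was deliberately moved after `locking_thread` is published under CRYPTO_LOCK_RAND2, and dropping `locking_thread = 0;` at unlock relies on the flag being cleared first, so a comment such as `/* set the flag only after locking_thread is valid */` would keep that ordering from being "tidied" later. Both functions begin outside the hunks shown.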
@@ -521,15 +530,24 @@ static int ssleay_rand_status(void)
 /* check if we already have the lock
 * (could happen if a RAND_poll() implementation calls RAND_status()) */
- do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
+ if (crypto_lock_rand)
+ {
+ CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
+ do_not_lock = (locking_thread == CRYPTO_thread_id());
+ CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
+ }
+ else
+ do_not_lock = 0;
 if (!do_not_lock)
 {
 CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 /* prevent ssleay_rand_bytes() from trying to obtain the lock again */
- crypto_lock_rand = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
 locking_thread = CRYPTO_thread_id();
+ CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
+ crypto_lock_rand = 1;
 }
 if (!initialized)
@@ -544,7 +562,6 @@ static int ssleay_rand_status(void)
 {
 /* before unlocking, we must clear 'crypto_lock_rand' */
 crypto_lock_rand = 0;
- locking_thread = 0;
 CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 }
diff --git a/crypto/ripemd/rmd_locl.h b/crypto/ripemd/rmd_locl.h
index f537b88867..7b835dfbd4 100644
--- a/crypto/ripemd/rmd_locl.h
+++ b/crypto/ripemd/rmd_locl.h
@@ -71,7 +71,7 @@
 *
 */
 #ifdef RMD160_ASM
-# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 # define ripemd160_block_host_order ripemd160_block_asm_host_order
 # endif
 #endif
@@ -79,7 +79,7 @@
 void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
 void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
-#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
+#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
 #define ripemd160_block_data_order ripemd160_block_host_order
 #endif
diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index bda636a365..8797cfc173 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -328,6 +328,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
 #define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
 #define RSA_R_DATA_TOO_LARGE 109
 #define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
+#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
 #define RSA_R_DATA_TOO_SMALL 111
 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index cde5ca27d5..f4e96c987a 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -79,8 +79,8 @@ static int RSA_eay_finish(RSA *rsa);
 static RSA_METHOD rsa_pkcs1_eay_meth={
 "Eric Young's PKCS#1 RSA",
 RSA_eay_public_encrypt,
- RSA_eay_public_decrypt,
- RSA_eay_private_encrypt,
+ RSA_eay_public_decrypt, /* signature verification */
+ RSA_eay_private_encrypt, /* signing */
 RSA_eay_private_decrypt,
 RSA_eay_mod_exp,
 BN_mod_exp_mont,
@@ -139,6 +139,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ /* usually the padding functions would catch this */
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
 {
 BN_MONT_CTX* bn_mont_ctx;
@@ -186,6 +193,7 @@ err:
 return(r);
 }
+/* signing */
 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
 {
@@ -223,6 +231,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 if (i <= 0) goto err;
 if (BN_bin2bn(buf,num,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ /* usually the padding functions would catch this */
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
 RSA_blinding_on(rsa,ctx);
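Review bot: The new `BN_ucmp(&f, rsa->n) >= 0` guard in RSA_eay_public_encrypt is explained only by `/* usually the padding functions would catch this */`, which does not say when they would not; presumably that is the RSA_NO_PADDING case, where the caller's bytes reach BN_bin2bn without a range check, so a more useful comment is `/* with RSA_NO_PADDING this is the only check keeping f < n before the mod_exp */` (confirm against the padding switch above the hunk). The same guard added in the RSA_eay_private_decrypt and RSA_eay_public_decrypt hunks on the next line carries no comment at all and should get the same wording, since there the input is raw ciphertext or signature bytes and no padding function runs before it. The four copies are character-for-character identical apart from the function code passed to RSAerr; a small static helper, or at least matching comments, would keep them from drifting apart. The enclosing functions begin outside the hunks shown.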
@@ -299,6 +314,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
 /* make data into a big number */
 if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
 if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
 RSA_blinding_on(rsa,ctx);
 if (rsa->flags & RSA_FLAG_BLINDING)
@@ -359,6 +380,7 @@ err:
 return(r);
 }
+/* signature verification */
 static int RSA_eay_public_decrypt(int flen, unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
 {
@@ -392,6 +414,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
 }
 if (BN_bin2bn(from,flen,&f) == NULL) goto err;
+
+ if (BN_ucmp(&f, rsa->n) >= 0)
+ {
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
+ goto err;
+ }
+
 /* do the decrypt */
 if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
 {
diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c
index 1cde7c0da4..bff7cf5d12 100644
--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
@@ -106,6 +106,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"},
 {RSA_R_DATA_TOO_LARGE ,"data too large"},
 {RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
+{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"},
 {RSA_R_DATA_TOO_SMALL ,"data too small"},
 {RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"},
 {RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"},
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index 1849e55cd5..4f0bbab386 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -2,7 +2,22 @@ /* Written by Ulf Moeller. This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ -/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ +/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ + +/* See Victor Shoup, "OAEP reconsidered," Nov. 2000, + * + * for problems with the security proof for the + * original OAEP scheme, which EME-OAEP is based on. + * + * A new proof can be found in E. Fujisaki, T. Okamoto, + * D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!", + * Dec. 2000, . + * The new proof has stronger requirements for the + * underlying permutation: "partial-one-wayness" instead + * of one-wayness. For the RSA function, this is + * an equivalent notion. + */ + #if !defined(NO_SHA) && !defined(NO_SHA1) #include 
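Review bot: The added comment misspells the cited paper's title as `RSA-OEAP is Still Alive!`; the scheme and the title are OAEP, so the line should read `* D. Pointcheval, J. Stern, "RSA-OAEP is Still Alive!",`. The same hunk corrects `EME_OAEP` to `EME-OAEP` in the opening comment, so the spelling should be consistent across the header. The locators after `Nov. 2000,` and `Dec. 2000,` are not visible in this view; if the commit itself leaves them empty, each reference should carry a URL or venue so the next reader can actually find the proof being relied on.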
@@ -12,157 +27,174 @@ #include #include -int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen); +int MGF1(unsigned char *mask, long len, + unsigned char *seed, long seedlen); int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, - unsigned char *from, int flen, unsigned char *param, int plen) - { - int i, emlen = tlen - 1; - unsigned char *db, *seed; - unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; - - if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) + unsigned char *from, int flen, + unsigned char *param, int plen) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, - RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); - return (0); - } + int i, emlen = tlen - 1; + unsigned char *db, *seed; + unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; - if (emlen < 2 * SHA_DIGEST_LENGTH + 1) - { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); - return (0); - } - - dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH); - if (dbmask == NULL) - { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); - return (0); - } + if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, + RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + return 0; + } - to[0] = 0; - seed = to + 1; - db = to + SHA_DIGEST_LENGTH + 1; + if (emlen < 2 * SHA_DIGEST_LENGTH + 1) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL); + return 0; + } - SHA1(param, plen, db); - memset(db + SHA_DIGEST_LENGTH, 0, - emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); - db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; - memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); - if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) - return (0); + dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH); + if (dbmask == NULL) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); + return 0; + } + + to[0] = 0; + seed = to + 1; + db = to + SHA_DIGEST_LENGTH + 1; + + SHA1(param, plen, db); + memset(db + SHA_DIGEST_LENGTH, 0, + emlen 
- flen - 2 * SHA_DIGEST_LENGTH - 1); + db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; + memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen); + if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0) + return 0; #ifdef PKCS_TESTVECT - memcpy(seed, + memcpy(seed, "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f", 20); #endif - MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); - for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) - db[i] ^= dbmask[i]; + MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH); + for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) + db[i] ^= dbmask[i]; - MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); - for (i = 0; i < SHA_DIGEST_LENGTH; i++) - seed[i] ^= seedmask[i]; + MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH); + for (i = 0; i < SHA_DIGEST_LENGTH; i++) + seed[i] ^= seedmask[i]; - OPENSSL_free(dbmask); - return (1); - } + OPENSSL_free(dbmask); + return 1; + } int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, unsigned char *from, int flen, int num, unsigned char *param, int plen) - { - int i, dblen, mlen = -1; - unsigned char *maskeddb; - int lzero; - unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; - - if (--num < 2 * SHA_DIGEST_LENGTH + 1) - goto decoding_err; - - lzero = num - flen; - if (lzero < 0) - goto decoding_err; - maskeddb = from - lzero + SHA_DIGEST_LENGTH; - - dblen = num - SHA_DIGEST_LENGTH; - db = OPENSSL_malloc(dblen); - if (db == NULL) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); - return (-1); - } + int i, dblen, mlen = -1; + unsigned char *maskeddb; + int lzero; + unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; + int bad = 0; - MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); - for (i = lzero; i < SHA_DIGEST_LENGTH; i++) - seed[i] ^= from[i - lzero]; - - MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); - for (i = 0; i < dblen; i++) - 
db[i] ^= maskeddb[i]; + if (--num < 2 * SHA_DIGEST_LENGTH + 1) + /* 'num' is the length of the modulus, i.e. does not depend on the + * particular ciphertext. */ + goto decoding_err; - SHA1(param, plen, phash); - - if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) - goto decoding_err; - else - { - for (i = SHA_DIGEST_LENGTH; i < dblen; i++) - if (db[i] != 0x00) - break; - if (db[i] != 0x01 || i++ >= dblen) - goto decoding_err; - else - { - mlen = dblen - i; - if (tlen < mlen) + lzero = num - flen; + if (lzero < 0) { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); - mlen = -1; + /* lzero == -1 */ + + /* signalling this error immediately after detection might allow + * for side-channel attacks (e.g. timing if 'plen' is huge + * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal + * Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001), + * so we use a 'bad' flag */ + bad = 1; + lzero = 0; } - else - memcpy(to, db + i, mlen); - } - } - OPENSSL_free(db); - return (mlen); + maskeddb = from - lzero + SHA_DIGEST_LENGTH; + + dblen = num - SHA_DIGEST_LENGTH; + db = OPENSSL_malloc(dblen); + if (db == NULL) + { + RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE); + return -1; + } + + MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); + for (i = lzero; i < SHA_DIGEST_LENGTH; i++) + seed[i] ^= from[i - lzero]; + + MGF1(db, dblen, seed, SHA_DIGEST_LENGTH); + for (i = 0; i < dblen; i++) + db[i] ^= maskeddb[i]; + + SHA1(param, plen, phash); + + if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) + goto decoding_err; + else + { + for (i = SHA_DIGEST_LENGTH; i < dblen; i++) + if (db[i] != 0x00) + break; + if (db[i] != 0x01 || i++ >= dblen) + goto decoding_err; + else + { + /* everything looks OK */ + + mlen = dblen - i; + if (tlen < mlen) + { + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); + mlen = -1; + } + else + memcpy(to, db + i, mlen); + } + } + OPENSSL_free(db); + return mlen; decoding_err: - /* to avoid 
chosen ciphertext attacks, the error message should not reveal - * which kind of decoding error happened */ - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); - if (db != NULL) OPENSSL_free(db); - return -1; - } + /* to avoid chosen ciphertext attacks, the error message should not reveal + * which kind of decoding error happened */ + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); + if (db != NULL) OPENSSL_free(db); + return -1; + } int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen) - { - long i, outlen = 0; - unsigned char cnt[4]; - SHA_CTX c; - unsigned char md[SHA_DIGEST_LENGTH]; - - for (i = 0; outlen < len; i++) { - cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255, - cnt[2] = (i >> 8) & 255, cnt[3] = i & 255; - SHA1_Init(&c); - SHA1_Update(&c, seed, seedlen); - SHA1_Update(&c, cnt, 4); - if (outlen + SHA_DIGEST_LENGTH <= len) - { - SHA1_Final(mask + outlen, &c); - outlen += SHA_DIGEST_LENGTH; - } - else - { - SHA1_Final(md, &c); - memcpy(mask + outlen, md, len - outlen); - outlen = len; - } + long i, outlen = 0; + unsigned char cnt[4]; + SHA_CTX c; + unsigned char md[SHA_DIGEST_LENGTH]; + + for (i = 0; outlen < len; i++) + { + cnt[0] = (i >> 24) & 255, cnt[1] = (i >> 16) & 255, + cnt[2] = (i >> 8) & 255, cnt[3] = i & 255; + SHA1_Init(&c); + SHA1_Update(&c, seed, seedlen); + SHA1_Update(&c, cnt, 4); + if (outlen + SHA_DIGEST_LENGTH <= len) + { + SHA1_Final(mask + outlen, &c); + outlen += SHA_DIGEST_LENGTH; + } + else + { + SHA1_Final(md, &c); + memcpy(mask + outlen, md, len - outlen); + outlen = len; + } + } + return 0; } - return (0); - } #endif diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h index 2f8aef83f3..631ba7320c 100644 --- a/crypto/sha/sha_locl.h +++ b/crypto/sha/sha_locl.h 
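Review bot: In RSA_padding_check_PKCS1_OAEP the new-side line `if (db[i] != 0x01 || i++ >= dblen)` reads db[i] before confirming that i is still below dblen, so when the preceding zero-scan loop runs to the end (i == dblen) it reads one byte past the OPENSSL_malloc'd buffer; the result is still decoding_err, but the access itself is out of bounds. Testing the bound first and moving the increment out of the condition keeps the behaviour and removes the over-read: `if (i >= dblen || db[i] != 0x01) goto decoding_err;` followed by `i++;`. Separately, the malloc-failure report in that same function still passes `RSA_F_RSA_PADDING_ADD_PKCS1_OAEP` where the other RSAerr calls in the function use `RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP`, so the error queue would name the wrong function on that path. The `bad` flag defers the lzero < 0 verdict to the common decoding_err exit as the comment explains; the remaining early report of RSA_R_DATA_TOO_LARGE when tlen < mlen depends on the caller's buffer size, which presumably does not vary with the ciphertext, so it seems acceptable but is worth a short comment saying so.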
@@ -115,7 +115,7 @@ # endif # ifdef SHA1_ASM -# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__) +# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) # define sha1_block_host_order sha1_block_asm_host_order # define DONT_IMPLEMENT_BLOCK_HOST_ORDER # define sha1_block_data_order sha1_block_asm_data_order diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 86b3b79dcc..934e541e35 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -79,7 +79,7 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust; static X509_TRUST trstandard[] = { {X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL}, {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL}, -{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL}, +{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL}, {X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL}, }; diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index cfb478d4bc..ac04d413b3 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -95,7 +95,7 @@ const char *X509_verify_cert_error_string(long n) case X509_V_ERR_CRL_NOT_YET_VALID: return("CRL is not yet valid"); case X509_V_ERR_CERT_HAS_EXPIRED: - return("Certificate has expired"); + return("certificate has expired"); case X509_V_ERR_CRL_HAS_EXPIRED: return("CRL has expired"); case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 0f4110cc64..7a30092247 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -911,6 +911,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t) ctx->flags |= X509_V_FLAG_USE_CHECK_TIME; } +void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, + int (*verify_cb)(int, X509_STORE_CTX *)) + { + ctx->verify_cb=verify_cb; + } + IMPLEMENT_STACK_OF(X509) IMPLEMENT_ASN1_SET_OF(X509) 
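Review bot: The new X509_STORE_CTX_set_verify_cb stores verify_cb without any comment on its contract, in particular what a NULL argument means and when the setter must be called relative to X509_verify_cert(); if the verification path invokes ctx->verify_cb unconditionally, a NULL stored here would presumably be dereferenced later, which I cannot confirm from this hunk. A short header comment would settle that for callers, for instance: `/* Replace the verification callback of this context. Call before X509_verify_cert(); NULL is not checked here, so pass a valid function. */`. The companion declaration lands in the x509_vfy.h hunk below and would benefit from the same note.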
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index e289d5309a..42151028a3 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h @@ -382,6 +382,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, int purpose, int trust); void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags); void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t); +void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, + int (*verify_cb)(int, X509_STORE_CTX *)); #ifdef __cplusplus } diff --git a/doc/apps/openssl.pod b/doc/apps/openssl.pod index 0cbd199d79..e3c79a43ce 100644 --- a/doc/apps/openssl.pod +++ b/doc/apps/openssl.pod @@ -125,6 +125,10 @@ Generation of RSA Parameters. Generation of hashed passwords. +=item L|pkcs12(1)> + +PKCS#12 Data Management. + =item L|pkcs7(1)> PKCS#7 Data Management. diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index 90455525d1..ea5c29c150 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -200,14 +200,14 @@ the signature of the certificate is invalid. Unused. the certificate is not yet valid: the notBefore date is after the current time. -=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> - -the CRL is not yet valid. Unused. - -=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired> +=item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> the certificate has expired: that is the notAfter date is before the current time. +=item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> + +the CRL is not yet valid. Unused. + =item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> the CRL has expired. Unused. diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod index cbae2fca97..ecd410f7f2 100644 --- a/doc/crypto/BN_rand.pod +++ b/doc/crypto/BN_rand.pod 
@@ -14,6 +14,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom); + =head1 DESCRIPTION BN_rand() generates a cryptographically strong pseudo-random number of @@ -31,6 +33,8 @@ protocols, but usually not for key generation etc. BN_rand_range() generates a cryptographically strong pseudo-random number B in the range 0 = B E B. +BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(), +and hence numbers generated by it are not necessarily unpredictable. The PRNG must be seeded prior to calling BN_rand() or BN_rand_range(). @@ -49,5 +53,6 @@ L, L BN_rand() is available in all versions of SSLeay and OpenSSL. BN_pseudo_rand() was added in OpenSSL 0.9.5. The B == -1 case and the function BN_rand_range() were added in OpenSSL 0.9.6a. +BN_pseudo_rand_range() was added in OpenSSL 0.9.6c. =cut diff --git a/doc/crypto/bn.pod b/doc/crypto/bn.pod index d183028d61..1524bc202d 100644 --- a/doc/crypto/bn.pod +++ b/doc/crypto/bn.pod @@ -61,6 +61,7 @@ bn - multiprecision integer arithmetics int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); int BN_rand_range(BIGNUM *rnd, BIGNUM *range); + int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod index bc7ff9b705..136844be35 100644 --- a/doc/crypto/threads.pod +++ b/doc/crypto/threads.pod 
@@ -53,8 +53,10 @@ OpenSSL can safely be used in multi-threaded applications provided that at least two callback functions are set. locking_function(int mode, int n, const char *file, int line) is -needed to perform locking on shared data structures. Multi-threaded -applications will crash at random if it is not set. +needed to perform locking on shared data structures. +(Note that OpenSSL uses a number of global data structures that +will be implicitly shared whenever multiple threads use OpenSSL.) +Multi-threaded applications will crash at random if it is not set. locking_function() must be able to handle up to CRYPTO_num_locks() different mutex locks. It sets the B-th lock if B & diff --git a/doc/ssl/SSL_CTX_ctrl.pod b/doc/ssl/SSL_CTX_ctrl.pod index fb6adcf50c..4228225ae8 100644 --- a/doc/ssl/SSL_CTX_ctrl.pod +++ b/doc/ssl/SSL_CTX_ctrl.pod @@ -8,10 +8,10 @@ SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl - internal hand #include - long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); + long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg); long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)()); - long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); + long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg); long SSL_callback_ctrl(SSL *, int cmd, void (*fp)()); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_free.pod b/doc/ssl/SSL_CTX_free.pod index c716cde164..55e592f5f8 100644 --- a/doc/ssl/SSL_CTX_free.pod +++ b/doc/ssl/SSL_CTX_free.pod @@ -24,6 +24,8 @@ the certificates and keys. SSL_CTX_free() does not provide diagnostic information. +=head1 SEE ALSO + L, L =cut diff --git a/doc/ssl/SSL_CTX_load_verify_locations.pod b/doc/ssl/SSL_CTX_load_verify_locations.pod index 0f63537e78..84a799fc71 100644 --- a/doc/ssl/SSL_CTX_load_verify_locations.pod +++ b/doc/ssl/SSL_CTX_load_verify_locations.pod 
@@ -58,7 +58,7 @@ failure. In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of B or B and must -explicitely be set using the +explicitly be set using the L family of functions. @@ -118,7 +118,7 @@ L, L, L, L, -L - +L, +L =cut diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 1dae8b0bdd..465220a75c 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -59,10 +59,6 @@ choice when compatibility is a concern. =back -If a generic method is used, it is necessary to explicitly set client or -server mode with L -or SSL_set_accept_state(). - The list of protocols available can later be limited using the SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B or B functions. Using these options it is possible to choose diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index b6f15b4404..6e0ef00632 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -70,12 +70,16 @@ proposed by the client. The get_session_cb() is always called, also when session caching was disabled. The get_session_cb() is passed the B connection, the session id of length B at the memory location B. With the parameter B the callback can require the -SSL engine to increment the reference count of the SSL_SESSION object. +SSL engine to increment the reference count of the SSL_SESSION object, +Normally the reference count is not incremented and therefore the +session must not be explicitly freed with +L. =head1 SEE ALSO L, L, L, -L +L, +L =cut diff --git a/doc/ssl/SSL_CTX_set_cipher_list.pod b/doc/ssl/SSL_CTX_set_cipher_list.pod index 9a29eeeb95..ed64f64157 100644 --- a/doc/ssl/SSL_CTX_set_cipher_list.pod +++ b/doc/ssl/SSL_CTX_set_cipher_list.pod 
@@ -34,9 +34,25 @@ a necessary condition. On the client side, the inclusion into the list is also sufficient. On the server side, additional restrictions apply. All ciphers have additional requirements. ADH ciphers don't need a certificate, but DH-parameters must have been set. All other ciphers need a corresponding -certificate and key. A RSA cipher can only be chosen, when a RSA certificate is -available, the respective is valid for DSA ciphers. Ciphers using EDH need -a certificate and key and DH-parameters. +certificate and key. + +A RSA cipher can only be chosen, when a RSA certificate is available. +RSA export ciphers with a keylength of 512 bits for the RSA key require +a temporary 512 bit RSA key, as typically the supplied key has a length +of 1024 bit (see +L). +RSA ciphers using EDH need a certificate and key and additional DH-parameters +(see L). + +A DSA cipher can only be chosen, when a DSA certificate is available. +DSA ciphers always use DH key exchange and therefore need DH-parameters +(see L). + +When these conditions are not met for any cipher in the list (e.g. a +client only supports export RSA ciphers with a asymmetric key length +of 512 bits and the server is not configured to use temporary RSA +keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated +and the handshake will fail. =head1 RETURN VALUES @@ -47,6 +63,8 @@ could be selected and 0 on complete failure. L, L, L, +L, +L, L =cut diff --git a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod index a5343a1cf3..2b87f01ca1 100644 --- a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod +++ b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod 
@@ -40,6 +40,12 @@ then keep it in memory and use it several times. In the last case, the password could be stored into the B storage and the pem_passwd_cb() only returns the password already stored. +When asking for the password interactively, pem_passwd_cb() can use +B to check, whether an item shall be encrypted (rwflag=1). +In this case the password dialog may ask for the same password twice +for comparison in order to catch typos, that would make decryption +impossible. + Other items in PEM formatting (certificates) can also be encrypted, it is however not usual, as certificate information is considered public. diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod index 9a035bb4d1..9822544e5e 100644 --- a/doc/ssl/SSL_CTX_set_mode.pod +++ b/doc/ssl/SSL_CTX_set_mode.pod @@ -37,6 +37,9 @@ The following mode changes are available: Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success when just a single record has been written). When not set (the default), SSL_write() will only report success once the complete chunk was written. +Once SSL_write() returns with r, r bytes have been successfully written +and the next call to SSL_write() must only send the n-r bytes left, +imitating the behaviour of write(). =item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 3dc7cc74ad..5842a31fa4 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -17,10 +17,10 @@ SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - man =head1 DESCRIPTION SSL_CTX_set_options() adds the options set via bitmask in B to B. -Options already set before are not cleared. +Options already set before are not cleared! SSL_set_options() adds the options set via bitmask in B to B. -Options already set before are not cleared. +Options already set before are not cleared! SSL_CTX_get_options() returns the options set for B. 
@@ -32,7 +32,12 @@ The behaviour of the SSL library can be changed by setting several options. The options are coded as bitmasks and can be combined by a logical B operation (|). Options can only be added but can never be reset. -During a handshake, the option settings of the SSL object used. When +SSL_CTX_set_options() and SSL_set_options() affect the (external) +protocol behaviour of the SSL library. The (internal) behaviour of +the API can be changed by using the similar +L and SSL_set_modes() functions. + +During a handshake, the option settings of the SSL object are used. When a new SSL object is created from a context using SSL_new(), the current option setting is copied. Changes to B do not affect already created SSL objects. SSL_clear() does not affect the settings. 
@@ -122,11 +127,27 @@ The following B options are available: =item SSL_OP_SINGLE_DH_USE -Always create a new key when using temporary DH parameters. +Always create a new key when using temporary/ephemeral DH parameters +(see L). +This option must be used to prevent small subgroup attacks, when +the DH parameters were not generated using "strong" primes +(e.g. when using DSA-parameters, see L). +If "strong" primes were used, it is not strictly necessary to generate +a new DH key during each handshake but it is also recommended. +SSL_OP_SINGLE_DH_USE should therefore be enabled whenever +temporary/ephemeral DH parameters are used. =item SSL_OP_EPHEMERAL_RSA -Also use the temporary RSA key when doing RSA operations. +Always use ephemeral (temporary) RSA key when doing RSA operations +(see L). +According to the specifications this is only done, when a RSA key +can only be used for signature operations (namely under export ciphers +with restricted RSA keylength). By setting this option, ephemeral +RSA keys are always used. This option breaks compatibility with the +SSL/TLS specifications and may lead to interoperability problems with +clients and should therefore never be used. Ciphers with EDH (ephemeral +Diffie-Hellman) key exchange should be used instead. =item SSL_OP_PKCS1_CHECK_1 @@ -142,11 +163,6 @@ If we accept a netscape connection, demand a client cert, have a non-self-sighed CA which does not have it's CA in netscape, and the browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta -=item SSL_OP_NON_EXPORT_FIRST - -On servers try to use non-export (stronger) ciphers first. This option does -not work under all circumstances (in the code it is declared "broken"). - =item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ... @@ -174,7 +190,10 @@ SSL_CTX_get_options() and SSL_get_options() return the current bitmask. =head1 SEE ALSO -L, L, L +L, L, L, +L, +L, +L =head1 HISTORY 
diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod index 8bbfc78720..9aa6c6b2e3 100644 --- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -97,6 +97,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode. =head1 SEE ALSO L, L, +L, L, L, L, diff --git a/doc/ssl/SSL_CTX_set_timeout.pod b/doc/ssl/SSL_CTX_set_timeout.pod index 21faed12d4..e3de27c473 100644 --- a/doc/ssl/SSL_CTX_set_timeout.pod +++ b/doc/ssl/SSL_CTX_set_timeout.pod @@ -37,7 +37,10 @@ L is called, either directly by the application or automatically (see L) -The default value for session timeout is 300 seconds. +The default value for session timeout is decided on a per protocol +basis, see L. +All currently supported protocols have the same default timeout value +of 300 seconds. =head1 RETURN VALUES @@ -50,6 +53,7 @@ SSL_CTX_get_timeout() returns the currently set timeout value. L, L, L, -L +L, +L =cut diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index fc0b76118f..5bb21ca535 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod 
@@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result. B the server sends a client certificate request to the client. The certificate returned (if any) is checked. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags. B the server certificate is verified. If the verification process -fails as indicated by B, the TLS/SSL handshake is +fails, the TLS/SSL handshake is immediately terminated with an alert message containing the reason for the verification failure. If no server certificate is sent, because an anonymous cipher is used, SSL_VERIFY_PEER is ignored. @@ -92,6 +92,15 @@ B ignored Exactly one of the B flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be set at any time. +The actual verification procedure is performed either using the built-in +verification procedure or using another application provided verification +function set with +L. +The following descriptions apply in the case of the built-in procedure. An +application provided procedure also has access to the verify depth information +and the verify_callback() function, but the way this information is used +may be different. + SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up to which depth certificates in a chain are used during the verification procedure. If the certificate chain is longer than allowed, the certificates @@ -278,6 +287,7 @@ L, L, L, L, +L, L, L diff --git a/doc/ssl/SSL_SESSION_free.pod b/doc/ssl/SSL_SESSION_free.pod index df30ccbb32..558de01df9 100644 --- a/doc/ssl/SSL_SESSION_free.pod +++ b/doc/ssl/SSL_SESSION_free.pod 
@@ -16,10 +16,40 @@ SSL_SESSION_free() decrements the reference count of B and removes the B structure pointed to by B and frees up the allocated memory, if the the reference count has reached 0. +=head1 NOTES + +SSL_SESSION objects are allocated, when a TLS/SSL handshake operation +is successfully completed. Depending on the settings, see +L, +the SSL_SESSION objects are internally referenced by the SSL_CTX and +linked into its session cache. SSL objects may be using the SSL_SESSION object; +as a session may be reused, several SSL objects may be using one SSL_SESSION +object at the same time. It is therefore crucial to keep the reference +count (usage information) correct and not delete a SSL_SESSION object +that is still used, as this may lead to program failures due to +dangling pointers. These failures may also appear delayed, e.g. +when an SSL_SESSION object was completely freed as the reference count +incorrectly became 0, but it is still referenced in the internal +session cache and the cache list is processed during a +L operation. + +SSL_SESSION_free() must only be called for SSL_SESSION objects, for +which the reference count was explicitly incremented (e.g. +by calling SSL_get1_session(), see L) +or when the SSL_SESSION object was generated outside a TLS handshake +operation, e.g. by using L. +It must not be called on other SSL_SESSION objects, as this would cause +incorrect reference counts and therefore program failures. + =head1 RETURN VALUES SSL_SESSION_free() does not provide diagnostic information. -L, L +=head1 SEE ALSO + +L, L, +L, +L, + L =cut diff --git a/doc/ssl/SSL_SESSION_get_time.pod b/doc/ssl/SSL_SESSION_get_time.pod index cd33b73aa3..ea3c2bcfe6 100644 --- a/doc/ssl/SSL_SESSION_get_time.pod +++ b/doc/ssl/SSL_SESSION_get_time.pod @@ -58,6 +58,7 @@ If any of the function is passed the NULL pointer for the session B, =head1 SEE ALSO L, -L +L, +L =cut 
diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod index 86f980de41..ac6caf9baa 100644 --- a/doc/ssl/SSL_accept.pod +++ b/doc/ssl/SSL_accept.pod @@ -37,11 +37,6 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. -When using a generic method (see L), it -is necessary to call SSL_set_accept_state() -before calling SSL_accept() to explicitly switch the B to server -mode. - =head1 RETURN VALUES The following return values can occur: diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod index 94e28cc307..783758943d 100644 --- a/doc/ssl/SSL_alert_type_string.pod +++ b/doc/ssl/SSL_alert_type_string.pod @@ -8,11 +8,11 @@ SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_al #include - const char *SSL_alert_type_string(int value); - const char *SSL_alert_type_string_long(int value); + char *SSL_alert_type_string(int value); + char *SSL_alert_type_string_long(int value); - const char *SSL_alert_desc_string(int value); - const char *SSL_alert_desc_string_long(int value); + char *SSL_alert_desc_string(int value); + char *SSL_alert_desc_string_long(int value); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod index bcc167745b..766f1876aa 100644 --- a/doc/ssl/SSL_connect.pod +++ b/doc/ssl/SSL_connect.pod @@ -34,11 +34,6 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. -When using a generic method (see L), it -is necessary to call L -before calling SSL_connect() to explicitly switch the B to client -mode. - =head1 RETURN VALUES The following return values can occur: 
diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod index d95eec78aa..f700bf0ace 100644 --- a/doc/ssl/SSL_get_error.pod +++ b/doc/ssl/SSL_get_error.pod @@ -69,13 +69,13 @@ to read data. This is mainly because TLS/SSL handshakes may occur at any time during the protocol (initiated by either the client or the server); SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. -=item SSL_ERROR_WANT_CONNECT +=item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT The operation did not complete; the same TLS/SSL I/O function should be called again later. The underlying BIO was not connected yet to the peer -and the call would block in connect(). The SSL function should be -called again when the connection is established. This messages can only -appear with a BIO_s_connect() BIO. +and the call would block in connect()/accept(). The SSL function should be +called again when the connection is established. These messages can only +appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively. In order to find out, when the connection has been successfully established, on many platforms select() or poll() for writing on the socket file descriptor can be used. diff --git a/doc/ssl/SSL_get_peer_certificate.pod b/doc/ssl/SSL_get_peer_certificate.pod index 18d1db5183..60635a9660 100644 --- a/doc/ssl/SSL_get_peer_certificate.pod +++ b/doc/ssl/SSL_get_peer_certificate.pod @@ -19,7 +19,7 @@ peer presented. If the peer did not present a certificate, NULL is returned. Due to the protocol definition, a TLS/SSL server will always send a certificate, if present. A client will only send a certificate when -explicitely requested to do so by the server (see +explicitly requested to do so by the server (see L). If an anonymous cipher is used, no certificates are sent. diff --git a/doc/ssl/SSL_get_session.pod b/doc/ssl/SSL_get_session.pod index a0266e2ac6..8547faa58b 100644 --- a/doc/ssl/SSL_get_session.pod +++ b/doc/ssl/SSL_get_session.pod 
@@ -40,6 +40,12 @@ If the data is to be kept, SSL_get1_session() will increment the reference count and the session will stay in memory until explicitly freed with L, regardless of its state. +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). + =head1 RETURN VALUES The following return values can occur: diff --git a/doc/ssl/SSL_new.pod b/doc/ssl/SSL_new.pod index 3b084e867d..25300e978f 100644 --- a/doc/ssl/SSL_new.pod +++ b/doc/ssl/SSL_new.pod @@ -38,6 +38,7 @@ The return value points to an allocated SSL structure. L, L, L, +L, L =cut diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index cc7aa1a547..f6c37f77e4 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -25,11 +25,10 @@ the SSL_read() operation. The behaviour of SSL_read() depends on the underlying BIO. For the transparent negotiation to succeed, the B must have been -initialized to client or server mode. This is not the case if a generic -method is being used (see L, so that +initialized to client or server mode. This is being done by calling L or SSL_set_accept_state() -must be used before the first call to an SSL_read() or -L function). +before the first call to an SSL_read() or L +function. SSL_read() works based on the SSL/TLS records. The data are received in records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a 
@@ -84,9 +83,20 @@ bytes actually read from the TLS/SSL connection. =item 0 -The read operation was not successful, probably because no data was -available. Call SSL_get_error() with the return value B to find out, -whether an error occurred. +The read operation was not successful. The reason may either be a clean +shutdown due to a "close notify" alert sent by the peer (in which case +the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set +(see L, +L). It is also possible, that +the peer simply shut down the underlying transport and the shutdown is +incomplete. Call SSL_get_error() with the return value B to find out, +whether an error occurred or the connection was shut down cleanly +(SSL_ERROR_ZERO_RETURN). + +SSLv2 (deprecated) does not support a shutdown alert protocol, so it can +only be detected, whether the underlying connection was closed. It cannot +be checked, whether the closure was initiated by the peer or by something +else. =item E0 @@ -102,6 +112,7 @@ L, L, L, L, L, L L, +L, L, L, L =cut diff --git a/doc/ssl/SSL_rstate_string.pod b/doc/ssl/SSL_rstate_string.pod index bdb8a1fcd5..6dbbb99b93 100644 --- a/doc/ssl/SSL_rstate_string.pod +++ b/doc/ssl/SSL_rstate_string.pod @@ -8,8 +8,8 @@ SSL_rstate_string, SSL_rstate_string_long - get textual description of state of #include - const char *SSL_rstate_string(SSL *ssl); - const char *SSL_rstate_string_long(SSL *ssl); + char *SSL_rstate_string(SSL *ssl); + char *SSL_rstate_string_long(SSL *ssl); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_set_connect_state.pod b/doc/ssl/SSL_set_connect_state.pod index a8c4463c64..7adf8adfed 100644 --- a/doc/ssl/SSL_set_connect_state.pod +++ b/doc/ssl/SSL_set_connect_state.pod 
@@ -14,9 +14,9 @@ SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in clie =head1 DESCRIPTION -SSL_set_connect_state() B to work in client mode. +SSL_set_connect_state() sets B to work in client mode. -SSL_set_accept_state() B to work in server mode. +SSL_set_accept_state() sets B to work in server mode. =head1 NOTES @@ -27,12 +27,17 @@ server connections. (The method might have been changed with L or SSL_set_ssl_method().) -In order to successfully accomplish the handshake, the SSL routines need -to know whether they should act in server or client mode. If the generic -method was used, this is not clear from the method itself and must be set -with either SSL_set_connect_state() or SSL_set_accept_state(). If these -routines are not called, the default value set when L -is called is server mode. +When beginning a new handshake, the SSL engine must know whether it must +call the connect (client) or accept (server) routines. Even though it may +be clear from the method chosen, whether client or server mode was +requested, the handshake routines must be explicitly set. + +When using the L or +L routines, the correct handshake +routines are automatically set. When performing a transparent negotiation +using L or L, the +handshake routines must be explicitly set in advance using either +SSL_set_connect_state() or SSL_set_accept_state(). =head1 RETURN VALUES @@ -42,6 +47,8 @@ information. =head1 SEE ALSO L, L, L, +L, L, +L, L, L =cut diff --git a/doc/ssl/SSL_set_session.pod b/doc/ssl/SSL_set_session.pod index c4f7878579..5f54714ad8 100644 --- a/doc/ssl/SSL_set_session.pod +++ b/doc/ssl/SSL_set_session.pod 
@@ -16,12 +16,21 @@ SSL_set_session() sets B to be used when the TLS/SSL connection is to be established. SSL_set_session() is only useful for TLS/SSL clients. When the session is set, the reference count of B is incremented by 1. If the session is not reused, the reference count is decremented -again during SSL_connect(). +again during SSL_connect(). Whether the session was reused can be queried +with the L call. If there is already a session set inside B (because it was set with SSL_set_session() before or because the same B was already used for a connection), SSL_SESSION_free() will be called for that session. +=head1 NOTES + +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). + =head1 RETURN VALUES The following return values can occur: @@ -41,6 +50,8 @@ The operation succeeded. =head1 SEE ALSO L, L, +L, +L, L =cut diff --git a/doc/ssl/SSL_set_shutdown.pod b/doc/ssl/SSL_set_shutdown.pod index 6b196c1f15..6289e635d9 100644 --- a/doc/ssl/SSL_set_shutdown.pod +++ b/doc/ssl/SSL_set_shutdown.pod @@ -46,7 +46,10 @@ The shutdown state of the connection is used to determine the state of the ssl session. If the session is still open, when L or L is called, it is considered bad and removed according to RFC2246. -The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN. +The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN +(according to the TLS RFC, it is acceptable to only send the "close notify" +alert but to not wait for the peer's answer, when the underlying connection +is closed). SSL_set_shutdown() can be used to set this state without sending a close alert to the peer (see L). 
@@ -63,6 +66,7 @@ SSL_get_shutdown() returns the current setting. =head1 SEE ALSO L, L, +L, L, L =cut diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index c4ae6704e7..6b5012be7a 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod 
@@ -22,10 +22,52 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and a currently open session is considered closed and good and will be kept in the session cache for further reuse. -The behaviour of SSL_shutdown() depends on the underlying BIO. +The shutdown procedure consists of 2 steps: the sending of the "close notify" +shutdown alert and the reception of the peer's "close notify" shutdown +alert. According to the TLS standard, it is acceptable for an application +to only send its shutdown alert and then close the underlying connection +without waiting for the peer's response (this way resources can be saved, +as the process can already terminate or serve another connection). +When the underlying connection shall be used for more communications, the +complete shutdown procedure (bidirectional "close notify" alerts) must be +performed, so that the peers stay synchronized. + +SSL_shutdown() supports both uni- and bidirectional shutdown by its 2 step +behaviour. + +=over 4 + +=item When the application is the first party to send the "close notify" +alert, SSL_shutdown() will only send the alert and the set the +SSL_SENT_SHUTDOWN flag (so that the session is considered good and will +be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional +shutdown is enough (the underlying connection shall be closed anyway), this +first call to SSL_shutdown() is sufficient. In order to complete the +bidirectional shutdown handshake, SSL_shutdown() must be called again. +The second call will make SSL_shutdown() wait for the peer's "close notify" +shutdown alert. On success, the second call to SSL_shutdown() will return +with 1. + +=item If the peer already sent the "close notify" alert B it was +already processed implicitly inside another function +(L), the SSL_RECEIVED_SHUTDOWN flag is set. +SSL_shutdown() will send the "close notify" alert, set the SSL_SENT_SHUTDOWN +flag and will immediately return with 1. 
+Whether SSL_RECEIVED_SHUTDOWN is already set can be checked using the +SSL_get_shutdown() (see also L call. + +=back + +It is therefore recommended, to check the return value of SSL_shutdown() +and call SSL_shutdown() again, if the bidirectional shutdown is not yet +complete (return value of the first call is 0). As the shutdown is not +specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on +the first call. + +The behaviour of SSL_shutdown() additionally depends on the underlying BIO. If the underlying BIO is B, SSL_shutdown() will only return once the -handshake has been finished or an error occurred. +handshake step has been finished or an error occurred. If the underlying BIO is B, SSL_shutdown() will also return when the underlying BIO could not satisfy the needs of SSL_shutdown() @@ -38,6 +80,12 @@ nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +SSL_shutdown() can be modified to only set the connection to "shutdown" +state but not actually send the "close notify" alert messages, +see L. +When "quiet shutdown" is enabled, SSL_shutdown() will always succeed +and return 1. + =head1 RETURN VALUES The following return values can occur: 
@@ -46,19 +94,23 @@ The following return values can occur: =item 1 -The shutdown was successfully completed. +The shutdown was successfully completed. The "close notify" alert was sent +and the peer's "close notify" alert was received. =item 0 -The shutdown was not successful. Call SSL_get_error() with the return -value B to find out the reason. +The shutdown is not yet finished. Call SSL_shutdown() for a second time, +if a bidirectional shutdown shall be performed. +The output of L may be misleading, as an +erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred. =item -1 The shutdown was not successful because a fatal error occurred either -at the protocol level or a connection failure occurred. It can also occur of +at the protocol level or a connection failure occurred. It can also occur if action is need to continue the operation for non-blocking BIOs. -Call SSL_get_error() with the return value B to find out the reason. +Call L with the return value B +to find out the reason. =back @@ -66,6 +118,7 @@ Call SSL_get_error() with the return value B to find out the reason. L, L, L, L, +L, L, L, L, L diff --git a/doc/ssl/SSL_state_string.pod b/doc/ssl/SSL_state_string.pod index b4be1aaa48..4404595141 100644 --- a/doc/ssl/SSL_state_string.pod +++ b/doc/ssl/SSL_state_string.pod @@ -8,8 +8,8 @@ SSL_state_string, SSL_state_string_long - get textual description of state of an #include - const char *SSL_state_string(SSL *ssl); - const char *SSL_state_string_long(SSL *ssl); + char *SSL_state_string(SSL *ssl); + char *SSL_state_string_long(SSL *ssl); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod index b0dfefae20..dfa42e9aee 100644 --- a/doc/ssl/SSL_write.pod +++ b/doc/ssl/SSL_write.pod 
@@ -25,11 +25,9 @@ the SSL_write() operation. The behaviour of SSL_write() depends on the underlying BIO. For the transparent negotiation to succeed, the B must have been -initialized to client or server mode. This is not the case if a generic -method is being used (see L, so that +initialized to client or server mode. This is being done by calling L or SSL_set_accept_state() -must be used before the first call to an L -or SSL_write() function. +before the first call to an L or SSL_write() function. If the underlying BIO is B, SSL_write() will only return, once the write operation has been finished or an error occurred, except when a @@ -80,8 +78,14 @@ bytes actually written to the TLS/SSL connection. =item 0 -The write operation was not successful. Call SSL_get_error() with the return -value B to find out, whether an error occurred. +The write operation was not successful. Probably the underlying connection +was closed. Call SSL_get_error() with the return value B to find out, +whether an error occurred or the connection was shut down cleanly +(SSL_ERROR_ZERO_RETURN). + +SSLv2 (deprecated) does not support a shutdown alert protocol, so it can +only be detected, whether the underlying connection was closed. It cannot +be checked, why the closure happened. =item E0 diff --git a/doc/ssl/d2i_SSL_SESSION.pod b/doc/ssl/d2i_SSL_SESSION.pod index 9a1ba6c47b..0321a5a36f 100644 --- a/doc/ssl/d2i_SSL_SESSION.pod +++ b/doc/ssl/d2i_SSL_SESSION.pod 
@@ -30,7 +30,17 @@ session data on disk or into a database, it must be transformed into a binary ASN1 representation. When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically -allocated. +allocated. The reference count is 1, so that the session must be +explicitly removed using L, +unless the SSL_SESSION object is completely taken over, when being called +inside the get_session_cb() (see +L). + +SSL_SESSION objects keep internal link information about the session cache +list, when being inserted into one SSL_CTX object's session cache. +One SSL_SESSION object, regardless of its reference count, must therefore +only be used with one SSL_CTX object (and the SSL objects created +from this SSL_CTX object). When using i2d_SSL_SESSION(), the memory location pointed to by B must be large enough to hold the binary representation of the session. There is no @@ -50,7 +60,7 @@ When the session is not valid, B<0> is returned and no operation is performed. =head1 SEE ALSO -L, +L, L, L =cut diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index e52124517d..a1ff455b28 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -299,7 +299,7 @@ protocol context defined in the B structure. =item void B(SSL_CTX *ctx, X509_STORE *cs); -=item void B(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg) +=item void B(SSL_CTX *ctx, int (*cb)(), char *arg) =item int B(SSL_CTX *ctx, char *str); @@ -650,8 +650,10 @@ L, L, L, L, L, L, +L, L, L, +L, L, L, L, @@ -661,18 +663,28 @@ L, L, L, L, +L, +L, +L, L, L, +L, L, L, +L, L, L, L, L, +L, +L, L, L, +L, +L, L, L, +L, L, L, L, @@ -685,12 +697,19 @@ L, L, L, L, -L, L, +L, +L, +L, +L, +L, L, -L, L, +L, L, L, -L, L, +L, +L, +L, +L, L, L, L, diff --git a/e_os.h b/e_os.h index 8a996096be..ec06afb876 100644 --- a/e_os.h +++ b/e_os.h 
@@ -413,13 +413,10 @@ extern HINSTANCE _hInstance; # endif #endif -#if defined(THREADS) || defined(sun) -#ifndef _REENTRANT -#define _REENTRANT -#endif -#endif - #if defined(sun) && !defined(__svr4__) && !defined(__SVR4) + /* include headers first, so our defines don't break it */ +#include +#include /* bcopy can handle overlapping moves according to SunOS 4.1.4 manpage */ # define memmove(s1,s2,n) bcopy((s2),(s1),(n)) # define strtoul(s,e,b) ((unsigned long int)strtol((s),(e),(b))) diff --git a/makevms.com b/makevms.com index f55231e2a0..89d69cc73b 100755 --- a/makevms.com +++ b/makevms.com @@ -196,8 +196,14 @@ $ IF F$SEARCH("[.CRYPTO]OPENSSLCONF_H.IN") .NES. "" $ THEN $ TYPE [.CRYPTO]OPENSSLCONF_H.IN /OUTPUT=H_FILE: $ ELSE -$ WRITE SYS$ERROR "Couldn't find a [.CRYPTO]OPENSSLCONF.H_IN. Exiting!" -$ EXIT 0 +$ ! For ODS-5 +$ IF F$SEARCH("[.CRYPTO]OPENSSLCONF.H.IN") .NES. "" +$ THEN +$ TYPE [.CRYPTO]OPENSSLCONF.H.IN /OUTPUT=H_FILE: +$ ELSE +$ WRITE SYS$ERROR "Couldn't find a [.CRYPTO]OPENSSLCONF.H_IN. Exiting!" +$ EXIT 0 +$ ENDIF $ ENDIF $ ENDIF $! diff --git a/shlib/svr5-shared-gcc.sh b/shlib/svr5-shared-gcc.sh index b36a0375a6..2a359f63c4 100755 --- a/shlib/svr5-shared-gcc.sh +++ b/shlib/svr5-shared-gcc.sh @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.6b" slib=libssl sh_slib=$slib.so.$major.$minor diff --git a/shlib/svr5-shared-installed b/shlib/svr5-shared-installed index 544f5a9417..ca4245d1ae 100755 --- a/shlib/svr5-shared-installed +++ b/shlib/svr5-shared-installed @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.6b" slib=libssl sh_slib=$slib.so.$major.$minor diff --git a/shlib/svr5-shared.sh b/shlib/svr5-shared.sh index a70bb65baa..c967b8baa8 100755 --- a/shlib/svr5-shared.sh +++ b/shlib/svr5-shared.sh @@ -1,7 +1,7 @@ #!/usr/bin/sh major="0" -minor="9.7" +minor="9.6b" slib=libssl sh_slib=$slib.so.$major.$minor diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 5050a13ef2..2d0eb4a8ff 100644 --- a/ssl/s23_clnt.c 
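Review bot: Removing the `#if defined(THREADS) || defined(sun)` block that defined `_REENTRANT` means threaded builds now rely on the build system passing `-D_REENTRANT` (or the platform's equivalent) on the compiler command line; on some older libcs, Solaris being the usual example, that macro is what selects the thread-safe `errno`, so a threaded build compiled without it silently shares `errno` between threads. If Configure already supplies the flag for every threaded target, say so where the block used to be: `/* _REENTRANT is supplied by Configure for threaded builds; defining it here, after system headers, was too late to take effect */`. The two new `#include` lines in the SunOS 4 case have lost their header names in this rendering; from the `memmove`/`strtoul` macros that follow they are presumably `<string.h>` and `<stdlib.h>`, which is what the "include headers first" comment implies. The enclosing `#if`/`#endif` nesting starts before this hunk.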
+++ b/ssl/s23_clnt.c @@ -113,8 +113,8 @@ int ssl23_connect(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { diff --git a/ssl/s23_pkt.c b/ssl/s23_pkt.c index f45e1ce3d8..a62599cc3e 100644 --- a/ssl/s23_pkt.c +++ b/ssl/s23_pkt.c 
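Review bot: The swap of `s->in_handshake++` and the `SSL_clear(s)` call in ssl23_connect looks like an accidental reorder unless it is explained; presumably it is deliberate so that SSL_clear() sees a handshake in progress and does not replace `s->method` with the context's method mid-handshake, and a comment should say so: `/* bump in_handshake first: SSL_clear() must not reset s->method while a handshake function is active */`. The exit sequence at `end:` is not touched for the client, whereas ssl23_accept in this same diff moves `s->in_handshake--` ahead of its exit callback; if that ordering is intentional the client side should mirror it. The rest of ssl23_connect, including `end:`, lies outside this hunk.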
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 050618235f..b40bb01ab7 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c 
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include #include @@ -112,8 +165,8 @@ int ssl23_accept(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { @@ -179,9 +232,9 @@ int ssl23_accept(SSL *s) } } end: + s->in_handshake--; if (cb != NULL) cb(s,SSL_CB_ACCEPT_EXIT,ret); - s->in_handshake--; return(ret); } 
@@ -352,17 +405,22 @@ int ssl23_get_client_hello(SSL *s) /* We must look at client_version inside the Client Hello message * to get the correct minor version. * However if we have only a pathologically small fragment of the - * Client Hello message, this would be difficult, we'd have - * to read at least one additional record to find out. - * This doesn't usually happen in real life, so we just complain - * for now. - */ + * Client Hello message, this would be difficult, and we'd have + * to read more records to find out. + * No known SSL 3.0 client fragments ClientHello like this, + * so we simply assume TLS 1.0 to avoid protocol version downgrade + * attacks. */ if (p[3] == 0 && p[4] < 6) { +#if 0 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); goto err; +#else + v[1] = TLS1_VERSION_MINOR; +#endif } - v[1]=p[10]; /* minor version according to client_version */ + else + v[1]=p[10]; /* minor version according to client_version */ if (v[1] >= TLS1_VERSION_MINOR) { if (!(s->options & SSL_OP_NO_TLSv1)) @@ -376,10 +434,21 @@ int ssl23_get_client_hello(SSL *s) type=3; } } - else if (!(s->options & SSL_OP_NO_SSLv3)) + else { - s->version=SSL3_VERSION; - type=3; + /* client requests SSL 3.0 */ + if (!(s->options & SSL_OP_NO_SSLv3)) + { + s->version=SSL3_VERSION; + type=3; + } + else if (!(s->options & SSL_OP_NO_TLSv1)) + { + /* we won't be able to use TLS of course, + * but this will send an appropriate alert */ + s->version=TLS1_VERSION; + type=3; + } } } else if ((strncmp("GET ", (char *)p,4) == 0) || diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 28d6d65296..615e425736 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c 
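Review bot: The `#if 0 … #else … #endif` wrapped around the old `SSLerr(...RECORD_TOO_SMALL); goto err;` in ssl23_get_client_hello leaves dead code in the version-selection path, which is exactly where a later reader least wants ambiguity about what runs; drop the `#if 0` branch and keep only `v[1] = TLS1_VERSION_MINOR;`. The comment should also spell out why the highest version is the safe default rather than just naming downgrade attacks: `/* client_version is not in this fragment; assume the highest version we support so a truncated first record cannot be used to force SSL 3.0 */`. Whether an SSL 3.0-only client that fragments this way then gets a clean version alert depends on the checks that follow, which are outside this hunk.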
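Review bot: In the new `else` branch of ssl23_get_client_hello, when both `SSL_OP_NO_SSLv3` and `SSL_OP_NO_TLSv1` are set neither sub-branch assigns `s->version` or `type`, so the fate of an SSL 3.0 ClientHello then depends on the initial value of `type` and on checks outside this hunk. That fall-through should be made explicit, either with a final `else` that raises an error or, once the downstream behaviour is confirmed, a comment such as `/* neither SSLv3 nor TLSv1 enabled: leave type unset so the later unknown-protocol check rejects the hello */`. The TLS1 fallback comment could also state that the expected outcome is a version alert to the client, not a TLS negotiation, so nobody later "fixes" it by selecting SSL3.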
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -118,8 +171,8 @@ int ssl2_connect(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { @@ -287,6 +340,7 @@ static int get_server_hello(SSL *s) unsigned char *buf; unsigned char *p; int i,j; + unsigned long len; STACK_OF(SSL_CIPHER) *sk=NULL,*cl; buf=(unsigned char *)s->init_buf->data; @@ -296,6 +350,7 @@ static int get_server_hello(SSL *s) i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num); if (i < (11-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i)); + s->init_num = 11; if (*(p++) != SSL2_MT_SERVER_HELLO) { 
@@ -324,18 +379,22 @@ static int get_server_hello(SSL *s) n2s(p,i); s->s2->tmp.csl=i; n2s(p,i); s->s2->tmp.conn_id_length=i; s->state=SSL2_ST_GET_SERVER_HELLO_B; - s->init_num=0; } /* SSL2_ST_GET_SERVER_HELLO_B */ - j=s->s2->tmp.cert_length+s->s2->tmp.csl+s->s2->tmp.conn_id_length - - s->init_num; - i=ssl2_read(s,(char *)&(buf[s->init_num]),j); + len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length; + if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + { + SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG); + return -1; + } + j = (int)len - s->init_num; + i = ssl2_read(s,(char *)&(buf[s->init_num]),j); if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i)); /* things are looking good */ - p=buf; + p = buf + 11; if (s->hit) { if (s->s2->tmp.cert_length != 0) @@ -645,11 +704,10 @@ static int client_certificate(SSL *s) unsigned char *p,*d; int i; unsigned int n; - int cert_ch_len=0; + int cert_ch_len; unsigned char *cert_ch; buf=(unsigned char *)s->init_buf->data; - cert_ch= &(buf[2]); /* We have a cert associated with the SSL, so attach it to * the session if it does not have one */ @@ -660,6 +718,7 @@ static int client_certificate(SSL *s) SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num); if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num)) return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i)); + s->init_num += i; /* type=buf[0]; */ /* type eq x509 */ @@ -669,7 +728,6 @@ static int client_certificate(SSL *s) SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE); return(-1); } - cert_ch_len=i-1; if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || @@ -681,6 +739,9 @@ static int client_certificate(SSL *s) s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C; } + cert_ch = buf + 2; + cert_ch_len = s->init_num - 2; + if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE) { X509 *x509=NULL; 
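Review bot: The new `len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER` check in get_server_hello is the bound that stops the server-supplied `cert_length + csl + conn_id_length` from overrunning `s->init_buf`, and it should say so: `/* init_buf holds at most SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER bytes; a server-chosen total beyond that would overrun it */` (presumably ssl2_connect grows init_buf to that size; the allocation is outside this hunk). The old code summed the three fields with no upper bound at all, so this is a real fix and worth a CHANGES-level mention rather than being folded into "various bugs found on the way". The remainder of get_server_hello, including the per-field parsing after `p = buf + 11`, lies outside the hunk.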
@@ -786,7 +847,7 @@ static int client_certificate(SSL *s) static int get_server_verify(SSL *s) { unsigned char *p; - int i; + int i, n, len; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_SERVER_VERIFY_A) @@ -794,9 +855,9 @@ static int get_server_verify(SSL *s) i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); if (i < (1-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i)); + s->init_num += i; s->state= SSL2_ST_GET_SERVER_VERIFY_B; - s->init_num=0; if (*p != SSL2_MT_SERVER_VERIFY) { if (p[0] != SSL2_MT_ERROR) @@ -813,10 +874,13 @@ static int get_server_verify(SSL *s) } p=(unsigned char *)s->init_buf->data; - i=ssl2_read(s,(char *)&(p[s->init_num]), - (unsigned int)s->s2->challenge_length-s->init_num); - if (i < ((int)s->s2->challenge_length-s->init_num)) + len = 1 + s->s2->challenge_length; + n = len - s->init_num; + i = ssl2_read(s,(char *)&(p[s->init_num]),n); + if (i < n) return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i)); + p += 1; + if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); @@ -830,7 +894,7 @@ static int get_server_finished(SSL *s) { unsigned char *buf; unsigned char *p; - int i; + int i, n, len; buf=(unsigned char *)s->init_buf->data; p=buf; @@ -839,7 +903,8 @@ static int get_server_finished(SSL *s) i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num); if (i < (1-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i)); - s->init_num=i; + s->init_num += i; + if (*p == SSL2_MT_REQUEST_CERTIFICATE) { s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A; 
@@ -856,14 +921,15 @@ static int get_server_finished(SSL *s) SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR); return(-1); } - s->state=SSL_ST_OK; - s->init_num=0; + s->state=SSL2_ST_GET_SERVER_FINISHED_B; } - i=ssl2_read(s,(char *)&(buf[s->init_num]), - SSL2_SSL_SESSION_ID_LENGTH-s->init_num); - if (i < (SSL2_SSL_SESSION_ID_LENGTH-s->init_num)) + len = 1 + SSL2_SSL_SESSION_ID_LENGTH; + n = len - s->init_num; + i = ssl2_read(s,(char *)&(buf[s->init_num]), n); + if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */ return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i)); + s->init_num += i; if (!s->hit) /* new session */ { @@ -887,6 +953,7 @@ static int get_server_finished(SSL *s) } } } + s->state = SSL_ST_OK; return(1); } diff --git a/ssl/s2_enc.c b/ssl/s2_enc.c index 35acdf8276..fa2ab8dc4b 100644 --- a/ssl/s2_enc.c +++ b/ssl/s2_enc.c @@ -111,8 +111,8 @@ err: } /* read/writes from s->s2->mac_data using length for encrypt and - * decrypt. It sets the s->s2->padding, s->[rw]length and - * s->s2->pad_data ptr if we are encrypting */ + * decrypt. It sets s->s2->padding and s->[rw]length + * if we are encrypting */ void ssl2_enc(SSL *s, int send) { EVP_CIPHER_CTX *ds; diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index f2f46ff377..3cd7597fe7 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ /* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -130,7 +130,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) unsigned char mac[MAX_MAC_SIZE]; unsigned char *p; int i; - unsigned int mac_size=0; + unsigned int mac_size; ssl2_read_again: if (SSL_in_init(s) && !s->in_handshake) 
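Review bot: The `XXX` comment left in SSL2_ST_GET_SERVER_FINISHED_B records a real limitation rather than resolving it: `n` is derived from the maximum session-id length and any `i < n` is handed to ssl2_part_read(), so a server that legitimately sends a shorter session id would leave the client waiting for bytes that never arrive, or swallow the start of the next record as session id. If that is the accepted behaviour for this release, replace the XXX with a statement of the decision, e.g. `/* assumes the server always sends a full SSL2_SSL_SESSION_ID_LENGTH-byte id; shorter ids are not supported */`; otherwise the read has to be bounded by the record rather than by the maximum length. The start of get_server_finished is in the preceding hunk.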
@@ -235,17 +235,25 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) /* Data portion */ if (s->s2->clear_text) { + mac_size = 0; s->s2->mac_data=p; s->s2->ract_data=p; - s->s2->pad_data=NULL; + if (s->s2->padding) + { + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING); + return(-1); + } } else { mac_size=EVP_MD_size(s->read_hash); s->s2->mac_data=p; s->s2->ract_data= &p[mac_size]; - s->s2->pad_data= &p[mac_size+ - s->s2->rlength-s->s2->padding]; + if (s->s2->padding + mac_size > s->s2->rlength) + { + SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING); + return(-1); + } } s->s2->ract_data_length=s->s2->rlength; @@ -593,10 +601,8 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->wact_data= &(s->s2->wbuf[3+mac_size]); /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data,buf,len); -#ifdef PURIFY if (p) - memset(&(s->s2->wact_data[len]),0,p); -#endif + memset(&(s->s2->wact_data[len]),0,p); /* arbitrary padding */ if (!s->s2->clear_text) { 
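Review bot: The comment `/* arbitrary padding */` on the now-unconditional memset in do_ssl_write understates why the change matters: the padding bytes live in `s->s2->wbuf`, into which plaintext was just memcpy'd, so before this change (outside PURIFY builds) stale buffer contents, presumably earlier plaintext, were encrypted and sent on the wire. Suggest `/* padding bytes are arbitrary on the wire, but must not be stale wbuf contents (earlier plaintext) -- always zero them */` so nobody reintroduces the #ifdef. The rest of do_ssl_write is outside this hunk.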
@@ -645,27 +651,36 @@ int ssl2_part_read(SSL *s, unsigned long f, int i) unsigned char *p; int j; - /* check for error */ - if ((s->init_num == 0) && (i >= 3)) - { - p=(unsigned char *)s->init_buf->data; - if (p[0] == SSL2_MT_ERROR) - { - j=(p[1]<<8)|p[2]; - SSLerr((int)f,ssl_mt_error(j)); - } - } - if (i < 0) { /* ssl2_return_error(s); */ /* for non-blocking io, - * this is not fatal */ + * this is not necessarily fatal */ return(i); } else { s->init_num+=i; + + /* Check for error. While there are recoverable errors, + * this function is not called when those must be expected; + * any error detected here is fatal. */ + if (s->init_num >= 3) + { + p=(unsigned char *)s->init_buf->data; + if (p[0] == SSL2_MT_ERROR) + { + j=(p[1]<<8)|p[2]; + SSLerr((int)f,ssl_mt_error(j)); + s->init_num -= 3; + if (s->init_num > 0) + memmove(p, p+3, s->init_num); + } + } + + /* If it's not an error message, we have some error anyway -- + * the message was shorter than expected. This too is treated + * as fatal (at least if SSL_get_error is asked for its opinion). */ return(0); } } @@ -676,7 +691,9 @@ int ssl2_do_write(SSL *s) ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num); if (ret == s->init_num) + { return(1); + } if (ret < 0) return(-1); s->init_off+=ret; diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 2fa2f310a8..4f1686a00c 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c 
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #include "ssl_locl.h" #ifndef NO_SSL2 @@ -119,8 +172,8 @@ int ssl2_accept(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { @@ -322,6 +375,7 @@ end: static int get_client_master_key(SSL *s) { int is_export,i,n,keya,ek; + unsigned long len; unsigned char *p; SSL_CIPHER *cp; const EVP_CIPHER *c; @@ -334,6 +388,8 @@ static int get_client_master_key(SSL *s) if (i < (10-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); + s->init_num = 10; + if (*(p++) != SSL2_MT_CLIENT_MASTER_KEY) { if (p[-1] != SSL2_MT_ERROR) 
@@ -362,15 +418,21 @@ static int get_client_master_key(SSL *s) n2s(p,i); s->s2->tmp.enc=i; n2s(p,i); s->session->key_arg_length=i; s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; - s->init_num=0; } /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ p=(unsigned char *)s->init_buf->data; keya=s->session->key_arg_length; - n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num; - i=ssl2_read(s,(char *)&(p[s->init_num]),n); + len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; + if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + { + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); + return -1; + } + n = (int)len - s->init_num; + i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_MASTER_KEY,i)); + p += 10; memcpy(s->session->key_arg,&(p[s->s2->tmp.clear+s->s2->tmp.enc]), (unsigned int)keya); @@ -448,6 +510,7 @@ static int get_client_master_key(SSL *s) static int get_client_hello(SSL *s) { int i,n; + unsigned long len; unsigned char *p; STACK_OF(SSL_CIPHER) *cs; /* a stack of SSL_CIPHERS */ STACK_OF(SSL_CIPHER) *cl; /* the ones we want to use */ @@ -467,6 +530,7 @@ static int get_client_hello(SSL *s) i=ssl2_read(s,(char *)&(p[s->init_num]),9-s->init_num); if (i < (9-s->init_num)) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); + s->init_num = 9; if (*(p++) != SSL2_MT_CLIENT_HELLO) { 
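Review bot: `keya` comes straight from the wire (`s->session->key_arg_length` is set by `n2s` in the A part just above) and the new check only bounds the total `10 + clear + enc + keya` against the record maximum, yet `keya` is then passed unchanged as the length of `memcpy(s->session->key_arg, ..., keya)`. If `key_arg` is a fixed-size array in SSL_SESSION, as its use here suggests (its declaration is not in this diff), a client can overflow it with a key_arg_length anywhere up to the record size; add before the memcpy `if ((unsigned int)keya > sizeof s->session->key_arg) { SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); return -1; }` or whatever the array's real bound is. get_client_master_key continues outside this hunk.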
@@ -491,15 +555,20 @@ static int get_client_hello(SSL *s) return(-1); } s->state=SSL2_ST_GET_CLIENT_HELLO_C; - s->init_num=0; } /* SSL2_ST_GET_CLIENT_HELLO_C */ p=(unsigned char *)s->init_buf->data; - n=s->s2->tmp.cipher_spec_length+s->s2->challenge_length+ - s->s2->tmp.session_id_length-s->init_num; - i=ssl2_read(s,(char *)&(p[s->init_num]),n); + len = 9 + (unsigned long)s->s2->tmp.cipher_spec_length + (unsigned long)s->s2->challenge_length + (unsigned long)s->s2->tmp.session_id_length; + if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + { + SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG); + return -1; + } + n = (int)len - s->init_num; + i = ssl2_read(s,(char *)&(p[s->init_num]),n); if (i != n) return(ssl2_part_read(s,SSL_F_GET_CLIENT_HELLO,i)); + p += 9; /* get session-id before cipher stuff so we can get out session * structure if it is cached */ @@ -705,7 +774,8 @@ static int server_hello(SSL *s) static int get_client_finished(SSL *s) { unsigned char *p; - int i; + int i, n; + unsigned long len; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_FINISHED_A) @@ -713,6 +783,7 @@ static int get_client_finished(SSL *s) i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num); if (i < 1-s->init_num) return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); + s->init_num += i; if (*p != SSL2_MT_CLIENT_FINISHED) { 
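Review bot: The new SSL_R_MESSAGE_TOO_LONG path in SSL2_ST_GET_CLIENT_HELLO_C returns -1 without first calling `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR)`, which is what the other fatal paths in these SSLv2 handshake functions do before SSLerr (see get_client_finished in the next hunk); the parallel checks added to get_server_hello, get_client_master_key and request_certificate have the same omission. The peer therefore sees a dropped connection for "too long" but an ERROR message for "malformed", a difference that looks unintended. Suggest `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_HELLO,SSL_R_MESSAGE_TOO_LONG); return -1;` at all four sites. get_client_hello starts before this hunk.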
@@ -725,16 +796,18 @@ static int get_client_finished(SSL *s) SSLerr(SSL_F_GET_CLIENT_FINISHED,SSL_R_PEER_ERROR); return(-1); } - s->init_num=0; s->state=SSL2_ST_GET_CLIENT_FINISHED_B; } /* SSL2_ST_GET_CLIENT_FINISHED_B */ - i=ssl2_read(s,(char *)&(p[s->init_num]),s->s2->conn_id_length-s->init_num); - if (i < (int)s->s2->conn_id_length-s->init_num) + len = 1 + (unsigned long)s->s2->conn_id_length; + n = (int)len - s->init_num; + i = ssl2_read(s,(char *)&(p[s->init_num]),n); + if (i < n) { return(ssl2_part_read(s,SSL_F_GET_CLIENT_FINISHED,i)); } + p += 1; if (memcmp(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); @@ -790,6 +863,7 @@ static int request_certificate(SSL *s) unsigned char *p,*p2,*buf2; unsigned char *ccd; int i,j,ctype,ret= -1; + unsigned long len; X509 *x509=NULL; STACK_OF(X509) *sk=NULL; @@ -823,16 +897,28 @@ static int request_certificate(SSL *s) if (s->state == SSL2_ST_SEND_REQUEST_CERTIFICATE_C) { p=(unsigned char *)s->init_buf->data; - i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); - if (i < 3) + i=ssl2_read(s,(char *)&(p[s->init_num]),6-s->init_num); /* try to read 6 octets ... */ + if (i < 3-s->init_num) /* ... but don't call ssl2_part_read now if we got at least 3 + * (probably NO-CERTIFICATE-ERROR) */ { ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); goto end; } + s->init_num += i; - if ((*p == SSL2_MT_ERROR) && (i >= 3)) + if ((s->init_num >= 3) && (p[0] == SSL2_MT_ERROR)) { n2s(p,i); + if (i != SSL2_PE_NO_CERTIFICATE) + { + /* not the error message we expected -- let ssl2_part_read handle it */ + s->init_num -= 3; + ret = ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE, 3); + goto end; + } + + /* this is the one place where we can recover from an SSL 2.0 error */ + if (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { ssl2_return_error(s,SSL2_PE_BAD_CERTIFICATE); 
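Review bot: In SSL2_ST_SEND_REQUEST_CERTIFICATE_C the error-code comparison reads the wrong bytes: `n2s(p,i)` is applied while `p` still points at the message-type byte, so, assuming the usual two-byte big-endian n2s, `i` holds the type byte and the high byte of the code, never the low byte, whereas ssl2_part_read in this same diff reads the code as `(p[1]<<8)|p[2]`. A genuine NO-CERTIFICATE-ERROR can thus only satisfy `i == SSL2_PE_NO_CERTIFICATE` by coincidence and the recovery branch the comment advertises is effectively unreachable. Replace `n2s(p,i);` with `i = (p[1] << 8) | p[2];` (`p` is not used again on this branch). request_certificate continues in the next hunk.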
@@ -842,12 +928,18 @@ static int request_certificate(SSL *s) ret=1; goto end; } - if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (i < 6)) + if ((*(p++) != SSL2_MT_CLIENT_CERTIFICATE) || (s->init_num < 6)) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_SHORT_READ); goto end; } + if (s->init_num != 6) + { + SSLerr(SSL_F_REQUEST_CERTIFICATE, SSL_R_INTERNAL_ERROR); + goto end; + } + /* ok we have a response */ /* certificate type, there is only one right now. */ ctype= *(p++); @@ -860,18 +952,24 @@ static int request_certificate(SSL *s) n2s(p,i); s->s2->tmp.clen=i; n2s(p,i); s->s2->tmp.rlen=i; s->state=SSL2_ST_SEND_REQUEST_CERTIFICATE_D; - s->init_num=0; } /* SSL2_ST_SEND_REQUEST_CERTIFICATE_D */ p=(unsigned char *)s->init_buf->data; - j=s->s2->tmp.clen+s->s2->tmp.rlen-s->init_num; - i=ssl2_read(s,(char *)&(p[s->init_num]),j); + len = 6 + (unsigned long)s->s2->tmp.clen + (unsigned long)s->s2->tmp.rlen; + if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) + { + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG); + goto end; + } + j = (int)len - s->init_num; + i = ssl2_read(s,(char *)&(p[s->init_num]),j); if (i < j) { ret=ssl2_part_read(s,SSL_F_REQUEST_CERTIFICATE,i); goto end; } + p += 6; x509=(X509 *)d2i_X509(NULL,&p,(long)s->s2->tmp.clen); if (x509 == NULL) diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 10d8d3b15a..3f09b8bc17 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -383,7 +383,11 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) * if their format is correct. Does not count for * 'Finished' MAC. */ if (p[1] == 0 && p[2] == 0 &&p[3] == 0) + { + s->init_num = 0; skip_message = 1; + } + } while (skip_message); @@ -432,6 +436,7 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) /* next state (stn) */ p=(unsigned char *)s->init_buf->data; n=s->s3->tmp.message_size; + n -= s->init_num; while (n > 0) { i=ssl3_read_bytes(s,SSL3_RT_HANDSHAKE,&p[s->init_num],n,0); 
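Review bot: The new length check in SSL2_ST_SEND_REQUEST_CERTIFICATE_D reports under the wrong function code: `SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_MESSAGE_TOO_LONG)` inside request_certificate, evidently copied from get_client_master_key, so the error string will point the operator at the wrong handshake step. It should read `SSLerr(SSL_F_REQUEST_CERTIFICATE,SSL_R_MESSAGE_TOO_LONG);`. The `goto end` with `ret` left at -1 is consistent with the rest of this function, whose tail is outside the hunk.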
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index eec45cfa48..4d6da271a8 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -119,8 +119,8 @@ int ssl3_connect(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { @@ -441,9 +441,9 @@ int ssl3_connect(SSL *s) skip=0; } end: + s->in_handshake--; if (cb != NULL) cb(s,SSL_CB_CONNECT_EXIT,ret); - s->in_handshake--; return(ret); } @@ -849,11 +849,17 @@ static int ssl3_get_key_exchange(SSL *s) DH *dh=NULL; #endif + /* use same message size as in ssl3_get_certificate_request() + * as ServerKeyExchange message may be skipped */ n=ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, - 1024*8, /* ?? */ +#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32) + 1024*30, /* 30k max cert list :-) */ +#else + 1024*100, /* 100k max cert list :-) */ +#endif &ok); if (!ok) return((int)n); diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 8709da9175..af7075e920 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -381,8 +381,8 @@ int ssl3_enc(SSL *s, int send) if (l == 0 || l%bs != 0) { SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR); - return(0); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); + return 0; } } @@ -395,9 +395,11 @@ int ssl3_enc(SSL *s, int send) * padding bytes (except that last) are arbitrary */ if (i > bs) { - SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR); - return(0); + /* Incorrect padding. SSLerr() and ssl3_alert are done + * by caller: we don't want to reveal whether this is + * a decryption error or a MAC verification failure + * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ + return -1; } rec->length-=i; } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 9ab76604a6..fbe9de9ed0 100644 
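Review bot: The size bound added to ssl3_get_key_exchange selects the 30k variant with `#if defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_WIN32)`, while the otherwise identical block added to ssl3_check_client_hello in s3_srvr.c by this same diff tests `defined(MSDOS) && !defined(WIN32)`. Only one spelling can be what this tree's platform header defines (the OPENSSL_SYS_ names look like the newer convention), so on DOS builds one of the two sites silently falls back to the 100k limit. Use the spelling this branch actually defines at both sites, or better hoist the value into one `#define` shared with the ssl3_get_certificate_request() bound the new comment says it mirrors.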
--- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -231,7 +231,7 @@ static int ssl3_read_n(SSL *s, int n, int max, int extend) static int ssl3_get_record(SSL *s) { int ssl_major,ssl_minor,al; - int n,i,ret= -1; + int enc_err,n,i,ret= -1; SSL3_RECORD *rr; SSL_SESSION *sess; unsigned char *p; @@ -342,16 +342,23 @@ again: /* decrypt in place in 'rr->input' */ rr->data=rr->input; - if (!s->method->ssl3_enc->enc(s,0)) + enc_err = s->method->ssl3_enc->enc(s,0); + if (enc_err <= 0) { - al=SSL_AD_DECRYPT_ERROR; - goto f_err; + if (enc_err == 0) + /* SSLerr() and ssl3_send_alert() have been called */ + goto err; + + /* otherwise enc_err == -1 */ + goto decryption_failed_or_bad_record_mac; } + #ifdef TLS_DEBUG printf("dec %d\n",rr->length); { unsigned int z; for (z=0; zlength; z++) printf("%02X%c",rr->data[z],((z+1)%16)?' ':'\n'); } printf("\n"); #endif + /* r->length is now the compressed data plus mac */ if ( (sess == NULL) || (s->enc_read_ctx == NULL) || @@ -364,25 +371,30 @@ printf("\n"); if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) { +#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ al=SSL_AD_RECORD_OVERFLOW; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; +#else + goto decryption_failed_or_bad_record_mac; +#endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ if (rr->length < mac_size) { +#if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; +#else + goto decryption_failed_or_bad_record_mac; +#endif } rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BAD_MAC_DECODE); - ret= -1; - goto f_err; + goto decryption_failed_or_bad_record_mac; } } 
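Review bot: Routing the short-length, over-length and bad-padding cases through `decryption_failed_or_bad_record_mac` removes the distinguishing alert, but the paths are still distinguishable by timing: on `rr->length < mac_size` and on `enc_err == -1` the jump happens before `ssl3_enc->mac()` runs, whereas a record with good padding and a bad MAC pays for the MAC computation, and the `memcmp` returns at the first differing byte. That is a weaker channel than the alert and may be acceptable for this release, but it deserves a comment at the label so the next reader does not assume the oracle is fully closed, e.g. `/* NOTE: the alert is unified, but the MAC is not computed on padding/length failures, so a timing difference remains */`. ssl3_get_record's body extends past this hunk.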
@@ -427,6 +439,15 @@ printf("\n"); if (rr->length == 0) goto again; return(1); + +decryption_failed_or_bad_record_mac: + /* Separate 'decryption_failed' alert was introduced with TLS 1.0, + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption + * failure is directly visible from the ciphertext anyway, + * we should not reveal which kind of error occured -- this + * might become visible to an attacker (e.g. via logfile) */ + al=SSL_AD_BAD_RECORD_MAC; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: @@ -1156,6 +1177,8 @@ void ssl3_send_alert(SSL *s, int level, int desc) { /* Map tls/ssl alert value to correct one */ desc=s->method->ssl3_enc->alert_value(desc); + if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) + desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */ if (desc < 0) return; /* If a fatal one, remove from cache */ if ((level == 2) && (s->session != NULL)) @@ -1164,7 +1187,7 @@ void ssl3_send_alert(SSL *s, int level, int desc) s->s3->alert_dispatch=1; s->s3->send_alert[0]=level; s->s3->send_alert[1]=desc; - if (s->s3->wbuf.left == 0) /* data still being written out */ + if (s->s3->wbuf.left == 0) /* data still being written out? */ ssl3_dispatch_alert(s); /* else data is still being written out, we will get written * some time in the future */ @@ -1183,9 +1206,9 @@ int ssl3_dispatch_alert(SSL *s) } else { - /* If it is important, send it now. If the message - * does not get sent due to non-blocking IO, we will - * not worry too much. */ + /* Alert sent to BIO. If it is important, flush it now. + * If the message does not get sent due to non-blocking IO, + * we will not worry too much. */ if (s->s3->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 258af84867..0280bb92f7 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c 
@@ -55,6 +55,59 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #define REUSE_CIPHER_BUG #define NETSCAPE_HANG_BUG @@ -114,6 +167,7 @@ int ssl3_accept(SSL *s) long num1; int ret= -1; int new_state,state,skip=0; + int got_new_session=0; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); @@ -125,8 +179,8 @@ int ssl3_accept(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { @@ -180,21 +234,23 @@ int ssl3_accept(SSL *s) goto end; } - /* Ok, we now need to push on a buffering BIO so that - * the output is sent in a way that TCP likes :-) - */ - if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } - s->init_num=0; if (s->state != SSL_ST_RENEGOTIATE) { + /* Ok, we now need to push on a buffering BIO so that + * the output is sent in a way that TCP likes :-) + */ + if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; } + ssl3_init_finished_mac(s); s->state=SSL3_ST_SR_CLNT_HELLO_A; s->ctx->stats.sess_accept++; } else { + /* s->state == SSL_ST_RENEGOTIATE, + * we will just send a HelloRequest */ s->ctx->stats.sess_accept_renegotiate++; s->state=SSL3_ST_SW_HELLO_REQ_A; } 
@@ -215,9 +271,7 @@ int ssl3_accept(SSL *s) case SSL3_ST_SW_HELLO_REQ_C: s->state=SSL_ST_OK; - ret=1; - goto end; - /* break; */ + break; case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: @@ -226,6 +280,7 @@ int ssl3_accept(SSL *s) s->shutdown=0; ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; + got_new_session=1; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; break; @@ -456,18 +511,24 @@ int ssl3_accept(SSL *s) /* remove buffering on output */ ssl_free_wbio_buffer(s); - s->new_session=0; s->init_num=0; - ssl_update_cache(s,SSL_SESS_CACHE_SERVER); - - s->ctx->stats.sess_accept_good++; - /* s->server=1; */ - s->handshake_func=ssl3_accept; - ret=1; - - if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); + if (got_new_session) /* skipped if we just sent a HelloRequest */ + { + /* actually not necessarily a 'new' session */ + + s->new_session=0; + + ssl_update_cache(s,SSL_SESS_CACHE_SERVER); + + s->ctx->stats.sess_accept_good++; + /* s->server=1; */ + s->handshake_func=ssl3_accept; + if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1); + } + + ret = 1; goto end; /* break; */ @@ -500,9 +561,9 @@ int ssl3_accept(SSL *s) end: /* BIO_flush(s->wbio); */ + s->in_handshake--; if (cb != NULL) cb(s,SSL_CB_ACCEPT_EXIT,ret); - s->in_handshake--; return(ret); } @@ -533,11 +594,17 @@ static int ssl3_check_client_hello(SSL *s) int ok; long n; + /* this function is called when we really expect a Certificate message, + * so permit appropriate message length */ n=ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, - SSL3_RT_MAX_PLAIN_LENGTH, +#if defined(MSDOS) && !defined(WIN32) + 1024*30, /* 30k max cert list :-) */ +#else + 1024*100, /* 100k max cert list :-) */ +#endif &ok); if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; 
@@ -595,6 +662,18 @@ static int ssl3_get_client_hello(SSL *s) s->client_version=(((int)p[0])<<8)|(int)p[1]; p+=2; + if (s->client_version < s->version) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); + if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + { + /* similar to ssl3_get_record, send alert using remote version number */ + s->version = s->client_version; + } + al = SSL_AD_PROTOCOL_VERSION; + goto f_err; + } + /* load the client random */ memcpy(s->s3->client_random,p,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; @@ -1262,7 +1341,7 @@ static int ssl3_get_client_key_exchange(SSL *s) SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, - 400, /* ???? */ + 2048, /* ???? */ &ok); if (!ok) return((int)n); diff --git a/ssl/ssl-lib.com b/ssl/ssl-lib.com index 0a8581898c..436510dd67 100644 --- a/ssl/ssl-lib.com +++ b/ssl/ssl-lib.com @@ -1197,6 +1197,7 @@ $! $! Save directory information $! $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;" +$ __HERE = F$EDIT(__HERE,"UPCASE") $ __TOP = __HERE - "SSL]" $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]" $! diff --git a/ssl/ssl.h b/ssl/ssl.h index 9de9e611ab..73bcea6b4a 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -583,7 +583,9 @@ struct ssl_st int server; /* are we the server side? - mostly used by SSL_clear*/ - int new_session;/* 1 if we are to use a new session */ + int new_session;/* 1 if we are to use a new session. + * NB: For servers, the 'new' session may actually be a previously + * cached session or even the previous session */ int quiet_shutdown;/* don't send shutdown packets */ int shutdown; /* we have shut things down, 0x01 sent, 0x02 * for received */ 
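Review bot: The new `if (s->client_version < s->version)` rejection in ssl3_get_client_hello is only right when `s->version` already holds the version committed to for this connection, which is true for a fixed SSLv3/TLSv1 method but, on the SSLv23 path, depends on ssl23_get_client_hello having lowered `s->version` before handing over, something this diff does not show. A one-line comment stating that precondition would help, e.g. `/* s->version is the version we committed to (fixed method, or chosen by ssl23_get_client_hello); a client offering less is rejected */`. Also worth saying in the existing comment is that `s->version = s->client_version` is a permanent change made only so the alert carries the client's version, harmless because `f_err` is fatal. The function continues outside this hunk.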
@@ -939,6 +941,8 @@ char * SSL_CIPHER_get_version(SSL_CIPHER *c); const char * SSL_CIPHER_get_name(SSL_CIPHER *c); int SSL_get_fd(SSL *s); +int SSL_get_rfd(SSL *s); +int SSL_get_wfd(SSL *s); const char * SSL_get_cipher_list(SSL *s,int n); char * SSL_get_shared_ciphers(SSL *s, char *buf, int len); int SSL_get_read_ahead(SSL * s); @@ -1403,6 +1407,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_DATA_BETWEEN_CCS_AND_FINISHED 145 #define SSL_R_DATA_LENGTH_TOO_LONG 146 #define SSL_R_DECRYPTION_FAILED 147 +#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 1109 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_R_DIGEST_CHECK_FAILED 149 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 @@ -1413,6 +1418,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_GOT_A_FIN_BEFORE_A_CCS 154 #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 +#define SSL_R_ILLEGAL_PADDING 1110 #define SSL_R_INTERNAL_ERROR 157 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 @@ -1422,6 +1428,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_LENGTH_TOO_SHORT 160 #define SSL_R_LIBRARY_BUG 274 #define SSL_R_LIBRARY_HAS_NO_CIPHERS 161 +#define SSL_R_MESSAGE_TOO_LONG 1111 #define SSL_R_MISSING_DH_DSA_CERT 162 #define SSL_R_MISSING_DH_KEY 163 #define SSL_R_MISSING_DH_RSA_CERT 164 diff --git a/ssl/ssl2.h b/ssl/ssl2.h index f8b56afb6b..70aae1ec1e 100644 --- a/ssl/ssl2.h +++ b/ssl/ssl2.h @@ -189,7 +189,7 @@ typedef struct ssl2_state_st unsigned char *ract_data; unsigned char *wact_data; unsigned char *mac_data; - unsigned char *pad_data; + unsigned char *pad_data_UNUSED; /* only for binary compatibility with 0.9.6b */ unsigned char *read_key; unsigned char *write_key; 
@@ -209,11 +209,11 @@ typedef struct ssl2_state_st unsigned int conn_id_length; unsigned int cert_type; unsigned int cert_length; - int csl; - int clear; + unsigned int csl; + unsigned int clear; unsigned int enc; unsigned char ccl[SSL2_MAX_CERT_CHALLENGE_LENGTH]; - int cipher_spec_length; + unsigned int cipher_spec_length; unsigned int session_id_length; unsigned int clen; unsigned int rlen; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 27e7fcc60a..be3acabf3e 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -461,6 +461,9 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) X509_STORE_CTX_purpose_inherit(&ctx, i, s->purpose, s->trust); + if (s->verify_callback) + X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); + if (s->ctx->app_verify_callback != NULL) i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ else diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 1ae3333407..87a13dbf31 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -258,6 +258,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_DATA_BETWEEN_CCS_AND_FINISHED ,"data between ccs and finished"}, {SSL_R_DATA_LENGTH_TOO_LONG ,"data length too long"}, {SSL_R_DECRYPTION_FAILED ,"decryption failed"}, +{SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC,"decryption failed or bad record mac"}, {SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG ,"dh public value length is wrong"}, {SSL_R_DIGEST_CHECK_FAILED ,"digest check failed"}, {SSL_R_ENCRYPTED_LENGTH_TOO_LONG ,"encrypted length too long"}, @@ -268,6 +269,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_GOT_A_FIN_BEFORE_A_CCS ,"got a fin before a ccs"}, {SSL_R_HTTPS_PROXY_REQUEST ,"https proxy request"}, {SSL_R_HTTP_REQUEST ,"http request"}, +{SSL_R_ILLEGAL_PADDING ,"illegal padding"}, {SSL_R_INTERNAL_ERROR ,"internal error"}, {SSL_R_INVALID_CHALLENGE_LENGTH ,"invalid challenge length"}, {SSL_R_INVALID_COMMAND ,"invalid command"}, 
@@ -277,6 +279,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {SSL_R_LENGTH_TOO_SHORT ,"length too short"}, {SSL_R_LIBRARY_BUG ,"library bug"}, {SSL_R_LIBRARY_HAS_NO_CIPHERS ,"library has no ciphers"}, +{SSL_R_MESSAGE_TOO_LONG ,"message too long"}, {SSL_R_MISSING_DH_DSA_CERT ,"missing dh dsa cert"}, {SSL_R_MISSING_DH_KEY ,"missing dh key"}, {SSL_R_MISSING_DH_RSA_CERT ,"missing dh rsa cert"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 1fe85b6cb7..afcc18b6bb 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -142,7 +142,7 @@ int SSL_clear(SSL *s) #if 1 /* Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ - if ((s->session == NULL) && (s->method != s->ctx->method)) + if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method=s->ctx->method; @@ -410,6 +410,11 @@ BIO *SSL_get_wbio(SSL *s) { return(s->wbio); } int SSL_get_fd(SSL *s) + { + return(SSL_get_rfd(s)); + } + +int SSL_get_rfd(SSL *s) { int ret= -1; BIO *b,*r; @@ -421,6 +426,18 @@ int SSL_get_fd(SSL *s) return(ret); } +int SSL_get_wfd(SSL *s) + { + int ret= -1; + BIO *b,*r; + + b=SSL_get_wbio(s); + r=BIO_find_type(b,BIO_TYPE_DESCRIPTOR); + if (r != NULL) + BIO_get_fd(r,&ret); + return(ret); + } + #ifndef NO_SOCK int SSL_set_fd(SSL *s,int fd) { @@ -1276,8 +1293,6 @@ void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode=mode; ctx->default_verify_callback=cb; - /* This needs cleaning up EAY EAY EAY */ - X509_STORE_set_verify_cb_func(ctx->cert_store,cb); } void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth) diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 8e12461f3b..893c98e050 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c 
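Review bot: Dropping `X509_STORE_set_verify_cb_func(ctx->cert_store,cb)` from SSL_CTX_set_verify means the callback no longer reaches the store, so after this diff it only takes effect through the `X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback)` line added to ssl_verify_cert_chain, and that line is guarded by `if (s->verify_callback)`. Unless SSL_new copies `ctx->default_verify_callback` into `s->verify_callback` (not visible here), a callback installed with SSL_CTX_set_verify would now be silently ignored; please confirm that copy exists, or fall back to `s->ctx->default_verify_callback` in ssl_verify_cert_chain when the per-SSL pointer is NULL. Any caller that relied on the store-level callback being set as a side effect of SSL_CTX_set_verify also changes behaviour, which merits a CHANGES entry.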
@@ -136,7 +136,7 @@ case SSL3_ST_CW_CERT_D: str="SSLv3 write client certificate D"; break; case SSL3_ST_CW_KEY_EXCH_A: str="SSLv3 write client key exchange A"; break; case SSL3_ST_CW_KEY_EXCH_B: str="SSLv3 write client key exchange B"; break; case SSL3_ST_CW_CERT_VRFY_A: str="SSLv3 write certificate verify A"; break; -case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify A"; break; +case SSL3_ST_CW_CERT_VRFY_B: str="SSLv3 write certificate verify B"; break; case SSL3_ST_CW_CHANGE_A: case SSL3_ST_SW_CHANGE_A: str="SSLv3 write change cipher spec A"; break; @@ -145,7 +145,7 @@ case SSL3_ST_SW_CHANGE_B: str="SSLv3 write change cipher spec B"; break; case SSL3_ST_CW_FINISHED_A: case SSL3_ST_SW_FINISHED_A: str="SSLv3 write finished A"; break; case SSL3_ST_CW_FINISHED_B: -case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished A"; break; +case SSL3_ST_SW_FINISHED_B: str="SSLv3 write finished B"; break; case SSL3_ST_CR_CHANGE_A: case SSL3_ST_SR_CHANGE_A: str="SSLv3 read change cipher spec A"; break; case SSL3_ST_CR_CHANGE_B: @@ -387,6 +387,18 @@ char *SSL_alert_desc_string(int value) case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break; case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break; case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break; + case TLS1_AD_DECRYPTION_FAILED: str="DC"; break; + case TLS1_AD_RECORD_OVERFLOW: str="RO"; break; + case TLS1_AD_UNKNOWN_CA: str="CA"; break; + case TLS1_AD_ACCESS_DENIED: str="AD"; break; + case TLS1_AD_DECODE_ERROR: str="DE"; break; + case TLS1_AD_DECRYPT_ERROR: str="CY"; break; + case TLS1_AD_EXPORT_RESTRICTION: str="ER"; break; + case TLS1_AD_PROTOCOL_VERSION: str="PV"; break; + case TLS1_AD_INSUFFICIENT_SECURITY: str="IS"; break; + case TLS1_AD_INTERNAL_ERROR: str="IE"; break; + case TLS1_AD_USER_CANCELLED: str="US"; break; + case TLS1_AD_NO_RENEGOTIATION: str="NR"; break; default: str="UK"; break; } return(str); 
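Review bot: The twelve new two-letter codes in SSL_alert_desc_string come with no legend, and several are not obvious from the alert name (`"CY"` for TLS1_AD_DECRYPT_ERROR next to `"DC"` for TLS1_AD_DECRYPTION_FAILED, `"CA"` for TLS1_AD_UNKNOWN_CA). A one-line comment before the new cases would help readers of log output: `/* TLS1 alerts: two-letter codes, expanded in SSL_alert_desc_string_long() */`. The switch begins outside the hunk.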
@@ -434,6 +446,42 @@ char *SSL_alert_desc_string_long(int value) case SSL3_AD_ILLEGAL_PARAMETER: str="illegal parameter"; break; + case TLS1_AD_DECRYPTION_FAILED: + str="decryption failed"; + break; + case TLS1_AD_RECORD_OVERFLOW: + str="record overflow"; + break; + case TLS1_AD_UNKNOWN_CA: + str="unknown CA"; + break; + case TLS1_AD_ACCESS_DENIED: + str="access denied"; + break; + case TLS1_AD_DECODE_ERROR: + str="decode error"; + break; + case TLS1_AD_DECRYPT_ERROR: + str="decrypt error"; + break; + case TLS1_AD_EXPORT_RESTRICTION: + str="export restriction"; + break; + case TLS1_AD_PROTOCOL_VERSION: + str="protocol version"; + break; + case TLS1_AD_INSUFFICIENT_SECURITY: + str="insufficient security"; + break; + case TLS1_AD_INTERNAL_ERROR: + str="internal error"; + break; + case TLS1_AD_USER_CANCELLED: + str="user canceled"; + break; + case TLS1_AD_NO_RENEGOTIATION: + str="no renegotiation"; + break; default: str="unknown"; break; } return(str); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index a0758e9261..ff4f0c8ca9 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -452,8 +452,8 @@ int tls1_enc(SSL *s, int send) if (l == 0 || l%bs != 0) { SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR); - return(0); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); + return 0; } } 
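Review bot: The block-length check in tls1_enc (`l == 0 || l%bs != 0`) still raises its own SSLerr and a fatal SSL_AD_DECRYPTION_FAILED alert and returns 0, while the padding checks in the next hunk were changed to return -1 and leave all reporting to the caller; the asymmetry is deliberate only if, as its position suggests, this branch runs before the cipher is applied, where the record length is already visible on the wire, but nothing in the code says so. A comment would stop the next maintainer from folding this branch into the -1 path or doing the reverse: `/* length is public, so a distinct alert here reveals nothing about the plaintext */`. tls1_enc starts and ends outside the hunk.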
@@ -476,17 +476,18 @@ int tls1_enc(SSL *s, int send) * All of them must have value 'padding_length'. */ if (i > (int)rec->length) { - SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); - return(0); + /* Incorrect padding. SSLerr() and ssl3_alert are done + * by caller: we don't want to reveal whether this is + * a decryption error or a MAC verification failure + * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ + return -1; } for (j=(int)(l-i); j<(int)l; j++) { if (rec->data[j] != ii) { - SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); - return(0); + /* Incorrect padding */ + return -1; } } rec->length-=i; diff --git a/test/maketests.com b/test/maketests.com index 135e0bfeb9..3d1b208ddc 100644 --- a/test/maketests.com +++ b/test/maketests.com @@ -1050,6 +1050,7 @@ $! $! Save directory information $! $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;" +$ __HERE = F$EDIT(__HERE,"UPCASE") $ __TOP = __HERE - "TEST]" $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]" $! diff --git a/test/testss b/test/testss index 2f600f04d8..8d3557f356 100644 --- a/test/testss +++ b/test/testss @@ -20,6 +20,8 @@ Ucert="certU.ss" echo echo "make a certificate request using 'req'" +echo "string to make the random number generator think it has entropy" >> ./.rnd + if ../apps/openssl no-rsa; then req_new='-newkey dsa:../apps/dsa512.pem' else diff --git a/util/libeay.num b/util/libeay.num index 84ae840804..96271ed31e 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -1931,3 +1931,5 @@ DH_set_default_openssl_method 2519 EXIST::FUNCTION:DH ENGINE_get_DSA 2520 EXIST::FUNCTION: ENGINE_get_ctrl_function 2521 EXIST::FUNCTION: ENGINE_set_ctrl_function 2522 EXIST::FUNCTION: +BN_pseudo_rand_range 2523 EXIST::FUNCTION: +X509_STORE_CTX_set_verify_cb 2524 EXIST::FUNCTION: 
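Review bot: tls1_enc now has three distinct return values, 1, 0 for failures it reports itself, and the new -1 for bad padding that the caller must report as a MAC failure, but this contract is recorded only in the comment inside the first padding branch; the second branch just says `/* Incorrect padding */`, and the function header, outside the hunk, says nothing. The caller is not in this diff, so I cannot confirm that it maps -1 to SSL_AD_BAD_RECORD_MAC and the new SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC reason. If the caller skips the MAC computation when it receives -1, the response time may still differ between bad-padding and bad-MAC records even though the alert no longer does; performing the MAC computation in both cases would close that gap. Suggest a header comment on tls1_enc: `/* Returns 1 on success, 0 on an error already reported here, -1 on bad padding (caller reports it as bad_record_mac so padding and MAC failures are indistinguishable) */`.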
diff --git a/util/ssleay.num b/util/ssleay.num
index 561bac2ec9..6883733c63 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -193,3 +193,5 @@ SSL_get1_session 242 EXIST::FUNCTION:
 SSL_CTX_callback_ctrl 243 EXIST::FUNCTION:
 SSL_callback_ctrl 244 EXIST::FUNCTION:
 SSL_CTX_sessions 245 EXIST::FUNCTION:
+SSL_get_rfd 246 EXIST::FUNCTION:
+SSL_get_wfd 247 EXIST::FUNCTION: