synchronise with main 0.9.6 stable branch
This commit is contained in:
parent
c3970428ac
commit
da904c9cef
118 changed files with 2172 additions and 561 deletions
192
CHANGES
192
CHANGES
|
@ -4,18 +4,198 @@
|
|||
|
||||
Changes between 0.9.6b and 0.9.6c [XX xxx XXXX]
|
||||
|
||||
*) Add support for Broadcom crypto accelerator cards, backported
|
||||
*) [In 0.9.6c-engine release:]
|
||||
Add support for Broadcom crypto accelerator cards, backported
|
||||
from 0.9.7.
|
||||
[Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox]
|
||||
|
||||
*) Add support for SureWare crypto accelerator cards from
|
||||
*) [In 0.9.6c-engine release:]
|
||||
Add support for SureWare crypto accelerator cards from
|
||||
Baltimore Technologies. (Use engine 'sureware')
|
||||
[Baltimore Technologies and Mark Cox]
|
||||
|
||||
*) Add support for crypto accelerator cards from Accelerated
|
||||
*) [In 0.9.6c-engine release:]
|
||||
Add support for crypto accelerator cards from Accelerated
|
||||
Encryption Processing, www.aep.ie. (Use engine 'aep')
|
||||
[AEP Inc. and Mark Cox]
|
||||
|
||||
*) Add a configuration entry for gcc on UnixWare.
|
||||
[Gary Benson <gbenson@redhat.com>]
|
||||
|
||||
*) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
|
||||
messages are stored in a single piece (fixed-length part and
|
||||
variable-length part combined) and fix various bugs found on the way.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
|
||||
instead. BIO_gethostbyname() does not know what timeouts are
|
||||
appropriate, so entries would stay in cache even when they have
|
||||
become invalid.
|
||||
[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>
|
||||
|
||||
*) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
|
||||
faced with a pathologically small ClientHello fragment that does
|
||||
not contain client_version: Instead of aborting with an error,
|
||||
simply choose the highest available protocol version (i.e.,
|
||||
TLS 1.0 unless it is disabled). In practice, ClientHello
|
||||
messages are never sent like this, but this change gives us
|
||||
strictly correct behaviour at least for TLS.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
|
||||
never resets s->method to s->ctx->method when called from within
|
||||
one of the SSL handshake functions.
|
||||
[Bodo Moeller; problem pointed out by Niko Baric]
|
||||
|
||||
*) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
|
||||
(sent using the client's version number) if client_version is
|
||||
smaller than the protocol version in use. Also change
|
||||
ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
|
||||
the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
|
||||
the client will at least see that alert.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
|
||||
correctly.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
|
||||
client receives HelloRequest while in a handshake.
|
||||
[Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>]
|
||||
|
||||
*) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
|
||||
should end in 'break', not 'goto end' which circuments various
|
||||
cleanups done in state SSL_ST_OK. But session related stuff
|
||||
must be disabled for SSL_ST_OK in the case that we just sent a
|
||||
HelloRequest.
|
||||
|
||||
Also avoid some overhead by not calling ssl_init_wbio_buffer()
|
||||
before just sending a HelloRequest.
|
||||
[Bodo Moeller, Eric Rescorla <ekr@rtfm.com>]
|
||||
|
||||
*) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
|
||||
reveal whether illegal block cipher padding was found or a MAC
|
||||
verification error occured. (Neither SSLerr() codes nor alerts
|
||||
are directly visible to potential attackers, but the information
|
||||
may leak via logfiles.)
|
||||
|
||||
Similar changes are not required for the SSL 2.0 implementation
|
||||
because the number of padding bytes is sent in clear for SSL 2.0,
|
||||
and the extra bytes are just ignored. However ssl/s2_pkt.c
|
||||
failed to verify that the purported number of padding bytes is in
|
||||
the legal range.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) OpenUNIX-8 support (Boyd Lynn Gerber <gerberb@zenez.com>)
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
|
||||
'wristwatch attack' using huge encoding parameters (cf.
|
||||
James H. Manger's CRYPTO 2001 paper). Note that the
|
||||
RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
|
||||
encoding parameters and hence was not vulnerable.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) BN_sqr() bug fix.
|
||||
[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
|
||||
|
||||
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
|
||||
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
|
||||
followed by modular reduction.
|
||||
[Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>]
|
||||
|
||||
*) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
|
||||
equivalent based on BN_pseudo_rand() instead of BN_rand().
|
||||
[Bodo Moeller]
|
||||
|
||||
*) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
|
||||
This function was broken, as the check for a new client hello message
|
||||
to handle SGC did not allow these large messages.
|
||||
(Tracked down by "Douglas E. Engert" <deengert@anl.gov>.)
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
|
||||
for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) Rework the configuration and shared library support for Tru64 Unix.
|
||||
The configuration part makes use of modern compiler features and
|
||||
still retains old compiler behavior for those that run older versions
|
||||
of the OS. The shared library support part includes a variant that
|
||||
uses the RPATH feature, and is available through the special
|
||||
configuration target "alpha-cc-rpath", which will never be selected
|
||||
automatically.
|
||||
[Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte]
|
||||
|
||||
*) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
|
||||
with the same message size as in ssl3_get_certificate_request().
|
||||
Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
|
||||
messages might inadvertently be reject as too long.
|
||||
[Petr Lampa <lampa@fee.vutbr.cz>]
|
||||
|
||||
*) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX).
|
||||
[Andy Polyakov]
|
||||
|
||||
*) Modified SSL library such that the verify_callback that has been set
|
||||
specificly for an SSL object with SSL_set_verify() is actually being
|
||||
used. Before the change, a verify_callback set with this function was
|
||||
ignored and the verify_callback() set in the SSL_CTX at the time of
|
||||
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
|
||||
to allow the necessary settings.
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c
|
||||
explicitly to NULL, as at least on Solaris 8 this seems not always to be
|
||||
done automatically (in contradiction to the requirements of the C
|
||||
standard). This made problems when used from OpenSSH.
|
||||
[Lutz Jaenicke]
|
||||
|
||||
*) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
|
||||
dh->length and always used
|
||||
|
||||
BN_rand_range(priv_key, dh->p).
|
||||
|
||||
BN_rand_range() is not necessary for Diffie-Hellman, and this
|
||||
specific range makes Diffie-Hellman unnecessarily inefficient if
|
||||
dh->length (recommended exponent length) is much smaller than the
|
||||
length of dh->p. We could use BN_rand_range() if the order of
|
||||
the subgroup was stored in the DH structure, but we only have
|
||||
dh->length.
|
||||
|
||||
So switch back to
|
||||
|
||||
BN_rand(priv_key, l, ...)
|
||||
|
||||
where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
|
||||
otherwise.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) In
|
||||
|
||||
RSA_eay_public_encrypt
|
||||
RSA_eay_private_decrypt
|
||||
RSA_eay_private_encrypt (signing)
|
||||
RSA_eay_public_decrypt (signature verification)
|
||||
|
||||
(default implementations for RSA_public_encrypt,
|
||||
RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt),
|
||||
always reject numbers >= n.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
|
||||
to synchronize access to 'locking_thread'. This is necessary on
|
||||
systems where access to 'locking_thread' (an 'unsigned long'
|
||||
variable) is not atomic.
|
||||
[Bodo Moeller]
|
||||
|
||||
*) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
|
||||
*before* setting the 'crypto_lock_rand' flag. The previous code had
|
||||
a race condition if 0 is a valid thread ID.
|
||||
[Travis Vitek <vitek@roguewave.com>]
|
||||
|
||||
Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
|
||||
|
||||
*) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
|
||||
|
@ -70,7 +250,7 @@
|
|||
[Ulf Möller, Bodo Möller]
|
||||
|
||||
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
|
||||
RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
|
||||
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
|
||||
when fixing the server behaviour for backwards-compatible 'client
|
||||
hello' messages. (Note that the attack is impractical against
|
||||
SSL 3.0 and TLS 1.0 anyway because length and version checking
|
||||
|
@ -120,7 +300,7 @@
|
|||
combination of a flag and a thread ID variable.
|
||||
Otherwise while one thread is in ssleay_rand_bytes (which sets the
|
||||
flag), *other* threads can enter ssleay_add_bytes without obeying
|
||||
the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
|
||||
the CRYPTO_LOCK_RAND lock (and may even illegally release the lock
|
||||
that they do not hold after the first thread unsets add_do_not_lock).
|
||||
[Bodo Moeller]
|
||||
|
||||
|
@ -762,7 +942,7 @@
|
|||
default is static libraries only, and the OpenSSL programs
|
||||
are always statically linked for now, but there are
|
||||
preparations for dynamic linking in place.
|
||||
This has been tested on Linux and True64.
|
||||
This has been tested on Linux and Tru64.
|
||||
[Richard Levitte]
|
||||
|
||||
*) Randomness polling function for Win9x, as described in:
|
||||
|
|
55
Configure
55
Configure
|
@ -125,10 +125,10 @@ my %table=(
|
|||
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
|
||||
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
|
||||
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-ulf", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
|
||||
"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
|
||||
"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
|
||||
"dist", "cc:-O::(unknown):::::",
|
||||
|
||||
# Basic configs that should work on any (32 and less bit) box
|
||||
|
@ -276,12 +276,39 @@ my %table=(
|
|||
#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
|
||||
"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
|
||||
|
||||
# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with
|
||||
# the new compiler
|
||||
# Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion
|
||||
# from the older DEC C Compiler to the newer compiler. It's now the
|
||||
# same as the preferred entry, alpha-cc. If you are still using the
|
||||
# older compiler (you're at 3.x or earlier, or perhaps very early 4.x)
|
||||
# you should use `alphaold-cc'.
|
||||
#
|
||||
# "What's in a name? That which we call a rose
|
||||
# By any other word would smell as sweet."
|
||||
#
|
||||
# - William Shakespeare, "Romeo & Juliet", Act II, scene II.
|
||||
#
|
||||
# For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the
|
||||
# vendor compiler, use alphaold-cc.
|
||||
# For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc.
|
||||
# For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc.
|
||||
#
|
||||
# There's also an alternate target available (which `config' will never
|
||||
# select) called alpha-cc-rpath. This target builds an RPATH into the
|
||||
# shared libraries, which is very convenient on Tru64 since binaries
|
||||
# linked against that shared library will automatically inherit that RPATH,
|
||||
# and hence know where to look for the openssl libraries, even if they're in
|
||||
# an odd place.
|
||||
#
|
||||
# For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
|
||||
"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:tru64-shared::.so",
|
||||
"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
|
||||
"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
|
||||
#
|
||||
"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
|
||||
"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
|
||||
"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
|
||||
"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
|
||||
"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath::.so",
|
||||
#
|
||||
# This probably belongs in a different section.
|
||||
#
|
||||
"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
||||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
|
@ -315,7 +342,7 @@ my %table=(
|
|||
"linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
|
||||
"linux-m68k", "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
|
||||
"linux-s390", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
|
||||
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::",
|
||||
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
@ -347,6 +374,16 @@ my %table=(
|
|||
"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
|
||||
# OpenUNIX 8
|
||||
"OpenUNIX","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
|
||||
"OpenUNIX-8-shared","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic",
|
||||
"OpenUNIX-8-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC",
|
||||
|
||||
# IBM's AIX.
|
||||
"aix-cc", "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
|
||||
|
|
67
FAQ
67
FAQ
|
@ -8,6 +8,7 @@ OpenSSL - Frequently Asked Questions
|
|||
* How can I contact the OpenSSL developers?
|
||||
* Where can I get a compiled version of OpenSSL?
|
||||
* Why aren't tools like 'autoconf' and 'libtool' used?
|
||||
* What is an 'engine' version?
|
||||
|
||||
[LEGAL] Legal questions
|
||||
|
||||
|
@ -33,7 +34,7 @@ OpenSSL - Frequently Asked Questions
|
|||
* Why does the linker complain about undefined symbols?
|
||||
* Why does the OpenSSL test fail with "bc: command not found"?
|
||||
* Why does the OpenSSL test fail with "bc: 1 no implemented"?
|
||||
* Why does the OpenSSL compilation fail on Alpha True64 Unix?
|
||||
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
|
||||
* Why does the OpenSSL compilation fail with "ar: command not found"?
|
||||
* Why does the OpenSSL compilation fail on Win32 with VC++?
|
||||
|
||||
|
@ -121,6 +122,12 @@ A number of Linux and *BSD distributions include OpenSSL.
|
|||
autoconf will probably be used in future OpenSSL versions. If it was
|
||||
less Unix-centric, it might have been used much earlier.
|
||||
|
||||
* What is an 'engine' version?
|
||||
|
||||
With version 0.9.6 OpenSSL was extended to interface to external crypto
|
||||
hardware. This was realized in a special release '0.9.6-engine'. With
|
||||
version 0.9.7 (not yet released) the changes were merged into the main
|
||||
development line, so that the special release is no longer necessary.
|
||||
|
||||
[LEGAL] =======================================================================
|
||||
|
||||
|
@ -146,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
|
|||
their software on operating systems that don't normally include OpenSSL.
|
||||
|
||||
If you develop open source software that uses OpenSSL, you may find it
|
||||
useful to choose an other license than the GPL, or state explicitely that
|
||||
useful to choose an other license than the GPL, or state explicitly that
|
||||
"This program is released under the GPL with the additional exemption that
|
||||
compiling, linking, and/or using OpenSSL is allowed." If you are using
|
||||
GPL software developed by others, you may want to ask the copyright holder
|
||||
|
@ -186,7 +193,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd.
|
|||
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
|
||||
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
|
||||
default seeding file at all. OpenSSL 0.9.6b and later will behave
|
||||
similarly to 0.9.6a, but will use a default of "C:" for HOME on
|
||||
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
|
||||
Windows systems if the environment variable has not been set.
|
||||
|
||||
If the default seeding file does not exist or is too short, the "PRNG
|
||||
|
@ -297,7 +304,7 @@ there is little point presenting a certificate which the server will
|
|||
reject.
|
||||
|
||||
The solution is to add the relevant CA certificate to your servers "trusted
|
||||
CA list". How you do this depends on the server sofware in uses. You can
|
||||
CA list". How you do this depends on the server software in uses. You can
|
||||
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
|
||||
|
||||
openssl s_client -connect www.some.host:443 -prexit
|
||||
|
@ -359,9 +366,9 @@ and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
|
|||
for download instructions) can be safely used, for example.
|
||||
|
||||
|
||||
* Why does the OpenSSL compilation fail on Alpha True64 Unix?
|
||||
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
|
||||
|
||||
On some Alpha installations running True64 Unix and Compaq C, the compilation
|
||||
On some Alpha installations running Tru64 Unix and Compaq C, the compilation
|
||||
of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual
|
||||
memory to continue compilation.' As far as the tests have shown, this may be
|
||||
a compiler bug. What happens is that it eats up a lot of resident memory
|
||||
|
@ -523,44 +530,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information.
|
|||
|
||||
* Why can't the OpenSSH configure script detect OpenSSL?
|
||||
|
||||
There is a problem with OpenSSH 1.2.2p1, in that the configure script
|
||||
can't find the installed OpenSSL libraries. The problem is actually
|
||||
a small glitch that is easily solved with the following patch to be
|
||||
applied to the OpenSSH distribution:
|
||||
|
||||
----- snip:start -----
|
||||
--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
|
||||
+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
|
||||
@@ -152,10 +152,10 @@
|
||||
AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
|
||||
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
|
||||
if test ! -z "$ssldir" ; then
|
||||
- LIBS="$saved_LIBS -L$ssldir"
|
||||
+ LIBS="$saved_LIBS -L$ssldir/lib"
|
||||
CFLAGS="$CFLAGS -I$ssldir/include"
|
||||
if test "x$need_dash_r" = "x1" ; then
|
||||
- LIBS="$LIBS -R$ssldir"
|
||||
+ LIBS="$LIBS -R$ssldir/lib"
|
||||
fi
|
||||
fi
|
||||
LIBS="$LIBS -lcrypto"
|
||||
--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
|
||||
+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
|
||||
@@ -1890,10 +1890,10 @@
|
||||
echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
|
||||
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
|
||||
if test ! -z "$ssldir" ; then
|
||||
- LIBS="$saved_LIBS -L$ssldir"
|
||||
+ LIBS="$saved_LIBS -L$ssldir/lib"
|
||||
CFLAGS="$CFLAGS -I$ssldir/include"
|
||||
if test "x$need_dash_r" = "x1" ; then
|
||||
- LIBS="$LIBS -R$ssldir"
|
||||
+ LIBS="$LIBS -R$ssldir/lib"
|
||||
fi
|
||||
fi
|
||||
LIBS="$LIBS -lcrypto"
|
||||
----- snip:end -----
|
||||
Several reasons for problems with the automatic detection exist.
|
||||
OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
|
||||
Sometimes the distribution has installed an older version in the system
|
||||
locations that is detected instead of a new one installed. The OpenSSL
|
||||
library might have been compiled for another CPU or another mode (32/64 bits).
|
||||
Permissions might be wrong.
|
||||
|
||||
The general answer is to check the config.log file generated when running
|
||||
the OpenSSH configure script. It should contain the detailed information
|
||||
on why the OpenSSL library was not detected or considered incompatible.
|
||||
|
||||
* Can I use OpenSSL's SSL library with non-blocking I/O?
|
||||
|
||||
|
@ -579,7 +558,7 @@ SSL_write() will try to continue any pending handshake.
|
|||
* Why doesn't my server application receive a client certificate?
|
||||
|
||||
Due to the TLS protocol definition, a client will only send a certificate,
|
||||
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
|
||||
if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
|
||||
SSL_CTX_set_verify() function to enable the use of client certificates.
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
OpenSSL - Port To The Macintosh
|
||||
===============================
|
||||
OpenSSL - Port To The Macintosh OS 9 or Earlier
|
||||
===============================================
|
||||
|
||||
Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
|
||||
X) is now provided. "Initial" means that unlike other platforms where you
|
||||
|
@ -42,7 +42,7 @@ Installation procedure:
|
|||
BSD sockets and some other POSIX APIs. The GUSI distribution is
|
||||
expected to be found in the same directory as openssl source tree,
|
||||
i.e. in the parent directory to the one where this very file,
|
||||
namely INSTALL.MacOS. For more informations about GUSI, see
|
||||
namely INSTALL.MacOS. For more information about GUSI, see
|
||||
http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
|
||||
|
||||
Finally some essential comments from our generous contributor:-)
|
||||
|
|
41
Makefile.org
41
Makefile.org
|
@ -263,7 +263,7 @@ do_gnu-shared:
|
|||
done
|
||||
|
||||
# This assumes that GNU utilities are *not* used
|
||||
do_tru64-shared:
|
||||
do_alpha-osf1-shared:
|
||||
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
( set -x; ${CC} -shared -no_archive -o lib$$i.so \
|
||||
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
|
||||
|
@ -271,6 +271,30 @@ do_tru64-shared:
|
|||
libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
# This assumes that GNU utilities are *not* used
|
||||
# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
|
||||
# option passed to the linker.
|
||||
do_tru64-shared:
|
||||
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
( set -x; ${CC} -shared -msym -no_archive -o lib$$i.so \
|
||||
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
|
||||
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
|
||||
libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
# This assumes that GNU utilities are *not* used
|
||||
# The difference between tru64-shared and tru64-shared-rpath is the
|
||||
# -rpath ${INSTALLTOP}/lib passed to the linker.
|
||||
do_tru64-shared-rpath:
|
||||
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
( set -x; ${CC} -shared -msym -no_archive -o lib$$i.so \
|
||||
-rpath ${INSTALLTOP}/lib \
|
||||
-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
|
||||
-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
|
||||
libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
|
||||
# This assumes that GNU utilities are *not* used
|
||||
do_solaris-shared:
|
||||
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
|
@ -281,6 +305,21 @@ do_solaris-shared:
|
|||
libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
# UnixWare 7 and OpenUNIX 8 native compilers used
|
||||
do_svr5-shared:
|
||||
libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
|
||||
( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
|
||||
find . -name "*.o" -print > allobjs ; \
|
||||
OBJS= ; export OBJS ; \
|
||||
for obj in `ar t lib$$i.a` ; do \
|
||||
OBJS="$${OBJS} `grep $$obj allobjs`" ; \
|
||||
done ; \
|
||||
set -x; ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
|
||||
$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
|
||||
libs="$$libs -l$$i"; \
|
||||
done
|
||||
|
||||
Makefile.ssl: Makefile.org
|
||||
@echo "Makefile.ssl is older than Makefile.org."
|
||||
@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
|
||||
|
|
7
NEWS
7
NEWS
|
@ -5,6 +5,13 @@
|
|||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
|
||||
|
||||
o Various SSL/TLS library bugfixes.
|
||||
o BIGNUM library fixes.
|
||||
o Add crypto accelerator support for AEP, Baltimore SureWare,
|
||||
Broadcom [in 0.9.6c-engine release].
|
||||
|
||||
Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
|
||||
|
||||
o Security fix: PRNG improvements.
|
||||
|
|
12
README
12
README
|
@ -62,7 +62,7 @@
|
|||
|
||||
X.509v3 certificates
|
||||
X509 encoding/decoding into/from binary ASN1 and a PEM
|
||||
based ascii-binary encoding which supports encryption with a
|
||||
based ASCII-binary encoding which supports encryption with a
|
||||
private key. Program to generate RSA and DSA certificate
|
||||
requests and to generate RSA and DSA certificates.
|
||||
|
||||
|
@ -97,7 +97,7 @@
|
|||
locations around the world. _YOU_ are responsible for ensuring that your use
|
||||
of any algorithms is legal by checking if there are any patents in your
|
||||
country. The file contains some of the patents that we know about or are
|
||||
rumoured to exist. This is not a definitive list.
|
||||
rumored to exist. This is not a definitive list.
|
||||
|
||||
RSA Security holds software patents on the RC5 algorithm. If you
|
||||
intend to use this cipher, you must contact RSA Security for
|
||||
|
@ -107,8 +107,8 @@
|
|||
only be used with RSA Security's permission.
|
||||
|
||||
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
|
||||
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
|
||||
be contacted if that algorithm is to be used, their web page is
|
||||
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
|
||||
should be contacted if that algorithm is to be used; their web page is
|
||||
http://www.ascom.ch/.
|
||||
|
||||
INSTALLATION
|
||||
|
@ -119,8 +119,8 @@
|
|||
INSTALL.VMS.
|
||||
|
||||
Read the documentation in the doc/ directory. It is quite rough, but it
|
||||
lists the functions, you will probably have to look at the code to work out
|
||||
how to used them. Look at the example programs.
|
||||
lists the functions; you will probably have to look at the code to work out
|
||||
how to use them. Look at the example programs.
|
||||
|
||||
SUPPORT
|
||||
-------
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
With OpenSSL 0.9.6, a new component has been added to support external
|
||||
crypto devices, for example accelerator cards. The component is called
|
||||
ENGINE, and has still a pretty experimental status and almost no
|
||||
documentation. It's designed to be faily easily extensible by the
|
||||
documentation. It's designed to be fairly easily extensible by the
|
||||
calling programs.
|
||||
|
||||
There's currently built-in support for the following crypto devices:
|
||||
|
@ -48,7 +48,7 @@
|
|||
No external crypto device is chosen unless you say so. You have actively
|
||||
tell the openssl utility commands to use it through a new command line
|
||||
switch called "-engine". And if you want to use the ENGINE library to
|
||||
do something similar, you must also explicitely choose an external crypto
|
||||
do something similar, you must also explicitly choose an external crypto
|
||||
device, or the built-in crypto routines will be used, just as in the
|
||||
default OpenSSL distribution.
|
||||
|
||||
|
@ -56,7 +56,7 @@
|
|||
PROBLEMS
|
||||
========
|
||||
|
||||
It seems like the ENGINE part doesn't work too well with Cryptoswift on
|
||||
It seems like the ENGINE part doesn't work too well with CryptoSwift on
|
||||
Win32. A quick test done right before the release showed that trying
|
||||
"openssl speed -engine cswift" generated errors. If the DSO gets enabled,
|
||||
an attempt is made to write at memory address 0x00000002.
|
||||
|
|
32
STATUS
32
STATUS
|
@ -1,9 +1,11 @@
|
|||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2001/04/05 17:48:02 $
|
||||
______________ $Date: 2001/11/12 22:26:22 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
o OpenSSL 0.9.7: Under development...
|
||||
o OpenSSL 0.9.6b: Released on July 9th, 2001
|
||||
o OpenSSL 0.9.6a: Released on April 5th, 2001
|
||||
o OpenSSL 0.9.6: Released on September 24th, 2000
|
||||
o OpenSSL 0.9.5a: Released on April 1st, 2000
|
||||
|
@ -18,6 +20,11 @@
|
|||
|
||||
AVAILABLE PATCHES
|
||||
|
||||
o IA-64 (a.k.a. Intel Itanium) public-key operation performance
|
||||
patch for Linux is available for download at
|
||||
http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
|
||||
suggests the patch is relative to OpenSSL 0.9.6b.
|
||||
|
||||
IN PROGRESS
|
||||
|
||||
o Steve is currently working on (in no particular order):
|
||||
|
@ -31,12 +38,13 @@
|
|||
o Geoff and Richard are currently working on:
|
||||
ENGINE (the new code that gives hardware support among others).
|
||||
o Richard is currently working on:
|
||||
UI (User Interface)
|
||||
UTIL (a new set of library functions to support some higher level
|
||||
functionality that is currently missing).
|
||||
Shared library support for VMS.
|
||||
OCSP
|
||||
Kerberos 5 authentication
|
||||
Constification
|
||||
OCSP
|
||||
|
||||
NEEDS PATCH
|
||||
|
||||
|
@ -49,13 +57,9 @@
|
|||
o Whenever strncpy is used, make sure the resulting string is NULL-terminated
|
||||
or an error is reported
|
||||
|
||||
OPEN ISSUES
|
||||
o "OpenSSL STATUS" is never up-to-date.
|
||||
|
||||
o crypto/ex_data.c is not really thread-safe and so must be used
|
||||
with care (e.g., extra locking where necessary, or don't call
|
||||
CRYPTO_get_ex_new_index once multiple threads exist).
|
||||
The current API is not suitable for everything that it pretends
|
||||
to offer.
|
||||
OPEN ISSUES
|
||||
|
||||
o The Makefile hierarchy and build mechanism is still not a round thing:
|
||||
|
||||
|
@ -99,4 +103,14 @@
|
|||
|
||||
WISHES
|
||||
|
||||
o
|
||||
o SRP in TLS.
|
||||
[wished by:
|
||||
Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
|
||||
Tom Holroyd <tomh@po.crl.go.jp>]
|
||||
|
||||
See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
|
||||
as well as http://www-cs-students.stanford.edu/~tjw/srp/.
|
||||
|
||||
Tom Holroyd tells us there is a SRP patch for OpenSSH at
|
||||
http://members.tripod.com/professor_tom/archives/, that could
|
||||
be useful.
|
||||
|
|
250
TABLE
250
TABLE
|
@ -352,6 +352,160 @@ $shared_cflag = -fPIC
|
|||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca
|
||||
$unistd =
|
||||
$thread_cflag = -Kthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca
|
||||
$unistd =
|
||||
$thread_cflag = -Kthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8-gcc
|
||||
$cc = gcc
|
||||
$cflags = -O -DFILIO_H -fomit-frame-pointer
|
||||
$unistd =
|
||||
$thread_cflag = -pthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8-gcc-shared
|
||||
$cc = gcc
|
||||
$cflags = -O3 -DFILIO_H -fomit-frame-pointer
|
||||
$unistd =
|
||||
$thread_cflag = -pthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
|
||||
$bn_obj = asm/bn86-elf.o asm/co86-elf.o
|
||||
$des_obj = asm/dx86-elf.o asm/yx86-elf.o
|
||||
$bf_obj = asm/bx86-elf.o
|
||||
$md5_obj = asm/mx86-elf.o
|
||||
$sha1_obj = asm/sx86-elf.o
|
||||
$cast_obj = asm/cx86-elf.o
|
||||
$rc4_obj = asm/rx86-elf.o
|
||||
$rmd160_obj = asm/rm86-elf.o
|
||||
$rc5_obj = asm/r586-elf.o
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= svr5-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8-pentium
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca -Kpentium
|
||||
$unistd =
|
||||
$thread_cflag = -Kthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8-pentium_pro
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca -Kpentium_pro
|
||||
$unistd =
|
||||
$thread_cflag = -Kthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** OpenUNIX-8-shared
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca
|
||||
$unistd =
|
||||
$thread_cflag = -Kthread
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= svr5-shared
|
||||
$shared_cflag = -Kpic
|
||||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** ReliantUNIX
|
||||
$cc = cc
|
||||
$cflags = -KPIC -g -DSNI -DTERMIOS -DB_ENDIAN
|
||||
|
@ -640,9 +794,9 @@ $ranlib =
|
|||
|
||||
*** alpha-cc
|
||||
$cc = cc
|
||||
$cflags = -std1 -tune host -O4 -readonly_strings
|
||||
$cflags = -std1 -tune host -fast -readonly_strings
|
||||
$unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$thread_cflag = -pthread
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
$bn_obj =
|
||||
|
@ -660,6 +814,28 @@ $shared_cflag =
|
|||
$shared_extension = .so
|
||||
$ranlib =
|
||||
|
||||
*** alpha-cc-rpath
|
||||
$cc = cc
|
||||
$cflags = -std1 -tune host -fast -readonly_strings
|
||||
$unistd =
|
||||
$thread_cflag = -pthread
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= tru64-shared-rpath
|
||||
$shared_cflag =
|
||||
$shared_extension = .so
|
||||
$ranlib =
|
||||
|
||||
*** alpha-gcc
|
||||
$cc = gcc
|
||||
$cflags = -O3
|
||||
|
@ -677,7 +853,7 @@ $rc4_obj =
|
|||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= tru64-shared
|
||||
$shared_target= alpha-osf1-shared
|
||||
$shared_cflag =
|
||||
$shared_extension = .so
|
||||
$ranlib =
|
||||
|
@ -686,6 +862,28 @@ $ranlib =
|
|||
$cc = cc
|
||||
$cflags = -std1 -tune host -fast -readonly_strings
|
||||
$unistd =
|
||||
$thread_cflag = -pthread
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= tru64-shared
|
||||
$shared_cflag =
|
||||
$shared_extension = .so
|
||||
$ranlib =
|
||||
|
||||
*** alphaold-cc
|
||||
$cc = cc
|
||||
$cflags = -std1 -tune host -O4 -readonly_strings
|
||||
$unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK
|
||||
|
@ -699,7 +897,7 @@ $rc4_obj =
|
|||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= tru64-shared
|
||||
$shared_target= alpha-osf1-shared
|
||||
$shared_cflag =
|
||||
$shared_extension = .so
|
||||
$ranlib =
|
||||
|
@ -904,7 +1102,7 @@ $ranlib =
|
|||
|
||||
*** debug-bodo
|
||||
$cc = gcc
|
||||
$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall
|
||||
$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$lflags =
|
||||
|
@ -926,7 +1124,7 @@ $ranlib =
|
|||
|
||||
*** debug-levitte-linux-elf
|
||||
$cc = gcc
|
||||
$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe
|
||||
$cflags = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$lflags = -ldl
|
||||
|
@ -1124,7 +1322,7 @@ $ranlib =
|
|||
|
||||
*** debug-ulf
|
||||
$cc = gcc
|
||||
$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe
|
||||
$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$lflags =
|
||||
|
@ -1874,10 +2072,10 @@ $ranlib =
|
|||
$cc = gcc
|
||||
$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
|
||||
$unistd =
|
||||
$thread_cflag = (unknown)
|
||||
$lflags =
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG
|
||||
$bn_obj =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$lflags = -ldl
|
||||
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
|
||||
$bn_obj = asm/ia64.o
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
|
@ -1886,10 +2084,10 @@ $cast_obj =
|
|||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme =
|
||||
$shared_target=
|
||||
$shared_cflag =
|
||||
$shared_extension =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= linux-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
|
||||
*** linux-m68k
|
||||
|
@ -2728,6 +2926,28 @@ $shared_cflag =
|
|||
$shared_extension =
|
||||
$ranlib =
|
||||
|
||||
*** unixware-7-gcc
|
||||
$cc = gcc
|
||||
$cflags = -DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall
|
||||
$unistd =
|
||||
$thread_cflag = -D_REENTRANT
|
||||
$lflags = -lsocket -lnsl
|
||||
$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
|
||||
$bn_obj =
|
||||
$des_obj =
|
||||
$bf_obj =
|
||||
$md5_obj =
|
||||
$sha1_obj =
|
||||
$cast_obj =
|
||||
$rc4_obj =
|
||||
$rmd160_obj =
|
||||
$rc5_obj =
|
||||
$dso_scheme = dlfcn
|
||||
$shared_target= gnu-shared
|
||||
$shared_cflag = -fPIC
|
||||
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
|
||||
$ranlib =
|
||||
|
||||
*** unixware-7-pentium
|
||||
$cc = cc
|
||||
$cflags = -O -DFILIO_H -Kalloca -Kpentium
|
||||
|
|
|
@ -1133,6 +1133,7 @@ $!
|
|||
$! Save directory information
|
||||
$!
|
||||
$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
|
||||
$ __HERE = F$EDIT(__HERE,"UPCASE")
|
||||
$ __TOP = __HERE - "APPS]"
|
||||
$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
|
||||
$!
|
||||
|
|
|
@ -392,8 +392,7 @@ bad:
|
|||
BIO_printf(bio_err," the random number generator\n");
|
||||
BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
|
||||
BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
|
||||
|
||||
BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2)\n");
|
||||
BIO_printf(bio_err," -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
|
||||
BIO_printf(bio_err," -config file request template file.\n");
|
||||
BIO_printf(bio_err," -new new request.\n");
|
||||
BIO_printf(bio_err," -x509 output a x509 structure instead of a cert. req.\n");
|
||||
|
|
|
@ -928,5 +928,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
|
|||
BIO_printf(bio,"---\n");
|
||||
if (peer != NULL)
|
||||
X509_free(peer);
|
||||
/* flush, or debugging output gets mixed with http response */
|
||||
BIO_flush(bio);
|
||||
}
|
||||
|
||||
|
|
32
config
32
config
|
@ -68,6 +68,11 @@ if [ "x$XREL" != "x" ]; then
|
|||
4.2)
|
||||
echo "whatever-whatever-unixware1"; exit 0
|
||||
;;
|
||||
OpenUNIX)
|
||||
if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
|
||||
echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
|
||||
fi
|
||||
;;
|
||||
5)
|
||||
if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
|
||||
echo "${MACHINE}-sco-unixware7"; exit 0
|
||||
|
@ -195,9 +200,24 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
|
|||
echo "${MACHINE}-whatever-openbsd"; exit 0
|
||||
;;
|
||||
|
||||
OpenUNIX:*)
|
||||
echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
|
||||
;;
|
||||
|
||||
OSF1:*:*:*alpha*)
|
||||
OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'`
|
||||
case "$OSFMAJOR" in
|
||||
4|5)
|
||||
echo "${MACHINE}-dec-tru64"; exit 0
|
||||
;;
|
||||
1|2|3)
|
||||
echo "${MACHINE}-dec-osf"; exit 0
|
||||
;;
|
||||
*)
|
||||
echo "${MACHINE}-dec-osf"; exit 0
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
|
||||
QNX:*)
|
||||
case "$VERSION" in
|
||||
|
@ -485,7 +505,15 @@ case "$GUESSOS" in
|
|||
pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
|
||||
*-*-openbsd) OUT="OpenBSD" ;;
|
||||
*86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
|
||||
*-*-osf) OUT="alpha-cc" ;;
|
||||
*-*-osf) OUT="alphaold-cc" ;;
|
||||
*-*-tru64) OUT="alpha-cc" ;;
|
||||
*-*-OpenUNIX*)
|
||||
if [ "$CC" = "gcc" ]; then
|
||||
OUT="OpenUNIX-8-gcc"
|
||||
else
|
||||
OUT="OpenUNIX-8"
|
||||
fi
|
||||
;;
|
||||
*-*-unixware7) OUT="unixware-7" ;;
|
||||
*-*-UnixWare7) OUT="unixware-7" ;;
|
||||
*-*-Unixware7) OUT="unixware-7" ;;
|
||||
|
@ -549,7 +577,7 @@ case "$GUESSOS" in
|
|||
i386-*) options="$options 386" ;;
|
||||
esac
|
||||
|
||||
for i in bf cast des dh dsa hmac md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
|
||||
for i in bf cast des dh dsa hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
|
||||
do
|
||||
if [ ! -d crypto/$i ]
|
||||
then
|
||||
|
|
|
@ -105,9 +105,9 @@ int ASN1_STRING_set_default_mask_asc(char *p)
|
|||
mask = strtoul(p + 5, &end, 0);
|
||||
if(*end) return 0;
|
||||
} else if(!strcmp(p, "nombstr"))
|
||||
mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
|
||||
mask = ~((unsigned long)(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING));
|
||||
else if(!strcmp(p, "pkix"))
|
||||
mask = ~B_ASN1_T61STRING;
|
||||
mask = ~((unsigned long)B_ASN1_T61STRING);
|
||||
else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
|
||||
else if(!strcmp(p, "default"))
|
||||
mask = 0xFFFFFFFFL;
|
||||
|
|
|
@ -345,13 +345,18 @@ static void ghbn_free(struct hostent *a)
|
|||
|
||||
struct hostent *BIO_gethostbyname(const char *name)
|
||||
{
|
||||
#if 1
|
||||
/* Caching gethostbyname() results forever is wrong,
|
||||
* so we have to let the true gethostbyname() worry about this */
|
||||
return gethostbyname(name);
|
||||
#else
|
||||
struct hostent *ret;
|
||||
int i,lowi=0,j;
|
||||
unsigned long low= (unsigned long)-1;
|
||||
|
||||
/* return(gethostbyname(name)); */
|
||||
|
||||
#if 0 /* It doesn't make sense to use locking here: The function interface
|
||||
# if 0
|
||||
/* It doesn't make sense to use locking here: The function interface
|
||||
* is not thread-safe, because threads can never be sure when
|
||||
* some other thread destroys the data they were given a pointer to.
|
||||
*/
|
||||
|
@ -393,7 +398,8 @@ struct hostent *BIO_gethostbyname(const char *name)
|
|||
goto end;
|
||||
if (j > 128) /* too big to cache */
|
||||
{
|
||||
#if 0 /* If we were trying to make this function thread-safe (which
|
||||
# if 0
|
||||
/* If we were trying to make this function thread-safe (which
|
||||
* is bound to fail), we'd have to give up in this case
|
||||
* (or allocate more memory). */
|
||||
ret = NULL;
|
||||
|
@ -425,8 +431,10 @@ end:
|
|||
CRYPTO_w_unlock(CRYPTO_LOCK_GETHOSTBYNAME);
|
||||
# endif
|
||||
return(ret);
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
int BIO_sock_init(void)
|
||||
{
|
||||
#ifdef WINDOWS
|
||||
|
|
|
@ -431,7 +431,7 @@ int BIO_read_filename(BIO *b,const char *name);
|
|||
#define BIO_set_ssl_renegotiate_bytes(b,num) \
|
||||
BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
|
||||
#define BIO_get_num_renegotiates(b) \
|
||||
BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL);
|
||||
BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
|
||||
#define BIO_set_ssl_renegotiate_timeout(b,seconds) \
|
||||
BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
|
||||
|
||||
|
|
|
@ -474,7 +474,8 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
|
|||
break;
|
||||
|
||||
case BIO_C_GET_WRITE_BUF_SIZE:
|
||||
num = (long) b->size;
|
||||
ret = (long) b->size;
|
||||
break;
|
||||
|
||||
case BIO_C_MAKE_BIO_PAIR:
|
||||
{
|
||||
|
|
|
@ -124,6 +124,8 @@ asm/sparcv8plus-gcc27.o: asm/sparcv8plus.S
|
|||
$(CC) $(ASFLAGS) -E asm/sparcv8plus.S | \
|
||||
/usr/ccs/bin/as -xarch=v8plus - -o asm/sparcv8plus-gcc27.o
|
||||
|
||||
asm/ia64.o: asm/ia64.S
|
||||
|
||||
files:
|
||||
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
|
||||
|
||||
|
|
|
@ -90,8 +90,10 @@ extern "C" {
|
|||
* be on. Again this in only really a problem on machines
|
||||
* using "long long's", are 32bit, and are not using my assembler code. */
|
||||
#if defined(MSDOS) || defined(WINDOWS) || defined(WIN32) || defined(linux)
|
||||
# ifndef BN_DIV2W
|
||||
# define BN_DIV2W
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* assuming long is 64bit - this is the DEC Alpha
|
||||
* unsigned long long is only 64 bits :-(, don't define
|
||||
|
@ -329,6 +331,7 @@ void BN_CTX_end(BN_CTX *ctx);
|
|||
int BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
|
||||
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
|
||||
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
|
||||
int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
|
||||
int BN_num_bits(const BIGNUM *a);
|
||||
int BN_num_bits_word(BN_ULONG);
|
||||
BIGNUM *BN_new(void);
|
||||
|
|
|
@ -128,7 +128,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
|
|||
|
||||
#if !defined(NO_ASM) && !defined(NO_INLINE_ASM) && !defined(PEDANTIC) && !defined(BN_DIV3W)
|
||||
# if defined(__GNUC__) && __GNUC__>=2
|
||||
# if defined(__i386)
|
||||
# if defined(__i386) || defined (__i386__)
|
||||
/*
|
||||
* There were two reasons for implementing this template:
|
||||
* - GNU C generates a call to a function (__udivdi3 to be exact)
|
||||
|
|
|
@ -225,12 +225,15 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
|
|||
BN_MONT_CTX *mont = NULL;
|
||||
const BIGNUM *A = NULL;
|
||||
|
||||
if (BN_cmp(a, BN_value_one()) <= 0)
|
||||
return 0;
|
||||
|
||||
if (checks == BN_prime_checks)
|
||||
checks = BN_prime_checks_for_size(BN_num_bits(a));
|
||||
|
||||
/* first look for small factors */
|
||||
if (!BN_is_odd(a))
|
||||
return(0);
|
||||
return 0;
|
||||
if (do_trial_division)
|
||||
{
|
||||
for (i = 1; i < NUMPRIMES; i++)
|
||||
|
@ -289,10 +292,7 @@ int BN_is_prime_fasttest(const BIGNUM *a, int checks,
|
|||
|
||||
for (i = 0; i < checks; i++)
|
||||
{
|
||||
if (!BN_pseudo_rand(check, BN_num_bits(A1), 0, 0))
|
||||
goto err;
|
||||
if (BN_cmp(check, A1) >= 0)
|
||||
if (!BN_sub(check, check, A1))
|
||||
if (!BN_pseudo_rand_range(check, A1))
|
||||
goto err;
|
||||
if (!BN_add_word(check, 1))
|
||||
goto err;
|
||||
|
|
|
@ -55,6 +55,59 @@
|
|||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
|
@ -172,8 +225,9 @@ int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
|
|||
#endif
|
||||
|
||||
/* random number r: 0 <= r < range */
|
||||
int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
||||
static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
|
||||
{
|
||||
int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
|
||||
int n;
|
||||
|
||||
if (range->neg || BN_is_zero(range))
|
||||
|
@ -193,7 +247,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
|||
do
|
||||
{
|
||||
/* range = 11..._2, so each iteration succeeds with probability >= .75 */
|
||||
if (!BN_rand(r, n, -1, 0)) return 0;
|
||||
if (!bn_rand(r, n, -1, 0)) return 0;
|
||||
}
|
||||
while (BN_cmp(r, range) >= 0);
|
||||
}
|
||||
|
@ -203,7 +257,7 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
|||
* so 3*range (= 11..._2) is exactly one bit longer than range */
|
||||
do
|
||||
{
|
||||
if (!BN_rand(r, n + 1, -1, 0)) return 0;
|
||||
if (!bn_rand(r, n + 1, -1, 0)) return 0;
|
||||
/* If r < 3*range, use r := r MOD range
|
||||
* (which is either r, r - range, or r - 2*range).
|
||||
* Otherwise, iterate once more.
|
||||
|
@ -221,3 +275,14 @@ int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
|||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
int BN_rand_range(BIGNUM *r, BIGNUM *range)
|
||||
{
|
||||
return bn_rand_range(0, r, range);
|
||||
}
|
||||
|
||||
int BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range)
|
||||
{
|
||||
return bn_rand_range(1, r, range);
|
||||
}
|
||||
|
|
|
@ -245,7 +245,7 @@ printf(" bn_sqr_recursive %d * %d\n",n2,n2);
|
|||
if (!zero)
|
||||
bn_sqr_recursive(&(t[n2]),t,n,p);
|
||||
else
|
||||
memset(&(t[n2]),0,n*sizeof(BN_ULONG));
|
||||
memset(&(t[n2]),0,n2*sizeof(BN_ULONG));
|
||||
bn_sqr_recursive(r,a,n,p);
|
||||
bn_sqr_recursive(&(r[n2]),&(a[n]),n,p);
|
||||
|
||||
|
|
|
@ -90,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
|
|||
"ssl_sess_cert",
|
||||
"ssl",
|
||||
"rand",
|
||||
"rand2",
|
||||
"debug_malloc",
|
||||
"BIO",
|
||||
"gethostbyname",
|
||||
|
@ -101,7 +102,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
|
|||
"dso",
|
||||
"dynlock",
|
||||
"engine",
|
||||
#if CRYPTO_NUM_LOCKS != 29
|
||||
#if CRYPTO_NUM_LOCKS != 30
|
||||
# error "Inconsistency between crypto.h and cryptlib.c"
|
||||
#endif
|
||||
};
|
||||
|
|
|
@ -1462,6 +1462,7 @@ $!
|
|||
$! Save directory information
|
||||
$!
|
||||
$ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
|
||||
$ __HERE = F$EDIT(__HERE,"UPCASE")
|
||||
$ __TOP = __HERE - "CRYPTO]"
|
||||
$ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
|
||||
$!
|
||||
|
|
|
@ -112,18 +112,20 @@ extern "C" {
|
|||
#define CRYPTO_LOCK_SSL_SESS_CERT 15
|
||||
#define CRYPTO_LOCK_SSL 16
|
||||
#define CRYPTO_LOCK_RAND 17
|
||||
#define CRYPTO_LOCK_MALLOC 18
|
||||
#define CRYPTO_LOCK_BIO 19
|
||||
#define CRYPTO_LOCK_GETHOSTBYNAME 20
|
||||
#define CRYPTO_LOCK_GETSERVBYNAME 21
|
||||
#define CRYPTO_LOCK_READDIR 22
|
||||
#define CRYPTO_LOCK_RSA_BLINDING 23
|
||||
#define CRYPTO_LOCK_DH 24
|
||||
#define CRYPTO_LOCK_MALLOC2 25
|
||||
#define CRYPTO_LOCK_DSO 26
|
||||
#define CRYPTO_LOCK_DYNLOCK 27
|
||||
#define CRYPTO_LOCK_ENGINE 28
|
||||
#define CRYPTO_LOCK_RAND2 18
|
||||
#define CRYPTO_LOCK_MALLOC 19
|
||||
#define CRYPTO_LOCK_BIO 20
|
||||
#define CRYPTO_LOCK_GETHOSTBYNAME 21
|
||||
#define CRYPTO_LOCK_GETSERVBYNAME 22
|
||||
#define CRYPTO_LOCK_READDIR 23
|
||||
#define CRYPTO_LOCK_RSA_BLINDING 24
|
||||
#define CRYPTO_LOCK_DH 25
|
||||
#define CRYPTO_LOCK_MALLOC2 26
|
||||
#define CRYPTO_LOCK_DSO 27
|
||||
#define CRYPTO_LOCK_DYNLOCK 28
|
||||
#define CRYPTO_NUM_LOCKS 29
|
||||
#define CRYPTO_LOCK_ENGINE 29
|
||||
#define CRYPTO_NUM_LOCKS 30
|
||||
|
||||
#define CRYPTO_LOCK 1
|
||||
#define CRYPTO_UNLOCK 2
|
||||
|
@ -351,6 +353,9 @@ int CRYPTO_push_info_(const char *info, const char *file, int line);
|
|||
int CRYPTO_pop_info(void);
|
||||
int CRYPTO_remove_all_info(void);
|
||||
|
||||
|
||||
/* Default debugging functions (enabled by CRYPTO_malloc_debug_init() macro;
|
||||
* used as default in CRYPTO_MDEBUG compilations): */
|
||||
/* The last argument has the following significance:
|
||||
*
|
||||
* 0: called before the actual memory allocation has taken place
|
||||
|
@ -359,18 +364,18 @@ int CRYPTO_remove_all_info(void);
|
|||
void CRYPTO_dbg_malloc(void *addr,int num,const char *file,int line,int before_p);
|
||||
void CRYPTO_dbg_realloc(void *addr1,void *addr2,int num,const char *file,int line,int before_p);
|
||||
void CRYPTO_dbg_free(void *addr,int before_p);
|
||||
|
||||
/* Tell the debugging code about options. By default, the following values
|
||||
* apply:
|
||||
*
|
||||
* 0: Clear all options.
|
||||
* 1: Set the "Show Time" option.
|
||||
* 2: Set the "Show Thread Number" option.
|
||||
* 3: 1 + 2
|
||||
* V_CRYPTO_MDEBUG_TIME (1): Set the "Show Time" option.
|
||||
* V_CRYPTO_MDEBUG_THREAD (2): Set the "Show Thread Number" option.
|
||||
* V_CRYPTO_MDEBUG_ALL (3): 1 + 2
|
||||
*/
|
||||
void CRYPTO_dbg_set_options(long bits);
|
||||
long CRYPTO_dbg_get_options(void);
|
||||
|
||||
|
||||
#ifndef NO_FP_API
|
||||
void CRYPTO_mem_leaks_fp(FILE *);
|
||||
#endif
|
||||
|
|
|
@ -100,6 +100,8 @@ DH_METHOD *DH_OpenSSL(void)
|
|||
static int generate_key(DH *dh)
|
||||
{
|
||||
int ok=0;
|
||||
int generate_new_key=0;
|
||||
unsigned l;
|
||||
BN_CTX ctx;
|
||||
BN_MONT_CTX *mont;
|
||||
BIGNUM *pub_key=NULL,*priv_key=NULL;
|
||||
|
@ -110,9 +112,7 @@ static int generate_key(DH *dh)
|
|||
{
|
||||
priv_key=BN_new();
|
||||
if (priv_key == NULL) goto err;
|
||||
do
|
||||
if (!BN_rand_range(priv_key, dh->p)) goto err;
|
||||
while (BN_is_zero(priv_key));
|
||||
generate_new_key=1;
|
||||
}
|
||||
else
|
||||
priv_key=dh->priv_key;
|
||||
|
@ -133,6 +133,11 @@ static int generate_key(DH *dh)
|
|||
}
|
||||
mont=(BN_MONT_CTX *)dh->method_mont_p;
|
||||
|
||||
if (generate_new_key)
|
||||
{
|
||||
l = dh->length ? dh->length : BN_num_bits(dh->p)-1; /* secret exponent length */
|
||||
if (!BN_rand(priv_key, l, 0, 0)) goto err;
|
||||
}
|
||||
if (!ENGINE_get_DH(dh->engine)->bn_mod_exp(dh, pub_key, dh->g,
|
||||
priv_key,dh->p,&ctx,mont))
|
||||
goto err;
|
||||
|
|
|
@ -64,7 +64,7 @@
|
|||
|
||||
const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
static DH_METHOD *default_DH_method;
|
||||
static DH_METHOD *default_DH_method = NULL;
|
||||
static int dh_meth_num = 0;
|
||||
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
|
||||
|
||||
|
|
|
@ -67,7 +67,7 @@
|
|||
|
||||
const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
|
||||
|
||||
static DSA_METHOD *default_DSA_method;
|
||||
static DSA_METHOD *default_DSA_method = NULL;
|
||||
static int dsa_meth_num = 0;
|
||||
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
|
||||
|
||||
|
|
|
@ -786,7 +786,7 @@ void ERR_add_error_data(int num, ...)
|
|||
if (p == NULL)
|
||||
{
|
||||
OPENSSL_free(str);
|
||||
return;
|
||||
goto err;
|
||||
}
|
||||
else
|
||||
str=p;
|
||||
|
@ -796,6 +796,7 @@ void ERR_add_error_data(int num, ...)
|
|||
}
|
||||
ERR_set_error_data(str,ERR_TXT_MALLOCED|ERR_TXT_STRING);
|
||||
|
||||
err:
|
||||
va_end(args);
|
||||
}
|
||||
|
||||
|
|
|
@ -465,7 +465,8 @@ static long b64_ctrl(BIO *b, int cmd, long num, void *ptr)
|
|||
break;
|
||||
case BIO_CTRL_WPENDING: /* More to write in buffer */
|
||||
ret=ctx->buf_len-ctx->buf_off;
|
||||
if ((ret == 0) && (ctx->base64.num != 0))
|
||||
if ((ret == 0) && (ctx->encode != B64_NONE)
|
||||
&& (ctx->base64.num != 0))
|
||||
ret=1;
|
||||
else if (ret <= 0)
|
||||
ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
|
||||
|
@ -500,7 +501,7 @@ again:
|
|||
goto again;
|
||||
}
|
||||
}
|
||||
else if (ctx->base64.num != 0)
|
||||
else if (ctx->encode != B64_NONE && ctx->base64.num != 0)
|
||||
{
|
||||
ctx->buf_off=0;
|
||||
EVP_EncodeFinal(&(ctx->base64),
|
||||
|
|
|
@ -66,7 +66,7 @@
|
|||
static EVP_MD md4_md=
|
||||
{
|
||||
NID_md4,
|
||||
0,
|
||||
NID_md4WithRSAEncryption,
|
||||
MD4_DIGEST_LENGTH,
|
||||
MD4_Init,
|
||||
MD4_Update,
|
||||
|
|
|
@ -198,7 +198,7 @@
|
|||
*
|
||||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
# if defined(__i386)
|
||||
# if defined(__i386) || defined(__i386__)
|
||||
# define ROTATE(a,n) ({ register unsigned int ret; \
|
||||
asm ( \
|
||||
"roll %1,%0" \
|
||||
|
@ -224,7 +224,7 @@
|
|||
*/
|
||||
# if defined(__GNUC__) && __GNUC__>=2 && !defined(NO_ASM) && !defined(NO_INLINE_ASM)
|
||||
/* some GNU C inline assembler templates by <appro@fy.chalmers.se> */
|
||||
# if defined(__i386) && !defined(I386_ONLY)
|
||||
# if (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
|
||||
# define BE_FETCH32(a) ({ register unsigned int l=(a);\
|
||||
asm ( \
|
||||
"bswapl %0" \
|
||||
|
|
|
@ -68,7 +68,7 @@
|
|||
void md4_block_host_order (MD4_CTX *c, const void *p,int num);
|
||||
void md4_block_data_order (MD4_CTX *c, const void *p,int num);
|
||||
|
||||
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
/*
|
||||
* *_block_host_order is expected to handle aligned data while
|
||||
* *_block_data_order - unaligned. As algorithm and host (x86)
|
||||
|
|
|
@ -66,7 +66,7 @@
|
|||
#endif
|
||||
|
||||
#ifdef MD5_ASM
|
||||
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# define md5_block_host_order md5_block_asm_host_order
|
||||
# elif defined(__sparc) && defined(ULTRASPARC)
|
||||
void md5_block_asm_data_order_aligned (MD5_CTX *c, const MD5_LONG *p,int num);
|
||||
|
@ -77,7 +77,7 @@
|
|||
void md5_block_host_order (MD5_CTX *c, const void *p,int num);
|
||||
void md5_block_data_order (MD5_CTX *c, const void *p,int num);
|
||||
|
||||
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
/*
|
||||
* *_block_host_order is expected to handle aligned data while
|
||||
* *_block_data_order - unaligned. As algorithm and host (x86)
|
||||
|
|
|
@ -61,12 +61,12 @@
|
|||
* perl obj_dat.pl objects.h obj_dat.h
|
||||
*/
|
||||
|
||||
#define NUM_NID 393
|
||||
#define NUM_SN 392
|
||||
#define NUM_LN 392
|
||||
#define NUM_OBJ 366
|
||||
#define NUM_NID 404
|
||||
#define NUM_SN 403
|
||||
#define NUM_LN 403
|
||||
#define NUM_OBJ 377
|
||||
|
||||
static unsigned char lvalues[2896]={
|
||||
static unsigned char lvalues[2949]={
|
||||
0x00, /* [ 0] OBJ_undef */
|
||||
0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 1] OBJ_rsadsi */
|
||||
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 7] OBJ_pkcs */
|
||||
|
@ -433,6 +433,17 @@ static unsigned char lvalues[2896]={
|
|||
0xBA,0x82,0x58, /* [2872] OBJ_dcObject */
|
||||
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x01,0x19,/* [2875] OBJ_domainComponent */
|
||||
0x09,0x92,0x26,0x89,0x93,0xF2,0x2C,0x64,0x04,0x0D,/* [2885] OBJ_Domain */
|
||||
0x50, /* [2895] OBJ_joint_iso_ccitt */
|
||||
0x55,0x01,0x05, /* [2896] OBJ_selected_attribute_types */
|
||||
0x55,0x01,0x05,0x37, /* [2899] OBJ_clearance */
|
||||
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x03,/* [2903] OBJ_md4WithRSAEncryption */
|
||||
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0A, /* [2912] OBJ_ac_proxying */
|
||||
0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0B, /* [2920] OBJ_sinfo_access */
|
||||
0x2B,0x06,0x01,0x05,0x05,0x07,0x0A,0x06, /* [2928] OBJ_id_aca_encAttrs */
|
||||
0x55,0x04,0x48, /* [2936] OBJ_role */
|
||||
0x55,0x1D,0x24, /* [2939] OBJ_policy_constraints */
|
||||
0x55,0x1D,0x37, /* [2942] OBJ_target_information */
|
||||
0x55,0x1D,0x38, /* [2945] OBJ_no_rev_avail */
|
||||
};
|
||||
|
||||
static ASN1_OBJECT nid_objs[NUM_NID]={
|
||||
|
@ -1045,6 +1056,25 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
|
|||
{"dcobject","dcObject",NID_dcObject,3,&(lvalues[2872]),0},
|
||||
{"DC","domainComponent",NID_domainComponent,10,&(lvalues[2875]),0},
|
||||
{"domain","Domain",NID_Domain,10,&(lvalues[2885]),0},
|
||||
{"JOINT-ISO-CCITT","joint-iso-ccitt",NID_joint_iso_ccitt,1,
|
||||
&(lvalues[2895]),0},
|
||||
{"selected-attribute-types","Selected Attribute Types",
|
||||
NID_selected_attribute_types,3,&(lvalues[2896]),0},
|
||||
{"clearance","clearance",NID_clearance,4,&(lvalues[2899]),0},
|
||||
{"RSA-MD4","md4WithRSAEncryption",NID_md4WithRSAEncryption,9,
|
||||
&(lvalues[2903]),0},
|
||||
{"ac-proxying","ac-proxying",NID_ac_proxying,8,&(lvalues[2912]),0},
|
||||
{"subjectInfoAccess","Subject Information Access",NID_sinfo_access,8,
|
||||
&(lvalues[2920]),0},
|
||||
{"id-aca-encAttrs","id-aca-encAttrs",NID_id_aca_encAttrs,8,
|
||||
&(lvalues[2928]),0},
|
||||
{"role","role",NID_role,3,&(lvalues[2936]),0},
|
||||
{"policyConstraints","X509v3 Policy Constraints",
|
||||
NID_policy_constraints,3,&(lvalues[2939]),0},
|
||||
{"targetInformation","X509v3 AC Targeting",NID_target_information,3,
|
||||
&(lvalues[2942]),0},
|
||||
{"noRevAvail","X509v3 No Revocation Available",NID_no_rev_avail,3,
|
||||
&(lvalues[2945]),0},
|
||||
};
|
||||
|
||||
static ASN1_OBJECT *sn_objs[NUM_SN]={
|
||||
|
@ -1093,6 +1123,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[46]),/* "IDEA-OFB" */
|
||||
&(nid_objs[181]),/* "ISO" */
|
||||
&(nid_objs[183]),/* "ISO-US" */
|
||||
&(nid_objs[393]),/* "JOINT-ISO-CCITT" */
|
||||
&(nid_objs[15]),/* "L" */
|
||||
&(nid_objs[ 3]),/* "MD2" */
|
||||
&(nid_objs[257]),/* "MD4" */
|
||||
|
@ -1138,6 +1169,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[124]),/* "RLE" */
|
||||
&(nid_objs[19]),/* "RSA" */
|
||||
&(nid_objs[ 7]),/* "RSA-MD2" */
|
||||
&(nid_objs[396]),/* "RSA-MD4" */
|
||||
&(nid_objs[ 8]),/* "RSA-MD5" */
|
||||
&(nid_objs[96]),/* "RSA-MDC2" */
|
||||
&(nid_objs[104]),/* "RSA-NP-MD5" */
|
||||
|
@ -1164,6 +1196,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[125]),/* "ZLIB" */
|
||||
&(nid_objs[289]),/* "aaControls" */
|
||||
&(nid_objs[287]),/* "ac-auditEntity" */
|
||||
&(nid_objs[397]),/* "ac-proxying" */
|
||||
&(nid_objs[288]),/* "ac-targeting" */
|
||||
&(nid_objs[368]),/* "acceptableResponses" */
|
||||
&(nid_objs[363]),/* "ad_timestamping" */
|
||||
|
@ -1178,6 +1211,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[152]),/* "certBag" */
|
||||
&(nid_objs[89]),/* "certificatePolicies" */
|
||||
&(nid_objs[54]),/* "challengePassword" */
|
||||
&(nid_objs[395]),/* "clearance" */
|
||||
&(nid_objs[130]),/* "clientAuth" */
|
||||
&(nid_objs[131]),/* "codeSigning" */
|
||||
&(nid_objs[50]),/* "contentType" */
|
||||
|
@ -1204,6 +1238,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[355]),/* "id-aca-accessIdentity" */
|
||||
&(nid_objs[354]),/* "id-aca-authenticationInfo" */
|
||||
&(nid_objs[356]),/* "id-aca-chargingIdentity" */
|
||||
&(nid_objs[399]),/* "id-aca-encAttrs" */
|
||||
&(nid_objs[357]),/* "id-aca-group" */
|
||||
&(nid_objs[358]),/* "id-aca-role" */
|
||||
&(nid_objs[176]),/* "id-ad" */
|
||||
|
@ -1386,6 +1421,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[137]),/* "msSGC" */
|
||||
&(nid_objs[173]),/* "name" */
|
||||
&(nid_objs[369]),/* "noCheck" */
|
||||
&(nid_objs[403]),/* "noRevAvail" */
|
||||
&(nid_objs[72]),/* "nsBaseUrl" */
|
||||
&(nid_objs[76]),/* "nsCaPolicyUrl" */
|
||||
&(nid_objs[74]),/* "nsCaRevocationUrl" */
|
||||
|
@ -1413,9 +1449,11 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[22]),/* "pkcs7-signedData" */
|
||||
&(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
|
||||
&(nid_objs[47]),/* "pkcs9" */
|
||||
&(nid_objs[401]),/* "policyConstraints" */
|
||||
&(nid_objs[385]),/* "private" */
|
||||
&(nid_objs[84]),/* "privateKeyUsagePeriod" */
|
||||
&(nid_objs[286]),/* "qcStatements" */
|
||||
&(nid_objs[400]),/* "role" */
|
||||
&(nid_objs[ 6]),/* "rsaEncryption" */
|
||||
&(nid_objs[377]),/* "rsaSignature" */
|
||||
&(nid_objs[ 1]),/* "rsadsi" */
|
||||
|
@ -1426,12 +1464,15 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
|
|||
&(nid_objs[159]),/* "sdsiCertificate" */
|
||||
&(nid_objs[154]),/* "secretBag" */
|
||||
&(nid_objs[386]),/* "security" */
|
||||
&(nid_objs[394]),/* "selected-attribute-types" */
|
||||
&(nid_objs[129]),/* "serverAuth" */
|
||||
&(nid_objs[371]),/* "serviceLocator" */
|
||||
&(nid_objs[52]),/* "signingTime" */
|
||||
&(nid_objs[387]),/* "snmpv2" */
|
||||
&(nid_objs[85]),/* "subjectAltName" */
|
||||
&(nid_objs[398]),/* "subjectInfoAccess" */
|
||||
&(nid_objs[82]),/* "subjectKeyIdentifier" */
|
||||
&(nid_objs[402]),/* "targetInformation" */
|
||||
&(nid_objs[293]),/* "textNotice" */
|
||||
&(nid_objs[133]),/* "timeStamping" */
|
||||
&(nid_objs[375]),/* "trustRoot" */
|
||||
|
@ -1503,12 +1544,15 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[167]),/* "S/MIME Capabilities" */
|
||||
&(nid_objs[387]),/* "SNMPv2" */
|
||||
&(nid_objs[386]),/* "Security" */
|
||||
&(nid_objs[394]),/* "Selected Attribute Types" */
|
||||
&(nid_objs[143]),/* "Strong Extranet ID" */
|
||||
&(nid_objs[398]),/* "Subject Information Access" */
|
||||
&(nid_objs[130]),/* "TLS Web Client Authentication" */
|
||||
&(nid_objs[129]),/* "TLS Web Server Authentication" */
|
||||
&(nid_objs[133]),/* "Time Stamping" */
|
||||
&(nid_objs[375]),/* "Trust Root" */
|
||||
&(nid_objs[12]),/* "X509" */
|
||||
&(nid_objs[402]),/* "X509v3 AC Targeting" */
|
||||
&(nid_objs[90]),/* "X509v3 Authority Key Identifier" */
|
||||
&(nid_objs[87]),/* "X509v3 Basic Constraints" */
|
||||
&(nid_objs[103]),/* "X509v3 CRL Distribution Points" */
|
||||
|
@ -1519,6 +1563,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[126]),/* "X509v3 Extended Key Usage" */
|
||||
&(nid_objs[86]),/* "X509v3 Issuer Alternative Name" */
|
||||
&(nid_objs[83]),/* "X509v3 Key Usage" */
|
||||
&(nid_objs[403]),/* "X509v3 No Revocation Available" */
|
||||
&(nid_objs[401]),/* "X509v3 Policy Constraints" */
|
||||
&(nid_objs[84]),/* "X509v3 Private Key Usage Period" */
|
||||
&(nid_objs[85]),/* "X509v3 Subject Alternative Name" */
|
||||
&(nid_objs[82]),/* "X509v3 Subject Key Identifier" */
|
||||
|
@ -1526,6 +1572,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[185]),/* "X9.57 CM ?" */
|
||||
&(nid_objs[289]),/* "aaControls" */
|
||||
&(nid_objs[287]),/* "ac-auditEntity" */
|
||||
&(nid_objs[397]),/* "ac-proxying" */
|
||||
&(nid_objs[288]),/* "ac-targeting" */
|
||||
&(nid_objs[364]),/* "ad dvcs" */
|
||||
&(nid_objs[376]),/* "algorithm" */
|
||||
|
@ -1539,6 +1586,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[111]),/* "cast5-ofb" */
|
||||
&(nid_objs[152]),/* "certBag" */
|
||||
&(nid_objs[54]),/* "challengePassword" */
|
||||
&(nid_objs[395]),/* "clearance" */
|
||||
&(nid_objs[13]),/* "commonName" */
|
||||
&(nid_objs[50]),/* "contentType" */
|
||||
&(nid_objs[53]),/* "countersignature" */
|
||||
|
@ -1581,6 +1629,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[355]),/* "id-aca-accessIdentity" */
|
||||
&(nid_objs[354]),/* "id-aca-authenticationInfo" */
|
||||
&(nid_objs[356]),/* "id-aca-chargingIdentity" */
|
||||
&(nid_objs[399]),/* "id-aca-encAttrs" */
|
||||
&(nid_objs[357]),/* "id-aca-group" */
|
||||
&(nid_objs[358]),/* "id-aca-role" */
|
||||
&(nid_objs[176]),/* "id-ad" */
|
||||
|
@ -1747,12 +1796,14 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[46]),/* "idea-ofb" */
|
||||
&(nid_objs[101]),/* "initials" */
|
||||
&(nid_objs[181]),/* "iso" */
|
||||
&(nid_objs[393]),/* "joint-iso-ccitt" */
|
||||
&(nid_objs[150]),/* "keyBag" */
|
||||
&(nid_objs[157]),/* "localKeyID" */
|
||||
&(nid_objs[15]),/* "localityName" */
|
||||
&(nid_objs[ 3]),/* "md2" */
|
||||
&(nid_objs[ 7]),/* "md2WithRSAEncryption" */
|
||||
&(nid_objs[257]),/* "md4" */
|
||||
&(nid_objs[396]),/* "md4WithRSAEncryption" */
|
||||
&(nid_objs[ 4]),/* "md5" */
|
||||
&(nid_objs[114]),/* "md5-sha1" */
|
||||
&(nid_objs[104]),/* "md5WithRSA" */
|
||||
|
@ -1806,6 +1857,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
|
|||
&(nid_objs[123]),/* "rc5-ofb" */
|
||||
&(nid_objs[117]),/* "ripemd160" */
|
||||
&(nid_objs[119]),/* "ripemd160WithRSA" */
|
||||
&(nid_objs[400]),/* "role" */
|
||||
&(nid_objs[19]),/* "rsa" */
|
||||
&(nid_objs[ 6]),/* "rsaEncryption" */
|
||||
&(nid_objs[377]),/* "rsaSignature" */
|
||||
|
@ -1843,6 +1895,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[181]),/* OBJ_iso 1 */
|
||||
&(nid_objs[182]),/* OBJ_member_body 1 2 */
|
||||
&(nid_objs[379]),/* OBJ_org 1 3 */
|
||||
&(nid_objs[393]),/* OBJ_joint_iso_ccitt 2 */
|
||||
&(nid_objs[11]),/* OBJ_X500 2 5 */
|
||||
&(nid_objs[380]),/* OBJ_dod 1 3 6 */
|
||||
&(nid_objs[12]),/* OBJ_X509 2 5 4 */
|
||||
|
@ -1850,6 +1903,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[81]),/* OBJ_id_ce 2 5 29 */
|
||||
&(nid_objs[183]),/* OBJ_ISO_US 1 2 840 */
|
||||
&(nid_objs[381]),/* OBJ_iana 1 3 6 1 */
|
||||
&(nid_objs[394]),/* OBJ_selected_attribute_types 2 5 1 5 */
|
||||
&(nid_objs[13]),/* OBJ_commonName 2 5 4 3 */
|
||||
&(nid_objs[100]),/* OBJ_surname 2 5 4 4 */
|
||||
&(nid_objs[105]),/* OBJ_serialNumber 2 5 4 5 */
|
||||
|
@ -1865,6 +1919,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[101]),/* OBJ_initials 2 5 4 43 */
|
||||
&(nid_objs[102]),/* OBJ_uniqueIdentifier 2 5 4 45 */
|
||||
&(nid_objs[174]),/* OBJ_dnQualifier 2 5 4 46 */
|
||||
&(nid_objs[400]),/* OBJ_role 2 5 4 72 */
|
||||
&(nid_objs[82]),/* OBJ_subject_key_identifier 2 5 29 14 */
|
||||
&(nid_objs[83]),/* OBJ_key_usage 2 5 29 15 */
|
||||
&(nid_objs[84]),/* OBJ_private_key_usage_period 2 5 29 16 */
|
||||
|
@ -1878,7 +1933,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[103]),/* OBJ_crl_distribution_points 2 5 29 31 */
|
||||
&(nid_objs[89]),/* OBJ_certificate_policies 2 5 29 32 */
|
||||
&(nid_objs[90]),/* OBJ_authority_key_identifier 2 5 29 35 */
|
||||
&(nid_objs[401]),/* OBJ_policy_constraints 2 5 29 36 */
|
||||
&(nid_objs[126]),/* OBJ_ext_key_usage 2 5 29 37 */
|
||||
&(nid_objs[402]),/* OBJ_target_information 2 5 29 55 */
|
||||
&(nid_objs[403]),/* OBJ_no_rev_avail 2 5 29 56 */
|
||||
&(nid_objs[390]),/* OBJ_dcObject 1466 344 */
|
||||
&(nid_objs[382]),/* OBJ_Directory 1 3 6 1 1 */
|
||||
&(nid_objs[383]),/* OBJ_Management 1 3 6 1 2 */
|
||||
|
@ -1888,6 +1946,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[387]),/* OBJ_SNMPv2 1 3 6 1 6 */
|
||||
&(nid_objs[388]),/* OBJ_Mail 1 3 6 1 7 */
|
||||
&(nid_objs[376]),/* OBJ_algorithm 1 3 14 3 2 */
|
||||
&(nid_objs[395]),/* OBJ_clearance 2 5 1 5 55 */
|
||||
&(nid_objs[19]),/* OBJ_rsa 2 5 8 1 1 */
|
||||
&(nid_objs[96]),/* OBJ_mdc2WithRSA 2 5 8 3 100 */
|
||||
&(nid_objs[95]),/* OBJ_mdc2 2 5 8 3 101 */
|
||||
|
@ -1970,6 +2029,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock 1 3 6 1 5 5 7 1 7 */
|
||||
&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum 1 3 6 1 5 5 7 1 8 */
|
||||
&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier 1 3 6 1 5 5 7 1 9 */
|
||||
&(nid_objs[397]),/* OBJ_ac_proxying 1 3 6 1 5 5 7 1 10 */
|
||||
&(nid_objs[398]),/* OBJ_sinfo_access 1 3 6 1 5 5 7 1 11 */
|
||||
&(nid_objs[164]),/* OBJ_id_qt_cps 1 3 6 1 5 5 7 2 1 */
|
||||
&(nid_objs[165]),/* OBJ_id_qt_unotice 1 3 6 1 5 5 7 2 2 */
|
||||
&(nid_objs[293]),/* OBJ_textNotice 1 3 6 1 5 5 7 2 3 */
|
||||
|
@ -2036,6 +2097,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[356]),/* OBJ_id_aca_chargingIdentity 1 3 6 1 5 5 7 10 3 */
|
||||
&(nid_objs[357]),/* OBJ_id_aca_group 1 3 6 1 5 5 7 10 4 */
|
||||
&(nid_objs[358]),/* OBJ_id_aca_role 1 3 6 1 5 5 7 10 5 */
|
||||
&(nid_objs[399]),/* OBJ_id_aca_encAttrs 1 3 6 1 5 5 7 10 6 */
|
||||
&(nid_objs[359]),/* OBJ_id_qcs_pkixQCSyntax_v1 1 3 6 1 5 5 7 11 1 */
|
||||
&(nid_objs[360]),/* OBJ_id_cct_crs 1 3 6 1 5 5 7 12 1 */
|
||||
&(nid_objs[361]),/* OBJ_id_cct_PKIData 1 3 6 1 5 5 7 12 2 */
|
||||
|
@ -2050,6 +2112,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
|
|||
&(nid_objs[112]),/* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */
|
||||
&(nid_objs[ 6]),/* OBJ_rsaEncryption 1 2 840 113549 1 1 1 */
|
||||
&(nid_objs[ 7]),/* OBJ_md2WithRSAEncryption 1 2 840 113549 1 1 2 */
|
||||
&(nid_objs[396]),/* OBJ_md4WithRSAEncryption 1 2 840 113549 1 1 3 */
|
||||
&(nid_objs[ 8]),/* OBJ_md5WithRSAEncryption 1 2 840 113549 1 1 4 */
|
||||
&(nid_objs[65]),/* OBJ_sha1WithRSAEncryption 1 2 840 113549 1 1 5 */
|
||||
&(nid_objs[28]),/* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */
|
||||
|
|
|
@ -71,11 +71,25 @@
|
|||
#define NID_iso 181
|
||||
#define OBJ_iso 1L
|
||||
|
||||
#define SN_joint_iso_ccitt "JOINT-ISO-CCITT"
|
||||
#define LN_joint_iso_ccitt "joint-iso-ccitt"
|
||||
#define NID_joint_iso_ccitt 393
|
||||
#define OBJ_joint_iso_ccitt 2L
|
||||
|
||||
#define SN_member_body "member-body"
|
||||
#define LN_member_body "ISO Member Body"
|
||||
#define NID_member_body 182
|
||||
#define OBJ_member_body OBJ_iso,2L
|
||||
|
||||
#define SN_selected_attribute_types "selected-attribute-types"
|
||||
#define LN_selected_attribute_types "Selected Attribute Types"
|
||||
#define NID_selected_attribute_types 394
|
||||
#define OBJ_selected_attribute_types OBJ_joint_iso_ccitt,5L,1L,5L
|
||||
|
||||
#define SN_clearance "clearance"
|
||||
#define NID_clearance 395
|
||||
#define OBJ_clearance OBJ_selected_attribute_types,55L
|
||||
|
||||
#define SN_ISO_US "ISO-US"
|
||||
#define LN_ISO_US "ISO US Member Body"
|
||||
#define NID_ISO_US 183
|
||||
|
@ -145,6 +159,11 @@
|
|||
#define NID_md2WithRSAEncryption 7
|
||||
#define OBJ_md2WithRSAEncryption OBJ_pkcs1,2L
|
||||
|
||||
#define SN_md4WithRSAEncryption "RSA-MD4"
|
||||
#define LN_md4WithRSAEncryption "md4WithRSAEncryption"
|
||||
#define NID_md4WithRSAEncryption 396
|
||||
#define OBJ_md4WithRSAEncryption OBJ_pkcs1,3L
|
||||
|
||||
#define SN_md5WithRSAEncryption "RSA-MD5"
|
||||
#define LN_md5WithRSAEncryption "md5WithRSAEncryption"
|
||||
#define NID_md5WithRSAEncryption 8
|
||||
|
@ -956,6 +975,15 @@
|
|||
#define NID_sbqp_routerIdentifier 292
|
||||
#define OBJ_sbqp_routerIdentifier OBJ_id_pe,9L
|
||||
|
||||
#define SN_ac_proxying "ac-proxying"
|
||||
#define NID_ac_proxying 397
|
||||
#define OBJ_ac_proxying OBJ_id_pe,10L
|
||||
|
||||
#define SN_sinfo_access "subjectInfoAccess"
|
||||
#define LN_sinfo_access "Subject Information Access"
|
||||
#define NID_sinfo_access 398
|
||||
#define OBJ_sinfo_access OBJ_id_pe,11L
|
||||
|
||||
#define SN_id_qt_cps "id-qt-cps"
|
||||
#define LN_id_qt_cps "Policy Qualifier CPS"
|
||||
#define NID_id_qt_cps 164
|
||||
|
@ -1264,6 +1292,10 @@
|
|||
#define NID_id_aca_role 358
|
||||
#define OBJ_id_aca_role OBJ_id_aca,5L
|
||||
|
||||
#define SN_id_aca_encAttrs "id-aca-encAttrs"
|
||||
#define NID_id_aca_encAttrs 399
|
||||
#define OBJ_id_aca_encAttrs OBJ_id_aca,6L
|
||||
|
||||
#define SN_id_qcs_pkixQCSyntax_v1 "id-qcs-pkixQCSyntax-v1"
|
||||
#define NID_id_qcs_pkixQCSyntax_v1 359
|
||||
#define OBJ_id_qcs_pkixQCSyntax_v1 OBJ_id_qcs,1L
|
||||
|
@ -1555,6 +1587,11 @@
|
|||
#define NID_dnQualifier 174
|
||||
#define OBJ_dnQualifier OBJ_X509,46L
|
||||
|
||||
#define SN_role "role"
|
||||
#define LN_role "role"
|
||||
#define NID_role 400
|
||||
#define OBJ_role OBJ_X509,72L
|
||||
|
||||
#define SN_X500algorithms "X500algorithms"
|
||||
#define LN_X500algorithms "directory services - algorithms"
|
||||
#define NID_X500algorithms 378
|
||||
|
@ -1644,11 +1681,26 @@
|
|||
#define NID_authority_key_identifier 90
|
||||
#define OBJ_authority_key_identifier OBJ_id_ce,35L
|
||||
|
||||
#define SN_policy_constraints "policyConstraints"
|
||||
#define LN_policy_constraints "X509v3 Policy Constraints"
|
||||
#define NID_policy_constraints 401
|
||||
#define OBJ_policy_constraints OBJ_id_ce,36L
|
||||
|
||||
#define SN_ext_key_usage "extendedKeyUsage"
|
||||
#define LN_ext_key_usage "X509v3 Extended Key Usage"
|
||||
#define NID_ext_key_usage 126
|
||||
#define OBJ_ext_key_usage OBJ_id_ce,37L
|
||||
|
||||
#define SN_target_information "targetInformation"
|
||||
#define LN_target_information "X509v3 AC Targeting"
|
||||
#define NID_target_information 402
|
||||
#define OBJ_target_information OBJ_id_ce,55L
|
||||
|
||||
#define SN_no_rev_avail "noRevAvail"
|
||||
#define LN_no_rev_avail "X509v3 No Revocation Available"
|
||||
#define NID_no_rev_avail 403
|
||||
#define OBJ_no_rev_avail OBJ_id_ce,56L
|
||||
|
||||
#define SN_netscape "Netscape"
|
||||
#define LN_netscape "Netscape Communications Corp."
|
||||
#define NID_netscape 57
|
||||
|
|
|
@ -390,3 +390,14 @@ Enterprises 389
|
|||
dcObject 390
|
||||
domainComponent 391
|
||||
Domain 392
|
||||
joint_iso_ccitt 393
|
||||
selected_attribute_types 394
|
||||
clearance 395
|
||||
md4WithRSAEncryption 396
|
||||
ac_proxying 397
|
||||
sinfo_access 398
|
||||
id_aca_encAttrs 399
|
||||
role 400
|
||||
policy_constraints 401
|
||||
target_information 402
|
||||
no_rev_avail 403
|
||||
|
|
|
@ -1,7 +1,13 @@
|
|||
1 : ISO : iso
|
||||
|
||||
2 : JOINT-ISO-CCITT : joint-iso-ccitt
|
||||
|
||||
iso 2 : member-body : ISO Member Body
|
||||
|
||||
joint-iso-ccitt 5 1 5 : selected-attribute-types : Selected Attribute Types
|
||||
|
||||
selected-attribute-types 55 : clearance
|
||||
|
||||
member-body 840 : ISO-US : ISO US Member Body
|
||||
ISO-US 10040 : X9-57 : X9.57
|
||||
X9-57 4 : X9cm : X9.57 CM ?
|
||||
|
@ -26,6 +32,7 @@ rsadsi 1 : pkcs : RSA Data Security, Inc. PKCS
|
|||
pkcs 1 : pkcs1
|
||||
pkcs1 1 : : rsaEncryption
|
||||
pkcs1 2 : RSA-MD2 : md2WithRSAEncryption
|
||||
pkcs1 3 : RSA-MD4 : md4WithRSAEncryption
|
||||
pkcs1 4 : RSA-MD5 : md5WithRSAEncryption
|
||||
pkcs1 5 : RSA-SHA1 : sha1WithRSAEncryption
|
||||
|
||||
|
@ -302,6 +309,9 @@ id-pe 6 : aaControls
|
|||
id-pe 7 : sbqp-ipAddrBlock
|
||||
id-pe 8 : sbqp-autonomousSysNum
|
||||
id-pe 9 : sbqp-routerIdentifier
|
||||
id-pe 10 : ac-proxying
|
||||
!Cname sinfo-access
|
||||
id-pe 11 : subjectInfoAccess : Subject Information Access
|
||||
|
||||
# PKIX policyQualifiers for Internet policy qualifiers
|
||||
id-qt 1 : id-qt-cps : Policy Qualifier CPS
|
||||
|
@ -406,7 +416,9 @@ id-aca 1 : id-aca-authenticationInfo
|
|||
id-aca 2 : id-aca-accessIdentity
|
||||
id-aca 3 : id-aca-chargingIdentity
|
||||
id-aca 4 : id-aca-group
|
||||
# attention : the following seems to be obsolete, replace by 'role'
|
||||
id-aca 5 : id-aca-role
|
||||
id-aca 6 : id-aca-encAttrs
|
||||
|
||||
# qualified certificate statements
|
||||
id-qcs 1 : id-qcs-pkixQCSyntax-v1
|
||||
|
@ -498,6 +510,7 @@ X509 42 : G : givenName
|
|||
X509 43 : I : initials
|
||||
X509 45 : UID : uniqueIdentifier
|
||||
X509 46 : dnQualifier : dnQualifier
|
||||
X509 72 : role : role
|
||||
|
||||
X500 8 : X500algorithms : directory services - algorithms
|
||||
X500algorithms 1 1 : RSA : rsa
|
||||
|
@ -531,8 +544,14 @@ id-ce 31 : crlDistributionPoints : X509v3 CRL Distribution Points
|
|||
id-ce 32 : certificatePolicies : X509v3 Certificate Policies
|
||||
!Cname authority-key-identifier
|
||||
id-ce 35 : authorityKeyIdentifier : X509v3 Authority Key Identifier
|
||||
!Cname policy-constraints
|
||||
id-ce 36 : policyConstraints : X509v3 Policy Constraints
|
||||
!Cname ext-key-usage
|
||||
id-ce 37 : extendedKeyUsage : X509v3 Extended Key Usage
|
||||
!Cname target-information
|
||||
id-ce 55 : targetInformation : X509v3 AC Targeting
|
||||
!Cname no-rev-avail
|
||||
id-ce 56 : noRevAvail : X509v3 No Revocation Available
|
||||
|
||||
!Cname netscape
|
||||
2 16 840 1 113730 : Netscape : Netscape Communications Corp.
|
||||
|
|
|
@ -44,13 +44,13 @@
|
|||
*
|
||||
* libcrypto.so.0
|
||||
*
|
||||
* On True64 it works a little bit differently. There, the shared library
|
||||
* version is stored in the file, and is actually a series of versions,
|
||||
* separated by colons. The rightmost version present in the library when
|
||||
* linking an application is stored in the application to be matched at
|
||||
* run time. When the application is run, a check is done to see if the
|
||||
* library version stored in the application matches any of the versions
|
||||
* in the version string of the library itself.
|
||||
* On Tru64 and IRIX 6.x it works a little bit differently. There, the
|
||||
* shared library version is stored in the file, and is actually a series
|
||||
* of versions, separated by colons. The rightmost version present in the
|
||||
* library when linking an application is stored in the application to be
|
||||
* matched at run time. When the application is run, a check is done to
|
||||
* see if the library version stored in the application matches any of the
|
||||
* versions in the version string of the library itself.
|
||||
* This version string can be constructed in any way, depending on what
|
||||
* kind of matching is desired. However, to implement the same scheme as
|
||||
* the one used in the other unixen, all compatible versions, from lowest
|
||||
|
@ -73,7 +73,7 @@
|
|||
* However, it's nice and more understandable if it actually does.
|
||||
* The current library version is stored in the macro SHLIB_VERSION_NUMBER,
|
||||
* which is just a piece of text in the format "M.m.e" (Major, minor, edit).
|
||||
* For the sake of True64 and any other OS that behaves in similar ways,
|
||||
* For the sake of Tru64, IRIX, and any other OS that behaves in similar ways,
|
||||
* we need to keep a history of version numbers, which is done in the
|
||||
* macro SHLIB_VERSION_HISTORY. The numbers are separated by colons and
|
||||
* should only keep the versions that are binary compatible with the current.
|
||||
|
|
|
@ -1,9 +1,59 @@
|
|||
/* pk7_attr.c */
|
||||
/* S/MIME code.
|
||||
* Copyright (C) 1997-8 Dr S N Henson (shenson@bigfoot.com)
|
||||
* All Rights Reserved.
|
||||
* Redistribution of this code without the authors permission is expressly
|
||||
* prohibited.
|
||||
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
|
||||
* project 2001.
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* licensing@OpenSSL.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
|
|
|
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -144,6 +144,7 @@ static int initialized=0;
|
|||
static unsigned int crypto_lock_rand = 0; /* may be set only when a thread
|
||||
* holds CRYPTO_LOCK_RAND
|
||||
* (to prevent double locking) */
|
||||
/* access to lockin_thread is synchronized by CRYPTO_LOCK_RAND2 */
|
||||
static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */
|
||||
|
||||
|
||||
|
@ -210,7 +211,14 @@ static void ssleay_rand_add(const void *buf, int num, double add)
|
|||
*/
|
||||
|
||||
/* check if we already have the lock */
|
||||
do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
|
||||
if (crypto_lock_rand)
|
||||
{
|
||||
CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
|
||||
do_not_lock = (locking_thread == CRYPTO_thread_id());
|
||||
CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
|
||||
}
|
||||
else
|
||||
do_not_lock = 0;
|
||||
|
||||
if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
st_idx=state_index;
|
||||
|
@ -361,8 +369,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
|
|||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
|
||||
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
|
||||
crypto_lock_rand = 1;
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
|
||||
locking_thread = CRYPTO_thread_id();
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
||||
crypto_lock_rand = 1;
|
||||
|
||||
if (!initialized)
|
||||
{
|
||||
|
@ -435,7 +445,6 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
|
|||
|
||||
/* before unlocking, we must clear 'crypto_lock_rand' */
|
||||
crypto_lock_rand = 0;
|
||||
locking_thread = 0;
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
|
||||
while (num > 0)
|
||||
|
@ -521,15 +530,24 @@ static int ssleay_rand_status(void)
|
|||
|
||||
/* check if we already have the lock
|
||||
* (could happen if a RAND_poll() implementation calls RAND_status()) */
|
||||
do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id());
|
||||
if (crypto_lock_rand)
|
||||
{
|
||||
CRYPTO_r_lock(CRYPTO_LOCK_RAND2);
|
||||
do_not_lock = (locking_thread == CRYPTO_thread_id());
|
||||
CRYPTO_r_unlock(CRYPTO_LOCK_RAND2);
|
||||
}
|
||||
else
|
||||
do_not_lock = 0;
|
||||
|
||||
if (!do_not_lock)
|
||||
{
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
|
||||
|
||||
/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
|
||||
crypto_lock_rand = 1;
|
||||
CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
|
||||
locking_thread = CRYPTO_thread_id();
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND2);
|
||||
crypto_lock_rand = 1;
|
||||
}
|
||||
|
||||
if (!initialized)
|
||||
|
@ -544,7 +562,6 @@ static int ssleay_rand_status(void)
|
|||
{
|
||||
/* before unlocking, we must clear 'crypto_lock_rand' */
|
||||
crypto_lock_rand = 0;
|
||||
locking_thread = 0;
|
||||
|
||||
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
|
||||
}
|
||||
|
|
|
@ -71,7 +71,7 @@
|
|||
* <appro@fy.chalmers.se>
|
||||
*/
|
||||
#ifdef RMD160_ASM
|
||||
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# define ripemd160_block_host_order ripemd160_block_asm_host_order
|
||||
# endif
|
||||
#endif
|
||||
|
@ -79,7 +79,7 @@
|
|||
void ripemd160_block_host_order (RIPEMD160_CTX *c, const void *p,int num);
|
||||
void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,int num);
|
||||
|
||||
#if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
#if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
#define ripemd160_block_data_order ripemd160_block_host_order
|
||||
#endif
|
||||
|
||||
|
|
|
@ -328,6 +328,7 @@ void *RSA_get_ex_data(RSA *r, int idx);
|
|||
#define RSA_R_DATA_GREATER_THAN_MOD_LEN 108
|
||||
#define RSA_R_DATA_TOO_LARGE 109
|
||||
#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 110
|
||||
#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
|
||||
#define RSA_R_DATA_TOO_SMALL 111
|
||||
#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
|
||||
#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
|
||||
|
|
|
@ -79,8 +79,8 @@ static int RSA_eay_finish(RSA *rsa);
|
|||
static RSA_METHOD rsa_pkcs1_eay_meth={
|
||||
"Eric Young's PKCS#1 RSA",
|
||||
RSA_eay_public_encrypt,
|
||||
RSA_eay_public_decrypt,
|
||||
RSA_eay_private_encrypt,
|
||||
RSA_eay_public_decrypt, /* signature verification */
|
||||
RSA_eay_private_encrypt, /* signing */
|
||||
RSA_eay_private_decrypt,
|
||||
RSA_eay_mod_exp,
|
||||
BN_mod_exp_mont,
|
||||
|
@ -139,6 +139,13 @@ static int RSA_eay_public_encrypt(int flen, unsigned char *from,
|
|||
|
||||
if (BN_bin2bn(buf,num,&f) == NULL) goto err;
|
||||
|
||||
if (BN_ucmp(&f, rsa->n) >= 0)
|
||||
{
|
||||
/* usually the padding functions would catch this */
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
|
||||
{
|
||||
BN_MONT_CTX* bn_mont_ctx;
|
||||
|
@ -186,6 +193,7 @@ err:
|
|||
return(r);
|
||||
}
|
||||
|
||||
/* signing */
|
||||
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
|
@ -224,6 +232,13 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
|
|||
|
||||
if (BN_bin2bn(buf,num,&f) == NULL) goto err;
|
||||
|
||||
if (BN_ucmp(&f, rsa->n) >= 0)
|
||||
{
|
||||
/* usually the padding functions would catch this */
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
||||
RSA_blinding_on(rsa,ctx);
|
||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||
|
@ -299,6 +314,12 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
|
|||
/* make data into a big number */
|
||||
if (BN_bin2bn(from,(int)flen,&f) == NULL) goto err;
|
||||
|
||||
if (BN_ucmp(&f, rsa->n) >= 0)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
||||
RSA_blinding_on(rsa,ctx);
|
||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||
|
@ -359,6 +380,7 @@ err:
|
|||
return(r);
|
||||
}
|
||||
|
||||
/* signature verification */
|
||||
static int RSA_eay_public_decrypt(int flen, unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
{
|
||||
|
@ -392,6 +414,13 @@ static int RSA_eay_public_decrypt(int flen, unsigned char *from,
|
|||
}
|
||||
|
||||
if (BN_bin2bn(from,flen,&f) == NULL) goto err;
|
||||
|
||||
if (BN_ucmp(&f, rsa->n) >= 0)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT,RSA_R_DATA_TOO_LARGE_FOR_MODULUS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* do the decrypt */
|
||||
if ((rsa->_method_mod_n == NULL) && (rsa->flags & RSA_FLAG_CACHE_PUBLIC))
|
||||
{
|
||||
|
|
|
@ -106,6 +106,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
|
|||
{RSA_R_DATA_GREATER_THAN_MOD_LEN ,"data greater than mod len"},
|
||||
{RSA_R_DATA_TOO_LARGE ,"data too large"},
|
||||
{RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
|
||||
{RSA_R_DATA_TOO_LARGE_FOR_MODULUS ,"data too large for modulus"},
|
||||
{RSA_R_DATA_TOO_SMALL ,"data too small"},
|
||||
{RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE ,"data too small for key size"},
|
||||
{RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY ,"digest too big for rsa key"},
|
||||
|
|
|
@ -2,7 +2,22 @@
|
|||
/* Written by Ulf Moeller. This software is distributed on an "AS IS"
|
||||
basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
|
||||
|
||||
/* EME_OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
|
||||
/* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */
|
||||
|
||||
/* See Victor Shoup, "OAEP reconsidered," Nov. 2000,
|
||||
* <URL: http://www.shoup.net/papers/oaep.ps.Z>
|
||||
* for problems with the security proof for the
|
||||
* original OAEP scheme, which EME-OAEP is based on.
|
||||
*
|
||||
* A new proof can be found in E. Fujisaki, T. Okamoto,
|
||||
* D. Pointcheval, J. Stern, "RSA-OEAP is Still Alive!",
|
||||
* Dec. 2000, <URL: http://eprint.iacr.org/2000/061/>.
|
||||
* The new proof has stronger requirements for the
|
||||
* underlying permutation: "partial-one-wayness" instead
|
||||
* of one-wayness. For the RSA function, this is
|
||||
* an equivalent notion.
|
||||
*/
|
||||
|
||||
|
||||
#if !defined(NO_SHA) && !defined(NO_SHA1)
|
||||
#include <stdio.h>
|
||||
|
@ -12,10 +27,12 @@
|
|||
#include <openssl/sha.h>
|
||||
#include <openssl/rand.h>
|
||||
|
||||
int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen);
|
||||
int MGF1(unsigned char *mask, long len,
|
||||
unsigned char *seed, long seedlen);
|
||||
|
||||
int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
unsigned char *from, int flen, unsigned char *param, int plen)
|
||||
unsigned char *from, int flen,
|
||||
unsigned char *param, int plen)
|
||||
{
|
||||
int i, emlen = tlen - 1;
|
||||
unsigned char *db, *seed;
|
||||
|
@ -25,20 +42,20 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
{
|
||||
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
|
||||
RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
|
||||
if (dbmask == NULL)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
to[0] = 0;
|
||||
|
@ -51,7 +68,7 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
|
||||
memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
|
||||
if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
|
||||
return (0);
|
||||
return 0;
|
||||
#ifdef PKCS_TESTVECT
|
||||
memcpy(seed,
|
||||
"\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
|
||||
|
@ -67,7 +84,7 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
seed[i] ^= seedmask[i];
|
||||
|
||||
OPENSSL_free(dbmask);
|
||||
return (1);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
||||
|
@ -78,13 +95,26 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
unsigned char *maskeddb;
|
||||
int lzero;
|
||||
unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
|
||||
int bad = 0;
|
||||
|
||||
if (--num < 2 * SHA_DIGEST_LENGTH + 1)
|
||||
/* 'num' is the length of the modulus, i.e. does not depend on the
|
||||
* particular ciphertext. */
|
||||
goto decoding_err;
|
||||
|
||||
lzero = num - flen;
|
||||
if (lzero < 0)
|
||||
goto decoding_err;
|
||||
{
|
||||
/* lzero == -1 */
|
||||
|
||||
/* signalling this error immediately after detection might allow
|
||||
* for side-channel attacks (e.g. timing if 'plen' is huge
|
||||
* -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA Optimal
|
||||
* Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001),
|
||||
* so we use a 'bad' flag */
|
||||
bad = 1;
|
||||
lzero = 0;
|
||||
}
|
||||
maskeddb = from - lzero + SHA_DIGEST_LENGTH;
|
||||
|
||||
dblen = num - SHA_DIGEST_LENGTH;
|
||||
|
@ -92,7 +122,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
if (db == NULL)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
|
||||
return (-1);
|
||||
return -1;
|
||||
}
|
||||
|
||||
MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen);
|
||||
|
@ -105,7 +135,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
|
||||
SHA1(param, plen, phash);
|
||||
|
||||
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0)
|
||||
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
|
||||
goto decoding_err;
|
||||
else
|
||||
{
|
||||
|
@ -116,6 +146,8 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
goto decoding_err;
|
||||
else
|
||||
{
|
||||
/* everything looks OK */
|
||||
|
||||
mlen = dblen - i;
|
||||
if (tlen < mlen)
|
||||
{
|
||||
|
@ -127,7 +159,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
|
|||
}
|
||||
}
|
||||
OPENSSL_free(db);
|
||||
return (mlen);
|
||||
return mlen;
|
||||
|
||||
decoding_err:
|
||||
/* to avoid chosen ciphertext attacks, the error message should not reveal
|
||||
|
@ -163,6 +195,6 @@ int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen)
|
|||
outlen = len;
|
||||
}
|
||||
}
|
||||
return (0);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -115,7 +115,7 @@
|
|||
# endif
|
||||
|
||||
# ifdef SHA1_ASM
|
||||
# if defined(__i386) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
|
||||
# define sha1_block_host_order sha1_block_asm_host_order
|
||||
# define DONT_IMPLEMENT_BLOCK_HOST_ORDER
|
||||
# define sha1_block_data_order sha1_block_asm_data_order
|
||||
|
|
|
@ -79,7 +79,7 @@ static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
|
|||
static X509_TRUST trstandard[] = {
|
||||
{X509_TRUST_COMPAT, 0, trust_compat, "compatible", 0, NULL},
|
||||
{X509_TRUST_SSL_CLIENT, 0, trust_1oidany, "SSL Client", NID_client_auth, NULL},
|
||||
{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Client", NID_server_auth, NULL},
|
||||
{X509_TRUST_SSL_SERVER, 0, trust_1oidany, "SSL Server", NID_server_auth, NULL},
|
||||
{X509_TRUST_EMAIL, 0, trust_1oidany, "S/MIME email", NID_email_protect, NULL},
|
||||
};
|
||||
|
||||
|
|
|
@ -95,7 +95,7 @@ const char *X509_verify_cert_error_string(long n)
|
|||
case X509_V_ERR_CRL_NOT_YET_VALID:
|
||||
return("CRL is not yet valid");
|
||||
case X509_V_ERR_CERT_HAS_EXPIRED:
|
||||
return("Certificate has expired");
|
||||
return("certificate has expired");
|
||||
case X509_V_ERR_CRL_HAS_EXPIRED:
|
||||
return("CRL has expired");
|
||||
case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
|
||||
|
|
|
@ -911,6 +911,12 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t)
|
|||
ctx->flags |= X509_V_FLAG_USE_CHECK_TIME;
|
||||
}
|
||||
|
||||
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
|
||||
int (*verify_cb)(int, X509_STORE_CTX *))
|
||||
{
|
||||
ctx->verify_cb=verify_cb;
|
||||
}
|
||||
|
||||
IMPLEMENT_STACK_OF(X509)
|
||||
IMPLEMENT_ASN1_SET_OF(X509)
|
||||
|
||||
|
|
|
@ -382,6 +382,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
|
|||
int purpose, int trust);
|
||||
void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags);
|
||||
void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, long flags, time_t t);
|
||||
void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
|
||||
int (*verify_cb)(int, X509_STORE_CTX *));
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
|
|
@ -125,6 +125,10 @@ Generation of RSA Parameters.
|
|||
|
||||
Generation of hashed passwords.
|
||||
|
||||
=item L<B<pkcs12>|pkcs12(1)>
|
||||
|
||||
PKCS#12 Data Management.
|
||||
|
||||
=item L<B<pkcs7>|pkcs7(1)>
|
||||
|
||||
PKCS#7 Data Management.
|
||||
|
|
|
@ -200,14 +200,14 @@ the signature of the certificate is invalid. Unused.
|
|||
|
||||
the certificate is not yet valid: the notBefore date is after the current time.
|
||||
|
||||
=item B<10 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
|
||||
|
||||
the CRL is not yet valid. Unused.
|
||||
|
||||
=item B<11 X509_V_ERR_CERT_HAS_EXPIRED: Certificate has expired>
|
||||
=item B<10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
|
||||
|
||||
the certificate has expired: that is the notAfter date is before the current time.
|
||||
|
||||
=item B<11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
|
||||
|
||||
the CRL is not yet valid. Unused.
|
||||
|
||||
=item B<12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
|
||||
|
||||
the CRL has expired. Unused.
|
||||
|
|
|
@ -14,6 +14,8 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
|
|||
|
||||
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
|
||||
|
||||
int BN_pseudo_rand_range(BIGNUM *rnd, int bits, int top, int bottom);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
BN_rand() generates a cryptographically strong pseudo-random number of
|
||||
|
@ -31,6 +33,8 @@ protocols, but usually not for key generation etc.
|
|||
|
||||
BN_rand_range() generates a cryptographically strong pseudo-random
|
||||
number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
|
||||
BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(),
|
||||
and hence numbers generated by it are not necessarily unpredictable.
|
||||
|
||||
The PRNG must be seeded prior to calling BN_rand() or BN_rand_range().
|
||||
|
||||
|
@ -49,5 +53,6 @@ L<RAND_add(3)|RAND_add(3)>, L<RAND_bytes(3)|RAND_bytes(3)>
|
|||
BN_rand() is available in all versions of SSLeay and OpenSSL.
|
||||
BN_pseudo_rand() was added in OpenSSL 0.9.5. The B<top> == -1 case
|
||||
and the function BN_rand_range() were added in OpenSSL 0.9.6a.
|
||||
BN_pseudo_rand_range() was added in OpenSSL 0.9.6c.
|
||||
|
||||
=cut
|
||||
|
|
|
@ -61,6 +61,7 @@ bn - multiprecision integer arithmetics
|
|||
int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
|
||||
int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);
|
||||
int BN_rand_range(BIGNUM *rnd, BIGNUM *range);
|
||||
int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
|
||||
|
||||
BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add,
|
||||
BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg);
|
||||
|
|
|
@ -53,8 +53,10 @@ OpenSSL can safely be used in multi-threaded applications provided
|
|||
that at least two callback functions are set.
|
||||
|
||||
locking_function(int mode, int n, const char *file, int line) is
|
||||
needed to perform locking on shared data structures. Multi-threaded
|
||||
applications will crash at random if it is not set.
|
||||
needed to perform locking on shared data structures.
|
||||
(Note that OpenSSL uses a number of global data structures that
|
||||
will be implicitly shared whenever multiple threads use OpenSSL.)
|
||||
Multi-threaded applications will crash at random if it is not set.
|
||||
|
||||
locking_function() must be able to handle up to CRYPTO_num_locks()
|
||||
different mutex locks. It sets the B<n>-th lock if B<mode> &
|
||||
|
|
|
@ -8,10 +8,10 @@ SSL_CTX_ctrl, SSL_CTX_callback_ctrl, SSL_ctrl, SSL_callback_ctrl - internal hand
|
|||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
|
||||
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
|
||||
long SSL_CTX_callback_ctrl(SSL_CTX *, int cmd, void (*fp)());
|
||||
|
||||
long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
|
||||
long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);
|
||||
long SSL_callback_ctrl(SSL *, int cmd, void (*fp)());
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
|
|
@ -24,6 +24,8 @@ the certificates and keys.
|
|||
|
||||
SSL_CTX_free() does not provide diagnostic information.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<SSL_CTX_new(3)|SSL_CTX_new(3)>, L<ssl(3)|ssl(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -58,7 +58,7 @@ failure.
|
|||
In server mode, when requesting a client certificate, the server must send
|
||||
the list of CAs of which it will accept client certificates. This list
|
||||
is not influenced by the contents of B<CAfile> or B<CApath> and must
|
||||
explicitely be set using the
|
||||
explicitly be set using the
|
||||
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
|
||||
family of functions.
|
||||
|
||||
|
@ -118,7 +118,7 @@ L<ssl(3)|ssl(3)>,
|
|||
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
|
||||
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
|
||||
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
|
||||
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>
|
||||
|
||||
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
|
||||
L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -59,10 +59,6 @@ choice when compatibility is a concern.
|
|||
|
||||
=back
|
||||
|
||||
If a generic method is used, it is necessary to explicitly set client or
|
||||
server mode with L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
|
||||
or SSL_set_accept_state().
|
||||
|
||||
The list of protocols available can later be limited using the SSL_OP_NO_SSLv2,
|
||||
SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1 options of the B<SSL_CTX_set_options()> or
|
||||
B<SSL_set_options()> functions. Using these options it is possible to choose
|
||||
|
|
|
@ -70,12 +70,16 @@ proposed by the client. The get_session_cb() is always called, also when
|
|||
session caching was disabled. The get_session_cb() is passed the
|
||||
B<ssl> connection, the session id of length B<length> at the memory location
|
||||
B<data>. With the parameter B<copy> the callback can require the
|
||||
SSL engine to increment the reference count of the SSL_SESSION object.
|
||||
SSL engine to increment the reference count of the SSL_SESSION object,
|
||||
Normally the reference count is not incremented and therefore the
|
||||
session must not be explicitly freed with
|
||||
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
|
||||
L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>
|
||||
L<SSL_CTX_flush_sessions(3)|<SSL_CTX_flush_sessions(3)>,
|
||||
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -34,9 +34,25 @@ a necessary condition. On the client side, the inclusion into the list is
|
|||
also sufficient. On the server side, additional restrictions apply. All ciphers
|
||||
have additional requirements. ADH ciphers don't need a certificate, but
|
||||
DH-parameters must have been set. All other ciphers need a corresponding
|
||||
certificate and key. A RSA cipher can only be chosen, when a RSA certificate is
|
||||
available, the respective is valid for DSA ciphers. Ciphers using EDH need
|
||||
a certificate and key and DH-parameters.
|
||||
certificate and key.
|
||||
|
||||
A RSA cipher can only be chosen, when a RSA certificate is available.
|
||||
RSA export ciphers with a keylength of 512 bits for the RSA key require
|
||||
a temporary 512 bit RSA key, as typically the supplied key has a length
|
||||
of 1024 bit (see
|
||||
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
|
||||
RSA ciphers using EDH need a certificate and key and additional DH-parameters
|
||||
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
||||
|
||||
A DSA cipher can only be chosen, when a DSA certificate is available.
|
||||
DSA ciphers always use DH key exchange and therefore need DH-parameters
|
||||
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
||||
|
||||
When these conditions are not met for any cipher in the list (e.g. a
|
||||
client only supports export RSA ciphers with a asymmetric key length
|
||||
of 512 bits and the server is not configured to use temporary RSA
|
||||
keys), the "no shared cipher" (SSL_R_NO_SHARED_CIPHER) error is generated
|
||||
and the handshake will fail.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
|
@ -47,6 +63,8 @@ could be selected and 0 on complete failure.
|
|||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
|
||||
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
|
||||
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
|
||||
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
|
||||
L<ciphers(1)|ciphers(1)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -40,6 +40,12 @@ then keep it in memory and use it several times. In the last case, the
|
|||
password could be stored into the B<userdata> storage and the
|
||||
pem_passwd_cb() only returns the password already stored.
|
||||
|
||||
When asking for the password interactively, pem_passwd_cb() can use
|
||||
B<rwflag> to check, whether an item shall be encrypted (rwflag=1).
|
||||
In this case the password dialog may ask for the same password twice
|
||||
for comparison in order to catch typos, that would make decryption
|
||||
impossible.
|
||||
|
||||
Other items in PEM formatting (certificates) can also be encrypted, it is
|
||||
however not usual, as certificate information is considered public.
|
||||
|
||||
|
|
|
@ -37,6 +37,9 @@ The following mode changes are available:
|
|||
Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
|
||||
when just a single record has been written). When not set (the default),
|
||||
SSL_write() will only report success once the complete chunk was written.
|
||||
Once SSL_write() returns with r, r bytes have been successfully written
|
||||
and the next call to SSL_write() must only send the n-r bytes left,
|
||||
imitating the behaviour of write().
|
||||
|
||||
=item SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
|
||||
|
||||
|
|
|
@ -17,10 +17,10 @@ SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - man
|
|||
=head1 DESCRIPTION
|
||||
|
||||
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
|
||||
Options already set before are not cleared.
|
||||
Options already set before are not cleared!
|
||||
|
||||
SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
|
||||
Options already set before are not cleared.
|
||||
Options already set before are not cleared!
|
||||
|
||||
SSL_CTX_get_options() returns the options set for B<ctx>.
|
||||
|
||||
|
@ -32,7 +32,12 @@ The behaviour of the SSL library can be changed by setting several options.
|
|||
The options are coded as bitmasks and can be combined by a logical B<or>
|
||||
operation (|). Options can only be added but can never be reset.
|
||||
|
||||
During a handshake, the option settings of the SSL object used. When
|
||||
SSL_CTX_set_options() and SSL_set_options() affect the (external)
|
||||
protocol behaviour of the SSL library. The (internal) behaviour of
|
||||
the API can be changed by using the similar
|
||||
L<SSL_CTX_set_modes(3)|SSL_CTX_set_modes(3)> and SSL_set_modes() functions.
|
||||
|
||||
During a handshake, the option settings of the SSL object are used. When
|
||||
a new SSL object is created from a context using SSL_new(), the current
|
||||
option setting is copied. Changes to B<ctx> do not affect already created
|
||||
SSL objects. SSL_clear() does not affect the settings.
|
||||
|
@ -122,11 +127,27 @@ The following B<modifying> options are available:
|
|||
|
||||
=item SSL_OP_SINGLE_DH_USE
|
||||
|
||||
Always create a new key when using temporary DH parameters.
|
||||
Always create a new key when using temporary/ephemeral DH parameters
|
||||
(see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
|
||||
This option must be used to prevent small subgroup attacks, when
|
||||
the DH parameters were not generated using "strong" primes
|
||||
(e.g. when using DSA-parameters, see L<dhparam(1)|dhparam(1)>).
|
||||
If "strong" primes were used, it is not strictly necessary to generate
|
||||
a new DH key during each handshake but it is also recommended.
|
||||
SSL_OP_SINGLE_DH_USE should therefore be enabled whenever
|
||||
temporary/ephemeral DH parameters are used.
|
||||
|
||||
=item SSL_OP_EPHEMERAL_RSA
|
||||
|
||||
Also use the temporary RSA key when doing RSA operations.
|
||||
Always use ephemeral (temporary) RSA key when doing RSA operations
|
||||
(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
|
||||
According to the specifications this is only done, when a RSA key
|
||||
can only be used for signature operations (namely under export ciphers
|
||||
with restricted RSA keylength). By setting this option, ephemeral
|
||||
RSA keys are always used. This option breaks compatibility with the
|
||||
SSL/TLS specifications and may lead to interoperability problems with
|
||||
clients and should therefore never be used. Ciphers with EDH (ephemeral
|
||||
Diffie-Hellman) key exchange should be used instead.
|
||||
|
||||
=item SSL_OP_PKCS1_CHECK_1
|
||||
|
||||
|
@ -142,11 +163,6 @@ If we accept a netscape connection, demand a client cert, have a
|
|||
non-self-sighed CA which does not have it's CA in netscape, and the
|
||||
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
|
||||
|
||||
=item SSL_OP_NON_EXPORT_FIRST
|
||||
|
||||
On servers try to use non-export (stronger) ciphers first. This option does
|
||||
not work under all circumstances (in the code it is declared "broken").
|
||||
|
||||
=item SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
|
||||
|
||||
...
|
||||
|
@ -174,7 +190,10 @@ SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
|
|||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>
|
||||
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
|
||||
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
|
||||
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
|
||||
L<dhparam(1)|dhparam(1)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
|
|
|
@ -97,6 +97,7 @@ SSL_CTX_get_session_cache_mode() returns the currently set cache mode.
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_set_session(3)|SSL_set_session(3)>,
|
||||
L<SSL_session_reused(3)|SSL_session_reused(3)>,
|
||||
L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
|
||||
L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
|
||||
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
|
||||
|
|
|
@ -37,7 +37,10 @@ L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> is called, either
|
|||
directly by the application or automatically (see
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>)
|
||||
|
||||
The default value for session timeout is 300 seconds.
|
||||
The default value for session timeout is decided on a per protocol
|
||||
basis, see L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>.
|
||||
All currently supported protocols have the same default timeout value
|
||||
of 300 seconds.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
|
@ -50,6 +53,7 @@ SSL_CTX_get_timeout() returns the currently set timeout value.
|
|||
L<ssl(3)|ssl(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
|
||||
L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
|
||||
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>
|
||||
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
|
||||
L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -59,14 +59,14 @@ The handshake will be continued regardless of the verification result.
|
|||
|
||||
B<Server mode:> the server sends a client certificate request to the client.
|
||||
The certificate returned (if any) is checked. If the verification process
|
||||
fails as indicated by B<verify_callback>, the TLS/SSL handshake is
|
||||
fails, the TLS/SSL handshake is
|
||||
immediately terminated with an alert message containing the reason for
|
||||
the verification failure.
|
||||
The behaviour can be controlled by the additional
|
||||
SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE flags.
|
||||
|
||||
B<Client mode:> the server certificate is verified. If the verification process
|
||||
fails as indicated by B<verify_callback>, the TLS/SSL handshake is
|
||||
fails, the TLS/SSL handshake is
|
||||
immediately terminated with an alert message containing the reason for
|
||||
the verification failure. If no server certificate is sent, because an
|
||||
anonymous cipher is used, SSL_VERIFY_PEER is ignored.
|
||||
|
@ -92,6 +92,15 @@ B<Client mode:> ignored
|
|||
Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
|
||||
set at any time.
|
||||
|
||||
The actual verification procedure is performed either using the built-in
|
||||
verification procedure or using another application provided verification
|
||||
function set with
|
||||
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>.
|
||||
The following descriptions apply in the case of the built-in procedure. An
|
||||
application provided procedure also has access to the verify depth information
|
||||
and the verify_callback() function, but the way this information is used
|
||||
may be different.
|
||||
|
||||
SSL_CTX_set_verify_depth() and SSL_set_verify_depth() set the limit up
|
||||
to which depth certificates in a chain are used during the verification
|
||||
procedure. If the certificate chain is longer than allowed, the certificates
|
||||
|
@ -278,6 +287,7 @@ L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
|
|||
L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>,
|
||||
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>,
|
||||
L<SSL_get_peer_certificate(3)|SSL_get_peer_certificate(3)>,
|
||||
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
|
||||
L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
|
||||
L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>
|
||||
|
||||
|
|
|
@ -16,10 +16,40 @@ SSL_SESSION_free() decrements the reference count of B<session> and removes
|
|||
the B<SSL_SESSION> structure pointed to by B<session> and frees up the allocated
|
||||
memory, if the the reference count has reached 0.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
SSL_SESSION objects are allocated, when a TLS/SSL handshake operation
|
||||
is successfully completed. Depending on the settings, see
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
|
||||
the SSL_SESSION objects are internally referenced by the SSL_CTX and
|
||||
linked into its session cache. SSL objects may be using the SSL_SESSION object;
|
||||
as a session may be reused, several SSL objects may be using one SSL_SESSION
|
||||
object at the same time. It is therefore crucial to keep the reference
|
||||
count (usage information) correct and not delete a SSL_SESSION object
|
||||
that is still used, as this may lead to program failures due to
|
||||
dangling pointers. These failures may also appear delayed, e.g.
|
||||
when an SSL_SESSION object was completely freed as the reference count
|
||||
incorrectly became 0, but it is still referenced in the internal
|
||||
session cache and the cache list is processed during a
|
||||
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> operation.
|
||||
|
||||
SSL_SESSION_free() must only be called for SSL_SESSION objects, for
|
||||
which the reference count was explicitly incremented (e.g.
|
||||
by calling SSL_get1_session(), see L<SSL_get_session(3)|SSL_get_session(3)>)
|
||||
or when the SSL_SESSION object was generated outside a TLS handshake
|
||||
operation, e.g. by using L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>.
|
||||
It must not be called on other SSL_SESSION objects, as this would cause
|
||||
incorrect reference counts and therefore program failures.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_SESSION_free() does not provide diagnostic information.
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_get_session(3)|SSL_get_session(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
|
||||
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
|
||||
L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -58,6 +58,7 @@ If any of the function is passed the NULL pointer for the session B<s>,
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>,
|
||||
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>
|
||||
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
|
||||
L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -37,11 +37,6 @@ nothing is to be done, but select() can be used to check for the required
|
|||
condition. When using a buffering BIO, like a BIO pair, data must be written
|
||||
into or retrieved out of the BIO before being able to continue.
|
||||
|
||||
When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
|
||||
is necessary to call SSL_set_accept_state()
|
||||
before calling SSL_accept() to explicitly switch the B<ssl> to server
|
||||
mode.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
|
|
|
@ -8,11 +8,11 @@ SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_al
|
|||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
const char *SSL_alert_type_string(int value);
|
||||
const char *SSL_alert_type_string_long(int value);
|
||||
char *SSL_alert_type_string(int value);
|
||||
char *SSL_alert_type_string_long(int value);
|
||||
|
||||
const char *SSL_alert_desc_string(int value);
|
||||
const char *SSL_alert_desc_string_long(int value);
|
||||
char *SSL_alert_desc_string(int value);
|
||||
char *SSL_alert_desc_string_long(int value);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
|
|
|
@ -34,11 +34,6 @@ nothing is to be done, but select() can be used to check for the required
|
|||
condition. When using a buffering BIO, like a BIO pair, data must be written
|
||||
into or retrieved out of the BIO before being able to continue.
|
||||
|
||||
When using a generic method (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>), it
|
||||
is necessary to call L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>
|
||||
before calling SSL_connect() to explicitly switch the B<ssl> to client
|
||||
mode.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
|
|
|
@ -69,13 +69,13 @@ to read data. This is mainly because TLS/SSL handshakes may occur at any
|
|||
time during the protocol (initiated by either the client or the server);
|
||||
SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes.
|
||||
|
||||
=item SSL_ERROR_WANT_CONNECT
|
||||
=item SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT
|
||||
|
||||
The operation did not complete; the same TLS/SSL I/O function should be
|
||||
called again later. The underlying BIO was not connected yet to the peer
|
||||
and the call would block in connect(). The SSL function should be
|
||||
called again when the connection is established. This messages can only
|
||||
appear with a BIO_s_connect() BIO.
|
||||
and the call would block in connect()/accept(). The SSL function should be
|
||||
called again when the connection is established. These messages can only
|
||||
appear with a BIO_s_connect() or BIO_s_accept() BIO, respectively.
|
||||
In order to find out, when the connection has been successfully established,
|
||||
on many platforms select() or poll() for writing on the socket file descriptor
|
||||
can be used.
|
||||
|
|
|
@ -19,7 +19,7 @@ peer presented. If the peer did not present a certificate, NULL is returned.
|
|||
|
||||
Due to the protocol definition, a TLS/SSL server will always send a
|
||||
certificate, if present. A client will only send a certificate when
|
||||
explicitely requested to do so by the server (see
|
||||
explicitly requested to do so by the server (see
|
||||
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>). If an anonymous cipher
|
||||
is used, no certificates are sent.
|
||||
|
||||
|
|
|
@ -40,6 +40,12 @@ If the data is to be kept, SSL_get1_session() will increment the reference
|
|||
count and the session will stay in memory until explicitly freed with
|
||||
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>, regardless of its state.
|
||||
|
||||
SSL_SESSION objects keep internal link information about the session cache
|
||||
list, when being inserted into one SSL_CTX object's session cache.
|
||||
One SSL_SESSION object, regardless of its reference count, must therefore
|
||||
only be used with one SSL_CTX object (and the SSL objects created
|
||||
from this SSL_CTX object).
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
|
|
|
@ -38,6 +38,7 @@ The return value points to an allocated SSL structure.
|
|||
|
||||
L<SSL_free(3)|SSL_free(3)>, L<SSL_clear(3)|SSL_clear(3)>,
|
||||
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
|
||||
L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>,
|
||||
L<ssl(3)|ssl(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -25,11 +25,10 @@ the SSL_read() operation. The behaviour of SSL_read() depends on the
|
|||
underlying BIO.
|
||||
|
||||
For the transparent negotiation to succeed, the B<ssl> must have been
|
||||
initialized to client or server mode. This is not the case if a generic
|
||||
method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
|
||||
initialized to client or server mode. This is being done by calling
|
||||
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
|
||||
must be used before the first call to an SSL_read() or
|
||||
L<SSL_write(3)|SSL_write(3)> function).
|
||||
before the first call to an SSL_read() or L<SSL_write(3)|SSL_write(3)>
|
||||
function.
|
||||
|
||||
SSL_read() works based on the SSL/TLS records. The data are received in
|
||||
records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a
|
||||
|
@ -84,9 +83,20 @@ bytes actually read from the TLS/SSL connection.
|
|||
|
||||
=item 0
|
||||
|
||||
The read operation was not successful, probably because no data was
|
||||
available. Call SSL_get_error() with the return value B<ret> to find out,
|
||||
whether an error occurred.
|
||||
The read operation was not successful. The reason may either be a clean
|
||||
shutdown due to a "close notify" alert sent by the peer (in which case
|
||||
the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set
|
||||
(see L<SSL_shutdown(3)|SSL_shutdown(3)>,
|
||||
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>). It is also possible, that
|
||||
the peer simply shut down the underlying transport and the shutdown is
|
||||
incomplete. Call SSL_get_error() with the return value B<ret> to find out,
|
||||
whether an error occurred or the connection was shut down cleanly
|
||||
(SSL_ERROR_ZERO_RETURN).
|
||||
|
||||
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
||||
only be detected, whether the underlying connection was closed. It cannot
|
||||
be checked, whether the closure was initiated by the peer or by something
|
||||
else.
|
||||
|
||||
=item E<lt>0
|
||||
|
||||
|
@ -102,6 +112,7 @@ L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_write(3)|SSL_write(3)>,
|
|||
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
|
||||
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
|
||||
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
|
||||
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
|
||||
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -8,8 +8,8 @@ SSL_rstate_string, SSL_rstate_string_long - get textual description of state of
|
|||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
const char *SSL_rstate_string(SSL *ssl);
|
||||
const char *SSL_rstate_string_long(SSL *ssl);
|
||||
char *SSL_rstate_string(SSL *ssl);
|
||||
char *SSL_rstate_string_long(SSL *ssl);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
|
|
|
@ -14,9 +14,9 @@ SSL_set_connect_state, SSL_get_accept_state - prepare SSL object to work in clie
|
|||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
SSL_set_connect_state() B<ssl> to work in client mode.
|
||||
SSL_set_connect_state() sets B<ssl> to work in client mode.
|
||||
|
||||
SSL_set_accept_state() B<ssl> to work in server mode.
|
||||
SSL_set_accept_state() sets B<ssl> to work in server mode.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
|
@ -27,12 +27,17 @@ server connections. (The method might have been changed with
|
|||
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)> or
|
||||
SSL_set_ssl_method().)
|
||||
|
||||
In order to successfully accomplish the handshake, the SSL routines need
|
||||
to know whether they should act in server or client mode. If the generic
|
||||
method was used, this is not clear from the method itself and must be set
|
||||
with either SSL_set_connect_state() or SSL_set_accept_state(). If these
|
||||
routines are not called, the default value set when L<SSL_new(3)|SSL_new(3)>
|
||||
is called is server mode.
|
||||
When beginning a new handshake, the SSL engine must know whether it must
|
||||
call the connect (client) or accept (server) routines. Even though it may
|
||||
be clear from the method chosen, whether client or server mode was
|
||||
requested, the handshake routines must be explicitly set.
|
||||
|
||||
When using the L<SSL_connect(3)|SSL_connect(3)> or
|
||||
L<SSL_accept(3)|SSL_accept(3)> routines, the correct handshake
|
||||
routines are automatically set. When performing a transparent negotiation
|
||||
using L<SSL_write(3)|SSL_write(3)> or L<SSL_read(3)|SSL_read(3)>, the
|
||||
handshake routines must be explicitly set in advance using either
|
||||
SSL_set_connect_state() or SSL_set_accept_state().
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
|
@ -42,6 +47,8 @@ information.
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
|
||||
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>,
|
||||
L<SSL_write(3)|SSL_write(3)>, L<SSL_read(3)|SSL_read(3)>,
|
||||
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -16,12 +16,21 @@ SSL_set_session() sets B<session> to be used when the TLS/SSL connection
|
|||
is to be established. SSL_set_session() is only useful for TLS/SSL clients.
|
||||
When the session is set, the reference count of B<session> is incremented
|
||||
by 1. If the session is not reused, the reference count is decremented
|
||||
again during SSL_connect().
|
||||
again during SSL_connect(). Whether the session was reused can be queried
|
||||
with the L<SSL_session_reused(3)|SSL_session_reused(3)> call.
|
||||
|
||||
If there is already a session set inside B<ssl> (because it was set with
|
||||
SSL_set_session() before or because the same B<ssl> was already used for
|
||||
a connection), SSL_SESSION_free() will be called for that session.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
SSL_SESSION objects keep internal link information about the session cache
|
||||
list, when being inserted into one SSL_CTX object's session cache.
|
||||
One SSL_SESSION object, regardless of its reference count, must therefore
|
||||
only be used with one SSL_CTX object (and the SSL objects created
|
||||
from this SSL_CTX object).
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
|
@ -41,6 +50,8 @@ The operation succeeded.
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
|
||||
L<SSL_get_session(3)|SSL_get_session(3)>,
|
||||
L<SSL_session_reused(3)|SSL_session_reused(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -46,7 +46,10 @@ The shutdown state of the connection is used to determine the state of
|
|||
the ssl session. If the session is still open, when
|
||||
L<SSL_clear(3)|SSL_clear(3)> or L<SSL_free(3)|SSL_free(3)> is called,
|
||||
it is considered bad and removed according to RFC2246.
|
||||
The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN.
|
||||
The actual condition for a correctly closed session is SSL_SENT_SHUTDOWN
|
||||
(according to the TLS RFC, it is acceptable to only send the "close notify"
|
||||
alert but to not wait for the peer's answer, when the underlying connection
|
||||
is closed).
|
||||
SSL_set_shutdown() can be used to set this state without sending a
|
||||
close alert to the peer (see L<SSL_shutdown(3)|SSL_shutdown(3)>).
|
||||
|
||||
|
@ -63,6 +66,7 @@ SSL_get_shutdown() returns the current setting.
|
|||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_shutdown(3)|SSL_shutdown(3)>,
|
||||
L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
|
||||
L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -22,10 +22,52 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
|
|||
a currently open session is considered closed and good and will be kept in the
|
||||
session cache for further reuse.
|
||||
|
||||
The behaviour of SSL_shutdown() depends on the underlying BIO.
|
||||
The shutdown procedure consists of 2 steps: the sending of the "close notify"
|
||||
shutdown alert and the reception of the peer's "close notify" shutdown
|
||||
alert. According to the TLS standard, it is acceptable for an application
|
||||
to only send its shutdown alert and then close the underlying connection
|
||||
without waiting for the peer's response (this way resources can be saved,
|
||||
as the process can already terminate or serve another connection).
|
||||
When the underlying connection shall be used for more communications, the
|
||||
complete shutdown procedure (bidirectional "close notify" alerts) must be
|
||||
performed, so that the peers stay synchronized.
|
||||
|
||||
SSL_shutdown() supports both uni- and bidirectional shutdown by its 2 step
|
||||
behaviour.
|
||||
|
||||
=over 4
|
||||
|
||||
=item When the application is the first party to send the "close notify"
|
||||
alert, SSL_shutdown() will only send the alert and the set the
|
||||
SSL_SENT_SHUTDOWN flag (so that the session is considered good and will
|
||||
be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional
|
||||
shutdown is enough (the underlying connection shall be closed anyway), this
|
||||
first call to SSL_shutdown() is sufficient. In order to complete the
|
||||
bidirectional shutdown handshake, SSL_shutdown() must be called again.
|
||||
The second call will make SSL_shutdown() wait for the peer's "close notify"
|
||||
shutdown alert. On success, the second call to SSL_shutdown() will return
|
||||
with 1.
|
||||
|
||||
=item If the peer already sent the "close notify" alert B<and> it was
|
||||
already processed implicitly inside another function
|
||||
(L<SSL_read(3)|SSL_read(3)>), the SSL_RECEIVED_SHUTDOWN flag is set.
|
||||
SSL_shutdown() will send the "close notify" alert, set the SSL_SENT_SHUTDOWN
|
||||
flag and will immediately return with 1.
|
||||
Whether SSL_RECEIVED_SHUTDOWN is already set can be checked using the
|
||||
SSL_get_shutdown() (see also L<SSL_set_shutdown(3)|SSL_set_shutdown(3)> call.
|
||||
|
||||
=back
|
||||
|
||||
It is therefore recommended, to check the return value of SSL_shutdown()
|
||||
and call SSL_shutdown() again, if the bidirectional shutdown is not yet
|
||||
complete (return value of the first call is 0). As the shutdown is not
|
||||
specially handled in the SSLv2 protocol, SSL_shutdown() will succeed on
|
||||
the first call.
|
||||
|
||||
The behaviour of SSL_shutdown() additionally depends on the underlying BIO.
|
||||
|
||||
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
|
||||
handshake has been finished or an error occurred.
|
||||
handshake step has been finished or an error occurred.
|
||||
|
||||
If the underlying BIO is B<non-blocking>, SSL_shutdown() will also return
|
||||
when the underlying BIO could not satisfy the needs of SSL_shutdown()
|
||||
|
@ -38,6 +80,12 @@ nothing is to be done, but select() can be used to check for the required
|
|||
condition. When using a buffering BIO, like a BIO pair, data must be written
|
||||
into or retrieved out of the BIO before being able to continue.
|
||||
|
||||
SSL_shutdown() can be modified to only set the connection to "shutdown"
|
||||
state but not actually send the "close notify" alert messages,
|
||||
see L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>.
|
||||
When "quiet shutdown" is enabled, SSL_shutdown() will always succeed
|
||||
and return 1.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
|
@ -46,19 +94,23 @@ The following return values can occur:
|
|||
|
||||
=item 1
|
||||
|
||||
The shutdown was successfully completed.
|
||||
The shutdown was successfully completed. The "close notify" alert was sent
|
||||
and the peer's "close notify" alert was received.
|
||||
|
||||
=item 0
|
||||
|
||||
The shutdown was not successful. Call SSL_get_error() with the return
|
||||
value B<ret> to find out the reason.
|
||||
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
||||
if a bidirectional shutdown shall be performed.
|
||||
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
||||
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
||||
|
||||
=item -1
|
||||
|
||||
The shutdown was not successful because a fatal error occurred either
|
||||
at the protocol level or a connection failure occurred. It can also occur of
|
||||
at the protocol level or a connection failure occurred. It can also occur if
|
||||
action is need to continue the operation for non-blocking BIOs.
|
||||
Call SSL_get_error() with the return value B<ret> to find out the reason.
|
||||
Call L<SSL_get_error(3)|SSL_get_error(3)> with the return value B<ret>
|
||||
to find out the reason.
|
||||
|
||||
=back
|
||||
|
||||
|
@ -66,6 +118,7 @@ Call SSL_get_error() with the return value B<ret> to find out the reason.
|
|||
|
||||
L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>,
|
||||
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
|
||||
L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
|
||||
L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>,
|
||||
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
|
||||
|
||||
|
|
|
@ -8,8 +8,8 @@ SSL_state_string, SSL_state_string_long - get textual description of state of an
|
|||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
const char *SSL_state_string(SSL *ssl);
|
||||
const char *SSL_state_string_long(SSL *ssl);
|
||||
char *SSL_state_string(SSL *ssl);
|
||||
char *SSL_state_string_long(SSL *ssl);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
|
|
|
@ -25,11 +25,9 @@ the SSL_write() operation. The behaviour of SSL_write() depends on the
|
|||
underlying BIO.
|
||||
|
||||
For the transparent negotiation to succeed, the B<ssl> must have been
|
||||
initialized to client or server mode. This is not the case if a generic
|
||||
method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that
|
||||
initialized to client or server mode. This is being done by calling
|
||||
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state()
|
||||
must be used before the first call to an L<SSL_read(3)|SSL_read(3)>
|
||||
or SSL_write() function.
|
||||
before the first call to an L<SSL_read(3)|SSL_read(3)> or SSL_write() function.
|
||||
|
||||
If the underlying BIO is B<blocking>, SSL_write() will only return, once the
|
||||
write operation has been finished or an error occurred, except when a
|
||||
|
@ -80,8 +78,14 @@ bytes actually written to the TLS/SSL connection.
|
|||
|
||||
=item 0
|
||||
|
||||
The write operation was not successful. Call SSL_get_error() with the return
|
||||
value B<ret> to find out, whether an error occurred.
|
||||
The write operation was not successful. Probably the underlying connection
|
||||
was closed. Call SSL_get_error() with the return value B<ret> to find out,
|
||||
whether an error occurred or the connection was shut down cleanly
|
||||
(SSL_ERROR_ZERO_RETURN).
|
||||
|
||||
SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
|
||||
only be detected, whether the underlying connection was closed. It cannot
|
||||
be checked, why the closure happened.
|
||||
|
||||
=item E<lt>0
|
||||
|
||||
|
|
|
@ -30,7 +30,17 @@ session data on disk or into a database, it must be transformed into
|
|||
a binary ASN1 representation.
|
||||
|
||||
When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically
|
||||
allocated.
|
||||
allocated. The reference count is 1, so that the session must be
|
||||
explicitly removed using L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
|
||||
unless the SSL_SESSION object is completely taken over, when being called
|
||||
inside the get_session_cb() (see
|
||||
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
|
||||
|
||||
SSL_SESSION objects keep internal link information about the session cache
|
||||
list, when being inserted into one SSL_CTX object's session cache.
|
||||
One SSL_SESSION object, regardless of its reference count, must therefore
|
||||
only be used with one SSL_CTX object (and the SSL objects created
|
||||
from this SSL_CTX object).
|
||||
|
||||
When using i2d_SSL_SESSION(), the memory location pointed to by B<pp> must be
|
||||
large enough to hold the binary representation of the session. There is no
|
||||
|
@ -50,7 +60,7 @@ When the session is not valid, B<0> is returned and no operation is performed.
|
|||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>,
|
||||
L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
|
||||
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
|
||||
|
||||
=cut
|
||||
|
|
|
@ -299,7 +299,7 @@ protocol context defined in the B<SSL_CTX> structure.
|
|||
|
||||
=item void B<SSL_CTX_set_cert_store>(SSL_CTX *ctx, X509_STORE *cs);
|
||||
|
||||
=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(SSL_CTX *), char *arg)
|
||||
=item void B<SSL_CTX_set_cert_verify_cb>(SSL_CTX *ctx, int (*cb)(), char *arg)
|
||||
|
||||
=item int B<SSL_CTX_set_cipher_list>(SSL_CTX *ctx, char *str);
|
||||
|
||||
|
@ -650,8 +650,10 @@ L<openssl(1)|openssl(1)>, L<crypto(3)|crypto(3)>,
|
|||
L<SSL_accept(3)|SSL_accept(3)>, L<SSL_clear(3)|SSL_clear(3)>,
|
||||
L<SSL_connect(3)|SSL_connect(3)>,
|
||||
L<SSL_CIPHER_get_name(3)|SSL_CIPHER_get_name(3)>,
|
||||
L<SSL_COMP_add_compression_method(3)|SSL_COMP_add_compression_method(3)>,
|
||||
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>,
|
||||
L<SSL_CTX_add_session(3)|SSL_CTX_add_session(3)>,
|
||||
L<SSL_CTX_ctrl(3)|SSL_CTX_ctrl(3)>,
|
||||
L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)>,
|
||||
L<SSL_CTX_get_ex_new_index(3)|SSL_CTX_get_ex_new_index(3)>,
|
||||
L<SSL_CTX_get_verify_mode(3)|SSL_CTX_get_verify_mode(3)>,
|
||||
|
@ -661,18 +663,28 @@ L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>,
|
|||
L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>,
|
||||
L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>,
|
||||
L<SSL_CTX_sessions(3)|SSL_CTX_sessions(3)>,
|
||||
L<SSL_CTX_set_cert_store(3)|SSL_CTX_set_cert_store(3)>,
|
||||
L<SSL_CTX_set_cert_verify_callback(3)|SSL_CTX_set_cert_verify_callback(3)>,
|
||||
L<SSL_CTX_set_cipher_list(3)|SSL_CTX_set_cipher_list(3)>,
|
||||
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>,
|
||||
L<SSL_CTX_set_default_passwd_cb(3)|SSL_CTX_set_default_passwd_cb(3)>,
|
||||
L<SSL_CTX_set_info_callback(3)|SSL_CTX_set_info_callback(3)>,
|
||||
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>,
|
||||
L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>,
|
||||
L<SSL_CTX_set_quiet_shutdown(3)|SSL_CTX_set_quiet_shutdown(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>,
|
||||
L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>,
|
||||
L<SSL_CTX_set_ssl_version(3)|SSL_CTX_set_ssl_version(3)>,
|
||||
L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>,
|
||||
L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>,
|
||||
L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>,
|
||||
L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>,
|
||||
L<SSL_CTX_use_certificate(3)|SSL_CTX_use_certificate(3)>,
|
||||
L<SSL_alert_type_string(3)|SSL_alert_type_string(3)>,
|
||||
L<SSL_get_SSL_CTX(3)|SSL_get_SSL_CTX(3)>,
|
||||
L<SSL_get_ciphers(3)|SSL_get_ciphers(3)>,
|
||||
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
|
||||
L<SSL_get_default_timeout(3)|SSL_get_default_timeout(3)>,
|
||||
L<SSL_get_error(3)|SSL_get_error(3)>,
|
||||
L<SSL_get_ex_data_X509_STORE_CTX_idx(3)|SSL_get_ex_data_X509_STORE_CTX_idx(3)>,
|
||||
L<SSL_get_ex_new_index(3)|SSL_get_ex_new_index(3)>,
|
||||
|
@ -685,12 +697,19 @@ L<SSL_get_version(3)|SSL_get_version(3)>,
|
|||
L<SSL_library_init(3)|SSL_library_init(3)>,
|
||||
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
|
||||
L<SSL_new(3)|SSL_new(3)>,
|
||||
L<SSL_read(3)|SSL_read(3)>, L<SSL_set_bio(3)|SSL_set_bio(3)>,
|
||||
L<SSL_pending(3)|SSL_pending(3)>,
|
||||
L<SSL_read(3)|SSL_read(3)>,
|
||||
L<SSL_rstate_string(3)|SSL_rstate_string(3)>,
|
||||
L<SSL_session_reused(3)|SSL_session_reused(3)>,
|
||||
L<SSL_set_bio(3)|SSL_set_bio(3)>,
|
||||
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
|
||||
L<SSL_set_fd(3)|SSL_set_fd(3)>, L<SSL_pending(3)|SSL_pending(3)>,
|
||||
L<SSL_set_fd(3)|SSL_set_fd(3)>,
|
||||
L<SSL_set_session(3)|SSL_set_session(3)>,
|
||||
L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
|
||||
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_write(3)|SSL_write(3)>,
|
||||
L<SSL_shutdown(3)|SSL_shutdown(3)>,
|
||||
L<SSL_state_string(3)|SSL_state_string(3)>,
|
||||
L<SSL_want(3)|SSL_want(3)>,
|
||||
L<SSL_write(3)|SSL_write(3)>,
|
||||
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
|
||||
L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
|
||||
L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
|
||||
|
|
9
e_os.h
9
e_os.h
|
@ -413,13 +413,10 @@ extern HINSTANCE _hInstance;
|
|||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(THREADS) || defined(sun)
|
||||
#ifndef _REENTRANT
|
||||
#define _REENTRANT
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
|
||||
/* include headers first, so our defines don't break it */
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
/* bcopy can handle overlapping moves according to SunOS 4.1.4 manpage */
|
||||
# define memmove(s1,s2,n) bcopy((s2),(s1),(n))
|
||||
# define strtoul(s,e,b) ((unsigned long int)strtol((s),(e),(b)))
|
||||
|
|
|
@ -196,10 +196,16 @@ $ IF F$SEARCH("[.CRYPTO]OPENSSLCONF_H.IN") .NES. ""
|
|||
$ THEN
|
||||
$ TYPE [.CRYPTO]OPENSSLCONF_H.IN /OUTPUT=H_FILE:
|
||||
$ ELSE
|
||||
$ ! For ODS-5
|
||||
$ IF F$SEARCH("[.CRYPTO]OPENSSLCONF.H.IN") .NES. ""
|
||||
$ THEN
|
||||
$ TYPE [.CRYPTO]OPENSSLCONF.H.IN /OUTPUT=H_FILE:
|
||||
$ ELSE
|
||||
$ WRITE SYS$ERROR "Couldn't find a [.CRYPTO]OPENSSLCONF.H_IN. Exiting!"
|
||||
$ EXIT 0
|
||||
$ ENDIF
|
||||
$ ENDIF
|
||||
$ ENDIF
|
||||
$!
|
||||
$ IF ARCH .EQS. "AXP"
|
||||
$ THEN
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/sh
|
||||
|
||||
major="0"
|
||||
minor="9.7"
|
||||
minor="9.6b"
|
||||
|
||||
slib=libssl
|
||||
sh_slib=$slib.so.$major.$minor
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/sh
|
||||
|
||||
major="0"
|
||||
minor="9.7"
|
||||
minor="9.6b"
|
||||
|
||||
slib=libssl
|
||||
sh_slib=$slib.so.$major.$minor
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/sh
|
||||
|
||||
major="0"
|
||||
minor="9.7"
|
||||
minor="9.6b"
|
||||
|
||||
slib=libssl
|
||||
sh_slib=$slib.so.$major.$minor
|
||||
|
|
|
@ -113,8 +113,8 @@ int ssl23_connect(SSL *s)
|
|||
else if (s->ctx->info_callback != NULL)
|
||||
cb=s->ctx->info_callback;
|
||||
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
s->in_handshake++;
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
|
||||
for (;;)
|
||||
{
|
||||
|
|
|
@ -55,6 +55,59 @@
|
|||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
|
|
|
@ -55,6 +55,59 @@
|
|||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <openssl/buffer.h>
|
||||
|
@ -112,8 +165,8 @@ int ssl23_accept(SSL *s)
|
|||
else if (s->ctx->info_callback != NULL)
|
||||
cb=s->ctx->info_callback;
|
||||
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
s->in_handshake++;
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
|
||||
for (;;)
|
||||
{
|
||||
|
@ -179,9 +232,9 @@ int ssl23_accept(SSL *s)
|
|||
}
|
||||
}
|
||||
end:
|
||||
s->in_handshake--;
|
||||
if (cb != NULL)
|
||||
cb(s,SSL_CB_ACCEPT_EXIT,ret);
|
||||
s->in_handshake--;
|
||||
return(ret);
|
||||
}
|
||||
|
||||
|
@ -352,16 +405,21 @@ int ssl23_get_client_hello(SSL *s)
|
|||
/* We must look at client_version inside the Client Hello message
|
||||
* to get the correct minor version.
|
||||
* However if we have only a pathologically small fragment of the
|
||||
* Client Hello message, this would be difficult, we'd have
|
||||
* to read at least one additional record to find out.
|
||||
* This doesn't usually happen in real life, so we just complain
|
||||
* for now.
|
||||
*/
|
||||
* Client Hello message, this would be difficult, and we'd have
|
||||
* to read more records to find out.
|
||||
* No known SSL 3.0 client fragments ClientHello like this,
|
||||
* so we simply assume TLS 1.0 to avoid protocol version downgrade
|
||||
* attacks. */
|
||||
if (p[3] == 0 && p[4] < 6)
|
||||
{
|
||||
#if 0
|
||||
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
|
||||
goto err;
|
||||
#else
|
||||
v[1] = TLS1_VERSION_MINOR;
|
||||
#endif
|
||||
}
|
||||
else
|
||||
v[1]=p[10]; /* minor version according to client_version */
|
||||
if (v[1] >= TLS1_VERSION_MINOR)
|
||||
{
|
||||
|
@ -376,11 +434,22 @@ int ssl23_get_client_hello(SSL *s)
|
|||
type=3;
|
||||
}
|
||||
}
|
||||
else if (!(s->options & SSL_OP_NO_SSLv3))
|
||||
else
|
||||
{
|
||||
/* client requests SSL 3.0 */
|
||||
if (!(s->options & SSL_OP_NO_SSLv3))
|
||||
{
|
||||
s->version=SSL3_VERSION;
|
||||
type=3;
|
||||
}
|
||||
else if (!(s->options & SSL_OP_NO_TLSv1))
|
||||
{
|
||||
/* we won't be able to use TLS of course,
|
||||
* but this will send an appropriate alert */
|
||||
s->version=TLS1_VERSION;
|
||||
type=3;
|
||||
}
|
||||
}
|
||||
}
|
||||
else if ((strncmp("GET ", (char *)p,4) == 0) ||
|
||||
(strncmp("POST ",(char *)p,5) == 0) ||
|
||||
|
|
107
ssl/s2_clnt.c
107
ssl/s2_clnt.c
|
@ -55,6 +55,59 @@
|
|||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
#include "ssl_locl.h"
|
||||
#ifndef NO_SSL2
|
||||
|
@ -118,8 +171,8 @@ int ssl2_connect(SSL *s)
|
|||
cb=s->ctx->info_callback;
|
||||
|
||||
/* init things to blank */
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
s->in_handshake++;
|
||||
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
|
||||
|
||||
for (;;)
|
||||
{
|
||||
|
@ -287,6 +340,7 @@ static int get_server_hello(SSL *s)
|
|||
unsigned char *buf;
|
||||
unsigned char *p;
|
||||
int i,j;
|
||||
unsigned long len;
|
||||
STACK_OF(SSL_CIPHER) *sk=NULL,*cl;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
|
@ -296,6 +350,7 @@ static int get_server_hello(SSL *s)
|
|||
i=ssl2_read(s,(char *)&(buf[s->init_num]),11-s->init_num);
|
||||
if (i < (11-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
|
||||
s->init_num = 11;
|
||||
|
||||
if (*(p++) != SSL2_MT_SERVER_HELLO)
|
||||
{
|
||||
|
@ -324,18 +379,22 @@ static int get_server_hello(SSL *s)
|
|||
n2s(p,i); s->s2->tmp.csl=i;
|
||||
n2s(p,i); s->s2->tmp.conn_id_length=i;
|
||||
s->state=SSL2_ST_GET_SERVER_HELLO_B;
|
||||
s->init_num=0;
|
||||
}
|
||||
|
||||
/* SSL2_ST_GET_SERVER_HELLO_B */
|
||||
j=s->s2->tmp.cert_length+s->s2->tmp.csl+s->s2->tmp.conn_id_length
|
||||
- s->init_num;
|
||||
len = 11 + (unsigned long)s->s2->tmp.cert_length + (unsigned long)s->s2->tmp.csl + (unsigned long)s->s2->tmp.conn_id_length;
|
||||
if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
|
||||
{
|
||||
SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_MESSAGE_TOO_LONG);
|
||||
return -1;
|
||||
}
|
||||
j = (int)len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(buf[s->init_num]),j);
|
||||
if (i != j) return(ssl2_part_read(s,SSL_F_GET_SERVER_HELLO,i));
|
||||
|
||||
/* things are looking good */
|
||||
|
||||
p=buf;
|
||||
p = buf + 11;
|
||||
if (s->hit)
|
||||
{
|
||||
if (s->s2->tmp.cert_length != 0)
|
||||
|
@ -645,11 +704,10 @@ static int client_certificate(SSL *s)
|
|||
unsigned char *p,*d;
|
||||
int i;
|
||||
unsigned int n;
|
||||
int cert_ch_len=0;
|
||||
int cert_ch_len;
|
||||
unsigned char *cert_ch;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
cert_ch= &(buf[2]);
|
||||
|
||||
/* We have a cert associated with the SSL, so attach it to
|
||||
* the session if it does not have one */
|
||||
|
@ -660,6 +718,7 @@ static int client_certificate(SSL *s)
|
|||
SSL2_MAX_CERT_CHALLENGE_LENGTH+1-s->init_num);
|
||||
if (i<(SSL2_MIN_CERT_CHALLENGE_LENGTH+1-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_CLIENT_CERTIFICATE,i));
|
||||
s->init_num += i;
|
||||
|
||||
/* type=buf[0]; */
|
||||
/* type eq x509 */
|
||||
|
@ -669,7 +728,6 @@ static int client_certificate(SSL *s)
|
|||
SSLerr(SSL_F_CLIENT_CERTIFICATE,SSL_R_BAD_AUTHENTICATION_TYPE);
|
||||
return(-1);
|
||||
}
|
||||
cert_ch_len=i-1;
|
||||
|
||||
if ((s->cert == NULL) ||
|
||||
(s->cert->key->x509 == NULL) ||
|
||||
|
@ -681,6 +739,9 @@ static int client_certificate(SSL *s)
|
|||
s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_C;
|
||||
}
|
||||
|
||||
cert_ch = buf + 2;
|
||||
cert_ch_len = s->init_num - 2;
|
||||
|
||||
if (s->state == SSL2_ST_X509_GET_CLIENT_CERTIFICATE)
|
||||
{
|
||||
X509 *x509=NULL;
|
||||
|
@ -786,7 +847,7 @@ static int client_certificate(SSL *s)
|
|||
static int get_server_verify(SSL *s)
|
||||
{
|
||||
unsigned char *p;
|
||||
int i;
|
||||
int i, n, len;
|
||||
|
||||
p=(unsigned char *)s->init_buf->data;
|
||||
if (s->state == SSL2_ST_GET_SERVER_VERIFY_A)
|
||||
|
@ -794,9 +855,9 @@ static int get_server_verify(SSL *s)
|
|||
i=ssl2_read(s,(char *)&(p[s->init_num]),1-s->init_num);
|
||||
if (i < (1-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
|
||||
s->init_num += i;
|
||||
|
||||
s->state= SSL2_ST_GET_SERVER_VERIFY_B;
|
||||
s->init_num=0;
|
||||
if (*p != SSL2_MT_SERVER_VERIFY)
|
||||
{
|
||||
if (p[0] != SSL2_MT_ERROR)
|
||||
|
@ -813,10 +874,13 @@ static int get_server_verify(SSL *s)
|
|||
}
|
||||
|
||||
p=(unsigned char *)s->init_buf->data;
|
||||
i=ssl2_read(s,(char *)&(p[s->init_num]),
|
||||
(unsigned int)s->s2->challenge_length-s->init_num);
|
||||
if (i < ((int)s->s2->challenge_length-s->init_num))
|
||||
len = 1 + s->s2->challenge_length;
|
||||
n = len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(p[s->init_num]),n);
|
||||
if (i < n)
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_VERIFY,i));
|
||||
p += 1;
|
||||
|
||||
if (memcmp(p,s->s2->challenge,(unsigned int)s->s2->challenge_length) != 0)
|
||||
{
|
||||
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
|
||||
|
@ -830,7 +894,7 @@ static int get_server_finished(SSL *s)
|
|||
{
|
||||
unsigned char *buf;
|
||||
unsigned char *p;
|
||||
int i;
|
||||
int i, n, len;
|
||||
|
||||
buf=(unsigned char *)s->init_buf->data;
|
||||
p=buf;
|
||||
|
@ -839,7 +903,8 @@ static int get_server_finished(SSL *s)
|
|||
i=ssl2_read(s,(char *)&(buf[s->init_num]),1-s->init_num);
|
||||
if (i < (1-s->init_num))
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
|
||||
s->init_num=i;
|
||||
s->init_num += i;
|
||||
|
||||
if (*p == SSL2_MT_REQUEST_CERTIFICATE)
|
||||
{
|
||||
s->state=SSL2_ST_SEND_CLIENT_CERTIFICATE_A;
|
||||
|
@ -856,14 +921,15 @@ static int get_server_finished(SSL *s)
|
|||
SSLerr(SSL_F_GET_SERVER_FINISHED,SSL_R_PEER_ERROR);
|
||||
return(-1);
|
||||
}
|
||||
s->state=SSL_ST_OK;
|
||||
s->init_num=0;
|
||||
s->state=SSL2_ST_GET_SERVER_FINISHED_B;
|
||||
}
|
||||
|
||||
i=ssl2_read(s,(char *)&(buf[s->init_num]),
|
||||
SSL2_SSL_SESSION_ID_LENGTH-s->init_num);
|
||||
if (i < (SSL2_SSL_SESSION_ID_LENGTH-s->init_num))
|
||||
len = 1 + SSL2_SSL_SESSION_ID_LENGTH;
|
||||
n = len - s->init_num;
|
||||
i = ssl2_read(s,(char *)&(buf[s->init_num]), n);
|
||||
if (i < n) /* XXX could be shorter than SSL2_SSL_SESSION_ID_LENGTH, that's the maximum */
|
||||
return(ssl2_part_read(s,SSL_F_GET_SERVER_FINISHED,i));
|
||||
s->init_num += i;
|
||||
|
||||
if (!s->hit) /* new session */
|
||||
{
|
||||
|
@ -887,6 +953,7 @@ static int get_server_finished(SSL *s)
|
|||
}
|
||||
}
|
||||
}
|
||||
s->state = SSL_ST_OK;
|
||||
return(1);
|
||||
}
|
||||
|
||||
|
|
|
@ -111,8 +111,8 @@ err:
|
|||
}
|
||||
|
||||
/* read/writes from s->s2->mac_data using length for encrypt and
|
||||
* decrypt. It sets the s->s2->padding, s->[rw]length and
|
||||
* s->s2->pad_data ptr if we are encrypting */
|
||||
* decrypt. It sets s->s2->padding and s->[rw]length
|
||||
* if we are encrypting */
|
||||
void ssl2_enc(SSL *s, int send)
|
||||
{
|
||||
EVP_CIPHER_CTX *ds;
|
||||
|
|
57
ssl/s2_pkt.c
57
ssl/s2_pkt.c
|
@ -56,7 +56,7 @@
|
|||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
|
||||
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
|
@ -130,7 +130,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
|
|||
unsigned char mac[MAX_MAC_SIZE];
|
||||
unsigned char *p;
|
||||
int i;
|
||||
unsigned int mac_size=0;
|
||||
unsigned int mac_size;
|
||||
|
||||
ssl2_read_again:
|
||||
if (SSL_in_init(s) && !s->in_handshake)
|
||||
|
@ -235,17 +235,25 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
|
|||
/* Data portion */
|
||||
if (s->s2->clear_text)
|
||||
{
|
||||
mac_size = 0;
|
||||
s->s2->mac_data=p;
|
||||
s->s2->ract_data=p;
|
||||
s->s2->pad_data=NULL;
|
||||
if (s->s2->padding)
|
||||
{
|
||||
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
|
||||
return(-1);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
mac_size=EVP_MD_size(s->read_hash);
|
||||
s->s2->mac_data=p;
|
||||
s->s2->ract_data= &p[mac_size];
|
||||
s->s2->pad_data= &p[mac_size+
|
||||
s->s2->rlength-s->s2->padding];
|
||||
if (s->s2->padding + mac_size > s->s2->rlength)
|
||||
{
|
||||
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_ILLEGAL_PADDING);
|
||||
return(-1);
|
||||
}
|
||||
}
|
||||
|
||||
s->s2->ract_data_length=s->s2->rlength;
|
||||
|
@ -593,10 +601,8 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len)
|
|||
s->s2->wact_data= &(s->s2->wbuf[3+mac_size]);
|
||||
/* we copy the data into s->s2->wbuf */
|
||||
memcpy(s->s2->wact_data,buf,len);
|
||||
#ifdef PURIFY
|
||||
if (p)
|
||||
memset(&(s->s2->wact_data[len]),0,p);
|
||||
#endif
|
||||
memset(&(s->s2->wact_data[len]),0,p); /* arbitrary padding */
|
||||
|
||||
if (!s->s2->clear_text)
|
||||
{
|
||||
|
@ -645,27 +651,36 @@ int ssl2_part_read(SSL *s, unsigned long f, int i)
|
|||
unsigned char *p;
|
||||
int j;
|
||||
|
||||
/* check for error */
|
||||
if ((s->init_num == 0) && (i >= 3))
|
||||
if (i < 0)
|
||||
{
|
||||
/* ssl2_return_error(s); */
|
||||
/* for non-blocking io,
|
||||
* this is not necessarily fatal */
|
||||
return(i);
|
||||
}
|
||||
else
|
||||
{
|
||||
s->init_num+=i;
|
||||
|
||||
/* Check for error. While there are recoverable errors,
|
||||
* this function is not called when those must be expected;
|
||||
* any error detected here is fatal. */
|
||||
if (s->init_num >= 3)
|
||||
{
|
||||
p=(unsigned char *)s->init_buf->data;
|
||||
if (p[0] == SSL2_MT_ERROR)
|
||||
{
|
||||
j=(p[1]<<8)|p[2];
|
||||
SSLerr((int)f,ssl_mt_error(j));
|
||||
s->init_num -= 3;
|
||||
if (s->init_num > 0)
|
||||
memmove(p, p+3, s->init_num);
|
||||
}
|
||||
}
|
||||
|
||||
if (i < 0)
|
||||
{
|
||||
/* ssl2_return_error(s); */
|
||||
/* for non-blocking io,
|
||||
* this is not fatal */
|
||||
return(i);
|
||||
}
|
||||
else
|
||||
{
|
||||
s->init_num+=i;
|
||||
/* If it's not an error message, we have some error anyway --
|
||||
* the message was shorter than expected. This too is treated
|
||||
* as fatal (at least if SSL_get_error is asked for its opinion). */
|
||||
return(0);
|
||||
}
|
||||
}
|
||||
|
@ -676,7 +691,9 @@ int ssl2_do_write(SSL *s)
|
|||
|
||||
ret=ssl2_write(s,&s->init_buf->data[s->init_off],s->init_num);
|
||||
if (ret == s->init_num)
|
||||
{
|
||||
return(1);
|
||||
}
|
||||
if (ret < 0)
|
||||
return(-1);
|
||||
s->init_off+=ret;
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue