From emilia at openssl.org Wed Apr 1 20:33:23 2015 From: emilia at openssl.org (Emilia Kasper) Date: Wed, 01 Apr 2015 20:33:23 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1427920403.950249.22864.nullmailer@dev.openssl.org> The branch master has been updated via 11305038e904cdebd1c8882f6f508fe0dd14e349 (commit) from 0f2596ac547a4c198deaa3c51ecfc565c627b7af (commit) - Log ----------------------------------------------------------------- commit 11305038e904cdebd1c8882f6f508fe0dd14e349 Author: Emilia Kasper Date: Wed Apr 1 16:19:47 2015 +0200 make update Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/asn1/Makefile | 46 +++---- crypto/evp/Makefile | 3 +- crypto/x509v3/Makefile | 4 +- ssl/Makefile | 341 ++++++++++++++++++++++++++++++++----------------- test/Makefile | 27 ++-- 5 files changed, 261 insertions(+), 160 deletions(-)
diff --git a/crypto/asn1/Makefile b/crypto/asn1/Makefile
index ff5e3ba..2187b04 100644
--- a/crypto/asn1/Makefile
+++ b/crypto/asn1/Makefile
@@ -101,11 +101,12 @@ a_bitstr.o: ../../include/openssl/opensslconf.h a_bitstr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_bitstr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_bitstr.o: ../../include/openssl/symhacks.h ../cryptlib.h a_bitstr.c +a_bitstr.o: asn1_locl.h a_d2i_fp.o: ../../e_os.h ../../include/openssl/asn1.h -a_d2i_fp.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h -a_d2i_fp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -a_d2i_fp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -a_d2i_fp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +a_d2i_fp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +a_d2i_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +a_d2i_fp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +a_d2i_fp.o: ../../include/openssl/opensslconf.h a_d2i_fp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_d2i_fp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_d2i_fp.o: ../../include/openssl/symhacks.h ../cryptlib.h a_d2i_fp.c @@ -160,7 +161,7 @@ a_int.o: ../../include/openssl/err.h ../../include/openssl/lhash.h a_int.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h a_int.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h a_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -a_int.o: ../cryptlib.h a_int.c +a_int.o: ../cryptlib.h a_int.c asn1_locl.h a_mbstr.o: ../../e_os.h ../../include/openssl/asn1.h a_mbstr.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h a_mbstr.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h 
@@ -178,7 +179,7 @@ a_object.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h a_object.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_object.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h a_object.o: ../../include/openssl/symhacks.h ../cryptlib.h -a_object.o: ../include/internal/asn1_int.h a_object.c +a_object.o: ../include/internal/asn1_int.h a_object.c asn1_locl.h a_octet.o: ../../e_os.h ../../include/openssl/asn1.h a_octet.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h a_octet.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -246,7 +247,7 @@ a_type.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h a_type.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h a_type.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h a_type.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h -a_type.o: ../../include/openssl/symhacks.h ../cryptlib.h a_type.c +a_type.o: ../../include/openssl/symhacks.h ../cryptlib.h a_type.c asn1_locl.h a_utctm.o: ../../e_os.h ../../include/openssl/asn1.h a_utctm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h a_utctm.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -420,7 +421,7 @@ d2i_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h d2i_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h d2i_pu.o: ../cryptlib.h d2i_pu.c evp_asn1.o: ../../e_os.h ../../include/openssl/asn1.h -evp_asn1.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h +evp_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h evp_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h evp_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h evp_asn1.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h 
@@ -474,19 +475,19 @@ i2d_pu.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h i2d_pu.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h i2d_pu.o: ../cryptlib.h i2d_pu.c n_pkey.o: ../../e_os.h ../../include/openssl/asn1.h -n_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/asn1t.h -n_pkey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -n_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -n_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -n_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -n_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -n_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -n_pkey.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -n_pkey.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -n_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -n_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -n_pkey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -n_pkey.o: ../../include/openssl/x509_vfy.h ../cryptlib.h n_pkey.c +n_pkey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h +n_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +n_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +n_pkey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +n_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h +n_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +n_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +n_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h +n_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +n_pkey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +n_pkey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +n_pkey.o: 
../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +n_pkey.o: ../cryptlib.h n_pkey.c nsseq.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h nsseq.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h nsseq.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -780,8 +781,7 @@ x_nx509.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h x_nx509.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x_nx509.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h x_nx509.o: ../../include/openssl/x509_vfy.h x_nx509.c -x_pkey.o: ../../e_os.h ../../include/openssl/asn1.h -x_pkey.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h +x_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h x_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h x_pkey.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h x_pkey.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile index c523a6d..d425166 100644 --- a/crypto/evp/Makefile +++ b/crypto/evp/Makefile @@ -637,8 +637,7 @@ p_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h p_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_enc.c -p_lib.o: ../../e_os.h ../../include/openssl/asn1.h -p_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h +p_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index 30c1ede..24bb60b 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile 
@@ -524,8 +524,8 @@ v3_scts.o: ../../include/openssl/ssl2.h ../../include/openssl/ssl23.h v3_scts.o: ../../include/openssl/ssl3.h ../../include/openssl/stack.h v3_scts.o: ../../include/openssl/symhacks.h ../../include/openssl/tls1.h v3_scts.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -v3_scts.o: ../../include/openssl/x509v3.h ../../ssl/ssl_locl.h ../cryptlib.h -v3_scts.o: v3_scts.c +v3_scts.o: ../../include/openssl/x509v3.h ../../ssl/record/record.h +v3_scts.o: ../../ssl/ssl_locl.h ../cryptlib.h v3_scts.c v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h diff --git a/ssl/Makefile b/ssl/Makefile index 4168306..07a4f29 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -112,7 +112,7 @@ bio_ssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h bio_ssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h bio_ssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h bio_ssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bio_ssl.c -bio_ssl.o: ssl_locl.h +bio_ssl.o: record/record.h ssl_locl.h d1_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h d1_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -132,7 +132,7 @@ d1_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h d1_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h d1_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h d1_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h -d1_both.o: ../include/openssl/x509_vfy.h d1_both.c ssl_locl.h +d1_both.o: ../include/openssl/x509_vfy.h d1_both.c record/record.h ssl_locl.h d1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h d1_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -154,7 +154,7 @@ d1_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h d1_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_clnt.c -d1_clnt.o: kssl_lcl.h ssl_locl.h +d1_clnt.o: kssl_lcl.h record/record.h ssl_locl.h d1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h d1_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -174,7 +174,7 @@ d1_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h d1_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_lib.c -d1_lib.o: ssl_locl.h +d1_lib.o: record/record.h ssl_locl.h d1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h d1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -194,27 +194,27 @@ d1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h d1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_meth.c -d1_meth.o: ssl_locl.h -d1_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -d1_pkt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -d1_pkt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -d1_pkt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -d1_pkt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -d1_pkt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -d1_pkt.o: ../include/openssl/evp.h ../include/openssl/hmac.h -d1_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -d1_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -d1_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -d1_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -d1_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -d1_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -d1_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -d1_pkt.o: ../include/openssl/sha.h ../include/openssl/srtp.h -d1_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -d1_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -d1_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -d1_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -d1_pkt.o: ../include/openssl/x509_vfy.h d1_pkt.c ssl_locl.h +d1_meth.o: record/record.h ssl_locl.h +d1_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +d1_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h +d1_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +d1_msg.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +d1_msg.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +d1_msg.o: 
../include/openssl/ecdsa.h ../include/openssl/err.h +d1_msg.o: ../include/openssl/evp.h ../include/openssl/hmac.h +d1_msg.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +d1_msg.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +d1_msg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +d1_msg.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +d1_msg.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +d1_msg.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +d1_msg.o: ../include/openssl/safestack.h ../include/openssl/sha.h +d1_msg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +d1_msg.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +d1_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +d1_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +d1_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_msg.c +d1_msg.o: record/record.h ssl_locl.h d1_srtp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_srtp.o: ../include/openssl/buffer.h ../include/openssl/comp.h d1_srtp.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -234,7 +234,7 @@ d1_srtp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h d1_srtp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_srtp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_srtp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srtp.c -d1_srtp.o: ssl_locl.h +d1_srtp.o: record/record.h ssl_locl.h d1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h d1_srvr.o: ../include/openssl/bn.h ../include/openssl/buffer.h d1_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h 
@@ -256,7 +256,28 @@ d1_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c -d1_srvr.o: ssl_locl.h +d1_srvr.o: record/record.h ssl_locl.h +dtls1_bitmap.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +dtls1_bitmap.o: ../include/openssl/buffer.h ../include/openssl/comp.h +dtls1_bitmap.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +dtls1_bitmap.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +dtls1_bitmap.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +dtls1_bitmap.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +dtls1_bitmap.o: ../include/openssl/evp.h ../include/openssl/hmac.h +dtls1_bitmap.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +dtls1_bitmap.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dtls1_bitmap.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +dtls1_bitmap.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +dtls1_bitmap.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +dtls1_bitmap.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +dtls1_bitmap.o: ../include/openssl/safestack.h ../include/openssl/sha.h +dtls1_bitmap.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +dtls1_bitmap.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +dtls1_bitmap.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +dtls1_bitmap.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +dtls1_bitmap.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +dtls1_bitmap.o: dtls1_bitmap.c record/../record/record.h record/../ssl_locl.h +dtls1_bitmap.o: record/dtls1_bitmap.c record/record_locl.h kssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h kssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h kssl.o: 
../include/openssl/crypto.h ../include/openssl/dtls1.h 
@@ -276,6 +297,71 @@ kssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h kssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h kssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl.c kssl.o: kssl_lcl.h +rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +rec_layer_d1.o: ../include/openssl/buffer.h ../include/openssl/comp.h +rec_layer_d1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +rec_layer_d1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +rec_layer_d1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +rec_layer_d1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +rec_layer_d1.o: ../include/openssl/evp.h ../include/openssl/hmac.h +rec_layer_d1.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +rec_layer_d1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +rec_layer_d1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rec_layer_d1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +rec_layer_d1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +rec_layer_d1.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +rec_layer_d1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +rec_layer_d1.o: ../include/openssl/sha.h ../include/openssl/srtp.h +rec_layer_d1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +rec_layer_d1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +rec_layer_d1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +rec_layer_d1.o: ../include/openssl/tls1.h ../include/openssl/x509.h +rec_layer_d1.o: ../include/openssl/x509_vfy.h rec_layer_d1.c +rec_layer_d1.o: record/../record/record.h record/../ssl_locl.h +rec_layer_d1.o: record/rec_layer_d1.c record/record_locl.h +rec_layer_s23.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +rec_layer_s23.o: ../include/openssl/buffer.h ../include/openssl/comp.h +rec_layer_s23.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
+rec_layer_s23.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +rec_layer_s23.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +rec_layer_s23.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +rec_layer_s23.o: ../include/openssl/evp.h ../include/openssl/hmac.h +rec_layer_s23.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +rec_layer_s23.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +rec_layer_s23.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +rec_layer_s23.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +rec_layer_s23.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +rec_layer_s23.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +rec_layer_s23.o: ../include/openssl/safestack.h ../include/openssl/sha.h +rec_layer_s23.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +rec_layer_s23.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +rec_layer_s23.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +rec_layer_s23.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +rec_layer_s23.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +rec_layer_s23.o: rec_layer_s23.c record/../record/record.h record/../ssl_locl.h +rec_layer_s23.o: record/rec_layer_s23.c +rec_layer_s3.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +rec_layer_s3.o: ../include/openssl/buffer.h ../include/openssl/comp.h +rec_layer_s3.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +rec_layer_s3.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +rec_layer_s3.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +rec_layer_s3.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +rec_layer_s3.o: ../include/openssl/evp.h ../include/openssl/hmac.h +rec_layer_s3.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +rec_layer_s3.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +rec_layer_s3.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h 
+rec_layer_s3.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +rec_layer_s3.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +rec_layer_s3.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +rec_layer_s3.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +rec_layer_s3.o: ../include/openssl/sha.h ../include/openssl/srtp.h +rec_layer_s3.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +rec_layer_s3.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +rec_layer_s3.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +rec_layer_s3.o: ../include/openssl/tls1.h ../include/openssl/x509.h +rec_layer_s3.o: ../include/openssl/x509_vfy.h rec_layer_s3.c +rec_layer_s3.o: record/../record/record.h record/../ssl_locl.h +rec_layer_s3.o: record/rec_layer_s3.c record/record_locl.h s23_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s23_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h s23_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -295,7 +381,7 @@ s23_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s23_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s23_clnt.o: ../include/openssl/x509_vfy.h s23_clnt.c ssl_locl.h +s23_clnt.o: ../include/openssl/x509_vfy.h record/record.h s23_clnt.c ssl_locl.h s23_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s23_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h s23_lib.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -314,8 +400,8 @@ s23_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h s23_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s23_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s23_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_lib.c -s23_lib.o: ssl_locl.h +s23_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s23_lib.o: record/record.h s23_lib.c ssl_locl.h s23_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s23_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h s23_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -334,28 +420,8 @@ s23_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h s23_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s23_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s23_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_meth.c -s23_meth.o: ssl_locl.h -s23_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s23_pkt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s23_pkt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -s23_pkt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s23_pkt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s23_pkt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s23_pkt.o: ../include/openssl/evp.h ../include/openssl/hmac.h -s23_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s23_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s23_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s23_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s23_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s23_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -s23_pkt.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s23_pkt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -s23_pkt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s23_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s23_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s23_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s23_pkt.c -s23_pkt.o: ssl_locl.h +s23_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s23_meth.o: record/record.h s23_meth.c ssl_locl.h s23_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s23_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h s23_srvr.o: ../include/openssl/crypto.h 
../include/openssl/dsa.h @@ -375,7 +441,7 @@ s23_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s23_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s23_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s23_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s23_srvr.o: ../include/openssl/x509_vfy.h s23_srvr.c ssl_locl.h +s23_srvr.o: ../include/openssl/x509_vfy.h record/record.h s23_srvr.c ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -395,7 +461,7 @@ s3_both.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h +s3_both.o: ../include/openssl/x509_vfy.h record/record.h s3_both.c ssl_locl.h s3_cbc.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h s3_cbc.o: ../include/openssl/bio.h ../include/openssl/buffer.h s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -415,8 +481,8 @@ s3_cbc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h s3_cbc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_cbc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_cbc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_cbc.c -s3_cbc.o: ssl_locl.h +s3_cbc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s3_cbc.o: record/record.h s3_cbc.c ssl_locl.h s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h 
@@ -438,7 +504,8 @@ s3_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h s3_clnt.c ssl_locl.h +s3_clnt.o: ../include/openssl/x509_vfy.h kssl_lcl.h record/record.h s3_clnt.c +s3_clnt.o: ssl_locl.h s3_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -458,7 +525,7 @@ s3_enc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s3_enc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s3_enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_enc.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_enc.o: ../include/openssl/x509_vfy.h s3_enc.c ssl_locl.h +s3_enc.o: ../include/openssl/x509_vfy.h record/record.h s3_enc.c ssl_locl.h s3_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_lib.o: ../include/openssl/crypto.h ../include/openssl/dh.h @@ -479,7 +546,7 @@ s3_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h -s3_lib.o: s3_lib.c ssl_locl.h +s3_lib.o: record/record.h s3_lib.c ssl_locl.h s3_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -498,28 +565,28 @@ s3_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h s3_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_meth.c -s3_meth.o: ssl_locl.h -s3_pkt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s3_pkt.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s3_pkt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -s3_pkt.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s3_pkt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s3_pkt.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s3_pkt.o: ../include/openssl/evp.h ../include/openssl/hmac.h -s3_pkt.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s3_pkt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s3_pkt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s3_pkt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s3_pkt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s3_pkt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s3_pkt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s3_pkt.o: ../include/openssl/sha.h ../include/openssl/srtp.h -s3_pkt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s3_pkt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s3_pkt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s3_pkt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s3_pkt.o: ../include/openssl/x509_vfy.h s3_pkt.c ssl_locl.h +s3_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s3_meth.o: record/record.h s3_meth.c ssl_locl.h +s3_msg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s3_msg.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s3_msg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
+s3_msg.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s3_msg.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s3_msg.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +s3_msg.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s3_msg.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s3_msg.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +s3_msg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +s3_msg.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +s3_msg.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +s3_msg.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +s3_msg.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s3_msg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s3_msg.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s3_msg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s3_msg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s3_msg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s3_msg.o: record/record.h s3_msg.c ssl_locl.h s3_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h s3_srvr.o: ../include/openssl/bio.h ../include/openssl/bn.h s3_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h 
@@ -542,7 +609,51 @@ s3_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl_lcl.h -s3_srvr.o: s3_srvr.c ssl_locl.h +s3_srvr.o: record/record.h s3_srvr.c ssl_locl.h +ssl3_buffer.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ssl3_buffer.o: ../include/openssl/buffer.h ../include/openssl/comp.h +ssl3_buffer.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +ssl3_buffer.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +ssl3_buffer.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ssl3_buffer.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +ssl3_buffer.o: ../include/openssl/evp.h ../include/openssl/hmac.h +ssl3_buffer.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl3_buffer.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl3_buffer.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl3_buffer.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl3_buffer.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl3_buffer.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +ssl3_buffer.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ssl3_buffer.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +ssl3_buffer.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ssl3_buffer.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ssl3_buffer.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ssl3_buffer.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl3_buffer.o: record/../record/record.h record/../ssl_locl.h +ssl3_buffer.o: record/record_locl.h record/ssl3_buffer.c ssl3_buffer.c +ssl3_record.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +ssl3_record.o: ../include/openssl/buffer.h ../include/openssl/comp.h 
+ssl3_record.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +ssl3_record.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +ssl3_record.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +ssl3_record.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +ssl3_record.o: ../include/openssl/evp.h ../include/openssl/hmac.h +ssl3_record.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +ssl3_record.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +ssl3_record.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +ssl3_record.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +ssl3_record.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +ssl3_record.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +ssl3_record.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +ssl3_record.o: ../include/openssl/sha.h ../include/openssl/srtp.h +ssl3_record.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl3_record.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl3_record.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl3_record.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl3_record.o: ../include/openssl/x509_vfy.h +ssl3_record.o: record/../../crypto/constant_time_locl.h +ssl3_record.o: record/../record/record.h record/../ssl_locl.h +ssl3_record.o: record/record_locl.h record/ssl3_record.c ssl3_record.c ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_algs.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_algs.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -561,8 +672,8 @@ ssl_algs.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_algs.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_algs.c -ssl_algs.o: ssl_locl.h +ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_algs.o: record/record.h ssl_algs.c ssl_locl.h ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1_mac.h ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/buffer.h ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -582,7 +693,7 @@ ssl_asn1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_asn1.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_asn1.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_asn1.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_asn1.o: ../include/openssl/x509_vfy.h ssl_asn1.c ssl_locl.h +ssl_asn1.o: ../include/openssl/x509_vfy.h record/record.h ssl_asn1.c ssl_locl.h ssl_cert.o: ../crypto/o_dir.h ../e_os.h ../include/openssl/asn1.h ssl_cert.o: ../include/openssl/bio.h ../include/openssl/bn.h ssl_cert.o: ../include/openssl/buffer.h ../include/openssl/comp.h @@ -604,7 +715,7 @@ ssl_cert.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_cert.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_cert.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_cert.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ssl_cert.o: ../include/openssl/x509v3.h ssl_cert.c ssl_locl.h +ssl_cert.o: ../include/openssl/x509v3.h record/record.h ssl_cert.c ssl_locl.h ssl_ciph.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_ciph.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_ciph.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -624,7 +735,7 @@ ssl_ciph.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h ssl_ciph.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_ciph.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_ciph.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl_ciph.o: ../include/openssl/x509_vfy.h ssl_ciph.c ssl_locl.h +ssl_ciph.o: ../include/openssl/x509_vfy.h record/record.h ssl_ciph.c ssl_locl.h ssl_conf.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_conf.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_conf.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -644,8 +755,8 @@ ssl_conf.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_conf.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_conf.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_conf.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_conf.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_conf.c -ssl_conf.o: ssl_locl.h +ssl_conf.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_conf.o: record/record.h ssl_conf.c ssl_locl.h ssl_err.o: ../include/openssl/asn1.h ../include/openssl/bio.h ssl_err.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_err.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h @@ -704,7 +815,7 @@ ssl_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ssl_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ssl_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h ssl_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h kssl_lcl.h -ssl_lib.o: ssl_lib.c ssl_locl.h +ssl_lib.o: record/record.h ssl_lib.c ssl_locl.h ssl_rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_rsa.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_rsa.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -723,8 +834,8 @@ ssl_rsa.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_rsa.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_rsa.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_rsa.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_rsa.o: ssl_rsa.c +ssl_rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_rsa.o: record/record.h ssl_locl.h ssl_rsa.c ssl_sess.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_sess.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_sess.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -744,8 +855,8 @@ ssl_sess.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_sess.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_sess.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_sess.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_sess.o: ssl_sess.c +ssl_sess.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_sess.o: record/record.h ssl_locl.h ssl_sess.c ssl_stat.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_stat.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_stat.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -764,8 +875,8 @@ ssl_stat.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_stat.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_stat.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_stat.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_stat.o: ssl_stat.c +ssl_stat.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_stat.o: record/record.h ssl_locl.h ssl_stat.c ssl_txt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_txt.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_txt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -784,8 +895,8 @@ ssl_txt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_txt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_txt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_txt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_txt.o: ssl_txt.c +ssl_txt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_txt.o: record/record.h ssl_locl.h ssl_txt.c ssl_utst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_utst.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_utst.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -804,8 +915,8 @@ ssl_utst.o: ../include/openssl/srtp.h ../include/openssl/ssl.h ssl_utst.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssl_utst.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_utst.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_utst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -ssl_utst.o: ssl_utst.c +ssl_utst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ssl_utst.o: record/record.h ssl_locl.h ssl_utst.c t1_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_clnt.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_clnt.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -825,7 +936,7 @@ t1_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h t1_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h t1_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_clnt.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_clnt.c +t1_clnt.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_clnt.c t1_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -845,8 +956,8 @@ t1_enc.o: ../include/openssl/srtp.h ../include/openssl/ssl.h t1_enc.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_enc.o: t1_enc.c +t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +t1_enc.o: record/record.h ssl_locl.h t1_enc.c t1_ext.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_ext.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_ext.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -865,8 +976,8 @@ t1_ext.o: ../include/openssl/srtp.h ../include/openssl/ssl.h t1_ext.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_ext.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_ext.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_ext.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_ext.o: t1_ext.c +t1_ext.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +t1_ext.o: record/record.h ssl_locl.h t1_ext.c t1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h t1_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h 
@@ -888,8 +999,8 @@ t1_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h t1_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h t1_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h ssl_locl.h -t1_lib.o: t1_lib.c +t1_lib.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h +t1_lib.o: record/record.h ssl_locl.h t1_lib.c t1_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -908,8 +1019,8 @@ t1_meth.o: ../include/openssl/srtp.h ../include/openssl/ssl.h t1_meth.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_meth.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_meth.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_meth.o: t1_meth.c +t1_meth.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +t1_meth.o: record/record.h ssl_locl.h t1_meth.c t1_reneg.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_reneg.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_reneg.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -928,8 +1039,8 @@ t1_reneg.o: ../include/openssl/srtp.h ../include/openssl/ssl.h t1_reneg.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_reneg.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_reneg.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_reneg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_reneg.o: t1_reneg.c +t1_reneg.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +t1_reneg.o: record/record.h ssl_locl.h t1_reneg.c t1_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h @@ -949,7 +1060,7 @@ t1_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h t1_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c +t1_srvr.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h t1_srvr.c t1_trce.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h t1_trce.o: ../include/openssl/buffer.h ../include/openssl/comp.h t1_trce.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -968,8 +1079,8 @@ t1_trce.o: ../include/openssl/srtp.h ../include/openssl/ssl.h t1_trce.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h t1_trce.o: ../include/openssl/ssl3.h ../include/openssl/stack.h t1_trce.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -t1_trce.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h -t1_trce.o: t1_trce.c +t1_trce.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +t1_trce.o: record/record.h ssl_locl.h t1_trce.c tls_srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h tls_srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h tls_srp.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -990,4 +1101,4 @@ tls_srp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h tls_srp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h tls_srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h tls_srp.o: ../include/openssl/tls1.h ../include/openssl/x509.h -tls_srp.o: ../include/openssl/x509_vfy.h ssl_locl.h tls_srp.c +tls_srp.o: ../include/openssl/x509_vfy.h record/record.h ssl_locl.h tls_srp.c diff --git a/test/Makefile b/test/Makefile index 2e3efd8..851901b 100644 --- a/test/Makefile +++ b/test/Makefile @@ -708,8 +708,8 @@ heartbeat_test.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h heartbeat_test.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h heartbeat_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h heartbeat_test.o: ../include/openssl/tls1.h ../include/openssl/x509.h -heartbeat_test.o: ../include/openssl/x509_vfy.h ../ssl/ssl_locl.h -heartbeat_test.o: heartbeat_test.c testutil.h +heartbeat_test.o: ../include/openssl/x509_vfy.h ../ssl/record/record.h +heartbeat_test.o: ../ssl/ssl_locl.h heartbeat_test.c testutil.h hmactest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h hmactest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h hmactest.o: ../include/openssl/evp.h ../include/openssl/hmac.h 
@@ -725,16 +725,9 @@ igetest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h igetest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h igetest.o: ../include/openssl/rand.h ../include/openssl/safestack.h igetest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h igetest.c -jpaketest.o: ../include/openssl/buffer.h ../include/openssl/crypto.h -jpaketest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h -jpaketest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -jpaketest.o: ../include/openssl/safestack.h ../include/openssl/stack.h -jpaketest.o: ../include/openssl/symhacks.h jpaketest.c -md2test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h -md2test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h -md2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -md2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h -md2test.o: ../include/openssl/symhacks.h md2test.c +jpaketest.o: ../include/openssl/opensslconf.h jpaketest.c +md2test.o: ../e_os.h ../include/openssl/e_os2.h +md2test.o: ../include/openssl/opensslconf.h md2test.c md4test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h md4test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h md4test.o: ../include/openssl/evp.h ../include/openssl/md4.h 
@@ -778,11 +771,8 @@ rc2test.o: ../include/openssl/opensslconf.h ../include/openssl/rc2.h rc2test.c rc4test.o: ../e_os.h ../include/openssl/e_os2.h rc4test.o: ../include/openssl/opensslconf.h ../include/openssl/rc4.h rc4test.o: ../include/openssl/sha.h rc4test.c -rc5test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h -rc5test.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h -rc5test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rc5test.o: ../include/openssl/safestack.h ../include/openssl/stack.h -rc5test.o: ../include/openssl/symhacks.h rc5test.c +rc5test.o: ../e_os.h ../include/openssl/e_os2.h +rc5test.o: ../include/openssl/opensslconf.h rc5test.c rmdtest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rmdtest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h rmdtest.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h @@ -827,7 +817,8 @@ ssltest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h ssltest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ssltest.o: ../include/openssl/x509v3.h ../ssl/ssl_locl.h ssltest.c +ssltest.o: ../include/openssl/x509v3.h ../ssl/record/record.h ../ssl/ssl_locl.h +ssltest.o: ssltest.c testutil.o: testutil.c testutil.h v3nametest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h v3nametest.o: ../include/openssl/buffer.h ../include/openssl/conf.h From mark at openssl.org Thu Apr 2 06:33:30 2015 
From: mark at openssl.org (Mark J. Cox) Date: Thu, 02 Apr 2015 06:33:30 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1427956410.119948.3819.nullmailer@dev.openssl.org> The branch master has been updated via 59fbd633e29f9bf81f90a63d96c3a8152980bece (commit) from d36a327537cccbde097051add3bde356451ec16d (commit) - Log ----------------------------------------------------------------- commit 59fbd633e29f9bf81f90a63d96c3a8152980bece Author: Mark J. Cox Date: Thu Apr 2 07:32:56 2015 +0100 Note that although this was previously fixed as a bz, it was reported as having security consequences by Huzaifa and should be ack'd to him ----------------------------------------------------------------------- Summary of changes: news/vulnerabilities.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index 01d3ce5..2c907c9 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -358,7 +358,7 @@ Maliciously crafted base 64 data could trigger a segmenation fault or memory corruption. - + From appro at openssl.org Thu Apr 2 07:37:59 2015 
From: appro at openssl.org (Andy Polyakov) Date: Thu, 02 Apr 2015 07:37:59 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1427960279.349484.19097.nullmailer@dev.openssl.org> The branch master has been updated via 7b644df899d0c818488686affc0bfe2dfdd0d0c2 (commit) via 449e3f2601246e533a05ccf227375c1e15db2b55 (commit) from 11305038e904cdebd1c8882f6f508fe0dd14e349 (commit) - Log ----------------------------------------------------------------- commit 7b644df899d0c818488686affc0bfe2dfdd0d0c2 Author: Andy Polyakov Date: Mon Mar 30 16:48:38 2015 +0200 perlasm/arm-xlate.pl update (fix end-less loop and prepare for 32-bit iOS). Reviewed-by: Rich Salz commit 449e3f2601246e533a05ccf227375c1e15db2b55 Author: Andy Polyakov Date: Mon Mar 30 16:47:57 2015 +0200 Configure: android-arm facelift. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 53 ++++++++++++++++++++++++++++++-- crypto/perlasm/arm-xlate.pl | 73 ++++++++++++++++++++++++++++++--------------- include/openssl/rand.h | 3 ++ 3 files changed, 103 insertions(+), 26 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 7cd109c..ab269ba 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -740,10 +740,35 @@ }, #### Android: linux-* but without pointers to headers and libs. + # + # It takes pair of prior-set environment variables to make it work: + # + # CROSS_SYSROOT=/some/where/android-ndk-/platforms/android-/arch-< + # CROSS_COMPILE= + # + # As well as PATH adjusted to cover ${CROSS_COMPILE}gcc and company. + # For example to compile for ICS and ARM with NDK 10d, you'd: + # + # ANDROID_NDK=/some/where/android-ndk-10d + # CROSS_SYSROOT=$ANDROID_NDK/platforms/android-14/arch-arm + # CROSS_COMPILE=arm-linux-adroideabi- + # PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.8/prebuild/linux-x86_64/ + # "android" => { inherit_from => [ "linux-generic32" ], - cflags => "-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -Wall", + # Special note about unconditional -fPIC and -pie. The underlying + # reason is that Lollipop refuses to run non-PIE. But what about + # older systems and NDKs? -fPIC was never problem, so the only + # concern if -pie. Older toolchains, e.g. r4, appear to handle it + # and binaries turn mostly functional. "Mostly" means that oldest + # Androids, such as Froyo, fail to handle executable, but newer + # systems are perfectly capable of executing binaries targeting + # Froyo. Keep in mind that in the nutshell Android builds are + # about JNI, i.e. shared libraries, not applications. + cflags => "-mandroid -fPIC --sysroot=\$(CROSS_SYSROOT) -Wa,--noexecstack -Wall", debug_cflags => "-O0 -g", + lflags => "-pie%-ldl", + shared_cflag => "", }, "android-x86" => { inherit_from => [ "android", asm("x86_asm") ], 
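Review bot: The build example in the comment added above the `"android"` target spells the toolchain prefix `CROSS_COMPILE=arm-linux-adroideabi-`, which does not match the `arm-linux-androideabi-4.8` directory named on the PATH line just below it, so anyone copying the example gets a compiler lookup failure; it should read `# CROSS_COMPILE=arm-linux-androideabi-`. The same comment explains the unconditional `-fPIC` and `-pie` but says nothing about the other hardening flag the new `cflags` introduces. A line such as `# -Wa,--noexecstack marks objects from the assembler modules as not needing an executable stack` would keep it from being dropped in a later cleanup. The `prebuild` path component in the PATH example may be meant as `prebuilt`; worth confirming against an NDK tree.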
@@ -751,8 +776,32 @@ bn_ops => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}", perlasm_scheme => "android", }, - "android-armv7" => { + ################################################################ + # Contemporary Android applications can provide multiple JNI + # providers in .apk, targeting multiple architectures. Among + # them there is "place" for two ARM flavours: generic eabi and + # armv7-a/hard-float. However, it should be noted that OpenSSL's + # ability to engage NEON is not constrained by ABI choice, nor + # is your ability to call OpenSSL from your application code + # compiled with floating-point ABI other than default 'soft'. + # [Latter thanks to __attribute__((pcs("aapcs"))) declaration.] + # This means that choice of ARM libraries you provide in .apk + # is driven by application needs. For example if application + # itself benefits from NEON or is floating-point intensive, then + # it might be appropriate to provide both libraries. Otherwise + # just generic eabi would do. But in latter case it would be + # appropriate to + # + # ./Configure android-armeabi -D__ARM_MAX_ARCH__=8 + # + # in order to build "universal" binary and allow OpenSSL take + # advantage of NEON when it's available. + # + "android-armeabi" => { inherit_from => [ "android", asm("armv4_asm") ], + }, + "android-armv7" => { + inherit_from => [ "android-armeabi" ], cflags => sub { join (" ","-march=armv7-a", at _); }, }, "android-mips" => { diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl index fd185e9..22dc7e4 100755 --- a/crypto/perlasm/arm-xlate.pl +++ b/crypto/perlasm/arm-xlate.pl 
@@ -18,6 +18,32 @@ my $arch = sub { if ($flavour =~ /linux/) { ".arch\t".join(',', at _); } else { ""; } }; +my $fpu = sub { + if ($flavour =~ /linux/) { ".fpu\t".join(',', at _); } + else { ""; } +}; +my $hidden = sub { + if ($flavour =~ /ios/) { ".private_extern\t".join(',', at _); } + else { ".hidden\t".join(',', at _); } +}; +my $comm = sub { + my @args = split(/,\s*/,shift); + my $name = @args[0]; + my $global = \$GLOBALS{$name}; + my $ret; + + if ($flavour =~ /ios32/) { + $ret = ".comm\t_$name, at args[1]\n"; + $ret .= ".non_lazy_symbol_pointer\n"; + $ret .= "$name:\n"; + $ret .= ".indirect_symbol\t_$name\n"; + $ret .= ".long\t0"; + $name = "_$name"; + } else { $ret = ".comm\t".join(',', at args); } + + $$global = $name; + $ret; +}; my $globl = sub { my $name = shift; my $global = \$GLOBALS{$name}; 
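Review bot: In the new `$comm` handler, `my $name = @args[0];` takes a one-element array slice where a scalar element is meant; Perl warns about this under `-w`, and `my $name = $args[0];` says what is intended. The handler also assumes the directive carried both a name and a size: with a single operand the ios32 branch would emit `.comm` with an empty size field. A guard such as `die "malformed .comm" if @args < 2;` would make bad input fail at translation time rather than in the assembler. `$globl`, shown as context at the end of the hunk, continues outside it.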
@@ -64,44 +90,43 @@ sub range { join(",",map("$r$_$sfx",($start..$end))); } -sub parse_args { +sub expand_line { my $line = shift; my @ret = (); pos($line)=0; - while (1) { - if ($line =~ m/\G\[/gc) { - $line =~ m/\G([^\]]+\][^,]*)\s*/g; - push @ret,"[$1"; + while ($line =~ m/\G[^@\/\{\"]*/g) { + if ($line =~ m/\G(@|\/\/|$)/gc) { + last; } elsif ($line =~ m/\G\{/gc) { - $line =~ m/\G([^\}]+\}[^,]*)\s*/g; - my $arg = $1; - $arg =~ s/([rdqv])([0-9]+)([^\-]*)\-\1([0-9]+)\3/range($1,$3,$2,$4)/ge; - push @ret,"{$arg"; + my $saved_pos = pos($line); + $line =~ s/\G([rdqv])([0-9]+)([^\-]*)\-\1([0-9]+)\3/range($1,$3,$2,$4)/e; + pos($line) = $saved_pos; + $line =~ m/\G[^\}]*\}/g; } - elsif ($line =~ m/\G([^,]+)\s*/g) { - push @ret,$1; + elsif ($line =~ m/\G\"/gc) { + $line =~ m/\G[^\"]*\"/g; } - - last if ($line =~ m/\G$/gc); - - $line =~ m/\G,\s*/g; } - map {my $s=$_;$s=~s/\b(\w+)/$GLOBALS{$1} or $1/ge;$s} @ret; + $line =~ s/\b(\w+)/$GLOBALS{$1} or $1/ge; + + return $line; } while($line=<>) { + if ($line =~ m/^\s*(#|@|\/\/)/) { print $line; next; } + $line =~ s|/\*.*\*/||; # get rid of C-style comments... $line =~ s|^\s+||; # ... and skip white spaces in beginning... $line =~ s|\s+$||; # ... and at the end { - $line =~ s|[\b\.]L(\w+)|L$1|g; # common denominator for Locallabel - $line =~ s|\bL(\w+)|\.L$1|g if ($dotinlocallabels); + $line =~ s|[\b\.]L(\w{2,})|L$1|g; # common denominator for Locallabel + $line =~ s|\bL(\w{2,})|\.L$1|g if ($dotinlocallabels); } { 
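Review bot: `expand_line` can still spin forever on a malformed line: when a `{` or `"` is never closed, the inner `m/\G[^\}]*\}/g` (or `m/\G[^\"]*\"/g`) fails, and a failed `//g` match without `/c` resets `pos($line)` to the start, so the outer `while` rescans the same prefix indefinitely. Ending the scan on failure avoids that: `$line =~ m/\G[^\}]*\}/g or last;` and `$line =~ m/\G[^\"]*\"/g or last;`. The input is the project's own assembly, so this is a build-robustness issue rather than an exposure, but it is the same class of hang the commit sets out to remove. The context line `my @ret = ();` is also unused now that the function returns `$line`.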
@@ -112,24 +137,24 @@ while($line=<>) { } } - if ($line !~ m/^#/o) { - $line =~ s|^\s*(\.?)(\S+)\s*||o; + if ($line !~ m/^[#@]/) { + $line =~ s|^\s*(\.?)(\S+)\s*||; my $c = $1; $c = "\t" if ($c eq ""); my $mnemonic = $2; my $opcode; - if ($mnemonic =~ m/([^\.]+)\.([^\.]+)/o) { + if ($mnemonic =~ m/([^\.]+)\.([^\.]+)/) { $opcode = eval("\$$1_$2"); } else { $opcode = eval("\$$mnemonic"); } - my @args=parse_args($line); + my $arg=expand_line($line); if (ref($opcode) eq 'CODE') { - $line = &$opcode(@args); + $line = &$opcode($arg); } elsif ($mnemonic) { $line = $c.$mnemonic; - $line.= "\t".join(',', at args) if ($#args>=0); + $line.= "\t$arg" if ($arg); } } diff --git a/include/openssl/rand.h b/include/openssl/rand.h index 14b4793..0086c07 100644 --- a/include/openssl/rand.h +++ b/include/openssl/rand.h @@ -99,6 +99,9 @@ int RAND_bytes(unsigned char *buf, int num); DECLARE_DEPRECATED(int RAND_pseudo_bytes(unsigned char *buf, int num)); #endif void RAND_seed(const void *buf, int num); +#if defined(__ANDROID__) && defined(__NDK_FPABI__) +__NDK_FPABI__ /* __attribute__((pcs("aapcs"))) on ARM */ +#endif void RAND_add(const void *buf, int num, double entropy); int RAND_load_file(const char *file, long max_bytes); int RAND_write_file(const char *file); From appro at openssl.org Thu Apr 2 07:50:52 2015 
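Review bot: In the `@@ -112,24 +137,24 @@` hunk of crypto/perlasm/arm-xlate.pl, `$line.= "\t$arg" if ($arg);` drops the operand whenever it is the string `0`, because Perl treats `"0"` as false; the old test `$#args>=0` kept it. A directive or instruction whose only operand is `0` would be emitted with no operand at all. Testing for emptiness keeps the previous behaviour: `$line.= "\t$arg" if ($arg ne "");`. The enclosing `while($line=<>)` loop starts and ends outside the hunk.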
From: appro at openssl.org (Andy Polyakov) Date: Thu, 02 Apr 2015 07:50:52 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1427961052.291172.21880.nullmailer@dev.openssl.org> The branch master has been updated via be5a87a1b00aceba5484a7ec198ac622c9283def (commit) via 94376cccb4ed5b376220bffe0739140ea9dad8c8 (commit) from 7b644df899d0c818488686affc0bfe2dfdd0d0c2 (commit) - Log ----------------------------------------------------------------- commit be5a87a1b00aceba5484a7ec198ac622c9283def Author: Andy Polyakov Date: Sat Mar 28 22:01:59 2015 +0100 sha/asm/sha*-armv8.pl: add Denver and X-Gene esults. Reviewed-by: Richard Levitte commit 94376cccb4ed5b376220bffe0739140ea9dad8c8 Author: Andy Polyakov Date: Tue Mar 3 22:05:25 2015 +0100 aes/asm/aesv8-armx.pl: optimize for Cortex-A5x. ARM has optimized Cortex-A5x pipeline to favour pairs of complementary AES instructions. While modified code improves performance of post-r0p0 Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts original r0p0. We favour later revisions, because one can't prevent future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%, while new code is not slower on r0p0, or Apple A7 for that matter. [Update even SHA results for latest Cortex-A53.] Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesv8-armx.pl | 209 +++++++++++++++++++++++------------------ crypto/sha/asm/sha1-armv8.pl | 6 +- crypto/sha/asm/sha512-armv8.pl | 6 +- 3 files changed, 127 insertions(+), 94 deletions(-) diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl index 0675409..9844ca1 100755 --- a/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/aes/asm/aesv8-armx.pl 
@@ -24,8 +24,12 @@ # # CBC enc CBC dec CTR # Apple A7 2.39 1.20 1.20 -# Cortex-A53 2.45 1.87 1.94 -# Cortex-A57 3.64 1.34 1.32 +# Cortex-A53 1.32 1.29 1.46 +# Cortex-A57(*) 1.95 0.85 0.93 +# Denver 1.96 0.86 0.80 +# +# (*) original 3.64/1.34/1.32 results were for r0p0 revision +# and are still same even for updated module; $flavour = shift; $output = shift; @@ -316,17 +320,17 @@ ${prefix}_${dir}crypt: .Loop_${dir}c: aes$e $inout,$rndkey0 - vld1.32 {$rndkey0},[$key],#16 aes$mc $inout,$inout + vld1.32 {$rndkey0},[$key],#16 subs $rounds,$rounds,#2 aes$e $inout,$rndkey1 - vld1.32 {$rndkey1},[$key],#16 aes$mc $inout,$inout + vld1.32 {$rndkey1},[$key],#16 b.gt .Loop_${dir}c aes$e $inout,$rndkey0 - vld1.32 {$rndkey0},[$key] aes$mc $inout,$inout + vld1.32 {$rndkey0},[$key] aes$e $inout,$rndkey1 veor $inout,$inout,$rndkey0 @@ -344,6 +348,7 @@ my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12"); my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7)); my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); +my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key); ### q8-q15 preloaded key schedule @@ -393,16 +398,42 @@ $code.=<<___; veor $rndzero_n_last,q8,$rndlast b.eq .Lcbc_enc128 + vld1.32 {$in0-$in1},[$key_] + add $key_,$key,#16 + add $key4,$key,#16*4 + add $key5,$key,#16*5 + aese $dat,q8 + aesmc $dat,$dat + add $key6,$key,#16*6 + add $key7,$key,#16*7 + b .Lenter_cbc_enc + +.align 4 .Loop_cbc_enc: aese $dat,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat,$dat - subs $cnt,$cnt,#2 + vst1.8 {$ivec},[$out],#16 +.Lenter_cbc_enc: aese $dat,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat,$dat - b.gt .Loop_cbc_enc + aese $dat,$in0 + aesmc $dat,$dat + vld1.32 {q8},[$key4] + cmp $rounds,#4 + aese $dat,$in1 + aesmc $dat,$dat + vld1.32 {q9},[$key5] + b.eq .Lcbc_enc192 + + aese $dat,q8 + aesmc $dat,$dat + vld1.32 {q8},[$key6] + aese $dat,q9 + aesmc $dat,$dat + vld1.32 {q9},[$key7] + nop +.Lcbc_enc192: aese $dat,q8 aesmc $dat,$dat subs $len,$len,#16 
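Review bot: The declaration `my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);` added in the `@@ -344,6 +348,7 @@` hunk reuses registers that already have names: `x6` is the 64-bit view of `$cnt` (`w6`), `x12` is `$step1`, and `$key7` is `$key` itself, so `add $key7,$key,#16*7` in the following hunk overwrites the key-schedule pointer. Nothing in the hunk records this, and a later edit that reads `$cnt`, `$step1` or `$key` on the CBC-encrypt path after those `add` instructions would silently pick up a round-key address instead. A comment on the declaration would help, for example `# $key4/$key5 alias $cnt/$step1 and $key7 clobbers $key; CBC encrypt only`. Whether `x14` is free in every flavour this module is translated for cannot be told from the hunk.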
@@ -411,7 +442,6 @@ $code.=<<___; cclr $step,eq aese $dat,q10 aesmc $dat,$dat - add $key_,$key,#16 aese $dat,q11 aesmc $dat,$dat vld1.8 {q8},[$inp],$step @@ -420,16 +450,14 @@ $code.=<<___; veor q8,q8,$rndzero_n_last aese $dat,q13 aesmc $dat,$dat - vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] + vld1.32 {q9},[$key_] // re-pre-load rndkey[1] aese $dat,q14 aesmc $dat,$dat aese $dat,q15 - - mov $cnt,$rounds veor $ivec,$dat,$rndlast - vst1.8 {$ivec},[$out],#16 b.hs .Loop_cbc_enc + vst1.8 {$ivec},[$out],#16 b .Lcbc_done .align 5 
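Review bot: The `vst1.8 {$ivec},[$out],#16` placed after `b.hs .Loop_cbc_enc` is now the only store of the final ciphertext block, because the in-loop store moved to the top of the next iteration in the previous hunk. That pairing is easy to break when either end is edited alone; a comment such as `// store last block: the loop writes each block one iteration late` on the trailing store would tie the two together. `.Lcbc_enc128` and `.Lcbc_done` lie outside this hunk, so whether the 128-bit path keeps its own in-loop store cannot be seen from here.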
@@ -491,79 +519,78 @@ $code.=<<___; .Loop3x_cbc_dec: aesd $dat0,q8 - aesd $dat1,q8 - aesd $dat2,q8 - vld1.32 {q8},[$key_],#16 aesimc $dat0,$dat0 + aesd $dat1,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aesd $dat0,q9 - aesd $dat1,q9 - aesd $dat2,q9 - vld1.32 {q9},[$key_],#16 aesimc $dat0,$dat0 + aesd $dat1,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Loop3x_cbc_dec aesd $dat0,q8 - aesd $dat1,q8 - aesd $dat2,q8 - veor $tmp0,$ivec,$rndlast aesimc $dat0,$dat0 + aesd $dat1,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + veor $tmp0,$ivec,$rndlast + subs $len,$len,#0x30 veor $tmp1,$in0,$rndlast + mov.lo x6,$len // x6, $cnt, is zero at this point aesd $dat0,q9 - aesd $dat1,q9 - aesd $dat2,q9 - veor $tmp2,$in1,$rndlast - subs $len,$len,#0x30 aesimc $dat0,$dat0 + aesd $dat1,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 - vorr $ivec,$in2,$in2 - mov.lo x6,$len // x6, $cnt, is zero at this point - aesd $dat0,q12 - aesd $dat1,q12 - aesd $dat2,q12 + veor $tmp2,$in1,$rndlast add $inp,$inp,x6 // $inp is adjusted in such way that // at exit from the loop $dat1-$dat2 // are loaded with last "words" + vorr $ivec,$in2,$in2 + mov $key_,$key + aesd $dat0,q12 aesimc $dat0,$dat0 + aesd $dat1,q12 aesimc $dat1,$dat1 + aesd $dat2,q12 aesimc $dat2,$dat2 - mov $key_,$key - aesd $dat0,q13 - aesd $dat1,q13 - aesd $dat2,q13 vld1.8 {$in0},[$inp],#16 + aesd $dat0,q13 aesimc $dat0,$dat0 + aesd $dat1,q13 aesimc $dat1,$dat1 + aesd $dat2,q13 aesimc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 aesd $dat0,q14 - aesd $dat1,q14 - aesd $dat2,q14 - vld1.8 {$in2},[$inp],#16 aesimc $dat0,$dat0 + aesd $dat1,q14 aesimc $dat1,$dat1 + aesd $dat2,q14 aesimc $dat2,$dat2 - vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] + vld1.8 {$in2},[$inp],#16 aesd $dat0,q15 aesd $dat1,q15 aesd $dat2,q15 - + vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] add $cnt,$rounds,#2 veor $tmp0,$tmp0,$dat0 veor 
$tmp1,$tmp1,$dat1 veor $dat2,$dat2,$tmp2 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] - vorr $dat0,$in0,$in0 vst1.8 {$tmp0},[$out],#16 - vorr $dat1,$in1,$in1 + vorr $dat0,$in0,$in0 vst1.8 {$tmp1},[$out],#16 + vorr $dat1,$in1,$in1 vst1.8 {$dat2},[$out],#16 vorr $dat2,$in2,$in2 b.hs .Loop3x_cbc_dec @@ -574,39 +601,39 @@ $code.=<<___; .Lcbc_dec_tail: aesd $dat1,q8 - aesd $dat2,q8 - vld1.32 {q8},[$key_],#16 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aesd $dat1,q9 - aesd $dat2,q9 - vld1.32 {q9},[$key_],#16 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Lcbc_dec_tail aesd $dat1,q8 - aesd $dat2,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 aesd $dat1,q9 - aesd $dat2,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 aesd $dat1,q12 - aesd $dat2,q12 aesimc $dat1,$dat1 + aesd $dat2,q12 aesimc $dat2,$dat2 cmn $len,#0x20 aesd $dat1,q13 - aesd $dat2,q13 aesimc $dat1,$dat1 + aesd $dat2,q13 aesimc $dat2,$dat2 veor $tmp1,$ivec,$rndlast aesd $dat1,q14 - aesd $dat2,q14 aesimc $dat1,$dat1 + aesd $dat2,q14 aesimc $dat2,$dat2 veor $tmp2,$in1,$rndlast aesd $dat1,q15 
@@ -707,70 +734,69 @@ $code.=<<___; .align 4 .Loop3x_ctr32: aese $dat0,q8 - aese $dat1,q8 - aese $dat2,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 + aese $dat2,q8 aesmc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aese $dat0,q9 - aese $dat1,q9 - aese $dat2,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 + aese $dat2,q9 aesmc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Loop3x_ctr32 aese $dat0,q8 - aese $dat1,q8 - aese $dat2,q8 - mov $key_,$key aesmc $tmp0,$dat0 - vld1.8 {$in0},[$inp],#16 + aese $dat1,q8 aesmc $tmp1,$dat1 - aesmc $dat2,$dat2 + vld1.8 {$in0},[$inp],#16 vorr $dat0,$ivec,$ivec - aese $tmp0,q9 + aese $dat2,q8 + aesmc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 - aese $tmp1,q9 - aese $dat2,q9 vorr $dat1,$ivec,$ivec + aese $tmp0,q9 aesmc $tmp0,$tmp0 - vld1.8 {$in2},[$inp],#16 + aese $tmp1,q9 aesmc $tmp1,$tmp1 + vld1.8 {$in2},[$inp],#16 + mov $key_,$key + aese $dat2,q9 aesmc $tmp2,$dat2 vorr $dat2,$ivec,$ivec add $tctr0,$ctr,#1 aese $tmp0,q12 + aesmc $tmp0,$tmp0 aese $tmp1,q12 - aese $tmp2,q12 + aesmc $tmp1,$tmp1 veor $in0,$in0,$rndlast add $tctr1,$ctr,#2 - aesmc $tmp0,$tmp0 - aesmc $tmp1,$tmp1 + aese $tmp2,q12 aesmc $tmp2,$tmp2 veor $in1,$in1,$rndlast add $ctr,$ctr,#3 aese $tmp0,q13 + aesmc $tmp0,$tmp0 aese $tmp1,q13 - aese $tmp2,q13 + aesmc $tmp1,$tmp1 veor $in2,$in2,$rndlast rev $tctr0,$tctr0 - aesmc $tmp0,$tmp0 - vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] - aesmc $tmp1,$tmp1 + aese $tmp2,q13 aesmc $tmp2,$tmp2 vmov.32 ${dat0}[3], $tctr0 rev $tctr1,$tctr1 aese $tmp0,q14 + aesmc $tmp0,$tmp0 aese $tmp1,q14 - aese $tmp2,q14 + aesmc $tmp1,$tmp1 vmov.32 ${dat1}[3], $tctr1 rev $tctr2,$ctr - aesmc $tmp0,$tmp0 - aesmc $tmp1,$tmp1 + aese $tmp2,q14 aesmc $tmp2,$tmp2 vmov.32 ${dat2}[3], $tctr2 subs $len,$len,#3 
@@ -778,13 +804,14 @@ $code.=<<___; aese $tmp1,q15 aese $tmp2,q15 - mov $cnt,$rounds veor $in0,$in0,$tmp0 + vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] + vst1.8 {$in0},[$out],#16 veor $in1,$in1,$tmp1 + mov $cnt,$rounds + vst1.8 {$in1},[$out],#16 veor $in2,$in2,$tmp2 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] - vst1.8 {$in0},[$out],#16 - vst1.8 {$in1},[$out],#16 vst1.8 {$in2},[$out],#16 b.hs .Loop3x_ctr32 @@ -796,40 +823,40 @@ $code.=<<___; .Lctr32_tail: aese $dat0,q8 - aese $dat1,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aese $dat0,q9 - aese $dat1,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 + vld1.32 {q9},[$key_],#16 b.gt .Lctr32_tail aese $dat0,q8 - aese $dat1,q8 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 aese $dat0,q9 - aese $dat1,q9 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 vld1.8 {$in0},[$inp],$step aese $dat0,q12 - aese $dat1,q12 - vld1.8 {$in1},[$inp] aesmc $dat0,$dat0 + aese $dat1,q12 aesmc $dat1,$dat1 + vld1.8 {$in1},[$inp] aese $dat0,q13 - aese $dat1,q13 aesmc $dat0,$dat0 + aese $dat1,q13 aesmc $dat1,$dat1 - aese $dat0,q14 - aese $dat1,q14 veor $in0,$in0,$rndlast + aese $dat0,q14 aesmc $dat0,$dat0 + aese $dat1,q14 aesmc $dat1,$dat1 veor $in1,$in1,$rndlast aese $dat0,q15 diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl index 6be8624..a8c08c2 100644 --- a/crypto/sha/asm/sha1-armv8.pl +++ b/crypto/sha/asm/sha1-armv8.pl @@ -14,10 +14,14 @@ # # hardware-assisted software(*) # Apple A7 2.31 4.13 (+14%) -# Cortex-A53 2.19 8.73 (+108%) +# Cortex-A53 2.24 8.03 (+97%) # Cortex-A57 2.35 7.88 (+74%) +# Denver 2.13 3.97 (+0%)(**) +# X-Gene 8.80 (+200%) # # (*) Software results are presented mostly for reference purposes. +# (**) Keep in mind that Denver relies on binary translation, which +# optimizes compiler output at run-time. $flavour = shift; $output = shift; 
diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl index 45eb719..d009f3f 100644 --- a/crypto/sha/asm/sha512-armv8.pl +++ b/crypto/sha/asm/sha512-armv8.pl @@ -14,8 +14,10 @@ # # SHA256-hw SHA256(*) SHA512 # Apple A7 1.97 10.5 (+33%) 6.73 (-1%(**)) -# Cortex-A53 2.38 15.6 (+110%) 10.1 (+190%(***)) +# Cortex-A53 2.38 15.5 (+115%) 10.0 (+150%(***)) # Cortex-A57 2.31 11.6 (+86%) 7.51 (+260%(***)) +# Denver 2.01 10.5 (+26%) 6.70 (+8%) +# X-Gene 20.0 (+100%) 12.8 (+300%(***)) # # (*) Software SHA256 results are of lesser relevance, presented # mostly for informational purposes. @@ -25,7 +27,7 @@ # (***) Super-impressive coefficients over gcc-generated code are # indication of some compiler "pathology", most notably code # generated with -mgeneral-regs-only is significanty faster -# and lags behind assembly only by 50-90%. +# and the gap is only 40-90%. $flavour=shift; $output=shift; From appro at openssl.org Thu Apr 2 07:52:15 2015 
From: appro at openssl.org (Andy Polyakov) Date: Thu, 02 Apr 2015 07:52:15 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1427961135.768226.22736.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 0a1f31f7ba837aeaa28e49ed323e60fdd4255b28 (commit) via 5a27a20be3c67c2ba5f0258b563bcfe41b1befe1 (commit) from 3d5bb773ecd78f75984fb096bb0be7808d3dc18d (commit) - Log ----------------------------------------------------------------- commit 0a1f31f7ba837aeaa28e49ed323e60fdd4255b28 Author: Andy Polyakov Date: Sat Mar 28 22:01:59 2015 +0100 sha/asm/sha*-armv8.pl: add Denver and X-Gene esults. Reviewed-by: Richard Levitte (cherry picked from commit be5a87a1b00aceba5484a7ec198ac622c9283def) commit 5a27a20be3c67c2ba5f0258b563bcfe41b1befe1 Author: Andy Polyakov Date: Tue Mar 3 22:05:25 2015 +0100 aes/asm/aesv8-armx.pl: optimize for Cortex-A5x. ARM has optimized Cortex-A5x pipeline to favour pairs of complementary AES instructions. While modified code improves performance of post-r0p0 Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts original r0p0. We favour later revisions, because one can't prevent future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%, while new code is not slower on r0p0, or Apple A7 for that matter. [Update even SHA results for latest Cortex-A53.] Reviewed-by: Richard Levitte (cherry picked from commit 94376cccb4ed5b376220bffe0739140ea9dad8c8) ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesv8-armx.pl | 209 +++++++++++++++++++++++------------------ crypto/sha/asm/sha1-armv8.pl | 6 +- crypto/sha/asm/sha512-armv8.pl | 6 +- 3 files changed, 127 insertions(+), 94 deletions(-) diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl index 1e93f86..95ebae3 100755 --- a/crypto/aes/asm/aesv8-armx.pl +++ b/crypto/aes/asm/aesv8-armx.pl 
@@ -24,8 +24,12 @@ # # CBC enc CBC dec CTR # Apple A7 2.39 1.20 1.20 -# Cortex-A53 2.45 1.87 1.94 -# Cortex-A57 3.64 1.34 1.32 +# Cortex-A53 1.32 1.29 1.46 +# Cortex-A57(*) 1.95 0.85 0.93 +# Denver 1.96 0.86 0.80 +# +# (*) original 3.64/1.34/1.32 results were for r0p0 revision +# and are still same even for updated module; $flavour = shift; open STDOUT,">".shift; @@ -308,17 +312,17 @@ ${prefix}_${dir}crypt: .Loop_${dir}c: aes$e $inout,$rndkey0 - vld1.32 {$rndkey0},[$key],#16 aes$mc $inout,$inout + vld1.32 {$rndkey0},[$key],#16 subs $rounds,$rounds,#2 aes$e $inout,$rndkey1 - vld1.32 {$rndkey1},[$key],#16 aes$mc $inout,$inout + vld1.32 {$rndkey1},[$key],#16 b.gt .Loop_${dir}c aes$e $inout,$rndkey0 - vld1.32 {$rndkey0},[$key] aes$mc $inout,$inout + vld1.32 {$rndkey0},[$key] aes$e $inout,$rndkey1 veor $inout,$inout,$rndkey0 @@ -336,6 +340,7 @@ my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12"); my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7)); my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); +my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key); ### q8-q15 preloaded key schedule @@ -385,16 +390,42 @@ $code.=<<___; veor $rndzero_n_last,q8,$rndlast b.eq .Lcbc_enc128 + vld1.32 {$in0-$in1},[$key_] + add $key_,$key,#16 + add $key4,$key,#16*4 + add $key5,$key,#16*5 + aese $dat,q8 + aesmc $dat,$dat + add $key6,$key,#16*6 + add $key7,$key,#16*7 + b .Lenter_cbc_enc + +.align 4 .Loop_cbc_enc: aese $dat,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat,$dat - subs $cnt,$cnt,#2 + vst1.8 {$ivec},[$out],#16 +.Lenter_cbc_enc: aese $dat,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat,$dat - b.gt .Loop_cbc_enc + aese $dat,$in0 + aesmc $dat,$dat + vld1.32 {q8},[$key4] + cmp $rounds,#4 + aese $dat,$in1 + aesmc $dat,$dat + vld1.32 {q9},[$key5] + b.eq .Lcbc_enc192 + + aese $dat,q8 + aesmc $dat,$dat + vld1.32 {q8},[$key6] + aese $dat,q9 + aesmc $dat,$dat + vld1.32 {q9},[$key7] + nop +.Lcbc_enc192: aese $dat,q8 aesmc $dat,$dat subs $len,$len,#16 
@@ -403,7 +434,6 @@ $code.=<<___; cclr $step,eq aese $dat,q10 aesmc $dat,$dat - add $key_,$key,#16 aese $dat,q11 aesmc $dat,$dat vld1.8 {q8},[$inp],$step @@ -412,16 +442,14 @@ $code.=<<___; veor q8,q8,$rndzero_n_last aese $dat,q13 aesmc $dat,$dat - vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] + vld1.32 {q9},[$key_] // re-pre-load rndkey[1] aese $dat,q14 aesmc $dat,$dat aese $dat,q15 - - mov $cnt,$rounds veor $ivec,$dat,$rndlast - vst1.8 {$ivec},[$out],#16 b.hs .Loop_cbc_enc + vst1.8 {$ivec},[$out],#16 b .Lcbc_done .align 5 
@@ -483,79 +511,78 @@ $code.=<<___; .Loop3x_cbc_dec: aesd $dat0,q8 - aesd $dat1,q8 - aesd $dat2,q8 - vld1.32 {q8},[$key_],#16 aesimc $dat0,$dat0 + aesd $dat1,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aesd $dat0,q9 - aesd $dat1,q9 - aesd $dat2,q9 - vld1.32 {q9},[$key_],#16 aesimc $dat0,$dat0 + aesd $dat1,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Loop3x_cbc_dec aesd $dat0,q8 - aesd $dat1,q8 - aesd $dat2,q8 - veor $tmp0,$ivec,$rndlast aesimc $dat0,$dat0 + aesd $dat1,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + veor $tmp0,$ivec,$rndlast + subs $len,$len,#0x30 veor $tmp1,$in0,$rndlast + mov.lo x6,$len // x6, $cnt, is zero at this point aesd $dat0,q9 - aesd $dat1,q9 - aesd $dat2,q9 - veor $tmp2,$in1,$rndlast - subs $len,$len,#0x30 aesimc $dat0,$dat0 + aesd $dat1,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 - vorr $ivec,$in2,$in2 - mov.lo x6,$len // x6, $cnt, is zero at this point - aesd $dat0,q12 - aesd $dat1,q12 - aesd $dat2,q12 + veor $tmp2,$in1,$rndlast add $inp,$inp,x6 // $inp is adjusted in such way that // at exit from the loop $dat1-$dat2 // are loaded with last "words" + vorr $ivec,$in2,$in2 + mov $key_,$key + aesd $dat0,q12 aesimc $dat0,$dat0 + aesd $dat1,q12 aesimc $dat1,$dat1 + aesd $dat2,q12 aesimc $dat2,$dat2 - mov $key_,$key - aesd $dat0,q13 - aesd $dat1,q13 - aesd $dat2,q13 vld1.8 {$in0},[$inp],#16 + aesd $dat0,q13 aesimc $dat0,$dat0 + aesd $dat1,q13 aesimc $dat1,$dat1 + aesd $dat2,q13 aesimc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 aesd $dat0,q14 - aesd $dat1,q14 - aesd $dat2,q14 - vld1.8 {$in2},[$inp],#16 aesimc $dat0,$dat0 + aesd $dat1,q14 aesimc $dat1,$dat1 + aesd $dat2,q14 aesimc $dat2,$dat2 - vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] + vld1.8 {$in2},[$inp],#16 aesd $dat0,q15 aesd $dat1,q15 aesd $dat2,q15 - + vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] add $cnt,$rounds,#2 veor $tmp0,$tmp0,$dat0 veor 
$tmp1,$tmp1,$dat1 veor $dat2,$dat2,$tmp2 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] - vorr $dat0,$in0,$in0 vst1.8 {$tmp0},[$out],#16 - vorr $dat1,$in1,$in1 + vorr $dat0,$in0,$in0 vst1.8 {$tmp1},[$out],#16 + vorr $dat1,$in1,$in1 vst1.8 {$dat2},[$out],#16 vorr $dat2,$in2,$in2 b.hs .Loop3x_cbc_dec @@ -566,39 +593,39 @@ $code.=<<___; .Lcbc_dec_tail: aesd $dat1,q8 - aesd $dat2,q8 - vld1.32 {q8},[$key_],#16 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aesd $dat1,q9 - aesd $dat2,q9 - vld1.32 {q9},[$key_],#16 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Lcbc_dec_tail aesd $dat1,q8 - aesd $dat2,q8 aesimc $dat1,$dat1 + aesd $dat2,q8 aesimc $dat2,$dat2 aesd $dat1,q9 - aesd $dat2,q9 aesimc $dat1,$dat1 + aesd $dat2,q9 aesimc $dat2,$dat2 aesd $dat1,q12 - aesd $dat2,q12 aesimc $dat1,$dat1 + aesd $dat2,q12 aesimc $dat2,$dat2 cmn $len,#0x20 aesd $dat1,q13 - aesd $dat2,q13 aesimc $dat1,$dat1 + aesd $dat2,q13 aesimc $dat2,$dat2 veor $tmp1,$ivec,$rndlast aesd $dat1,q14 - aesd $dat2,q14 aesimc $dat1,$dat1 + aesd $dat2,q14 aesimc $dat2,$dat2 veor $tmp2,$in1,$rndlast aesd $dat1,q15 
@@ -699,70 +726,69 @@ $code.=<<___; .align 4 .Loop3x_ctr32: aese $dat0,q8 - aese $dat1,q8 - aese $dat2,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 + aese $dat2,q8 aesmc $dat2,$dat2 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aese $dat0,q9 - aese $dat1,q9 - aese $dat2,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 + aese $dat2,q9 aesmc $dat2,$dat2 + vld1.32 {q9},[$key_],#16 b.gt .Loop3x_ctr32 aese $dat0,q8 - aese $dat1,q8 - aese $dat2,q8 - mov $key_,$key aesmc $tmp0,$dat0 - vld1.8 {$in0},[$inp],#16 + aese $dat1,q8 aesmc $tmp1,$dat1 - aesmc $dat2,$dat2 + vld1.8 {$in0},[$inp],#16 vorr $dat0,$ivec,$ivec - aese $tmp0,q9 + aese $dat2,q8 + aesmc $dat2,$dat2 vld1.8 {$in1},[$inp],#16 - aese $tmp1,q9 - aese $dat2,q9 vorr $dat1,$ivec,$ivec + aese $tmp0,q9 aesmc $tmp0,$tmp0 - vld1.8 {$in2},[$inp],#16 + aese $tmp1,q9 aesmc $tmp1,$tmp1 + vld1.8 {$in2},[$inp],#16 + mov $key_,$key + aese $dat2,q9 aesmc $tmp2,$dat2 vorr $dat2,$ivec,$ivec add $tctr0,$ctr,#1 aese $tmp0,q12 + aesmc $tmp0,$tmp0 aese $tmp1,q12 - aese $tmp2,q12 + aesmc $tmp1,$tmp1 veor $in0,$in0,$rndlast add $tctr1,$ctr,#2 - aesmc $tmp0,$tmp0 - aesmc $tmp1,$tmp1 + aese $tmp2,q12 aesmc $tmp2,$tmp2 veor $in1,$in1,$rndlast add $ctr,$ctr,#3 aese $tmp0,q13 + aesmc $tmp0,$tmp0 aese $tmp1,q13 - aese $tmp2,q13 + aesmc $tmp1,$tmp1 veor $in2,$in2,$rndlast rev $tctr0,$tctr0 - aesmc $tmp0,$tmp0 - vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] - aesmc $tmp1,$tmp1 + aese $tmp2,q13 aesmc $tmp2,$tmp2 vmov.32 ${dat0}[3], $tctr0 rev $tctr1,$tctr1 aese $tmp0,q14 + aesmc $tmp0,$tmp0 aese $tmp1,q14 - aese $tmp2,q14 + aesmc $tmp1,$tmp1 vmov.32 ${dat1}[3], $tctr1 rev $tctr2,$ctr - aesmc $tmp0,$tmp0 - aesmc $tmp1,$tmp1 + aese $tmp2,q14 aesmc $tmp2,$tmp2 vmov.32 ${dat2}[3], $tctr2 subs $len,$len,#3 
@@ -770,13 +796,14 @@ $code.=<<___; aese $tmp1,q15 aese $tmp2,q15 - mov $cnt,$rounds veor $in0,$in0,$tmp0 + vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] + vst1.8 {$in0},[$out],#16 veor $in1,$in1,$tmp1 + mov $cnt,$rounds + vst1.8 {$in1},[$out],#16 veor $in2,$in2,$tmp2 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] - vst1.8 {$in0},[$out],#16 - vst1.8 {$in1},[$out],#16 vst1.8 {$in2},[$out],#16 b.hs .Loop3x_ctr32 @@ -788,40 +815,40 @@ $code.=<<___; .Lctr32_tail: aese $dat0,q8 - aese $dat1,q8 - vld1.32 {q8},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 + vld1.32 {q8},[$key_],#16 subs $cnt,$cnt,#2 aese $dat0,q9 - aese $dat1,q9 - vld1.32 {q9},[$key_],#16 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 + vld1.32 {q9},[$key_],#16 b.gt .Lctr32_tail aese $dat0,q8 - aese $dat1,q8 aesmc $dat0,$dat0 + aese $dat1,q8 aesmc $dat1,$dat1 aese $dat0,q9 - aese $dat1,q9 aesmc $dat0,$dat0 + aese $dat1,q9 aesmc $dat1,$dat1 vld1.8 {$in0},[$inp],$step aese $dat0,q12 - aese $dat1,q12 - vld1.8 {$in1},[$inp] aesmc $dat0,$dat0 + aese $dat1,q12 aesmc $dat1,$dat1 + vld1.8 {$in1},[$inp] aese $dat0,q13 - aese $dat1,q13 aesmc $dat0,$dat0 + aese $dat1,q13 aesmc $dat1,$dat1 - aese $dat0,q14 - aese $dat1,q14 veor $in0,$in0,$rndlast + aese $dat0,q14 aesmc $dat0,$dat0 + aese $dat1,q14 aesmc $dat1,$dat1 veor $in1,$in1,$rndlast aese $dat0,q15 diff --git a/crypto/sha/asm/sha1-armv8.pl b/crypto/sha/asm/sha1-armv8.pl index deb1238..c04432a 100644 --- a/crypto/sha/asm/sha1-armv8.pl +++ b/crypto/sha/asm/sha1-armv8.pl @@ -14,10 +14,14 @@ # # hardware-assisted software(*) # Apple A7 2.31 4.13 (+14%) -# Cortex-A53 2.19 8.73 (+108%) +# Cortex-A53 2.24 8.03 (+97%) # Cortex-A57 2.35 7.88 (+74%) +# Denver 2.13 3.97 (+0%)(**) +# X-Gene 8.80 (+200%) # # (*) Software results are presented mostly for reference purposes. +# (**) Keep in mind that Denver relies on binary translation, which +# optimizes compiler output at run-time. $flavour = shift; open STDOUT,">".shift; 
diff --git a/crypto/sha/asm/sha512-armv8.pl b/crypto/sha/asm/sha512-armv8.pl index bd7a0a5..f7b36b9 100644 --- a/crypto/sha/asm/sha512-armv8.pl +++ b/crypto/sha/asm/sha512-armv8.pl @@ -14,8 +14,10 @@ # # SHA256-hw SHA256(*) SHA512 # Apple A7 1.97 10.5 (+33%) 6.73 (-1%(**)) -# Cortex-A53 2.38 15.6 (+110%) 10.1 (+190%(***)) +# Cortex-A53 2.38 15.5 (+115%) 10.0 (+150%(***)) # Cortex-A57 2.31 11.6 (+86%) 7.51 (+260%(***)) +# Denver 2.01 10.5 (+26%) 6.70 (+8%) +# X-Gene 20.0 (+100%) 12.8 (+300%(***)) # # (*) Software SHA256 results are of lesser relevance, presented # mostly for informational purposes. @@ -25,7 +27,7 @@ # (***) Super-impressive coefficients over gcc-generated code are # indication of some compiler "pathology", most notably code # generated with -mgeneral-regs-only is significanty faster -# and lags behind assembly only by 50-90%. +# and the gap is only 40-90%. $flavour=shift; $output=shift; From appro at openssl.org Thu Apr 2 08:04:11 2015 From: appro at openssl.org (Andy Polyakov) Date: Thu, 02 Apr 2015 08:04:11 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1427961851.073570.24862.nullmailer@dev.openssl.org> The branch master has been updated via 7eeeb49e1103533bc81c234eb19613353866e474 (commit) from be5a87a1b00aceba5484a7ec198ac622c9283def (commit) - Log ----------------------------------------------------------------- commit 7eeeb49e1103533bc81c234eb19613353866e474 Author: Andy Polyakov Date: Fri Jan 23 17:04:19 2015 +0100 modes/asm/ghashv8-armx.pl: up to 90% performance improvement. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/modes/asm/ghashv8-armx.pl | 276 +++++++++++++++++++++++++++++++-------- 1 file changed, 222 insertions(+), 54 deletions(-) diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl index 7bbe2fc..55ba779 100644 --- a/crypto/modes/asm/ghashv8-armx.pl +++ b/crypto/modes/asm/ghashv8-armx.pl 
@@ -16,12 +16,17 @@ # other assembly modules. Just like aesv8-armx.pl this module # supports both AArch32 and AArch64 execution modes. # +# July 2014 +# +# Implement 2x aggregated reduction [see ghash-x86.pl for background +# information]. +# # Current performance in cycles per processed byte: # # PMULL[2] 32-bit NEON(*) -# Apple A7 1.76 5.62 -# Cortex-A53 1.45 8.39 -# Cortex-A57 2.22 7.61 +# Apple A7 0.92 5.62 +# Cortex-A53 1.01 8.39 +# Cortex-A57 1.17 7.61 # # (*) presented for reference/comparison purposes; @@ -45,7 +50,7 @@ $inc="x12"; { my ($Xl,$Xm,$Xh,$IN)=map("q$_",(0..3)); -my ($t0,$t1,$t2,$t3,$H,$Hhl)=map("q$_",(8..14)); +my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14)); $code=<<___; #include "arm_arch.h" 
@@ -55,114 +60,277 @@ ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); $code.=".fpu neon\n.code 32\n" if ($flavour !~ /64/); +################################################################################ +# void gcm_init_v8(u128 Htable[16],const u64 H[2]); +# +# input: 128-bit H - secret parameter E(K,0^128) +# output: precomputed table filled with degrees of twisted H; +# H is twisted to handle reverse bitness of GHASH; +# only few of 16 slots of Htable[16] are used; +# data is opaque to outside world (which allows to +# optimize the code independently); +# $code.=<<___; .global gcm_init_v8 .type gcm_init_v8,%function .align 4 gcm_init_v8: - vld1.64 {$t1},[x1] @ load H - vmov.i8 $t0,#0xe1 + vld1.64 {$t1},[x1] @ load input H + vmov.i8 $xC2,#0xe1 + vshl.i64 $xC2,$xC2,#57 @ 0xc2.0 vext.8 $IN,$t1,$t1,#8 - vshl.i64 $t0,$t0,#57 - vshr.u64 $t2,$t0,#63 - vext.8 $t0,$t2,$t0,#8 @ t0=0xc2....01 + vshr.u64 $t2,$xC2,#63 vdup.32 $t1,${t1}[1] - vshr.u64 $t3,$IN,#63 + vext.8 $t0,$t2,$xC2,#8 @ t0=0xc2....01 + vshr.u64 $t2,$IN,#63 vshr.s32 $t1,$t1,#31 @ broadcast carry bit - vand $t3,$t3,$t0 + vand $t2,$t2,$t0 vshl.i64 $IN,$IN,#1 - vext.8 $t3,$t3,$t3,#8 + vext.8 $t2,$t2,$t2,#8 vand $t0,$t0,$t1 - vorr $IN,$IN,$t3 @ H<<<=1 - veor $IN,$IN,$t0 @ twisted H - vst1.64 {$IN},[x0] + vorr $IN,$IN,$t2 @ H<<<=1 + veor $H,$IN,$t0 @ twisted H + vst1.64 {$H},[x0],#16 @ store Htable[0] + + @ calculate H^2 + vext.8 $t0,$H,$H,#8 @ Karatsuba pre-processing + vpmull.p64 $Xl,$H,$H + veor $t0,$t0,$H + vpmull2.p64 $Xh,$H,$H + vpmull.p64 $Xm,$t0,$t0 + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + veor $Xl,$Xm,$t2 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase + vpmull.p64 $Xl,$Xl,$xC2 + veor $t2,$t2,$Xh + veor $H2,$Xl,$t2 + + vext.8 $t1,$H2,$H2,#8 @ Karatsuba pre-processing + veor $t1,$t1,$H2 + vext.8 
$Hhl,$t0,$t1,#8 @ pack Karatsuba pre-processed + vst1.64 {$Hhl-$H2},[x0] @ store Htable[1..2] ret .size gcm_init_v8,.-gcm_init_v8 - +___ +################################################################################ +# void gcm_gmult_v8(u64 Xi[2],const u128 Htable[16]); +# +# input: Xi - current hash value; +# Htable - table precomputed in gcm_init_v8; +# output: Xi - next hash value Xi; +# +$code.=<<___; .global gcm_gmult_v8 .type gcm_gmult_v8,%function .align 4 gcm_gmult_v8: vld1.64 {$t1},[$Xi] @ load Xi - vmov.i8 $t3,#0xe1 - vld1.64 {$H},[$Htbl] @ load twisted H - vshl.u64 $t3,$t3,#57 + vmov.i8 $xC2,#0xe1 + vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ... + vshl.u64 $xC2,$xC2,#57 #ifndef __ARMEB__ vrev64.8 $t1,$t1 #endif - vext.8 $Hhl,$H,$H,#8 - mov $len,#0 vext.8 $IN,$t1,$t1,#8 - mov $inc,#0 - veor $Hhl,$Hhl,$H @ Karatsuba pre-processing - mov $inp,$Xi - b .Lgmult_v8 -.size gcm_gmult_v8,.-gcm_gmult_v8 + vpmull.p64 $Xl,$H,$IN @ H.lo?Xi.lo + veor $t1,$t1,$IN @ Karatsuba pre-processing + vpmull2.p64 $Xh,$H,$IN @ H.hi?Xi.hi + vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)?(Xi.lo+Xi.hi) + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + veor $Xl,$Xm,$t2 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 + veor $t2,$t2,$Xh + veor $Xl,$Xl,$t2 + +#ifndef __ARMEB__ + vrev64.8 $Xl,$Xl +#endif + vext.8 $Xl,$Xl,$Xl,#8 + vst1.64 {$Xl},[$Xi] @ write out Xi + + ret +.size gcm_gmult_v8,.-gcm_gmult_v8 +___ +################################################################################ +# void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len); +# +# input: table precomputed in gcm_init_v8; +# current hash value Xi; +# pointer to input data; +# length of input data in bytes, but divisible by block size; +# output: next hash value Xi; +# 
+$code.=<<___; .global gcm_ghash_v8 .type gcm_ghash_v8,%function .align 4 gcm_ghash_v8: +___ +$code.=<<___ if ($flavour !~ /64/); + vstmdb sp!,{d8-d15} @ 32-bit ABI says so +___ +$code.=<<___; vld1.64 {$Xl},[$Xi] @ load [rotated] Xi - subs $len,$len,#16 - vmov.i8 $t3,#0xe1 - mov $inc,#16 - vld1.64 {$H},[$Htbl] @ load twisted H - cclr $inc,eq - vext.8 $Xl,$Xl,$Xl,#8 - vshl.u64 $t3,$t3,#57 - vld1.64 {$t1},[$inp],$inc @ load [rotated] inp - vext.8 $Hhl,$H,$H,#8 + @ "[rotated]" means that + @ loaded value would have + @ to be rotated in order to + @ make it appear as in + @ alorithm specification + subs $len,$len,#32 @ see if $len is 32 or larger + mov $inc,#16 @ $inc is used as post- + @ increment for input pointer; + @ as loop is modulo-scheduled + @ $inc is zeroed just in time + @ to preclude oversteping + @ inp[len], which means that + @ last block[s] are actually + @ loaded twice, but last + @ copy is not processed + vld1.64 {$H-$Hhl},[$Htbl],#32 @ load twisted H, ..., H^2 + vmov.i8 $xC2,#0xe1 + vld1.64 {$H2},[$Htbl] + cclr $inc,eq @ is it time to zero $inc? 
+ vext.8 $Xl,$Xl,$Xl,#8 @ rotate Xi + vld1.64 {$t0},[$inp],#16 @ load [rotated] I[0] + vshl.u64 $xC2,$xC2,#57 @ compose 0xc2.0 constant #ifndef __ARMEB__ + vrev64.8 $t0,$t0 vrev64.8 $Xl,$Xl +#endif + vext.8 $IN,$t0,$t0,#8 @ rotate I[0] + b.lo .Lodd_tail_v8 @ $len was less than 32 +___ +{ my ($Xln,$Xmn,$Xhn,$In) = map("q$_",(4..7)); + ####### + # Xi+2 =[H*(Ii+1 + Xi+1)] mod P = + # [(H*Ii+1) + (H*Xi+1)] mod P = + # [(H*Ii+1) + H^2*(Ii+Xi)] mod P + # +$code.=<<___; + vld1.64 {$t1},[$inp],$inc @ load [rotated] I[1] +#ifndef __ARMEB__ vrev64.8 $t1,$t1 #endif - veor $Hhl,$Hhl,$H @ Karatsuba pre-processing - vext.8 $IN,$t1,$t1,#8 - b .Loop_v8 + vext.8 $In,$t1,$t1,#8 + veor $IN,$IN,$Xl @ I[i]^=Xi + vpmull.p64 $Xln,$H,$In @ H?Ii+1 + veor $t1,$t1,$In @ Karatsuba pre-processing + vpmull2.p64 $Xhn,$H,$In + b .Loop_mod2x_v8 .align 4 -.Loop_v8: +.Loop_mod2x_v8: + vext.8 $t2,$IN,$IN,#8 + subs $len,$len,#32 @ is there more data? + vpmull.p64 $Xl,$H2,$IN @ H^2.lo?Xi.lo + cclr $inc,lo @ is it time to zero $inc? + + vpmull.p64 $Xmn,$Hhl,$t1 + veor $t2,$t2,$IN @ Karatsuba pre-processing + vpmull2.p64 $Xh,$H2,$IN @ H^2.hi?Xi.hi + veor $Xl,$Xl,$Xln @ accumulate + vpmull2.p64 $Xm,$Hhl,$t2 @ (H^2.lo+H^2.hi)?(Xi.lo+Xi.hi) + vld1.64 {$t0},[$inp],$inc @ load [rotated] I[i+2] + + veor $Xh,$Xh,$Xhn + cclr $inc,eq @ is it time to zero $inc? 
+ veor $Xm,$Xm,$Xmn + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + vld1.64 {$t1},[$inp],$inc @ load [rotated] I[i+3] +#ifndef __ARMEB__ + vrev64.8 $t0,$t0 +#endif + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction + +#ifndef __ARMEB__ + vrev64.8 $t1,$t1 +#endif + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + vext.8 $In,$t1,$t1,#8 + vext.8 $IN,$t0,$t0,#8 + veor $Xl,$Xm,$t2 + vpmull.p64 $Xln,$H,$In @ H?Ii+1 + veor $IN,$IN,$Xh @ accumulate $IN early + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 + veor $IN,$IN,$t2 + veor $t1,$t1,$In @ Karatsuba pre-processing + veor $IN,$IN,$Xl + vpmull2.p64 $Xhn,$H,$In + b.hs .Loop_mod2x_v8 @ there was at least 32 more bytes + + veor $Xh,$Xh,$t2 + vext.8 $IN,$t0,$t0,#8 @ re-construct $IN + adds $len,$len,#32 @ re-construct $len + veor $Xl,$Xl,$Xh @ re-construct $Xl + b.eq .Ldone_v8 @ is $len zero? +___ +} +$code.=<<___; +.Lodd_tail_v8: vext.8 $t2,$Xl,$Xl,#8 veor $IN,$IN,$Xl @ inp^=Xi - veor $t1,$t1,$t2 @ $t1 is rotated inp^Xi + veor $t1,$t0,$t2 @ $t1 is rotated inp^Xi -.Lgmult_v8: vpmull.p64 $Xl,$H,$IN @ H.lo?Xi.lo veor $t1,$t1,$IN @ Karatsuba pre-processing vpmull2.p64 $Xh,$H,$IN @ H.hi?Xi.hi - subs $len,$len,#16 vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)?(Xi.lo+Xi.hi) - cclr $inc,eq vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing veor $t2,$Xl,$Xh veor $Xm,$Xm,$t1 - vld1.64 {$t1},[$inp],$inc @ load [rotated] inp veor $Xm,$Xm,$t2 - vpmull.p64 $t2,$Xl,$t3 @ 1st phase + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl -#ifndef __ARMEB__ - vrev64.8 $t1,$t1 -#endif veor $Xl,$Xm,$t2 - vext.8 $IN,$t1,$t1,#8 - vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase - vpmull.p64 $Xl,$Xl,$t3 + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 veor $t2,$t2,$Xh veor $Xl,$Xl,$t2 - b.hs .Loop_v8 +.Ldone_v8: #ifndef __ARMEB__ vrev64.8 
$Xl,$Xl #endif vext.8 $Xl,$Xl,$Xl,#8 vst1.64 {$Xl},[$Xi] @ write out Xi +___ +$code.=<<___ if ($flavour !~ /64/); + vldmia sp!,{d8-d15} @ 32-bit ABI says so +___ +$code.=<<___; ret .size gcm_ghash_v8,.-gcm_ghash_v8 ___ @@ -230,7 +398,7 @@ if ($flavour =~ /64/) { ######## 64-bit code foreach(split("\n",$code)) { s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers - s/\/\/\s?/@ /o; # new->old style commentary + s/\/\/\s?/@ /o; # new->old style commentary # fix up remainig new-style suffixes s/\],#[0-9]+/]!/o; @@ -242,7 +410,7 @@ if ($flavour =~ /64/) { ######## 64-bit code s/^(\s+)b\./$1b/o or s/^(\s+)ret/$1bx\tlr/o; - print $_,"\n"; + print $_,"\n"; } } From appro at openssl.org Thu Apr 2 08:04:45 2015 From: appro at openssl.org (Andy Polyakov) Date: Thu, 02 Apr 2015 08:04:45 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1427961885.249828.25694.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via ff864ffef33b4b09bb31ca3b0e17e1c85b65c2c8 (commit) from 0a1f31f7ba837aeaa28e49ed323e60fdd4255b28 (commit) - Log ----------------------------------------------------------------- commit ff864ffef33b4b09bb31ca3b0e17e1c85b65c2c8 Author: Andy Polyakov Date: Fri Jan 23 17:04:19 2015 +0100 modes/asm/ghashv8-armx.pl: up to 90% performance improvement. Reviewed-by: Matt Caswell (cherry picked from commit 7eeeb49e1103533bc81c234eb19613353866e474) ----------------------------------------------------------------------- Summary of changes: crypto/modes/asm/ghashv8-armx.pl | 276 +++++++++++++++++++++++++++++++-------- 1 file changed, 222 insertions(+), 54 deletions(-) diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl index 54a1ac4..0b9cd73 100644 --- a/crypto/modes/asm/ghashv8-armx.pl +++ b/crypto/modes/asm/ghashv8-armx.pl 
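Review bot: The new header for `gcm_ghash_v8` says the length is "divisible by block size", but the code also needs it to be non-zero: `vld1.64 {$t0},[$inp],#16 @ load [rotated] I[0]` runs before `b.lo .Lodd_tail_v8`, so a zero `len` would still read 16 bytes from `inp` and fold them into Xi. The callers are outside this diff and presumably never pass zero, so the fix is to state the precondition, e.g. `# length of input data in bytes, non-zero and divisible by block size;`. The same header block could also say which Htable slots each routine reads (`gcm_gmult_v8` loads `{$H-$Hhl}`, `gcm_ghash_v8` additionally loads `$H2`), since `gcm_init_v8` now writes three entries instead of one. The added comment text also carries two typos, "alorithm" and "oversteping".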
@@ -16,12 +16,17 @@ # other assembly modules. Just like aesv8-armx.pl this module # supports both AArch32 and AArch64 execution modes. # +# July 2014 +# +# Implement 2x aggregated reduction [see ghash-x86.pl for background +# information]. +# # Current performance in cycles per processed byte: # # PMULL[2] 32-bit NEON(*) -# Apple A7 1.76 5.62 -# Cortex-A53 1.45 8.39 -# Cortex-A57 2.22 7.61 +# Apple A7 0.92 5.62 +# Cortex-A53 1.01 8.39 +# Cortex-A57 1.17 7.61 # # (*) presented for reference/comparison purposes; @@ -37,7 +42,7 @@ $inc="x12"; { my ($Xl,$Xm,$Xh,$IN)=map("q$_",(0..3)); -my ($t0,$t1,$t2,$t3,$H,$Hhl)=map("q$_",(8..14)); +my ($t0,$t1,$t2,$xC2,$H,$Hhl,$H2)=map("q$_",(8..14)); $code=<<___; #include "arm_arch.h" 
@@ -47,114 +52,277 @@ ___ $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); $code.=".fpu neon\n.code 32\n" if ($flavour !~ /64/); +################################################################################ +# void gcm_init_v8(u128 Htable[16],const u64 H[2]); +# +# input: 128-bit H - secret parameter E(K,0^128) +# output: precomputed table filled with degrees of twisted H; +# H is twisted to handle reverse bitness of GHASH; +# only few of 16 slots of Htable[16] are used; +# data is opaque to outside world (which allows to +# optimize the code independently); +# $code.=<<___; .global gcm_init_v8 .type gcm_init_v8,%function .align 4 gcm_init_v8: - vld1.64 {$t1},[x1] @ load H - vmov.i8 $t0,#0xe1 + vld1.64 {$t1},[x1] @ load input H + vmov.i8 $xC2,#0xe1 + vshl.i64 $xC2,$xC2,#57 @ 0xc2.0 vext.8 $IN,$t1,$t1,#8 - vshl.i64 $t0,$t0,#57 - vshr.u64 $t2,$t0,#63 - vext.8 $t0,$t2,$t0,#8 @ t0=0xc2....01 + vshr.u64 $t2,$xC2,#63 vdup.32 $t1,${t1}[1] - vshr.u64 $t3,$IN,#63 + vext.8 $t0,$t2,$xC2,#8 @ t0=0xc2....01 + vshr.u64 $t2,$IN,#63 vshr.s32 $t1,$t1,#31 @ broadcast carry bit - vand $t3,$t3,$t0 + vand $t2,$t2,$t0 vshl.i64 $IN,$IN,#1 - vext.8 $t3,$t3,$t3,#8 + vext.8 $t2,$t2,$t2,#8 vand $t0,$t0,$t1 - vorr $IN,$IN,$t3 @ H<<<=1 - veor $IN,$IN,$t0 @ twisted H - vst1.64 {$IN},[x0] + vorr $IN,$IN,$t2 @ H<<<=1 + veor $H,$IN,$t0 @ twisted H + vst1.64 {$H},[x0],#16 @ store Htable[0] + + @ calculate H^2 + vext.8 $t0,$H,$H,#8 @ Karatsuba pre-processing + vpmull.p64 $Xl,$H,$H + veor $t0,$t0,$H + vpmull2.p64 $Xh,$H,$H + vpmull.p64 $Xm,$t0,$t0 + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + veor $Xl,$Xm,$t2 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase + vpmull.p64 $Xl,$Xl,$xC2 + veor $t2,$t2,$Xh + veor $H2,$Xl,$t2 + + vext.8 $t1,$H2,$H2,#8 @ Karatsuba pre-processing + veor $t1,$t1,$H2 + vext.8 
$Hhl,$t0,$t1,#8 @ pack Karatsuba pre-processed + vst1.64 {$Hhl-$H2},[x0] @ store Htable[1..2] ret .size gcm_init_v8,.-gcm_init_v8 - +___ +################################################################################ +# void gcm_gmult_v8(u64 Xi[2],const u128 Htable[16]); +# +# input: Xi - current hash value; +# Htable - table precomputed in gcm_init_v8; +# output: Xi - next hash value Xi; +# +$code.=<<___; .global gcm_gmult_v8 .type gcm_gmult_v8,%function .align 4 gcm_gmult_v8: vld1.64 {$t1},[$Xi] @ load Xi - vmov.i8 $t3,#0xe1 - vld1.64 {$H},[$Htbl] @ load twisted H - vshl.u64 $t3,$t3,#57 + vmov.i8 $xC2,#0xe1 + vld1.64 {$H-$Hhl},[$Htbl] @ load twisted H, ... + vshl.u64 $xC2,$xC2,#57 #ifndef __ARMEB__ vrev64.8 $t1,$t1 #endif - vext.8 $Hhl,$H,$H,#8 - mov $len,#0 vext.8 $IN,$t1,$t1,#8 - mov $inc,#0 - veor $Hhl,$Hhl,$H @ Karatsuba pre-processing - mov $inp,$Xi - b .Lgmult_v8 -.size gcm_gmult_v8,.-gcm_gmult_v8 + vpmull.p64 $Xl,$H,$IN @ H.lo?Xi.lo + veor $t1,$t1,$IN @ Karatsuba pre-processing + vpmull2.p64 $Xh,$H,$IN @ H.hi?Xi.hi + vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)?(Xi.lo+Xi.hi) + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction + + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + veor $Xl,$Xm,$t2 + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 + veor $t2,$t2,$Xh + veor $Xl,$Xl,$t2 + +#ifndef __ARMEB__ + vrev64.8 $Xl,$Xl +#endif + vext.8 $Xl,$Xl,$Xl,#8 + vst1.64 {$Xl},[$Xi] @ write out Xi + + ret +.size gcm_gmult_v8,.-gcm_gmult_v8 +___ +################################################################################ +# void gcm_ghash_v8(u64 Xi[2],const u128 Htable[16],const u8 *inp,size_t len); +# +# input: table precomputed in gcm_init_v8; +# current hash value Xi; +# pointer to input data; +# length of input data in bytes, but divisible by block size; +# output: next hash value Xi; +# 
+$code.=<<___; .global gcm_ghash_v8 .type gcm_ghash_v8,%function .align 4 gcm_ghash_v8: +___ +$code.=<<___ if ($flavour !~ /64/); + vstmdb sp!,{d8-d15} @ 32-bit ABI says so +___ +$code.=<<___; vld1.64 {$Xl},[$Xi] @ load [rotated] Xi - subs $len,$len,#16 - vmov.i8 $t3,#0xe1 - mov $inc,#16 - vld1.64 {$H},[$Htbl] @ load twisted H - cclr $inc,eq - vext.8 $Xl,$Xl,$Xl,#8 - vshl.u64 $t3,$t3,#57 - vld1.64 {$t1},[$inp],$inc @ load [rotated] inp - vext.8 $Hhl,$H,$H,#8 + @ "[rotated]" means that + @ loaded value would have + @ to be rotated in order to + @ make it appear as in + @ alorithm specification + subs $len,$len,#32 @ see if $len is 32 or larger + mov $inc,#16 @ $inc is used as post- + @ increment for input pointer; + @ as loop is modulo-scheduled + @ $inc is zeroed just in time + @ to preclude oversteping + @ inp[len], which means that + @ last block[s] are actually + @ loaded twice, but last + @ copy is not processed + vld1.64 {$H-$Hhl},[$Htbl],#32 @ load twisted H, ..., H^2 + vmov.i8 $xC2,#0xe1 + vld1.64 {$H2},[$Htbl] + cclr $inc,eq @ is it time to zero $inc? 
+ vext.8 $Xl,$Xl,$Xl,#8 @ rotate Xi + vld1.64 {$t0},[$inp],#16 @ load [rotated] I[0] + vshl.u64 $xC2,$xC2,#57 @ compose 0xc2.0 constant #ifndef __ARMEB__ + vrev64.8 $t0,$t0 vrev64.8 $Xl,$Xl +#endif + vext.8 $IN,$t0,$t0,#8 @ rotate I[0] + b.lo .Lodd_tail_v8 @ $len was less than 32 +___ +{ my ($Xln,$Xmn,$Xhn,$In) = map("q$_",(4..7)); + ####### + # Xi+2 =[H*(Ii+1 + Xi+1)] mod P = + # [(H*Ii+1) + (H*Xi+1)] mod P = + # [(H*Ii+1) + H^2*(Ii+Xi)] mod P + # +$code.=<<___; + vld1.64 {$t1},[$inp],$inc @ load [rotated] I[1] +#ifndef __ARMEB__ vrev64.8 $t1,$t1 #endif - veor $Hhl,$Hhl,$H @ Karatsuba pre-processing - vext.8 $IN,$t1,$t1,#8 - b .Loop_v8 + vext.8 $In,$t1,$t1,#8 + veor $IN,$IN,$Xl @ I[i]^=Xi + vpmull.p64 $Xln,$H,$In @ H?Ii+1 + veor $t1,$t1,$In @ Karatsuba pre-processing + vpmull2.p64 $Xhn,$H,$In + b .Loop_mod2x_v8 .align 4 -.Loop_v8: +.Loop_mod2x_v8: + vext.8 $t2,$IN,$IN,#8 + subs $len,$len,#32 @ is there more data? + vpmull.p64 $Xl,$H2,$IN @ H^2.lo?Xi.lo + cclr $inc,lo @ is it time to zero $inc? + + vpmull.p64 $Xmn,$Hhl,$t1 + veor $t2,$t2,$IN @ Karatsuba pre-processing + vpmull2.p64 $Xh,$H2,$IN @ H^2.hi?Xi.hi + veor $Xl,$Xl,$Xln @ accumulate + vpmull2.p64 $Xm,$Hhl,$t2 @ (H^2.lo+H^2.hi)?(Xi.lo+Xi.hi) + vld1.64 {$t0},[$inp],$inc @ load [rotated] I[i+2] + + veor $Xh,$Xh,$Xhn + cclr $inc,eq @ is it time to zero $inc? 
+ veor $Xm,$Xm,$Xmn + + vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing + veor $t2,$Xl,$Xh + veor $Xm,$Xm,$t1 + vld1.64 {$t1},[$inp],$inc @ load [rotated] I[i+3] +#ifndef __ARMEB__ + vrev64.8 $t0,$t0 +#endif + veor $Xm,$Xm,$t2 + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction + +#ifndef __ARMEB__ + vrev64.8 $t1,$t1 +#endif + vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result + vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl + vext.8 $In,$t1,$t1,#8 + vext.8 $IN,$t0,$t0,#8 + veor $Xl,$Xm,$t2 + vpmull.p64 $Xln,$H,$In @ H?Ii+1 + veor $IN,$IN,$Xh @ accumulate $IN early + + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 + veor $IN,$IN,$t2 + veor $t1,$t1,$In @ Karatsuba pre-processing + veor $IN,$IN,$Xl + vpmull2.p64 $Xhn,$H,$In + b.hs .Loop_mod2x_v8 @ there was at least 32 more bytes + + veor $Xh,$Xh,$t2 + vext.8 $IN,$t0,$t0,#8 @ re-construct $IN + adds $len,$len,#32 @ re-construct $len + veor $Xl,$Xl,$Xh @ re-construct $Xl + b.eq .Ldone_v8 @ is $len zero? +___ +} +$code.=<<___; +.Lodd_tail_v8: vext.8 $t2,$Xl,$Xl,#8 veor $IN,$IN,$Xl @ inp^=Xi - veor $t1,$t1,$t2 @ $t1 is rotated inp^Xi + veor $t1,$t0,$t2 @ $t1 is rotated inp^Xi -.Lgmult_v8: vpmull.p64 $Xl,$H,$IN @ H.lo?Xi.lo veor $t1,$t1,$IN @ Karatsuba pre-processing vpmull2.p64 $Xh,$H,$IN @ H.hi?Xi.hi - subs $len,$len,#16 vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)?(Xi.lo+Xi.hi) - cclr $inc,eq vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing veor $t2,$Xl,$Xh veor $Xm,$Xm,$t1 - vld1.64 {$t1},[$inp],$inc @ load [rotated] inp veor $Xm,$Xm,$t2 - vpmull.p64 $t2,$Xl,$t3 @ 1st phase + vpmull.p64 $t2,$Xl,$xC2 @ 1st phase of reduction vmov $Xh#lo,$Xm#hi @ Xh|Xm - 256-bit result vmov $Xm#hi,$Xl#lo @ Xm is rotated Xl -#ifndef __ARMEB__ - vrev64.8 $t1,$t1 -#endif veor $Xl,$Xm,$t2 - vext.8 $IN,$t1,$t1,#8 - vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase - vpmull.p64 $Xl,$Xl,$t3 + vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction + vpmull.p64 $Xl,$Xl,$xC2 veor $t2,$t2,$Xh veor $Xl,$Xl,$t2 - b.hs .Loop_v8 +.Ldone_v8: #ifndef __ARMEB__ vrev64.8 
$Xl,$Xl #endif vext.8 $Xl,$Xl,$Xl,#8 vst1.64 {$Xl},[$Xi] @ write out Xi +___ +$code.=<<___ if ($flavour !~ /64/); + vldmia sp!,{d8-d15} @ 32-bit ABI says so +___ +$code.=<<___; ret .size gcm_ghash_v8,.-gcm_ghash_v8 ___ @@ -222,7 +390,7 @@ if ($flavour =~ /64/) { ######## 64-bit code foreach(split("\n",$code)) { s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers - s/\/\/\s?/@ /o; # new->old style commentary + s/\/\/\s?/@ /o; # new->old style commentary # fix up remainig new-style suffixes s/\],#[0-9]+/]!/o; @@ -234,7 +402,7 @@ if ($flavour =~ /64/) { ######## 64-bit code s/^(\s+)b\./$1b/o or s/^(\s+)ret/$1bx\tlr/o; - print $_,"\n"; + print $_,"\n"; } } From rsalz at openssl.org Thu Apr 2 19:58:36 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 02 Apr 2015 19:58:36 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428004716.355193.30277.nullmailer@dev.openssl.org> The branch master has been updated via 22ebaae08c6c10de1e6b0225531c94e5866070d7 (commit) from 7eeeb49e1103533bc81c234eb19613353866e474 (commit) - Log ----------------------------------------------------------------- commit 22ebaae08c6c10de1e6b0225531c94e5866070d7 Author: Rich Salz Date: Thu Apr 2 15:58:10 2015 -0400 Fewer newlines in comp method output Print "supported compression methods" all on one line. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: test/ssltest.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/test/ssltest.c b/test/ssltest.c index 508fedd..c9f5b4d 100644 --- a/test/ssltest.c +++ b/test/ssltest.c 
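Review bot: The gcm_ghash_v8 header comment in the `@@ -47,114 +52,277 @@` hunk of crypto/modes/asm/ghashv8-armx.pl says only that the length is "divisible by block size", but the new body assumes it is also non-zero. It loads I[0] unconditionally (`vld1.64 {$t0},[$inp],#16`) before `b.lo .Lodd_tail_v8`, and the odd-tail path always multiplies one block before reaching `.Ldone_v8`. A len of 0 would therefore read 16 bytes from inp and fold them into Xi, so the precondition should be spelled out, e.g. `# length of input data in bytes, non-zero and divisible by block size;`. Whether every caller already guarantees len >= 16 is not visible in this diff.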
@@ -1394,16 +1394,18 @@ int main(int argc, char *argv[]) } } ssl_comp_methods = SSL_COMP_get_compression_methods(); - fprintf(stderr, "Available compression methods:\n"); + fprintf(stderr, "Available compression methods:"); { int j, n = sk_SSL_COMP_num(ssl_comp_methods); if (n == 0) fprintf(stderr, " NONE\n"); - else + else { for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - fprintf(stderr, " %d: %s\n", c->id, c->name); + fprintf(stderr, " %s:%d", c->name, c->id); } + fprintf(stderr, "\n"); + } } #endif From steve at openssl.org Fri Apr 3 20:43:40 2015 
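Review bot: The new `else {` branch of the compression-method listing in test/ssltest.c is braced while the `if (n == 0)` branch above it is not. When one arm of a conditional needs braces, bracing both keeps the block structure obvious: `if (n == 0) {` … `} else {`. Separately, the new `fprintf(stderr, " %s:%d", c->name, c->id);` passes `c->name` to `%s` unchecked; if a method can be registered without a name (not visible in this hunk), `c->name ? c->name : "(unnamed)"` would avoid undefined behaviour. main() starts and ends outside the hunk.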
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 03 Apr 2015 20:43:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428093820.940014.3061.nullmailer@dev.openssl.org> The branch master has been updated via 40cf45456602ae3d7e6c00fdbe0f5eeab24f8afc (commit) via 19fcbc8949136032ee8b1888d2834ee45640e11e (commit) via 865b55ac8e32e9815d20b55fb05e66b61558cf6d (commit) via a469a6770a769ff88a077f4705134db9c89f653b (commit) via 1880790e2ed2474c61bdbd9283ab6fe19c605a9f (commit) via cc5b6a03a320f1bdace59ea8f41c3d525202d38e (commit) via 4fb6b0def17df98d6d16418b4b23dfde54a980ae (commit) from 22ebaae08c6c10de1e6b0225531c94e5866070d7 (commit) - Log ----------------------------------------------------------------- commit 40cf45456602ae3d7e6c00fdbe0f5eeab24f8afc Author: Dr. Stephen Henson Date: Mon Mar 30 20:28:52 2015 +0100 update ordinals Reviewed-by: Rich Salz commit 19fcbc8949136032ee8b1888d2834ee45640e11e Author: Dr. Stephen Henson Date: Mon Mar 30 20:24:44 2015 +0100 make depend Reviewed-by: Rich Salz commit 865b55ac8e32e9815d20b55fb05e66b61558cf6d Author: Dr. Stephen Henson Date: Mon Mar 30 20:11:02 2015 +0100 remove asn1_mac.h Reviewed-by: Rich Salz commit a469a6770a769ff88a077f4705134db9c89f653b Author: Dr. Stephen Henson Date: Mon Mar 30 20:31:34 2015 +0100 Remove old ASN.1 functions. Reviewed-by: Rich Salz commit 1880790e2ed2474c61bdbd9283ab6fe19c605a9f Author: Dr. Stephen Henson Date: Fri Apr 3 18:28:06 2015 +0100 Remove unnecessary use of ASN1_const_CTX Reviewed-by: Rich Salz commit cc5b6a03a320f1bdace59ea8f41c3d525202d38e Author: Dr. Stephen Henson Date: Sun Mar 29 14:07:06 2015 +0100 Rewrite ssl_asn1.c using new ASN.1 code. Complete reimplementation of d2i_SSL_SESSION and i2d_SSL_SESSION using new ASN.1 code and eliminating use of old ASN.1 macros. Reviewed-by: Rich Salz commit 4fb6b0def17df98d6d16418b4b23dfde54a980ae Author: Dr. Stephen Henson Date: Sun Mar 29 17:51:43 2015 +0100 Add macro to implement static encode functions. 
Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/asn1/Makefile | 8 +- crypto/asn1/a_d2i_fp.c | 26 +- crypto/asn1/asn1_lib.c | 61 ---- include/openssl/asn1.h | 38 --- include/openssl/asn1_mac.h | 579 ------------------------------------ include/openssl/asn1t.h | 13 + ssl/Makefile | 2 +- ssl/ssl_asn1.c | 714 +++++++++++++++++---------------------------- util/libeay.num | 8 +- util/mkdef.pl | 1 - 10 files changed, 311 insertions(+), 1139 deletions(-) delete mode 100644 include/openssl/asn1_mac.h diff --git a/crypto/asn1/Makefile b/crypto/asn1/Makefile index 2187b04..7f3dd0d 100644 --- a/crypto/asn1/Makefile +++ b/crypto/asn1/Makefile @@ -314,10 +314,10 @@ asn1_gen.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h asn1_gen.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h asn1_gen.o: ../cryptlib.h asn1_gen.c asn1_lib.o: ../../e_os.h ../../include/openssl/asn1.h -asn1_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h -asn1_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -asn1_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h -asn1_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h +asn1_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +asn1_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +asn1_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h +asn1_lib.o: ../../include/openssl/opensslconf.h asn1_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h asn1_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h asn1_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h asn1_lib.c diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index c0d9e1e..af1f7c6 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c 
@@ -146,12 +146,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) BUF_MEM *b; unsigned char *p; int i; - ASN1_const_CTX c; size_t want = HEADER_SIZE; int eos = 0; size_t off = 0; size_t len = 0; + const unsigned char *q; + long slen; + int inf, tag, xclass; + b = BUF_MEM_new(); if (b == NULL) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); @@ -183,10 +186,9 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) /* else data already loaded */ p = (unsigned char *)&(b->data[off]); - c.p = p; - c.inf = ASN1_get_object(&(c.p), &(c.slen), &(c.tag), &(c.xclass), - len - off); - if (c.inf & 0x80) { + q = p; + inf = ASN1_get_object(&q, &slen, &tag, &xclass, len - off); + if (inf & 0x80) { unsigned long e; e = ERR_GET_REASON(ERR_peek_error()); @@ -195,10 +197,10 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) else ERR_clear_error(); /* clear error */ } - i = c.p - p; /* header length */ + i = q - p; /* header length */ off += i; /* end of data */ - if (c.inf & 1) { + if (inf & 1) { /* no data body so go round again */ eos++; if (eos < 0) { @@ -206,7 +208,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) goto err; } want = HEADER_SIZE; - } else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC)) { + } else if (eos && (slen == 0) && (tag == V_ASN1_EOC)) { /* eos value, so go back and read another header */ eos--; if (eos <= 0) @@ -214,8 +216,8 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) else want = HEADER_SIZE; } else { - /* suck in c.slen bytes of data */ - want = c.slen; + /* suck in slen bytes of data */ + want = slen; if (want > (len - off)) { want -= (len - off); if (want > INT_MAX /* BIO_read takes an int length */ || @@ -242,11 +244,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) want -= i; } } - if (off + c.slen < off) { + if (off + slen < off) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); goto err; } - off += c.slen; + off += slen; if (eos <= 0) { break; } else 
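Review bot: In asn1_d2i_read_bio the new `long slen` is mixed with `size_t` values without an explicit conversion. Both `want = slen;` in the `@@ -214,8 +216,8 @@` hunk and the wrap check `if (off + slen < off)` in the `@@ -242,11 +244,11 @@` hunk rely on the implicit signed-to-unsigned conversion. The length is taken from the encoding being parsed, so the assumption is worth making visible: reject `slen < 0` once after the `ASN1_get_object` call, then write `want = (size_t)slen;` and `if (off + (size_t)slen < off)`. Whether ASN1_get_object can leave a negative value in `slen` on the non-error path is not visible in this diff. The function body starts and ends outside these hunks.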
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 2e36cff..b29e636 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -60,7 +60,6 @@ #include #include "cryptlib.h" #include -#include static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max); @@ -279,57 +278,6 @@ int ASN1_object_size(int constructed, int length, int tag) return (ret); } -static int _asn1_Finish(ASN1_const_CTX *c) -{ - if ((c->inf == (1 | V_ASN1_CONSTRUCTED)) && (!c->eos)) { - if (!ASN1_const_check_infinite_end(&c->p, c->slen)) { - c->error = ERR_R_MISSING_ASN1_EOS; - return (0); - } - } - if (((c->slen != 0) && !(c->inf & 1)) || ((c->slen < 0) && (c->inf & 1))) { - c->error = ERR_R_ASN1_LENGTH_MISMATCH; - return (0); - } - return (1); -} - -int asn1_Finish(ASN1_CTX *c) -{ - return _asn1_Finish((ASN1_const_CTX *)c); -} - -int asn1_const_Finish(ASN1_const_CTX *c) -{ - return _asn1_Finish(c); -} - -int asn1_GetSequence(ASN1_const_CTX *c, long *length) -{ - const unsigned char *q; - - q = c->p; - c->inf = ASN1_get_object(&(c->p), &(c->slen), &(c->tag), &(c->xclass), - *length); - if (c->inf & 0x80) { - c->error = ERR_R_BAD_GET_ASN1_OBJECT_CALL; - return (0); - } - if (c->tag != V_ASN1_SEQUENCE) { - c->error = ERR_R_EXPECTING_AN_ASN1_SEQUENCE; - return (0); - } - (*length) -= (c->p - q); - if (c->max && (*length < 0)) { - c->error = ERR_R_ASN1_LENGTH_MISMATCH; - return (0); - } - if (c->inf == (1 | V_ASN1_CONSTRUCTED)) - c->slen = *length + *(c->pp) - c->p; - c->eos = 0; - return (1); -} - int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) { if (str == NULL) 
@@ -451,15 +399,6 @@ int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) return (i); } -void asn1_add_error(const unsigned char *address, int offset) -{ - char buf1[DECIMAL_SIZE(address) + 1], buf2[DECIMAL_SIZE(offset) + 1]; - - BIO_snprintf(buf1, sizeof buf1, "%lu", (unsigned long)address); - BIO_snprintf(buf2, sizeof buf2, "%d", offset); - ERR_add_error_data(4, "address=", buf1, " offset=", buf2); -} - int ASN1_STRING_length(const ASN1_STRING *x) { return x->length; diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index 30de831..b1bcef7 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h 
@@ -159,41 +159,6 @@ extern "C" { struct X509_algor_st; DECLARE_STACK_OF(X509_ALGOR) -/* - * We MUST make sure that, except for constness, asn1_ctx_st and - * asn1_const_ctx are exactly the same. Fortunately, as soon as the old ASN1 - * parsing macros are gone, we can throw this away as well... - */ -typedef struct asn1_ctx_st { - unsigned char *p; /* work char pointer */ - int eos; /* end of sequence read for indefinite - * encoding */ - int error; /* error code to use when returning an error */ - int inf; /* constructed if 0x20, indefinite is 0x21 */ - int tag; /* tag from last 'get object' */ - int xclass; /* class from last 'get object' */ - long slen; /* length of last 'get object' */ - unsigned char *max; /* largest value of p allowed */ - unsigned char *q; /* temporary variable */ - unsigned char **pp; /* variable */ - int line; /* used in error processing */ -} ASN1_CTX; - -typedef struct asn1_const_ctx_st { - const unsigned char *p; /* work char pointer */ - int eos; /* end of sequence read for indefinite - * encoding */ - int error; /* error code to use when returning an error */ - int inf; /* constructed if 0x20, indefinite is 0x21 */ - int tag; /* tag from last 'get object' */ - int xclass; /* class from last 'get object' */ - long slen; /* length of last 'get object' */ - const unsigned char *max; /* largest value of p allowed */ - const unsigned char *q; /* temporary variable */ - const unsigned char **pp; /* variable */ - int line; /* used in error processing */ -} ASN1_const_CTX; - # define ASN1_STRING_FLAG_BITS_LEFT 0x08/* Set if 0x07 has bits left value */ /* * This indicates that the ASN1_STRING is not a real value but just a place 
@@ -727,9 +692,6 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn); int ASN1_PRINTABLE_type(const unsigned char *s, int max); unsigned long ASN1_tag2bit(int tag); -/* PARSING */ -int asn1_Finish(ASN1_CTX *c); -int asn1_const_Finish(ASN1_const_CTX *c); /* SPECIALS */ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, diff --git a/include/openssl/asn1_mac.h b/include/openssl/asn1_mac.h deleted file mode 100644 index abc6dc3..0000000 --- a/include/openssl/asn1_mac.h +++ /dev/null 
@@ -1,579 +0,0 @@ -/* crypto/asn1/asn1_mac.h */ -/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay at cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh at cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay at cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#ifndef HEADER_ASN1_MAC_H -# define HEADER_ASN1_MAC_H - -# include - -#ifdef __cplusplus -extern "C" { -#endif - -# ifndef ASN1_MAC_ERR_LIB -# define ASN1_MAC_ERR_LIB ERR_LIB_ASN1 -# endif - -# define ASN1_MAC_H_err(f,r,line) \ - ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line)) - -# define M_ASN1_D2I_vars(a,type,func) \ - ASN1_const_CTX c; \ - type ret=NULL; \ - \ - c.pp=(const unsigned char **)pp; \ - c.q= *(const unsigned char **)pp; \ - c.error=ERR_R_NESTED_ASN1_ERROR; \ - if ((a == NULL) || ((*a) == NULL)) \ - { if ((ret=(type)func()) == NULL) \ - { c.line=__LINE__; goto err; } } \ - else ret=(*a); - -# define M_ASN1_D2I_Init() \ - c.p= *(const unsigned char **)pp; \ - c.max=(length == 0)?0:(c.p+length); - -# define M_ASN1_D2I_Finish_2(a) \ - if (!asn1_const_Finish(&c)) \ - { c.line=__LINE__; goto err; } \ - *(const unsigned char **)pp=c.p; \ - if (a != NULL) (*a)=ret; \ - return(ret); - -# define M_ASN1_D2I_Finish(a,func,e) \ - M_ASN1_D2I_Finish_2(a); \ -err:\ - ASN1_MAC_H_err((e),c.error,c.line); \ - asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \ - if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ - return(NULL) - -# define M_ASN1_D2I_start_sequence() \ - if (!asn1_GetSequence(&c,&length)) \ - { c.line=__LINE__; goto err; } -/* Begin reading ASN1 without a surrounding sequence */ -# define M_ASN1_D2I_begin() \ - c.slen = length; - -/* End reading ASN1 with no check on length */ -# define M_ASN1_D2I_Finish_nolen(a, func, e) \ - *pp=c.p; \ - if (a != NULL) (*a)=ret; \ - return(ret); \ -err:\ - ASN1_MAC_H_err((e),c.error,c.line); \ - asn1_add_error(*pp,(int)(c.q- *pp)); \ - if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ - return(NULL) - -# define M_ASN1_D2I_end_sequence() \ - (((c.inf&1) == 0)?(c.slen <= 0): \ - (c.eos=ASN1_const_check_infinite_end(&c.p,c.slen))) - -/* Don't use this with d2i_ASN1_BOOLEAN() */ -# define M_ASN1_D2I_get(b, func) \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) == NULL) \ - 
{c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -/* Don't use this with d2i_ASN1_BOOLEAN() */ -# define M_ASN1_D2I_get_x(type,b,func) \ - c.q=c.p; \ - if (((D2I_OF(type))func)(&(b),&c.p,c.slen) == NULL) \ - {c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -/* use this instead () */ -# define M_ASN1_D2I_get_int(b,func) \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) < 0) \ - {c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -# define M_ASN1_D2I_get_opt(b,func,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \ - == (V_ASN1_UNIVERSAL|(type)))) \ - { \ - M_ASN1_D2I_get(b,func); \ - } - -# define M_ASN1_D2I_get_int_opt(b,func,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \ - == (V_ASN1_UNIVERSAL|(type)))) \ - { \ - M_ASN1_D2I_get_int(b,func); \ - } - -# define M_ASN1_D2I_get_imp(b,func, type) \ - M_ASN1_next=(_tmp& V_ASN1_CONSTRUCTED)|type; \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) == NULL) \ - {c.line=__LINE__; M_ASN1_next_prev = _tmp; goto err; } \ - c.slen-=(c.p-c.q);\ - M_ASN1_next_prev=_tmp; - -# define M_ASN1_D2I_get_IMP_opt(b,func,tag,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) == \ - (V_ASN1_CONTEXT_SPECIFIC|(tag)))) \ - { \ - unsigned char _tmp = M_ASN1_next; \ - M_ASN1_D2I_get_imp(b,func, type);\ - } - -# define M_ASN1_D2I_get_set(r,func,free_func) \ - M_ASN1_D2I_get_imp_set(r,func,free_func, \ - V_ASN1_SET,V_ASN1_UNIVERSAL); - -# define M_ASN1_D2I_get_set_type(type,r,func,free_func) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func, \ - V_ASN1_SET,V_ASN1_UNIVERSAL); - -# define M_ASN1_D2I_get_set_opt(r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SET)))\ - { M_ASN1_D2I_get_set(r,func,free_func); } - -# define M_ASN1_D2I_get_set_opt_type(type,r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SET)))\ - { M_ASN1_D2I_get_set_type(type,r,func,free_func); } - 
-# define M_ASN1_I2D_len_SET_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_len_SET(a,f); - -# define M_ASN1_I2D_put_SET_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_put_SET(a,f); - -# define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_put_SEQUENCE(a,f); - -# define M_ASN1_I2D_put_SEQUENCE_opt_type(type,a,f) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - M_ASN1_I2D_put_SEQUENCE_type(type,a,f); - -# define M_ASN1_D2I_get_IMP_set_opt(b,func,free_func,tag) \ - if ((c.slen != 0) && \ - (M_ASN1_next == \ - (V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\ - { \ - M_ASN1_D2I_get_imp_set(b,func,free_func,\ - tag,V_ASN1_CONTEXT_SPECIFIC); \ - } - -# define M_ASN1_D2I_get_IMP_set_opt_type(type,b,func,free_func,tag) \ - if ((c.slen != 0) && \ - (M_ASN1_next == \ - (V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\ - { \ - M_ASN1_D2I_get_imp_set_type(type,b,func,free_func,\ - tag,V_ASN1_CONTEXT_SPECIFIC); \ - } - -# define M_ASN1_D2I_get_seq(r,func,free_func) \ - M_ASN1_D2I_get_imp_set(r,func,free_func,\ - V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL); - -# define M_ASN1_D2I_get_seq_type(type,r,func,free_func) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\ - V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL) - -# define M_ASN1_D2I_get_seq_opt(r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\ - { M_ASN1_D2I_get_seq(r,func,free_func); } - -# define M_ASN1_D2I_get_seq_opt_type(type,r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\ - { M_ASN1_D2I_get_seq_type(type,r,func,free_func); } - -# define M_ASN1_D2I_get_IMP_set(r,func,free_func,x) \ - M_ASN1_D2I_get_imp_set(r,func,free_func,\ - x,V_ASN1_CONTEXT_SPECIFIC); - -# define M_ASN1_D2I_get_IMP_set_type(type,r,func,free_func,x) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\ - x,V_ASN1_CONTEXT_SPECIFIC); - 
-# define M_ASN1_D2I_get_imp_set(r,func,free_func,a,b) \ - c.q=c.p; \ - if (d2i_ASN1_SET(&(r),&c.p,c.slen,(char *(*)())func,\ - (void (*)())free_func,a,b) == NULL) \ - { c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -# define M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,a,b) \ - c.q=c.p; \ - if (d2i_ASN1_SET_OF_##type(&(r),&c.p,c.slen,func,\ - free_func,a,b) == NULL) \ - { c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -# define M_ASN1_D2I_get_set_strings(r,func,a,b) \ - c.q=c.p; \ - if (d2i_ASN1_STRING_SET(&(r),&c.p,c.slen,a,b) == NULL) \ - { c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -# define M_ASN1_D2I_get_EXP_opt(r,func,tag) \ - if ((c.slen != 0L) && (M_ASN1_next == \ - (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \ - { \ - int Tinf,Ttag,Tclass; \ - long Tlen; \ - \ - c.q=c.p; \ - Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \ - if (Tinf & 0x80) \ - { c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \ - c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) \ - Tlen = c.slen - (c.p - c.q) - 2; \ - if (func(&(r),&c.p,Tlen) == NULL) \ - { c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \ - Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_const_check_infinite_end(&c.p, Tlen)) \ - { c.error=ERR_R_MISSING_ASN1_EOS; \ - c.line=__LINE__; goto err; } \ - }\ - c.slen-=(c.p-c.q); \ - } - -# define M_ASN1_D2I_get_EXP_set_opt(r,func,free_func,tag,b) \ - if ((c.slen != 0) && (M_ASN1_next == \ - (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \ - { \ - int Tinf,Ttag,Tclass; \ - long Tlen; \ - \ - c.q=c.p; \ - Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \ - if (Tinf & 0x80) \ - { c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \ - c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) \ - Tlen = c.slen - (c.p - c.q) - 2; \ - if (d2i_ASN1_SET(&(r),&c.p,Tlen,(char *(*)())func, \ - (void (*)())free_func, \ - b,V_ASN1_UNIVERSAL) == NULL) \ - { c.line=__LINE__; goto err; } \ - if (Tinf == 
(V_ASN1_CONSTRUCTED+1)) { \ - Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_check_infinite_end(&c.p, Tlen)) \ - { c.error=ERR_R_MISSING_ASN1_EOS; \ - c.line=__LINE__; goto err; } \ - }\ - c.slen-=(c.p-c.q); \ - } - -# define M_ASN1_D2I_get_EXP_set_opt_type(type,r,func,free_func,tag,b) \ - if ((c.slen != 0) && (M_ASN1_next == \ - (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \ - { \ - int Tinf,Ttag,Tclass; \ - long Tlen; \ - \ - c.q=c.p; \ - Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \ - if (Tinf & 0x80) \ - { c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \ - c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) \ - Tlen = c.slen - (c.p - c.q) - 2; \ - if (d2i_ASN1_SET_OF_##type(&(r),&c.p,Tlen,func, \ - free_func,b,V_ASN1_UNIVERSAL) == NULL) \ - { c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \ - Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_check_infinite_end(&c.p, Tlen)) \ - { c.error=ERR_R_MISSING_ASN1_EOS; \ - c.line=__LINE__; goto err; } \ - }\ - c.slen-=(c.p-c.q); \ - } - -/* New macros */ -# define M_ASN1_New_Malloc(ret,type) \ - if ((ret=(type *)OPENSSL_malloc(sizeof(type))) == NULL) \ - { c.line=__LINE__; goto err2; } - -# define M_ASN1_New(arg,func) \ - if (((arg)=func()) == NULL) return(NULL) - -# define M_ASN1_New_Error(a) \ -/*- err: ASN1_MAC_H_err((a),ERR_R_NESTED_ASN1_ERROR,c.line); \ - return(NULL);*/ \ - err2: ASN1_MAC_H_err((a),ERR_R_MALLOC_FAILURE,c.line); \ - return(NULL) - -/* - * BIG UGLY WARNING! This is so damn ugly I wanna puke. Unfortunately, some - * macros that use ASN1_const_CTX still insist on writing in the input - * stream. ARGH! ARGH! ARGH! Let's get rid of this macro package. Please? 
-- - * Richard Levitte - */ -# define M_ASN1_next (*((unsigned char *)(c.p))) -# define M_ASN1_next_prev (*((unsigned char *)(c.q))) - -/*************************************************/ - -# define M_ASN1_I2D_vars(a) int r=0,ret=0; \ - unsigned char *p; \ - if (a == NULL) return(0) - -/* Length Macros */ -# define M_ASN1_I2D_len(a,f) ret+=f(a,NULL) -# define M_ASN1_I2D_len_IMP_opt(a,f) if (a != NULL) M_ASN1_I2D_len(a,f) - -# define M_ASN1_I2D_len_SET(a,f) \ - ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET); - -# define M_ASN1_I2D_len_SET_type(type,a,f) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SET, \ - V_ASN1_UNIVERSAL,IS_SET); - -# define M_ASN1_I2D_len_SEQUENCE(a,f) \ - ret+=i2d_ASN1_SET(a,NULL,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); - -# define M_ASN1_I2D_len_SEQUENCE_type(type,a,f) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SEQUENCE, \ - V_ASN1_UNIVERSAL,IS_SEQUENCE) - -# define M_ASN1_I2D_len_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_len_SEQUENCE(a,f); - -# define M_ASN1_I2D_len_SEQUENCE_opt_type(type,a,f) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - M_ASN1_I2D_len_SEQUENCE_type(type,a,f); - -# define M_ASN1_I2D_len_IMP_SET(a,f,x) \ - ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET); - -# define M_ASN1_I2D_len_IMP_SET_type(type,a,f,x) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC,IS_SET); - -# define M_ASN1_I2D_len_IMP_SET_opt(a,f,x) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \ - IS_SET); - -# define M_ASN1_I2D_len_IMP_SET_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC,IS_SET); - -# define M_ASN1_I2D_len_IMP_SEQUENCE(a,f,x) \ - ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); - -# define M_ASN1_I2D_len_IMP_SEQUENCE_opt(a,f,x) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - 
ret+=i2d_ASN1_SET(a,NULL,f,x,V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); - -# define M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); - -# define M_ASN1_I2D_len_EXP_opt(a,f,mtag,v) \ - if (a != NULL)\ - { \ - v=f(a,NULL); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -# define M_ASN1_I2D_len_EXP_SET_opt(a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_num(a) != 0))\ - { \ - v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL,IS_SET); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -# define M_ASN1_I2D_len_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_num(a) != 0))\ - { \ - v=i2d_ASN1_SET(a,NULL,f,tag,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -# define M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_##type##_num(a) != 0))\ - { \ - v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ - V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -/* Put Macros */ -# define M_ASN1_I2D_put(a,f) f(a,&p) - -# define M_ASN1_I2D_put_IMP_opt(a,f,t) \ - if (a != NULL) \ - { \ - unsigned char *q=p; \ - f(a,&p); \ - *q=(V_ASN1_CONTEXT_SPECIFIC|t|(*q&V_ASN1_CONSTRUCTED));\ - } - -# define M_ASN1_I2D_put_SET(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SET,\ - V_ASN1_UNIVERSAL,IS_SET) -# define M_ASN1_I2D_put_SET_type(type,a,f) \ - i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET) -# define M_ASN1_I2D_put_IMP_SET(a,f,x) i2d_ASN1_SET(a,&p,f,x,\ - V_ASN1_CONTEXT_SPECIFIC,IS_SET) -# define M_ASN1_I2D_put_IMP_SET_type(type,a,f,x) \ - i2d_ASN1_SET_OF_##type(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET) -# define M_ASN1_I2D_put_IMP_SEQUENCE(a,f,x) i2d_ASN1_SET(a,&p,f,x,\ - V_ASN1_CONTEXT_SPECIFIC,IS_SEQUENCE) - -# define M_ASN1_I2D_put_SEQUENCE(a,f) i2d_ASN1_SET(a,&p,f,V_ASN1_SEQUENCE,\ - V_ASN1_UNIVERSAL,IS_SEQUENCE) - -# define M_ASN1_I2D_put_SEQUENCE_type(type,a,f) \ 
- i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE) - -# define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_put_SEQUENCE(a,f); - -# define M_ASN1_I2D_put_IMP_SET_opt(a,f,x) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - { i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \ - IS_SET); } - -# define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { i2d_ASN1_SET_OF_##type(a,&p,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SET); } - -# define M_ASN1_I2D_put_IMP_SEQUENCE_opt(a,f,x) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - { i2d_ASN1_SET(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); } - -# define M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { i2d_ASN1_SET_OF_##type(a,&p,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); } - -# define M_ASN1_I2D_put_EXP_opt(a,f,tag,v) \ - if (a != NULL) \ - { \ - ASN1_put_object(&p,1,v,tag,V_ASN1_CONTEXT_SPECIFIC); \ - f(a,&p); \ - } - -# define M_ASN1_I2D_put_EXP_SET_opt(a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - { \ - ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ - i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SET); \ - } - -# define M_ASN1_I2D_put_EXP_SEQUENCE_opt(a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - { \ - ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ - i2d_ASN1_SET(a,&p,f,tag,V_ASN1_UNIVERSAL,IS_SEQUENCE); \ - } - -# define M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { \ - ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ - i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); \ - } - -# define M_ASN1_I2D_seq_total() \ - r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ - if (pp == NULL) return(r); \ - p= *pp; \ - ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL) - -# define 
M_ASN1_I2D_INF_seq_start(tag,ctx) \ - *(p++)=(V_ASN1_CONSTRUCTED|(tag)|(ctx)); \ - *(p++)=0x80 - -# define M_ASN1_I2D_INF_seq_end() *(p++)=0x00; *(p++)=0x00 - -# define M_ASN1_I2D_finish() *pp=p; \ - return(r); - -int asn1_GetSequence(ASN1_const_CTX *c, long *length); -void asn1_add_error(const unsigned char *address, int offset); -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h index 7a2611e..dfd9dac 100644 --- a/include/openssl/asn1t.h +++ b/include/openssl/asn1t.h @@ -825,6 +825,19 @@ typedef struct ASN1_STREAM_ARG_st { return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\ } +# define IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(stname) \ + static stname *d2i_##stname(stname **a, \ + const unsigned char **in, long len) \ + { \ + return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \ + ASN1_ITEM_rptr(stname)); \ + } \ + static int i2d_##stname(stname *a, unsigned char **out) \ + { \ + return ASN1_item_i2d((ASN1_VALUE *)a, out, \ + ASN1_ITEM_rptr(stname)); \ + } + /* * This includes evil casts to remove const: they will go away when full ASN1 * constification is done. diff --git a/ssl/Makefile b/ssl/Makefile index 07a4f29..ef10a11 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -674,7 +674,7 @@ ssl_algs.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ssl_algs.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssl_algs.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_algs.o: record/record.h ssl_algs.c ssl_locl.h -ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1_mac.h +ssl_asn1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/asn1t.h ssl_asn1.o: ../include/openssl/bio.h ../include/openssl/buffer.h ssl_asn1.o: ../include/openssl/comp.h ../include/openssl/crypto.h ssl_asn1.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index dd02b41..fb2a495 100644 --- a/ssl/ssl_asn1.c 
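Review bot: The new `IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS` macro in include/openssl/asn1t.h is added to a public header without any comment saying when to use it. It always emits both `static` functions, so a source file that calls only one of `d2i_##stname` / `i2d_##stname` will presumably get an unused-function warning. I would add a comment above the `# define`, for example `/* Emits file-local (static) d2i_<stname>() and i2d_<stname>() for a template used only inside one source file; both functions are always defined. */`.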
+++ b/ssl/ssl_asn1.c 
@@ -85,537 +85,373 @@ #include #include #include "ssl_locl.h" -#include -#include +#include #include -typedef struct ssl_session_asn1_st { - ASN1_INTEGER version; - ASN1_INTEGER ssl_version; - ASN1_OCTET_STRING cipher; - ASN1_OCTET_STRING comp_id; - ASN1_OCTET_STRING master_key; - ASN1_OCTET_STRING session_id; - ASN1_OCTET_STRING session_id_context; +typedef struct { + long version; + long ssl_version; + ASN1_OCTET_STRING *cipher; + ASN1_OCTET_STRING *comp_id; + ASN1_OCTET_STRING *master_key; + ASN1_OCTET_STRING *session_id; #ifndef OPENSSL_NO_KRB5 - ASN1_OCTET_STRING krb5_princ; -#endif /* OPENSSL_NO_KRB5 */ - ASN1_INTEGER time; - ASN1_INTEGER timeout; - ASN1_INTEGER verify_result; + ASN1_OCTET_STRING *krb5_princ; +#endif + ASN1_OCTET_STRING *key_arg; + long time; + long timeout; + X509 *peer; + ASN1_OCTET_STRING *session_id_context; + long verify_result; #ifndef OPENSSL_NO_TLSEXT - ASN1_OCTET_STRING tlsext_hostname; - ASN1_INTEGER tlsext_tick_lifetime; - ASN1_OCTET_STRING tlsext_tick; -#endif /* OPENSSL_NO_TLSEXT */ -#ifndef OPENSSL_NO_PSK - ASN1_OCTET_STRING psk_identity_hint; - ASN1_OCTET_STRING psk_identity; -#endif /* OPENSSL_NO_PSK */ + ASN1_OCTET_STRING *tlsext_hostname; + long tlsext_tick_lifetime_hint; + ASN1_OCTET_STRING *tlsext_tick; +#endif +#ifndef OPENSSL_NO_TLSEXT + ASN1_OCTET_STRING *psk_identity_hint; + ASN1_OCTET_STRING *psk_identity; +#endif #ifndef OPENSSL_NO_SRP - ASN1_OCTET_STRING srp_username; -#endif /* OPENSSL_NO_SRP */ - ASN1_INTEGER flags; + ASN1_OCTET_STRING *srp_username; +#endif + long flags; } SSL_SESSION_ASN1; +ASN1_SEQUENCE(SSL_SESSION_ASN1) = { + ASN1_SIMPLE(SSL_SESSION_ASN1, version, LONG), + ASN1_SIMPLE(SSL_SESSION_ASN1, ssl_version, LONG), + ASN1_SIMPLE(SSL_SESSION_ASN1, cipher, ASN1_OCTET_STRING), + ASN1_SIMPLE(SSL_SESSION_ASN1, session_id, ASN1_OCTET_STRING), + ASN1_SIMPLE(SSL_SESSION_ASN1, master_key, ASN1_OCTET_STRING), +#ifndef OPENSSL_NO_KRB5 + ASN1_OPT(SSL_SESSION_ASN1, krb5_princ, ASN1_OCTET_STRING), +#endif + 
ASN1_IMP_OPT(SSL_SESSION_ASN1, key_arg, ASN1_OCTET_STRING, 0), + ASN1_EXP_OPT(SSL_SESSION_ASN1, time, ZLONG, 1), + ASN1_EXP_OPT(SSL_SESSION_ASN1, timeout, ZLONG, 2), + ASN1_EXP_OPT(SSL_SESSION_ASN1, peer, X509, 3), + ASN1_EXP_OPT(SSL_SESSION_ASN1, session_id_context, ASN1_OCTET_STRING, 4), + ASN1_EXP_OPT(SSL_SESSION_ASN1, verify_result, ZLONG, 5), +#ifndef OPENSSL_NO_TLSEXT + ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_hostname, ASN1_OCTET_STRING, 6), +#endif +#ifndef OPENSSL_NO_PSK + ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity_hint, ASN1_OCTET_STRING, 7), + ASN1_EXP_OPT(SSL_SESSION_ASN1, psk_identity, ASN1_OCTET_STRING, 8), +#endif +#ifndef OPENSSL_NO_TLSEXT + ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick_lifetime_hint, ZLONG, 9), + ASN1_EXP_OPT(SSL_SESSION_ASN1, tlsext_tick, ASN1_OCTET_STRING, 10), +#endif + ASN1_EXP_OPT(SSL_SESSION_ASN1, comp_id, ASN1_OCTET_STRING, 11), +#ifndef OPENSSL_NO_SRP + ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12), +#endif + ASN1_EXP_OPT(SSL_SESSION_ASN1, flags, ZLONG, 13) +} ASN1_SEQUENCE_END(SSL_SESSION_ASN1) + +IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1) + +/* Utility functions for i2d_SSL_SESSION */ + +/* Initialise OCTET STRING from buffer and length */ + +static void ssl_session_oinit(ASN1_OCTET_STRING **dest, ASN1_OCTET_STRING *os, + unsigned char *data, size_t len) +{ + os->data = data; + os->length = len; + os->flags = 0; + *dest = os; +} + +/* Initialise OCTET STRING from string */ +static void ssl_session_sinit(ASN1_OCTET_STRING **dest, ASN1_OCTET_STRING *os, + char *data) +{ + if (data != NULL) + ssl_session_oinit(dest, os, (unsigned char *)data, strlen(data)); + else + *dest = NULL; +} + int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) { -#define LSIZE2 (sizeof(long)*2) - int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0; - unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2]; - unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2]; + + SSL_SESSION_ASN1 as; + + ASN1_OCTET_STRING 
cipher; + unsigned char cipher_data[2]; + ASN1_OCTET_STRING master_key, session_id, sid_ctx; + +#ifndef OPENSSL_NO_COMP + ASN1_OCTET_STRING comp_id; + unsigned char comp_id_data; +#endif + #ifndef OPENSSL_NO_TLSEXT - int v6 = 0, v9 = 0, v10 = 0; - unsigned char ibuf6[LSIZE2]; + ASN1_OCTET_STRING tlsext_hostname, tlsext_tick; #endif -#ifndef OPENSSL_NO_COMP - unsigned char cbuf; - int v11 = 0; + +#ifndef OPENSSL_NO_KRB5 + ASN1_OCTET_STRING krb5_princ; #endif + #ifndef OPENSSL_NO_SRP - int v12 = 0; + ASN1_OCTET_STRING srp_username; +#endif + +#ifndef OPENSSL_NO_PSK + ASN1_OCTET_STRING psk_identity, psk_identity_hint; #endif - unsigned char fbuf[LSIZE2]; - int v13 = 0; + long l; - SSL_SESSION_ASN1 a; - M_ASN1_I2D_vars(in); if ((in == NULL) || ((in->cipher == NULL) && (in->cipher_id == 0))) - return (0); - - /* - * Note that I cheat in the following 2 assignments. I know that if the - * ASN1_INTEGER passed to ASN1_INTEGER_set is > sizeof(long)+1, the - * buffer will not be re-OPENSSL_malloc()ed. 
This is a bit evil but makes - * things simple, no dynamic allocation to clean up :-) - */ - a.version.length = LSIZE2; - a.version.type = V_ASN1_INTEGER; - a.version.data = ibuf1; - ASN1_INTEGER_set(&(a.version), SSL_SESSION_ASN1_VERSION); - - a.ssl_version.length = LSIZE2; - a.ssl_version.type = V_ASN1_INTEGER; - a.ssl_version.data = ibuf2; - ASN1_INTEGER_set(&(a.ssl_version), in->ssl_version); - - a.cipher.type = V_ASN1_OCTET_STRING; - a.cipher.data = buf; + return 0; + + memset(&as, 0, sizeof(as)); + + as.version = SSL_SESSION_ASN1_VERSION; + as.ssl_version = in->ssl_version; if (in->cipher == NULL) l = in->cipher_id; else l = in->cipher->id; - a.cipher.length = 2; - buf[0] = ((unsigned char)(l >> 8L)) & 0xff; - buf[1] = ((unsigned char)(l)) & 0xff; + cipher_data[0] = ((unsigned char)(l >> 8L)) & 0xff; + cipher_data[1] = ((unsigned char)(l)) & 0xff; + + ssl_session_oinit(&as.cipher, &cipher, cipher_data, 2); #ifndef OPENSSL_NO_COMP if (in->compress_meth) { - cbuf = (unsigned char)in->compress_meth; - a.comp_id.length = 1; - a.comp_id.type = V_ASN1_OCTET_STRING; - a.comp_id.data = &cbuf; + comp_id_data = (unsigned char)in->compress_meth; + ssl_session_oinit(&as.comp_id, &comp_id, &comp_id_data, 1); } #endif - a.master_key.length = in->master_key_length; - a.master_key.type = V_ASN1_OCTET_STRING; - a.master_key.data = in->master_key; - - a.session_id.length = in->session_id_length; - a.session_id.type = V_ASN1_OCTET_STRING; - a.session_id.data = in->session_id; + ssl_session_oinit(&as.master_key, &master_key, + in->master_key, in->master_key_length); - a.session_id_context.length = in->sid_ctx_length; - a.session_id_context.type = V_ASN1_OCTET_STRING; - a.session_id_context.data = in->sid_ctx; + ssl_session_oinit(&as.session_id, &session_id, + in->session_id, in->session_id_length); + ssl_session_oinit(&as.session_id_context, &sid_ctx, + in->sid_ctx, in->sid_ctx_length); #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { - a.krb5_princ.length = 
in->krb5_client_princ_len; - a.krb5_princ.type = V_ASN1_OCTET_STRING; - a.krb5_princ.data = in->krb5_client_princ; + ssl_session_oinit(&as.krb5_princ, &krb5_princ, + in->krb5_client_princ, in->krb5_client_princ_len); } #endif /* OPENSSL_NO_KRB5 */ - if (in->time != 0L) { - a.time.length = LSIZE2; - a.time.type = V_ASN1_INTEGER; - a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); - } + as.time = in->time; + as.timeout = in->timeout; + as.verify_result = in->verify_result; - if (in->timeout != 0L) { - a.timeout.length = LSIZE2; - a.timeout.type = V_ASN1_INTEGER; - a.timeout.data = ibuf4; - ASN1_INTEGER_set(&(a.timeout), in->timeout); - } + as.peer = in->peer; - if (in->verify_result != X509_V_OK) { - a.verify_result.length = LSIZE2; - a.verify_result.type = V_ASN1_INTEGER; - a.verify_result.data = ibuf5; - ASN1_INTEGER_set(&a.verify_result, in->verify_result); - } #ifndef OPENSSL_NO_TLSEXT - if (in->tlsext_hostname) { - a.tlsext_hostname.length = strlen(in->tlsext_hostname); - a.tlsext_hostname.type = V_ASN1_OCTET_STRING; - a.tlsext_hostname.data = (unsigned char *)in->tlsext_hostname; - } + ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname, + in->tlsext_hostname); if (in->tlsext_tick) { - a.tlsext_tick.length = in->tlsext_ticklen; - a.tlsext_tick.type = V_ASN1_OCTET_STRING; - a.tlsext_tick.data = (unsigned char *)in->tlsext_tick; - } - if (in->tlsext_tick_lifetime_hint > 0) { - a.tlsext_tick_lifetime.length = LSIZE2; - a.tlsext_tick_lifetime.type = V_ASN1_INTEGER; - a.tlsext_tick_lifetime.data = ibuf6; - ASN1_INTEGER_set(&a.tlsext_tick_lifetime, - in->tlsext_tick_lifetime_hint); + ssl_session_oinit(&as.tlsext_tick, &tlsext_tick, + in->tlsext_tick, in->tlsext_ticklen); } + if (in->tlsext_tick_lifetime_hint > 0) + as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint; #endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) { - a.psk_identity_hint.length = strlen(in->psk_identity_hint); - a.psk_identity_hint.type = 
V_ASN1_OCTET_STRING; - a.psk_identity_hint.data = (unsigned char *)(in->psk_identity_hint); - } - if (in->psk_identity) { - a.psk_identity.length = strlen(in->psk_identity); - a.psk_identity.type = V_ASN1_OCTET_STRING; - a.psk_identity.data = (unsigned char *)(in->psk_identity); - } + ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint, + in->psk_identity_hint); + ssl_session_sinit(&as.psk_identity, &psk_identity, in->psk_identity); #endif /* OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_SRP - if (in->srp_username) { - a.srp_username.length = strlen(in->srp_username); - a.srp_username.type = V_ASN1_OCTET_STRING; - a.srp_username.data = (unsigned char *)(in->srp_username); - } + ssl_session_sinit(&as.srp_username, &srp_username, in->srp_username); #endif /* OPENSSL_NO_SRP */ - if (in->flags) { - a.flags.length = LSIZE2; - a.flags.type = V_ASN1_INTEGER; - a.flags.data = fbuf; - ASN1_INTEGER_set(&a.flags, in->flags); - } + as.flags = in->flags; - M_ASN1_I2D_len(&(a.version), i2d_ASN1_INTEGER); - M_ASN1_I2D_len(&(a.ssl_version), i2d_ASN1_INTEGER); - M_ASN1_I2D_len(&(a.cipher), i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_len(&(a.session_id), i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_len(&(a.master_key), i2d_ASN1_OCTET_STRING); -#ifndef OPENSSL_NO_KRB5 - if (in->krb5_client_princ_len) - M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); -#endif /* OPENSSL_NO_KRB5 */ - if (in->time != 0L) - M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); - if (in->timeout != 0L) - M_ASN1_I2D_len_EXP_opt(&(a.timeout), i2d_ASN1_INTEGER, 2, v2); - if (in->peer != NULL) - M_ASN1_I2D_len_EXP_opt(in->peer, i2d_X509, 3, v3); - M_ASN1_I2D_len_EXP_opt(&a.session_id_context, i2d_ASN1_OCTET_STRING, 4, - v4); - if (in->verify_result != X509_V_OK) - M_ASN1_I2D_len_EXP_opt(&(a.verify_result), i2d_ASN1_INTEGER, 5, v5); + return i2d_SSL_SESSION_ASN1(&as, pp); -#ifndef OPENSSL_NO_TLSEXT - if (in->tlsext_tick_lifetime_hint > 0) - M_ASN1_I2D_len_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, - 
v9); - if (in->tlsext_tick) - M_ASN1_I2D_len_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, - v10); - if (in->tlsext_hostname) - M_ASN1_I2D_len_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, - v6); -# ifndef OPENSSL_NO_COMP - if (in->compress_meth) - M_ASN1_I2D_len_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11); -# endif -#endif /* OPENSSL_NO_TLSEXT */ -#ifndef OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, - 7, v7); - if (in->psk_identity) - M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, - v8); -#endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_SRP - if (in->srp_username) - M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, - v12); -#endif /* OPENSSL_NO_SRP */ - if (in->flags) - M_ASN1_I2D_len_EXP_opt(&(a.flags), i2d_ASN1_INTEGER, 13, v13); +} - M_ASN1_I2D_seq_total(); +/* Utility functions for d2i_SSL_SESSION */ - M_ASN1_I2D_put(&(a.version), i2d_ASN1_INTEGER); - M_ASN1_I2D_put(&(a.ssl_version), i2d_ASN1_INTEGER); - M_ASN1_I2D_put(&(a.cipher), i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_put(&(a.session_id), i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_put(&(a.master_key), i2d_ASN1_OCTET_STRING); -#ifndef OPENSSL_NO_KRB5 - if (in->krb5_client_princ_len) - M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); -#endif /* OPENSSL_NO_KRB5 */ - if (in->time != 0L) - M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); - if (in->timeout != 0L) - M_ASN1_I2D_put_EXP_opt(&(a.timeout), i2d_ASN1_INTEGER, 2, v2); - if (in->peer != NULL) - M_ASN1_I2D_put_EXP_opt(in->peer, i2d_X509, 3, v3); - M_ASN1_I2D_put_EXP_opt(&a.session_id_context, i2d_ASN1_OCTET_STRING, 4, - v4); - if (in->verify_result != X509_V_OK) - M_ASN1_I2D_put_EXP_opt(&a.verify_result, i2d_ASN1_INTEGER, 5, v5); -#ifndef OPENSSL_NO_TLSEXT - if (in->tlsext_hostname) - M_ASN1_I2D_put_EXP_opt(&(a.tlsext_hostname), i2d_ASN1_OCTET_STRING, 6, - v6); -#endif /* OPENSSL_NO_TLSEXT */ -#ifndef 
OPENSSL_NO_PSK - if (in->psk_identity_hint) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity_hint), i2d_ASN1_OCTET_STRING, - 7, v7); - if (in->psk_identity) - M_ASN1_I2D_put_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, - v8); -#endif /* OPENSSL_NO_PSK */ -#ifndef OPENSSL_NO_TLSEXT - if (in->tlsext_tick_lifetime_hint > 0) - M_ASN1_I2D_put_EXP_opt(&a.tlsext_tick_lifetime, i2d_ASN1_INTEGER, 9, - v9); - if (in->tlsext_tick) - M_ASN1_I2D_put_EXP_opt(&(a.tlsext_tick), i2d_ASN1_OCTET_STRING, 10, - v10); -#endif /* OPENSSL_NO_TLSEXT */ -#ifndef OPENSSL_NO_COMP - if (in->compress_meth) - M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11); -#endif -#ifndef OPENSSL_NO_SRP - if (in->srp_username) - M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, - v12); -#endif /* OPENSSL_NO_SRP */ - if (in->flags) - M_ASN1_I2D_put_EXP_opt(&a.flags, i2d_ASN1_INTEGER, 13, v13); - M_ASN1_I2D_finish(); +/* BUF_strndup an OCTET STRING */ + +static int ssl_session_strndup(char **pdst, ASN1_OCTET_STRING *src) +{ + if (*pdst) { + OPENSSL_free(*pdst); + *pdst = NULL; + } + if (src == NULL) + return 1; + *pdst = BUF_strndup((char *)src->data, src->length); + if (*pdst == NULL) + return 0; + return 1; +} + +/* Copy an OCTET STRING, return error if it exceeds maximum length */ + +static int ssl_session_memcpy(unsigned char *dst, unsigned int *pdstlen, + ASN1_OCTET_STRING *src, int maxlen) +{ + if (src == NULL) { + *pdstlen = 0; + return 1; + } + if (src->length > maxlen) + return 0; + memcpy(dst, src->data, src->length); + *pdstlen = src->length; + return 1; } SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) { - int ssl_version = 0, i; long id; - ASN1_INTEGER ai, *aip; - ASN1_OCTET_STRING os, *osp; - M_ASN1_D2I_vars(a, SSL_SESSION *, SSL_SESSION_new); - - aip = &ai; - osp = &os; - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - - ai.data = NULL; - ai.length = 0; - M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER); - if 
(ai.data != NULL) { - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } + unsigned int tmpl; + const unsigned char *p = *pp; + SSL_SESSION_ASN1 *as = NULL; + SSL_SESSION *ret = NULL; + + as = d2i_SSL_SESSION_ASN1(NULL, &p, length); + /* ASN.1 code returns suitable error */ + if (as == NULL) + goto err; - /* we don't care about the version right now :-) */ - M_ASN1_D2I_get_x(ASN1_INTEGER, aip, d2i_ASN1_INTEGER); - ssl_version = (int)ASN1_INTEGER_get(aip); - ret->ssl_version = ssl_version; - if (ai.data != NULL) { - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; + if (0) { + i2d_SSL_SESSION_ASN1(NULL, NULL); } - os.data = NULL; - os.length = 0; - M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING); - if ((ssl_version >> 8) == SSL3_VERSION_MAJOR - || (ssl_version >> 8) == DTLS1_VERSION_MAJOR - || ssl_version == DTLS1_BAD_VER) { - if (os.length != 2) { - c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH; - c.line = __LINE__; + if (!a || !*a) { + ret = SSL_SESSION_new(); + if (ret == NULL) goto err; - } - id = 0x03000000L | - ((unsigned long)os.data[0] << 8L) | (unsigned long)os.data[1]; } else { - c.error = SSL_R_UNKNOWN_SSL_VERSION; - c.line = __LINE__; + ret = *a; + } + + if (as->version != SSL_SESSION_ASN1_VERSION) { + SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_UNKNOWN_SSL_VERSION); goto err; } - ret->cipher = NULL; - ret->cipher_id = id; + if ((as->ssl_version >> 8) != SSL3_VERSION_MAJOR + && (as->ssl_version >> 8) != DTLS1_VERSION_MAJOR + && as->ssl_version != DTLS1_BAD_VER) { + SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION); + goto err; + } - M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING); - i = SSL3_MAX_SSL_SESSION_ID_LENGTH; + ret->ssl_version = (int)as->ssl_version; - if (os.length > i) - os.length = i; - if (os.length > (int)sizeof(ret->session_id)) /* can't happen */ - os.length = sizeof(ret->session_id); + if (as->cipher->length != 2) { + SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_CIPHER_CODE_WRONG_LENGTH); + goto 
err; + } - ret->session_id_length = os.length; - OPENSSL_assert(os.length <= (int)sizeof(ret->session_id)); - memcpy(ret->session_id, os.data, os.length); + p = as->cipher->data; + id = 0x03000000L | ((unsigned long)p[0] << 8L) | (unsigned long)p[1]; - M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING); - if (os.length > SSL_MAX_MASTER_KEY_LENGTH) - ret->master_key_length = SSL_MAX_MASTER_KEY_LENGTH; - else - ret->master_key_length = os.length; - memcpy(ret->master_key, os.data, ret->master_key_length); + ret->cipher = NULL; + ret->cipher_id = id; - os.length = 0; + if (!ssl_session_memcpy(ret->session_id, &ret->session_id_length, + as->session_id, SSL3_MAX_SSL_SESSION_ID_LENGTH)) + goto err; + + if (!ssl_session_memcpy(ret->master_key, &tmpl, + as->master_key, SSL_MAX_MASTER_KEY_LENGTH)) + goto err; + + ret->master_key_length = tmpl; #ifndef OPENSSL_NO_KRB5 - os.length = 0; - M_ASN1_D2I_get_opt(osp, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING); - if (os.data) { - if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH) - ret->krb5_client_princ_len = 0; - else - ret->krb5_client_princ_len = os.length; - memcpy(ret->krb5_client_princ, os.data, ret->krb5_client_princ_len); - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->krb5_client_princ_len = 0; + if (!ssl_session_memcpy(ret->krb5_client_princ, &ret->krb5_client_princ_len, + as->krb5_princ, SSL_MAX_PRINCIPAL_LENGTH)) + goto err; #endif /* OPENSSL_NO_KRB5 */ - M_ASN1_D2I_get_IMP_opt(osp, d2i_ASN1_OCTET_STRING, 0, - V_ASN1_OCTET_STRING); - if (os.data != NULL) - OPENSSL_free(os.data); - - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); - if (ai.data != NULL) { - ret->time = ASN1_INTEGER_get(aip); - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } else + if (as->time != 0) + ret->time = as->time; + else ret->time = (unsigned long)time(NULL); - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 2); - if (ai.data != NULL) { - ret->timeout = 
ASN1_INTEGER_get(aip); - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } else + if (as->timeout != 0) + ret->timeout = as->timeout; + else ret->timeout = 3; - if (ret->peer != NULL) { - X509_free(ret->peer); - ret->peer = NULL; - } - M_ASN1_D2I_get_EXP_opt(ret->peer, d2i_X509, 3); + X509_free(ret->peer); + ret->peer = as->peer; + as->peer = NULL; - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 4); + if (!ssl_session_memcpy(ret->sid_ctx, &ret->sid_ctx_length, + as->session_id_context, SSL_MAX_SID_CTX_LENGTH)) + goto err; - if (os.data != NULL) { - if (os.length > SSL_MAX_SID_CTX_LENGTH) { - c.error = SSL_R_BAD_LENGTH; - c.line = __LINE__; - goto err; - } else { - ret->sid_ctx_length = os.length; - memcpy(ret->sid_ctx, os.data, os.length); - } - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->sid_ctx_length = 0; - - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 5); - if (ai.data != NULL) { - ret->verify_result = ASN1_INTEGER_get(aip); - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->verify_result = X509_V_OK; + /* NB: this defaults to zero which is X509_V_OK */ + ret->verify_result = as->verify_result; #ifndef OPENSSL_NO_TLSEXT - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 6); - if (os.data) { - ret->tlsext_hostname = BUF_strndup((char *)os.data, os.length); - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->tlsext_hostname = NULL; + if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname)) + goto err; #endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_PSK - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 7); - if (os.data) { - ret->psk_identity_hint = BUF_strndup((char *)os.data, os.length); - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity_hint = NULL; - - os.length = 0; - os.data = NULL; - 
M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 8); - if (os.data) { - ret->psk_identity = BUF_strndup((char *)os.data, os.length); - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->psk_identity = NULL; -#endif /* OPENSSL_NO_PSK */ + if (!ssl_session_strndup(&ret->psk_identity_hint, as->psk_identity_hint)) + goto err; + if (!ssl_session_strndup(&ret->psk_identity, as->psk_identity)) + goto err; +#endif #ifndef OPENSSL_NO_TLSEXT - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 9); - if (ai.data != NULL) { - ret->tlsext_tick_lifetime_hint = ASN1_INTEGER_get(aip); - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->tlsext_tick_lifetime_hint = 0; - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 10); - if (os.data) { - ret->tlsext_tick = os.data; - ret->tlsext_ticklen = os.length; - os.data = NULL; - os.length = 0; - } else + ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint; + if (as->tlsext_tick) { + ret->tlsext_tick = as->tlsext_tick->data; + ret->tlsext_ticklen = as->tlsext_tick->length; + as->tlsext_tick->data = NULL; + } else { ret->tlsext_tick = NULL; + } #endif /* OPENSSL_NO_TLSEXT */ #ifndef OPENSSL_NO_COMP - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 11); - if (os.data) { - ret->compress_meth = os.data[0]; - OPENSSL_free(os.data); - os.data = NULL; + if (as->comp_id) { + if (as->comp_id->length != 1) { + SSLerr(SSL_F_D2I_SSL_SESSION, SSL_R_BAD_LENGTH); + goto err; + } + ret->compress_meth = as->comp_id->data[0]; + } else { + ret->compress_meth = 0; } #endif #ifndef OPENSSL_NO_SRP - os.length = 0; - os.data = NULL; - M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 12); - if (os.data) { - ret->srp_username = BUF_strndup((char *)os.data, os.length); - OPENSSL_free(os.data); - os.data = NULL; - os.length = 0; - } else - ret->srp_username = NULL; + if (!ssl_session_strndup(&ret->srp_username, 
as->srp_username)) + goto err; #endif /* OPENSSL_NO_SRP */ - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 13); - if (ai.data != NULL) { - ret->flags = ASN1_INTEGER_get(aip); - OPENSSL_free(ai.data); - ai.data = NULL; - ai.length = 0; - } else - ret->flags = 0; - - M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION); + /* Flags defaults to zero which is fine */ + ret->flags = as->flags; + + M_ASN1_free_of(as, SSL_SESSION_ASN1); + + if ((a != NULL) && (*a == NULL)) + *a = ret; + *pp = p; + return ret; + + err: + M_ASN1_free_of(as, SSL_SESSION_ASN1); + if ((a == NULL) || (*a != ret)) + SSL_SESSION_free(ret); + return NULL; } diff --git a/util/libeay.num b/util/libeay.num index 54a4ccc..c5d6ae9 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -692,8 +692,8 @@ _des_crypt 698 NOEXIST::FUNCTION: a2d_ASN1_OBJECT 699 EXIST::FUNCTION: a2i_ASN1_INTEGER 700 EXIST::FUNCTION: a2i_ASN1_STRING 701 EXIST::FUNCTION: -asn1_Finish 702 EXIST::FUNCTION: -asn1_GetSequence 703 EXIST::FUNCTION: +asn1_Finish 702 NOEXIST::FUNCTION: +asn1_GetSequence 703 NOEXIST::FUNCTION: bn_div_words 704 NOEXIST::FUNCTION: bn_expand2 705 NOEXIST::FUNCTION: bn_mul_add_words 706 NOEXIST::FUNCTION: @@ -1060,7 +1060,7 @@ EVP_rc5_32_12_16_cbc 1087 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_cfb64 1088 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ecb 1089 EXIST::FUNCTION:RC5 EVP_rc5_32_12_16_ofb 1090 EXIST::FUNCTION:RC5 -asn1_add_error 1091 EXIST::FUNCTION: +asn1_add_error 1091 NOEXIST::FUNCTION: d2i_ASN1_BMPSTRING 1092 EXIST::FUNCTION: i2d_ASN1_BMPSTRING 1093 EXIST::FUNCTION: BIO_f_ber 1094 NOEXIST::FUNCTION: 
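Review bot: In d2i_SSL_SESSION the success path ends with `*pp = p;`, but `p` was reassigned earlier to `as->cipher->data` to read the two cipher bytes, and `as` has already been released by `M_ASN1_free_of(as, SSL_SESSION_ASN1)` by then. The caller's input pointer is therefore left pointing into freed memory rather than just past the bytes consumed by `d2i_SSL_SESSION_ASN1(NULL, &p, length)`, so a caller that keeps parsing from `*pp` would use a dangling pointer. Keep `p` as the parse cursor and read the cipher through a separate local declared with the others, e.g. `const unsigned char *cdata;`, then `cdata = as->cipher->data;` and `id = 0x03000000L | ((unsigned long)cdata[0] << 8L) | (unsigned long)cdata[1];`. Separately, the new struct guards `psk_identity_hint` and `psk_identity` with `#ifndef OPENSSL_NO_TLSEXT`, while the ASN1_SEQUENCE template and both converters guard them with `OPENSSL_NO_PSK`. The struct guard should read `#ifndef OPENSSL_NO_PSK` so that a build with TLSEXT disabled and PSK enabled still compiles.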
@@ -3295,7 +3295,7 @@ PEM_write_X509_CERT_PAIR 3696 NOEXIST::FUNCTION: BIO_dump_indent_cb 3697 EXIST::FUNCTION: d2i_X509_CERT_PAIR 3698 NOEXIST::FUNCTION: STORE_list_private_key_endp 3699 NOEXIST::FUNCTION: -asn1_const_Finish 3700 EXIST::FUNCTION: +asn1_const_Finish 3700 NOEXIST::FUNCTION: i2d_EC_PUBKEY_fp 3701 EXIST::FUNCTION:EC,STDIO BN_nist_mod_256 3702 EXIST::FUNCTION: X509_VERIFY_PARAM_add0_table 3703 EXIST::FUNCTION: diff --git a/util/mkdef.pl b/util/mkdef.pl index 7f1c093..674ad1e 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -309,7 +309,6 @@ $crypto.=" include/openssl/pem.h"; #$crypto.=" include/openssl/meth.h"; $crypto.=" include/openssl/asn1.h"; $crypto.=" include/openssl/asn1t.h"; -$crypto.=" include/openssl/asn1_mac.h"; $crypto.=" include/openssl/err.h" ; # unless $no_err; $crypto.=" include/openssl/pkcs7.h"; $crypto.=" include/openssl/pkcs12.h"; From matt at openssl.org Tue Apr 7 22:39:45 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 07 Apr 2015 22:39:45 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428446385.411904.4692.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 9da34ad6cb09e8f57093da5003839894b09fb701 (commit) from a63d3ac012f4a1c3e7440dc9d419d8bc6041ee46 (commit) - Log ----------------------------------------------------------------- commit 9da34ad6cb09e8f57093da5003839894b09fb701 Author: John Foley Date: Tue Apr 7 23:05:05 2015 +0100 Fix intermittent s_server issues with ECDHE Resolve a problem when using s_server with ECDHE cipher suites in OpenSSL_1_0_1-stable. Due to an uninitialized variable, SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug appears to have been introduced by 059907771b89549cbd07a81df1a5bdf51e062066. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/s_server.c b/apps/s_server.c index 1220f49..35b4061 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -998,7 +998,7 @@ int MAIN(int argc, char *argv[]) int off = 0; int no_tmp_rsa = 0, no_dhe = 0, nocert = 0; #ifndef OPENSSL_NO_ECDH - int no_ecdhe; + int no_ecdhe = 0; #endif int state = 0; const SSL_METHOD *meth = NULL; From emilia at openssl.org Wed Apr 8 14:43:13 2015 From: emilia at openssl.org (Emilia Kasper) Date: Wed, 08 Apr 2015 14:43:13 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428504193.881619.9388.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via a20db08e77b62ee673e493e9bcbf0cacc5291f68 (commit) from 9da34ad6cb09e8f57093da5003839894b09fb701 (commit) - Log ----------------------------------------------------------------- commit a20db08e77b62ee673e493e9bcbf0cacc5291f68 Author: Emilia Kasper Date: Wed Apr 1 17:08:45 2015 +0200 Harden SSLv2-supporting servers against Bleichenbacher's attack. There is no indication that the timing differences are exploitable in OpenSSL, and indeed there is some indication (Usenix '14) that they are too small to be exploitable. Nevertheless, be careful and apply the same countermeasures as in s3_srvr.c Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for reporting this issue. Reviewed-by: Richard Levitte (cherry picked from commit ae50d8270026edf5b3c7f8aaa0c6677462b33d97) ----------------------------------------------------------------------- Summary of changes: ssl/s2_srvr.c | 104 ++++++++++++++++++++++++++++------------------------------ 1 file changed, 51 insertions(+), 53 deletions(-) diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 19bb48c..4289272 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -111,6 +111,7 @@ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 +#include "../crypto/constant_time_locl.h" # include # include # include 
@@ -372,12 +373,15 @@ int ssl2_accept(SSL *s) static int get_client_master_key(SSL *s) { int is_export, i, n, keya; - unsigned int ek; + unsigned int num_encrypted_key_bytes, key_length; unsigned long len; unsigned char *p; const SSL_CIPHER *cp; const EVP_CIPHER *c; const EVP_MD *md; + unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; + unsigned char decrypt_good; + size_t j; p = (unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { @@ -465,12 +469,6 @@ static int get_client_master_key(SSL *s) return (0); } - if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { - is_export = 1; - ek = 8; - } else - ek = 5; - /* * The format of the CLIENT-MASTER-KEY message is * 1 byte message type 
@@ -484,12 +482,27 @@ static int get_client_master_key(SSL *s) * * If the cipher is an export cipher, then the encrypted key bytes * are a fixed portion of the total key (5 or 8 bytes). The size of - * this portion is in |ek|. If the cipher is not an export cipher, - * then the entire key material is encrypted (i.e., clear key length - * must be zero). + * this portion is in |num_encrypted_key_bytes|. If the cipher is not an + * export cipher, then the entire key material is encrypted (i.e., clear + * key length must be zero). */ - if ((!is_export && s->s2->tmp.clear != 0) || - (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) { + key_length = (unsigned int)EVP_CIPHER_key_length(c); + if (key_length > SSL_MAX_MASTER_KEY_LENGTH) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); + return -1; + } + + if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { + is_export = 1; + num_encrypted_key_bytes = 8; + } else if (is_export) { + num_encrypted_key_bytes = 5; + } else { + num_encrypted_key_bytes = key_length; + } + + if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); return -1; 
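Review bot: The `else if (is_export)` branch reads `is_export` on a path where this hunk has not assigned it, so the 5-byte export case relies on an assignment earlier in get_client_master_key, which starts and ends outside the hunk; that is presumably there, but worth confirming, because an indeterminate value would select the wrong `num_encrypted_key_bytes`. The single check `s->s2->tmp.clear + num_encrypted_key_bytes != key_length` now also carries the old non-export rule that the clear part must be empty, which is easy to miss when reading the code. A comment above it such as `/* non-export: num_encrypted_key_bytes == key_length, so this also rejects tmp.clear != 0 */` would record that.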
@@ -499,64 +512,49 @@ static int get_client_master_key(SSL *s) * Decryption can't be expanding, so if we don't have enough encrypted * bytes to fit the key in the buffer, stop now. */ - if ((is_export && s->s2->tmp.enc < ek) || - (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) { + if (s->s2->tmp.enc < num_encrypted_key_bytes) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); return -1; } + /* + * We must not leak whether a decryption failure occurs because of + * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, + * section 7.4.7.1). The code follows that advice of the TLS RFC and + * generates a random premaster secret for the case that the decrypt + * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 + */ + + /* + * should be RAND_bytes, but we cannot work around a failure. + */ + if (RAND_pseudo_bytes(rand_premaster_secret, + (int)num_encrypted_key_bytes) <= 0) + return 0; + i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, &(p[s->s2->tmp.clear]), &(p[s->s2->tmp.clear]), (s->s2->ssl2_rollback) ? 
RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); - - /* bad decrypt */ -# if 1 + ERR_clear_error(); /* * If a bad decrypt, continue with protocol but with a random master * secret (Bleichenbacher attack) */ - if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) - || (is_export && i != (int)ek))) { - ERR_clear_error(); - if (is_export) - i = ek; - else - i = EVP_CIPHER_key_length(c); - if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) - return 0; - } -# else - if (i < 0) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_BAD_RSA_DECRYPT); - } - /* incorrect number of key bytes for non export cipher */ - else if ((!is_export && (i != EVP_CIPHER_key_length(c))) - || (is_export && ((i != ek) || (s->s2->tmp.clear + i != - EVP_CIPHER_key_length(c))))) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_WRONG_NUMBER_OF_KEY_BITS); - } - if (error) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - return (-1); + decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes); + for (j = 0; j < num_encrypted_key_bytes; j++) { + p[s->s2->tmp.clear + j] = + constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j], + rand_premaster_secret[j]); } -# endif - if (is_export) - i = EVP_CIPHER_key_length(c); + s->session->master_key_length = (int)key_length; + memcpy(s->session->master_key, p, key_length); + OPENSSL_cleanse(p, key_length); - if (i > SSL_MAX_MASTER_KEY_LENGTH) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); - return -1; - } - s->session->master_key_length = i; - memcpy(s->session->master_key, p, (unsigned int)i); - return (1); + return 1; } static int get_client_hello(SSL *s) From emilia at openssl.org Wed Apr 8 14:43:13 2015 
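Review bot: `rand_premaster_secret` is left on the stack at return although, on a failed decrypt, its bytes are what the select loop copies into the key material; adding `OPENSSL_cleanse(rand_premaster_secret, sizeof(rand_premaster_secret));` beside the existing `OPENSSL_cleanse(p, key_length);` would cover it. The `RAND_pseudo_bytes(...) <= 0` path returns 0 without `ssl2_return_error()` or `SSLerr()`, unlike the length checks just above it, so a failure there leaves nothing to diagnose. The constant-time select hides only the comparison of `i` with the expected length; whether `ssl_rsa_private_decrypt()` itself is free of padding-dependent timing cannot be judged from this hunk, and the function starts outside it. The same hunk appears again in the OpenSSL_1_0_2-stable copy of this commit further down the page.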
From: emilia at openssl.org (Emilia Kasper) Date: Wed, 08 Apr 2015 14:43:13 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428504193.938634.9410.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via ae50d8270026edf5b3c7f8aaa0c6677462b33d97 (commit) from ff864ffef33b4b09bb31ca3b0e17e1c85b65c2c8 (commit) - Log ----------------------------------------------------------------- commit ae50d8270026edf5b3c7f8aaa0c6677462b33d97 Author: Emilia Kasper Date: Wed Apr 1 17:08:45 2015 +0200 Harden SSLv2-supporting servers against Bleichenbacher's attack. There is no indication that the timing differences are exploitable in OpenSSL, and indeed there is some indication (Usenix '14) that they are too small to be exploitable. Nevertheless, be careful and apply the same countermeasures as in s3_srvr.c Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for reporting this issue. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: ssl/s2_srvr.c | 104 ++++++++++++++++++++++++++++------------------------------ 1 file changed, 51 insertions(+), 53 deletions(-) diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 19bb48c..4289272 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -111,6 +111,7 @@ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 +#include "../crypto/constant_time_locl.h" # include # include # include @@ -372,12 +373,15 @@ int ssl2_accept(SSL *s) static int get_client_master_key(SSL *s) { int is_export, i, n, keya; - unsigned int ek; + unsigned int num_encrypted_key_bytes, key_length; unsigned long len; unsigned char *p; const SSL_CIPHER *cp; const EVP_CIPHER *c; const EVP_MD *md; + unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; + unsigned char decrypt_good; + size_t j; p = (unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { 
@@ -465,12 +469,6 @@ static int get_client_master_key(SSL *s) return (0); } - if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { - is_export = 1; - ek = 8; - } else - ek = 5; - /* * The format of the CLIENT-MASTER-KEY message is * 1 byte message type @@ -484,12 +482,27 @@ static int get_client_master_key(SSL *s) * * If the cipher is an export cipher, then the encrypted key bytes * are a fixed portion of the total key (5 or 8 bytes). The size of - * this portion is in |ek|. If the cipher is not an export cipher, - * then the entire key material is encrypted (i.e., clear key length - * must be zero). + * this portion is in |num_encrypted_key_bytes|. If the cipher is not an + * export cipher, then the entire key material is encrypted (i.e., clear + * key length must be zero). */ - if ((!is_export && s->s2->tmp.clear != 0) || - (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) { + key_length = (unsigned int)EVP_CIPHER_key_length(c); + if (key_length > SSL_MAX_MASTER_KEY_LENGTH) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); + return -1; + } + + if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { + is_export = 1; + num_encrypted_key_bytes = 8; + } else if (is_export) { + num_encrypted_key_bytes = 5; + } else { + num_encrypted_key_bytes = key_length; + } + + if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); return -1; 
@@ -499,64 +512,49 @@ static int get_client_master_key(SSL *s) * Decryption can't be expanding, so if we don't have enough encrypted * bytes to fit the key in the buffer, stop now. */ - if ((is_export && s->s2->tmp.enc < ek) || - (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) { + if (s->s2->tmp.enc < num_encrypted_key_bytes) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); return -1; } + /* + * We must not leak whether a decryption failure occurs because of + * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, + * section 7.4.7.1). The code follows that advice of the TLS RFC and + * generates a random premaster secret for the case that the decrypt + * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 + */ + + /* + * should be RAND_bytes, but we cannot work around a failure. + */ + if (RAND_pseudo_bytes(rand_premaster_secret, + (int)num_encrypted_key_bytes) <= 0) + return 0; + i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, &(p[s->s2->tmp.clear]), &(p[s->s2->tmp.clear]), (s->s2->ssl2_rollback) ? 
RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); - - /* bad decrypt */ -# if 1 + ERR_clear_error(); /* * If a bad decrypt, continue with protocol but with a random master * secret (Bleichenbacher attack) */ - if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) - || (is_export && i != (int)ek))) { - ERR_clear_error(); - if (is_export) - i = ek; - else - i = EVP_CIPHER_key_length(c); - if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) - return 0; - } -# else - if (i < 0) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_BAD_RSA_DECRYPT); - } - /* incorrect number of key bytes for non export cipher */ - else if ((!is_export && (i != EVP_CIPHER_key_length(c))) - || (is_export && ((i != ek) || (s->s2->tmp.clear + i != - EVP_CIPHER_key_length(c))))) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_WRONG_NUMBER_OF_KEY_BITS); - } - if (error) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - return (-1); + decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes); + for (j = 0; j < num_encrypted_key_bytes; j++) { + p[s->s2->tmp.clear + j] = + constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j], + rand_premaster_secret[j]); } -# endif - if (is_export) - i = EVP_CIPHER_key_length(c); + s->session->master_key_length = (int)key_length; + memcpy(s->session->master_key, p, key_length); + OPENSSL_cleanse(p, key_length); - if (i > SSL_MAX_MASTER_KEY_LENGTH) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); - return -1; - } - s->session->master_key_length = i; - memcpy(s->session->master_key, p, (unsigned int)i); - return (1); + return 1; } static int get_client_hello(SSL *s) From levitte at openssl.org Wed Apr 8 15:15:30 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 15:15:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428506130.186758.15184.nullmailer@dev.openssl.org> The branch master has been updated via 2da2a4349c1598ad0648405fe175e7846d893c45 (commit) via 04958e84d8079fa57a782db70f003c38b5b156fd (commit) via c25dea53e9db2b4956c315f85dae3f1c2854fd2b (commit) from 40cf45456602ae3d7e6c00fdbe0f5eeab24f8afc (commit) - Log ----------------------------------------------------------------- commit 2da2a4349c1598ad0648405fe175e7846d893c45 Author: Richard Levitte Date: Sat Apr 4 16:53:44 2015 +0200 Appease clang -Wshadow The macros BSWAP4 and BSWAP8 have statetemnt expressions implementations that use local variable names that shadow variables outside the macro call, generating warnings like this e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable [-Wshadow] seqnum = BSWAP8(blocks[0].q[0]); ^ ../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8' ^ e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here size_t ret = 0; ^ Have clang be quiet by modifying the macro variable names slightly (suffixing them with an underscore). Reviewed-by: Rich Salz commit 04958e84d8079fa57a782db70f003c38b5b156fd Author: Richard Levitte Date: Sat Apr 4 16:33:20 2015 +0200 Appease clang -Wgnu-statement-expression We use GNU statement expressions in crypto/md32_common.h, surrounded by checks that GNU C is indeed used to compile. It seems that clang, at least on Linux, pretends to be GNU C, therefore finds the statement expressions and then warns about them. The solution is to have clang be quiet about it. Reviewed-by: Rich Salz commit c25dea53e9db2b4956c315f85dae3f1c2854fd2b Author: Richard Levitte Date: Sat Apr 4 16:22:26 2015 +0200 Appease clang -Wempty-translation-unit ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one declaration [-Wempty-translation-unit] ^ 1 warning generated. 
Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 2 +- crypto/ebcdic.c | 2 +- crypto/modes/modes_lcl.h | 38 +++++++++++++++++++------------------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/Configure b/Configure index 97c2573..d51653a 100755 --- a/Configure +++ b/Configure @@ -112,7 +112,7 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DDEBUG_UNUSED"; -my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum"; +my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum -Wno-gnu-statement-expression"; my $strict_warnings = 0; diff --git a/crypto/ebcdic.c b/crypto/ebcdic.c index 4b7652c..fd6df92 100644 --- a/crypto/ebcdic.c +++ b/crypto/ebcdic.c 
@@ -3,7 +3,7 @@ #ifndef CHARSET_EBCDIC # include -# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX) +# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX) || defined(__clang__) static void *dummy = &dummy; # endif diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_lcl.h index 90b92c0..0fd11ce 100644 --- a/crypto/modes/modes_lcl.h +++ b/crypto/modes/modes_lcl.h 
@@ -38,36 +38,36 @@ typedef unsigned char u8; #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) # if defined(__GNUC__) && __GNUC__>=2 # if defined(__x86_64) || defined(__x86_64__) -# define BSWAP8(x) ({ u64 ret=(x); \ +# define BSWAP8(x) ({ u64 ret_=(x); \ asm ("bswapq %0" \ - : "+r"(ret)); ret; }) -# define BSWAP4(x) ({ u32 ret=(x); \ + : "+r"(ret_)); ret_; }) +# define BSWAP4(x) ({ u32 ret_=(x); \ asm ("bswapl %0" \ - : "+r"(ret)); ret; }) + : "+r"(ret_)); ret_; }) # elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) -# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ +# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ asm ("bswapl %0; bswapl %1" \ - : "+r"(hi),"+r"(lo)); \ - (u64)hi<<32|lo; }) -# define BSWAP4(x) ({ u32 ret=(x); \ + : "+r"(hi_),"+r"(lo_)); \ + (u64)hi_<<32|lo_; }) +# define BSWAP4(x) ({ u32 ret_=(x); \ asm ("bswapl %0" \ - : "+r"(ret)); ret; }) + : "+r"(ret_)); ret_; }) # elif defined(__aarch64__) -# define BSWAP8(x) ({ u64 ret; \ +# define BSWAP8(x) ({ u64 ret_; \ asm ("rev %0,%1" \ - : "=r"(ret) : "r"(x)); ret; }) -# define BSWAP4(x) ({ u32 ret; \ + : "=r"(ret_) : "r"(x)); ret_; }) +# define BSWAP4(x) ({ u32 ret_; \ asm ("rev %w0,%w1" \ - : "=r"(ret) : "r"(x)); ret; }) + : "=r"(ret_) : "r"(x)); ret_; }) # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) -# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ +# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ asm ("rev %0,%0; rev %1,%1" \ - : "+r"(hi),"+r"(lo)); \ - (u64)hi<<32|lo; }) -# define BSWAP4(x) ({ u32 ret; \ + : "+r"(hi_),"+r"(lo_)); \ + (u64)hi_<<32|lo_; }) +# define BSWAP4(x) ({ u32 ret_; \ asm ("rev %0,%1" \ - : "=r"(ret) : "r"((u32)(x))); \ - ret; }) + : "=r"(ret_) : "r"((u32)(x))); \ + ret_; }) # endif # elif defined(_MSC_VER) # if _MSC_VER>=1300 From levitte at openssl.org Wed Apr 8 15:17:03 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 15:17:03 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428506223.799972.16151.nullmailer@dev.openssl.org> The branch master has been updated via 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174 (commit) from 2da2a4349c1598ad0648405fe175e7846d893c45 (commit) - Log ----------------------------------------------------------------- commit 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174 Author: Richard Levitte Date: Wed Apr 1 11:36:18 2015 +0200 Ignore the non-dll windows specific build directories Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 9f85632..77f8d21 100644 --- a/.gitignore +++ b/.gitignore @@ -93,8 +93,12 @@ cscope.out *.d # Windows +/tmp32 +/tmp32.dbg /tmp32dll /tmp32dll.dbg +/out32 +/out32.dbg /out32dll /out32dll.dbg /inc32 From levitte at openssl.org Wed Apr 8 15:59:54 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 15:59:54 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428508794.833136.25407.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 700c0eb8d9f155e526fab1310f6b5073327bf6a7 (commit) via a4ba7163338f30675d7c58ed274d127ad7ac04e9 (commit) via d21cbd7d5e8be3f21ffec0491b7627d02fad57ea (commit) from ae50d8270026edf5b3c7f8aaa0c6677462b33d97 (commit) - Log ----------------------------------------------------------------- commit 700c0eb8d9f155e526fab1310f6b5073327bf6a7 Author: Richard Levitte Date: Sat Apr 4 16:53:44 2015 +0200 Appease clang -Wshadow The macros BSWAP4 and BSWAP8 have statetemnt expressions implementations that use local variable names that shadow variables outside the macro call, generating warnings like this e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable [-Wshadow] seqnum = BSWAP8(blocks[0].q[0]); ^ ../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8' ^ e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here size_t ret = 0; ^ Have clang be quiet by modifying the macro variable names slightly (suffixing them with an underscore). Reviewed-by: Rich Salz (cherry picked from commit 2da2a4349c1598ad0648405fe175e7846d893c45) commit a4ba7163338f30675d7c58ed274d127ad7ac04e9 Author: Richard Levitte Date: Sat Apr 4 16:33:20 2015 +0200 Appease clang -Wgnu-statement-expression We use GNU statement expressions in crypto/md32_common.h, surrounded by checks that GNU C is indeed used to compile. It seems that clang, at least on Linux, pretends to be GNU C, therefore finds the statement expressions and then warns about them. The solution is to have clang be quiet about it. 
Reviewed-by: Rich Salz (cherry picked from commit 04958e84d8079fa57a782db70f003c38b5b156fd) commit d21cbd7d5e8be3f21ffec0491b7627d02fad57ea Author: Richard Levitte Date: Sat Apr 4 16:22:26 2015 +0200 Appease clang -Wempty-translation-unit ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one declaration [-Wempty-translation-unit] ^ 1 warning generated. Reviewed-by: Rich Salz (cherry picked from commit c25dea53e9db2b4956c315f85dae3f1c2854fd2b) ----------------------------------------------------------------------- Summary of changes: Configure | 2 +- crypto/ebcdic.c | 2 +- crypto/modes/modes_lcl.h | 38 +++++++++++++++++++------------------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/Configure b/Configure index f776e23..f4847ae 100755 --- a/Configure +++ b/Configure 
@@ -105,7 +105,7 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; -my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum"; +my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum -Wno-gnu-statement-expression"; my $strict_warnings = 0; diff --git a/crypto/ebcdic.c b/crypto/ebcdic.c index 4b7652c..fd6df92 100644 --- a/crypto/ebcdic.c +++ b/crypto/ebcdic.c @@ -3,7 +3,7 @@ #ifndef CHARSET_EBCDIC # include -# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX) +# if defined(PEDANTIC) || defined(__DECC) || defined(OPENSSL_SYS_MACOSX) || defined(__clang__) static void *dummy = &dummy; # endif diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_lcl.h index 900f54c..fe14ec7 100644 --- a/crypto/modes/modes_lcl.h +++ b/crypto/modes/modes_lcl.h 
@@ -38,36 +38,36 @@ typedef unsigned char u8; #if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) # if defined(__GNUC__) && __GNUC__>=2 # if defined(__x86_64) || defined(__x86_64__) -# define BSWAP8(x) ({ u64 ret=(x); \ +# define BSWAP8(x) ({ u64 ret_=(x); \ asm ("bswapq %0" \ - : "+r"(ret)); ret; }) -# define BSWAP4(x) ({ u32 ret=(x); \ + : "+r"(ret_)); ret_; }) +# define BSWAP4(x) ({ u32 ret_=(x); \ asm ("bswapl %0" \ - : "+r"(ret)); ret; }) + : "+r"(ret_)); ret_; }) # elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) -# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ +# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ asm ("bswapl %0; bswapl %1" \ - : "+r"(hi),"+r"(lo)); \ - (u64)hi<<32|lo; }) -# define BSWAP4(x) ({ u32 ret=(x); \ + : "+r"(hi_),"+r"(lo_)); \ + (u64)hi_<<32|lo_; }) +# define BSWAP4(x) ({ u32 ret_=(x); \ asm ("bswapl %0" \ - : "+r"(ret)); ret; }) + : "+r"(ret_)); ret_; }) # elif defined(__aarch64__) -# define BSWAP8(x) ({ u64 ret; \ +# define BSWAP8(x) ({ u64 ret_; \ asm ("rev %0,%1" \ - : "=r"(ret) : "r"(x)); ret; }) -# define BSWAP4(x) ({ u32 ret; \ + : "=r"(ret_) : "r"(x)); ret_; }) +# define BSWAP4(x) ({ u32 ret_; \ asm ("rev %w0,%w1" \ - : "=r"(ret) : "r"(x)); ret; }) + : "=r"(ret_) : "r"(x)); ret_; }) # elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT) -# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ +# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \ asm ("rev %0,%0; rev %1,%1" \ - : "+r"(hi),"+r"(lo)); \ - (u64)hi<<32|lo; }) -# define BSWAP4(x) ({ u32 ret; \ + : "+r"(hi_),"+r"(lo_)); \ + (u64)hi_<<32|lo_; }) +# define BSWAP4(x) ({ u32 ret_; \ asm ("rev %0,%1" \ - : "=r"(ret) : "r"((u32)(x))); \ - ret; }) + : "=r"(ret_) : "r"((u32)(x))); \ + ret_; }) # endif # elif defined(_MSC_VER) # if _MSC_VER>=1300 From levitte at openssl.org Wed Apr 8 16:01:24 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 16:01:24 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428508884.984218.26152.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 9e63eeaf76fed44bcbac16df24f06bc87d8b5de4 (commit) from 700c0eb8d9f155e526fab1310f6b5073327bf6a7 (commit) - Log ----------------------------------------------------------------- commit 9e63eeaf76fed44bcbac16df24f06bc87d8b5de4 Author: Richard Levitte Date: Wed Apr 1 11:36:18 2015 +0200 Ignore the non-dll windows specific build directories Reviewed-by: Rich Salz (cherry picked from commit 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174) ----------------------------------------------------------------------- Summary of changes: .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 2f572f3..bb3feab 100644 --- a/.gitignore +++ b/.gitignore @@ -100,8 +100,12 @@ tags TAGS # Windows +/tmp32 +/tmp32.dbg /tmp32dll /tmp32dll.dbg +/out32 +/out32.dbg /out32dll /out32dll.dbg /inc32 From levitte at openssl.org Wed Apr 8 16:01:41 2015 From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 16:01:41 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428508901.426630.26526.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 10a612a9e4728f2d082941e25a40c660aa08963b (commit) from a20db08e77b62ee673e493e9bcbf0cacc5291f68 (commit) - Log ----------------------------------------------------------------- commit 10a612a9e4728f2d082941e25a40c660aa08963b Author: Richard Levitte Date: Wed Apr 1 11:36:18 2015 +0200 Ignore the non-dll windows specific build directories Reviewed-by: Rich Salz (cherry picked from commit 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174) ----------------------------------------------------------------------- Summary of changes: .gitignore | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/.gitignore b/.gitignore index fc1e643..9a0d846 100644 --- a/.gitignore +++ b/.gitignore @@ -95,8 +95,12 @@ tags TAGS # Windows +/tmp32 +/tmp32.dbg /tmp32dll /tmp32dll.dbg +/out32 +/out32.dbg /out32dll /out32dll.dbg /inc32 From rsalz at openssl.org Wed Apr 8 16:29:02 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 08 Apr 2015 16:29:02 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428510542.140764.1134.nullmailer@dev.openssl.org> The branch master has been updated via 5adac91eab78d0ba8b5c84e7c883ae123c28a72b (commit) from 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174 (commit) - Log ----------------------------------------------------------------- commit 5adac91eab78d0ba8b5c84e7c883ae123c28a72b Author: Rich Salz Date: Wed Apr 8 12:28:15 2015 -0400 consistent test-start logging Output a consistent "start" marker for each test. Remove "2>/dev/null" from Makefile command lines. Add OPENSSL_CONFIG=/dev/null for places where it's needed, in order to suppress a warning message from the openssl CLI. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/Makefile | 139 +++++++++++++++++++++++++++++++++++++--------------------- test/tcrl | 1 + test/testca | 4 +- test/testenc | 2 + test/testgen | 1 + test/testss | 5 +-- test/testssl | 1 + test/tkey | 1 + test/tocsp | 1 + test/tpkcs7 | 1 + test/tpkcs7d | 1 + test/treq | 28 +----------- test/tsid | 1 + test/tx509 | 1 + 14 files changed, 105 insertions(+), 82 deletions(-) diff --git a/test/Makefile b/test/Makefile index 851901b..13b9285 100644 --- a/test/Makefile +++ b/test/Makefile @@ -29,6 +29,9 @@ LIBCRYPTO= -L.. -lcrypto LIBSSL= -L.. -lssl LIBFIPS= -L.. -lfips +# Prefix for logline for each test +START= @@@ START + BNTEST= bntest ECTEST= ectest ECDSATEST= ecdsatest 
@@ -150,210 +153,248 @@ alltests: \ test_constant_time test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt + @echo $(START) $@ ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt test_evp_extra: $(EVPEXTRATEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(EVPEXTRATEST) test_p5_crpt2: $(P5_CRPT2_TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(P5_CRPT2_TEST) test_des: $(DESTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(DESTEST) test_idea: $(IDEATEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(IDEATEST) test_sha: $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) + @echo $(START) $@ -- sha1 ../util/shlib_wrap.sh ./$(SHA1TEST) + @echo $(START) $@ -- sha256 ../util/shlib_wrap.sh ./$(SHA256TEST) + @echo $(START) $@ -- sha512 ../util/shlib_wrap.sh ./$(SHA512TEST) test_mdc2: $(MDC2TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(MDC2TEST) test_md5: $(MD5TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(MD5TEST) test_md4: $(MD4TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(MD4TEST) test_hmac: $(HMACTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(HMACTEST) test_wp: $(WPTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(WPTEST) test_md2: $(MD2TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(MD2TEST) test_rmd: $(RMDTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RMDTEST) test_bf: $(BFTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(BFTEST) test_cast: $(CASTTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(CASTTEST) test_rc2: $(RC2TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RC2TEST) test_rc4: $(RC4TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RC4TEST) test_rc5: $(RC5TEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RC5TEST) test_rand: $(RANDTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RANDTEST) test_gost2814789: $(GOST2814789TEST)$(EXE_EXT) + 
@echo $(START) $@ OPENSSL_ENGINES=../engines/ccgost ../util/shlib_wrap.sh ./$(GOST2814789TEST) test_enc: ../apps/openssl$(EXE_EXT) testenc + @echo $(START) $@ @sh ./testenc test_x509: ../apps/openssl$(EXE_EXT) tx509 testx509.pem v3-cert1.pem v3-cert2.pem - echo test normal x509v1 certificate - sh ./tx509 2>/dev/null - echo test first x509v3 certificate - sh ./tx509 v3-cert1.pem 2>/dev/null - echo test second x509v3 certificate - sh ./tx509 v3-cert2.pem 2>/dev/null + @echo $(START) $@ -- x509v1 certificate + sh ./tx509 + @echo $(START) $@ -- first x509v3 certificate + sh ./tx509 v3-cert1.pem + @echo $(START) $@ -- second x509v3 certificate + sh ./tx509 v3-cert2.pem test_rsa: $(RSATEST)$(EXE_EXT) ../apps/openssl$(EXE_EXT) tkey testrsa.pem - @sh ./tkey testrsa.pem rsa private 2>/dev/null - @sh ./tkey testrsapub.pem rsa public 2>/dev/null + @echo $(START) $@ ../util/shlib_wrap.sh ./$(RSATEST) + @echo $(START) $@ -- private key + @sh ./tkey testrsa.pem rsa private + @echo $(START) $@ -- public public + @sh ./tkey testrsapub.pem rsa public test_crl: ../apps/openssl$(EXE_EXT) tcrl testcrl.pem - @sh ./tcrl 2>/dev/null + @echo $(START) $@ + sh ./tcrl test_sid: ../apps/openssl$(EXE_EXT) tsid testsid.pem - @sh ./tsid 2>/dev/null + @echo $(START) $@ + @sh ./tsid test_req: ../apps/openssl$(EXE_EXT) treq testreq.pem testreq2.pem - @sh ./treq 2>/dev/null - @sh ./treq testreq2.pem 2>/dev/null + @echo $(START) $@ + @sh ./treq + @echo $(START) $@ -- testreq2 + @sh ./treq testreq2.pem test_pkcs7: ../apps/openssl$(EXE_EXT) tpkcs7 tpkcs7d testp7.pem pkcs7-1.pem - @sh ./tpkcs7 2>/dev/null - @sh ./tpkcs7d 2>/dev/null + @echo $(START) $@ -- pkcs7 + @sh ./tpkcs7 + @echo $(START) $@ -- pkcs7d + @sh ./tpkcs7d test_bn: $(BNTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) bctest - @echo starting big number library test, could take a while... + @echo $(START) $@ -- could take a while. 
@../util/shlib_wrap.sh ./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest - @echo "running bc" + @echo $(START) $@ -- running bc @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0\r?$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' - @echo 'test a^b%c implementations' + @echo $(START) $@ -- $(EXPTEST) ../util/shlib_wrap.sh ./$(EXPTEST) test_ec: $(ECTEST)$(EXE_EXT) tkey testec-p256.pem - @echo 'test elliptic curves' + @echo $(START) $@ ../util/shlib_wrap.sh ./$(ECTEST) - @sh ./tkey testec-p256.pem ec private 2>/dev/null - @sh ./tkey testecpub-p256.pem ec public 2>/dev/null + @echo $(START) $@ -- private + @sh ./tkey testec-p256.pem ec private + @echo $(START) $@ -- public + @sh ./tkey testecpub-p256.pem ec public test_ecdsa: $(ECDSATEST)$(EXE_EXT) - @echo 'test ecdsa' + @echo $(START) $@ ../util/shlib_wrap.sh ./$(ECDSATEST) test_ecdh: $(ECDHTEST)$(EXE_EXT) - @echo 'test ecdh' + @echo $(START) $@ ../util/shlib_wrap.sh ./$(ECDHTEST) test_verify: ../apps/openssl$(EXE_EXT) - @echo "The following command should have some OK's and some failures" - @echo "There are definitly a few expired certificates" - ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem + @echo $(START) $@ -- expect some failures and expired certificates + OPENSSL_CONF=/dev/null ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem test_dh: $(DHTEST)$(EXE_EXT) - @echo "Generate a set of DH parameters" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(DHTEST) test_dsa: $(DSATEST)$(EXE_EXT) tkey testdsa.pem - @echo "Generate a set of DSA parameters" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(DSATEST) + @echo $(START) $@ -- app2_1 ../util/shlib_wrap.sh ./$(DSATEST) -app2_1 - @sh ./tkey testdsa.pem dsa private 2>/dev/null - @sh ./tkey testdsapub.pem dsa public 2>/dev/null + @echo $(START) $@ -- private + @sh ./tkey testdsa.pem dsa private + @echo $(START) $@ -- public + @sh ./tkey 
testdsapub.pem dsa public test_gen testreq.pem: ../apps/openssl$(EXE_EXT) testgen test.cnf - @echo "Generate and verify a certificate request" + @echo $(START) test_gen @sh ./testgen test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ intP1.ss intP2.ss: testss CAss.cnf Uss.cnf P1ss.cnf P2ss.cnf \ ../apps/openssl$(EXE_EXT) - @echo "Generate and certify a test certificate" + @echo $(START) test_ss @sh ./testss @cat certCA.ss certU.ss > intP1.ss @cat certCA.ss certU.ss certP1.ss > intP2.ss test_engine: $(ENGINETEST)$(EXE_EXT) - @echo "Manipulate the ENGINE structures" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(ENGINETEST) test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ intP1.ss intP2.ss $(SSLTEST)$(EXE_EXT) testssl testsslproxy \ ../apps/server2.pem serverinfo.pem - @echo "test SSL protocol" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(SSLTEST) -test_cipherlist + @echo $(START) $@ -- key U @sh ./testssl keyU.ss certU.ss certCA.ss + @echo $(START) $@ -- key P1 @sh ./testsslproxy keyP1.ss certP1.ss intP1.ss + @echo $(START) $@ -- key P2 @sh ./testsslproxy keyP2.ss certP2.ss intP2.ss test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf - @if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ - echo "skipping CA.sh test -- requires RSA"; \ + @if OPENSSL_CONF=/dev/null ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ + echo SKIP $@ -- requires RSA; \ else \ - echo "Generate and certify a test certificate via the 'ca' program"; \ + echo $(START) $@; \ sh ./testca; \ fi test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh - @if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ - echo "skipping testtsa test -- requires RSA"; \ + @if OPENSSL_CONF=/dev/null ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ + echo SKIP $@ -- requires RSA; \ else \ + echo $(START) $@; \ sh ./testtsa; \ fi test_ige: $(IGETEST)$(EXE_EXT) - @echo "Test IGE mode" + @echo $(START) $@ ../util/shlib_wrap.sh 
./$(IGETEST) test_jpake: $(JPAKETEST)$(EXE_EXT) - @echo "Test JPAKE" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(JPAKETEST) test_cms: ../apps/openssl$(EXE_EXT) cms-test.pl smcont.txt - @echo "CMS consistency test" - $(PERL) cms-test.pl + @echo $(START) $@ + OPENSSL_CONFIG=/dev/null $(PERL) cms-test.pl test_srp: $(SRPTEST)$(EXE_EXT) - @echo "Test SRP" + @echo $(START) $@ ../util/shlib_wrap.sh ./srptest test_v3name: $(V3NAMETEST)$(EXE_EXT) - @echo "Test X509v3_check_*" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(V3NAMETEST) test_ocsp: ../apps/openssl$(EXE_EXT) tocsp - @echo "Test OCSP" + @echo $(START) $@ @sh ./tocsp test_heartbeat: $(HEARTBEATTEST)$(EXE_EXT) + @echo $(START) $@ ../util/shlib_wrap.sh ./$(HEARTBEATTEST) test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) - @echo "Test constant time utilites" + @echo $(START) $@ ../util/shlib_wrap.sh ./$(CONSTTIMETEST) -lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff - depend: @if [ -z "$(THIS)" ]; then \ $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ diff --git a/test/tcrl b/test/tcrl index 1075a4f..216bb8a 100644 --- a/test/tcrl +++ b/test/tcrl @@ -1,5 +1,6 @@ #!/bin/sh +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF cmd='../util/shlib_wrap.sh ../apps/openssl crl' if [ "$1"x != "x" ]; then diff --git a/test/testca b/test/testca index b109cfe..2cffeb7 100644 --- a/test/testca +++ b/test/testca @@ -15,7 +15,7 @@ OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL /bin/rm -fr demoCA -$SH ../apps/CA.sh -newca <$test; diff --git a/test/testgen b/test/testgen index 524c0d1..ed53b4a 100644 --- a/test/testgen +++ b/test/testgen @@ -3,6 +3,7 @@ T=testcert KEY=512 CA=../certs/testca.pem +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF /bin/rm -f $T.1 $T.2 $T.key diff --git a/test/testss b/test/testss index 1a42685..c846b77 100644 --- a/test/testss +++ b/test/testss 
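Review bot: The `test_cms` recipe sets `OPENSSL_CONFIG=/dev/null`, whereas `test_verify`, `test_ca`, `test_tsa` and the test scripts patched in this commit all set `OPENSSL_CONF`. `OPENSSL_CONF` is the variable the openssl CLI consults for its default configuration file, so unless cms-test.pl reads the other name itself (not visible here), the cms run still loads the host's openssl.cnf and the warning is not suppressed. `OPENSSL_CONF=/dev/null $(PERL) cms-test.pl` would match the rest of the file. The same `OPENSSL_CONFIG` spelling appears to be used for the CA script invocation in test/testca further down the page. In `test_rsa` the second label reads `-- public public`; `@echo $(START) $@ -- public key` would pair with the `-- private key` line above it.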
@@ -5,6 +5,7 @@ reqcmd="../util/shlib_wrap.sh ../apps/openssl req" x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest" verifycmd="../util/shlib_wrap.sh ../apps/openssl verify" dummycnf="../apps/openssl.cnf" +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF CAkey="keyCA.ss" CAcert="certCA.ss" @@ -40,7 +41,7 @@ else req_new='-new' fi -$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new #>err.ss +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new if [ $? != 0 ]; then echo "error using 'req' to generate a certificate request" exit 1 @@ -158,6 +159,4 @@ echo The second generated proxy certificate is $P2cert echo The second generated proxy private key is $P2key /bin/rm err.ss -#/bin/rm $P1intermediate -#/bin/rm $P2intermediate exit 0 diff --git a/test/testssl b/test/testssl index 71b4d2a..367807b 100644 --- a/test/testssl +++ b/test/testssl @@ -10,6 +10,7 @@ if [ "$2" = "" ]; then else cert="$2" fi +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then diff --git a/test/tkey b/test/tkey index 611ed7d..b7097e6 100644 --- a/test/tkey +++ b/test/tkey @@ -4,6 +4,7 @@ t=$1 ktype=$2 ptype=$3 +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF if ../util/shlib_wrap.sh ../apps/openssl no-$ktype; then echo skipping $ktype $ptype conversion test exit 0 diff --git a/test/tocsp b/test/tocsp index 5fc291c..ac91145 100644 --- a/test/tocsp +++ b/test/tocsp @@ -1,6 +1,7 @@ #!/bin/sh cmd='../util/shlib_wrap.sh ../apps/openssl' +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF ocspdir="ocsp-tests" # 17 December 2012 so we don't get certificate expiry errors. check_time="-attime 1355875200" diff --git a/test/tpkcs7 b/test/tpkcs7 index d7029a0..27bd343 100644 --- a/test/tpkcs7 +++ b/test/tpkcs7 
@@ -1,6 +1,7 @@ #!/bin/sh cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7' +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF if [ "$1"x != "x" ]; then t=$1 diff --git a/test/tpkcs7d b/test/tpkcs7d index d4bfbdf..4354d59 100644 --- a/test/tpkcs7d +++ b/test/tpkcs7d @@ -1,6 +1,7 @@ #!/bin/sh cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7' +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF if [ "$1"x != "x" ]; then t=$1 diff --git a/test/treq b/test/treq index 420d25e..82decce 100644 --- a/test/treq +++ b/test/treq @@ -1,6 +1,7 @@ #!/bin/sh cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf' +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF if [ "$1"x != "x" ]; then t=$1 @@ -19,9 +20,6 @@ cp $t req-fff.p echo "p -> d" $cmd -in req-fff.p -inform p -outform d >req-f.d if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in req-fff.p -inform p -outform t >req-f.t -#if [ $? != 0 ]; then exit 1; fi echo "p -> p" $cmd -in req-fff.p -inform p -outform p >req-f.p if [ $? != 0 ]; then exit 1; fi @@ -29,29 +27,14 @@ if [ $? != 0 ]; then exit 1; fi echo "d -> d" $cmd -verify -in req-f.d -inform d -outform d >req-ff.d1 if [ $? != 0 ]; then exit 1; fi -#echo "t -> d" -#$cmd -in req-f.t -inform t -outform d >req-ff.d2 -#if [ $? != 0 ]; then exit 1; fi echo "p -> d" $cmd -verify -in req-f.p -inform p -outform d >req-ff.d3 if [ $? != 0 ]; then exit 1; fi -#echo "d -> t" -#$cmd -in req-f.d -inform d -outform t >req-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#echo "t -> t" -#$cmd -in req-f.t -inform t -outform t >req-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in req-f.p -inform p -outform t >req-ff.t3 -#if [ $? != 0 ]; then exit 1; fi echo "d -> p" $cmd -in req-f.d -inform d -outform p >req-ff.p1 if [ $? != 0 ]; then exit 1; fi -#echo "t -> p" -#$cmd -in req-f.t -inform t -outform p >req-ff.p2 -#if [ $? != 0 ]; then exit 1; fi echo "p -> p" $cmd -in req-f.p -inform p -outform p >req-ff.p3 if [ $? != 0 ]; then exit 1; fi 
@@ -65,17 +48,8 @@ if [ $? != 0 ]; then exit 1; fi cmp req-fff.p req-ff.p3 if [ $? != 0 ]; then exit 1; fi -#cmp req-f.t req-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#cmp req-f.t req-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#cmp req-f.t req-ff.t3 -#if [ $? != 0 ]; then exit 1; fi - cmp req-f.p req-ff.p1 if [ $? != 0 ]; then exit 1; fi -#cmp req-f.p req-ff.p2 -#if [ $? != 0 ]; then exit 1; fi cmp req-f.p req-ff.p3 if [ $? != 0 ]; then exit 1; fi diff --git a/test/tsid b/test/tsid index e1eb503..c804383 100644 --- a/test/tsid +++ b/test/tsid @@ -1,5 +1,6 @@ #!/bin/sh +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF cmd='../util/shlib_wrap.sh ../apps/openssl sess_id' if [ "$1"x != "x" ]; then diff --git a/test/tx509 b/test/tx509 index 0ce3b52..4e9c0a5 100644 --- a/test/tx509 +++ b/test/tx509 @@ -1,5 +1,6 @@ #!/bin/sh +OPENSSL_CONF=/dev/null ; export OPENSSL_CONF cmd='../util/shlib_wrap.sh ../apps/openssl x509' if [ "$1"x != "x" ]; then From rsalz at openssl.org Wed Apr 8 18:07:57 2015 
From: rsalz at openssl.org (Rich Salz) Date: Wed, 08 Apr 2015 18:07:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428516477.812523.23275.nullmailer@dev.openssl.org> The branch master has been updated via be739b0cc05cda920377d3c12c26b2dc6aa44daf (commit) from 5adac91eab78d0ba8b5c84e7c883ae123c28a72b (commit) - Log ----------------------------------------------------------------- commit be739b0cc05cda920377d3c12c26b2dc6aa44daf Author: Rich Salz Date: Wed Apr 8 14:07:39 2015 -0400 Drop CA.sh for CA.pl Remove CA.sh script and use CA.pl for testing, etc. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: CHANGES | 3 + apps/CA.sh | 198 ------------------------------------------------------- apps/Makefile | 2 +- doc/apps/ca.pod | 4 +- test/Makefile | 2 +- test/testca | 13 ++-- test/testtsa | 2 +- test/testtsa.com | 2 +- util/pl/unix.pl | 4 +- 9 files changed, 18 insertions(+), 212 deletions(-) delete mode 100644 apps/CA.sh diff --git a/CHANGES b/CHANGES index 7c57410..b44f645 100644 --- a/CHANGES +++ b/CHANGES @@ -39,6 +39,9 @@ done while fixing the error code for the key-too-small case. [Annie Yousar ] + *) CA.sh has been removmed; use CA.pl instead. + [Rich Salz] + *) Removed old DES API. [Rich Salz] diff --git a/apps/CA.sh b/apps/CA.sh deleted file mode 100644 index 7ad6b8c..0000000 --- a/apps/CA.sh +++ /dev/null 
@@ -1,198 +0,0 @@ -#!/bin/sh -# -# CA - wrapper around ca to make it easier to use ... basically ca requires -# some setup stuff to be done before you can use it and this makes -# things easier between now and when Eric is convinced to fix it :-) -# -# CA -newca ... will setup the right stuff -# CA -newreq ... will generate a certificate request -# CA -sign ... will sign the generated request and output -# -# At the end of that grab newreq.pem and newcert.pem (one has the key -# and the other the certificate) and cat them together and that is what -# you want/need ... I'll make even this a little cleaner later. -# -# -# 12-Jan-96 tjh Added more things ... including CA -signcert which -# converts a certificate to a request and then signs it. -# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG -# environment variable so this can be driven from -# a script. -# 25-Jul-96 eay Cleaned up filenames some more. -# 11-Jun-96 eay Fixed a few filename missmatches. -# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'. -# 18-Apr-96 tjh Original hacking -# -# Tim Hudson -# tjh at cryptsoft.com -# - -# default openssl.cnf file has setup as per the following -# demoCA ... where everything is stored -cp_pem() { - infile=$1 - outfile=$2 - bound=$3 - flag=0 - exec <$infile; - while read line; do - if [ $flag -eq 1 ]; then - echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null - if [ $? -eq 0 ] ; then - echo $line >>$outfile - break - else - echo $line >>$outfile - fi - fi - - echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null - if [ $? 
-eq 0 ]; then - echo $line >$outfile - flag=1 - fi - done -} - -usage() { - echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2 -} - -if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi - -if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year -CADAYS="-days 1095" # 3 years -REQ="$OPENSSL req $SSLEAY_CONFIG" -CA="$OPENSSL ca $SSLEAY_CONFIG" -VERIFY="$OPENSSL verify" -X509="$OPENSSL x509" -PKCS12="openssl pkcs12" - -if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi -CAKEY=./cakey.pem -CAREQ=./careq.pem -CACERT=./cacert.pem - -RET=0 - -while [ "$1" != "" ] ; do -case $1 in --\?|-h|-help) - usage - exit 0 - ;; --newcert) - # create a certificate - $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS - RET=$? - echo "Certificate is in newcert.pem, private key is in newkey.pem" - ;; --newreq) - # create a certificate request - $REQ -new -keyout newkey.pem -out newreq.pem $DAYS - RET=$? - echo "Request is in newreq.pem, private key is in newkey.pem" - ;; --newreq-nodes) - # create a certificate request - $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS - RET=$? - echo "Request (and private key) is in newreq.pem" - ;; --newca) - # if explicitly asked for or it doesn't exist then setup the directory - # structure that Eric likes to manage things - NEW="1" - if [ "$NEW" -o ! -f ${CATOP}/serial ]; then - # create the directory hierarchy - mkdir -p ${CATOP} - mkdir -p ${CATOP}/certs - mkdir -p ${CATOP}/crl - mkdir -p ${CATOP}/newcerts - mkdir -p ${CATOP}/private - touch ${CATOP}/index.txt - fi - if [ ! -f ${CATOP}/private/$CAKEY ]; then - echo "CA certificate filename (or enter to create)" - read FILE - - # ask user for existing CA certificate - if [ "$FILE" ]; then - cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE - cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE - RET=$? - if [ ! -f "${CATOP}/serial" ]; then - $X509 -in ${CATOP}/$CACERT -noout -next_serial \ - -out ${CATOP}/serial - fi - else - echo "Making CA certificate ..." 
- $REQ -new -keyout ${CATOP}/private/$CAKEY \ - -out ${CATOP}/$CAREQ - $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \ - -keyfile ${CATOP}/private/$CAKEY -selfsign \ - -extensions v3_ca \ - -infiles ${CATOP}/$CAREQ - RET=$? - fi - fi - ;; --xsign) - $CA -policy policy_anything -infiles newreq.pem - RET=$? - ;; --pkcs12) - if [ -z "$2" ] ; then - CNAME="My Certificate" - else - CNAME="$2" - fi - $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \ - -out newcert.p12 -export -name "$CNAME" - RET=$? - exit $RET - ;; --sign|-signreq) - $CA -policy policy_anything -out newcert.pem -infiles newreq.pem - RET=$? - cat newcert.pem - echo "Signed certificate is in newcert.pem" - ;; --signCA) - $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem - RET=$? - echo "Signed CA certificate is in newcert.pem" - ;; --signcert) - echo "Cert passphrase will be requested twice - bug?" - $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem - $CA -policy policy_anything -out newcert.pem -infiles tmp.pem - RET=$? - cat newcert.pem - echo "Signed certificate is in newcert.pem" - ;; --verify) - shift - if [ -z "$1" ]; then - $VERIFY -CAfile $CATOP/$CACERT newcert.pem - RET=$? - else - for j - do - $VERIFY -CAfile $CATOP/$CACERT $j - if [ $? != 0 ]; then - RET=$? - fi - done - fi - exit $RET - ;; -*) - echo "Unknown arg $i" >&2 - usage - exit 1 - ;; -esac -shift -done -exit $RET diff --git a/apps/Makefile b/apps/Makefile index 25e197f..c7a6094 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -31,7 +31,7 @@ LIBSSL=-L.. -lssl PROGRAM= openssl -SCRIPTS=CA.sh CA.pl tsget +SCRIPTS=CA.pl tsget EXE= $(PROGRAM)$(EXE_EXT) diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 42d7f83..997fa20 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod 
@@ -641,8 +641,8 @@ the database has to be kept in memory. The B command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility -(perl script or GUI) can handle things properly. The scripts B and -B help a little but not very much. +(perl script or GUI) can handle things properly. The script +B helps a little but not very much. Any fields in a request that are not present in a policy are silently deleted. This does not happen if the B<-preserveDN> option is used. To diff --git a/test/Makefile b/test/Makefile index 13b9285..e3fb791 100644 --- a/test/Makefile +++ b/test/Makefile @@ -352,7 +352,7 @@ test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf echo SKIP $@ -- requires RSA; \ else \ echo $(START) $@; \ - sh ./testca; \ + sh ./testca $(PERL); \ fi test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh diff --git a/test/testca b/test/testca index 2cffeb7..0e2d05c 100644 --- a/test/testca +++ b/test/testca @@ -1,12 +1,13 @@ #!/bin/sh -SH="/bin/sh" +PERL="$1" + if test "$OSTYPE" = msdosdjgpp; then PATH="../apps\;$PATH" else PATH="../apps:$PATH" fi -export SH PATH +export PATH SSLEAY_CONFIG="-config CAss.cnf" export SSLEAY_CONFIG 
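Review bot: `PERL="$1"` in test/testca has no fallback, so running the script by hand, or with an empty `$(PERL)` from the Makefile, leaves `$PERL` empty. The later `$PERL ../apps/CA.pl` then depends on CA.pl's execute bit and shebang instead of the configured interpreter. A default such as `PERL="${1:-perl}"` keeps the script usable on its own. The rest of the script lies outside this hunk.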
@@ -15,7 +16,7 @@ OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL /bin/rm -fr demoCA -OPENSSL_CONFIG=/dev/null $SH ../apps/CA.sh -newca < The branch master has been updated via 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7 (commit) from be739b0cc05cda920377d3c12c26b2dc6aa44daf (commit) - Log ----------------------------------------------------------------- commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7 Author: Richard Levitte Date: Wed Apr 8 19:26:11 2015 +0200 Have mkerr.pl treat already existing multiline string defs properly Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: util/mkerr.pl | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/util/mkerr.pl b/util/mkerr.pl index 96c705e..8a51588 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl 
@@ -535,14 +535,21 @@ EOF # First, read any existing reason string definitions: my %err_reason_strings; if (open(IN,"<$cfile")) { + my $line = ""; while () { - if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { - $err_reason_strings{$1} = $2; - } - if (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { - if (!exists $ftrans{$1} && ($1 ne $2)) { - print STDERR "WARNING: Mismatched function string $2\n"; - $ftrans{$1} = $2; + chomp; + $_ = $line . $_; + $line = ""; + if (/{ERR_(FUNC|REASON)\(/) { + if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { + $err_reason_strings{$1} = $2; + } elsif (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { + if (!exists $ftrans{$1} && ($1 ne $2)) { + print STDERR "WARNING: Mismatched function string $2\n"; + $ftrans{$1} = $2; + } + } else { + $line = $_; } } } From levitte at openssl.org Wed Apr 8 19:46:23 2015 
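Review bot: The new joining logic stops at the first quoted string it sees, so a message written as two adjacent C string literals is still recorded incompletely. When the literals are wrapped across lines, the first physical line already matches `.*\"(.*)\"` and the continuation line is ignored because it lacks `{ERR_`; when they share a line, the greedy match keeps only the last literal. Whether any generated file holds such a definition is not visible here. A definition still pending in `$line` at end of file is dropped silently; after the loop, `print STDERR "WARNING: unterminated definition: $line\n" if $line ne "";` would surface it. The unescaped brace in `/{ERR_(FUNC|REASON)\(/` is better written `\{` for newer Perl releases. The same applies to the cherry-picked hunks for the 1_0_2, 1_0_1 and 0_9_8 branches below, and the enclosing `if (open(...))` block closes outside the hunk.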
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 19:46:23 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428522383.331767.13398.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 42802a94be61c9378ead72bb40f02c8b33f1f6e6 (commit) from 9e63eeaf76fed44bcbac16df24f06bc87d8b5de4 (commit) - Log ----------------------------------------------------------------- commit 42802a94be61c9378ead72bb40f02c8b33f1f6e6 Author: Richard Levitte Date: Wed Apr 8 19:26:11 2015 +0200 Have mkerr.pl treat already existing multiline string defs properly Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: Matt Caswell (cherry picked from commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7) ----------------------------------------------------------------------- Summary of changes: util/mkerr.pl | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/util/mkerr.pl b/util/mkerr.pl index 7b6776d..09ebebe 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl 
@@ -535,14 +535,21 @@ EOF # First, read any existing reason string definitions: my %err_reason_strings; if (open(IN,"<$cfile")) { + my $line = ""; while () { - if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { - $err_reason_strings{$1} = $2; - } - if (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { - if (!exists $ftrans{$1} && ($1 ne $2)) { - print STDERR "WARNING: Mismatched function string $2\n"; - $ftrans{$1} = $2; + chomp; + $_ = $line . $_; + $line = ""; + if (/{ERR_(FUNC|REASON)\(/) { + if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { + $err_reason_strings{$1} = $2; + } elsif (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { + if (!exists $ftrans{$1} && ($1 ne $2)) { + print STDERR "WARNING: Mismatched function string $2\n"; + $ftrans{$1} = $2; + } + } else { + $line = $_; } } } From levitte at openssl.org Wed Apr 8 19:48:10 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 19:48:10 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428522490.804115.14385.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 0186f7bf87cbb1f043cbb95bc302c1e950a19462 (commit) from 10a612a9e4728f2d082941e25a40c660aa08963b (commit) - Log ----------------------------------------------------------------- commit 0186f7bf87cbb1f043cbb95bc302c1e950a19462 Author: Richard Levitte Date: Wed Apr 8 19:26:11 2015 +0200 Have mkerr.pl treat already existing multiline string defs properly Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: Matt Caswell (cherry picked from commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7) ----------------------------------------------------------------------- Summary of changes: util/mkerr.pl | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/util/mkerr.pl b/util/mkerr.pl index 8d2fdbc..d87c4fd 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl 
@@ -534,14 +534,21 @@ EOF # First, read any existing reason string definitions: my %err_reason_strings; if (open(IN,"<$cfile")) { + my $line = ""; while () { - if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { - $err_reason_strings{$1} = $2; - } - if (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { - if (!exists $ftrans{$1} && ($1 ne $2)) { - print STDERR "WARNING: Mismatched function string $2\n"; - $ftrans{$1} = $2; + chomp; + $_ = $line . $_; + $line = ""; + if (/{ERR_(FUNC|REASON)\(/) { + if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { + $err_reason_strings{$1} = $2; + } elsif (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { + if (!exists $ftrans{$1} && ($1 ne $2)) { + print STDERR "WARNING: Mismatched function string $2\n"; + $ftrans{$1} = $2; + } + } else { + $line = $_; } } } From levitte at openssl.org Wed Apr 8 19:56:29 2015 
From: levitte at openssl.org (Richard Levitte) Date: Wed, 08 Apr 2015 19:56:29 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1428522989.085454.16821.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via 32fbe9149e01dc79d97efe13aff2054f77045afb (commit) from 246b35a96e6402583825fcee6a4ce5305e26ec76 (commit) - Log ----------------------------------------------------------------- commit 32fbe9149e01dc79d97efe13aff2054f77045afb Author: Richard Levitte Date: Wed Apr 8 19:26:11 2015 +0200 Have mkerr.pl treat already existing multiline string defs properly Since source reformat, we ended up with some error reason string definitions that spanned two lines. That in itself is fine, but we sometimes edited them to provide better strings than what could be automatically determined from the reason macro, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "Peer haven't sent GOST certificate, required for selected ciphersuite"}, However, mkerr.pl didn't treat those two-line definitions right, and they ended up being retranslated to whatever the macro name would indicate, for example: {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER), "No gost certificate sent by peer"}, Clearly not what we wanted. This change fixes this problem. Reviewed-by: Matt Caswell (cherry picked from commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7) Conflicts: util/mkerr.pl ----------------------------------------------------------------------- Summary of changes: util/mkerr.pl | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/util/mkerr.pl b/util/mkerr.pl index 8109ab6..23e346a 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl 
@@ -452,9 +452,17 @@ EOF # First, read any existing reason string definitions: my %err_reason_strings; if (open(IN,"<$cfile")) { + my $line = ""; while () { - if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { - $err_reason_strings{$1} = $2; + chomp; + $_ = $line . $_; + $line = ""; + if (/{ERR_REASON\(/) { + if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { + $err_reason_strings{$1} = $2; + } else { + $line = $_; + } } } close(IN); From rsalz at openssl.org Fri Apr 10 14:14:09 2015 From: rsalz at openssl.org (Rich Salz) Date: Fri, 10 Apr 2015 14:14:09 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428675249.978033.30135.nullmailer@dev.openssl.org> The branch master has been updated via 30f54ad295d58ff8c6d28c1fd612d23c2c343d19 (commit) from 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7 (commit) - Log ----------------------------------------------------------------- commit 30f54ad295d58ff8c6d28c1fd612d23c2c343d19 Author: Rich Salz Date: Fri Apr 10 10:06:17 2015 -0400 test script cleanup Removed commented-out tests Standardize on doing cmd ... || exit 1 instead of cmd ... if [ $? != 0] ; then exit 1 fi where that if statement has ben one, three, or four lines, variously. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/tcrl | 63 +++++----------------------- test/testca | 25 ++++------- test/testenc | 37 ++++------------- test/testgen | 18 +++----- test/testss | 126 +++++++++++++++----------------------------------------- test/testtsa | 132 ++++++++++++++++++++--------------------------------------- test/tkey | 76 +++++++++++----------------------- test/tpkcs7 | 36 ++++++---------- test/tpkcs7d | 24 ++++------- test/treq | 39 ++++++------------ test/tsid | 64 +++++------------------------ test/tx509 | 71 +++++++++++--------------------- 12 files changed, 204 insertions(+), 507 deletions(-) diff --git a/test/tcrl b/test/tcrl index 216bb8a..f01eff8 100644 --- a/test/tcrl +++ b/test/tcrl 
@@ -13,67 +13,26 @@ echo testing crl conversions cp $t crl-fff.p echo "p -> d" -$cmd -in crl-fff.p -inform p -outform d >crl-f.d -if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in crl-fff.p -inform p -outform t >crl-f.t -#if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-fff.p -inform p -outform d >crl-f.d || exit 1 echo "p -> p" -$cmd -in crl-fff.p -inform p -outform p >crl-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-fff.p -inform p -outform p >crl-f.p || exit 1 echo "d -> d" -$cmd -in crl-f.d -inform d -outform d >crl-ff.d1 -if [ $? != 0 ]; then exit 1; fi -#echo "t -> d" -#$cmd -in crl-f.t -inform t -outform d >crl-ff.d2 -#if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-f.d -inform d -outform d >crl-ff.d1 || exit 1 echo "p -> d" -$cmd -in crl-f.p -inform p -outform d >crl-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-f.p -inform p -outform d >crl-ff.d3 || exit 1 -#echo "d -> t" -#$cmd -in crl-f.d -inform d -outform t >crl-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#echo "t -> t" -#$cmd -in crl-f.t -inform t -outform t >crl-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in crl-f.p -inform p -outform t >crl-ff.t3 -#if [ $? != 0 ]; then exit 1; fi echo "d -> p" -$cmd -in crl-f.d -inform d -outform p >crl-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#echo "t -> p" -#$cmd -in crl-f.t -inform t -outform p >crl-ff.p2 -#if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-f.d -inform d -outform p >crl-ff.p1 || exit 1 echo "p -> p" -$cmd -in crl-f.p -inform p -outform p >crl-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in crl-f.p -inform p -outform p >crl-ff.p3 || exit 1 -cmp crl-fff.p crl-f.p -if [ $? != 0 ]; then exit 1; fi -cmp crl-fff.p crl-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#cmp crl-fff.p crl-ff.p2 -#if [ $? != 0 ]; then exit 1; fi -cmp crl-fff.p crl-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -#cmp crl-f.t crl-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#cmp crl-f.t crl-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#cmp crl-f.t crl-ff.t3 -#if [ $? 
!= 0 ]; then exit 1; fi - -cmp crl-f.p crl-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#cmp crl-f.p crl-ff.p2 -#if [ $? != 0 ]; then exit 1; fi -cmp crl-f.p crl-ff.p3 -if [ $? != 0 ]; then exit 1; fi +cmp crl-fff.p crl-f.p || exit 1 +cmp crl-fff.p crl-ff.p1 || exit 1 +cmp crl-fff.p crl-ff.p3 || exit 1 +cmp crl-f.p crl-ff.p1 || exit 1 +cmp crl-f.p crl-ff.p3 || exit 1 /bin/rm -f crl-f.* crl-ff.* crl-fff.* exit 0 diff --git a/test/testca b/test/testca index 0e2d05c..8961cf8 100644 --- a/test/testca +++ b/test/testca @@ -16,35 +16,28 @@ OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL /bin/rm -fr demoCA + +# Could do '...CA.pl -newca || exot 1 << EOF +# EOF' but that seems too obscure to me. :) OPENSSL_CONFIG=/dev/null $PERL ../apps/CA.pl -newca <$test; echo cat $cmd enc < $test > $test.cipher $cmd enc < $test.cipher >$test.clear -cmp $test $test.clear -if [ $? != 0 ] -then - exit 1 -else - /bin/rm $test.cipher $test.clear -fi +cmp $test $test.clear || exit 1 +/bin/rm $test.cipher $test.clear + echo base64 $cmd enc -a -e < $test > $test.cipher $cmd enc -a -d < $test.cipher >$test.clear -cmp $test $test.clear -if [ $? != 0 ] -then - exit 1 -else - /bin/rm $test.cipher $test.clear -fi +cmp $test $test.clear || exit 1 +/bin/rm $test.cipher $test.clear for i in `$cmd list-cipher-commands` do echo $i $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear - cmp $test $test.$i.clear - if [ $? != 0 ] - then - exit 1 - else - /bin/rm $test.$i.cipher $test.$i.clear - fi + cmp $test $test.$i.clear || exit 1 + /bin/rm $test.$i.cipher $test.$i.clear echo $i base64 $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear - cmp $test $test.$i.clear - if [ $? != 0 ] - then - exit 1 - else - /bin/rm $test.$i.cipher $test.$i.clear - fi + cmp $test $test.$i.clear || exit 1 + /bin/rm $test.$i.cipher $test.$i.clear done rm -f $test 
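Review bot: The comment added to test/testca above the `CA.pl -newca` call misspells the command it describes: `|| exot 1` should read `|| exit 1`. The comment explains why this one call does not take the `|| exit 1` form used in the rest of the commit, so the exit status of CA.pl is only caught if the lines after the here-document test it; those lines are not legible in this view, so that is worth confirming in the file.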
diff --git a/test/testgen b/test/testgen index ed53b4a..f4eb112 100644 --- a/test/testgen +++ b/test/testgen @@ -18,7 +18,7 @@ echo "generating certificate request" echo "string to make the random number generator think it has entropy" >> ./.rnd -if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then req_new='-newkey dsa:../apps/dsa512.pem' else req_new='-new' @@ -26,20 +26,12 @@ else echo "There should not be more that at most 80 per line" fi -echo "This could take some time." - rm -f testkey.pem testreq.pem -../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem -if [ $? != 0 ]; then -echo problems creating request -exit 1 -fi +echo Generating request +../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem || exit 1 -../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout -if [ $? != 0 ]; then -echo signature on req is wrong -exit 1 -fi +echo Verifying signature on request +../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout || exit 1 exit 0 diff --git a/test/testss b/test/testss index c846b77..3afeb11 100644 --- a/test/testss +++ b/test/testss 
@@ -30,131 +30,71 @@ P2req="reqP2.ss" P2cert="certP2.ss" P2intermediate="tmp_intP2.ss" -echo -echo "make a certificate request using 'req'" -echo "string to make the random number generator think it has entropy" >> ./.rnd +echo string to make the random number generator think it has entropy >> ./.rnd -if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then +if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then req_new='-newkey dsa:../apps/dsa512.pem' else req_new='-new' fi -$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new -if [ $? != 0 ]; then - echo "error using 'req' to generate a certificate request" - exit 1 -fi -echo -echo "convert the certificate request into a self signed certificate using 'x509'" -$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss -if [ $? != 0 ]; then - echo "error using 'x509' to self sign a certificate request" - exit 1 -fi +echo make cert request +$reqcmd -config $CAconf -out $CAreq -keyout $CAkey $req_new || exit 1 -echo -echo "convert a certificate into a certificate request using 'x509'" -$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss -if [ $? != 0 ]; then - echo "error using 'x509' convert a certificate to a certificate request" - exit 1 -fi +echo convert request into self-signed cert +$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss || exit 1 -$reqcmd -config $dummycnf -verify -in $CAreq -noout -if [ $? != 0 ]; then - echo first generated request is invalid - exit 1 -fi +echo convert cert into a cert request +$x509cmd -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 >err.ss || exit 1 -$reqcmd -config $dummycnf -verify -in $CAreq2 -noout -if [ $? != 0 ]; then - echo second generated request is invalid - exit 1 -fi +echo verify request 1 +$reqcmd -config $dummycnf -verify -in $CAreq -noout || exit 1 -$verifycmd -CAfile $CAcert $CAcert -if [ $? 
!= 0 ]; then - echo first generated cert is invalid - exit 1 -fi +echo verify request 1 +$reqcmd -config $dummycnf -verify -in $CAreq2 -noout || exit 1 -echo -echo "make a user certificate request using 'req'" -$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss -if [ $? != 0 ]; then - echo "error using 'req' to generate a user certificate request" - exit 1 -fi +echo verify signature +$verifycmd -CAfile $CAcert $CAcert || exit 1 -echo -echo "sign user certificate request with the just created CA via 'x509'" -$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss -if [ $? != 0 ]; then - echo "error using 'x509' to sign a user certificate request" - exit 1 -fi +echo make a user cert request +$reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss || exit 1 -$verifycmd -CAfile $CAcert $Ucert -echo -echo "Certificate details" -$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert - -echo -echo "make a proxy certificate request using 'req'" -$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss -if [ $? != 0 ]; then - echo "error using 'req' to generate a proxy certificate request" - exit 1 -fi +echo sign user cert request +$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss || exit 1 +$verifycmd -CAfile $CAcert $Ucert || exit 1 -echo -echo "sign proxy certificate request with the just created user certificate via 'x509'" -$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss -if [ $? 
!= 0 ]; then - echo "error using 'x509' to sign a proxy certificate request" - exit 1 -fi +echo Certificate details +$x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert || exit 1 + +echo make a proxy cert request +$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss || exit 1 + +echo sign proxy with user cert +$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss || exit 1 cat $Ucert > $P1intermediate $verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert -echo -echo "Certificate details" +echo Certificate details $x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert -echo -echo "make another proxy certificate request using 'req'" -$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss -if [ $? != 0 ]; then - echo "error using 'req' to generate another proxy certificate request" - exit 1 -fi +echo make another proxy cert request +$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss || exit 1 -echo -echo "sign second proxy certificate request with the first proxy certificate via 'x509'" -$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss -if [ $? 
!= 0 ]; then - echo "error using 'x509' to sign a second proxy certificate request" - exit 1 -fi +echo sign second proxy cert request with the first proxy cert +$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss || exit 1 +echo Certificate details cat $Ucert $P1cert > $P2intermediate $verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert -echo -echo "Certificate details" $x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert -echo echo The generated CA certificate is $CAcert echo The generated CA private key is $CAkey - echo The generated user certificate is $Ucert echo The generated user private key is $Ukey - echo The first generated proxy certificate is $P1cert echo The first generated proxy private key is $P1key - echo The second generated proxy certificate is $P2cert echo The second generated proxy private key is $P2key diff --git a/test/testtsa b/test/testtsa index a0588e3..df9abed 100644 --- a/test/testtsa +++ b/test/testtsa @@ -21,33 +21,23 @@ export SSLEAY_CONFIG OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL -error () { - - echo "TSA test failed!" >&2 - exit 1 -} - setup_dir () { - rm -rf tsa 2>/dev/null mkdir tsa cd ./tsa } clean_up_dir () { - cd .. rm -rf tsa } create_ca () { - - echo "Creating a new CA for the TSA tests..." + echo creating a new CA for the TSA tests TSDNSECT=ts_ca_dn export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \ - -out tsaca.pem -keyout tsacakey.pem - test $? != 0 && error + -out tsaca.pem -keyout tsacakey.pem || exit 1 } create_tsa_cert () { 
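Review bot: In test/testss the two proxy-chain checks are left without a status test, so a proxy certificate that fails to verify does not fail the script: `$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert` and the matching `$P2intermediate $P2cert` line should end in `|| exit 1`, as the user-certificate check `$verifycmd -CAfile $CAcert $Ucert || exit 1` now does. This assumes the verify command reports a failed verification through its exit status, which the hunk does not show. The progress label `echo verify request 1` is printed twice; the second one precedes the check of `$CAreq2` and should read `echo verify request 2`. With the per-step error messages removed and several commands writing to `>err.ss`, these labels are the only hint of which step stopped the run, so they need to be accurate.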
@@ -59,14 +49,12 @@ create_tsa_cert () { export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new \ - -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem - test $? != 0 && error -echo Using extension $EXT + -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem || exit 1 + echo using extension $EXT ../../util/shlib_wrap.sh ../../apps/openssl x509 -req \ -in tsa_req${INDEX}.pem -out tsa_cert${INDEX}.pem \ -CA tsaca.pem -CAkey tsacakey.pem -CAcreateserial \ - -extfile $OPENSSL_CONF -extensions $EXT - test $? != 0 && error + -extfile $OPENSSL_CONF -extensions $EXT || exit 1 } print_request () { 
@@ -76,163 +64,133 @@ print_request () { create_time_stamp_request1 () { - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq - test $? != 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1 } create_time_stamp_request2 () { ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ - -out req2.tsq - test $? != 0 && error + -out req2.tsq || exit 1 } create_time_stamp_request3 () { - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq - test $? != 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1 } print_response () { - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text - test $? != 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text || exit 1 } create_time_stamp_response () { - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2 - test $? != 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2 || exit 1 } time_stamp_response_token_test () { RESPONSE2=$2.copy.tsr TOKEN_DER=$2.token.der - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out - test $? != 0 && error - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 - test $? != 0 && error - cmp $RESPONSE2 $2 - test $? != 0 && error - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out - test $? != 0 && error - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out - test $? != 0 && error - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out - test $? 
!= 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out || exit 1 + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1 + cmp $RESPONSE2 $2 || exit 1 + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out || exit 1 + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out || exit 1 + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out || exit 1 } verify_time_stamp_response () { ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ - -untrusted tsa_cert1.pem - test $? != 0 && error + -untrusted tsa_cert1.pem || exit 1 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \ - -untrusted tsa_cert1.pem - test $? != 0 && error + -untrusted tsa_cert1.pem || exit 1 } verify_time_stamp_token () { # create the token from the response first - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out - test $? != 0 && error + ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out || exit 1 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \ - -CAfile tsaca.pem -untrusted tsa_cert1.pem - test $? != 0 && error + -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \ - -CAfile tsaca.pem -untrusted tsa_cert1.pem - test $? != 0 && error + -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 } verify_time_stamp_response_fail () { ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ - -untrusted tsa_cert1.pem - # Checks if the verification failed, as it should have. - test $? 
= 0 && error - echo Ok + -untrusted tsa_cert1.pem && exit 1 + echo ok } # main functions -echo "Setting up TSA test directory..." +echo setting up TSA test directory setup_dir -echo "Creating CA for TSA tests..." +echo creating CA for TSA tests create_ca -echo "Creating tsa_cert1.pem TSA server cert..." +echo creating tsa_cert1.pem TSA server cert create_tsa_cert 1 tsa_cert -echo "Creating tsa_cert2.pem non-TSA server cert..." +echo creating tsa_cert2.pem non-TSA server cert create_tsa_cert 2 non_tsa_cert -echo "Creating req1.req time stamp request for file testtsa..." +echo creating req1.req time stamp request for file testtsa create_time_stamp_request1 -echo "Printing req1.req..." +echo printing req1.req print_request req1.tsq -echo "Generating valid response for req1.req..." +echo generating valid response for req1.req create_time_stamp_response req1.tsq resp1.tsr tsa_config1 -echo "Printing response..." +echo printing response print_response resp1.tsr -echo "Verifying valid response..." +echo verifying valid response verify_time_stamp_response req1.tsq resp1.tsr ../testtsa -echo "Verifying valid token..." +echo verifying valid token verify_time_stamp_token req1.tsq resp1.tsr ../testtsa -# The tests below are commented out, because invalid signer certificates -# can no longer be specified in the config file. - -# echo "Generating _invalid_ response for req1.req..." -# create_time_stamp_response req1.tsq resp1_bad.tsr tsa_config2 - -# echo "Printing response..." -# print_response resp1_bad.tsr - -# echo "Verifying invalid response, it should fail..." -# verify_time_stamp_response_fail req1.tsq resp1_bad.tsr - -echo "Creating req2.req time stamp request for file testtsa..." +echo creating req2.req time stamp request for file testtsa create_time_stamp_request2 -echo "Printing req2.req..." +echo printing req2.req print_request req2.tsq -echo "Generating valid response for req2.req..." 
+echo generating valid response for req2.req create_time_stamp_response req2.tsq resp2.tsr tsa_config1 -echo "Checking '-token_in' and '-token_out' options with '-reply'..." +echo checking -token_in and -token_out options with -reply time_stamp_response_token_test req2.tsq resp2.tsr -echo "Printing response..." +echo printing response print_response resp2.tsr -echo "Verifying valid response..." +echo verifying valid response verify_time_stamp_response req2.tsq resp2.tsr ../testtsa -echo "Verifying response against wrong request, it should fail..." +echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req1.tsq resp2.tsr -echo "Verifying response against wrong request, it should fail..." +echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req2.tsq resp1.tsr -echo "Creating req3.req time stamp request for file CAtsa.cnf..." +echo creating req3.req time stamp request for file CAtsa.cnf create_time_stamp_request3 -echo "Printing req3.req..." +echo printing req3.req print_request req3.tsq -echo "Verifying response against wrong request, it should fail..." +echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req3.tsq resp1.tsr -echo "Cleaning up..." +echo cleaning up clean_up_dir exit 0 diff --git a/test/tkey b/test/tkey index b7097e6..c6abd2f 100644 --- a/test/tkey +++ b/test/tkey 
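Review bot: In `verify_time_stamp_response_fail` in test/testtsa the inverted check `-untrusted tsa_cert1.pem && exit 1` lost the comment that explained it, and a reader can easily take it for a typo of `|| exit 1`; a line such as `# negative test: abort only if verification unexpectedly succeeds` above the command would restore the intent. The check also accepts any non-zero status as the expected rejection, so a missing input file or a command that cannot start would count as a pass; the hunk does not show whether the exit codes distinguish those cases. With the `error` helper removed, a failing step no longer prints `TSA test failed!` to stderr, and `exit 1` inside the helper functions ends the script before `clean_up_dir` runs.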
@@ -20,81 +20,55 @@ echo testing $ktype $ptype conversions cp $t $ktype-fff.p echo "p -> d" -$cmd -in $ktype-fff.p -inform p -outform d >$ktype-f.d -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-fff.p -inform p -outform d >$ktype-f.d || exit 1 echo "p -> p" -$cmd -in $ktype-fff.p -inform p -outform p >$ktype-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-fff.p -inform p -outform p >$ktype-f.p || exit 1 echo "d -> d" -$cmd -in $ktype-f.d -inform d -outform d >$ktype-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.d -inform d -outform d >$ktype-ff.d1 || exit 1 echo "p -> d" -$cmd -in $ktype-f.p -inform p -outform d >$ktype-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.p -inform p -outform d >$ktype-ff.d3 || exit 1 echo "d -> p" -$cmd -in $ktype-f.d -inform d -outform p >$ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.d -inform d -outform p >$ktype-ff.p1 || exit 1 echo "p -> p" -$cmd -in $ktype-f.p -inform p -outform p >$ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.p -inform p -outform p >$ktype-ff.p3 || exit 1 -cmp $ktype-fff.p $ktype-f.p -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-fff.p $ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-fff.p $ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp $ktype-f.p $ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-f.p $ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi +cmp $ktype-fff.p $ktype-f.p || exit 1 +cmp $ktype-fff.p $ktype-ff.p1 || exit 1 +cmp $ktype-fff.p $ktype-ff.p3 || exit 1 +cmp $ktype-f.p $ktype-ff.p1 || exit 1 +cmp $ktype-f.p $ktype-ff.p3 || exit 1 /bin/rm -f $ktype-f.* $ktype-ff.* $ktype-fff.* -if [ $ptype = "public" ]; then - exit 0 -fi +[ $ptype = "public" ] && exit 0 -cmd="../util/shlib_wrap.sh ../apps/openssl pkey" echo testing $ktype PKCS#8 conversions +cmd="../util/shlib_wrap.sh ../apps/openssl pkey" $cmd -in $t -out $ktype-fff.p echo "p -> d" -$cmd -in $ktype-fff.p -inform p -outform d >$ktype-f.d -if [ $? 
!= 0 ]; then exit 1; fi +$cmd -in $ktype-fff.p -inform p -outform d >$ktype-f.d || exit 1 echo "p -> p" -$cmd -in $ktype-fff.p -inform p -outform p >$ktype-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-fff.p -inform p -outform p >$ktype-f.p || exit 1 echo "d -> d" -$cmd -in $ktype-f.d -inform d -outform d >$ktype-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.d -inform d -outform d >$ktype-ff.d1 || exit 1 echo "p -> d" -$cmd -in $ktype-f.p -inform p -outform d >$ktype-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.p -inform p -outform d >$ktype-ff.d3 || exit 1 echo "d -> p" -$cmd -in $ktype-f.d -inform d -outform p >$ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.d -inform d -outform p >$ktype-ff.p1 || exit 1 echo "p -> p" -$cmd -in $ktype-f.p -inform p -outform p >$ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp $ktype-fff.p $ktype-f.p -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-fff.p $ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-fff.p $ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp $ktype-f.p $ktype-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp $ktype-f.p $ktype-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in $ktype-f.p -inform p -outform p >$ktype-ff.p3 || exit 1 + +cmp $ktype-fff.p $ktype-f.p || exit 1 +cmp $ktype-fff.p $ktype-ff.p1 || exit 1 +cmp $ktype-fff.p $ktype-ff.p3 || exit 1 +cmp $ktype-f.p $ktype-ff.p1 || exit 1 +cmp $ktype-f.p $ktype-ff.p3 || exit 1 /bin/rm -f $ktype-f.* $ktype-ff.* $ktype-fff.* diff --git a/test/tpkcs7 b/test/tpkcs7 index 27bd343..a1e8c0a 100644 --- a/test/tpkcs7 +++ b/test/tpkcs7 
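Review bot: The new early exit in test/tkey, `[ $ptype = "public" ] && exit 0`, leaves `$ptype` unquoted, so an empty value makes the test expression malformed and the script falls through into the PKCS#8 section instead of stopping; `[ "$ptype" = "public" ] && exit 0` avoids that. `$ptype` is set outside the hunk, so whether it can be empty is not visible here. The first PKCS#8 step, `$cmd -in $t -out $ktype-fff.p`, is also the one conversion in this hunk without `|| exit 1`, so a failure there surfaces only at a later step.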
@@ -13,37 +13,25 @@ echo testing pkcs7 conversions cp $t p7-fff.p echo "p -> d" -$cmd -in p7-fff.p -inform p -outform d >p7-f.d -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-fff.p -inform p -outform d >p7-f.d || exit 1 echo "p -> p" -$cmd -in p7-fff.p -inform p -outform p >p7-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-fff.p -inform p -outform p >p7-f.p || exit 1 echo "d -> d" -$cmd -in p7-f.d -inform d -outform d >p7-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-f.d -inform d -outform d >p7-ff.d1 || exit 1 echo "p -> d" -$cmd -in p7-f.p -inform p -outform d >p7-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-f.p -inform p -outform d >p7-ff.d3 || exit 1 echo "d -> p" -$cmd -in p7-f.d -inform d -outform p >p7-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-f.d -inform d -outform p >p7-ff.p1 || exit 1 echo "p -> p" -$cmd -in p7-f.p -inform p -outform p >p7-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp p7-fff.p p7-f.p -if [ $? != 0 ]; then exit 1; fi -cmp p7-fff.p p7-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp p7-fff.p p7-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp p7-f.p p7-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp p7-f.p p7-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7-f.p -inform p -outform p >p7-ff.p3 || exit 1 + +cmp p7-fff.p p7-f.p || exit 1 +cmp p7-fff.p p7-ff.p1 || exit 1 +cmp p7-fff.p p7-ff.p3 || exit 1 +cmp p7-f.p p7-ff.p1 || exit 1 +cmp p7-f.p p7-ff.p3 || exit 1 /bin/rm -f p7-f.* p7-ff.* p7-fff.* exit 0 diff --git a/test/tpkcs7d b/test/tpkcs7d index 4354d59..9dc2932 100644 --- a/test/tpkcs7d +++ b/test/tpkcs7d 
@@ -13,30 +13,22 @@ echo "testing pkcs7 conversions (2)" cp $t p7d-fff.p echo "p -> d" -$cmd -in p7d-fff.p -inform p -outform d >p7d-f.d -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-fff.p -inform p -outform d >p7d-f.d || exit 1 echo "p -> p" -$cmd -in p7d-fff.p -inform p -outform p >p7d-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-fff.p -inform p -outform p >p7d-f.p || exit 1 echo "d -> d" -$cmd -in p7d-f.d -inform d -outform d >p7d-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-f.d -inform d -outform d >p7d-ff.d1 || exit 1 echo "p -> d" -$cmd -in p7d-f.p -inform p -outform d >p7d-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-f.p -inform p -outform d >p7d-ff.d3 || exit 1 echo "d -> p" -$cmd -in p7d-f.d -inform d -outform p >p7d-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-f.d -inform d -outform p >p7d-ff.p1 || exit 1 echo "p -> p" -$cmd -in p7d-f.p -inform p -outform p >p7d-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in p7d-f.p -inform p -outform p >p7d-ff.p3 || exit 1 -cmp p7d-f.p p7d-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp p7d-f.p p7d-ff.p3 -if [ $? != 0 ]; then exit 1; fi +cmp p7d-f.p p7d-ff.p1 || exit 1 +cmp p7d-f.p p7d-ff.p3 || exit 1 /bin/rm -f p7d-f.* p7d-ff.* p7d-fff.* exit 0 diff --git a/test/treq b/test/treq index 82decce..89f088c 100644 --- a/test/treq +++ b/test/treq 
@@ -18,40 +18,25 @@ echo testing req conversions cp $t req-fff.p echo "p -> d" -$cmd -in req-fff.p -inform p -outform d >req-f.d -if [ $? != 0 ]; then exit 1; fi +$cmd -in req-fff.p -inform p -outform d >req-f.d || exit 1 echo "p -> p" -$cmd -in req-fff.p -inform p -outform p >req-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in req-fff.p -inform p -outform p >req-f.p || exit 1 echo "d -> d" -$cmd -verify -in req-f.d -inform d -outform d >req-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -verify -in req-f.d -inform d -outform d >req-ff.d1 || exit 1 echo "p -> d" -$cmd -verify -in req-f.p -inform p -outform d >req-ff.d3 -if [ $? != 0 ]; then exit 1; fi - +$cmd -verify -in req-f.p -inform p -outform d >req-ff.d3 || exit 1 echo "d -> p" -$cmd -in req-f.d -inform d -outform p >req-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in req-f.d -inform d -outform p >req-ff.p1 || exit 1 echo "p -> p" -$cmd -in req-f.p -inform p -outform p >req-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp req-fff.p req-f.p -if [ $? != 0 ]; then exit 1; fi -cmp req-fff.p req-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#cmp req-fff.p req-ff.p2 -#if [ $? != 0 ]; then exit 1; fi -cmp req-fff.p req-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp req-f.p req-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp req-f.p req-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in req-f.p -inform p -outform p >req-ff.p3 || exit 1 + +cmp req-fff.p req-f.p || exit 1 +cmp req-fff.p req-ff.p1 || exit 1 +cmp req-fff.p req-ff.p3 || exit 1 +cmp req-f.p req-ff.p1 || exit 1 +cmp req-f.p req-ff.p3 || exit 1 /bin/rm -f req-f.* req-ff.* req-fff.* exit 0 diff --git a/test/tsid b/test/tsid index c804383..a5c1c73 100644 --- a/test/tsid +++ b/test/tsid 
@@ -13,67 +13,25 @@ echo testing session-id conversions cp $t sid-fff.p echo "p -> d" -$cmd -in sid-fff.p -inform p -outform d >sid-f.d -if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in sid-fff.p -inform p -outform t >sid-f.t -#if [ $? != 0 ]; then exit 1; fi +$cmd -in sid-fff.p -inform p -outform d >sid-f.d || exit 1 echo "p -> p" -$cmd -in sid-fff.p -inform p -outform p >sid-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in sid-fff.p -inform p -outform p >sid-f.p || exit 1 echo "d -> d" -$cmd -in sid-f.d -inform d -outform d >sid-ff.d1 -if [ $? != 0 ]; then exit 1; fi -#echo "t -> d" -#$cmd -in sid-f.t -inform t -outform d >sid-ff.d2 -#if [ $? != 0 ]; then exit 1; fi +$cmd -in sid-f.d -inform d -outform d >sid-ff.d1 || exit 1 echo "p -> d" -$cmd -in sid-f.p -inform p -outform d >sid-ff.d3 -if [ $? != 0 ]; then exit 1; fi - -#echo "d -> t" -#$cmd -in sid-f.d -inform d -outform t >sid-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#echo "t -> t" -#$cmd -in sid-f.t -inform t -outform t >sid-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#echo "p -> t" -#$cmd -in sid-f.p -inform p -outform t >sid-ff.t3 -#if [ $? != 0 ]; then exit 1; fi +$cmd -in sid-f.p -inform p -outform d >sid-ff.d3 || exit 1 echo "d -> p" -$cmd -in sid-f.d -inform d -outform p >sid-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#echo "t -> p" -#$cmd -in sid-f.t -inform t -outform p >sid-ff.p2 -#if [ $? != 0 ]; then exit 1; fi +$cmd -in sid-f.d -inform d -outform p >sid-ff.p1 || exit 1 echo "p -> p" -$cmd -in sid-f.p -inform p -outform p >sid-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp sid-fff.p sid-f.p -if [ $? != 0 ]; then exit 1; fi -cmp sid-fff.p sid-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#cmp sid-fff.p sid-ff.p2 -#if [ $? != 0 ]; then exit 1; fi -cmp sid-fff.p sid-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -#cmp sid-f.t sid-ff.t1 -#if [ $? != 0 ]; then exit 1; fi -#cmp sid-f.t sid-ff.t2 -#if [ $? != 0 ]; then exit 1; fi -#cmp sid-f.t sid-ff.t3 -#if [ $? 
!= 0 ]; then exit 1; fi +$cmd -in sid-f.p -inform p -outform p >sid-ff.p3 || exit 1 -cmp sid-f.p sid-ff.p1 -if [ $? != 0 ]; then exit 1; fi -#cmp sid-f.p sid-ff.p2 -#if [ $? != 0 ]; then exit 1; fi -cmp sid-f.p sid-ff.p3 -if [ $? != 0 ]; then exit 1; fi +cmp sid-fff.p sid-f.p || exit 1 +cmp sid-fff.p sid-ff.p1 || exit 1 +cmp sid-fff.p sid-ff.p3 || exit 1 +cmp sid-f.p sid-ff.p1 || exit 1 +cmp sid-f.p sid-ff.p3 || exit 1 /bin/rm -f sid-f.* sid-ff.* sid-fff.* exit 0 diff --git a/test/tx509 b/test/tx509 index 4e9c0a5..f4774c0 100644 --- a/test/tx509 +++ b/test/tx509 
@@ -13,67 +13,44 @@ echo testing X509 conversions cp $t x509-fff.p echo "p -> d" -$cmd -in x509-fff.p -inform p -outform d >x509-f.d -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-fff.p -inform p -outform d >x509-f.d || exit 1 echo "p -> n" -$cmd -in x509-fff.p -inform p -outform n >x509-f.n -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-fff.p -inform p -outform n >x509-f.n || exit 1 echo "p -> p" -$cmd -in x509-fff.p -inform p -outform p >x509-f.p -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-fff.p -inform p -outform p >x509-f.p || exit 1 echo "d -> d" -$cmd -in x509-f.d -inform d -outform d >x509-ff.d1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.d -inform d -outform d >x509-ff.d1 || exit 1 echo "n -> d" -$cmd -in x509-f.n -inform n -outform d >x509-ff.d2 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.n -inform n -outform d >x509-ff.d2 || exit 1 echo "p -> d" -$cmd -in x509-f.p -inform p -outform d >x509-ff.d3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.p -inform p -outform d >x509-ff.d3 || exit 1 echo "d -> n" -$cmd -in x509-f.d -inform d -outform n >x509-ff.n1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.d -inform d -outform n >x509-ff.n1 || exit 1 echo "n -> n" -$cmd -in x509-f.n -inform n -outform n >x509-ff.n2 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.n -inform n -outform n >x509-ff.n2 || exit 1 echo "p -> n" -$cmd -in x509-f.p -inform p -outform n >x509-ff.n3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.p -inform p -outform n >x509-ff.n3 || exit 1 echo "d -> p" -$cmd -in x509-f.d -inform d -outform p >x509-ff.p1 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.d -inform d -outform p >x509-ff.p1 || exit 1 echo "n -> p" -$cmd -in x509-f.n -inform n -outform p >x509-ff.p2 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.n -inform n -outform p >x509-ff.p2 || exit 1 echo "p -> p" -$cmd -in x509-f.p -inform p -outform p >x509-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp x509-fff.p x509-f.p -if [ $? 
!= 0 ]; then exit 1; fi -cmp x509-fff.p x509-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp x509-fff.p x509-ff.p2 -if [ $? != 0 ]; then exit 1; fi -cmp x509-fff.p x509-ff.p3 -if [ $? != 0 ]; then exit 1; fi - -cmp x509-f.n x509-ff.n1 -if [ $? != 0 ]; then exit 1; fi -cmp x509-f.n x509-ff.n2 -if [ $? != 0 ]; then exit 1; fi -cmp x509-f.n x509-ff.n3 -if [ $? != 0 ]; then exit 1; fi - -cmp x509-f.p x509-ff.p1 -if [ $? != 0 ]; then exit 1; fi -cmp x509-f.p x509-ff.p2 -if [ $? != 0 ]; then exit 1; fi -cmp x509-f.p x509-ff.p3 -if [ $? != 0 ]; then exit 1; fi +$cmd -in x509-f.p -inform p -outform p >x509-ff.p3 || exit 1 + +cmp x509-fff.p x509-f.p || exit 1 +cmp x509-fff.p x509-ff.p1 || exit 1 +cmp x509-fff.p x509-ff.p2 || exit 1 +cmp x509-fff.p x509-ff.p3 || exit 1 + +cmp x509-f.n x509-ff.n1 || exit 1 +cmp x509-f.n x509-ff.n2 || exit 1 +cmp x509-f.n x509-ff.n3 || exit 1 +cmp x509-f.p x509-ff.p1 || exit 1 +cmp x509-f.p x509-ff.p2 || exit 1 +cmp x509-f.p x509-ff.p3 || exit 1 /bin/rm -f x509-f.* x509-ff.* x509-fff.* exit 0 From matt at openssl.org Fri Apr 10 15:25:55 2015 From: matt at openssl.org (Matt Caswell) Date: Fri, 10 Apr 2015 15:25:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428679555.454748.11303.nullmailer@dev.openssl.org> The branch master has been updated via 4118dfdcc8aa2c2cf496bb33cbc1b9581c33af2f (commit) from 30f54ad295d58ff8c6d28c1fd612d23c2c343d19 (commit) - Log ----------------------------------------------------------------- commit 4118dfdcc8aa2c2cf496bb33cbc1b9581c33af2f Author: Matt Caswell Date: Fri Apr 10 15:33:45 2015 +0100 Fix read_ahead issue Fix a "&" that should have been "!" when processing read_ahead. RT#3793 Reviewed-by: Rich Salz Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: ssl/record/rec_layer_s3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c index de8dac2..0ec1d2c 100644 --- a/ssl/record/rec_layer_s3.c +++ b/ssl/record/rec_layer_s3.c @@ -380,7 +380,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) } /* We always act like read_ahead is set for DTLS */ - if (&s->rlayer.read_ahead && !SSL_IS_DTLS(s)) + if (!s->rlayer.read_ahead && !SSL_IS_DTLS(s)) /* ignore max parameter */ max = n; else { From rsalz at openssl.org Fri Apr 10 15:40:33 2015 From: rsalz at openssl.org (Rich Salz) Date: Fri, 10 Apr 2015 15:40:33 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428680433.560055.15666.nullmailer@dev.openssl.org> The branch master has been updated via e71cecd551f1d8beca20681184d94f7000a5e333 (commit) from 4118dfdcc8aa2c2cf496bb33cbc1b9581c33af2f (commit) - Log ----------------------------------------------------------------- commit e71cecd551f1d8beca20681184d94f7000a5e333 Author: Rich Salz Date: Fri Apr 10 11:37:53 2015 -0400 fix to "test script cleanup" Fix commit 30f54ad295d58ff8c6d28c1fd612d23c2c343d19 which used non-portable syntax for checking exit status. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: test/testca | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/testca b/test/testca index 8961cf8..d4d0159 100644 --- a/test/testca +++ b/test/testca 
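Review bot: The `if` arm in ssl3_read_n stays unbraced, with the `/* ignore max parameter */` comment sitting between the condition and `max = n;`, while the `else` arm is braced; bracing both arms would make it harder to misread what the condition governs. The old `&s->rlayer.read_ahead` took the address of the field, which is never null, so on non-DTLS connections this branch was always taken regardless of the read_ahead setting. No test accompanies the fix as far as the diffstat shows; one that enables read_ahead on a TLS connection and exercises this path would catch a recurrence. A comment such as `/* read_ahead off and not DTLS: read exactly n bytes */` on the branch would state the intent that the one-character change restores. The function begins before the hunk and continues after it.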
@@ -17,11 +17,11 @@ export OPENSSL /bin/rm -fr demoCA -# Could do '...CA.pl -newca || exot 1 << EOF +# Could do '...CA.pl -newca < The branch master has been updated via 34b0a927ab5c9232bcf864d524a9bf2558411700 (commit) from e71cecd551f1d8beca20681184d94f7000a5e333 (commit) - Log ----------------------------------------------------------------- commit 34b0a927ab5c9232bcf864d524a9bf2558411700 Author: Viktor Dukhovni Date: Fri Apr 10 12:25:30 2015 -0400 Polish shell script to avoid needless complexity. No need for here documents, just use "yes" or Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/testca | 32 +++++++++----------------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/test/testca b/test/testca index d4d0159..4bcb1fd 100644 --- a/test/testca +++ b/test/testca @@ -1,5 +1,7 @@ #!/bin/sh +set -e + PERL="$1" if test "$OSTYPE" = msdosdjgpp; then 
@@ -9,35 +11,19 @@ else fi export PATH -SSLEAY_CONFIG="-config CAss.cnf" -export SSLEAY_CONFIG - -OPENSSL="`pwd`/../util/opensslwrap.sh" -export OPENSSL +export SSLEAY_CONFIG="-config CAss.cnf" +export OPENSSL="`pwd`/../util/opensslwrap.sh" /bin/rm -fr demoCA -# Could do '...CA.pl -newca < The branch master has been updated via 9fdbc9df76a68a30df349c53f1ceeb915f82948c (commit) via 7a317fa07cf3d9952c574e7d214d371798fee42a (commit) from 34b0a927ab5c9232bcf864d524a9bf2558411700 (commit) - Log ----------------------------------------------------------------- commit 9fdbc9df76a68a30df349c53f1ceeb915f82948c Author: Dr. Stephen Henson Date: Fri Apr 10 02:31:16 2015 +0100 Fix ECDH detection, add ECDH keyid test. Reviewed-by: Rich Salz commit 7a317fa07cf3d9952c574e7d214d371798fee42a Author: Dr. Stephen Henson Date: Fri Apr 10 02:33:44 2015 +0100 Fix ECDH key identifier support. PR#3789 Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_kari.c | 4 ++++ test/cms-test.pl | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 5aaba59..69a5115 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -66,6 +66,7 @@ DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) +DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) /* Key Agreement Recipient Info (KARI) routines */ @@ -360,6 +361,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, if (flags & CMS_USE_KEYID) { rek->rid->type = CMS_REK_KEYIDENTIFIER; + rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier); + if (rek->rid->d.rKeyId == NULL) + return 0; if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) return 0; } else { diff --git a/test/cms-test.pl b/test/cms-test.pl index 51abeef..baa3b59 100644 --- a/test/cms-test.pl +++ b/test/cms-test.pl 
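Review bot: `export SSLEAY_CONFIG="-config CAss.cnf"` and `export OPENSSL="`pwd`/../util/opensslwrap.sh"` combine assignment and export, which POSIX sh accepts but a traditional Bourne shell installed as /bin/sh on some older systems rejects. The script runs under `#!/bin/sh`, and the preceding commit to this file was itself a fix for non-portable syntax. Keeping the two-step form, `SSLEAY_CONFIG="-config CAss.cnf"` followed by `export SSLEAY_CONFIG`, avoids the problem. The `set -e` added in the first hunk also makes every later non-zero exit fatal, so any command expected to fail needs an explicit `|| true`; the rest of this hunk is not legible on the page, so that could not be checked.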
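Review bot: In cms_RecipientInfo_kari_init, `rek->rid->type = CMS_REK_KEYIDENTIFIER;` is assigned before `rek->rid->d.rKeyId` is allocated, so when `M_ASN1_new_of` fails the function returns with a type tag that names a member which is still NULL. Allocating first and setting the type only after the NULL check keeps the structure consistent for whatever code later frees or inspects it. The new `return 0` also puts nothing on the error queue as far as the hunk shows; a `CMSerr` call with `ERR_R_MALLOC_FAILURE` before it would tell callers why the call failed. The same hunk is cherry-picked to OpenSSL_1_0_2-stable in the following mail, and the function starts and ends outside the hunk.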
@@ -128,7 +128,7 @@ else die "Error checking for EC2M support\n"; } -system ("$ossl_path no-ecdh > $null_path"); +system ("$ossl_path no-ec > $null_path"); if ($? == 0) { $no_ecdh = 1; @@ -453,6 +453,14 @@ my @smime_cms_param_tests = ( ], [ +"enveloped content test streaming S/MIME format, ECDH, key identifier", + "-encrypt -keyid -in smcont.txt" + . " -stream -out test.cms" + . " -recip $smdir/smec1.pem", + "-decrypt -recip $smdir/smec1.pem -in test.cms -out smtst.txt" + ], + + [ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF", "-encrypt -in smcont.txt" . " -stream -out test.cms" From steve at openssl.org Fri Apr 10 17:53:42 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 17:53:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428688422.224194.10906.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 07395b7a6dfdbe263677e58519f1d11d51d31da5 (commit) via 784f155e0d39cff1fd6e76e75c07f56ae25ebced (commit) from 42802a94be61c9378ead72bb40f02c8b33f1f6e6 (commit) - Log ----------------------------------------------------------------- commit 07395b7a6dfdbe263677e58519f1d11d51d31da5 Author: Dr. Stephen Henson Date: Fri Apr 10 02:33:44 2015 +0100 Fix ECDH key identifier support. PR#3789 Reviewed-by: Rich Salz (cherry picked from commit 7a317fa07cf3d9952c574e7d214d371798fee42a) commit 784f155e0d39cff1fd6e76e75c07f56ae25ebced Author: Dr. Stephen Henson Date: Fri Apr 10 02:31:16 2015 +0100 Fix ECDH detection, add ECDH keyid test. Reviewed-by: Rich Salz (cherry picked from commit 9fdbc9df76a68a30df349c53f1ceeb915f82948c) ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_kari.c | 4 ++++ test/cms-test.pl | 10 +++++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index f8a6cba..2cfcdb2 100644 --- a/crypto/cms/cms_kari.c 
+++ b/crypto/cms/cms_kari.c @@ -66,6 +66,7 @@ DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) +DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) /* Key Agreement Recipient Info (KARI) routines */ @@ -362,6 +363,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, if (flags & CMS_USE_KEYID) { rek->rid->type = CMS_REK_KEYIDENTIFIER; + rek->rid->d.rKeyId = M_ASN1_new_of(CMS_RecipientKeyIdentifier); + if (rek->rid->d.rKeyId == NULL) + return 0; if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) return 0; } else { diff --git a/test/cms-test.pl b/test/cms-test.pl index 51abeef..baa3b59 100644 --- a/test/cms-test.pl +++ b/test/cms-test.pl @@ -128,7 +128,7 @@ else die "Error checking for EC2M support\n"; } -system ("$ossl_path no-ecdh > $null_path"); +system ("$ossl_path no-ec > $null_path"); if ($? == 0) { $no_ecdh = 1; @@ -453,6 +453,14 @@ my @smime_cms_param_tests = ( ], [ +"enveloped content test streaming S/MIME format, ECDH, key identifier", + "-encrypt -keyid -in smcont.txt" + . " -stream -out test.cms" + . " -recip $smdir/smec1.pem", + "-decrypt -recip $smdir/smec1.pem -in test.cms -out smtst.txt" + ], + + [ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF", "-encrypt -in smcont.txt" . " -stream -out test.cms" From steve at openssl.org Fri Apr 10 18:51:12 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 18:51:12 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428691872.410211.21465.nullmailer@dev.openssl.org> The branch master has been updated via f617b4969a9261b9d7d381670aefbe2cf766a2cb (commit) from 9fdbc9df76a68a30df349c53f1ceeb915f82948c (commit) - Log ----------------------------------------------------------------- commit f617b4969a9261b9d7d381670aefbe2cf766a2cb Author: Dr. Stephen Henson Date: Thu Apr 2 13:45:14 2015 +0100 Don't set *pval to NULL in ASN1_item_ex_new. While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_new.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index 1b36ecc..aeced95 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -94,8 +94,6 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) else asn1_cb = 0; - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); From steve at openssl.org Fri Apr 10 18:55:02 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 18:55:02 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1428692102.477951.23433.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via c5b0f5c46309421da2fba3bd2363bbc80af385b1 (commit) from 32fbe9149e01dc79d97efe13aff2054f77045afb (commit) - Log ----------------------------------------------------------------- commit c5b0f5c46309421da2fba3bd2363bbc80af385b1 Author: Dr. Stephen Henson Date: Thu Apr 2 13:45:14 2015 +0100 Don't set *pval to NULL in ASN1_item_ex_new. While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte (cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb) Conflicts: crypto/asn1/tasn_new.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_new.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index 8c540cc..b41d20c 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); From steve at openssl.org Fri Apr 10 18:55:02 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 18:55:02 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428692102.653205.23476.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via bd41063b1163a897333288d9789ac2ace2613783 (commit) from 0186f7bf87cbb1f043cbb95bc302c1e950a19462 (commit) - Log ----------------------------------------------------------------- commit bd41063b1163a897333288d9789ac2ace2613783 Author: Dr. Stephen Henson Date: Thu Apr 2 13:45:14 2015 +0100 Don't set *pval to NULL in ASN1_item_ex_new. While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte (cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb) Conflicts: crypto/asn1/tasn_new.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_new.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index 7d2964f..b0c73be 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); From steve at openssl.org Fri Apr 10 18:55:02 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 18:55:02 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1428692102.553160.23455.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via dafa9534de489bbb0c496eae628cacadcdd01821 (commit) from e35e22e1d930217fa0b879e0a7ae34efd94465e4 (commit) - Log ----------------------------------------------------------------- commit dafa9534de489bbb0c496eae628cacadcdd01821 Author: Dr. Stephen Henson Date: Thu Apr 2 13:45:14 2015 +0100 Don't set *pval to NULL in ASN1_item_ex_new. While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte (cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb) Conflicts: crypto/asn1/tasn_new.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_new.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index d25c68c..9f3a411 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); From steve at openssl.org Fri Apr 10 18:55:02 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 10 Apr 2015 18:55:02 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428692102.752987.23497.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 6df777ed508ca785b31d6e92e73961ac282ab3ea (commit) from 07395b7a6dfdbe263677e58519f1d11d51d31da5 (commit) - Log ----------------------------------------------------------------- commit 6df777ed508ca785b31d6e92e73961ac282ab3ea Author: Dr. Stephen Henson Date: Thu Apr 2 13:45:14 2015 +0100 Don't set *pval to NULL in ASN1_item_ex_new. While *pval is usually a pointer in rare circumstances it can be a long value. One some platforms (e.g. WIN64) where sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field. *pval is initialised correctly in the rest of ASN1_item_ex_new so setting it to NULL is unecessary anyway. Thanks to Julien Kauffmann for reporting this issue. Reviewed-by: Richard Levitte (cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb) Conflicts: crypto/asn1/tasn_new.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/tasn_new.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index 7d2964f..b0c73be 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); From steve at openssl.org Sat Apr 11 11:51:43 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 11 Apr 2015 11:51:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428753103.849224.20042.nullmailer@dev.openssl.org> The branch master has been updated via e2010b202a52be9120582537845f422a60d5d8c0 (commit) from f617b4969a9261b9d7d381670aefbe2cf766a2cb (commit) - Log ----------------------------------------------------------------- commit e2010b202a52be9120582537845f422a60d5d8c0 Author: Kurt Cancemi Date: Thu Apr 9 09:54:38 2015 -0400 The wrong ifdef is used to guard usage of PSK code PR#3790 Reviewed-by: Stephen Henson Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ssl/ssl_asn1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index fb2a495..b6e7849 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -109,7 +109,7 @@ typedef struct { long tlsext_tick_lifetime_hint; ASN1_OCTET_STRING *tlsext_tick; #endif -#ifndef OPENSSL_NO_TLSEXT +#ifndef OPENSSL_NO_PSK ASN1_OCTET_STRING *psk_identity_hint; ASN1_OCTET_STRING *psk_identity; #endif From rsalz at openssl.org Sat Apr 11 14:23:03 2015 
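Review bot: With `psk_identity_hint` and `psk_identity` now declared under `#ifndef OPENSSL_NO_PSK`, every place in ssl_asn1.c that fills, encodes, decodes or frees these members has to sit under the same guard, and those uses are outside this hunk. A mismatch would only show up in a build that disables one of TLSEXT and PSK but not the other, so compiling both combinations is the practical check for this change. The struct definition begins before the hunk and its closing line is not shown.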
From: rsalz at openssl.org (Rich Salz) Date: Sat, 11 Apr 2015 14:23:03 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428762183.406535.4356.nullmailer@dev.openssl.org> The branch master has been updated via 62adbcee392ba1061bf213174e8c59728e00860e (commit) from e2010b202a52be9120582537845f422a60d5d8c0 (commit) - Log ----------------------------------------------------------------- commit 62adbcee392ba1061bf213174e8c59728e00860e Author: Rich Salz Date: Sat Apr 11 10:22:36 2015 -0400 free NULL cleanup 10 Avoid checking for NULL before calling free functions. This gets ssl.*free: ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free Reviewed-by: Kurt Roeckx ----------------------------------------------------------------------- Summary of changes: apps/ciphers.c | 6 ++---- apps/ocsp.c | 3 +-- apps/s_client.c | 6 ++---- apps/s_server.c | 9 +++------ apps/s_time.c | 9 +++------ demos/bio/sconnect.c | 3 +-- demos/easy_tls/easy-tls.c | 3 +-- doc/ssl/SSL_CONF_CTX_new.pod | 1 + doc/ssl/SSL_CTX_free.pod | 2 ++ doc/ssl/SSL_SESSION_free.pod | 1 + doc/ssl/SSL_free.pod | 1 + ssl/bio_ssl.c | 5 ++--- ssl/s3_clnt.c | 3 +-- ssl/ssl_lib.c | 4 ++-- ssl/ssl_sess.c | 9 +++------ test/ssltest.c | 14 +++++--------- 16 files changed, 31 insertions(+), 48 deletions(-) diff --git a/apps/ciphers.c b/apps/ciphers.c index 6c7ff01..4b9a114 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -223,10 +223,8 @@ int MAIN(int argc, char **argv) end: if (use_supported && sk) sk_SSL_CIPHER_free(sk); - if (ctx != NULL) - SSL_CTX_free(ctx); - if (ssl != NULL) - SSL_free(ssl); + SSL_CTX_free(ctx); + SSL_free(ssl); BIO_free_all(STDout); apps_shutdown(); OPENSSL_EXIT(ret); diff --git a/apps/ocsp.c b/apps/ocsp.c index 9538096..96f4c67 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c 
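Review bot: The unconditional `SSL_CTX_free(ctx); SSL_free(ssl);` at `end:` is only safe if both functions return early on NULL, and every other hunk of this commit makes the same assumption (ocsp.c, s_client.c, s_server.c, s_time.c, the demos, bio_ssl.c, s3_clnt.c, ssl_lib.c, ssl_sess.c, ssltest.c). The pod changes record that contract for SSL_free, SSL_CTX_free, SSL_SESSION_free and SSL_CONF_CTX_free, but nothing on the page records it for the internal `ssl_sess_cert_free`, which s3_clnt.c now calls without a guard. A one-line comment at its definition, e.g. `/* a NULL argument is a no-op */`, would document it. Anyone carrying these hunks to another branch should first confirm that the target's free functions contain the NULL check, since the implementations are not part of this diff.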
@@ -1363,8 +1363,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, BIO_printf(bio_err, "Error querying OCSP responder\n"); end: BIO_free_all(cbio); - if (ctx) - SSL_CTX_free(ctx); + SSL_CTX_free(ctx); return resp; } diff --git a/apps/s_client.c b/apps/s_client.c index ec11617..a7e03a5 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2024,8 +2024,7 @@ int MAIN(int argc, char **argv) if (next_proto.data) OPENSSL_free(next_proto.data); #endif - if (ctx != NULL) - SSL_CTX_free(ctx); + SSL_CTX_free(ctx); if (cert) X509_free(cert); if (crls) @@ -2040,8 +2039,7 @@ int MAIN(int argc, char **argv) ssl_excert_free(exc); if (ssl_args) sk_OPENSSL_STRING_free(ssl_args); - if (cctx) - SSL_CONF_CTX_free(cctx); + SSL_CONF_CTX_free(cctx); #ifndef OPENSSL_NO_JPAKE if (jpake_secret && psk_key) OPENSSL_free(psk_key); diff --git a/apps/s_server.c b/apps/s_server.c index f97a97d..a66098e 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2003,8 +2003,7 @@ int MAIN(int argc, char *argv[]) print_stats(bio_s_out, ctx); ret = 0; end: - if (ctx != NULL) - SSL_CTX_free(ctx); + SSL_CTX_free(ctx); if (s_cert) X509_free(s_cert); if (crls) @@ -2031,8 +2030,7 @@ int MAIN(int argc, char *argv[]) OPENSSL_free(tlscstatp.port); if (tlscstatp.path) OPENSSL_free(tlscstatp.path); - if (ctx2 != NULL) - SSL_CTX_free(ctx2); + SSL_CTX_free(ctx2); if (s_cert2) X509_free(s_cert2); EVP_PKEY_free(s_key2); @@ -2047,8 +2045,7 @@ int MAIN(int argc, char *argv[]) ssl_excert_free(exc); if (ssl_args) sk_OPENSSL_STRING_free(ssl_args); - if (cctx) - SSL_CONF_CTX_free(cctx); + SSL_CONF_CTX_free(cctx); #ifndef OPENSSL_NO_JPAKE if (jpake_secret && psk_key) OPENSSL_free(psk_key); diff --git a/apps/s_time.c b/apps/s_time.c index 5b94634..4f460b6 100644 --- a/apps/s_time.c +++ b/apps/s_time.c 
@@ -540,13 +540,10 @@ int MAIN(int argc, char **argv) ret = 0; end: - if (scon != NULL) - SSL_free(scon); + SSL_free(scon); - if (tm_ctx != NULL) { - SSL_CTX_free(tm_ctx); - tm_ctx = NULL; - } + SSL_CTX_free(tm_ctx); + tm_ctx = NULL; apps_shutdown(); OPENSSL_EXIT(ret); } diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c index e6eddb1..73280b5 100644 --- a/demos/bio/sconnect.c +++ b/demos/bio/sconnect.c @@ -106,8 +106,7 @@ char *argv[]; ERR_print_errors_fp(stderr); } BIO_free_all(out); - if (ssl_ctx != NULL) - SSL_CTX_free(ssl_ctx); + SSL_CTX_free(ssl_ctx); exit(!ret); return (ret); } diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index 3475551..1a0a03a 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -804,8 +804,7 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg) err: tls_openssl_errors(err_pref_1, err_pref_2, NULL, apparg); err_return: - if (ret != NULL) - SSL_CTX_free(ret); + SSL_CTX_free(ret); return NULL; } diff --git a/doc/ssl/SSL_CONF_CTX_new.pod b/doc/ssl/SSL_CONF_CTX_new.pod index a9ccb04..79c8c94 100644 --- a/doc/ssl/SSL_CONF_CTX_new.pod +++ b/doc/ssl/SSL_CONF_CTX_new.pod @@ -17,6 +17,7 @@ The function SSL_CONF_CTX_new() allocates and initialises an B structure for use with the SSL_CONF functions. The function SSL_CONF_CTX_free() frees up the context B. +If B is NULL nothing is done. =head1 RETURN VALUES diff --git a/doc/ssl/SSL_CTX_free.pod b/doc/ssl/SSL_CTX_free.pod index 51d8676..f37617d 100644 --- a/doc/ssl/SSL_CTX_free.pod +++ b/doc/ssl/SSL_CTX_free.pod @@ -20,6 +20,8 @@ It also calls the free()ing procedures for indirectly affected items, if applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. +If B is NULL nothing is done. + =head1 WARNINGS If a session-remove callback is set (SSL_CTX_sess_set_remove_cb()), this diff --git a/doc/ssl/SSL_SESSION_free.pod b/doc/ssl/SSL_SESSION_free.pod index 110ec73..f30fe13 100644 
--- a/doc/ssl/SSL_SESSION_free.pod +++ b/doc/ssl/SSL_SESSION_free.pod @@ -15,6 +15,7 @@ SSL_SESSION_free - free an allocated SSL_SESSION structure SSL_SESSION_free() decrements the reference count of B and removes the B structure pointed to by B and frees up the allocated memory, if the reference count has reached 0. +If B is NULL nothing is done. =head1 NOTES diff --git a/doc/ssl/SSL_free.pod b/doc/ssl/SSL_free.pod index 13c1abd..e3e6f56 100644 --- a/doc/ssl/SSL_free.pod +++ b/doc/ssl/SSL_free.pod @@ -15,6 +15,7 @@ SSL_free - free an allocated SSL structure SSL_free() decrements the reference count of B, and removes the SSL structure pointed to by B and frees up the allocated memory if the reference count has reached 0. +If B is NULL nothing is done. =head1 NOTES diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 0344b7e..7cf941d 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -125,7 +125,7 @@ static int ssl_free(BIO *a) if (bs->ssl != NULL) SSL_shutdown(bs->ssl); if (a->shutdown) { - if (a->init && (bs->ssl != NULL)) + if (a->init) SSL_free(bs->ssl); a->init = 0; a->flags = 0; @@ -416,8 +416,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) break; case BIO_CTRL_DUP: dbio = (BIO *)ptr; - if (((BIO_SSL *)dbio->ptr)->ssl != NULL) - SSL_free(((BIO_SSL *)dbio->ptr)->ssl); + SSL_free(((BIO_SSL *)dbio->ptr)->ssl); ((BIO_SSL *)dbio->ptr)->ssl = SSL_dup(ssl); ((BIO_SSL *)dbio->ptr)->renegotiate_count = ((BIO_SSL *)b->ptr)->renegotiate_count; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 6da1258..404f7f9 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1215,8 +1215,7 @@ int ssl3_get_server_certificate(SSL *s) if (sc == NULL) goto err; - if (s->session->sess_cert) - ssl_sess_cert_free(s->session->sess_cert); + ssl_sess_cert_free(s->session->sess_cert); s->session->sess_cert = sc; sc->cert_chain = sk; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index abb3fd3..cb7bd86 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -393,8 +393,7 @@ SSL *SSL_new(SSL_CTX *ctx) return (s); err: - if (s != NULL) - SSL_free(s); + SSL_free(s); SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } @@ -2992,6 +2991,7 @@ int ssl_init_wbio_buffer(SSL *s, int push) void ssl_free_wbio_buffer(SSL *s) { + /* callers ensure s is never null */ if (s->bbio == NULL) return; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9273eb6..24e5d25 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -292,10 +292,8 @@ int ssl_get_new_session(SSL *s, int session) else ss->timeout = s->session_ctx->session_timeout; - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } + SSL_SESSION_free(s->session); + s->session = NULL; if (session) { if (s->version == SSL3_VERSION) { @@ -578,8 +576,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, s->session_ctx->stats.sess_hit++; - if (s->session != NULL) - SSL_SESSION_free(s->session); + SSL_SESSION_free(s->session); s->session = ret; s->verify_result = s->session->verify_result; return 1; diff --git a/test/ssltest.c b/test/ssltest.c index c9f5b4d..6ad6342 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -1789,15 +1789,11 @@ int main(int argc, char *argv[]) SSL_free(c_ssl); end: - if (s_ctx != NULL) - SSL_CTX_free(s_ctx); - if (c_ctx != NULL) - SSL_CTX_free(c_ctx); - - if (s_cctx) - SSL_CONF_CTX_free(s_cctx); - if (c_cctx) - SSL_CONF_CTX_free(c_cctx); + SSL_CTX_free(s_ctx); + SSL_CTX_free(c_ctx); + + SSL_CONF_CTX_free(s_cctx); + SSL_CONF_CTX_free(c_cctx); sk_OPENSSL_STRING_free(conf_args); BIO_free(bio_stdout); From kurt at openssl.org Sat Apr 11 18:34:35 2015 
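Review bot: The comment added at the top of ssl_free_wbio_buffer in ssl/ssl_lib.c, `/* callers ensure s is never null */`, records a precondition that nothing in the function enforces, so a caller that does pass NULL dereferences `s->bbio` on the very next line. The pod changes in this commit document the public free routines as doing nothing on NULL, and the same early return would be cheap here: `if (s == NULL || s->bbio == NULL) return;`. If the precondition is kept instead, it reads better as a header comment above the function than as a remark inside the body. The rest of ssl_free_wbio_buffer lies outside the hunk.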
From: kurt at openssl.org (Kurt Roeckx) Date: Sat, 11 Apr 2015 18:34:35 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428777275.676291.32373.nullmailer@dev.openssl.org> The branch master has been updated via a38537721dfdd853c40b4b4d99b57950075b0178 (commit) via 8ec5c5dd361343d9017eff8547b19e86e4944ebc (commit) via f49baeff50d0be9c8d86aed6fb4a08841aa3da41 (commit) from 62adbcee392ba1061bf213174e8c59728e00860e (commit) - Log ----------------------------------------------------------------- commit a38537721dfdd853c40b4b4d99b57950075b0178 Author: Rich Salz Date: Sat Apr 11 16:53:27 2015 +0200 Fix memory leak It should have freed them when != NULL, not when == NULL. Reviewed-by: Kurt Roeckx Reviewed-by: Viktor Dukhovni commit 8ec5c5dd361343d9017eff8547b19e86e4944ebc Author: Kurt Roeckx Date: Sat Apr 11 16:39:13 2015 +0200 do_dirname: Don't change gen on failures It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section failed. Reviewed-by: Rich Salz commit f49baeff50d0be9c8d86aed6fb4a08841aa3da41 Author: Kurt Roeckx Date: Sat Apr 11 17:08:38 2015 +0200 X509_VERIFY_PARAM_free: Check param for NULL Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_smpl.c | 9 +++------ crypto/x509/x509_vpm.c | 2 ++ crypto/x509v3/v3_alt.c | 18 ++++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index ee0c468..2d42d34 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -133,12 +133,9 @@ int ec_GFp_simple_group_init(EC_GROUP *group) group->a = BN_new(); group->b = BN_new(); if (!group->field || !group->a || !group->b) { - if (!group->field) - BN_free(group->field); - if (!group->a) - BN_free(group->a); - if (!group->b) - BN_free(group->b); + BN_free(group->field); + BN_free(group->a); + BN_free(group->b); return 0; } group->a_is_minus3 = 0; 
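Review bot: In ec_GFp_simple_group_init the failure branch now frees group->field, group->a and group->b but leaves all three members pointing at released memory when it reaches `return 0;`. Whether that matters depends on what the caller does with the group after a failed init, which is not visible here; if any path later runs the group's cleanup routine, the BIGNUMs would be freed a second time. Resetting the members after the frees removes the question: `group->field = group->a = group->b = NULL;`. The start of the function, including the allocation of group->field, lies above the hunk.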
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 8194cfa..2c30ff4 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -189,6 +189,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { + if (param == NULL) + return; x509_verify_param_zero(param); OPENSSL_free(param->id); OPENSSL_free(param); diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index 50cb6b2..d5ceb44 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c @@ -586,24 +586,26 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; + int ret = 0; + STACK_OF(CONF_VALUE) *sk = NULL; + X509_NAME *nm = NULL; if (!(nm = X509_NAME_new())) - return 0; + goto err; sk = X509V3_get_section(ctx, value); if (!sk) { X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND); ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; + goto err; } /* FIXME: should allow other character types... */ ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); if (!ret) - X509_NAME_free(nm); + goto err; gen->d.dirn = nm; - X509V3_section_free(ctx, sk); +err: + if (ret == 0) + X509_NAME_free(nm); + X509V3_section_free(ctx, sk); return ret; } From kurt at openssl.org Sat Apr 11 18:55:35 2015 
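Review bot: In do_dirname both early `goto err;` paths (X509_NAME_new failing, and X509V3_get_section returning NULL) now reach `X509V3_section_free(ctx, sk);` with sk still NULL, whereas the old code returned before that call. This is safe only if X509V3_section_free returns early on a NULL section, which this diff does not show; either confirm that, or guard the call as `if (sk != NULL) X509V3_section_free(ctx, sk);`. The label is also reached on the success path, so a neutral name such as `end:` would describe it better than `err:`. The identical hunk is cherry-picked to OpenSSL_1_0_2-stable and OpenSSL_1_0_1-stable further down the page and raises the same question there.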
From: kurt at openssl.org (Kurt Roeckx) Date: Sat, 11 Apr 2015 18:55:35 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1428778535.714677.3154.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via ea9de25f2f577db69d67c39e5cf60be7da17c931 (commit) via f6cddcccc89bd27c09c2c659c0bdbf40647f6ead (commit) from 6df777ed508ca785b31d6e92e73961ac282ab3ea (commit) - Log ----------------------------------------------------------------- commit ea9de25f2f577db69d67c39e5cf60be7da17c931 Author: Kurt Roeckx Date: Sat Apr 11 16:39:13 2015 +0200 do_dirname: Don't change gen on failures It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section failed. Reviewed-by: Rich Salz (cherry picked from commit 8ec5c5dd361343d9017eff8547b19e86e4944ebc) commit f6cddcccc89bd27c09c2c659c0bdbf40647f6ead Author: Kurt Roeckx Date: Sat Apr 11 17:08:38 2015 +0200 X509_VERIFY_PARAM_free: Check param for NULL Reviewed-by: Viktor Dukhovni (cherry picked from commit f49baeff50d0be9c8d86aed6fb4a08841aa3da41) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vpm.c | 2 ++ crypto/x509v3/v3_alt.c | 18 ++++++++++-------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 3222394..9f7647f 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -189,6 +189,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { + if (param == NULL) + return; x509_verify_param_zero(param); OPENSSL_free(param->id); OPENSSL_free(param); diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index 807867b..22ec202 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c 
@@ -584,24 +584,26 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; + int ret = 0; + STACK_OF(CONF_VALUE) *sk = NULL; + X509_NAME *nm = NULL; if (!(nm = X509_NAME_new())) - return 0; + goto err; sk = X509V3_get_section(ctx, value); if (!sk) { X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND); ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; + goto err; } /* FIXME: should allow other character types... */ ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); if (!ret) - X509_NAME_free(nm); + goto err; gen->d.dirn = nm; - X509V3_section_free(ctx, sk); +err: + if (ret == 0) + X509_NAME_free(nm); + X509V3_section_free(ctx, sk); return ret; } From kurt at openssl.org Sat Apr 11 19:02:00 2015 
From: kurt at openssl.org (Kurt Roeckx) Date: Sat, 11 Apr 2015 19:02:00 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1428778920.725259.4021.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 047cdde7a5a873817ae1aa4205390b2b130eb173 (commit) via 10473a5a2cd3fe5be188bddf656c5f1733e220b2 (commit) from bd41063b1163a897333288d9789ac2ace2613783 (commit) - Log ----------------------------------------------------------------- commit 047cdde7a5a873817ae1aa4205390b2b130eb173 Author: Kurt Roeckx Date: Sat Apr 11 16:39:13 2015 +0200 do_dirname: Don't change gen on failures It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section failed. Reviewed-by: Rich Salz (cherry picked from commit 8ec5c5dd361343d9017eff8547b19e86e4944ebc) commit 10473a5a2cd3fe5be188bddf656c5f1733e220b2 Author: Kurt Roeckx Date: Sat Apr 11 17:08:38 2015 +0200 X509_VERIFY_PARAM_free: Check param for NULL Reviewed-by: Viktor Dukhovni (cherry picked from commit f49baeff50d0be9c8d86aed6fb4a08841aa3da41) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vpm.c | 2 ++ crypto/x509v3/v3_alt.c | 18 ++++++++++-------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index d054366..6b0bf8a 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -100,6 +100,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { + if (param == NULL) + return; x509_verify_param_zero(param); OPENSSL_free(param); } diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index 807867b..22ec202 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c 
@@ -584,24 +584,26 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; + int ret = 0; + STACK_OF(CONF_VALUE) *sk = NULL; + X509_NAME *nm = NULL; if (!(nm = X509_NAME_new())) - return 0; + goto err; sk = X509V3_get_section(ctx, value); if (!sk) { X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND); ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; + goto err; } /* FIXME: should allow other character types... */ ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); if (!ret) - X509_NAME_free(nm); + goto err; gen->d.dirn = nm; - X509V3_section_free(ctx, sk); +err: + if (ret == 0) + X509_NAME_free(nm); + X509V3_section_free(ctx, sk); return ret; } From rsalz at openssl.org Sat Apr 11 20:34:48 2015 
From: rsalz at openssl.org (Rich Salz) Date: Sat, 11 Apr 2015 20:34:48 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1428784488.896365.17145.nullmailer@dev.openssl.org> The branch master has been updated via e0e920b1a063f14f36418f8795c96f2c649400e1 (commit) from a38537721dfdd853c40b4b4d99b57950075b0178 (commit) - Log ----------------------------------------------------------------- commit e0e920b1a063f14f36418f8795c96f2c649400e1 Author: Rich Salz Date: Sat Apr 11 16:32:54 2015 -0400 free NULL cleanup 9 Ongoing work to skip NULL check before calling free routine. This gets: ecp_nistz256_pre_comp_free nistp224_pre_comp_free nistp256_pre_comp_free nistp521_pre_comp_free PKCS7_free PKCS7_RECIP_INFO_free PKCS7_SIGNER_INFO_free sk_PKCS7_pop_free PKCS8_PRIV_KEY_INFO_free PKCS12_free PKCS12_SAFEBAG_free PKCS12_free sk_PKCS12_SAFEBAG_pop_free SSL_CONF_CTX_free SSL_CTX_free SSL_SESSION_free SSL_free ssl_cert_free ssl_sess_cert_free Reviewed-by: Kurt Roeckx ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 3 +-- apps/crl2p7.c | 3 +-- apps/pkcs12.c | 7 ++----- apps/pkcs7.c | 3 +-- crypto/ec/ecp_nistp224.c | 3 +-- crypto/ec/ecp_nistp256.c | 3 +-- crypto/ec/ecp_nistp521.c | 3 +-- crypto/ec/ecp_nistz256.c | 3 +-- crypto/pkcs12/p12_crt.c | 25 ++++++------------------- crypto/pkcs12/p12_init.c | 5 ++--- crypto/pkcs7/pk7_lib.c | 15 +++++---------- demos/smime/smdec.c | 6 +----- demos/smime/smenc.c | 7 +------ demos/smime/smsign.c | 6 +----- demos/smime/smsign2.c | 10 +--------- demos/smime/smver.c | 9 +-------- ssl/ssl_lib.c | 25 ++++++++----------------- ssl/ssl_sess.c | 13 ++++--------- test/evp_extra_test.c | 5 +---- test/ssltest.c | 1 - 20 files changed, 40 insertions(+), 115 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 1dcaabf..65d4e46 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -786,8 +786,7 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, } ret = PKCS12_parse(p12, pass, pkey, cert, ca); die: - if (p12) - PKCS12_free(p12); + PKCS12_free(p12); return ret; } diff --git a/apps/crl2p7.c b/apps/crl2p7.c index ab0c3d6..86b3a94 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -270,8 +270,7 @@ int MAIN(int argc, char **argv) end: BIO_free(in); BIO_free_all(out); - if (p7 != NULL) - PKCS7_free(p7); + PKCS7_free(p7); if (crl != NULL) X509_CRL_free(crl); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index a60a055..43892e5 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -740,8 +740,7 @@ int MAIN(int argc, char **argv) # endif ret = 0; end: - if (p12) - PKCS12_free(p12); + PKCS12_free(p12); if (export_cert || inrand) app_RAND_write_file(NULL, bio_err); # ifdef CRYPTO_MDEBUG @@ -798,9 +797,7 @@ int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, ret = 1; err: - - if (asafes) - sk_PKCS7_pop_free(asafes, PKCS7_free); + sk_PKCS7_pop_free(asafes, PKCS7_free); return ret; } diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 1b07c02..4fcb089 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -297,8 +297,7 @@ int MAIN(int argc, char **argv) } ret = 0; end: - if (p7 != NULL) - PKCS7_free(p7); + PKCS7_free(p7); BIO_free(in); BIO_free_all(out); apps_shutdown(); diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 2f1213f..76adc8a 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -1741,8 +1741,7 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT_free(generator); if (new_ctx != NULL) BN_CTX_free(new_ctx); - if (pre) - nistp224_pre_comp_free(pre); + nistp224_pre_comp_free(pre); return ret; } diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index 9ec0346..794520e 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c 
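Review bot: Dropping the guard before `nistp224_pre_comp_free(pre);` in ec_GFp_nistp224_precompute_mult is safe only if that routine returns early on NULL, and this commit changes the call site alone (the diffstat gives one insertion and two deletions for ecp_nistp224.c). The same applies to the nistp256, nistp521 and nistz256 hunks that follow and to the ssl_cert_free and ssl_sess_cert_free calls in ssl/ssl_lib.c and ssl/ssl_sess.c, whose definitions are not part of this diff. A one-line comment at each definition, for example `/* pre may be NULL, in which case nothing is done */`, would make the contract these call sites now depend on explicit, as the pod pages do for the public free functions. The function begins above the hunk.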
@@ -2342,8 +2342,7 @@ int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT_free(generator); if (new_ctx != NULL) BN_CTX_free(new_ctx); - if (pre) - nistp256_pre_comp_free(pre); + nistp256_pre_comp_free(pre); return ret; } diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index c8f9d1e..7ceb1bc 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -2125,8 +2125,7 @@ int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) EC_POINT_free(generator); if (new_ctx != NULL) BN_CTX_free(new_ctx); - if (pre) - nistp521_pre_comp_free(pre); + nistp521_pre_comp_free(pre); return ret; } diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index ea692b8..de9fbea 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -870,8 +870,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) err: if (ctx != NULL) BN_CTX_end(ctx); - if (pre_comp) - ecp_nistz256_pre_comp_free(pre_comp); + ecp_nistz256_pre_comp_free(pre_comp); if (precomp_storage) OPENSSL_free(precomp_storage); EC_POINT_free(P); diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index 1b2e889..fcc77cd 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -173,13 +173,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, return p12; err: - - if (p12) - PKCS12_free(p12); - if (safes) - sk_PKCS7_pop_free(safes, PKCS7_free); - if (bags) - sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + PKCS12_free(p12); + sk_PKCS7_pop_free(safes, PKCS7_free); + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); return NULL; } @@ -216,10 +212,7 @@ PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) return bag; err: - - if (bag) - PKCS12_SAFEBAG_free(bag); - + PKCS12_SAFEBAG_free(bag); return NULL; } 
@@ -252,10 +245,7 @@ PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, return bag; err: - - if (bag) - PKCS12_SAFEBAG_free(bag); - + PKCS12_SAFEBAG_free(bag); return NULL; } @@ -298,10 +288,7 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, sk_PKCS7_free(*psafes); *psafes = NULL; } - - if (p7) - PKCS7_free(p7); - + PKCS7_free(p7); return 0; } diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index 34710e9..22fa10e 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c @@ -83,10 +83,9 @@ PKCS12 *PKCS12_init(int mode) PKCS12err(PKCS12_F_PKCS12_INIT, PKCS12_R_UNSUPPORTED_PKCS12_MODE); goto err; } - return pkcs12; + err: - if (pkcs12 != NULL) - PKCS12_free(pkcs12); + PKCS12_free(pkcs12); return NULL; } diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 956f3f2..e14d8c6 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -121,8 +121,7 @@ int PKCS7_content_new(PKCS7 *p7, int type) return (1); err: - if (ret != NULL) - PKCS7_free(ret); + PKCS7_free(ret); return (0); } @@ -133,13 +132,11 @@ int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data) i = OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: - if (p7->d.sign->contents != NULL) - PKCS7_free(p7->d.sign->contents); + PKCS7_free(p7->d.sign->contents); p7->d.sign->contents = p7_data; break; case NID_pkcs7_digest: - if (p7->d.digest->contents != NULL) - PKCS7_free(p7->d.digest->contents); + PKCS7_free(p7->d.digest->contents); p7->d.digest->contents = p7_data; break; case NID_pkcs7_data: @@ -422,8 +419,7 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, goto err; return (si); err: - if (si) - PKCS7_SIGNER_INFO_free(si); + PKCS7_SIGNER_INFO_free(si); return (NULL); } @@ -484,8 +480,7 @@ PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) goto err; return ri; err: - if (ri) - PKCS7_RECIP_INFO_free(ri); + PKCS7_RECIP_INFO_free(ri); return NULL; } 
diff --git a/demos/smime/smdec.c b/demos/smime/smdec.c index a418707..9752dea 100644 --- a/demos/smime/smdec.c +++ b/demos/smime/smdec.c @@ -53,18 +53,14 @@ int main(int argc, char **argv) ret = 0; err: - if (ret) { fprintf(stderr, "Error Signing Data\n"); ERR_print_errors_fp(stderr); } - - if (p7) - PKCS7_free(p7); + PKCS7_free(p7); if (rcert) X509_free(rcert); EVP_PKEY_free(rkey); - BIO_free(in); BIO_free(out); BIO_free(tbio); diff --git a/demos/smime/smenc.c b/demos/smime/smenc.c index 5a85537..2e594ee 100644 --- a/demos/smime/smenc.c +++ b/demos/smime/smenc.c @@ -67,23 +67,18 @@ int main(int argc, char **argv) ret = 0; err: - if (ret) { fprintf(stderr, "Error Encrypting Data\n"); ERR_print_errors_fp(stderr); } - - if (p7) - PKCS7_free(p7); + PKCS7_free(p7); if (rcert) X509_free(rcert); if (recips) sk_X509_pop_free(recips, X509_free); - BIO_free(in); BIO_free(out); BIO_free(tbio); - return ret; } diff --git a/demos/smime/smsign.c b/demos/smime/smsign.c index 455efcb..91ab8e4 100644 --- a/demos/smime/smsign.c +++ b/demos/smime/smsign.c @@ -63,18 +63,14 @@ int main(int argc, char **argv) ret = 0; err: - if (ret) { fprintf(stderr, "Error Signing Data\n"); ERR_print_errors_fp(stderr); } - - if (p7) - PKCS7_free(p7); + PKCS7_free(p7); if (scert) X509_free(scert); EVP_PKEY_free(skey); - BIO_free(in); BIO_free(out); BIO_free(tbio); diff --git a/demos/smime/smsign2.c b/demos/smime/smsign2.c index 5f20a40..0ad709d 100644 --- a/demos/smime/smsign2.c +++ b/demos/smime/smsign2.c @@ -71,27 +71,19 @@ int main(int argc, char **argv) ret = 0; err: - if (ret) { fprintf(stderr, "Error Signing Data\n"); ERR_print_errors_fp(stderr); } - - if (p7) - PKCS7_free(p7); - + PKCS7_free(p7); if (scert) X509_free(scert); EVP_PKEY_free(skey); - if (scert2) X509_free(scert2); EVP_PKEY_free(skey2); - BIO_free(in); BIO_free(out); BIO_free(tbio); - return ret; - } diff --git a/demos/smime/smver.c b/demos/smime/smver.c index 4088d3c..c4b6e75 100644 --- a/demos/smime/smver.c 
+++ b/demos/smime/smver.c @@ -61,22 +61,15 @@ int main(int argc, char **argv) ret = 0; err: - if (ret) { fprintf(stderr, "Error Verifying Data\n"); ERR_print_errors_fp(stderr); } - - if (p7) - PKCS7_free(p7); - + PKCS7_free(p7); if (cacert) X509_free(cacert); - BIO_free(in); BIO_free(out); BIO_free(tbio); - return ret; - } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index cb7bd86..42ee3a9 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -568,15 +568,13 @@ void SSL_free(SSL *s) ssl_clear_hash_ctx(&s->read_hash); ssl_clear_hash_ctx(&s->write_hash); - if (s->cert != NULL) - ssl_cert_free(s->cert); + ssl_cert_free(s->cert); /* Free up if allocated */ #ifndef OPENSSL_NO_TLSEXT if (s->tlsext_hostname) OPENSSL_free(s->tlsext_hostname); - if (s->initial_ctx) - SSL_CTX_free(s->initial_ctx); + SSL_CTX_free(s->initial_ctx); # ifndef OPENSSL_NO_EC if (s->tlsext_ecpointformatlist) OPENSSL_free(s->tlsext_ecpointformatlist); @@ -601,8 +599,7 @@ void SSL_free(SSL *s) RECORD_LAYER_release(&s->rlayer); - if (s->ctx) - SSL_CTX_free(s->ctx); + SSL_CTX_free(s->ctx); #ifndef OPENSSL_NO_KRB5 if (s->kssl_ctx != NULL) @@ -2011,8 +2008,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) err: SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); err2: - if (ret != NULL) - SSL_CTX_free(ret); + SSL_CTX_free(ret); return (NULL); } @@ -2062,8 +2058,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_SSL_CIPHER_free(a->cipher_list); if (a->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(a->cipher_list_by_id); - if (a->cert != NULL) - ssl_cert_free(a->cert); + ssl_cert_free(a->cert); if (a->client_CA != NULL) sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); if (a->extra_certs != NULL) @@ -2776,9 +2771,7 @@ SSL *SSL_dup(SSL *s) ret->method->ssl_new(ret); if (s->cert != NULL) { - if (ret->cert != NULL) { - ssl_cert_free(ret->cert); - } + ssl_cert_free(ret->cert); ret->cert = ssl_cert_dup(s->cert); if (ret->cert == NULL) goto err; 
@@ -2862,8 +2855,7 @@ SSL *SSL_dup(SSL *s) if (0) { err: - if (ret != NULL) - SSL_free(ret); + SSL_free(ret); ret = NULL; } return (ret); @@ -3092,8 +3084,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) } CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); - if (ssl->ctx != NULL) - SSL_CTX_free(ssl->ctx); /* decrement reference count */ + SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; return (ssl->ctx); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 24e5d25..a213ea9 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -726,8 +726,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); - if (ss->sess_cert != NULL) - ssl_sess_cert_free(ss->sess_cert); + ssl_sess_cert_free(ss->sess_cert); if (ss->peer != NULL) X509_free(ss->peer); if (ss->ciphers != NULL) @@ -795,18 +794,14 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) /* CRYPTO_w_lock(CRYPTO_LOCK_SSL); */ CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (s->session != NULL) - SSL_SESSION_free(s->session); + SSL_SESSION_free(s->session); s->session = session; s->verify_result = s->session->verify_result; /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL); */ ret = 1; } else { - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } - + SSL_SESSION_free(s->session); + s->session = NULL; meth = s->ctx->method; if (meth != s->method) { if (!SSL_set_ssl_method(s, meth)) diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c index 567ed0f..5641d98 100644 --- a/test/evp_extra_test.c +++ b/test/evp_extra_test.c @@ -410,10 +410,7 @@ static int test_EVP_PKCS82PKEY(void) ret = 1; done: - if (p8inf != NULL) { - PKCS8_PRIV_KEY_INFO_free(p8inf); - } - + PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); return ret; diff --git a/test/ssltest.c b/test/ssltest.c index 6ad6342..25bec77 100644 --- a/test/ssltest.c +++ b/test/ssltest.c 
@@ -1791,7 +1791,6 @@ int main(int argc, char *argv[]) end: SSL_CTX_free(s_ctx); SSL_CTX_free(c_ctx); - SSL_CONF_CTX_free(s_cctx); SSL_CONF_CTX_free(c_cctx); sk_OPENSSL_STRING_free(conf_args); From matt at openssl.org Tue Apr 14 13:56:15 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 13:56:15 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1429019775.651935.5276.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via eeda966123e96e890ad56bfcaaec82d07b36e26a (commit) from c5b0f5c46309421da2fba3bd2363bbc80af385b1 (commit) - Log ----------------------------------------------------------------- commit eeda966123e96e890ad56bfcaaec82d07b36e26a Author: Matt Caswell Date: Fri Apr 10 17:25:27 2015 +0100 Check for ClientHello message overruns The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index a1eb02e..fe7f685 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c 
@@ -779,6 +779,16 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ @@ -808,6 +818,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -821,6 +837,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow session reuse during renegotiation @@ -852,8 +874,19 @@ int ssl3_get_client_hello(SSL *s) if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it 
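Review bot: The new bounds checks in ssl3_get_client_hello add a length read from the message to the cursor before comparing, e.g. `if (p + j > d + n)` after `j = *(p++)` and `if (p + cookie_len > d + n)` in the DTLS branch. Forming a pointer more than one past the end of the message buffer is undefined behaviour in C, so the sum is not guaranteed to compare as intended when the length exceeds what remains. Comparing against the remaining byte count avoids computing the out-of-range pointer: `if ((d + n) - p < j)`, `if ((d + n) - p < cookie_len)`, and for the cipher list `if ((d + n) - p < i + 1)`. The same pattern appears in the later hunks of this commit and in the identical cherry-picks to the 1.0.0 and 1.0.1 branches below. The function body begins and ends outside these hunks.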
@@ -894,6 +927,11 @@ int ssl3_get_client_hello(SSL *s) p += cookie_len; } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ @@ -901,7 +939,9 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); From matt at openssl.org Tue Apr 14 13:56:28 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 13:56:28 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429019788.623595.5494.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 923552bd5de08997523bd6d25323217fab5e83be (commit) from dafa9534de489bbb0c496eae628cacadcdd01821 (commit) - Log ----------------------------------------------------------------- commit 923552bd5de08997523bd6d25323217fab5e83be Author: Matt Caswell Date: Fri Apr 10 17:25:27 2015 +0100 Check for ClientHello message overruns The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index dc582ea..8e30083 100644 --- a/ssl/s3_srvr.c 
+++ b/ssl/s3_srvr.c @@ -843,6 +843,16 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ @@ -872,6 +882,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -885,6 +901,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow session reuse during renegotiation @@ -916,8 +938,19 @@ int ssl3_get_client_hello(SSL *s) if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it 
@@ -958,6 +991,11 @@ int ssl3_get_client_hello(SSL *s) p += cookie_len; } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ @@ -965,7 +1003,9 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); From matt at openssl.org Tue Apr 14 13:56:39 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 13:56:39 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429019799.868563.5712.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 89c2720298f875ac80777da2da88a64859775898 (commit) from 047cdde7a5a873817ae1aa4205390b2b130eb173 (commit) - Log ----------------------------------------------------------------- commit 89c2720298f875ac80777da2da88a64859775898 Author: Matt Caswell Date: Fri Apr 10 17:25:27 2015 +0100 Check for ClientHello message overruns The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index b8f91bc..3cdc73c 100644 --- a/ssl/s3_srvr.c 
+++ b/ssl/s3_srvr.c @@ -992,6 +992,16 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ @@ -1022,6 +1032,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -1035,6 +1051,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -1079,8 +1101,19 @@ int ssl3_get_client_hello(SSL *s) if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it 
@@ -1121,6 +1154,11 @@ int ssl3_get_client_hello(SSL *s) p += cookie_len; } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ @@ -1128,7 +1166,9 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); From matt at openssl.org Tue Apr 14 13:56:49 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 13:56:49 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429019809.912009.5929.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 35bac9167644d167aee57c26df206ed5f2b2a877 (commit) from ea9de25f2f577db69d67c39e5cf60be7da17c931 (commit) - Log ----------------------------------------------------------------- commit 35bac9167644d167aee57c26df206ed5f2b2a877 Author: Matt Caswell Date: Fri Apr 10 17:25:27 2015 +0100 Check for ClientHello message overruns The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index f7ffa06..00bc757 100644 --- a/ssl/s3_srvr.c 
+++ b/ssl/s3_srvr.c @@ -931,6 +931,16 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ @@ -962,6 +972,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -975,6 +991,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -1019,8 +1041,19 @@ int ssl3_get_client_hello(SSL *s) if (SSL_IS_DTLS(s)) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it 
@@ -1086,6 +1119,11 @@ int ssl3_get_client_hello(SSL *s) } } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ @@ -1093,7 +1131,9 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); From matt at openssl.org Tue Apr 14 14:02:53 2015 
From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 14:02:53 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1429020173.769988.7120.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via 5d28381ae44725254e92bab9797593c6d3fa1e86 (commit) from eeda966123e96e890ad56bfcaaec82d07b36e26a (commit) - Log ----------------------------------------------------------------- commit 5d28381ae44725254e92bab9797593c6d3fa1e86 Author: Matt Caswell Date: Fri Apr 10 16:49:33 2015 +0100 Fix ssl_get_prev_session overrun If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad) Conflicts: ssl/ssl_sess.c ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9c797e3..fc31296 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -310,6 +310,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + + if (session_id + len > limit) { + fatal = 1; + goto err; + } + #ifndef OPENSSL_NO_TLSEXT r = tls1_process_ticket(s, session_id, len, limit, &ret); if (r == -1) { From matt at openssl.org Tue Apr 14 14:03:03 2015 
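Review bot: The added `session_id + len > limit` branch rejects the ClientHello without recording why: it sets `fatal = 1` and jumps to `err`, whereas the matching guards added to ssl3_get_client_hello push `SSL_R_LENGTH_TOO_SHORT` first. Unless the `err` path, which is outside this hunk, raises an error itself, a malformed message rejected here leaves nothing on the error queue for whoever investigates the failed handshake. I would add `SSLerr(SSL_F_SSL_GET_PREV_SESSION, SSL_R_LENGTH_TOO_SHORT);` before `fatal = 1;`, together with a short comment such as `/* session id length runs past the end of the ClientHello */`. The same applies to the copies of this hunk for the other branches further down the page.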
From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 14:03:03 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429020183.767966.7374.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 4bbff0f946a10f748fba3fe1bda8bbaa6d7e0d12 (commit) from 923552bd5de08997523bd6d25323217fab5e83be (commit) - Log ----------------------------------------------------------------- commit 4bbff0f946a10f748fba3fe1bda8bbaa6d7e0d12 Author: Matt Caswell Date: Fri Apr 10 16:49:33 2015 +0100 Fix ssl_get_prev_session overrun If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad) Conflicts: ssl/ssl_sess.c ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 1fc44c1..b9432fd 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -431,6 +431,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + + if (session_id + len > limit) { + fatal = 1; + goto err; + } + #ifndef OPENSSL_NO_TLSEXT r = tls1_process_ticket(s, session_id, len, limit, &ret); if (r == -1) { From matt at openssl.org Tue Apr 14 14:03:13 2015 
From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 14:03:13 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429020193.197591.7609.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 40f26ac782157ceeafc986e3e91429099c0f878d (commit) from 89c2720298f875ac80777da2da88a64859775898 (commit) - Log ----------------------------------------------------------------- commit 40f26ac782157ceeafc986e3e91429099c0f878d Author: Matt Caswell Date: Fri Apr 10 16:49:33 2015 +0100 Fix ssl_get_prev_session overrun If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index fb4e8c5..4c7f5d8 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -481,6 +481,11 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + if (session_id + len > limit) { + fatal = 1; + goto err; + } + if (len == 0) try_session_cache = 0; From matt at openssl.org Tue Apr 14 14:03:23 2015 
From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 14:03:23 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429020203.294676.7870.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 5101c35c9173e40051acb23e45aae128fb84806e (commit) from 35bac9167644d167aee57c26df206ed5f2b2a877 (commit) - Log ----------------------------------------------------------------- commit 5101c35c9173e40051acb23e45aae128fb84806e Author: Matt Caswell Date: Fri Apr 10 16:49:33 2015 +0100 Fix ssl_get_prev_session overrun If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 1e1002f..dce9088 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -452,6 +452,11 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + if (session_id + len > limit) { + fatal = 1; + goto err; + } + if (len == 0) try_session_cache = 0; From matt at openssl.org Tue Apr 14 14:03:31 2015 
From: matt at openssl.org (Matt Caswell) Date: Tue, 14 Apr 2015 14:03:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429020211.912927.8148.nullmailer@dev.openssl.org> The branch master has been updated via 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad (commit) via 5e9f0eebcfa25a55177d9a7025713262367bec14 (commit) from e0e920b1a063f14f36418f8795c96f2c649400e1 (commit) - Log ----------------------------------------------------------------- commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad Author: Matt Caswell Date: Fri Apr 10 16:49:33 2015 +0100 Fix ssl_get_prev_session overrun If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read past the end of the ClientHello message if the session_id length in the ClientHello is invalid. This should not cause any security issues since the underlying buffer is 16k in size. It should never be possible to overrun by that many bytes. This is probably made redundant by the previous commit - but you can never be too careful. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz commit 5e9f0eebcfa25a55177d9a7025713262367bec14 Author: Matt Caswell Date: Fri Apr 10 17:25:27 2015 +0100 Check for ClientHello message overruns The ClientHello processing is insufficiently rigorous in its checks to make sure that we don't read past the end of the message. This does not have security implications due to the size of the underlying buffer - but still needs to be fixed. With thanks to Qinghao Tang for reporting this issue. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 42 +++++++++++++++++++++++++++++++++++++++++- ssl/ssl_sess.c | 5 +++++ 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 5b17e52..7376fe6 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c 
@@ -932,6 +932,16 @@ int ssl3_get_client_hello(SSL *s) d = p = (unsigned char *)s->init_msg; /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ @@ -963,6 +973,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -976,6 +992,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -1020,8 +1042,19 @@ int ssl3_get_client_hello(SSL *s) if (SSL_IS_DTLS(s)) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it @@ -1087,6 +1120,11 @@ int ssl3_get_client_hello(SSL *s) } } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); if ((i == 0) && (j != 0)) { /* we need a cipher if we are not resuming a session */ 
@@ -1094,7 +1132,9 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index a213ea9..3d0f950 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -442,6 +442,11 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + if (session_id + len > limit) { + fatal = 1; + goto err; + } + if (len == 0) try_session_cache = 0; From emilia at openssl.org Wed Apr 15 12:25:08 2015 From: emilia at openssl.org (Emilia Kasper) Date: Wed, 15 Apr 2015 12:25:08 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429100708.520317.2352.nullmailer@dev.openssl.org> The branch master has been updated via 68249414405500660578b337f1c8dd5dd4bb5bcc (commit) from 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad (commit) - Log ----------------------------------------------------------------- commit 68249414405500660578b337f1c8dd5dd4bb5bcc Author: Emilia Kasper Date: Tue Apr 14 17:42:42 2015 +0200 Initialize variable newsig may be used (freed) uninitialized on a malloc error. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: engines/ccgost/gost_sign.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index fad2004..1d7ed86 100644 --- a/engines/ccgost/gost_sign.c +++ b/engines/ccgost/gost_sign.c 
@@ -54,7 +54,7 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig, *ret = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); From steve at openssl.org Wed Apr 15 23:58:41 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 15 Apr 2015 23:58:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429142321.229824.15968.nullmailer@dev.openssl.org> The branch master has been updated via 5621e7aaf3932e51e85c72a81933eafbc906d22f (commit) via c954448f2c5001d12c6ff7807476915a4b85a065 (commit) from 68249414405500660578b337f1c8dd5dd4bb5bcc (commit) - Log ----------------------------------------------------------------- commit 5621e7aaf3932e51e85c72a81933eafbc906d22f Author: Dr. Stephen Henson Date: Wed Apr 15 13:58:38 2015 +0100 Remove obsolete options for debug-steve* Reviewed-by: Rich Salz commit c954448f2c5001d12c6ff7807476915a4b85a065 Author: Dr. Stephen Henson Date: Wed Apr 15 13:57:51 2015 +0100 Add -Wtype-limits to strict warnings. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configurations/99-personal-steve.conf | 6 +++--- Configure | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Configurations/99-personal-steve.conf b/Configurations/99-personal-steve.conf index 454b283..171b1cb 100644 --- a/Configurations/99-personal-steve.conf +++ b/Configurations/99-personal-steve.conf 
@@ -8,7 +8,7 @@ "debug-steve64" => { inherit_from => [ "x86_64_asm" ], cc => "gcc", - cflags => "$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g", + cflags => "$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g", thread_cflag => "-D_REENTRANT", lflags => "-ldl", bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL", @@ -22,7 +22,7 @@ "debug-steve32" => { inherit_from => [ "x86_elf_asm" ], cc => "gcc", - cflags => "$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g -pipe", + cflags => "$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -g", thread_cflag => "-D_REENTRANT", lflags => "-rdynamic -ldl", bn_ops => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}", @@ -35,7 +35,7 @@ "debug-steve-opt" => { inherit_from => [ "x86_64_asm" ], cc => "gcc", - cflags => "$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g", + cflags => "$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g", thread_cflag => "-D_REENTRANT", lflags => "-ldl", bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL", diff --git a/Configure b/Configure index d51653a..1c6b424 100755 --- a/Configure +++ b/Configure 
@@ -110,7 +110,7 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta # Minimum warning options... any contributions to OpenSSL should at least get # past these. -my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DDEBUG_UNUSED"; +my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DDEBUG_UNUSED"; my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum -Wno-gnu-statement-expression"; From steve at openssl.org Thu Apr 16 15:05:37 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 16 Apr 2015 15:05:37 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429196737.983587.32626.nullmailer@dev.openssl.org> The branch master has been updated via 111b60bea01d234b5873488c19ff2b9c5d4d58e9 (commit) via c4137b5e828d8fab0b244defb79257619dad8fc7 (commit) from 5621e7aaf3932e51e85c72a81933eafbc906d22f (commit) - Log ----------------------------------------------------------------- commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9 Author: Dr. Stephen Henson Date: Thu Apr 16 00:21:05 2015 +0100 Reject empty generation strings. Reported by Hanno B?ck Reviewed-by: Rich Salz commit c4137b5e828d8fab0b244defb79257619dad8fc7 Author: Dr. Stephen Henson Date: Thu Apr 16 00:00:40 2015 +0100 Limit depth of nested sequences when generating ASN.1 Reported by Hanno B?ck PR#3800 Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_gen.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 0e1cc08..cee3749 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ 
@@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -133,6 +138,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf) ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) { + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) +{ ASN1_TYPE *ret; tag_exp_arg asn1_tags; tag_exp_type *etmp; 
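Review bot: The new static `generate_v3` has no comment describing its two added parameters, and the contract cannot be read off the wrapper alone. `depth` is the nesting level of the current call, and `*perr` carries a reason code that only `ASN1_generate_v3` turns into an `ASN1err` call. A header comment such as `/* depth: SEQUENCE/SET nesting level of this call; *perr: set to an ASN1_R_ reason code on failure and raised by ASN1_generate_v3() */` would make that explicit. It would also help to state whether a NULL return with `*perr` still 0 is expected, since the wrapper then raises nothing; the rest of the body is outside this hunk.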
@@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; + return NULL; + } + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); @@ -280,7 +300,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) int tmp_tag, tmp_class; if (elem == NULL) - return 0; + return -1; for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ @@ -353,7 +373,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) break; case ASN1_GEN_FLAG_FORMAT: - if(!vstart) { + if (!vstart) { ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT); return -1; } @@ -434,7 +454,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; 
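Review bot: The two new `*perr` assignments report causes that do not match what actually happened. Exceeding `ASN1_GEN_SEQ_MAX_DEPTH` is reported as `ASN1_R_ILLEGAL_NESTED_TAGGING`, which reads as a tagging mistake rather than a nesting limit; a dedicated reason code would point the user at the real problem. Every `CONF_parse_list` failure is reported as `ASN1_R_UNKNOWN_TAG`, even though `asn1_cb` already raises specific errors such as `ASN1_R_UNKNOWN_FORMAT`, and the new `elem == NULL` path, which is the empty-string case, raises none of its own. The depth check would also benefit from a comment, for example `/* stop runaway recursion through nested or self-referencing SEQUENCE/SET sections */`. The 1.0.2 copy of this hunk further down has the same issue.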
@@ -453,7 +474,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) From steve at openssl.org Thu Apr 16 15:08:35 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 16 Apr 2015 15:08:35 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429196915.423470.1729.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 21220998f33adaa1d29f80b6946170458e97fa9a (commit) from 4bbff0f946a10f748fba3fe1bda8bbaa6d7e0d12 (commit) - Log ----------------------------------------------------------------- commit 21220998f33adaa1d29f80b6946170458e97fa9a Author: Dr. Stephen Henson Date: Thu Apr 16 00:21:05 2015 +0100 Reject empty generation strings. Reported by Hanno B?ck Reviewed-by: Rich Salz (cherry picked from commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9) Conflicts: crypto/asn1/asn1_gen.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_gen.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 132a9ef..e303d11 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -152,8 +152,10 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { 
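Review bot: In the OpenSSL_1_0_0-stable hunk at `@@ -152,8 +152,10 @@`, the added line `*perr = ASN1_R_UNKNOWN_TAG;` uses `perr`, which does not appear to exist in this branch. The hunk header still names the enclosing function as `ASN1_generate_v3(char *str, X509V3_CTX *cnf)`, and none of the commit's six insertions declares it; the `perr` parameter comes from the nested-depth change, which is not part of this cherry-pick. Unless `perr` is declared somewhere outside the visible hunks, this will not compile. On this branch the failure can be reported directly with `ASN1err(ASN1_F_ASN1_GENERATE_V3, ASN1_R_UNKNOWN_TAG);` before `return NULL;`. The function body continues outside the hunk.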
@@ -279,6 +281,9 @@ static int asn1_cb(const char *elem, int len, void *bitstr) int tmp_tag, tmp_class; + if (elem == NULL) + return -1; + for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ if (*p == ':') { From steve at openssl.org Thu Apr 16 15:08:35 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 16 Apr 2015 15:08:35 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429196915.611939.1773.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via bf5b8ff17dd7039b15cbc6468cd865cbc219581d (commit) via a696708ae6bbe42f409748b3e31bb2f3034edbf3 (commit) from 5101c35c9173e40051acb23e45aae128fb84806e (commit) - Log ----------------------------------------------------------------- commit bf5b8ff17dd7039b15cbc6468cd865cbc219581d Author: Dr. Stephen Henson Date: Thu Apr 16 00:00:40 2015 +0100 Limit depth of nested sequences when generating ASN.1 Reported by Hanno B?ck PR#3800 Reviewed-by: Rich Salz (cherry picked from commit c4137b5e828d8fab0b244defb79257619dad8fc7) commit a696708ae6bbe42f409748b3e31bb2f3034edbf3 Author: Dr. Stephen Henson Date: Thu Apr 16 00:21:05 2015 +0100 Reject empty generation strings. Reported by Hanno B?ck Reviewed-by: Rich Salz (cherry picked from commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_gen.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 11b582d..6574923 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ 
@@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -133,6 +138,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf) ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) { + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) +{ ASN1_TYPE *ret; tag_exp_arg asn1_tags; tag_exp_type *etmp; 
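Review bot: `generate_v3` is introduced in the `@@ -133,6 +138,16 @@` hunk without a comment on its two new parameters, and the `perr` contract is not obvious from the call site: `ASN1_generate_v3` raises an error only when `err` is non-zero. I would add a short block comment above the definition stating that `depth` is the current SEQUENCE/SET nesting level (0 for the top-level call) and that `*perr` receives an `ASN1_R_*` reason which the public wrapper reports once. Whether failures in helpers called from the body queue their own errors cannot be seen here, because the body of `generate_v3` continues outside the hunk. The identical hunk appears in the OpenSSL_1_0_1-stable mail further down.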
@@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; + return NULL; + } + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); @@ -280,7 +300,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) int tmp_tag, tmp_class; if (elem == NULL) - return 0; + return -1; for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ @@ -353,7 +373,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) break; case ASN1_GEN_FLAG_FORMAT: - if(!vstart) { + if (!vstart) { ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT); return -1; } @@ -435,7 +455,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; 
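Review bot: The `depth >= ASN1_GEN_SEQ_MAX_DEPTH` check in the `@@ -152,17 +167,22 @@` hunk bounds how deep the recursion goes, but not how many elements are generated in total, because every section handled by `asn1_multi` can itself list several nested SEQUENCE/SET sections. If the configuration can come from a source less trusted than the caller, the work within the depth limit still grows multiplicatively with the entries per level; at minimum I would document that with `/* limits recursion depth only, not the total number of elements */` above the check. The reason code `ASN1_R_ILLEGAL_NESTED_TAGGING` also reads as a tagging error and not a nesting-depth error, which may mislead whoever debugs a rejected config. The same hunk is repeated in the OpenSSL_1_0_1-stable mail further down.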
@@ -454,7 +475,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) From steve at openssl.org Thu Apr 16 15:08:35 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 16 Apr 2015 15:08:35 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429196915.505048.1751.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via da23637e8e04387689ef8747e8229a0c325a25fc (commit) via 5c3fbbc87560a5d0043fe716463948aff7140cdd (commit) from 40f26ac782157ceeafc986e3e91429099c0f878d (commit) - Log ----------------------------------------------------------------- commit da23637e8e04387689ef8747e8229a0c325a25fc Author: Dr. Stephen Henson Date: Thu Apr 16 00:00:40 2015 +0100 Limit depth of nested sequences when generating ASN.1 Reported by Hanno B?ck PR#3800 Reviewed-by: Rich Salz (cherry picked from commit c4137b5e828d8fab0b244defb79257619dad8fc7) commit 5c3fbbc87560a5d0043fe716463948aff7140cdd Author: Dr. Stephen Henson Date: Thu Apr 16 00:21:05 2015 +0100 Reject empty generation strings. Reported by Hanno B?ck Reviewed-by: Rich Salz (cherry picked from commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_gen.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index 11b582d..6574923 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c 
@@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ @@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -133,6 +138,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf) ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) { + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) +{ ASN1_TYPE *ret; tag_exp_arg asn1_tags; tag_exp_type *etmp; 
@@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; + return NULL; + } + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); @@ -280,7 +300,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) int tmp_tag, tmp_class; if (elem == NULL) - return 0; + return -1; for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ @@ -353,7 +373,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) break; case ASN1_GEN_FLAG_FORMAT: - if(!vstart) { + if (!vstart) { ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT); return -1; } @@ -435,7 +455,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; 
@@ -454,7 +475,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) From emilia at openssl.org Thu Apr 16 15:53:33 2015 From: emilia at openssl.org (Emilia Kasper) Date: Thu, 16 Apr 2015 15:53:33 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429199613.287926.7211.nullmailer@dev.openssl.org> The branch master has been updated via b65558328a9fcda5cef38857f9cc033c15ec1c32 (commit) from 111b60bea01d234b5873488c19ff2b9c5d4d58e9 (commit) - Log ----------------------------------------------------------------- commit b65558328a9fcda5cef38857f9cc033c15ec1c32 Author: Emilia Kasper Date: Thu Apr 16 16:02:53 2015 +0200 Remove code for deleted function from ssl.h ssl_cert_inst was removed in 2c3823491d8812560922a58677e3ad2db4b2ec8d Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: include/openssl/ssl.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 50a79a8..fae706b 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2040,7 +2040,6 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 # define SSL_F_SSL_CERT_ADD0_CHAIN_CERT 339 # define SSL_F_SSL_CERT_DUP 221 -# define SSL_F_SSL_CERT_INST 222 # define SSL_F_SSL_CERT_INSTANTIATE 214 # define SSL_F_SSL_CERT_NEW 162 # define SSL_F_SSL_CERT_SET0_CHAIN 340 From emilia at openssl.org Thu Apr 16 16:32:42 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Thu, 16 Apr 2015 16:32:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429201962.312674.13108.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via e963109fcd4973a6ba13415421b21c1b8aebaf74 (commit) from da23637e8e04387689ef8747e8229a0c325a25fc (commit) - Log ----------------------------------------------------------------- commit e963109fcd4973a6ba13415421b21c1b8aebaf74 Author: Andy Polyakov Date: Tue Jul 8 23:06:59 2014 +0200 Please Clang's sanitizer, addendum. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_table.c | 6 ++++-- crypto/objects/obj_dat.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c index 2e1a7e8..27d31f7 100644 --- a/crypto/engine/eng_table.c +++ b/crypto/engine/eng_table.c @@ -351,6 +351,8 @@ void engine_table_doall(ENGINE_TABLE *table, engine_table_doall_cb *cb, ENGINE_PILE_DOALL dall; dall.cb = cb; dall.arg = arg; - lh_ENGINE_PILE_doall_arg(&table->piles, LHASH_DOALL_ARG_FN(int_cb), - ENGINE_PILE_DOALL, &dall); + if (table) + lh_ENGINE_PILE_doall_arg(&table->piles, + LHASH_DOALL_ARG_FN(int_cb), + ENGINE_PILE_DOALL, &dall); } diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index e42a1c1..5cd755d 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -142,7 +142,7 @@ static unsigned long added_obj_hash(const ADDED_OBJ *ca) return 0; } ret &= 0x3fffffffL; - ret |= ca->type << 30L; + ret |= ((unsigned long)ca->type) << 30L; return (ret); } From viktor at openssl.org Thu Apr 16 17:46:38 2015 
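Review bot: The cast added to `ca->type` in `added_obj_hash` deserves a one-line comment, since nothing in the hunk says why it is there. Presumably `type` is a signed `int`, in which case `type << 30` overflows for any value of 2 or more, and the `L` suffix on the shift count does not widen the result because a shift takes the promoted type of its left operand. Something like `/* cast before shifting: int << 30 overflows for type >= 2 */` would keep the cast from being removed as redundant later. The start of `added_obj_hash` is outside the hunk.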
From: viktor at openssl.org (Viktor Dukhovni) Date: Thu, 16 Apr 2015 17:46:38 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429206398.298524.22207.nullmailer@dev.openssl.org> The branch master has been updated via 61986d32f37cbaeaed08bd955ff27d35b72ea29a (commit) from b65558328a9fcda5cef38857f9cc033c15ec1c32 (commit) - Log ----------------------------------------------------------------- commit 61986d32f37cbaeaed08bd955ff27d35b72ea29a Author: Viktor Dukhovni Date: Thu Apr 16 01:50:03 2015 -0400 Code style: space after 'if' Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 4 ++-- apps/ca.c | 10 ++++---- apps/cms.c | 2 +- apps/s_cb.c | 4 ++-- apps/s_client.c | 10 ++++---- apps/s_server.c | 20 ++++++++-------- apps/s_time.c | 10 ++++---- apps/sess_id.c | 2 +- apps/speed.c | 6 ++--- apps/srp.c | 4 ++-- crypto/asn1/bio_ndef.c | 4 ++-- crypto/asn1/tasn_prn.c | 2 +- crypto/asn1/x_x509.c | 4 ++-- crypto/bio/b_print.c | 4 ++-- crypto/bio/bss_dgram.c | 4 ++-- crypto/cms/cms_pwri.c | 2 +- crypto/dh/dh_ameth.c | 2 +- crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_ossl.c | 8 +++---- crypto/dso/dso_lib.c | 2 +- crypto/dso/dso_vms.c | 2 +- crypto/hmac/hmac.c | 12 +++++----- crypto/objects/o_names.c | 2 +- crypto/rand/rand_os2.c | 2 +- crypto/threads/th-lock.c | 12 +++++----- crypto/x509v3/v3_cpols.c | 8 +++---- engines/ccgost/gost2001.c | 56 ++++++++++++++++++++++----------------------- engines/ccgost/gost_ameth.c | 18 ++++++++------- engines/ccgost/gost_sign.c | 27 +++++++++++----------- engines/e_sureware.c | 6 ++--- ssl/bio_ssl.c | 4 ++-- ssl/d1_both.c | 2 +- ssl/d1_clnt.c | 2 +- ssl/d1_lib.c | 6 ++--- ssl/d1_srvr.c | 2 +- ssl/record/rec_layer_d1.c | 2 +- ssl/record/rec_layer_s3.c | 8 +++---- ssl/record/ssl3_buffer.c | 2 +- ssl/s23_clnt.c | 4 ++-- ssl/s23_srvr.c | 6 ++--- ssl/s3_both.c | 4 ++-- ssl/s3_clnt.c | 10 ++++---- ssl/s3_enc.c | 6 ++--- ssl/s3_lib.c | 2 +- 
ssl/s3_srvr.c | 26 ++++++++++----------- ssl/ssl_ciph.c | 2 +- ssl/ssl_lib.c | 14 ++++++------ ssl/ssl_rsa.c | 2 +- ssl/ssl_sess.c | 4 ++-- ssl/ssl_txt.c | 2 +- ssl/t1_enc.c | 4 ++-- ssl/t1_lib.c | 2 +- test/hmactest.c | 40 ++++++++++++++++---------------- test/ssltest.c | 30 ++++++++++++------------ 54 files changed, 220 insertions(+), 217 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 65d4e46..76e0ee3 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -576,7 +576,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); - if(!prompt) { + if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); return 0; @@ -590,7 +590,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); - if(!buff) { + if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); OPENSSL_free(prompt); diff --git a/apps/ca.c b/apps/ca.c index 89bece8..e2eab91 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -563,7 +563,7 @@ int MAIN(int argc, char **argv) #ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -571,7 +571,7 @@ int MAIN(int argc, char **argv) #else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -2808,7 +2808,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); - if(!tmp) { + if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } 
@@ -2830,7 +2830,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if(!*prevtm) { + if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2874,7 +2874,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); - if(!comp_time) { + if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } diff --git a/apps/cms.c b/apps/cms.c index 0877426..73f9037 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -465,7 +465,7 @@ int MAIN(int argc, char **argv) if (key_param == NULL || key_param->idx != keyidx) { cms_key_param *nparam; nparam = OPENSSL_malloc(sizeof(cms_key_param)); - if(!nparam) { + if (!nparam) { BIO_printf(bio_err, "Out of memory\n"); goto argerr; } diff --git a/apps/s_cb.c b/apps/s_cb.c index 7e69fc8..06050db 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -460,7 +460,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared) if (ncurves <= 0) return 1; curves = OPENSSL_malloc(ncurves * sizeof(int)); - if(!curves) { + if (!curves) { BIO_puts(out, "Malloc error getting supported curves\n"); return 0; } @@ -1181,7 +1181,7 @@ static int set_cert_cb(SSL *ssl, void *arg) print_chain_flags(bio_err, ssl, rv); if (rv & CERT_PKEY_VALID) { - if(!SSL_use_certificate(ssl, exc->cert) + if (!SSL_use_certificate(ssl, exc->cert) || !SSL_use_PrivateKey(ssl, exc->key)) { return 0; } diff --git a/apps/s_client.c b/apps/s_client.c index a7e03a5..761f352 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -550,7 +550,7 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) PW_CB_DATA cb_tmp; int l; - if(!pass) { + if (!pass) { BIO_printf(bio_err, "Malloc failure\n"); return NULL; } 
@@ -1304,7 +1304,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) { /* Returns 0 on success!! */ - if(SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { BIO_printf(bio_err, "Error setting SRTP profile\n"); ERR_print_errors(bio_err); goto end; @@ -1328,7 +1328,7 @@ int MAIN(int argc, char **argv) goto end; } /* Returns 0 on success!! */ - if(SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len)) { + if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len)) { BIO_printf(bio_err, "Error setting ALPN\n"); goto end; } @@ -1337,7 +1337,7 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_TLSEXT for (i = 0; i < serverinfo_types_count; i++) { - if(!SSL_CTX_add_client_custom_ext(ctx, + if (!SSL_CTX_add_client_custom_ext(ctx, serverinfo_types[i], NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL)) { @@ -1405,7 +1405,7 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - if(!SSL_set_session(con, sess)) { + if (!SSL_set_session(con, sess)) { BIO_printf(bio_err, "Can't set session\n"); ERR_print_errors(bio_err); goto end; diff --git a/apps/s_server.c b/apps/s_server.c index a66098e..8e350c8 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -707,7 +707,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = inl; wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if(!wbuf) + if (!wbuf) return 0; OPENSSL_free(b->ptr); @@ -1725,7 +1725,7 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) { /* Returns 0 on success!! */ - if(SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { BIO_printf(bio_err, "Error setting SRTP profile\n"); ERR_print_errors(bio_err); goto end; 
@@ -1925,7 +1925,7 @@ int MAIN(int argc, char *argv[]) #endif SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); - if(!SSL_CTX_set_session_id_context(ctx, + if (!SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context, sizeof s_server_session_id_context)) { BIO_printf(bio_err, "error setting session id context\n"); @@ -1940,7 +1940,7 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLSEXT if (ctx2) { SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); - if(!SSL_CTX_set_session_id_context(ctx2, + if (!SSL_CTX_set_session_id_context(ctx2, (void *)&s_server_session_id_context, sizeof s_server_session_id_context)) { BIO_printf(bio_err, "error setting session id context\n"); @@ -2147,7 +2147,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) goto err; } } - if(!SSL_clear(con)) { + if (!SSL_clear(con)) { BIO_printf(bio_err, "Error clearing SSL connection\n"); ret = -1; goto err; @@ -3227,7 +3227,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session) unsigned char *p; sess = OPENSSL_malloc(sizeof(simple_ssl_session)); - if(!sess) { + if (!sess) { BIO_printf(bio_err, "Out of memory adding session to external cache\n"); return 0; } @@ -3238,18 +3238,18 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); sess->der = OPENSSL_malloc(sess->derlen); - if(!sess->id || !sess->der) { + if (!sess->id || !sess->der) { BIO_printf(bio_err, "Out of memory adding session to external cache\n"); - if(sess->id) + if (sess->id) OPENSSL_free(sess->id); - if(sess->der) + if (sess->der) OPENSSL_free(sess->der); OPENSSL_free(sess); return 0; } p = sess->der; - if(i2d_SSL_SESSION(session, &p) < 0) { + if (i2d_SSL_SESSION(session, &p) < 0) { BIO_printf(bio_err, "Error encoding session\n"); return 0; } diff --git a/apps/s_time.c b/apps/s_time.c index 4f460b6..8f4980b 100644 --- a/apps/s_time.c +++ b/apps/s_time.c 
@@ -283,7 +283,7 @@ static int parseArgs(int argc, char **argv) if (--argc < 1) goto bad; maxTime = atoi(*(++argv)); - if(maxTime <= 0) { + if (maxTime <= 0) { BIO_printf(bio_err, "time must be > 0\n"); badop = 1; } @@ -356,7 +356,7 @@ int MAIN(int argc, char **argv) if (st_bugs) SSL_CTX_set_options(tm_ctx, SSL_OP_ALL); - if(!SSL_CTX_set_cipher_list(tm_ctx, tm_cipher)) + if (!SSL_CTX_set_cipher_list(tm_ctx, tm_cipher)) goto end; if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file)) goto end; @@ -406,7 +406,7 @@ int MAIN(int argc, char **argv) if (s_www_path != NULL) { BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); - if(SSL_write(scon, buf, strlen(buf)) <= 0) + if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) bytes_read += i; @@ -463,7 +463,7 @@ int MAIN(int argc, char **argv) if (s_www_path != NULL) { BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); - if(SSL_write(scon, buf, strlen(buf)) <= 0) + if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; while (SSL_read(scon, buf, sizeof(buf)) > 0) ; } @@ -501,7 +501,7 @@ int MAIN(int argc, char **argv) if (s_www_path) { BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); - if(SSL_write(scon, buf, strlen(buf)) <= 0) + if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) bytes_read += i; diff --git a/apps/sess_id.c b/apps/sess_id.c index 53ccbb3..9421e40 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -166,7 +166,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Context too long\n"); goto end; } - if(!SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len)) { + if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len)) { BIO_printf(bio_err, "Error setting id context\n"); goto end; } diff --git a/apps/speed.c b/apps/speed.c index df972a3..71aa74a 100644 --- a/apps/speed.c +++ b/apps/speed.c 
@@ -2723,7 +2723,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) inp = OPENSSL_malloc(mblengths[num - 1]); out = OPENSSL_malloc(mblengths[num - 1] + 1024); - if(!inp || !out) { + if (!inp || !out) { BIO_printf(bio_err,"Out of memory\n"); goto end; } @@ -2813,8 +2813,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) } end: - if(inp) + if (inp) OPENSSL_free(inp); - if(out) + if (out) OPENSSL_free(out); } diff --git a/apps/srp.c b/apps/srp.c index b9312f8..5acc783 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -437,7 +437,7 @@ int MAIN(int argc, char **argv) # ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -445,7 +445,7 @@ int MAIN(int argc, char **argv) # else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 1018787..99ab5f6 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -161,7 +161,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; @@ -231,7 +231,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index d1e5ba5..76d584b 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c 
@@ -287,7 +287,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(fld, tt, 1); - if(!seqtt) + if (!seqtt) return 0; tmpfld = asn1_get_field_ptr(fld, seqtt); if (!asn1_template_print_ctx(out, tmpfld, diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 36f6ff4..08bb4bd 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -173,7 +173,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); @@ -188,7 +188,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); if (a) *a = NULL; diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index c2cf6e6..452e5cf 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -710,7 +710,7 @@ doapr_outch(char **sbuffer, if (*maxlen == 0) *maxlen = 1024; *buffer = OPENSSL_malloc(*maxlen); - if(!*buffer) { + if (!*buffer) { /* Panic! Can't really do anything sensible. Just return */ return; } @@ -722,7 +722,7 @@ doapr_outch(char **sbuffer, } else { *maxlen += 1024; *buffer = OPENSSL_realloc(*buffer, *maxlen); - if(!*buffer) { + if (!*buffer) { /* Panic! Can't really do anything sensible. Just return */ return; } diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index ed275d1..4fa6279 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -998,7 +998,7 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) */ sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); authchunks = OPENSSL_malloc(sockopt_len); - if(!authchunks) { + if (!authchunks) { BIO_vfree(bio); return (NULL); } 
@@ -1409,7 +1409,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) { char *tmp; data->saved_message.bio = b; - if(!(tmp = OPENSSL_malloc(inl))) { + if (!(tmp = OPENSSL_malloc(inl))) { BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE); return -1; } diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index 4f1b31d..e11b1fa 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -231,7 +231,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, return 0; } tmp = OPENSSL_malloc(inlen); - if(!tmp) + if (!tmp) return 0; /* setup IV by decrypting last two blocks */ if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index cfa2e2d..4b22ec4 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -159,7 +159,7 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh = pkey->pkey.dh; str = ASN1_STRING_new(); - if(!str) { + if (!str) { DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 5e3a5e3..3fad054 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -466,7 +466,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, ret = 0; Zlen = DH_size(dh); Z = OPENSSL_malloc(Zlen); - if(!Z) { + if (!Z) { goto err; } if (DH_compute_key_padded(Z, dhpub, dh) <= 0) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 96f5d6f..325eac4 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c 
@@ -108,23 +108,23 @@ static DSA_METHOD openssl_dsa_meth = { #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index d2a48bb..09b8eaf 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c index d3c4eab..79bbd97 100644 --- a/crypto/dso/dso_vms.c +++ b/crypto/dso/dso_vms.c 
@@ -527,7 +527,7 @@ static char *vms_name_converter(DSO *dso, const char *filename) { int len = strlen(filename); char *not_translated = OPENSSL_malloc(len + 1); - if(not_translated) + if (not_translated) strcpy(not_translated, filename); return (not_translated); } diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c index 8ee5b2a..ccfd16e 100644 --- a/crypto/hmac/hmac.c +++ b/crypto/hmac/hmac.c @@ -71,13 +71,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (md != NULL) { reset = 1; ctx->md = md; - } else if(ctx->md) { + } else if (ctx->md) { md = ctx->md; } else { return 0; } - if(!ctx->key_init && key == NULL) + if (!ctx->key_init && key == NULL) return 0; if (key != NULL) { @@ -93,7 +93,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, &ctx->key_length)) goto err; } else { - if(len < 0 || len > (int)sizeof(ctx->key)) + if (len < 0 || len > (int)sizeof(ctx->key)) return 0; memcpy(ctx->key, key, len); ctx->key_length = len; @@ -137,7 +137,7 @@ int HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md) int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) { - if(!ctx->key_init) + if (!ctx->key_init) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); } @@ -147,7 +147,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; - if(!ctx->key_init) + if (!ctx->key_init) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -182,7 +182,7 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) if (!EVP_MD_CTX_copy_ex(&dctx->md_ctx, &sctx->md_ctx)) goto err; dctx->key_init = sctx->key_init; - if(sctx->key_init) { + if (sctx->key_init) { memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); dctx->key_length = sctx->key_length; } diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index 48ab1a7..fa8709f 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c 
@@ -312,7 +312,7 @@ void OBJ_NAME_do_all_sorted(int type, d.names = OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names); /* Really should return an error if !d.names...but its a void function! */
- if(d.names) {
+ if (d.names) {
 d.n = 0; OBJ_NAME_do_all(type, do_all_sorted_fn, &d);
diff --git a/crypto/rand/rand_os2.c b/crypto/rand/rand_os2.c
index 02148d5..706ab1e 100644
--- a/crypto/rand/rand_os2.c
+++ b/crypto/rand/rand_os2.c
@@ -149,7 +149,7 @@ int RAND_poll(void) if (DosQuerySysState) { char *buffer = OPENSSL_malloc(256 * 1024);
- if(!buffer)
+ if (!buffer)
 return 0; if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c
index 7b303b2..6732dd7 100644
--- a/crypto/threads/th-lock.c
+++ b/crypto/threads/th-lock.c
@@ -117,7 +117,7 @@ void CRYPTO_thread_setup(void) int i; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
- if(!lock_cs) {
+ if (!lock_cs) {
 /* Nothing we can do about this...void function! */ return; }
@@ -172,7 +172,7 @@ void CRYPTO_thread_setup(void) # else lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t)); # endif
- if(!lock_cs) {
+ if (!lock_cs) {
 /* Nothing we can do about this...void function! */ return; }
@@ -248,7 +248,7 @@ void CRYPTO_thread_setup(void) char filename[20]; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *));
- if(!lock_cs) {
+ if (!lock_cs) {
 /* Nothing we can do about this...void function! */ return; }
@@ -316,11 +316,11 @@ void CRYPTO_thread_setup(void) lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
- if(!lock_cs || !lock_count) {
+ if (!lock_cs || !lock_count) {
 /* Nothing we can do about this...void function! */
- if(lock_cs)
+ if (lock_cs)
 OPENSSL_free(lock_cs);
- if(lock_count)
+ if (lock_count)
 OPENSSL_free(lock_count); return; }
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 66d486f..8147ea5 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -230,11 +230,11 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, goto merr; if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) goto merr;
- if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
+ if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
 X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR); goto err; }
- if(!(qual->d.cpsuri = ASN1_IA5STRING_new()))
+ if (!(qual->d.cpsuri = ASN1_IA5STRING_new()))
 goto merr; if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value)))
@@ -294,7 +294,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, POLICYQUALINFO *qual; if (!(qual = POLICYQUALINFO_new())) goto merr;
- if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
+ if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
 X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR); goto err; }
@@ -304,7 +304,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, for (i = 0; i < sk_CONF_VALUE_num(unot); i++) { cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) {
- if(!(not->exptext = ASN1_VISIBLESTRING_new()))
+ if (!(not->exptext = ASN1_VISIBLESTRING_new()))
 goto merr; if (!ASN1_STRING_set(not->exptext, cnf->value, strlen(cnf->value)))
diff --git a/engines/ccgost/gost2001.c b/engines/ccgost/gost2001.c
index 5c4efd6..83cc693 100644
--- a/engines/ccgost/gost2001.c
+++ b/engines/ccgost/gost2001.c
@@ -41,7 +41,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) BN_CTX *ctx = BN_CTX_new(); int ok = 0;
- if(!ctx) {
+ if (!ctx) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); goto err; }
@@ -53,7 +53,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); q = BN_CTX_get(ctx);
- if(!p || !a || !b || !x || !y || !q) {
+ if (!p || !a || !b || !x || !y || !q) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); goto err; }
@@ -64,7 +64,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) GOST_R_UNSUPPORTED_PARAMETER_SET); goto err; }
- if(!BN_hex2bn(&p, params->p)
+ if (!BN_hex2bn(&p, params->p)
 || !BN_hex2bn(&a, params->a) || !BN_hex2bn(&b, params->b)) { GOSTerr(GOST_F_FILL_GOST2001_PARAMS,
@@ -73,18 +73,18 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) } grp = EC_GROUP_new_curve_GFp(p, a, b, ctx);
- if(!grp) {
+ if (!grp) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); goto err; } P = EC_POINT_new(grp);
- if(!P) {
+ if (!P) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); goto err; }
- if(!BN_hex2bn(&x, params->x)
+ if (!BN_hex2bn(&x, params->x)
 || !BN_hex2bn(&y, params->y) || !EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx) || !BN_hex2bn(&q, params->q)) {
@@ -98,12 +98,12 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) fprintf(stderr, "\n"); #endif
- if(!EC_GROUP_set_generator(grp, P, q, NULL)) {
+ if (!EC_GROUP_set_generator(grp, P, q, NULL)) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); goto err; } EC_GROUP_set_curve_name(grp, params->nid);
- if(!EC_KEY_set_group(eckey, grp)) {
+ if (!EC_KEY_set_group(eckey, grp)) {
 GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); goto err; }
@@ -134,7 +134,7 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) NULL, *e = NULL; EC_POINT *C = NULL; BN_CTX *ctx = BN_CTX_new();
- if(!ctx || !md) {
+ if (!ctx || !md) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -146,22 +146,22 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; } group = EC_KEY_get0_group(eckey);
- if(!group) {
+ if (!group) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); goto err; } order = BN_CTX_get(ctx);
- if(!order || !EC_GROUP_get_order(group, order, ctx)) {
+ if (!order || !EC_GROUP_get_order(group, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); goto err; } priv_key = EC_KEY_get0_private_key(eckey);
- if(!priv_key) {
+ if (!priv_key) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); goto err; } e = BN_CTX_get(ctx);
- if(!e || !BN_mod(e, md, order, ctx)) {
+ if (!e || !BN_mod(e, md, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); goto err; }
@@ -177,7 +177,7 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) } k = BN_CTX_get(ctx); C = EC_POINT_new(group);
- if(!k || !C) {
+ if (!k || !C) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -205,7 +205,7 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; }
- if(!BN_nnmod(r, X, order, ctx)) {
+ if (!BN_nnmod(r, X, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); goto err; }
@@ -223,7 +223,7 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; }
- if(!BN_mod_mul(tmp, priv_key, r, order, ctx)
+ if (!BN_mod_mul(tmp, priv_key, r, order, ctx)
 || !BN_mod_mul(tmp2, k, e, order, ctx) || !BN_mod_add(s, tmp, tmp2, order, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR);
@@ -234,14 +234,14 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) newsig->s = BN_dup(s); newsig->r = BN_dup(r);
- if(!newsig->s || !newsig->r) {
+ if (!newsig->s || !newsig->r) {
 GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; } ret = newsig; err:
- if(ctx) {
+ if (ctx) {
 BN_CTX_end(ctx); BN_CTX_free(ctx); }
@@ -270,7 +270,7 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, const EC_POINT *pub_key = NULL; int ok = 0;
- if(!ctx || !group) {
+ if (!ctx || !group) {
 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
@@ -284,13 +284,13 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, X = BN_CTX_get(ctx); R = BN_CTX_get(ctx); v = BN_CTX_get(ctx);
- if(!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) {
+ if (!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) {
 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } pub_key = EC_KEY_get0_public_key(ec);
- if(!pub_key || !EC_GROUP_get_order(group, order, ctx)) {
+ if (!pub_key || !EC_GROUP_get_order(group, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
@@ -304,7 +304,7 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, } md = hashsum2bn(dgst);
- if(!md || !BN_mod(e, md, order, ctx)) {
+ if (!md || !BN_mod(e, md, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
@@ -319,7 +319,7 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, goto err; } v = BN_mod_inverse(v, e, order, ctx);
- if(!v
+ if (!v
 || !BN_mod_mul(z1, sig->s, v, order, ctx) || !BN_sub(tmp, order, sig->r) || !BN_mod_mul(z2, tmp, v, order, ctx)) {
@@ -347,7 +347,7 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; }
- if(!BN_mod(R, X, order, ctx)) {
+ if (!BN_mod(R, X, order, ctx)) {
 GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
@@ -392,7 +392,7 @@ int gost2001_compute_public(EC_KEY *ec) return 0; } ctx = BN_CTX_new();
- if(!ctx) {
+ if (!ctx) {
 GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); goto err; }
@@ -403,7 +403,7 @@ int gost2001_compute_public(EC_KEY *ec) } pub_key = EC_POINT_new(group);
- if(!pub_key) {
+ if (!pub_key) {
 GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); goto err; }
@@ -436,7 +436,7 @@ int gost2001_keygen(EC_KEY *ec) BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = EC_KEY_get0_group(ec);
- if(!group || !EC_GROUP_get_order(group, order, NULL)) {
+ if (!group || !EC_GROUP_get_order(group, order, NULL)) {
 GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); BN_free(d); BN_free(order);
@@ -454,7 +454,7 @@ int gost2001_keygen(EC_KEY *ec) } while (BN_is_zero(d));
- if(!EC_KEY_set_private_key(ec, d)) {
+ if (!EC_KEY_set_private_key(ec, d)) {
 GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); BN_free(d); BN_free(order);
diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c
index c5ca44f..b1615bf 100644
--- a/engines/ccgost/gost_ameth.c
+++ b/engines/ccgost/gost_ameth.c
@@ -115,7 +115,7 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg) } param_nid = OBJ_obj2nid(gkp->key_params); GOST_KEY_PARAMS_free(gkp);
- if(!EVP_PKEY_set_type(pkey, pkey_nid)) {
+ if (!EVP_PKEY_set_type(pkey, pkey_nid)) {
 GOSTerr(GOST_F_DECODE_GOST_ALGOR_PARAMS, ERR_R_INTERNAL_ERROR); return 0; }
@@ -549,16 +549,16 @@ static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from) } if (!eto) { eto = EC_KEY_new();
- if(!eto) {
+ if (!eto) {
 GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_MALLOC_FAILURE); return 0; }
- if(!EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)) {
+ if (!EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)) {
 GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); return 0; } }
- if(!EC_KEY_set_group(eto, EC_KEY_get0_group(efrom))) {
+ if (!EC_KEY_set_group(eto, EC_KEY_get0_group(efrom))) {
 GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); return 0; }
@@ -756,14 +756,16 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk) } X = BN_new(); Y = BN_new();
- if(!X || !Y) {
+ if (!X || !Y) {
 GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_MALLOC_FAILURE);
- if(X) BN_free(X);
- if(Y) BN_free(Y);
+ if (X)
+ BN_free(X);
+ if (Y)
+ BN_free(Y);
 BN_free(order); return 0; }
- if(!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec),
+ if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec),
 pub_key, X, Y, NULL)) { GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_INTERNAL_ERROR); BN_free(X);
diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c
index 1d7ed86..c2516ea 100644
--- a/engines/ccgost/gost_sign.c
+++ b/engines/ccgost/gost_sign.c
@@ -58,7 +58,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new();
- if(!ctx) {
+ if (!ctx) {
 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -71,7 +71,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) tmp = BN_CTX_get(ctx); k = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx);
- if(!tmp || !k || !tmp2) {
+ if (!tmp || !k || !tmp2) {
 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -89,7 +89,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx); if (!(newsig->r)) { newsig->r = BN_new();
- if(!newsig->r) {
+ if (!newsig->r) {
 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -102,7 +102,7 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_mod_mul(tmp2, k, md, dsa->q, ctx); if (!newsig->s) { newsig->s = BN_new();
- if(!newsig->s) {
+ if (!newsig->s) {
 GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); goto err; }
@@ -114,11 +114,11 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ret = newsig; err: BN_free(md);
- if(ctx) {
+ if (ctx) {
 BN_CTX_end(ctx); BN_CTX_free(ctx); }
- if(!ret && newsig) {
+ if (!ret && newsig) {
 DSA_SIG_free(newsig); } return ret;
@@ -169,7 +169,7 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BIGNUM *tmp2 = NULL, *tmp3 = NULL; int ok = 0; BN_CTX *ctx = BN_CTX_new();
- if(!ctx) {
+ if (!ctx) {
 GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); goto err; }
@@ -189,7 +189,7 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, tmp2 = BN_CTX_get(ctx); tmp3 = BN_CTX_get(ctx); u = BN_CTX_get(ctx);
- if(!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) {
+ if (!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) {
 GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); goto err; }
@@ -214,8 +214,9 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } err:
- if(md) BN_free(md);
- if(ctx) {
+ if (md)
+ BN_free(md);
+ if (ctx) {
 BN_CTX_end(ctx); BN_CTX_free(ctx); }
@@ -235,13 +236,13 @@ int gost94_compute_public(DSA *dsa) return 0; } ctx = BN_CTX_new();
- if(!ctx) {
+ if (!ctx) {
 GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); return 0; } dsa->pub_key = BN_new();
- if(!dsa->pub_key) {
+ if (!dsa->pub_key) {
 GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); BN_CTX_free(ctx); return 0;
@@ -293,7 +294,7 @@ int fill_GOST94_params(DSA *dsa, int nid) int gost_sign_keygen(DSA *dsa) { dsa->priv_key = BN_new();
- if(!dsa->priv_key) {
+ if (!dsa->priv_key) {
 GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE); return 0; }
diff --git a/engines/e_sureware.c b/engines/e_sureware.c
index 5e1786c..4580250 100644
--- a/engines/e_sureware.c
+++ b/engines/e_sureware.c
@@ -710,7 +710,7 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, /* set public big nums */ rsatmp->e = BN_new(); rsatmp->n = BN_new();
- if(!rsatmp->e || !rsatmp->n)
+ if (!rsatmp->e || !rsatmp->n)
 goto err; bn_expand2(rsatmp->e, el / sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el / sizeof(BN_ULONG));
@@ -752,7 +752,7 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new();
- if(!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g)
+ if (!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g)
 goto err; bn_expand2(dsatmp->pub_key, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el / sizeof(BN_ULONG));
@@ -1018,7 +1018,7 @@ static DSA_SIG *surewarehk_dsa_do_sign(const unsigned char *from, int flen, } psign->r = BN_new(); psign->s = BN_new();
- if(!psign->r || !psign->s)
+ if (!psign->r || !psign->s)
 goto err; bn_expand2(psign->r, 20 / sizeof(BN_ULONG)); bn_expand2(psign->s, 20 / sizeof(BN_ULONG));
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 7cf941d..473b3ff 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -292,7 +292,7 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr) else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl);
- if(!SSL_clear(ssl)) {
+ if (!SSL_clear(ssl)) {
 ret = 0; break; }
@@ -555,7 +555,7 @@ int BIO_ssl_copy_session_id(BIO *t, BIO *f) if ((((BIO_SSL *)t->ptr)->ssl == NULL) || (((BIO_SSL *)f->ptr)->ssl == NULL)) return (0);
- if(!SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl, ((BIO_SSL *)f->ptr)->ssl))
+ if (!SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl, ((BIO_SSL *)f->ptr)->ssl))
 return 0; return (1); }
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 094b337..c3552e9 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -989,7 +989,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) s->d1->handshake_write_seq, 0, 0); /* buffer the message to handle re-xmits */
- if(!dtls1_buffer_message(s, 1)) {
+ if (!dtls1_buffer_message(s, 1)) {
 SSLerr(SSL_F_DTLS1_SEND_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); return -1; }
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index c5831cd..0f4373e 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -182,7 +182,7 @@ int dtls1_connect(SSL *s) s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index eac271d..a1d2032 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -124,7 +124,7 @@ int dtls1_new(SSL *s) { DTLS1_STATE *d1;
- if(!DTLS_RECORD_LAYER_new(&s->rlayer)) {
+ if (!DTLS_RECORD_LAYER_new(&s->rlayer)) {
 return 0; }
@@ -502,7 +502,7 @@ int dtls1_listen(SSL *s, struct sockaddr *client) int ret; /* Ensure there is no state left over from a previous invocation */
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
@@ -524,7 +524,7 @@ static int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len) s->init_off = 0; /* Buffer the message to handle re-xmits */
- if(!dtls1_buffer_message(s, 0))
+ if (!dtls1_buffer_message(s, 0))
 return 0; return 1;
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 5ddfeac..663f118 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -185,7 +185,7 @@ int dtls1_accept(SSL *s) /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index c58af7f..3183bcf 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -638,7 +638,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) #ifndef OPENSSL_NO_HEARTBEATS else if (SSL3_RECORD_get_type(rr) == TLS1_RT_HEARTBEAT) { /* We allow a 0 return */
- if(dtls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
+ if (dtls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
 SSL3_RECORD_get_length(rr)) < 0) { return -1; }
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0ec1d2c..b7d43f3 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -170,7 +170,7 @@ void RECORD_LAYER_clear(RECORD_LAYER *rl) rl->s = s; rl->d = d;
- if(d)
+ if (d)
 DTLS_RECORD_LAYER_clear(rl); }
@@ -196,7 +196,7 @@ int RECORD_LAYER_write_pending(RECORD_LAYER *rl) int RECORD_LAYER_set_data(RECORD_LAYER *rl, const unsigned char *buf, int len) { rl->packet_length = len;
- if(len != 0) {
+ if (len != 0) {
 rl->rstate = SSL_ST_READ_HEADER; if (!SSL3_BUFFER_is_initialised(&rl->rbuf)) if (!ssl3_setup_read_buffer(rl->s))
@@ -531,7 +531,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) packlen *= 4; wb->buf = OPENSSL_malloc(packlen);
- if(!wb->buf) {
+ if (!wb->buf) {
 SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE); return -1; }
@@ -1130,7 +1130,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) #ifndef OPENSSL_NO_HEARTBEATS else if (SSL3_RECORD_get_type(rr)== TLS1_RT_HEARTBEAT) { /* We can ignore 0 return values */
- if(tls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
+ if (tls1_process_heartbeat(s, SSL3_RECORD_get_data(rr),
 SSL3_RECORD_get_length(rr)) < 0) { return -1; }
diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c
index 79a7636..732420e 100644
--- a/ssl/record/ssl3_buffer.c
+++ b/ssl/record/ssl3_buffer.c
@@ -114,7 +114,7 @@ void SSL3_BUFFER_set_data(SSL3_BUFFER *b, const unsigned char *d, int n) {
- if(d != NULL)
+ if (d != NULL)
 memcpy(b->buf, d, n); b->left = n; b->offset = 0;
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 76ad876..4196eac 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -158,7 +158,7 @@ int ssl23_connect(SSL *s) s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
@@ -573,7 +573,7 @@ static int ssl23_get_server_hello(SSL *s) /* * put the 7 bytes we have read into the input buffer for SSLv3 */
- if(!RECORD_LAYER_set_data(&s->rlayer, buf, n))
+ if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
 goto err; s->handshake_func = s->method->ssl_connect;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 7287022..50d634e 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -157,7 +157,7 @@ int ssl23_accept(SSL *s) s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
@@ -561,10 +561,10 @@ int ssl23_get_client_hello(SSL *s) /* * put the 'n' bytes we have read into the input buffer for SSLv3 */
- if(!RECORD_LAYER_set_data(&s->rlayer, buf, n))
+ if (!RECORD_LAYER_set_data(&s->rlayer, buf, n))
 goto err; } else {
- if(!RECORD_LAYER_set_data(&s->rlayer, NULL, 0))
+ if (!RECORD_LAYER_set_data(&s->rlayer, NULL, 0))
 goto err; } s->handshake_func = s->method->ssl_accept;
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index ed6ae12..d0cb763 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -187,7 +187,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) s->s3->previous_server_finished_len = i; }
- if(!ssl_set_handshake_header(s, SSL3_MT_FINISHED, l)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_FINISHED, l)) {
 SSLerr(SSL_F_SSL3_SEND_FINISHED, ERR_R_INTERNAL_ERROR); return -1; }
@@ -328,7 +328,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, CERT_PKEY *cpk) l2n3(l, p); l += 3;
- if(!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE, l)) {
 SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR); return 0; }
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 404f7f9..697a3b4 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -198,7 +198,7 @@ int ssl3_connect(SSL *s) s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
@@ -843,7 +843,7 @@ int ssl3_client_hello(SSL *s) #endif l = p - d;
- if(!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto err;
@@ -2991,7 +2991,7 @@ int ssl3_send_client_key_exchange(SSL *s) goto err; }
- if(!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, n)) {
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err;
@@ -3044,7 +3044,7 @@ int ssl3_send_client_key_exchange(SSL *s) OPENSSL_cleanse(pms, pmslen); OPENSSL_free(pms); s->cert->pms = NULL;
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err;
@@ -3194,7 +3194,7 @@ int ssl3_send_client_verify(SSL *s) SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
- if(!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
 SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; }
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 1db2f77..8fc5bc4 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -253,7 +253,7 @@ int ssl3_change_cipher_state(SSL *s, int which) EVP_CIPHER_CTX_init(s->enc_read_ctx); dd = s->enc_read_ctx;
- if(!ssl_replace_hash(&s->read_hash, m)) {
+ if (!ssl_replace_hash(&s->read_hash, m)) {
 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; }
@@ -270,7 +270,7 @@ int ssl3_change_cipher_state(SSL *s, int which) SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; }
- if(!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
+ if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
 goto err; } #endif
@@ -288,7 +288,7 @@ int ssl3_change_cipher_state(SSL *s, int which) */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd = s->enc_write_ctx;
- if(!ssl_replace_hash(&s->write_hash, m)) {
+ if (!ssl_replace_hash(&s->write_hash, m)) {
 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; }
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index a7dbbf6..7bb3a92 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3104,7 +3104,7 @@ int ssl3_new(SSL *s) s->s3 = s3; #ifndef OPENSSL_NO_SRP
- if(!SSL_SRP_CTX_init(s))
+ if (!SSL_SRP_CTX_init(s))
 goto err; #endif s->method->ssl_clear(s);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 7376fe6..223a764 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -227,7 +227,7 @@ int ssl3_accept(SSL *s) /* init things to blank */ s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) {
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 return -1; }
@@ -882,7 +882,7 @@ int ssl3_send_hello_request(SSL *s) { if (s->state == SSL3_ST_SW_HELLO_REQ_A) {
- if(!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
 SSLerr(SSL_F_SSL3_SEND_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); return -1; }
@@ -1541,7 +1541,7 @@ int ssl3_send_server_hello(SSL *s) #endif /* do the header */ l = (p - d);
- if(!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
 SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return -1; }
@@ -1556,7 +1556,7 @@ int ssl3_send_server_done(SSL *s) { if (s->state == SSL3_ST_SW_SRVR_DONE_A) {
- if(!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
 SSLerr(SSL_F_SSL3_SEND_SERVER_DONE, ERR_R_INTERNAL_ERROR); return -1; }
@@ -2006,7 +2006,7 @@ int ssl3_send_server_key_exchange(SSL *s) } }
- if(!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
 al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -2088,7 +2088,7 @@ int ssl3_send_certificate_request(SSL *s) p = ssl_handshake_start(s) + off; s2n(nl, p);
- if(!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+ if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
 SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); return -1; }
@@ -2278,7 +2278,7 @@ int ssl3_get_client_key_exchange(SSL *s) sizeof (rand_premaster_secret)); OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -2375,7 +2375,7 @@ int ssl3_get_client_key_exchange(SSL *s) session->master_key, p, i); OPENSSL_cleanse(p, i);
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -2545,7 +2545,7 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, pms, outl);
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -2698,7 +2698,7 @@ int ssl3_get_client_key_exchange(SSL *s) p, i); OPENSSL_cleanse(p, i);
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -2787,7 +2787,7 @@ int ssl3_get_client_key_exchange(SSL *s) session->master_key, psk_or_pre_ms, pre_ms_len);
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto psk_err;
@@ -2893,7 +2893,7 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, premaster_secret, 32);
- if(s->session->master_key_length < 0) {
+ if (s->session->master_key_length < 0) {
 al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err;
@@ -3469,7 +3469,7 @@ int ssl3_send_newsession_ticket(SSL *s) /* Skip ticket lifetime hint */ p = ssl_handshake_start(s) + 4; s2n(len - 6, p);
- if(!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
+ if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
 goto err; s->state = SSL3_ST_SW_SESSION_TICKET_B; OPENSSL_free(senc);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 0f6758b..cd86fcc 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -533,7 +533,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, *comp = NULL; } /* If were only interested in comp then return success */
- if((enc == NULL) && (md == NULL))
+ if ((enc == NULL) && (md == NULL))
 return 1; }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 42ee3a9..35a3c9d 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -381,7 +381,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->references = 1; s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
- if(!SSL_clear(s))
+ if (!SSL_clear(s))
 goto err; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data);
@@ -884,7 +884,7 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s) int SSL_copy_session_id(SSL *t, const SSL *f) { /* Do we need to to SSL locking? */
- if(!SSL_set_session(t, SSL_get_session(f))) {
+ if (!SSL_set_session(t, SSL_get_session(f))) {
 return 0; }
@@ -900,7 +900,7 @@ int SSL_copy_session_id(SSL *t, const SSL *f) CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT); ssl_cert_free(t->cert); t->cert = f->cert;
- if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
+ if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
 return 0; }
@@ -1920,7 +1920,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) if (ret->cert_store == NULL) goto err;
- if(!ssl_create_cipher_list(ret->method,
+ if (!ssl_create_cipher_list(ret->method,
 &ret->cipher_list, &ret->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
@@ -1976,7 +1976,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->psk_server_callback = NULL; #endif #ifndef OPENSSL_NO_SRP
- if(!SSL_CTX_SRP_CTX_init(ret))
+ if (!SSL_CTX_SRP_CTX_init(ret))
 goto err; #endif #ifndef OPENSSL_NO_ENGINE
@@ -2756,7 +2756,7 @@ SSL *SSL_dup(SSL *s) if (s->session != NULL) { /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */
- if(!SSL_copy_session_id(ret, s))
+ if (!SSL_copy_session_id(ret, s))
 goto err; } else { /*
@@ -2777,7 +2777,7 @@ SSL *SSL_dup(SSL *s) goto err; }
- if(!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
+ if (!SSL_set_session_id_context(ret, s->sid_ctx, s->sid_ctx_length))
 goto err; }
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 90fe8c8..b5d457a 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -687,7 +687,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) int r; unsigned long err; - if(!SSL_CTX_clear_chain_certs(ctx)) { + if (!SSL_CTX_clear_chain_certs(ctx)) { ret = 0; goto end; } diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 3d0f950..483c778 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -518,7 +518,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, * The following should not return 1, otherwise, things are * very strange */ - if(SSL_CTX_add_session(s->session_ctx, ret)) + if (SSL_CTX_add_session(s->session_ctx, ret)) goto err; } } @@ -861,7 +861,7 @@ void SSL_SESSION_get0_ticket(const SSL_SESSION *s, unsigned char **tick, size_t *len) { *len = s->tlsext_ticklen; - if(tick != NULL) + if (tick != NULL) *tick = s->tlsext_tick; } diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index ccdf8ec..9277d2c 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -214,7 +214,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (x->compress_meth != 0) { SSL_COMP *comp = NULL; - if(!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0)) + if (!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0)) goto err; if (comp == NULL) { if (BIO_printf(bp, "\n Compression: %d", x->compress_meth) <= diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 19b79e9..6e926d4 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -260,7 +260,7 @@ static int tls1_PRF(long digest_mask, if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) count++; } - if(!count) { + if (!count) { /* Should never happen */ SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); goto err; @@ -801,7 +801,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, * exchange and before certificate verify) */ s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if(!ssl3_digest_cached_records(s)) + if (!ssl3_digest_cached_records(s)) return -1; } hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index aef0ef6..985c357 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1606,7 +1606,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, int el; /* Returns 0 on success!! */ - if(ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { + if (ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0)) { SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR); return NULL; } diff --git a/test/hmactest.c b/test/hmactest.c index 5e90dba..13344d6 100644 --- a/test/hmactest.c +++ b/test/hmactest.c @@ -166,22 +166,22 @@ int main(int argc, char *argv[]) /* test4 */ HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD and key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; } - if(HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with empty key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; 
@@ -189,32 +189,32 @@ int main(int argc, char *argv[]) printf("test 4 ok\n"); test5: HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD (test 5)\n"); err++; goto test6; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 5)\n"); err++; goto test6; } - if(HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with invalid key len(test 5)\n"); err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Error updating HMAC with data (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (test 5)\n"); err++; goto test6; @@ -226,17 +226,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { printf("Failed to reinitialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { + if (!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { printf("Error updating HMAC with data (sha256) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (sha256) (test 5)\n"); err++; goto test6; 
@@ -248,17 +248,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { + if (!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { printf("Failed to reinitialise HMAC with key (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { + if (!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { printf("Error updating HMAC with data (new key) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (new key) (test 5)\n"); err++; goto test6; @@ -273,22 +273,22 @@ test5: } test6: HMAC_CTX_init(&ctx); - if(!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 6)\n"); err++; goto end; } - if(!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { + if (!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { printf("Error updating HMAC with data (test 6)\n"); err++; goto end; } - if(!HMAC_CTX_copy(&ctx2, &ctx)) { + if (!HMAC_CTX_copy(&ctx2, &ctx)) { printf("Failed to copy HMAC_CTX (test 6)\n"); err++; goto end; } - if(!HMAC_Final(&ctx2, buf, &len)) { + if (!HMAC_Final(&ctx2, buf, &len)) { printf("Error finalising data (test 6)\n"); err++; goto end; diff --git a/test/ssltest.c b/test/ssltest.c index 25bec77..6ca99ae 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -1445,7 +1445,7 @@ int main(int argc, char *argv[]) SSL_CTX_set_security_level(s_ctx, 0); if (cipher != NULL) { - if(!SSL_CTX_set_cipher_list(c_ctx, cipher) + if (!SSL_CTX_set_cipher_list(c_ctx, cipher) || !SSL_CTX_set_cipher_list(s_ctx, cipher)) { ERR_print_errors(bio_err); goto end; 
@@ -1542,7 +1542,7 @@ int main(int argc, char *argv[]) } if (client_auth) { - if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) + if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(c_ctx, (client_key ? client_key : client_cert), SSL_FILETYPE_PEM)) { @@ -1577,7 +1577,7 @@ int main(int argc, char *argv[]) { int session_id_context = 0; - if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, + if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context)) { ERR_print_errors(bio_err); goto end; @@ -1649,7 +1649,7 @@ int main(int argc, char *argv[]) #endif if (serverinfo_sct) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, + if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL)) { BIO_printf(bio_err, "Error adding SCT extension\n"); @@ -1657,7 +1657,7 @@ int main(int argc, char *argv[]) } } if (serverinfo_tack) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, + if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL)) { BIO_printf(bio_err, "Error adding TACK extension\n"); 
@@ -1671,35 +1671,35 @@ int main(int argc, char *argv[]) } if (custom_ext) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, + if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_cli_add_cb, NULL, NULL, custom_ext_0_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_cli_add_cb, NULL, NULL, custom_ext_1_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_cli_add_cb, NULL, NULL, custom_ext_2_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_cli_add_cb, NULL, NULL, custom_ext_3_cli_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_srv_add_cb, NULL, NULL, custom_ext_0_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_srv_add_cb, NULL, NULL, custom_ext_1_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_srv_add_cb, NULL, NULL, custom_ext_2_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_srv_add_cb, NULL, NULL, custom_ext_3_srv_parse_cb, NULL)) { @@ -1720,7 +1720,7 @@ int main(int argc, char *argv[]) goto end; } /* Returns 0 on success!! */ - if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { + if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { BIO_printf(bio_err, "Error setting ALPN\n"); OPENSSL_free(alpn); goto end; 
@@ -1748,7 +1748,7 @@ int main(int argc, char *argv[]) for (i = 0; i < number; i++) { if (!reuse) { - if(!SSL_set_session(c_ssl, NULL)) { + if (!SSL_set_session(c_ssl, NULL)) { BIO_printf(bio_err, "Failed to set session\n"); goto end; } From viktor at openssl.org Thu Apr 16 17:50:25 2015 
From: viktor at openssl.org (Viktor Dukhovni) Date: Thu, 16 Apr 2015 17:50:25 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429206625.090543.23197.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 3b38646d1345b5ec4ff7fd13c8b8bd8d46105b7e (commit) from bf5b8ff17dd7039b15cbc6468cd865cbc219581d (commit) - Log ----------------------------------------------------------------- commit 3b38646d1345b5ec4ff7fd13c8b8bd8d46105b7e Author: Viktor Dukhovni Date: Thu Apr 16 01:50:03 2015 -0400 Code style: space after 'if' Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 4 ++-- apps/ca.c | 10 +++++----- apps/cms.c | 2 +- apps/s_cb.c | 2 +- apps/s_client.c | 2 +- apps/s_server.c | 12 ++++++------ apps/s_time.c | 2 +- apps/speed.c | 6 +++--- apps/srp.c | 4 ++-- crypto/asn1/asn_mime.c | 2 +- crypto/asn1/bio_ndef.c | 4 ++-- crypto/asn1/tasn_prn.c | 2 +- crypto/asn1/x_x509.c | 4 ++-- crypto/bio/b_print.c | 4 ++-- crypto/bio/bf_nbio.c | 4 ++-- crypto/bio/bss_dgram.c | 4 ++-- crypto/bn/bn_rand.c | 2 +- crypto/cms/cms_pwri.c | 2 +- crypto/des/des.c | 2 +- crypto/des/enc_writ.c | 2 +- crypto/dh/dh_ameth.c | 2 +- crypto/dh/dh_pmeth.c | 2 +- crypto/dsa/dsa_gen.c | 2 +- crypto/dsa/dsa_ossl.c | 8 ++++---- crypto/dso/dso_lib.c | 2 +- crypto/dso/dso_vms.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/evp/e_des3.c | 2 +- crypto/evp/encode.c | 2 +- crypto/hmac/hmac.c | 12 ++++++------ crypto/hmac/hmactest.c | 40 ++++++++++++++++++++-------------------- crypto/objects/o_names.c | 2 +- crypto/ocsp/ocsp_ext.c | 2 +- crypto/rand/rand_os2.c | 2 +- crypto/srp/srp_vfy.c | 6 +++--- crypto/threads/th-lock.c | 12 ++++++------ crypto/x509v3/v3_cpols.c | 8 ++++---- demos/easy_tls/easy-tls.c | 2 +- ssl/d1_both.c | 6 +++--- ssl/s3_clnt.c | 2 +- ssl/s3_pkt.c | 2 +- ssl/t1_enc.c | 2 +- ssl/t1_lib.c | 6 +++--- ssl/tls_srp.c | 2 +- 44 files changed, 103 insertions(+), 
103 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index b0acbc7..6d22a08 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -574,7 +574,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); - if(!prompt) { + if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); return 0; @@ -588,7 +588,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); - if(!buff) { + if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); OPENSSL_free(prompt); diff --git a/apps/ca.c b/apps/ca.c index d64ec4f..3b7336c 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -563,7 +563,7 @@ int MAIN(int argc, char **argv) #ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -571,7 +571,7 @@ int MAIN(int argc, char **argv) #else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -2821,7 +2821,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); - if(!tmp) { + if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2843,7 +2843,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if(!*prevtm) { + if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2887,7 +2887,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); - if(!comp_time) { + if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } 
diff --git a/apps/cms.c b/apps/cms.c index 2c92253..d287a2b 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -463,7 +463,7 @@ int MAIN(int argc, char **argv) if (key_param == NULL || key_param->idx != keyidx) { cms_key_param *nparam; nparam = OPENSSL_malloc(sizeof(cms_key_param)); - if(!nparam) { + if (!nparam) { BIO_printf(bio_err, "Out of memory\n"); goto argerr; } diff --git a/apps/s_cb.c b/apps/s_cb.c index 36e2284..ee57537 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -456,7 +456,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared) if (ncurves <= 0) return 1; curves = OPENSSL_malloc(ncurves * sizeof(int)); - if(!curves) { + if (!curves) { BIO_puts(out, "Malloc error getting supported curves\n"); return 0; } diff --git a/apps/s_client.c b/apps/s_client.c index 6c244ac..d53bca1 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -560,7 +560,7 @@ static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) PW_CB_DATA cb_tmp; int l; - if(!pass) { + if (!pass) { BIO_printf(bio_err, "Malloc failure\n"); return NULL; } diff --git a/apps/s_server.c b/apps/s_server.c index 083cc4c..2597e8c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -754,7 +754,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = inl; wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if(!wbuf) + if (!wbuf) return 0; OPENSSL_free(b->ptr); @@ -3281,7 +3281,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, { unsigned int count = 0; do { - if(RAND_pseudo_bytes(id, *id_len) < 0) + if (RAND_pseudo_bytes(id, *id_len) < 0) return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix @@ -3324,7 +3324,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session) unsigned char *p; sess = OPENSSL_malloc(sizeof(simple_ssl_session)); - if(!sess) { + if (!sess) { BIO_printf(bio_err, "Out of memory adding session to external cache\n"); return 0; } 
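Review bot: In generate_session_id the check `if (RAND_pseudo_bytes(id, *id_len) < 0)` rejects only the "not supported" result. A return of 0 means the bytes were produced but are not cryptographically strong, and the session id is then used anyway. The same `< 0` test guards the OCSP nonce in ocsp_add1_nonce and the SRP hunks in crypto/srp/srp_vfy.c (`digv` in SRP_VBASE_get_by_user, and the random salt in SRP_create_verifier and SRP_create_verifier_BN). Where the value is meant to be unpredictable, I would use the form des_ede3_wrap already has in this commit, here `if (RAND_bytes(id, *id_len) <= 0) return 0;`. These function bodies continue outside their hunks.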
@@ -3335,12 +3335,12 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); sess->der = OPENSSL_malloc(sess->derlen); - if(!sess->id || !sess->der) { + if (!sess->id || !sess->der) { BIO_printf(bio_err, "Out of memory adding session to external cache\n"); - if(sess->id) + if (sess->id) OPENSSL_free(sess->id); - if(sess->der) + if (sess->der) OPENSSL_free(sess->der); OPENSSL_free(sess); return 0; diff --git a/apps/s_time.c b/apps/s_time.c index a40997a..38788f7 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -302,7 +302,7 @@ static int parseArgs(int argc, char **argv) if (--argc < 1) goto bad; maxTime = atoi(*(++argv)); - if(maxTime <= 0) { + if (maxTime <= 0) { BIO_printf(bio_err, "time must be > 0\n"); badop = 1; } diff --git a/apps/speed.c b/apps/speed.c index 7b1acc1..8c350ee 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -2775,7 +2775,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) inp = OPENSSL_malloc(mblengths[num - 1]); out = OPENSSL_malloc(mblengths[num - 1] + 1024); - if(!inp || !out) { + if (!inp || !out) { BIO_printf(bio_err,"Out of memory\n"); goto end; } @@ -2865,9 +2865,9 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) } end: - if(inp) + if (inp) OPENSSL_free(inp); - if(out) + if (out) OPENSSL_free(out); } #endif diff --git a/apps/srp.c b/apps/srp.c index c679448..c0ff417 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -435,7 +435,7 @@ int MAIN(int argc, char **argv) # ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -443,7 +443,7 @@ int MAIN(int argc, char **argv) # else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index fa4dd82..96110c5 100644 
--- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - if(RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 4a73ca9..31949b8 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -162,7 +162,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; @@ -232,7 +232,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 7c54f9d..5e7d53e 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -290,7 +290,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(fld, tt, 1); - if(!seqtt) + if (!seqtt) return 0; tmpfld = asn1_get_field_ptr(fld, seqtt); if (!asn1_template_print_ctx(out, tmpfld, diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 55319ac..5f266a2 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -177,7 +177,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); 
@@ -192,7 +192,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); if (a) *a = NULL; diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index c2cf6e6..452e5cf 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -710,7 +710,7 @@ doapr_outch(char **sbuffer, if (*maxlen == 0) *maxlen = 1024; *buffer = OPENSSL_malloc(*maxlen); - if(!*buffer) { + if (!*buffer) { /* Panic! Can't really do anything sensible. Just return */ return; } @@ -722,7 +722,7 @@ doapr_outch(char **sbuffer, } else { *maxlen += 1024; *buffer = OPENSSL_realloc(*buffer, *maxlen); - if(!*buffer) { + if (!*buffer) { /* Panic! Can't really do anything sensible. Just return */ return; } diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 44d1029..a04f32a 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -139,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b); #if 1 - if(RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_pseudo_bytes(&n, 1) < 0) return -1; num = (n & 0x07); @@ -179,7 +179,7 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn; nt->lwn = 0; } else { - if(RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_pseudo_bytes(&n, 1) < 0) return -1; num = (n & 7); } diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index de80b99..ac03a6d 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -1012,7 +1012,7 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) */ sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); authchunks = OPENSSL_malloc(sockopt_len); - if(!authchunks) { + if (!authchunks) { BIO_vfree(bio); return (NULL); } 
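Review bot: In the second doapr_outch hunk (at -722), `*buffer = OPENSSL_realloc(*buffer, *maxlen);` overwrites the only pointer to the old allocation. A failed realloc therefore leaks it and leaves `*buffer` NULL after `*maxlen` has already grown by 1024. The function then does a bare `return;` with no error signal, so whether callers notice the failure cannot be seen from this hunk. I would realloc into a temporary, `tmp = OPENSSL_realloc(*buffer, *maxlen); if (tmp == NULL) return; *buffer = tmp;`, and undo the `*maxlen` increase on the failure path. Reporting the failure to the caller needs a change to the function's return type, which lies outside the hunk.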
@@ -1423,7 +1423,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) { char *tmp; data->saved_message.bio = b; - if(!(tmp = OPENSSL_malloc(inl))) { + if (!(tmp = OPENSSL_malloc(inl))) { BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE); return -1; } diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 48de9cb..9e78d4d 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -157,7 +157,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char c; for (i = 0; i < bytes; i++) { - if(RAND_pseudo_bytes(&c, 1) < 0) + if (RAND_pseudo_bytes(&c, 1) < 0) goto err; if (c >= 128 && i > 0) buf[i] = buf[i - 1]; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index b9c560d..a8322dc 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -231,7 +231,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, return 0; } tmp = OPENSSL_malloc(inlen); - if(!tmp) + if (!tmp) return 0; /* setup IV by decrypting last two blocks */ EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, diff --git a/crypto/des/des.c b/crypto/des/des.c index dcdb8dd..586aed7 100644 --- a/crypto/des/des.c +++ b/crypto/des/des.c @@ -456,7 +456,7 @@ void doencryption(void) len = l - rem; if (feof(DES_IN)) { for (i = 7 - rem; i > 0; i--) { - if(RAND_pseudo_bytes(buf + l++, 1) < 0) + if (RAND_pseudo_bytes(buf + l++, 1) < 0) goto problems; } buf[l++] = rem; diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 0777b4f..25041f2 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -132,7 +132,7 @@ int DES_enc_write(int fd, const void *_buf, int len, if (len < 8) { cp = shortbuf; memcpy(shortbuf, buf, len); - if(RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { + if (RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { return -1; } rnum = 8; diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index c6bfc2d..ac72468 100644 
--- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -160,7 +160,7 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh = pkey->pkey.dh; str = ASN1_STRING_new(); - if(!str) { + if (!str) { DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index b3a3147..b58e3fa 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -462,7 +462,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, ret = 0; Zlen = DH_size(dh); Z = OPENSSL_malloc(Zlen); - if(!Z) { + if (!Z) { goto err; } if (DH_compute_key_padded(Z, dhpub, dh) <= 0) diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 4a6560d..5a328aa 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -204,7 +204,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; if (!seed_len) { - if(RAND_pseudo_bytes(seed, qsize) < 0) + if (RAND_pseudo_bytes(seed, qsize) < 0) goto err; seed_is_random = 1; } else { diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index 665f40a..f0ec8fa 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c 
@@ -106,23 +106,23 @@ static DSA_METHOD openssl_dsa_meth = { #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index d2a48bb..09b8eaf 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c index 0eff96e..d0794b8 100644 --- a/crypto/dso/dso_vms.c +++ b/crypto/dso/dso_vms.c 
@@ -539,7 +539,7 @@ static char *vms_name_converter(DSO *dso, const char *filename) { int len = strlen(filename); char *not_translated = OPENSSL_malloc(len + 1); - if(not_translated) + if (not_translated) strcpy(not_translated, filename); return (not_translated); } diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 859712f..5c32e35 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -491,7 +491,7 @@ static int sig_out(BIO *b) * FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ - if(RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) + if (RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) goto berr; memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 6aa4d09..96f272e 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -447,7 +447,7 @@ static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, memcpy(out + inl + 8, sha1tmp, 8); OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); /* Generate random IV */ - if(RAND_bytes(ctx->iv, 8) <= 0) + if (RAND_bytes(ctx->iv, 8) <= 0) return -1; memcpy(out, ctx->iv, 8); /* Encrypt everything after IV in place */ diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index d1d8a07..53cc586 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -248,7 +248,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, /* We parse the input data */ for (i = 0; i < inl; i++) { - /* If the current line is > 80 characters, scream alot */ + /* If the current line is > 80 characters, scream a lot */ if (ln >= 80) { rv = -1; goto end; diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c index 0eea562..5ca3894 100644 --- a/crypto/hmac/hmac.c +++ b/crypto/hmac/hmac.c 
@@ -101,13 +101,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (md != NULL) { reset = 1; ctx->md = md; - } else if(ctx->md) { + } else if (ctx->md) { md = ctx->md; } else { return 0; } - if(!ctx->key_init && key == NULL) + if (!ctx->key_init && key == NULL) return 0; if (key != NULL) { @@ -123,7 +123,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, &ctx->key_length)) goto err; } else { - if(len < 0 || len > (int)sizeof(ctx->key)) + if (len < 0 || len > (int)sizeof(ctx->key)) return 0; memcpy(ctx->key, key, len); ctx->key_length = len; @@ -169,7 +169,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif - if(!ctx->key_init) + if (!ctx->key_init) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); @@ -184,7 +184,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif - if(!ctx->key_init) + if (!ctx->key_init) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -218,7 +218,7 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) goto err; dctx->key_init = sctx->key_init; - if(sctx->key_init) { + if (sctx->key_init) { memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); dctx->key_length = sctx->key_length; } diff --git a/crypto/hmac/hmactest.c b/crypto/hmac/hmactest.c index 5c8ec4c..86b6c25 100644 --- a/crypto/hmac/hmactest.c +++ b/crypto/hmac/hmactest.c 
@@ -173,22 +173,22 @@ int main(int argc, char *argv[]) /* test4 */ HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD and key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; } - if(HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with empty key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; 
@@ -196,32 +196,32 @@ int main(int argc, char *argv[]) printf("test 4 ok\n"); test5: HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD (test 5)\n"); err++; goto test6; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 5)\n"); err++; goto test6; } - if(HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with invalid key len(test 5)\n"); err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Error updating HMAC with data (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (test 5)\n"); err++; goto test6; @@ -233,17 +233,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { printf("Failed to reinitialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { + if (!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { printf("Error updating HMAC with data (sha256) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (sha256) (test 5)\n"); err++; goto test6; 
@@ -255,17 +255,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { + if (!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { printf("Failed to reinitialise HMAC with key (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { + if (!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { printf("Error updating HMAC with data (new key) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (new key) (test 5)\n"); err++; goto test6; @@ -280,22 +280,22 @@ test5: } test6: HMAC_CTX_init(&ctx); - if(!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 6)\n"); err++; goto end; } - if(!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { + if (!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { printf("Error updating HMAC with data (test 6)\n"); err++; goto end; } - if(!HMAC_CTX_copy(&ctx2, &ctx)) { + if (!HMAC_CTX_copy(&ctx2, &ctx)) { printf("Failed to copy HMAC_CTX (test 6)\n"); err++; goto end; } - if(!HMAC_Final(&ctx2, buf, &len)) { + if (!HMAC_Final(&ctx2, buf, &len)) { printf("Error finalising data (test 6)\n"); err++; goto end; diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index c6774f4..2485992 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -313,7 +313,7 @@ void OBJ_NAME_do_all_sorted(int type, d.names = OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names); /* Really should return an error if !d.names...but its a void function! */ - if(d.names) { + if (d.names) { d.n = 0; OBJ_NAME_do_all(type, do_all_sorted_fn, &d); diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index fdfddf9..c19648c 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c 
@@ -361,7 +361,7 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
 if (val) memcpy(tmpval, val, len);
- else if(RAND_pseudo_bytes(tmpval, len) < 0)
+ else if (RAND_pseudo_bytes(tmpval, len) < 0)
 goto err;
 if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE))
diff --git a/crypto/rand/rand_os2.c b/crypto/rand/rand_os2.c
index 02148d5..706ab1e 100644
--- a/crypto/rand/rand_os2.c
+++ b/crypto/rand/rand_os2.c
@@ -149,7 +149,7 @@ int RAND_poll(void) if (DosQuerySysState) {
 char *buffer = OPENSSL_malloc(256 * 1024);
- if(!buffer)
+ if (!buffer)
 return 0;
 if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) {
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index 902df10..50f75d7 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -497,7 +497,7 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err;
- if(RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0)
+ if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0)
 goto err;
 EVP_MD_CTX_init(&ctxt);
 EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL);
@@ -550,7 +550,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, }
 if (*salt == NULL) {
- if(RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
+ if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
 goto err;
 s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
@@ -611,7 +611,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, srp_bn_print(g);
 if (*salt == NULL) {
- if(RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
+ if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
 goto err;
 *salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c
index 28884c2..cc8cf25 100644
--- a/crypto/threads/th-lock.c
+++ b/crypto/threads/th-lock.c
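Review bot: The salt paths in SRP_create_verifier and SRP_create_verifier_BN (crypto/srp/srp_vfy.c) treat only a negative return from RAND_pseudo_bytes as failure, but that function returns 0 when the bytes it produced are not cryptographically strong, so a weak salt is accepted silently. If these values are meant to be unpredictable, use the strong generator and reject anything but success, e.g. `if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0)`, the form already used for RAND_bytes elsewhere in this patch. The same `< 0` test guards the digv seed in SRP_VBASE_get_by_user and the generated nonce in ocsp_add1_nonce (crypto/ocsp/ocsp_ext.c), and it recurs in the OpenSSL_1_0_1-stable copy of this change further down. All of these functions continue outside their hunks, so how the bytes are consumed is only partly visible.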
@@ -117,7 +117,7 @@ void CRYPTO_thread_setup(void) int i; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -172,7 +172,7 @@ void CRYPTO_thread_setup(void) # else lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t)); # endif - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -260,7 +260,7 @@ void CRYPTO_thread_setup(void) char filename[20]; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -328,11 +328,11 @@ void CRYPTO_thread_setup(void) lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); - if(!lock_cs || !lock_count) { + if (!lock_cs || !lock_count) { /* Nothing we can do about this...void function! */ - if(lock_cs) + if (lock_cs) OPENSSL_free(lock_cs); - if(lock_count) + if (lock_count) OPENSSL_free(lock_count); return; } diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index dca6ab2..0febc1b 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -230,11 +230,11 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, goto merr; if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR); goto err; } - if(!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) + if (!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) goto merr; if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) 
@@ -294,7 +294,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, POLICYQUALINFO *qual; if (!(qual = POLICYQUALINFO_new())) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR); goto err; } @@ -304,7 +304,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, for (i = 0; i < sk_CONF_VALUE_num(unot); i++) { cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { - if(!(not->exptext = M_ASN1_VISIBLESTRING_new())) + if (!(not->exptext = M_ASN1_VISIBLESTRING_new())) goto merr; if (!ASN1_STRING_set(not->exptext, cnf->value, strlen(cnf->value))) diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index df6ae6c..5682e91 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -761,7 +761,7 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg) if (tls_dhe1024 == NULL) { int i; - if(RAND_bytes((unsigned char *)&i, sizeof i) <= 0) + if (RAND_bytes((unsigned char *)&i, sizeof i) <= 0) goto err_return; /* * make sure that i is non-negative -- pick one of the provided diff --git a/ssl/d1_both.c b/ssl/d1_both.c index d4150cb..ae8239a 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1420,7 +1420,7 @@ int dtls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - if(RAND_pseudo_bytes(bp, padding) < 0) { + if (RAND_pseudo_bytes(bp, padding) < 0) { OPENSSL_free(buffer); return -1; } @@ -1505,11 +1505,11 @@ int dtls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - if(RAND_pseudo_bytes(p, 16) < 0) + if (RAND_pseudo_bytes(p, 16) < 0) goto err; p += 16; /* Random padding */ - if(RAND_pseudo_bytes(p, padding) < 0) + if (RAND_pseudo_bytes(p, padding) < 0) goto err; ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index c7f3f1d..40e49cf 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2847,7 +2847,7 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_encrypt_init(pkey_ctx);
 /* Generate session key */
- if(RAND_bytes(premaster_secret, 32) <= 0) {
+ if (RAND_bytes(premaster_secret, 32) <= 0) {
 EVP_PKEY_CTX_free(pkey_ctx);
 goto err;
 }
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 221ae03..8440f1e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -708,7 +708,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) packlen *= 4;
 wb->buf = OPENSSL_malloc(packlen);
- if(!wb->buf) {
+ if (!wb->buf) {
 SSLerr(SSL_F_SSL3_WRITE_BYTES, ERR_R_MALLOC_FAILURE);
 return -1;
 }
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 6869909..0563191 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -260,7 +260,7 @@ static int tls1_PRF(long digest_mask, if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
 }
- if(!count) {
+ if (!count) {
 /* Should never happen */
 SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
 goto err;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5568df6..26ebdb3 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3849,7 +3849,7 @@ int tls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload);
 bp += payload;
 /* Random padding */
- if(RAND_pseudo_bytes(bp, padding) < 0) {
+ if (RAND_pseudo_bytes(bp, padding) < 0) {
 OPENSSL_free(buffer);
 return -1;
 }
@@ -3935,13 +3935,13 @@ int tls1_heartbeat(SSL *s) /* Sequence number */
 s2n(s->tlsext_hb_seq, p);
 /* 16 random bytes */
- if(RAND_pseudo_bytes(p, 16) < 0) {
+ if (RAND_pseudo_bytes(p, 16) < 0) {
 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
 goto err;
 }
 p += 16;
 /* Random padding */
- if(RAND_pseudo_bytes(p, padding) < 0) {
+ if (RAND_pseudo_bytes(p, padding) < 0) {
 SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR);
 goto err;
 }
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 6bdf7f3..bb719ba 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -454,7 +454,7 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if(RAND_bytes(rnd, sizeof(rnd)) <= 0) + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) return -1; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); From viktor at openssl.org Thu Apr 16 17:52:15 2015 
From: viktor at openssl.org (Viktor Dukhovni) Date: Thu, 16 Apr 2015 17:52:15 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429206735.332788.23730.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via c70908d247d1f6866139185b8c6940412bcdd87f (commit) from e963109fcd4973a6ba13415421b21c1b8aebaf74 (commit) - Log ----------------------------------------------------------------- commit c70908d247d1f6866139185b8c6940412bcdd87f Author: Viktor Dukhovni Date: Thu Apr 16 02:51:52 2015 -0400 Code style: space after 'if' Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 4 ++-- apps/ca.c | 10 +++++----- apps/s_client.c | 2 +- apps/s_server.c | 4 ++-- apps/s_time.c | 2 +- apps/srp.c | 4 ++-- crypto/asn1/asn_mime.c | 2 +- crypto/asn1/bio_ndef.c | 4 ++-- crypto/asn1/tasn_prn.c | 2 +- crypto/asn1/x_x509.c | 4 ++-- crypto/bio/b_print.c | 4 ++-- crypto/bio/bf_nbio.c | 4 ++-- crypto/bio/bss_dgram.c | 4 ++-- crypto/bn/bn_rand.c | 2 +- crypto/cms/cms_pwri.c | 2 +- crypto/des/des.c | 2 +- crypto/des/enc_writ.c | 2 +- crypto/dh/dh_ameth.c | 2 +- crypto/dsa/dsa_gen.c | 2 +- crypto/dsa/dsa_ossl.c | 8 ++++---- crypto/dso/dso_lib.c | 2 +- crypto/dso/dso_vms.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/hmac/hmac.c | 12 ++++++------ crypto/hmac/hmactest.c | 40 ++++++++++++++++++++-------------------- crypto/objects/o_names.c | 2 +- crypto/ocsp/ocsp_ext.c | 2 +- crypto/rand/rand_os2.c | 2 +- crypto/srp/srp_vfy.c | 6 +++--- crypto/threads/th-lock.c | 12 ++++++------ crypto/x509v3/v3_cpols.c | 8 ++++---- demos/easy_tls/easy-tls.c | 2 +- ssl/d1_both.c | 6 +++--- ssl/s3_clnt.c | 2 +- ssl/t1_enc.c | 2 +- ssl/t1_lib.c | 6 +++--- ssl/tls_srp.c | 2 +- 37 files changed, 90 insertions(+), 90 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 9862afd..5b7aedc 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -572,7 +572,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); - if(!prompt) { + if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); return 0; @@ -586,7 +586,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); - if(!buff) { + if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); OPENSSL_free(prompt); diff --git a/apps/ca.c b/apps/ca.c index 5d29a64..97ad0c1 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -558,7 +558,7 @@ int MAIN(int argc, char **argv) #ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -566,7 +566,7 @@ int MAIN(int argc, char **argv) #else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -2803,7 +2803,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); - if(!tmp) { + if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2825,7 +2825,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if(!*prevtm) { + if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2869,7 +2869,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); - if(!comp_time) { + if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } diff --git a/apps/s_client.c b/apps/s_client.c index 1f37239..b9b7975 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -547,7 +547,7 @@ static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) PW_CB_DATA cb_tmp; int l; - if(!pass) { + if (!pass) { BIO_printf(bio_err, "Malloc failure\n"); return NULL; } diff --git a/apps/s_server.c b/apps/s_server.c index 35b4061..648dc6a 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -720,7 +720,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = inl; wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if(!wbuf) + if (!wbuf) return 0; OPENSSL_free(b->ptr); @@ -2916,7 +2916,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, { unsigned int count = 0; do { - if(RAND_pseudo_bytes(id, *id_len) < 0) + if (RAND_pseudo_bytes(id, *id_len) < 0) return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix diff --git a/apps/s_time.c b/apps/s_time.c index a40997a..38788f7 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -302,7 +302,7 @@ static int parseArgs(int argc, char **argv) if (--argc < 1) goto bad; maxTime = atoi(*(++argv)); - if(maxTime <= 0) { + if (maxTime <= 0) { BIO_printf(bio_err, "time must be > 0\n"); badop = 1; } diff --git a/apps/srp.c b/apps/srp.c index c679448..c0ff417 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -435,7 +435,7 @@ int MAIN(int argc, char **argv) # ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -443,7 +443,7 @@ int MAIN(int argc, char **argv) # else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index fa4dd82..96110c5 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c 
@@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - if(RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 4a73ca9..31949b8 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -162,7 +162,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; @@ -232,7 +232,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 7c54f9d..5e7d53e 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -290,7 +290,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(fld, tt, 1); - if(!seqtt) + if (!seqtt) return 0; tmpfld = asn1_get_field_ptr(fld, seqtt); if (!asn1_template_print_ctx(out, tmpfld, diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index d51b76e..f56e837 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -177,7 +177,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); 
@@ -192,7 +192,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err;
 return ret;
 err:
- if(freeret) {
+ if (freeret) {
 X509_free(ret);
 if (a) *a = NULL;
diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c
index c2cf6e6..452e5cf 100644
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -710,7 +710,7 @@ doapr_outch(char **sbuffer, if (*maxlen == 0) *maxlen = 1024;
 *buffer = OPENSSL_malloc(*maxlen);
- if(!*buffer) {
+ if (!*buffer) {
 /* Panic! Can't really do anything sensible. Just return */
 return;
 }
@@ -722,7 +722,7 @@ doapr_outch(char **sbuffer, } else {
 *maxlen += 1024;
 *buffer = OPENSSL_realloc(*buffer, *maxlen);
- if(!*buffer) {
+ if (!*buffer) {
 /* Panic! Can't really do anything sensible. Just return */
 return;
 }
diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c
index 44d1029..a04f32a 100644
--- a/crypto/bio/bf_nbio.c
+++ b/crypto/bio/bf_nbio.c
@@ -139,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b);
 #if 1
- if(RAND_pseudo_bytes(&n, 1) < 0)
+ if (RAND_pseudo_bytes(&n, 1) < 0)
 return -1;
 num = (n & 0x07);
@@ -179,7 +179,7 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn;
 nt->lwn = 0;
 } else {
- if(RAND_pseudo_bytes(&n, 1) < 0)
+ if (RAND_pseudo_bytes(&n, 1) < 0)
 return -1;
 num = (n & 7);
 }
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 2e78fd1..8035213 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -953,7 +953,7 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) */
 sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t));
 authchunks = OPENSSL_malloc(sockopt_len);
- if(!authchunks) {
+ if (!authchunks) {
 BIO_vfree(bio);
 return (NULL);
 }
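Review bot: In the second doapr_outch hunk of crypto/bio/b_print.c, `*buffer = OPENSSL_realloc(*buffer, *maxlen);` overwrites the only pointer to the existing block, so when the call fails the old allocation is leaked and `*buffer` is left NULL with `*maxlen` already raised by 1024. Keeping the result in a temporary avoids that: `tmp = OPENSSL_realloc(*buffer, *maxlen + 1024);`, `if (!tmp) return;`, then `*buffer = tmp; *maxlen += 1024;`. Both allocation-failure paths return from a void function, so the caller is presumably never told that output was dropped; returning a status would let callers stop instead of continuing with inconsistent buffer state. The function starts and ends outside the hunk, so what runs after the return is not visible here.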
@@ -1364,7 +1364,7 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) { char *tmp; data->saved_message.bio = b; - if(!(tmp = OPENSSL_malloc(inl))) { + if (!(tmp = OPENSSL_malloc(inl))) { BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE); return -1; } diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 48de9cb..9e78d4d 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -157,7 +157,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char c; for (i = 0; i < bytes; i++) { - if(RAND_pseudo_bytes(&c, 1) < 0) + if (RAND_pseudo_bytes(&c, 1) < 0) goto err; if (c >= 128 && i > 0) buf[i] = buf[i - 1]; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index b9c560d..a8322dc 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -231,7 +231,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, return 0; } tmp = OPENSSL_malloc(inlen); - if(!tmp) + if (!tmp) return 0; /* setup IV by decrypting last two blocks */ EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, diff --git a/crypto/des/des.c b/crypto/des/des.c index dcdb8dd..586aed7 100644 --- a/crypto/des/des.c +++ b/crypto/des/des.c @@ -456,7 +456,7 @@ void doencryption(void) len = l - rem; if (feof(DES_IN)) { for (i = 7 - rem; i > 0; i--) { - if(RAND_pseudo_bytes(buf + l++, 1) < 0) + if (RAND_pseudo_bytes(buf + l++, 1) < 0) goto problems; } buf[l++] = rem; diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 0777b4f..25041f2 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -132,7 +132,7 @@ int DES_enc_write(int fd, const void *_buf, int len, if (len < 8) { cp = shortbuf; memcpy(shortbuf, buf, len); - if(RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { + if (RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { return -1; } rnum = 8; diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 1dec109..873eb2e 100644 
--- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -135,7 +135,7 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh = pkey->pkey.dh; str = ASN1_STRING_new(); - if(!str) { + if (!str) { DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index 3123352..d686ab0 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c @@ -202,7 +202,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; if (!seed_len) { - if(RAND_pseudo_bytes(seed, qsize) < 0) + if (RAND_pseudo_bytes(seed, qsize) < 0) goto err; seed_is_random = 1; } else { diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index b30eab0..6edb26d 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -106,23 +106,23 @@ static DSA_METHOD openssl_dsa_meth = { #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index d2a48bb..09b8eaf 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c 
@@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c index 0eff96e..d0794b8 100644 --- a/crypto/dso/dso_vms.c +++ b/crypto/dso/dso_vms.c @@ -539,7 +539,7 @@ static char *vms_name_converter(DSO *dso, const char *filename) { int len = strlen(filename); char *not_translated = OPENSSL_malloc(len + 1); - if(not_translated) + if (not_translated) strcpy(not_translated, filename); return (not_translated); } diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 859712f..5c32e35 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -491,7 +491,7 @@ static int sig_out(BIO *b) * FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ - if(RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) + if (RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) goto berr; memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c index 2daacf6..b1f7317 100644 --- a/crypto/hmac/hmac.c +++ b/crypto/hmac/hmac.c 
@@ -91,13 +91,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (md != NULL) { reset = 1; ctx->md = md; - } else if(ctx->md) { + } else if (ctx->md) { md = ctx->md; } else { return 0; } - if(!ctx->key_init && key == NULL) + if (!ctx->key_init && key == NULL) return 0; if (key != NULL) { @@ -113,7 +113,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, &ctx->key_length)) goto err; } else { - if(len < 0 || len > (int)sizeof(ctx->key)) + if (len < 0 || len > (int)sizeof(ctx->key)) return 0; memcpy(ctx->key, key, len); ctx->key_length = len; @@ -159,7 +159,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif - if(!ctx->key_init) + if (!ctx->key_init) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); @@ -174,7 +174,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif - if(!ctx->key_init) + if (!ctx->key_init) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -208,7 +208,7 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) goto err; dctx->key_init = sctx->key_init; - if(sctx->key_init) { + if (sctx->key_init) { memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); dctx->key_length = sctx->key_length; } diff --git a/crypto/hmac/hmactest.c b/crypto/hmac/hmactest.c index 5c8ec4c..86b6c25 100644 --- a/crypto/hmac/hmactest.c +++ b/crypto/hmac/hmactest.c 
@@ -173,22 +173,22 @@ int main(int argc, char *argv[]) /* test4 */ HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD and key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; } - if(HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with empty key (test 4)\n"); err++; goto test5; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); err++; goto test5; 
@@ -196,32 +196,32 @@ int main(int argc, char *argv[]) printf("test 4 ok\n"); test5: HMAC_CTX_init(&ctx); - if(HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD (test 5)\n"); err++; goto test6; } - if(HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Should fail HMAC_Update with ctx not set up (test 5)\n"); err++; goto test6; } - if(HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { + if (HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { printf("Should fail to initialise HMAC with invalid key len(test 5)\n"); err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + if (!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { printf("Error updating HMAC with data (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (test 5)\n"); err++; goto test6; @@ -233,17 +233,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { printf("Failed to reinitialise HMAC (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { + if (!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { printf("Error updating HMAC with data (sha256) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (sha256) (test 5)\n"); err++; goto test6; 
@@ -255,17 +255,17 @@ test5: err++; goto test6; } - if(!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { + if (!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { printf("Failed to reinitialise HMAC with key (test 5)\n"); err++; goto test6; } - if(!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { + if (!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { printf("Error updating HMAC with data (new key) (test 5)\n"); err++; goto test6; } - if(!HMAC_Final(&ctx, buf, &len)) { + if (!HMAC_Final(&ctx, buf, &len)) { printf("Error finalising data (new key) (test 5)\n"); err++; goto test6; @@ -280,22 +280,22 @@ test5: } test6: HMAC_CTX_init(&ctx); - if(!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { + if (!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 6)\n"); err++; goto end; } - if(!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { + if (!HMAC_Update(&ctx, test[7].data, test[7].data_len)) { printf("Error updating HMAC with data (test 6)\n"); err++; goto end; } - if(!HMAC_CTX_copy(&ctx2, &ctx)) { + if (!HMAC_CTX_copy(&ctx2, &ctx)) { printf("Failed to copy HMAC_CTX (test 6)\n"); err++; goto end; } - if(!HMAC_Final(&ctx2, buf, &len)) { + if (!HMAC_Final(&ctx2, buf, &len)) { printf("Error finalising data (test 6)\n"); err++; goto end; diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index c6774f4..2485992 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -313,7 +313,7 @@ void OBJ_NAME_do_all_sorted(int type, d.names = OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names); /* Really should return an error if !d.names...but its a void function! */ - if(d.names) { + if (d.names) { d.n = 0; OBJ_NAME_do_all(type, do_all_sorted_fn, &d); diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index fdfddf9..c19648c 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c 
@@ -361,7 +361,7 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); if (val) memcpy(tmpval, val, len); - else if(RAND_pseudo_bytes(tmpval, len) < 0) + else if (RAND_pseudo_bytes(tmpval, len) < 0) goto err; if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) diff --git a/crypto/rand/rand_os2.c b/crypto/rand/rand_os2.c index 02148d5..706ab1e 100644 --- a/crypto/rand/rand_os2.c +++ b/crypto/rand/rand_os2.c @@ -149,7 +149,7 @@ int RAND_poll(void) if (DosQuerySysState) { char *buffer = OPENSSL_malloc(256 * 1024); - if(!buffer) + if (!buffer) return 0; if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) { diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 902df10..50f75d7 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -497,7 +497,7 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - if(RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0) + if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0) goto err; EVP_MD_CTX_init(&ctxt); EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); @@ -550,7 +550,7 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - if(RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); @@ -611,7 +611,7 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, srp_bn_print(g); if (*salt == NULL) { - if(RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) goto err; *salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); diff --git a/crypto/threads/th-lock.c b/crypto/threads/th-lock.c index 28884c2..cc8cf25 100644 --- a/crypto/threads/th-lock.c +++ b/crypto/threads/th-lock.c 
@@ -117,7 +117,7 @@ void CRYPTO_thread_setup(void) int i; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -172,7 +172,7 @@ void CRYPTO_thread_setup(void) # else lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t)); # endif - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -260,7 +260,7 @@ void CRYPTO_thread_setup(void) char filename[20]; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -328,11 +328,11 @@ void CRYPTO_thread_setup(void) lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); - if(!lock_cs || !lock_count) { + if (!lock_cs || !lock_count) { /* Nothing we can do about this...void function! */ - if(lock_cs) + if (lock_cs) OPENSSL_free(lock_cs); - if(lock_count) + if (lock_count) OPENSSL_free(lock_count); return; } diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index dca6ab2..0febc1b 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -230,11 +230,11 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, goto merr; if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR); goto err; } - if(!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) + if (!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) goto merr; if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) 
@@ -294,7 +294,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, POLICYQUALINFO *qual; if (!(qual = POLICYQUALINFO_new())) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR); goto err; } @@ -304,7 +304,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, for (i = 0; i < sk_CONF_VALUE_num(unot); i++) { cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { - if(!(not->exptext = M_ASN1_VISIBLESTRING_new())) + if (!(not->exptext = M_ASN1_VISIBLESTRING_new())) goto merr; if (!ASN1_STRING_set(not->exptext, cnf->value, strlen(cnf->value))) diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index df6ae6c..5682e91 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -761,7 +761,7 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg) if (tls_dhe1024 == NULL) { int i; - if(RAND_bytes((unsigned char *)&i, sizeof i) <= 0) + if (RAND_bytes((unsigned char *)&i, sizeof i) <= 0) goto err_return; /* * make sure that i is non-negative -- pick one of the provided diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 5cb30a5..68218e7 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1540,7 +1540,7 @@ int dtls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - if(RAND_pseudo_bytes(bp, padding) < 0) { + if (RAND_pseudo_bytes(bp, padding) < 0) { OPENSSL_free(buffer); return -1; } @@ -1625,11 +1625,11 @@ int dtls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - if(RAND_pseudo_bytes(p, 16) < 0) + if (RAND_pseudo_bytes(p, 16) < 0) goto err; p += 16; /* Random padding */ - if(RAND_pseudo_bytes(p, padding) < 0) + if (RAND_pseudo_bytes(p, padding) < 0) goto err; ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); 
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 30ca11a..3d6b491 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -2729,7 +2729,7 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_encrypt_init(pkey_ctx); /* Generate session key */ - if(RAND_bytes(premaster_secret, 32) <= 0) { + if (RAND_bytes(premaster_secret, 32) <= 0) { EVP_PKEY_CTX_free(pkey_ctx); goto err; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 4e2845f..2736238 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -261,7 +261,7 @@ static int tls1_PRF(long digest_mask, if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) count++; } - if(!count) { + if (!count) { /* Should never happen */ SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); goto err; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index f011248..1ad2507 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2612,7 +2612,7 @@ int tls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - if(RAND_pseudo_bytes(bp, padding) < 0) { + if (RAND_pseudo_bytes(bp, padding) < 0) { OPENSSL_free(buffer); return -1; } @@ -2698,13 +2698,13 @@ int tls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - if(RAND_pseudo_bytes(p, 16) < 0) { + if (RAND_pseudo_bytes(p, 16) < 0) { SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); goto err; } p += 16; /* Random padding */ - if(RAND_pseudo_bytes(p, padding) < 0) { + if (RAND_pseudo_bytes(p, padding) < 0) { SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); goto err; } diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 6bdf7f3..bb719ba 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -454,7 +454,7 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - if(RAND_bytes(rnd, sizeof(rnd)) <= 0) + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) return -1; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); From viktor at openssl.org Thu Apr 16 17:53:40 2015 
From: viktor at openssl.org (Viktor Dukhovni) Date: Thu, 16 Apr 2015 17:53:40 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429206820.789097.24199.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 6b7d6c440433b65f401880662050c0b8215ee2ff (commit) from 21220998f33adaa1d29f80b6946170458e97fa9a (commit) - Log ----------------------------------------------------------------- commit 6b7d6c440433b65f401880662050c0b8215ee2ff Author: Viktor Dukhovni Date: Thu Apr 16 02:53:29 2015 -0400 Code style: space after 'if' Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/asn1/x_x509.c | 4 ++-- crypto/dsa/dsa_ossl.c | 8 ++++---- crypto/dso/dso_lib.c | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index d51b76e..f56e837 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -177,7 +177,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); @@ -192,7 +192,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); if (a) *a = NULL; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index fb0e1b5..0fb3014 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c 
@@ -106,23 +106,23 @@ static DSA_METHOD openssl_dsa_meth = { #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index d2a48bb..09b8eaf 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ From viktor at openssl.org Thu Apr 16 17:55:27 2015 
From: viktor at openssl.org (Viktor Dukhovni) Date: Thu, 16 Apr 2015 17:55:27 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1429206927.091364.24557.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via 1a38987de0d57286fac67f19ebb35c82fc1555b3 (commit) from 5d28381ae44725254e92bab9797593c6d3fa1e86 (commit) - Log ----------------------------------------------------------------- commit 1a38987de0d57286fac67f19ebb35c82fc1555b3 Author: Viktor Dukhovni Date: Thu Apr 16 02:55:35 2015 -0400 Code style: space after 'if' Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/asn1/x_x509.c | 4 ++-- crypto/dsa/dsa_ossl.c | 8 ++++---- crypto/dso/dso_lib.c | 2 +- fips/rsa/fips_rsa_eay.c | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index d6958f6..6ec257f 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -184,7 +184,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); @@ -199,7 +199,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); if (a) *a = NULL; diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index f993844..c44a4e3 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c 
@@ -107,23 +107,23 @@ static DSA_METHOD openssl_dsa_meth = { # define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) # define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index f158466..d019475 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ diff --git a/fips/rsa/fips_rsa_eay.c b/fips/rsa/fips_rsa_eay.c index 82f370f..c8ccf37 100644 --- a/fips/rsa/fips_rsa_eay.c +++ b/fips/rsa/fips_rsa_eay.c 
@@ -158,7 +158,7 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void) * RSA_FLAG_CACHE_PRIVATE, goto err); */ # define MONT_HELPER(rsa, ctx, m, pre_cond, err_instr) \ - if((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ + if ((pre_cond) && ((rsa)->_method_mod_##m == NULL) && \ !BN_MONT_CTX_set_locked(&((rsa)->_method_mod_##m), \ CRYPTO_LOCK_RSA, \ (rsa)->m, (ctx))) \ From stevem at openssl.org Thu Apr 16 20:58:08 2015 From: stevem at openssl.org (Steve Marquess) Date: Thu, 16 Apr 2015 20:58:08 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1429217888.356519.11532.nullmailer@dev.openssl.org> The branch master has been updated via 42ceeddd707ebf61021cac9febf5f5753403457a (commit) from 59fbd633e29f9bf81f90a63d96c3a8152980bece (commit) - Log ----------------------------------------------------------------- commit 42ceeddd707ebf61021cac9febf5f5753403457a Author: Steve Marquess Date: Thu Apr 16 16:57:36 2015 -0400 Added new donations page with Chinese instructions ----------------------------------------------------------------------- Summary of changes: support/UnionPay.jpg | Bin 0 -> 2103 bytes support/donations-cn.wml | 119 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 support/UnionPay.jpg create mode 100644 support/donations-cn.wml diff --git a/support/UnionPay.jpg b/support/UnionPay.jpg new file mode 100644 index 0000000..1a745b5 Binary files /dev/null and b/support/UnionPay.jpg differ diff --git a/support/donations-cn.wml b/support/donations-cn.wml new file mode 100644 index 0000000..5cad838 --- /dev/null +++ b/support/donations-cn.wml @@ -0,0 +1,119 @@ + +#use wml::openssl area=support page=donations + + +Donations + +

Donations - China

+ + +??????Paypal????????????? +
+We accept donations in any amount via PayPal and UnionPay: +
+ + + + + +
+ +
+
+ + +??????????????????????????????. ?????? + +Paypal?? + +???????????????????????? +

+???? 1 +
+????Paypal????????? +
+1. ??? + +Paypal?? + +??????????????????????Paypal??? + +???? + +. +
+2. ??????????Paypal??????????????????Paypal??????????????????????????????????????? ?paypal at opensslfoundation.org??????????????????? +
+3. ???Paypal??????????? + +????? + +??????2???????? +
+

+???? 2 +
+??Paypal????????? +
+1. ??????Donate??; +
+2. ????????????????????????????????Paypal???Paypal???????????????????????????????? +
+3. ???????????????????????? +
+

+???????????? + +fangxie at opensslfoundation.org + +, ????????????????OpenSSL???! + +

+(English Translation) +

+Dear donors, we have figured out a way for you to donate to OpenSSL through your UnionPay card. This can be done +by opening an account with Paypal China + and associating +your UnionPay card with this Paypal account. This is the most convenient method we have been able to find for Chinese donors. +

+Instruction 1 +
+For those who have no Paypal China account: +
+1. Please open an account on PayPal China, and associate your UnionPay card with this account. PayPal China has instructions on how make that association. +
+2. Once you are signed in on Paypal China, click the "send money? button on the MyPaypal page. Please choose the US dollar as +the currency. Paypal China will pay in US dollars but charge you in RMB based on the current exchange rate. There is no need +to go to a bank for the currency exchange. +then fill in our email address paypal at opensslfoundation.org as the receiver, then follow the instructions of Paypal +itself to complete the donation. +
+3. After you have an account with Paypal China, you can also go to the OpenSSL Donations web page, +and follow our ?Instruction 2? (below) to complete your donation. +

+Instruction 2 +
+For those who already have a Paypal China account: +
+1. Click the yellow ?Donate? button above. +
+2. Go into the donation page and fill in the amount you want to donate. +Please choose the US dollar as +the currency, and log in to Paypal China through this page. Paypal China will pay in US dollars but +charge you in RMB based on the current exchange rate. There is no need to go to a bank for the currency exchange. +
+3. After you have logged in to Paypal China, click the ?donate? button at the bottom to complete your donation. +

+If you have any questions please send an email to fangxie at opensslfoundation.org. We will reply as soon as possible. +We really appreciate your support of the OpenSSL project! + + + + +
+
+ +
+
+As noted above these donations are currently not tax-deductible!
+For further information please contact the OpenSSL Software Foundation. From stevem at openssl.org Thu Apr 16 21:02:28 2015 From: stevem at openssl.org (Steve Marquess) Date: Thu, 16 Apr 2015 21:02:28 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1429218148.015010.19122.nullmailer@dev.openssl.org> The branch master has been updated via 75a9eabfc38b3f8a23712c89c4c11786cfb436d8 (commit) from 42ceeddd707ebf61021cac9febf5f5753403457a (commit) - Log ----------------------------------------------------------------- commit 75a9eabfc38b3f8a23712c89c4c11786cfb436d8 Author: Steve Marquess Date: Thu Apr 16 17:02:03 2015 -0400 Change existing donations page to reference new Chinese instructions ----------------------------------------------------------------------- Summary of changes: support/donations.wml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/support/donations.wml b/support/donations.wml index a33827d..04ad7fc 100644 --- a/support/donations.wml +++ b/support/donations.wml @@ -87,9 +87,10 @@ We also accept donations in any amount via credit card or PayPal:

-Alipay coming soon:
-????PayPal??????????????????? ??????????????????????????????????????????????????????? + +?????????????????????????????? +

From viktor at openssl.org Fri Apr 17 05:35:16 2015 From: viktor at openssl.org (Viktor Dukhovni) Date: Fri, 17 Apr 2015 05:35:16 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429248916.158023.12348.nullmailer@dev.openssl.org> The branch master has been updated via 323daa74fc608860ebee86c7e93ab8b4e926cb1e (commit) from 61986d32f37cbaeaed08bd955ff27d35b72ea29a (commit) - Log ----------------------------------------------------------------- commit 323daa74fc608860ebee86c7e93ab8b4e926cb1e Author: Viktor Dukhovni Date: Fri Apr 17 01:06:46 2015 -0400 SunOS non-posix shells do not grok export name=value Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/testca | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/test/testca b/test/testca index 4bcb1fd..ee52463 100644 --- a/test/testca +++ b/test/testca @@ -11,14 +11,16 @@ else fi export PATH -export SSLEAY_CONFIG="-config CAss.cnf" -export OPENSSL="`pwd`/../util/opensslwrap.sh" +export SSLEAY_CONFIG OPENSSL /bin/rm -fr demoCA +SSLEAY_CONFIG="-config CAss.cnf" +OPENSSL="`pwd`/../util/opensslwrap.sh" + OPENSSL_CONFIG=/dev/null $PERL ../apps/CA.pl -newca The branch master has been updated via 13efe9d17e7ee522c5aaa07f3076184161ede61f (commit) from 323daa74fc608860ebee86c7e93ab8b4e926cb1e (commit) - Log ----------------------------------------------------------------- commit 13efe9d17e7ee522c5aaa07f3076184161ede61f Author: Emilia Kasper Date: Tue Apr 14 16:04:40 2015 +0200 Use -Wall -Wextra with clang The disabled set of -Weverything is hard to maintain across versions. Use -Wall -Wextra but also document other useful warnings that currently trigger. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 9 ++++++++- Configure | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) 
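Review bot: `export SSLEAY_CONFIG OPENSSL` now runs before either variable is assigned, with `/bin/rm -fr demoCA` sitting between the export and the assignments, and nothing in the script says why. A one-line comment above the export, for example `# SunOS /bin/sh: no 'export name=value'; mark for export first, then assign`, would stop a later cleanup from folding the lines back into the form this commit removes. Moving the two assignments directly under the export line, ahead of the `rm`, would also keep the related lines together.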
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index ab269ba..aa4c76a 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -641,7 +641,14 @@ "linux-x86_64-clang" => { inherit_from => [ "linux-x86_64" ], cc => "clang", - cflags => "-m64 -DL_ENDIAN -Weverything $clang_disabled_warnings -Qunused-arguments", + # TODO(openssl-team): fix problems and investigate if (at least) the + # following warnings can also be enabled: + # -Wconditional-uninitialized, -Wswitch-enum, -Wunused-macros, + # -Wmissing-field-initializers, -Wmissing-variable-declarations, + # -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align, + # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token + # -Wextended-offsetof + cflags => "-m64 -DL_ENDIAN -Wall -Wextra $clang_disabled_warnings -Qunused-arguments", }, "linux-x32" => { inherit_from => [ "linux-generic32", asm("x86_64_asm") ], diff --git a/Configure b/Configure index 1c6b424..2e70238 100755 --- a/Configure +++ b/Configure 
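Review bot: The TODO comment added above `cflags` omits some warnings that this change may drop, such as `-Wshadow` and `-Wmissing-prototypes`. `-Weverything` enabled them, the old `$clang_disabled_warnings` never switched them off, and clang's `-Wall -Wextra` does not include them. `$gcc_devteam_warn` carries both, so they may still reach clang builds through the strict-warnings path, which is not visible here; if they do not, this target silently loses them. Either add them to `cflags` or extend the comment with a line like `# Dropped with -Weverything, not yet re-checked: -Wshadow, -Wmissing-prototypes`. The same comment is added above `$clang_disabled_warnings` in Configure on OpenSSL_1_0_2-stable, so the point applies there too.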
@@ -112,7 +112,7 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Wtype-limits -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DDEBUG_UNUSED"; -my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum -Wno-gnu-statement-expression"; +my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof"; my $strict_warnings = 0; From emilia at openssl.org Fri Apr 17 16:37:23 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 17 Apr 2015 16:37:23 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429288643.071124.1487.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 5613feaacc1334dce9809d60bc23f3081e6d35e6 (commit) from 3b38646d1345b5ec4ff7fd13c8b8bd8d46105b7e (commit) - Log ----------------------------------------------------------------- commit 5613feaacc1334dce9809d60bc23f3081e6d35e6 Author: Emilia Kasper Date: Thu Apr 16 18:46:52 2015 +0200 Use -Wall -Wextra with clang The disabled set of -Weverything is hard to maintain across versions. Use -Wall -Wextra but also document other useful warnings that currently trigger. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) 
diff --git a/Configure b/Configure index f4847ae..149e15c 100755 --- a/Configure +++ b/Configure @@ -105,7 +105,14 @@ my $usage="Usage: Configure [no- ...] [enable- ...] [experimenta my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; -my $clang_disabled_warnings = "-Wno-language-extension-token -Wno-extended-offsetof -Wno-padded -Wno-shorten-64-to-32 -Wno-format-nonliteral -Wno-missing-noreturn -Wno-unused-parameter -Wno-sign-conversion -Wno-unreachable-code -Wno-conversion -Wno-documentation -Wno-missing-variable-declarations -Wno-cast-align -Wno-incompatible-pointer-types-discards-qualifiers -Wno-missing-variable-declarations -Wno-missing-field-initializers -Wno-unused-macros -Wno-disabled-macro-expansion -Wno-conditional-uninitialized -Wno-switch-enum -Wno-gnu-statement-expression"; +# TODO(openssl-team): fix problems and investigate if (at least) the following +# warnings can also be enabled: +# -Wconditional-uninitialized, -Wswitch-enum, -Wunused-macros, +# -Wmissing-field-initializers, -Wmissing-variable-declarations, +# -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align, +# -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token +# -Wextended-offsetof +my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof"; my $strict_warnings = 0; 
@@ -398,7 +405,7 @@ my %table=( "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", -"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Weverything $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32", "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", From emilia at openssl.org Fri Apr 17 16:52:58 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Fri, 17 Apr 2015 16:52:58 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429289578.040866.3798.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 31d085ca74a7305f83663d19eaa0bf1469953b0e (commit) from c70908d247d1f6866139185b8c6940412bcdd87f (commit) - Log ----------------------------------------------------------------- commit 31d085ca74a7305f83663d19eaa0bf1469953b0e Author: Emilia Kasper Date: Wed Apr 15 14:18:55 2015 +0200 Error out immediately on empty ciphers list. A 0-length ciphers list is never permitted. The old code only used to reject an empty ciphers list for connections with a session ID. It would later error out on a NULL structure, so this change just moves the alert closer to the problem source. Reviewed-by: Rich Salz (cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 3cdc73c..92acb0ab 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1160,8 +1160,8 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } n2s(p, i); - if ((i == 0) && (j != 0)) { - /* we need a cipher if we are not resuming a session */ + + if (i == 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; @@ -1174,14 +1174,13 @@ int ssl3_get_client_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } - if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) - == NULL)) { + if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) { goto err; } p += i; /* If it is a hit, check that the cipher is in the list */ - if ((s->hit) && (i > 0)) { + if (s->hit) { j = 0; id = s->session->cipher->id; 
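Review bot: The first ssl/s3_srvr.c hunk removes the comment `/* we need a cipher if we are not resuming a session */` and leaves the new `if (i == 0)` check undocumented, although later code now depends on it: `if (s->hit)` walks the parsed list without its old `i > 0` guard, and `ciphers == NULL` is reported as an internal error. A replacement comment such as `/* A 0-length cipher list is never valid, with or without a session ID; the code below relies on i > 0 */` would keep that dependency visible to anyone who later touches the check. The diffstat shows only ssl/s3_srvr.c changing, so a regression test that sends a ClientHello with an empty cipher list on a resumed session would be worth adding. The same applies to the master and OpenSSL_1_0_2-stable copies of this commit further down the page; ssl3_get_client_hello starts and ends outside these hunks.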
@@ -1417,8 +1416,8 @@ int ssl3_get_client_hello(SSL *s) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; if (ciphers == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED); + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto f_err; } ciphers = NULL; From emilia at openssl.org Fri Apr 17 16:52:58 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 17 Apr 2015 16:52:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429289578.321250.3841.nullmailer@dev.openssl.org> The branch master has been updated via 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb (commit) from 13efe9d17e7ee522c5aaa07f3076184161ede61f (commit) - Log ----------------------------------------------------------------- commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb Author: Emilia Kasper Date: Wed Apr 15 14:18:55 2015 +0200 Error out immediately on empty ciphers list. A 0-length ciphers list is never permitted. The old code only used to reject an empty ciphers list for connections with a session ID. It would later error out on a NULL structure, so this change just moves the alert closer to the problem source. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 223a764..6c1ba3a 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1126,8 +1126,8 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } n2s(p, i); - if ((i == 0) && (j != 0)) { - /* we need a cipher if we are not resuming a session */ + + if (i == 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; 
@@ -1140,14 +1140,13 @@ int ssl3_get_client_hello(SSL *s)
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
 }
- if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers))
- == NULL)) {
+ if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
 goto err;
 }
 p += i;
 /* If it is a hit, check that the cipher is in the list */
- if ((s->hit) && (i > 0)) {
+ if (s->hit) {
 j = 0;
 id = s->session->cipher->id;
@@ -1376,8 +1375,8 @@ int ssl3_get_client_hello(SSL *s)
 sk_SSL_CIPHER_free(s->session->ciphers);
 s->session->ciphers = ciphers;
 if (ciphers == NULL) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 goto f_err;
 }
 ciphers = NULL;
From emilia at openssl.org Fri Apr 17 16:52:58 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 17 Apr 2015 16:52:58 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429289578.138484.3820.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via e697a4c3d7d2267e9d82d88dbfa5084475794cb3 (commit) from 5613feaacc1334dce9809d60bc23f3081e6d35e6 (commit) - Log ----------------------------------------------------------------- commit e697a4c3d7d2267e9d82d88dbfa5084475794cb3 Author: Emilia Kasper Date: Wed Apr 15 14:18:55 2015 +0200 Error out immediately on empty ciphers list. A 0-length ciphers list is never permitted. The old code only used to reject an empty ciphers list for connections with a session ID. It would later error out on a NULL structure, so this change just moves the alert closer to the problem source. Reviewed-by: Rich Salz (cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb) ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 00bc757..2e7cb7a 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1125,8 +1125,8 @@ int ssl3_get_client_hello(SSL *s)
 goto f_err;
 }
 n2s(p, i);
- if ((i == 0) && (j != 0)) {
- /* we need a cipher if we are not resuming a session */
+
+ if (i == 0) {
 al = SSL_AD_ILLEGAL_PARAMETER;
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED);
 goto f_err;
@@ -1139,14 +1139,13 @@ int ssl3_get_client_hello(SSL *s)
 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
 goto f_err;
 }
- if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers))
- == NULL)) {
+ if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) {
 goto err;
 }
 p += i;
 /* If it is a hit, check that the cipher is in the list */
- if ((s->hit) && (i > 0)) {
+ if (s->hit) {
 j = 0;
 id = s->session->cipher->id;
@@ -1375,8 +1374,8 @@ int ssl3_get_client_hello(SSL *s)
 sk_SSL_CIPHER_free(s->session->ciphers);
 s->session->ciphers = ciphers;
 if (ciphers == NULL) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED);
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 goto f_err;
 }
 ciphers = NULL;
From steve at openssl.org Sat Apr 18 13:42:45 2015
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 18 Apr 2015 13:42:45 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429364565.104254.14425.nullmailer@dev.openssl.org> The branch master has been updated via a0eed48d37a4b7beea0c966caf09ad46f4a92a44 (commit) from 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb (commit) - Log ----------------------------------------------------------------- commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44 Author: Dr. Stephen Henson Date: Thu Apr 16 16:43:09 2015 +0100 Fix encoding bug in i2c_ASN1_INTEGER Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno B?ck for reporting this issue. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index f7f90ff..3920d5c 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -125,6 +125,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 else {
 ret = a->length;
 i = a->data[0];
+ if (ret == 1 && i == 0)
+ neg = 0;
 if (!neg && (i > 127)) {
 pad = 1;
 pb = 0;
@@ -163,7 +165,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 p += a->length - 1;
 i = a->length;
 /* Copy zeros to destination as long as source is zero */
- while (!*n) {
+ while (!*n && i > 1) {
 *(p--) = 0;
 n--;
 i--;
@@ -418,7 +420,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
 goto err;
 }
- if (BN_is_negative(bn))
+ if (BN_is_negative(bn) && !BN_is_zero(bn))
 ret->type = V_ASN1_NEG_INTEGER;
 else
 ret->type = V_ASN1_INTEGER;
From steve at openssl.org Sat Apr 18 13:53:56 2015
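Review bot: The two guards added to i2c_ASN1_INTEGER carry no comment, yet they cover different inputs: `if (ret == 1 && i == 0) neg = 0;` in the @@ -125 hunk handles a single zero byte flagged negative, while `i > 1` in `while (!*n && i > 1)` in the @@ -163 hunk is what bounds the zero-copy loop, which decrements `n` and `p` on every pass and previously stopped only on a non-zero byte. I would add `/* zero has no sign: encode a "negative" 0 as plain 0 */` above the first and `/* never step past the first byte, even if every byte is zero */` above the loop. A multi-byte all-zero value with the negative flag still takes the negative path, so a regression test for that input would be worth adding next to the one-byte case. The function body starts and ends outside these hunks, and the same hunks recur in the 0.9.8, 1.0.0, 1.0.1 and 1.0.2 cherry-pick mails that follow.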
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 18 Apr 2015 13:53:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1429365236.040691.15634.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via 303845a3b5ee7b999bf79e2e42c1489c2cc9f371 (commit) from 1a38987de0d57286fac67f19ebb35c82fc1555b3 (commit) - Log ----------------------------------------------------------------- commit 303845a3b5ee7b999bf79e2e42c1489c2cc9f371 Author: Dr. Stephen Henson Date: Thu Apr 16 16:43:09 2015 +0100 Fix encoding bug in i2c_ASN1_INTEGER Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno B?ck for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index b788617..4ff7826 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 else {
 ret = a->length;
 i = a->data[0];
+ if (ret == 1 && i == 0)
+ neg = 0;
 if (!neg && (i > 127)) {
 pad = 1;
 pb = 0;
@@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 p += a->length - 1;
 i = a->length;
 /* Copy zeros to destination as long as source is zero */
- while (!*n) {
+ while (!*n && i > 1) {
 *(p--) = 0;
 n--;
 i--;
@@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
 goto err;
 }
- if (BN_is_negative(bn))
+ if (BN_is_negative(bn) && !BN_is_zero(bn))
 ret->type = V_ASN1_NEG_INTEGER;
 else
 ret->type = V_ASN1_INTEGER;
From steve at openssl.org Sat Apr 18 13:53:56 2015
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 18 Apr 2015 13:53:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429365236.222078.15698.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 3661bb4e7934668bd99ca777ea8b30eedfafa871 (commit) from e697a4c3d7d2267e9d82d88dbfa5084475794cb3 (commit) - Log ----------------------------------------------------------------- commit 3661bb4e7934668bd99ca777ea8b30eedfafa871 Author: Dr. Stephen Henson Date: Thu Apr 16 16:43:09 2015 +0100 Fix encoding bug in i2c_ASN1_INTEGER Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno B?ck for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 70c2b8e..7e26704 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 else {
 ret = a->length;
 i = a->data[0];
+ if (ret == 1 && i == 0)
+ neg = 0;
 if (!neg && (i > 127)) {
 pad = 1;
 pb = 0;
@@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 p += a->length - 1;
 i = a->length;
 /* Copy zeros to destination as long as source is zero */
- while (!*n) {
+ while (!*n && i > 1) {
 *(p--) = 0;
 n--;
 i--;
@@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
 goto err;
 }
- if (BN_is_negative(bn))
+ if (BN_is_negative(bn) && !BN_is_zero(bn))
 ret->type = V_ASN1_NEG_INTEGER;
 else
 ret->type = V_ASN1_INTEGER;
From steve at openssl.org Sat Apr 18 13:53:56 2015
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 18 Apr 2015 13:53:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429365236.084789.15656.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via a6202a74f9fd459607adaec9e4c7aa8d103dbd11 (commit) from 6b7d6c440433b65f401880662050c0b8215ee2ff (commit) - Log ----------------------------------------------------------------- commit a6202a74f9fd459607adaec9e4c7aa8d103dbd11 Author: Dr. Stephen Henson Date: Thu Apr 16 16:43:09 2015 +0100 Fix encoding bug in i2c_ASN1_INTEGER Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno B?ck for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 70c2b8e..7e26704 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 else {
 ret = a->length;
 i = a->data[0];
+ if (ret == 1 && i == 0)
+ neg = 0;
 if (!neg && (i > 127)) {
 pad = 1;
 pb = 0;
@@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 p += a->length - 1;
 i = a->length;
 /* Copy zeros to destination as long as source is zero */
- while (!*n) {
+ while (!*n && i > 1) {
 *(p--) = 0;
 n--;
 i--;
@@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
 goto err;
 }
- if (BN_is_negative(bn))
+ if (BN_is_negative(bn) && !BN_is_zero(bn))
 ret->type = V_ASN1_NEG_INTEGER;
 else
 ret->type = V_ASN1_INTEGER;
From steve at openssl.org Sat Apr 18 13:53:56 2015
From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 18 Apr 2015 13:53:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429365236.149733.15677.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 32d3b0f52f77ce86d53f38685336668d47c5bdfe (commit) from 31d085ca74a7305f83663d19eaa0bf1469953b0e (commit) - Log ----------------------------------------------------------------- commit 32d3b0f52f77ce86d53f38685336668d47c5bdfe Author: Dr. Stephen Henson Date: Thu Apr 16 16:43:09 2015 +0100 Fix encoding bug in i2c_ASN1_INTEGER Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno B?ck for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44) ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c
index 70c2b8e..7e26704 100644
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 else {
 ret = a->length;
 i = a->data[0];
+ if (ret == 1 && i == 0)
+ neg = 0;
 if (!neg && (i > 127)) {
 pad = 1;
 pb = 0;
@@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 p += a->length - 1;
 i = a->length;
 /* Copy zeros to destination as long as source is zero */
- while (!*n) {
+ while (!*n && i > 1) {
 *(p--) = 0;
 n--;
 i--;
@@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai)
 ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR);
 goto err;
 }
- if (BN_is_negative(bn))
+ if (BN_is_negative(bn) && !BN_is_zero(bn))
 ret->type = V_ASN1_NEG_INTEGER;
 else
 ret->type = V_ASN1_INTEGER;
From rsalz at openssl.org Mon Apr 20 11:24:56 2015
From: rsalz at openssl.org (Rich Salz) Date: Mon, 20 Apr 2015 11:24:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429529096.441237.11818.nullmailer@dev.openssl.org> The branch master has been updated via 3b34b7319ecc53cac459b532f95681a0cb245ffc (commit) via fec669388cbde9dea813209fbc3b88ac293db183 (commit) from a0eed48d37a4b7beea0c966caf09ad46f4a92a44 (commit) - Log ----------------------------------------------------------------- commit 3b34b7319ecc53cac459b532f95681a0cb245ffc Author: Rich Salz Date: Mon Apr 20 07:24:23 2015 -0400 Remove SET oid config file and SET certs Reviewed-by: Andy Polyakov commit fec669388cbde9dea813209fbc3b88ac293db183 Author: Rich Salz Date: Mon Apr 20 07:23:04 2015 -0400 Use 2K RSA and SHA256 in tests Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: apps/oid.cnf | 6 ------ apps/set/set-g-ca.pem | 21 --------------------- apps/set/set-m-ca.pem | 21 --------------------- apps/set/set_b_ca.pem | 23 ----------------------- apps/set/set_c_ca.pem | 21 --------------------- apps/set/set_d_ct.pem | 21 --------------------- apps/set/set_root.pem | 21 --------------------- test/CAss.cnf | 2 +- test/CAtsa.cnf | 2 +- test/P1ss.cnf | 4 ++-- test/P2ss.cnf | 4 ++-- test/Uss.cnf | 4 ++-- test/test.cnf | 2 +- 13 files changed, 9 insertions(+), 143 deletions(-) delete mode 100644 apps/oid.cnf delete mode 100644 apps/set/set-g-ca.pem delete mode 100644 apps/set/set-m-ca.pem delete mode 100644 apps/set/set_b_ca.pem delete mode 100644 apps/set/set_c_ca.pem delete mode 100644 apps/set/set_d_ct.pem delete mode 100644 apps/set/set_root.pem diff --git a/apps/oid.cnf b/apps/oid.cnf deleted file mode 100644 index faf425a..0000000 --- a/apps/oid.cnf +++ /dev/null 
@@ -1,6 +0,0 @@ -2.99999.1 SET.ex1 SET x509v3 extension 1 -2.99999.2 SET.ex2 SET x509v3 extension 2 -2.99999.3 SET.ex3 SET x509v3 extension 3 -2.99999.4 SET.ex4 SET x509v3 extension 4 -2.99999.5 SET.ex5 SET x509v3 extension 5 -2.99999.6 SET.ex6 SET x509v3 extension 6 diff --git a/apps/set/set-g-ca.pem b/apps/set/set-g-ca.pem deleted file mode 100644 index 78499f0..0000000 --- a/apps/set/set-g-ca.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDeDCCAuGgAwIBAgIgYCYUeg8NJ9kO1q3z6vGCkAmPRfu5+Nur0FyGF79MADMw -DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx -MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw -MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtQ -Q0ExMDIxMTgyODEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJyi5V7l1HohY6hN/2N9x6mvWeMy8rD1 -6lfXjgmiuGmhpaszWYaalesMcS2OGuG8Lq3PkaSzpVzqASKfIOjxLMsdpYyYJRub -vRPDWi3xd8wlp9xUwWHKqn+ki8mPo0yN4eONwZZ4rcZr6K+tWd+5EJZSjuENJoQ/ -SRRmGRzdcS7XAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG -EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7 -aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2 -MTAyMjAxMjIwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG -SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwICBDB5 -BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3 -Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn -ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBn19R2 -AgGvpJDmfXrHTDdCoYyMkaP2MPzw0hFRwh+wqnw0/pqUXa7MrLXMqtD3rUyOWaNR -9fYpJZd0Bh/1OeIc2+U+VNfUovLLuZ8nNemdxyq2KMYnHtnh7UdO7atZ+PFLVu8x -a+J2Mtj8MGy12CJNTJcjLSrJ/1f3AuVrwELjlQ== ------END CERTIFICATE----- diff --git a/apps/set/set-m-ca.pem b/apps/set/set-m-ca.pem deleted file mode 100644 index 0e74caf..0000000 --- a/apps/set/set-m-ca.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDeDCCAuGgAwIBAgIgEGvcf5aUnufALdVMa/dmPdflq1CoORGeK5DUwbqhVYcw -DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx -MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw -MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtN -Q0ExMDIxMTgyNzEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALuWwr63YrT1GIZpYKfIeiVFHESG/FZO -7RAJKml/p12ZyZ7D5YPP4BBXVsa1H8e8arR1LKC4rdCArrtKKlBeBiMo9+NB+u35 -FnLnTmfzM4iZ2Syw35DXY8+Xn/LM7RJ1RG+vMNcTqpoUg7QPye7flq2Pt7vVROPn -SZxPyVxmILe3AgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG -EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7 -aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2 -MTAyMjAxMjEwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG -SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIDCDB5 -BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3 -Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn -ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQApaj0W -GgyR47URZEZ7z83yivvnVErqtodub/nR1fMgJ4bDC0ofjA0SzXBP1/3eDq9VkPuS -EKUw9BpM2XrSUKhJ6F1CbBjWpM0M7GC1nTSxMxmV+XL+Ab/Gn2SwozUApWtht29/ -x9VLB8qsi6wN2aOsVdQMl5iVCjGQYfEkyuoIgA== ------END CERTIFICATE----- diff --git a/apps/set/set_b_ca.pem b/apps/set/set_b_ca.pem deleted file mode 100644 index eba7d5c..0000000 --- a/apps/set/set_b_ca.pem +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID1zCCAr+gAwIBAgIgYClSzXgB3u31VMarY+lXwPKU9DtoBMzaaivuVzV9a9kw -DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx -ODI5MB4XDTk2MTAxNzAwMDAwMFoXDTk2MTExNjIzNTk1OVowRTELMAkGA1UEBhMC -VVMxFDASBgNVBAoTC0JDQTEwMTcxMTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlBy -b2R1Y3QgVHlwZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApPewvR0BwV02 -9E12ic48pMY/aMB6SkMEWPDx2hURr0DKYGJ6qMvzZn2pSfaVH1BqDtK6oK4Ye5Mj -ItywwQIdXXO9Ut8+TLnvtzq9ByCJ0YThjZJBc7ZcpJxSV7QAoBON/lzxZuAVq3+L -3uc39MgRwmBpRllZEpWrkojxs6166X0CAwEAAaOCAVcwggFTMFQGA1UdIwRNMEuh -J6QlMCMxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtSQ0ExMDExMTgyOYIgVqenwCYv -mmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud -EAEB/wQkMCKADzE5OTYxMDE3MTc1NzAwWoEPMTk5NjExMTYyMzU5NTlaMBsGA1Ud -IAEB/wQRMA8wDQYLYIZIAYb4RQEHAQEwEgYDVR0TAQH/BAgwBgEB/wIBATAPBgSG -jW8DAQH/BAQDAgABMHkGBIaNbwcBAf8EbjBsMCQCAQAwCQYFKw4DAhoFAAQUMmY3 -NGIxYWY0ZmNjMDYwZjc2NzYTD3RlcnNlIHN0YXRlbWVudIAXaHR0cDovL3d3dy52 -ZXJpc2lnbi5jb22BGmdldHNldC1jZW50ZXJAdmVyaXNpZ24uY29tMA0GCSqGSIb3 -DQEBBQUAA4IBAQAWoMS8Aj2sO0LDxRoMcnWTKY8nd8Jw2vl2Mgsm+0qCvcndICM5 -43N0y9uHlP8WeCZULbFz95gTL8mfP/QTu4EctMUkQgRHJnx80f0XSF3HE/X6zBbI -9rit/bF6yP1mhkdss/vGanReDpki7q8pLx+VIIcxWst/366HP3dW1Fb7ECW/WmVV -VMN93f/xqk9I4sXchVZcVKQT3W4tzv+qQvugrEi1dSEkbAy1CITEAEGiaFhGUyCe -WPox3guRXaEHoINNeajGrISe6d//alsz5EEroBoLnM2ryqWfLAtRsf4rjNzTgklw -lbiz0fw7bNkXKp5ZVr0wlnOjQnoSM6dTI0AV ------END CERTIFICATE----- diff --git a/apps/set/set_c_ca.pem b/apps/set/set_c_ca.pem deleted file mode 100644 index 48b2cbd..0000000 --- a/apps/set/set_c_ca.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDeDCCAuGgAwIBAgIgOnl8J6lAYNDdTWtIojWCGnloNf4ufHjOZ4Fkxwg5xOsw -DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx -MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw -MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtD -Q0ExMDIxMTYxNjEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w -DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANA3a9+U8oXU3Dv1wJf8g0A7HjCRZAXc -Y8E4OLOdye5aUssxifCE05qTPVqHMXo6cnCYcfroMdURhjQlswyTGtjQybgUnXjp -pchw+V4D1DkN0ThErrMCh9ZFSykC0lUhQTRLESvbIb4Gal/HMAFAF5sj0GoOFi2H -RRj7gpzBIU3xAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG -EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7 -aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2 -MTAyMjAxMTAwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG -SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIEEDB5 -BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3 -Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn -ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBteLaZ -u/TASC64UWPfhxYAUdys9DQ1pG/J1qPWNTkjOmpXFvW+7l/3nkxyRPgUoFNwx1e7 -XVVPr6zhy8LaaXppwfIZvVryzAUdbtijiUf/MO0hvV3w7e9NlCVProdU5H9EvCXr -+IV8rH8fdEkirIVyw0JGHkuWhkmtS1HEwai9vg== ------END CERTIFICATE----- diff --git a/apps/set/set_d_ct.pem b/apps/set/set_d_ct.pem deleted file mode 100644 index 9f8c7d8..0000000 --- a/apps/set/set_d_ct.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDdjCCAt+gAwIBAgIgRU5t24v72xVDpZ4iHpyoOAQaQmfio1yhTZAOkBfT2uUw -DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0NDQTEwMjEx -NjE2MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjQw -MDAwMDBaFw05NjExMjMyMzU5NTlaMG4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdC -cmFuZElEMSYwJAYDVQQLEx1Jc3N1aW5nIEZpbmFuY2lhbCBJbnN0aXR1dGlvbjEl -MCMGA1UEAxMcR2lYb0t0VjViN1V0MHZKa2hkSG5RYmNzc2JrPTBcMA0GCSqGSIb3 -DQEBAQUAA0sAMEgCQQDIUxgpNB1aoSW585WErtN8WInCRWCqDj3RGT2mJye0F4SM -/iT5ywdWMasmw18vpEpDlMypfZnRkUAdfyHcRABVAgMBAAGjggFwMIIBbDB2BgNV -HSMEbzBtoUmkRzBFMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQkNBMTAxNzExMDQx -IDAeBgNVBAMTF0JyYW5kIE5hbWU6UHJvZHVjdCBUeXBlgiA6eXwnqUBg0N1Na0ii -NYIaeWg1/i58eM5ngWTHCDnE6zAOBgNVHQ8BAf8EBAMCB4AwLgYDVR0QAQH/BCQw -IoAPMTk5NjEwMjQwMTA0MDBagQ8xOTk2MTEyMzIzNTk1OVowGAYDVR0gBBEwDzAN -BgtghkgBhvhFAQcBATAMBgNVHRMBAf8EAjAAMA8GBIaNbwMBAf8EBAMCB4AweQYE -ho1vBwEB/wRuMGwwJAIBADAJBgUrDgMCGgUABBQzOTgyMzk4NzIzNzg5MTM0OTc4 -MhMPdGVyc2Ugc3RhdGVtZW50gBdodHRwOi8vd3d3LnZlcmlzaWduLmNvbYEaZ2V0 -c2V0LWNlbnRlckB2ZXJpc2lnbi5jb20wDQYJKoZIhvcNAQEFBQADgYEAVHCjhxeD -mIFSkm3DpQAq7pGfcAFPWvSM9I9bK8qeFT1M5YQ+5fbPqaWlNcQlGKIe3cHd4+0P -ndL5lb6UBhhA0kTzEYA38+HtBxPe/lokCv0bYfyWY9asUmvfbUrTYta0yjN7ixnV -UqvxxHQHOAwhf6bcc7xNHapOxloWzGUU0RQ= ------END CERTIFICATE----- diff --git a/apps/set/set_root.pem b/apps/set/set_root.pem deleted file mode 100644 index 8dd104f..0000000 --- a/apps/set/set_root.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDZzCCAk+gAwIBAgIgVqenwCYvmmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYw -DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx -ODI5MB4XDTk2MTAxMjAwMDAwMFoXDTk2MTExMTIzNTk1OVowIzELMAkGA1UEBhMC -VVMxFDASBgNVBAoTC1JDQTEwMTExODI5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAukca0PVUGFIYX7EyrShi+dVi9GTNzG0V2Wtdw6DqFzKfedba/KpE -zqnRDV/wRZlBn3oXPS6kNCFiBPRV9mEFXI7y2W+q8/vPurjRDIXMsqQ+dAhKwf4q -rofJBTiET4NUN0YTtpx6aYuoVubjiOgKdbqnUArxAWWP2Dkco17ipEYyUtd4sTAe -/xKR02AHpbYGYPSHjMDS/nzUJ7uX4d51phs0rt7If48ExJSnDV/KoHMfm42mdmH2 -g23005qdHKY3UXeh10tZmb3QtGTSvF6OqpRZ+e9/ALklu7ZcIjqbb944ci4QWemb -ZNWiDFrWWUoO1k942BI/iZ8Fh8pETYSDBQIDAQABo4GGMIGDMA4GA1UdDwEB/wQE -AwIBBjAuBgNVHRABAf8EJDAigA8xOTk2MTAxMjAxMzQwMFqBDzE5OTYxMTExMjM1 -OTU5WjAbBgNVHSABAf8EETAPMA0GC2CGSAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYB -Af8CAQIwEAYEho1vAwEB/wQFAwMHAIAwDQYJKoZIhvcNAQEFBQADggEBAK4tntea -y+ws7PdULwfqAS5osaoNvw73uBn5lROTpx91uhQbJyf0oZ3XG9GUuHZBpqG9qmr9 -vIL40RsvRpNMYgaNHKTxF716yx6rZmruAYZsrE3SpV63tQJCckKLPSge2E5uDhSQ -O8UjusG+IRT9fKMXUHLv4OmZPOQVOSl1qTCN2XoJFqEPtC3Y9P4YR4xHL0P2jb1l -DLdIbruuh+6omH+0XUZd5fKnQZTTi6gjl0iunj3wGnkcqGZtwr3j87ONiB/8tDwY -vz8ceII4YYdX12PrNzn+fu3R5rChvPW4/ah/SaYQ2VQ0AupaIF4xrNJ/gLYYw0YO -bxCrVJLd8tu9WgA= ------END CERTIFICATE----- diff --git a/test/CAss.cnf b/test/CAss.cnf index 1ec96af..b4a7030 100644 --- a/test/CAss.cnf +++ b/test/CAss.cnf @@ -7,7 +7,7 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index b497b50..9bdc614 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf @@ -51,7 +51,7 @@ emailAddress = optional #---------------------------------------------------------------------- [ req ] -default_bits = 1024 +default_bits = 2048 default_md = sha1 distinguished_name = $ENV::TSDNSECT encrypt_rsa_key = no 
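Review bot: The `[ req ]` section of test/CAtsa.cnf still has `default_md = sha1` as a context line directly under the bumped `default_bits = 2048`, although the commit is titled "Use 2K RSA and SHA256 in tests" and P1ss.cnf, P2ss.cnf and Uss.cnf all move to `default_md = sha256`. If the TSA tests depend on SHA-1 there, a comment such as `# sha1 kept on purpose: <reason>` would record that; otherwise the line should become `default_md = sha256`. The section continues outside the hunk, so other digest settings in the file are not visible here.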
diff --git a/test/P1ss.cnf b/test/P1ss.cnf index 326cce2..e6118dc 100644 --- a/test/P1ss.cnf +++ b/test/P1ss.cnf @@ -7,11 +7,11 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = md2 +default_md = sha256 [ req_distinguished_name ] countryName = Country Name (2 letter code) diff --git a/test/P2ss.cnf b/test/P2ss.cnf index 8b50232..d530e31 100644 --- a/test/P2ss.cnf +++ b/test/P2ss.cnf @@ -7,11 +7,11 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = md2 +default_md = sha256 [ req_distinguished_name ] countryName = Country Name (2 letter code) diff --git a/test/Uss.cnf b/test/Uss.cnf index 98b2e05..58ac0ca 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -7,11 +7,11 @@ RANDFILE = ./.rnd #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = md2 +default_md = sha256 [ req_distinguished_name ] countryName = Country Name (2 letter code) diff --git a/test/test.cnf b/test/test.cnf index 1083444..718b0bf 100644 --- a/test/test.cnf +++ b/test/test.cnf @@ -56,7 +56,7 @@ emailAddress = optional #################################################################### [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = testkey.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no From appro at openssl.org Mon Apr 20 12:31:43 2015 
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 12:31:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429533103.929141.24993.nullmailer@dev.openssl.org> The branch master has been updated via 35141544e2994f0f3b87be7d7c9a43ea3cd9840a (commit) from 3b34b7319ecc53cac459b532f95681a0cb245ffc (commit) - Log ----------------------------------------------------------------- commit 35141544e2994f0f3b87be7d7c9a43ea3cd9840a Author: Andy Polyakov Date: Mon Apr 20 14:30:50 2015 +0200 aes/asm/vpaes-armv8.pl: make it compile on iOS. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/vpaes-armv8.pl | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/crypto/aes/asm/vpaes-armv8.pl b/crypto/aes/asm/vpaes-armv8.pl index 1144536..bc90b9f 100755 --- a/crypto/aes/asm/vpaes-armv8.pl +++ b/crypto/aes/asm/vpaes-armv8.pl @@ -20,11 +20,14 @@ # Cortex-A53 21.5 18.1/20.6 [17.5/19.8 ] # Cortex-A57 36.0(**) 20.4/24.9(**) [14.4/16.6 ] # X-Gene 45.9(**) 45.8/57.7(**) [33.1/37.6(**) ] +# Denver(***) 16.6(**) 15.1/17.8(**) [8.80/9.93 ] +# Apple A7(***) 22.7(**) 10.9/14.3 [8.45/10.0 ] # # (*) ECB denotes approximate result for parallelizeable modes # such as CBC decrypt, CTR, etc.; # (**) these results are worse than scalar compiler-generated # code, but it's constant-time and therefore preferred; +# (***) presented for reference/comparison purposes; $flavour = shift; while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} 
@@ -206,7 +209,7 @@ _vpaes_encrypt_core: eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B tbl v4.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D - bic x11, x11, #1<<6 // and \$0x30, %r11 # ... mod 4 + and x11, x11, #~(1<<6) // and \$0x30, %r11 # ... mod 4 eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D sub w8, w8, #1 // nr-- @@ -309,7 +312,7 @@ _vpaes_encrypt_2x: tbl v12.16b, {v11.16b},v1.16b eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D eor v8.16b, v8.16b, v11.16b - bic x11, x11, #1<<6 // and \$0x30, %r11 # ... mod 4 + and x11, x11, #~(1<<6) // and \$0x30, %r11 # ... mod 4 eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D eor v8.16b, v8.16b, v12.16b sub w8, w8, #1 // nr-- @@ -683,8 +686,8 @@ _vpaes_schedule_core: .Lschedule_go: cmp $bits, #192 // cmp \$192, %esi - bhi .Lschedule_256 - beq .Lschedule_192 + b.hi .Lschedule_256 + b.eq .Lschedule_192 // 128: fall though ## @@ -1021,7 +1024,7 @@ _vpaes_schedule_mangle: .Lschedule_mangle_both: tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 add x8, x8, #64-16 // add \$-16, %r8 - bic x8, x8, #1<<6 // and \$0x30, %r8 + and x8, x8, #~(1<<6) // and \$0x30, %r8 st1 {v3.2d}, [$out] // vmovdqu %xmm3, (%rdx) ret .size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle From appro at openssl.org Mon Apr 20 12:41:34 2015 
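Review bot: Nothing in the file records why `bic x11, x11, #1<<6` became `and x11, x11, #~(1<<6)` and `bhi`/`beq` became `b.hi`/`b.eq`; only the commit title ties the rewrite to the iOS build, presumably because that toolchain's assembler rejects the shorter spellings. A short comment at the first occurrence in `_vpaes_encrypt_core`, for example `// "and" with inverted mask rather than "bic": needed for the iOS toolchain`, would keep a later cleanup from reverting it. The same rewrite appears in `_vpaes_encrypt_2x`, `.Lschedule_go` and `.Lschedule_mangle_both`, and all four routines start and end outside their hunks.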
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 12:41:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429533694.198377.30592.nullmailer@dev.openssl.org> The branch master has been updated via 2c6343bfa3665f1e574b9f93db185ac28037c095 (commit) via cb2ed545828065e4099137ba3e3568328348f473 (commit) from 35141544e2994f0f3b87be7d7c9a43ea3cd9840a (commit) - Log ----------------------------------------------------------------- commit 2c6343bfa3665f1e574b9f93db185ac28037c095 Author: Andy Polyakov Date: Sat Mar 21 13:54:55 2015 +0100 Configure: engage ARMv8 Montgomery multiplication module. Reviewed-by: Rich Salz commit cb2ed545828065e4099137ba3e3568328348f473 Author: Andy Polyakov Date: Sat Mar 21 13:54:17 2015 +0100 Add ARMv8 Montgomery multiplication module. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 1 + crypto/bn/asm/armv8-mont.pl | 244 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 245 insertions(+) create mode 100755 crypto/bn/asm/armv8-mont.pl diff --git a/Configure b/Configure index 2e70238..95a9d3b 100755 --- a/Configure +++ b/Configure @@ -425,6 +425,7 @@ my %table=( aarch64_asm => { template => 1, cpuid_obj => "armcap.o arm64cpuid.o mem_clr.o", + bn_obj => "bn_asm.o armv8-mont.o", aes_obj => "aes_core.o aes_cbc.o aesv8-armx.o vpaes-armv8.o", sha1_obj => "sha1-armv8.o sha256-armv8.o sha512-armv8.o", modes_obj => "ghashv8-armx.o", diff --git a/crypto/bn/asm/armv8-mont.pl b/crypto/bn/asm/armv8-mont.pl new file mode 100755 index 0000000..0bf9bf3 --- /dev/null +++ b/crypto/bn/asm/armv8-mont.pl 
@@ -0,0 +1,244 @@ +#!/usr/bin/env perl + +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# ==================================================================== + +# March 2015 +# +# "Teaser" Montgomery multiplication module for ARMv8. Needs more +# work. While it does improve RSA sign performance by 20-30% (less for +# longer keys) on most processors, for some reason RSA2048 is not +# faster and RSA4096 goes 15-20% slower on Cortex-A57. Multiplication +# instruction issue rate is limited on processor in question, meaning +# that dedicated squaring procedure is a must. Well, actually all +# contemporary AArch64 processors seem to have limited multiplication +# issue rate, i.e. they can't issue multiplication every cycle, which +# explains moderate improvement coefficients in comparison to +# compiler-generated code. Recall that compiler is instructed to use +# umulh and therefore uses same amount of multiplication instructions +# to do the job. Assembly's edge is to minimize number of "collateral" +# instructions and of course instruction scheduling. 
+ +$flavour = shift; +$output = shift; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +($lo0,$hi0,$aj,$m0,$alo,$ahi, + $lo1,$hi1,$nj,$m1,$nlo,$nhi, + $ovf, $i,$j,$tp,$tj) = map("x$_",6..17,19..24); + +# int bn_mul_mont( +$rp="x0"; # BN_ULONG *rp, +$ap="x1"; # const BN_ULONG *ap, +$bp="x2"; # const BN_ULONG *bp, +$np="x3"; # const BN_ULONG *np, +$n0="x4"; # const BN_ULONG *n0, +$num="x5"; # int num); + +$code.=<<___; +.text + +.globl bn_mul_mont +.type bn_mul_mont,%function +.align 5 +bn_mul_mont: + stp x29,x30,[sp,#-64]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + ldr $m0,[$bp],#8 // bp[0] + sub $tp,sp,$num,lsl#3 + ldp $hi0,$aj,[$ap],#16 // ap[0..1] + lsl $num,$num,#3 + ldr $n0,[$n0] // *n0 + and $tp,$tp,#-16 // ABI says so + ldp $hi1,$nj,[$np],#16 // np[0..1] + + mul $lo0,$hi0,$m0 // ap[0]*bp[0] + sub $j,$num,#16 // j=num-2 + umulh $hi0,$hi0,$m0 + mul $alo,$aj,$m0 // ap[1]*bp[0] + umulh $ahi,$aj,$m0 + + mul $m1,$lo0,$n0 // "tp[0]"*n0 + mov sp,$tp // alloca + + mul $lo1,$hi1,$m1 // np[0]*m1 + umulh $hi1,$hi1,$m1 + mul $nlo,$nj,$m1 // np[1]*m1 + adds $lo1,$lo1,$lo0 // discarded + umulh $nhi,$nj,$m1 + adc $hi1,$hi1,xzr + cbz $j,.L1st_skip + +.L1st: + ldr $aj,[$ap],#8 + adds $lo0,$alo,$hi0 + sub $j,$j,#8 // j-- + adc $hi0,$ahi,xzr + + ldr $nj,[$np],#8 + adds $lo1,$nlo,$hi1 + mul $alo,$aj,$m0 // ap[j]*bp[0] + adc $hi1,$nhi,xzr + umulh $ahi,$aj,$m0 + + adds $lo1,$lo1,$lo0 + mul $nlo,$nj,$m1 // np[j]*m1 + adc $hi1,$hi1,xzr + umulh $nhi,$nj,$m1 + str $lo1,[$tp],#8 // tp[j-1] + cbnz $j,.L1st + +.L1st_skip: + adds $lo0,$alo,$hi0 + sub $ap,$ap,$num // rewind $ap + adc $hi0,$ahi,xzr + + adds $lo1,$nlo,$hi1 + sub $np,$np,$num // rewind $np + adc $hi1,$nhi,xzr + + adds $lo1,$lo1,$lo0 + sub $i,$num,#8 // i=num-1 + adcs 
$hi1,$hi1,$hi0 + + adc $ovf,xzr,xzr // upmost overflow bit + stp $lo1,$hi1,[$tp] + +.Louter: + ldr $m0,[$bp],#8 // bp[i] + ldp $hi0,$aj,[$ap],#16 + ldr $tj,[sp] // tp[0] + add $tp,sp,#8 + + mul $lo0,$hi0,$m0 // ap[0]*bp[i] + sub $j,$num,#16 // j=num-2 + umulh $hi0,$hi0,$m0 + ldp $hi1,$nj,[$np],#16 + mul $alo,$aj,$m0 // ap[1]*bp[i] + adds $lo0,$lo0,$tj + umulh $ahi,$aj,$m0 + adc $hi0,$hi0,xzr + + mul $m1,$lo0,$n0 + sub $i,$i,#8 // i-- + + mul $lo1,$hi1,$m1 // np[0]*m1 + umulh $hi1,$hi1,$m1 + mul $nlo,$nj,$m1 // np[1]*m1 + adds $lo1,$lo1,$lo0 + umulh $nhi,$nj,$m1 + cbz $j,.Linner_skip + +.Linner: + ldr $aj,[$ap],#8 + adc $hi1,$hi1,xzr + ldr $tj,[$tp],#8 // tp[j] + adds $lo0,$alo,$hi0 + sub $j,$j,#8 // j-- + adc $hi0,$ahi,xzr + + adds $lo1,$nlo,$hi1 + ldr $nj,[$np],#8 + adc $hi1,$nhi,xzr + + mul $alo,$aj,$m0 // ap[j]*bp[i] + adds $lo0,$lo0,$tj + umulh $ahi,$aj,$m0 + adc $hi0,$hi0,xzr + + mul $nlo,$nj,$m1 // np[j]*m1 + adds $lo1,$lo1,$lo0 + umulh $nhi,$nj,$m1 + str $lo1,[$tp,#-16] // tp[j-1] + cbnz $j,.Linner + +.Linner_skip: + ldr $tj,[$tp],#8 // tp[j] + adc $hi1,$hi1,xzr + adds $lo0,$alo,$hi0 + sub $ap,$ap,$num // rewind $ap + adc $hi0,$ahi,xzr + + adds $lo1,$nlo,$hi1 + sub $np,$np,$num // rewind $np + adc $hi1,$nhi,$ovf + + adds $lo0,$lo0,$tj + adc $hi0,$hi0,xzr + + adds $lo1,$lo1,$lo0 + adcs $hi1,$hi1,$hi0 + adc $ovf,xzr,xzr // upmost overflow bit + stp $lo1,$hi1,[$tp,#-16] + + cbnz $i,.Louter + + // Final step. We see if result is larger than modulus, and + // if it is, subtract the modulus. But comparison implies + // subtraction. So we subtract modulus, see if it borrowed, + // and conditionally copy original value. + ldr $tj,[sp] // tp[0] + add $tp,sp,#8 + ldr $nj,[$np],#8 // np[0] + subs $j,$num,#8 // j=num-1 and clear borrow + mov $ap,$rp +.Lsub: + sbcs $aj,$tj,$nj // tp[j]-np[j] + ldr $tj,[$tp],#8 + sub $j,$j,#8 // j-- + ldr $nj,[$np],#8 + str $aj,[$ap],#8 // rp[j]=tp[j]-np[j] + cbnz $j,.Lsub + + sbcs $aj,$tj,$nj + sbcs $ovf,$ovf,xzr // did it borrow? 
+ str $aj,[$ap],#8 // rp[num-1] + + ldr $tj,[sp] // tp[0] + add $tp,sp,#8 + ldr $aj,[$rp],#8 // rp[0] + sub $num,$num,#8 // num-- + nop +.Lcond_copy: + sub $num,$num,#8 // num-- + csel $nj,$aj,$tj,cs // did it borrow? + ldr $tj,[$tp],#8 + ldr $aj,[$rp],#8 + str xzr,[$tp,#-16] // wipe tp + str $nj,[$rp,#-16] + cbnz $num,.Lcond_copy + + csel $nj,$aj,$tj,cs + str xzr,[$tp,#-8] // wipe tp + str $nj,[$rp,#-8] + + ldp x19,x20,[x29,#16] + mov sp,x29 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldr x29,[sp],#64 + ret +.size bn_mul_mont,.-bn_mul_mont + +.asciz "Montgomery Multiplication for ARMv8, CRYPTOGAMS by " +.align 4 +___ + +print $code; + +close STDOUT; From matt at openssl.org Mon Apr 20 12:44:47 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 20 Apr 2015 12:44:47 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429533887.436535.31582.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 47daa155a31b0a54ce09ad2ed4d55fad74096dab (commit) via be856c0391d65c8c179721ffa8f35374fddf5892 (commit) via 017a06c7d1ed92a5dfbe2586ca96bef268c04895 (commit) via dfd3322d72a2d49f597b86dab6f37a8cf0f26dbf (commit) via 6281abc79623419eae6a64768c478272d5d3a426 (commit) from 3661bb4e7934668bd99ca777ea8b30eedfafa871 (commit) - Log ----------------------------------------------------------------- commit 47daa155a31b0a54ce09ad2ed4d55fad74096dab Author: Dr. Stephen Henson Date: Tue Mar 24 16:21:21 2015 +0000 Fix verify algorithm. Disable loop checking when we retry verification with an alternative path. This fixes the case where an intermediate CA is explicitly trusted and part of the untrusted certificate list. By disabling loop checking for this case the untrusted CA can be replaced by the explicitly trusted case and verification will succeed. 
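Review bot: The epilogue of bn_mul_mont never sets the return register, although the header comment declares the routine as `int bn_mul_mont(`. `$rp` is x0 and is post-incremented by the `ldr $aj,[$rp],#8` loads in `.Lcond_copy`, so the value returned is the low 32 bits of an advanced result pointer. If callers treat the result as a success flag (the call sites are not on this page), it is non-zero only by accident of the address; add `mov x0,#1` before `ret`. Separately, the prologue sizes the stack scratch area straight from num (`sub $tp,sp,$num,lsl#3`) and computes `j=num-2` without rejecting num < 2. That precondition should be stated in a comment next to the prototype, for example `# caller must guarantee num >= 2; scratch of num*8 bytes is taken from the stack`.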
Signed-off-by: Matt Caswell (cherry picked from commit e5991ec528b1c339062440811e2641f5ea2b328b) Reviewed-by: Rich Salz commit be856c0391d65c8c179721ffa8f35374fddf5892 Author: Matt Caswell Date: Tue Jan 27 11:15:15 2015 +0000 Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. Conflicts: doc/apps/cms.pod doc/apps/ocsp.pod doc/apps/s_client.pod doc/apps/s_server.pod doc/apps/smime.pod doc/apps/verify.pod Reviewed-by: Rich Salz commit 017a06c7d1ed92a5dfbe2586ca96bef268c04895 Author: Matt Caswell Date: Tue Jan 27 10:50:38 2015 +0000 Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead. Conflicts: apps/cms.c apps/ocsp.c apps/s_client.c apps/s_server.c apps/smime.c apps/verify.c Reviewed-by: Rich Salz commit dfd3322d72a2d49f597b86dab6f37a8cf0f26dbf Author: Matt Caswell Date: Tue Jan 27 10:35:27 2015 +0000 Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL Reviewed-by: Rich Salz commit 6281abc79623419eae6a64768c478272d5d3a426 Author: Matt Caswell Date: Tue Jan 27 10:03:29 2015 +0000 In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store. When building a trust chain if the first attempt fails, then try to see if alternate chains could be constructed that are trusted. 
RT3637 RT3621 Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 2 + apps/cms.c | 2 + apps/ocsp.c | 2 + apps/s_client.c | 2 + apps/s_server.c | 2 + apps/smime.c | 2 + apps/verify.c | 2 +- crypto/x509/x509_vfy.c | 185 ++++++++++++++++++----------- crypto/x509/x509_vfy.h | 6 + doc/apps/cms.pod | 5 +- doc/apps/ocsp.pod | 11 ++ doc/apps/s_client.pod | 7 +- doc/apps/s_server.pod | 9 ++ doc/apps/smime.pod | 4 +- doc/apps/verify.pod | 13 ++ doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 8 +- 16 files changed, 187 insertions(+), 75 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 6d22a08..7478fc3 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_SUITEB_192_LOS; else if (!strcmp(arg, "-partial_chain")) flags |= X509_V_FLAG_PARTIAL_CHAIN; + else if (!strcmp(arg, "-no_alt_chains")) + flags |= X509_V_FLAG_NO_ALT_CHAINS; else return 0; diff --git a/apps/cms.c b/apps/cms.c index d287a2b..6047937 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -646,6 +646,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); diff --git a/apps/ocsp.c b/apps/ocsp.c index ebb3732..b858b8d 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c 
@@ -536,6 +536,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-VAfile file validator certificates file\n"); BIO_printf(bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); diff --git a/apps/s_client.c b/apps/s_client.c index d53bca1..e55f2c5 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -332,6 +332,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n"); diff --git a/apps/s_server.c b/apps/s_server.c index 2597e8c..5d58fe0 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -554,6 +554,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); diff --git a/apps/smime.c b/apps/smime.c index 764509f..6044ccf 100644 --- a/apps/smime.c +++ b/apps/smime.c 
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); diff --git a/apps/verify.c b/apps/verify.c index b3ba53d..78e729f 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -232,7 +232,7 @@ int MAIN(int argc, char **argv) if (ret == 1) { BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); + BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); #endif diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1196a2a..c0f6a5d 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -187,11 +187,11 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) int X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x, *xtmp, *chain_ss = NULL; + X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; int depth, i, ok = 0; - int num; + int num, j, retry; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { 
@@ -276,91 +276,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx) break; } + /* Remember how many untrusted certs we have */ + j = num; /* * at this point, chain should contain a list of untrusted certificates. * We now need to add at least one trusted one, if possible, otherwise we * complain. */ - /* - * Examine last certificate in chain and see if it is self signed. - */ - - i = sk_X509_num(ctx->chain); - x = sk_X509_value(ctx->chain, i - 1); - if (cert_self_signed(x)) { - /* we have a self signed certificate */ - if (sk_X509_num(ctx->chain) == 1) { - /* - * We have a single self signed certificate: see if we can find - * it in the store. We must have an exact match to avoid possible - * impersonation. - */ - ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) { - ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - ctx->current_cert = x; - ctx->error_depth = i - 1; - if (ok == 1) - X509_free(xtmp); - bad_chain = 1; - ok = cb(0, ctx); - if (!ok) - goto end; + do { + /* + * Examine last certificate in chain and see if it is self signed. + */ + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); + if (cert_self_signed(x)) { + /* we have a self signed certificate */ + if (sk_X509_num(ctx->chain) == 1) { + /* + * We have a single self signed certificate: see if we can + * find it in the store. We must have an exact match to avoid + * possible impersonation. + */ + ok = ctx->get_issuer(&xtmp, ctx, x); + if ((ok <= 0) || X509_cmp(x, xtmp)) { + ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto end; + } else { + /* + * We have a match: replace certificate with store + * version so we get any trust settings. 
+ */ + X509_free(x); + x = xtmp; + (void)sk_X509_set(ctx->chain, i - 1, x); + ctx->last_untrusted = 0; + } } else { /* - * We have a match: replace certificate with store version so - * we get any trust settings. + * extract and save self signed certificate for later use */ - X509_free(x); - x = xtmp; - (void)sk_X509_set(ctx->chain, i - 1, x); - ctx->last_untrusted = 0; + chain_ss = sk_X509_pop(ctx->chain); + ctx->last_untrusted--; + num--; + j--; + x = sk_X509_value(ctx->chain, num - 1); } - } else { - /* - * extract and save self signed certificate for later use - */ - chain_ss = sk_X509_pop(ctx->chain); - ctx->last_untrusted--; - num--; - x = sk_X509_value(ctx->chain, num - 1); } - } - - /* We now lookup certs from the certificate store */ - for (;;) { - /* If we have enough, we break */ - if (depth < num) - break; + /* We now lookup certs from the certificate store */ + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; + /* If we are self signed, we break */ + if (cert_self_signed(x)) + break; + ok = ctx->get_issuer(&xtmp, ctx, x); - /* If we are self signed, we break */ - if (cert_self_signed(x)) - break; + if (ok < 0) + return ok; + if (ok == 0) + break; + x = xtmp; + if (!sk_X509_push(ctx->chain, x)) { + X509_free(xtmp); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + return 0; + } + num++; + } - ok = ctx->get_issuer(&xtmp, ctx, x); + /* we now have our chain, lets check it... */ + i = check_trust(ctx); - if (ok < 0) - return ok; - if (ok == 0) - break; + /* If explicitly rejected error */ + if (i == X509_TRUST_REJECTED) + goto end; + /* + * If it's not explicitly trusted then check if there is an alternative + * chain that could be used. 
We only do this if we haven't already + * checked via TRUSTED_FIRST and the user hasn't switched off alternate + * chain checking + */ + retry = 0; + if (i != X509_TRUST_TRUSTED + && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) + && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { + while (j-- > 1) { + STACK_OF(X509) *chtmp = ctx->chain; + xtmp2 = sk_X509_value(ctx->chain, j - 1); + /* + * Temporarily set chain to NULL so we don't discount + * duplicates: the same certificate could be an untrusted + * CA found in the trusted store. + */ + ctx->chain = NULL; + ok = ctx->get_issuer(&xtmp, ctx, xtmp2); + ctx->chain = chtmp; + if (ok < 0) + goto end; + /* Check if we found an alternate chain */ + if (ok > 0) { + /* + * Free up the found cert we'll add it again later + */ + X509_free(xtmp); - x = xtmp; - if (!sk_X509_push(ctx->chain, x)) { - X509_free(xtmp); - X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - return 0; + /* + * Dump all the certs above this point - we've found an + * alternate chain + */ + while (num > j) { + xtmp = sk_X509_pop(ctx->chain); + X509_free(xtmp); + num--; + ctx->last_untrusted--; + } + retry = 1; + break; + } + } } - num++; - } + } while (retry); - /* we now have our chain, lets check it... */ - - i = check_trust(ctx); - - /* If explicitly rejected error */ - if (i == X509_TRUST_REJECTED) - goto end; /* * If not explicitly trusted then indicate error unless it's a single * self signed certificate in which case we've indicated an error already diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h index a6f0df5..bd8613c 100644 --- a/crypto/x509/x509_vfy.h +++ b/crypto/x509/x509_vfy.h 
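Review bot: In the alternate-chain branch, the `while (num > j)` loop decrements `ctx->last_untrusted` once for every certificate it pops, which undercounts. The popped entries can include certificates pushed by the store-lookup loop earlier in the same `do` body, and that loop increments `num` without touching `last_untrusted`. After a retry, `last_untrusted` can therefore be smaller than the number of peer-supplied certificates still in `ctx->chain`. Any later check that uses it as the boundary between untrusted and trusted entries would then skip certificates that still need CA and extension validation; those checks are outside this hunk. Remove the decrement from the loop and recompute once after it with `ctx->last_untrusted = sk_X509_num(ctx->chain);`. X509_verify_cert starts and ends outside this hunk.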
@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Allow partial chains if at least one certificate is in trusted store */ # define X509_V_FLAG_PARTIAL_CHAIN 0x80000 +/* + * If the initial chain is not trusted, do not attempt to build an alternative + * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag + * will force the behaviour to match that of previous versions. + */ +# define X509_V_FLAG_NO_ALT_CHAINS 0x100000 # define X509_VP_FLAG_DEFAULT 0x1 # define X509_VP_FLAG_OVERWRITE 0x2 diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index 76dbf2c..4eaedbc 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] @@ -419,7 +420,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -655,4 +656,6 @@ Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.1.0. The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added to OpenSSL 1.1.0. +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 2372b37..4639502 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-no_alt_chains>]] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] 
@@ -143,6 +144,10 @@ connection timeout to the OCSP responder in seconds file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-no_alt_chains> + +See L|verify(1)> manual page for details. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate @@ -379,3 +384,9 @@ second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + +=cut diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index aad59b1..84d0527 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -120,7 +121,7 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -361,4 +362,8 @@ information whenever a session is renegotiated. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index b37f410..baca779 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] [B<-serverpref>] 
@@ -174,6 +175,10 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-no_alt_chains> + +See the L|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. @@ -406,4 +411,8 @@ unknown cipher suites a client says it supports. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index d39a59a..d5618c8 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod @@ -15,6 +15,7 @@ B B [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various options of certificate chain verification. See L|verify(1)> manual page for details. @@ -441,5 +442,6 @@ structures may cause parsing errors. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.2b. =cut diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod index df01534..df1b86d 100644 --- a/doc/apps/verify.pod +++ b/doc/apps/verify.pod @@ -25,6 +25,7 @@ B B [B<-extended_crl>] [B<-use_deltas>] [B<-policy_print>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] 
@@ -124,6 +125,14 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of previous OpenSSL versions. + =item B<-policy_print> Print out diagnostics related to policy processing. @@ -425,4 +434,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.2b. + =cut diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 347d48d..44792f9 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -197,6 +197,12 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. +The B flag suppresses checking for alternative +chains. By default, when building a certificate chain, if the first certificate +chain found is not trusted, then OpenSSL will continue to check to see if an +alternative chain can be found that is trusted. With this flag set the behaviour +will match that of OpenSSL versions prior to 1.0.2b. + =head1 NOTES The above functions should be used to manipulate verification parameters @@ -233,6 +239,6 @@ L =head1 HISTORY -TBA +The B flag was added in OpenSSL 1.0.2b =cut From appro at openssl.org Mon Apr 20 12:46:08 2015 
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 12:46:08 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429533968.052458.31891.nullmailer@dev.openssl.org> The branch master has been updated via 4eb504aedf49a4acb55fa0a4fa9942d241ca8230 (commit) via ace8f54691005da351bdc9cf8a03e94d4a1a7ac8 (commit) from 2c6343bfa3665f1e574b9f93db185ac28037c095 (commit) - Log ----------------------------------------------------------------- commit 4eb504aedf49a4acb55fa0a4fa9942d241ca8230 Author: Andy Polyakov Date: Fri Mar 13 11:47:24 2015 +0100 crypto/ec/ecp_nistp[224|521].c: fix formatting. Reviewed-by: Rich Salz commit ace8f54691005da351bdc9cf8a03e94d4a1a7ac8 Author: Andy Polyakov Date: Fri Mar 13 11:28:16 2015 +0100 ec/ecp_nistp*.c: fix SEGVs. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistp224.c | 153 +++++++++++++++++------------------------ crypto/ec/ecp_nistp256.c | 20 +++--- crypto/ec/ecp_nistp521.c | 173 +++++++++++++++++++++++++---------------------- 3 files changed, 166 insertions(+), 180 deletions(-) diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 76adc8a..6269cce 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c 
@@ -127,84 +127,55 @@ static const felem_bytearray nistp224_curve_params[5] = { * locations when doing simple scalar multiplies against the base point, * and then another four locations using the second 16 elements. */ -static const felem gmul[2][16][3] = { {{{0, 0, 0, 0}, - {0, 0, 0, 0}, - {0, 0, 0, 0}}, - {{0x3280d6115c1d21, 0xc1d356c2112234, - 0x7f321390b94a03, 0xb70e0cbd6bb4bf}, - {0xd5819985007e34, 0x75a05a07476444, - 0xfb4c22dfe6cd43, 0xbd376388b5f723}, - {1, 0, 0, 0}}, - {{0xfd9675666ebbe9, 0xbca7664d40ce5e, - 0x2242df8d8a2a43, 0x1f49bbb0f99bc5}, - {0x29e0b892dc9c43, 0xece8608436e662, - 0xdc858f185310d0, 0x9812dd4eb8d321}, - {1, 0, 0, 0}}, - {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, - 0x16e9a3bbce8a3f, 0xeedcccd8c2a748}, - {0xf19f90ed50266d, 0xabf2b4bf65f9df, - 0x313865468fafec, 0x5cb379ba910a17}, - {1, 0, 0, 0}}, - {{0x0641966cab26e3, 0x91fb2991fab0a0, - 0xefec27a4e13a0b, 0x0499aa8a5f8ebe}, - {0x7510407766af5d, 0x84d929610d5450, - 0x81d77aae82f706, 0x6916f6d4338c5b}, - {1, 0, 0, 0}}, - {{0xea95ac3b1f15c6, 0x086000905e82d4, - 0xdd323ae4d1c8b1, 0x932b56be7685a3}, - {0x9ef93dea25dbbf, 0x41665960f390f0, - 0xfdec76dbe2a8a7, 0x523e80f019062a}, - {1, 0, 0, 0}}, - {{0x822fdd26732c73, 0xa01c83531b5d0f, - 0x363f37347c1ba4, 0xc391b45c84725c}, - {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, - 0xc393da7e222a7f, 0x1efb7890ede244}, - {1, 0, 0, 0}}, - {{0x4c9e90ca217da1, 0xd11beca79159bb, - 0xff8d33c2c98b7c, 0x2610b39409f849}, - {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, - 0x966c079b753c89, 0xfe67e4e820b112}, - {1, 0, 0, 0}}, - {{0xe28cae2df5312d, 0xc71b61d16f5c6e, - 0x79b7619a3e7c4c, 0x05c73240899b47}, - {0x9f7f6382c73e3a, 0x18615165c56bda, - 0x641fab2116fd56, 0x72855882b08394}, - {1, 0, 0, 0}}, - {{0x0469182f161c09, 0x74a98ca8d00fb5, - 0xb89da93489a3e0, 0x41c98768fb0c1d}, - {0xe5ea05fb32da81, 0x3dce9ffbca6855, - 0x1cfe2d3fbf59e6, 0x0e5e03408738a7}, - {1, 0, 0, 0}}, - {{0xdab22b2333e87f, 0x4430137a5dd2f6, - 0xe03ab9f738beb8, 0xcb0c5d0dc34f24}, - {0x764a7df0c8fda5, 0x185ba5c3fa2044, - 
0x9281d688bcbe50, 0xc40331df893881}, - {1, 0, 0, 0}}, - {{0xb89530796f0f60, 0xade92bd26909a3, - 0x1a0c83fb4884da, 0x1765bf22a5a984}, - {0x772a9ee75db09e, 0x23bc6c67cec16f, - 0x4c1edba8b14e2f, 0xe2a215d9611369}, - {1, 0, 0, 0}}, - {{0x571e509fb5efb3, 0xade88696410552, - 0xc8ae85fada74fe, 0x6c7e4be83bbde3}, - {0xff9f51160f4652, 0xb47ce2495a6539, - 0xa2946c53b582f4, 0x286d2db3ee9a60}, - {1, 0, 0, 0}}, - {{0x40bbd5081a44af, 0x0995183b13926c, - 0xbcefba6f47f6d0, 0x215619e9cc0057}, - {0x8bc94d3b0df45e, 0xf11c54a3694f6f, - 0x8631b93cdfe8b5, 0xe7e3f4b0982db9}, - {1, 0, 0, 0}}, - {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, - 0x1c29819435d2c6, 0xc813132f4c07e9}, - {0x2891425503b11f, 0x08781030579fea, - 0xf5426ba5cc9674, 0x1e28ebf18562bc}, - {1, 0, 0, 0}}, - {{0x9f31997cc864eb, 0x06cd91d28b5e4c, - 0xff17036691a973, 0xf1aef351497c58}, - {0xdd1f2d600564ff, 0xdead073b1402db, - 0x74a684435bd693, 0xeea7471f962558}, - {1, 0, 0, 0}}}, +static const felem gmul[2][16][3] = { +{{{0, 0, 0, 0}, + {0, 0, 0, 0}, + {0, 0, 0, 0}}, + {{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf}, + {0xd5819985007e34, 0x75a05a07476444, 0xfb4c22dfe6cd43, 0xbd376388b5f723}, + {1, 0, 0, 0}}, + {{0xfd9675666ebbe9, 0xbca7664d40ce5e, 0x2242df8d8a2a43, 0x1f49bbb0f99bc5}, + {0x29e0b892dc9c43, 0xece8608436e662, 0xdc858f185310d0, 0x9812dd4eb8d321}, + {1, 0, 0, 0}}, + {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, 0x16e9a3bbce8a3f, 0xeedcccd8c2a748}, + {0xf19f90ed50266d, 0xabf2b4bf65f9df, 0x313865468fafec, 0x5cb379ba910a17}, + {1, 0, 0, 0}}, + {{0x0641966cab26e3, 0x91fb2991fab0a0, 0xefec27a4e13a0b, 0x0499aa8a5f8ebe}, + {0x7510407766af5d, 0x84d929610d5450, 0x81d77aae82f706, 0x6916f6d4338c5b}, + {1, 0, 0, 0}}, + {{0xea95ac3b1f15c6, 0x086000905e82d4, 0xdd323ae4d1c8b1, 0x932b56be7685a3}, + {0x9ef93dea25dbbf, 0x41665960f390f0, 0xfdec76dbe2a8a7, 0x523e80f019062a}, + {1, 0, 0, 0}}, + {{0x822fdd26732c73, 0xa01c83531b5d0f, 0x363f37347c1ba4, 0xc391b45c84725c}, + {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, 0xc393da7e222a7f, 
0x1efb7890ede244}, + {1, 0, 0, 0}}, + {{0x4c9e90ca217da1, 0xd11beca79159bb, 0xff8d33c2c98b7c, 0x2610b39409f849}, + {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, 0x966c079b753c89, 0xfe67e4e820b112}, + {1, 0, 0, 0}}, + {{0xe28cae2df5312d, 0xc71b61d16f5c6e, 0x79b7619a3e7c4c, 0x05c73240899b47}, + {0x9f7f6382c73e3a, 0x18615165c56bda, 0x641fab2116fd56, 0x72855882b08394}, + {1, 0, 0, 0}}, + {{0x0469182f161c09, 0x74a98ca8d00fb5, 0xb89da93489a3e0, 0x41c98768fb0c1d}, + {0xe5ea05fb32da81, 0x3dce9ffbca6855, 0x1cfe2d3fbf59e6, 0x0e5e03408738a7}, + {1, 0, 0, 0}}, + {{0xdab22b2333e87f, 0x4430137a5dd2f6, 0xe03ab9f738beb8, 0xcb0c5d0dc34f24}, + {0x764a7df0c8fda5, 0x185ba5c3fa2044, 0x9281d688bcbe50, 0xc40331df893881}, + {1, 0, 0, 0}}, + {{0xb89530796f0f60, 0xade92bd26909a3, 0x1a0c83fb4884da, 0x1765bf22a5a984}, + {0x772a9ee75db09e, 0x23bc6c67cec16f, 0x4c1edba8b14e2f, 0xe2a215d9611369}, + {1, 0, 0, 0}}, + {{0x571e509fb5efb3, 0xade88696410552, 0xc8ae85fada74fe, 0x6c7e4be83bbde3}, + {0xff9f51160f4652, 0xb47ce2495a6539, 0xa2946c53b582f4, 0x286d2db3ee9a60}, + {1, 0, 0, 0}}, + {{0x40bbd5081a44af, 0x0995183b13926c, 0xbcefba6f47f6d0, 0x215619e9cc0057}, + {0x8bc94d3b0df45e, 0xf11c54a3694f6f, 0x8631b93cdfe8b5, 0xe7e3f4b0982db9}, + {1, 0, 0, 0}}, + {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, 0x1c29819435d2c6, 0xc813132f4c07e9}, + {0x2891425503b11f, 0x08781030579fea, 0xf5426ba5cc9674, 0x1e28ebf18562bc}, + {1, 0, 0, 0}}, + {{0x9f31997cc864eb, 0x06cd91d28b5e4c, 0xff17036691a973, 0xf1aef351497c58}, + {0xdd1f2d600564ff, 0xdead073b1402db, 0x74a684435bd693, 0xeea7471f962558}, + {1, 0, 0, 0}}}, {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}}, 
@@ -544,11 +515,11 @@ static void felem_mul(widefelem out, const felem in1, const felem in2) out[0] = ((widelimb) in1[0]) * in2[0]; out[1] = ((widelimb) in1[0]) * in2[1] + ((widelimb) in1[1]) * in2[0]; out[2] = ((widelimb) in1[0]) * in2[2] + ((widelimb) in1[1]) * in2[1] + - ((widelimb) in1[2]) * in2[0]; + ((widelimb) in1[2]) * in2[0]; out[3] = ((widelimb) in1[0]) * in2[3] + ((widelimb) in1[1]) * in2[2] + - ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0]; + ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0]; out[4] = ((widelimb) in1[1]) * in2[3] + ((widelimb) in1[2]) * in2[2] + - ((widelimb) in1[3]) * in2[1]; + ((widelimb) in1[3]) * in2[1]; out[5] = ((widelimb) in1[2]) * in2[3] + ((widelimb) in1[3]) * in2[2]; out[6] = ((widelimb) in1[3]) * in2[3]; } @@ -1343,8 +1314,8 @@ int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, EC_R_POINT_AT_INFINITY); return 0; } - if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) || - (!BN_to_felem(z1, &point->Z))) + if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) || + (!BN_to_felem(z1, point->Z))) return 0; felem_inv(z2, z1); felem_square(tmp, z2); @@ -1525,7 +1496,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, * this is an unusual input, and we don't guarantee * constant-timeness */ - if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) { + if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) { ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB); goto err; } 
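Review bot: The comment kept above the changed `BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)` call in ec_GFp_nistp224_points_mul (hunk at -1525) says only that the input is "unusual" and that constant-timeness is not guaranteed, without saying which scalars reach this branch or what a caller holding a secret scalar should do about it. The condition that selects the branch starts outside the hunk, so the comment is all a reader of this path has. I would extend it along the lines of `/* scalar is outside the range checked above: it is reduced with BN_nnmod, which is not constant-time, so callers with secret scalars should pass them already reduced and non-negative */`, with the exact range taken from the enclosing condition. The same comment sits above the other BN_nnmod changes in this commit: the second points_mul hunk in this file and the matching hunks in ecp_nistp256.c and ecp_nistp521.c.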
@@ -1534,9 +1505,9 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
 num_bytes = BN_bn2bin(p_scalar, tmp);
 flip_endian(secrets[i], tmp, num_bytes);
 /* precompute multiples */
- if ((!BN_to_felem(x_out, &p->X)) ||
- (!BN_to_felem(y_out, &p->Y)) ||
- (!BN_to_felem(z_out, &p->Z)))
+ if ((!BN_to_felem(x_out, p->X)) ||
+ (!BN_to_felem(y_out, p->Y)) ||
+ (!BN_to_felem(z_out, p->Z)))
 goto err;
 felem_assign(pre_comp[i][1][0], x_out);
 felem_assign(pre_comp[i][1][1], y_out);
@@ -1571,7 +1542,7 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
 * this is an unusual input, and we don't guarantee
 * constant-timeness
 */
- if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
 ECerr(EC_F_EC_GFP_NISTP224_POINTS_MUL, ERR_R_BN_LIB);
 goto err;
 }
@@ -1654,9 +1625,9 @@ int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
 ret = 1;
 goto err;
 }
- if ((!BN_to_felem(pre->g_pre_comp[0][1][0], &group->generator->X)) ||
- (!BN_to_felem(pre->g_pre_comp[0][1][1], &group->generator->Y)) ||
- (!BN_to_felem(pre->g_pre_comp[0][1][2], &group->generator->Z)))
+ if ((!BN_to_felem(pre->g_pre_comp[0][1][0], group->generator->X)) ||
+ (!BN_to_felem(pre->g_pre_comp[0][1][1], group->generator->Y)) ||
+ (!BN_to_felem(pre->g_pre_comp[0][1][2], group->generator->Z)))
 goto err;
 /*
 * compute 2^56*G, 2^112*G, 2^168*G for the first table, 2^28*G, 2^84*G,
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
index 794520e..b42e96a 100644
--- a/crypto/ec/ecp_nistp256.c
+++ b/crypto/ec/ecp_nistp256.c
@@ -1930,8 +1930,8 @@ int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
 EC_R_POINT_AT_INFINITY);
 return 0;
 }
- if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
- (!BN_to_felem(z1, &point->Z)))
+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
+ (!BN_to_felem(z1, point->Z)))
 return 0;
 felem_inv(z2, z1);
 felem_square(tmp, z2);
@@ -2114,7 +2114,7 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
 * this is an unusual input, and we don't guarantee
 * constant-timeness
 */
- if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
 goto err;
 }
@@ -2123,9 +2123,9 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
 num_bytes = BN_bn2bin(p_scalar, tmp);
 flip_endian(secrets[i], tmp, num_bytes);
 /* precompute multiples */
- if ((!BN_to_felem(x_out, &p->X)) ||
- (!BN_to_felem(y_out, &p->Y)) ||
- (!BN_to_felem(z_out, &p->Z)))
+ if ((!BN_to_felem(x_out, p->X)) ||
+ (!BN_to_felem(y_out, p->Y)) ||
+ (!BN_to_felem(z_out, p->Z)))
 goto err;
 felem_shrink(pre_comp[i][1][0], x_out);
 felem_shrink(pre_comp[i][1][1], y_out);
@@ -2162,7 +2162,7 @@ int ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
 * this is an unusual input, and we don't guarantee
 * constant-timeness
 */
- if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
 ECerr(EC_F_EC_GFP_NISTP256_POINTS_MUL, ERR_R_BN_LIB);
 goto err;
 }
@@ -2246,9 +2246,9 @@ int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
 ret = 1;
 goto err;
 }
- if ((!BN_to_felem(x_tmp, &group->generator->X)) ||
- (!BN_to_felem(y_tmp, &group->generator->Y)) ||
- (!BN_to_felem(z_tmp, &group->generator->Z)))
+ if ((!BN_to_felem(x_tmp, group->generator->X)) ||
+ (!BN_to_felem(y_tmp, group->generator->Y)) ||
+ (!BN_to_felem(z_tmp, group->generator->Z)))
 goto err;
 felem_shrink(pre->g_pre_comp[0][1][0], x_tmp);
 felem_shrink(pre->g_pre_comp[0][1][1], y_tmp);
diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
index 7ceb1bc..2e4a651 100644
--- a/crypto/ec/ecp_nistp521.c
+++ b/crypto/ec/ecp_nistp521.c
@@ -430,19 +430,19 @@ static void felem_square(largefelem out, const felem in) out[2] = ((uint128_t) in[0]) * inx2[2] + ((uint128_t) in[1]) * in[1]; out[3] = ((uint128_t) in[0]) * inx2[3] + ((uint128_t) in[1]) * inx2[2]; out[4] = ((uint128_t) in[0]) * inx2[4] + - ((uint128_t) in[1]) * inx2[3] + ((uint128_t) in[2]) * in[2]; + ((uint128_t) in[1]) * inx2[3] + ((uint128_t) in[2]) * in[2]; out[5] = ((uint128_t) in[0]) * inx2[5] + - ((uint128_t) in[1]) * inx2[4] + ((uint128_t) in[2]) * inx2[3]; + ((uint128_t) in[1]) * inx2[4] + ((uint128_t) in[2]) * inx2[3]; out[6] = ((uint128_t) in[0]) * inx2[6] + - ((uint128_t) in[1]) * inx2[5] + - ((uint128_t) in[2]) * inx2[4] + ((uint128_t) in[3]) * in[3]; + ((uint128_t) in[1]) * inx2[5] + + ((uint128_t) in[2]) * inx2[4] + ((uint128_t) in[3]) * in[3]; out[7] = ((uint128_t) in[0]) * inx2[7] + - ((uint128_t) in[1]) * inx2[6] + - ((uint128_t) in[2]) * inx2[5] + ((uint128_t) in[3]) * inx2[4]; + ((uint128_t) in[1]) * inx2[6] + + ((uint128_t) in[2]) * inx2[5] + ((uint128_t) in[3]) * inx2[4]; out[8] = ((uint128_t) in[0]) * inx2[8] + - ((uint128_t) in[1]) * inx2[7] + - ((uint128_t) in[2]) * inx2[6] + - ((uint128_t) in[3]) * inx2[5] + ((uint128_t) in[4]) * in[4]; + ((uint128_t) in[1]) * inx2[7] + + ((uint128_t) in[2]) * inx2[6] + + ((uint128_t) in[3]) * inx2[5] + ((uint128_t) in[4]) * in[4]; /* * The remaining limbs fall above 2^521, with the first falling at 2^522. 
@@ -455,21 +455,21 @@ static void felem_square(largefelem out, const felem in) /* 9 */ out[0] += ((uint128_t) in[1]) * inx4[8] + - ((uint128_t) in[2]) * inx4[7] + - ((uint128_t) in[3]) * inx4[6] + ((uint128_t) in[4]) * inx4[5]; + ((uint128_t) in[2]) * inx4[7] + + ((uint128_t) in[3]) * inx4[6] + ((uint128_t) in[4]) * inx4[5]; /* 10 */ out[1] += ((uint128_t) in[2]) * inx4[8] + - ((uint128_t) in[3]) * inx4[7] + - ((uint128_t) in[4]) * inx4[6] + ((uint128_t) in[5]) * inx2[5]; + ((uint128_t) in[3]) * inx4[7] + + ((uint128_t) in[4]) * inx4[6] + ((uint128_t) in[5]) * inx2[5]; /* 11 */ out[2] += ((uint128_t) in[3]) * inx4[8] + - ((uint128_t) in[4]) * inx4[7] + ((uint128_t) in[5]) * inx4[6]; + ((uint128_t) in[4]) * inx4[7] + ((uint128_t) in[5]) * inx4[6]; /* 12 */ out[3] += ((uint128_t) in[4]) * inx4[8] + - ((uint128_t) in[5]) * inx4[7] + ((uint128_t) in[6]) * inx2[6]; + ((uint128_t) in[5]) * inx4[7] + ((uint128_t) in[6]) * inx2[6]; /* 13 */ out[4] += ((uint128_t) in[5]) * inx4[8] + ((uint128_t) in[6]) * inx4[7]; 
@@ -499,87 +499,101 @@ static void felem_mul(largefelem out, const felem in1, const felem in2) out[0] = ((uint128_t) in1[0]) * in2[0]; - out[1] = ((uint128_t) in1[0]) * in2[1] + ((uint128_t) in1[1]) * in2[0]; + out[1] = ((uint128_t) in1[0]) * in2[1] + + ((uint128_t) in1[1]) * in2[0]; out[2] = ((uint128_t) in1[0]) * in2[2] + - ((uint128_t) in1[1]) * in2[1] + ((uint128_t) in1[2]) * in2[0]; + ((uint128_t) in1[1]) * in2[1] + + ((uint128_t) in1[2]) * in2[0]; out[3] = ((uint128_t) in1[0]) * in2[3] + - ((uint128_t) in1[1]) * in2[2] + - ((uint128_t) in1[2]) * in2[1] + ((uint128_t) in1[3]) * in2[0]; + ((uint128_t) in1[1]) * in2[2] + + ((uint128_t) in1[2]) * in2[1] + + ((uint128_t) in1[3]) * in2[0]; out[4] = ((uint128_t) in1[0]) * in2[4] + - ((uint128_t) in1[1]) * in2[3] + - ((uint128_t) in1[2]) * in2[2] + - ((uint128_t) in1[3]) * in2[1] + ((uint128_t) in1[4]) * in2[0]; + ((uint128_t) in1[1]) * in2[3] + + ((uint128_t) in1[2]) * in2[2] + + ((uint128_t) in1[3]) * in2[1] + + ((uint128_t) in1[4]) * in2[0]; out[5] = ((uint128_t) in1[0]) * in2[5] + - ((uint128_t) in1[1]) * in2[4] + - ((uint128_t) in1[2]) * in2[3] + - ((uint128_t) in1[3]) * in2[2] + - ((uint128_t) in1[4]) * in2[1] + ((uint128_t) in1[5]) * in2[0]; + ((uint128_t) in1[1]) * in2[4] + + ((uint128_t) in1[2]) * in2[3] + + ((uint128_t) in1[3]) * in2[2] + + ((uint128_t) in1[4]) * in2[1] + + ((uint128_t) in1[5]) * in2[0]; out[6] = ((uint128_t) in1[0]) * in2[6] + - ((uint128_t) in1[1]) * in2[5] + - ((uint128_t) in1[2]) * in2[4] + - ((uint128_t) in1[3]) * in2[3] + - ((uint128_t) in1[4]) * in2[2] + - ((uint128_t) in1[5]) * in2[1] + ((uint128_t) in1[6]) * in2[0]; + ((uint128_t) in1[1]) * in2[5] + + ((uint128_t) in1[2]) * in2[4] + + ((uint128_t) in1[3]) * in2[3] + + ((uint128_t) in1[4]) * in2[2] + + ((uint128_t) in1[5]) * in2[1] + + ((uint128_t) in1[6]) * in2[0]; out[7] = ((uint128_t) in1[0]) * in2[7] + - ((uint128_t) in1[1]) * in2[6] + - ((uint128_t) in1[2]) * in2[5] + - ((uint128_t) in1[3]) * in2[4] + - ((uint128_t) in1[4]) * 
in2[3] + - ((uint128_t) in1[5]) * in2[2] + - ((uint128_t) in1[6]) * in2[1] + ((uint128_t) in1[7]) * in2[0]; + ((uint128_t) in1[1]) * in2[6] + + ((uint128_t) in1[2]) * in2[5] + + ((uint128_t) in1[3]) * in2[4] + + ((uint128_t) in1[4]) * in2[3] + + ((uint128_t) in1[5]) * in2[2] + + ((uint128_t) in1[6]) * in2[1] + + ((uint128_t) in1[7]) * in2[0]; out[8] = ((uint128_t) in1[0]) * in2[8] + - ((uint128_t) in1[1]) * in2[7] + - ((uint128_t) in1[2]) * in2[6] + - ((uint128_t) in1[3]) * in2[5] + - ((uint128_t) in1[4]) * in2[4] + - ((uint128_t) in1[5]) * in2[3] + - ((uint128_t) in1[6]) * in2[2] + - ((uint128_t) in1[7]) * in2[1] + ((uint128_t) in1[8]) * in2[0]; + ((uint128_t) in1[1]) * in2[7] + + ((uint128_t) in1[2]) * in2[6] + + ((uint128_t) in1[3]) * in2[5] + + ((uint128_t) in1[4]) * in2[4] + + ((uint128_t) in1[5]) * in2[3] + + ((uint128_t) in1[6]) * in2[2] + + ((uint128_t) in1[7]) * in2[1] + + ((uint128_t) in1[8]) * in2[0]; /* See comment in felem_square about the use of in2x2 here */ out[0] += ((uint128_t) in1[1]) * in2x2[8] + - ((uint128_t) in1[2]) * in2x2[7] + - ((uint128_t) in1[3]) * in2x2[6] + - ((uint128_t) in1[4]) * in2x2[5] + - ((uint128_t) in1[5]) * in2x2[4] + - ((uint128_t) in1[6]) * in2x2[3] + - ((uint128_t) in1[7]) * in2x2[2] + ((uint128_t) in1[8]) * in2x2[1]; + ((uint128_t) in1[2]) * in2x2[7] + + ((uint128_t) in1[3]) * in2x2[6] + + ((uint128_t) in1[4]) * in2x2[5] + + ((uint128_t) in1[5]) * in2x2[4] + + ((uint128_t) in1[6]) * in2x2[3] + + ((uint128_t) in1[7]) * in2x2[2] + + ((uint128_t) in1[8]) * in2x2[1]; out[1] += ((uint128_t) in1[2]) * in2x2[8] + - ((uint128_t) in1[3]) * in2x2[7] + - ((uint128_t) in1[4]) * in2x2[6] + - ((uint128_t) in1[5]) * in2x2[5] + - ((uint128_t) in1[6]) * in2x2[4] + - ((uint128_t) in1[7]) * in2x2[3] + ((uint128_t) in1[8]) * in2x2[2]; + ((uint128_t) in1[3]) * in2x2[7] + + ((uint128_t) in1[4]) * in2x2[6] + + ((uint128_t) in1[5]) * in2x2[5] + + ((uint128_t) in1[6]) * in2x2[4] + + ((uint128_t) in1[7]) * in2x2[3] + + ((uint128_t) in1[8]) * 
in2x2[2]; out[2] += ((uint128_t) in1[3]) * in2x2[8] + - ((uint128_t) in1[4]) * in2x2[7] + - ((uint128_t) in1[5]) * in2x2[6] + - ((uint128_t) in1[6]) * in2x2[5] + - ((uint128_t) in1[7]) * in2x2[4] + ((uint128_t) in1[8]) * in2x2[3]; + ((uint128_t) in1[4]) * in2x2[7] + + ((uint128_t) in1[5]) * in2x2[6] + + ((uint128_t) in1[6]) * in2x2[5] + + ((uint128_t) in1[7]) * in2x2[4] + + ((uint128_t) in1[8]) * in2x2[3]; out[3] += ((uint128_t) in1[4]) * in2x2[8] + - ((uint128_t) in1[5]) * in2x2[7] + - ((uint128_t) in1[6]) * in2x2[6] + - ((uint128_t) in1[7]) * in2x2[5] + ((uint128_t) in1[8]) * in2x2[4]; + ((uint128_t) in1[5]) * in2x2[7] + + ((uint128_t) in1[6]) * in2x2[6] + + ((uint128_t) in1[7]) * in2x2[5] + + ((uint128_t) in1[8]) * in2x2[4]; out[4] += ((uint128_t) in1[5]) * in2x2[8] + - ((uint128_t) in1[6]) * in2x2[7] + - ((uint128_t) in1[7]) * in2x2[6] + ((uint128_t) in1[8]) * in2x2[5]; + ((uint128_t) in1[6]) * in2x2[7] + + ((uint128_t) in1[7]) * in2x2[6] + + ((uint128_t) in1[8]) * in2x2[5]; out[5] += ((uint128_t) in1[6]) * in2x2[8] + - ((uint128_t) in1[7]) * in2x2[7] + ((uint128_t) in1[8]) * in2x2[6]; + ((uint128_t) in1[7]) * in2x2[7] + + ((uint128_t) in1[8]) * in2x2[6]; out[6] += ((uint128_t) in1[7]) * in2x2[8] + - ((uint128_t) in1[8]) * in2x2[7]; + ((uint128_t) in1[8]) * in2x2[7]; out[7] += ((uint128_t) in1[8]) * in2x2[8]; } @@ -1335,9 +1349,10 @@ static void point_add(felem x3, felem y3, felem z3, * Tables for other points have table[i] = iG for i in 0 .. 16. */ /* gmul is the table of precomputed base points */ -static const felem gmul[16][3] = { {{0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0, 0, 0, 0, 0}}, +static const felem gmul[16][3] = { +{{0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0, 0, 0, 0, 0}, + {0, 0, 0, 0, 0, 0, 0, 0, 0}}, {{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334, 0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8, 0x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404}, 
@@ -1743,8 +1758,8 @@ int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
 EC_R_POINT_AT_INFINITY);
 return 0;
 }
- if ((!BN_to_felem(x_in, &point->X)) || (!BN_to_felem(y_in, &point->Y)) ||
- (!BN_to_felem(z1, &point->Z)))
+ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
+ (!BN_to_felem(z1, point->Z)))
 return 0;
 felem_inv(z2, z1);
 felem_square(tmp, z2);
@@ -1928,7 +1943,7 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
 * this is an unusual input, and we don't guarantee
 * constant-timeness
 */
- if (!BN_nnmod(tmp_scalar, p_scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
 goto err;
 }
@@ -1937,9 +1952,9 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
 num_bytes = BN_bn2bin(p_scalar, tmp);
 flip_endian(secrets[i], tmp, num_bytes);
 /* precompute multiples */
- if ((!BN_to_felem(x_out, &p->X)) ||
- (!BN_to_felem(y_out, &p->Y)) ||
- (!BN_to_felem(z_out, &p->Z)))
+ if ((!BN_to_felem(x_out, p->X)) ||
+ (!BN_to_felem(y_out, p->Y)) ||
+ (!BN_to_felem(z_out, p->Z)))
 goto err;
 memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
 memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
@@ -1974,7 +1989,7 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
 * this is an unusual input, and we don't guarantee
 * constant-timeness
 */
- if (!BN_nnmod(tmp_scalar, scalar, &group->order, ctx)) {
+ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
 ECerr(EC_F_EC_GFP_NISTP521_POINTS_MUL, ERR_R_BN_LIB);
 goto err;
 }
@@ -2058,9 +2073,9 @@ int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ret = 1; goto err; } - if ((!BN_to_felem(pre->g_pre_comp[1][0], &group->generator->X)) || - (!BN_to_felem(pre->g_pre_comp[1][1], &group->generator->Y)) || - (!BN_to_felem(pre->g_pre_comp[1][2], &group->generator->Z))) + if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) || + (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) || + (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z))) goto err; /* compute 2^130*G, 2^260*G, 2^390*G */ for (i = 1; i <= 4; i <<= 1) { From appro at openssl.org Mon Apr 20 12:49:57 2015 From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 12:49:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429534197.515863.548.nullmailer@dev.openssl.org> The branch master has been updated via 5a3d915d77a6083b886eb7de6d31b370bafb4818 (commit) from 4eb504aedf49a4acb55fa0a4fa9942d241ca8230 (commit) - Log ----------------------------------------------------------------- commit 5a3d915d77a6083b886eb7de6d31b370bafb4818 Author: Andy Polyakov Date: Thu Apr 2 23:18:10 2015 +0200 Configure: add initial support for 64-bit Android. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index aa4c76a..a26fc6e 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -816,6 +816,18 @@ perlasm_scheme => "o32", }, + "android64" => { + inherit_from => [ "linux-generic64" ], + cflags => "-mandroid -fPIC --sysroot=\$(CROSS_SYSROOT) -Wa,--noexecstack -Wall", + debug_cflags => "-O0 -g", + lflags => "-pie%-ldl", + shared_cflag => "", + }, + "android64-aarch64" => { + inherit_from => [ "android64", asm("aarch64_asm") ], + perlasm_scheme => "linux64", + }, + #### *BSD "BSD-generic32" => { # As for thread_cflag. Idea is to maintain "collective" set of From appro at openssl.org Mon Apr 20 12:58:45 2015 From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 12:58:45 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429534725.477815.2394.nullmailer@dev.openssl.org> The branch master has been updated via cc98b998b82c4cf4e83ccaf4c3cc4963d2f9eace (commit) via e1613e7c0c692bd9071e04e8fcf1b2a18ebebf0c (commit) from 5a3d915d77a6083b886eb7de6d31b370bafb4818 (commit) - Log ----------------------------------------------------------------- commit cc98b998b82c4cf4e83ccaf4c3cc4963d2f9eace Author: Andy Polyakov Date: Mon Apr 20 14:58:01 2015 +0200 Configure: Engage ecp_nistz256-armv8 module. Reviewed-by: Richard Levitte commit e1613e7c0c692bd9071e04e8fcf1b2a18ebebf0c Author: Andy Polyakov Date: Sun Feb 15 22:26:08 2015 +0100 Add ecp_nistz256-armv8 module. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Configure | 1 + crypto/ec/Makefile | 1 + crypto/ec/asm/ecp_nistz256-armv8.pl | 1567 +++++++++++++++++++++++++++++++++++ 3 files changed, 1569 insertions(+) create mode 100644 crypto/ec/asm/ecp_nistz256-armv8.pl diff --git a/Configure b/Configure index 95a9d3b..ba18ac3 100755 --- a/Configure +++ b/Configure 
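Review bot: The new "android64" target marks the stack non-executable (`-Wa,--noexecstack`) and links with `-pie`, but its `cflags` carry no stack-protector option and its `lflags` no RELRO or immediate-binding option. Whether the toolchain defaults or the inherited "linux-generic64" settings supply these is not visible in the hunk, so stating them here would make the target's hardening explicit: `cflags => "-mandroid -fPIC --sysroot=\$(CROSS_SYSROOT) -Wa,--noexecstack -fstack-protector -Wall",` and `lflags => "-pie -Wl,-z,relro -Wl,-z,now%-ldl",`. The entry also sets `debug_cflags` without a matching `release_cflags`, so it is worth confirming that a non-debug build still gets an optimisation level from the parent target.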
@@ -425,6 +425,7 @@ my %table=( aarch64_asm => { template => 1, cpuid_obj => "armcap.o arm64cpuid.o mem_clr.o", + ec_obj => "ecp_nistz256.o ecp_nistz256-armv8.o", bn_obj => "bn_asm.o armv8-mont.o", aes_obj => "aes_core.o aes_cbc.o aesv8-armx.o vpaes-armv8.o", sha1_obj => "sha1-armv8.o sha256-armv8.o sha512-armv8.o", diff --git a/crypto/ec/Makefile b/crypto/ec/Makefile index 5425967..fa2fc4c 100644 --- a/crypto/ec/Makefile +++ b/crypto/ec/Makefile @@ -56,6 +56,7 @@ ecp_nistz256-avx2.s: asm/ecp_nistz256-avx2.pl ecp_nistz256-%.S: asm/ecp_nistz256-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@ ecp_nistz256-armv4.o: ecp_nistz256-armv4.S +ecp_nistz256-armv8.o: ecp_nistz256-armv8.S files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO diff --git a/crypto/ec/asm/ecp_nistz256-armv8.pl b/crypto/ec/asm/ecp_nistz256-armv8.pl new file mode 100644 index 0000000..1c9eb6b --- /dev/null +++ b/crypto/ec/asm/ecp_nistz256-armv8.pl 
@@ -0,0 +1,1567 @@ +#!/usr/bin/env perl + +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# ==================================================================== +# +# ECP_NISTZ256 module for ARMv8. +# +# February 2015. +# +# Original ECP_NISTZ256 submission targeting x86_64 is detailed in +# http://eprint.iacr.org/2013/816. +# +# with/without -DECP_NISTZ256_ASM(*) +# Apple A7 +140-590% +# Cortex-A53 +135-720% +# Cortex-A57 +145-570% +# X-Gene +120-700% +# Denver +150-740% +# +# (*) comparison is not really "fair", because it's compared to C +# implementation, unlike other similar cases that is; +# +# Ranges denote minimum and maximum improvement coefficients depending +# on benchmark. Lower coefficients are for ECDSA sign, server-side +# operation. Keep in mind that +500% means 6x improvement. 
+ +$flavour = shift; +while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +{ +my ($rp,$ap,$bp,$bi,$a0,$a1,$a2,$a3,$t0,$t1,$t2,$t3,$poly1,$poly3, + $acc0,$acc1,$acc2,$acc3,$acc4,$acc5) = + map("x$_",(0..17,19,20)); + +my ($acc6,$acc7)=($ap,$bp); # used in __ecp_nistz256_sqr_mont + +$code.=<<___; +#include "arm_arch.h" + +.text +___ +######################################################################## +# Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7 +# +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +open TABLE,") { + s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo; +} +close TABLE; + +# See ecp_nistz256_table.c for explanation for why it's 64*16*37. +# 64*16*37-1 is because $#arr returns last valid index or @arr, not +# amount of elements. 
+die "insane number of elements" if ($#arr != 64*16*37-1); + +$code.=<<___; +.globl ecp_nistz256_precomputed +.type ecp_nistz256_precomputed,%object +.align 12 +ecp_nistz256_precomputed: +___ +######################################################################## +# this conversion smashes P256_POINT_AFFINE by individual bytes with +# 64 byte interval, similar to +# 1111222233334444 +# 1234123412341234 +for(1..37) { + @tbl = splice(@arr,0,64*16); + for($i=0;$i<64;$i++) { + undef @line; + for($j=0;$j<64;$j++) { + push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff; + } + $code.=".byte\t"; + $code.=join(',',map { sprintf "0x%02x",$_} @line); + $code.="\n"; + } +} +$code.=<<___; +.size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed +.align 5 +.Lpoly: +.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 +.LRR: // 2^512 mod P precomputed for NIST P256 polynomial +.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd +.Lone_mont: +.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe +.Lone: +.quad 1,0,0,0 +.asciz "ECP_NISTZ256 for ARMv8, CRYPTOGAMS by " + +// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_to_mont +.type ecp_nistz256_to_mont,%function +.align 6 +ecp_nistz256_to_mont: + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr $bi,.LRR // bp[0] + ldp $a0,$a1,[$ap] + ldp $a2,$a3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + adr $bp,.LRR // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + ret +.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont + +// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_from_mont +.type ecp_nistz256_from_mont,%function +.align 4 +ecp_nistz256_from_mont: + stp x29,x30,[sp,#-32]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + + mov $bi,#1 // bp[0] + ldp $a0,$a1,[$ap] + ldp $a2,$a3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + adr $bp,.Lone // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + ret +.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont + +// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_mul_mont +.type ecp_nistz256_mul_mont,%function +.align 4 +ecp_nistz256_mul_mont: + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr $bi,[$bp] // bp[0] + ldp $a0,$a1,[$ap] + ldp $a2,$a3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + ret +.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont + +// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_sqr_mont +.type ecp_nistz256_sqr_mont,%function +.align 4 +ecp_nistz256_sqr_mont: + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldp $a0,$a1,[$ap] + ldp $a2,$a3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_sqr_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + ret +.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont + +// void ecp_nistz256_add(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_add +.type ecp_nistz256_add,%function +.align 4 +ecp_nistz256_add: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp $acc0,$acc1,[$ap] + ldp $t0,$t1,[$bp] + ldp $acc2,$acc3,[$ap,#16] + ldp $t2,$t3,[$bp,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_add + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_add,.-ecp_nistz256_add + +// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_div_by_2 +.type ecp_nistz256_div_by_2,%function +.align 4 +ecp_nistz256_div_by_2: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ldp $acc0,$acc1,[$ap] + ldp $acc2,$acc3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_div_by_2 + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 + +// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_2 +.type ecp_nistz256_mul_by_2,%function +.align 4 +ecp_nistz256_mul_by_2: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp $acc0,$acc1,[$ap] + ldp $acc2,$acc3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + mov $t0,$acc0 + mov $t1,$acc1 + mov $t2,$acc2 + mov $t3,$acc3 + + bl __ecp_nistz256_add // ret = a+a // 2*a + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 + +// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_3 +.type ecp_nistz256_mul_by_3,%function +.align 4 +ecp_nistz256_mul_by_3: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp $acc0,$acc1,[$ap] + ldp $acc2,$acc3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + mov $t0,$acc0 + mov $t1,$acc1 + mov $t2,$acc2 + mov $t3,$acc3 + mov $a0,$acc0 + mov $a1,$acc1 + mov $a2,$acc2 + mov $a3,$acc3 + + bl __ecp_nistz256_add // ret = a+a // 2*a + + mov $t0,$a0 + mov $t1,$a1 + mov $t2,$a2 + mov $t3,$a3 + + bl __ecp_nistz256_add // ret += a // 2*a+a=3*a + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 + +// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_sub +.type ecp_nistz256_sub,%function +.align 4 +ecp_nistz256_sub: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ldp $acc0,$acc1,[$ap] + ldp $acc2,$acc3,[$ap,#16] + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_sub,.-ecp_nistz256_sub + +// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_neg +.type ecp_nistz256_neg,%function +.align 4 +ecp_nistz256_neg: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + mov $bp,$ap + mov $acc0,xzr // a = 0 + mov $acc1,xzr + mov $acc2,xzr + mov $acc3,xzr + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + ret +.size ecp_nistz256_neg,.-ecp_nistz256_neg + +// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded +// to $a0-$a3 and b[0] - to $bi +.type __ecp_nistz256_mul_mont,%function +.align 4 +__ecp_nistz256_mul_mont: + mul $acc0,$a0,$bi // a[0]*b[0] + umulh $t0,$a0,$bi + + mul $acc1,$a1,$bi // a[1]*b[0] + umulh $t1,$a1,$bi + + mul $acc2,$a2,$bi // a[2]*b[0] + umulh $t2,$a2,$bi + + mul $acc3,$a3,$bi // a[3]*b[0] + umulh $t3,$a3,$bi + ldr $bi,[$bp,#8] // b[1] + + adds $acc1,$acc1,$t0 // accumulate high parts of multiplication + lsl $t0,$acc0,#32 + adcs $acc2,$acc2,$t1 + lsr $t1,$acc0,#32 + adcs $acc3,$acc3,$t2 + adc $acc4,xzr,$t3 + mov $acc5,xzr +___ +for($i=1;$i<4;$i++) { + # Reduction iteration is normally performed by accumulating + # result of multiplication of modulus by "magic" digit [and + # omitting least significant word, which is guaranteed to + # be 0], but thanks to special form of modulus and "magic" + # digit being equal to least significant word, it can be + # performed with additions and subtractions alone. 
Indeed: + # + # ffff0001.00000000.0000ffff.ffffffff + # * abcdefgh + # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh + # + # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we + # rewrite above as: + # + # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh + # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000 + # - 0000abcd.efgh0000.00000000.00000000.abcdefgh + # + # or marking redundant operations: + # + # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.-------- + # + abcdefgh.abcdefgh.0000abcd.efgh0000.-------- + # - 0000abcd.efgh0000.--------.--------.-------- + +$code.=<<___; + subs $t2,$acc0,$t0 // "*0xffff0001" + sbc $t3,$acc0,$t1 + adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0] + mul $t0,$a0,$bi // lo(a[0]*b[i]) + adcs $acc1,$acc2,$t1 + mul $t1,$a1,$bi // lo(a[1]*b[i]) + adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001 + mul $t2,$a2,$bi // lo(a[2]*b[i]) + adcs $acc3,$acc4,$t3 + mul $t3,$a3,$bi // lo(a[3]*b[i]) + adc $acc4,$acc5,xzr + + adds $acc0,$acc0,$t0 // accumulate low parts of multiplication + umulh $t0,$a0,$bi // hi(a[0]*b[i]) + adcs $acc1,$acc1,$t1 + umulh $t1,$a1,$bi // hi(a[1]*b[i]) + adcs $acc2,$acc2,$t2 + umulh $t2,$a2,$bi // hi(a[2]*b[i]) + adcs $acc3,$acc3,$t3 + umulh $t3,$a3,$bi // hi(a[3]*b[i]) + adc $acc4,$acc4,xzr +___ +$code.=<<___ if ($i<3); + ldr $bi,[$bp,#8*($i+1)] // b[$i+1] +___ +$code.=<<___; + adds $acc1,$acc1,$t0 // accumulate high parts of multiplication + lsl $t0,$acc0,#32 + adcs $acc2,$acc2,$t1 + lsr $t1,$acc0,#32 + adcs $acc3,$acc3,$t2 + adcs $acc4,$acc4,$t3 + adc $acc5,xzr,xzr +___ +} +$code.=<<___; + // last reduction + subs $t2,$acc0,$t0 // "*0xffff0001" + sbc $t3,$acc0,$t1 + adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0] + adcs $acc1,$acc2,$t1 + adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001 + adcs $acc3,$acc4,$t3 + adc $acc4,$acc5,xzr + + adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus + sbcs $t1,$acc1,$poly1 + sbcs $t2,$acc2,xzr + sbcs $t3,$acc3,$poly3 + sbcs xzr,$acc4,xzr // did it borrow? 
+ + csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus + csel $acc1,$acc1,$t1,lo + csel $acc2,$acc2,$t2,lo + stp $acc0,$acc1,[$rp] + csel $acc3,$acc3,$t3,lo + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont + +// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded +// to $a0-$a3 +.type __ecp_nistz256_sqr_mont,%function +.align 4 +__ecp_nistz256_sqr_mont: + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul $acc1,$a1,$a0 // a[1]*a[0] + umulh $t1,$a1,$a0 + mul $acc2,$a2,$a0 // a[2]*a[0] + umulh $t2,$a2,$a0 + mul $acc3,$a3,$a0 // a[3]*a[0] + umulh $acc4,$a3,$a0 + + adds $acc2,$acc2,$t1 // accumulate high parts of multiplication + mul $t0,$a2,$a1 // a[2]*a[1] + umulh $t1,$a2,$a1 + adcs $acc3,$acc3,$t2 + mul $t2,$a3,$a1 // a[3]*a[1] + umulh $t3,$a3,$a1 + adc $acc4,$acc4,xzr // can't overflow + + mul $acc5,$a3,$a2 // a[3]*a[2] + umulh $acc6,$a3,$a2 + + adds $t1,$t1,$t2 // accumulate high parts of multiplication + mul $acc0,$a0,$a0 // a[0]*a[0] + adc $t2,$t3,xzr // can't overflow + + adds $acc3,$acc3,$t0 // accumulate low parts of multiplication + umulh $a0,$a0,$a0 + adcs $acc4,$acc4,$t1 + mul $t1,$a1,$a1 // a[1]*a[1] + adcs $acc5,$acc5,$t2 + umulh $a1,$a1,$a1 + adc $acc6,$acc6,xzr // can't overflow + + adds $acc1,$acc1,$acc1 // acc[1-6]*=2 + mul $t2,$a2,$a2 // a[2]*a[2] + adcs $acc2,$acc2,$acc2 + umulh $a2,$a2,$a2 + adcs $acc3,$acc3,$acc3 + mul $t3,$a3,$a3 // a[3]*a[3] + adcs $acc4,$acc4,$acc4 + umulh $a3,$a3,$a3 + adcs $acc5,$acc5,$acc5 + adcs $acc6,$acc6,$acc6 + adc $acc7,xzr,xzr + + adds $acc1,$acc1,$a0 // +a[i]*a[i] 
+ adcs $acc2,$acc2,$t1 + adcs $acc3,$acc3,$a1 + adcs $acc4,$acc4,$t2 + adcs $acc5,$acc5,$a2 + lsl $t0,$acc0,#32 + adcs $acc6,$acc6,$t3 + lsr $t1,$acc0,#32 + adc $acc7,$acc7,$a3 +___ +for($i=0;$i<3;$i++) { # reductions, see commentary in + # multiplication for details +$code.=<<___; + subs $t2,$acc0,$t0 // "*0xffff0001" + sbc $t3,$acc0,$t1 + adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0] + adcs $acc1,$acc2,$t1 + lsl $t0,$acc0,#32 + adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001 + lsr $t1,$acc0,#32 + adc $acc3,$t3,xzr // can't overflow +___ +} +$code.=<<___; + subs $t2,$acc0,$t0 // "*0xffff0001" + sbc $t3,$acc0,$t1 + adds $acc0,$acc1,$t0 // +=acc[0]<<96 and omit acc[0] + adcs $acc1,$acc2,$t1 + adcs $acc2,$acc3,$t2 // +=acc[0]*0xffff0001 + adc $acc3,$t3,xzr // can't overflow + + adds $acc0,$acc0,$acc4 // accumulate upper half + adcs $acc1,$acc1,$acc5 + adcs $acc2,$acc2,$acc6 + adcs $acc3,$acc3,$acc7 + adc $acc4,xzr,xzr + + adds $t0,$acc0,#1 // subs $t0,$acc0,#-1 // tmp = ret-modulus + sbcs $t1,$acc1,$poly1 + sbcs $t2,$acc2,xzr + sbcs $t3,$acc3,$poly3 + sbcs xzr,$acc4,xzr // did it borrow? + + csel $acc0,$acc0,$t0,lo // ret = borrow ? ret : ret-modulus + csel $acc1,$acc1,$t1,lo + csel $acc2,$acc2,$t2,lo + stp $acc0,$acc1,[$rp] + csel $acc3,$acc3,$t3,lo + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont + +// Note that __ecp_nistz256_add expects both input vectors pre-loaded to +// $a0-$a3 and $t0-$t3. This is done because it's used in multiple +// contexts, e.g. in multiplication by 2 and 3... +.type __ecp_nistz256_add,%function +.align 4 +__ecp_nistz256_add: + adds $acc0,$acc0,$t0 // ret = a+b + adcs $acc1,$acc1,$t1 + adcs $acc2,$acc2,$t2 + adcs $acc3,$acc3,$t3 + adc $ap,xzr,xzr // zap $ap + + adds $t0,$acc0,#1 // subs $t0,$a0,#-1 // tmp = ret-modulus + sbcs $t1,$acc1,$poly1 + sbcs $t2,$acc2,xzr + sbc $t3,$acc3,$poly3 + cmp $ap,xzr // did addition carry? + + csel $acc0,$acc0,$t0,eq // ret = carry ? 
ret-modulus : ret + csel $acc1,$acc1,$t1,eq + csel $acc2,$acc2,$t2,eq + stp $acc0,$acc1,[$rp] + csel $acc3,$acc3,$t3,eq + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_add,.-__ecp_nistz256_add + +.type __ecp_nistz256_sub_from,%function +.align 4 +__ecp_nistz256_sub_from: + ldp $t0,$t1,[$bp] + ldp $t2,$t3,[$bp,#16] + subs $acc0,$acc0,$t0 // ret = a-b + sbcs $acc1,$acc1,$t1 + sbcs $acc2,$acc2,$t2 + sbcs $acc3,$acc3,$t3 + sbc $ap,xzr,xzr // zap $ap + + subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus + adcs $t1,$acc1,$poly1 + adcs $t2,$acc2,xzr + adc $t3,$acc3,$poly3 + cmp $ap,xzr // did subtraction borrow? + + csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret + csel $acc1,$acc1,$t1,eq + csel $acc2,$acc2,$t2,eq + stp $acc0,$acc1,[$rp] + csel $acc3,$acc3,$t3,eq + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from + +.type __ecp_nistz256_sub_morf,%function +.align 4 +__ecp_nistz256_sub_morf: + ldp $t0,$t1,[$bp] + ldp $t2,$t3,[$bp,#16] + subs $acc0,$t0,$acc0 // ret = b-a + sbcs $acc1,$t1,$acc1 + sbcs $acc2,$t2,$acc2 + sbcs $acc3,$t3,$acc3 + sbc $ap,xzr,xzr // zap $ap + + subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = ret+modulus + adcs $t1,$acc1,$poly1 + adcs $t2,$acc2,xzr + adc $t3,$acc3,$poly3 + cmp $ap,xzr // did subtraction borrow? + + csel $acc0,$acc0,$t0,eq // ret = borrow ? ret+modulus : ret + csel $acc1,$acc1,$t1,eq + csel $acc2,$acc2,$t2,eq + stp $acc0,$acc1,[$rp] + csel $acc3,$acc3,$t3,eq + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf + +.type __ecp_nistz256_div_by_2,%function +.align 4 +__ecp_nistz256_div_by_2: + subs $t0,$acc0,#1 // adds $t0,$a0,#-1 // tmp = a+modulus + adcs $t1,$acc1,$poly1 + adcs $t2,$acc2,xzr + adcs $t3,$acc3,$poly3 + adc $ap,xzr,xzr // zap $ap + tst $acc0,#1 // is a even? + + csel $acc0,$acc0,$t0,eq // ret = even ? 
a : a+modulus + csel $acc1,$acc1,$t1,eq + csel $acc2,$acc2,$t2,eq + csel $acc3,$acc3,$t3,eq + csel $ap,xzr,$ap,eq + + lsr $acc0,$acc0,#1 // ret >>= 1 + orr $acc0,$acc0,$acc1,lsl#63 + lsr $acc1,$acc1,#1 + orr $acc1,$acc1,$acc2,lsl#63 + lsr $acc2,$acc2,#1 + orr $acc2,$acc2,$acc3,lsl#63 + lsr $acc3,$acc3,#1 + stp $acc0,$acc1,[$rp] + orr $acc3,$acc3,$ap,lsl#63 + stp $acc2,$acc3,[$rp,#16] + + ret +.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2 +___ +######################################################################## +# following subroutines are "literal" implemetation of those found in +# ecp_nistz256.c +# +######################################################################## +# void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp); +# +{ +my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3)); +# above map() describes stack layout with 4 temporary +# 256-bit vectors on top. +my ($rp_real,$ap_real) = map("x$_",(21,22)); + +$code.=<<___; +.globl ecp_nistz256_point_double +.type ecp_nistz256_point_double,%function +.align 5 +ecp_nistz256_point_double: + stp x29,x30,[sp,#-48]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + sub sp,sp,#32*4 + + ldp $acc0,$acc1,[$ap,#32] + mov $rp_real,$rp + ldp $acc2,$acc3,[$ap,#48] + mov $ap_real,$ap + ldr $poly1,.Lpoly+8 + mov $t0,$acc0 + ldr $poly3,.Lpoly+24 + mov $t1,$acc1 + ldp $a0,$a1,[$ap_real,#64] // forward load for p256_sqr_mont + mov $t2,$acc2 + mov $t3,$acc3 + ldp $a2,$a3,[$ap_real,#64+16] + add $rp,sp,#$S + bl __ecp_nistz256_add // p256_mul_by_2(S, in_y); + + add $rp,sp,#$Zsqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); + + ldp $t0,$t1,[$ap_real] + ldp $t2,$t3,[$ap_real,#16] + mov $a0,$acc0 // put Zsqr aside for p256_sub + mov $a1,$acc1 + mov $a2,$acc2 + mov $a3,$acc3 + add $rp,sp,#$M + bl __ecp_nistz256_add // p256_add(M, Zsqr, in_x); + + add $bp,$ap_real,#0 + mov $acc0,$a0 // restore Zsqr + mov $acc1,$a1 + ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont + mov $acc2,$a2 + mov $acc3,$a3 + ldp $a2,$a3,[sp,#$S+16] + add $rp,sp,#$Zsqr + bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); + + add $rp,sp,#$S + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); + + ldr $bi,[$ap_real,#32] + ldp $a0,$a1,[$ap_real,#64] + ldp $a2,$a3,[$ap_real,#64+16] + add $bp,$ap_real,#32 + add $rp,sp,#$tmp0 + bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); + + mov $t0,$acc0 + mov $t1,$acc1 + ldp $a0,$a1,[sp,#$S] // forward load for p256_sqr_mont + mov $t2,$acc2 + mov $t3,$acc3 + ldp $a2,$a3,[sp,#$S+16] + add $rp,$rp_real,#64 + bl __ecp_nistz256_add // p256_mul_by_2(res_z, tmp0); + + add $rp,sp,#$tmp0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S); + + ldr $bi,[sp,#$Zsqr] // forward load for p256_mul_mont + ldp $a0,$a1,[sp,#$M] + ldp $a2,$a3,[sp,#$M+16] + add $rp,$rp_real,#32 + bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); + + add $bp,sp,#$Zsqr + add $rp,sp,#$M + bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); + + mov $t0,$acc0 // duplicate M + mov $t1,$acc1 + mov $t2,$acc2 + mov $t3,$acc3 + mov $a0,$acc0 // put M aside + mov 
$a1,$acc1 + mov $a2,$acc2 + mov $a3,$acc3 + add $rp,sp,#$M + bl __ecp_nistz256_add + mov $t0,$a0 // restore M + mov $t1,$a1 + ldr $bi,[$ap_real] // forward load for p256_mul_mont + mov $t2,$a2 + ldp $a0,$a1,[sp,#$S] + mov $t3,$a3 + ldp $a2,$a3,[sp,#$S+16] + bl __ecp_nistz256_add // p256_mul_by_3(M, M); + + add $bp,$ap_real,#0 + add $rp,sp,#$S + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); + + mov $t0,$acc0 + mov $t1,$acc1 + ldp $a0,$a1,[sp,#$M] // forward load for p256_sqr_mont + mov $t2,$acc2 + mov $t3,$acc3 + ldp $a2,$a3,[sp,#$M+16] + add $rp,sp,#$tmp0 + bl __ecp_nistz256_add // p256_mul_by_2(tmp0, S); + + add $rp,$rp_real,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); + + add $bp,sp,#$tmp0 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); + + add $bp,sp,#$S + add $rp,sp,#$S + bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); + + ldr $bi,[sp,#$M] + mov $a0,$acc0 // copy S + mov $a1,$acc1 + mov $a2,$acc2 + mov $a3,$acc3 + add $bp,sp,#$M + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); + + add $bp,$rp_real,#32 + add $rp,$rp_real,#32 + bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x29,x30,[sp],#48 + ret +.size ecp_nistz256_point_double,.-ecp_nistz256_point_double +___ +} + +######################################################################## +# void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT *in2); +{ +my ($res_x,$res_y,$res_z, + $H,$Hsqr,$R,$Rsqr,$Hcub, + $U1,$U2,$S1,$S2)=map(32*$_,(0..11)); +my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr); +# above map() describes stack layout with 12 temporary +# 256-bit vectors on top. +my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26)); + +$code.=<<___; +.globl ecp_nistz256_point_add +.type ecp_nistz256_point_add,%function +.align 5 +ecp_nistz256_point_add: + stp x29,x30,[sp,#-80]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + sub sp,sp,#32*12 + + ldp $a0,$a1,[$bp] + ldp $a2,$a3,[$bp,#16] + ldp $t0,$t1,[$bp,#32] + ldp $t2,$t3,[$bp,#48] + mov $rp_real,$rp + mov $ap_real,$ap + mov $bp_real,$bp + orr $a0,$a0,$a1 + orr $a2,$a2,$a3 + ldp $acc0,$acc1,[$ap] + orr $t0,$t0,$t1 + orr $t2,$t2,$t3 + ldp $acc2,$acc3,[$ap,#16] + orr $a0,$a0,$a2 + orr $t2,$t0,$t2 + ldp $t0,$t1,[$ap,#32] + orr $in2infty,$a0,$t2 + cmp $in2infty,#0 + ldp $t2,$t3,[$ap,#48] + csetm $in2infty,ne // !in2infty + + ldp $a0,$a1,[$bp_real,#64] // forward load for p256_sqr_mont + orr $acc0,$acc0,$acc1 + orr $acc2,$acc2,$acc3 + ldp $a2,$a3,[$bp_real,#64+16] + orr $t0,$t0,$t1 + orr $t2,$t2,$t3 + orr $acc0,$acc0,$acc2 + orr $t0,$t0,$t2 + orr $in1infty,$acc0,$t0 + cmp $in1infty,#0 + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + csetm $in1infty,ne // !in1infty + + add $rp,sp,#$Z2sqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); + + ldp $a0,$a1,[$ap_real,#64] + ldp $a2,$a3,[$ap_real,#64+16] + add $rp,sp,#$Z1sqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + ldr $bi,[$bp_real,#64] + ldp $a0,$a1,[sp,#$Z2sqr] + ldp $a2,$a3,[sp,#$Z2sqr+16] + add $bp,$bp_real,#64 + add $rp,sp,#$S1 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); + + ldr $bi,[$ap_real,#64] + ldp $a0,$a1,[sp,#$Z1sqr] + ldp $a2,$a3,[sp,#$Z1sqr+16] + add $bp,$ap_real,#64 + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr $bi,[$ap_real,#32] + ldp $a0,$a1,[sp,#$S1] + ldp $a2,$a3,[sp,#$S1+16] + add $bp,$ap_real,#32 + add $rp,sp,#$S1 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); + + ldr $bi,[$bp_real,#32] + ldp $a0,$a1,[sp,#$S2] + ldp $a2,$a3,[sp,#$S2+16] + add $bp,$bp_real,#32 + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add $bp,sp,#$S1 + ldr $bi,[sp,#$Z2sqr] // forward load for p256_mul_mont + ldp $a0,$a1,[$ap_real] + ldp 
$a2,$a3,[$ap_real,#16] + add $rp,sp,#$R + bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); + + orr $acc0,$acc0,$acc1 // see if result is zero + orr $acc2,$acc2,$acc3 + orr $temp,$acc0,$acc2 + + add $bp,sp,#$Z2sqr + add $rp,sp,#$U1 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); + + ldr $bi,[sp,#$Z1sqr] + ldp $a0,$a1,[$bp_real] + ldp $a2,$a3,[$bp_real,#16] + add $bp,sp,#$Z1sqr + add $rp,sp,#$U2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); + + add $bp,sp,#$U1 + ldp $a0,$a1,[sp,#$R] // forward load for p256_sqr_mont + ldp $a2,$a3,[sp,#$R+16] + add $rp,sp,#$H + bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); + + orr $acc0,$acc0,$acc1 // see if result is zero + orr $acc2,$acc2,$acc3 + orr $acc0,$acc0,$acc2 + tst $acc0,$acc0 + b.ne .Ladd_proceed // is_equal(U1,U2)? + + tst $in1infty,$in2infty + b.eq .Ladd_proceed // (in1infty || in2infty)? + + tst $temp,$temp + b.eq .Ladd_proceed // is_equal(S1,S2)? + + eor $a0,$a0,$a0 + eor $a1,$a1,$a1 + stp $a0,$a1,[$rp_real] + stp $a0,$a1,[$rp_real,#16] + stp $a0,$a1,[$rp_real,#32] + stp $a0,$a1,[$rp_real,#48] + stp $a0,$a1,[$rp_real,#64] + stp $a0,$a1,[$rp_real,#80] + b .Ladd_done + +.align 4 +.Ladd_proceed: + add $rp,sp,#$Rsqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr $bi,[$ap_real,#64] + ldp $a0,$a1,[sp,#$H] + ldp $a2,$a3,[sp,#$H+16] + add $bp,$ap_real,#64 + add $rp,sp,#$res_z + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldp $a0,$a1,[sp,#$H] + ldp $a2,$a3,[sp,#$H+16] + add $rp,sp,#$Hsqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldr $bi,[$bp_real,#64] + ldp $a0,$a1,[sp,#$res_z] + ldp $a2,$a3,[sp,#$res_z+16] + add $bp,$bp_real,#64 + add $rp,sp,#$res_z + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); + + ldr $bi,[sp,#$H] + ldp $a0,$a1,[sp,#$Hsqr] + ldp $a2,$a3,[sp,#$Hsqr+16] + add $bp,sp,#$H + add $rp,sp,#$Hcub + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr $bi,[sp,#$Hsqr] + ldp 
$a0,$a1,[sp,#$U1] + ldp $a2,$a3,[sp,#$U1+16] + add $bp,sp,#$Hsqr + add $rp,sp,#$U2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); + + mov $t0,$acc0 + mov $t1,$acc1 + mov $t2,$acc2 + mov $t3,$acc3 + add $rp,sp,#$Hsqr + bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2); + + add $bp,sp,#$Rsqr + add $rp,sp,#$res_x + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add $bp,sp,#$Hcub + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add $bp,sp,#$U2 + ldr $bi,[sp,#$Hcub] // forward load for p256_mul_mont + ldp $a0,$a1,[sp,#$S1] + ldp $a2,$a3,[sp,#$S1+16] + add $rp,sp,#$res_y + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add $bp,sp,#$Hcub + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); + + ldr $bi,[sp,#$R] + ldp $a0,$a1,[sp,#$res_y] + ldp $a2,$a3,[sp,#$res_y+16] + add $bp,sp,#$R + add $rp,sp,#$res_y + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add $bp,sp,#$S2 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp $a0,$a1,[sp,#$res_x] // res + ldp $a2,$a3,[sp,#$res_x+16] + ldp $t0,$t1,[$bp_real] // in2 + ldp $t2,$t3,[$bp_real,#16] +___ +for($i=0;$i<64;$i+=32) { # conditional moves +$code.=<<___; + ldp $acc0,$acc1,[$ap_real,#$i] // in1 + cmp $in1infty,#0 // !$in1intfy, remember? + ldp $acc2,$acc3,[$ap_real,#$i+16] + csel $t0,$a0,$t0,ne + csel $t1,$a1,$t1,ne + ldp $a0,$a1,[sp,#$res_x+$i+32] // res + csel $t2,$a2,$t2,ne + csel $t3,$a3,$t3,ne + cmp $in2infty,#0 // !$in2intfy, remember? + ldp $a2,$a3,[sp,#$res_x+$i+48] + csel $acc0,$t0,$acc0,ne + csel $acc1,$t1,$acc1,ne + ldp $t0,$t1,[$bp_real,#$i+32] // in2 + csel $acc2,$t2,$acc2,ne + csel $acc3,$t3,$acc3,ne + ldp $t2,$t3,[$bp_real,#$i+48] + stp $acc0,$acc1,[$rp_real,#$i] + stp $acc2,$acc3,[$rp_real,#$i+16] +___ +} +$code.=<<___; + ldp $acc0,$acc1,[$ap_real,#$i] // in1 + cmp $in1infty,#0 // !$in1intfy, remember? 
+ ldp $acc2,$acc3,[$ap_real,#$i+16] + csel $t0,$a0,$t0,ne + csel $t1,$a1,$t1,ne + csel $t2,$a2,$t2,ne + csel $t3,$a3,$t3,ne + cmp $in2infty,#0 // !$in2intfy, remember? + csel $acc0,$t0,$acc0,ne + csel $acc1,$t1,$acc1,ne + csel $acc2,$t2,$acc2,ne + csel $acc3,$t3,$acc3,ne + stp $acc0,$acc1,[$rp_real,#$i] + stp $acc2,$acc3,[$rp_real,#$i+16] + +.Ladd_done: + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 + ret +.size ecp_nistz256_point_add,.-ecp_nistz256_point_add +___ +} + +######################################################################## +# void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT_AFFINE *in2); +{ +my ($res_x,$res_y,$res_z, + $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9)); +my $Z1sqr = $S2; +# above map() describes stack layout with 10 temporary +# 256-bit vectors on top. +my ($rp_real,$ap_real,$bp_real,$in1infty,$in2infty,$temp)=map("x$_",(21..26)); + +$code.=<<___; +.globl ecp_nistz256_point_add_affine +.type ecp_nistz256_point_add_affine,%function +.align 5 +ecp_nistz256_point_add_affine: + stp x29,x30,[sp,#-80]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + sub sp,sp,#32*10 + + mov $rp_real,$rp + mov $ap_real,$ap + mov $bp_real,$bp + ldr $poly1,.Lpoly+8 + ldr $poly3,.Lpoly+24 + + ldp $a0,$a1,[$ap] + ldp $a2,$a3,[$ap,#16] + ldp $t0,$t1,[$ap,#32] + ldp $t2,$t3,[$ap,#48] + orr $a0,$a0,$a1 + orr $a2,$a2,$a3 + orr $t0,$t0,$t1 + orr $t2,$t2,$t3 + orr $a0,$a0,$a2 + orr $t0,$t0,$t2 + orr $in1infty,$a0,$t0 + cmp $in1infty,#0 + csetm $in1infty,ne // !in1infty + + ldp $a0,$a1,[$bp] + ldp $a2,$a3,[$bp,#16] + ldp $t0,$t1,[$bp,#32] + ldp $t2,$t3,[$bp,#48] + orr $a0,$a0,$a1 + orr $a2,$a2,$a3 + orr $t0,$t0,$t1 + orr $t2,$t2,$t3 + orr $a0,$a0,$a2 + orr $t0,$t0,$t2 + orr $in2infty,$a0,$t0 + cmp $in2infty,#0 + csetm $in2infty,ne // !in2infty + + ldp $a0,$a1,[$ap_real,#64] + ldp $a2,$a3,[$ap_real,#64+16] + add $rp,sp,#$Z1sqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + mov $a0,$acc0 + mov $a1,$acc1 + mov $a2,$acc2 + mov $a3,$acc3 + ldr $bi,[$bp_real] + add $bp,$bp_real,#0 + add $rp,sp,#$U2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); + + add $bp,$ap_real,#0 + ldr $bi,[$ap_real,#64] // forward load for p256_mul_mont + ldp $a0,$a1,[sp,#$Z1sqr] + ldp $a2,$a3,[sp,#$Z1sqr+16] + add $rp,sp,#$H + bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); + + add $bp,$ap_real,#64 + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr $bi,[$ap_real,#64] + ldp $a0,$a1,[sp,#$H] + ldp $a2,$a3,[sp,#$H+16] + add $bp,$ap_real,#64 + add $rp,sp,#$res_z + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldr $bi,[$bp_real,#32] + ldp $a0,$a1,[sp,#$S2] + ldp $a2,$a3,[sp,#$S2+16] + add $bp,$bp_real,#32 + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add $bp,$ap_real,#32 + ldp $a0,$a1,[sp,#$H] // forward load for p256_sqr_mont + ldp $a2,$a3,[sp,#$H+16] + add $rp,sp,#$R + bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); + + 
add $rp,sp,#$Hsqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldp $a0,$a1,[sp,#$R] + ldp $a2,$a3,[sp,#$R+16] + add $rp,sp,#$Rsqr + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr $bi,[sp,#$H] + ldp $a0,$a1,[sp,#$Hsqr] + ldp $a2,$a3,[sp,#$Hsqr+16] + add $bp,sp,#$H + add $rp,sp,#$Hcub + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr $bi,[$ap_real] + ldp $a0,$a1,[sp,#$Hsqr] + ldp $a2,$a3,[sp,#$Hsqr+16] + add $bp,$ap_real,#0 + add $rp,sp,#$U2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); + + mov $t0,$acc0 + mov $t1,$acc1 + mov $t2,$acc2 + mov $t3,$acc3 + add $rp,sp,#$Hsqr + bl __ecp_nistz256_add // p256_mul_by_2(Hsqr, U2); + + add $bp,sp,#$Rsqr + add $rp,sp,#$res_x + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add $bp,sp,#$Hcub + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add $bp,sp,#$U2 + ldr $bi,[$ap_real,#32] // forward load for p256_mul_mont + ldp $a0,$a1,[sp,#$Hcub] + ldp $a2,$a3,[sp,#$Hcub+16] + add $rp,sp,#$res_y + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add $bp,$ap_real,#32 + add $rp,sp,#$S2 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); + + ldr $bi,[sp,#$R] + ldp $a0,$a1,[sp,#$res_y] + ldp $a2,$a3,[sp,#$res_y+16] + add $bp,sp,#$R + add $rp,sp,#$res_y + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add $bp,sp,#$S2 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp $a0,$a1,[sp,#$res_x] // res + ldp $a2,$a3,[sp,#$res_x+16] + ldp $t0,$t1,[$bp_real] // in2 + ldp $t2,$t3,[$bp_real,#16] +___ +for($i=0;$i<64;$i+=32) { # conditional moves +$code.=<<___; + ldp $acc0,$acc1,[$ap_real,#$i] // in1 + cmp $in1infty,#0 // !$in1intfy, remember? + ldp $acc2,$acc3,[$ap_real,#$i+16] + csel $t0,$a0,$t0,ne + csel $t1,$a1,$t1,ne + ldp $a0,$a1,[sp,#$res_x+$i+32] // res + csel $t2,$a2,$t2,ne + csel $t3,$a3,$t3,ne + cmp $in2infty,#0 // !$in2intfy, remember? 
+ ldp $a2,$a3,[sp,#$res_x+$i+48] + csel $acc0,$t0,$acc0,ne + csel $acc1,$t1,$acc1,ne + ldp $t0,$t1,[$bp_real,#$i+32] // in2 + csel $acc2,$t2,$acc2,ne + csel $acc3,$t3,$acc3,ne + ldp $t2,$t3,[$bp_real,#$i+48] + stp $acc0,$acc1,[$rp_real,#$i] + stp $acc2,$acc3,[$rp_real,#$i+16] +___ +} +$code.=<<___; + ldp $acc0,$acc1,[$ap_real,#$i] // in1 + cmp $in1infty,#0 // !$in1intfy, remember? + ldp $acc2,$acc3,[$ap_real,#$i+16] + csel $t0,$a0,$t0,ne + csel $t1,$a1,$t1,ne + csel $t2,$a2,$t2,ne + csel $t3,$a3,$t3,ne + cmp $in2infty,#0 // !$in2intfy, remember? + csel $acc0,$t0,$acc0,ne + csel $acc1,$t1,$acc1,ne + csel $acc2,$t2,$acc2,ne + csel $acc3,$t3,$acc3,ne + stp $acc0,$acc1,[$rp_real,#$i] + stp $acc2,$acc3,[$rp_real,#$i+16] + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 + ret +.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine +___ +} } + +######################################################################## +# scatter-gather subroutines +{ +my ($out,$inp,$index,$mask)=map("x$_",(0..3)); +$code.=<<___; +// void ecp_nistz256_scatter_w5(void *x0,const P256_POINT *x1, +// int x2); +.globl ecp_nistz256_scatter_w5 +.type ecp_nistz256_scatter_w5,%function +.align 4 +ecp_nistz256_scatter_w5: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + add $out,$out,$index,lsl#2 + + ldp x4,x5,[$inp] // X + ldp x6,x7,[$inp,#16] + str w4,[$out,#64*0-4] + lsr x4,x4,#32 + str w5,[$out,#64*1-4] + lsr x5,x5,#32 + str w6,[$out,#64*2-4] + lsr x6,x6,#32 + str w7,[$out,#64*3-4] + lsr x7,x7,#32 + str w4,[$out,#64*4-4] + str w5,[$out,#64*5-4] + str w6,[$out,#64*6-4] + str w7,[$out,#64*7-4] + add $out,$out,#64*8 + + ldp x4,x5,[$inp,#32] // Y + ldp x6,x7,[$inp,#48] + str w4,[$out,#64*0-4] + lsr x4,x4,#32 + str w5,[$out,#64*1-4] + lsr x5,x5,#32 + str w6,[$out,#64*2-4] + lsr x6,x6,#32 + str w7,[$out,#64*3-4] + lsr x7,x7,#32 + str w4,[$out,#64*4-4] + str w5,[$out,#64*5-4] + str w6,[$out,#64*6-4] + str w7,[$out,#64*7-4] + add $out,$out,#64*8 + + ldp x4,x5,[$inp,#64] // Z + ldp x6,x7,[$inp,#80] + str w4,[$out,#64*0-4] + lsr x4,x4,#32 + str w5,[$out,#64*1-4] + lsr x5,x5,#32 + str w6,[$out,#64*2-4] + lsr x6,x6,#32 + str w7,[$out,#64*3-4] + lsr x7,x7,#32 + str w4,[$out,#64*4-4] + str w5,[$out,#64*5-4] + str w6,[$out,#64*6-4] + str w7,[$out,#64*7-4] + + ldr x29,[sp],#16 + ret +.size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5 + +// void ecp_nistz256_gather_w5(P256_POINT *x0,const void *x1, +// int x2); +.globl ecp_nistz256_gather_w5 +.type ecp_nistz256_gather_w5,%function +.align 4 +ecp_nistz256_gather_w5: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + cmp $index,xzr + csetm x3,ne + add $index,$index,x3 + add $inp,$inp,$index,lsl#2 + + ldr w4,[$inp,#64*0] + ldr w5,[$inp,#64*1] + ldr w6,[$inp,#64*2] + ldr w7,[$inp,#64*3] + ldr w8,[$inp,#64*4] + ldr w9,[$inp,#64*5] + ldr w10,[$inp,#64*6] + ldr w11,[$inp,#64*7] + add $inp,$inp,#64*8 + orr x4,x4,x8,lsl#32 + orr x5,x5,x9,lsl#32 + orr x6,x6,x10,lsl#32 + orr x7,x7,x11,lsl#32 + csel x4,x4,xzr,ne + csel x5,x5,xzr,ne + csel x6,x6,xzr,ne + csel x7,x7,xzr,ne + stp x4,x5,[$out] // X + stp x6,x7,[$out,#16] + + ldr w4,[$inp,#64*0] + ldr w5,[$inp,#64*1] + ldr w6,[$inp,#64*2] + ldr w7,[$inp,#64*3] + ldr w8,[$inp,#64*4] + ldr w9,[$inp,#64*5] + ldr w10,[$inp,#64*6] + ldr w11,[$inp,#64*7] + add $inp,$inp,#64*8 + orr x4,x4,x8,lsl#32 + orr x5,x5,x9,lsl#32 + orr x6,x6,x10,lsl#32 + orr x7,x7,x11,lsl#32 + csel x4,x4,xzr,ne + csel x5,x5,xzr,ne + csel x6,x6,xzr,ne + csel x7,x7,xzr,ne + stp x4,x5,[$out,#32] // Y + stp x6,x7,[$out,#48] + + ldr w4,[$inp,#64*0] + ldr w5,[$inp,#64*1] + ldr w6,[$inp,#64*2] + ldr w7,[$inp,#64*3] + ldr w8,[$inp,#64*4] + ldr w9,[$inp,#64*5] + ldr w10,[$inp,#64*6] + ldr w11,[$inp,#64*7] + orr x4,x4,x8,lsl#32 + orr x5,x5,x9,lsl#32 + orr x6,x6,x10,lsl#32 + orr x7,x7,x11,lsl#32 + csel x4,x4,xzr,ne + csel x5,x5,xzr,ne + csel x6,x6,xzr,ne + csel x7,x7,xzr,ne + stp x4,x5,[$out,#64] // Z + stp x6,x7,[$out,#80] + + ldr x29,[sp],#16 + ret +.size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5 + +// void ecp_nistz256_scatter_w7(void *x0,const P256_POINT_AFFINE *x1, +// int x2); +.globl ecp_nistz256_scatter_w7 +.type ecp_nistz256_scatter_w7,%function +.align 4 +ecp_nistz256_scatter_w7: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + add $out,$out,$index + mov $index,#64/8 +.Loop_scatter_w7: + ldr x3,[$inp],#8 + subs $index,$index,#1 + prfm pstl1strm,[$out,#4096+64*0] + prfm pstl1strm,[$out,#4096+64*1] + prfm pstl1strm,[$out,#4096+64*2] + prfm pstl1strm,[$out,#4096+64*3] + prfm pstl1strm,[$out,#4096+64*4] + prfm pstl1strm,[$out,#4096+64*5] + prfm pstl1strm,[$out,#4096+64*6] + prfm pstl1strm,[$out,#4096+64*7] + strb w3,[$out,#64*0-1] + lsr x3,x3,#8 + strb w3,[$out,#64*1-1] + lsr x3,x3,#8 + strb w3,[$out,#64*2-1] + lsr x3,x3,#8 + strb w3,[$out,#64*3-1] + lsr x3,x3,#8 + strb w3,[$out,#64*4-1] + lsr x3,x3,#8 + strb w3,[$out,#64*5-1] + lsr x3,x3,#8 + strb w3,[$out,#64*6-1] + lsr x3,x3,#8 + strb w3,[$out,#64*7-1] + add $out,$out,#64*8 + b.ne .Loop_scatter_w7 + + ldr x29,[sp],#16 + ret +.size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7 + +// void ecp_nistz256_gather_w7(P256_POINT_AFFINE *x0,const void *x1, +// int x2); +.globl ecp_nistz256_gather_w7 +.type ecp_nistz256_gather_w7,%function +.align 4 +ecp_nistz256_gather_w7: + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + cmp $index,xzr + csetm x3,ne + add $index,$index,x3 + add $inp,$inp,$index + mov $index,#64/8 + nop +.Loop_gather_w7: + ldrb w4,[$inp,#64*0] + prfm pldl1strm,[$inp,#4096+64*0] + subs $index,$index,#1 + ldrb w5,[$inp,#64*1] + prfm pldl1strm,[$inp,#4096+64*1] + ldrb w6,[$inp,#64*2] + prfm pldl1strm,[$inp,#4096+64*2] + ldrb w7,[$inp,#64*3] + prfm pldl1strm,[$inp,#4096+64*3] + ldrb w8,[$inp,#64*4] + prfm pldl1strm,[$inp,#4096+64*4] + ldrb w9,[$inp,#64*5] + prfm pldl1strm,[$inp,#4096+64*5] + ldrb w10,[$inp,#64*6] + prfm pldl1strm,[$inp,#4096+64*6] + ldrb w11,[$inp,#64*7] + prfm pldl1strm,[$inp,#4096+64*7] + add $inp,$inp,#64*8 + orr x4,x4,x5,lsl#8 + orr x6,x6,x7,lsl#8 + orr x8,x8,x9,lsl#8 + orr x4,x4,x6,lsl#16 + orr x10,x10,x11,lsl#8 + orr x4,x4,x8,lsl#32 + orr x4,x4,x10,lsl#48 + and x4,x4,x3 + str x4,[$out],#8 + b.ne .Loop_gather_w7 + + ldr x29,[sp],#16 + ret +.size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7 +___ +} + +foreach (split("\n",$code)) { + s/\`([^\`]*)\`/eval $1/ge; + + print $_,"\n"; +} +close STDOUT; # enforce flush From appro at openssl.org Mon Apr 20 13:07:13 2015 
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 13:07:13 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429535233.767260.4177.nullmailer@dev.openssl.org> The branch master has been updated via 313e6ec11fb8a7bda1676ce5804bee8755664141 (commit) from cc98b998b82c4cf4e83ccaf4c3cc4963d2f9eace (commit) - Log ----------------------------------------------------------------- commit 313e6ec11fb8a7bda1676ce5804bee8755664141 Author: Andy Polyakov Date: Thu Apr 2 10:17:42 2015 +0200 Add assembly support for 32-bit iOS. Reviewed-by: Matt Caswell Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 9 ++ crypto/Makefile | 1 + crypto/aes/asm/aes-armv4.pl | 38 +++++-- crypto/aes/asm/bsaes-armv7.pl | 44 +++++++- crypto/armcap.c | 2 +- crypto/{armv4cpuid.S => armv4cpuid.pl} | 27 ++++- crypto/bn/asm/armv4-gf2m.pl | 20 +++- crypto/bn/asm/armv4-mont.pl | 22 +++- crypto/ec/asm/ecp_nistz256-armv4.pl | 184 +++++++++++++++++---------------- crypto/modes/asm/ghash-armv4.pl | 37 +++++-- crypto/perlasm/arm-xlate.pl | 2 +- crypto/sha/asm/sha1-armv4-large.pl | 19 +++- crypto/sha/asm/sha256-armv4.pl | 32 ++++-- crypto/sha/asm/sha512-armv4.pl | 26 ++++- 14 files changed, 327 insertions(+), 136 deletions(-) rename crypto/{armv4cpuid.S => armv4cpuid.pl} (88%) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index a26fc6e..025bd86 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -1391,6 +1391,15 @@ cflags => "-isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common", sys_id => "iOS", }, + "ios-cross" => { + inherit_from => [ "darwin-common", asm("armv4_asm") ], + # It should be possible to go below iOS 6 and even add -arch armv6, + # thus targeting iPhone pre-3GS, but it's assumed to be irrelevant + # at this point (and impossible to download SDK for). + cflags => "-arch armv7 -mios-version-min=6.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common", + sys_id => "iOS", + perlasm_scheme => "ios32", + }, "ios64-cross" => { inherit_from => [ "darwin-common", asm("aarch64_asm") ], cflags => "-arch arm64 -mios-version-min=7.0.0 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fno-common", diff --git a/crypto/Makefile b/crypto/Makefile index ec5af47..5270d75 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -84,6 +84,7 @@ alphacpuid.s: alphacpuid.pl $(PERL) alphacpuid.pl > $$preproc && \ $(CC) -E -P $$preproc > $@ && rm $$preproc) arm64cpuid.S: arm64cpuid.pl; $(PERL) arm64cpuid.pl $(PERLASM_SCHEME) > $@ +armv4cpuid.S: armv4cpuid.pl; $(PERL) armv4cpuid.pl $(PERLASM_SCHEME) > $@ subdirs: @target=all; $(RECURSIVE_MAKE) diff --git a/crypto/aes/asm/aes-armv4.pl b/crypto/aes/asm/aes-armv4.pl index a620a7c..0f7ec39 100644 --- a/crypto/aes/asm/aes-armv4.pl +++ b/crypto/aes/asm/aes-armv4.pl 
@@ -32,8 +32,20 @@ # Profiler-assisted and platform-specific optimization resulted in 16% # improvement on Cortex A8 core and ~21.5 cycles per byte. -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $s0="r0"; $s1="r1"; @@ -62,7 +74,7 @@ $code=<<___; .code 32 #else .syntax unified -# ifdef __thumb2__ +# if defined(__thumb2__) && !defined(__APPLE__) .thumb # else .code 32 @@ -187,9 +199,13 @@ AES_encrypt: adr r3,AES_encrypt #endif stmdb sp!,{r1,r4-r12,lr} +#ifdef __APPLE__ + adr $tbl,AES_Te +#else + sub $tbl,r3,#AES_encrypt-AES_Te @ Te +#endif mov $rounds,r0 @ inp mov $key,r2 - sub $tbl,r3,#AES_encrypt-AES_Te @ Te #if __ARM_ARCH__<7 ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... @@ -457,12 +473,16 @@ _armv4_AES_set_encrypt_key: bne .Labrt .Lok: stmdb sp!,{r4-r12,lr} - sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4 - mov $rounds,r0 @ inp mov lr,r1 @ bits mov $key,r2 @ key +#ifdef __APPLE__ + adr $tbl,AES_Te+1024 @ Te4 +#else + sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4 +#endif + #if __ARM_ARCH__<7 ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... 
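Review bot: Both `open STDOUT` calls added at the top of aes-armv4.pl go unchecked, and the piped form `open STDOUT,"| \"$^X\" $xlate $flavour $output";` passes `$xlate`, `$flavour` and `$output` to the shell unquoted. A build path containing a space or a shell metacharacter is split or reinterpreted on that command line, and a translator that fails to start leaves an empty or truncated assembly file without any error. I would write `open STDOUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"" or die "can't call $xlate: $!";` and add `or die "can't open $output: $!"` to the plain-file branch. The same lines are added in bsaes-armv7.pl, armv4cpuid.pl (which has no plain-file fallback at all) and armv4-gf2m.pl further down.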
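Review bot: In the `__APPLE__` branch of AES_encrypt the table pointer now comes from `adr $tbl,AES_Te`, so the `adr r3,AES_encrypt` kept in the context line above it produces a value that this path does not use, as far as the hunk shows. The same applies to `_armv4_AES_set_encrypt_key` and AES_decrypt, and in bsaes-armv7.pl the new `adr $const,.LM0ISR`, `adr $const,.LM0SR` and `adr $const,.LM0` immediately overwrite the `adr $const,<function>` one line earlier. Moving the first `adr` under the `#else`, or adding a comment such as `@ __APPLE__: table addressed directly, r3 not needed here`, would make the two paths easier to compare. All of these function bodies continue outside their hunks.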
@@ -955,9 +975,13 @@ AES_decrypt: adr r3,AES_decrypt #endif stmdb sp!,{r1,r4-r12,lr} +#ifdef __APPLE__ + adr $tbl,AES_Td +#else + sub $tbl,r3,#AES_decrypt-AES_Td @ Td +#endif mov $rounds,r0 @ inp mov $key,r2 - sub $tbl,r3,#AES_decrypt-AES_Td @ Td #if __ARM_ARCH__<7 ldrb $s0,[$rounds,#3] @ load input data in endian-neutral ldrb $t1,[$rounds,#2] @ manner... diff --git a/crypto/aes/asm/bsaes-armv7.pl b/crypto/aes/asm/bsaes-armv7.pl index a4d3856..043fa38 100644 --- a/crypto/aes/asm/bsaes-armv7.pl +++ b/crypto/aes/asm/bsaes-armv7.pl @@ -47,8 +47,20 @@ # # -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} my ($inp,$out,$len,$key)=("r0","r1","r2","r3"); my @XMM=map("q$_",(0..15)); @@ -715,7 +727,7 @@ $code.=<<___; .text .syntax unified @ ARMv7-capable assembler is expected to handle this -#ifdef __thumb2__ +#if defined(__thumb2__) && !defined(__APPLE__) .thumb #else .code 32 @@ -726,7 +738,11 @@ $code.=<<___; _bsaes_decrypt8: adr $const,_bsaes_decrypt8 vldmia $key!, {@XMM[9]} @ round 0 key +#ifdef __APPLE__ + adr $const,.LM0ISR +#else add $const,$const,#.LM0ISR-_bsaes_decrypt8 +#endif vldmia $const!, {@XMM[8]} @ .LM0ISR veor @XMM[10], @XMM[0], @XMM[9] @ xor with round0 key @@ -821,7 +837,11 @@ _bsaes_const: _bsaes_encrypt8: adr $const,_bsaes_encrypt8 vldmia $key!, {@XMM[9]} @ round 0 key +#ifdef __APPLE__ + adr $const,.LM0SR +#else sub $const,$const,#_bsaes_encrypt8-.LM0SR +#endif vldmia $const!, {@XMM[8]} @ .LM0SR _bsaes_encrypt8_alt: 
@@ -925,7 +945,11 @@ $code.=<<___; _bsaes_key_convert: adr $const,_bsaes_key_convert vld1.8 {@XMM[7]}, [$inp]! @ load round 0 key +#ifdef __APPLE__ + adr $const,.LM0 +#else sub $const,$const,#_bsaes_key_convert-.LM0 +#endif vld1.8 {@XMM[15]}, [$inp]! @ load round 1 key vmov.i8 @XMM[8], #0x01 @ bit masks @@ -1392,7 +1416,12 @@ bsaes_ctr32_encrypt_blocks: vstmia r12, {@XMM[7]} @ save last round key vld1.8 {@XMM[0]}, [$ctr] @ load counter +#ifdef __APPLE__ + mov $ctr, #.LREVM0SR-.LM0 + add $ctr, $const, $ctr +#else add $ctr, $const, #.LREVM0SR-.LM0 @ borrow $ctr +#endif vldmia $keysched, {@XMM[4]} @ load round0 key #else ldr r12, [$key, #244] @@ -1449,7 +1478,12 @@ bsaes_ctr32_encrypt_blocks: vldmia $ctr, {@XMM[8]} @ .LREVM0SR mov r5, $rounds @ pass rounds vstmia $fp, {@XMM[10]} @ save next counter +#ifdef __APPLE__ + mov $const, #.LREVM0SR-.LSR + sub $const, $ctr, $const +#else sub $const, $ctr, #.LREVM0SR-.LSR @ pass constants +#endif bl _bsaes_encrypt8_alt @@ -1550,7 +1584,7 @@ bsaes_ctr32_encrypt_blocks: rev r8, r8 #endif sub sp, sp, #0x10 - vst1.8 {@XMM[1]}, [sp,:64] @ copy counter value + vst1.8 {@XMM[1]}, [sp] @ copy counter value sub sp, sp, #0x10 .Lctr_enc_short_loop: @@ -1561,7 +1595,7 @@ bsaes_ctr32_encrypt_blocks: bl AES_encrypt vld1.8 {@XMM[0]}, [r4]! @ load input - vld1.8 {@XMM[1]}, [sp,:64] @ load encrypted counter + vld1.8 {@XMM[1]}, [sp] @ load encrypted counter add r8, r8, #1 #ifdef __ARMEL__ rev r0, r8 diff --git a/crypto/armcap.c b/crypto/armcap.c index 3dbe574..1afbc9f 100644 --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -3,7 +3,7 @@ #include #include #include -#include +#include #include "arm_arch.h" diff --git a/crypto/armv4cpuid.S b/crypto/armv4cpuid.pl similarity index 88% rename from crypto/armv4cpuid.S rename to crypto/armv4cpuid.pl index 65010ae..1c44718 100644 --- a/crypto/armv4cpuid.S +++ b/crypto/armv4cpuid.pl 
@@ -1,3 +1,17 @@ +#!/usr/bin/env perl + +$flavour = shift; +$output = shift; + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or +( $xlate="${dir}perlasm/arm-xlate.pl" and -f $xlate) or +die "can't locate arm-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +$code.=<<___; #include "arm_arch.h" .text @@ -91,7 +105,11 @@ _armv7_neon_probe: .global _armv7_tick .type _armv7_tick,%function _armv7_tick: +#ifdef __APPLE__ + mrrc p15,0,r0,r1,c14 @ CNTPCT +#else mrrc p15,1,r0,r1,c14 @ CNTVCT +#endif bx lr .size _armv7_tick,.-_armv7_tick @@ -130,6 +148,9 @@ OPENSSL_wipe_cpu: ldr r0,.LOPENSSL_armcap adr r1,.LOPENSSL_armcap ldr r0,[r1,r0] +#ifdef __APPLE__ + ldr r0,[r0] +#endif #endif eor r2,r2,r2 eor r3,r3,r3 @@ -190,7 +211,7 @@ OPENSSL_instrument_bus2: .align 5 #if __ARM_MAX_ARCH__>=7 .LOPENSSL_armcap: -.word OPENSSL_armcap_P-.LOPENSSL_armcap +.word OPENSSL_armcap_P-. #endif #if __ARM_ARCH__>=6 .align 5 @@ -207,3 +228,7 @@ atomic_add_spinlock: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P +___ + +print $code; +close STDOUT; diff --git a/crypto/bn/asm/armv4-gf2m.pl b/crypto/bn/asm/armv4-gf2m.pl index 8f529c9..f05461a 100644 --- a/crypto/bn/asm/armv4-gf2m.pl +++ b/crypto/bn/asm/armv4-gf2m.pl @@ -32,8 +32,20 @@ # # http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $code=<<___; #include "arm_arch.h" 
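Review bot: The `#ifdef __APPLE__` / `ldr r0,[r0]` added after `ldr r0,[r1,r0]` in OPENSSL_wipe_cpu carries no comment saying why the word reached through `.LOPENSSL_armcap` needs a second load on that target. Presumably the PC-relative word resolves there to a pointer slot rather than to `OPENSSL_armcap_P` itself, but the hunk does not say so, and reading the capability word one level off would select the wrong code path. A one-line comment on the added load, for example `@ Apple: first load yields a pointer to OPENSSL_armcap_P` once that is confirmed against arm-xlate.pl, would make it checkable. The same load is added without explanation in the armv4-mont.pl (bn_mul_mont), sha1-armv4-large.pl, sha256-armv4.pl and sha512-armv4.pl hunks.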
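Review bot: `close STDOUT;` at the end of the new armv4cpuid.pl ignores its result although STDOUT is now a pipe to arm-xlate.pl, so a translator that exits non-zero or a short write can leave a truncated assembly file while this script still exits 0. `close STDOUT or die "error closing STDOUT: $!";` reports both cases to the build. Unlike the other scripts in this commit, the first hunk of this file also takes `$flavour` and `$output` with two bare `shift`s and always pipes through arm-xlate.pl, with no `void` or missing-flavour fallback; if that is intentional, a comment next to the `shift`s should say so.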
@@ -213,8 +225,8 @@ $code.=<<___; .align 5 .LNEON: ldr r12, [sp] @ 5th argument - vmov.32 $a, r2, r1 - vmov.32 $b, r12, r3 + vmov $a, r2, r1 + vmov $b, r12, r3 vmov.i64 $k48, #0x0000ffffffffffff vmov.i64 $k32, #0x00000000ffffffff vmov.i64 $k16, #0x000000000000ffff diff --git a/crypto/bn/asm/armv4-mont.pl b/crypto/bn/asm/armv4-mont.pl index 1d330e9..59f218b 100644 --- a/crypto/bn/asm/armv4-mont.pl +++ b/crypto/bn/asm/armv4-mont.pl @@ -38,8 +38,20 @@ # for execution on all NEON-capable processors, because gain on # others outweighs the marginal loss on Cortex-A9. -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $num="r0"; # starts as num argument, but holds &tp[num-1] $ap="r1"; @@ -75,7 +87,7 @@ $code=<<___; #if __ARM_MAX_ARCH__>=7 .align 5 .LOPENSSL_armcap: -.word OPENSSL_armcap_P-bn_mul_mont +.word OPENSSL_armcap_P-.Lbn_mul_mont #endif .global bn_mul_mont @@ -83,6 +95,7 @@ $code=<<___; .align 5 bn_mul_mont: +.Lbn_mul_mont: ldr ip,[sp,#4] @ load num stmdb sp!,{r0,r2} @ sp points at argument block #if __ARM_MAX_ARCH__>=7 @@ -91,6 +104,9 @@ bn_mul_mont: adr r0,bn_mul_mont ldr r2,.LOPENSSL_armcap ldr r0,[r0,r2] +#ifdef __APPLE__ + ldr r0,[r0] +#endif tst r0,#1 @ NEON available? ldmia sp, {r0,r2} beq .Lialu diff --git a/crypto/ec/asm/ecp_nistz256-armv4.pl b/crypto/ec/asm/ecp_nistz256-armv4.pl index 9f5500e..b49b77e 100755 --- a/crypto/ec/asm/ecp_nistz256-armv4.pl +++ b/crypto/ec/asm/ecp_nistz256-armv4.pl 
@@ -27,15 +27,19 @@ # operation. Keep in mind that +200% means 3x improvement. $flavour = shift; -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or -die "can't locate arm-xlate.pl"; - -open OUT,"| \"$^X\" $xlate $flavour $output"; -*STDOUT=*OUT; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $code.=<<___; #include "arm_arch.h" @@ -129,7 +133,7 @@ ecp_nistz256_from_mont: .align 4 ecp_nistz256_mul_by_2: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_mul_by_2 + bl __ecp_nistz256_mul_by_2 #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else @@ -138,9 +142,9 @@ ecp_nistz256_mul_by_2: #endif .size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 -.type _ecp_nistz256_mul_by_2,%function +.type __ecp_nistz256_mul_by_2,%function .align 4 -_ecp_nistz256_mul_by_2: +__ecp_nistz256_mul_by_2: ldr $a0,[$a_ptr,#0] ldr $a1,[$a_ptr,#4] ldr $a2,[$a_ptr,#8] @@ -161,7 +165,7 @@ _ecp_nistz256_mul_by_2: movcs $ff,#-1 @ $ff = carry ? -1 : 0 b .Lreduce_by_sub -.size _ecp_nistz256_mul_by_2,.-_ecp_nistz256_mul_by_2 +.size __ecp_nistz256_mul_by_2,.-__ecp_nistz256_mul_by_2 @ void ecp_nistz256_add(BN_ULONG r0[8],const BN_ULONG r1[8], @ const BN_ULONG r2[8]); @@ -170,7 +174,7 @@ _ecp_nistz256_mul_by_2: .align 4 ecp_nistz256_add: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_add + bl __ecp_nistz256_add #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else 
@@ -179,9 +183,9 @@ ecp_nistz256_add: #endif .size ecp_nistz256_add,.-ecp_nistz256_add -.type _ecp_nistz256_add,%function +.type __ecp_nistz256_add,%function .align 4 -_ecp_nistz256_add: +__ecp_nistz256_add: str lr,[sp,#-4]! @ push lr ldr $a0,[$a_ptr,#0] @@ -239,7 +243,7 @@ _ecp_nistz256_add: str $a7,[$r_ptr,#28] mov pc,lr -.size _ecp_nistz256_add,.-_ecp_nistz256_add +.size __ecp_nistz256_add,.-__ecp_nistz256_add @ void ecp_nistz256_mul_by_3(BN_ULONG r0[8],const BN_ULONG r1[8]); .globl ecp_nistz256_mul_by_3 @@ -247,7 +251,7 @@ _ecp_nistz256_add: .align 4 ecp_nistz256_mul_by_3: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_mul_by_3 + bl __ecp_nistz256_mul_by_3 #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else @@ -256,13 +260,13 @@ ecp_nistz256_mul_by_3: #endif .size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 -.type _ecp_nistz256_mul_by_3,%function +.type __ecp_nistz256_mul_by_3,%function .align 4 -_ecp_nistz256_mul_by_3: +__ecp_nistz256_mul_by_3: str lr,[sp,#-4]! @ push lr @ As multiplication by 3 is performed as 2*n+n, below are inline - @ copies of _ecp_nistz256_mul_by_2 and _ecp_nistz256_add, see + @ copies of __ecp_nistz256_mul_by_2 and __ecp_nistz256_add, see @ corresponding subroutines for details. ldr $a0,[$a_ptr,#0] @@ -326,7 +330,7 @@ _ecp_nistz256_mul_by_3: .align 4 ecp_nistz256_div_by_2: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_div_by_2 + bl __ecp_nistz256_div_by_2 #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else @@ -335,9 +339,9 @@ ecp_nistz256_div_by_2: #endif .size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 -.type _ecp_nistz256_div_by_2,%function +.type __ecp_nistz256_div_by_2,%function .align 4 -_ecp_nistz256_div_by_2: +__ecp_nistz256_div_by_2: @ ret = (a is odd ? a+mod : a) >> 1 ldr $a0,[$a_ptr,#0] 
@@ -392,16 +396,16 @@ _ecp_nistz256_div_by_2: str $a7,[$r_ptr,#28] mov pc,lr -.size _ecp_nistz256_div_by_2,.-_ecp_nistz256_div_by_2 +.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2 @ void ecp_nistz256_sub(BN_ULONG r0[8],const BN_ULONG r1[8], -@ const BN_ULONG r2[8]); +@ const BN_ULONG r2[8]); .globl ecp_nistz256_sub .type ecp_nistz256_sub,%function .align 4 ecp_nistz256_sub: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_sub + bl __ecp_nistz256_sub #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else @@ -410,9 +414,9 @@ ecp_nistz256_sub: #endif .size ecp_nistz256_sub,.-ecp_nistz256_sub -.type _ecp_nistz256_sub,%function +.type __ecp_nistz256_sub,%function .align 4 -_ecp_nistz256_sub: +__ecp_nistz256_sub: str lr,[sp,#-4]! @ push lr ldr $a0,[$a_ptr,#0] @@ -469,7 +473,7 @@ _ecp_nistz256_sub: str $a7,[$r_ptr,#28] mov pc,lr -.size _ecp_nistz256_sub,.-_ecp_nistz256_sub +.size __ecp_nistz256_sub,.-__ecp_nistz256_sub @ void ecp_nistz256_neg(BN_ULONG r0[8],const BN_ULONG r1[8]); .globl ecp_nistz256_neg @@ -477,7 +481,7 @@ _ecp_nistz256_sub: .align 4 ecp_nistz256_neg: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_neg + bl __ecp_nistz256_neg #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else @@ -486,9 +490,9 @@ ecp_nistz256_neg: #endif .size ecp_nistz256_neg,.-ecp_nistz256_neg -.type _ecp_nistz256_neg,%function +.type __ecp_nistz256_neg,%function .align 4 -_ecp_nistz256_neg: +__ecp_nistz256_neg: ldr $a0,[$a_ptr,#0] eor $ff,$ff,$ff ldr $a1,[$a_ptr,#4] @@ -509,7 +513,7 @@ _ecp_nistz256_neg: sbc $ff,$ff,$ff b .Lreduce_by_add -.size _ecp_nistz256_neg,.-_ecp_nistz256_neg +.size __ecp_nistz256_neg,.-__ecp_nistz256_neg ___ { my @acc=map("r$_",(3..11)); @@ -533,7 +537,7 @@ ecp_nistz256_sqr_mont: ecp_nistz256_mul_mont: .Lecp_nistz256_mul_mont: stmdb sp!,{r4-r12,lr} - bl _ecp_nistz256_mul_mont + bl __ecp_nistz256_mul_mont #if __ARM_ARCH__>=5 || !defined(__thumb__) ldmia sp!,{r4-r12,pc} #else 
@@ -542,9 +546,9 @@ ecp_nistz256_mul_mont: #endif .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont -.type _ecp_nistz256_mul_mont,%function +.type __ecp_nistz256_mul_mont,%function .align 4 -_ecp_nistz256_mul_mont: +__ecp_nistz256_mul_mont: stmdb sp!,{r0-r2,lr} @ make a copy of arguments too ldr $bj,[$b_ptr,#0] @ b[0] @@ -675,14 +679,14 @@ $code.=<<___; @ "other way around", namely subtract modulus from result @ and if it borrowed, add modulus back. - subs @acc[1], at acc[1],#-1 @ compare to modulus - sbcs @acc[2], at acc[2],#-1 - sbcs @acc[3], at acc[3],#-1 + adds @acc[1], at acc[1],#1 @ subs @acc[1], at acc[1],#-1 + adcs @acc[2], at acc[2],#0 @ sbcs @acc[2], at acc[2],#-1 + adcs @acc[3], at acc[3],#0 @ sbcs @acc[3], at acc[3],#-1 sbcs @acc[4], at acc[4],#0 sbcs @acc[5], at acc[5],#0 sbcs @acc[6], at acc[6],#0 sbcs @acc[7], at acc[7],#1 - sbcs @acc[8], at acc[8],#-1 + adcs @acc[8], at acc[8],#0 @ sbcs @acc[8], at acc[8],#-1 ldr lr,[sp,#44] @ restore lr sbc @acc[0], at acc[0],#0 @ broadcast borrow bit add sp,sp,#48 @@ -710,7 +714,7 @@ $code.=<<___; str @acc[8],[$r_ptr,#28] mov pc,lr -.size _ecp_nistz256_mul_mont,.-_ecp_nistz256_mul_mont +.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont ___ } @@ -1064,7 +1068,7 @@ ___ {{{ ######################################################################## # Below $aN assignment matches order in which 256-bit result appears in -# register bank at return from _ecp_nistz256_mul_mont, so that we can +# register bank at return from __ecp_nistz256_mul_mont, so that we can # skip over reloading it from memory. This means that below functions # use custom calling sequence accepting 256-bit input in registers, # output pointer in r0, $r_ptr, and optional pointer in r2, $b_ptr. 
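Review bot: The final reduction in `__ecp_nistz256_mul_mont` now runs one flag chain through `adds`/`adcs` and `sbcs`, and the only explanation is the old mnemonic left as a trailing comment. The replacement is exact, since subtracting `#-1` with borrow gives the same result and carry flag as adding `#1` (or `#0` with carry), but a reader auditing the modular reduction has to rederive that and cannot tell why the form was changed. I would add above the block `@ subs/sbcs with #-1 == adds/adcs with #1/#0: same result, same C flag` plus a second comment line naming the assembler that needs the rewritten immediates. The routine starts and ends outside this hunk.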
@@ -1164,9 +1168,9 @@ __ecp_nistz256_sub_morf: mov pc,lr .size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf -.type __ecp_nistz256_mul_by_2,%function +.type __ecp_nistz256_add_self,%function .align 4 -__ecp_nistz256_mul_by_2: +__ecp_nistz256_add_self: adds $a0,$a0,$a0 @ a[0:7]+=a[0:7] adcs $a1,$a1,$a1 adcs $a2,$a2,$a2 @@ -1196,7 +1200,7 @@ __ecp_nistz256_mul_by_2: str $a7,[$r_ptr,#28] mov pc,lr -.size __ecp_nistz256_mul_by_2,.-__ecp_nistz256_mul_by_2 +.size __ecp_nistz256_add_self,.-__ecp_nistz256_add_self ___ 
@@ -1227,69 +1231,69 @@ ecp_nistz256_point_double: stmia r3,{r4-r11} add $r_ptr,sp,#$S - bl _ecp_nistz256_mul_by_2 @ p256_mul_by_2(S, in_y); + bl __ecp_nistz256_mul_by_2 @ p256_mul_by_2(S, in_y); add $b_ptr,$a_ptr,#32 add $a_ptr,$a_ptr,#32 add $r_ptr,sp,#$Zsqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Zsqr, in_z); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Zsqr, in_z); add $a_ptr,sp,#$S add $b_ptr,sp,#$S add $r_ptr,sp,#$S - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(S, S); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(S, S); ldr $b_ptr,[sp,#32*5+4] add $a_ptr,$b_ptr,#32 add $b_ptr,$b_ptr,#64 add $r_ptr,sp,#$tmp0 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(tmp0, in_z, in_y); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(tmp0, in_z, in_y); ldr $r_ptr,[sp,#32*5] add $r_ptr,$r_ptr,#64 - bl __ecp_nistz256_mul_by_2 @ p256_mul_by_2(res_z, tmp0); + bl __ecp_nistz256_add_self @ p256_mul_by_2(res_z, tmp0); add $a_ptr,sp,#$in_x add $b_ptr,sp,#$Zsqr add $r_ptr,sp,#$M - bl _ecp_nistz256_add @ p256_add(M, in_x, Zsqr); + bl __ecp_nistz256_add @ p256_add(M, in_x, Zsqr); add $a_ptr,sp,#$in_x add $b_ptr,sp,#$Zsqr add $r_ptr,sp,#$Zsqr - bl _ecp_nistz256_sub @ p256_sub(Zsqr, in_x, Zsqr); + bl __ecp_nistz256_sub @ p256_sub(Zsqr, in_x, Zsqr); add $a_ptr,sp,#$S add $b_ptr,sp,#$S add $r_ptr,sp,#$tmp0 - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(tmp0, S); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(tmp0, S); add $a_ptr,sp,#$Zsqr add $b_ptr,sp,#$M add $r_ptr,sp,#$M - bl _ecp_nistz256_mul_mont @ p256_mul_mont(M, M, Zsqr); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(M, M, Zsqr); ldr $r_ptr,[sp,#32*5] add $a_ptr,sp,#$tmp0 add $r_ptr,$r_ptr,#32 - bl _ecp_nistz256_div_by_2 @ p256_div_by_2(res_y, tmp0); + bl __ecp_nistz256_div_by_2 @ p256_div_by_2(res_y, tmp0); add $a_ptr,sp,#$M add $r_ptr,sp,#$M - bl _ecp_nistz256_mul_by_3 @ p256_mul_by_3(M, M); + bl __ecp_nistz256_mul_by_3 @ p256_mul_by_3(M, M); add $a_ptr,sp,#$in_x add $b_ptr,sp,#$S add $r_ptr,sp,#$S - bl _ecp_nistz256_mul_mont @ 
p256_mul_mont(S, S, in_x); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S, S, in_x); add $r_ptr,sp,#$tmp0 - bl __ecp_nistz256_mul_by_2 @ p256_mul_by_2(tmp0, S); + bl __ecp_nistz256_add_self @ p256_mul_by_2(tmp0, S); ldr $r_ptr,[sp,#32*5] add $a_ptr,sp,#$M add $b_ptr,sp,#$M - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(res_x, M); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(res_x, M); add $b_ptr,sp,#$tmp0 bl __ecp_nistz256_sub_from @ p256_sub(res_x, res_x, tmp0); @@ -1300,7 +1304,7 @@ ecp_nistz256_point_double: add $a_ptr,sp,#$M add $b_ptr,sp,#$S - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S, S, M); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S, S, M); ldr $r_ptr,[sp,#32*5] add $b_ptr,$r_ptr,#32 @@ -1398,32 +1402,32 @@ ecp_nistz256_point_add: add $a_ptr,sp,#$in2_z add $b_ptr,sp,#$in2_z add $r_ptr,sp,#$Z2sqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Z2sqr, in2_z); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Z2sqr, in2_z); add $a_ptr,sp,#$in1_z add $b_ptr,sp,#$in1_z add $r_ptr,sp,#$Z1sqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Z1sqr, in1_z); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Z1sqr, in1_z); add $a_ptr,sp,#$in2_z add $b_ptr,sp,#$Z2sqr add $r_ptr,sp,#$S1 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S1, Z2sqr, in2_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S1, Z2sqr, in2_z); add $a_ptr,sp,#$in1_z add $b_ptr,sp,#$Z1sqr add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, Z1sqr, in1_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, Z1sqr, in1_z); add $a_ptr,sp,#$in1_y add $b_ptr,sp,#$S1 add $r_ptr,sp,#$S1 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S1, S1, in1_y); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S1, S1, in1_y); add $a_ptr,sp,#$in2_y add $b_ptr,sp,#$S2 add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, S2, in2_y); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, S2, in2_y); add $b_ptr,sp,#$S1 add $r_ptr,sp,#$R 
@@ -1441,12 +1445,12 @@ ecp_nistz256_point_add: str $a0,[sp,#32*18+12] add $r_ptr,sp,#$U1 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(U1, in1_x, Z2sqr); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(U1, in1_x, Z2sqr); add $a_ptr,sp,#$in2_x add $b_ptr,sp,#$Z1sqr add $r_ptr,sp,#$U2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(U2, in2_x, Z1sqr); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(U2, in2_x, Z1sqr); add $b_ptr,sp,#$U1 add $r_ptr,sp,#$H @@ -1489,35 +1493,35 @@ ecp_nistz256_point_add: add $a_ptr,sp,#$R add $b_ptr,sp,#$R add $r_ptr,sp,#$Rsqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Rsqr, R); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Rsqr, R); add $a_ptr,sp,#$H add $b_ptr,sp,#$in1_z add $r_ptr,sp,#$res_z - bl _ecp_nistz256_mul_mont @ p256_mul_mont(res_z, H, in1_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(res_z, H, in1_z); add $a_ptr,sp,#$H add $b_ptr,sp,#$H add $r_ptr,sp,#$Hsqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Hsqr, H); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Hsqr, H); add $a_ptr,sp,#$in2_z add $b_ptr,sp,#$res_z add $r_ptr,sp,#$res_z - bl _ecp_nistz256_mul_mont @ p256_mul_mont(res_z, res_z, in2_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(res_z, res_z, in2_z); add $a_ptr,sp,#$H add $b_ptr,sp,#$Hsqr add $r_ptr,sp,#$Hcub - bl _ecp_nistz256_mul_mont @ p256_mul_mont(Hcub, Hsqr, H); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(Hcub, Hsqr, H); add $a_ptr,sp,#$Hsqr add $b_ptr,sp,#$U1 add $r_ptr,sp,#$U2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(U2, U1, Hsqr); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(U2, U1, Hsqr); add $r_ptr,sp,#$Hsqr - bl __ecp_nistz256_mul_by_2 @ p256_mul_by_2(Hsqr, U2); + bl __ecp_nistz256_add_self @ p256_mul_by_2(Hsqr, U2); add $b_ptr,sp,#$Rsqr add $r_ptr,sp,#$res_x 
@@ -1533,12 +1537,12 @@ ecp_nistz256_point_add: add $a_ptr,sp,#$Hcub add $b_ptr,sp,#$S1 add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, S1, Hcub); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, S1, Hcub); add $a_ptr,sp,#$R add $b_ptr,sp,#$res_y add $r_ptr,sp,#$res_y - bl _ecp_nistz256_mul_mont @ p256_mul_mont(res_y, res_y, R); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(res_y, res_y, R); add $b_ptr,sp,#$S2 bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2); @@ -1663,12 +1667,12 @@ ecp_nistz256_point_add_affine: add $a_ptr,sp,#$in1_z add $b_ptr,sp,#$in1_z add $r_ptr,sp,#$Z1sqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Z1sqr, in1_z); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Z1sqr, in1_z); add $a_ptr,sp,#$Z1sqr add $b_ptr,sp,#$in2_x add $r_ptr,sp,#$U2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(U2, Z1sqr, in2_x); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(U2, Z1sqr, in2_x); add $b_ptr,sp,#$in1_x add $r_ptr,sp,#$H @@ -1677,17 +1681,17 @@ ecp_nistz256_point_add_affine: add $a_ptr,sp,#$Z1sqr add $b_ptr,sp,#$in1_z add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, Z1sqr, in1_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, Z1sqr, in1_z); add $a_ptr,sp,#$H add $b_ptr,sp,#$in1_z add $r_ptr,sp,#$res_z - bl _ecp_nistz256_mul_mont @ p256_mul_mont(res_z, H, in1_z); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(res_z, H, in1_z); add $a_ptr,sp,#$in2_y add $b_ptr,sp,#$S2 add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, S2, in2_y); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, S2, in2_y); add $b_ptr,sp,#$in1_y add $r_ptr,sp,#$R 
@@ -1696,25 +1700,25 @@ ecp_nistz256_point_add_affine: add $a_ptr,sp,#$H add $b_ptr,sp,#$H add $r_ptr,sp,#$Hsqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Hsqr, H); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Hsqr, H); add $a_ptr,sp,#$R add $b_ptr,sp,#$R add $r_ptr,sp,#$Rsqr - bl _ecp_nistz256_mul_mont @ p256_sqr_mont(Rsqr, R); + bl __ecp_nistz256_mul_mont @ p256_sqr_mont(Rsqr, R); add $a_ptr,sp,#$H add $b_ptr,sp,#$Hsqr add $r_ptr,sp,#$Hcub - bl _ecp_nistz256_mul_mont @ p256_mul_mont(Hcub, Hsqr, H); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(Hcub, Hsqr, H); add $a_ptr,sp,#$Hsqr add $b_ptr,sp,#$in1_x add $r_ptr,sp,#$U2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(U2, in1_x, Hsqr); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(U2, in1_x, Hsqr); add $r_ptr,sp,#$Hsqr - bl __ecp_nistz256_mul_by_2 @ p256_mul_by_2(Hsqr, U2); + bl __ecp_nistz256_add_self @ p256_mul_by_2(Hsqr, U2); add $b_ptr,sp,#$Rsqr add $r_ptr,sp,#$res_x @@ -1730,12 +1734,12 @@ ecp_nistz256_point_add_affine: add $a_ptr,sp,#$Hcub add $b_ptr,sp,#$in1_y add $r_ptr,sp,#$S2 - bl _ecp_nistz256_mul_mont @ p256_mul_mont(S2, in1_y, Hcub); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(S2, in1_y, Hcub); add $a_ptr,sp,#$R add $b_ptr,sp,#$res_y add $r_ptr,sp,#$res_y - bl _ecp_nistz256_mul_mont @ p256_mul_mont(res_y, res_y, R); + bl __ecp_nistz256_mul_mont @ p256_mul_mont(res_y, res_y, R); add $b_ptr,sp,#$S2 bl __ecp_nistz256_sub_from @ p256_sub(res_y, res_y, S2); diff --git a/crypto/modes/asm/ghash-armv4.pl b/crypto/modes/asm/ghash-armv4.pl index 44521f8..7311ad2 100644 --- a/crypto/modes/asm/ghash-armv4.pl +++ b/crypto/modes/asm/ghash-armv4.pl 
@@ -71,8 +71,20 @@ # *native* byte order on current platform. See gcm128.c for working # example... -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $Xi="r0"; # argument block $Htbl="r1"; @@ -126,6 +138,11 @@ $code=<<___; .text .code 32 +#ifdef __APPLE__ +#define ldrplb ldrbpl +#define ldrneb ldrbne +#endif + .type rem_4bit,%object .align 5 rem_4bit: @@ -373,9 +390,9 @@ $code.=<<___; .type gcm_init_neon,%function .align 4 gcm_init_neon: - vld1.64 $IN#hi,[r1,:64]! @ load H + vld1.64 $IN#hi,[r1]! @ load H vmov.i8 $t0,#0xe1 - vld1.64 $IN#lo,[r1,:64] + vld1.64 $IN#lo,[r1] vshl.i64 $t0#hi,#57 vshr.u64 $t0#lo,#63 @ t0=0xc2....01 vdup.8 $t1,$IN#hi[7] @@ -394,8 +411,8 @@ gcm_init_neon: .type gcm_gmult_neon,%function .align 4 gcm_gmult_neon: - vld1.64 $IN#hi,[$Xi,:64]! @ load Xi - vld1.64 $IN#lo,[$Xi,:64]! + vld1.64 $IN#hi,[$Xi]! @ load Xi + vld1.64 $IN#lo,[$Xi]! vmov.i64 $k48,#0x0000ffffffffffff vldmia $Htbl,{$Hlo-$Hhi} @ load twisted H vmov.i64 $k32,#0x00000000ffffffff @@ -412,8 +429,8 @@ gcm_gmult_neon: .type gcm_ghash_neon,%function .align 4 gcm_ghash_neon: - vld1.64 $Xl#hi,[$Xi,:64]! @ load Xi - vld1.64 $Xl#lo,[$Xi,:64]! + vld1.64 $Xl#hi,[$Xi]! @ load Xi + vld1.64 $Xl#lo,[$Xi]! vmov.i64 $k48,#0x0000ffffffffffff vldmia $Htbl,{$Hlo-$Hhi} @ load twisted H vmov.i64 $k32,#0x00000000ffffffff 
@@ -468,8 +485,8 @@ $code.=<<___; vrev64.8 $Xl,$Xl #endif sub $Xi,#16 - vst1.64 $Xl#hi,[$Xi,:64]! @ write out Xi - vst1.64 $Xl#lo,[$Xi,:64] + vst1.64 $Xl#hi,[$Xi]! @ write out Xi + vst1.64 $Xl#lo,[$Xi] ret @ bx lr .size gcm_ghash_neon,.-gcm_ghash_neon diff --git a/crypto/perlasm/arm-xlate.pl b/crypto/perlasm/arm-xlate.pl index 22dc7e4..81ceb31 100755 --- a/crypto/perlasm/arm-xlate.pl +++ b/crypto/perlasm/arm-xlate.pl @@ -154,7 +154,7 @@ while($line=<>) { $line = &$opcode($arg); } elsif ($mnemonic) { $line = $c.$mnemonic; - $line.= "\t$arg" if ($arg); + $line.= "\t$arg" if ($arg ne ""); } } diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl index 61307b7..356b52f 100644 --- a/crypto/sha/asm/sha1-armv4-large.pl +++ b/crypto/sha/asm/sha1-armv4-large.pl @@ -68,8 +68,20 @@ # # Add ARMv8 code path performing at 2.35 cpb on Apple A7. -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $ctx="r0"; $inp="r1"; @@ -180,6 +192,9 @@ sha1_block_data_order: sub r3,pc,#8 @ sha1_block_data_order ldr r12,.LOPENSSL_armcap ldr r12,[r3,r12] @ OPENSSL_armcap_P +#ifdef __APPLE__ + ldr r12,[r12] +#endif tst r12,#ARMV8_SHA1 bne .LARMv8 tst r12,#ARMV7_NEON diff --git a/crypto/sha/asm/sha256-armv4.pl b/crypto/sha/asm/sha256-armv4.pl index fac0533..efee1fb 100644 --- a/crypto/sha/asm/sha256-armv4.pl +++ b/crypto/sha/asm/sha256-armv4.pl 
@@ -37,8 +37,20 @@ # # Add ARMv8 code path performing at 2.0 cpb on Apple A7. -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $ctx="r0"; $t0="r0"; $inp="r1"; $t4="r1"; @@ -167,7 +179,7 @@ $code=<<___; .code 32 #else .syntax unified -# ifdef __thumb2__ +# if defined(__thumb2__) && !defined(__APPLE__) # define adrl adr .thumb # else @@ -198,13 +210,14 @@ K256: .word 0 @ terminator #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) .LOPENSSL_armcap: -.word OPENSSL_armcap_P-sha256_block_data_order +.word OPENSSL_armcap_P-.Lsha256_block_data_order #endif .align 5 .global sha256_block_data_order .type sha256_block_data_order,%function sha256_block_data_order: +.Lsha256_block_data_order: #if __ARM_ARCH__<7 sub r3,pc,#8 @ sha256_block_data_order #else @@ -213,6 +226,9 @@ sha256_block_data_order: #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) ldr r12,.LOPENSSL_armcap ldr r12,[r3,r12] @ OPENSSL_armcap_P +#ifdef __APPLE__ + ldr r12,[r12] +#endif tst r12,#ARMV8_SHA256 bne .LARMv8 tst r12,#ARMV7_NEON @@ -463,7 +479,7 @@ sha256_block_data_order_neon: stmdb sp!,{r4-r12,lr} sub $H,sp,#16*4+16 - adrl $Ktbl,K256 + adr $Ktbl,K256 bic $H,$H,#15 @ align for 128-bit stores mov $t2,sp mov sp,$H @ alloca @@ -583,7 +599,7 @@ my $Ktbl="r3"; $code.=<<___; #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -# ifdef __thumb2__ +# if defined(__thumb2__) && !defined(__APPLE__) # define INST(a,b,c,d) .byte c,d|0xc,a,b # else # define INST(a,b,c,d) .byte a,b,c,d 
@@ -594,7 +610,9 @@ $code.=<<___; sha256_block_data_order_armv8: .LARMv8: vld1.32 {$ABCD,$EFGH},[$ctx] -# ifdef __thumb2__ +# ifdef __APPLE__ + sub $Ktbl,$Ktbl,#256+32 +# elif defined(__thumb2__) adr $Ktbl,.LARMv8 sub $Ktbl,$Ktbl,#.LARMv8-K256 # else diff --git a/crypto/sha/asm/sha512-armv4.pl b/crypto/sha/asm/sha512-armv4.pl index a2b11a8..77d6c5e 100644 --- a/crypto/sha/asm/sha512-armv4.pl +++ b/crypto/sha/asm/sha512-armv4.pl @@ -50,8 +50,20 @@ $hi="HI"; $lo="LO"; # ==================================================================== -while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} -open STDOUT,">$output"; +$flavour = shift; +if ($flavour=~/^\w[\w\-]*\.\w+$/) { $output=$flavour; undef $flavour; } +else { while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {} } + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open STDOUT,"| \"$^X\" $xlate $flavour $output"; +} else { + open STDOUT,">$output"; +} $ctx="r0"; # parameter block $inp="r1"; @@ -200,7 +212,7 @@ $code=<<___; #endif .text -#if __ARM_ARCH__<7 +#if __ARM_ARCH__<7 || defined(__APPLE__) .code 32 #else .syntax unified @@ -258,7 +270,7 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) .size K512,.-K512 #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) .LOPENSSL_armcap: -.word OPENSSL_armcap_P-sha512_block_data_order +.word OPENSSL_armcap_P-.Lsha512_block_data_order .skip 32-4 #else .skip 32 @@ -267,6 +279,7 @@ WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) .global sha512_block_data_order .type sha512_block_data_order,%function sha512_block_data_order: +.Lsha512_block_data_order: #if __ARM_ARCH__<7 sub r3,pc,#8 @ sha512_block_data_order #else 
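Review bot: The Apple branch added in `sha256_block_data_order_armv8`, `sub $Ktbl,$Ktbl,#256+32`, locates K256 from whatever r3 holds on entry and from a literal distance, whereas the `__thumb2__` branch next to it uses `adr` with the symbolic `.LARMv8-K256`. `$Ktbl` is r3, which `sha256_block_data_order` sets to its own address before branching to `.LARMv8`, so the result is right only on that path and only while the table, the terminator word, `.LOPENSSL_armcap` and the `.align 5` padding add up to exactly 288 bytes; the table length is not visible in this hunk. At minimum add `@ r3 = sha256_block_data_order on this path; K256 sits 256+32 bytes below it`, and state whether the `_armv8` label may be entered directly. A wrong base here would presumably load wrong round constants silently rather than fault.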
@@ -275,6 +288,9 @@ sha512_block_data_order: #if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) ldr r12,.LOPENSSL_armcap ldr r12,[r3,r12] @ OPENSSL_armcap_P +#ifdef __APPLE__ + ldr r12,[r12] +#endif tst r12,#1 bne .LNEON #endif @@ -593,8 +609,8 @@ sha512_block_data_order_neon: .LNEON: dmb @ errata #451034 on early Cortex A8 add $len,$inp,$len,lsl#7 @ len to point at the end of inp + adr $Ktbl,K512 VFP_ABI_PUSH - adrl $Ktbl,K512 vldmia $ctx,{$A-$H} @ load context .Loop_neon: ___ From appro at openssl.org Mon Apr 20 13:44:50 2015 From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 13:44:50 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429537490.185549.9435.nullmailer@dev.openssl.org> The branch master has been updated via 23f6eec71dbd472044db7dc854599f1de14a1f48 (commit) from 313e6ec11fb8a7bda1676ce5804bee8755664141 (commit) - Log ----------------------------------------------------------------- commit 23f6eec71dbd472044db7dc854599f1de14a1f48 Author: Andy Polyakov Date: Fri Jan 23 17:27:10 2015 +0100 aes/asm/aesni-x86[_64].pl update. This addresses - request for improvement for faster key setup in RT#3576; - clearing registers and stack in RT#3554 (this is more of a gesture to see if there will be some traction from compiler side); - more commentary around input parameters handling and stack layout (desired when RT#3553 was reviewed); - minor size and single block performance optimization (was lying around); Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesni-x86.pl | 319 +++++++++++++- crypto/aes/asm/aesni-x86_64.pl | 945 +++++++++++++++++++++++++++++++---------- 2 files changed, 1025 insertions(+), 239 deletions(-) diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl index 3deb86a..847695f 100644 --- a/crypto/aes/asm/aesni-x86.pl +++ b/crypto/aes/asm/aesni-x86.pl 
@@ -51,7 +51,7 @@ # Westmere 3.77/1.37 1.37 1.52 1.27 # * Bridge 5.07/0.98 0.99 1.09 0.91 # Haswell 4.44/0.80 0.97 1.03 0.72 -# Atom 5.77/3.56 3.67 4.03 3.46 +# Silvermont 5.77/3.56 3.67 4.03 3.46 # Bulldozer 5.80/0.98 1.05 1.24 0.93 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script @@ -65,6 +65,9 @@ require "x86asm.pl"; &asm_init($ARGV[0],$0); +&external_label("OPENSSL_ia32cap_P"); +&static_label("key_const"); + if ($PREFIX eq "aesni") { $movekey=\&movups; } else { $movekey=\&movups; } @@ -181,7 +184,10 @@ sub aesni_generate1 # fully unrolled loop { &aesni_inline_generate1("enc"); } else { &call ("_aesni_encrypt1"); } + &pxor ($rndkey0,$rndkey0); # clear register bank + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,"eax"),$inout0); + &pxor ($inout0,$inout0); &ret (); &function_end_B("${PREFIX}_encrypt"); @@ -197,7 +203,10 @@ sub aesni_generate1 # fully unrolled loop { &aesni_inline_generate1("dec"); } else { &call ("_aesni_decrypt1"); } + &pxor ($rndkey0,$rndkey0); # clear register bank + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,"eax"),$inout0); + &pxor ($inout0,$inout0); &ret (); &function_end_B("${PREFIX}_decrypt"); @@ -349,17 +358,15 @@ sub aesni_generate6 &neg ($rounds); eval"&aes${p} ($inout2,$rndkey1)"; &pxor ($inout5,$rndkey0); + &$movekey ($rndkey0,&QWP(0,$key,$rounds)); &add ($rounds,16); - eval"&aes${p} ($inout3,$rndkey1)"; - eval"&aes${p} ($inout4,$rndkey1)"; - eval"&aes${p} ($inout5,$rndkey1)"; - &$movekey ($rndkey0,&QWP(-16,$key,$rounds)); - &jmp (&label("_aesni_${p}rypt6_enter")); + &jmp (&label("_aesni_${p}rypt6_inner")); &set_label("${p}6_loop",16); eval"&aes${p} ($inout0,$rndkey1)"; eval"&aes${p} ($inout1,$rndkey1)"; eval"&aes${p} ($inout2,$rndkey1)"; + &set_label("_aesni_${p}rypt6_inner"); eval"&aes${p} ($inout3,$rndkey1)"; eval"&aes${p} ($inout4,$rndkey1)"; eval"&aes${p} ($inout5,$rndkey1)"; 
@@ -615,6 +622,14 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0x30,$out),$inout3); &set_label("ecb_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ecb_encrypt"); ###################################################################### @@ -704,6 +719,15 @@ if ($PREFIX eq "aesni") { &mov ("esp",&DWP(48,"esp")); &mov ($out,&wparam(5)); &movups (&QWP(0,$out),$cmac); + + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ccm64_encrypt_blocks"); &function_begin("aesni_ccm64_decrypt_blocks"); @@ -804,6 +828,15 @@ if ($PREFIX eq "aesni") { &mov ("esp",&DWP(48,"esp")); &mov ($out,&wparam(5)); &movups (&QWP(0,$out),$cmac); + + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ccm64_decrypt_blocks"); } @@ -1053,6 +1086,17 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0x30,$out),$inout3); &set_label("ctr32_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(32,"esp"),"xmm0"); # clear stack + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(48,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(64,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); &mov ("esp",&DWP(80,"esp")); &function_end("aesni_ctr32_encrypt_blocks"); 
@@ -1394,6 +1438,20 @@ if ($PREFIX eq "aesni") { &movups (&QWP(-16,$out),$inout0); # write output &set_label("xts_enc_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack + &pxor ("xmm3","xmm3"); + &movdqa (&QWP(16*1,"esp"),"xmm0"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(16*2,"esp"),"xmm0"); + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(16*3,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(16*4,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); + &movdqa (&QWP(16*5,"esp"),"xmm0"); &mov ("esp",&DWP(16*7+4,"esp")); # restore %esp &function_end("aesni_xts_encrypt"); @@ -1756,6 +1814,20 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0,$out),$inout0); # write output &set_label("xts_dec_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack + &pxor ("xmm3","xmm3"); + &movdqa (&QWP(16*1,"esp"),"xmm0"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(16*2,"esp"),"xmm0"); + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(16*3,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(16*4,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); + &movdqa (&QWP(16*5,"esp"),"xmm0"); &mov ("esp",&DWP(16*7+4,"esp")); # restore %esp &function_end("aesni_xts_decrypt"); } @@ -1808,6 +1880,7 @@ if ($PREFIX eq "aesni") { &add ($len,16); &jnz (&label("cbc_enc_tail")); &movaps ($ivec,$inout0); + &pxor ($inout0,$inout0); &jmp (&label("cbc_ret")); &set_label("cbc_enc_tail"); @@ -1871,7 +1944,7 @@ if ($PREFIX eq "aesni") { &movaps ($inout0,$inout5); &movaps ($ivec,$rndkey0); &add ($len,0x50); - &jle (&label("cbc_dec_tail_collected")); + &jle (&label("cbc_dec_clear_tail_collected")); &movups (&QWP(0,$out),$inout0); &lea ($out,&DWP(0x10,$out)); &set_label("cbc_dec_tail"); 
@@ -1910,10 +1983,14 @@ if ($PREFIX eq "aesni") { &xorps ($inout4,$rndkey0); &movups (&QWP(0,$out),$inout0); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &movups (&QWP(0x20,$out),$inout2); + &pxor ($inout2,$inout2); &movups (&QWP(0x30,$out),$inout3); + &pxor ($inout3,$inout3); &lea ($out,&DWP(0x40,$out)); &movaps ($inout0,$inout4); + &pxor ($inout4,$inout4); &sub ($len,0x50); &jmp (&label("cbc_dec_tail_collected")); @@ -1933,6 +2010,7 @@ if ($PREFIX eq "aesni") { &xorps ($inout1,$in0); &movups (&QWP(0,$out),$inout0); &movaps ($inout0,$inout1); + &pxor ($inout1,$inout1); &lea ($out,&DWP(0x10,$out)); &movaps ($ivec,$in1); &sub ($len,0x20); @@ -1945,7 +2023,9 @@ if ($PREFIX eq "aesni") { &xorps ($inout2,$in1); &movups (&QWP(0,$out),$inout0); &movaps ($inout0,$inout2); + &pxor ($inout2,$inout2); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &lea ($out,&DWP(0x20,$out)); &movups ($ivec,&QWP(0x20,$inp)); &sub ($len,0x30); 
@@ -1961,29 +2041,44 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0,$out),$inout0); &xorps ($inout2,$rndkey1); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &xorps ($inout3,$rndkey0); &movups (&QWP(0x20,$out),$inout2); + &pxor ($inout2,$inout2); &lea ($out,&DWP(0x30,$out)); &movaps ($inout0,$inout3); + &pxor ($inout3,$inout3); &sub ($len,0x40); + &jmp (&label("cbc_dec_tail_collected")); +&set_label("cbc_dec_clear_tail_collected",16); + &pxor ($inout1,$inout1); + &pxor ($inout2,$inout2); + &pxor ($inout3,$inout3); + &pxor ($inout4,$inout4); &set_label("cbc_dec_tail_collected"); &and ($len,15); &jnz (&label("cbc_dec_tail_partial")); &movups (&QWP(0,$out),$inout0); + &pxor ($rndkey0,$rndkey0); &jmp (&label("cbc_ret")); &set_label("cbc_dec_tail_partial",16); &movaps (&QWP(0,"esp"),$inout0); + &pxor ($rndkey0,$rndkey0); &mov ("ecx",16); &mov ($inp,"esp"); &sub ("ecx",$len); &data_word(0xA4F3F689); # rep movsb + &movdqa (&QWP(0,"esp"),$inout0); &set_label("cbc_ret"); &mov ("esp",&DWP(16,"esp")); # pull original %esp &mov ($key_,&wparam(4)); + &pxor ($inout0,$inout0); + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,$key_),$ivec); # output IV + &pxor ($ivec,$ivec); &set_label("cbc_abort"); &function_end("${PREFIX}_cbc_encrypt"); @@ -2000,14 +2095,24 @@ if ($PREFIX eq "aesni") { # $round rounds &function_begin_B("_aesni_set_encrypt_key"); + &push ("ebp"); + &push ("ebx"); &test ("eax","eax"); &jz (&label("bad_pointer")); &test ($key,$key); &jz (&label("bad_pointer")); + &call (&label("pic")); +&set_label("pic"); + &blindpop("ebx"); + &lea ("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx")); + + &picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const")); &movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey &xorps ("xmm4","xmm4"); # low dword of xmm4 is assumed 0 + &mov ("ebp",&DWP(4,"ebp")); &lea ($key,&DWP(16,$key)); + &and ("ebp",1<<28|1<<11); # AVX and XOP bits &cmp ($rounds,256); &je (&label("14rounds")); &cmp ($rounds,192); 
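Review bot: The stack scrub added to `cbc_dec_tail_partial` (hunk -1961,29) looks ineffective. `&pxor ($rndkey0,$rndkey0)` zeroes `$rndkey0`, but the store added after `rep movsb` is `&movdqa (&QWP(0,"esp"),$inout0)`, and `$inout0` still holds the decrypted block there because it is only cleared later at `cbc_ret`. As written, the plaintext block is stored to the scratch slot a second time and remains on the stack after `%esp` is restored. If the intent is to clear the slot, store the zeroed register instead: `&movdqa (&QWP(0,"esp"),$rndkey0);`. The register assignments are outside this hunk, so this assumes `$rndkey0` and `$inout0` are distinct registers.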
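Review bot: The capability test added to `_aesni_set_encrypt_key` (hunk -2000,14) names the bits it masks but not the decision they drive. A reader has to combine `&and ("ebp",1<<28|1<<11)` with the later `&cmp ("ebp",1<<28)` checks to see that AVX set with XOP clear selects the `*_alt` schedules, which use `pshufb`/`aesenclast` instead of `aeskeygenassist`. I would extend the comment to `# AVX and XOP bits; AVX without XOP selects the *_alt key schedule`. A short comment beside `key_const` should also say what each row at offsets `0x00`, `0x10`, `0x20` and `0x30` is used for. The function body continues past this hunk.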
@@ -2016,6 +2121,9 @@ if ($PREFIX eq "aesni") { &jne (&label("bad_keybits")); &set_label("10rounds",16); + &cmp ("ebp",1<<28); + &je (&label("10rounds_alt")); + &mov ($rounds,9); &$movekey (&QWP(-16,$key),"xmm0"); # round 0 &aeskeygenassist("xmm1","xmm0",0x01); # round 1 @@ -2040,8 +2148,8 @@ if ($PREFIX eq "aesni") { &call (&label("key_128")); &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(80,$key),$rounds); - &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_128",16); &$movekey (&QWP(0,$key),"xmm0"); 
@@ -2055,8 +2163,76 @@ if ($PREFIX eq "aesni") { &xorps ("xmm0","xmm1"); &ret(); +&set_label("10rounds_alt",16); + &movdqa ("xmm5",&QWP(0x00,"ebx")); + &mov ($rounds,8); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &movdqa ("xmm2","xmm0"); + &movdqu (&DWP(-16,$key),"xmm0"); + +&set_label("loop_key128"); + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + &pslld ("xmm4",1); + &lea ($key,&DWP(16,$key)); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(-16,$key),"xmm0"); + &movdqa ("xmm2","xmm0"); + + &dec ($rounds); + &jnz (&label("loop_key128")); + + &movdqa ("xmm4",&QWP(0x30,"ebx")); + + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + &pslld ("xmm4",1); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(0,$key),"xmm0"); + + &movdqa ("xmm2","xmm0"); + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(16,$key),"xmm0"); + + &mov ($rounds,9); + &mov (&DWP(96,$key),$rounds); + + &jmp (&label("good_key")); + &set_label("12rounds",16); &movq ("xmm2",&QWP(16,"eax")); # remaining 1/3 of *userKey + &cmp ("ebp",1<<28); + &je (&label("12rounds_alt")); + &mov ($rounds,11); &$movekey (&QWP(-16,$key),"xmm0"); # round 0 &aeskeygenassist("xmm1","xmm2",0x01); # round 1,2 @@ -2077,8 +2253,8 @@ if ($PREFIX eq "aesni") { &call (&label("key_192b")); &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(48,$key),$rounds); - &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_192a",16); &$movekey (&QWP(0,$key),"xmm0"); 
@@ -2108,10 +2284,52 @@ if ($PREFIX eq "aesni") { &lea ($key,&DWP(32,$key)); &jmp (&label("key_192b_warm")); +&set_label("12rounds_alt",16); + &movdqa ("xmm5",&QWP(0x10,"ebx")); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &mov ($rounds,8); + &movdqu (&QWP(-16,$key),"xmm0"); + +&set_label("loop_key192"); + &movq (&QWP(0,$key),"xmm2"); + &movdqa ("xmm1","xmm2"); + &pshufb ("xmm2","xmm5"); + &aesenclast ("xmm2","xmm4"); + &pslld ("xmm4",1); + &lea ($key,&DWP(24,$key)); + + &movdqa ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm0","xmm3"); + + &pshufd ("xmm3","xmm0",0xff); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + + &pxor ("xmm0","xmm2"); + &pxor ("xmm2","xmm3"); + &movdqu (&QWP(-16,$key),"xmm0"); + + &dec ($rounds); + &jnz (&label("loop_key192")); + + &mov ($rounds,11); + &mov (&DWP(32,$key),$rounds); + + &jmp (&label("good_key")); + &set_label("14rounds",16); &movups ("xmm2",&QWP(16,"eax")); # remaining half of *userKey - &mov ($rounds,13); &lea ($key,&DWP(16,$key)); + &cmp ("ebp",1<<28); + &je (&label("14rounds_alt")); + + &mov ($rounds,13); &$movekey (&QWP(-32,$key),"xmm0"); # round 0 &$movekey (&QWP(-16,$key),"xmm2"); # round 1 &aeskeygenassist("xmm1","xmm2",0x01); # round 2 @@ -2143,7 +2361,8 @@ if ($PREFIX eq "aesni") { &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(16,$key),$rounds); &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_256a",16); &$movekey (&QWP(0,$key),"xmm2"); 
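Review bot: In the 14-round path (hunk -2143,7) the context line `&xor ("eax","eax");` is kept in front of the new `&jmp (&label("good_key"));`, while the 10- and 12-round paths drop it and `good_key` clears `eax` itself before returning. The instruction is harmless but redundant, and leaving it in one of three parallel exits suggests a difference that does not exist. I would delete it so that all three paths end with just the jump.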
@@ -2169,11 +2388,77 @@ if ($PREFIX eq "aesni") { &xorps ("xmm2","xmm1"); &ret(); +&set_label("14rounds_alt",16); + &movdqa ("xmm5",&QWP(0x00,"ebx")); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &mov ($rounds,7); + &movdqu (&QWP(-32,$key),"xmm0"); + &movdqa ("xmm1","xmm2"); + &movdqu (&QWP(-16,$key),"xmm2"); + +&set_label("loop_key256"); + &pshufb ("xmm2","xmm5"); + &aesenclast ("xmm2","xmm4"); + + &movdqa ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm0","xmm3"); + &pslld ("xmm4",1); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(0,$key),"xmm0"); + + &dec ($rounds); + &jz (&label("done_key256")); + + &pshufd ("xmm2","xmm0",0xff); + &pxor ("xmm3","xmm3"); + &aesenclast ("xmm2","xmm3"); + + &movdqa ("xmm3","xmm1") + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm1","xmm3"); + + &pxor ("xmm2","xmm1"); + &movdqu (&QWP(16,$key),"xmm2"); + &lea ($key,&DWP(32,$key)); + &movdqa ("xmm1","xmm2"); + &jmp (&label("loop_key256")); + +&set_label("done_key256"); + &mov ($rounds,13); + &mov (&DWP(16,$key),$rounds); + +&set_label("good_key"); + &pxor ("xmm0","xmm0"); + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &xor ("eax","eax"); + &pop ("ebx"); + &pop ("ebp"); + &ret (); + &set_label("bad_pointer",4); &mov ("eax",-1); + &pop ("ebx"); + &pop ("ebp"); &ret (); &set_label("bad_keybits",4); + &pxor ("xmm0","xmm0"); &mov ("eax",-2); + &pop ("ebx"); + &pop ("ebp"); &ret (); &function_end_B("_aesni_set_encrypt_key"); 
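Review bot: In the `loop_key256` body of `14rounds_alt` the line `&movdqa ("xmm3","xmm1")` has no terminating semicolon, so Perl joins it with the following `&pslldq ("xmm1",4);` into one expression. That most likely parses as a bitwise AND of the two calls, in which case both instructions are still emitted. The emitted order then depends on operand evaluation rather than on statement order, and the line reads differently from the identical sequences in `loop_key128` and `loop_key192`. Add the semicolon: `&movdqa ("xmm3","xmm1");`.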
@@ -2223,10 +2508,18 @@ if ($PREFIX eq "aesni") { &aesimc ("xmm0","xmm0"); &$movekey (&QWP(0,$key),"xmm0"); + &pxor ("xmm0","xmm0"); + &pxor ("xmm1","xmm1"); &xor ("eax","eax"); # return success &set_label("dec_key_ret"); &ret (); &function_end_B("${PREFIX}_set_decrypt_key"); + +&set_label("key_const",64); +&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d); +&data_word(0x04070605,0x04070605,0x04070605,0x04070605); +&data_word(1,1,1,1); +&data_word(0x1b,0x1b,0x1b,0x1b); &asciz("AES for Intel AES-NI, CRYPTOGAMS by "); &asm_finish(); diff --git a/crypto/aes/asm/aesni-x86_64.pl b/crypto/aes/asm/aesni-x86_64.pl index 5f61746..25ca574 100644 --- a/crypto/aes/asm/aesni-x86_64.pl +++ b/crypto/aes/asm/aesni-x86_64.pl @@ -165,11 +165,11 @@ # Westmere 3.77/1.25 1.25 1.25 1.26 # * Bridge 5.07/0.74 0.75 0.90 0.85 # Haswell 4.44/0.63 0.63 0.73 0.63 -# Atom 5.75/3.54 3.56 4.12 3.87(*) +# Silvermont 5.75/3.54 3.56 4.12 3.87(*) # Bulldozer 5.77/0.70 0.72 0.90 0.70 # -# (*) Atom ECB result is suboptimal because of penalties incurred -# by operations on %xmm8-15. As ECB is not considered +# (*) Atom Silvermont ECB result is suboptimal because of penalties +# incurred by operations on %xmm8-15. As ECB is not considered # critical, nothing was done to mitigate the problem. $PREFIX="aesni"; # if $PREFIX is set to "AES", the script @@ -263,7 +263,10 @@ ${PREFIX}_encrypt: ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($out) # output + pxor $inout0,$inout0 ret .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt @@ -276,7 +279,10 @@ ${PREFIX}_decrypt: ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($out) # output + pxor $inout0,$inout0 ret .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt ___ 
@@ -445,21 +451,18 @@ _aesni_${dir}rypt6: pxor $rndkey0,$inout4 aes${dir} $rndkey1,$inout2 pxor $rndkey0,$inout5 + $movkey ($key,%rax),$rndkey0 add \$16,%rax - aes${dir} $rndkey1,$inout3 - aes${dir} $rndkey1,$inout4 - aes${dir} $rndkey1,$inout5 - $movkey -16($key,%rax),$rndkey0 jmp .L${dir}_loop6_enter .align 16 .L${dir}_loop6: aes${dir} $rndkey1,$inout0 aes${dir} $rndkey1,$inout1 aes${dir} $rndkey1,$inout2 +.L${dir}_loop6_enter: aes${dir} $rndkey1,$inout3 aes${dir} $rndkey1,$inout4 aes${dir} $rndkey1,$inout5 -.L${dir}_loop6_enter: $movkey ($key,%rax),$rndkey1 add \$32,%rax aes${dir} $rndkey0,$inout0 @@ -506,23 +509,18 @@ _aesni_${dir}rypt8: lea 32($key,$rounds),$key neg %rax # $rounds aes${dir} $rndkey1,$inout0 - add \$16,%rax pxor $rndkey0,$inout5 - aes${dir} $rndkey1,$inout1 pxor $rndkey0,$inout6 + aes${dir} $rndkey1,$inout1 pxor $rndkey0,$inout7 - aes${dir} $rndkey1,$inout2 - aes${dir} $rndkey1,$inout3 - aes${dir} $rndkey1,$inout4 - aes${dir} $rndkey1,$inout5 - aes${dir} $rndkey1,$inout6 - aes${dir} $rndkey1,$inout7 - $movkey -16($key,%rax),$rndkey0 - jmp .L${dir}_loop8_enter + $movkey ($key,%rax),$rndkey0 + add \$16,%rax + jmp .L${dir}_loop8_inner .align 16 .L${dir}_loop8: aes${dir} $rndkey1,$inout0 aes${dir} $rndkey1,$inout1 +.L${dir}_loop8_inner: aes${dir} $rndkey1,$inout2 aes${dir} $rndkey1,$inout3 aes${dir} $rndkey1,$inout4 @@ -587,15 +585,15 @@ aesni_ecb_encrypt: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) + movaps %xmm6,(%rsp) # offload $inout4..7 movaps %xmm7,0x10(%rsp) movaps %xmm8,0x20(%rsp) movaps %xmm9,0x30(%rsp) .Lecb_enc_body: ___ $code.=<<___; - and \$-16,$len - jz .Lecb_ret + and \$-16,$len # if ($len<16) + jz .Lecb_ret # return mov 240($key),$rounds # key->rounds $movkey ($key),$rndkey0 
@@ -604,10 +602,10 @@ $code.=<<___; test %r8d,%r8d # 5th argument jz .Lecb_decrypt #--------------------------- ECB ENCRYPT ------------------------------# - cmp \$0x80,$len - jb .Lecb_enc_tail + cmp \$0x80,$len # if ($len<8*16) + jb .Lecb_enc_tail # short input - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks movdqu 0x10($inp),$inout1 movdqu 0x20($inp),$inout2 movdqu 0x30($inp),$inout3 @@ -615,14 +613,14 @@ $code.=<<___; movdqu 0x50($inp),$inout5 movdqu 0x60($inp),$inout6 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp - sub \$0x80,$len + lea 0x80($inp),$inp # $inp+=8*16 + sub \$0x80,$len # $len-=8*16 (can be zero) jmp .Lecb_enc_loop8_enter .align 16 .Lecb_enc_loop8: - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks mov $rnds_,$rounds # restore $rounds movups $inout1,0x10($out) movdqu 0x10($inp),$inout1 @@ -637,17 +635,17 @@ $code.=<<___; movups $inout6,0x60($out) movdqu 0x60($inp),$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out + lea 0x80($out),$out # $out+=8*16 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp + lea 0x80($inp),$inp # $inp+=8*16 .Lecb_enc_loop8_enter: call _aesni_encrypt8 sub \$0x80,$len - jnc .Lecb_enc_loop8 + jnc .Lecb_enc_loop8 # loop if $len-=8*16 didn't borrow - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key movups $inout1,0x10($out) mov $rnds_,$rounds # restore $rounds @@ -657,11 +655,11 @@ $code.=<<___; movups $inout5,0x50($out) movups $inout6,0x60($out) movups $inout7,0x70($out) - lea 0x80($out),$out - add \$0x80,$len - jz .Lecb_ret + lea 0x80($out),$out # $out+=8*16 + add \$0x80,$len # restore real remaining $len + jz .Lecb_ret # done if ($len==0) -.Lecb_enc_tail: +.Lecb_enc_tail: # $len is less than 8*16 movups ($inp),$inout0 cmp \$0x20,$len jb .Lecb_enc_one 
@@ -678,8 +676,9 @@ $code.=<<___; movups 0x50($inp),$inout5 je .Lecb_enc_six movdqu 0x60($inp),$inout6 + xorps $inout7,$inout7 call _aesni_encrypt8 - movups $inout0,($out) + movups $inout0,($out) # store 7 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -692,25 +691,25 @@ $code.=<<___; ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; - movups $inout0,($out) + movups $inout0,($out) # store one output block jmp .Lecb_ret .align 16 .Lecb_enc_two: call _aesni_encrypt2 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,0x10($out) jmp .Lecb_ret .align 16 .Lecb_enc_three: call _aesni_encrypt3 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) jmp .Lecb_ret .align 16 .Lecb_enc_four: call _aesni_encrypt4 - movups $inout0,($out) + movups $inout0,($out) # store 4 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -719,7 +718,7 @@ $code.=<<___; .Lecb_enc_five: xorps $inout5,$inout5 call _aesni_encrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 5 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -728,7 +727,7 @@ $code.=<<___; .align 16 .Lecb_enc_six: call _aesni_encrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 6 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -738,10 +737,10 @@ $code.=<<___; #--------------------------- ECB DECRYPT ------------------------------# .align 16 .Lecb_decrypt: - cmp \$0x80,$len - jb .Lecb_dec_tail + cmp \$0x80,$len # if ($len<8*16) + jb .Lecb_dec_tail # short input - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks movdqu 0x10($inp),$inout1 movdqu 0x20($inp),$inout2 movdqu 0x30($inp),$inout3 
@@ -749,14 +748,14 @@ $code.=<<___; movdqu 0x50($inp),$inout5 movdqu 0x60($inp),$inout6 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp - sub \$0x80,$len + lea 0x80($inp),$inp # $inp+=8*16 + sub \$0x80,$len # $len-=8*16 (can be zero) jmp .Lecb_dec_loop8_enter .align 16 .Lecb_dec_loop8: - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks mov $rnds_,$rounds # restore $rounds movups $inout1,0x10($out) movdqu 0x10($inp),$inout1 @@ -771,30 +770,38 @@ $code.=<<___; movups $inout6,0x60($out) movdqu 0x60($inp),$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out + lea 0x80($out),$out # $out+=8*16 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp + lea 0x80($inp),$inp # $inp+=8*16 .Lecb_dec_loop8_enter: call _aesni_decrypt8 $movkey ($key_),$rndkey0 sub \$0x80,$len - jnc .Lecb_dec_loop8 + jnc .Lecb_dec_loop8 # loop if $len-=8*16 didn't borrow - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks + pxor $inout0,$inout0 # clear register bank mov $key_,$key # restore $key movups $inout1,0x10($out) + pxor $inout1,$inout1 mov $rnds_,$rounds # restore $rounds movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 movups $inout6,0x60($out) + pxor $inout6,$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out - add \$0x80,$len - jz .Lecb_ret + pxor $inout7,$inout7 + lea 0x80($out),$out # $out+=8*16 + add \$0x80,$len # restore real remaining $len + jz .Lecb_ret # done if ($len==0) .Lecb_dec_tail: movups ($inp),$inout0 
@@ -814,70 +821,107 @@ $code.=<<___; je .Lecb_dec_six movups 0x60($inp),$inout6 $movkey ($key),$rndkey0 + xorps $inout7,$inout7 call _aesni_decrypt8 - movups $inout0,($out) + movups $inout0,($out) # store 7 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 movups $inout6,0x60($out) + pxor $inout6,$inout6 + pxor $inout7,$inout7 jmp .Lecb_ret .align 16 .Lecb_dec_one: ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; - movups $inout0,($out) + movups $inout0,($out) # store one output block + pxor $inout0,$inout0 # clear register bank jmp .Lecb_ret .align 16 .Lecb_dec_two: call _aesni_decrypt2 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 jmp .Lecb_ret .align 16 .Lecb_dec_three: call _aesni_decrypt3 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 jmp .Lecb_ret .align 16 .Lecb_dec_four: call _aesni_decrypt4 - movups $inout0,($out) + movups $inout0,($out) # store 4 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 jmp .Lecb_ret .align 16 .Lecb_dec_five: xorps $inout5,$inout5 call _aesni_decrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 5 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + 
pxor $inout4,$inout4 + pxor $inout5,$inout5 jmp .Lecb_ret .align 16 .Lecb_dec_six: call _aesni_decrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 6 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 .Lecb_ret: + xorps $rndkey0,$rndkey0 # %xmm0 + pxor $rndkey1,$rndkey1 ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lecb_enc_ret: ___ @@ -911,10 +955,10 @@ aesni_ccm64_encrypt_blocks: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) - movaps %xmm7,0x10(%rsp) - movaps %xmm8,0x20(%rsp) - movaps %xmm9,0x30(%rsp) + movaps %xmm6,(%rsp) # $iv + movaps %xmm7,0x10(%rsp) # $bswap_mask + movaps %xmm8,0x20(%rsp) # $in0 + movaps %xmm9,0x30(%rsp) # $increment .Lccm64_enc_body: ___ $code.=<<___; @@ -956,7 +1000,7 @@ $code.=<<___; aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 paddq $increment,$iv - dec $len + dec $len # $len-- ($len is in blocks) aesenclast $rndkey0,$inout0 aesenclast $rndkey0,$inout1 
@@ -965,16 +1009,26 @@ $code.=<<___; movdqa $iv,$inout0 movups $in0,($out) # save output pshufb $bswap_mask,$inout0 - lea 16($out),$out - jnz .Lccm64_enc_outer + lea 16($out),$out # $out+=16 + jnz .Lccm64_enc_outer # loop if ($len!=0) - movups $inout1,($cmac) + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + pxor $inout0,$inout0 + movups $inout1,($cmac) # store resulting mac + pxor $inout1,$inout1 + pxor $in0,$in0 + pxor $iv,$iv ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lccm64_enc_ret: ___ @@ -991,10 +1045,10 @@ aesni_ccm64_decrypt_blocks: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) - movaps %xmm7,0x10(%rsp) - movaps %xmm8,0x20(%rsp) - movaps %xmm9,0x30(%rsp) + movaps %xmm6,(%rsp) # $iv + movaps %xmm7,0x10(%rsp) # $bswap_mask + movaps %xmm8,0x20(%rsp) # $in8 + movaps %xmm9,0x30(%rsp) # $increment .Lccm64_dec_body: ___ $code.=<<___; @@ -1015,7 +1069,7 @@ $code.=<<___; mov \$16,$rounds movups ($inp),$in0 # load inp paddq $increment,$iv - lea 16($inp),$inp + lea 16($inp),$inp # $inp+=16 sub %r10,%rax # twisted $rounds lea 32($key_,$rnds_),$key # end of key schedule mov %rax,%r10 @@ -1025,11 +1079,11 @@ $code.=<<___; xorps $inout0,$in0 # inp ^= E(iv) movdqa $iv,$inout0 movups $in0,($out) # save output - lea 16($out),$out + lea 16($out),$out # $out+=16 pshufb $bswap_mask,$inout0 - sub \$1,$len - jz .Lccm64_dec_break + sub \$1,$len # $len-- ($len is in blocks) + jz .Lccm64_dec_break # if ($len==0) break $movkey ($key_),$rndkey0 mov %r10,%rax 
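Review bot: The Win64 stack scrub in `aesni_ccm64_encrypt_blocks` (hunk -965,16) stores a literal register with `movaps %xmm0,(%rsp) # clear stack`, which is zero only because `pxor $rndkey0,$rndkey0` ran a few lines earlier and `$rndkey0` presumably maps to `%xmm0`. The ECB epilogue records that link with a `# %xmm0` comment on its `xorps`, but the CCM hunks do not. A later change to the register assignment or to the order of the clears would then store live data to the stack instead of zeros, with nothing to flag it. Writing the stores as `movaps $rndkey0,(%rsp)` makes the dependency explicit; the same applies to `aesni_ccm64_decrypt_blocks` in hunk -1065,13.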
@@ -1049,13 +1103,13 @@ $code.=<<___; aesenc $rndkey0,$inout1 $movkey -16($key,%rax),$rndkey0 jnz .Lccm64_dec2_loop - movups ($inp),$in0 # load inp + movups ($inp),$in0 # load input paddq $increment,$iv aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 aesenclast $rndkey0,$inout0 aesenclast $rndkey0,$inout1 - lea 16($inp),$inp + lea 16($inp),$inp # $inp+=16 jmp .Lccm64_dec_outer .align 16 @@ -1065,13 +1119,23 @@ $code.=<<___; ___ &aesni_generate1("enc",$key_,$rounds,$inout1,$in0); $code.=<<___; - movups $inout1,($cmac) + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + pxor $inout0,$inout0 + movups $inout1,($cmac) # store resulting mac + pxor $inout1,$inout1 + pxor $in0,$in0 + pxor $iv,$iv ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lccm64_dec_ret: ___ @@ -1102,13 +1166,34 @@ $code.=<<___; .type aesni_ctr32_encrypt_blocks,\@function,5 .align 16 aesni_ctr32_encrypt_blocks: + cmp \$1,$len + jne .Lctr32_bulk + + # handle single block without allocating stack frame, + # useful when handling edges + movups ($ivp),$inout0 + movups ($inp),$inout1 + mov 240($key),%edx # key->rounds +___ + &aesni_generate1("enc",$key,"%edx"); +$code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + xorps $inout1,$inout0 + pxor $inout1,$inout1 + movups $inout0,($out) + xorps $inout0,$inout0 + jmp .Lctr32_epilogue + +.align 16 +.Lctr32_bulk: lea (%rsp),%rax push %rbp sub \$$frame_size,%rsp and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) 
@@ -1123,8 +1208,8 @@ ___ $code.=<<___; lea -8(%rax),%rbp - cmp \$1,$len - je .Lctr32_one_shortcut + # 8 16-byte words on top of stack are counter values + # xor-ed with zero-round key movdqu ($ivp),$inout0 movdqu ($key),$rndkey0 @@ -1139,7 +1224,7 @@ $code.=<<___; movdqa $inout0,0x40(%rsp) movdqa $inout0,0x50(%rsp) movdqa $inout0,0x60(%rsp) - mov %rdx,%r10 # borrow %rdx + mov %rdx,%r10 # about to borrow %rdx movdqa $inout0,0x70(%rsp) lea 1($ctr),%rax @@ -1183,15 +1268,15 @@ $code.=<<___; movdqa 0x40(%rsp),$inout4 movdqa 0x50(%rsp),$inout5 - cmp \$8,$len - jb .Lctr32_tail + cmp \$8,$len # $len is in blocks + jb .Lctr32_tail # short input if ($len<8) - sub \$6,$len + sub \$6,$len # $len is biased by -6 cmp \$`1<<22`,%r10d # check for MOVBE without XSAVE - je .Lctr32_6x + je .Lctr32_6x # [which denotes Atom Silvermont] lea 0x80($key),$key # size optimization - sub \$2,$len + sub \$2,$len # $len is biased by -8 jmp .Lctr32_loop8 .align 16 @@ -1205,13 +1290,13 @@ $code.=<<___; .align 16 .Lctr32_loop6: - add \$6,$ctr + add \$6,$ctr # next counter value $movkey -48($key,$rnds_),$rndkey0 aesenc $rndkey1,$inout0 mov $ctr,%eax xor $key0,%eax aesenc $rndkey1,$inout1 - movbe %eax,`0x00+12`(%rsp) + movbe %eax,`0x00+12`(%rsp) # store next counter value lea 1($ctr),%eax aesenc $rndkey1,$inout2 xor $key0,%eax @@ -1244,16 +1329,16 @@ $code.=<<___; call .Lenc_loop6 - movdqu ($inp),$inout6 + movdqu ($inp),$inout6 # load 6 input blocks movdqu 0x10($inp),$inout7 movdqu 0x20($inp),$in0 movdqu 0x30($inp),$in1 movdqu 0x40($inp),$in2 movdqu 0x50($inp),$in3 - lea 0x60($inp),$inp + lea 0x60($inp),$inp # $inp+=6*16 $movkey -64($key,$rnds_),$rndkey1 - pxor $inout0,$inout6 - movaps 0x00(%rsp),$inout0 + pxor $inout0,$inout6 # inp^=E(ctr) + movaps 0x00(%rsp),$inout0 # load next counter [xor-ed with 0 round] pxor $inout1,$inout7 movaps 0x10(%rsp),$inout1 pxor $inout2,$in0 
@@ -1264,19 +1349,19 @@ $code.=<<___; movaps 0x40(%rsp),$inout4 pxor $inout5,$in3 movaps 0x50(%rsp),$inout5 - movdqu $inout6,($out) + movdqu $inout6,($out) # store 6 output blocks movdqu $inout7,0x10($out) movdqu $in0,0x20($out) movdqu $in1,0x30($out) movdqu $in2,0x40($out) movdqu $in3,0x50($out) - lea 0x60($out),$out - + lea 0x60($out),$out # $out+=6*16 + sub \$6,$len - jnc .Lctr32_loop6 + jnc .Lctr32_loop6 # loop if $len-=6 didn't borrow - add \$6,$len - jz .Lctr32_done + add \$6,$len # restore real remaining $len + jz .Lctr32_done # done if ($len==0) lea -48($rnds_),$rounds lea -80($key,$rnds_),$key # restore $key @@ -1286,7 +1371,7 @@ $code.=<<___; .align 32 .Lctr32_loop8: - add \$8,$ctr + add \$8,$ctr # next counter value movdqa 0x60(%rsp),$inout6 aesenc $rndkey1,$inout0 mov $ctr,%r9d @@ -1298,7 +1383,7 @@ $code.=<<___; xor $key0,%r9d nop aesenc $rndkey1,$inout3 - mov %r9d,0x00+12(%rsp) + mov %r9d,0x00+12(%rsp) # store next counter value lea 1($ctr),%r9 aesenc $rndkey1,$inout4 aesenc $rndkey1,$inout5 @@ -1331,7 +1416,7 @@ $code.=<<___; aesenc $rndkey0,$inout1 aesenc $rndkey0,$inout2 xor $key0,%r9d - movdqu 0x00($inp),$in0 + movdqu 0x00($inp),$in0 # start loading input aesenc $rndkey0,$inout3 mov %r9d,0x70+12(%rsp) cmp \$11,$rounds @@ -1388,7 +1473,7 @@ $code.=<<___; .align 16 .Lctr32_enc_done: movdqu 0x10($inp),$in1 - pxor $rndkey0,$in0 + pxor $rndkey0,$in0 # input^=round[last] movdqu 0x20($inp),$in2 pxor $rndkey0,$in1 movdqu 0x30($inp),$in3 @@ -1406,11 +1491,11 @@ $code.=<<___; aesenc $rndkey1,$inout5 aesenc $rndkey1,$inout6 aesenc $rndkey1,$inout7 - movdqu 0x60($inp),$rndkey1 - lea 0x80($inp),$inp + movdqu 0x60($inp),$rndkey1 # borrow $rndkey1 for inp[6] + lea 0x80($inp),$inp # $inp+=8*16 - aesenclast $in0,$inout0 - pxor $rndkey0,$rndkey1 + aesenclast $in0,$inout0 # $inN is inp[N]^round[last] + pxor $rndkey0,$rndkey1 # borrowed $rndkey movdqu 0x70-0x80($inp),$in0 aesenclast $in1,$inout1 pxor $rndkey0,$in0 
@@ -1425,10 +1510,10 @@ $code.=<<___; movdqa 0x40(%rsp),$in5 aesenclast $rndkey1,$inout6 movdqa 0x50(%rsp),$rndkey0 - $movkey 0x10-0x80($key),$rndkey1 + $movkey 0x10-0x80($key),$rndkey1#real 1st-round key aesenclast $in0,$inout7 - movups $inout0,($out) # store output + movups $inout0,($out) # store 8 output blocks movdqa $in1,$inout0 movups $inout1,0x10($out) movdqa $in2,$inout1 @@ -1442,21 +1527,24 @@ $code.=<<___; movdqa $rndkey0,$inout5 movups $inout6,0x60($out) movups $inout7,0x70($out) - lea 0x80($out),$out - + lea 0x80($out),$out # $out+=8*16 + sub \$8,$len - jnc .Lctr32_loop8 + jnc .Lctr32_loop8 # loop if $len-=8 didn't borrow - add \$8,$len - jz .Lctr32_done + add \$8,$len # restore real remainig $len + jz .Lctr32_done # done if ($len==0) lea -0x80($key),$key .Lctr32_tail: + # note that at this point $inout0..5 are populated with + # counter values xor-ed with 0-round key lea 16($key),$key cmp \$4,$len jb .Lctr32_loop3 je .Lctr32_loop4 + # if ($len>4) compute 7 E(counter) shl \$4,$rounds movdqa 0x60(%rsp),$inout6 pxor $inout7,$inout7 @@ -1464,14 +1552,14 @@ $code.=<<___; $movkey 16($key),$rndkey0 aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 - lea 32-16($key,$rounds),$key + lea 32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter neg %rax aesenc $rndkey1,$inout2 - add \$16,%rax + add \$16,%rax # prepare for .Lenc_loop8_enter movups ($inp),$in0 aesenc $rndkey1,$inout3 aesenc $rndkey1,$inout4 - movups 0x10($inp),$in1 + movups 0x10($inp),$in1 # pre-load input movups 0x20($inp),$in2 aesenc $rndkey1,$inout5 aesenc $rndkey1,$inout6 @@ -1482,7 +1570,7 @@ $code.=<<___; pxor $in0,$inout0 movdqu 0x40($inp),$in0 pxor $in1,$inout1 - movdqu $inout0,($out) + movdqu $inout0,($out) # store output pxor $in2,$inout2 movdqu $inout1,0x10($out) pxor $in3,$inout3 
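Review bot: Several comments added by this patch carry typos that make them harder to search for; in this hunk `# restore real remainig $len` should read `remaining`. The same applies to `# clear regiser bank` at `.Lctr32_done`, `# calclulate tweaks^round[last]` in both XTS grand loops, `# intput^=tweak^round[0]` in the XTS decrypt loop, and `# AVX, bit no XOP` at `.L10rounds` (the 192- and 256-bit branches say `but no XOP`). None of these affects the generated code.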
@@ -1491,17 +1579,17 @@ $code.=<<___; movdqu $inout3,0x30($out) movdqu $inout4,0x40($out) cmp \$6,$len - jb .Lctr32_done + jb .Lctr32_done # $len was 5, stop store movups 0x50($inp),$in1 xorps $in1,$inout5 movups $inout5,0x50($out) - je .Lctr32_done + je .Lctr32_done # $len was 6, stop store movups 0x60($inp),$in2 xorps $in2,$inout6 movups $inout6,0x60($out) - jmp .Lctr32_done + jmp .Lctr32_done # $len was 7, stop store .align 32 .Lctr32_loop4: @@ -1515,7 +1603,7 @@ $code.=<<___; jnz .Lctr32_loop4 aesenclast $rndkey1,$inout0 aesenclast $rndkey1,$inout1 - movups ($inp),$in0 + movups ($inp),$in0 # load input movups 0x10($inp),$in1 aesenclast $rndkey1,$inout2 aesenclast $rndkey1,$inout3 @@ -1523,14 +1611,14 @@ $code.=<<___; movups 0x30($inp),$in3 xorps $in0,$inout0 - movups $inout0,($out) + movups $inout0,($out) # store output xorps $in1,$inout1 movups $inout1,0x10($out) pxor $in2,$inout2 movdqu $inout2,0x20($out) pxor $in3,$inout3 movdqu $inout3,0x30($out) - jmp .Lctr32_done + jmp .Lctr32_done # $len was 4, stop store .align 32 .Lctr32_loop3: 
@@ -1545,48 +1633,79 @@ $code.=<<___; aesenclast $rndkey1,$inout1 aesenclast $rndkey1,$inout2 - movups ($inp),$in0 + movups ($inp),$in0 # load input xorps $in0,$inout0 - movups $inout0,($out) + movups $inout0,($out) # store output cmp \$2,$len - jb .Lctr32_done + jb .Lctr32_done # $len was 1, stop store movups 0x10($inp),$in1 xorps $in1,$inout1 movups $inout1,0x10($out) - je .Lctr32_done + je .Lctr32_done # $len was 2, stop store movups 0x20($inp),$in2 xorps $in2,$inout2 - movups $inout2,0x20($out) - jmp .Lctr32_done - -.align 16 -.Lctr32_one_shortcut: - movups ($ivp),$inout0 - movups ($inp),$in0 - mov 240($key),$rounds # key->rounds -___ - &aesni_generate1("enc",$key,$rounds); -$code.=<<___; - xorps $in0,$inout0 - movups $inout0,($out) - jmp .Lctr32_done + movups $inout2,0x20($out) # $len was 3, stop store -.align 16 .Lctr32_done: + xorps %xmm0,%xmm0 # clear regiser bank + xor $key0,$key0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + movaps %xmm0,0x70(%rsp) + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + 
movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) + movaps %xmm0,0x70(%rsp) ___ $code.=<<___; lea (%rbp),%rsp @@ -1619,7 +1738,7 @@ aesni_xts_encrypt: and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) @@ -1679,7 +1798,7 @@ $code.=<<___; movaps $rndkey1,0x60(%rsp) # save round[0]^round[last] sub \$16*6,$len - jc .Lxts_enc_short + jc .Lxts_enc_short # if $len-=6*16 borrowed mov \$16+96,$rounds lea 32($key_,$rnds_),$key # end of key schedule @@ -1694,7 +1813,7 @@ $code.=<<___; movdqu `16*0`($inp),$inout0 # load input movdqa $rndkey0,$twmask movdqu `16*1`($inp),$inout1 - pxor @tweak[0],$inout0 + pxor @tweak[0],$inout0 # input^=tweak^round[0] movdqu `16*2`($inp),$inout2 pxor @tweak[1],$inout1 aesenc $rndkey1,$inout0 @@ -1713,10 +1832,10 @@ $code.=<<___; lea `16*6`($inp),$inp pxor $twmask,$inout5 - pxor $twres, at tweak[0] + pxor $twres, at tweak[0] # calclulate tweaks^round[last] aesenc $rndkey1,$inout4 pxor $twres, at tweak[1] - movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key + movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^round[last] aesenc $rndkey1,$inout5 $movkey 48($key_),$rndkey1 pxor $twres, at tweak[2] @@ -1757,7 +1876,7 @@ $code.=<<___; $movkey -80($key,%rax),$rndkey0 jnz .Lxts_enc_loop6 - movdqa (%r8),$twmask + movdqa (%r8),$twmask # start calculating next tweak movdqa $twres,$twtmp paddd $twres,$twres aesenc $rndkey1,$inout0 
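Review bot: The scrub at `.Lctr32_done` zeroes `$key0` but leaves untouched the other general-purpose registers that carried `$ctr ^ $key0`. The loop hunks earlier in this patch compute that value in `%r9d` (`.Lctr32_loop8`) and `%eax` (`.Lctr32_loop6`) before storing it to the counter slots. Because the counter is normally not secret, such a residue would still reveal the key word that `xor $key0,$key0` is meant to remove. If nothing between the loops and the epilogue overwrites them (not visible from this hunk), adding `xor %r9d,%r9d` next to `xor $key0,$key0`, and the same for `%eax`, would close the gap. The function's prologue and return sequence are outside the hunk.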
@@ -1851,15 +1970,15 @@ $code.=<<___; aesenclast `16*5`(%rsp),$inout5 pxor $twres, at tweak[5] - lea `16*6`($out),$out - movups $inout0,`-16*6`($out) # write output + lea `16*6`($out),$out # $out+=6*16 + movups $inout0,`-16*6`($out) # store 6 output blocks movups $inout1,`-16*5`($out) movups $inout2,`-16*4`($out) movups $inout3,`-16*3`($out) movups $inout4,`-16*2`($out) movups $inout5,`-16*1`($out) sub \$16*6,$len - jnc .Lxts_enc_grandloop + jnc .Lxts_enc_grandloop # loop if $len-=6*16 didn't borrow mov \$16+96,$rounds sub $rnds_,$rounds @@ -1867,34 +1986,36 @@ $code.=<<___; shr \$4,$rounds # restore original value .Lxts_enc_short: + # at the point @tweak[0..5] are populated with tweak values mov $rounds,$rnds_ # backup $rounds pxor $rndkey0, at tweak[0] - add \$16*6,$len - jz .Lxts_enc_done + add \$16*6,$len # restore real remaining $len + jz .Lxts_enc_done # done if ($len==0) pxor $rndkey0, at tweak[1] cmp \$0x20,$len - jb .Lxts_enc_one + jb .Lxts_enc_one # $len is 1*16 pxor $rndkey0, at tweak[2] - je .Lxts_enc_two + je .Lxts_enc_two # $len is 2*16 pxor $rndkey0, at tweak[3] cmp \$0x40,$len - jb .Lxts_enc_three + jb .Lxts_enc_three # $len is 3*16 pxor $rndkey0, at tweak[4] - je .Lxts_enc_four + je .Lxts_enc_four # $len is 4*16 - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # $len is 5*16 movdqu 16*1($inp),$inout1 movdqu 16*2($inp),$inout2 pxor @tweak[0],$inout0 movdqu 16*3($inp),$inout3 pxor @tweak[1],$inout1 movdqu 16*4($inp),$inout4 - lea 16*5($inp),$inp + lea 16*5($inp),$inp # $inp+=5*16 pxor @tweak[2],$inout2 pxor @tweak[3],$inout3 pxor @tweak[4],$inout4 + pxor $inout5,$inout5 call _aesni_encrypt6 
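Review bot: The added `pxor $inout5,$inout5` before `call _aesni_encrypt6` in the five-block path of `.Lxts_enc_short` has no comment, and the matching five-block path in `.Lxts_dec_short` does not appear to get the same line in this patch. Presumably it keeps the unused sixth lane from processing leftover register contents; if so, say so with `pxor $inout5,$inout5 # 6th lane is unused, feed it zeros`. Please also confirm whether the decrypt side needs the same treatment, since the lines between its hunks are not visible here.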
@@ -1902,35 +2023,35 @@ $code.=<<___; movdqa @tweak[5], at tweak[0] xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 5 output blocks xorps @tweak[3],$inout3 movdqu $inout1,16*1($out) xorps @tweak[4],$inout4 movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) movdqu $inout4,16*4($out) - lea 16*5($out),$out + lea 16*5($out),$out # $out+=5*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_one: movups ($inp),$inout0 - lea 16*1($inp),$inp + lea 16*1($inp),$inp # inp+=1*16 xorps @tweak[0],$inout0 ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[1], at tweak[0] - movups $inout0,($out) - lea 16*1($out),$out + movups $inout0,($out) # store one output block + lea 16*1($out),$out # $out+=1*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_two: movups ($inp),$inout0 movups 16($inp),$inout1 - lea 32($inp),$inp + lea 32($inp),$inp # $inp+=2*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 @@ -1939,9 +2060,9 @@ $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[2], at tweak[0] xorps @tweak[1],$inout1 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,16*1($out) - lea 16*2($out),$out + lea 16*2($out),$out # $out+=2*16 jmp .Lxts_enc_done .align 16 @@ -1949,7 +2070,7 @@ $code.=<<___; movups ($inp),$inout0 movups 16*1($inp),$inout1 movups 16*2($inp),$inout2 - lea 16*3($inp),$inp + lea 16*3($inp),$inp # $inp+=3*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 @@ -1960,10 +2081,10 @@ $code.=<<___; movdqa @tweak[3], at tweak[0] xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,16*1($out) movups $inout2,16*2($out) - lea 16*3($out),$out + lea 16*3($out),$out # $out+=3*16 jmp .Lxts_enc_done .align 16 
@@ -1973,7 +2094,7 @@ $code.=<<___; movups 16*2($inp),$inout2 xorps @tweak[0],$inout0 movups 16*3($inp),$inout3 - lea 16*4($inp),$inp + lea 16*4($inp),$inp # $inp+=4*16 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 xorps @tweak[3],$inout3 @@ -1984,17 +2105,17 @@ $code.=<<___; movdqa @tweak[4], at tweak[0] pxor @tweak[1],$inout1 pxor @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 4 output blocks pxor @tweak[3],$inout3 movdqu $inout1,16*1($out) movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) - lea 16*4($out),$out + lea 16*4($out),$out # $out+=4*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_done: - and \$15,$len_ + and \$15,$len_ # see if $len%16 is 0 jz .Lxts_enc_ret mov $len_,$len 
@@ -2021,18 +2142,60 @@ $code.=<<___; movups $inout0,-16($out) .Lxts_enc_ret: + xorps %xmm0,%xmm0 # clear register bank + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) ___ $code.=<<___; lea (%rbp),%rsp @@ -2053,7 +2216,7 @@ aesni_xts_decrypt: and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) @@ -2116,7 +2279,7 @@ $code.=<<___; movaps $rndkey1,0x60(%rsp) # save round[0]^round[last] sub \$16*6,$len - jc .Lxts_dec_short + jc .Lxts_dec_short # if $len-=6*16 borrowed mov \$16+96,$rounds lea 32($key_,$rnds_),$key # end of key schedule 
@@ -2131,7 +2294,7 @@ $code.=<<___; movdqu `16*0`($inp),$inout0 # load input movdqa $rndkey0,$twmask movdqu `16*1`($inp),$inout1 - pxor @tweak[0],$inout0 + pxor @tweak[0],$inout0 # intput^=tweak^round[0] movdqu `16*2`($inp),$inout2 pxor @tweak[1],$inout1 aesdec $rndkey1,$inout0 @@ -2150,7 +2313,7 @@ $code.=<<___; lea `16*6`($inp),$inp pxor $twmask,$inout5 - pxor $twres, at tweak[0] + pxor $twres, at tweak[0] # calclulate tweaks^round[last] aesdec $rndkey1,$inout4 pxor $twres, at tweak[1] movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key @@ -2194,7 +2357,7 @@ $code.=<<___; $movkey -80($key,%rax),$rndkey0 jnz .Lxts_dec_loop6 - movdqa (%r8),$twmask + movdqa (%r8),$twmask # start calculating next tweak movdqa $twres,$twtmp paddd $twres,$twres aesdec $rndkey1,$inout0 @@ -2288,15 +2451,15 @@ $code.=<<___; aesdeclast `16*5`(%rsp),$inout5 pxor $twres, at tweak[5] - lea `16*6`($out),$out - movups $inout0,`-16*6`($out) # write output + lea `16*6`($out),$out # $out+=6*16 + movups $inout0,`-16*6`($out) # store 6 output blocks movups $inout1,`-16*5`($out) movups $inout2,`-16*4`($out) movups $inout3,`-16*3`($out) movups $inout4,`-16*2`($out) movups $inout5,`-16*1`($out) sub \$16*6,$len - jnc .Lxts_dec_grandloop + jnc .Lxts_dec_grandloop # loop if $len-=6*16 didn't borrow mov \$16+96,$rounds sub $rnds_,$rounds 
@@ -2304,31 +2467,32 @@ $code.=<<___; shr \$4,$rounds # restore original value .Lxts_dec_short: + # at the point @tweak[0..5] are populated with tweak values mov $rounds,$rnds_ # backup $rounds pxor $rndkey0, at tweak[0] pxor $rndkey0, at tweak[1] - add \$16*6,$len - jz .Lxts_dec_done + add \$16*6,$len # restore real remaining $len + jz .Lxts_dec_done # done if ($len==0) pxor $rndkey0, at tweak[2] cmp \$0x20,$len - jb .Lxts_dec_one + jb .Lxts_dec_one # $len is 1*16 pxor $rndkey0, at tweak[3] - je .Lxts_dec_two + je .Lxts_dec_two # $len is 2*16 pxor $rndkey0, at tweak[4] cmp \$0x40,$len - jb .Lxts_dec_three - je .Lxts_dec_four + jb .Lxts_dec_three # $len is 3*16 + je .Lxts_dec_four # $len is 4*16 - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # $len is 5*16 movdqu 16*1($inp),$inout1 movdqu 16*2($inp),$inout2 pxor @tweak[0],$inout0 movdqu 16*3($inp),$inout3 pxor @tweak[1],$inout1 movdqu 16*4($inp),$inout4 - lea 16*5($inp),$inp + lea 16*5($inp),$inp # $inp+=5*16 pxor @tweak[2],$inout2 pxor @tweak[3],$inout3 pxor @tweak[4],$inout4 @@ -2338,7 +2502,7 @@ $code.=<<___; xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 5 output blocks xorps @tweak[3],$inout3 movdqu $inout1,16*1($out) xorps @tweak[4],$inout4 @@ -2347,7 +2511,7 @@ $code.=<<___; movdqu $inout3,16*3($out) pcmpgtd @tweak[5],$twtmp movdqu $inout4,16*4($out) - lea 16*5($out),$out + lea 16*5($out),$out # $out+=5*16 pshufd \$0x13,$twtmp, at tweak[1] # $twres and \$15,$len_ jz .Lxts_dec_ret 
@@ -2361,23 +2525,23 @@ $code.=<<___; .align 16 .Lxts_dec_one: movups ($inp),$inout0 - lea 16*1($inp),$inp + lea 16*1($inp),$inp # $inp+=1*16 xorps @tweak[0],$inout0 ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[1], at tweak[0] - movups $inout0,($out) + movups $inout0,($out) # store one output block movdqa @tweak[2], at tweak[1] - lea 16*1($out),$out + lea 16*1($out),$out # $out+=1*16 jmp .Lxts_dec_done .align 16 .Lxts_dec_two: movups ($inp),$inout0 movups 16($inp),$inout1 - lea 32($inp),$inp + lea 32($inp),$inp # $inp+=2*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 @@ -2387,9 +2551,9 @@ $code.=<<___; movdqa @tweak[2], at tweak[0] xorps @tweak[1],$inout1 movdqa @tweak[3], at tweak[1] - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,16*1($out) - lea 16*2($out),$out + lea 16*2($out),$out # $out+=2*16 jmp .Lxts_dec_done .align 16 @@ -2397,7 +2561,7 @@ $code.=<<___; movups ($inp),$inout0 movups 16*1($inp),$inout1 movups 16*2($inp),$inout2 - lea 16*3($inp),$inp + lea 16*3($inp),$inp # $inp+=3*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 @@ -2409,10 +2573,10 @@ $code.=<<___; xorps @tweak[1],$inout1 movdqa @tweak[4], at tweak[1] xorps @tweak[2],$inout2 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,16*1($out) movups $inout2,16*2($out) - lea 16*3($out),$out + lea 16*3($out),$out # $out+=3*16 jmp .Lxts_dec_done .align 16 @@ -2422,7 +2586,7 @@ $code.=<<___; movups 16*2($inp),$inout2 xorps @tweak[0],$inout0 movups 16*3($inp),$inout3 - lea 16*4($inp),$inp + lea 16*4($inp),$inp # $inp+=4*16 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 xorps @tweak[3],$inout3 
@@ -2434,17 +2598,17 @@ $code.=<<___; pxor @tweak[1],$inout1 movdqa @tweak[5], at tweak[1] pxor @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 4 output blocks pxor @tweak[3],$inout3 movdqu $inout1,16*1($out) movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) - lea 16*4($out),$out + lea 16*4($out),$out # $out+=4*16 jmp .Lxts_dec_done .align 16 .Lxts_dec_done: - and \$15,$len_ + and \$15,$len_ # see if $len%16 is 0 jz .Lxts_dec_ret .Lxts_dec_done2: mov $len_,$len @@ -2482,18 +2646,60 @@ $code.=<<___; movups $inout0,($out) .Lxts_dec_ret: + xorps %xmm0,%xmm0 # clear register bank + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) ___ $code.=<<___; lea (%rbp),%rsp 
@@ -2548,7 +2754,11 @@ $code.=<<___; jnc .Lcbc_enc_loop add \$16,$len jnz .Lcbc_enc_tail + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($ivp) + pxor $inout0,$inout0 + pxor $inout1,$inout1 jmp .Lcbc_ret .Lcbc_enc_tail: @@ -2568,6 +2778,27 @@ $code.=<<___; #--------------------------- CBC DECRYPT ------------------------------# .align 16 .Lcbc_decrypt: + cmp \$16,$len + jne .Lcbc_decrypt_bulk + + # handle single block without allocating stack frame, + # useful in ciphertext stealing mode + movdqu ($inp),$inout0 # load input + movdqu ($ivp),$inout1 # load iv + movdqa $inout0,$inout2 # future iv +___ + &aesni_generate1("dec",$key,$rnds_); +$code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + movdqu $inout2,($ivp) # store iv + xorps $inout1,$inout0 # ^=iv + pxor $inout1,$inout1 + movups $inout0,($out) # store output + pxor $inout0,$inout0 + jmp .Lcbc_ret +.align 16 +.Lcbc_decrypt_bulk: lea (%rsp),%rax push %rbp sub \$$frame_size,%rsp @@ -2609,11 +2840,11 @@ $code.=<<___; cmp \$0x70,$len jbe .Lcbc_dec_six_or_seven - and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE - sub \$0x50,$len + and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE + sub \$0x50,$len # $len is biased by -5*16 cmp \$`1<<22`,%r9d # check for MOVBE without XSAVE - je .Lcbc_dec_loop6_enter - sub \$0x20,$len + je .Lcbc_dec_loop6_enter # [which denotes Atom Silvermont] + sub \$0x20,$len # $len is biased by -7*16 lea 0x70($key),$key # size optimization jmp .Lcbc_dec_loop8_enter .align 16 @@ -2740,7 +2971,7 @@ $code.=<<___; movaps $inout7,$inout0 lea -0x70($key),$key add \$0x70,$len - jle .Lcbc_dec_tail_collected + jle .Lcbc_dec_clear_tail_collected movups $inout7,($out) lea 0x10($out),$out cmp \$0x50,$len 
@@ -2759,14 +2990,19 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 pxor $in4,$inout5 movdqu $inout4,0x40($out) + pxor $inout4,$inout4 lea 0x50($out),$out movdqa $inout5,$inout0 + pxor $inout5,$inout5 jmp .Lcbc_dec_tail_collected .align 16 @@ -2781,16 +3017,23 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 pxor $in4,$inout5 movdqu $inout4,0x40($out) + pxor $inout4,$inout4 pxor $inout7,$inout6 movdqu $inout5,0x50($out) + pxor $inout5,$inout5 lea 0x60($out),$out movdqa $inout6,$inout0 + pxor $inout6,$inout6 + pxor $inout7,$inout7 jmp .Lcbc_dec_tail_collected .align 16 @@ -2834,31 +3077,31 @@ $code.=<<___; movdqa $inout5,$inout0 add \$0x50,$len - jle .Lcbc_dec_tail_collected + jle .Lcbc_dec_clear_tail_collected movups $inout5,($out) lea 0x10($out),$out .Lcbc_dec_tail: movups ($inp),$inout0 sub \$0x10,$len - jbe .Lcbc_dec_one + jbe .Lcbc_dec_one # $len is 1*16 or less movups 0x10($inp),$inout1 movaps $inout0,$in0 sub \$0x10,$len - jbe .Lcbc_dec_two + jbe .Lcbc_dec_two # $len is 2*16 or less movups 0x20($inp),$inout2 movaps $inout1,$in1 sub \$0x10,$len - jbe .Lcbc_dec_three + jbe .Lcbc_dec_three # $len is 3*16 or less movups 0x30($inp),$inout3 movaps $inout2,$in2 sub \$0x10,$len - jbe .Lcbc_dec_four + jbe .Lcbc_dec_four # $len is 4*16 or less - movups 0x40($inp),$inout4 + movups 0x40($inp),$inout4 # $len is 5*16 or less movaps $inout3,$in3 movaps $inout4,$in4 xorps $inout5,$inout5 
@@ -2869,12 +3112,17 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 lea 0x40($out),$out movdqa $inout4,$inout0 + pxor $inout4,$inout4 + pxor $inout5,$inout5 sub \$0x10,$len jmp .Lcbc_dec_tail_collected @@ -2896,6 +3144,7 @@ $code.=<<___; pxor $in0,$inout1 movdqu $inout0,($out) movdqa $inout1,$inout0 + pxor $inout1,$inout1 # clear register bank lea 0x10($out),$out jmp .Lcbc_dec_tail_collected .align 16 @@ -2908,7 +3157,9 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank movdqa $inout2,$inout0 + pxor $inout2,$inout2 lea 0x20($out),$out jmp .Lcbc_dec_tail_collected .align 16 
@@ -2921,41 +3172,71 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 movdqa $inout3,$inout0 + pxor $inout3,$inout3 lea 0x30($out),$out jmp .Lcbc_dec_tail_collected .align 16 +.Lcbc_dec_clear_tail_collected: + pxor $inout1,$inout1 # clear register bank + pxor $inout2,$inout2 + pxor $inout3,$inout3 +___ +$code.=<<___ if (!$win64); + pxor $inout4,$inout4 # %xmm6..9 + pxor $inout5,$inout5 + pxor $inout6,$inout6 + pxor $inout7,$inout7 +___ +$code.=<<___; .Lcbc_dec_tail_collected: movups $iv,($ivp) and \$15,$len jnz .Lcbc_dec_tail_partial movups $inout0,($out) + pxor $inout0,$inout0 jmp .Lcbc_dec_ret .align 16 .Lcbc_dec_tail_partial: movaps $inout0,(%rsp) + pxor $inout0,$inout0 mov \$16,%rcx mov $out,%rdi sub $len,%rcx lea (%rsp),%rsi - .long 0x9066A4F3 # rep movsb + .long 0x9066A4F3 # rep movsb + movdqa $inout0,(%rsp) .Lcbc_dec_ret: + xorps $rndkey0,$rndkey0 # %xmm0 + pxor $rndkey1,$rndkey1 ___ $code.=<<___ if ($win64); movaps 0x10(%rsp),%xmm6 + movaps %xmm0,0x10(%rsp) # clear stack movaps 0x20(%rsp),%xmm7 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm8 + movaps %xmm0,0x30(%rsp) movaps 0x40(%rsp),%xmm9 + movaps %xmm0,0x40(%rsp) movaps 0x50(%rsp),%xmm10 + movaps %xmm0,0x50(%rsp) movaps 0x60(%rsp),%xmm11 + movaps %xmm0,0x60(%rsp) movaps 0x70(%rsp),%xmm12 + movaps %xmm0,0x70(%rsp) movaps 0x80(%rsp),%xmm13 + movaps %xmm0,0x80(%rsp) movaps 0x90(%rsp),%xmm14 + movaps %xmm0,0x90(%rsp) movaps 0xa0(%rsp),%xmm15 + movaps %xmm0,0xa0(%rsp) ___ $code.=<<___; lea (%rbp),%rsp 
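Review bot: In `.Lcbc_dec_tail_partial` the new `movdqa $inout0,(%rsp)` after the `rep movsb` is the store that wipes the output block spilled to the stack, but it reads like a second spill because it depends on the `pxor $inout0,$inout0` a few lines earlier. A comment would protect it from being reordered or dropped as redundant: `movdqa $inout0,(%rsp) # clear stack, $inout0 was zeroed above`. The non-Win64 build gets no other stack scrub in `.Lcbc_dec_ret`, so anything else the frame holds on that path would stay in place. The frame setup is outside this hunk, so that part needs checking against the full function.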
@@ -2965,8 +3246,15 @@ $code.=<<___; .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt ___ } -# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey, +# int ${PREFIX}_set_decrypt_key(const unsigned char *inp, # int bits, AES_KEY *key) +# +# input: $inp user-supplied key +# $bits $inp length in bits +# $key pointer to key schedule +# output: %eax 0 denoting success, -1 or -2 - failure (see C) +# *$key key schedule +# { my ($inp,$bits,$key) = @_4args; $bits =~ s/%r/%e/; @@ -3003,7 +3291,9 @@ ${PREFIX}_set_decrypt_key: $movkey ($key),%xmm0 # inverse middle aesimc %xmm0,%xmm0 + pxor %xmm1,%xmm1 $movkey %xmm0,($inp) + pxor %xmm0,%xmm0 .Ldec_key_ret: add \$8,%rsp ret @@ -3020,6 +3310,22 @@ ___ # Agressively optimized in respect to aeskeygenassist's critical path # and is contained in %xmm0-5 to meet Win64 ABI requirement. # +# int ${PREFIX}_set_encrypt_key(const unsigned char *inp, +# int bits, AES_KEY * const key); +# +# input: $inp user-supplied key +# $bits $inp length in bits +# $key pointer to key schedule +# output: %eax 0 denoting success, -1 or -2 - failure (see C) +# $bits rounds-1 (used in aesni_set_decrypt_key) +# *$key key schedule +# $key pointer to key schedule (used in +# aesni_set_decrypt_key) +# +# Subroutine is frame-less, which means that only volatile registers +# are used. Note that it's declared "abi-omnipotent", which means that +# amount of volatile registers is smaller on Windows. +# $code.=<<___; .globl ${PREFIX}_set_encrypt_key .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent @@ -3033,9 +3339,11 @@ __aesni_set_encrypt_key: test $key,$key jz .Lenc_key_ret + mov \$`1<<28|1<<11`,%r10d # AVX and XOP bits movups ($inp),%xmm0 # pull first 128 bits of *userKey xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0 - lea 16($key),%rax + and OPENSSL_ia32cap_P+4(%rip),%r10d + lea 16($key),%rax # %rax is used as modifiable copy of $key cmp \$256,$bits je .L14rounds cmp \$192,$bits 
@@ -3045,6 +3353,9 @@ __aesni_set_encrypt_key: .L10rounds: mov \$9,$bits # 10 rounds for 128-bit key + cmp \$`1<<28`,%r10d # AVX, bit no XOP + je .L10rounds_alt + $movkey %xmm0,($key) # round 0 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1 call .Lkey_expansion_128_cold @@ -3072,9 +3383,79 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L10rounds_alt: + movdqa .Lkey_rotate(%rip),%xmm5 + mov \$8,%r10d + movdqa .Lkey_rcon1(%rip),%xmm4 + movdqa %xmm0,%xmm2 + movdqu %xmm0,($key) + jmp .Loop_key128 + +.align 16 +.Loop_key128: + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + pslld \$1,%xmm4 + lea 16(%rax),%rax + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,-16(%rax) + movdqa %xmm0,%xmm2 + + dec %r10d + jnz .Loop_key128 + + movdqa .Lkey_rcon1b(%rip),%xmm4 + + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + pslld \$1,%xmm4 + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,(%rax) + + movdqa %xmm0,%xmm2 + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,16(%rax) + + mov $bits,96(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .L12rounds: movq 16($inp),%xmm2 # remaining 1/3 of *userKey mov \$11,$bits # 12 rounds for 192 + cmp \$`1<<28`,%r10d # AVX, but no XOP + je .L12rounds_alt + $movkey %xmm0,($key) # round 0 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2 call .Lkey_expansion_192a_cold 
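Review bot: The new `.L10rounds_alt`/`.Loop_key128` key schedule carries almost no comments, unlike the `aeskeygenassist` path above it, which labels each round. Going by the `.Lkey_rotate` mask (`0x0c0f0e0d` in every lane), `pshufb %xmm5,%xmm0` broadcasts the rotated last word, and `aesenclast %xmm4,%xmm0` then applies the S-box and xors in the round constant held in `%xmm4`, which `pslld \$1,%xmm4` doubles for the next round. The `pslldq`/`pxor` chain builds the running xor of the previous round key's words. One-line comments to that effect would make the schedule reviewable, along with a note that the two unrolled rounds after the loop use `.Lkey_rcon1b` (0x1b, then 0x36). The same goes for `.Loop_key192` and `.Loop_key256` in the following hunks. The enclosing `__aesni_set_encrypt_key` starts outside this hunk.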
@@ -3098,10 +3479,54 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L12rounds_alt: + movdqa .Lkey_rotate192(%rip),%xmm5 + movdqa .Lkey_rcon1(%rip),%xmm4 + mov \$8,%r10d + movdqu %xmm0,($key) + jmp .Loop_key192 + +.align 16 +.Loop_key192: + movq %xmm2,0(%rax) + movdqa %xmm2,%xmm1 + pshufb %xmm5,%xmm2 + aesenclast %xmm4,%xmm2 + pslld \$1, %xmm4 + lea 24(%rax),%rax + + movdqa %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm3,%xmm0 + + pshufd \$0xff,%xmm0,%xmm3 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + + pxor %xmm2,%xmm0 + pxor %xmm3,%xmm2 + movdqu %xmm0,-16(%rax) + + dec %r10d + jnz .Loop_key192 + + mov $bits,32(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .L14rounds: movups 16($inp),%xmm2 # remaning half of *userKey mov \$13,$bits # 14 rounds for 256 lea 16(%rax),%rax + cmp \$`1<<28`,%r10d # AVX, but no XOP + je .L14rounds_alt + $movkey %xmm0,($key) # round 0 $movkey %xmm2,16($key) # round 1 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2 
@@ -3136,9 +3561,69 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L14rounds_alt: + movdqa .Lkey_rotate(%rip),%xmm5 + movdqa .Lkey_rcon1(%rip),%xmm4 + mov \$7,%r10d + movdqu %xmm0,0($key) + movdqa %xmm2,%xmm1 + movdqu %xmm2,16($key) + jmp .Loop_key256 + +.align 16 +.Loop_key256: + pshufb %xmm5,%xmm2 + aesenclast %xmm4,%xmm2 + + movdqa %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm3,%xmm0 + pslld \$1,%xmm4 + + pxor %xmm2,%xmm0 + movdqu %xmm0,(%rax) + + dec %r10d + jz .Ldone_key256 + + pshufd \$0xff,%xmm0,%xmm2 + pxor %xmm3,%xmm3 + aesenclast %xmm3,%xmm2 + + movdqa %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm3,%xmm1 + + pxor %xmm1,%xmm2 + movdqu %xmm2,16(%rax) + lea 32(%rax),%rax + movdqa %xmm2,%xmm1 + + jmp .Loop_key256 + +.Ldone_key256: + mov $bits,16(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .Lbad_keybits: mov \$-2,%rax .Lenc_key_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 add \$8,%rsp ret .LSEH_end_set_encrypt_key: @@ -3228,6 +3713,14 @@ $code.=<<___; .long 0x87,0,1,0 .Lincrement1: .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 +.Lkey_rotate: + .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d +.Lkey_rotate192: + .long 0x04070605,0x04070605,0x04070605,0x04070605 +.Lkey_rcon1: + .long 1,1,1,1 +.Lkey_rcon1b: + .long 0x1b,0x1b,0x1b,0x1b .asciz "AES for Intel AES-NI, CRYPTOGAMS by " .align 64 @@ -3345,7 +3838,7 @@ cbc_se_handler: mov 152($context),%rax # pull context->Rsp mov 248($context),%rbx # pull context->Rip - lea .Lcbc_decrypt(%rip),%r10 + lea .Lcbc_decrypt_bulk(%rip),%r10 cmp %r10,%rbx # context->Rip<"prologue" label jb .Lcommon_seh_tail From appro at openssl.org Mon Apr 20 13:44:50 2015 
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 13:44:50 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429537490.097574.9413.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via e95e22af50fdb433b074c663693a2b94db74ce87 (commit) from 47daa155a31b0a54ce09ad2ed4d55fad74096dab (commit) - Log ----------------------------------------------------------------- commit e95e22af50fdb433b074c663693a2b94db74ce87 Author: Andy Polyakov Date: Fri Jan 23 17:27:10 2015 +0100 aes/asm/aesni-x86[_64].pl update. This addresses - request for improvement for faster key setup in RT#3576; - clearing registers and stack in RT#3554 (this is more of a gesture to see if there will be some traction from compiler side); - more commentary around input parameters handling and stack layout (desired when RT#3553 was reviewed); - minor size and single block performance optimization (was lying around); Reviewed-by: Matt Caswell (cherry picked from commit 23f6eec71dbd472044db7dc854599f1de14a1f48) ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesni-x86.pl | 319 +++++++++++++- crypto/aes/asm/aesni-x86_64.pl | 945 +++++++++++++++++++++++++++++++---------- 2 files changed, 1025 insertions(+), 239 deletions(-) diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl index 3deb86a..847695f 100644 --- a/crypto/aes/asm/aesni-x86.pl +++ b/crypto/aes/asm/aesni-x86.pl @@ -51,7 +51,7 @@ # Westmere 3.77/1.37 1.37 1.52 1.27 # * Bridge 5.07/0.98 0.99 1.09 0.91 # Haswell 4.44/0.80 0.97 1.03 0.72 -# Atom 5.77/3.56 3.67 4.03 3.46 +# Silvermont 5.77/3.56 3.67 4.03 3.46 # Bulldozer 5.80/0.98 1.05 1.24 0.93 $PREFIX="aesni"; # if $PREFIX is set to "AES", the script 
@@ -65,6 +65,9 @@ require "x86asm.pl"; &asm_init($ARGV[0],$0); +&external_label("OPENSSL_ia32cap_P"); +&static_label("key_const"); + if ($PREFIX eq "aesni") { $movekey=\&movups; } else { $movekey=\&movups; } @@ -181,7 +184,10 @@ sub aesni_generate1 # fully unrolled loop { &aesni_inline_generate1("enc"); } else { &call ("_aesni_encrypt1"); } + &pxor ($rndkey0,$rndkey0); # clear register bank + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,"eax"),$inout0); + &pxor ($inout0,$inout0); &ret (); &function_end_B("${PREFIX}_encrypt"); @@ -197,7 +203,10 @@ sub aesni_generate1 # fully unrolled loop { &aesni_inline_generate1("dec"); } else { &call ("_aesni_decrypt1"); } + &pxor ($rndkey0,$rndkey0); # clear register bank + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,"eax"),$inout0); + &pxor ($inout0,$inout0); &ret (); &function_end_B("${PREFIX}_decrypt"); @@ -349,17 +358,15 @@ sub aesni_generate6 &neg ($rounds); eval"&aes${p} ($inout2,$rndkey1)"; &pxor ($inout5,$rndkey0); + &$movekey ($rndkey0,&QWP(0,$key,$rounds)); &add ($rounds,16); - eval"&aes${p} ($inout3,$rndkey1)"; - eval"&aes${p} ($inout4,$rndkey1)"; - eval"&aes${p} ($inout5,$rndkey1)"; - &$movekey ($rndkey0,&QWP(-16,$key,$rounds)); - &jmp (&label("_aesni_${p}rypt6_enter")); + &jmp (&label("_aesni_${p}rypt6_inner")); &set_label("${p}6_loop",16); eval"&aes${p} ($inout0,$rndkey1)"; eval"&aes${p} ($inout1,$rndkey1)"; eval"&aes${p} ($inout2,$rndkey1)"; + &set_label("_aesni_${p}rypt6_inner"); eval"&aes${p} ($inout3,$rndkey1)"; eval"&aes${p} ($inout4,$rndkey1)"; eval"&aes${p} ($inout5,$rndkey1)"; @@ -615,6 +622,14 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0x30,$out),$inout3); &set_label("ecb_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ecb_encrypt"); ###################################################################### 
@@ -704,6 +719,15 @@ if ($PREFIX eq "aesni") { &mov ("esp",&DWP(48,"esp")); &mov ($out,&wparam(5)); &movups (&QWP(0,$out),$cmac); + + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ccm64_encrypt_blocks"); &function_begin("aesni_ccm64_decrypt_blocks"); @@ -804,6 +828,15 @@ if ($PREFIX eq "aesni") { &mov ("esp",&DWP(48,"esp")); &mov ($out,&wparam(5)); &movups (&QWP(0,$out),$cmac); + + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &pxor ("xmm6","xmm6"); + &pxor ("xmm7","xmm7"); &function_end("aesni_ccm64_decrypt_blocks"); } @@ -1053,6 +1086,17 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0x30,$out),$inout3); &set_label("ctr32_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(32,"esp"),"xmm0"); # clear stack + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(48,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(64,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); &mov ("esp",&DWP(80,"esp")); &function_end("aesni_ctr32_encrypt_blocks"); 
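Review bot: The `ctr32_ret` epilogue zeroes the stack slots at offsets 32, 48 and 64 but leaves 0 and 16 untouched, whereas the XTS epilogues later in this diff clear every slot from `16*0` to `16*5`. The frame is laid out outside this hunk, so it is not visible here whether the first two slots hold only constants. Either a comment on the first store, for example `# clear stack (slots 0 and 16 hold no key or data material)`, or two more `&movdqa` stores would settle that for the reader.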
@@ -1394,6 +1438,20 @@ if ($PREFIX eq "aesni") { &movups (&QWP(-16,$out),$inout0); # write output &set_label("xts_enc_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack + &pxor ("xmm3","xmm3"); + &movdqa (&QWP(16*1,"esp"),"xmm0"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(16*2,"esp"),"xmm0"); + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(16*3,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(16*4,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); + &movdqa (&QWP(16*5,"esp"),"xmm0"); &mov ("esp",&DWP(16*7+4,"esp")); # restore %esp &function_end("aesni_xts_encrypt"); @@ -1756,6 +1814,20 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0,$out),$inout0); # write output &set_label("xts_dec_ret"); + &pxor ("xmm0","xmm0"); # clear register bank + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &movdqa (&QWP(16*0,"esp"),"xmm0"); # clear stack + &pxor ("xmm3","xmm3"); + &movdqa (&QWP(16*1,"esp"),"xmm0"); + &pxor ("xmm4","xmm4"); + &movdqa (&QWP(16*2,"esp"),"xmm0"); + &pxor ("xmm5","xmm5"); + &movdqa (&QWP(16*3,"esp"),"xmm0"); + &pxor ("xmm6","xmm6"); + &movdqa (&QWP(16*4,"esp"),"xmm0"); + &pxor ("xmm7","xmm7"); + &movdqa (&QWP(16*5,"esp"),"xmm0"); &mov ("esp",&DWP(16*7+4,"esp")); # restore %esp &function_end("aesni_xts_decrypt"); } @@ -1808,6 +1880,7 @@ if ($PREFIX eq "aesni") { &add ($len,16); &jnz (&label("cbc_enc_tail")); &movaps ($ivec,$inout0); + &pxor ($inout0,$inout0); &jmp (&label("cbc_ret")); &set_label("cbc_enc_tail"); @@ -1871,7 +1944,7 @@ if ($PREFIX eq "aesni") { &movaps ($inout0,$inout5); &movaps ($ivec,$rndkey0); &add ($len,0x50); - &jle (&label("cbc_dec_tail_collected")); + &jle (&label("cbc_dec_clear_tail_collected")); &movups (&QWP(0,$out),$inout0); &lea ($out,&DWP(0x10,$out)); &set_label("cbc_dec_tail"); 
@@ -1910,10 +1983,14 @@ if ($PREFIX eq "aesni") { &xorps ($inout4,$rndkey0); &movups (&QWP(0,$out),$inout0); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &movups (&QWP(0x20,$out),$inout2); + &pxor ($inout2,$inout2); &movups (&QWP(0x30,$out),$inout3); + &pxor ($inout3,$inout3); &lea ($out,&DWP(0x40,$out)); &movaps ($inout0,$inout4); + &pxor ($inout4,$inout4); &sub ($len,0x50); &jmp (&label("cbc_dec_tail_collected")); @@ -1933,6 +2010,7 @@ if ($PREFIX eq "aesni") { &xorps ($inout1,$in0); &movups (&QWP(0,$out),$inout0); &movaps ($inout0,$inout1); + &pxor ($inout1,$inout1); &lea ($out,&DWP(0x10,$out)); &movaps ($ivec,$in1); &sub ($len,0x20); @@ -1945,7 +2023,9 @@ if ($PREFIX eq "aesni") { &xorps ($inout2,$in1); &movups (&QWP(0,$out),$inout0); &movaps ($inout0,$inout2); + &pxor ($inout2,$inout2); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &lea ($out,&DWP(0x20,$out)); &movups ($ivec,&QWP(0x20,$inp)); &sub ($len,0x30); 
@@ -1961,29 +2041,44 @@ if ($PREFIX eq "aesni") { &movups (&QWP(0,$out),$inout0); &xorps ($inout2,$rndkey1); &movups (&QWP(0x10,$out),$inout1); + &pxor ($inout1,$inout1); &xorps ($inout3,$rndkey0); &movups (&QWP(0x20,$out),$inout2); + &pxor ($inout2,$inout2); &lea ($out,&DWP(0x30,$out)); &movaps ($inout0,$inout3); + &pxor ($inout3,$inout3); &sub ($len,0x40); + &jmp (&label("cbc_dec_tail_collected")); +&set_label("cbc_dec_clear_tail_collected",16); + &pxor ($inout1,$inout1); + &pxor ($inout2,$inout2); + &pxor ($inout3,$inout3); + &pxor ($inout4,$inout4); &set_label("cbc_dec_tail_collected"); &and ($len,15); &jnz (&label("cbc_dec_tail_partial")); &movups (&QWP(0,$out),$inout0); + &pxor ($rndkey0,$rndkey0); &jmp (&label("cbc_ret")); &set_label("cbc_dec_tail_partial",16); &movaps (&QWP(0,"esp"),$inout0); + &pxor ($rndkey0,$rndkey0); &mov ("ecx",16); &mov ($inp,"esp"); &sub ("ecx",$len); &data_word(0xA4F3F689); # rep movsb + &movdqa (&QWP(0,"esp"),$inout0); &set_label("cbc_ret"); &mov ("esp",&DWP(16,"esp")); # pull original %esp &mov ($key_,&wparam(4)); + &pxor ($inout0,$inout0); + &pxor ($rndkey1,$rndkey1); &movups (&QWP(0,$key_),$ivec); # output IV + &pxor ($ivec,$ivec); &set_label("cbc_abort"); &function_end("${PREFIX}_cbc_encrypt"); @@ -2000,14 +2095,24 @@ if ($PREFIX eq "aesni") { # $round rounds &function_begin_B("_aesni_set_encrypt_key"); + &push ("ebp"); + &push ("ebx"); &test ("eax","eax"); &jz (&label("bad_pointer")); &test ($key,$key); &jz (&label("bad_pointer")); + &call (&label("pic")); +&set_label("pic"); + &blindpop("ebx"); + &lea ("ebx",&DWP(&label("key_const")."-".&label("pic"),"ebx")); + + &picmeup("ebp","OPENSSL_ia32cap_P","ebx",&label("key_const")); &movups ("xmm0",&QWP(0,"eax")); # pull first 128 bits of *userKey &xorps ("xmm4","xmm4"); # low dword of xmm4 is assumed 0 + &mov ("ebp",&DWP(4,"ebp")); &lea ($key,&DWP(16,$key)); + &and ("ebp",1<<28|1<<11); # AVX and XOP bits &cmp ($rounds,256); &je (&label("14rounds")); &cmp ($rounds,192); 
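Review bot: In `cbc_dec_tail_partial` the added `&movdqa (&QWP(0,"esp"),$inout0);` after `rep movsb` looks intended to scrub the stack copy of the last block, but `$inout0` still holds that block at this point; it is only zeroed by the `&pxor ($inout0,$inout0);` added under `cbc_ret`. As written, the store puts the same decrypted data back on the stack. `$rndkey0` was zeroed a few lines earlier by the added `&pxor ($rndkey0,$rndkey0);`, so `&movdqa (&QWP(0,"esp"),$rndkey0);` would clear the slot. The function starts outside this hunk, so this assumes `$inout0` and `$rndkey0` are distinct registers, as their separate `pxor` lines suggest.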
@@ -2016,6 +2121,9 @@ if ($PREFIX eq "aesni") { &jne (&label("bad_keybits")); &set_label("10rounds",16); + &cmp ("ebp",1<<28); + &je (&label("10rounds_alt")); + &mov ($rounds,9); &$movekey (&QWP(-16,$key),"xmm0"); # round 0 &aeskeygenassist("xmm1","xmm0",0x01); # round 1 @@ -2040,8 +2148,8 @@ if ($PREFIX eq "aesni") { &call (&label("key_128")); &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(80,$key),$rounds); - &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_128",16); &$movekey (&QWP(0,$key),"xmm0"); 
@@ -2055,8 +2163,76 @@ if ($PREFIX eq "aesni") { &xorps ("xmm0","xmm1"); &ret(); +&set_label("10rounds_alt",16); + &movdqa ("xmm5",&QWP(0x00,"ebx")); + &mov ($rounds,8); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &movdqa ("xmm2","xmm0"); + &movdqu (&DWP(-16,$key),"xmm0"); + +&set_label("loop_key128"); + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + &pslld ("xmm4",1); + &lea ($key,&DWP(16,$key)); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(-16,$key),"xmm0"); + &movdqa ("xmm2","xmm0"); + + &dec ($rounds); + &jnz (&label("loop_key128")); + + &movdqa ("xmm4",&QWP(0x30,"ebx")); + + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + &pslld ("xmm4",1); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(0,$key),"xmm0"); + + &movdqa ("xmm2","xmm0"); + &pshufb ("xmm0","xmm5"); + &aesenclast ("xmm0","xmm4"); + + &movdqa ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm3","xmm2"); + &pslldq ("xmm2",4); + &pxor ("xmm2","xmm3"); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(16,$key),"xmm0"); + + &mov ($rounds,9); + &mov (&DWP(96,$key),$rounds); + + &jmp (&label("good_key")); + &set_label("12rounds",16); &movq ("xmm2",&QWP(16,"eax")); # remaining 1/3 of *userKey + &cmp ("ebp",1<<28); + &je (&label("12rounds_alt")); + &mov ($rounds,11); &$movekey (&QWP(-16,$key),"xmm0"); # round 0 &aeskeygenassist("xmm1","xmm2",0x01); # round 1,2 @@ -2077,8 +2253,8 @@ if ($PREFIX eq "aesni") { &call (&label("key_192b")); &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(48,$key),$rounds); - &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_192a",16); &$movekey (&QWP(0,$key),"xmm0"); 
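Review bot: In `10rounds_alt` the first round-key store is written `&movdqu (&DWP(-16,$key),"xmm0");`, while the other 16-byte stores in the new code, including the matching ones in `12rounds_alt` and `14rounds_alt`, use `&QWP`. Whether the size keyword matters to each assembler back end is not visible from this page, so the line is better spelled `&movdqu (&QWP(-16,$key),"xmm0");` to match its siblings. The constants loaded from `0x00`, `0x20` and `0x30` off `ebx` would also read more easily with a trailing comment naming each row of `key_const`.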
@@ -2108,10 +2284,52 @@ if ($PREFIX eq "aesni") { &lea ($key,&DWP(32,$key)); &jmp (&label("key_192b_warm")); +&set_label("12rounds_alt",16); + &movdqa ("xmm5",&QWP(0x10,"ebx")); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &mov ($rounds,8); + &movdqu (&QWP(-16,$key),"xmm0"); + +&set_label("loop_key192"); + &movq (&QWP(0,$key),"xmm2"); + &movdqa ("xmm1","xmm2"); + &pshufb ("xmm2","xmm5"); + &aesenclast ("xmm2","xmm4"); + &pslld ("xmm4",1); + &lea ($key,&DWP(24,$key)); + + &movdqa ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm0","xmm3"); + + &pshufd ("xmm3","xmm0",0xff); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + + &pxor ("xmm0","xmm2"); + &pxor ("xmm2","xmm3"); + &movdqu (&QWP(-16,$key),"xmm0"); + + &dec ($rounds); + &jnz (&label("loop_key192")); + + &mov ($rounds,11); + &mov (&DWP(32,$key),$rounds); + + &jmp (&label("good_key")); + &set_label("14rounds",16); &movups ("xmm2",&QWP(16,"eax")); # remaining half of *userKey - &mov ($rounds,13); &lea ($key,&DWP(16,$key)); + &cmp ("ebp",1<<28); + &je (&label("14rounds_alt")); + + &mov ($rounds,13); &$movekey (&QWP(-32,$key),"xmm0"); # round 0 &$movekey (&QWP(-16,$key),"xmm2"); # round 1 &aeskeygenassist("xmm1","xmm2",0x01); # round 2 @@ -2143,7 +2361,8 @@ if ($PREFIX eq "aesni") { &$movekey (&QWP(0,$key),"xmm0"); &mov (&DWP(16,$key),$rounds); &xor ("eax","eax"); - &ret(); + + &jmp (&label("good_key")); &set_label("key_256a",16); &$movekey (&QWP(0,$key),"xmm2"); 
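Review bot: In the hunk at -2143, the 256-bit `aeskeygenassist` path keeps `&xor ("eax","eax");` directly in front of the new `&jmp (&label("good_key"));`. `good_key` zeroes `eax` itself, and the 128- and 192-bit paths had their `xor` removed along with the `ret` in the earlier hunks. Dropping the leftover line keeps the three paths parallel. The function body starts and ends outside this hunk.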
@@ -2169,11 +2388,77 @@ if ($PREFIX eq "aesni") { &xorps ("xmm2","xmm1"); &ret(); +&set_label("14rounds_alt",16); + &movdqa ("xmm5",&QWP(0x00,"ebx")); + &movdqa ("xmm4",&QWP(0x20,"ebx")); + &mov ($rounds,7); + &movdqu (&QWP(-32,$key),"xmm0"); + &movdqa ("xmm1","xmm2"); + &movdqu (&QWP(-16,$key),"xmm2"); + +&set_label("loop_key256"); + &pshufb ("xmm2","xmm5"); + &aesenclast ("xmm2","xmm4"); + + &movdqa ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm3","xmm0"); + &pslldq ("xmm0",4); + &pxor ("xmm0","xmm3"); + &pslld ("xmm4",1); + + &pxor ("xmm0","xmm2"); + &movdqu (&QWP(0,$key),"xmm0"); + + &dec ($rounds); + &jz (&label("done_key256")); + + &pshufd ("xmm2","xmm0",0xff); + &pxor ("xmm3","xmm3"); + &aesenclast ("xmm2","xmm3"); + + &movdqa ("xmm3","xmm1") + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm3","xmm1"); + &pslldq ("xmm1",4); + &pxor ("xmm1","xmm3"); + + &pxor ("xmm2","xmm1"); + &movdqu (&QWP(16,$key),"xmm2"); + &lea ($key,&DWP(32,$key)); + &movdqa ("xmm1","xmm2"); + &jmp (&label("loop_key256")); + +&set_label("done_key256"); + &mov ($rounds,13); + &mov (&DWP(16,$key),$rounds); + +&set_label("good_key"); + &pxor ("xmm0","xmm0"); + &pxor ("xmm1","xmm1"); + &pxor ("xmm2","xmm2"); + &pxor ("xmm3","xmm3"); + &pxor ("xmm4","xmm4"); + &pxor ("xmm5","xmm5"); + &xor ("eax","eax"); + &pop ("ebx"); + &pop ("ebp"); + &ret (); + &set_label("bad_pointer",4); &mov ("eax",-1); + &pop ("ebx"); + &pop ("ebp"); &ret (); &set_label("bad_keybits",4); + &pxor ("xmm0","xmm0"); &mov ("eax",-2); + &pop ("ebx"); + &pop ("ebp"); &ret (); &function_end_B("_aesni_set_encrypt_key"); 
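Review bot: In `loop_key256` the line `&movdqa ("xmm3","xmm1")` has no terminating semicolon, so Perl parses it together with the following `&pslldq ("xmm1",4);` as one expression joined by a bitwise `&`. Both calls probably still run in source order and the script may emit the intended instructions, but that then depends on operand evaluation order rather than on statement order. The line should be `&movdqa ("xmm3","xmm1");`. `_aesni_set_encrypt_key` begins outside this hunk.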
@@ -2223,10 +2508,18 @@ if ($PREFIX eq "aesni") { &aesimc ("xmm0","xmm0"); &$movekey (&QWP(0,$key),"xmm0"); + &pxor ("xmm0","xmm0"); + &pxor ("xmm1","xmm1"); &xor ("eax","eax"); # return success &set_label("dec_key_ret"); &ret (); &function_end_B("${PREFIX}_set_decrypt_key"); + +&set_label("key_const",64); +&data_word(0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d); +&data_word(0x04070605,0x04070605,0x04070605,0x04070605); +&data_word(1,1,1,1); +&data_word(0x1b,0x1b,0x1b,0x1b); &asciz("AES for Intel AES-NI, CRYPTOGAMS by "); &asm_finish(); diff --git a/crypto/aes/asm/aesni-x86_64.pl b/crypto/aes/asm/aesni-x86_64.pl index 5f61746..25ca574 100644 --- a/crypto/aes/asm/aesni-x86_64.pl +++ b/crypto/aes/asm/aesni-x86_64.pl @@ -165,11 +165,11 @@ # Westmere 3.77/1.25 1.25 1.25 1.26 # * Bridge 5.07/0.74 0.75 0.90 0.85 # Haswell 4.44/0.63 0.63 0.73 0.63 -# Atom 5.75/3.54 3.56 4.12 3.87(*) +# Silvermont 5.75/3.54 3.56 4.12 3.87(*) # Bulldozer 5.77/0.70 0.72 0.90 0.70 # -# (*) Atom ECB result is suboptimal because of penalties incurred -# by operations on %xmm8-15. As ECB is not considered +# (*) Atom Silvermont ECB result is suboptimal because of penalties +# incurred by operations on %xmm8-15. As ECB is not considered # critical, nothing was done to mitigate the problem. $PREFIX="aesni"; # if $PREFIX is set to "AES", the script @@ -263,7 +263,10 @@ ${PREFIX}_encrypt: ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($out) # output + pxor $inout0,$inout0 ret .size ${PREFIX}_encrypt,.-${PREFIX}_encrypt @@ -276,7 +279,10 @@ ${PREFIX}_decrypt: ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($out) # output + pxor $inout0,$inout0 ret .size ${PREFIX}_decrypt, .-${PREFIX}_decrypt ___ 
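Review bot: The four `&data_word` rows under `key_const` have no comments, and the key-setup code in this commit addresses them only by raw offsets (`0x00`, `0x10`, `0x20`, `0x30` off `ebx`). The x86_64 script names the same values `.Lkey_rotate`, `.Lkey_rotate192`, `.Lkey_rcon1` and `.Lkey_rcon1b`. Trailing comments such as `&data_word(1,1,1,1); # 0x20: key_rcon1` on each row would tie offsets to rows and make a later reordering of the table harder to get wrong.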
@@ -445,21 +451,18 @@ _aesni_${dir}rypt6: pxor $rndkey0,$inout4 aes${dir} $rndkey1,$inout2 pxor $rndkey0,$inout5 + $movkey ($key,%rax),$rndkey0 add \$16,%rax - aes${dir} $rndkey1,$inout3 - aes${dir} $rndkey1,$inout4 - aes${dir} $rndkey1,$inout5 - $movkey -16($key,%rax),$rndkey0 jmp .L${dir}_loop6_enter .align 16 .L${dir}_loop6: aes${dir} $rndkey1,$inout0 aes${dir} $rndkey1,$inout1 aes${dir} $rndkey1,$inout2 +.L${dir}_loop6_enter: aes${dir} $rndkey1,$inout3 aes${dir} $rndkey1,$inout4 aes${dir} $rndkey1,$inout5 -.L${dir}_loop6_enter: $movkey ($key,%rax),$rndkey1 add \$32,%rax aes${dir} $rndkey0,$inout0 @@ -506,23 +509,18 @@ _aesni_${dir}rypt8: lea 32($key,$rounds),$key neg %rax # $rounds aes${dir} $rndkey1,$inout0 - add \$16,%rax pxor $rndkey0,$inout5 - aes${dir} $rndkey1,$inout1 pxor $rndkey0,$inout6 + aes${dir} $rndkey1,$inout1 pxor $rndkey0,$inout7 - aes${dir} $rndkey1,$inout2 - aes${dir} $rndkey1,$inout3 - aes${dir} $rndkey1,$inout4 - aes${dir} $rndkey1,$inout5 - aes${dir} $rndkey1,$inout6 - aes${dir} $rndkey1,$inout7 - $movkey -16($key,%rax),$rndkey0 - jmp .L${dir}_loop8_enter + $movkey ($key,%rax),$rndkey0 + add \$16,%rax + jmp .L${dir}_loop8_inner .align 16 .L${dir}_loop8: aes${dir} $rndkey1,$inout0 aes${dir} $rndkey1,$inout1 +.L${dir}_loop8_inner: aes${dir} $rndkey1,$inout2 aes${dir} $rndkey1,$inout3 aes${dir} $rndkey1,$inout4 @@ -587,15 +585,15 @@ aesni_ecb_encrypt: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) + movaps %xmm6,(%rsp) # offload $inout4..7 movaps %xmm7,0x10(%rsp) movaps %xmm8,0x20(%rsp) movaps %xmm9,0x30(%rsp) .Lecb_enc_body: ___ $code.=<<___; - and \$-16,$len - jz .Lecb_ret + and \$-16,$len # if ($len<16) + jz .Lecb_ret # return mov 240($key),$rounds # key->rounds $movkey ($key),$rndkey0 
@@ -604,10 +602,10 @@ $code.=<<___; test %r8d,%r8d # 5th argument jz .Lecb_decrypt #--------------------------- ECB ENCRYPT ------------------------------# - cmp \$0x80,$len - jb .Lecb_enc_tail + cmp \$0x80,$len # if ($len<8*16) + jb .Lecb_enc_tail # short input - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks movdqu 0x10($inp),$inout1 movdqu 0x20($inp),$inout2 movdqu 0x30($inp),$inout3 @@ -615,14 +613,14 @@ $code.=<<___; movdqu 0x50($inp),$inout5 movdqu 0x60($inp),$inout6 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp - sub \$0x80,$len + lea 0x80($inp),$inp # $inp+=8*16 + sub \$0x80,$len # $len-=8*16 (can be zero) jmp .Lecb_enc_loop8_enter .align 16 .Lecb_enc_loop8: - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks mov $rnds_,$rounds # restore $rounds movups $inout1,0x10($out) movdqu 0x10($inp),$inout1 @@ -637,17 +635,17 @@ $code.=<<___; movups $inout6,0x60($out) movdqu 0x60($inp),$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out + lea 0x80($out),$out # $out+=8*16 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp + lea 0x80($inp),$inp # $inp+=8*16 .Lecb_enc_loop8_enter: call _aesni_encrypt8 sub \$0x80,$len - jnc .Lecb_enc_loop8 + jnc .Lecb_enc_loop8 # loop if $len-=8*16 didn't borrow - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key movups $inout1,0x10($out) mov $rnds_,$rounds # restore $rounds @@ -657,11 +655,11 @@ $code.=<<___; movups $inout5,0x50($out) movups $inout6,0x60($out) movups $inout7,0x70($out) - lea 0x80($out),$out - add \$0x80,$len - jz .Lecb_ret + lea 0x80($out),$out # $out+=8*16 + add \$0x80,$len # restore real remaining $len + jz .Lecb_ret # done if ($len==0) -.Lecb_enc_tail: +.Lecb_enc_tail: # $len is less than 8*16 movups ($inp),$inout0 cmp \$0x20,$len jb .Lecb_enc_one 
@@ -678,8 +676,9 @@ $code.=<<___; movups 0x50($inp),$inout5 je .Lecb_enc_six movdqu 0x60($inp),$inout6 + xorps $inout7,$inout7 call _aesni_encrypt8 - movups $inout0,($out) + movups $inout0,($out) # store 7 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -692,25 +691,25 @@ $code.=<<___; ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; - movups $inout0,($out) + movups $inout0,($out) # store one output block jmp .Lecb_ret .align 16 .Lecb_enc_two: call _aesni_encrypt2 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,0x10($out) jmp .Lecb_ret .align 16 .Lecb_enc_three: call _aesni_encrypt3 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) jmp .Lecb_ret .align 16 .Lecb_enc_four: call _aesni_encrypt4 - movups $inout0,($out) + movups $inout0,($out) # store 4 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -719,7 +718,7 @@ $code.=<<___; .Lecb_enc_five: xorps $inout5,$inout5 call _aesni_encrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 5 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -728,7 +727,7 @@ $code.=<<___; .align 16 .Lecb_enc_six: call _aesni_encrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 6 output blocks movups $inout1,0x10($out) movups $inout2,0x20($out) movups $inout3,0x30($out) @@ -738,10 +737,10 @@ $code.=<<___; #--------------------------- ECB DECRYPT ------------------------------# .align 16 .Lecb_decrypt: - cmp \$0x80,$len - jb .Lecb_dec_tail + cmp \$0x80,$len # if ($len<8*16) + jb .Lecb_dec_tail # short input - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks movdqu 0x10($inp),$inout1 movdqu 0x20($inp),$inout2 movdqu 0x30($inp),$inout3 
@@ -749,14 +748,14 @@ $code.=<<___; movdqu 0x50($inp),$inout5 movdqu 0x60($inp),$inout6 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp - sub \$0x80,$len + lea 0x80($inp),$inp # $inp+=8*16 + sub \$0x80,$len # $len-=8*16 (can be zero) jmp .Lecb_dec_loop8_enter .align 16 .Lecb_dec_loop8: - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks mov $key_,$key # restore $key - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # load 8 input blocks mov $rnds_,$rounds # restore $rounds movups $inout1,0x10($out) movdqu 0x10($inp),$inout1 @@ -771,30 +770,38 @@ $code.=<<___; movups $inout6,0x60($out) movdqu 0x60($inp),$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out + lea 0x80($out),$out # $out+=8*16 movdqu 0x70($inp),$inout7 - lea 0x80($inp),$inp + lea 0x80($inp),$inp # $inp+=8*16 .Lecb_dec_loop8_enter: call _aesni_decrypt8 $movkey ($key_),$rndkey0 sub \$0x80,$len - jnc .Lecb_dec_loop8 + jnc .Lecb_dec_loop8 # loop if $len-=8*16 didn't borrow - movups $inout0,($out) + movups $inout0,($out) # store 8 output blocks + pxor $inout0,$inout0 # clear register bank mov $key_,$key # restore $key movups $inout1,0x10($out) + pxor $inout1,$inout1 mov $rnds_,$rounds # restore $rounds movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 movups $inout6,0x60($out) + pxor $inout6,$inout6 movups $inout7,0x70($out) - lea 0x80($out),$out - add \$0x80,$len - jz .Lecb_ret + pxor $inout7,$inout7 + lea 0x80($out),$out # $out+=8*16 + add \$0x80,$len # restore real remaining $len + jz .Lecb_ret # done if ($len==0) .Lecb_dec_tail: movups ($inp),$inout0 
@@ -814,70 +821,107 @@ $code.=<<___; je .Lecb_dec_six movups 0x60($inp),$inout6 $movkey ($key),$rndkey0 + xorps $inout7,$inout7 call _aesni_decrypt8 - movups $inout0,($out) + movups $inout0,($out) # store 7 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 movups $inout6,0x60($out) + pxor $inout6,$inout6 + pxor $inout7,$inout7 jmp .Lecb_ret .align 16 .Lecb_dec_one: ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; - movups $inout0,($out) + movups $inout0,($out) # store one output block + pxor $inout0,$inout0 # clear register bank jmp .Lecb_ret .align 16 .Lecb_dec_two: call _aesni_decrypt2 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 jmp .Lecb_ret .align 16 .Lecb_dec_three: call _aesni_decrypt3 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 jmp .Lecb_ret .align 16 .Lecb_dec_four: call _aesni_decrypt4 - movups $inout0,($out) + movups $inout0,($out) # store 4 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 jmp .Lecb_ret .align 16 .Lecb_dec_five: xorps $inout5,$inout5 call _aesni_decrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 5 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + 
pxor $inout4,$inout4 + pxor $inout5,$inout5 jmp .Lecb_ret .align 16 .Lecb_dec_six: call _aesni_decrypt6 - movups $inout0,($out) + movups $inout0,($out) # store 6 output blocks + pxor $inout0,$inout0 # clear register bank movups $inout1,0x10($out) + pxor $inout1,$inout1 movups $inout2,0x20($out) + pxor $inout2,$inout2 movups $inout3,0x30($out) + pxor $inout3,$inout3 movups $inout4,0x40($out) + pxor $inout4,$inout4 movups $inout5,0x50($out) + pxor $inout5,$inout5 .Lecb_ret: + xorps $rndkey0,$rndkey0 # %xmm0 + pxor $rndkey1,$rndkey1 ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lecb_enc_ret: ___ @@ -911,10 +955,10 @@ aesni_ccm64_encrypt_blocks: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) - movaps %xmm7,0x10(%rsp) - movaps %xmm8,0x20(%rsp) - movaps %xmm9,0x30(%rsp) + movaps %xmm6,(%rsp) # $iv + movaps %xmm7,0x10(%rsp) # $bswap_mask + movaps %xmm8,0x20(%rsp) # $in0 + movaps %xmm9,0x30(%rsp) # $increment .Lccm64_enc_body: ___ $code.=<<___; @@ -956,7 +1000,7 @@ $code.=<<___; aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 paddq $increment,$iv - dec $len + dec $len # $len-- ($len is in blocks) aesenclast $rndkey0,$inout0 aesenclast $rndkey0,$inout1 
@@ -965,16 +1009,26 @@ $code.=<<___; movdqa $iv,$inout0 movups $in0,($out) # save output pshufb $bswap_mask,$inout0 - lea 16($out),$out - jnz .Lccm64_enc_outer + lea 16($out),$out # $out+=16 + jnz .Lccm64_enc_outer # loop if ($len!=0) - movups $inout1,($cmac) + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + pxor $inout0,$inout0 + movups $inout1,($cmac) # store resulting mac + pxor $inout1,$inout1 + pxor $in0,$in0 + pxor $iv,$iv ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lccm64_enc_ret: ___ @@ -991,10 +1045,10 @@ aesni_ccm64_decrypt_blocks: ___ $code.=<<___ if ($win64); lea -0x58(%rsp),%rsp - movaps %xmm6,(%rsp) - movaps %xmm7,0x10(%rsp) - movaps %xmm8,0x20(%rsp) - movaps %xmm9,0x30(%rsp) + movaps %xmm6,(%rsp) # $iv + movaps %xmm7,0x10(%rsp) # $bswap_mask + movaps %xmm8,0x20(%rsp) # $in8 + movaps %xmm9,0x30(%rsp) # $increment .Lccm64_dec_body: ___ $code.=<<___; @@ -1015,7 +1069,7 @@ $code.=<<___; mov \$16,$rounds movups ($inp),$in0 # load inp paddq $increment,$iv - lea 16($inp),$inp + lea 16($inp),$inp # $inp+=16 sub %r10,%rax # twisted $rounds lea 32($key_,$rnds_),$key # end of key schedule mov %rax,%r10 @@ -1025,11 +1079,11 @@ $code.=<<___; xorps $inout0,$in0 # inp ^= E(iv) movdqa $iv,$inout0 movups $in0,($out) # save output - lea 16($out),$out + lea 16($out),$out # $out+=16 pshufb $bswap_mask,$inout0 - sub \$1,$len - jz .Lccm64_dec_break + sub \$1,$len # $len-- ($len is in blocks) + jz .Lccm64_dec_break # if ($len==0) break $movkey ($key_),$rndkey0 mov %r10,%rax 
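Review bot: The new comment on the `%xmm8` spill in `aesni_ccm64_decrypt_blocks` says `# $in8`, where the identical line in `aesni_ccm64_encrypt_blocks` says `# $in0` and the decrypt body itself uses `$in0`; it should read `movaps %xmm8,0x20(%rsp) # $in0`. Separately, the win64 epilogues added to both ccm64 functions scrub the spill slots with a literal `%xmm0`, relying on the preceding `pxor $rndkey0,$rndkey0`. The ECB epilogue marks that dependency with `# %xmm0` on the zeroing line, and the same remark here would keep the two in step.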
@@ -1049,13 +1103,13 @@ $code.=<<___; aesenc $rndkey0,$inout1 $movkey -16($key,%rax),$rndkey0 jnz .Lccm64_dec2_loop - movups ($inp),$in0 # load inp + movups ($inp),$in0 # load input paddq $increment,$iv aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 aesenclast $rndkey0,$inout0 aesenclast $rndkey0,$inout1 - lea 16($inp),$inp + lea 16($inp),$inp # $inp+=16 jmp .Lccm64_dec_outer .align 16 @@ -1065,13 +1119,23 @@ $code.=<<___; ___ &aesni_generate1("enc",$key_,$rounds,$inout1,$in0); $code.=<<___; - movups $inout1,($cmac) + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + pxor $inout0,$inout0 + movups $inout1,($cmac) # store resulting mac + pxor $inout1,$inout1 + pxor $in0,$in0 + pxor $iv,$iv ___ $code.=<<___ if ($win64); movaps (%rsp),%xmm6 + movaps %xmm0,(%rsp) # clear stack movaps 0x10(%rsp),%xmm7 + movaps %xmm0,0x10(%rsp) movaps 0x20(%rsp),%xmm8 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm9 + movaps %xmm0,0x30(%rsp) lea 0x58(%rsp),%rsp .Lccm64_dec_ret: ___ @@ -1102,13 +1166,34 @@ $code.=<<___; .type aesni_ctr32_encrypt_blocks,\@function,5 .align 16 aesni_ctr32_encrypt_blocks: + cmp \$1,$len + jne .Lctr32_bulk + + # handle single block without allocating stack frame, + # useful when handling edges + movups ($ivp),$inout0 + movups ($inp),$inout1 + mov 240($key),%edx # key->rounds +___ + &aesni_generate1("enc",$key,"%edx"); +$code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + xorps $inout1,$inout0 + pxor $inout1,$inout1 + movups $inout0,($out) + xorps $inout0,$inout0 + jmp .Lctr32_epilogue + +.align 16 +.Lctr32_bulk: lea (%rsp),%rax push %rbp sub \$$frame_size,%rsp and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) 
@@ -1123,8 +1208,8 @@ ___ $code.=<<___; lea -8(%rax),%rbp - cmp \$1,$len - je .Lctr32_one_shortcut + # 8 16-byte words on top of stack are counter values + # xor-ed with zero-round key movdqu ($ivp),$inout0 movdqu ($key),$rndkey0 @@ -1139,7 +1224,7 @@ $code.=<<___; movdqa $inout0,0x40(%rsp) movdqa $inout0,0x50(%rsp) movdqa $inout0,0x60(%rsp) - mov %rdx,%r10 # borrow %rdx + mov %rdx,%r10 # about to borrow %rdx movdqa $inout0,0x70(%rsp) lea 1($ctr),%rax @@ -1183,15 +1268,15 @@ $code.=<<___; movdqa 0x40(%rsp),$inout4 movdqa 0x50(%rsp),$inout5 - cmp \$8,$len - jb .Lctr32_tail + cmp \$8,$len # $len is in blocks + jb .Lctr32_tail # short input if ($len<8) - sub \$6,$len + sub \$6,$len # $len is biased by -6 cmp \$`1<<22`,%r10d # check for MOVBE without XSAVE - je .Lctr32_6x + je .Lctr32_6x # [which denotes Atom Silvermont] lea 0x80($key),$key # size optimization - sub \$2,$len + sub \$2,$len # $len is biased by -8 jmp .Lctr32_loop8 .align 16 @@ -1205,13 +1290,13 @@ $code.=<<___; .align 16 .Lctr32_loop6: - add \$6,$ctr + add \$6,$ctr # next counter value $movkey -48($key,$rnds_),$rndkey0 aesenc $rndkey1,$inout0 mov $ctr,%eax xor $key0,%eax aesenc $rndkey1,$inout1 - movbe %eax,`0x00+12`(%rsp) + movbe %eax,`0x00+12`(%rsp) # store next counter value lea 1($ctr),%eax aesenc $rndkey1,$inout2 xor $key0,%eax @@ -1244,16 +1329,16 @@ $code.=<<___; call .Lenc_loop6 - movdqu ($inp),$inout6 + movdqu ($inp),$inout6 # load 6 input blocks movdqu 0x10($inp),$inout7 movdqu 0x20($inp),$in0 movdqu 0x30($inp),$in1 movdqu 0x40($inp),$in2 movdqu 0x50($inp),$in3 - lea 0x60($inp),$inp + lea 0x60($inp),$inp # $inp+=6*16 $movkey -64($key,$rnds_),$rndkey1 - pxor $inout0,$inout6 - movaps 0x00(%rsp),$inout0 + pxor $inout0,$inout6 # inp^=E(ctr) + movaps 0x00(%rsp),$inout0 # load next counter [xor-ed with 0 round] pxor $inout1,$inout7 movaps 0x10(%rsp),$inout1 pxor $inout2,$in0 
@@ -1264,19 +1349,19 @@ $code.=<<___; movaps 0x40(%rsp),$inout4 pxor $inout5,$in3 movaps 0x50(%rsp),$inout5 - movdqu $inout6,($out) + movdqu $inout6,($out) # store 6 output blocks movdqu $inout7,0x10($out) movdqu $in0,0x20($out) movdqu $in1,0x30($out) movdqu $in2,0x40($out) movdqu $in3,0x50($out) - lea 0x60($out),$out - + lea 0x60($out),$out # $out+=6*16 + sub \$6,$len - jnc .Lctr32_loop6 + jnc .Lctr32_loop6 # loop if $len-=6 didn't borrow - add \$6,$len - jz .Lctr32_done + add \$6,$len # restore real remaining $len + jz .Lctr32_done # done if ($len==0) lea -48($rnds_),$rounds lea -80($key,$rnds_),$key # restore $key @@ -1286,7 +1371,7 @@ $code.=<<___; .align 32 .Lctr32_loop8: - add \$8,$ctr + add \$8,$ctr # next counter value movdqa 0x60(%rsp),$inout6 aesenc $rndkey1,$inout0 mov $ctr,%r9d @@ -1298,7 +1383,7 @@ $code.=<<___; xor $key0,%r9d nop aesenc $rndkey1,$inout3 - mov %r9d,0x00+12(%rsp) + mov %r9d,0x00+12(%rsp) # store next counter value lea 1($ctr),%r9 aesenc $rndkey1,$inout4 aesenc $rndkey1,$inout5 @@ -1331,7 +1416,7 @@ $code.=<<___; aesenc $rndkey0,$inout1 aesenc $rndkey0,$inout2 xor $key0,%r9d - movdqu 0x00($inp),$in0 + movdqu 0x00($inp),$in0 # start loading input aesenc $rndkey0,$inout3 mov %r9d,0x70+12(%rsp) cmp \$11,$rounds @@ -1388,7 +1473,7 @@ $code.=<<___; .align 16 .Lctr32_enc_done: movdqu 0x10($inp),$in1 - pxor $rndkey0,$in0 + pxor $rndkey0,$in0 # input^=round[last] movdqu 0x20($inp),$in2 pxor $rndkey0,$in1 movdqu 0x30($inp),$in3 @@ -1406,11 +1491,11 @@ $code.=<<___; aesenc $rndkey1,$inout5 aesenc $rndkey1,$inout6 aesenc $rndkey1,$inout7 - movdqu 0x60($inp),$rndkey1 - lea 0x80($inp),$inp + movdqu 0x60($inp),$rndkey1 # borrow $rndkey1 for inp[6] + lea 0x80($inp),$inp # $inp+=8*16 - aesenclast $in0,$inout0 - pxor $rndkey0,$rndkey1 + aesenclast $in0,$inout0 # $inN is inp[N]^round[last] + pxor $rndkey0,$rndkey1 # borrowed $rndkey movdqu 0x70-0x80($inp),$in0 aesenclast $in1,$inout1 pxor $rndkey0,$in0 
@@ -1425,10 +1510,10 @@ $code.=<<___; movdqa 0x40(%rsp),$in5 aesenclast $rndkey1,$inout6 movdqa 0x50(%rsp),$rndkey0 - $movkey 0x10-0x80($key),$rndkey1 + $movkey 0x10-0x80($key),$rndkey1#real 1st-round key aesenclast $in0,$inout7 - movups $inout0,($out) # store output + movups $inout0,($out) # store 8 output blocks movdqa $in1,$inout0 movups $inout1,0x10($out) movdqa $in2,$inout1 @@ -1442,21 +1527,24 @@ $code.=<<___; movdqa $rndkey0,$inout5 movups $inout6,0x60($out) movups $inout7,0x70($out) - lea 0x80($out),$out - + lea 0x80($out),$out # $out+=8*16 + sub \$8,$len - jnc .Lctr32_loop8 + jnc .Lctr32_loop8 # loop if $len-=8 didn't borrow - add \$8,$len - jz .Lctr32_done + add \$8,$len # restore real remainig $len + jz .Lctr32_done # done if ($len==0) lea -0x80($key),$key .Lctr32_tail: + # note that at this point $inout0..5 are populated with + # counter values xor-ed with 0-round key lea 16($key),$key cmp \$4,$len jb .Lctr32_loop3 je .Lctr32_loop4 + # if ($len>4) compute 7 E(counter) shl \$4,$rounds movdqa 0x60(%rsp),$inout6 pxor $inout7,$inout7 @@ -1464,14 +1552,14 @@ $code.=<<___; $movkey 16($key),$rndkey0 aesenc $rndkey1,$inout0 aesenc $rndkey1,$inout1 - lea 32-16($key,$rounds),$key + lea 32-16($key,$rounds),$key# prepare for .Lenc_loop8_enter neg %rax aesenc $rndkey1,$inout2 - add \$16,%rax + add \$16,%rax # prepare for .Lenc_loop8_enter movups ($inp),$in0 aesenc $rndkey1,$inout3 aesenc $rndkey1,$inout4 - movups 0x10($inp),$in1 + movups 0x10($inp),$in1 # pre-load input movups 0x20($inp),$in2 aesenc $rndkey1,$inout5 aesenc $rndkey1,$inout6 @@ -1482,7 +1570,7 @@ $code.=<<___; pxor $in0,$inout0 movdqu 0x40($inp),$in0 pxor $in1,$inout1 - movdqu $inout0,($out) + movdqu $inout0,($out) # store output pxor $in2,$inout2 movdqu $inout1,0x10($out) pxor $in3,$inout3 
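Review bot: The added comment `# restore real remainig $len` after the `.Lctr32_loop8` store misspells "remaining", and several other comments introduced by this patch have similar slips. They are `# clear regiser bank` at `.Lctr32_done`, `# calclulate tweaks^round[last]` in both XTS grand loops, `# intput^=tweak^round[0]` in the XTS decrypt loop, and `# AVX, bit no XOP` at `.L10rounds` (the other two key sizes say "but"). Two comments are also glued to the operand with no space, `$rndkey1#real 1st-round key` and `$key# prepare for .Lenc_loop8_enter`. Since these comments exist to explain the zeroisation and counter bookkeeping, they are worth fixing in the same change.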
@@ -1491,17 +1579,17 @@ $code.=<<___; movdqu $inout3,0x30($out) movdqu $inout4,0x40($out) cmp \$6,$len - jb .Lctr32_done + jb .Lctr32_done # $len was 5, stop store movups 0x50($inp),$in1 xorps $in1,$inout5 movups $inout5,0x50($out) - je .Lctr32_done + je .Lctr32_done # $len was 6, stop store movups 0x60($inp),$in2 xorps $in2,$inout6 movups $inout6,0x60($out) - jmp .Lctr32_done + jmp .Lctr32_done # $len was 7, stop store .align 32 .Lctr32_loop4: @@ -1515,7 +1603,7 @@ $code.=<<___; jnz .Lctr32_loop4 aesenclast $rndkey1,$inout0 aesenclast $rndkey1,$inout1 - movups ($inp),$in0 + movups ($inp),$in0 # load input movups 0x10($inp),$in1 aesenclast $rndkey1,$inout2 aesenclast $rndkey1,$inout3 @@ -1523,14 +1611,14 @@ $code.=<<___; movups 0x30($inp),$in3 xorps $in0,$inout0 - movups $inout0,($out) + movups $inout0,($out) # store output xorps $in1,$inout1 movups $inout1,0x10($out) pxor $in2,$inout2 movdqu $inout2,0x20($out) pxor $in3,$inout3 movdqu $inout3,0x30($out) - jmp .Lctr32_done + jmp .Lctr32_done # $len was 4, stop store .align 32 .Lctr32_loop3: 
@@ -1545,48 +1633,79 @@ $code.=<<___; aesenclast $rndkey1,$inout1 aesenclast $rndkey1,$inout2 - movups ($inp),$in0 + movups ($inp),$in0 # load input xorps $in0,$inout0 - movups $inout0,($out) + movups $inout0,($out) # store output cmp \$2,$len - jb .Lctr32_done + jb .Lctr32_done # $len was 1, stop store movups 0x10($inp),$in1 xorps $in1,$inout1 movups $inout1,0x10($out) - je .Lctr32_done + je .Lctr32_done # $len was 2, stop store movups 0x20($inp),$in2 xorps $in2,$inout2 - movups $inout2,0x20($out) - jmp .Lctr32_done - -.align 16 -.Lctr32_one_shortcut: - movups ($ivp),$inout0 - movups ($inp),$in0 - mov 240($key),$rounds # key->rounds -___ - &aesni_generate1("enc",$key,$rounds); -$code.=<<___; - xorps $in0,$inout0 - movups $inout0,($out) - jmp .Lctr32_done + movups $inout2,0x20($out) # $len was 3, stop store -.align 16 .Lctr32_done: + xorps %xmm0,%xmm0 # clear regiser bank + xor $key0,$key0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + movaps %xmm0,0x70(%rsp) + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + 
movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) + movaps %xmm0,0x70(%rsp) ___ $code.=<<___; lea (%rbp),%rsp @@ -1619,7 +1738,7 @@ aesni_xts_encrypt: and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) @@ -1679,7 +1798,7 @@ $code.=<<___; movaps $rndkey1,0x60(%rsp) # save round[0]^round[last] sub \$16*6,$len - jc .Lxts_enc_short + jc .Lxts_enc_short # if $len-=6*16 borrowed mov \$16+96,$rounds lea 32($key_,$rnds_),$key # end of key schedule @@ -1694,7 +1813,7 @@ $code.=<<___; movdqu `16*0`($inp),$inout0 # load input movdqa $rndkey0,$twmask movdqu `16*1`($inp),$inout1 - pxor @tweak[0],$inout0 + pxor @tweak[0],$inout0 # input^=tweak^round[0] movdqu `16*2`($inp),$inout2 pxor @tweak[1],$inout1 aesenc $rndkey1,$inout0 @@ -1713,10 +1832,10 @@ $code.=<<___; lea `16*6`($inp),$inp pxor $twmask,$inout5 - pxor $twres, at tweak[0] + pxor $twres, at tweak[0] # calclulate tweaks^round[last] aesenc $rndkey1,$inout4 pxor $twres, at tweak[1] - movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key + movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^round[last] aesenc $rndkey1,$inout5 $movkey 48($key_),$rndkey1 pxor $twres, at tweak[2] @@ -1757,7 +1876,7 @@ $code.=<<___; $movkey -80($key,%rax),$rndkey0 jnz .Lxts_enc_loop6 - movdqa (%r8),$twmask + movdqa (%r8),$twmask # start calculating next tweak movdqa $twres,$twtmp paddd $twres,$twres aesenc $rndkey1,$inout0 
@@ -1851,15 +1970,15 @@ $code.=<<___; aesenclast `16*5`(%rsp),$inout5 pxor $twres, at tweak[5] - lea `16*6`($out),$out - movups $inout0,`-16*6`($out) # write output + lea `16*6`($out),$out # $out+=6*16 + movups $inout0,`-16*6`($out) # store 6 output blocks movups $inout1,`-16*5`($out) movups $inout2,`-16*4`($out) movups $inout3,`-16*3`($out) movups $inout4,`-16*2`($out) movups $inout5,`-16*1`($out) sub \$16*6,$len - jnc .Lxts_enc_grandloop + jnc .Lxts_enc_grandloop # loop if $len-=6*16 didn't borrow mov \$16+96,$rounds sub $rnds_,$rounds @@ -1867,34 +1986,36 @@ $code.=<<___; shr \$4,$rounds # restore original value .Lxts_enc_short: + # at the point @tweak[0..5] are populated with tweak values mov $rounds,$rnds_ # backup $rounds pxor $rndkey0, at tweak[0] - add \$16*6,$len - jz .Lxts_enc_done + add \$16*6,$len # restore real remaining $len + jz .Lxts_enc_done # done if ($len==0) pxor $rndkey0, at tweak[1] cmp \$0x20,$len - jb .Lxts_enc_one + jb .Lxts_enc_one # $len is 1*16 pxor $rndkey0, at tweak[2] - je .Lxts_enc_two + je .Lxts_enc_two # $len is 2*16 pxor $rndkey0, at tweak[3] cmp \$0x40,$len - jb .Lxts_enc_three + jb .Lxts_enc_three # $len is 3*16 pxor $rndkey0, at tweak[4] - je .Lxts_enc_four + je .Lxts_enc_four # $len is 4*16 - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # $len is 5*16 movdqu 16*1($inp),$inout1 movdqu 16*2($inp),$inout2 pxor @tweak[0],$inout0 movdqu 16*3($inp),$inout3 pxor @tweak[1],$inout1 movdqu 16*4($inp),$inout4 - lea 16*5($inp),$inp + lea 16*5($inp),$inp # $inp+=5*16 pxor @tweak[2],$inout2 pxor @tweak[3],$inout3 pxor @tweak[4],$inout4 + pxor $inout5,$inout5 call _aesni_encrypt6 
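Review bot: The five-block tail under `.Lxts_enc_short` now zeroes the unused sixth lane with `pxor $inout5,$inout5` before `call _aesni_encrypt6`, but the line carries no comment and the decrypt tail under `.Lxts_dec_short` shows no counterpart in its visible lines. The decrypt call itself falls between hunks, so this cannot be confirmed from here. If the intent is to keep stale register contents out of the sixth lane, say so with `pxor $inout5,$inout5 # unused 6th lane, do not process stale data`, and mirror it before the decrypt call if it is indeed missing. The function body continues outside the hunk.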
@@ -1902,35 +2023,35 @@ $code.=<<___; movdqa @tweak[5], at tweak[0] xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 5 output blocks xorps @tweak[3],$inout3 movdqu $inout1,16*1($out) xorps @tweak[4],$inout4 movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) movdqu $inout4,16*4($out) - lea 16*5($out),$out + lea 16*5($out),$out # $out+=5*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_one: movups ($inp),$inout0 - lea 16*1($inp),$inp + lea 16*1($inp),$inp # inp+=1*16 xorps @tweak[0],$inout0 ___ &aesni_generate1("enc",$key,$rounds); $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[1], at tweak[0] - movups $inout0,($out) - lea 16*1($out),$out + movups $inout0,($out) # store one output block + lea 16*1($out),$out # $out+=1*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_two: movups ($inp),$inout0 movups 16($inp),$inout1 - lea 32($inp),$inp + lea 32($inp),$inp # $inp+=2*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 @@ -1939,9 +2060,9 @@ $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[2], at tweak[0] xorps @tweak[1],$inout1 - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,16*1($out) - lea 16*2($out),$out + lea 16*2($out),$out # $out+=2*16 jmp .Lxts_enc_done .align 16 @@ -1949,7 +2070,7 @@ $code.=<<___; movups ($inp),$inout0 movups 16*1($inp),$inout1 movups 16*2($inp),$inout2 - lea 16*3($inp),$inp + lea 16*3($inp),$inp # $inp+=3*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 @@ -1960,10 +2081,10 @@ $code.=<<___; movdqa @tweak[3], at tweak[0] xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,16*1($out) movups $inout2,16*2($out) - lea 16*3($out),$out + lea 16*3($out),$out # $out+=3*16 jmp .Lxts_enc_done .align 16 
@@ -1973,7 +2094,7 @@ $code.=<<___; movups 16*2($inp),$inout2 xorps @tweak[0],$inout0 movups 16*3($inp),$inout3 - lea 16*4($inp),$inp + lea 16*4($inp),$inp # $inp+=4*16 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 xorps @tweak[3],$inout3 @@ -1984,17 +2105,17 @@ $code.=<<___; movdqa @tweak[4], at tweak[0] pxor @tweak[1],$inout1 pxor @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 4 output blocks pxor @tweak[3],$inout3 movdqu $inout1,16*1($out) movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) - lea 16*4($out),$out + lea 16*4($out),$out # $out+=4*16 jmp .Lxts_enc_done .align 16 .Lxts_enc_done: - and \$15,$len_ + and \$15,$len_ # see if $len%16 is 0 jz .Lxts_enc_ret mov $len_,$len 
@@ -2021,18 +2142,60 @@ $code.=<<___; movups $inout0,-16($out) .Lxts_enc_ret: + xorps %xmm0,%xmm0 # clear register bank + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) ___ $code.=<<___; lea (%rbp),%rsp @@ -2053,7 +2216,7 @@ aesni_xts_decrypt: and \$-16,%rsp # Linux kernel stack can be incorrectly seeded ___ $code.=<<___ if ($win64); - movaps %xmm6,-0xa8(%rax) + movaps %xmm6,-0xa8(%rax) # offload everything movaps %xmm7,-0x98(%rax) movaps %xmm8,-0x88(%rax) movaps %xmm9,-0x78(%rax) @@ -2116,7 +2279,7 @@ $code.=<<___; movaps $rndkey1,0x60(%rsp) # save round[0]^round[last] sub \$16*6,$len - jc .Lxts_dec_short + jc .Lxts_dec_short # if $len-=6*16 borrowed mov \$16+96,$rounds lea 32($key_,$rnds_),$key # end of key schedule 
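Review bot: The stack wipe at `.Lxts_enc_ret` stops at `0x60(%rsp)` whereas `.Lctr32_done` continues to `0x70(%rsp)`, and nothing in the epilogue says why the extents differ. From the visible stores the XTS frame holds tweaks^round[last] in slots `16*0`..`16*5` and round[0]^round[last] at `0x60(%rsp)`, which is key-derived material, so the extent of the wipe should be stated next to it: `movaps %xmm0,0x00(%rsp) # clear stack: 0x00-0x50 tweaks^round[last], 0x60 round[0]^round[last]`. `.Lxts_dec_ret` repeats the same sequence and needs the same comment. Whether any XTS path spills to `0x70(%rsp)` cannot be determined from the hunks shown.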
@@ -2131,7 +2294,7 @@ $code.=<<___; movdqu `16*0`($inp),$inout0 # load input movdqa $rndkey0,$twmask movdqu `16*1`($inp),$inout1 - pxor @tweak[0],$inout0 + pxor @tweak[0],$inout0 # intput^=tweak^round[0] movdqu `16*2`($inp),$inout2 pxor @tweak[1],$inout1 aesdec $rndkey1,$inout0 @@ -2150,7 +2313,7 @@ $code.=<<___; lea `16*6`($inp),$inp pxor $twmask,$inout5 - pxor $twres, at tweak[0] + pxor $twres, at tweak[0] # calclulate tweaks^round[last] aesdec $rndkey1,$inout4 pxor $twres, at tweak[1] movdqa @tweak[0],`16*0`(%rsp) # put aside tweaks^last round key @@ -2194,7 +2357,7 @@ $code.=<<___; $movkey -80($key,%rax),$rndkey0 jnz .Lxts_dec_loop6 - movdqa (%r8),$twmask + movdqa (%r8),$twmask # start calculating next tweak movdqa $twres,$twtmp paddd $twres,$twres aesdec $rndkey1,$inout0 @@ -2288,15 +2451,15 @@ $code.=<<___; aesdeclast `16*5`(%rsp),$inout5 pxor $twres, at tweak[5] - lea `16*6`($out),$out - movups $inout0,`-16*6`($out) # write output + lea `16*6`($out),$out # $out+=6*16 + movups $inout0,`-16*6`($out) # store 6 output blocks movups $inout1,`-16*5`($out) movups $inout2,`-16*4`($out) movups $inout3,`-16*3`($out) movups $inout4,`-16*2`($out) movups $inout5,`-16*1`($out) sub \$16*6,$len - jnc .Lxts_dec_grandloop + jnc .Lxts_dec_grandloop # loop if $len-=6*16 didn't borrow mov \$16+96,$rounds sub $rnds_,$rounds 
@@ -2304,31 +2467,32 @@ $code.=<<___; shr \$4,$rounds # restore original value .Lxts_dec_short: + # at the point @tweak[0..5] are populated with tweak values mov $rounds,$rnds_ # backup $rounds pxor $rndkey0, at tweak[0] pxor $rndkey0, at tweak[1] - add \$16*6,$len - jz .Lxts_dec_done + add \$16*6,$len # restore real remaining $len + jz .Lxts_dec_done # done if ($len==0) pxor $rndkey0, at tweak[2] cmp \$0x20,$len - jb .Lxts_dec_one + jb .Lxts_dec_one # $len is 1*16 pxor $rndkey0, at tweak[3] - je .Lxts_dec_two + je .Lxts_dec_two # $len is 2*16 pxor $rndkey0, at tweak[4] cmp \$0x40,$len - jb .Lxts_dec_three - je .Lxts_dec_four + jb .Lxts_dec_three # $len is 3*16 + je .Lxts_dec_four # $len is 4*16 - movdqu ($inp),$inout0 + movdqu ($inp),$inout0 # $len is 5*16 movdqu 16*1($inp),$inout1 movdqu 16*2($inp),$inout2 pxor @tweak[0],$inout0 movdqu 16*3($inp),$inout3 pxor @tweak[1],$inout1 movdqu 16*4($inp),$inout4 - lea 16*5($inp),$inp + lea 16*5($inp),$inp # $inp+=5*16 pxor @tweak[2],$inout2 pxor @tweak[3],$inout3 pxor @tweak[4],$inout4 @@ -2338,7 +2502,7 @@ $code.=<<___; xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 5 output blocks xorps @tweak[3],$inout3 movdqu $inout1,16*1($out) xorps @tweak[4],$inout4 @@ -2347,7 +2511,7 @@ $code.=<<___; movdqu $inout3,16*3($out) pcmpgtd @tweak[5],$twtmp movdqu $inout4,16*4($out) - lea 16*5($out),$out + lea 16*5($out),$out # $out+=5*16 pshufd \$0x13,$twtmp, at tweak[1] # $twres and \$15,$len_ jz .Lxts_dec_ret 
@@ -2361,23 +2525,23 @@ $code.=<<___; .align 16 .Lxts_dec_one: movups ($inp),$inout0 - lea 16*1($inp),$inp + lea 16*1($inp),$inp # $inp+=1*16 xorps @tweak[0],$inout0 ___ &aesni_generate1("dec",$key,$rounds); $code.=<<___; xorps @tweak[0],$inout0 movdqa @tweak[1], at tweak[0] - movups $inout0,($out) + movups $inout0,($out) # store one output block movdqa @tweak[2], at tweak[1] - lea 16*1($out),$out + lea 16*1($out),$out # $out+=1*16 jmp .Lxts_dec_done .align 16 .Lxts_dec_two: movups ($inp),$inout0 movups 16($inp),$inout1 - lea 32($inp),$inp + lea 32($inp),$inp # $inp+=2*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 @@ -2387,9 +2551,9 @@ $code.=<<___; movdqa @tweak[2], at tweak[0] xorps @tweak[1],$inout1 movdqa @tweak[3], at tweak[1] - movups $inout0,($out) + movups $inout0,($out) # store 2 output blocks movups $inout1,16*1($out) - lea 16*2($out),$out + lea 16*2($out),$out # $out+=2*16 jmp .Lxts_dec_done .align 16 @@ -2397,7 +2561,7 @@ $code.=<<___; movups ($inp),$inout0 movups 16*1($inp),$inout1 movups 16*2($inp),$inout2 - lea 16*3($inp),$inp + lea 16*3($inp),$inp # $inp+=3*16 xorps @tweak[0],$inout0 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 @@ -2409,10 +2573,10 @@ $code.=<<___; xorps @tweak[1],$inout1 movdqa @tweak[4], at tweak[1] xorps @tweak[2],$inout2 - movups $inout0,($out) + movups $inout0,($out) # store 3 output blocks movups $inout1,16*1($out) movups $inout2,16*2($out) - lea 16*3($out),$out + lea 16*3($out),$out # $out+=3*16 jmp .Lxts_dec_done .align 16 @@ -2422,7 +2586,7 @@ $code.=<<___; movups 16*2($inp),$inout2 xorps @tweak[0],$inout0 movups 16*3($inp),$inout3 - lea 16*4($inp),$inp + lea 16*4($inp),$inp # $inp+=4*16 xorps @tweak[1],$inout1 xorps @tweak[2],$inout2 xorps @tweak[3],$inout3 
@@ -2434,17 +2598,17 @@ $code.=<<___; pxor @tweak[1],$inout1 movdqa @tweak[5], at tweak[1] pxor @tweak[2],$inout2 - movdqu $inout0,($out) + movdqu $inout0,($out) # store 4 output blocks pxor @tweak[3],$inout3 movdqu $inout1,16*1($out) movdqu $inout2,16*2($out) movdqu $inout3,16*3($out) - lea 16*4($out),$out + lea 16*4($out),$out # $out+=4*16 jmp .Lxts_dec_done .align 16 .Lxts_dec_done: - and \$15,$len_ + and \$15,$len_ # see if $len%16 is 0 jz .Lxts_dec_ret .Lxts_dec_done2: mov $len_,$len @@ -2482,18 +2646,60 @@ $code.=<<___; movups $inout0,($out) .Lxts_dec_ret: + xorps %xmm0,%xmm0 # clear register bank + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 +___ +$code.=<<___ if (!$win64); + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + movaps %xmm0,0x00(%rsp) # clear stack + pxor %xmm8,%xmm8 + movaps %xmm0,0x10(%rsp) + pxor %xmm9,%xmm9 + movaps %xmm0,0x20(%rsp) + pxor %xmm10,%xmm10 + movaps %xmm0,0x30(%rsp) + pxor %xmm11,%xmm11 + movaps %xmm0,0x40(%rsp) + pxor %xmm12,%xmm12 + movaps %xmm0,0x50(%rsp) + pxor %xmm13,%xmm13 + movaps %xmm0,0x60(%rsp) + pxor %xmm14,%xmm14 + pxor %xmm15,%xmm15 ___ $code.=<<___ if ($win64); movaps -0xa0(%rbp),%xmm6 + movaps %xmm0,-0xa0(%rbp) # clear stack movaps -0x90(%rbp),%xmm7 + movaps %xmm0,-0x90(%rbp) movaps -0x80(%rbp),%xmm8 + movaps %xmm0,-0x80(%rbp) movaps -0x70(%rbp),%xmm9 + movaps %xmm0,-0x70(%rbp) movaps -0x60(%rbp),%xmm10 + movaps %xmm0,-0x60(%rbp) movaps -0x50(%rbp),%xmm11 + movaps %xmm0,-0x50(%rbp) movaps -0x40(%rbp),%xmm12 + movaps %xmm0,-0x40(%rbp) movaps -0x30(%rbp),%xmm13 + movaps %xmm0,-0x30(%rbp) movaps -0x20(%rbp),%xmm14 + movaps %xmm0,-0x20(%rbp) movaps -0x10(%rbp),%xmm15 + movaps %xmm0,-0x10(%rbp) + movaps %xmm0,0x00(%rsp) + movaps %xmm0,0x10(%rsp) + movaps %xmm0,0x20(%rsp) + movaps %xmm0,0x30(%rsp) + movaps %xmm0,0x40(%rsp) + movaps %xmm0,0x50(%rsp) + movaps %xmm0,0x60(%rsp) ___ $code.=<<___; lea (%rbp),%rsp 
@@ -2548,7 +2754,11 @@ $code.=<<___; jnc .Lcbc_enc_loop add \$16,$len jnz .Lcbc_enc_tail + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 movups $inout0,($ivp) + pxor $inout0,$inout0 + pxor $inout1,$inout1 jmp .Lcbc_ret .Lcbc_enc_tail: @@ -2568,6 +2778,27 @@ $code.=<<___; #--------------------------- CBC DECRYPT ------------------------------# .align 16 .Lcbc_decrypt: + cmp \$16,$len + jne .Lcbc_decrypt_bulk + + # handle single block without allocating stack frame, + # useful in ciphertext stealing mode + movdqu ($inp),$inout0 # load input + movdqu ($ivp),$inout1 # load iv + movdqa $inout0,$inout2 # future iv +___ + &aesni_generate1("dec",$key,$rnds_); +$code.=<<___; + pxor $rndkey0,$rndkey0 # clear register bank + pxor $rndkey1,$rndkey1 + movdqu $inout2,($ivp) # store iv + xorps $inout1,$inout0 # ^=iv + pxor $inout1,$inout1 + movups $inout0,($out) # store output + pxor $inout0,$inout0 + jmp .Lcbc_ret +.align 16 +.Lcbc_decrypt_bulk: lea (%rsp),%rax push %rbp sub \$$frame_size,%rsp @@ -2609,11 +2840,11 @@ $code.=<<___; cmp \$0x70,$len jbe .Lcbc_dec_six_or_seven - and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE - sub \$0x50,$len + and \$`1<<26|1<<22`,%r9d # isolate XSAVE+MOVBE + sub \$0x50,$len # $len is biased by -5*16 cmp \$`1<<22`,%r9d # check for MOVBE without XSAVE - je .Lcbc_dec_loop6_enter - sub \$0x20,$len + je .Lcbc_dec_loop6_enter # [which denotes Atom Silvermont] + sub \$0x20,$len # $len is biased by -7*16 lea 0x70($key),$key # size optimization jmp .Lcbc_dec_loop8_enter .align 16 @@ -2740,7 +2971,7 @@ $code.=<<___; movaps $inout7,$inout0 lea -0x70($key),$key add \$0x70,$len - jle .Lcbc_dec_tail_collected + jle .Lcbc_dec_clear_tail_collected movups $inout7,($out) lea 0x10($out),$out cmp \$0x50,$len 
@@ -2759,14 +2990,19 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 pxor $in4,$inout5 movdqu $inout4,0x40($out) + pxor $inout4,$inout4 lea 0x50($out),$out movdqa $inout5,$inout0 + pxor $inout5,$inout5 jmp .Lcbc_dec_tail_collected .align 16 @@ -2781,16 +3017,23 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 pxor $in4,$inout5 movdqu $inout4,0x40($out) + pxor $inout4,$inout4 pxor $inout7,$inout6 movdqu $inout5,0x50($out) + pxor $inout5,$inout5 lea 0x60($out),$out movdqa $inout6,$inout0 + pxor $inout6,$inout6 + pxor $inout7,$inout7 jmp .Lcbc_dec_tail_collected .align 16 @@ -2834,31 +3077,31 @@ $code.=<<___; movdqa $inout5,$inout0 add \$0x50,$len - jle .Lcbc_dec_tail_collected + jle .Lcbc_dec_clear_tail_collected movups $inout5,($out) lea 0x10($out),$out .Lcbc_dec_tail: movups ($inp),$inout0 sub \$0x10,$len - jbe .Lcbc_dec_one + jbe .Lcbc_dec_one # $len is 1*16 or less movups 0x10($inp),$inout1 movaps $inout0,$in0 sub \$0x10,$len - jbe .Lcbc_dec_two + jbe .Lcbc_dec_two # $len is 2*16 or less movups 0x20($inp),$inout2 movaps $inout1,$in1 sub \$0x10,$len - jbe .Lcbc_dec_three + jbe .Lcbc_dec_three # $len is 3*16 or less movups 0x30($inp),$inout3 movaps $inout2,$in2 sub \$0x10,$len - jbe .Lcbc_dec_four + jbe .Lcbc_dec_four # $len is 4*16 or less - movups 0x40($inp),$inout4 + movups 0x40($inp),$inout4 # $len is 5*16 or less movaps $inout3,$in3 movaps $inout4,$in4 xorps $inout5,$inout5 
@@ -2869,12 +3112,17 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 pxor $in3,$inout4 movdqu $inout3,0x30($out) + pxor $inout3,$inout3 lea 0x40($out),$out movdqa $inout4,$inout0 + pxor $inout4,$inout4 + pxor $inout5,$inout5 sub \$0x10,$len jmp .Lcbc_dec_tail_collected @@ -2896,6 +3144,7 @@ $code.=<<___; pxor $in0,$inout1 movdqu $inout0,($out) movdqa $inout1,$inout0 + pxor $inout1,$inout1 # clear register bank lea 0x10($out),$out jmp .Lcbc_dec_tail_collected .align 16 @@ -2908,7 +3157,9 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank movdqa $inout2,$inout0 + pxor $inout2,$inout2 lea 0x20($out),$out jmp .Lcbc_dec_tail_collected .align 16 
@@ -2921,41 +3172,71 @@ $code.=<<___; movdqu $inout0,($out) pxor $in1,$inout2 movdqu $inout1,0x10($out) + pxor $inout1,$inout1 # clear register bank pxor $in2,$inout3 movdqu $inout2,0x20($out) + pxor $inout2,$inout2 movdqa $inout3,$inout0 + pxor $inout3,$inout3 lea 0x30($out),$out jmp .Lcbc_dec_tail_collected .align 16 +.Lcbc_dec_clear_tail_collected: + pxor $inout1,$inout1 # clear register bank + pxor $inout2,$inout2 + pxor $inout3,$inout3 +___ +$code.=<<___ if (!$win64); + pxor $inout4,$inout4 # %xmm6..9 + pxor $inout5,$inout5 + pxor $inout6,$inout6 + pxor $inout7,$inout7 +___ +$code.=<<___; .Lcbc_dec_tail_collected: movups $iv,($ivp) and \$15,$len jnz .Lcbc_dec_tail_partial movups $inout0,($out) + pxor $inout0,$inout0 jmp .Lcbc_dec_ret .align 16 .Lcbc_dec_tail_partial: movaps $inout0,(%rsp) + pxor $inout0,$inout0 mov \$16,%rcx mov $out,%rdi sub $len,%rcx lea (%rsp),%rsi - .long 0x9066A4F3 # rep movsb + .long 0x9066A4F3 # rep movsb + movdqa $inout0,(%rsp) .Lcbc_dec_ret: + xorps $rndkey0,$rndkey0 # %xmm0 + pxor $rndkey1,$rndkey1 ___ $code.=<<___ if ($win64); movaps 0x10(%rsp),%xmm6 + movaps %xmm0,0x10(%rsp) # clear stack movaps 0x20(%rsp),%xmm7 + movaps %xmm0,0x20(%rsp) movaps 0x30(%rsp),%xmm8 + movaps %xmm0,0x30(%rsp) movaps 0x40(%rsp),%xmm9 + movaps %xmm0,0x40(%rsp) movaps 0x50(%rsp),%xmm10 + movaps %xmm0,0x50(%rsp) movaps 0x60(%rsp),%xmm11 + movaps %xmm0,0x60(%rsp) movaps 0x70(%rsp),%xmm12 + movaps %xmm0,0x70(%rsp) movaps 0x80(%rsp),%xmm13 + movaps %xmm0,0x80(%rsp) movaps 0x90(%rsp),%xmm14 + movaps %xmm0,0x90(%rsp) movaps 0xa0(%rsp),%xmm15 + movaps %xmm0,0xa0(%rsp) ___ $code.=<<___; lea (%rbp),%rsp 
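Review bot: The added `movdqa $inout0,(%rsp)` after the `rep movsb` in `.Lcbc_dec_tail_partial` reads like a data store, yet its job is to wipe the block spilled by `movaps $inout0,(%rsp)` a few lines earlier. It writes zeros only because `pxor $inout0,$inout0` was inserted in between. A trailing comment would keep that dependency from being broken by a later edit: `movdqa $inout0,(%rsp) # wipe spilled block, $inout0 was zeroed above`. In the visible hunk only the `$win64` block wipes further stack slots at `.Lcbc_dec_ret`, so on other targets this is the one line clearing that slot.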
@@ -2965,8 +3246,15 @@ $code.=<<___; .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt ___ } -# int $PREFIX_set_[en|de]crypt_key (const unsigned char *userKey, +# int ${PREFIX}_set_decrypt_key(const unsigned char *inp, # int bits, AES_KEY *key) +# +# input: $inp user-supplied key +# $bits $inp length in bits +# $key pointer to key schedule +# output: %eax 0 denoting success, -1 or -2 - failure (see C) +# *$key key schedule +# { my ($inp,$bits,$key) = @_4args; $bits =~ s/%r/%e/; @@ -3003,7 +3291,9 @@ ${PREFIX}_set_decrypt_key: $movkey ($key),%xmm0 # inverse middle aesimc %xmm0,%xmm0 + pxor %xmm1,%xmm1 $movkey %xmm0,($inp) + pxor %xmm0,%xmm0 .Ldec_key_ret: add \$8,%rsp ret @@ -3020,6 +3310,22 @@ ___ # Agressively optimized in respect to aeskeygenassist's critical path # and is contained in %xmm0-5 to meet Win64 ABI requirement. # +# int ${PREFIX}_set_encrypt_key(const unsigned char *inp, +# int bits, AES_KEY * const key); +# +# input: $inp user-supplied key +# $bits $inp length in bits +# $key pointer to key schedule +# output: %eax 0 denoting success, -1 or -2 - failure (see C) +# $bits rounds-1 (used in aesni_set_decrypt_key) +# *$key key schedule +# $key pointer to key schedule (used in +# aesni_set_decrypt_key) +# +# Subroutine is frame-less, which means that only volatile registers +# are used. Note that it's declared "abi-omnipotent", which means that +# amount of volatile registers is smaller on Windows. +# $code.=<<___; .globl ${PREFIX}_set_encrypt_key .type ${PREFIX}_set_encrypt_key,\@abi-omnipotent @@ -3033,9 +3339,11 @@ __aesni_set_encrypt_key: test $key,$key jz .Lenc_key_ret + mov \$`1<<28|1<<11`,%r10d # AVX and XOP bits movups ($inp),%xmm0 # pull first 128 bits of *userKey xorps %xmm4,%xmm4 # low dword of xmm4 is assumed 0 - lea 16($key),%rax + and OPENSSL_ia32cap_P+4(%rip),%r10d + lea 16($key),%rax # %rax is used as modifiable copy of $key cmp \$256,$bits je .L14rounds cmp \$192,$bits 
@@ -3045,6 +3353,9 @@ __aesni_set_encrypt_key: .L10rounds: mov \$9,$bits # 10 rounds for 128-bit key + cmp \$`1<<28`,%r10d # AVX, bit no XOP + je .L10rounds_alt + $movkey %xmm0,($key) # round 0 aeskeygenassist \$0x1,%xmm0,%xmm1 # round 1 call .Lkey_expansion_128_cold @@ -3072,9 +3383,79 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L10rounds_alt: + movdqa .Lkey_rotate(%rip),%xmm5 + mov \$8,%r10d + movdqa .Lkey_rcon1(%rip),%xmm4 + movdqa %xmm0,%xmm2 + movdqu %xmm0,($key) + jmp .Loop_key128 + +.align 16 +.Loop_key128: + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + pslld \$1,%xmm4 + lea 16(%rax),%rax + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,-16(%rax) + movdqa %xmm0,%xmm2 + + dec %r10d + jnz .Loop_key128 + + movdqa .Lkey_rcon1b(%rip),%xmm4 + + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + pslld \$1,%xmm4 + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,(%rax) + + movdqa %xmm0,%xmm2 + pshufb %xmm5,%xmm0 + aesenclast %xmm4,%xmm0 + + movdqa %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm2,%xmm3 + pslldq \$4,%xmm2 + pxor %xmm3,%xmm2 + + pxor %xmm2,%xmm0 + movdqu %xmm0,16(%rax) + + mov $bits,96(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .L12rounds: movq 16($inp),%xmm2 # remaining 1/3 of *userKey mov \$11,$bits # 12 rounds for 192 + cmp \$`1<<28`,%r10d # AVX, but no XOP + je .L12rounds_alt + $movkey %xmm0,($key) # round 0 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 1,2 call .Lkey_expansion_192a_cold 
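Review bot: The `.L10rounds_alt` / `.Loop_key128` path is added without a single explanatory comment, as are `.L12rounds_alt` and `.L14rounds_alt` in the following hunks, although the rest of this patch annotates far simpler lines. A short block comment above `.L10rounds_alt` should state why AVX-without-XOP selects this path and that `pshufb` with `.Lkey_rotate` followed by `aesenclast` with `.Lkey_rcon1` appears to stand in for `aeskeygenassist`. The rounds store should also show its arithmetic, e.g. `mov $bits,96(%rax) # 240($key): %rax is $key+16+8*16 here`, because the offset silently depends on the loop count in `%r10d`. The same applies to `32(%rax)` and `16(%rax)` in the 192- and 256-bit variants.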
@@ -3098,10 +3479,54 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L12rounds_alt: + movdqa .Lkey_rotate192(%rip),%xmm5 + movdqa .Lkey_rcon1(%rip),%xmm4 + mov \$8,%r10d + movdqu %xmm0,($key) + jmp .Loop_key192 + +.align 16 +.Loop_key192: + movq %xmm2,0(%rax) + movdqa %xmm2,%xmm1 + pshufb %xmm5,%xmm2 + aesenclast %xmm4,%xmm2 + pslld \$1, %xmm4 + lea 24(%rax),%rax + + movdqa %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm3,%xmm0 + + pshufd \$0xff,%xmm0,%xmm3 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + + pxor %xmm2,%xmm0 + pxor %xmm3,%xmm2 + movdqu %xmm0,-16(%rax) + + dec %r10d + jnz .Loop_key192 + + mov $bits,32(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .L14rounds: movups 16($inp),%xmm2 # remaning half of *userKey mov \$13,$bits # 14 rounds for 256 lea 16(%rax),%rax + cmp \$`1<<28`,%r10d # AVX, but no XOP + je .L14rounds_alt + $movkey %xmm0,($key) # round 0 $movkey %xmm2,16($key) # round 1 aeskeygenassist \$0x1,%xmm2,%xmm1 # round 2 
@@ -3136,9 +3561,69 @@ __aesni_set_encrypt_key: jmp .Lenc_key_ret .align 16 +.L14rounds_alt: + movdqa .Lkey_rotate(%rip),%xmm5 + movdqa .Lkey_rcon1(%rip),%xmm4 + mov \$7,%r10d + movdqu %xmm0,0($key) + movdqa %xmm2,%xmm1 + movdqu %xmm2,16($key) + jmp .Loop_key256 + +.align 16 +.Loop_key256: + pshufb %xmm5,%xmm2 + aesenclast %xmm4,%xmm2 + + movdqa %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm0,%xmm3 + pslldq \$4,%xmm0 + pxor %xmm3,%xmm0 + pslld \$1,%xmm4 + + pxor %xmm2,%xmm0 + movdqu %xmm0,(%rax) + + dec %r10d + jz .Ldone_key256 + + pshufd \$0xff,%xmm0,%xmm2 + pxor %xmm3,%xmm3 + aesenclast %xmm3,%xmm2 + + movdqa %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm1,%xmm3 + pslldq \$4,%xmm1 + pxor %xmm3,%xmm1 + + pxor %xmm1,%xmm2 + movdqu %xmm2,16(%rax) + lea 32(%rax),%rax + movdqa %xmm2,%xmm1 + + jmp .Loop_key256 + +.Ldone_key256: + mov $bits,16(%rax) # 240($key) + xor %eax,%eax + jmp .Lenc_key_ret + +.align 16 .Lbad_keybits: mov \$-2,%rax .Lenc_key_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 add \$8,%rsp ret .LSEH_end_set_encrypt_key: @@ -3228,6 +3713,14 @@ $code.=<<___; .long 0x87,0,1,0 .Lincrement1: .byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 +.Lkey_rotate: + .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d +.Lkey_rotate192: + .long 0x04070605,0x04070605,0x04070605,0x04070605 +.Lkey_rcon1: + .long 1,1,1,1 +.Lkey_rcon1b: + .long 0x1b,0x1b,0x1b,0x1b .asciz "AES for Intel AES-NI, CRYPTOGAMS by " .align 64 @@ -3345,7 +3838,7 @@ cbc_se_handler: mov 152($context),%rax # pull context->Rsp mov 248($context),%rbx # pull context->Rip - lea .Lcbc_decrypt(%rip),%r10 + lea .Lcbc_decrypt_bulk(%rip),%r10 cmp %r10,%rbx # context->Rip<"prologue" label jb .Lcommon_seh_tail From appro at openssl.org Mon Apr 20 16:40:52 2015 
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 16:40:52 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429548052.735694.30238.nullmailer@dev.openssl.org> The branch master has been updated via 7be6bc68c6baef87d4d730c2505a05810a5a1684 (commit) from 23f6eec71dbd472044db7dc854599f1de14a1f48 (commit) - Log ----------------------------------------------------------------- commit 7be6bc68c6baef87d4d730c2505a05810a5a1684 Author: Andy Polyakov Date: Mon Apr 20 17:49:29 2015 +0200 aes/asm/aesni-x86.pl: fix typo affecting Windows build. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesni-x86.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index 847695f..f67df8c 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2168,7 +2168,7 @@ if ($PREFIX eq "aesni") {
 &mov ($rounds,8);
 &movdqa ("xmm4",&QWP(0x20,"ebx"));
 &movdqa ("xmm2","xmm0");
- &movdqu (&DWP(-16,$key),"xmm0");
+ &movdqu (&QWP(-16,$key),"xmm0");
 &set_label("loop_key128");
 &pshufb ("xmm0","xmm5");
From appro at openssl.org Mon Apr 20 16:40:52 2015
From: appro at openssl.org (Andy Polyakov) Date: Mon, 20 Apr 2015 16:40:52 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429548052.672131.30216.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 73824ba8fe30e3f52c7839d1b8fed2fbe47f3a68 (commit) from e95e22af50fdb433b074c663693a2b94db74ce87 (commit) - Log ----------------------------------------------------------------- commit 73824ba8fe30e3f52c7839d1b8fed2fbe47f3a68 Author: Andy Polyakov Date: Mon Apr 20 17:49:29 2015 +0200 aes/asm/aesni-x86.pl: fix typo affecting Windows build. Reviewed-by: Matt Caswell (cherry picked from commit 7be6bc68c6baef87d4d730c2505a05810a5a1684) ----------------------------------------------------------------------- Summary of changes: crypto/aes/asm/aesni-x86.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index 847695f..f67df8c 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -2168,7 +2168,7 @@ if ($PREFIX eq "aesni") {
 &mov ($rounds,8);
 &movdqa ("xmm4",&QWP(0x20,"ebx"));
 &movdqa ("xmm2","xmm0");
- &movdqu (&DWP(-16,$key),"xmm0");
+ &movdqu (&QWP(-16,$key),"xmm0");
 &set_label("loop_key128");
 &pshufb ("xmm0","xmm5");
From matt at openssl.org Mon Apr 20 22:14:24 2015
From: matt at openssl.org (Matt Caswell) Date: Mon, 20 Apr 2015 22:14:24 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429568064.159251.1467.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 5fa7c10bc4693349ebbfcab00f644545b21b544b (commit) via 96d96746462d3477095100fe476b40a4f727ed7a (commit) from 32d3b0f52f77ce86d53f38685336668d47c5bdfe (commit) - Log ----------------------------------------------------------------- commit 5fa7c10bc4693349ebbfcab00f644545b21b544b Author: Matt Caswell Date: Fri Mar 13 16:48:01 2015 +0000 Fix return checks in GOST engine Filled in lots of return value checks that were missing the GOST engine, and added appropriate error handling. Reviewed-by: Richard Levitte (cherry picked from commit 8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d) commit 96d96746462d3477095100fe476b40a4f727ed7a Author: Matt Caswell Date: Fri Mar 13 15:04:54 2015 +0000 Fix misc NULL derefs in sureware engine Fix miscellaneous NULL pointer derefs in the sureware engine. Reviewed-by: Richard Levitte (cherry picked from commit 7b611e5fe8eaac9512f72094c460f3ed6040076a) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/e_gost_err.c | 3 +- engines/ccgost/e_gost_err.h | 1 + engines/ccgost/gost2001.c | 229 ++++++++++++++++++++++++++++++++++---------- engines/ccgost/gost_ameth.c | 36 ++++++- engines/ccgost/gost_pmeth.c | 2 +- engines/ccgost/gost_sign.c | 79 ++++++++++++--- engines/e_sureware.c | 27 +++--- 7 files changed, 295 insertions(+), 82 deletions(-) diff --git a/engines/ccgost/e_gost_err.c b/engines/ccgost/e_gost_err.c index 3201b64..80ef58f 100644 --- a/engines/ccgost/e_gost_err.c +++ b/engines/ccgost/e_gost_err.c 
@@ -1,6 +1,6 @@ /* e_gost_err.c */ /* ==================================================================== - * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -90,6 +90,7 @@ static ERR_STRING_DATA GOST_str_functs[] = { {ERR_FUNC(GOST_F_GOST_IMIT_CTRL), "GOST_IMIT_CTRL"}, {ERR_FUNC(GOST_F_GOST_IMIT_FINAL), "GOST_IMIT_FINAL"}, {ERR_FUNC(GOST_F_GOST_IMIT_UPDATE), "GOST_IMIT_UPDATE"}, + {ERR_FUNC(GOST_F_GOST_SIGN_KEYGEN), "GOST_SIGN_KEYGEN"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST01), "PARAM_COPY_GOST01"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST94), "PARAM_COPY_GOST94"}, {ERR_FUNC(GOST_F_PKEY_GOST01CP_DECRYPT), "PKEY_GOST01CP_DECRYPT"}, diff --git a/engines/ccgost/e_gost_err.h b/engines/ccgost/e_gost_err.h index 92be558..a2018ec 100644 --- a/engines/ccgost/e_gost_err.h +++ b/engines/ccgost/e_gost_err.h @@ -90,6 +90,7 @@ void ERR_GOST_error(int function, int reason, char *file, int line); # define GOST_F_GOST_IMIT_CTRL 114 # define GOST_F_GOST_IMIT_FINAL 140 # define GOST_F_GOST_IMIT_UPDATE 115 +# define GOST_F_GOST_SIGN_KEYGEN 142 # define GOST_F_PARAM_COPY_GOST01 116 # define GOST_F_PARAM_COPY_GOST94 117 # define GOST_F_PKEY_GOST01CP_DECRYPT 118 diff --git a/engines/ccgost/gost2001.c b/engines/ccgost/gost2001.c index 2b96694..9536295 100644 --- a/engines/ccgost/gost2001.c +++ b/engines/ccgost/gost2001.c @@ -41,6 +41,11 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) BN_CTX *ctx = BN_CTX_new(); int ok = 0; + if(!ctx) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } + BN_CTX_start(ctx); p = BN_CTX_get(ctx); a = BN_CTX_get(ctx); 
@@ -48,6 +53,10 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); q = BN_CTX_get(ctx); + if(!p || !a || !b || !x || !y || !q) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } while (params->nid != NID_undef && params->nid != nid) params++; if (params->nid == NID_undef) { @@ -55,18 +64,33 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) GOST_R_UNSUPPORTED_PARAMETER_SET); goto err; } - BN_hex2bn(&p, params->p); - BN_hex2bn(&a, params->a); - BN_hex2bn(&b, params->b); + if(!BN_hex2bn(&p, params->p) + || !BN_hex2bn(&a, params->a) + || !BN_hex2bn(&b, params->b)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, + ERR_R_INTERNAL_ERROR); + goto err; + } grp = EC_GROUP_new_curve_GFp(p, a, b, ctx); + if(!grp) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } P = EC_POINT_new(grp); + if(!P) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } - BN_hex2bn(&x, params->x); - BN_hex2bn(&y, params->y); - EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx); - BN_hex2bn(&q, params->q); + if(!BN_hex2bn(&x, params->x) + || !BN_hex2bn(&y, params->y) + || !EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx) + || !BN_hex2bn(&q, params->q)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_KEYS fprintf(stderr, "Set params index %d oid %s\nq=", (params - R3410_2001_paramset), OBJ_nid2sn(params->nid)); 
@@ -74,16 +98,23 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) fprintf(stderr, "\n"); #endif - EC_GROUP_set_generator(grp, P, q, NULL); + if(!EC_GROUP_set_generator(grp, P, q, NULL)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } EC_GROUP_set_curve_name(grp, params->nid); - - EC_KEY_set_group(eckey, grp); + if(!EC_KEY_set_group(eckey, grp)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } ok = 1; err: - EC_POINT_free(P); - EC_GROUP_free(grp); - BN_CTX_end(ctx); - BN_CTX_free(ctx); + if (P) EC_POINT_free(P); + if (grp) EC_GROUP_free(grp); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } @@ -94,7 +125,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) */ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) { - DSA_SIG *newsig = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); BIGNUM *order = NULL; const EC_GROUP *group; @@ -103,6 +134,10 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) NULL, *e = NULL; EC_POINT *C = NULL; BN_CTX *ctx = BN_CTX_new(); + if(!ctx || !md) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); OPENSSL_assert(dlen == 32); newsig = DSA_SIG_new(); 
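Review bot: The combined `if(!ctx || !md)` check in `gost2001_do_sign` jumps to `err` before `BN_CTX_start(ctx)` has run, yet the `err` block added later in this file calls `BN_CTX_end(ctx)` whenever `ctx` is non-NULL. When only `md` is NULL that is an end without a matching start, which the BN_CTX start/end pairing does not appear to allow. `gost2001_do_verify` has the same shape with `if(!ctx || !group)`. I would test `ctx` on its own, call `BN_CTX_start(ctx)`, and only then test `md` (or `group`), so that every `goto err` taken with a live context is already inside a frame. The function body continues outside this hunk, and the same hunk is repeated in the OpenSSL_1_0_2-stable mail further down.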
@@ -111,11 +146,25 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; } group = EC_KEY_get0_group(eckey); + if(!group) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } order = BN_CTX_get(ctx); - EC_GROUP_get_order(group, order, ctx); + if(!order || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } priv_key = EC_KEY_get0_private_key(eckey); + if(!priv_key) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } e = BN_CTX_get(ctx); - BN_mod(e, md, order, ctx); + if(!e || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum="); BN_print_fp(stderr, md); 
@@ -128,55 +177,80 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) } k = BN_CTX_get(ctx); C = EC_POINT_new(group); + if(!k || !C) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } do { do { if (!BN_rand_range(k, order)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!EC_POINT_mul(group, C, k, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!X) X = BN_CTX_get(ctx); + if (!r) + r = BN_CTX_get(ctx); + if (!X || !r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } - if (!r) - r = BN_CTX_get(ctx); - BN_nnmod(r, X, order, ctx); + + if(!BN_nnmod(r, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(r)); /* s = (r*priv_key+k*e) mod order */ if (!tmp) tmp = BN_CTX_get(ctx); - BN_mod_mul(tmp, priv_key, r, order, ctx); if (!tmp2) tmp2 = BN_CTX_get(ctx); - BN_mod_mul(tmp2, k, e, order, ctx); if (!s) s = BN_CTX_get(ctx); - BN_mod_add(s, tmp, tmp2, order, ctx); + if (!tmp || !tmp2 || !s) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + if(!BN_mod_mul(tmp, priv_key, r, order, ctx) + || !BN_mod_mul(tmp2, k, e, order, ctx) + || !BN_mod_add(s, tmp, tmp2, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(s)); newsig->s = BN_dup(s); newsig->r = BN_dup(r); + if(!newsig->s || !newsig->r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + ret = newsig; err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - EC_POINT_free(C); - BN_free(md); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + 
if (C) EC_POINT_free(C); + if (md) BN_free(md); + if (!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -196,6 +270,11 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, const EC_POINT *pub_key = NULL; int ok = 0; + if(!ctx || !group) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + BN_CTX_start(ctx); order = BN_CTX_get(ctx); e = BN_CTX_get(ctx); @@ -205,9 +284,17 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, X = BN_CTX_get(ctx); R = BN_CTX_get(ctx); v = BN_CTX_get(ctx); + if(!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } - EC_GROUP_get_order(group, order, ctx); pub_key = EC_KEY_get0_public_key(ec); + if(!pub_key || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + if (BN_is_zero(sig->s) || BN_is_zero(sig->r) || (BN_cmp(sig->s, order) >= 1) || (BN_cmp(sig->r, order) >= 1)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, 
@@ -217,19 +304,28 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, } md = hashsum2bn(dgst); - BN_mod(e, md, order, ctx); + if(!md || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum: "); BN_print_fp(stderr, md); fprintf(stderr, "\ndigest mod q: "); BN_print_fp(stderr, e); #endif - if (BN_is_zero(e)) - BN_one(e); + if (BN_is_zero(e) && !BN_one(e)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } v = BN_mod_inverse(v, e, order, ctx); - BN_mod_mul(z1, sig->s, v, order, ctx); - BN_sub(tmp, order, sig->r); - BN_mod_mul(z2, tmp, v, order, ctx); + if(!v + || !BN_mod_mul(z1, sig->s, v, order, ctx) + || !BN_sub(tmp, order, sig->r) + || !BN_mod_mul(z2, tmp, v, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nInverted digest value: "); BN_print_fp(stderr, v); @@ -239,6 +335,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, BN_print_fp(stderr, z2); #endif C = EC_POINT_new(group); + if (!C) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, C, z1, pub_key, z2, ctx)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; @@ -247,7 +347,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; } - BN_mod(R, X, order, ctx); + if(!BN_mod(R, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nX="); BN_print_fp(stderr, X); @@ -261,10 +364,12 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, ok = 1; } err: - EC_POINT_free(C); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_free(md); + if (C) EC_POINT_free(C); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if (md) BN_free(md); return ok; } 
@@ -287,6 +392,10 @@ int gost2001_compute_public(EC_KEY *ec) return 0; } ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (!(priv_key = EC_KEY_get0_private_key(ec))) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); @@ -294,6 +403,10 @@ int gost2001_compute_public(EC_KEY *ec) } pub_key = EC_POINT_new(group); + if(!pub_key) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); goto err; @@ -304,9 +417,11 @@ int gost2001_compute_public(EC_KEY *ec) } ok = 256; err: - BN_CTX_end(ctx); - EC_POINT_free(pub_key); - BN_CTX_free(ctx); + if (pub_key) EC_POINT_free(pub_key); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } @@ -320,7 +435,13 @@ int gost2001_keygen(EC_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = EC_KEY_get0_group(ec); - EC_GROUP_get_order(group, order, NULL); + + if(!group || !EC_GROUP_get_order(group, order, NULL)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } do { if (!BN_rand_range(d, order)) { @@ -332,7 +453,13 @@ int gost2001_keygen(EC_KEY *ec) } } while (BN_is_zero(d)); - EC_KEY_set_private_key(ec, d); + + if(!EC_KEY_set_private_key(ec, d)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } BN_free(d); BN_free(order); return gost2001_compute_public(ec); diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c index 713a0fa..b7c5354 100644 --- a/engines/ccgost/gost_ameth.c +++ b/engines/ccgost/gost_ameth.c 
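Review bot: In `gost2001_keygen` the new error returns release the private scalar with `BN_free(d)`, which hands the memory back without clearing the value. `BN_clear_free(d);` is the call intended for secret BIGNUMs, and it applies to the existing success-path free as well as to the two early returns added in the `-320,7` and `-332,7` hunks. The results of `BN_new()` for `order` and `d` are also still unchecked, so an allocation failure reaches `EC_GROUP_get_order` or `BN_rand_range(d, order)` with a NULL argument. A guard such as `if (!order || !d)` ahead of the group lookup, sharing one cleanup label with the other exits, would cover that and remove the three copies of the free sequence.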
@@ -115,7 +115,10 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg) } param_nid = OBJ_obj2nid(gkp->key_params); GOST_KEY_PARAMS_free(gkp); - EVP_PKEY_set_type(pkey, pkey_nid); + if(!EVP_PKEY_set_type(pkey, pkey_nid)) { + GOSTerr(GOST_F_DECODE_GOST_ALGOR_PARAMS, ERR_R_INTERNAL_ERROR); + return 0; + } switch (pkey_nid) { case NID_id_GostR3410_94: { @@ -552,9 +555,19 @@ static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from) } if (!eto) { eto = EC_KEY_new(); - EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto); + if(!eto) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_MALLOC_FAILURE); + return 0; + } + if(!EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; + } + } + if(!EC_KEY_set_group(eto, EC_KEY_get0_group(efrom))) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; } - EC_KEY_set_group(eto, EC_KEY_get0_group(efrom)); if (EC_KEY_get0_private_key(eto)) { gost2001_compute_public(eto); } @@ -729,8 +742,21 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk) } X = BN_new(); Y = BN_new(); - EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), - pub_key, X, Y, NULL); + if(!X || !Y) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_MALLOC_FAILURE); + if(X) BN_free(X); + if(Y) BN_free(Y); + BN_free(order); + return 0; + } + if(!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), + pub_key, X, Y, NULL)) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_INTERNAL_ERROR); + BN_free(X); + BN_free(Y); + BN_free(order); + return 0; + } data_len = 2 * BN_num_bytes(order); BN_free(order); databuf = OPENSSL_malloc(data_len); diff --git a/engines/ccgost/gost_pmeth.c b/engines/ccgost/gost_pmeth.c index 9af7b06..b6275b2 100644 --- a/engines/ccgost/gost_pmeth.c +++ b/engines/ccgost/gost_pmeth.c 
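Review bot: In `param_copy_gost01`, when `EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)` fails the freshly allocated `eto` is owned by nothing and the added `return 0` leaks it. Add `EC_KEY_free(eto);` before that return. The context line `gost2001_compute_public(eto);` just below still discards its result, so a failed public-key computation would be reported as a successful parameter copy. This is hedged, since the rest of the function lies outside the hunk.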
@@ -502,7 +502,7 @@ static int pkey_gost_mac_ctrl_str(EVP_PKEY_CTX *ctx, long keylen; int ret; unsigned char *keybuf = string_to_hex(value, &keylen); - if (keylen != 32) { + if (!keybuf || keylen != 32) { GOSTerr(GOST_F_PKEY_GOST_MAC_CTRL_STR, GOST_R_INVALID_MAC_KEY_LENGTH); OPENSSL_free(keybuf); diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 0116e47..073c5af 100644 --- a/engines/ccgost/gost_sign.c +++ b/engines/ccgost/gost_sign.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "gost_params.h" #include "gost_lcl.h" @@ -52,11 +53,16 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig = DSA_SIG_new(); + DSA_SIG *newsig, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); + newsig = DSA_SIG_new(); if (!newsig) { GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY); goto err; @@ -64,6 +70,10 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) tmp = BN_CTX_get(ctx); k = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); + if(!tmp || !k || !tmp2) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { BN_one(md); 
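Review bot: In `gost_do_sign`, `newsig` is now declared without an initialiser (`DSA_SIG *newsig, *ret = NULL;`), but the added `if(!ctx)` branch jumps to `err` before `newsig = DSA_SIG_new();` runs. The `err` block in the `-76,24` hunk then evaluates `if(!ret && newsig)` and can pass an indeterminate pointer to `DSA_SIG_free`. Declare it as `DSA_SIG *newsig = NULL, *ret = NULL;`. `md` from `hashsum2bn(dgst)` is also used without a NULL check here, unlike the `!md` test this commit adds to `gost2001_do_sign`.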
@@ -76,24 +86,41 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_rand_range(k, dsa->q); /* generate r = (a^x mod p) mod q */ BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx); - if (!(newsig->r)) + if (!(newsig->r)) { newsig->r = BN_new(); + if(!newsig->r) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod(newsig->r, tmp, dsa->q, ctx); } while (BN_is_zero(newsig->r)); /* generate s = (xr + k(Hm)) mod q */ BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx); BN_mod_mul(tmp2, k, md, dsa->q, ctx); - if (!newsig->s) + if (!newsig->s) { newsig->s = BN_new(); + if(!newsig->s) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx); } while (BN_is_zero(newsig->s)); + + ret = newsig; err: BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if(!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -135,17 +162,21 @@ int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen) int gost_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { - BIGNUM *md, *tmp = NULL; + BIGNUM *md = NULL, *tmp = NULL; BIGNUM *q2 = NULL; BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; BIGNUM *tmp2 = NULL, *tmp3 = NULL; int ok; BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q); - return 0; + goto err; } md = hashsum2bn(dgst); 
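Review bot: The per-signature value drawn by `BN_rand_range(k, dsa->q);` in the signing loop is still unchecked, so a failed random-number call goes on to produce a signature from whatever `k` holds. That value has to be fresh and secret for the private key to stay protected, which makes this the return value that matters most in the function. I would write `if (!BN_rand_range(k, dsa->q)) { GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); goto err; }`, as `gost2001_do_sign` already does. The `BN_mod_exp`, `BN_mod`, `BN_mod_mul` and `BN_mod_add` calls around it are unchecked as well, and so are `BN_rand_range(dsa->priv_key, dsa->q)` in `gost_sign_keygen` and `BN_mod_exp` in `gost94_compute_public` further down this file.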
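Review bot: In `gost_do_verify`, `int ok;` has no initialiser, and both new `goto err` paths reach `return (ok == 0);` in the `err` block of the `-174,12` hunk before `ok` is assigned. Those paths are the failed `BN_CTX_new()` and the out-of-range `sig->s` / `sig->r` case, which used to `return 0`. The result is indeterminate and can be 1, meaning a signature that was rejected or never checked is reported as valid. Initialise it to a failing value, `int ok = -1;`, so that every early exit returns 0. The function body continues outside this hunk.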
@@ -157,6 +188,10 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, tmp2 = BN_CTX_get(ctx); tmp3 = BN_CTX_get(ctx); u = BN_CTX_get(ctx); + if(!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { @@ -174,12 +209,15 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BN_mod(u, tmp3, dsa->q, ctx); ok = BN_cmp(u, sig->r); - BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); if (ok != 0) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } +err: + if(md) BN_free(md); + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return (ok == 0); } @@ -190,13 +228,24 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, int gost94_compute_public(DSA *dsa) { /* Now fill algorithm parameters with correct values */ - BN_CTX *ctx = BN_CTX_new(); + BN_CTX *ctx; if (!dsa->g) { GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED); return 0; } - /* Compute public key y = a^x mod p */ + ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + return 0; + } + dsa->pub_key = BN_new(); + if(!dsa->pub_key) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + BN_CTX_free(ctx); + return 0; + } + /* Compute public key y = a^x mod p */ BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx); BN_CTX_free(ctx); return 1; @@ -243,6 +292,10 @@ int fill_GOST94_params(DSA *dsa, int nid) int gost_sign_keygen(DSA *dsa) { dsa->priv_key = BN_new(); + if(!dsa->priv_key) { + GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE); + return 0; + } BN_rand_range(dsa->priv_key, dsa->q); return gost94_compute_public(dsa); } diff --git a/engines/e_sureware.c b/engines/e_sureware.c index 1005dfc..8a23763 100644 --- a/engines/e_sureware.c +++ b/engines/e_sureware.c 
@@ -712,10 +712,12 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, /* set public big nums */ rsatmp->e = BN_new(); rsatmp->n = BN_new(); + if(!rsatmp->e || !rsatmp->n) + goto err; bn_expand2(rsatmp->e, el / sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el / sizeof(BN_ULONG)); - if (!rsatmp->e || rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || - !rsatmp->n || rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) + if (rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || + rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Rsa_Pubkey(msg, key_id, el, (unsigned long *)rsatmp->n->d, @@ -752,15 +754,16 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new(); + if(!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g) + goto err; bn_expand2(dsatmp->pub_key, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->q, 20 / sizeof(BN_ULONG)); bn_expand2(dsatmp->g, el / sizeof(BN_ULONG)); - if (!dsatmp->pub_key - || dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->p || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->q || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) - || !dsatmp->g || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) + if (dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) + || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Dsa_Pubkey(msg, key_id, el, 
@@ -1038,10 +1041,12 @@ static DSA_SIG *surewarehk_dsa_do_sign(const unsigned char *from, int flen, } psign->r = BN_new(); psign->s = BN_new(); + if(!psign->r || !psign->s) + goto err; bn_expand2(psign->r, 20 / sizeof(BN_ULONG)); bn_expand2(psign->s, 20 / sizeof(BN_ULONG)); - if (!psign->r || psign->r->dmax != 20 / sizeof(BN_ULONG) || - !psign->s || psign->s->dmax != 20 / sizeof(BN_ULONG)) + if (psign->r->dmax != 20 / sizeof(BN_ULONG) || + psign->s->dmax != 20 / sizeof(BN_ULONG)) goto err; ret = p_surewarehk_Dsa_Sign(msg, flen, from, (unsigned long *)psign->r->d, @@ -1070,9 +1075,9 @@ static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, char msg[64] = "ENGINE_modexp"; if (!p_surewarehk_Mod_Exp) { SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP, ENGINE_R_NOT_INITIALISED); - } else { + } else if (r) { bn_expand2(r, m->top); - if (r && r->dmax == m->top) { + if (r->dmax == m->top) { /* do it */ ret = p_surewarehk_Mod_Exp(msg, m->top * sizeof(BN_ULONG), From matt at openssl.org Mon Apr 20 22:14:39 2015 
From: matt at openssl.org (Matt Caswell) Date: Mon, 20 Apr 2015 22:14:39 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429568079.784183.1697.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via f4c5cd30851c2c488cfc288dabfcbc568ff04410 (commit) via 0ddf91c5f39aad3b0bc11985872a236e09ce0371 (commit) from 73824ba8fe30e3f52c7839d1b8fed2fbe47f3a68 (commit) - Log ----------------------------------------------------------------- commit f4c5cd30851c2c488cfc288dabfcbc568ff04410 Author: Matt Caswell Date: Fri Mar 13 16:48:01 2015 +0000 Fix return checks in GOST engine Filled in lots of return value checks that were missing the GOST engine, and added appropriate error handling. Reviewed-by: Richard Levitte (cherry picked from commit 8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d) commit 0ddf91c5f39aad3b0bc11985872a236e09ce0371 Author: Matt Caswell Date: Fri Mar 13 15:04:54 2015 +0000 Fix misc NULL derefs in sureware engine Fix miscellaneous NULL pointer derefs in the sureware engine. Reviewed-by: Richard Levitte (cherry picked from commit 7b611e5fe8eaac9512f72094c460f3ed6040076a) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/e_gost_err.c | 3 +- engines/ccgost/e_gost_err.h | 1 + engines/ccgost/gost2001.c | 229 ++++++++++++++++++++++++++++++++++---------- engines/ccgost/gost_ameth.c | 36 ++++++- engines/ccgost/gost_pmeth.c | 2 +- engines/ccgost/gost_sign.c | 79 ++++++++++++--- engines/e_sureware.c | 27 +++--- 7 files changed, 295 insertions(+), 82 deletions(-) diff --git a/engines/ccgost/e_gost_err.c b/engines/ccgost/e_gost_err.c index 3201b64..80ef58f 100644 --- a/engines/ccgost/e_gost_err.c +++ b/engines/ccgost/e_gost_err.c 
@@ -1,6 +1,6 @@ /* e_gost_err.c */ /* ==================================================================== - * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -90,6 +90,7 @@ static ERR_STRING_DATA GOST_str_functs[] = { {ERR_FUNC(GOST_F_GOST_IMIT_CTRL), "GOST_IMIT_CTRL"}, {ERR_FUNC(GOST_F_GOST_IMIT_FINAL), "GOST_IMIT_FINAL"}, {ERR_FUNC(GOST_F_GOST_IMIT_UPDATE), "GOST_IMIT_UPDATE"}, + {ERR_FUNC(GOST_F_GOST_SIGN_KEYGEN), "GOST_SIGN_KEYGEN"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST01), "PARAM_COPY_GOST01"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST94), "PARAM_COPY_GOST94"}, {ERR_FUNC(GOST_F_PKEY_GOST01CP_DECRYPT), "PKEY_GOST01CP_DECRYPT"}, diff --git a/engines/ccgost/e_gost_err.h b/engines/ccgost/e_gost_err.h index 92be558..a2018ec 100644 --- a/engines/ccgost/e_gost_err.h +++ b/engines/ccgost/e_gost_err.h @@ -90,6 +90,7 @@ void ERR_GOST_error(int function, int reason, char *file, int line); # define GOST_F_GOST_IMIT_CTRL 114 # define GOST_F_GOST_IMIT_FINAL 140 # define GOST_F_GOST_IMIT_UPDATE 115 +# define GOST_F_GOST_SIGN_KEYGEN 142 # define GOST_F_PARAM_COPY_GOST01 116 # define GOST_F_PARAM_COPY_GOST94 117 # define GOST_F_PKEY_GOST01CP_DECRYPT 118 diff --git a/engines/ccgost/gost2001.c b/engines/ccgost/gost2001.c index 2b96694..9536295 100644 --- a/engines/ccgost/gost2001.c +++ b/engines/ccgost/gost2001.c @@ -41,6 +41,11 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) BN_CTX *ctx = BN_CTX_new(); int ok = 0; + if(!ctx) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } + BN_CTX_start(ctx); p = BN_CTX_get(ctx); a = BN_CTX_get(ctx); 
@@ -48,6 +53,10 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); q = BN_CTX_get(ctx); + if(!p || !a || !b || !x || !y || !q) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } while (params->nid != NID_undef && params->nid != nid) params++; if (params->nid == NID_undef) { @@ -55,18 +64,33 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) GOST_R_UNSUPPORTED_PARAMETER_SET); goto err; } - BN_hex2bn(&p, params->p); - BN_hex2bn(&a, params->a); - BN_hex2bn(&b, params->b); + if(!BN_hex2bn(&p, params->p) + || !BN_hex2bn(&a, params->a) + || !BN_hex2bn(&b, params->b)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, + ERR_R_INTERNAL_ERROR); + goto err; + } grp = EC_GROUP_new_curve_GFp(p, a, b, ctx); + if(!grp) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } P = EC_POINT_new(grp); + if(!P) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } - BN_hex2bn(&x, params->x); - BN_hex2bn(&y, params->y); - EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx); - BN_hex2bn(&q, params->q); + if(!BN_hex2bn(&x, params->x) + || !BN_hex2bn(&y, params->y) + || !EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx) + || !BN_hex2bn(&q, params->q)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_KEYS fprintf(stderr, "Set params index %d oid %s\nq=", (params - R3410_2001_paramset), OBJ_nid2sn(params->nid)); 
@@ -74,16 +98,23 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) fprintf(stderr, "\n"); #endif - EC_GROUP_set_generator(grp, P, q, NULL); + if(!EC_GROUP_set_generator(grp, P, q, NULL)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } EC_GROUP_set_curve_name(grp, params->nid); - - EC_KEY_set_group(eckey, grp); + if(!EC_KEY_set_group(eckey, grp)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } ok = 1; err: - EC_POINT_free(P); - EC_GROUP_free(grp); - BN_CTX_end(ctx); - BN_CTX_free(ctx); + if (P) EC_POINT_free(P); + if (grp) EC_GROUP_free(grp); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } @@ -94,7 +125,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) */ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) { - DSA_SIG *newsig = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); BIGNUM *order = NULL; const EC_GROUP *group; @@ -103,6 +134,10 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) NULL, *e = NULL; EC_POINT *C = NULL; BN_CTX *ctx = BN_CTX_new(); + if(!ctx || !md) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); OPENSSL_assert(dlen == 32); newsig = DSA_SIG_new(); 
@@ -111,11 +146,25 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; } group = EC_KEY_get0_group(eckey); + if(!group) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } order = BN_CTX_get(ctx); - EC_GROUP_get_order(group, order, ctx); + if(!order || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } priv_key = EC_KEY_get0_private_key(eckey); + if(!priv_key) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } e = BN_CTX_get(ctx); - BN_mod(e, md, order, ctx); + if(!e || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum="); BN_print_fp(stderr, md); 
@@ -128,55 +177,80 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) } k = BN_CTX_get(ctx); C = EC_POINT_new(group); + if(!k || !C) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } do { do { if (!BN_rand_range(k, order)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!EC_POINT_mul(group, C, k, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!X) X = BN_CTX_get(ctx); + if (!r) + r = BN_CTX_get(ctx); + if (!X || !r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } - if (!r) - r = BN_CTX_get(ctx); - BN_nnmod(r, X, order, ctx); + + if(!BN_nnmod(r, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(r)); /* s = (r*priv_key+k*e) mod order */ if (!tmp) tmp = BN_CTX_get(ctx); - BN_mod_mul(tmp, priv_key, r, order, ctx); if (!tmp2) tmp2 = BN_CTX_get(ctx); - BN_mod_mul(tmp2, k, e, order, ctx); if (!s) s = BN_CTX_get(ctx); - BN_mod_add(s, tmp, tmp2, order, ctx); + if (!tmp || !tmp2 || !s) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + if(!BN_mod_mul(tmp, priv_key, r, order, ctx) + || !BN_mod_mul(tmp2, k, e, order, ctx) + || !BN_mod_add(s, tmp, tmp2, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(s)); newsig->s = BN_dup(s); newsig->r = BN_dup(r); + if(!newsig->s || !newsig->r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + ret = newsig; err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - EC_POINT_free(C); - BN_free(md); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + 
if (C) EC_POINT_free(C); + if (md) BN_free(md); + if (!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -196,6 +270,11 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, const EC_POINT *pub_key = NULL; int ok = 0; + if(!ctx || !group) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + BN_CTX_start(ctx); order = BN_CTX_get(ctx); e = BN_CTX_get(ctx); @@ -205,9 +284,17 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, X = BN_CTX_get(ctx); R = BN_CTX_get(ctx); v = BN_CTX_get(ctx); + if(!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } - EC_GROUP_get_order(group, order, ctx); pub_key = EC_KEY_get0_public_key(ec); + if(!pub_key || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + if (BN_is_zero(sig->s) || BN_is_zero(sig->r) || (BN_cmp(sig->s, order) >= 1) || (BN_cmp(sig->r, order) >= 1)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, 
@@ -217,19 +304,28 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, } md = hashsum2bn(dgst); - BN_mod(e, md, order, ctx); + if(!md || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum: "); BN_print_fp(stderr, md); fprintf(stderr, "\ndigest mod q: "); BN_print_fp(stderr, e); #endif - if (BN_is_zero(e)) - BN_one(e); + if (BN_is_zero(e) && !BN_one(e)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } v = BN_mod_inverse(v, e, order, ctx); - BN_mod_mul(z1, sig->s, v, order, ctx); - BN_sub(tmp, order, sig->r); - BN_mod_mul(z2, tmp, v, order, ctx); + if(!v + || !BN_mod_mul(z1, sig->s, v, order, ctx) + || !BN_sub(tmp, order, sig->r) + || !BN_mod_mul(z2, tmp, v, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nInverted digest value: "); BN_print_fp(stderr, v); @@ -239,6 +335,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, BN_print_fp(stderr, z2); #endif C = EC_POINT_new(group); + if (!C) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, C, z1, pub_key, z2, ctx)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; @@ -247,7 +347,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; } - BN_mod(R, X, order, ctx); + if(!BN_mod(R, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nX="); BN_print_fp(stderr, X); @@ -261,10 +364,12 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, ok = 1; } err: - EC_POINT_free(C); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_free(md); + if (C) EC_POINT_free(C); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if (md) BN_free(md); return ok; } 
@@ -287,6 +392,10 @@ int gost2001_compute_public(EC_KEY *ec) return 0; } ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (!(priv_key = EC_KEY_get0_private_key(ec))) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); @@ -294,6 +403,10 @@ int gost2001_compute_public(EC_KEY *ec) } pub_key = EC_POINT_new(group); + if(!pub_key) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); goto err; @@ -304,9 +417,11 @@ int gost2001_compute_public(EC_KEY *ec) } ok = 256; err: - BN_CTX_end(ctx); - EC_POINT_free(pub_key); - BN_CTX_free(ctx); + if (pub_key) EC_POINT_free(pub_key); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } @@ -320,7 +435,13 @@ int gost2001_keygen(EC_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = EC_KEY_get0_group(ec); - EC_GROUP_get_order(group, order, NULL); + + if(!group || !EC_GROUP_get_order(group, order, NULL)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } do { if (!BN_rand_range(d, order)) { @@ -332,7 +453,13 @@ int gost2001_keygen(EC_KEY *ec) } } while (BN_is_zero(d)); - EC_KEY_set_private_key(ec, d); + + if(!EC_KEY_set_private_key(ec, d)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } BN_free(d); BN_free(order); return gost2001_compute_public(ec); diff --git a/engines/ccgost/gost_ameth.c b/engines/ccgost/gost_ameth.c index 713a0fa..b7c5354 100644 --- a/engines/ccgost/gost_ameth.c +++ b/engines/ccgost/gost_ameth.c 
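Review bot: In gost2001_keygen the two `BN_new()` results for `order` and `d` are still used without a NULL check, because the added guard tests only `group` and the return of `EC_GROUP_get_order`. An allocation failure therefore reaches `EC_GROUP_get_order(group, order, NULL)` or `BN_rand_range(d, order)` with a NULL BIGNUM. Extend the first condition to `if(!order || !d || !group || !EC_GROUP_get_order(group, order, NULL)) {`; the `BN_free(d); BN_free(order);` cleanup already in that branch accepts NULL. The `BN_rand_range` loop between this hunk and the next is only partly visible.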
@@ -115,7 +115,10 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg) } param_nid = OBJ_obj2nid(gkp->key_params); GOST_KEY_PARAMS_free(gkp); - EVP_PKEY_set_type(pkey, pkey_nid); + if(!EVP_PKEY_set_type(pkey, pkey_nid)) { + GOSTerr(GOST_F_DECODE_GOST_ALGOR_PARAMS, ERR_R_INTERNAL_ERROR); + return 0; + } switch (pkey_nid) { case NID_id_GostR3410_94: { @@ -552,9 +555,19 @@ static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from) } if (!eto) { eto = EC_KEY_new(); - EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto); + if(!eto) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_MALLOC_FAILURE); + return 0; + } + if(!EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; + } + } + if(!EC_KEY_set_group(eto, EC_KEY_get0_group(efrom))) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; } - EC_KEY_set_group(eto, EC_KEY_get0_group(efrom)); if (EC_KEY_get0_private_key(eto)) { gost2001_compute_public(eto); } @@ -729,8 +742,21 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk) } X = BN_new(); Y = BN_new(); - EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), - pub_key, X, Y, NULL); + if(!X || !Y) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_MALLOC_FAILURE); + if(X) BN_free(X); + if(Y) BN_free(Y); + BN_free(order); + return 0; + } + if(!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), + pub_key, X, Y, NULL)) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_INTERNAL_ERROR); + BN_free(X); + BN_free(Y); + BN_free(order); + return 0; + } data_len = 2 * BN_num_bytes(order); BN_free(order); databuf = OPENSSL_malloc(data_len); diff --git a/engines/ccgost/gost_pmeth.c b/engines/ccgost/gost_pmeth.c index a2c7cf2..4a79a85 100644 --- a/engines/ccgost/gost_pmeth.c +++ b/engines/ccgost/gost_pmeth.c 
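Review bot: In param_copy_gost01 the new failure branch after `EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)` returns without releasing the `EC_KEY` allocated just above it; since the assignment failed, `to` presumably never took ownership, so `eto` leaks. Add `EC_KEY_free(eto);` before that `return 0;`. The unchanged call `gost2001_compute_public(eto);` at the end of the hunk still discards its result, so a failed public-key computation would be reported as a successful copy; `if (!gost2001_compute_public(eto)) return 0;` would match the rest of the commit. The function continues past the hunk, so the final return is not visible here.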
@@ -510,7 +510,7 @@ static int pkey_gost_mac_ctrl_str(EVP_PKEY_CTX *ctx, long keylen; int ret; unsigned char *keybuf = string_to_hex(value, &keylen); - if (keylen != 32) { + if (!keybuf || keylen != 32) { GOSTerr(GOST_F_PKEY_GOST_MAC_CTRL_STR, GOST_R_INVALID_MAC_KEY_LENGTH); OPENSSL_free(keybuf); diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 0116e47..073c5af 100644 --- a/engines/ccgost/gost_sign.c +++ b/engines/ccgost/gost_sign.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "gost_params.h" #include "gost_lcl.h" @@ -52,11 +53,16 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig = DSA_SIG_new(); + DSA_SIG *newsig, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); + newsig = DSA_SIG_new(); if (!newsig) { GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY); goto err; @@ -64,6 +70,10 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) tmp = BN_CTX_get(ctx); k = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); + if(!tmp || !k || !tmp2) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { BN_one(md); 
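Review bot: In gost_do_sign, `newsig` is now declared without an initialiser (`DSA_SIG *newsig, *ret = NULL;`), yet the new `if(!ctx)` branch jumps to `err` before `newsig = DSA_SIG_new();` has run. The cleanup added in the following hunk then evaluates `if(!ret && newsig)` and may call `DSA_SIG_free` on an indeterminate pointer. Declare it as `DSA_SIG *newsig = NULL, *ret = NULL;`. The result of `hashsum2bn(dgst)` is also left unchecked here, unlike the `if(!ctx || !md)` guard this commit adds to gost2001_do_sign.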
@@ -76,24 +86,41 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_rand_range(k, dsa->q); /* generate r = (a^x mod p) mod q */ BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx); - if (!(newsig->r)) + if (!(newsig->r)) { newsig->r = BN_new(); + if(!newsig->r) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod(newsig->r, tmp, dsa->q, ctx); } while (BN_is_zero(newsig->r)); /* generate s = (xr + k(Hm)) mod q */ BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx); BN_mod_mul(tmp2, k, md, dsa->q, ctx); - if (!newsig->s) + if (!newsig->s) { newsig->s = BN_new(); + if(!newsig->s) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx); } while (BN_is_zero(newsig->s)); + + ret = newsig; err: BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if(!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -135,17 +162,21 @@ int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen) int gost_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { - BIGNUM *md, *tmp = NULL; + BIGNUM *md = NULL, *tmp = NULL; BIGNUM *q2 = NULL; BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; BIGNUM *tmp2 = NULL, *tmp3 = NULL; int ok; BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q); - return 0; + goto err; } md = hashsum2bn(dgst); 
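Review bot: The return value of `BN_rand_range(k, dsa->q);` in gost_do_sign's inner loop is still ignored, so a failing random number generator goes unnoticed and the signature is computed from whatever `k` holds. For a DSA-style scheme the per-signature value must be unpredictable, which makes this the most important check the commit leaves out. Handle it as gost2001_do_sign does: `if (!BN_rand_range(k, dsa->q)) { GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); goto err; }`. The same applies to `BN_rand_range(dsa->priv_key, dsa->q);` in gost_sign_keygen (last gost_sign.c hunk), and the `BN_mod_exp`, `BN_mod`, `BN_mod_mul` and `BN_mod_add` calls in this loop remain unchecked as well.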
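Review bot: Replacing the early `return 0;` with `goto err;`, and adding the `!ctx` jump, lets gost_do_verify reach its final `return (ok == 0);` while `ok` is still the uninitialised `int ok;`. On an allocation failure or on out-of-range signature parts the verification result is therefore indeterminate and can come out as a match. Under this commit's convention (zero means the values compared equal) the declaration should be `int ok = 1;` so that every error path fails closed. The `err:` label and the return statement are in the later hunk at -174,12.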
@@ -157,6 +188,10 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, tmp2 = BN_CTX_get(ctx); tmp3 = BN_CTX_get(ctx); u = BN_CTX_get(ctx); + if(!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { @@ -174,12 +209,15 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BN_mod(u, tmp3, dsa->q, ctx); ok = BN_cmp(u, sig->r); - BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); if (ok != 0) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } +err: + if(md) BN_free(md); + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return (ok == 0); } @@ -190,13 +228,24 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, int gost94_compute_public(DSA *dsa) { /* Now fill algorithm parameters with correct values */ - BN_CTX *ctx = BN_CTX_new(); + BN_CTX *ctx; if (!dsa->g) { GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED); return 0; } - /* Compute public key y = a^x mod p */ + ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + return 0; + } + dsa->pub_key = BN_new(); + if(!dsa->pub_key) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + BN_CTX_free(ctx); + return 0; + } + /* Compute public key y = a^x mod p */ BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx); BN_CTX_free(ctx); return 1; @@ -243,6 +292,10 @@ int fill_GOST94_params(DSA *dsa, int nid) int gost_sign_keygen(DSA *dsa) { dsa->priv_key = BN_new(); + if(!dsa->priv_key) { + GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE); + return 0; + } BN_rand_range(dsa->priv_key, dsa->q); return gost94_compute_public(dsa); } diff --git a/engines/e_sureware.c b/engines/e_sureware.c index 1005dfc..8a23763 100644 --- a/engines/e_sureware.c +++ b/engines/e_sureware.c 
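Review bot: gost94_compute_public still returns 1 unconditionally after `BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx);`, so a failed exponentiation leaves `pub_key` allocated but not computed while the caller is told the key is ready. Test the call with `if(!BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx))`, raise `GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_INTERNAL_ERROR)` and free `ctx` before returning 0, mirroring the two allocation checks added just above it. Whether `dsa->pub_key` can already hold a value when `BN_new()` overwrites it is not visible in this hunk and is worth confirming.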
@@ -712,10 +712,12 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, /* set public big nums */ rsatmp->e = BN_new(); rsatmp->n = BN_new(); + if(!rsatmp->e || !rsatmp->n) + goto err; bn_expand2(rsatmp->e, el / sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el / sizeof(BN_ULONG)); - if (!rsatmp->e || rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || - !rsatmp->n || rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) + if (rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || + rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Rsa_Pubkey(msg, key_id, el, (unsigned long *)rsatmp->n->d, @@ -752,15 +754,16 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new(); + if(!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g) + goto err; bn_expand2(dsatmp->pub_key, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->q, 20 / sizeof(BN_ULONG)); bn_expand2(dsatmp->g, el / sizeof(BN_ULONG)); - if (!dsatmp->pub_key - || dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->p || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->q || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) - || !dsatmp->g || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) + if (dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) + || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Dsa_Pubkey(msg, key_id, el, 
@@ -1038,10 +1041,12 @@ static DSA_SIG *surewarehk_dsa_do_sign(const unsigned char *from, int flen, } psign->r = BN_new(); psign->s = BN_new(); + if(!psign->r || !psign->s) + goto err; bn_expand2(psign->r, 20 / sizeof(BN_ULONG)); bn_expand2(psign->s, 20 / sizeof(BN_ULONG)); - if (!psign->r || psign->r->dmax != 20 / sizeof(BN_ULONG) || - !psign->s || psign->s->dmax != 20 / sizeof(BN_ULONG)) + if (psign->r->dmax != 20 / sizeof(BN_ULONG) || + psign->s->dmax != 20 / sizeof(BN_ULONG)) goto err; ret = p_surewarehk_Dsa_Sign(msg, flen, from, (unsigned long *)psign->r->d, @@ -1070,9 +1075,9 @@ static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, char msg[64] = "ENGINE_modexp"; if (!p_surewarehk_Mod_Exp) { SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP, ENGINE_R_NOT_INITIALISED); - } else { + } else if (r) { bn_expand2(r, m->top); - if (r && r->dmax == m->top) { + if (r->dmax == m->top) { /* do it */ ret = p_surewarehk_Mod_Exp(msg, m->top * sizeof(BN_ULONG), From levitte at openssl.org Mon Apr 20 23:46:10 2015 
From: levitte at openssl.org (Richard Levitte) Date: Mon, 20 Apr 2015 23:46:10 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429573570.207043.10410.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 186578be459b1d3e84d648fdda99e8b0c2da3084 (commit) from f4c5cd30851c2c488cfc288dabfcbc568ff04410 (commit) - Log ----------------------------------------------------------------- commit 186578be459b1d3e84d648fdda99e8b0c2da3084 Author: Richard Levitte Date: Wed Mar 25 14:41:58 2015 +0100 Initialised 'ok' and redo the logic. The logic with how 'ok' was calculated didn't quite convey what's "ok", so the logic is slightly redone to make it less confusing. Reviewed-by: Andy Polyakov (cherry picked from commit 06affe3dac65592a341547f5a47e52cedb7b71f8) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/gost_sign.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 073c5af..4b5f49e 100644 --- a/engines/ccgost/gost_sign.c +++ b/engines/ccgost/gost_sign.c @@ -166,7 +166,7 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BIGNUM *q2 = NULL; BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; BIGNUM *tmp2 = NULL, *tmp3 = NULL; - int ok; + int ok = 0; BN_CTX *ctx = BN_CTX_new(); if(!ctx) { GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); @@ -207,9 +207,9 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx); BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx); BN_mod(u, tmp3, dsa->q, ctx); - ok = BN_cmp(u, sig->r); + ok = (BN_cmp(u, sig->r) == 0); - if (ok != 0) { + if (!ok) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } err: @@ -218,7 +218,7 @@ err: BN_CTX_end(ctx); BN_CTX_free(ctx); } - return (ok == 0); + return ok; } /* From levitte at openssl.org Mon Apr 20 23:46:14 2015 
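Review bot: `ok` is now derived from `BN_cmp(u, sig->r)`, but the three calls directly above it that produce `u` are still unchecked, so the comparison can run on a value that was never computed. A verifier should fail closed: `if (!BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx) || !BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx) || !BN_mod(u, tmp3, dsa->q, ctx)) goto err;` returns 0 given the new `int ok = 0;`. The same hunk appears in the OpenSSL_1_0_1-stable mail that follows. The earlier BN calls in gost_do_verify are outside the hunk and likely need the same treatment.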
From: levitte at openssl.org (Richard Levitte) Date: Mon, 20 Apr 2015 23:46:14 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429573574.088203.10591.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 0725acd0712f12aa611846c852a2e20583e438e9 (commit) from 5fa7c10bc4693349ebbfcab00f644545b21b544b (commit) - Log ----------------------------------------------------------------- commit 0725acd0712f12aa611846c852a2e20583e438e9 Author: Richard Levitte Date: Wed Mar 25 14:41:58 2015 +0100 Initialised 'ok' and redo the logic. The logic with how 'ok' was calculated didn't quite convey what's "ok", so the logic is slightly redone to make it less confusing. Reviewed-by: Andy Polyakov (cherry picked from commit 06affe3dac65592a341547f5a47e52cedb7b71f8) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/gost_sign.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 073c5af..4b5f49e 100644 --- a/engines/ccgost/gost_sign.c +++ b/engines/ccgost/gost_sign.c @@ -166,7 +166,7 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BIGNUM *q2 = NULL; BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; BIGNUM *tmp2 = NULL, *tmp3 = NULL; - int ok; + int ok = 0; BN_CTX *ctx = BN_CTX_new(); if(!ctx) { GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); @@ -207,9 +207,9 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx); BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx); BN_mod(u, tmp3, dsa->q, ctx); - ok = BN_cmp(u, sig->r); + ok = (BN_cmp(u, sig->r) == 0); - if (ok != 0) { + if (!ok) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } err: @@ -218,7 +218,7 @@ err: BN_CTX_end(ctx); BN_CTX_free(ctx); } - return (ok == 0); + return ok; } /* From appro at openssl.org Tue Apr 21 07:18:37 2015 
From: appro at openssl.org (Andy Polyakov) Date: Tue, 21 Apr 2015 07:18:37 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429600717.863104.20479.nullmailer@dev.openssl.org> The branch master has been updated via 9b6b470afee13e011152cd1c5006251cc69d03b2 (commit) from 7be6bc68c6baef87d4d730c2505a05810a5a1684 (commit) - Log ----------------------------------------------------------------- commit 9b6b470afee13e011152cd1c5006251cc69d03b2 Author: Andy Polyakov Date: Mon Apr 20 15:36:35 2015 +0200 modes/asm/ghashv8-armx.pl: additional performance data. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/modes/asm/ghashv8-armx.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/modes/asm/ghashv8-armx.pl b/crypto/modes/asm/ghashv8-armx.pl index 55ba779..3750d25 100644 --- a/crypto/modes/asm/ghashv8-armx.pl +++ b/crypto/modes/asm/ghashv8-armx.pl @@ -27,6 +27,7 @@ # Apple A7 0.92 5.62 # Cortex-A53 1.01 8.39 # Cortex-A57 1.17 7.61 +# Denver 0.71 6.02 # # (*) presented for reference/comparison purposes; From appro at openssl.org Tue Apr 21 07:40:15 2015 
From: appro at openssl.org (Andy Polyakov) Date: Tue, 21 Apr 2015 07:40:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429602015.937191.23128.nullmailer@dev.openssl.org> The branch master has been updated via c3b9bd11f9908c5103a3b39753bb48e78a9cf0d3 (commit) via 5557d5f2e27ae8265d0b76227c78f2879d7f80a6 (commit) from 9b6b470afee13e011152cd1c5006251cc69d03b2 (commit) - Log ----------------------------------------------------------------- commit c3b9bd11f9908c5103a3b39753bb48e78a9cf0d3 Author: Andy Polyakov Date: Sun Feb 22 18:16:22 2015 +0100 Engage ec/asm/ecp_nistz256-sparcv9 module. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz commit 5557d5f2e27ae8265d0b76227c78f2879d7f80a6 Author: Andy Polyakov Date: Sun Feb 22 18:11:28 2015 +0100 Add ec/asm/ecp_nistz256-sparcv9.pl. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 1 + crypto/ec/Makefile | 3 + crypto/ec/asm/ecp_nistz256-sparcv9.pl | 3045 +++++++++++++++++++++++++++++++++ 3 files changed, 3049 insertions(+) create mode 100755 crypto/ec/asm/ecp_nistz256-sparcv9.pl diff --git a/Configure b/Configure index ba18ac3..53ff45d 100755 --- a/Configure +++ b/Configure @@ -369,6 +369,7 @@ my %table=( template => 1, cpuid_obj => "sparcv9cap.o sparccpuid.o", bn_obj => "bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o", + ec_obj => "ecp_nistz256.o ecp_nistz256-sparcv9.o", des_obj => "des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o", aes_obj => "aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o", md5_obj => "md5-sparcv9.o", diff --git a/crypto/ec/Makefile b/crypto/ec/Makefile index fa2fc4c..423f60b 100644 --- a/crypto/ec/Makefile +++ b/crypto/ec/Makefile 
@@ -54,6 +54,9 @@ ecp_nistz256-x86_64.s: asm/ecp_nistz256-x86_64.pl ecp_nistz256-avx2.s: asm/ecp_nistz256-avx2.pl $(PERL) asm/ecp_nistz256-avx2.pl $(PERLASM_SCHEME) > $@ +ecp_nistz256-sparcv9.S: asm/ecp_nistz256-sparcv9.pl + $(PERL) asm/ecp_nistz256-sparcv9.pl $(CFLAGS) > $@ + ecp_nistz256-%.S: asm/ecp_nistz256-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@ ecp_nistz256-armv4.o: ecp_nistz256-armv4.S ecp_nistz256-armv8.o: ecp_nistz256-armv8.S diff --git a/crypto/ec/asm/ecp_nistz256-sparcv9.pl b/crypto/ec/asm/ecp_nistz256-sparcv9.pl new file mode 100755 index 0000000..5693b75 --- /dev/null +++ b/crypto/ec/asm/ecp_nistz256-sparcv9.pl 
@@ -0,0 +1,3045 @@ +#!/usr/bin/env perl + +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. The module is, however, dual licensed under OpenSSL and +# CRYPTOGAMS licenses depending on where you obtain it. For further +# details see http://www.openssl.org/~appro/cryptogams/. +# ==================================================================== +# +# ECP_NISTZ256 module for SPARCv9. +# +# February 2015. +# +# Original ECP_NISTZ256 submission targeting x86_64 is detailed in +# http://eprint.iacr.org/2013/816. In the process of adaptation +# original .c module was made 32-bit savvy in order to make this +# implementation possible. +# +# with/without -DECP_NISTZ256_ASM +# UltraSPARC III +12-18% +# SPARC T4 +99-550% (+66-150% on 32-bit Solaris) +# +# Ranges denote minimum and maximum improvement coefficients depending +# on benchmark. Lower coefficients are for ECDSA sign, server-side +# operation. Keep in mind that +200% means 3x improvement. + +$code.=<<___; +#include "sparc_arch.h" + +#define LOCALS (STACK_BIAS+STACK_FRAME) +#ifdef __arch64__ +.register %g2,#scratch +.register %g3,#scratch +# define STACK64_FRAME STACK_FRAME +# define LOCALS64 LOCALS +#else +# define STACK64_FRAME (2047+192) +# define LOCALS64 STACK64_FRAME +#endif + +.section ".text",#alloc,#execinstr +___ +######################################################################## +# Convert ecp_nistz256_table.c to layout expected by ecp_nistz_gather_w7 +# +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +open TABLE,") { + s/TOBN\(\s*(0x[0-9a-f]+),\s*(0x[0-9a-f]+)\s*\)/push @arr,hex($2),hex($1)/geo; +} +close TABLE; + +# See ecp_nistz256_table.c for explanation for why it's 64*16*37. +# 64*16*37-1 is because $#arr returns last valid index or @arr, not +# amount of elements. 
+die "insane number of elements" if ($#arr != 64*16*37-1); + +$code.=<<___; +.globl ecp_nistz256_precomputed +.align 4096 +ecp_nistz256_precomputed: +___ +######################################################################## +# this conversion smashes P256_POINT_AFFINE by individual bytes with +# 64 byte interval, similar to +# 1111222233334444 +# 1234123412341234 +for(1..37) { + @tbl = splice(@arr,0,64*16); + for($i=0;$i<64;$i++) { + undef @line; + for($j=0;$j<64;$j++) { + push @line,(@tbl[$j*16+$i/4]>>(($i%4)*8))&0xff; + } + $code.=".byte\t"; + $code.=join(',',map { sprintf "0x%02x",$_} @line); + $code.="\n"; + } +} + +{{{ +my ($rp,$ap,$bp)=map("%i$_",(0..2)); +my @acc=map("%l$_",(0..7)); +my ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7)=(map("%o$_",(0..5)),"%g4","%g5"); +my ($bi,$a0,$mask,$carry)=(map("%i$_",(3..5)),"%g1"); +my ($rp_real,$ap_real)=("%g2","%g3"); + +$code.=<<___; +.size ecp_nistz256_precomputed,.-ecp_nistz256_precomputed +.align 64 +.LRR: ! 2^512 mod P precomputed for NIST P256 polynomial +.long 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb +.long 0xfffffffe, 0xffffffff, 0xfffffffd, 0x00000004 +.Lone: +.long 1,0,0,0,0,0,0,0 +.asciz "ECP_NISTZ256 for SPARCv9, CRYPTOGAMS by " + +! void ecp_nistz256_to_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_to_mont +.align 64 +ecp_nistz256_to_mont: + save %sp,-STACK_FRAME,%sp + nop +1: call .+8 + add %o7,.LRR-1b,$bp + call __ecp_nistz256_mul_mont + nop + ret + restore +.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont + +! void ecp_nistz256_from_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_from_mont +.align 32 +ecp_nistz256_from_mont: + save %sp,-STACK_FRAME,%sp + nop +1: call .+8 + add %o7,.Lone-1b,$bp + call __ecp_nistz256_mul_mont + nop + ret + restore +.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont + +! void ecp_nistz256_mul_mont(BN_ULONG %i0[8],const BN_ULONG %i1[8], +! 
const BN_ULONG %i2[8]);
+.globl ecp_nistz256_mul_mont
+.align 32
+ecp_nistz256_mul_mont:
+ save %sp,-STACK_FRAME,%sp
+ nop
+ call __ecp_nistz256_mul_mont
+ nop
+ ret
+ restore
+.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont
+
+! void ecp_nistz256_sqr_mont(BN_ULONG %i0[8],const BN_ULONG %i2[8]);
+.globl ecp_nistz256_sqr_mont
+.align 32
+ecp_nistz256_sqr_mont:
+ save %sp,-STACK_FRAME,%sp
+ mov $ap,$bp
+ call __ecp_nistz256_mul_mont
+ nop
+ ret
+ restore
+.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont
+___
+
+########################################################################
+# Special thing to keep in mind is that $t0-$t7 hold 64-bit values,
+# while all others are meant to keep 32. "Meant to" means that additions
+# to @acc[0-7] do "contaminate" upper bits, but they are cleared before
+# they can affect outcome (follow 'and' with $mask). Also keep in mind
+# that addition with carry is addition with 32-bit carry, even though
+# CPU is 64-bit. [Addition with 64-bit carry was introduced in T3, see
+# below for VIS3 code paths.]
+
+$code.=<<___;
+.align 32
+__ecp_nistz256_mul_mont:
+ ld [$bp+0],$bi ! b[0]
+ mov -1,$mask
+ ld [$ap+0],$a0
+ srl $mask,0,$mask ! 0xffffffff
+ ld [$ap+4],$t1
+ ld [$ap+8],$t2
+ ld [$ap+12],$t3
+ ld [$ap+16],$t4
+ ld [$ap+20],$t5
+ ld [$ap+24],$t6
+ ld [$ap+28],$t7
+ mulx $a0,$bi,$t0 ! a[0-7]*b[0], 64-bit results
+ mulx $t1,$bi,$t1
+ mulx $t2,$bi,$t2
+ mulx $t3,$bi,$t3
+ mulx $t4,$bi,$t4
+ mulx $t5,$bi,$t5
+ mulx $t6,$bi,$t6
+ mulx $t7,$bi,$t7
+ srlx $t0,32, at acc[1] ! extract high parts
+ srlx $t1,32, at acc[2]
+ srlx $t2,32, at acc[3]
+ srlx $t3,32, at acc[4]
+ srlx $t4,32, at acc[5]
+ srlx $t5,32, at acc[6]
+ srlx $t6,32, at acc[7]
+ srlx $t7,32, at acc[0] ! "@acc[8]"
+ mov 0,$carry
+___
+for($i=1;$i<8;$i++) {
+$code.=<<___;
+ addcc @acc[1],$t1, at acc[1] ! accumulate high parts
+ ld [$bp+4*$i],$bi ! b[$i]
+ ld [$ap+4],$t1 ! 
re-load a[1-7] + addccc @acc[2],$t2, at acc[2] + addccc @acc[3],$t3, at acc[3] + ld [$ap+8],$t2 + ld [$ap+12],$t3 + addccc @acc[4],$t4, at acc[4] + addccc @acc[5],$t5, at acc[5] + ld [$ap+16],$t4 + ld [$ap+20],$t5 + addccc @acc[6],$t6, at acc[6] + addccc @acc[7],$t7, at acc[7] + ld [$ap+24],$t6 + ld [$ap+28],$t7 + addccc @acc[0],$carry, at acc[0] ! "@acc[8]" + addc %g0,%g0,$carry +___ + # Reduction iteration is normally performed by accumulating + # result of multiplication of modulus by "magic" digit [and + # omitting least significant word, which is guaranteed to + # be 0], but thanks to special form of modulus and "magic" + # digit being equal to least significant word, it can be + # performed with additions and subtractions alone. Indeed: + # + # ffff.0001.0000.0000.0000.ffff.ffff.ffff + # * abcd + # + xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.abcd + # + # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we + # rewrite above as: + # + # xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.abcd + # + abcd.0000.abcd.0000.0000.abcd.0000.0000.0000 + # - abcd.0000.0000.0000.0000.0000.0000.abcd + # + # or marking redundant operations: + # + # xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.---- + # + abcd.0000.abcd.0000.0000.abcd.----.----.---- + # - abcd.----.----.----.----.----.----.---- + +$code.=<<___; + ! multiplication-less reduction + addcc @acc[3],$t0, at acc[3] ! r[3]+=r[0] + addccc @acc[4],%g0, at acc[4] ! r[4]+=0 + and @acc[1],$mask, at acc[1] + and @acc[2],$mask, at acc[2] + addccc @acc[5],%g0, at acc[5] ! r[5]+=0 + addccc @acc[6],$t0, at acc[6] ! r[6]+=r[0] + and @acc[3],$mask, at acc[3] + and @acc[4],$mask, at acc[4] + addccc @acc[7],%g0, at acc[7] ! r[7]+=0 + addccc @acc[0],$t0, at acc[0] ! r[8]+=r[0] "@acc[8]" + and @acc[5],$mask, at acc[5] + and @acc[6],$mask, at acc[6] + addc $carry,%g0,$carry ! top-most carry + subcc @acc[7],$t0, at acc[7] ! r[7]-=r[0] + subccc @acc[0],%g0, at acc[0] ! r[8]-=0 "@acc[8]" + subc $carry,%g0,$carry ! 
top-most carry + and @acc[7],$mask, at acc[7] + and @acc[0],$mask, at acc[0] ! "@acc[8]" +___ + push(@acc,shift(@acc)); # rotate registers to "omit" acc[0] +$code.=<<___; + mulx $a0,$bi,$t0 ! a[0-7]*b[$i], 64-bit results + mulx $t1,$bi,$t1 + mulx $t2,$bi,$t2 + mulx $t3,$bi,$t3 + mulx $t4,$bi,$t4 + mulx $t5,$bi,$t5 + mulx $t6,$bi,$t6 + mulx $t7,$bi,$t7 + add @acc[0],$t0,$t0 ! accumulate low parts, can't overflow + add @acc[1],$t1,$t1 + srlx $t0,32, at acc[1] ! extract high parts + add @acc[2],$t2,$t2 + srlx $t1,32, at acc[2] + add @acc[3],$t3,$t3 + srlx $t2,32, at acc[3] + add @acc[4],$t4,$t4 + srlx $t3,32, at acc[4] + add @acc[5],$t5,$t5 + srlx $t4,32, at acc[5] + add @acc[6],$t6,$t6 + srlx $t5,32, at acc[6] + add @acc[7],$t7,$t7 + srlx $t6,32, at acc[7] + srlx $t7,32, at acc[0] ! "@acc[8]" +___ +} +$code.=<<___; + addcc @acc[1],$t1, at acc[1] ! accumulate high parts + addccc @acc[2],$t2, at acc[2] + addccc @acc[3],$t3, at acc[3] + addccc @acc[4],$t4, at acc[4] + addccc @acc[5],$t5, at acc[5] + addccc @acc[6],$t6, at acc[6] + addccc @acc[7],$t7, at acc[7] + addccc @acc[0],$carry, at acc[0] ! "@acc[8]" + addc %g0,%g0,$carry + + addcc @acc[3],$t0, at acc[3] ! multiplication-less reduction + addccc @acc[4],%g0, at acc[4] + addccc @acc[5],%g0, at acc[5] + addccc @acc[6],$t0, at acc[6] + addccc @acc[7],%g0, at acc[7] + addccc @acc[0],$t0, at acc[0] ! "@acc[8]" + addc $carry,%g0,$carry + subcc @acc[7],$t0, at acc[7] + subccc @acc[0],%g0, at acc[0] ! "@acc[8]" + subc $carry,%g0,$carry ! top-most carry +___ + push(@acc,shift(@acc)); # rotate registers to omit acc[0] +$code.=<<___; + ! Final step is "if result > mod, subtract mod", but we do it + ! "other way around", namely subtract modulus from result + ! and if it borrowed, add modulus back. + + subcc @acc[0],-1, at acc[0] ! 
subtract modulus + subccc @acc[1],-1, at acc[1] + subccc @acc[2],-1, at acc[2] + subccc @acc[3],0, at acc[3] + subccc @acc[4],0, at acc[4] + subccc @acc[5],0, at acc[5] + subccc @acc[6],1, at acc[6] + subccc @acc[7],-1, at acc[7] + subc $carry,0,$carry ! broadcast borrow bit + + ! Note that because mod has special form, i.e. consists of + ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by + ! using value of broadcasted borrow and the borrow bit itself. + ! To minimize dependency chain we first broadcast and then + ! extract the bit by negating (follow $bi). + + addcc @acc[0],$carry, at acc[0] ! add modulus or zero + addccc @acc[1],$carry, at acc[1] + neg $carry,$bi + st @acc[0],[$rp] + addccc @acc[2],$carry, at acc[2] + st @acc[1],[$rp+4] + addccc @acc[3],0, at acc[3] + st @acc[2],[$rp+8] + addccc @acc[4],0, at acc[4] + st @acc[3],[$rp+12] + addccc @acc[5],0, at acc[5] + st @acc[4],[$rp+16] + addccc @acc[6],$bi, at acc[6] + st @acc[5],[$rp+20] + addc @acc[7],$carry, at acc[7] + st @acc[6],[$rp+24] + retl + st @acc[7],[$rp+28] +.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont + +! void ecp_nistz256_add(BN_ULONG %i0[8],const BN_ULONG %i1[8], +! const BN_ULONG %i2[8]); +.globl ecp_nistz256_add +.align 32 +ecp_nistz256_add: + save %sp,-STACK_FRAME,%sp + ld [$ap], at acc[0] + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + call __ecp_nistz256_add + ld [$ap+28], at acc[7] + ret + restore +.size ecp_nistz256_add,.-ecp_nistz256_add + +.align 32 +__ecp_nistz256_add: + ld [$bp+0],$t0 ! 
b[0] + ld [$bp+4],$t1 + ld [$bp+8],$t2 + ld [$bp+12],$t3 + addcc @acc[0],$t0, at acc[0] + ld [$bp+16],$t4 + ld [$bp+20],$t5 + addccc @acc[1],$t1, at acc[1] + ld [$bp+24],$t6 + ld [$bp+28],$t7 + addccc @acc[2],$t2, at acc[2] + addccc @acc[3],$t3, at acc[3] + addccc @acc[4],$t4, at acc[4] + addccc @acc[5],$t5, at acc[5] + addccc @acc[6],$t6, at acc[6] + addccc @acc[7],$t7, at acc[7] + subc %g0,%g0,$carry ! broadcast carry bit + +.Lreduce_by_sub: + + ! if a+b carries, subtract modulus. + ! + ! Note that because mod has special form, i.e. consists of + ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by + ! using value of broadcasted borrow and the borrow bit itself. + ! To minimize dependency chain we first broadcast and then + ! extract the bit by negating (follow $bi). + + subcc @acc[0],$carry, at acc[0] ! subtract synthesized modulus + subccc @acc[1],$carry, at acc[1] + neg $carry,$bi + st @acc[0],[$rp] + subccc @acc[2],$carry, at acc[2] + st @acc[1],[$rp+4] + subccc @acc[3],0, at acc[3] + st @acc[2],[$rp+8] + subccc @acc[4],0, at acc[4] + st @acc[3],[$rp+12] + subccc @acc[5],0, at acc[5] + st @acc[4],[$rp+16] + subccc @acc[6],$bi, at acc[6] + st @acc[5],[$rp+20] + subc @acc[7],$carry, at acc[7] + st @acc[6],[$rp+24] + retl + st @acc[7],[$rp+28] +.size __ecp_nistz256_add,.-__ecp_nistz256_add + +! void ecp_nistz256_mul_by_2(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_mul_by_2 +.align 32 +ecp_nistz256_mul_by_2: + save %sp,-STACK_FRAME,%sp + ld [$ap], at acc[0] + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + call __ecp_nistz256_mul_by_2 + ld [$ap+28], at acc[7] + ret + restore +.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 + +.align 32 +__ecp_nistz256_mul_by_2: + addcc @acc[0], at acc[0], at acc[0] ! 
a+a=2*a + addccc @acc[1], at acc[1], at acc[1] + addccc @acc[2], at acc[2], at acc[2] + addccc @acc[3], at acc[3], at acc[3] + addccc @acc[4], at acc[4], at acc[4] + addccc @acc[5], at acc[5], at acc[5] + addccc @acc[6], at acc[6], at acc[6] + addccc @acc[7], at acc[7], at acc[7] + b .Lreduce_by_sub + subc %g0,%g0,$carry ! broadcast carry bit +.size __ecp_nistz256_mul_by_2,.-__ecp_nistz256_mul_by_2 + +! void ecp_nistz256_mul_by_3(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_mul_by_3 +.align 32 +ecp_nistz256_mul_by_3: + save %sp,-STACK_FRAME,%sp + ld [$ap], at acc[0] + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + call __ecp_nistz256_mul_by_3 + ld [$ap+28], at acc[7] + ret + restore +.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 + +.align 32 +__ecp_nistz256_mul_by_3: + addcc @acc[0], at acc[0],$t0 ! a+a=2*a + addccc @acc[1], at acc[1],$t1 + addccc @acc[2], at acc[2],$t2 + addccc @acc[3], at acc[3],$t3 + addccc @acc[4], at acc[4],$t4 + addccc @acc[5], at acc[5],$t5 + addccc @acc[6], at acc[6],$t6 + addccc @acc[7], at acc[7],$t7 + subc %g0,%g0,$carry ! broadcast carry bit + + subcc $t0,$carry,$t0 ! .Lreduce_by_sub but without stores + neg $carry,$bi + subccc $t1,$carry,$t1 + subccc $t2,$carry,$t2 + subccc $t3,0,$t3 + subccc $t4,0,$t4 + subccc $t5,0,$t5 + subccc $t6,$bi,$t6 + subc $t7,$carry,$t7 + + addcc $t0, at acc[0], at acc[0] ! 2*a+a=3*a + addccc $t1, at acc[1], at acc[1] + addccc $t2, at acc[2], at acc[2] + addccc $t3, at acc[3], at acc[3] + addccc $t4, at acc[4], at acc[4] + addccc $t5, at acc[5], at acc[5] + addccc $t6, at acc[6], at acc[6] + addccc $t7, at acc[7], at acc[7] + b .Lreduce_by_sub + subc %g0,%g0,$carry ! broadcast carry bit +.size __ecp_nistz256_mul_by_3,.-__ecp_nistz256_mul_by_3 + +! void ecp_nistz256_sub(BN_ULONG %i0[8],const BN_ULONG %i1[8], +! 
const BN_ULONG %i2[8]); +.globl ecp_nistz256_sub +.align 32 +ecp_nistz256_sub: + save %sp,-STACK_FRAME,%sp + ld [$ap], at acc[0] + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + call __ecp_nistz256_sub_from + ld [$ap+28], at acc[7] + ret + restore +.size ecp_nistz256_sub,.-ecp_nistz256_sub + +! void ecp_nistz256_neg(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_neg +.align 32 +ecp_nistz256_neg: + save %sp,-STACK_FRAME,%sp + mov $ap,$bp + mov 0, at acc[0] + mov 0, at acc[1] + mov 0, at acc[2] + mov 0, at acc[3] + mov 0, at acc[4] + mov 0, at acc[5] + mov 0, at acc[6] + call __ecp_nistz256_sub_from + mov 0, at acc[7] + ret + restore +.size ecp_nistz256_neg,.-ecp_nistz256_neg + +.align 32 +__ecp_nistz256_sub_from: + ld [$bp+0],$t0 ! b[0] + ld [$bp+4],$t1 + ld [$bp+8],$t2 + ld [$bp+12],$t3 + subcc @acc[0],$t0, at acc[0] + ld [$bp+16],$t4 + ld [$bp+20],$t5 + subccc @acc[1],$t1, at acc[1] + subccc @acc[2],$t2, at acc[2] + ld [$bp+24],$t6 + ld [$bp+28],$t7 + subccc @acc[3],$t3, at acc[3] + subccc @acc[4],$t4, at acc[4] + subccc @acc[5],$t5, at acc[5] + subccc @acc[6],$t6, at acc[6] + subccc @acc[7],$t7, at acc[7] + subc %g0,%g0,$carry ! broadcast borrow bit + +.Lreduce_by_add: + + ! if a-b borrows, add modulus. + ! + ! Note that because mod has special form, i.e. consists of + ! 0xffffffff, 1 and 0s, we can conditionally synthesize it by + ! using value of broadcasted borrow and the borrow bit itself. + ! To minimize dependency chain we first broadcast and then + ! extract the bit by negating (follow $bi). + + addcc @acc[0],$carry, at acc[0] ! 
add synthesized modulus + addccc @acc[1],$carry, at acc[1] + neg $carry,$bi + st @acc[0],[$rp] + addccc @acc[2],$carry, at acc[2] + st @acc[1],[$rp+4] + addccc @acc[3],0, at acc[3] + st @acc[2],[$rp+8] + addccc @acc[4],0, at acc[4] + st @acc[3],[$rp+12] + addccc @acc[5],0, at acc[5] + st @acc[4],[$rp+16] + addccc @acc[6],$bi, at acc[6] + st @acc[5],[$rp+20] + addc @acc[7],$carry, at acc[7] + st @acc[6],[$rp+24] + retl + st @acc[7],[$rp+28] +.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from + +.align 32 +__ecp_nistz256_sub_morf: + ld [$bp+0],$t0 ! b[0] + ld [$bp+4],$t1 + ld [$bp+8],$t2 + ld [$bp+12],$t3 + subcc $t0, at acc[0], at acc[0] + ld [$bp+16],$t4 + ld [$bp+20],$t5 + subccc $t1, at acc[1], at acc[1] + subccc $t2, at acc[2], at acc[2] + ld [$bp+24],$t6 + ld [$bp+28],$t7 + subccc $t3, at acc[3], at acc[3] + subccc $t4, at acc[4], at acc[4] + subccc $t5, at acc[5], at acc[5] + subccc $t6, at acc[6], at acc[6] + subccc $t7, at acc[7], at acc[7] + b .Lreduce_by_add + subc %g0,%g0,$carry ! broadcast borrow bit +.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf + +! void ecp_nistz256_div_by_2(BN_ULONG %i0[8],const BN_ULONG %i1[8]); +.globl ecp_nistz256_div_by_2 +.align 32 +ecp_nistz256_div_by_2: + save %sp,-STACK_FRAME,%sp + ld [$ap], at acc[0] + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + call __ecp_nistz256_div_by_2 + ld [$ap+28], at acc[7] + ret + restore +.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 + +.align 32 +__ecp_nistz256_div_by_2: + ! ret = (a is odd ? a+mod : a) >> 1 + + and @acc[0],1,$bi + neg $bi,$carry + addcc @acc[0],$carry, at acc[0] + addccc @acc[1],$carry, at acc[1] + addccc @acc[2],$carry, at acc[2] + addccc @acc[3],0, at acc[3] + addccc @acc[4],0, at acc[4] + addccc @acc[5],0, at acc[5] + addccc @acc[6],$bi, at acc[6] + addccc @acc[7],$carry, at acc[7] + addc %g0,%g0,$carry + + ! 
ret >>= 1 + + srl @acc[0],1, at acc[0] + sll @acc[1],31,$t0 + srl @acc[1],1, at acc[1] + or @acc[0],$t0, at acc[0] + sll @acc[2],31,$t1 + srl @acc[2],1, at acc[2] + or @acc[1],$t1, at acc[1] + sll @acc[3],31,$t2 + st @acc[0],[$rp] + srl @acc[3],1, at acc[3] + or @acc[2],$t2, at acc[2] + sll @acc[4],31,$t3 + st @acc[1],[$rp+4] + srl @acc[4],1, at acc[4] + or @acc[3],$t3, at acc[3] + sll @acc[5],31,$t4 + st @acc[2],[$rp+8] + srl @acc[5],1, at acc[5] + or @acc[4],$t4, at acc[4] + sll @acc[6],31,$t5 + st @acc[3],[$rp+12] + srl @acc[6],1, at acc[6] + or @acc[5],$t5, at acc[5] + sll @acc[7],31,$t6 + st @acc[4],[$rp+16] + srl @acc[7],1, at acc[7] + or @acc[6],$t6, at acc[6] + sll $carry,31,$t7 + st @acc[5],[$rp+20] + or @acc[7],$t7, at acc[7] + st @acc[6],[$rp+24] + retl + st @acc[7],[$rp+28] +.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2 +___ + +######################################################################## +# following subroutines are "literal" implemetation of those found in +# ecp_nistz256.c +# +######################################################################## +# void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp); +# +{ +my ($S,$M,$Zsqr,$tmp0)=map(32*$_,(0..3)); +# above map() describes stack layout with 4 temporary +# 256-bit vectors on top. + +$code.=<<___; +#ifdef __PIC__ +SPARC_PIC_THUNK(%g1) +#endif + +.globl ecp_nistz256_point_double +.align 32 +ecp_nistz256_point_double: + SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5) + ld [%g1],%g1 ! 
OPENSSL_sparcv9cap_P[0] + and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1 + cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK) + be ecp_nistz256_point_double_vis3 + nop + + save %sp,-STACK_FRAME-32*4,%sp + + mov $rp,$rp_real + mov $ap,$ap_real + + ld [$ap+32], at acc[0] + ld [$ap+32+4], at acc[1] + ld [$ap+32+8], at acc[2] + ld [$ap+32+12], at acc[3] + ld [$ap+32+16], at acc[4] + ld [$ap+32+20], at acc[5] + ld [$ap+32+24], at acc[6] + ld [$ap+32+28], at acc[7] + call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(S, in_y); + add %sp,LOCALS+$S,$rp + + add $ap_real,64,$bp + add $ap_real,64,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Zsqr, in_z); + add %sp,LOCALS+$Zsqr,$rp + + add $ap_real,0,$bp + call __ecp_nistz256_add ! p256_add(M, Zsqr, in_x); + add %sp,LOCALS+$M,$rp + + add %sp,LOCALS+$S,$bp + add %sp,LOCALS+$S,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(S, S); + add %sp,LOCALS+$S,$rp + + ld [$ap_real], at acc[0] + add %sp,LOCALS+$Zsqr,$bp + ld [$ap_real+4], at acc[1] + ld [$ap_real+8], at acc[2] + ld [$ap_real+12], at acc[3] + ld [$ap_real+16], at acc[4] + ld [$ap_real+20], at acc[5] + ld [$ap_real+24], at acc[6] + ld [$ap_real+28], at acc[7] + call __ecp_nistz256_sub_from ! p256_sub(Zsqr, in_x, Zsqr); + add %sp,LOCALS+$Zsqr,$rp + + add $ap_real,32,$bp + add $ap_real,64,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(tmp0, in_z, in_y); + add %sp,LOCALS+$tmp0,$rp + + call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(res_z, tmp0); + add $rp_real,64,$rp + + add %sp,LOCALS+$Zsqr,$bp + add %sp,LOCALS+$M,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(M, M, Zsqr); + add %sp,LOCALS+$M,$rp + + call __ecp_nistz256_mul_by_3 ! p256_mul_by_3(M, M); + add %sp,LOCALS+$M,$rp + + add %sp,LOCALS+$S,$bp + add %sp,LOCALS+$S,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(tmp0, S); + add %sp,LOCALS+$tmp0,$rp + + call __ecp_nistz256_div_by_2 ! p256_div_by_2(res_y, tmp0); + add $rp_real,32,$rp + + add $ap_real,0,$bp + add %sp,LOCALS+$S,$ap + call __ecp_nistz256_mul_mont ! 
p256_mul_mont(S, S, in_x); + add %sp,LOCALS+$S,$rp + + call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(tmp0, S); + add %sp,LOCALS+$tmp0,$rp + + add %sp,LOCALS+$M,$bp + add %sp,LOCALS+$M,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(res_x, M); + add $rp_real,0,$rp + + add %sp,LOCALS+$tmp0,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, tmp0); + add $rp_real,0,$rp + + add %sp,LOCALS+$S,$bp + call __ecp_nistz256_sub_morf ! p256_sub(S, S, res_x); + add %sp,LOCALS+$S,$rp + + add %sp,LOCALS+$M,$bp + add %sp,LOCALS+$S,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S, S, M); + add %sp,LOCALS+$S,$rp + + add $rp_real,32,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_y, S, res_y); + add $rp_real,32,$rp + + ret + restore +.size ecp_nistz256_point_double,.-ecp_nistz256_point_double +___ +} + +######################################################################## +# void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT *in2); +{ +my ($res_x,$res_y,$res_z, + $H,$Hsqr,$R,$Rsqr,$Hcub, + $U1,$U2,$S1,$S2)=map(32*$_,(0..11)); +my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr); + +# above map() describes stack layout with 12 temporary +# 256-bit vectors on top. Then we reserve some space for +# !in1infty, !in2infty, result of check for zero and return pointer. + +my $bp_real=$rp_real; + +$code.=<<___; +.globl ecp_nistz256_point_add +.align 32 +ecp_nistz256_point_add: + SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5) + ld [%g1],%g1 ! OPENSSL_sparcv9cap_P[0] + and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1 + cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK) + be ecp_nistz256_point_add_vis3 + nop + + save %sp,-STACK_FRAME-32*12-32,%sp + + stx $rp,[%fp+STACK_BIAS-8] ! off-load $rp + mov $ap,$ap_real + mov $bp,$bp_real + + ld [$bp], at acc[0] ! in2_x + ld [$bp+4], at acc[1] + ld [$bp+8], at acc[2] + ld [$bp+12], at acc[3] + ld [$bp+16], at acc[4] + ld [$bp+20], at acc[5] + ld [$bp+24], at acc[6] + ld [$bp+28], at acc[7] + ld [$bp+32],$t0 ! 
in2_y + ld [$bp+32+4],$t1 + ld [$bp+32+8],$t2 + ld [$bp+32+12],$t3 + ld [$bp+32+16],$t4 + ld [$bp+32+20],$t5 + ld [$bp+32+24],$t6 + ld [$bp+32+28],$t7 + or @acc[1], at acc[0], at acc[0] + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + or @acc[4], at acc[0], at acc[0] + or $t1,$t0,$t0 + or $t3,$t2,$t2 + or $t5,$t4,$t4 + or $t7,$t6,$t6 + or $t2,$t0,$t0 + or $t6,$t4,$t4 + or $t4,$t0,$t0 + or @acc[0],$t0,$t0 ! !in2infty + movrnz $t0,-1,$t0 + st $t0,[%fp+STACK_BIAS-12] + + ld [$ap], at acc[0] ! in1_x + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + ld [$ap+28], at acc[7] + ld [$ap+32],$t0 ! in1_y + ld [$ap+32+4],$t1 + ld [$ap+32+8],$t2 + ld [$ap+32+12],$t3 + ld [$ap+32+16],$t4 + ld [$ap+32+20],$t5 + ld [$ap+32+24],$t6 + ld [$ap+32+28],$t7 + or @acc[1], at acc[0], at acc[0] + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + or @acc[4], at acc[0], at acc[0] + or $t1,$t0,$t0 + or $t3,$t2,$t2 + or $t5,$t4,$t4 + or $t7,$t6,$t6 + or $t2,$t0,$t0 + or $t6,$t4,$t4 + or $t4,$t0,$t0 + or @acc[0],$t0,$t0 ! !in1infty + movrnz $t0,-1,$t0 + st $t0,[%fp+STACK_BIAS-16] + + add $bp_real,64,$bp + add $bp_real,64,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z2sqr, in2_z); + add %sp,LOCALS+$Z2sqr,$rp + + add $ap_real,64,$bp + add $ap_real,64,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z1sqr, in1_z); + add %sp,LOCALS+$Z1sqr,$rp + + add $bp_real,64,$bp + add %sp,LOCALS+$Z2sqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S1, Z2sqr, in2_z); + add %sp,LOCALS+$S1,$rp + + add $ap_real,64,$bp + add %sp,LOCALS+$Z1sqr,$ap + call __ecp_nistz256_mul_mont ! 
p256_mul_mont(S2, Z1sqr, in1_z); + add %sp,LOCALS+$S2,$rp + + add $ap_real,32,$bp + add %sp,LOCALS+$S1,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S1, S1, in1_y); + add %sp,LOCALS+$S1,$rp + + add $bp_real,32,$bp + add %sp,LOCALS+$S2,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, S2, in2_y); + add %sp,LOCALS+$S2,$rp + + add %sp,LOCALS+$S1,$bp + call __ecp_nistz256_sub_from ! p256_sub(R, S2, S1); + add %sp,LOCALS+$R,$rp + + or @acc[1], at acc[0], at acc[0] ! see if result is zero + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + or @acc[4], at acc[0], at acc[0] + st @acc[0],[%fp+STACK_BIAS-20] + + add $ap_real,0,$bp + add %sp,LOCALS+$Z2sqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(U1, in1_x, Z2sqr); + add %sp,LOCALS+$U1,$rp + + add $bp_real,0,$bp + add %sp,LOCALS+$Z1sqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, in2_x, Z1sqr); + add %sp,LOCALS+$U2,$rp + + add %sp,LOCALS+$U1,$bp + call __ecp_nistz256_sub_from ! p256_sub(H, U2, U1); + add %sp,LOCALS+$H,$rp + + or @acc[1], at acc[0], at acc[0] ! see if result is zero + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + orcc @acc[4], at acc[0], at acc[0] + + bne,pt %icc,.Ladd_proceed ! is_equal(U1,U2)? + nop + + ld [%fp+STACK_BIAS-12],$t0 + ld [%fp+STACK_BIAS-16],$t1 + ld [%fp+STACK_BIAS-20],$t2 + andcc $t0,$t1,%g0 + be,pt %icc,.Ladd_proceed ! (in1infty || in2infty)? + nop + andcc $t2,$t2,%g0 + be,pt %icc,.Ladd_proceed ! is_equal(S1,S2)? 
+ nop + + ldx [%fp+STACK_BIAS-8],$rp + st %g0,[$rp] + st %g0,[$rp+4] + st %g0,[$rp+8] + st %g0,[$rp+12] + st %g0,[$rp+16] + st %g0,[$rp+20] + st %g0,[$rp+24] + st %g0,[$rp+28] + st %g0,[$rp+32] + st %g0,[$rp+32+4] + st %g0,[$rp+32+8] + st %g0,[$rp+32+12] + st %g0,[$rp+32+16] + st %g0,[$rp+32+20] + st %g0,[$rp+32+24] + st %g0,[$rp+32+28] + st %g0,[$rp+64] + st %g0,[$rp+64+4] + st %g0,[$rp+64+8] + st %g0,[$rp+64+12] + st %g0,[$rp+64+16] + st %g0,[$rp+64+20] + st %g0,[$rp+64+24] + st %g0,[$rp+64+28] + b .Ladd_done + nop + +.align 16 +.Ladd_proceed: + add %sp,LOCALS+$R,$bp + add %sp,LOCALS+$R,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Rsqr, R); + add %sp,LOCALS+$Rsqr,$rp + + add $ap_real,64,$bp + add %sp,LOCALS+$H,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, H, in1_z); + add %sp,LOCALS+$res_z,$rp + + add %sp,LOCALS+$H,$bp + add %sp,LOCALS+$H,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Hsqr, H); + add %sp,LOCALS+$Hsqr,$rp + + add $bp_real,64,$bp + add %sp,LOCALS+$res_z,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, res_z, in2_z); + add %sp,LOCALS+$res_z,$rp + + add %sp,LOCALS+$H,$bp + add %sp,LOCALS+$Hsqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(Hcub, Hsqr, H); + add %sp,LOCALS+$Hcub,$rp + + add %sp,LOCALS+$U1,$bp + add %sp,LOCALS+$Hsqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, U1, Hsqr); + add %sp,LOCALS+$U2,$rp + + call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(Hsqr, U2); + add %sp,LOCALS+$Hsqr,$rp + + add %sp,LOCALS+$Rsqr,$bp + call __ecp_nistz256_sub_morf ! p256_sub(res_x, Rsqr, Hsqr); + add %sp,LOCALS+$res_x,$rp + + add %sp,LOCALS+$Hcub,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, Hcub); + add %sp,LOCALS+$res_x,$rp + + add %sp,LOCALS+$U2,$bp + call __ecp_nistz256_sub_morf ! p256_sub(res_y, U2, res_x); + add %sp,LOCALS+$res_y,$rp + + add %sp,LOCALS+$Hcub,$bp + add %sp,LOCALS+$S1,$ap + call __ecp_nistz256_mul_mont ! 
p256_mul_mont(S2, S1, Hcub); + add %sp,LOCALS+$S2,$rp + + add %sp,LOCALS+$R,$bp + add %sp,LOCALS+$res_y,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(res_y, res_y, R); + add %sp,LOCALS+$res_y,$rp + + add %sp,LOCALS+$S2,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_y, res_y, S2); + add %sp,LOCALS+$res_y,$rp + + ld [%fp+STACK_BIAS-16],$t1 ! !in1infty + ld [%fp+STACK_BIAS-12],$t2 ! !in2infty + ldx [%fp+STACK_BIAS-8],$rp +___ +for($i=0;$i<96;$i+=8) { # conditional moves +$code.=<<___; + ld [%sp+LOCALS+$i], at acc[0] ! res + ld [%sp+LOCALS+$i+4], at acc[1] + ld [$bp_real+$i], at acc[2] ! in2 + ld [$bp_real+$i+4], at acc[3] + ld [$ap_real+$i], at acc[4] ! in1 + ld [$ap_real+$i+4], at acc[5] + movrz $t1, at acc[2], at acc[0] + movrz $t1, at acc[3], at acc[1] + movrz $t2, at acc[4], at acc[0] + movrz $t2, at acc[5], at acc[1] + st @acc[0],[$rp+$i] + st @acc[1],[$rp+$i+4] +___ +} +$code.=<<___; +.Ladd_done: + ret + restore +.size ecp_nistz256_point_add,.-ecp_nistz256_point_add +___ +} + +######################################################################## +# void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT_AFFINE *in2); +{ +my ($res_x,$res_y,$res_z, + $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..9)); +my $Z1sqr = $S2; +# above map() describes stack layout with 10 temporary +# 256-bit vectors on top. Then we reserve some space for +# !in1infty, !in2infty, result of check for zero and return pointer. + +my @ONE_mont=(1,0,0,-1,-1,-1,-2,0); +my $bp_real=$rp_real; + +$code.=<<___; +.globl ecp_nistz256_point_add_affine +.align 32 +ecp_nistz256_point_add_affine: + SPARC_LOAD_ADDRESS_LEAF(OPENSSL_sparcv9cap_P,%g1,%g5) + ld [%g1],%g1 ! OPENSSL_sparcv9cap_P[0] + and %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK),%g1 + cmp %g1,(SPARCV9_VIS3|SPARCV9_64BIT_STACK) + be ecp_nistz256_point_add_affine_vis3 + nop + + save %sp,-STACK_FRAME-32*10-32,%sp + + stx $rp,[%fp+STACK_BIAS-8] ! 
off-load $rp + mov $ap,$ap_real + mov $bp,$bp_real + + ld [$ap], at acc[0] ! in1_x + ld [$ap+4], at acc[1] + ld [$ap+8], at acc[2] + ld [$ap+12], at acc[3] + ld [$ap+16], at acc[4] + ld [$ap+20], at acc[5] + ld [$ap+24], at acc[6] + ld [$ap+28], at acc[7] + ld [$ap+32],$t0 ! in1_y + ld [$ap+32+4],$t1 + ld [$ap+32+8],$t2 + ld [$ap+32+12],$t3 + ld [$ap+32+16],$t4 + ld [$ap+32+20],$t5 + ld [$ap+32+24],$t6 + ld [$ap+32+28],$t7 + or @acc[1], at acc[0], at acc[0] + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + or @acc[4], at acc[0], at acc[0] + or $t1,$t0,$t0 + or $t3,$t2,$t2 + or $t5,$t4,$t4 + or $t7,$t6,$t6 + or $t2,$t0,$t0 + or $t6,$t4,$t4 + or $t4,$t0,$t0 + or @acc[0],$t0,$t0 ! !in1infty + movrnz $t0,-1,$t0 + st $t0,[%fp+STACK_BIAS-16] + + ld [$bp], at acc[0] ! in2_x + ld [$bp+4], at acc[1] + ld [$bp+8], at acc[2] + ld [$bp+12], at acc[3] + ld [$bp+16], at acc[4] + ld [$bp+20], at acc[5] + ld [$bp+24], at acc[6] + ld [$bp+28], at acc[7] + ld [$bp+32],$t0 ! in2_y + ld [$bp+32+4],$t1 + ld [$bp+32+8],$t2 + ld [$bp+32+12],$t3 + ld [$bp+32+16],$t4 + ld [$bp+32+20],$t5 + ld [$bp+32+24],$t6 + ld [$bp+32+28],$t7 + or @acc[1], at acc[0], at acc[0] + or @acc[3], at acc[2], at acc[2] + or @acc[5], at acc[4], at acc[4] + or @acc[7], at acc[6], at acc[6] + or @acc[2], at acc[0], at acc[0] + or @acc[6], at acc[4], at acc[4] + or @acc[4], at acc[0], at acc[0] + or $t1,$t0,$t0 + or $t3,$t2,$t2 + or $t5,$t4,$t4 + or $t7,$t6,$t6 + or $t2,$t0,$t0 + or $t6,$t4,$t4 + or $t4,$t0,$t0 + or @acc[0],$t0,$t0 ! !in2infty + movrnz $t0,-1,$t0 + st $t0,[%fp+STACK_BIAS-12] + + add $ap_real,64,$bp + add $ap_real,64,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Z1sqr, in1_z); + add %sp,LOCALS+$Z1sqr,$rp + + add $bp_real,0,$bp + add %sp,LOCALS+$Z1sqr,$ap + call __ecp_nistz256_mul_mont ! 
p256_mul_mont(U2, Z1sqr, in2_x); + add %sp,LOCALS+$U2,$rp + + add $ap_real,0,$bp + call __ecp_nistz256_sub_from ! p256_sub(H, U2, in1_x); + add %sp,LOCALS+$H,$rp + + add $ap_real,64,$bp + add %sp,LOCALS+$Z1sqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, Z1sqr, in1_z); + add %sp,LOCALS+$S2,$rp + + add $ap_real,64,$bp + add %sp,LOCALS+$H,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(res_z, H, in1_z); + add %sp,LOCALS+$res_z,$rp + + add $bp_real,32,$bp + add %sp,LOCALS+$S2,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, S2, in2_y); + add %sp,LOCALS+$S2,$rp + + add $ap_real,32,$bp + call __ecp_nistz256_sub_from ! p256_sub(R, S2, in1_y); + add %sp,LOCALS+$R,$rp + + add %sp,LOCALS+$H,$bp + add %sp,LOCALS+$H,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Hsqr, H); + add %sp,LOCALS+$Hsqr,$rp + + add %sp,LOCALS+$R,$bp + add %sp,LOCALS+$R,$ap + call __ecp_nistz256_mul_mont ! p256_sqr_mont(Rsqr, R); + add %sp,LOCALS+$Rsqr,$rp + + add %sp,LOCALS+$H,$bp + add %sp,LOCALS+$Hsqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(Hcub, Hsqr, H); + add %sp,LOCALS+$Hcub,$rp + + add $ap_real,0,$bp + add %sp,LOCALS+$Hsqr,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(U2, in1_x, Hsqr); + add %sp,LOCALS+$U2,$rp + + call __ecp_nistz256_mul_by_2 ! p256_mul_by_2(Hsqr, U2); + add %sp,LOCALS+$Hsqr,$rp + + add %sp,LOCALS+$Rsqr,$bp + call __ecp_nistz256_sub_morf ! p256_sub(res_x, Rsqr, Hsqr); + add %sp,LOCALS+$res_x,$rp + + add %sp,LOCALS+$Hcub,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_x, res_x, Hcub); + add %sp,LOCALS+$res_x,$rp + + add %sp,LOCALS+$U2,$bp + call __ecp_nistz256_sub_morf ! p256_sub(res_y, U2, res_x); + add %sp,LOCALS+$res_y,$rp + + add $ap_real,32,$bp + add %sp,LOCALS+$Hcub,$ap + call __ecp_nistz256_mul_mont ! p256_mul_mont(S2, in1_y, Hcub); + add %sp,LOCALS+$S2,$rp + + add %sp,LOCALS+$R,$bp + add %sp,LOCALS+$res_y,$ap + call __ecp_nistz256_mul_mont ! 
p256_mul_mont(res_y, res_y, R); + add %sp,LOCALS+$res_y,$rp + + add %sp,LOCALS+$S2,$bp + call __ecp_nistz256_sub_from ! p256_sub(res_y, res_y, S2); + add %sp,LOCALS+$res_y,$rp + + ld [%fp+STACK_BIAS-16],$t1 ! !in1infty + ld [%fp+STACK_BIAS-12],$t2 ! !in2infty + ldx [%fp+STACK_BIAS-8],$rp +___ +for($i=0;$i<64;$i+=8) { # conditional moves +$code.=<<___; + ld [%sp+LOCALS+$i], at acc[0] ! res + ld [%sp+LOCALS+$i+4], at acc[1] + ld [$bp_real+$i], at acc[2] ! in2 + ld [$bp_real+$i+4], at acc[3] + ld [$ap_real+$i], at acc[4] ! in1 + ld [$ap_real+$i+4], at acc[5] + movrz $t1, at acc[2], at acc[0] + movrz $t1, at acc[3], at acc[1] + movrz $t2, at acc[4], at acc[0] + movrz $t2, at acc[5], at acc[1] + st @acc[0],[$rp+$i] + st @acc[1],[$rp+$i+4] +___ +} +for(;$i<96;$i+=8) { +my $j=($i-64)/4; +$code.=<<___; + ld [%sp+LOCALS+$i], at acc[0] ! res + ld [%sp+LOCALS+$i+4], at acc[1] + ld [$ap_real+$i], at acc[4] ! in1 + ld [$ap_real+$i+4], at acc[5] + movrz $t1, at ONE_mont[$j], at acc[0] + movrz $t1, at ONE_mont[$j+1], at acc[1] + movrz $t2, at acc[4], at acc[0] + movrz $t2, at acc[5], at acc[1] + st @acc[0],[$rp+$i] + st @acc[1],[$rp+$i+4] +___ +} +$code.=<<___; + ret + restore +.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine +___ +} }}} +{{{ +my ($out,$inp,$index)=map("%i$_",(0..2)); +my $mask="%o0"; + +$code.=<<___; +! void ecp_nistz256_scatter_w5(void *%i0,const P256_POINT *%i1, +! int %i2); +.globl ecp_nistz256_scatter_w5 +.align 32 +ecp_nistz256_scatter_w5: + save %sp,-STACK_FRAME,%sp + + sll $index,2,$index + add $out,$index,$out + + ld [$inp],%l0 ! X + ld [$inp+4],%l1 + ld [$inp+8],%l2 + ld [$inp+12],%l3 + ld [$inp+16],%l4 + ld [$inp+20],%l5 + ld [$inp+24],%l6 + ld [$inp+28],%l7 + add $inp,32,$inp + st %l0,[$out+64*0-4] + st %l1,[$out+64*1-4] + st %l2,[$out+64*2-4] + st %l3,[$out+64*3-4] + st %l4,[$out+64*4-4] + st %l5,[$out+64*5-4] + st %l6,[$out+64*6-4] + st %l7,[$out+64*7-4] + add $out,64*8,$out + + ld [$inp],%l0 ! 
Y + ld [$inp+4],%l1 + ld [$inp+8],%l2 + ld [$inp+12],%l3 + ld [$inp+16],%l4 + ld [$inp+20],%l5 + ld [$inp+24],%l6 + ld [$inp+28],%l7 + add $inp,32,$inp + st %l0,[$out+64*0-4] + st %l1,[$out+64*1-4] + st %l2,[$out+64*2-4] + st %l3,[$out+64*3-4] + st %l4,[$out+64*4-4] + st %l5,[$out+64*5-4] + st %l6,[$out+64*6-4] + st %l7,[$out+64*7-4] + add $out,64*8,$out + + ld [$inp],%l0 ! Z + ld [$inp+4],%l1 + ld [$inp+8],%l2 + ld [$inp+12],%l3 + ld [$inp+16],%l4 + ld [$inp+20],%l5 + ld [$inp+24],%l6 + ld [$inp+28],%l7 + st %l0,[$out+64*0-4] + st %l1,[$out+64*1-4] + st %l2,[$out+64*2-4] + st %l3,[$out+64*3-4] + st %l4,[$out+64*4-4] + st %l5,[$out+64*5-4] + st %l6,[$out+64*6-4] + st %l7,[$out+64*7-4] + + ret + restore +.size ecp_nistz256_scatter_w5,.-ecp_nistz256_scatter_w5 + +! void ecp_nistz256_gather_w5(P256_POINT *%i0,const void *%i1, +! int %i2); +.globl ecp_nistz256_gather_w5 +.align 32 +ecp_nistz256_gather_w5: + save %sp,-STACK_FRAME,%sp + + neg $index,$mask + srax $mask,63,$mask + + add $index,$mask,$index + sll $index,2,$index + add $inp,$index,$inp + + ld [$inp+64*0],%l0 + ld [$inp+64*1],%l1 + ld [$inp+64*2],%l2 + ld [$inp+64*3],%l3 + ld [$inp+64*4],%l4 + ld [$inp+64*5],%l5 + ld [$inp+64*6],%l6 + ld [$inp+64*7],%l7 + add $inp,64*8,$inp + and %l0,$mask,%l0 + and %l1,$mask,%l1 + st %l0,[$out] ! X + and %l2,$mask,%l2 + st %l1,[$out+4] + and %l3,$mask,%l3 + st %l2,[$out+8] + and %l4,$mask,%l4 + st %l3,[$out+12] + and %l5,$mask,%l5 + st %l4,[$out+16] + and %l6,$mask,%l6 + st %l5,[$out+20] + and %l7,$mask,%l7 + st %l6,[$out+24] + st %l7,[$out+28] + add $out,32,$out + + ld [$inp+64*0],%l0 + ld [$inp+64*1],%l1 + ld [$inp+64*2],%l2 + ld [$inp+64*3],%l3 + ld [$inp+64*4],%l4 + ld [$inp+64*5],%l5 + ld [$inp+64*6],%l6 + ld [$inp+64*7],%l7 + add $inp,64*8,$inp + and %l0,$mask,%l0 + and %l1,$mask,%l1 + st %l0,[$out] ! 
Y + and %l2,$mask,%l2 + st %l1,[$out+4] + and %l3,$mask,%l3 + st %l2,[$out+8] + and %l4,$mask,%l4 + st %l3,[$out+12] + and %l5,$mask,%l5 + st %l4,[$out+16] + and %l6,$mask,%l6 + st %l5,[$out+20] + and %l7,$mask,%l7 + st %l6,[$out+24] + st %l7,[$out+28] + add $out,32,$out + + ld [$inp+64*0],%l0 + ld [$inp+64*1],%l1 + ld [$inp+64*2],%l2 + ld [$inp+64*3],%l3 + ld [$inp+64*4],%l4 + ld [$inp+64*5],%l5 + ld [$inp+64*6],%l6 + ld [$inp+64*7],%l7 + and %l0,$mask,%l0 + and %l1,$mask,%l1 + st %l0,[$out] ! Z + and %l2,$mask,%l2 + st %l1,[$out+4] + and %l3,$mask,%l3 + st %l2,[$out+8] + and %l4,$mask,%l4 + st %l3,[$out+12] + and %l5,$mask,%l5 + st %l4,[$out+16] + and %l6,$mask,%l6 + st %l5,[$out+20] + and %l7,$mask,%l7 + st %l6,[$out+24] + st %l7,[$out+28] + + ret + restore +.size ecp_nistz256_gather_w5,.-ecp_nistz256_gather_w5 + +! void ecp_nistz256_scatter_w7(void *%i0,const P256_POINT_AFFINE *%i1, +! int %i2); +.globl ecp_nistz256_scatter_w7 +.align 32 +ecp_nistz256_scatter_w7: + save %sp,-STACK_FRAME,%sp + nop + add $out,$index,$out + mov 64/4,$index +.Loop_scatter_w7: + ld [$inp],%l0 + add $inp,4,$inp + subcc $index,1,$index + stb %l0,[$out+64*0-1] + srl %l0,8,%l1 + stb %l1,[$out+64*1-1] + srl %l0,16,%l2 + stb %l2,[$out+64*2-1] + srl %l0,24,%l3 + stb %l3,[$out+64*3-1] + bne .Loop_scatter_w7 + add $out,64*4,$out + + ret + restore +.size ecp_nistz256_scatter_w7,.-ecp_nistz256_scatter_w7 + +! void ecp_nistz256_gather_w7(P256_POINT_AFFINE *%i0,const void *%i1, +! 
int %i2); +.globl ecp_nistz256_gather_w7 +.align 32 +ecp_nistz256_gather_w7: + save %sp,-STACK_FRAME,%sp + + neg $index,$mask + srax $mask,63,$mask + + add $index,$mask,$index + add $inp,$index,$inp + mov 64/4,$index + +.Loop_gather_w7: + ldub [$inp+64*0],%l0 + prefetch [$inp+3840+64*0],1 + subcc $index,1,$index + ldub [$inp+64*1],%l1 + prefetch [$inp+3840+64*1],1 + ldub [$inp+64*2],%l2 + prefetch [$inp+3840+64*2],1 + ldub [$inp+64*3],%l3 + prefetch [$inp+3840+64*3],1 + add $inp,64*4,$inp + sll %l1,8,%l1 + sll %l2,16,%l2 + or %l0,%l1,%l0 + sll %l3,24,%l3 + or %l0,%l2,%l0 + or %l0,%l3,%l0 + and %l0,$mask,%l0 + st %l0,[$out] + bne .Loop_gather_w7 + add $out,4,$out + + ret + restore +.size ecp_nistz256_gather_w7,.-ecp_nistz256_gather_w7 +___ +}}} +{{{ +######################################################################## +# Following subroutines are VIS3 counterparts of those above that +# implement ones found in ecp_nistz256.c. Key difference is that they +# use 128-bit muliplication and addition with 64-bit carry, and in order +# to do that they perform conversion from uin32_t[8] to uint64_t[4] upon +# entry and vice versa on return. +# +my ($rp,$ap,$bp)=map("%i$_",(0..2)); +my ($t0,$t1,$t2,$t3,$a0,$a1,$a2,$a3)=map("%l$_",(0..7)); +my ($acc0,$acc1,$acc2,$acc3,$acc4,$acc5)=map("%o$_",(0..5)); +my ($bi,$poly1,$poly3,$minus1)=(map("%i$_",(3..5)),"%g1"); +my ($rp_real,$ap_real)=("%g2","%g3"); +my ($acc6,$acc7)=($bp,$bi); # used in squaring + +$code.=<<___; +.align 32 +__ecp_nistz256_mul_by_2_vis3: + addcc $acc0,$acc0,$acc0 + addxccc $acc1,$acc1,$acc1 + addxccc $acc2,$acc2,$acc2 + addxccc $acc3,$acc3,$acc3 + b .Lreduce_by_sub_vis3 + addxc %g0,%g0,$acc4 ! did it carry? 
+.size __ecp_nistz256_mul_by_2_vis3,.-__ecp_nistz256_mul_by_2_vis3 + +.align 32 +__ecp_nistz256_add_vis3: + ldx [$bp+0],$t0 + ldx [$bp+8],$t1 + ldx [$bp+16],$t2 + ldx [$bp+24],$t3 + +__ecp_nistz256_add_noload_vis3: + + addcc $t0,$acc0,$acc0 + addxccc $t1,$acc1,$acc1 + addxccc $t2,$acc2,$acc2 + addxccc $t3,$acc3,$acc3 + addxc %g0,%g0,$acc4 ! did it carry? + +.Lreduce_by_sub_vis3: + + addcc $acc0,1,$t0 ! add -modulus, i.e. subtract + addxccc $acc1,$poly1,$t1 + addxccc $acc2,$minus1,$t2 + addxc $acc3,$poly3,$t3 + + movrnz $acc4,$t0,$acc0 ! if a+b carried, ret = ret-mod + movrnz $acc4,$t1,$acc1 + stx $acc0,[$rp] + movrnz $acc4,$t2,$acc2 + stx $acc1,[$rp+8] + movrnz $acc4,$t3,$acc3 + stx $acc2,[$rp+16] + retl + stx $acc3,[$rp+24] +.size __ecp_nistz256_add_vis3,.-__ecp_nistz256_add_vis3 + +! Trouble with subtraction is that there is no subtraction with 64-bit +! borrow, only with 32-bit one. For this reason we "decompose" 64-bit +! $acc0-$acc3 to 32-bit values and pick b[4] in 32-bit pieces. But +! recall that SPARC is big-endian, which is why you'll observe that +! b[4] is accessed as 4-0-12-8-20-16-28-24. And prior reduction we +! "collect" result back to 64-bit $acc0-$acc3. +.align 32 +__ecp_nistz256_sub_from_vis3: + ld [$bp+4],$t0 + ld [$bp+0],$t1 + ld [$bp+12],$t2 + ld [$bp+8],$t3 + + srlx $acc0,32,$acc4 + not $poly1,$poly1 + srlx $acc1,32,$acc5 + subcc $acc0,$t0,$acc0 + ld [$bp+20],$t0 + subccc $acc4,$t1,$acc4 + ld [$bp+16],$t1 + subccc $acc1,$t2,$acc1 + ld [$bp+28],$t2 + and $acc0,$poly1,$acc0 + subccc $acc5,$t3,$acc5 + ld [$bp+24],$t3 + sllx $acc4,32,$acc4 + and $acc1,$poly1,$acc1 + sllx $acc5,32,$acc5 + or $acc0,$acc4,$acc0 + srlx $acc2,32,$acc4 + or $acc1,$acc5,$acc1 + srlx $acc3,32,$acc5 + subccc $acc2,$t0,$acc2 + subccc $acc4,$t1,$acc4 + subccc $acc3,$t2,$acc3 + and $acc2,$poly1,$acc2 + subccc $acc5,$t3,$acc5 + sllx $acc4,32,$acc4 + and $acc3,$poly1,$acc3 + sllx $acc5,32,$acc5 + or $acc2,$acc4,$acc2 + subc %g0,%g0,$acc4 ! did it borrow? 
+ b .Lreduce_by_add_vis3 + or $acc3,$acc5,$acc3 +.size __ecp_nistz256_sub_from_vis3,.-__ecp_nistz256_sub_from_vis3 + +.align 32 +__ecp_nistz256_sub_morf_vis3: + ld [$bp+4],$t0 + ld [$bp+0],$t1 + ld [$bp+12],$t2 + ld [$bp+8],$t3 + + srlx $acc0,32,$acc4 + not $poly1,$poly1 + srlx $acc1,32,$acc5 + subcc $t0,$acc0,$acc0 + ld [$bp+20],$t0 + subccc $t1,$acc4,$acc4 + ld [$bp+16],$t1 + subccc $t2,$acc1,$acc1 + ld [$bp+28],$t2 + and $acc0,$poly1,$acc0 + subccc $t3,$acc5,$acc5 + ld [$bp+24],$t3 + sllx $acc4,32,$acc4 + and $acc1,$poly1,$acc1 + sllx $acc5,32,$acc5 + or $acc0,$acc4,$acc0 + srlx $acc2,32,$acc4 + or $acc1,$acc5,$acc1 + srlx $acc3,32,$acc5 + subccc $t0,$acc2,$acc2 + subccc $t1,$acc4,$acc4 + subccc $t2,$acc3,$acc3 + and $acc2,$poly1,$acc2 + subccc $t3,$acc5,$acc5 + sllx $acc4,32,$acc4 + and $acc3,$poly1,$acc3 + sllx $acc5,32,$acc5 + or $acc2,$acc4,$acc2 + subc %g0,%g0,$acc4 ! did it borrow? + or $acc3,$acc5,$acc3 + +.Lreduce_by_add_vis3: + + addcc $acc0,-1,$t0 ! add modulus + not $poly3,$t3 + addxccc $acc1,$poly1,$t1 + not $poly1,$poly1 ! restore $poly1 + addxccc $acc2,%g0,$t2 + addxc $acc3,$t3,$t3 + + movrnz $acc4,$t0,$acc0 ! if a-b borrowed, ret = ret+mod + movrnz $acc4,$t1,$acc1 + stx $acc0,[$rp] + movrnz $acc4,$t2,$acc2 + stx $acc1,[$rp+8] + movrnz $acc4,$t3,$acc3 + stx $acc2,[$rp+16] + retl + stx $acc3,[$rp+24] +.size __ecp_nistz256_sub_morf_vis3,.-__ecp_nistz256_sub_morf_vis3 + +.align 32 +__ecp_nistz256_div_by_2_vis3: + ! ret = (a is odd ? a+mod : a) >> 1 + + not $poly1,$t1 + not $poly3,$t3 + and $acc0,1,$acc5 + addcc $acc0,-1,$t0 ! add modulus + addxccc $acc1,$t1,$t1 + addxccc $acc2,%g0,$t2 + addxccc $acc3,$t3,$t3 + addxc %g0,%g0,$acc4 ! carry bit + + movrnz $acc5,$t0,$acc0 + movrnz $acc5,$t1,$acc1 + movrnz $acc5,$t2,$acc2 + movrnz $acc5,$t3,$acc3 + movrz $acc5,%g0,$acc4 + + ! 
ret >>= 1 + + srlx $acc0,1,$acc0 + sllx $acc1,63,$t0 + srlx $acc1,1,$acc1 + or $acc0,$t0,$acc0 + sllx $acc2,63,$t1 + srlx $acc2,1,$acc2 + or $acc1,$t1,$acc1 + sllx $acc3,63,$t2 + stx $acc0,[$rp] + srlx $acc3,1,$acc3 + or $acc2,$t2,$acc2 + sllx $acc4,63,$t3 ! don't forget carry bit + stx $acc1,[$rp+8] + or $acc3,$t3,$acc3 + stx $acc2,[$rp+16] + retl + stx $acc3,[$rp+24] +.size __ecp_nistz256_div_by_2_vis3,.-__ecp_nistz256_div_by_2_vis3 + +! compared to __ecp_nistz256_mul_mont it's almost 4x smaller and +! 4x faster [on T4]... +.align 32 +__ecp_nistz256_mul_mont_vis3: + mulx $a0,$bi,$acc0 + not $poly3,$poly3 ! 0xFFFFFFFF00000001 + umulxhi $a0,$bi,$t0 + mulx $a1,$bi,$acc1 + umulxhi $a1,$bi,$t1 + mulx $a2,$bi,$acc2 + umulxhi $a2,$bi,$t2 + mulx $a3,$bi,$acc3 + umulxhi $a3,$bi,$t3 + ldx [$bp+8],$bi ! b[1] + + addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication + sllx $acc0,32,$t0 + addxccc $acc2,$t1,$acc2 + srlx $acc0,32,$t1 + addxccc $acc3,$t2,$acc3 + addxc %g0,$t3,$acc4 + mov 0,$acc5 +___ +for($i=1;$i<4;$i++) { + # Reduction iteration is normally performed by accumulating + # result of multiplication of modulus by "magic" digit [and + # omitting least significant word, which is guaranteed to + # be 0], but thanks to special form of modulus and "magic" + # digit being equal to least significant word, it can be + # performed with additions and subtractions alone. 
Indeed: + # + # ffff0001.00000000.0000ffff.ffffffff + # * abcdefgh + # + xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh + # + # Now observing that ff..ff*x = (2^n-1)*x = 2^n*x-x, we + # rewrite above as: + # + # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.abcdefgh + # + abcdefgh.abcdefgh.0000abcd.efgh0000.00000000 + # - 0000abcd.efgh0000.00000000.00000000.abcdefgh + # + # or marking redundant operations: + # + # xxxxxxxx.xxxxxxxx.xxxxxxxx.xxxxxxxx.-------- + # + abcdefgh.abcdefgh.0000abcd.efgh0000.-------- + # - 0000abcd.efgh0000.--------.--------.-------- + # ^^^^^^^^ but this word is calculated with umulxhi, because + # there is no subtract with 64-bit borrow:-( + +$code.=<<___; + sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part + umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part + addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0] + mulx $a0,$bi,$t0 + addxccc $acc2,$t1,$acc1 + mulx $a1,$bi,$t1 + addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001 + mulx $a2,$bi,$t2 + addxccc $acc4,$t3,$acc3 + mulx $a3,$bi,$t3 + addxc $acc5,%g0,$acc4 + + addcc $acc0,$t0,$acc0 ! accumulate low parts of multiplication + umulxhi $a0,$bi,$t0 + addxccc $acc1,$t1,$acc1 + umulxhi $a1,$bi,$t1 + addxccc $acc2,$t2,$acc2 + umulxhi $a2,$bi,$t2 + addxccc $acc3,$t3,$acc3 + umulxhi $a3,$bi,$t3 + addxc $acc4,%g0,$acc4 +___ +$code.=<<___ if ($i<3); + ldx [$bp+8*($i+1)],$bi ! bp[$i+1] +___ +$code.=<<___; + addcc $acc1,$t0,$acc1 ! accumulate high parts of multiplication + sllx $acc0,32,$t0 + addxccc $acc2,$t1,$acc2 + srlx $acc0,32,$t1 + addxccc $acc3,$t2,$acc3 + addxccc $acc4,$t3,$acc4 + addxc %g0,%g0,$acc5 +___ +} +$code.=<<___; + sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part + umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part + addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0] + addxccc $acc2,$t1,$acc1 + addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001 + addxccc $acc4,$t3,$acc3 + b .Lmul_final_vis3 ! 
see below + addxc $acc5,%g0,$acc4 +.size __ecp_nistz256_mul_mont_vis3,.-__ecp_nistz256_mul_mont_vis3 + +! compared to above __ecp_nistz256_mul_mont_vis3 it's 21% less +! instructions, but only 14% faster [on T4]... +.align 32 +__ecp_nistz256_sqr_mont_vis3: + ! | | | | | |a1*a0| | + ! | | | | |a2*a0| | | + ! | |a3*a2|a3*a0| | | | + ! | | | |a2*a1| | | | + ! | | |a3*a1| | | | | + ! *| | | | | | | | 2| + ! +|a3*a3|a2*a2|a1*a1|a0*a0| + ! |--+--+--+--+--+--+--+--| + ! |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is $accx, i.e. follow $accx + ! + ! "can't overflow" below mark carrying into high part of + ! multiplication result, which can't overflow, because it + ! can never be all ones. + + mulx $a1,$a0,$acc1 ! a[1]*a[0] + umulxhi $a1,$a0,$t1 + mulx $a2,$a0,$acc2 ! a[2]*a[0] + umulxhi $a2,$a0,$t2 + mulx $a3,$a0,$acc3 ! a[3]*a[0] + umulxhi $a3,$a0,$acc4 + + addcc $acc2,$t1,$acc2 ! accumulate high parts of multiplication + mulx $a2,$a1,$t0 ! a[2]*a[1] + umulxhi $a2,$a1,$t1 + addxccc $acc3,$t2,$acc3 + mulx $a3,$a1,$t2 ! a[3]*a[1] + umulxhi $a3,$a1,$t3 + addxc $acc4,%g0,$acc4 ! can't overflow + + mulx $a3,$a2,$acc5 ! a[3]*a[2] + not $poly3,$poly3 ! 0xFFFFFFFF00000001 + umulxhi $a3,$a2,$acc6 + + addcc $t2,$t1,$t1 ! accumulate high parts of multiplication + mulx $a0,$a0,$acc0 ! a[0]*a[0] + addxc $t3,%g0,$t2 ! can't overflow + + addcc $acc3,$t0,$acc3 ! accumulate low parts of multiplication + umulxhi $a0,$a0,$a0 + addxccc $acc4,$t1,$acc4 + mulx $a1,$a1,$t1 ! a[1]*a[1] + addxccc $acc5,$t2,$acc5 + umulxhi $a1,$a1,$a1 + addxc $acc6,%g0,$acc6 ! can't overflow + + addcc $acc1,$acc1,$acc1 ! acc[1-6]*=2 + mulx $a2,$a2,$t2 ! a[2]*a[2] + addxccc $acc2,$acc2,$acc2 + umulxhi $a2,$a2,$a2 + addxccc $acc3,$acc3,$acc3 + mulx $a3,$a3,$t3 ! a[3]*a[3] + addxccc $acc4,$acc4,$acc4 + umulxhi $a3,$a3,$a3 + addxccc $acc5,$acc5,$acc5 + addxccc $acc6,$acc6,$acc6 + addxc %g0,%g0,$acc7 + + addcc $acc1,$a0,$acc1 ! 
+a[i]*a[i] + addxccc $acc2,$t1,$acc2 + addxccc $acc3,$a1,$acc3 + addxccc $acc4,$t2,$acc4 + sllx $acc0,32,$t0 + addxccc $acc5,$a2,$acc5 + srlx $acc0,32,$t1 + addxccc $acc6,$t3,$acc6 + sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part + addxc $acc7,$a3,$acc7 +___ +for($i=0;$i<3;$i++) { # reductions, see commentary + # in multiplication for details +$code.=<<___; + umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part + addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0] + sllx $acc0,32,$t0 + addxccc $acc2,$t1,$acc1 + srlx $acc0,32,$t1 + addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001 + sub $acc0,$t0,$t2 ! acc0*0xFFFFFFFF00000001, low part + addxc %g0,$t3,$acc3 ! cant't overflow +___ +} +$code.=<<___; + umulxhi $acc0,$poly3,$t3 ! acc0*0xFFFFFFFF00000001, high part + addcc $acc1,$t0,$acc0 ! +=acc[0]<<96 and omit acc[0] + addxccc $acc2,$t1,$acc1 + addxccc $acc3,$t2,$acc2 ! +=acc[0]*0xFFFFFFFF00000001 + addxc %g0,$t3,$acc3 ! can't overflow + + addcc $acc0,$acc4,$acc0 ! accumulate upper half + addxccc $acc1,$acc5,$acc1 + addxccc $acc2,$acc6,$acc2 + addxccc $acc3,$acc7,$acc3 + addxc %g0,%g0,$acc4 + +.Lmul_final_vis3: + + ! Final step is "if result > mod, subtract mod", but as comparison + ! means subtraction, we do the subtraction and then copy outcome + ! if it didn't borrow. But note that as we [have to] replace + ! subtraction with addition with negative, carry/borrow logic is + ! inverse. + + addcc $acc0,1,$t0 ! add -modulus, i.e. subtract + not $poly3,$poly3 ! restore 0x00000000FFFFFFFE + addxccc $acc1,$poly1,$t1 + addxccc $acc2,$minus1,$t2 + addxccc $acc3,$poly3,$t3 + addxccc $acc4,$minus1,%g0 ! did it carry? 
+ + movcs %xcc,$t0,$acc0 + movcs %xcc,$t1,$acc1 + stx $acc0,[$rp] + movcs %xcc,$t2,$acc2 + stx $acc1,[$rp+8] + movcs %xcc,$t3,$acc3 + stx $acc2,[$rp+16] + retl + stx $acc3,[$rp+24] +.size __ecp_nistz256_sqr_mont_vis3,.-__ecp_nistz256_sqr_mont_vis3 +___ + +######################################################################## +# void ecp_nistz256_point_double(P256_POINT *out,const P256_POINT *inp); +# +{ +my ($res_x,$res_y,$res_z, + $in_x,$in_y,$in_z, + $S,$M,$Zsqr,$tmp0)=map(32*$_,(0..9)); +# above map() describes stack layout with 10 temporary +# 256-bit vectors on top. + +$code.=<<___; +.align 32 +ecp_nistz256_point_double_vis3: + save %sp,-STACK64_FRAME-32*10,%sp + + mov $rp,$rp_real + mov -1,$minus1 + mov -2,$poly3 + sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000 + srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE + + ! convert input to uint64_t[4] + ld [$ap],$a0 ! in_x + ld [$ap+4],$t0 + ld [$ap+8],$a1 + ld [$ap+12],$t1 + ld [$ap+16],$a2 + ld [$ap+20],$t2 + ld [$ap+24],$a3 + ld [$ap+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + ld [$ap+32],$acc0 ! in_y + or $a0,$t0,$a0 + ld [$ap+32+4],$t0 + sllx $t2,32,$t2 + ld [$ap+32+8],$acc1 + or $a1,$t1,$a1 + ld [$ap+32+12],$t1 + sllx $t3,32,$t3 + ld [$ap+32+16],$acc2 + or $a2,$t2,$a2 + ld [$ap+32+20],$t2 + or $a3,$t3,$a3 + ld [$ap+32+24],$acc3 + sllx $t0,32,$t0 + ld [$ap+32+28],$t3 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in_x] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in_x+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in_x+16] + or $acc0,$t0,$acc0 + stx $a3,[%sp+LOCALS64+$in_x+24] + or $acc1,$t1,$acc1 + stx $acc0,[%sp+LOCALS64+$in_y] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in_y+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in_y+16] + stx $acc3,[%sp+LOCALS64+$in_y+24] + + ld [$ap+64],$a0 ! 
in_z + ld [$ap+64+4],$t0 + ld [$ap+64+8],$a1 + ld [$ap+64+12],$t1 + ld [$ap+64+16],$a2 + ld [$ap+64+20],$t2 + ld [$ap+64+24],$a3 + ld [$ap+64+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + or $a0,$t0,$a0 + sllx $t2,32,$t2 + or $a1,$t1,$a1 + sllx $t3,32,$t3 + or $a2,$t2,$a2 + or $a3,$t3,$a3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in_z] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in_z+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in_z+16] + stx $a3,[%sp+LOCALS64+$in_z+24] + + ! in_y is still in $acc0-$acc3 + call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(S, in_y); + add %sp,LOCALS64+$S,$rp + + ! in_z is still in $a0-$a3 + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Zsqr, in_z); + add %sp,LOCALS64+$Zsqr,$rp + + mov $acc0,$a0 ! put Zsqr aside + mov $acc1,$a1 + mov $acc2,$a2 + mov $acc3,$a3 + + add %sp,LOCALS64+$in_x,$bp + call __ecp_nistz256_add_vis3 ! p256_add(M, Zsqr, in_x); + add %sp,LOCALS64+$M,$rp + + mov $a0,$acc0 ! restore Zsqr + ldx [%sp+LOCALS64+$S],$a0 ! forward load + mov $a1,$acc1 + ldx [%sp+LOCALS64+$S+8],$a1 + mov $a2,$acc2 + ldx [%sp+LOCALS64+$S+16],$a2 + mov $a3,$acc3 + ldx [%sp+LOCALS64+$S+24],$a3 + + add %sp,LOCALS64+$in_x,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(Zsqr, in_x, Zsqr); + add %sp,LOCALS64+$Zsqr,$rp + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(S, S); + add %sp,LOCALS64+$S,$rp + + ldx [%sp+LOCALS64+$in_z],$bi + ldx [%sp+LOCALS64+$in_y],$a0 + ldx [%sp+LOCALS64+$in_y+8],$a1 + ldx [%sp+LOCALS64+$in_y+16],$a2 + ldx [%sp+LOCALS64+$in_y+24],$a3 + add %sp,LOCALS64+$in_z,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(tmp0, in_z, in_y); + add %sp,LOCALS64+$tmp0,$rp + + ldx [%sp+LOCALS64+$M],$bi ! forward load + ldx [%sp+LOCALS64+$Zsqr],$a0 + ldx [%sp+LOCALS64+$Zsqr+8],$a1 + ldx [%sp+LOCALS64+$Zsqr+16],$a2 + ldx [%sp+LOCALS64+$Zsqr+24],$a3 + + call __ecp_nistz256_mul_by_2_vis3 ! 
p256_mul_by_2(res_z, tmp0); + add %sp,LOCALS64+$res_z,$rp + + add %sp,LOCALS64+$M,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(M, M, Zsqr); + add %sp,LOCALS64+$M,$rp + + mov $acc0,$a0 ! put aside M + mov $acc1,$a1 + mov $acc2,$a2 + mov $acc3,$a3 + call __ecp_nistz256_mul_by_2_vis3 + add %sp,LOCALS64+$M,$rp + mov $a0,$t0 ! copy M + ldx [%sp+LOCALS64+$S],$a0 ! forward load + mov $a1,$t1 + ldx [%sp+LOCALS64+$S+8],$a1 + mov $a2,$t2 + ldx [%sp+LOCALS64+$S+16],$a2 + mov $a3,$t3 + ldx [%sp+LOCALS64+$S+24],$a3 + call __ecp_nistz256_add_noload_vis3 ! p256_mul_by_3(M, M); + add %sp,LOCALS64+$M,$rp + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(tmp0, S); + add %sp,LOCALS64+$tmp0,$rp + + ldx [%sp+LOCALS64+$S],$bi ! forward load + ldx [%sp+LOCALS64+$in_x],$a0 + ldx [%sp+LOCALS64+$in_x+8],$a1 + ldx [%sp+LOCALS64+$in_x+16],$a2 + ldx [%sp+LOCALS64+$in_x+24],$a3 + + call __ecp_nistz256_div_by_2_vis3 ! p256_div_by_2(res_y, tmp0); + add %sp,LOCALS64+$res_y,$rp + + add %sp,LOCALS64+$S,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S, S, in_x); + add %sp,LOCALS64+$S,$rp + + ldx [%sp+LOCALS64+$M],$a0 ! forward load + ldx [%sp+LOCALS64+$M+8],$a1 + ldx [%sp+LOCALS64+$M+16],$a2 + ldx [%sp+LOCALS64+$M+24],$a3 + + call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(tmp0, S); + add %sp,LOCALS64+$tmp0,$rp + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(res_x, M); + add %sp,LOCALS64+$res_x,$rp + + add %sp,LOCALS64+$tmp0,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, tmp0); + add %sp,LOCALS64+$res_x,$rp + + ldx [%sp+LOCALS64+$M],$a0 ! forward load + ldx [%sp+LOCALS64+$M+8],$a1 + ldx [%sp+LOCALS64+$M+16],$a2 + ldx [%sp+LOCALS64+$M+24],$a3 + + add %sp,LOCALS64+$S,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(S, S, res_x); + add %sp,LOCALS64+$S,$rp + + mov $acc0,$bi + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S, S, M); + add %sp,LOCALS64+$S,$rp + + ldx [%sp+LOCALS64+$res_x],$a0 ! 
forward load + ldx [%sp+LOCALS64+$res_x+8],$a1 + ldx [%sp+LOCALS64+$res_x+16],$a2 + ldx [%sp+LOCALS64+$res_x+24],$a3 + + add %sp,LOCALS64+$res_y,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, S, res_y); + add %sp,LOCALS64+$res_y,$bp + + ! convert output to uint_32[8] + srlx $a0,32,$t0 + srlx $a1,32,$t1 + st $a0,[$rp_real] ! res_x + srlx $a2,32,$t2 + st $t0,[$rp_real+4] + srlx $a3,32,$t3 + st $a1,[$rp_real+8] + st $t1,[$rp_real+12] + st $a2,[$rp_real+16] + st $t2,[$rp_real+20] + st $a3,[$rp_real+24] + st $t3,[$rp_real+28] + + ldx [%sp+LOCALS64+$res_z],$a0 ! forward load + srlx $acc0,32,$t0 + ldx [%sp+LOCALS64+$res_z+8],$a1 + srlx $acc1,32,$t1 + ldx [%sp+LOCALS64+$res_z+16],$a2 + srlx $acc2,32,$t2 + ldx [%sp+LOCALS64+$res_z+24],$a3 + srlx $acc3,32,$t3 + st $acc0,[$rp_real+32] ! res_y + st $t0, [$rp_real+32+4] + st $acc1,[$rp_real+32+8] + st $t1, [$rp_real+32+12] + st $acc2,[$rp_real+32+16] + st $t2, [$rp_real+32+20] + st $acc3,[$rp_real+32+24] + st $t3, [$rp_real+32+28] + + srlx $a0,32,$t0 + srlx $a1,32,$t1 + st $a0,[$rp_real+64] ! res_z + srlx $a2,32,$t2 + st $t0,[$rp_real+64+4] + srlx $a3,32,$t3 + st $a1,[$rp_real+64+8] + st $t1,[$rp_real+64+12] + st $a2,[$rp_real+64+16] + st $t2,[$rp_real+64+20] + st $a3,[$rp_real+64+24] + st $t3,[$rp_real+64+28] + + ret + restore +.size ecp_nistz256_point_double_vis3,.-ecp_nistz256_point_double_vis3 +___ +} +######################################################################## +# void ecp_nistz256_point_add(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT *in2); +{ +my ($res_x,$res_y,$res_z, + $in1_x,$in1_y,$in1_z, + $in2_x,$in2_y,$in2_z, + $H,$Hsqr,$R,$Rsqr,$Hcub, + $U1,$U2,$S1,$S2)=map(32*$_,(0..17)); +my ($Z1sqr, $Z2sqr) = ($Hsqr, $Rsqr); + +# above map() describes stack layout with 18 temporary +# 256-bit vectors on top. Then we reserve some space for +# !in1infty, !in2infty and result of check for zero. 
+ +$code.=<<___; +.globl ecp_nistz256_point_add_vis3 +.align 32 +ecp_nistz256_point_add_vis3: + save %sp,-STACK64_FRAME-32*18-32,%sp + + mov $rp,$rp_real + mov -1,$minus1 + mov -2,$poly3 + sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000 + srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE + + ! convert input to uint64_t[4] + ld [$bp],$a0 ! in2_x + ld [$bp+4],$t0 + ld [$bp+8],$a1 + ld [$bp+12],$t1 + ld [$bp+16],$a2 + ld [$bp+20],$t2 + ld [$bp+24],$a3 + ld [$bp+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + ld [$bp+32],$acc0 ! in2_y + or $a0,$t0,$a0 + ld [$bp+32+4],$t0 + sllx $t2,32,$t2 + ld [$bp+32+8],$acc1 + or $a1,$t1,$a1 + ld [$bp+32+12],$t1 + sllx $t3,32,$t3 + ld [$bp+32+16],$acc2 + or $a2,$t2,$a2 + ld [$bp+32+20],$t2 + or $a3,$t3,$a3 + ld [$bp+32+24],$acc3 + sllx $t0,32,$t0 + ld [$bp+32+28],$t3 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in2_x] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in2_x+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in2_x+16] + or $acc0,$t0,$acc0 + stx $a3,[%sp+LOCALS64+$in2_x+24] + or $acc1,$t1,$acc1 + stx $acc0,[%sp+LOCALS64+$in2_y] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in2_y+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in2_y+16] + stx $acc3,[%sp+LOCALS64+$in2_y+24] + + or $a1,$a0,$a0 + or $a3,$a2,$a2 + or $acc1,$acc0,$acc0 + or $acc3,$acc2,$acc2 + or $a2,$a0,$a0 + or $acc2,$acc0,$acc0 + or $acc0,$a0,$a0 + movrnz $a0,-1,$a0 ! !in2infty + stx $a0,[%fp+STACK_BIAS-8] + + ld [$bp+64],$acc0 ! in2_z + ld [$bp+64+4],$t0 + ld [$bp+64+8],$acc1 + ld [$bp+64+12],$t1 + ld [$bp+64+16],$acc2 + ld [$bp+64+20],$t2 + ld [$bp+64+24],$acc3 + ld [$bp+64+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + ld [$ap],$a0 ! 
in1_x + or $acc0,$t0,$acc0 + ld [$ap+4],$t0 + sllx $t2,32,$t2 + ld [$ap+8],$a1 + or $acc1,$t1,$acc1 + ld [$ap+12],$t1 + sllx $t3,32,$t3 + ld [$ap+16],$a2 + or $acc2,$t2,$acc2 + ld [$ap+20],$t2 + or $acc3,$t3,$acc3 + ld [$ap+24],$a3 + sllx $t0,32,$t0 + ld [$ap+28],$t3 + sllx $t1,32,$t1 + stx $acc0,[%sp+LOCALS64+$in2_z] + sllx $t2,32,$t2 + stx $acc1,[%sp+LOCALS64+$in2_z+8] + sllx $t3,32,$t3 + stx $acc2,[%sp+LOCALS64+$in2_z+16] + stx $acc3,[%sp+LOCALS64+$in2_z+24] + + or $a0,$t0,$a0 + ld [$ap+32],$acc0 ! in1_y + or $a1,$t1,$a1 + ld [$ap+32+4],$t0 + or $a2,$t2,$a2 + ld [$ap+32+8],$acc1 + or $a3,$t3,$a3 + ld [$ap+32+12],$t1 + ld [$ap+32+16],$acc2 + ld [$ap+32+20],$t2 + ld [$ap+32+24],$acc3 + sllx $t0,32,$t0 + ld [$ap+32+28],$t3 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in1_x] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in1_x+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in1_x+16] + or $acc0,$t0,$acc0 + stx $a3,[%sp+LOCALS64+$in1_x+24] + or $acc1,$t1,$acc1 + stx $acc0,[%sp+LOCALS64+$in1_y] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in1_y+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in1_y+16] + stx $acc3,[%sp+LOCALS64+$in1_y+24] + + or $a1,$a0,$a0 + or $a3,$a2,$a2 + or $acc1,$acc0,$acc0 + or $acc3,$acc2,$acc2 + or $a2,$a0,$a0 + or $acc2,$acc0,$acc0 + or $acc0,$a0,$a0 + movrnz $a0,-1,$a0 ! !in1infty + stx $a0,[%fp+STACK_BIAS-16] + + ldx [%sp+LOCALS64+$in2_z],$a0 ! forward load + ldx [%sp+LOCALS64+$in2_z+8],$a1 + ldx [%sp+LOCALS64+$in2_z+16],$a2 + ldx [%sp+LOCALS64+$in2_z+24],$a3 + + ld [$ap+64],$acc0 ! 
in1_z + ld [$ap+64+4],$t0 + ld [$ap+64+8],$acc1 + ld [$ap+64+12],$t1 + ld [$ap+64+16],$acc2 + ld [$ap+64+20],$t2 + ld [$ap+64+24],$acc3 + ld [$ap+64+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + or $acc0,$t0,$acc0 + sllx $t2,32,$t2 + or $acc1,$t1,$acc1 + sllx $t3,32,$t3 + stx $acc0,[%sp+LOCALS64+$in1_z] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in1_z+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in1_z+16] + stx $acc3,[%sp+LOCALS64+$in1_z+24] + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z2sqr, in2_z); + add %sp,LOCALS64+$Z2sqr,$rp + + ldx [%sp+LOCALS64+$in1_z],$a0 + ldx [%sp+LOCALS64+$in1_z+8],$a1 + ldx [%sp+LOCALS64+$in1_z+16],$a2 + ldx [%sp+LOCALS64+$in1_z+24],$a3 + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z1sqr, in1_z); + add %sp,LOCALS64+$Z1sqr,$rp + + ldx [%sp+LOCALS64+$Z2sqr],$bi + ldx [%sp+LOCALS64+$in2_z],$a0 + ldx [%sp+LOCALS64+$in2_z+8],$a1 + ldx [%sp+LOCALS64+$in2_z+16],$a2 + ldx [%sp+LOCALS64+$in2_z+24],$a3 + add %sp,LOCALS64+$Z2sqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S1, Z2sqr, in2_z); + add %sp,LOCALS64+$S1,$rp + + ldx [%sp+LOCALS64+$Z1sqr],$bi + ldx [%sp+LOCALS64+$in1_z],$a0 + ldx [%sp+LOCALS64+$in1_z+8],$a1 + ldx [%sp+LOCALS64+$in1_z+16],$a2 + ldx [%sp+LOCALS64+$in1_z+24],$a3 + add %sp,LOCALS64+$Z1sqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, Z1sqr, in1_z); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$S1],$bi + ldx [%sp+LOCALS64+$in1_y],$a0 + ldx [%sp+LOCALS64+$in1_y+8],$a1 + ldx [%sp+LOCALS64+$in1_y+16],$a2 + ldx [%sp+LOCALS64+$in1_y+24],$a3 + add %sp,LOCALS64+$S1,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S1, S1, in1_y); + add %sp,LOCALS64+$S1,$rp + + ldx [%sp+LOCALS64+$S2],$bi + ldx [%sp+LOCALS64+$in2_y],$a0 + ldx [%sp+LOCALS64+$in2_y+8],$a1 + ldx [%sp+LOCALS64+$in2_y+16],$a2 + ldx [%sp+LOCALS64+$in2_y+24],$a3 + add %sp,LOCALS64+$S2,$bp + call __ecp_nistz256_mul_mont_vis3 ! 
p256_mul_mont(S2, S2, in2_y); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$Z2sqr],$bi ! forward load + ldx [%sp+LOCALS64+$in1_x],$a0 + ldx [%sp+LOCALS64+$in1_x+8],$a1 + ldx [%sp+LOCALS64+$in1_x+16],$a2 + ldx [%sp+LOCALS64+$in1_x+24],$a3 + + add %sp,LOCALS64+$S1,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(R, S2, S1); + add %sp,LOCALS64+$R,$rp + + or $acc1,$acc0,$acc0 ! see if result is zero + or $acc3,$acc2,$acc2 + or $acc2,$acc0,$acc0 + stx $acc0,[%fp+STACK_BIAS-24] + + add %sp,LOCALS64+$Z2sqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U1, in1_x, Z2sqr); + add %sp,LOCALS64+$U1,$rp + + ldx [%sp+LOCALS64+$Z1sqr],$bi + ldx [%sp+LOCALS64+$in2_x],$a0 + ldx [%sp+LOCALS64+$in2_x+8],$a1 + ldx [%sp+LOCALS64+$in2_x+16],$a2 + ldx [%sp+LOCALS64+$in2_x+24],$a3 + add %sp,LOCALS64+$Z1sqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, in2_x, Z1sqr); + add %sp,LOCALS64+$U2,$rp + + ldx [%sp+LOCALS64+$R],$a0 ! forward load + ldx [%sp+LOCALS64+$R+8],$a1 + ldx [%sp+LOCALS64+$R+16],$a2 + ldx [%sp+LOCALS64+$R+24],$a3 + + add %sp,LOCALS64+$U1,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(H, U2, U1); + add %sp,LOCALS64+$H,$rp + + or $acc1,$acc0,$acc0 ! see if result is zero + or $acc3,$acc2,$acc2 + orcc $acc2,$acc0,$acc0 + + bne,pt %xcc,.Ladd_proceed_vis3 ! is_equal(U1,U2)? + nop + + ldx [%fp+STACK_BIAS-8],$t0 + ldx [%fp+STACK_BIAS-16],$t1 + ldx [%fp+STACK_BIAS-24],$t2 + andcc $t0,$t1,%g0 + be,pt %xcc,.Ladd_proceed_vis3 ! (in1infty || in2infty)? + nop + andcc $t2,$t2,%g0 + be,pt %xcc,.Ladd_proceed_vis3 ! is_equal(S1,S2)? 
+ nop + + st %g0,[$rp_real] + st %g0,[$rp_real+4] + st %g0,[$rp_real+8] + st %g0,[$rp_real+12] + st %g0,[$rp_real+16] + st %g0,[$rp_real+20] + st %g0,[$rp_real+24] + st %g0,[$rp_real+28] + st %g0,[$rp_real+32] + st %g0,[$rp_real+32+4] + st %g0,[$rp_real+32+8] + st %g0,[$rp_real+32+12] + st %g0,[$rp_real+32+16] + st %g0,[$rp_real+32+20] + st %g0,[$rp_real+32+24] + st %g0,[$rp_real+32+28] + st %g0,[$rp_real+64] + st %g0,[$rp_real+64+4] + st %g0,[$rp_real+64+8] + st %g0,[$rp_real+64+12] + st %g0,[$rp_real+64+16] + st %g0,[$rp_real+64+20] + st %g0,[$rp_real+64+24] + st %g0,[$rp_real+64+28] + b .Ladd_done_vis3 + nop + +.align 16 +.Ladd_proceed_vis3: + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Rsqr, R); + add %sp,LOCALS64+$Rsqr,$rp + + ldx [%sp+LOCALS64+$H],$bi + ldx [%sp+LOCALS64+$in1_z],$a0 + ldx [%sp+LOCALS64+$in1_z+8],$a1 + ldx [%sp+LOCALS64+$in1_z+16],$a2 + ldx [%sp+LOCALS64+$in1_z+24],$a3 + add %sp,LOCALS64+$H,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, H, in1_z); + add %sp,LOCALS64+$res_z,$rp + + ldx [%sp+LOCALS64+$H],$a0 + ldx [%sp+LOCALS64+$H+8],$a1 + ldx [%sp+LOCALS64+$H+16],$a2 + ldx [%sp+LOCALS64+$H+24],$a3 + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Hsqr, H); + add %sp,LOCALS64+$Hsqr,$rp + + ldx [%sp+LOCALS64+$res_z],$bi + ldx [%sp+LOCALS64+$in2_z],$a0 + ldx [%sp+LOCALS64+$in2_z+8],$a1 + ldx [%sp+LOCALS64+$in2_z+16],$a2 + ldx [%sp+LOCALS64+$in2_z+24],$a3 + add %sp,LOCALS64+$res_z,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, res_z, in2_z); + add %sp,LOCALS64+$res_z,$rp + + ldx [%sp+LOCALS64+$H],$bi + ldx [%sp+LOCALS64+$Hsqr],$a0 + ldx [%sp+LOCALS64+$Hsqr+8],$a1 + ldx [%sp+LOCALS64+$Hsqr+16],$a2 + ldx [%sp+LOCALS64+$Hsqr+24],$a3 + add %sp,LOCALS64+$H,$bp + call __ecp_nistz256_mul_mont_vis3 ! 
p256_mul_mont(Hcub, Hsqr, H); + add %sp,LOCALS64+$Hcub,$rp + + ldx [%sp+LOCALS64+$U1],$bi + ldx [%sp+LOCALS64+$Hsqr],$a0 + ldx [%sp+LOCALS64+$Hsqr+8],$a1 + ldx [%sp+LOCALS64+$Hsqr+16],$a2 + ldx [%sp+LOCALS64+$Hsqr+24],$a3 + add %sp,LOCALS64+$U1,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, U1, Hsqr); + add %sp,LOCALS64+$U2,$rp + + call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(Hsqr, U2); + add %sp,LOCALS64+$Hsqr,$rp + + add %sp,LOCALS64+$Rsqr,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_x, Rsqr, Hsqr); + add %sp,LOCALS64+$res_x,$rp + + add %sp,LOCALS64+$Hcub,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, Hcub); + add %sp,LOCALS64+$res_x,$rp + + ldx [%sp+LOCALS64+$S1],$bi ! forward load + ldx [%sp+LOCALS64+$Hcub],$a0 + ldx [%sp+LOCALS64+$Hcub+8],$a1 + ldx [%sp+LOCALS64+$Hcub+16],$a2 + ldx [%sp+LOCALS64+$Hcub+24],$a3 + + add %sp,LOCALS64+$U2,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_y, U2, res_x); + add %sp,LOCALS64+$res_y,$rp + + add %sp,LOCALS64+$S1,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, S1, Hcub); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$R],$bi + ldx [%sp+LOCALS64+$res_y],$a0 + ldx [%sp+LOCALS64+$res_y+8],$a1 + ldx [%sp+LOCALS64+$res_y+16],$a2 + ldx [%sp+LOCALS64+$res_y+24],$a3 + add %sp,LOCALS64+$R,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_y, res_y, R); + add %sp,LOCALS64+$res_y,$rp + + add %sp,LOCALS64+$S2,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, res_y, S2); + add %sp,LOCALS64+$res_y,$rp + + ldx [%fp+STACK_BIAS-16],$t1 ! !in1infty + ldx [%fp+STACK_BIAS-8],$t2 ! !in2infty +___ +for($i=0;$i<96;$i+=16) { # conditional moves +$code.=<<___; + ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res + ldx [%sp+LOCALS64+$res_x+$i+8],$acc1 + ldx [%sp+LOCALS64+$in2_x+$i],$acc2 ! in2 + ldx [%sp+LOCALS64+$in2_x+$i+8],$acc3 + ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! 
in1 + ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5 + movrz $t1,$acc2,$acc0 + movrz $t1,$acc3,$acc1 + movrz $t2,$acc4,$acc0 + movrz $t2,$acc5,$acc1 + srlx $acc0,32,$acc2 + srlx $acc1,32,$acc3 + st $acc0,[$rp_real+$i] + st $acc2,[$rp_real+$i+4] + st $acc1,[$rp_real+$i+8] + st $acc3,[$rp_real+$i+12] +___ +} +$code.=<<___; +.Ladd_done_vis3: + ret + restore +.size ecp_nistz256_point_add_vis3,.-ecp_nistz256_point_add_vis3 +___ +} +######################################################################## +# void ecp_nistz256_point_add_affine(P256_POINT *out,const P256_POINT *in1, +# const P256_POINT_AFFINE *in2); +{ +my ($res_x,$res_y,$res_z, + $in1_x,$in1_y,$in1_z, + $in2_x,$in2_y, + $U2,$S2,$H,$R,$Hsqr,$Hcub,$Rsqr)=map(32*$_,(0..14)); +my $Z1sqr = $S2; +# above map() describes stack layout with 15 temporary +# 256-bit vectors on top. Then we reserve some space for +# !in1infty and !in2infty. + +$code.=<<___; +.align 32 +ecp_nistz256_point_add_affine_vis3: + save %sp,-STACK64_FRAME-32*15-32,%sp + + mov $rp,$rp_real + mov -1,$minus1 + mov -2,$poly3 + sllx $minus1,32,$poly1 ! 0xFFFFFFFF00000000 + srl $poly3,0,$poly3 ! 0x00000000FFFFFFFE + + ! convert input to uint64_t[4] + ld [$bp],$a0 ! in2_x + ld [$bp+4],$t0 + ld [$bp+8],$a1 + ld [$bp+12],$t1 + ld [$bp+16],$a2 + ld [$bp+20],$t2 + ld [$bp+24],$a3 + ld [$bp+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + ld [$bp+32],$acc0 ! 
in2_y + or $a0,$t0,$a0 + ld [$bp+32+4],$t0 + sllx $t2,32,$t2 + ld [$bp+32+8],$acc1 + or $a1,$t1,$a1 + ld [$bp+32+12],$t1 + sllx $t3,32,$t3 + ld [$bp+32+16],$acc2 + or $a2,$t2,$a2 + ld [$bp+32+20],$t2 + or $a3,$t3,$a3 + ld [$bp+32+24],$acc3 + sllx $t0,32,$t0 + ld [$bp+32+28],$t3 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in2_x] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in2_x+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in2_x+16] + or $acc0,$t0,$acc0 + stx $a3,[%sp+LOCALS64+$in2_x+24] + or $acc1,$t1,$acc1 + stx $acc0,[%sp+LOCALS64+$in2_y] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in2_y+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in2_y+16] + stx $acc3,[%sp+LOCALS64+$in2_y+24] + + or $a1,$a0,$a0 + or $a3,$a2,$a2 + or $acc1,$acc0,$acc0 + or $acc3,$acc2,$acc2 + or $a2,$a0,$a0 + or $acc2,$acc0,$acc0 + or $acc0,$a0,$a0 + movrnz $a0,-1,$a0 ! !in2infty + stx $a0,[%fp+STACK_BIAS-8] + + ld [$ap],$a0 ! in1_x + ld [$ap+4],$t0 + ld [$ap+8],$a1 + ld [$ap+12],$t1 + ld [$ap+16],$a2 + ld [$ap+20],$t2 + ld [$ap+24],$a3 + ld [$ap+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + ld [$ap+32],$acc0 ! in1_y + or $a0,$t0,$a0 + ld [$ap+32+4],$t0 + sllx $t2,32,$t2 + ld [$ap+32+8],$acc1 + or $a1,$t1,$a1 + ld [$ap+32+12],$t1 + sllx $t3,32,$t3 + ld [$ap+32+16],$acc2 + or $a2,$t2,$a2 + ld [$ap+32+20],$t2 + or $a3,$t3,$a3 + ld [$ap+32+24],$acc3 + sllx $t0,32,$t0 + ld [$ap+32+28],$t3 + sllx $t1,32,$t1 + stx $a0,[%sp+LOCALS64+$in1_x] + sllx $t2,32,$t2 + stx $a1,[%sp+LOCALS64+$in1_x+8] + sllx $t3,32,$t3 + stx $a2,[%sp+LOCALS64+$in1_x+16] + or $acc0,$t0,$acc0 + stx $a3,[%sp+LOCALS64+$in1_x+24] + or $acc1,$t1,$acc1 + stx $acc0,[%sp+LOCALS64+$in1_y] + or $acc2,$t2,$acc2 + stx $acc1,[%sp+LOCALS64+$in1_y+8] + or $acc3,$t3,$acc3 + stx $acc2,[%sp+LOCALS64+$in1_y+16] + stx $acc3,[%sp+LOCALS64+$in1_y+24] + + or $a1,$a0,$a0 + or $a3,$a2,$a2 + or $acc1,$acc0,$acc0 + or $acc3,$acc2,$acc2 + or $a2,$a0,$a0 + or $acc2,$acc0,$acc0 + or $acc0,$a0,$a0 + movrnz $a0,-1,$a0 ! 
!in1infty + stx $a0,[%fp+STACK_BIAS-16] + + ld [$ap+64],$a0 ! in1_z + ld [$ap+64+4],$t0 + ld [$ap+64+8],$a1 + ld [$ap+64+12],$t1 + ld [$ap+64+16],$a2 + ld [$ap+64+20],$t2 + ld [$ap+64+24],$a3 + ld [$ap+64+28],$t3 + sllx $t0,32,$t0 + sllx $t1,32,$t1 + or $a0,$t0,$a0 + sllx $t2,32,$t2 + or $a1,$t1,$a1 + sllx $t3,32,$t3 + stx $a0,[%sp+LOCALS64+$in1_z] + or $a2,$t2,$a2 + stx $a1,[%sp+LOCALS64+$in1_z+8] + or $a3,$t3,$a3 + stx $a2,[%sp+LOCALS64+$in1_z+16] + stx $a3,[%sp+LOCALS64+$in1_z+24] + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Z1sqr, in1_z); + add %sp,LOCALS64+$Z1sqr,$rp + + ldx [%sp+LOCALS64+$in2_x],$bi + mov $acc0,$a0 + mov $acc1,$a1 + mov $acc2,$a2 + mov $acc3,$a3 + add %sp,LOCALS64+$in2_x,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, Z1sqr, in2_x); + add %sp,LOCALS64+$U2,$rp + + ldx [%sp+LOCALS64+$Z1sqr],$bi ! forward load + ldx [%sp+LOCALS64+$in1_z],$a0 + ldx [%sp+LOCALS64+$in1_z+8],$a1 + ldx [%sp+LOCALS64+$in1_z+16],$a2 + ldx [%sp+LOCALS64+$in1_z+24],$a3 + + add %sp,LOCALS64+$in1_x,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(H, U2, in1_x); + add %sp,LOCALS64+$H,$rp + + add %sp,LOCALS64+$Z1sqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, Z1sqr, in1_z); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$H],$bi + ldx [%sp+LOCALS64+$in1_z],$a0 + ldx [%sp+LOCALS64+$in1_z+8],$a1 + ldx [%sp+LOCALS64+$in1_z+16],$a2 + ldx [%sp+LOCALS64+$in1_z+24],$a3 + add %sp,LOCALS64+$H,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_z, H, in1_z); + add %sp,LOCALS64+$res_z,$rp + + ldx [%sp+LOCALS64+$S2],$bi + ldx [%sp+LOCALS64+$in2_y],$a0 + ldx [%sp+LOCALS64+$in2_y+8],$a1 + ldx [%sp+LOCALS64+$in2_y+16],$a2 + ldx [%sp+LOCALS64+$in2_y+24],$a3 + add %sp,LOCALS64+$S2,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(S2, S2, in2_y); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$H],$a0 ! 
forward load + ldx [%sp+LOCALS64+$H+8],$a1 + ldx [%sp+LOCALS64+$H+16],$a2 + ldx [%sp+LOCALS64+$H+24],$a3 + + add %sp,LOCALS64+$in1_y,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(R, S2, in1_y); + add %sp,LOCALS64+$R,$rp + + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Hsqr, H); + add %sp,LOCALS64+$Hsqr,$rp + + ldx [%sp+LOCALS64+$R],$a0 + ldx [%sp+LOCALS64+$R+8],$a1 + ldx [%sp+LOCALS64+$R+16],$a2 + ldx [%sp+LOCALS64+$R+24],$a3 + call __ecp_nistz256_sqr_mont_vis3 ! p256_sqr_mont(Rsqr, R); + add %sp,LOCALS64+$Rsqr,$rp + + ldx [%sp+LOCALS64+$H],$bi + ldx [%sp+LOCALS64+$Hsqr],$a0 + ldx [%sp+LOCALS64+$Hsqr+8],$a1 + ldx [%sp+LOCALS64+$Hsqr+16],$a2 + ldx [%sp+LOCALS64+$Hsqr+24],$a3 + add %sp,LOCALS64+$H,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(Hcub, Hsqr, H); + add %sp,LOCALS64+$Hcub,$rp + + ldx [%sp+LOCALS64+$Hsqr],$bi + ldx [%sp+LOCALS64+$in1_x],$a0 + ldx [%sp+LOCALS64+$in1_x+8],$a1 + ldx [%sp+LOCALS64+$in1_x+16],$a2 + ldx [%sp+LOCALS64+$in1_x+24],$a3 + add %sp,LOCALS64+$Hsqr,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(U2, in1_x, Hsqr); + add %sp,LOCALS64+$U2,$rp + + call __ecp_nistz256_mul_by_2_vis3 ! p256_mul_by_2(Hsqr, U2); + add %sp,LOCALS64+$Hsqr,$rp + + add %sp,LOCALS64+$Rsqr,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_x, Rsqr, Hsqr); + add %sp,LOCALS64+$res_x,$rp + + add %sp,LOCALS64+$Hcub,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_x, res_x, Hcub); + add %sp,LOCALS64+$res_x,$rp + + ldx [%sp+LOCALS64+$Hcub],$bi ! forward load + ldx [%sp+LOCALS64+$in1_y],$a0 + ldx [%sp+LOCALS64+$in1_y+8],$a1 + ldx [%sp+LOCALS64+$in1_y+16],$a2 + ldx [%sp+LOCALS64+$in1_y+24],$a3 + + add %sp,LOCALS64+$U2,$bp + call __ecp_nistz256_sub_morf_vis3 ! p256_sub(res_y, U2, res_x); + add %sp,LOCALS64+$res_y,$rp + + add %sp,LOCALS64+$Hcub,$bp + call __ecp_nistz256_mul_mont_vis3 ! 
p256_mul_mont(S2, in1_y, Hcub); + add %sp,LOCALS64+$S2,$rp + + ldx [%sp+LOCALS64+$R],$bi + ldx [%sp+LOCALS64+$res_y],$a0 + ldx [%sp+LOCALS64+$res_y+8],$a1 + ldx [%sp+LOCALS64+$res_y+16],$a2 + ldx [%sp+LOCALS64+$res_y+24],$a3 + add %sp,LOCALS64+$R,$bp + call __ecp_nistz256_mul_mont_vis3 ! p256_mul_mont(res_y, res_y, R); + add %sp,LOCALS64+$res_y,$rp + + add %sp,LOCALS64+$S2,$bp + call __ecp_nistz256_sub_from_vis3 ! p256_sub(res_y, res_y, S2); + add %sp,LOCALS64+$res_y,$rp + + ldx [%fp+STACK_BIAS-16],$t1 ! !in1infty + ldx [%fp+STACK_BIAS-8],$t2 ! !in2infty +1: call .+8 + add %o7,.Lone_mont_vis3-1b,$bp +___ +for($i=0;$i<64;$i+=16) { # conditional moves +$code.=<<___; + ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res + ldx [%sp+LOCALS64+$res_x+$i+8],$acc1 + ldx [%sp+LOCALS64+$in2_x+$i],$acc2 ! in2 + ldx [%sp+LOCALS64+$in2_x+$i+8],$acc3 + ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! in1 + ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5 + movrz $t1,$acc2,$acc0 + movrz $t1,$acc3,$acc1 + movrz $t2,$acc4,$acc0 + movrz $t2,$acc5,$acc1 + srlx $acc0,32,$acc2 + srlx $acc1,32,$acc3 + st $acc0,[$rp_real+$i] + st $acc2,[$rp_real+$i+4] + st $acc1,[$rp_real+$i+8] + st $acc3,[$rp_real+$i+12] +___ +} +for(;$i<96;$i+=16) { +$code.=<<___; + ldx [%sp+LOCALS64+$res_x+$i],$acc0 ! res + ldx [%sp+LOCALS64+$res_x+$i+8],$acc1 + ldx [$bp+$i-64],$acc2 ! "in2" + ldx [$bp+$i-64+8],$acc3 + ldx [%sp+LOCALS64+$in1_x+$i],$acc4 ! 
in1 + ldx [%sp+LOCALS64+$in1_x+$i+8],$acc5 + movrz $t1,$acc2,$acc0 + movrz $t1,$acc3,$acc1 + movrz $t2,$acc4,$acc0 + movrz $t2,$acc5,$acc1 + srlx $acc0,32,$acc2 + srlx $acc1,32,$acc3 + st $acc0,[$rp_real+$i] + st $acc2,[$rp_real+$i+4] + st $acc1,[$rp_real+$i+8] + st $acc3,[$rp_real+$i+12] +___ +} +$code.=<<___; + ret + restore +.size ecp_nistz256_point_add_affine_vis3,.-ecp_nistz256_point_add_affine_vis3 +.align 64 +.Lone_mont_vis3: +.long 0x00000000,0x00000001, 0xffffffff,0x00000000 +.long 0xffffffff,0xffffffff, 0x00000000,0xfffffffe +.align 64 +___ +} }}} + +# Purpose of these subroutines is to explicitly encode VIS instructions, +# so that one can compile the module without having to specify VIS +# extensions on compiler command line, e.g. -xarch=v9 vs. -xarch=v9a. +# Idea is to reserve for option to produce "universal" binary and let +# programmer detect if current CPU is VIS capable at run-time. +sub unvis3 { +my ($mnemonic,$rs1,$rs2,$rd)=@_; +my %bias = ( "g" => 0, "o" => 8, "l" => 16, "i" => 24 ); +my ($ref,$opf); +my %visopf = ( "addxc" => 0x011, + "addxccc" => 0x013, + "umulxhi" => 0x016 ); + + $ref = "$mnemonic\t$rs1,$rs2,$rd"; + + if ($opf=$visopf{$mnemonic}) { + foreach ($rs1,$rs2,$rd) { + return $ref if (!/%([goli])([0-9])/); + $_=$bias{$1}+$2; + } + + return sprintf ".word\t0x%08x !%s", + 0x81b00000|$rd<<25|$rs1<<14|$opf<<5|$rs2, + $ref; + } else { + return $ref; + } +} + +foreach (split("\n",$code)) { + s/\`([^\`]*)\`/eval $1/ge; + + s/\b(umulxhi|addxc[c]{0,2})\s+(%[goli][0-7]),\s*(%[goli][0-7]),\s*(%[goli][0-7])/ + &unvis3($1,$2,$3,$4) + /ge; + + print $_,"\n"; +} + +close STDOUT; From emilia at openssl.org Tue Apr 21 15:55:11 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 21 Apr 2015 15:55:11 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429631711.562105.883.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 92caee08d30b05d5692a304368cf53f17e8dd7a9 (commit) from 0725acd0712f12aa611846c852a2e20583e438e9 (commit) - Log ----------------------------------------------------------------- commit 92caee08d30b05d5692a304368cf53f17e8dd7a9 Author: Emilia Kasper Date: Thu Apr 16 18:11:56 2015 +0200 make update Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: engines/ccgost/Makefile | 5 +++-- ssl/Makefile | 41 +++++++++++++++++++++-------------------- 2 files changed, 24 insertions(+), 22 deletions(-) diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile index d661c10..c246f23 100644 --- a/engines/ccgost/Makefile +++ b/engines/ccgost/Makefile @@ -262,8 +262,9 @@ gost_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h gost_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h gost_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h gost_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -gost_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -gost_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +gost_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h +gost_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +gost_sign.o: ../../include/openssl/objects.h gost_sign.o: ../../include/openssl/opensslconf.h gost_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h gost_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h diff --git a/ssl/Makefile b/ssl/Makefile index 8dd390e..7baf3ab 100644 --- a/ssl/Makefile +++ b/ssl/Makefile 
@@ -507,26 +507,27 @@ s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c s2_pkt.o: ssl_locl.h -s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h -s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h -s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s2_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_srvr.o: 
../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c +s2_srvr.o: ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h From emilia at openssl.org Tue Apr 21 15:55:11 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 21 Apr 2015 15:55:11 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429631711.642123.905.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 496c79f60c96154bd8fcebd01a22edca958c9ebd (commit) from 186578be459b1d3e84d648fdda99e8b0c2da3084 (commit) - Log ----------------------------------------------------------------- commit 496c79f60c96154bd8fcebd01a22edca958c9ebd Author: Emilia Kasper Date: Thu Apr 16 18:07:58 2015 +0200 make update Reviewed-by: Dr. Stephen Henson Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/bn/Makefile | 1 + engines/ccgost/Makefile | 5 +++-- ssl/Makefile | 41 +++++++++++++++++++++-------------------- 3 files changed, 25 insertions(+), 22 deletions(-) diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile index 5361dc8..ad814de 100644 --- a/crypto/bn/Makefile +++ b/crypto/bn/Makefile @@ -251,6 +251,7 @@ bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp.c bn_lcl.h +bn_exp.o: rsaz_exp.h bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile index 2f36580..a1d2197 100644 --- a/engines/ccgost/Makefile +++ b/engines/ccgost/Makefile 
@@ -261,8 +261,9 @@ gost_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h gost_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h gost_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h gost_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -gost_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -gost_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +gost_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h +gost_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +gost_sign.o: ../../include/openssl/objects.h gost_sign.o: ../../include/openssl/opensslconf.h gost_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h gost_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h diff --git a/ssl/Makefile b/ssl/Makefile index a7bd4ee..1c5b388 100644 --- a/ssl/Makefile +++ b/ssl/Makefile 
@@ -486,26 +486,27 @@ s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c s2_pkt.o: ssl_locl.h -s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h -s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h -s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s2_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_srvr.o: 
../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c +s2_srvr.o: ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h From emilia at openssl.org Tue Apr 21 17:40:38 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 21 Apr 2015 17:40:38 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429638038.591234.8915.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via d695a0225456f790d1fb93e19784f0c5b8397220 (commit) via a209623fbb5b5cdaaf3a825442cb1ed86a985df6 (commit) from 92caee08d30b05d5692a304368cf53f17e8dd7a9 (commit) - Log ----------------------------------------------------------------- commit d695a0225456f790d1fb93e19784f0c5b8397220 Author: Emilia Kasper Date: Tue Apr 21 18:12:58 2015 +0200 Repair EAP-FAST session resumption EAP-FAST session resumption relies on handshake message lookahead to determine server intentions. Commits 980bc1ec6114f5511b20c2e6ca741e61a39b99d6 and 7b3ba508af5c86afe43e28174aa3c53a0a24f4d9 removed the lookahead so broke session resumption. This change partially reverts the commits and brings the lookahead back in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not support regular session tickets, the lookahead now only checks for a Finished message. Regular handshakes are unaffected by this change. Reviewed-by: David Benjamin Reviewed-by: Matt Caswell (cherry picked from commit 6e3d015363ed09c4eff5c02ad41153387ffdf5af) commit a209623fbb5b5cdaaf3a825442cb1ed86a985df6 Author: Emilia Kasper Date: Tue Apr 14 17:42:42 2015 +0200 Initialize variable newsig may be used (freed) uninitialized on a malloc error. Reviewed-by: Rich Salz (cherry picked from commit 68249414405500660578b337f1c8dd5dd4bb5bcc) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/gost_sign.c | 2 +- ssl/s3_clnt.c | 121 ++++++++++++++++++++++++++++++++++++++------- ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 4 files changed, 107 insertions(+), 18 deletions(-) diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 4b5f49e..07ad921 100644 --- a/engines/ccgost/gost_sign.c 
+++ b/engines/ccgost/gost_sign.c @@ -53,7 +53,7 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig, *ret = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 3d6b491..6025829 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -168,6 +168,9 @@ #endif static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); +#ifndef OPENSSL_NO_TLSEXT +static int ssl3_check_finished(SSL *s); +#endif #ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) @@ -317,6 +320,18 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: +#ifndef OPENSSL_NO_TLSEXT + /* Noop (ret = 0) for everything but EAP-FAST. */ + ret = ssl3_check_finished(s); + if (ret < 0) + goto end; + if (ret == 1) { + s->hit = 1; + s->state = SSL3_ST_CR_FINISHED_A; + s->init_num = 0; + break; + } +#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! @@ -553,7 +568,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) 
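Review bot: `newsig` is now NULL-initialised, but the two declarations that follow it in this hunk, `md = hashsum2bn(dgst)` and `ctx = BN_CTX_new()`, also hold results of calls that can (for `hashsum2bn`, presumably) return NULL, and the hunk does not show either being checked. gost_do_sign's body continues outside the hunk, so the checks may exist there; if `md` is not tested, a NULL check that takes the same error exit as the other allocations would close the remaining allocation-failure path. A short comment on the declaration, e.g. `/* freed on the error path, so must start as NULL */`, would also record why the initialiser matters. The identical hunk appears in the OpenSSL_1_0_2-stable mail further down.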
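Review bot: The `ret == 1` branch added under `SSL3_ST_CR_CERT_A` sets `s->hit = 1` and jumps straight to `SSL3_ST_CR_FINISHED_A`, so the Certificate and key-exchange states are skipped on the strength of the next message's type, and nothing at this site says what still authenticates the server. The comment `/* Noop (ret = 0) for everything but EAP-FAST. */` is also narrower than the gate it describes: ssl3_check_finished, added later in this diff, keys on `tls_session_secret_cb` and `s->session->tlsext_tick`, not on EAP-FAST as such. I would widen the comment, e.g. `/* Lookahead runs only with a session secret callback and a ticket (EAP-FAST); on 1 the Finished check under that secret is what authenticates the peer. */`. The case body continues outside the hunk, and the same hunk is repeated at `@@ -317,6 +320,18 @@` in the OpenSSL_1_0_2-stable mail.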
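Review bot: The new guard `if (!s->s3->change_cipher_spec)` in the `SSL3_ST_CR_FINISHED_A` case carries no comment, and its reason is not visible at this site. Presumably the lookahead in ssl3_check_finished may already have consumed the ChangeCipherSpec, and setting `SSL3_FLAGS_CCS_OK` again would let a second one through. A one-line comment such as `/* CCS may already have been read by the lookahead; do not re-allow it. */` would keep a later cleanup from removing the check as redundant. The case body continues outside the hunk; the OpenSSL_1_0_2-stable mail carries the same change.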
@@ -658,9 +674,17 @@ int ssl3_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if ((sess == NULL) || - (sess->ssl_version != s->version) || - !sess->session_id_length || (sess->not_resumable)) { + if ((sess == NULL) || (sess->ssl_version != s->version) || +#ifdef OPENSSL_NO_TLSEXT + !sess->session_id_length || +#else + /* + * In the case of EAP-FAST, we can have a pre-shared + * "ticket" without a session ID. + */ + (!sess->session_id_length && !sess->tlsext_tick) || +#endif + (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -867,10 +891,19 @@ int ssl3_get_server_hello(SSL *s) } #ifndef OPENSSL_NO_TLSEXT /* - * check if we want to resume the session based on external pre-shared - * secret + * Check if we can resume the session based on external pre-shared secret. + * EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether EAP-FAST + * servers would honour the session ID.) Therefore, the session ID alone + * is not a reliable indicator of session resumption, so we first check if + * we can resume, and later peek at the next handshake message to see if the + * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && + s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, 
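Review bot: The `#ifdef OPENSSL_NO_TLSEXT` / `#else` / `#endif` now sits in the middle of the `if` condition in ssl3_client_hello, which makes the resumability test hard to read and easy to break when one arm is edited without the other. Computing the variant term first keeps the condition in one piece: declare a local before the `if`, set it to `!sess->session_id_length` in the no-TLSEXT build and to `!sess->session_id_length && !sess->tlsext_tick` otherwise, and use that local in the condition (it must be evaluated after the `sess == NULL` test, so guard it accordingly). The new term also tests only the `tlsext_tick` pointer; whether a non-NULL pointer with zero length can occur is not visible here and is worth confirming. The same hunk appears at `@@ -659,9 +675,17 @@` in the OpenSSL_1_0_2-stable mail.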
@@ -879,12 +912,15 @@ int ssl3_get_server_hello(SSL *s) s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p + j); - s->hit = 1; + } else { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; } } #endif /* OPENSSL_NO_TLSEXT */ - if (!s->hit && j != 0 && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { @@ -895,12 +931,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->hit = 1; - } - /* a miss or crap from the other end */ - if (!s->hit) { + } else { /* - * If we were trying for session-id reuse, make a new SSL_SESSION so - * we don't stuff up other people + * If we were trying for session-id reuse but the server + * didn't echo the ID, make a new SSL_SESSION. + * In the case of EAP-FAST and PAC, we do not send a session ID, + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { 
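Review bot: A zero return from `tls_session_secret_cb` is now fatal, where the removed code simply left `s->hit` unset and went on to a full handshake. The new `else` branch raises `ERR_R_INTERNAL_ERROR` and sends `SSL_AD_INTERNAL_ERROR`, so an application whose callback returns 0 to decline resumption will see its connections fail after this change. The hunk does not document that contract; a comment on the branch such as `/* The callback is consulted only when a ticket is present; failure is fatal, not a fallback to a full handshake. */`, and a matching sentence in the callback's documentation, would make the change visible to callers. ssl3_get_server_hello continues outside the hunk, and the same change is at `@@ -964,12 +997,15 @@` in the OpenSSL_1_0_2-stable mail.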
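Review bot: After this hunk `s->hit` is set in ssl3_get_server_hello only by the session-ID match; for the pre-shared-secret case it is now set later, in ssl3_connect, once the lookahead sees Finished. Any check further down this function that is conditional on `s->hit` (the rest of the body is outside the hunk) would therefore no longer run for that kind of resumption, which is worth confirming against the full file. The rewritten comment says the preserved secret will "be overwritten if the server refuses resumption", but the previous hunk also assigns `s->session->cipher` from the callback, and the comment does not say whether that is reset as well. I would extend the comment to cover the cipher and to state where `s->hit` is set for this path. The same hunk is at `@@ -980,12 +1016,13 @@` in the OpenSSL_1_0_2-stable mail.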
@@ -3289,7 +3326,57 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (0); } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifndef OPENSSL_NO_TLSEXT +/* + * Normally, we can tell if the server is resuming the session from + * the session ID. EAP-FAST (RFC 4851), however, relies on the next server + * message after the ServerHello to determine if the server is resuming. + * Therefore, we allow EAP-FAST to peek ahead. + * ssl3_check_finished returns 1 if we are resuming from an external + * pre-shared secret, we have a "ticket" and the next server handshake message + * is Finished; and 0 otherwise. It returns -1 upon an error. + */ +static int ssl3_check_finished(SSL *s) +{ + int ok = 0; + + if (s->version < TLS1_VERSION || !s->tls_session_secret_cb || + !s->session->tlsext_tick) + return 0; + + /* Need to permit this temporarily, in case the next message is Finished. */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This function is called when we might get a Certificate message instead, + * so permit appropriate message length. + * We ignore the return value as we're only interested in the message type + * and not its length. + */ + s->method->ssl_get_message(s, + SSL3_ST_CR_CERT_A, + SSL3_ST_CR_CERT_B, + -1, s->max_cert_list, &ok); + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + + if (!ok) + return -1; + + s->s3->tmp.reuse_message = 1; + + if (s->s3->tmp.message_type == SSL3_MT_FINISHED) + return 1; + + /* If we're not done, then the CCS arrived early and we should bail. */ + if (s->s3->change_cipher_spec) { + SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); + return -1; + } + + return 0; +} + +# ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) { unsigned int len, padding_len; 
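Review bot: ssl3_check_finished returns 1 as soon as `s->s3->tmp.message_type == SSL3_MT_FINISHED`, without itself confirming that a ChangeCipherSpec was received; `s->s3->change_cipher_spec` is only examined on the path where the message is not Finished. The caller then sets `s->hit = 1`, so rejecting a Finished that arrives without a CCS is left to ssl3_get_finished, which is outside this diff. If that is the intended division of labour, say so above the `return 1;`, e.g. `/* A Finished with no preceding CCS is rejected by ssl3_get_finished. */`, so the dependency survives later refactoring. Separately, `SSL3_FLAGS_CCS_OK` is set unconditionally before the read, while the `SSL3_ST_CR_FINISHED_A` case in this same commit guards it with `!s->s3->change_cipher_spec`; on a retried read the two sites now differ, and using the same guard here would keep them consistent.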
@@ -3312,8 +3399,8 @@ int ssl3_send_next_proto(SSL *s) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); } -#endif /* !OPENSSL_NO_TLSEXT && - * !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_TLSEXT */ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { diff --git a/ssl/ssl.h b/ssl/ssl.h index b93b67b..790589d 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2303,6 +2303,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 # define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 +# define SSL_F_SSL3_CHECK_FINISHED 339 # define SSL_F_SSL3_CLIENT_HELLO 131 # define SSL_F_SSL3_CONNECT 132 # define SSL_F_SSL3_CTRL 213 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index ac7312e..835b43c 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -160,6 +160,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"}, {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"}, + {ERR_FUNC(SSL_F_SSL3_CHECK_FINISHED), "SSL3_CHECK_FINISHED"}, {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, From emilia at openssl.org Tue Apr 21 17:40:38 2015 
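Review bot: The inner conditional is opened in the previous hunk as `# ifndef OPENSSL_NO_NEXTPROTONEG`, with the nesting space, but closed here as `#endif /* !OPENSSL_NO_NEXTPROTONEG */` at column zero, so the two `#endif` lines read as if they were at the same level. Writing the inner one as `# endif /* !OPENSSL_NO_NEXTPROTONEG */` matches its opener and makes it obvious that ssl3_check_finished is compiled under `OPENSSL_NO_TLSEXT` alone while ssl3_send_next_proto needs both macros unset.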
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 21 Apr 2015 17:40:38 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429638038.667528.8938.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 8f0f9ffda301485e665ba075b5422221629579b9 (commit) via 5c4fd8b515ef065d19490a3eda558d2326162bf9 (commit) from 496c79f60c96154bd8fcebd01a22edca958c9ebd (commit) - Log ----------------------------------------------------------------- commit 8f0f9ffda301485e665ba075b5422221629579b9 Author: Emilia Kasper Date: Tue Apr 21 18:12:58 2015 +0200 Repair EAP-FAST session resumption EAP-FAST session resumption relies on handshake message lookahead to determine server intentions. Commits 980bc1ec6114f5511b20c2e6ca741e61a39b99d6 and 7b3ba508af5c86afe43e28174aa3c53a0a24f4d9 removed the lookahead so broke session resumption. This change partially reverts the commits and brings the lookahead back in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not support regular session tickets, the lookahead now only checks for a Finished message. Regular handshakes are unaffected by this change. Reviewed-by: David Benjamin Reviewed-by: Matt Caswell (cherry picked from commit 6e3d015363ed09c4eff5c02ad41153387ffdf5af) commit 5c4fd8b515ef065d19490a3eda558d2326162bf9 Author: Emilia Kasper Date: Tue Apr 14 17:42:42 2015 +0200 Initialize variable newsig may be used (freed) uninitialized on a malloc error. Reviewed-by: Rich Salz (cherry picked from commit 68249414405500660578b337f1c8dd5dd4bb5bcc) ----------------------------------------------------------------------- Summary of changes: engines/ccgost/gost_sign.c | 2 +- ssl/s3_clnt.c | 121 ++++++++++++++++++++++++++++++++++++++------- ssl/ssl.h | 1 + ssl/ssl_err.c | 1 + 4 files changed, 107 insertions(+), 18 deletions(-) diff --git a/engines/ccgost/gost_sign.c b/engines/ccgost/gost_sign.c index 4b5f49e..07ad921 100644 --- a/engines/ccgost/gost_sign.c 
+++ b/engines/ccgost/gost_sign.c @@ -53,7 +53,7 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig, *ret = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 40e49cf..50544d1 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -168,6 +168,9 @@ #endif static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); +#ifndef OPENSSL_NO_TLSEXT +static int ssl3_check_finished(SSL *s); +#endif #ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) @@ -317,6 +320,18 @@ int ssl3_connect(SSL *s) break; case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: +#ifndef OPENSSL_NO_TLSEXT + /* Noop (ret = 0) for everything but EAP-FAST. */ + ret = ssl3_check_finished(s); + if (ret < 0) + goto end; + if (ret == 1) { + s->hit = 1; + s->state = SSL3_ST_CR_FINISHED_A; + s->init_num = 0; + break; + } +#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! @@ -553,7 +568,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) 
@@ -659,9 +675,17 @@ int ssl3_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if ((sess == NULL) || - (sess->ssl_version != s->version) || - !sess->session_id_length || (sess->not_resumable)) { + if ((sess == NULL) || (sess->ssl_version != s->version) || +#ifdef OPENSSL_NO_TLSEXT + !sess->session_id_length || +#else + /* + * In the case of EAP-FAST, we can have a pre-shared + * "ticket" without a session ID. + */ + (!sess->session_id_length && !sess->tlsext_tick) || +#endif + (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -952,10 +976,19 @@ int ssl3_get_server_hello(SSL *s) } #ifndef OPENSSL_NO_TLSEXT /* - * check if we want to resume the session based on external pre-shared - * secret + * Check if we can resume the session based on external pre-shared secret. + * EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether EAP-FAST + * servers would honour the session ID.) Therefore, the session ID alone + * is not a reliable indicator of session resumption, so we first check if + * we can resume, and later peek at the next handshake message to see if the + * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && + s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, 
@@ -964,12 +997,15 @@ int ssl3_get_server_hello(SSL *s) s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p + j); - s->hit = 1; + } else { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; } } #endif /* OPENSSL_NO_TLSEXT */ - if (!s->hit && j != 0 && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { @@ -980,12 +1016,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->hit = 1; - } - /* a miss or crap from the other end */ - if (!s->hit) { + } else { /* - * If we were trying for session-id reuse, make a new SSL_SESSION so - * we don't stuff up other people + * If we were trying for session-id reuse but the server + * didn't echo the ID, make a new SSL_SESSION. + * In the case of EAP-FAST and PAC, we do not send a session ID, + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { 
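Review bot: The success branch of the `tls_session_secret_cb` call in ssl3_get_server_hello accepts whatever the callback left in the session without checking the resulting key length. `master_key_length` is preset to `sizeof(s->session->master_key)` just before the call and is presumably updated by the callback (the argument list falls between this hunk and the previous one), so a callback that reports success with a length of zero would leave the resumption path, including the early ChangeCipherSpec that ssl3_check_finished permits, running on an empty master secret. I would fail closed by extending the condition with `&& s->session->master_key_length > 0`, which sends that case to the new `else` branch. The new `else` also turns a callback return of 0 from a fallback to the normal handshake into a fatal internal error, which the callback's documentation should mention. The same applies to the master commit's copy of this hunk.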
@@ -3459,7 +3496,57 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (0); } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifndef OPENSSL_NO_TLSEXT +/* + * Normally, we can tell if the server is resuming the session from + * the session ID. EAP-FAST (RFC 4851), however, relies on the next server + * message after the ServerHello to determine if the server is resuming. + * Therefore, we allow EAP-FAST to peek ahead. + * ssl3_check_finished returns 1 if we are resuming from an external + * pre-shared secret, we have a "ticket" and the next server handshake message + * is Finished; and 0 otherwise. It returns -1 upon an error. + */ +static int ssl3_check_finished(SSL *s) +{ + int ok = 0; + + if (s->version < TLS1_VERSION || !s->tls_session_secret_cb || + !s->session->tlsext_tick) + return 0; + + /* Need to permit this temporarily, in case the next message is Finished. */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This function is called when we might get a Certificate message instead, + * so permit appropriate message length. + * We ignore the return value as we're only interested in the message type + * and not its length. + */ + s->method->ssl_get_message(s, + SSL3_ST_CR_CERT_A, + SSL3_ST_CR_CERT_B, + -1, s->max_cert_list, &ok); + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + + if (!ok) + return -1; + + s->s3->tmp.reuse_message = 1; + + if (s->s3->tmp.message_type == SSL3_MT_FINISHED) + return 1; + + /* If we're not done, then the CCS arrived early and we should bail. */ + if (s->s3->change_cipher_spec) { + SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); + return -1; + } + + return 0; +} + +# ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) { unsigned int len, padding_len; 
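Review bot: The header comment of ssl3_check_finished says it "returns -1 upon an error", but the function returns -1 whenever `ok` is left at 0 by `ssl_get_message`, and the value that call returns is discarded. If `ssl_get_message` can also stop with `ok == 0` because the message is not yet available on a non-blocking transport (its contract is not visible here), the caller's `goto end` is a retry rather than a failure, and the comment should say so: `It returns -1 on error or when the message could not be read yet.` The comment should also state that SSL3_FLAGS_CCS_OK is cleared unconditionally after the read, so the function assumes the flag was not set on entry. The master commit adds the identical function.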
@@ -3482,8 +3569,8 @@ int ssl3_send_next_proto(SSL *s) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); } -#endif /* !OPENSSL_NO_TLSEXT && - * !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_TLSEXT */ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { diff --git a/ssl/ssl.h b/ssl/ssl.h index a6d845d..32d1482 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -2670,6 +2670,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 # define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 +# define SSL_F_SSL3_CHECK_FINISHED 339 # define SSL_F_SSL3_CLIENT_HELLO 131 # define SSL_F_SSL3_CONNECT 132 # define SSL_F_SSL3_CTRL 213 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index ab3aa23..76c92ae 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -151,6 +151,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "ssl3_check_cert_and_algorithm"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "ssl3_check_client_hello"}, + {ERR_FUNC(SSL_F_SSL3_CHECK_FINISHED), "SSL3_CHECK_FINISHED"}, {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "ssl3_client_hello"}, {ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"}, From emilia at openssl.org Tue Apr 21 17:40:38 2015 
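Review bot: The closing directives after ssl3_send_next_proto do not follow the nesting style used by the opening ones. The inner block is opened as `# ifndef OPENSSL_NO_NEXTPROTONEG` in the previous hunk, so its close should be written `# endif /* !OPENSSL_NO_NEXTPROTONEG */` with the same one-space indent, leaving the unindented `#endif` for OPENSSL_NO_TLSEXT.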
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 21 Apr 2015 17:40:38 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429638038.820556.8960.nullmailer@dev.openssl.org> The branch master has been updated via 6e3d015363ed09c4eff5c02ad41153387ffdf5af (commit) from c3b9bd11f9908c5103a3b39753bb48e78a9cf0d3 (commit) - Log ----------------------------------------------------------------- commit 6e3d015363ed09c4eff5c02ad41153387ffdf5af Author: Emilia Kasper Date: Tue Apr 21 18:12:58 2015 +0200 Repair EAP-FAST session resumption EAP-FAST session resumption relies on handshake message lookahead to determine server intentions. Commits 980bc1ec6114f5511b20c2e6ca741e61a39b99d6 and 7b3ba508af5c86afe43e28174aa3c53a0a24f4d9 removed the lookahead so broke session resumption. This change partially reverts the commits and brings the lookahead back in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not support regular session tickets, the lookahead now only checks for a Finished message. Regular handshakes are unaffected by this change. Reviewed-by: David Benjamin Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: include/openssl/ssl.h | 3 +- ssl/s3_clnt.c | 116 ++++++++++++++++++++++++++++++++++++++++++-------- ssl/ssl_err.c | 1 + 3 files changed, 101 insertions(+), 19 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index fae706b..a24f742 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1981,6 +1981,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 # define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 +# define SSL_F_SSL3_CHECK_FINISHED 339 # define SSL_F_SSL3_CLIENT_HELLO 131 # define SSL_F_SSL3_CONNECT 132 # define SSL_F_SSL3_CTRL 213 
@@ -2038,7 +2039,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_BAD_METHOD 160 # define SSL_F_SSL_BUILD_CERT_CHAIN 332 # define SSL_F_SSL_BYTES_TO_CIPHER_LIST 161 -# define SSL_F_SSL_CERT_ADD0_CHAIN_CERT 339 +# define SSL_F_SSL_CERT_ADD0_CHAIN_CERT 346 # define SSL_F_SSL_CERT_DUP 221 # define SSL_F_SSL_CERT_INSTANTIATE 214 # define SSL_F_SSL_CERT_NEW 162 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 697a3b4..3eb67ef 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -165,6 +165,9 @@ #endif static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); +#ifndef OPENSSL_NO_TLSEXT +static int ssl3_check_finished(SSL *s); +#endif #ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) @@ -321,6 +324,18 @@ int ssl3_connect(SSL *s) break; case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: +#ifndef OPENSSL_NO_TLSEXT + /* Noop (ret = 0) for everything but EAP-FAST. */ + ret = ssl3_check_finished(s); + if (ret < 0) + goto end; + if (ret == 1) { + s->hit = 1; + s->state = SSL3_ST_CR_FINISHED_A; + s->init_num = 0; + break; + } +#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! @@ -557,7 +572,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) 
@@ -663,9 +679,17 @@ int ssl3_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if ((sess == NULL) || - (sess->ssl_version != s->version) || - !sess->session_id_length || (sess->not_resumable)) { + if ((sess == NULL) || (sess->ssl_version != s->version) || +#ifdef OPENSSL_NO_TLSEXT + !sess->session_id_length || +#else + /* + * In the case of EAP-FAST, we can have a pre-shared + * "ticket" without a session ID. + */ + (!sess->session_id_length && !sess->tlsext_tick) || +#endif + (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -953,10 +977,19 @@ int ssl3_get_server_hello(SSL *s) } #ifndef OPENSSL_NO_TLSEXT /* - * check if we want to resume the session based on external pre-shared - * secret + * Check if we can resume the session based on external pre-shared secret. + * EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether EAP-FAST + * servers would honour the session ID.) Therefore, the session ID alone + * is not a reliable indicator of session resumption, so we first check if + * we can resume, and later peek at the next handshake message to see if the + * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && + s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, 
@@ -965,12 +998,15 @@ int ssl3_get_server_hello(SSL *s) s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p + j); - s->hit = 1; + } else { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; } } #endif /* OPENSSL_NO_TLSEXT */ - if (!s->hit && j != 0 && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { @@ -981,12 +1017,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->hit = 1; - } - /* a miss or crap from the other end */ - if (!s->hit) { + } else { /* - * If we were trying for session-id reuse, make a new SSL_SESSION so - * we don't stuff up other people + * If we were trying for session-id reuse but the server + * didn't echo the ID, make a new SSL_SESSION. + * In the case of EAP-FAST and PAC, we do not send a session ID, + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { 
@@ -3473,13 +3510,56 @@ int ssl3_check_cert_and_algorithm(SSL *s) return (0); } +#ifndef OPENSSL_NO_TLSEXT /* - * Check to see if handshake is full or resumed. Usually this is just a case - * of checking to see if a cache hit has occurred. In the case of session - * tickets we have to check the next message to be sure. + * Normally, we can tell if the server is resuming the session from + * the session ID. EAP-FAST (RFC 4851), however, relies on the next server + * message after the ServerHello to determine if the server is resuming. + * Therefore, we allow EAP-FAST to peek ahead. + * ssl3_check_finished returns 1 if we are resuming from an external + * pre-shared secret, we have a "ticket" and the next server handshake message + * is Finished; and 0 otherwise. It returns -1 upon an error. */ +static int ssl3_check_finished(SSL *s) +{ + int ok = 0; + + if (s->version < TLS1_VERSION || !s->tls_session_secret_cb || + !s->session->tlsext_tick) + return 0; + + /* Need to permit this temporarily, in case the next message is Finished. */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This function is called when we might get a Certificate message instead, + * so permit appropriate message length. + * We ignore the return value as we're only interested in the message type + * and not its length. + */ + s->method->ssl_get_message(s, + SSL3_ST_CR_CERT_A, + SSL3_ST_CR_CERT_B, + -1, s->max_cert_list, &ok); + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + + if (!ok) + return -1; + + s->s3->tmp.reuse_message = 1; + + if (s->s3->tmp.message_type == SSL3_MT_FINISHED) + return 1; + + /* If we're not done, then the CCS arrived early and we should bail. */ + if (s->s3->change_cipher_spec) { + SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); + return -1; + } + + return 0; +} -#ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) { 
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 5792906..5c40b49 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -126,6 +126,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "ssl3_check_cert_and_algorithm"}, {ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "ssl3_check_client_hello"}, + {ERR_FUNC(SSL_F_SSL3_CHECK_FINISHED), "SSL3_CHECK_FINISHED"}, {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "ssl3_client_hello"}, {ERR_FUNC(SSL_F_SSL3_CONNECT), "ssl3_connect"}, {ERR_FUNC(SSL_F_SSL3_CTRL), "ssl3_ctrl"}, From levitte at openssl.org Tue Apr 21 19:17:15 2015 From: levitte at openssl.org (Richard Levitte) Date: Tue, 21 Apr 2015 19:17:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429643835.072486.22037.nullmailer@dev.openssl.org> The branch master has been updated via a169a93a6f1c7cb555c0a058da360d84375813d3 (commit) from 6e3d015363ed09c4eff5c02ad41153387ffdf5af (commit) - Log ----------------------------------------------------------------- commit a169a93a6f1c7cb555c0a058da360d84375813d3 Author: Richard Levitte Date: Tue Apr 21 01:40:36 2015 +0200 test/Makefile dclean cleans out a few files too many. The files removed are the ones that were symbolic links before, but aren't now, so we should not remove them any more. Reviewed-by: Stephen Henson ----------------------------------------------------------------------- Summary of changes: test/Makefile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/test/Makefile b/test/Makefile index e3fb791..74fdf45 100644 --- a/test/Makefile +++ b/test/Makefile 
@@ -405,8 +405,7 @@ depend: dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new mv -f Makefile.new $(MAKEFILE) - rm -f $(SRC) $(SHA256TEST).c $(SHA512TEST).c evptests.txt newkey.pem testkey.pem \ - testreq.pem + rm -f newkey.pem testkey.pem testreq.pem clean: rm -f .rnd tmp.bntest tmp.bctest *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log dummytest From rsalz at openssl.org Tue Apr 21 19:53:22 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 21 Apr 2015 19:53:22 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429646002.156062.26237.nullmailer@dev.openssl.org> The branch master has been updated via 3dca57f8cadbca2eb6dec93bf12f486acfd274a3 (commit) from a169a93a6f1c7cb555c0a058da360d84375813d3 (commit) - Log ----------------------------------------------------------------- commit 3dca57f8cadbca2eb6dec93bf12f486acfd274a3 Author: Rich Salz Date: Tue Apr 21 15:52:51 2015 -0400 ssltest output cleanup Make only errors go to stderr. Print count and size before the loop, so you can see it's an 838K message that will take a few moments. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/ssltest.c | 81 ++++++++++++++++++++++++++-------------------------------- 1 file changed, 36 insertions(+), 45 deletions(-) diff --git a/test/ssltest.c b/test/ssltest.c index 6ca99ae..a716c3c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -1008,6 +1008,7 @@ int main(int argc, char *argv[]) int fips_mode = 0; #endif int no_protocol = 0; + int n; SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL; STACK_OF(OPENSSL_STRING) *conf_args = NULL; 
@@ -1394,18 +1395,15 @@ int main(int argc, char *argv[]) } } ssl_comp_methods = SSL_COMP_get_compression_methods(); - fprintf(stderr, "Available compression methods:"); - { - int j, n = sk_SSL_COMP_num(ssl_comp_methods); - if (n == 0) - fprintf(stderr, " NONE\n"); - else { - for (j = 0; j < n; j++) { - SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - fprintf(stderr, " %s:%d", c->name, c->id); - } - fprintf(stderr, "\n"); + n = sk_SSL_COMP_num(ssl_comp_methods); + if (n) { + int j; + printf("Available compression methods:"); + for (j = 0; j < n; j++) { + SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); + printf(" %s:%d", c->name, c->id); } + printf("\n"); } #endif @@ -1561,7 +1559,7 @@ int main(int argc, char *argv[]) } if (client_auth) { - BIO_printf(bio_err, "client authentication\n"); + printf("client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); @@ -1569,7 +1567,7 @@ int main(int argc, char *argv[]) &app_verify_arg); } if (server_auth) { - BIO_printf(bio_err, "server authentication\n"); + printf("server authentication\n"); SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); @@ -1746,6 +1744,7 @@ int main(int argc, char *argv[]) } #endif /* OPENSSL_NO_KRB5 */ + BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes); for (i = 0; i < number; i++) { if (!reuse) { if (!SSL_set_session(c_ssl, NULL)) { @@ -1763,9 +1762,6 @@ int main(int argc, char *argv[]) if (!verbose) { print_details(c_ssl, ""); } - if ((i > 1) || (bytes > 1L)) - BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", i, - bytes); if (print_time) { #ifdef CLOCKS_PER_SEC /* 
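Review bot: `n` is now declared at the top of main() (the `int n;` added in the first hunk of this file) but is only assigned and read inside the compression block that ends at the `#endif` here. If that block is compiled out, the variable is unused and will draw a warning; the opening directive is outside the hunk, so confirm which macro guards it. Keeping the declaration local to the block avoids this, as the removed code did with `{ int j, n = sk_SSL_COMP_num(ssl_comp_methods); ... }`.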
@@ -2493,7 +2489,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) sizeof buf); if (s != NULL) { if (ok) - fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf); + printf("depth=%d %s\n", ctx->error_depth, buf); else { fprintf(stderr, "depth=%d error=%d %s\n", ctx->error_depth, ctx->error, buf); @@ -2501,13 +2497,14 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) } if (ok == 0) { - fprintf(stderr, "Error string: %s\n", - X509_verify_cert_error_string(ctx->error)); switch (ctx->error) { + default: + fprintf(stderr, "Error string: %s\n", + X509_verify_cert_error_string(ctx->error)); + break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - fprintf(stderr, " ... ignored.\n"); ok = 1; } } @@ -2566,7 +2563,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) * others. */ - fprintf(stderr, " Certificate proxy rights = %*.*s", i, + printf(" Certificate proxy rights = %*.*s", i, i, s); while (i-- > 0) { int c = *s++; @@ -2584,15 +2581,15 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) } found_any = 0; - fprintf(stderr, ", resulting proxy rights = "); + printf(", resulting proxy rights = "); for (i = 0; i < 26; i++) if (letters[i]) { - fprintf(stderr, "%c", i + 'A'); + printf("%c", i + 'A'); found_any = 1; } if (!found_any) - fprintf(stderr, "none"); - fprintf(stderr, "\n"); + printf("none"); + printf("\n"); PROXY_CERT_INFO_EXTENSION_free(pci); } 
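Review bot: In verify_callback's `switch (ctx->error)`, the group ending in `case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:` sets `ok = 1;` and then runs off the end of the switch with no `break;`, and with `default:` now placed first that reads like an accidental fallthrough. Add `break;` after `ok = 1;`. With the " ... ignored." message removed, nothing in the code says that not-yet-valid, expired and depth-zero self-signed certificates are then accepted on purpose, so a comment such as `/* tolerated by the test harness: test certificates may be expired or self-signed */` is worth adding; that rationale is my assumption and should be confirmed. verify_callback starts and ends outside the hunk.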
@@ -2851,15 +2848,14 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) if (cb_arg->app_verify) { char *s = NULL, buf[256]; - fprintf(stderr, "In app_verify_callback, allowing cert. "); - fprintf(stderr, "Arg is: %s\n", cb_arg->string); - fprintf(stderr, - "Finished printing do we have a context? 0x%p a cert? 0x%p\n", + printf("In app_verify_callback, allowing cert. "); + printf("Arg is: %s\n", cb_arg->string); + printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n", (void *)ctx, (void *)ctx->cert); if (ctx->cert) s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256); if (s != NULL) { - fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf); + printf("cert depth=%d %s\n", ctx->error_depth, buf); } return (1); } @@ -2878,15 +2874,15 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) } } - fprintf(stderr, " Initial proxy rights = "); + printf(" Initial proxy rights = "); for (i = 0; i < 26; i++) if (letters[i]) { - fprintf(stderr, "%c", i + 'A'); + printf("%c", i + 'A'); found_any = 1; } if (!found_any) - fprintf(stderr, "none"); - fprintf(stderr, "\n"); + printf("none"); + printf("\n"); X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(), letters); @@ -2911,11 +2907,10 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) } if (!ok) fprintf(stderr, - "Proxy rights check with condition '%s' proved invalid\n", + "Proxy rights check with condition '%s' invalid\n", cb_arg->proxy_cond); else - fprintf(stderr, - "Proxy rights check with condition '%s' proved valid\n", + printf("Proxy rights check with condition '%s' ok\n", cb_arg->proxy_cond); } } 
@@ -2935,16 +2930,14 @@ static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength) BIO_printf(bio_err, "Memory error..."); goto end; } - BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength); - (void)BIO_flush(bio_err); + printf("Generating temp (%d bit) RSA key...", keylength); if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { BIO_printf(bio_err, "Error generating key."); RSA_free(rsa_tmp); rsa_tmp = NULL; } end: - BIO_printf(bio_err, "\n"); - (void)BIO_flush(bio_err); + printf("\n"); } if (bn) BN_free(bn); @@ -3174,31 +3167,29 @@ static int do_test_cipherlist(void) const SSL_CIPHER *ci, *tci = NULL; #ifndef OPENSSL_NO_SSL3 - fprintf(stderr, "testing SSLv3 cipher list order: "); meth = SSLv3_method(); tci = NULL; while ((ci = meth->get_cipher(i++)) != NULL) { if (tci != NULL) if (ci->id >= tci->id) { + fprintf(stderr, "testing SSLv3 cipher list order: "); fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); return 0; } tci = ci; } - fprintf(stderr, "ok\n"); #endif - fprintf(stderr, "testing TLSv1 cipher list order: "); meth = TLSv1_method(); tci = NULL; while ((ci = meth->get_cipher(i++)) != NULL) { if (tci != NULL) if (ci->id >= tci->id) { + fprintf(stderr, "testing TLSv1 cipher list order: "); fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); return 0; } tci = ci; } - fprintf(stderr, "ok\n"); return 1; } From rsalz at openssl.org Tue Apr 21 20:58:11 2015 
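Review bot: In tmp_rsa_cb the progress text and its terminating newline now go to stdout via `printf`, while the two failure messages still go to `bio_err` with no newline of their own. On the "Memory error..." path the `goto end` reaches `printf("\n")` although nothing was printed to stdout, and the stderr message stays unterminated; the same holds for "Error generating key.". I would terminate the error strings themselves, `BIO_printf(bio_err, "Memory error...\n");` and `BIO_printf(bio_err, "Error generating key.\n");`, and add `fflush(stdout);` after the "Generating temp" line, since the removed code flushed before the slow key generation. The function begins and ends outside the hunk.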
From: rsalz at openssl.org (Rich Salz) Date: Tue, 21 Apr 2015 20:58:11 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429649891.303578.32209.nullmailer@dev.openssl.org> The branch master has been updated via b95de5ecdea29f0ac658b6ea86d0cd2d77efcb13 (commit) from 3dca57f8cadbca2eb6dec93bf12f486acfd274a3 (commit) - Log ----------------------------------------------------------------- commit b95de5ecdea29f0ac658b6ea86d0cd2d77efcb13 Author: Rich Salz Date: Tue Apr 21 16:57:29 2015 -0400 Avoid "no config file" warning message Set config to /dev/null when doing make rehash. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Makefile.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.org b/Makefile.org index de08a47..301b4d3 100644 --- a/Makefile.org +++ b/Makefile.org @@ -438,8 +438,8 @@ rehash.time: certs apps @if [ -z "$(CROSS_COMPILE)" ]; then \ (OPENSSL="`pwd`/util/opensslwrap.sh"; \ [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ - OPENSSL_DEBUG_MEMORY=on; \ - export OPENSSL OPENSSL_DEBUG_MEMORY; \ + OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONFIG=/dev/null ; \ + export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONFIG; \ $(PERL) tools/c_rehash certs/demo) && \ touch rehash.time; \ else :; fi From steve at openssl.org Wed Apr 22 14:02:39 2015 
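Review bot: The variable exported in the rehash.time recipe is `OPENSSL_CONFIG`, but as far as I know the openssl command-line tool takes its configuration file path from `OPENSSL_CONF`. If that is right, the export has no effect and the "no config file" warning remains; the lines would then read `OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \` and `export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \`. Please confirm against the variable the app and tools/c_rehash actually read before changing it.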
From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 22 Apr 2015 14:02:39 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429711359.491100.24958.nullmailer@dev.openssl.org> The branch master has been updated via 98c9ce2f55609d00a06c2106df03a5a7e9dbfa75 (commit) from b95de5ecdea29f0ac658b6ea86d0cd2d77efcb13 (commit) - Log ----------------------------------------------------------------- commit 98c9ce2f55609d00a06c2106df03a5a7e9dbfa75 Author: Dr. Stephen Henson Date: Tue Apr 21 15:48:02 2015 +0100 SSL_CIPHER lookup functions. Add tables to convert between SSL_CIPHER fields and indices for ciphers and MACs. Reorganise ssl_ciph.c to use tables to lookup values and load them. New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid. Add documentation. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: doc/ssl/SSL_CIPHER_get_name.pod | 10 ++ include/openssl/ssl.h | 2 + ssl/ssl_ciph.c | 220 +++++++++++++++++----------------------- 3 files changed, 107 insertions(+), 125 deletions(-) diff --git a/doc/ssl/SSL_CIPHER_get_name.pod b/doc/ssl/SSL_CIPHER_get_name.pod index ec7011e..baac900 100644 --- a/doc/ssl/SSL_CIPHER_get_name.pod +++ b/doc/ssl/SSL_CIPHER_get_name.pod @@ -12,6 +12,8 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); + int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); + int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); =head1 DESCRIPTION 
@@ -37,6 +39,14 @@ returned. If B is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the allocation fails, a pointer to the string "OPENSSL_malloc Error" is returned. +SSL_CIPHER_get_cipher_nid() returns the cipher NID corresponding to B. +If there is no cipher (e.g. for ciphersuites with no encryption) then +B is returned. + +SSL_CIPHER_get_digest_nid() returns the digest NID corresponding to the MAC +used by B. If there is no digest (e.g. for AEAD ciphersuites) then +B is returned. + =head1 NOTES The number of bits processed can be different from the secret bits. An diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index a24f742..ecd6c69 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1789,6 +1789,8 @@ __owur int SSL_COMP_add_compression_method(int id, void *cm); # endif const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); +int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); +int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); /* TLS extensions functions */ __owur int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index cd86fcc..580098a 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c 
@@ -166,6 +166,31 @@ #define SSL_ENC_AES256GCM_IDX 13 #define SSL_ENC_NUM_IDX 14 +/* NB: make sure indices in these tables match values above */ + +typedef struct { + unsigned long mask; + int nid; +} ssl_cipher_table; + +/* Table of NIDs for each cipher */ +static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = { + {SSL_DES, NID_des_cbc}, /* SSL_ENC_DES_IDX 0 */ + {SSL_3DES, NID_des_ede3_cbc}, /* SSL_ENC_3DES_IDX 1 */ + {SSL_RC4, NID_rc4}, /* SSL_ENC_RC4_IDX 2 */ + {SSL_RC2, NID_rc2_cbc}, /* SSL_ENC_RC2_IDX 3 */ + {SSL_IDEA, NID_idea_cbc}, /* SSL_ENC_IDEA_IDX 4 */ + {SSL_eNULL, NID_undef}, /* SSL_ENC_NULL_IDX 5 */ + {SSL_AES128, NID_aes_128_cbc}, /* SSL_ENC_AES128_IDX 6 */ + {SSL_AES256, NID_aes_256_cbc}, /* SSL_ENC_AES256_IDX 7 */ + {SSL_CAMELLIA128, NID_camellia_128_cbc}, /* SSL_ENC_CAMELLIA128_IDX 8 */ + {SSL_CAMELLIA256, NID_camellia_256_cbc}, /* SSL_ENC_CAMELLIA256_IDX 9 */ + {SSL_eGOST2814789CNT, NID_gost89_cnt}, /* SSL_ENC_GOST89_IDX 10 */ + {SSL_SEED, NID_seed_cbc}, /* SSL_ENC_SEED_IDX 11 */ + {SSL_AES128GCM, NID_aes_128_gcm}, /* SSL_ENC_AES128GCM_IDX 12 */ + {SSL_AES256GCM, NID_aes_256_gcm} /* SSL_ENC_AES256GCM_IDX 13 */ +}; + static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL 
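Review bot: Nothing but the trailing comments ties a row of `ssl_cipher_table_cipher` to its SSL_ENC_*_IDX value. Because the array is declared with `SSL_ENC_NUM_IDX` elements, adding an index without adding a row compiles cleanly and leaves a zero-filled entry, and a swapped pair of rows is not detected at all. The "NB" comment should state the invariant and its consequence, e.g. `/* Row i must describe the cipher whose SSL_ENC_*_IDX is i; a missing row is silently zero-filled. */`.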
@@ -187,11 +212,38 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; * Constant SSL_MAX_DIGEST equal to size of digests array should be defined * in the ssl_locl.h */ + #define SSL_MD_NUM_IDX SSL_MAX_DIGEST + +/* NB: make sure indices in this table matches values above */ +static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = { + {SSL_MD5, NID_md5}, /* SSL_MD_MD5_IDX 0 */ + {SSL_SHA1, NID_sha1}, /* SSL_MD_SHA1_IDX 1 */ + {SSL_GOST94, NID_id_GostR3411_94}, /* SSL_MD_GOST94_IDX 2 */ + {SSL_GOST89MAC, NID_id_Gost28147_89_MAC}, /* SSL_MD_GOST89MAC_IDX 3 */ + {SSL_SHA256, NID_sha256}, /* SSL_MD_SHA256_IDX 4 */ + {SSL_SHA384, NID_sha384} /* SSL_MD_SHA384_IDX 5 */ +}; + static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { NULL, NULL, NULL, NULL, NULL, NULL }; +/* Utility function for table lookup */ +static int ssl_cipher_info_find(const ssl_cipher_table * table, + size_t table_cnt, unsigned long mask) +{ + size_t i; + for (i = 0; i < table_cnt; i++, table++) { + if (table->mask == mask) + return i; + } + return -1; +} + +#define ssl_cipher_info_lookup(table, x) \ + ssl_cipher_info_find(table, sizeof(table)/sizeof(*table), x) + /* * PKEY_TYPE for GOST89MAC is known in advance, but, because implementation * is engine-provided, we'll fill it only if corresponding EVP_PKEY_METHOD is 
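Review bot: ssl_cipher_info_find returns `i`, a `size_t`, through an `int` return type, and its comment does not mention the -1 result. Make the narrowing explicit with `return (int)i;` and replace the comment with one that states the contract, e.g. `/* Return the index of the entry whose mask equals |mask|, or -1 if there is none. */`, so callers know to test the result before using it as an array index. The callers are outside this hunk.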
@@ -403,61 +455,25 @@ static int get_optional_pkey_id(const char *pkey_name) void ssl_load_ciphers(void) { - ssl_cipher_methods[SSL_ENC_DES_IDX] = EVP_get_cipherbyname(SN_des_cbc); - ssl_cipher_methods[SSL_ENC_3DES_IDX] = - EVP_get_cipherbyname(SN_des_ede3_cbc); - ssl_cipher_methods[SSL_ENC_RC4_IDX] = EVP_get_cipherbyname(SN_rc4); - ssl_cipher_methods[SSL_ENC_RC2_IDX] = EVP_get_cipherbyname(SN_rc2_cbc); -#ifndef OPENSSL_NO_IDEA - ssl_cipher_methods[SSL_ENC_IDEA_IDX] = EVP_get_cipherbyname(SN_idea_cbc); -#else - ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL; -#endif - ssl_cipher_methods[SSL_ENC_AES128_IDX] = - EVP_get_cipherbyname(SN_aes_128_cbc); - ssl_cipher_methods[SSL_ENC_AES256_IDX] = - EVP_get_cipherbyname(SN_aes_256_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] = - EVP_get_cipherbyname(SN_camellia_128_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] = - EVP_get_cipherbyname(SN_camellia_256_cbc); - ssl_cipher_methods[SSL_ENC_GOST89_IDX] = - EVP_get_cipherbyname(SN_gost89_cnt); - ssl_cipher_methods[SSL_ENC_SEED_IDX] = EVP_get_cipherbyname(SN_seed_cbc); - - ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] = - EVP_get_cipherbyname(SN_aes_128_gcm); - ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] = - EVP_get_cipherbyname(SN_aes_256_gcm); - - ssl_digest_methods[SSL_MD_MD5_IDX] = EVP_get_digestbyname(SN_md5); - ssl_mac_secret_size[SSL_MD_MD5_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); - ssl_digest_methods[SSL_MD_SHA1_IDX] = EVP_get_digestbyname(SN_sha1); - ssl_mac_secret_size[SSL_MD_SHA1_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); - ssl_digest_methods[SSL_MD_GOST94_IDX] = - EVP_get_digestbyname(SN_id_GostR3411_94); - if (ssl_digest_methods[SSL_MD_GOST94_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST94_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); - } - 
ssl_digest_methods[SSL_MD_GOST89MAC_IDX] = - EVP_get_digestbyname(SN_id_Gost28147_89_MAC); - ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac"); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; + size_t i; + const ssl_cipher_table *t; + for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) { + if (t->nid == NID_undef) + ssl_cipher_methods[i] = NULL; + else + ssl_cipher_methods[i] = EVP_get_cipherbynid(t->nid); } - ssl_digest_methods[SSL_MD_SHA256_IDX] = EVP_get_digestbyname(SN_sha256); - ssl_mac_secret_size[SSL_MD_SHA256_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); - ssl_digest_methods[SSL_MD_SHA384_IDX] = EVP_get_digestbyname(SN_sha384); - ssl_mac_secret_size[SSL_MD_SHA384_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); + for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) { + ssl_digest_methods[i] = EVP_get_digestbynid(t->nid); + if (ssl_digest_methods[i]) { + ssl_mac_secret_size[i] = EVP_MD_size(ssl_digest_methods[i]); + OPENSSL_assert(ssl_mac_secret_size[i] >= 0); + } + } + /* Make sure we can access MD5 and SHA1 */ + OPENSSL_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL); + OPENSSL_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL); } #ifndef OPENSSL_NO_COMP 
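Review bot: The rewritten `ssl_load_ciphers` no longer sets `ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]`. The removed lines called `get_optional_pkey_id("gost-mac")` and forced `ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32`, and nothing in the added loops replaces either assignment. Unless the array is filled elsewhere (not visible in this hunk), the GOST89 MAC entry presumably keeps its initial pkey id and takes its secret size from `EVP_MD_size()` instead of the fixed 32. I would restore the setup after the digest loop: `ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");` followed by `if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;`.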
@@ -540,55 +556,9 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, if ((enc == NULL) || (md == NULL)) return 0; - switch (c->algorithm_enc) { - case SSL_DES: - i = SSL_ENC_DES_IDX; - break; - case SSL_3DES: - i = SSL_ENC_3DES_IDX; - break; - case SSL_RC4: - i = SSL_ENC_RC4_IDX; - break; - case SSL_RC2: - i = SSL_ENC_RC2_IDX; - break; - case SSL_IDEA: - i = SSL_ENC_IDEA_IDX; - break; - case SSL_eNULL: - i = SSL_ENC_NULL_IDX; - break; - case SSL_AES128: - i = SSL_ENC_AES128_IDX; - break; - case SSL_AES256: - i = SSL_ENC_AES256_IDX; - break; - case SSL_CAMELLIA128: - i = SSL_ENC_CAMELLIA128_IDX; - break; - case SSL_CAMELLIA256: - i = SSL_ENC_CAMELLIA256_IDX; - break; - case SSL_eGOST2814789CNT: - i = SSL_ENC_GOST89_IDX; - break; - case SSL_SEED: - i = SSL_ENC_SEED_IDX; - break; - case SSL_AES128GCM: - i = SSL_ENC_AES128GCM_IDX; - break; - case SSL_AES256GCM: - i = SSL_ENC_AES256GCM_IDX; - break; - default: - i = -1; - break; - } + i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc); - if ((i < 0) || (i >= SSL_ENC_NUM_IDX)) + if (i == -1) *enc = NULL; else { if (i == SSL_ENC_NULL_IDX) @@ -597,30 +567,8 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, *enc = ssl_cipher_methods[i]; } - switch (c->algorithm_mac) { - case SSL_MD5: - i = SSL_MD_MD5_IDX; - break; - case SSL_SHA1: - i = SSL_MD_SHA1_IDX; - break; - case SSL_SHA256: - i = SSL_MD_SHA256_IDX; - break; - case SSL_SHA384: - i = SSL_MD_SHA384_IDX; - break; - case SSL_GOST94: - i = SSL_MD_GOST94_IDX; - break; - case SSL_GOST89MAC: - i = SSL_MD_GOST89MAC_IDX; - break; - default: - i = -1; - break; - } - if ((i < 0) || (i >= SSL_MD_NUM_IDX)) { + i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); + if (i == -1) { *md = NULL; if (mac_pkey_type != NULL) *mac_pkey_type = NID_undef; 
@@ -2073,3 +2021,25 @@ const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) { return ssl->method->get_cipher_by_char(ptr); } + +int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) +{ + int i; + if (c == NULL) + return -1; + i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc); + if (i == -1) + return -1; + return ssl_cipher_table_cipher[i].nid; +} + +int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) +{ + int i; + if (c == NULL) + return -1; + i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); + if (i == -1) + return -1; + return ssl_cipher_table_mac[i].nid; +} From matt at openssl.org Wed Apr 22 16:29:22 2015 From: matt at openssl.org (Matt Caswell) Date: Wed, 22 Apr 2015 16:29:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429720162.548265.13947.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 50c2c64fe76c65f5dda8fb1180a435198c14fba7 (commit) from a6202a74f9fd459607adaec9e4c7aa8d103dbd11 (commit) - Log ----------------------------------------------------------------- commit 50c2c64fe76c65f5dda8fb1180a435198c14fba7 Author: Loganaden Velvindron Date: Wed Apr 22 16:16:30 2015 +0100 Fix CRYPTO_strdup The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return value from CRYPTO_malloc to see if it is NULL before attempting to use it. This patch adds a NULL check. RT3786 Signed-off-by: Matt Caswell (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60) Reviewed-by: Rich Salz (cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4) ----------------------------------------------------------------------- Summary of changes: crypto/mem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/mem.c b/crypto/mem.c index 628b650..5cbf474 100644 --- a/crypto/mem.c +++ b/crypto/mem.c 
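Review bot: `SSL_CIPHER_get_cipher_nid` and `SSL_CIPHER_get_digest_nid` are new public entry points with no comment stating their return contract. They return -1 for a NULL cipher or an unknown algorithm mask, while a NULL-encryption suite yields `NID_undef` from the table row `{SSL_eNULL, NID_undef}`. Since -1 is not a NID, a caller that hands the result straight to an NID-consuming function has to test for it first. I would add a header comment such as `/* Returns the cipher NID, NID_undef for eNULL, or -1 if c is NULL or the algorithm is unknown */`, with a matching one for the digest variant. If callers do not need the distinction, returning `NID_undef` on failure would be simpler.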
@@ -358,6 +358,9 @@ char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); + if (ret == NULL) + return NULL; + strcpy(ret, str); return ret; } From matt at openssl.org Wed Apr 22 16:29:38 2015 From: matt at openssl.org (Matt Caswell) Date: Wed, 22 Apr 2015 16:29:38 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1429720178.858272.14182.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via e3dd33c25c885ab3bfe707d87ddb12f845d77032 (commit) from d695a0225456f790d1fb93e19784f0c5b8397220 (commit) - Log ----------------------------------------------------------------- commit e3dd33c25c885ab3bfe707d87ddb12f845d77032 Author: Loganaden Velvindron Date: Wed Apr 22 16:16:30 2015 +0100 Fix CRYPTO_strdup The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return value from CRYPTO_malloc to see if it is NULL before attempting to use it. This patch adds a NULL check. RT3786 Signed-off-by: Matt Caswell (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60) Reviewed-by: Rich Salz (cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4) ----------------------------------------------------------------------- Summary of changes: crypto/mem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/mem.c b/crypto/mem.c index 2ce3e89..fdad49b 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -365,6 +365,9 @@ char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); + if (ret == NULL) + return NULL; + strcpy(ret, str); return ret; } From matt at openssl.org Wed Apr 22 16:30:11 2015 
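Review bot: The new check covers the allocation result, but `strlen(str)` on the line above still dereferences `str` before anything is validated, so a NULL `str` crashes exactly as before. If callers can pass NULL (not visible here), add `if (str == NULL) return NULL;` ahead of the allocation. The string is also measured twice, once by `strlen` and again inside `strcpy`; keeping the length in `size_t len = strlen(str) + 1;` and copying with `memcpy(ret, str, len);` ties the copy size to the allocation size. The identical hunk is applied to the 1.0.1, 1.0.2 and master branches in the messages that follow, and this note applies to each of them.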
From: matt at openssl.org (Matt Caswell) Date: Wed, 22 Apr 2015 16:30:11 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429720211.041301.14442.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 6e5d13076503e9ec7f1c2c690339f99284b7d283 (commit) from 8f0f9ffda301485e665ba075b5422221629579b9 (commit) - Log ----------------------------------------------------------------- commit 6e5d13076503e9ec7f1c2c690339f99284b7d283 Author: Loganaden Velvindron Date: Wed Apr 22 16:16:30 2015 +0100 Fix CRYPTO_strdup The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return value from CRYPTO_malloc to see if it is NULL before attempting to use it. This patch adds a NULL check. RT3786 Signed-off-by: Matt Caswell (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60) Reviewed-by: Rich Salz (cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4) ----------------------------------------------------------------------- Summary of changes: crypto/mem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/mem.c b/crypto/mem.c index 2ce3e89..fdad49b 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -365,6 +365,9 @@ char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); + if (ret == NULL) + return NULL; + strcpy(ret, str); return ret; } From matt at openssl.org Wed Apr 22 16:30:24 2015 
From: matt at openssl.org (Matt Caswell) Date: Wed, 22 Apr 2015 16:30:24 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429720224.677888.14668.nullmailer@dev.openssl.org> The branch master has been updated via 8031d26b0cc7fb277288b106dc4850adf4d77a23 (commit) from 98c9ce2f55609d00a06c2106df03a5a7e9dbfa75 (commit) - Log ----------------------------------------------------------------- commit 8031d26b0cc7fb277288b106dc4850adf4d77a23 Author: Loganaden Velvindron Date: Wed Apr 22 16:16:30 2015 +0100 Fix CRYPTO_strdup The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return value from CRYPTO_malloc to see if it is NULL before attempting to use it. This patch adds a NULL check. RT3786 Signed-off-by: Matt Caswell (cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60) Reviewed-by: Rich Salz (cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4) ----------------------------------------------------------------------- Summary of changes: crypto/mem.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/mem.c b/crypto/mem.c index d059362..2251d57 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -364,6 +364,9 @@ char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); + if (ret == NULL) + return NULL; + strcpy(ret, str); return ret; } From steve at openssl.org Wed Apr 22 20:58:22 2015 
From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 22 Apr 2015 20:58:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1429736302.908772.8543.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via b3ac37c69adc8d0c4764ddfb94842428f6f956b2 (commit) from 50c2c64fe76c65f5dda8fb1180a435198c14fba7 (commit) - Log ----------------------------------------------------------------- commit b3ac37c69adc8d0c4764ddfb94842428f6f956b2 Author: Dr. Stephen Henson Date: Thu Apr 16 00:00:40 2015 +0100 Limit depth of nested sequences when generating ASN.1 Reported by Hanno B?ck PR#3800 Reviewed-by: Rich Salz (cherry picked from commit c4137b5e828d8fab0b244defb79257619dad8fc7) Conflicts: crypto/asn1/asn1_gen.c ----------------------------------------------------------------------- Summary of changes: crypto/asn1/asn1_gen.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index e303d11..af52f6d 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ 
@@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -133,6 +138,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf) ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) { + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) +{ ASN1_TYPE *ret; tag_exp_arg asn1_tags; tag_exp_type *etmp; @@ -160,11 +175,14 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; + return NULL; + } + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); 
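Review bot: The depth check in `generate_v3` reports `ASN1_R_ILLEGAL_NESTED_TAGGING` when `depth >= ASN1_GEN_SEQ_MAX_DEPTH`, which reads as a tagging error and not as a nesting limit. If no more specific reason code exists on this branch, a comment on that line such as `/* nesting limit reached; reported as ILLEGAL_NESTED_TAGGING for lack of a dedicated code */` would save the next reader a search. The `perr` out-parameter also has no documented contract: only these two branches set it, and the wrapper `ASN1_generate_v3` raises it once at the top level. A short comment above `generate_v3` should say that `*perr` carries a reason code for the outermost caller to raise, and that the other failure paths, which lie outside this hunk, presumably report their own errors.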
@@ -433,7 +451,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; @@ -452,7 +471,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) From emilia at openssl.org Fri Apr 24 15:41:04 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 24 Apr 2015 15:41:04 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429890064.322935.13883.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 7238a82c8ae4dbf9043cb7c253f796615b3277a6 (commit) from 6e5d13076503e9ec7f1c2c690339f99284b7d283 (commit) - Log ----------------------------------------------------------------- commit 7238a82c8ae4dbf9043cb7c253f796615b3277a6 Author: Emilia Kasper Date: Fri Apr 24 15:19:15 2015 +0200 Correctly set Z_is_one on the return value in the NISTZ256 implementation. Also add a few comments about constant-timeness. Thanks to Brian Smith for reporting this issue. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 2cd6599..911c2a6 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
@@ -589,6 +589,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, for (i = 0; i < num; i++) { P256_POINT *row = table[i]; + /* This is an unusual input, we don't guarantee constant-timeness. */ if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) { BIGNUM *mod; @@ -1300,9 +1301,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, memcpy(r->X.d, p.p.X, sizeof(p.p.X)); memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y)); memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z)); + /* Not constant-time, but we're only operating on the public output. */ bn_correct_top(&r->X); bn_correct_top(&r->Y); bn_correct_top(&r->Z); + r->Z_is_one = is_one(p.p.Z); ret = 1; From emilia at openssl.org Fri Apr 24 15:41:04 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 24 Apr 2015 15:41:04 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429890064.414422.13905.nullmailer@dev.openssl.org> The branch master has been updated via c028254b12a8ea0d0f8a677172eda2e2d78073f3 (commit) from 8031d26b0cc7fb277288b106dc4850adf4d77a23 (commit) - Log ----------------------------------------------------------------- commit c028254b12a8ea0d0f8a677172eda2e2d78073f3 Author: Emilia Kasper Date: Fri Apr 24 15:19:15 2015 +0200 Correctly set Z_is_one on the return value in the NISTZ256 implementation. Also add a few comments about constant-timeness. Thanks to Brian Smith for reporting this issue. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index de9fbea..b6eec7d 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
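Review bot: The comment added in `ecp_nistz256_points_mul` says the output is public, but that is a property of the caller and nothing in the hunk establishes it. `bn_correct_top()` and `is_one(p.p.Z)` both depend on the value of the result, so if this function is ever used for a multiplication whose result must stay secret (its callers are not visible here), the comment would give false assurance. I would word it by what the code does, for example `/* Not constant-time: bn_correct_top() and is_one() depend on the result value; callers must treat the result as public. */`. The function body continues outside the hunk. The same two hunks are applied to master in the next message, with `bn_set_data` in place of `memcpy`.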
@@ -587,6 +587,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, for (i = 0; i < num; i++) { P256_POINT *row = table[i]; + /* This is an unusual input, we don't guarantee constant-timeness. */ if ((BN_num_bits(scalar[i]) > 256) || BN_is_negative(scalar[i])) { BIGNUM *mod; @@ -1331,9 +1332,11 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, bn_set_data(r->X, p.p.X, sizeof(p.p.X)); bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y)); bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z)); + /* Not constant-time, but we're only operating on the public output. */ bn_correct_top(r->X); bn_correct_top(r->Y); bn_correct_top(r->Z); + r->Z_is_one = is_one(p.p.Z); ret = 1; From emilia at openssl.org Fri Apr 24 15:50:12 2015 From: emilia at openssl.org (Emilia Kasper) Date: Fri, 24 Apr 2015 15:50:12 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1429890612.521906.16274.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 9ed55313a71ca68ddea2c207261487954828fe31 (commit) from 7238a82c8ae4dbf9043cb7c253f796615b3277a6 (commit) - Log ----------------------------------------------------------------- commit 9ed55313a71ca68ddea2c207261487954828fe31 Author: Emilia Kasper Date: Fri Apr 24 15:38:24 2015 +0200 Fix error checking and memory leaks in NISTZ256 precomputation. Thanks to Brian Smith for reporting these issues. Reviewed-by: Rich Salz (cherry picked from commit 53dd4ddf71ad79a64be934ca19445b1cf560adab) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 911c2a6..7e521d8 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
@@ -743,6 +743,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) EC_POINT *P = NULL, *T = NULL; const EC_POINT *generator; EC_PRE_COMP *pre_comp; + BN_CTX *new_ctx = NULL; int i, j, k, ret = 0; size_t w; @@ -772,7 +773,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) return 0; if (ctx == NULL) { - ctx = BN_CTX_new(); + ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) goto err; } @@ -803,15 +804,19 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) P = EC_POINT_new(group); T = EC_POINT_new(group); + if (P == NULL || T == NULL) + goto err; /* * The zero entry is implicitly infinity, and we skip it, storing other * values with -1 offset. */ - EC_POINT_copy(T, generator); + if (!EC_POINT_copy(T, generator)) + goto err; for (k = 0; k < 64; k++) { - EC_POINT_copy(P, T); + if (!EC_POINT_copy(P, T)) + goto err; for (j = 0; j < 37; j++) { /* * It would be faster to use @@ -850,6 +855,8 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) err: if (ctx != NULL) BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + if (pre_comp) ecp_nistz256_pre_comp_free(pre_comp); if (precomp_storage) From emilia at openssl.org Fri Apr 24 15:50:12 2015 
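Review bot: `new_ctx` is declared without a comment and its role only becomes clear at `err:`. A line at the declaration such as `/* set only when ctx was allocated here, so err: frees what we own and nothing else */` would document why `BN_CTX_free(new_ctx)` is safe when the caller supplied `ctx`. The hunks now check `EC_POINT_new` and both `EC_POINT_copy` calls, but the body of the inner `for (j = 0; j < 37; j++)` loop lies outside them. Whether the point operations there are checked in the same way cannot be confirmed from here and is worth a look. The same change is applied to master in the next message.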
From: emilia at openssl.org (Emilia Kasper) Date: Fri, 24 Apr 2015 15:50:12 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429890612.606598.16296.nullmailer@dev.openssl.org> The branch master has been updated via 53dd4ddf71ad79a64be934ca19445b1cf560adab (commit) from c028254b12a8ea0d0f8a677172eda2e2d78073f3 (commit) - Log ----------------------------------------------------------------- commit 53dd4ddf71ad79a64be934ca19445b1cf560adab Author: Emilia Kasper Date: Fri Apr 24 15:38:24 2015 +0200 Fix error checking and memory leaks in NISTZ256 precomputation. Thanks to Brian Smith for reporting these issues. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index b6eec7d..22fe071 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -765,6 +765,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) EC_POINT *P = NULL, *T = NULL; const EC_POINT *generator; EC_PRE_COMP *pre_comp; + BN_CTX *new_ctx = NULL; int i, j, k, ret = 0; size_t w; @@ -794,7 +795,7 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) return 0; if (ctx == NULL) { - ctx = BN_CTX_new(); + ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) goto err; } @@ -825,15 +826,19 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) P = EC_POINT_new(group); T = EC_POINT_new(group); + if (P == NULL || T == NULL) + goto err; /* * The zero entry is implicitly infinity, and we skip it, storing other * values with -1 offset. */ - EC_POINT_copy(T, generator); + if (!EC_POINT_copy(T, generator)) + goto err; for (k = 0; k < 64; k++) { - EC_POINT_copy(P, T); + if (!EC_POINT_copy(P, T)) + goto err; for (j = 0; j < 37; j++) { P256_POINT_AFFINE temp; /* 
@@ -871,6 +876,8 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) err: if (ctx != NULL) BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + ecp_nistz256_pre_comp_free(pre_comp); if (precomp_storage) OPENSSL_free(precomp_storage); From rsalz at openssl.org Fri Apr 24 19:27:42 2015 
From: rsalz at openssl.org (Rich Salz) Date: Fri, 24 Apr 2015 19:27:42 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429903662.646479.24393.nullmailer@dev.openssl.org> The branch master has been updated via 7e1b7485706c2b11091b5fa897fe496a2faa56cc (commit) from 53dd4ddf71ad79a64be934ca19445b1cf560adab (commit) - Log ----------------------------------------------------------------- commit 7e1b7485706c2b11091b5fa897fe496a2faa56cc Author: Rich Salz Date: Fri Apr 24 15:26:15 2015 -0400 Big apps cleanup (option-parsing, etc) This is merges the old "rsalz-monolith" branch over to master. The biggest change is that option parsing switch from cascasding 'else if strcmp("-foo")' to a utility routine and somethin akin to getopt. Also, an error in the command line no longer prints the full summary; use -help (or --help :) for that. There have been many other changes and code-cleanup, see bullet list below. Special thanks to Matt for the long and detailed code review. TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main Tickets closed: RT3515: Use 3DES in pkcs12 if built with no-rc2 RT1766: s_client -reconnect and -starttls broke RT2932: Catch write errors RT2604: port should be 'unsigned short' RT2983: total_bytes undeclared #ifdef RENEG RT1523: Add -nocert to fix output in x509 app RT3508: Remove unused variable introduced by b09eb24 RT3511: doc fix; req default serial is random RT1325,2973: Add more extensions to c_rehash RT2119,3407: Updated to dgst.pod RT2379: Additional typo fix RT2693: Extra include of string.h RT2880: HFS is case-insensitive filenames RT3246: req command prints version number wrong Other changes; incompatibilities marked with *: Add SCSV support Add -misalign to speed command Make dhparam, dsaparam, ecparam, x509 output C in proper style Make some internal ocsp.c functions void Only display cert usages with -help in verify Use global bio_err, remove "BIO*err" parameter from functions For filenames, - always means 
stdin (or stdout as appropriate) Add aliases for -des/aes "wrap" ciphers. *Remove support for IISSGC (server gated crypto) *The undocumented OCSP -header flag is now "-header name=value" *Documented the OCSP -header flag Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/Makefile | 264 +++++----- apps/app_rand.c | 25 +- apps/apps.c | 884 ++++++++------------------------ apps/apps.h | 362 ++++++++++---- apps/asn1pars.c | 269 ++++------ apps/ca.c | 1035 +++++++++++++++++--------------------- apps/ciphers.c | 163 +++--- apps/cms.c | 923 +++++++++++++++++----------------- apps/crl.c | 317 +++++------- apps/crl2p7.c | 183 +++---- apps/dgst.c | 370 ++++++-------- apps/dh.c | 325 ------------ apps/dhparam.c | 351 +++++-------- apps/dsa.c | 314 +++++------- apps/dsaparam.c | 329 +++++------- apps/ec.c | 311 +++++------- apps/ecparam.c | 518 +++++++------------ apps/enc.c | 505 ++++++++----------- apps/engine.c | 232 ++++----- apps/errstr.c | 85 ++-- apps/gendh.c | 243 --------- apps/gendsa.c | 223 +++------ apps/genpkey.c | 242 ++++----- apps/genrsa.c | 250 +++------- apps/makeapps.com | 2 +- apps/nseq.c | 116 ++--- apps/ocsp.c | 929 ++++++++++++++-------------------- apps/openssl.c | 731 ++++++++++++++++----------- apps/opt.c | 915 ++++++++++++++++++++++++++++++++++ apps/passwd.c | 326 ++++++------ apps/pkcs12.c | 710 ++++++++++---------------- apps/pkcs7.c | 257 +++++----- apps/pkcs8.c | 307 +++++------- apps/pkey.c | 220 ++++---- apps/pkeyparam.c | 143 ++---- apps/pkeyutl.c | 370 ++++++-------- apps/prime.c | 135 +++-- apps/progs.h | 417 +++++++++------- apps/progs.pl | 161 +++--- apps/rand.c | 183 +++---- apps/req.c | 686 +++++++++++-------------- apps/rsa.c | 362 +++++++------- apps/rsautl.c | 278 +++++------ apps/s_apps.h | 15 +- apps/s_cb.c | 240 +++------ apps/s_client.c | 1356 ++++++++++++++++++++++++-------------------------- apps/s_server.c | 1211 +++++++++++++++++++++----------------------- 
apps/s_socket.c | 70 ++- apps/s_time.c | 414 ++++++--------- apps/sess_id.c | 185 +++---- apps/smime.c | 635 +++++++++++------------ apps/speed.c | 1253 ++++++++++++++++++---------------------------- apps/spkac.c | 237 ++++----- apps/srp.c | 464 ++++++++--------- apps/testdsa.h | 53 +- apps/ts.c | 442 ++++++++-------- apps/verify.c | 261 +++++----- apps/version.c | 88 ++-- apps/vms_decc_init.c | 104 +++- apps/winrand.c | 1 - apps/x509.c | 883 +++++++++++++++----------------- crypto/evp/c_allc.c | 7 + ssl/ssl_conf.c | 2 + util/indent.pro | 2 + util/ssleay.num | 2 + 65 files changed, 10760 insertions(+), 13136 deletions(-) delete mode 100644 apps/dh.c delete mode 100644 apps/gendh.c create mode 100644 apps/opt.c diff --git a/apps/Makefile b/apps/Makefile index c7a6094..b6f7b2c 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -6,7 +6,7 @@ DIR= apps TOP= .. CC= cc INCLUDES= -I$(TOP) -I../include $(KRB5_INCLUDES) -CFLAG= -g -static +CFLAG= -g -static -Wswitch MAKEFILE= Makefile PERL= perl RM= rm -f @@ -20,7 +20,7 @@ EXE_EXT= SHLIB_TARGET= -CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) +CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile makeapps.com install.com 
@@ -29,49 +29,48 @@ DLIBSSL=../libssl.a LIBCRYPTO=-L.. -lcrypto LIBSSL=-L.. -lssl -PROGRAM= openssl - SCRIPTS=CA.pl tsget +EXE= openssl$(EXE_EXT) -EXE= $(PROGRAM)$(EXE_EXT) - -E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ - ca crl rsa rsautl dsa dsaparam ec ecparam \ - x509 genrsa gendsa genpkey s_server s_client speed \ - s_time version pkcs7 cms crl2pkcs7 sess_id ciphers nseq pkcs12 \ - pkcs8 pkey pkeyparam pkeyutl spkac smime rand engine ocsp prime ts srp - -PROGS= $(PROGRAM).c +COMMANDS= \ + asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \ + dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \ + genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \ + pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \ + s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \ + srp.o ts.o verify.o version.o x509.o -A_OBJ=apps.o -A_SRC=apps.c +A_OBJ=apps.o opt.o +A_SRC=apps.c opt.c S_OBJ= s_cb.o s_socket.o S_SRC= s_cb.c s_socket.c RAND_OBJ=app_rand.o RAND_SRC=app_rand.c -E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o \ - ca.o pkcs7.o crl2p7.o crl.o \ - rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o \ - x509.o genrsa.o gendsa.o genpkey.o s_server.o s_client.o speed.o \ - s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \ - ciphers.o nseq.o pkcs12.o pkcs8.o pkey.o pkeyparam.o pkeyutl.o \ - spkac.o smime.o cms.o rand.o engine.o ocsp.o prime.o ts.o srp.o +OBJ = \ + asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \ + dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \ + genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \ + pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \ + s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \ + srp.o ts.o verify.o version.o x509.o -E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \ - pkcs7.c 
crl2p7.c crl.c \ - rsa.c rsautl.c dsa.c dsaparam.c ec.c ecparam.c \ - x509.c genrsa.c gendsa.c genpkey.c s_server.c s_client.c speed.c \ - s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \ - ciphers.c nseq.c pkcs12.c pkcs8.c pkey.c pkeyparam.c pkeyutl.c \ - spkac.c smime.c cms.c rand.c engine.c ocsp.c prime.c ts.c srp.c -SRC=$(E_SRC) +SRC = \ + asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \ + dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \ + genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \ + pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \ + s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \ + srp.c ts.c verify.c version.c x509.c + +EXE_OBJ = openssl.o $(OBJ) $(A_OBJ) $(S_OBJ) $(RAND_OBJ) +EXE_SRC = openssl.c $(SRC) $(A_SRC) $(S_SRC) $(RAND_SRC) HEADER= apps.h progs.h s_apps.h \ - testdsa.h testrsa.h + testdsa.h testrsa.h timeouts.h -ALL= $(GENERAL) $(SRC) $(HEADER) +ALL= $(GENERAL) $(EXE_SRC) $(HEADER) top: @(cd ..; $(MAKE) DIRS=$(DIR) all) @@ -80,18 +79,6 @@ all: exe exe: $(EXE) -req: sreq.o $(A_OBJ) $(DLIBCRYPTO) - shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ - shlib_target="$(SHLIB_TARGET)"; \ - fi; \ - $(MAKE) -f $(TOP)/Makefile.shared -e \ - APPNAME=req OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \ - LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \ - link_app.$${shlib_target} - -sreq.o: req.c - $(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c - files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO @@ -129,18 +116,18 @@ uninstall: $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf tags: - ctags $(SRC) + ctags $(EXE_SRC) $(HEADER) tests: lint: - lint -DLINT $(INCLUDES) $(SRC)>fluff + echo nope >fluff depend: @if [ -z "$(THIS)" ]; then \ $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ + $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC); \ fi dclean: 
@@ -157,21 +144,22 @@ $(DLIBSSL): $(DLIBCRYPTO): (cd ..; $(MAKE) DIRS=crypto all) -$(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) +$(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(EXE) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ - APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \ + APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ link_app.$${shlib_target} @(cd ..; $(MAKE) rehash) -progs.h: progs.pl - $(PERL) progs.pl $(E_EXE) >progs.h - $(RM) $(PROGRAM).o +progs.h: progs.pl Makefile + $(RM) progs.h + $(PERL) progs.pl $(COMMANDS) >progs.h + $(RM) openssl.o # DO NOT DELETE THIS LINE -- make depend depends on it. 
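Review bot: The `progs.h` recipe redirects the generator's output straight into the target (`$(PERL) progs.pl $(COMMANDS) >progs.h`), so if `progs.pl` fails part-way the shell has already created a truncated `progs.h` that is newer than its prerequisites. Unless targets are deleted on error somewhere outside this hunk, the next `make` run would treat that file as up to date and compile every command against an incomplete table. Writing to a temporary name and renaming on success avoids this: `$(PERL) progs.pl $(COMMANDS) >progs.h.new && mv progs.h.new progs.h`.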
@@ -189,24 +177,30 @@ app_rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h app_rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h app_rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h app_rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h -app_rand.o: app_rand.c apps.h +app_rand.o: app_rand.c apps.h progs.h apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h -apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h +apps.o: ../include/openssl/comp.h ../include/openssl/conf.h +apps.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h apps.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h apps.o: ../include/openssl/engine.h ../include/openssl/err.h -apps.o: ../include/openssl/evp.h ../include/openssl/lhash.h +apps.o: ../include/openssl/evp.h ../include/openssl/hmac.h +apps.o: ../include/openssl/kssl.h ../include/openssl/lhash.h apps.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -apps.o: ../include/openssl/sha.h ../include/openssl/stack.h -apps.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -apps.o: ../include/openssl/ui.h ../include/openssl/x509.h -apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h +apps.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h +apps.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +apps.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +apps.o: ../include/openssl/ssl3.h 
../include/openssl/stack.h +apps.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +apps.o: ../include/openssl/x509v3.h apps.c apps.h progs.h asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -222,7 +216,7 @@ asn1pars.o: ../include/openssl/safestack.h ../include/openssl/sha.h asn1pars.o: ../include/openssl/stack.h ../include/openssl/symhacks.h asn1pars.o: ../include/openssl/txt_db.h ../include/openssl/x509.h asn1pars.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -asn1pars.o: asn1pars.c +asn1pars.o: asn1pars.c progs.h ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -238,7 +232,7 @@ ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h ca.o: ../include/openssl/sha.h ../include/openssl/stack.h ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ca.o: ../include/openssl/x509v3.h apps.h ca.c +ca.o: ../include/openssl/x509v3.h apps.h ca.c progs.h ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -259,7 +253,7 @@ ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c +ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c progs.h cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -275,7 +269,7 @@ cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h cms.o: ../include/openssl/sha.h ../include/openssl/stack.h cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h cms.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -cms.o: ../include/openssl/x509v3.h apps.h cms.c +cms.o: ../include/openssl/x509v3.h apps.h cms.c progs.h crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -291,6 +285,7 @@ crl.o: ../include/openssl/safestack.h ../include/openssl/sha.h crl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h crl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c +crl.o: progs.h crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -306,7 +301,7 @@ crl2p7.o: ../include/openssl/safestack.h ../include/openssl/sha.h crl2p7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h crl2p7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h crl2p7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -crl2p7.o: crl2p7.c +crl2p7.o: crl2p7.c progs.h dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -322,23 +317,24 @@ dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -dgst.o: ../include/openssl/x509v3.h apps.h dgst.c -dh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h -dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h -dh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h -dh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -dh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -dh.o: ../include/openssl/err.h ../include/openssl/evp.h -dh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -dh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dh.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -dh.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dh.c +dgst.o: ../include/openssl/x509v3.h apps.h dgst.c progs.h +dhparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +dhparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h +dhparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h +dhparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h +dhparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +dhparam.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +dhparam.o: ../include/openssl/engine.h ../include/openssl/err.h +dhparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h +dhparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +dhparam.o: 
../include/openssl/ocsp.h ../include/openssl/opensslconf.h +dhparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +dhparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h +dhparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +dhparam.o: ../include/openssl/sha.h ../include/openssl/stack.h +dhparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +dhparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +dhparam.o: ../include/openssl/x509v3.h apps.h dhparam.c progs.h dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -355,6 +351,7 @@ dsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h dsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c +dsa.o: progs.h dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -371,7 +368,7 @@ dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h dsaparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h dsaparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -dsaparam.o: dsaparam.c +dsaparam.o: dsaparam.c progs.h ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -387,6 +384,7 @@ ec.o: ../include/openssl/safestack.h ../include/openssl/sha.h ec.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ec.o: ../include/openssl/txt_db.h ../include/openssl/x509.h ec.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ec.c +ec.o: progs.h ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -402,7 +400,7 @@ ecparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h ecparam.o: ../include/openssl/sha.h ../include/openssl/stack.h ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c +ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c progs.h enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -419,6 +417,7 @@ enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c +enc.o: progs.h engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -439,7 +438,7 @@ engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -engine.o: ../include/openssl/x509v3.h apps.h engine.c +engine.o: ../include/openssl/x509v3.h apps.h engine.c progs.h errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -460,24 +459,7 @@ errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -errstr.o: ../include/openssl/x509v3.h apps.h errstr.c -gendh.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h -gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h -gendh.o: ../include/openssl/dh.h ../include/openssl/e_os2.h -gendh.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -gendh.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h -gendh.o: ../include/openssl/err.h ../include/openssl/evp.h -gendh.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h -gendh.o: ../include/openssl/objects.h ../include/openssl/ocsp.h -gendh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -gendh.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -gendh.o: ../include/openssl/rand.h ../include/openssl/safestack.h -gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h -gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -gendh.o: ../include/openssl/x509v3.h apps.h gendh.c +errstr.o: ../include/openssl/x509v3.h apps.h errstr.c progs.h gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -494,7 +476,7 @@ gendsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -gendsa.o: gendsa.c +gendsa.o: gendsa.c progs.h genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -510,7 +492,7 @@ genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -genpkey.o: genpkey.c +genpkey.o: genpkey.c progs.h genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -527,7 +509,7 @@ genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c +genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c progs.h nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -543,6 +525,7 @@ nseq.o: ../include/openssl/safestack.h ../include/openssl/sha.h nseq.o: ../include/openssl/stack.h ../include/openssl/symhacks.h nseq.o: ../include/openssl/txt_db.h ../include/openssl/x509.h nseq.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h nseq.c +nseq.o: progs.h ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -564,6 +547,7 @@ ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c +ocsp.o: progs.h openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -586,6 +570,20 @@ openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h openssl.o: openssl.c progs.h s_apps.h +opt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +opt.o: ../include/openssl/buffer.h ../include/openssl/conf.h +opt.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +opt.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +opt.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h +opt.o: ../include/openssl/evp.h ../include/openssl/lhash.h +opt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +opt.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h +opt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +opt.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +opt.o: ../include/openssl/sha.h ../include/openssl/stack.h +opt.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h +opt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +opt.o: ../include/openssl/x509v3.h apps.h opt.c progs.h passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h @@ -601,7 +599,7 @@ passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -passwd.o: ../include/openssl/x509v3.h apps.h passwd.c +passwd.o: ../include/openssl/x509v3.h apps.h passwd.c progs.h pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -617,7 +615,7 @@ pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h pkcs12.o: ../include/openssl/sha.h ../include/openssl/stack.h pkcs12.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c +pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c progs.h pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -633,7 +631,7 @@ pkcs7.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkcs7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkcs7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h pkcs7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkcs7.o: pkcs7.c +pkcs7.o: pkcs7.c progs.h pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -649,7 +647,7 @@ pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c +pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c progs.h pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -665,6 +663,7 @@ pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c +pkey.o: progs.h pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -680,7 +679,7 @@ pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkeyparam.o: pkeyparam.c +pkeyparam.o: pkeyparam.c progs.h pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -696,7 +695,7 @@ pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -pkeyutl.o: pkeyutl.c +pkeyutl.o: pkeyutl.c progs.h prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -711,7 +710,7 @@ prime.o: ../include/openssl/safestack.h ../include/openssl/sha.h prime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h prime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h prime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -prime.o: prime.c +prime.o: prime.c progs.h rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -726,7 +725,7 @@ rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h rand.o: ../include/openssl/sha.h ../include/openssl/stack.h rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rand.o: ../include/openssl/x509v3.h apps.h rand.c +rand.o: ../include/openssl/x509v3.h apps.h progs.h rand.c req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h req.o: ../include/openssl/bn.h ../include/openssl/buffer.h req.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -743,7 +742,7 @@ req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h req.o: ../include/openssl/sha.h ../include/openssl/stack.h req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -req.o: ../include/openssl/x509v3.h apps.h req.c +req.o: ../include/openssl/x509v3.h apps.h progs.h req.c rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -759,7 +758,8 @@ rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h rsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h rsa.c +rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h +rsa.o: rsa.c rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -775,7 +775,7 @@ rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rsautl.o: ../include/openssl/x509v3.h apps.h rsautl.c +rsautl.o: ../include/openssl/x509v3.h apps.h progs.h rsautl.c s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -798,7 +798,7 @@ s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_cb.o: s_apps.h s_cb.c +s_cb.o: progs.h s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h 
@@ -821,7 +821,7 @@ s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_client.o: s_apps.h s_client.c timeouts.h +s_client.o: progs.h s_apps.h s_client.c timeouts.h s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h @@ -845,7 +845,7 @@ s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_server.o: s_apps.h s_server.c timeouts.h +s_server.o: progs.h s_apps.h s_server.c timeouts.h s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -866,7 +866,7 @@ s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_socket.o: s_apps.h s_socket.c +s_socket.o: progs.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -887,7 +887,7 @@ s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_time.o: ../include/openssl/x509v3.h apps.h s_apps.h s_time.c +s_time.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_time.c sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -908,7 +908,7 @@ sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -sess_id.o: ../include/openssl/x509v3.h apps.h sess_id.c +sess_id.o: ../include/openssl/x509v3.h apps.h progs.h sess_id.c smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -924,7 +924,7 @@ smime.o: ../include/openssl/safestack.h ../include/openssl/sha.h smime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h smime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h smime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -smime.o: smime.c +smime.o: progs.h smime.c speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h 
@@ -949,7 +949,7 @@ speed.o: ../include/openssl/sha.h ../include/openssl/stack.h speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -speed.o: speed.c testdsa.h testrsa.h +speed.o: progs.h speed.c testdsa.h testrsa.h spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -965,7 +965,7 @@ spkac.o: ../include/openssl/safestack.h ../include/openssl/sha.h spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -spkac.o: spkac.c +spkac.o: progs.h spkac.c srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h srp.o: ../include/openssl/conf.h ../include/openssl/crypto.h @@ -980,7 +980,8 @@ srp.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h srp.o: ../include/openssl/sha.h ../include/openssl/srp.h srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h srp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -srp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h srp.c +srp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h +srp.o: srp.c ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -998,7 +999,8 @@ ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h ts.o: ../include/openssl/sha.h ../include/openssl/stack.h ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ts.c +ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h +ts.o: ts.c verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h @@ -1014,7 +1016,7 @@ verify.o: ../include/openssl/safestack.h ../include/openssl/sha.h verify.o: ../include/openssl/stack.h ../include/openssl/symhacks.h verify.o: ../include/openssl/txt_db.h ../include/openssl/x509.h verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -verify.o: verify.c +verify.o: progs.h verify.c version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h version.o: ../include/openssl/buffer.h ../include/openssl/conf.h @@ -1031,7 +1033,7 @@ version.o: ../include/openssl/safestack.h ../include/openssl/sha.h version.o: ../include/openssl/stack.h ../include/openssl/symhacks.h version.o: ../include/openssl/txt_db.h ../include/openssl/x509.h version.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -version.o: version.c +version.o: progs.h version.c x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -1048,4 +1050,4 @@ x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h x509.o: ../include/openssl/sha.h ../include/openssl/stack.h x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -x509.o: ../include/openssl/x509v3.h apps.h x509.c +x509.o: ../include/openssl/x509v3.h apps.h progs.h x509.c diff --git a/apps/app_rand.c b/apps/app_rand.c index 595fc78..906144b 100644 --- a/apps/app_rand.c +++ b/apps/app_rand.c @@ -1,4 +1,3 @@ -/* apps/app_rand.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -109,25 +108,23 @@ * */ -#define NON_MAIN #include "apps.h" -#undef NON_MAIN #include #include static int seeded = 0; static int egdsocket = 0; -int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn) +int app_RAND_load_file(const char *file, int dont_warn) { int consider_randfile = (file == NULL); char buffer[200]; #ifdef OPENSSL_SYS_WINDOWS - BIO_printf(bio_e, "Loading 'screen' into random state -"); - BIO_flush(bio_e); + BIO_printf(bio_err, "Loading 'screen' into random state -"); + BIO_flush(bio_err); RAND_screen(); - BIO_printf(bio_e, " done\n"); + BIO_printf(bio_err, " done\n"); #endif if (file == NULL) 
@@ -143,15 +140,15 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn) if (file == NULL || !RAND_load_file(file, -1)) { if (RAND_status() == 0) { if (!dont_warn) { - BIO_printf(bio_e, "unable to load 'random state'\n"); - BIO_printf(bio_e, + BIO_printf(bio_err, "unable to load 'random state'\n"); + BIO_printf(bio_err, "This means that the random number generator has not been seeded\n"); - BIO_printf(bio_e, "with much random data.\n"); + BIO_printf(bio_err, "with much random data.\n"); if (consider_randfile) { /* explanation does not apply when a * file is explicitly named */ - BIO_printf(bio_e, + BIO_printf(bio_err, "Consider setting the RANDFILE environment variable to point at a file that\n"); - BIO_printf(bio_e, + BIO_printf(bio_err, "'random' data can be kept in (the file will be overwritten).\n"); } } @@ -193,7 +190,7 @@ long app_RAND_load_files(char *name) return (tot); } -int app_RAND_write_file(const char *file, BIO *bio_e) +int app_RAND_write_file(const char *file) { char buffer[200]; @@ -208,7 +205,7 @@ int app_RAND_write_file(const char *file, BIO *bio_e) if (file == NULL) file = RAND_file_name(buffer, sizeof buffer); if (file == NULL || !RAND_write_file(file)) { - BIO_printf(bio_e, "unable to write 'random state'\n"); + BIO_printf(bio_err, "unable to write 'random state'\n"); return 0; } return 1; diff --git a/apps/apps.c b/apps/apps.c index 76e0ee3..7440d39 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1,4 +1,3 @@ -/* apps/apps.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -143,10 +142,9 @@ #ifndef OPENSSL_NO_JPAKE # include #endif +#include -#define NON_MAIN #include "apps.h" -#undef NON_MAIN #ifdef _WIN32 static int WIN32_rename(const char *from, const char *to); 
@@ -168,285 +166,58 @@ static int set_multi_opts(unsigned long *flags, const char *arg, #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) /* Looks like this stuff is worth moving into separate function */ -static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file, +static EVP_PKEY *load_netscape_key(BIO *key, const char *file, const char *key_descrip, int format); #endif int app_init(long mesgwin); -#ifdef undef /* never finished - probably never will be - * :-) */ -int args_from_file(char *file, int *argc, char **argv[]) -{ - FILE *fp; - int num, i; - unsigned int len; - static char *buf = NULL; - static char **arg = NULL; - char *p; - - fp = fopen(file, "r"); - if (fp == NULL) - return (0); - - if (fseek(fp, 0, SEEK_END) == 0) - len = ftell(fp), rewind(fp); - else - len = -1; - if (len <= 0) { - fclose(fp); - return (0); - } - - *argc = 0; - *argv = NULL; - if (buf != NULL) - OPENSSL_free(buf); - buf = (char *)OPENSSL_malloc(len + 1); - if (buf == NULL) - return (0); - - len = fread(buf, 1, len, fp); - if (len <= 1) - return (0); - buf[len] = '\0'; - - i = 0; - for (p = buf; *p; p++) - if (*p == '\n') - i++; - if (arg != NULL) - OPENSSL_free(arg); - arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2)); - - *argv = arg; - num = 0; - p = buf; - for (;;) { - if (!*p) - break; - if (*p == '#') { /* comment line */ - while (*p && (*p != '\n')) - p++; - continue; - } - /* else we have a line */ - *(arg++) = p; - num++; - while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n'))) - p++; - if (!*p) - break; - if (*p == '\n') { - *(p++) = '\0'; - continue; - } - /* else it is a tab or space */ - p++; - while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n'))) - p++; - if (!*p) - break; - if (*p == '\n') { - p++; - continue; - } - *(arg++) = p++; - num++; - while (*p && (*p != '\n')) - p++; - if (!*p) - break; - /* else *p == '\n' */ - *(p++) = '\0'; - } - *argc = num; - return (1); -} -#endif - -int str2fmt(char *s) -{ - if (s == NULL) - return 
FORMAT_UNDEF; - if ((*s == 'D') || (*s == 'd')) - return (FORMAT_ASN1); - else if ((*s == 'T') || (*s == 't')) - return (FORMAT_TEXT); - else if ((strcmp(s, "NSS") == 0) || (strcmp(s, "nss") == 0)) - return (FORMAT_NSS); - else if ((*s == 'N') || (*s == 'n')) - return (FORMAT_NETSCAPE); - else if ((*s == 'S') || (*s == 's')) - return (FORMAT_SMIME); - else if ((*s == 'M') || (*s == 'm')) - return (FORMAT_MSBLOB); - else if ((*s == '1') - || (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) - || (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0)) - return (FORMAT_PKCS12); - else if ((*s == 'E') || (*s == 'e')) - return (FORMAT_ENGINE); - else if ((*s == 'H') || (*s == 'h')) - return FORMAT_HTTP; - else if ((*s == 'P') || (*s == 'p')) { - if (s[1] == 'V' || s[1] == 'v') - return FORMAT_PVK; - else - return (FORMAT_PEM); - } else - return (FORMAT_UNDEF); -} - -#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE) -void program_name(char *in, char *out, int size) -{ - int i, n; - char *p = NULL; - - n = strlen(in); - /* find the last '/', '\' or ':' */ - for (i = n - 1; i > 0; i--) { - if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':')) { - p = &(in[i + 1]); - break; - } - } - if (p == NULL) - p = in; - n = strlen(p); - -# if defined(OPENSSL_SYS_NETWARE) - /* strip off trailing .nlm if present. */ - if ((n > 4) && (p[n - 4] == '.') && - ((p[n - 3] == 'n') || (p[n - 3] == 'N')) && - ((p[n - 2] == 'l') || (p[n - 2] == 'L')) && - ((p[n - 1] == 'm') || (p[n - 1] == 'M'))) - n -= 4; -# else - /* strip off trailing .exe if present. 
*/ - if ((n > 4) && (p[n - 4] == '.') && - ((p[n - 3] == 'e') || (p[n - 3] == 'E')) && - ((p[n - 2] == 'x') || (p[n - 2] == 'X')) && - ((p[n - 1] == 'e') || (p[n - 1] == 'E'))) - n -= 4; -# endif - - if (n > size - 1) - n = size - 1; - - for (i = 0; i < n; i++) { - if ((p[i] >= 'A') && (p[i] <= 'Z')) - out[i] = p[i] - 'A' + 'a'; - else - out[i] = p[i]; - } - out[n] = '\0'; -} -#else -# ifdef OPENSSL_SYS_VMS -void program_name(char *in, char *out, int size) +int chopup_args(ARGS *arg, char *buf) { - char *p = in, *q; - char *chars = ":]>"; - - while (*chars != '\0') { - q = strrchr(p, *chars); - if (q > p) - p = q + 1; - chars++; - } + int quoted; + char c, *p; - q = strrchr(p, '.'); - if (q == NULL) - q = p + strlen(p); - strncpy(out, p, size - 1); - if (q - p >= size) { - out[size - 1] = '\0'; - } else { - out[q - p] = '\0'; - } -} -# else -void program_name(char *in, char *out, int size) -{ - char *p; - - p = strrchr(in, '/'); - if (p != NULL) - p++; - else - p = in; - BUF_strlcpy(out, p, size); -} -# endif -#endif - -int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]) -{ - int num, i; - char *p; - - *argc = 0; - *argv = NULL; - - i = 0; - if (arg->count == 0) { - arg->count = 20; - arg->data = (char **)OPENSSL_malloc(sizeof(char *) * arg->count); - if (arg->data == NULL) + arg->argc = 0; + if (arg->size == 0) { + arg->size = 20; + arg->argv = (char **)OPENSSL_malloc(sizeof(char *) * arg->size); + if (arg->argv == NULL) return 0; } - for (i = 0; i < arg->count; i++) - arg->data[i] = NULL; - num = 0; - p = buf; - for (;;) { - /* first scan over white space */ - if (!*p) - break; - while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n'))) + for (p = buf;;) { + /* Skip whitespace. 
*/ + while (*p && isspace(*p)) p++; if (!*p) break; /* The start of something good :-) */ - if (num >= arg->count) { - char **tmp_p; - int tlen = arg->count + 20; - tmp_p = (char **)OPENSSL_realloc(arg->data, - sizeof(char *) * tlen); - if (tmp_p == NULL) + if (arg->argc >= arg->size) { + arg->size += 20; + arg->argv = (char **)OPENSSL_realloc(arg->argv, + sizeof(char *) * arg->size); + if (arg->argv == NULL) return 0; - arg->data = tmp_p; - arg->count = tlen; - /* initialize newly allocated data */ - for (i = num; i < arg->count; i++) - arg->data[i] = NULL; } - arg->data[num++] = p; + quoted = *p == '\'' || *p == '"'; + if (quoted) + c = *p++; + arg->argv[arg->argc++] = p; /* now look for the end of this */ - if ((*p == '\'') || (*p == '\"')) { /* scan for closing quote */ - i = *(p++); - arg->data[num - 1]++; /* jump over quote */ - while (*p && (*p != i)) + if (quoted) { + while (*p && *p != c) p++; - *p = '\0'; + *p++ = '\0'; } else { - while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n'))) + while (*p && !isspace(*p)) p++; - - if (*p == '\0') - p--; - else - *p = '\0'; + if (*p) + *p++ = '\0'; } - p++; } - *argc = num; - *argv = arg->data; + arg->argv[arg->argc] = NULL; return (1); } @@ -457,6 +228,14 @@ int app_init(long mesgwin) } #endif +int ctx_set_verify_locations(SSL_CTX *ctx, + const char *CAfile, const char *CApath) +{ + if (CAfile == NULL && CApath == NULL) + return SSL_CTX_set_default_verify_paths(ctx); + return SSL_CTX_load_verify_locations(ctx, CAfile, CApath); +} + int dump_cert_text(BIO *out, X509 *x) { char *p; @@ -573,7 +352,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) int ok = 0; char *buff = NULL; int ui_flags = 0; - char *prompt = NULL; + char *prompt; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); if (!prompt) { 
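Review bot: The final `arg->argv[arg->argc] = NULL;` in chopup_args can store one element past the allocation, because the growth check `arg->argc >= arg->size` runs before each argument is stored and leaves no slot for the terminator when the input holds exactly `arg->size` arguments. The same loop assigns the OPENSSL_realloc result straight to `arg->argv`, so a failed grow loses the old array, and the quoted branch executes `*p++ = '\0'` even when the closing quote is missing, which moves `p` past the end of `buf` before the next iteration reads it. Passing a plain `char` to `isspace(*p)` is also undefined for negative values; `isspace((unsigned char)*p)` avoids that. The fence shows the growth check reserving the terminator slot, a temporary for the realloc, and a guarded advance in the quoted branch.

```c
        /* Grow early so one slot always remains for the trailing NULL. */
        if (arg->argc + 1 >= arg->size) {
            char **tmp = (char **)OPENSSL_realloc(arg->argv,
                                                  sizeof(char *) * (arg->size + 20));
            if (tmp == NULL)
                return 0;       /* arg->argv is still valid here */
            arg->argv = tmp;
            arg->size += 20;
        }
        /* … unchanged: quote detection and argv store … */
        if (quoted) {
            while (*p && *p != c)
                p++;
            if (*p)             /* no closing quote: stay on the terminator */
                *p++ = '\0';
        } else {
        /* … unchanged: unquoted branch … */
```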
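Review bot: ctx_set_verify_locations has no comment saying that the default trust locations are used only when both `CAfile` and `CApath` are NULL; as soon as either is supplied, only SSL_CTX_load_verify_locations is called and the defaults are not added. A caller who expects the default store to stay trusted alongside a custom file would be surprised by that. I would add above the function `/* Uses the default verify paths only if both CAfile and CApath are NULL; otherwise loads just the given locations. Returns 1 on success, 0 on failure. */`.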
@@ -629,9 +408,9 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) return res; } -static char *app_get_pass(BIO *err, char *arg, int keepbio); +static char *app_get_pass(char *arg, int keepbio); -int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2) +int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2) { int same; if (!arg2 || !arg1 || strcmp(arg1, arg2)) @@ -639,13 +418,13 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2) else same = 1; if (arg1) { - *pass1 = app_get_pass(err, arg1, same); + *pass1 = app_get_pass(arg1, same); if (!*pass1) return 0; } else if (pass1) *pass1 = NULL; if (arg2) { - *pass2 = app_get_pass(err, arg2, same ? 2 : 0); + *pass2 = app_get_pass(arg2, same ? 2 : 0); if (!*pass2) return 0; } else if (pass2) @@ -653,7 +432,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2) return 1; } -static char *app_get_pass(BIO *err, char *arg, int keepbio) +static char *app_get_pass(char *arg, int keepbio) { char *tmp, tpass[APP_PASS_LEN]; static BIO *pwdbio = NULL; @@ -663,7 +442,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) if (!strncmp(arg, "env:", 4)) { tmp = getenv(arg + 4); if (!tmp) { - BIO_printf(err, "Can't read environment variable %s\n", arg + 4); + BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4); return NULL; } return BUF_strdup(tmp); @@ -672,7 +451,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) if (!strncmp(arg, "file:", 5)) { pwdbio = BIO_new_file(arg + 5, "r"); if (!pwdbio) { - BIO_printf(err, "Can't open file %s\n", arg + 5); + BIO_printf(bio_err, "Can't open file %s\n", arg + 5); return NULL; } #if !defined(_WIN32) 
@@ -690,7 +469,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) if (i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE); if ((i < 0) || !pwdbio) { - BIO_printf(err, "Can't access file descriptor %s\n", arg + 3); + BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3); return NULL; } /* @@ -700,13 +479,13 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) pwdbio = BIO_push(btmp, pwdbio); #endif } else if (!strcmp(arg, "stdin")) { - pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE); + pwdbio = dup_bio_in(); if (!pwdbio) { - BIO_printf(err, "Can't open BIO for stdin\n"); + BIO_printf(bio_err, "Can't open BIO for stdin\n"); return NULL; } } else { - BIO_printf(err, "Invalid password argument \"%s\"\n", arg); + BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg); return NULL; } } @@ -716,7 +495,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) pwdbio = NULL; } if (i <= 0) { - BIO_printf(err, "Error reading password from BIO\n"); + BIO_printf(bio_err, "Error reading password from BIO\n"); return NULL; } tmp = strchr(tpass, '\n'); @@ -725,7 +504,7 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio) return BUF_strdup(tpass); } -int add_oid_section(BIO *err, CONF *conf) +int add_oid_section(CONF *conf) { char *p; STACK_OF(CONF_VALUE) *sktmp; @@ -736,13 +515,13 @@ int add_oid_section(BIO *err, CONF *conf) return 1; } if (!(sktmp = NCONF_get_section(conf, p))) { - BIO_printf(err, "problem loading oid section %s\n", p); + BIO_printf(bio_err, "problem loading oid section %s\n", p); return 0; } for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { cnf = sk_CONF_VALUE_value(sktmp, i); if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { - BIO_printf(err, "problem creating object %s=%s\n", + BIO_printf(bio_err, "problem creating object %s=%s\n", cnf->name, cnf->value); return 0; } 
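Review bot: app_get_pass reads the pass phrase into the stack array `tpass` and returns `BUF_strdup(tpass)` without wiping the array, as far as the lines shown here go; the function spans several hunks and a couple of lines between them are not visible. A copy of the secret then stays on the stack after the call returns. I would end the function with `tmp = BUF_strdup(tpass); OPENSSL_cleanse(tpass, sizeof(tpass)); return tmp;` and cleanse `tpass` on the `i <= 0` error return as well.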
@@ -750,7 +529,7 @@ int add_oid_section(BIO *err, CONF *conf) return 1; } -static int load_pkcs12(BIO *err, BIO *in, const char *desc, +static int load_pkcs12(BIO *in, const char *desc, pem_password_cb *pem_cb, void *cb_data, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) { @@ -760,7 +539,7 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, PKCS12 *p12; p12 = d2i_PKCS12_bio(in, NULL); if (p12 == NULL) { - BIO_printf(err, "Error loading PKCS12 file for %s\n", desc); + BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); goto die; } /* See if an empty password will do */ @@ -771,13 +550,13 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, pem_cb = (pem_password_cb *)password_callback; len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); if (len < 0) { - BIO_printf(err, "Passpharse callback error for %s\n", desc); + BIO_printf(bio_err, "Passphrase callback error for %s\n", desc); goto die; } if (len < PEM_BUFSIZE) tpass[len] = 0; if (!PKCS12_verify_mac(p12, tpass, len)) { - BIO_printf(err, + BIO_printf(bio_err, "Mac verify error (wrong password?) in PKCS12 file for %s\n", desc); goto die; @@ -790,8 +569,7 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc, return ret; } -int load_cert_crl_http(const char *url, BIO *err, - X509 **pcert, X509_CRL **pcrl) +int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl) { char *host = NULL, *port = NULL, *path = NULL; BIO *bio = NULL; @@ -800,8 +578,7 @@ int load_cert_crl_http(const char *url, BIO *err, if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) goto err; if (use_ssl) { - if (err) - BIO_puts(err, "https not supported\n"); + BIO_puts(bio_err, "https not supported\n"); goto err; } bio = BIO_new_connect(host); @@ -817,8 +594,7 @@ int load_cert_crl_http(const char *url, BIO *err, if (pcert) { do { rv = X509_http_nbio(rctx, pcert); - } - while (rv == -1); + } while (rv == -1); } else { do { rv = X509_CRL_http_nbio(rctx, pcrl); 
@@ -837,40 +613,31 @@ int load_cert_crl_http(const char *url, BIO *err, if (rctx) OCSP_REQ_CTX_free(rctx); if (rv != 1) { - if (bio && err) - BIO_printf(bio_err, "Error loading %s from %s\n", - pcert ? "certificate" : "CRL", url); + BIO_printf(bio_err, "Error loading %s from %s\n", + pcert ? "certificate" : "CRL", url); ERR_print_errors(bio_err); } return rv; } -X509 *load_cert(BIO *err, const char *file, int format, +X509 *load_cert(const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip) { X509 *x = NULL; BIO *cert; if (format == FORMAT_HTTP) { - load_cert_crl_http(file, err, &x, NULL); + load_cert_crl_http(file, &x, NULL); return x; } - if ((cert = BIO_new(BIO_s_file())) == NULL) { - ERR_print_errors(err); - goto end; - } - if (file == NULL) { - setbuf(stdin, NULL); /* don't do buffered reads */ - BIO_set_fp(cert, stdin, BIO_NOCLOSE); - } else { - if (BIO_read_filename(cert, file) <= 0) { - BIO_printf(err, "Error opening %s %s\n", cert_descrip, file); - ERR_print_errors(err); - goto end; - } - } + unbuffer(stdin); + cert = dup_bio_in(); + } else + cert = bio_open_default(file, RB(format)); + if (cert == NULL) + goto end; if (format == FORMAT_ASN1) x = d2i_X509_bio(cert, NULL); @@ -883,7 +650,7 @@ X509 *load_cert(BIO *err, const char *file, int format, if ((strncmp(NETSCAPE_CERT_HDR, (char *)nx->header->data, nx->header->length) != 0)) { NETSCAPE_X509_free(nx); - BIO_printf(err, "Error reading header on certificate\n"); + BIO_printf(bio_err, "Error reading header on certificate\n"); goto end; } x = nx->cert; 
@@ -893,16 +660,16 @@ X509 *load_cert(BIO *err, const char *file, int format, x = PEM_read_bio_X509_AUX(cert, NULL, (pem_password_cb *)password_callback, NULL); else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) + if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) goto end; } else { - BIO_printf(err, "bad input format specified for %s\n", cert_descrip); + BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip); goto end; } end: if (x == NULL) { - BIO_printf(err, "unable to load certificate\n"); - ERR_print_errors(err); + BIO_printf(bio_err, "unable to load certificate\n"); + ERR_print_errors(bio_err); } if (cert != NULL) BIO_free(cert); @@ -915,24 +682,13 @@ X509_CRL *load_crl(const char *infile, int format) BIO *in = NULL; if (format == FORMAT_HTTP) { - load_cert_crl_http(infile, bio_err, NULL, &x); + load_cert_crl_http(infile, NULL, &x); return x; } - in = BIO_new(BIO_s_file()); - if (in == NULL) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, RB(format)); + if (in == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } if (format == FORMAT_ASN1) x = d2i_X509_CRL_bio(in, NULL); else if (format == FORMAT_PEM) @@ -952,7 +708,7 @@ X509_CRL *load_crl(const char *infile, int format) return (x); } -EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, +EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip) { BIO *key = NULL; 
@@ -963,36 +719,30 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(err, "no keyfile specified\n"); + BIO_printf(bio_err, "no keyfile specified\n"); goto end; } #ifndef OPENSSL_NO_ENGINE if (format == FORMAT_ENGINE) { if (!e) - BIO_printf(err, "no engine specified\n"); + BIO_printf(bio_err, "no engine specified\n"); else { pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); if (!pkey) { - BIO_printf(err, "cannot load %s from engine\n", key_descrip); - ERR_print_errors(err); + BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + ERR_print_errors(bio_err); } } goto end; } #endif - key = BIO_new(BIO_s_file()); - if (key == NULL) { - ERR_print_errors(err); - goto end; - } if (file == NULL && maybe_stdin) { - setbuf(stdin, NULL); /* don't do buffered reads */ - BIO_set_fp(key, stdin, BIO_NOCLOSE); - } else if (BIO_read_filename(key, file) <= 0) { - BIO_printf(err, "Error opening %s %s\n", key_descrip, file); - ERR_print_errors(err); + unbuffer(stdin); + key = dup_bio_in(); + } else + key = bio_open_default(file, RB(format)); + if (key == NULL) goto end; - } if (format == FORMAT_ASN1) { pkey = d2i_PrivateKey_bio(key, NULL); } else if (format == FORMAT_PEM) { @@ -1001,11 +751,11 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, &cb_data); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) - else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) - pkey = load_netscape_key(err, key, file, key_descrip, format); + else if (format == FORMAT_NETSCAPE) + pkey = load_netscape_key(key, file, key_descrip, format); #endif else if (format == FORMAT_PKCS12) { - if (!load_pkcs12(err, key, key_descrip, + if (!load_pkcs12(key, key_descrip, (pem_password_cb *)password_callback, &cb_data, &pkey, NULL, NULL)) goto end; 
@@ -1018,20 +768,27 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, &cb_data); #endif else { - BIO_printf(err, "bad input format specified for key file\n"); + BIO_printf(bio_err, "bad input format specified for key file\n"); goto end; } end: if (key != NULL) BIO_free(key); if (pkey == NULL) { - BIO_printf(err, "unable to load %s\n", key_descrip); - ERR_print_errors(err); + BIO_printf(bio_err, "unable to load %s\n", key_descrip); + ERR_print_errors(bio_err); } return (pkey); } -EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, +static const char *key_file_format(int format) +{ + if (format == FORMAT_PEM || format == FORMAT_PEMRSA) + return "r"; + return "rb"; +} + +EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip) { BIO *key = NULL; @@ -1042,7 +799,7 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, cb_data.prompt_info = file; if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { - BIO_printf(err, "no keyfile specified\n"); + BIO_printf(bio_err, "no keyfile specified\n"); goto end; } #ifndef OPENSSL_NO_ENGINE @@ -1054,19 +811,13 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, goto end; } #endif - key = BIO_new(BIO_s_file()); - if (key == NULL) { - ERR_print_errors(err); - goto end; - } if (file == NULL && maybe_stdin) { - setbuf(stdin, NULL); /* don't do buffered reads */ - BIO_set_fp(key, stdin, BIO_NOCLOSE); - } else if (BIO_read_filename(key, file) <= 0) { - BIO_printf(err, "Error opening %s %s\n", key_descrip, file); - ERR_print_errors(err); + unbuffer(stdin); + key = dup_bio_in(); + } else + key = bio_open_default(file, key_file_format(format)); + if (key == NULL) goto end; - } if (format == FORMAT_ASN1) { pkey = d2i_PUBKEY_bio(key, NULL); } 
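Review bot: The new `key_file_format()` helper duplicates a decision that the rest of this patch makes with `RB(format)`: load_cert, load_crl and load_key open their input with `bio_open_default(file, RB(format))`, while load_pubkey in the following hunks uses `bio_open_default(file, key_file_format(format))`. `RB` is defined outside this diff, so I cannot tell whether the two agree for every format. If they do, load_pubkey should call `RB(format)` and the helper can be dropped; if they do not, `key_file_format` needs a comment explaining why public keys follow a different text/binary rule.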
@@ -1101,26 +852,23 @@ EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, &cb_data); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) - else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC) - pkey = load_netscape_key(err, key, file, key_descrip, format); + else if (format == FORMAT_NETSCAPE) + pkey = load_netscape_key(key, file, key_descrip, format); #endif #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) else if (format == FORMAT_MSBLOB) pkey = b2i_PublicKey_bio(key); #endif - else { - BIO_printf(err, "bad input format specified for key file\n"); - goto end; - } end: - BIO_free(key); + if (key != NULL) + BIO_free(key); if (pkey == NULL) - BIO_printf(err, "unable to load %s\n", key_descrip); + BIO_printf(bio_err, "unable to load %s\n", key_descrip); return (pkey); } #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA) -static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file, +static EVP_PKEY *load_netscape_key(BIO *key, const char *file, const char *key_descrip, int format) { EVP_PKEY *pkey; @@ -1142,13 +890,12 @@ static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file, if (i == 0) break; if (i < 0) { - BIO_printf(err, "Error reading %s %s", key_descrip, file); + BIO_printf(bio_err, "Error reading %s %s", key_descrip, file); goto error; } } p = (unsigned char *)buf->data; - rsa = d2i_RSA_NET(NULL, &p, (long)size, NULL, - (format == FORMAT_IISSGC ? 1 : 0)); + rsa = d2i_RSA_NET(NULL, &p, (long)size, NULL, 0); if (rsa == NULL) goto error; BUF_MEM_free(buf); @@ -1161,7 +908,7 @@ static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file, } #endif /* ndef OPENSSL_NO_RC4 */ -static int load_certs_crls(BIO *err, const char *file, int format, +static int load_certs_crls(const char *file, int format, const char *pass, ENGINE *e, const char *desc, STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls) 
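Review bot: With the final `else` branch removed from load_pubkey, an unsupported `format` now falls through to `end:` and is reported only through the generic `unable to load %s` message, and unlike load_key this path never prints the error queue. A parse failure and a wrong format value therefore look the same to the user. I would keep the explicit `bad input format specified for key file` branch and add `ERR_print_errors(bio_err);` after the `unable to load` message, as load_key does. The start of load_pubkey lies in earlier hunks.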
@@ -1177,20 +924,13 @@ static int load_certs_crls(BIO *err, const char *file, int format, cb_data.prompt_info = file; if (format != FORMAT_PEM) { - BIO_printf(err, "bad input format specified for %s\n", desc); + BIO_printf(bio_err, "bad input format specified for %s\n", desc); return 0; } - if (file == NULL) - bio = BIO_new_fp(stdin, BIO_NOCLOSE); - else - bio = BIO_new_file(file, "r"); - - if (bio == NULL) { - BIO_printf(err, "Error opening %s %s\n", desc, file ? file : "stdin"); - ERR_print_errors(err); + bio = bio_open_default(file, "r"); + if (bio == NULL) return 0; - } xis = PEM_X509_INFO_read_bio(bio, NULL, (pem_password_cb *)password_callback, @@ -1244,27 +984,27 @@ static int load_certs_crls(BIO *err, const char *file, int format, sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); *pcrls = NULL; } - BIO_printf(err, "unable to load %s\n", + BIO_printf(bio_err, "unable to load %s\n", pcerts ? "certificates" : "CRLs"); - ERR_print_errors(err); + ERR_print_errors(bio_err); } return rv; } -STACK_OF(X509) *load_certs(BIO *err, const char *file, int format, +STACK_OF(X509) *load_certs(const char *file, int format, const char *pass, ENGINE *e, const char *desc) { STACK_OF(X509) *certs; - if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL)) + if (!load_certs_crls(file, format, pass, e, desc, &certs, NULL)) return NULL; return certs; } -STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, +STACK_OF(X509_CRL) *load_crls(const char *file, int format, const char *pass, ENGINE *e, const char *desc) { STACK_OF(X509_CRL) *crls; - if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls)) + if (!load_certs_crls(file, format, pass, e, desc, NULL, &crls)) return NULL; return crls; } 
@@ -1469,18 +1209,56 @@ void print_name(BIO *out, const char *title, X509_NAME *nm, } } -X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) +void print_bignum_var(BIO *out, BIGNUM *in, const char *var, + int len, unsigned char *buffer) { - X509_STORE *store; + BIO_printf(out, " static unsigned char %s_%d[] = {", var, len); + if (BN_is_zero(in)) + BIO_printf(out, "\n\t0x00"); + else { + int i, l; + + l = BN_bn2bin(in, buffer); + for (i = 0; i < l; i++) { + if ((i % 10) == 0) + BIO_printf(out, "\n\t"); + if (i < l - 1) + BIO_printf(out, "0x%02X, ", buffer[i]); + else + BIO_printf(out, "0x%02X", buffer[i]); + } + } + BIO_printf(out, "\n };\n"); +} +void print_array(BIO *out, const char* title, int len, const unsigned char* d) +{ + int i; + + BIO_printf(out, "unsigned char %s[%d] = {", title, len); + for (i = 0; i < len; i++) { + if ((i % 10) == 0) + BIO_printf(out, "\n "); + if (i < len - 1) + BIO_printf(out, "0x%02X, ", d[i]); + else + BIO_printf(out, "0x%02X", d[i]); + } + BIO_printf(out, "\n};\n"); +} + +X509_STORE *setup_verify(char *CAfile, char *CApath) +{ + X509_STORE *store = X509_STORE_new(); X509_LOOKUP *lookup; - if (!(store = X509_STORE_new())) + + if (!store) goto end; lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto end; if (CAfile) { if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) { - BIO_printf(bp, "Error loading file %s\n", CAfile); + BIO_printf(bio_err, "Error loading file %s\n", CAfile); goto end; } } else @@ -1491,7 +1269,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) goto end; if (CApath) { if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) { - BIO_printf(bp, "Error loading directory %s\n", CApath); + BIO_printf(bio_err, "Error loading directory %s\n", CApath); goto end; } } else 
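Review bot: print_bignum_var calls `BN_bn2bin(in, buffer)` on a caller-supplied `buffer` whose size is never passed in; the `len` argument is used only to build the `%s_%d` array name. BN_bn2bin writes BN_num_bytes(in) bytes, so a caller that sizes the buffer from anything else can be overrun. At minimum the function needs a comment such as `/* buffer must hold at least BN_num_bytes(in) bytes; len only forms the array name */`; a size parameter checked against `BN_num_bytes(in)` would be safer. As a style point, print_array declares `const char* title` and `const unsigned char* d`, while the rest of the file binds `*` to the name.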
@@ -1506,7 +1284,7 @@ X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath) #ifndef OPENSSL_NO_ENGINE /* Try to load an engine in a shareable library */ -static ENGINE *try_load_engine(BIO *err, const char *engine, int debug) +static ENGINE *try_load_engine(const char *engine, int debug) { ENGINE *e = ENGINE_by_id("dynamic"); if (e) { @@ -1519,34 +1297,34 @@ static ENGINE *try_load_engine(BIO *err, const char *engine, int debug) return e; } -ENGINE *setup_engine(BIO *err, const char *engine, int debug) +ENGINE *setup_engine(const char *engine, int debug) { ENGINE *e = NULL; if (engine) { if (strcmp(engine, "auto") == 0) { - BIO_printf(err, "enabling auto ENGINE support\n"); + BIO_printf(bio_err, "enabling auto ENGINE support\n"); ENGINE_register_all_complete(); return NULL; } if ((e = ENGINE_by_id(engine)) == NULL - && (e = try_load_engine(err, engine, debug)) == NULL) { - BIO_printf(err, "invalid engine \"%s\"\n", engine); - ERR_print_errors(err); + && (e = try_load_engine(engine, debug)) == NULL) { + BIO_printf(bio_err, "invalid engine \"%s\"\n", engine); + ERR_print_errors(bio_err); return NULL; } if (debug) { - ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, err, 0); + ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0); } ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1); if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { - BIO_printf(err, "can't use that engine\n"); - ERR_print_errors(err); + BIO_printf(bio_err, "can't use that engine\n"); + ERR_print_errors(bio_err); ENGINE_free(e); return NULL; } - BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e)); + BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e)); /* Free our "structural" reference. */ ENGINE_free(e); 
@@ -1555,46 +1333,6 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) } #endif -int load_config(BIO *err, CONF *cnf) -{ - static int load_config_called = 0; - if (load_config_called) - return 1; - load_config_called = 1; - if (!cnf) - cnf = config; - if (!cnf) - return 1; - - OPENSSL_load_builtin_modules(); - - if (CONF_modules_load(cnf, NULL, 0) <= 0) { - BIO_printf(err, "Error configuring OpenSSL\n"); - ERR_print_errors(err); - return 0; - } - return 1; -} - -char *make_config_name() -{ - const char *t = X509_get_default_cert_area(); - size_t len; - char *p; - - len = strlen(t) + strlen(OPENSSL_CONF) + 2; - p = OPENSSL_malloc(len); - if (p == NULL) - return NULL; - BUF_strlcpy(p, t, len); -#ifndef OPENSSL_SYS_VMS - BUF_strlcat(p, "/", len); -#endif - BUF_strlcat(p, OPENSSL_CONF, len); - - return p; -} - static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) { const char *n; @@ -1647,20 +1385,16 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) if (ai == NULL) goto err; - if ((in = BIO_new(BIO_s_file())) == NULL) { - ERR_print_errors(bio_err); - goto err; - } - - if (BIO_read_filename(in, serialfile) <= 0) { + in = BIO_new_file(serialfile, "r"); + if (in == NULL) { if (!create) { perror(serialfile); goto err; - } else { - ret = BN_new(); - if (ret == NULL || !rand_serial(ret, ai)) - BIO_printf(bio_err, "Out of memory\n"); } + ERR_clear_error(); + ret = BN_new(); + if (ret == NULL || !rand_serial(ret, ai)) + BIO_printf(bio_err, "Out of memory\n"); } else { if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { BIO_printf(bio_err, "unable to load number from %s\n", 
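Review bot: In load_serial the create branch now calls `ERR_clear_error()` after any `BIO_new_file` failure, so an existing serial file that cannot be opened (for example because of its permissions) is handled exactly like a missing one: a random serial is generated and the reason for the failure is discarded. For a CA serial file that deserves at least a comment at that point, for example `/* any open failure, not only a missing file, falls back to a fresh random serial */`, so the behaviour is a visible decision. In the `!create` path, `perror(serialfile)` relies on errno still describing the fopen failure after BIO_new_file has returned; printing the error queue with `ERR_print_errors(bio_err);` would not depend on that. The rest of load_serial is outside this hunk.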
@@ -1716,15 +1450,11 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial, #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); #endif - out = BIO_new(BIO_s_file()); + out = BIO_new_file(buf[0], "w"); if (out == NULL) { ERR_print_errors(bio_err); goto err; } - if (BIO_write_filename(out, buf[0]) <= 0) { - perror(serialfile); - goto err; - } if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) { BIO_printf(bio_err, "error converting serial to ASN.1 format\n"); @@ -1828,20 +1558,16 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) { CA_DB *retdb = NULL; TXT_DB *tmpdb = NULL; - BIO *in = BIO_new(BIO_s_file()); + BIO *in; CONF *dbattr_conf = NULL; char buf[1][BSIZE]; long errorline = -1; + in = BIO_new_file(dbfile, "r"); if (in == NULL) { ERR_print_errors(bio_err); goto err; } - if (BIO_read_filename(in, dbfile) <= 0) { - perror(dbfile); - BIO_printf(bio_err, "unable to open '%s'\n", dbfile); - goto err; - } if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) goto err; @@ -1921,14 +1647,9 @@ int index_index(CA_DB *db) int save_index(const char *dbfile, const char *suffix, CA_DB *db) { char buf[3][BSIZE]; - BIO *out = BIO_new(BIO_s_file()); + BIO *out; int j; - if (out == NULL) { - ERR_print_errors(bio_err); - goto err; - } - j = strlen(dbfile) + strlen(suffix); if (j + 6 >= BSIZE) { BIO_printf(bio_err, "file name too long\n"); 
@@ -1952,22 +1673,22 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); #endif - if (BIO_write_filename(out, buf[0]) <= 0) { + out = BIO_new_file(buf[0], "w"); + if (out == NULL) { perror(dbfile); BIO_printf(bio_err, "unable to open '%s'\n", dbfile); goto err; } j = TXT_DB_write(out, db->db); + BIO_free(out); if (j <= 0) goto err; - BIO_free(out); - - out = BIO_new(BIO_s_file()); + out = BIO_new_file(buf[1], "w"); #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); #endif - if (BIO_write_filename(out, buf[1]) <= 0) { + if (out == NULL) { perror(buf[2]); BIO_printf(bio_err, "unable to open '%s'\n", buf[2]); goto err; 
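Review bot: Both open-failure branches in save_index report a different path than the one just passed to `BIO_new_file`: the first opens `buf[0]` but prints `dbfile`, and the second opens `buf[1]` but prints `buf[2]`. How the `buf[]` entries are built is outside the hunk, but if they are the suffixed temporary names, the message points an operator at the wrong file when the CA database cannot be written. Suggest `perror(buf[0]);` with `BIO_printf(bio_err, "unable to open '%s'\n", buf[0]);`, and the same with `buf[1]` in the second branch.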
@@ -2239,189 +1960,6 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn) return NULL; } -int args_verify(char ***pargs, int *pargc, - int *badarg, BIO *err, X509_VERIFY_PARAM **pm) -{ - ASN1_OBJECT *otmp = NULL; - unsigned long flags = 0; - int i; - int purpose = 0, depth = -1; - char **oldargs = *pargs; - char *arg = **pargs, *argn = (*pargs)[1]; - const X509_VERIFY_PARAM *vpm = NULL; - time_t at_time = 0; - char *hostname = NULL; - char *email = NULL; - char *ipasc = NULL; - if (!strcmp(arg, "-policy")) { - if (!argn) - *badarg = 1; - else { - otmp = OBJ_txt2obj(argn, 0); - if (!otmp) { - BIO_printf(err, "Invalid Policy \"%s\"\n", argn); - *badarg = 1; - } - } - (*pargs)++; - } else if (strcmp(arg, "-purpose") == 0) { - X509_PURPOSE *xptmp; - if (!argn) - *badarg = 1; - else { - i = X509_PURPOSE_get_by_sname(argn); - if (i < 0) { - BIO_printf(err, "unrecognized purpose\n"); - *badarg = 1; - } else { - xptmp = X509_PURPOSE_get0(i); - purpose = X509_PURPOSE_get_id(xptmp); - } - } - (*pargs)++; - } else if (strcmp(arg, "-verify_name") == 0) { - if (!argn) - *badarg = 1; - else { - vpm = X509_VERIFY_PARAM_lookup(argn); - if (!vpm) { - BIO_printf(err, "unrecognized verify name\n"); - *badarg = 1; - } - } - (*pargs)++; - } else if (strcmp(arg, "-verify_depth") == 0) { - if (!argn) - *badarg = 1; - else { - depth = atoi(argn); - if (depth < 0) { - BIO_printf(err, "invalid depth\n"); - *badarg = 1; - } - } - (*pargs)++; - } else if (strcmp(arg, "-attime") == 0) { - if (!argn) - *badarg = 1; - else { - long timestamp; - /* - * interpret the -attime argument as seconds since Epoch - */ - if (sscanf(argn, "%li", ×tamp) != 1) { - BIO_printf(bio_err, "Error parsing timestamp %s\n", argn); - *badarg = 1; - } - /* on some platforms time_t may be a float */ - at_time = (time_t)timestamp; - } - (*pargs)++; - } else if (strcmp(arg, "-verify_hostname") == 0) { - if (!argn) - *badarg = 1; - hostname = argn; - (*pargs)++; - } else if (strcmp(arg, "-verify_email") == 0) 
{ - if (!argn) - *badarg = 1; - email = argn; - (*pargs)++; - } else if (strcmp(arg, "-verify_ip") == 0) { - if (!argn) - *badarg = 1; - ipasc = argn; - (*pargs)++; - } else if (!strcmp(arg, "-ignore_critical")) - flags |= X509_V_FLAG_IGNORE_CRITICAL; - else if (!strcmp(arg, "-issuer_checks")) - flags |= X509_V_FLAG_CB_ISSUER_CHECK; - else if (!strcmp(arg, "-crl_check")) - flags |= X509_V_FLAG_CRL_CHECK; - else if (!strcmp(arg, "-crl_check_all")) - flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL; - else if (!strcmp(arg, "-policy_check")) - flags |= X509_V_FLAG_POLICY_CHECK; - else if (!strcmp(arg, "-explicit_policy")) - flags |= X509_V_FLAG_EXPLICIT_POLICY; - else if (!strcmp(arg, "-inhibit_any")) - flags |= X509_V_FLAG_INHIBIT_ANY; - else if (!strcmp(arg, "-inhibit_map")) - flags |= X509_V_FLAG_INHIBIT_MAP; - else if (!strcmp(arg, "-x509_strict")) - flags |= X509_V_FLAG_X509_STRICT; - else if (!strcmp(arg, "-extended_crl")) - flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT; - else if (!strcmp(arg, "-use_deltas")) - flags |= X509_V_FLAG_USE_DELTAS; - else if (!strcmp(arg, "-policy_print")) - flags |= X509_V_FLAG_NOTIFY_POLICY; - else if (!strcmp(arg, "-check_ss_sig")) - flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; - else if (!strcmp(arg, "-trusted_first")) - flags |= X509_V_FLAG_TRUSTED_FIRST; - else if (!strcmp(arg, "-suiteB_128_only")) - flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY; - else if (!strcmp(arg, "-suiteB_128")) - flags |= X509_V_FLAG_SUITEB_128_LOS; - else if (!strcmp(arg, "-suiteB_192")) - flags |= X509_V_FLAG_SUITEB_192_LOS; - else if (!strcmp(arg, "-partial_chain")) - flags |= X509_V_FLAG_PARTIAL_CHAIN; - else if (!strcmp(arg, "-no_alt_chains")) - flags |= X509_V_FLAG_NO_ALT_CHAINS; - else - return 0; - - if (*badarg) { - if (*pm) - X509_VERIFY_PARAM_free(*pm); - *pm = NULL; - goto end; - } - - if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) { - *badarg = 1; - goto end; - } - - if (vpm) - X509_VERIFY_PARAM_set1(*pm, vpm); - - if (otmp) - 
X509_VERIFY_PARAM_add0_policy(*pm, otmp); - if (flags) - X509_VERIFY_PARAM_set_flags(*pm, flags); - - if (purpose) - X509_VERIFY_PARAM_set_purpose(*pm, purpose); - - if (depth >= 0) - X509_VERIFY_PARAM_set_depth(*pm, depth); - - if (at_time) - X509_VERIFY_PARAM_set_time(*pm, at_time); - - if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0)) - *badarg = 1; - - if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0)) - *badarg = 1; - - if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc)) - *badarg = 1; - - end: - - (*pargs)++; - - if (pargc) - *pargc -= *pargs - oldargs; - - return 1; - -} - /* * Read whole contents of a BIO into an allocated memory buffer and return * it. @@ -2495,11 +2033,6 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) { X509_POLICY_TREE *tree; int explicit_policy; - int free_out = 0; - if (out == NULL) { - out = BIO_new_fp(stderr, BIO_NOCLOSE); - free_out = 1; - } tree = X509_STORE_CTX_get0_policy_tree(ctx); explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); @@ -2508,8 +2041,6 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx) nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree)); nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree)); - if (free_out) - BIO_free(out); } #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) @@ -2788,14 +2319,15 @@ void print_cert_checks(BIO *bio, X509 *x, return; if (checkhost) { BIO_printf(bio, "Hostname %s does%s match certificate\n", - checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1 - ? "" : " NOT"); + checkhost, + X509_check_host(x, checkhost, 0, 0, NULL) == 1 + ? "" : " NOT"); } if (checkemail) { BIO_printf(bio, "Email %s does%s match certificate\n", - checkemail, X509_check_email(x, checkemail, 0, - 0) ? "" : " NOT"); + checkemail, X509_check_email(x, checkemail, 0, 0) + ? "" : " NOT"); } if (checkip) { 
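Review bot: policies_print no longer substitutes a stderr BIO when `out` is NULL (this hunk and the following one at -2508 remove the `free_out` handling), so `out` now reaches `nodes_print` exactly as the caller supplied it. The callers are not part of these hunks, so it is worth confirming that none still passes NULL, for instance from a verify callback. A one-line contract comment above the function would make the new requirement explicit: `/* out must be a valid BIO; NULL is no longer replaced by stderr. */`.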
@@ -2857,13 +2389,16 @@ static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm) STACK_OF(X509_CRL) *crls = NULL; X509_CRL *crl; STACK_OF(DIST_POINT) *crldp; + + crls = sk_X509_CRL_new_null(); + if (!crls) + return NULL; x = X509_STORE_CTX_get_current_cert(ctx); crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); crl = load_crl_crldp(crldp); sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); if (!crl) return NULL; - crls = sk_X509_CRL_new_null(); sk_X509_CRL_push(crls, crl); /* Try to download delta CRL */ crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL); @@ -2992,15 +2527,14 @@ double app_tminterval(int stop, int usertime) return (ret); } - #elif defined(OPENSSL_SYS_NETWARE) # include double app_tminterval(int stop, int usertime) { - double ret = 0; static clock_t tmstart; static int warning = 1; + double ret = 0; if (usertime && warning) { BIO_printf(bio_err, "To get meaningful results, run " @@ -3016,6 +2550,7 @@ double app_tminterval(int stop, int usertime) return (ret); } + #elif defined(OPENSSL_SYSTEM_VXWORKS) # include @@ -3136,6 +2671,15 @@ double app_tminterval(int stop, int usertime) } #endif +int app_access(const char* name, int flag) +{ +#ifdef _WIN32 + return _access(name, flag); +#else + return access(name, flag); +#endif +} + /* app_isdir section */ #ifdef _WIN32 int app_isdir(const char *name) diff --git a/apps/apps.h b/apps/apps.h index 2e346f9..ad17b1a 100644 --- a/apps/apps.h +++ b/apps/apps.h 
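Review bot: In crls_http_cb, moving `sk_X509_CRL_new_null()` ahead of the download introduces a leak, because the existing `if (!crl) return NULL;` now returns without releasing the freshly allocated `crls` stack. The early return should free it first: `if (!crl) { sk_X509_CRL_free(crls); return NULL; }`. The result of `sk_X509_CRL_push(crls, crl)` is also unchecked, so a failed push would leak `crl` and hand back an empty stack. The function continues past the end of the hunk (delta CRL handling), so later exits are not visible here.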
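Review bot: The new app_access wrapper has no comment, and `access()`/`_access()` results are only a snapshot. A file can be replaced or have its permissions changed between this check and a later open, so the result must not stand in for handling the open failure itself. Suggest documenting that at the definition: `/* Advisory check only; callers must still handle failure of the subsequent open. */`. As a style point, `const char* name` should be `const char *name` to match the prototype added to apps.h.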
@@ -126,9 +126,18 @@ # include # endif # include +# ifndef OPENSSL_SYS_NETWARE +# include +# endif -int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn); -int app_RAND_write_file(const char *file, BIO *bio_e); +# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) +# define openssl_fdset(a,b) FD_SET((unsigned int)a, b) +# else +# define openssl_fdset(a,b) FD_SET(a, b) +# endif + +int app_RAND_load_file(const char *file, int dont_warn); +int app_RAND_write_file(const char *file); /* * When `file' is NULL, use defaults. `bio_e' is for error messages. */ 
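Review bot: The comment under the two app_RAND prototypes is stale. It is kept as a context line and still says that `bio_e` is for error messages, but this hunk removes the `bio_e` parameter from both `app_RAND_load_file` and `app_RAND_write_file`. The comment should drop that sentence, for example `/* When 'file' is NULL, use defaults. */`, and if errors now go to the global `bio_err` (not visible in this hunk) it should say so.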
@@ -138,82 +147,246 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read, * (see e_os.h). The string is * destroyed! */ -# ifndef MONOLITH - -# define MAIN(a,v) main(a,v) - -# ifndef NON_MAIN -CONF *config = NULL; -BIO *bio_err = NULL; -# else -extern CONF *config; -extern BIO *bio_err; -# endif - -# else - -# define MAIN(a,v) PROG(a,v) extern CONF *config; extern char *default_config_file; +extern BIO *bio_in; +extern BIO *bio_out; extern BIO *bio_err; +BIO *dup_bio_in(void); +BIO *dup_bio_out(void); +BIO *bio_open_default(const char *filename, const char *mode); +void unbuffer(FILE *fp); -# endif +/* Often used in calls to bio_open_default. */ +# define RB(xformat) ((xformat) == FORMAT_ASN1 ? "rb" : "r") +# define WB(xformat) ((xformat) == FORMAT_ASN1 ? "wb" : "w") -# ifndef OPENSSL_SYS_NETWARE -# include -# endif - -# ifdef SIGPIPE -# define do_pipe_sig() signal(SIGPIPE,SIG_IGN) -# else -# define do_pipe_sig() -# endif +/* + * Common verification options. + */ +# define OPT_V_ENUM \ + OPT_V__FIRST=2000, \ + OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \ + OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \ + OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \ + OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \ + OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \ + OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \ + OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ + OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ + OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \ + OPT_V__LAST + +# define OPT_V_OPTIONS \ + { "policy", OPT_V_POLICY, 's' }, \ + { "purpose", OPT_V_PURPOSE, 's' }, \ + { "verify_name", OPT_V_VERIFY_NAME, 's' }, \ + { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \ + { "attime", OPT_V_ATTIME, 'p' }, \ + { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \ + { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \ + { "verify_ip", OPT_V_VERIFY_IP, 
's' }, \ + { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \ + { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \ + { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \ + { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \ + { "policy_check", OPT_V_POLICY_CHECK, '-' }, \ + { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \ + { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \ + { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \ + { "x509_strict", OPT_V_X509_STRICT, '-' }, \ + { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \ + { "use_deltas", OPT_V_USE_DELTAS, '-' }, \ + { "policy_print", OPT_V_POLICY_PRINT, '-' }, \ + { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \ + { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \ + { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \ + { "suiteB_128", OPT_V_SUITEB_128, '-' }, \ + { "suiteB_192", OPT_V_SUITEB_192, '-' }, \ + { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \ + { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" } + +# define OPT_V_CASES \ + OPT_V__FIRST: case OPT_V__LAST: break; \ + case OPT_V_POLICY: \ + case OPT_V_PURPOSE: \ + case OPT_V_VERIFY_NAME: \ + case OPT_V_VERIFY_DEPTH: \ + case OPT_V_ATTIME: \ + case OPT_V_VERIFY_HOSTNAME: \ + case OPT_V_VERIFY_EMAIL: \ + case OPT_V_VERIFY_IP: \ + case OPT_V_IGNORE_CRITICAL: \ + case OPT_V_ISSUER_CHECKS: \ + case OPT_V_CRL_CHECK: \ + case OPT_V_CRL_CHECK_ALL: \ + case OPT_V_POLICY_CHECK: \ + case OPT_V_EXPLICIT_POLICY: \ + case OPT_V_INHIBIT_ANY: \ + case OPT_V_INHIBIT_MAP: \ + case OPT_V_X509_STRICT: \ + case OPT_V_EXTENDED_CRL: \ + case OPT_V_USE_DELTAS: \ + case OPT_V_POLICY_PRINT: \ + case OPT_V_CHECK_SS_SIG: \ + case OPT_V_TRUSTED_FIRST: \ + case OPT_V_SUITEB_128_ONLY: \ + case OPT_V_SUITEB_128: \ + case OPT_V_SUITEB_192: \ + case OPT_V_PARTIAL_CHAIN: \ + case OPT_V_NO_ALT_CHAINS -# ifdef OPENSSL_NO_COMP -# define zlib_cleanup() -# 
else -# define zlib_cleanup() COMP_zlib_cleanup() -# endif +/* + * Common "extended"? options. + */ +# define OPT_X_ENUM \ + OPT_X__FIRST=1000, \ + OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \ + OPT_X_CERTFORM, OPT_X_KEYFORM, \ + OPT_X__LAST + +# define OPT_X_OPTIONS \ + { "xkey", OPT_X_KEY, '<' }, \ + { "xcert", OPT_X_CERT, '<' }, \ + { "xchain", OPT_X_CHAIN, '<' }, \ + { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \ + { "xcertform", OPT_X_CERTFORM, 'F' }, \ + { "xkeyform", OPT_X_KEYFORM, 'F' } + +# define OPT_X_CASES \ + OPT_X__FIRST: case OPT_X__LAST: break; \ + case OPT_X_KEY: \ + case OPT_X_CERT: \ + case OPT_X_CHAIN: \ + case OPT_X_CHAIN_BUILD: \ + case OPT_X_CERTFORM: \ + case OPT_X_KEYFORM -# if defined(MONOLITH) && !defined(OPENSSL_C) -# define apps_startup() \ - do_pipe_sig() -# define apps_shutdown() -# else -# ifndef OPENSSL_NO_ENGINE -# define apps_startup() \ - do { do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - ENGINE_load_builtin_engines(); setup_ui_method(); } while(0) -# define apps_shutdown() \ - do { CONF_modules_unload(1); destroy_ui_method(); \ - OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ - RAND_cleanup(); \ - ERR_free_strings(); zlib_cleanup();} while(0) -# else -# define apps_startup() \ - do { do_pipe_sig(); CRYPTO_malloc_init(); \ - ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ - setup_ui_method(); } while(0) -# define apps_shutdown() \ - do { CONF_modules_unload(1); destroy_ui_method(); \ - OBJ_cleanup(); EVP_cleanup(); \ - CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ - RAND_cleanup(); \ - ERR_free_strings(); zlib_cleanup(); } while(0) -# endif -# endif +/* + * Common SSL options. 
+ * Any changes here must be coordinated with ../ssl/ssl_conf.c + */ +# define OPT_S_ENUM \ + OPT_S__FIRST=3000, \ + OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \ + OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \ + OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ + OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ + OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ + OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \ + OPT_S__LAST + +# define OPT_S_OPTIONS \ + {"no_ssl3", OPT_S_NOSSL3, '-' }, \ + {"no_tls1", OPT_S_NOTLS1, '-' }, \ + {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \ + {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \ + {"bugs", OPT_S_BUGS, '-' }, \ + {"no_comp", OPT_S_NOCOMP, '-' }, \ + {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \ + {"no_ticket", OPT_S_NOTICKET, '-' }, \ + {"serverpref", OPT_S_SERVERPREF, '-' }, \ + {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \ + {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \ + {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \ + {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \ + {"strict", OPT_S_STRICT, '-' }, \ + {"sigalgs", OPT_S_SIGALGS, 's', }, \ + {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', }, \ + {"curves", OPT_S_CURVES, 's', }, \ + {"named_curve", OPT_S_NAMEDCURVE, 's', }, \ + {"cipher", OPT_S_CIPHER, 's', }, \ + {"dhparam", OPT_S_DHPARAM, '<' }, \ + {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' } + +# define OPT_S_CASES \ + OPT_S__FIRST: case OPT_S__LAST: break; \ + case OPT_S_NOSSL3: \ + case OPT_S_NOTLS1: \ + case OPT_S_NOTLS1_1: \ + case OPT_S_NOTLS1_2: \ + case OPT_S_BUGS: \ + case OPT_S_NOCOMP: \ + case OPT_S_ECDHSINGLE: \ + case OPT_S_NOTICKET: \ + case OPT_S_SERVERPREF: \ + case OPT_S_LEGACYRENEG: \ + case OPT_S_LEGACYCONN: \ + case OPT_S_ONRESUMP: \ + case OPT_S_NOLEGACYCONN: \ + case OPT_S_STRICT: \ + case OPT_S_SIGALGS: \ + case OPT_S_CLIENTSIGALGS: \ + case OPT_S_CURVES: \ + case OPT_S_NAMEDCURVE: \ + case OPT_S_CIPHER: \ + case 
OPT_S_DHPARAM: \ + case OPT_S_DEBUGBROKE -# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) -# define openssl_fdset(a,b) FD_SET((unsigned int)a, b) -# else -# define openssl_fdset(a,b) FD_SET(a, b) -# endif +/* + * Option parsing. + */ +extern const char OPT_HELP_STR[]; +extern const char OPT_MORE_STR[]; +typedef struct options_st { + const char *name; + int retval; + /* + * value type: - no value (also the value zero), n number, p positive + * number, u unsigned, s string, < input file, > output file, f der/pem + * format, F any format identifier. n and u include zero; p does not. + */ + int valtype; + const char *helpstr; +} OPTIONS; + +typedef struct opt_pair_st { + const char *name; + int retval; +} OPT_PAIR; + +/* Flags to pass into opt_format; see FORMAT_xxx, below. */ +# define OPT_FMT_PEMDER (1L << 1) +# define OPT_FMT_PKCS12 (1L << 2) +# define OPT_FMT_SMIME (1L << 3) +# define OPT_FMT_ENGINE (1L << 4) +# define OPT_FMT_MSBLOB (1L << 5) +# define OPT_FMT_NETSCAPE (1L << 6) +# define OPT_FMT_NSS (1L << 7) +# define OPT_FMT_TEXT (1L << 8) +# define OPT_FMT_HTTP (1L << 9) +# define OPT_FMT_PVK (1L << 10) +# define OPT_FMT_ANY ( \ + OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ + OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \ + OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) + +char *opt_progname(const char *argv0); +char *opt_getprog(void); +char *opt_init(int ac, char **av, const OPTIONS * o); +int opt_next(); +int opt_format(const char *s, unsigned long flags, int *result); +int opt_int(const char *arg, int *result); +int opt_ulong(const char *arg, unsigned long *result); +int opt_long(const char *arg, long *result); +int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result); +int opt_cipher(const char *name, const EVP_CIPHER **cipherp); +int opt_md(const char *name, const EVP_MD **mdp); +char *opt_arg(void); +char *opt_flag(void); +char *opt_unknown(void); +char *opt_reset(void); +char **opt_rest(void); +int 
opt_num_rest(void); +int opt_verify(int i, X509_VERIFY_PARAM *vpm); +void opt_help(const OPTIONS * list); +int opt_format_error(const char *s, unsigned long flags); +int opt_next(void); typedef struct args_st { - char **data; - int count; + int size; + int argc; + char **argv; } ARGS; # define PW_MIN_LENGTH 4 
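Review bot: `opt_next` is declared twice in the new option-parsing block, first as `int opt_next();` and again at the end of the list as `int opt_next(void);`. The first form is an old-style declaration without a prototype, so a call with stray arguments would not be diagnosed by it. Drop the `int opt_next();` line and keep the `(void)` declaration.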
@@ -227,53 +400,48 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data); int setup_ui_method(void); void destroy_ui_method(void); -int should_retry(int i); -int args_from_file(char *file, int *argc, char **argv[]); -int str2fmt(char *s); -void program_name(char *in, char *out, int size); -int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]); +int chopup_args(ARGS *arg, char *buf); # ifdef HEADER_X509_H int dump_cert_text(BIO *out, X509 *x); void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags); # endif +void print_bignum_var(BIO *, BIGNUM *, const char*, int, unsigned char *); +void print_array(BIO *, const char *, int, const unsigned char *); int set_cert_ex(unsigned long *flags, const char *arg); int set_name_ex(unsigned long *flags, const char *arg); int set_ext_copy(int *copy_type, const char *arg); int copy_extensions(X509 *x, X509_REQ *req, int copy_type); -int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2); -int add_oid_section(BIO *err, CONF *conf); -X509 *load_cert(BIO *err, const char *file, int format, +int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2); +int add_oid_section(CONF *conf); +X509 *load_cert(const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); X509_CRL *load_crl(const char *infile, int format); -int load_cert_crl_http(const char *url, BIO *err, - X509 **pcert, X509_CRL **pcrl); -EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, +int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl); +EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); -EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin, +EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip); -STACK_OF(X509) *load_certs(BIO *err, const char *file, 
int format, +STACK_OF(X509) *load_certs(const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); -STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format, +STACK_OF(X509_CRL) *load_crls(const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip); -X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); +X509_STORE *setup_verify(char *CAfile, char *CApath); +int ctx_set_verify_locations(SSL_CTX *ctx, + const char *CAfile, const char *CApath); # ifndef OPENSSL_NO_ENGINE -ENGINE *setup_engine(BIO *err, const char *engine, int debug); +ENGINE *setup_engine(const char *engine, int debug); # endif - # ifndef OPENSSL_NO_OCSP -OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, +OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host, const char *path, const char *port, int use_ssl, const STACK_OF(CONF_VALUE) *headers, int req_timeout); # endif -int load_config(BIO *err, CONF *cnf); -char *make_config_name(void); - /* Functions defined in ca.c and also used in ocsp.c */ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, const char *str); 
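Review bot: The two new prototypes `print_bignum_var(BIO *, BIGNUM *, const char*, int, unsigned char *)` and `print_array(BIO *, const char *, int, const unsigned char *)` leave every parameter unnamed. Each pairs an `int` with a byte buffer, so a reader of the header cannot tell whether the `int` is the buffer length or something else, or who owns the buffer. The parameters should be named as in the definitions (not visible in this hunk), with a one-line comment stating the size requirement on the `unsigned char *` argument.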
@@ -318,17 +486,17 @@ int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, - int *badarg, BIO *err, X509_VERIFY_PARAM **pm); + int *badarg, X509_VERIFY_PARAM **pm); void policies_print(BIO *out, X509_STORE_CTX *ctx); int bio_to_mem(unsigned char **out, int maxlen, BIO *in); int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); -int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, +int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param); -int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); -int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); -int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts); # ifndef OPENSSL_NO_PSK extern char *psk_key; @@ -348,6 +516,7 @@ void print_cert_checks(BIO *bio, X509 *x, void store_setup_crl_download(X509_STORE *st); +/* See OPT_FMT_xxx, above. */ # define FORMAT_UNDEF 0 # define FORMAT_ASN1 1 # define FORMAT_TEXT 2 @@ -356,8 +525,6 @@ void store_setup_crl_download(X509_STORE *st); # define FORMAT_PKCS12 5 # define FORMAT_SMIME 6 # define FORMAT_ENGINE 7 -# define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid - * adding yet another param to load_*key() */ # define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */ # define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ # define FORMAT_MSBLOB 11 /* MS Key blob format */ 
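Review bot: The `args_verify` prototype is kept here with only its `BIO *err` parameter dropped, but the apps.c hunk earlier in this commit (at -2239) deletes the function's definition. The `opt_verify` declaration added to this header looks like its replacement. Unless another definition exists outside the visible hunks, this leaves a declaration with no implementation, and any remaining caller would only fail at link time. If nothing defines it any more, remove the prototype.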
@@ -376,6 +543,7 @@ void store_setup_crl_download(X509_STORE *st); # define SERIAL_RAND_BITS 64 int app_isdir(const char *); +int app_access(const char *, int flag); int raw_read_stdin(void *, int); int raw_write_stdout(const void *, int); @@ -383,4 +551,6 @@ int raw_write_stdout(const void *, int); # define TM_STOP 1 double app_tminterval(int stop, int usertime); +# include "progs.h" + #endif diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 1576f1c..e96491a 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -1,4 +1,3 @@ -/* apps/asn1pars.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -70,190 +69,136 @@ #include #include -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -in arg - input file - default stdin - * -i - indent the details by depth - * -offset - where in the file to start - * -length - how many bytes to use - * -oid file - extra oid description file - */ - -#undef PROG -#define PROG asn1parse_main - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT, + OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT, + OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM +} OPTION_CHOICE; + +OPTIONS asn1parse_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"}, + {"in", OPT_IN, '<', "input file"}, + {"out", OPT_OUT, '>', "output file (output format is always DER)"}, + {"i", OPT_INDENT, 0, "entries"}, + {"noout", OPT_NOOUT, 0, "don't produce any output"}, + {"offset", OPT_OFFSET, 'p', "offset into file"}, + {"length", OPT_LENGTH, 'p', "length of section in file"}, + {"oid", OPT_OID, '<', "file of extra oid definitions"}, + {"dump", OPT_DUMP, 0, "unknown data in hex form"}, + {"dlimit", OPT_DLIMIT, 'p', + "dump the first arg bytes of unknown data in hex form"}, + {"strparse", OPT_STRPARSE, 's', + "offset; a series of these can be used to 'dig'"}, + {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, + {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, + {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"}, + {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"}, + {"strictpem", OPT_STRICTPEM, 0, + "do not attempt base64 decode outside PEM markers"}, + {NULL} +}; static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf); -int MAIN(int argc, char **argv) +int asn1parse_main(int argc, char **argv) { - int i, badops = 0, offset = 0, ret = 1, j; - unsigned int length = 0; - long num, tmplen; - BIO *in = 
NULL, *out = NULL, *b64 = NULL, *derout = NULL; - int informat, indent = 0, noout = 0, dump = 0, strictpem = 0; - char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile = - NULL, *name = NULL, *header = NULL; - char *genstr = NULL, *genconf = NULL; - unsigned char *tmpbuf; - const unsigned char *ctmpbuf; + ASN1_TYPE *at = NULL; + BIO *in = NULL, *b64 = NULL, *derout = NULL; BUF_MEM *buf = NULL; STACK_OF(OPENSSL_STRING) *osk = NULL; - ASN1_TYPE *at = NULL; - - informat = FORMAT_PEM; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); + char *genstr = NULL, *genconf = NULL; + char *infile = NULL, *str = NULL, *oidfile = NULL, *derfile = NULL; + char *name = NULL, *header = NULL, *prog; + const unsigned char *ctmpbuf; + int indent = 0, noout = 0, dump = 0, strictpem = 0, informat = FORMAT_PEM; + int offset = 0, ret = 1, i, j; + long num, tmplen; + unsigned char *tmpbuf; + unsigned int length = 0; + OPTION_CHOICE o; - if (!load_config(bio_err, NULL)) - goto end; + prog = opt_init(argc, argv, asn1parse_options); - prog = argv[0]; - argc--; - argv++; if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); goto end; } - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - derfile = *(++argv); - } else if (strcmp(*argv, "-i") == 0) { + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(asn1parse_options); + ret = 0; + goto end; + case OPT_INFORM: + if 
(!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + derfile = opt_arg(); + break; + case OPT_INDENT: indent = 1; - } else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-oid") == 0) { - if (--argc < 1) - goto bad; - oidfile = *(++argv); - } else if (strcmp(*argv, "-offset") == 0) { - if (--argc < 1) - goto bad; - offset = atoi(*(++argv)); - } else if (strcmp(*argv, "-length") == 0) { - if (--argc < 1) - goto bad; - length = atoi(*(++argv)); - if (length == 0) - goto bad; - } else if (strcmp(*argv, "-dump") == 0) { + break; + case OPT_OID: + oidfile = opt_arg(); + break; + case OPT_OFFSET: + offset = strtol(opt_arg(), NULL, 0); + break; + case OPT_LENGTH: + length = atoi(opt_arg()); + break; + case OPT_DUMP: dump = -1; - } else if (strcmp(*argv, "-dlimit") == 0) { - if (--argc < 1) - goto bad; - dump = atoi(*(++argv)); - if (dump <= 0) - goto bad; - } else if (strcmp(*argv, "-strparse") == 0) { - if (--argc < 1) - goto bad; - sk_OPENSSL_STRING_push(osk, *(++argv)); - } else if (strcmp(*argv, "-genstr") == 0) { - if (--argc < 1) - goto bad; - genstr = *(++argv); - } else if (strcmp(*argv, "-genconf") == 0) { - if (--argc < 1) - goto bad; - genconf = *(++argv); - } else if (strcmp(*argv, "-strictpem") == 0) { + break; + case OPT_DLIMIT: + dump = atoi(opt_arg()); + break; + case OPT_STRPARSE: + sk_OPENSSL_STRING_push(osk, opt_arg()); + break; + case OPT_GENSTR: + genstr = opt_arg(); + break; + case OPT_GENCONF: + genconf = opt_arg(); + break; + case OPT_STRICTPEM: strictpem = 1; informat = FORMAT_PEM; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; } - argc--; - argv++; } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] ', "Where to put the output file(s)"}, + {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, + {"sigopt", OPT_SIGOPT, 's'}, + {"notext", OPT_NOTEXT, '-'}, + 
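Review bot: In asn1parse_main (apps/asn1pars.c), the new `case OPT_INFORM:` falls into an unconditional `goto end;` after a successful `opt_format(...)` call. As written, any use of `-inform` leaves the option loop with `ret` still 1 before any input is parsed. The line after the `goto opthelp;` check should presumably be `break;`, as in the neighbouring cases. Separately, `-offset`, `-length` and `-dlimit` are converted with unchecked `strtol`/`atoi`, and the old explicit `length == 0` and `dump <= 0` rejections are gone, so range validation now depends entirely on the `'p'` type in the options table. The remainder of this hunk is damaged on the page, so the rest of the function could not be reviewed.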
{"batch", OPT_BATCH, '-', "Don't ask questions"}, + {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, + {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, + {"msie_hack", OPT_MSIE_HACK, '-', + "msie modifications to handle all those universal strings"}, + {"crldays", OPT_CRLDAYS, 'p', "Days is when the next CRL is due"}, + {"crlhours", OPT_CRLHOURS, 'p', "Hours is when the next CRL is due"}, + {"crlsec", OPT_CRLSEC, 'p'}, + {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, + {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, + {"spkac", OPT_SPKAC, '<', + "File contains DN and signed public key and challenge"}, + {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, + {"valid", OPT_VALID, 's'}, + {"extensions", OPT_EXTENSIONS, 's', + "Extension section (override value in config file)"}, + {"extfile", OPT_EXTFILE, '<', + "Configuration file with X509v3 extensions to add"}, + {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, + {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, + {"crlexts", OPT_CRLEXTS, 's', + "CRL extension section (override value in config file)"}, + {"crl_reason", OPT_CRL_REASON, 's'}, + {"crl_hold", OPT_CRL_HOLD, 's'}, + {"crl_compromise", OPT_CRL_COMPROMISE, 's'}, + {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int ca_main(int argc, char **argv) { ENGINE *e = NULL; - char *key = NULL, *passargin = NULL; - int create_ser = 0; - int free_key = 0; - int total = 0; - int total_done = 0; - int badops = 0; - int ret = 1; - int email_dn = 1; - int req = 0; - int verbose = 0; - int gencrl = 0; - int dorevoke = 0; - int doupdatedb = 0; - long crldays = 0; - long crlhours = 0; - long crlsec = 0; - long errorline = -1; - 
char *configfile = NULL; - char *md = NULL; - char *policy = NULL; - char *keyfile = NULL; - char *certfile = NULL; - int keyform = FORMAT_PEM; - char *infile = NULL; - char *spkac_file = NULL; - char *ss_cert_file = NULL; - char *ser_status = NULL; + BIGNUM *crlnumber = NULL, *serial = NULL; EVP_PKEY *pkey = NULL; - int output_der = 0; - char *outfile = NULL; - char *outdir = NULL; - char *serialfile = NULL; - char *crlnumberfile = NULL; - char *extensions = NULL; - char *extfile = NULL; - char *subj = NULL; - unsigned long chtype = MBSTRING_ASC; - int multirdn = 0; - char *tmp_email_dn = NULL; - char *crl_ext = NULL; - int rev_type = REV_NONE; - char *rev_arg = NULL; - BIGNUM *serial = NULL; - BIGNUM *crlnumber = NULL; - char *startdate = NULL; - char *enddate = NULL; - long days = 0; - int batch = 0; - int notext = 0; - unsigned long nameopt = 0, certopt = 0; - int default_op = 1; - int ext_copy = EXT_COPY_NONE; - int selfsign = 0; - X509 *x509 = NULL, *x509p = NULL; - X509 *x = NULL; BIO *in = NULL, *out = NULL, *Sout = NULL, *Cout = NULL; - char *dbfile = NULL; - CA_DB *db = NULL; - X509_CRL *crl = NULL; - X509_REVOKED *r = NULL; - ASN1_TIME *tmptm; ASN1_INTEGER *tmpser; - char *f; - const char *p; - char *const *pp; - int i, j; - const EVP_MD *dgst = NULL; + ASN1_TIME *tmptm; + CA_DB *db = NULL; + DB_ATTR db_attr; STACK_OF(CONF_VALUE) *attribs = NULL; - STACK_OF(X509) *cert_sk = NULL; STACK_OF(OPENSSL_STRING) *sigopts = NULL; -#undef BSIZE -#define BSIZE 256 + STACK_OF(X509) *cert_sk = NULL; + X509_CRL *crl = NULL; + const EVP_MD *dgst = NULL; + char *configfile = NULL, *md = NULL, *policy = NULL, *keyfile = NULL; + char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *enddate = + NULL; + char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; + char *extensions = NULL, *extfile = NULL, *key = NULL, *passinarg = NULL; + char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; + char *serialfile = NULL, *startdate = NULL, 
*subj = NULL, *tmp_email_dn = + NULL; + char *prog; + char *const *pp; + char *dbfile = NULL, *engine = NULL, *f, *randfile = NULL, *tofree = NULL; char buf[3][BSIZE]; - char *randfile = NULL; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - char *tofree = NULL; - DB_ATTR db_attr; + const char *p; + int create_ser = 0, free_key = 0, total = 0, total_done = 0; + int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; + int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; + int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; + int i, j, rev_type = REV_NONE, selfsign = 0; + long crldays = 0, crlhours = 0, crlsec = 0, errorline = -1, days = 0; + unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0; + X509 *x509 = NULL, *x509p = NULL, *x = NULL; + X509_REVOKED *r = NULL; + OPTION_CHOICE o; #ifdef EFENCE EF_PROTECT_FREE = 1; 
@@ -337,220 +321,181 @@ int MAIN(int argc, char **argv) EF_ALIGNMENT = 0; #endif - apps_startup(); - conf = NULL; - key = NULL; section = NULL; - preserve = 0; msie_hack = 0; - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-verbose") == 0) - verbose = 1; - else if (strcmp(*argv, "-config") == 0) { - if (--argc < 1) - goto bad; - configfile = *(++argv); - } else if (strcmp(*argv, "-name") == 0) { - if (--argc < 1) - goto bad; - section = *(++argv); - } else if (strcmp(*argv, "-subj") == 0) { - if (--argc < 1) - goto bad; - subj = *(++argv); - /* preserve=1; */ - } else if (strcmp(*argv, "-utf8") == 0) - chtype = MBSTRING_UTF8; - else if (strcmp(*argv, "-create_serial") == 0) + + prog = opt_init(argc, argv, ca_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ca_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_VERBOSE: + verbose = 1; + break; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_NAME: + section = opt_arg(); + break; + case OPT_SUBJ: + subj = opt_arg(); + /* preserve=1; */ + break; + case OPT_UTF8: + chtype = MBSTRING_UTF8; + break; + case OPT_CREATE_SERIAL: create_ser = 1; - else if (strcmp(*argv, "-multivalue-rdn") == 0) + break; + case OPT_MULTIVALUE_RDN: multirdn = 1; - else if (strcmp(*argv, "-startdate") == 0) { - if (--argc < 1) - goto bad; - startdate = *(++argv); - } else if (strcmp(*argv, "-enddate") == 0) { - if (--argc < 1) - goto bad; - enddate = *(++argv); - } else if (strcmp(*argv, "-days") == 0) { - if (--argc < 1) - goto bad; - days = atoi(*(++argv)); - } else if (strcmp(*argv, "-md") == 0) { - if (--argc < 1) - goto bad; - md = 
*(++argv); - } else if (strcmp(*argv, "-policy") == 0) { - if (--argc < 1) - goto bad; - policy = *(++argv); - } else if (strcmp(*argv, "-keyfile") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyform = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - key = *(++argv); - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - certfile = *(++argv); - } else if (strcmp(*argv, "-selfsign") == 0) + break; + case OPT_STARTDATE: + startdate = opt_arg(); + break; + case OPT_ENDDATE: + enddate = opt_arg(); + break; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_MD: + md = opt_arg(); + break; + case OPT_POLICY: + policy = opt_arg(); + break; + case OPT_KEYFILE: + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_KEY: + key = opt_arg(); + break; + case OPT_CERT: + certfile = opt_arg(); + break; + case OPT_SELFSIGN: selfsign = 1; - else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - req = 1; - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-outdir") == 0) { - if (--argc < 1) - goto bad; - outdir = *(++argv); - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - goto bad; - if (!sigopts) + break; + case OPT_OUTDIR: + outdir = opt_arg(); + break; + case OPT_SIGOPT: + if (sigopts == NULL) sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-notext") == 0) + if (sigopts == NULL + || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto end; + break; + case 
OPT_NOTEXT: notext = 1; - else if (strcmp(*argv, "-batch") == 0) + break; + case OPT_BATCH: batch = 1; - else if (strcmp(*argv, "-preserveDN") == 0) + break; + case OPT_PRESERVEDN: preserve = 1; - else if (strcmp(*argv, "-noemailDN") == 0) + break; + case OPT_NOEMAILDN: email_dn = 0; - else if (strcmp(*argv, "-gencrl") == 0) + break; + case OPT_GENCRL: gencrl = 1; - else if (strcmp(*argv, "-msie_hack") == 0) + break; + case OPT_MSIE_HACK: msie_hack = 1; - else if (strcmp(*argv, "-crldays") == 0) { - if (--argc < 1) - goto bad; - crldays = atol(*(++argv)); - } else if (strcmp(*argv, "-crlhours") == 0) { - if (--argc < 1) - goto bad; - crlhours = atol(*(++argv)); - } else if (strcmp(*argv, "-crlsec") == 0) { - if (--argc < 1) - goto bad; - crlsec = atol(*(++argv)); - } else if (strcmp(*argv, "-infiles") == 0) { - argc--; - argv++; - req = 1; break; - } else if (strcmp(*argv, "-ss_cert") == 0) { - if (--argc < 1) - goto bad; - ss_cert_file = *(++argv); + case OPT_CRLDAYS: + crldays = atol(opt_arg()); + break; + case OPT_CRLHOURS: + crlhours = atol(opt_arg()); + break; + case OPT_CRLSEC: + crlsec = atol(opt_arg()); + break; + case OPT_INFILES: req = 1; - } else if (strcmp(*argv, "-spkac") == 0) { - if (--argc < 1) - goto bad; - spkac_file = *(++argv); + goto end_of_options; + case OPT_SS_CERT: + ss_cert_file = opt_arg(); req = 1; - } else if (strcmp(*argv, "-revoke") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); + break; + case OPT_SPKAC: + spkac_file = opt_arg(); + req = 1; + break; + case OPT_REVOKE: + infile = opt_arg(); dorevoke = 1; - } else if (strcmp(*argv, "-valid") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); + break; + case OPT_VALID: + infile = opt_arg(); dorevoke = 2; - } else if (strcmp(*argv, "-extensions") == 0) { - if (--argc < 1) - goto bad; - extensions = *(++argv); - } else if (strcmp(*argv, "-extfile") == 0) { - if (--argc < 1) - goto bad; - extfile = *(++argv); - } else if (strcmp(*argv, "-status") == 0) { - if (--argc 
< 1) - goto bad; - ser_status = *(++argv); - } else if (strcmp(*argv, "-updatedb") == 0) { + break; + case OPT_EXTENSIONS: + extensions = opt_arg(); + break; + case OPT_EXTFILE: + extfile = opt_arg(); + break; + case OPT_STATUS: + ser_status = opt_arg(); + break; + case OPT_UPDATEDB: doupdatedb = 1; - } else if (strcmp(*argv, "-crlexts") == 0) { - if (--argc < 1) - goto bad; - crl_ext = *(++argv); - } else if (strcmp(*argv, "-crl_reason") == 0) { - if (--argc < 1) - goto bad; - rev_arg = *(++argv); + break; + case OPT_CRLEXTS: + crl_ext = opt_arg(); + break; + case OPT_CRL_REASON: + rev_arg = opt_arg(); rev_type = REV_CRL_REASON; - } else if (strcmp(*argv, "-crl_hold") == 0) { - if (--argc < 1) - goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_HOLD: + rev_arg = opt_arg(); rev_type = REV_HOLD; - } else if (strcmp(*argv, "-crl_compromise") == 0) { - if (--argc < 1) - goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_COMPROMISE: + rev_arg = opt_arg(); rev_type = REV_KEY_COMPROMISE; - } else if (strcmp(*argv, "-crl_CA_compromise") == 0) { - if (--argc < 1) - goto bad; - rev_arg = *(++argv); + break; + case OPT_CRL_CA_COMPROMISE: + rev_arg = opt_arg(); rev_type = REV_CA_COMPROMISE; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif - else { - bad: - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_ENGINE: + engine = opt_arg(); break; } - argc--; - argv++; } +end_of_options: + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - const char **pp2; - - for (pp2 = ca_usage; (*pp2 != NULL); pp2++) - BIO_printf(bio_err, "%s", *pp2); - goto err; - } - - ERR_load_crypto_strings(); - - /*****************************************************************/ tofree = NULL; if (configfile == NULL) configfile = getenv("OPENSSL_CONF"); 
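Review bot: The new `case OPT_IN:` only stores `infile`, whereas the removed `-in` branch also set `req = 1`, so a plain `-in request.pem` run appears to skip the signing path that later code gates on `req` (for example `if (req || gencrl)`). `OPT_INFILES`, `OPT_SS_CERT` and `OPT_SPKAC` all kept their `req = 1`, which suggests the omission is accidental and not a deliberate change of semantics. Restore it as `case OPT_IN: req = 1; infile = opt_arg(); break;`. For a CA tool, an invocation that returns without issuing anything and without a clear diagnostic is worth a regression test. The body of ca_main continues outside this hunk.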
@@ -565,7 +510,7 @@ int MAIN(int argc, char **argv) tofree = OPENSSL_malloc(len); if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); - goto err; + goto end; } strcpy(tofree, s); #else @@ -573,7 +518,7 @@ int MAIN(int argc, char **argv) tofree = OPENSSL_malloc(len); if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); - goto err; + goto end; } BUF_strlcpy(tofree, s, len); BUF_strlcat(tofree, "/", len); @@ -591,18 +536,14 @@ int MAIN(int argc, char **argv) else BIO_printf(bio_err, "error on line %ld of config file '%s'\n", errorline, configfile); - goto err; + goto end; } if (tofree) { OPENSSL_free(tofree); tofree = NULL; } - - if (!load_config(bio_err, conf)) - goto err; - #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif /* Lets get the config section we are using */ @@ -610,7 +551,7 @@ int MAIN(int argc, char **argv) section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA); if (section == NULL) { lookup_fail(BASE_SECTION, ENV_DEFAULT_CA); - goto err; + goto end; } } @@ -633,16 +574,16 @@ int MAIN(int argc, char **argv) BIO_free(oid_bio); } } - if (!add_oid_section(bio_err, conf)) { + if (!add_oid_section(conf)) { ERR_print_errors(bio_err); - goto err; + goto end; } } randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); if (randfile == NULL) ERR_clear_error(); - app_RAND_load_file(randfile, bio_err, 0); + app_RAND_load_file(randfile, 0); f = NCONF_get_string(conf, section, STRING_MASK); if (!f) @@ -650,7 +591,7 @@ int MAIN(int argc, char **argv) if (f && !ASN1_STRING_set_default_mask_asc(f)) { BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); - goto err; + goto end; } if (chtype != MBSTRING_UTF8) { 
@@ -664,47 +605,27 @@ int MAIN(int argc, char **argv) db_attr.unique_subject = 1; p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); if (p) { -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p); -#endif db_attr.unique_subject = parse_yesno(p, 1); } else ERR_clear_error(); -#ifdef RL_DEBUG - if (!p) - BIO_printf(bio_err, "DEBUG: unique_subject undefined\n"); -#endif -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", - db_attr.unique_subject); -#endif - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - Sout = BIO_new(BIO_s_file()); - Cout = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL) || (Sout == NULL) || (Cout == NULL)) { - ERR_print_errors(bio_err); - goto err; - } /*****************************************************************/ /* report status of cert with serial number given on command line */ if (ser_status) { if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { lookup_fail(section, ENV_DATABASE); - goto err; + goto end; } db = load_index(dbfile, &db_attr); if (db == NULL) - goto err; + goto end; if (!index_index(db)) - goto err; + goto end; if (get_certificate_status(ser_status, db) != 1) BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status); - goto err; + goto end; } /*****************************************************************/ 
@@ -715,21 +636,21 @@ int MAIN(int argc, char **argv) ENV_PRIVATE_KEY)) == NULL)) { lookup_fail(section, ENV_PRIVATE_KEY); - goto err; + goto end; } if (!key) { free_key = 1; - if (!app_passwd(bio_err, passargin, NULL, &key, NULL)) { + if (!app_passwd(passinarg, NULL, &key, NULL)) { BIO_printf(bio_err, "Error getting password\n"); - goto err; + goto end; } } - pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key"); + pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key"); if (key) OPENSSL_cleanse(key, strlen(key)); if (pkey == NULL) { /* load_key() has already printed an appropriate message */ - goto err; + goto end; } /*****************************************************************/ @@ -740,17 +661,16 @@ int MAIN(int argc, char **argv) section, ENV_CERTIFICATE)) == NULL)) { lookup_fail(section, ENV_CERTIFICATE); - goto err; + goto end; } - x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e, - "CA certificate"); + x509 = load_cert(certfile, FORMAT_PEM, NULL, e, "CA certificate"); if (x509 == NULL) - goto err; + goto end; if (!X509_check_private_key(x509, pkey)) { BIO_printf(bio_err, "CA certificate and CA private key do not match\n"); - goto err; + goto end; } } if (!selfsign) @@ -772,7 +692,7 @@ int MAIN(int argc, char **argv) if (f) { if (!set_name_ex(&nameopt, f)) { BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); - goto err; + goto end; } default_op = 0; } else @@ -783,7 +703,7 @@ int MAIN(int argc, char **argv) if (f) { if (!set_cert_ex(&certopt, f)) { BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); - goto err; + goto end; } default_op = 0; } else @@ -794,7 +714,7 @@ int MAIN(int argc, char **argv) if (f) { if (!set_ext_copy(&ext_copy, f)) { BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); - goto err; + goto end; } } else ERR_clear_error(); 
@@ -807,7 +727,7 @@ int MAIN(int argc, char **argv) == NULL) { BIO_printf(bio_err, "there needs to be defined a directory for new certificate to be placed in\n"); - goto err; + goto end; } #ifndef OPENSSL_SYS_VMS /* @@ -820,22 +740,18 @@ int MAIN(int argc, char **argv) * routines to convert the directory syntax to Unixly, and give that * to access(). However, time's too short to do that just now. */ -# ifndef _WIN32 - if (access(outdir, R_OK | W_OK | X_OK) != 0) -# else - if (_access(outdir, R_OK | W_OK | X_OK) != 0) -# endif + if (app_access(outdir, R_OK | W_OK | X_OK) != 0) { BIO_printf(bio_err, "I am unable to access the %s directory\n", outdir); perror(outdir); - goto err; + goto end; } if (app_isdir(outdir) <= 0) { BIO_printf(bio_err, "%s need to be a directory\n", outdir); perror(outdir); - goto err; + goto end; } #endif } @@ -844,11 +760,11 @@ int MAIN(int argc, char **argv) /* we need to load the database file */ if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { lookup_fail(section, ENV_DATABASE); - goto err; + goto end; } db = load_index(dbfile, &db_attr); if (db == NULL) - goto err; + goto end; /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { @@ -857,16 +773,16 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "entry %d: not revoked yet, but has a revocation date\n", i + 1); - goto err; + goto end; } if ((pp[DB_type][0] == DB_TYPE_REV) && !make_revoked(NULL, pp[DB_rev_date])) { BIO_printf(bio_err, " in entry %d\n", i + 1); - goto err; + goto end; } if (!check_time_format((char *)pp[DB_exp_date])) { BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); - goto err; + goto end; } p = pp[DB_serial]; j = strlen(p); @@ -877,7 +793,7 @@ int MAIN(int argc, char **argv) if ((j & 1) || (j < 2)) { BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", i + 1, j); - goto err; + goto end; } while (*p) { if (!(((*p >= '0') && (*p <= '9')) || 
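Review bot: In the `outdir` validation, `app_access(outdir, R_OK | W_OK | X_OK)` followed by `app_isdir(outdir)` is a check-then-use sequence. The directory can be replaced or re-permissioned between these calls and the later creation of the certificate file, so the result is an early diagnostic and not a guarantee. The existing comment covers only the VMS exclusion; I would add `/* Early diagnostic only: outdir may change before use, so the later file-open result is authoritative. */` above the `app_access()` call. The enclosing block starts outside this hunk.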
@@ -886,27 +802,20 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", i + 1, (long)(p - pp[DB_serial]), *p); - goto err; + goto end; } p++; } } if (verbose) { - BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* cannot fail */ -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - TXT_DB_write(out, db->db); + TXT_DB_write(bio_out, db->db); BIO_printf(bio_err, "%d entries loaded from the database\n", sk_OPENSSL_PSTRING_num(db->db->data)); BIO_printf(bio_err, "generating index\n"); } if (!index_index(db)) - goto err; + goto end; /*****************************************************************/ /* Update the db file for expired certificates */ @@ -917,16 +826,16 @@ int MAIN(int argc, char **argv) i = do_updatedb(db); if (i == -1) { BIO_printf(bio_err, "Malloc failure\n"); - goto err; + goto end; } else if (i == 0) { if (verbose) BIO_printf(bio_err, "No entries found to mark expired\n"); } else { if (!save_index(dbfile, "new", db)) - goto err; + goto end; if (!rotate_index(dbfile, "new", "old")) - goto err; + goto end; if (verbose) BIO_printf(bio_err, @@ -947,7 +856,7 @@ int MAIN(int argc, char **argv) "ERROR: on line %ld of config file '%s'\n", errorline, extfile); ret = 1; - goto err; + goto end; } if (verbose) 
@@ -963,41 +872,29 @@ int MAIN(int argc, char **argv) /*****************************************************************/ if (req || gencrl) { - if (outfile != NULL) { - if (BIO_write_filename(Sout, outfile) <= 0) { - perror(outfile); - goto err; - } - } else { - BIO_set_fp(Sout, stdout, BIO_NOCLOSE | BIO_FP_TEXT); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - Sout = BIO_push(tmpbio, Sout); - } -#endif - } + Sout = bio_open_default(outfile, "w"); + if (Sout == NULL) + goto end; } if ((md == NULL) && ((md = NCONF_get_string(conf, section, ENV_DEFAULT_MD)) == NULL)) { lookup_fail(section, ENV_DEFAULT_MD); - goto err; + goto end; } if (!strcmp(md, "default")) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { BIO_puts(bio_err, "no default digest\n"); - goto err; + goto end; } md = (char *)OBJ_nid2sn(def_nid); } - if ((dgst = EVP_get_digestbyname(md)) == NULL) { - BIO_printf(bio_err, "%s is an unsupported message digest type\n", md); - goto err; + if (!opt_md(md, &dgst)) { + goto end; } if (req) { @@ -1016,7 +913,7 @@ int MAIN(int argc, char **argv) ENV_POLICY)) == NULL)) { lookup_fail(section, ENV_POLICY); - goto err; + goto end; } if (verbose) BIO_printf(bio_err, "policy is %s\n", policy); @@ -1024,7 +921,7 @@ int MAIN(int argc, char **argv) if ((serialfile = NCONF_get_string(conf, section, ENV_SERIAL)) == NULL) { lookup_fail(section, ENV_SERIAL); - goto err; + goto end; } if (!extconf) { @@ -1047,7 +944,7 @@ int MAIN(int argc, char **argv) "Error Loading extension section %s\n", extensions); ret = 1; - goto err; + goto end; } } } @@ -1061,7 +958,7 @@ int MAIN(int argc, char **argv) if (startdate && !ASN1_TIME_set_string(NULL, startdate)) { BIO_printf(bio_err, "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); - goto err; + goto end; } if (startdate == NULL) startdate = "today"; 
@@ -1074,7 +971,7 @@ int MAIN(int argc, char **argv) if (enddate && !ASN1_TIME_set_string(NULL, enddate)) { BIO_printf(bio_err, "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); - goto err; + goto end; } if (days == 0) { @@ -1084,19 +981,19 @@ int MAIN(int argc, char **argv) if (!enddate && (days == 0)) { BIO_printf(bio_err, "cannot lookup how many days to certify for\n"); - goto err; + goto end; } if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { BIO_printf(bio_err, "error while loading serial number\n"); - goto err; + goto end; } if (verbose) { if (BN_is_zero(serial)) BIO_printf(bio_err, "next serial number is 00\n"); else { if ((f = BN_bn2hex(serial)) == NULL) - goto err; + goto end; BIO_printf(bio_err, "next serial number is %s\n", f); OPENSSL_free(f); } @@ -1104,12 +1001,12 @@ int MAIN(int argc, char **argv) if ((attribs = NCONF_get_section(conf, policy)) == NULL) { BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); - goto err; + goto end; } if ((cert_sk = sk_X509_new_null()) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } if (spkac_file != NULL) { total++; @@ -1119,15 +1016,15 @@ int MAIN(int argc, char **argv) conf, verbose, certopt, nameopt, default_op, ext_copy); if (j < 0) - goto err; + goto end; if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); if (!BN_add_word(serial, 1)) - goto err; + goto end; if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } if (outfile) { output_der = 1; @@ -1144,15 +1041,15 @@ int MAIN(int argc, char **argv) conf, verbose, certopt, nameopt, default_op, ext_copy, e); if (j < 0) - goto err; + goto end; if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); if (!BN_add_word(serial, 1)) - goto err; + goto end; if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } } } 
@@ -1163,15 +1060,15 @@ int MAIN(int argc, char **argv) enddate, days, batch, extensions, conf, verbose, certopt, nameopt, default_op, ext_copy, selfsign); if (j < 0) - goto err; + goto end; if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); if (!BN_add_word(serial, 1)) - goto err; + goto end; if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } } } @@ -1182,15 +1079,15 @@ int MAIN(int argc, char **argv) enddate, days, batch, extensions, conf, verbose, certopt, nameopt, default_op, ext_copy, selfsign); if (j < 0) - goto err; + goto end; if (j > 0) { total_done++; BIO_printf(bio_err, "\n"); if (!BN_add_word(serial, 1)) - goto err; + goto end; if (!sk_X509_push(cert_sk, x)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } } } @@ -1210,12 +1107,12 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "CERTIFICATION CANCELED: I/O error\n"); ret = 0; - goto err; + goto end; } if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); ret = 0; - goto err; + goto end; } } @@ -1223,10 +1120,10 @@ int MAIN(int argc, char **argv) sk_X509_num(cert_sk)); if (!save_serial(serialfile, "new", serial, NULL)) - goto err; + goto end; if (!save_index(dbfile, "new", db)) - goto err; + goto end; } if (verbose) @@ -1242,7 +1139,7 @@ int MAIN(int argc, char **argv) if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) { BIO_printf(bio_err, "certificate file name too long\n"); - goto err; + goto end; } strcpy(buf[2], outdir); @@ -1273,9 +1170,10 @@ int MAIN(int argc, char **argv) if (verbose) BIO_printf(bio_err, "writing %s\n", buf[2]); - if (BIO_write_filename(Cout, buf[2]) <= 0) { + Cout = BIO_new_file(buf[2], "w"); + if (Cout == NULL) { perror(buf[2]); - goto err; + goto end; } write_new_certificate(Cout, x, 0, notext); write_new_certificate(Sout, x, output_der, notext); 
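Review bot: `Cout = BIO_new_file(buf[2], "w")` in the last hunk on this line allocates a fresh BIO each time it runs, and nothing in the hunk frees it after the two `write_new_certificate()` calls. The removed code reused a single BIO through `BIO_write_filename()`. If this statement sits in the per-certificate loop (the loop header is outside the hunk), every certificate but the last keeps an open, possibly unflushed file handle until the process exits, and only the final one reaches `BIO_free_all(Cout)` at `end:`. Add `BIO_free_all(Cout); Cout = NULL;` directly after `write_new_certificate(Cout, x, 0, notext);` so each certificate file is closed before the serial and index files are rotated.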
@@ -1284,10 +1182,10 @@ int MAIN(int argc, char **argv) if (sk_X509_num(cert_sk)) { /* Rename the database and the serial file */ if (!rotate_serial(serialfile, "new", "old")) - goto err; + goto end; if (!rotate_index(dbfile, "new", "old")) - goto err; + goto end; BIO_printf(bio_err, "Data Base Updated\n"); } @@ -1311,7 +1209,7 @@ int MAIN(int argc, char **argv) "Error Loading CRL extension section %s\n", crl_ext); ret = 1; - goto err; + goto end; } } @@ -1319,7 +1217,7 @@ int MAIN(int argc, char **argv) != NULL) if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { BIO_printf(bio_err, "error while loading CRL number\n"); - goto err; + goto end; } if (!crldays && !crlhours && !crlsec) { @@ -1334,25 +1232,25 @@ int MAIN(int argc, char **argv) if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { BIO_printf(bio_err, "cannot lookup how long until the next CRL is issued\n"); - goto err; + goto end; } if (verbose) BIO_printf(bio_err, "making CRL\n"); if ((crl = X509_CRL_new()) == NULL) - goto err; + goto end; if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) - goto err; + goto end; tmptm = ASN1_TIME_new(); if (!tmptm) - goto err; + goto end; X509_gmtime_adj(tmptm, 0); X509_CRL_set_lastUpdate(crl, tmptm); if (!X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, NULL)) { BIO_puts(bio_err, "error setting CRL nextUpdate\n"); - goto err; + goto end; } X509_CRL_set_nextUpdate(crl, tmptm); 
@@ -1362,19 +1260,19 @@ int MAIN(int argc, char **argv) pp = sk_OPENSSL_PSTRING_value(db->db->data, i); if (pp[DB_type][0] == DB_TYPE_REV) { if ((r = X509_REVOKED_new()) == NULL) - goto err; + goto end; j = make_revoked(r, pp[DB_rev_date]); if (!j) - goto err; + goto end; if (j == 2) crl_v2 = 1; if (!BN_hex2bn(&serial, pp[DB_serial])) - goto err; + goto end; tmpser = BN_to_ASN1_INTEGER(serial, NULL); BN_free(serial); serial = NULL; if (!tmpser) - goto err; + goto end; X509_REVOKED_set_serialNumber(r, tmpser); ASN1_INTEGER_free(tmpser); X509_CRL_add0_revoked(crl, r); 
@@ -1399,72 +1297,72 @@ int MAIN(int argc, char **argv) if (crl_ext) if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) - goto err; + goto end; if (crlnumberfile != NULL) { tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); if (!tmpser) - goto err; + goto end; X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); ASN1_INTEGER_free(tmpser); crl_v2 = 1; if (!BN_add_word(crlnumber, 1)) - goto err; + goto end; } } if (crl_ext || crl_v2) { if (!X509_CRL_set_version(crl, 1)) - goto err; /* version 2 CRL */ + goto end; /* version 2 CRL */ } /* we have a CRL number that need updating */ if (crlnumberfile != NULL) if (!save_serial(crlnumberfile, "new", crlnumber, NULL)) - goto err; + goto end; if (crlnumber) { BN_free(crlnumber); crlnumber = NULL; } - if (!do_X509_CRL_sign(bio_err, crl, pkey, dgst, sigopts)) - goto err; + if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) + goto end; PEM_write_bio_X509_CRL(Sout, crl); if (crlnumberfile != NULL) /* Rename the crlnumber file */ if (!rotate_serial(crlnumberfile, "new", "old")) - goto err; + goto end; } /*****************************************************************/ if (dorevoke) { if (infile == NULL) { BIO_printf(bio_err, "no input files\n"); - goto err; + goto end; } else { X509 *revcert; - revcert = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile); + revcert = load_cert(infile, FORMAT_PEM, NULL, e, infile); if (revcert == NULL) - goto err; + goto end; if (dorevoke == 2) rev_type = -1; j = do_revoke(revcert, db, rev_type, rev_arg); if (j <= 0) - goto err; + goto end; X509_free(revcert); if (!save_index(dbfile, "new", db)) - goto err; + goto end; if (!rotate_index(dbfile, "new", "old")) - goto err; + goto end; BIO_printf(bio_err, "Data Base Updated\n"); } } /*****************************************************************/ ret = 0; - err: + end: if (tofree) OPENSSL_free(tofree); BIO_free_all(Cout); 
@@ -1477,7 +1375,7 @@ int MAIN(int argc, char **argv) if (ret) ERR_print_errors(bio_err); - app_RAND_write_file(randfile, bio_err); + app_RAND_write_file(randfile); if (free_key && key) OPENSSL_free(key); BN_free(serial); @@ -1492,8 +1390,7 @@ int MAIN(int argc, char **argv) NCONF_free(conf); NCONF_free(extconf); OBJ_cleanup(); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static void lookup_fail(const char *name, const char *tag) @@ -1515,16 +1412,15 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, EVP_PKEY *pktmp = NULL; int ok = -1, i; - in = BIO_new(BIO_s_file()); - - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto err; + in = BIO_new_file(infile, "r"); + if (in == NULL) { + ERR_print_errors(bio_err); + goto end; } if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) { BIO_printf(bio_err, "Error reading certificate request in %s\n", infile); - goto err; + goto end; } if (verbose) X509_REQ_print(bio_err, req); @@ -1535,11 +1431,11 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "Certificate request and CA private key do not match\n"); ok = 0; - goto err; + goto end; } if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); - goto err; + goto end; } i = X509_REQ_verify(req, pktmp); EVP_PKEY_free(pktmp); @@ -1547,14 +1443,14 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); ERR_print_errors(bio_err); - goto err; + goto end; } if (i == 0) { ok = 0; BIO_printf(bio_err, "Signature did not match the certificate request\n"); ERR_print_errors(bio_err); - goto err; + goto end; } else BIO_printf(bio_err, "Signature ok\n"); 
@@ -1563,7 +1459,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, selfsign); - err: + end: if (req != NULL) X509_REQ_free(req); BIO_free(in); @@ -1585,9 +1481,8 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, EVP_PKEY *pktmp = NULL; int ok = -1, i; - if ((req = - load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile)) == NULL) - goto err; + if ((req = load_cert(infile, FORMAT_PEM, NULL, e, infile)) == NULL) + goto end; if (verbose) X509_print(bio_err, req); @@ -1595,31 +1490,31 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, if ((pktmp = X509_get_pubkey(req)) == NULL) { BIO_printf(bio_err, "error unpacking public key\n"); - goto err; + goto end; } i = X509_verify(req, pktmp); EVP_PKEY_free(pktmp); if (i < 0) { ok = 0; BIO_printf(bio_err, "Signature verification problems....\n"); - goto err; + goto end; } if (i == 0) { ok = 0; BIO_printf(bio_err, "Signature did not match the certificate\n"); - goto err; + goto end; } else BIO_printf(bio_err, "Signature ok\n"); if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL) - goto err; + goto end; ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, chtype, multirdn, email_dn, startdate, enddate, days, batch, verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); - err: + end: if (rreq != NULL) X509_REQ_free(rreq); if (req != NULL) @@ -1668,7 +1563,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!n) { ERR_print_errors(bio_err); - goto err; + goto end; } X509_REQ_set_subject_name(req, n); req->req_info->enc.modified = 1; 
@@ -1710,7 +1605,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, (str->type != V_ASN1_IA5STRING)) { BIO_printf(bio_err, "\nemailAddress type needs to be of type IA5STRING\n"); - goto err; + goto end; } if ((str->type != V_ASN1_BMPSTRING) && (str->type != V_ASN1_UTF8STRING)) { @@ -1721,7 +1616,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, (str->type == V_ASN1_PRINTABLESTRING))) { BIO_printf(bio_err, "\nThe string contains characters that are illegal for the ASN.1 type\n"); - goto err; + goto end; } } @@ -1732,7 +1627,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Ok, now we check the 'policy' stuff. */ if ((subject = X509_NAME_new()) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } /* take a copy of the issuer name before we mess with it. */ @@ -1741,7 +1636,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, else CAname = X509_NAME_dup(x509->cert_info->subject); if (CAname == NULL) - goto err; + goto end; str = str2 = NULL; for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { @@ -1750,7 +1645,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "%s:unknown object type in 'policy' configuration\n", cv->name); - goto err; + goto end; } obj = OBJ_nid2obj(j); @@ -1777,7 +1672,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "The %s field needed to be supplied and was missing\n", cv->name); - goto err; + goto end; } else push = tne; } else if (strcmp(cv->value, "match") == 0) { @@ -1787,7 +1682,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "The mandatory %s field was missing\n", cv->name); - goto err; + goto end; } last2 = -1; 
@@ -1798,7 +1693,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "The %s field does not exist in the CA certificate,\nthe 'policy' is misconfigured\n", cv->name); - goto err; + goto end; } if (j >= 0) { push = X509_NAME_get_entry(CAname, j); @@ -1814,13 +1709,13 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, cv->name, ((str2 == NULL) ? "NULL" : (char *)str2->data), ((str == NULL) ? "NULL" : (char *)str->data)); - goto err; + goto end; } } else { BIO_printf(bio_err, "%s:invalid type in 'policy' configuration\n", cv->value); - goto err; + goto end; } if (push != NULL) { @@ -1828,7 +1723,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (push != NULL) X509_NAME_ENTRY_free(push); BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } } if (j < 0) @@ -1841,7 +1736,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ subject = X509_NAME_dup(name); if (subject == NULL) - goto err; + goto end; } if (verbose) @@ -1864,7 +1759,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, */ if (!(dn_subject = X509_NAME_dup(subject))) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } while ((i = X509_NAME_get_index_by_NID(dn_subject, NID_pkcs9_emailAddress, @@ -1881,7 +1776,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, row[DB_serial] = BN_bn2hex(serial); if (row[DB_serial] == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } if (db->attributes.unique_subject) { @@ -1939,7 +1834,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, p = "undef"; BIO_printf(bio_err, "Subject Name :%s\n", p); ok = -1; /* This is now a 'bad' error. */ - goto err; + goto end; } /* We are now totally happy, lets make and sign the certificate */ 
@@ -1948,23 +1843,23 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, "Everything appears to be ok, creating and signing the certificate\n"); if ((ret = X509_new()) == NULL) - goto err; + goto end; ci = ret->cert_info; #ifdef X509_V3 /* Make it an X509 v3 certificate. */ if (!X509_set_version(ret, 2)) - goto err; + goto end; #endif if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL) - goto err; + goto end; if (selfsign) { if (!X509_set_issuer_name(ret, subject)) - goto err; + goto end; } else { if (!X509_set_issuer_name(ret, X509_get_subject_name(x509))) - goto err; + goto end; } if (strcmp(startdate, "today") == 0) @@ -1982,20 +1877,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } if (!X509_set_subject_name(ret, subject)) - goto err; + goto end; pktmp = X509_REQ_get_pubkey(req); i = X509_set_pubkey(ret, pktmp); EVP_PKEY_free(pktmp); if (!i) - goto err; + goto end; /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) - goto err; + goto end; ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */ /* @@ -2028,7 +1923,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, "ERROR: adding extensions in section %s\n", ext_sect); ERR_print_errors(bio_err); - goto err; + goto end; } if (verbose) BIO_printf(bio_err, @@ -2042,7 +1937,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, "ERROR: adding extensions in section %s\n", ext_sect); ERR_print_errors(bio_err); - goto err; + goto end; } if (verbose) @@ -2056,13 +1951,13 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!copy_extensions(ret, req, ext_copy)) { BIO_printf(bio_err, "ERROR: adding extensions from request\n"); ERR_print_errors(bio_err); - goto err; + goto end; } /* Set the right value for the noemailDN option */ if (email_dn == 0) { if (!X509_set_subject_name(ret, dn_subject)) - goto err; + goto end; } if (!default_op) { 
@@ -2089,12 +1984,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); ok = 0; - goto err; + goto end; } if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); ok = 0; - goto err; + goto end; } } @@ -2104,8 +1999,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, EVP_PKEY_copy_parameters(pktmp, pkey); EVP_PKEY_free(pktmp); - if (!do_X509_sign(bio_err, ret, pkey, dgst, sigopts)) - goto err; + if (!do_X509_sign(ret, pkey, dgst, sigopts)) + goto end; /* We now just add it to the database */ row[DB_type] = (char *)OPENSSL_malloc(2); @@ -2124,7 +2019,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL) || (row[DB_name] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } BUF_strlcpy(row[DB_file], "unknown", 8); row[DB_type][0] = 'V'; @@ -2133,7 +2028,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((irow = (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } for (i = 0; i < DB_NUMBER; i++) { @@ -2145,10 +2040,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (!TXT_DB_insert(db->db, irow)) { BIO_printf(bio_err, "failed to update database\n"); BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); - goto err; + goto end; } ok = 1; - err: + end: for (i = 0; i < DB_NUMBER; i++) if (row[i] != NULL) OPENSSL_free(row[i]); 
@@ -2216,14 +2111,14 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, if (parms == NULL) { BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); ERR_print_errors(bio_err); - goto err; + goto end; } sk = CONF_get_section(parms, "default"); if (sk_CONF_VALUE_num(sk) == 0) { BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); CONF_free(parms); - goto err; + goto end; } /* @@ -2236,7 +2131,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, req = X509_REQ_new(); if (req == NULL) { ERR_print_errors(bio_err); - goto err; + goto end; } /* @@ -2270,7 +2165,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, BIO_printf(bio_err, "unable to load Netscape SPKAC structure\n"); ERR_print_errors(bio_err); - goto err; + goto end; } } continue; @@ -2278,12 +2173,12 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char *)buf, -1, -1, 0)) - goto err; + goto end; } if (spki == NULL) { BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", infile); - goto err; + goto end; } /* @@ -2295,14 +2190,14 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { BIO_printf(bio_err, "error unpacking SPKAC public key\n"); - goto err; + goto end; } j = NETSCAPE_SPKI_verify(spki, pktmp); if (j <= 0) { BIO_printf(bio_err, "signature verification failed on SPKAC public key\n"); - goto err; + goto end; } BIO_printf(bio_err, "Signature ok\n"); @@ -2312,7 +2207,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, chtype, multirdn, email_dn, startdate, enddate, days, 1, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); - err: + end: if (req != NULL) X509_REQ_free(req); if (parms != NULL) 
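Review bot: In certify_spkac, the "no name/value pairs found" branch calls `CONF_free(parms);` and then jumps to the renamed `end:` label, whose cleanup tests `if (parms != NULL)` with `parms` still non-NULL. The guarded statement lies outside the hunk, but if it releases `parms`, as the guard suggests, this path frees the same object twice when the SPKAC input file has an empty default section. The rename leaves this as it was; the simplest fix is to delete the early `CONF_free(parms);` and let `end:` do the release, or to follow it with `parms = NULL;`. The function body starts and ends outside these hunks, so the cleanup sequence should be confirmed against the full file.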
@@ -2343,7 +2238,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); if (!bn) - goto err; + goto end; if (BN_is_zero(bn)) row[DB_serial] = BUF_strdup("00"); else @@ -2351,7 +2246,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) BN_free(bn); if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } /* * We have to lookup by serial number because name lookup skips revoked @@ -2381,7 +2276,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || (row[DB_file] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } BUF_strlcpy(row[DB_file], "unknown", 8); row[DB_type][0] = 'V'; @@ -2391,7 +2286,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); - goto err; + goto end; } for (i = 0; i < DB_NUMBER; i++) { @@ -2403,7 +2298,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) if (!TXT_DB_insert(db->db, irow)) { BIO_printf(bio_err, "failed to update database\n"); BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); - goto err; + goto end; } /* Revoke Certificate */ 
@@ -2412,32 +2307,32 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) else ok = do_revoke(x509, db, type, value); - goto err; + goto end; } else if (index_name_cmp_noconst(row, rrow)) { BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]); - goto err; + goto end; } else if (type == -1) { BIO_printf(bio_err, "ERROR:Already present, serial number %s\n", row[DB_serial]); - goto err; + goto end; } else if (rrow[DB_type][0] == 'R') { BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n", row[DB_serial]); - goto err; + goto end; } else { BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); rev_str = make_revocation_str(type, value); if (!rev_str) { BIO_printf(bio_err, "Error in revocation arguments\n"); - goto err; + goto end; } rrow[DB_type][0] = 'R'; rrow[DB_type][1] = '\0'; rrow[DB_rev_date] = rev_str; } ok = 1; - err: + end: for (i = 0; i < DB_NUMBER; i++) { if (row[i] != NULL) OPENSSL_free(row[i]); @@ -2458,7 +2353,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2); if (row[DB_serial] == NULL) { BIO_printf(bio_err, "Malloc failure\n"); - goto err; + goto end; } if (strlen(serial) % 2) { 
@@ -2487,29 +2382,29 @@ static int get_certificate_status(const char *serial, CA_DB *db) if (rrow == NULL) { BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]); ok = -1; - goto err; + goto end; } else if (rrow[DB_type][0] == 'V') { BIO_printf(bio_err, "%s=Valid (%c)\n", row[DB_serial], rrow[DB_type][0]); - goto err; + goto end; } else if (rrow[DB_type][0] == 'R') { BIO_printf(bio_err, "%s=Revoked (%c)\n", row[DB_serial], rrow[DB_type][0]); - goto err; + goto end; } else if (rrow[DB_type][0] == 'E') { BIO_printf(bio_err, "%s=Expired (%c)\n", row[DB_serial], rrow[DB_type][0]); - goto err; + goto end; } else if (rrow[DB_type][0] == 'S') { BIO_printf(bio_err, "%s=Suspended (%c)\n", row[DB_serial], rrow[DB_type][0]); - goto err; + goto end; } else { BIO_printf(bio_err, "%s=Unknown (%c).\n", row[DB_serial], rrow[DB_type][0]); ok = -1; } - err: + end: for (i = 0; i < DB_NUMBER; i++) { if (row[i] != NULL) OPENSSL_free(row[i]); @@ -2531,7 +2426,7 @@ static int do_updatedb(CA_DB *db) a_tm_s = (char *)OPENSSL_malloc(a_tm->length + 1); if (a_tm_s == NULL) { cnt = -1; - goto err; + goto end; } memcpy(a_tm_s, a_tm->data, a_tm->length); @@ -2572,7 +2467,7 @@ static int do_updatedb(CA_DB *db) } } - err: + end: ASN1_UTCTIME_free(a_tm); OPENSSL_free(a_tm_s); 
@@ -2716,28 +2611,28 @@ int make_revoked(X509_REVOKED *rev, const char *str) i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); if (i == 0) - goto err; + goto end; if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) - goto err; + goto end; if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { rtmp = ASN1_ENUMERATED_new(); if (!rtmp || !ASN1_ENUMERATED_set(rtmp, reason_code)) - goto err; + goto end; if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) - goto err; + goto end; } if (rev && comp_time) { if (!X509_REVOKED_add1_ext_i2d (rev, NID_invalidity_date, comp_time, 0, 0)) - goto err; + goto end; } if (rev && hold) { if (!X509_REVOKED_add1_ext_i2d (rev, NID_hold_instruction_code, hold, 0, 0)) - goto err; + goto end; } if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) @@ -2745,7 +2640,7 @@ int make_revoked(X509_REVOKED *rev, const char *str) else ret = 1; - err: + end: if (tmp) OPENSSL_free(tmp); @@ -2799,18 +2694,18 @@ int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME **pinvtm, const char *str) { - char *tmp = NULL; + char *tmp; char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; int reason_code = -1; int ret = 0; unsigned int i; ASN1_OBJECT *hold = NULL; ASN1_GENERALIZEDTIME *comp_time = NULL; - tmp = BUF_strdup(str); + tmp = BUF_strdup(str); if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); - goto err; + goto end; } p = strchr(tmp, ','); @@ -2832,11 +2727,11 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, *prevtm = ASN1_UTCTIME_new(); if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); - goto err; + goto end; } if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); - goto err; + goto end; } } if (reason_str) { 
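Review bot: In the unpack_revinfo hunk, changing `char *tmp = NULL;` to `char *tmp;` makes the cleanup at `end:` (`if (tmp) OPENSSL_free(tmp);`) depend on `tmp = BUF_strdup(str);` always running before any `goto end`. That holds in the lines shown, where the assignment directly follows the declarations. A later early exit added above it would pass an indeterminate pointer to OPENSSL_free. Keeping the initialiser, `char *tmp = NULL;`, preserves the usual single-exit cleanup invariant at no cost.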
@@ -2848,7 +2743,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, } if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { BIO_printf(bio_err, "invalid reason code %s\n", reason_str); - goto err; + goto end; } if (reason_code == 7) @@ -2856,7 +2751,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, else if (reason_code == 8) { /* Hold instruction */ if (!arg_str) { BIO_printf(bio_err, "missing hold instruction\n"); - goto err; + goto end; } reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; hold = OBJ_txt2obj(arg_str, 0); @@ -2864,23 +2759,23 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (!hold) { BIO_printf(bio_err, "invalid object identifier %s\n", arg_str); - goto err; + goto end; } if (phold) *phold = hold; } else if ((reason_code == 9) || (reason_code == 10)) { if (!arg_str) { BIO_printf(bio_err, "missing compromised time\n"); - goto err; + goto end; } comp_time = ASN1_GENERALIZEDTIME_new(); if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); - goto err; + goto end; } if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); - goto err; + goto end; } if (reason_code == 9) reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; @@ -2898,7 +2793,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ret = 1; - err: + end: if (tmp) OPENSSL_free(tmp); diff --git a/apps/ciphers.c b/apps/ciphers.c index 4b9a114..3d84a2b 100644 --- a/apps/ciphers.c +++ b/apps/ciphers.c @@ -1,4 +1,3 @@ -/* apps/ciphers.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -63,91 +62,91 @@ #include #include -#undef PROG -#define PROG ciphers_main - -static const char *ciphers_usage[] = { - "usage: ciphers args\n", - " -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n", - " -V - even more verbose\n", - " -ssl3 - SSL3 mode\n", - " -tls1 - TLS1 mode\n", - NULL +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, +#ifndef OPENSSL_NO_SSL_TRACE + OPT_STDNAME, +#endif +#ifndef OPENSSL_NO_SSL3 + OPT_SSL3, +#endif + OPT_TLS1, + OPT_V, OPT_UPPER_V, OPT_S +} OPTION_CHOICE; + +OPTIONS ciphers_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, + {"V", OPT_UPPER_V, '-', "Even more verbose"}, + {"s", OPT_S, '-', "Only supported ciphers"}, +#ifndef OPENSSL_NO_SSL_TRACE + {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, +#endif +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "SSL3 mode"}, +#endif + {"tls1", OPT_TLS1, '-', "TLS1 mode"}, + {NULL} }; -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +int ciphers_main(int argc, char **argv) { - int ret = 1, i; - int verbose = 0, Verbose = 0; - int use_supported = 0; + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + const SSL_METHOD *meth = SSLv23_server_method(); + int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; #ifndef OPENSSL_NO_SSL_TRACE int stdname = 0; #endif - const char **pp; const char *p; - int badops = 0; - SSL_CTX *ctx = NULL; - SSL *ssl = NULL; - char *ciphers = NULL; - const SSL_METHOD *meth = NULL; - STACK_OF(SSL_CIPHER) *sk = NULL; + char *ciphers = NULL, *prog; char buf[512]; - BIO *STDout = NULL; - - meth = SSLv23_server_method(); - - apps_startup(); - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - STDout = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - STDout = BIO_push(tmpbio, STDout); - } -#endif - if 
(!load_config(bio_err, NULL)) - goto end; - - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-v") == 0) + OPTION_CHOICE o; + + prog = opt_init(argc, argv, ciphers_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ciphers_options); + ret = 0; + goto end; + case OPT_V: verbose = 1; - else if (strcmp(*argv, "-V") == 0) + break; + case OPT_UPPER_V: verbose = Verbose = 1; - else if (strcmp(*argv, "-s") == 0) + break; + case OPT_S: use_supported = 1; + break; #ifndef OPENSSL_NO_SSL_TRACE - else if (strcmp(*argv, "-stdname") == 0) + case OPT_STDNAME: stdname = verbose = 1; + break; #endif #ifndef OPENSSL_NO_SSL3 - else if (strcmp(*argv, "-ssl3") == 0) + case OPT_SSL3: meth = SSLv3_client_method(); + break; #endif - else if (strcmp(*argv, "-tls1") == 0) + case OPT_TLS1: meth = TLSv1_client_method(); - else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) { - badops = 1; break; - } else { - ciphers = *argv; } - argc--; - argv++; } + argv = opt_rest(); + argc = opt_num_rest(); - if (badops) { - for (pp = ciphers_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); - goto end; - } - - OpenSSL_add_ssl_algorithms(); + if (argc == 1) + ciphers = *argv; + else if (argc != 0) + goto opthelp; ctx = SSL_CTX_new(meth); if (ctx == NULL) @@ -174,11 +173,11 @@ int MAIN(int argc, char **argv) if (p == NULL) break; if (i != 0) - BIO_printf(STDout, ":"); - BIO_printf(STDout, "%s", p); + BIO_printf(bio_out, ":"); + BIO_printf(bio_out, "%s", p); } - BIO_printf(STDout, "\n"); - } else { /* verbose */ + BIO_printf(bio_out, "\n"); + } else { for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { SSL_CIPHER *c; 
@@ -192,40 +191,32 @@ int MAIN(int argc, char **argv) int id2 = (int)((id >> 8) & 0xffL); int id3 = (int)(id & 0xffL); - if ((id & 0xff000000L) == 0x03000000L) { - /* SSL3 cipher */ - BIO_printf(STDout, " 0x%02X,0x%02X - ", id2, - id3); - } else { - /* whatever */ - BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, - id1, id2, id3); - } + if ((id & 0xff000000L) == 0x03000000L) + BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 + * cipher */ + else + BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ } #ifndef OPENSSL_NO_SSL_TRACE if (stdname) { const char *nm = SSL_CIPHER_standard_name(c); if (nm == NULL) nm = "UNKNOWN"; - BIO_printf(STDout, "%s - ", nm); + BIO_printf(bio_out, "%s - ", nm); } #endif - BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf)); + BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf)); } } ret = 0; - if (0) { + goto end; err: - SSL_load_error_strings(); - ERR_print_errors(bio_err); - } + ERR_print_errors(bio_err); end: if (use_supported && sk) sk_SSL_CIPHER_free(sk); SSL_CTX_free(ctx); SSL_free(ssl); - BIO_free_all(STDout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/cms.c b/apps/cms.c index 73f9037..397071c 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1,4 +1,3 @@ -/* apps/cms.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL * project. @@ -67,8 +66,6 @@ # include # include -# undef PROG -# define PROG cms_main static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int cms_cb(int ok, X509_STORE_CTX *ctx); static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); 
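Review bot: The cipher-id printing in the verbose branch of ciphers_main is now an unbraced `if`/`else` with its comments trailing the calls, and the first comment is wrapped across two lines (`/* SSL3` / `* cipher */`) between the `if` statement and the `else`. This is a style point: the removed version with braces and the comments above each call was easier to read, and safer to extend with a second statement in either arm. I would restore the braces and put `/* SSL3 cipher */` and `/* whatever */` on their own lines before the respective `BIO_printf(bio_out, ...)` calls. The surrounding loop starts outside this hunk.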
@@ -108,347 +105,456 @@ struct cms_key_param_st { cms_key_param *next; }; -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, + OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, + OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, + OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, + OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, + OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, + OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, + OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, + OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, + OPT_NOINDEF, OPT_NOOLDMIME, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, + OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_CAPATH, OPT_CONTENT, OPT_PRINT, OPT_SECRETKEY, + OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, OPT_RAND, + OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, + OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, + OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, + OPT_3DES_WRAP, OPT_ENGINE, + OPT_V_ENUM, + OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS cms_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', + " cert.pem... 
recipient certs for encryption\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"}, + {"outform", OPT_OUTFORM, 'F', + "Output format SMIME (default), PEM or DER"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, + {"sign", OPT_SIGN, '-', "Sign message"}, + {"sign_receipt", OPT_SIGN_RECEIPT, '-'}, + {"resign", OPT_RESIGN, '-'}, + {"verify", OPT_VERIFY, '-', "Verify signed message"}, + {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, + {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, + {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, + {"data_out", OPT_DATA_OUT, '-'}, + {"data_create", OPT_DATA_CREATE, '-'}, + {"digest_verify", OPT_DIGEST_VERIFY, '-'}, + {"digest_create", OPT_DIGEST_CREATE, '-'}, + {"compress", OPT_COMPRESS, '-'}, + {"uncompress", OPT_UNCOMPRESS, '-'}, + {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, + {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, + {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"asciicrlf", OPT_ASCIICRLF, '-'}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"nosmimecap", OPT_NOSMIMECAP, '-'}, + {"binary", OPT_BINARY, '-', "Don't translate message to text"}, + {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, + {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, + 
{"stream", OPT_INDEF, '-'}, + {"indef", OPT_INDEF, '-'}, + {"noindef", OPT_NOINDEF, '-'}, + {"nooldmime", OPT_NOOLDMIME, '-'}, + {"crlfeol", OPT_CRLFEOL, '-'}, + {"noout", OPT_NOOUT, '-'}, + {"receipt_request_print", OPT_RR_PRINT, '-'}, + {"receipt_request_all", OPT_RR_ALL, '-'}, + {"receipt_request_first", OPT_RR_FIRST, '-'}, + {"rctform", OPT_RCTFORM, 'F'}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"print", OPT_PRINT, '-'}, + {"secretkey", OPT_SECRETKEY, 's'}, + {"secretkeyid", OPT_SECRETKEYID, 's'}, + {"pwri_password", OPT_PWRI_PASSWORD, 's'}, + {"econtent_type", OPT_ECONTENT_TYPE, 's'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, + {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + {"md", OPT_MD, 's'}, + {"inkey", OPT_INKEY, '<', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, + {"receipt_request_from", OPT_RR_FROM, 's'}, + {"receipt_request_to", OPT_RR_TO, 's'}, +# ifndef OPENSSL_NO_AES + {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, + {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, + {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, +# endif +# ifndef OPENSSL_NO_DES + {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, +# endif +# ifndef OPENSSL_NO_ENGINE + 
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {"", OPT_CIPHER, '-', "Any supported cipher"}, + OPT_V_OPTIONS, + {NULL}, +}; -int MAIN(int argc, char **argv) +int cms_main(int argc, char **argv) { - ENGINE *e = NULL; - int operation = 0; - int ret = 0; - char **args; - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL, *rctfile = NULL; - char *signerfile = NULL, *recipfile = NULL; - STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile = NULL; - char *certsoutfile = NULL; - const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; - CMS_ContentInfo *cms = NULL, *rcms = NULL; - X509_STORE *store = NULL; - X509 *cert = NULL, *recip = NULL, *signer = NULL; - EVP_PKEY *key = NULL; - STACK_OF(X509) *encerts = NULL, *other = NULL; + ASN1_OBJECT *econtent_type = NULL; BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; - int badarg = 0; - int flags = CMS_DETACHED, noout = 0, print = 0; - int verify_retcode = 0; - int rr_print = 0, rr_allorfirst = -1; - STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + CMS_ContentInfo *cms = NULL, *rcms = NULL; CMS_ReceiptRequest *rr = NULL; - char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; - char *passargin = NULL, *passin = NULL; - char *inrand = NULL; - int need_rand = 0; + ENGINE *e = NULL; + EVP_PKEY *key = NULL; + const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; const EVP_MD *sign_md = NULL; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL; + char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL, *engine = NULL; + char *infile = NULL, *outfile = NULL, *rctfile = 
NULL, *inrand = NULL; + char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = + NULL; + char *to = NULL, *from = NULL, *subject = NULL, *prog; + cms_key_param *key_first = NULL, *key_param = NULL; + const char *inmode = "r", *outmode = "w"; + int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = + 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; - int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - unsigned char *secret_key = NULL, *secret_keyid = NULL; - unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + int need_rand = 0, operation = 0, ret = 1, rr_print = 0, rr_allorfirst = + -1; + int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; size_t secret_keylen = 0, secret_keyidlen = 0; + unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + unsigned char *secret_key = NULL, *secret_keyid = NULL; + long ltmp; + OPTION_CHOICE o; - cms_key_param *key_first = NULL, *key_param = NULL; - - ASN1_OBJECT *econtent_type = NULL; - - X509_VERIFY_PARAM *vpm = NULL; - - args = argv + 1; - ret = 1; - - apps_startup(); - - if (bio_err == NULL) { - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - } - - if (!load_config(bio_err, NULL)) - goto end; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-encrypt")) + prog = opt_init(argc, argv, cms_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(cms_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + 
break; + case OPT_ENCRYPT: operation = SMIME_ENCRYPT; - else if (!strcmp(*args, "-decrypt")) + break; + case OPT_DECRYPT: operation = SMIME_DECRYPT; - else if (!strcmp(*args, "-sign")) + break; + case OPT_SIGN: operation = SMIME_SIGN; - else if (!strcmp(*args, "-sign_receipt")) + break; + case OPT_SIGN_RECEIPT: operation = SMIME_SIGN_RECEIPT; - else if (!strcmp(*args, "-resign")) + break; + case OPT_RESIGN: operation = SMIME_RESIGN; - else if (!strcmp(*args, "-verify")) + break; + case OPT_VERIFY: operation = SMIME_VERIFY; - else if (!strcmp(*args, "-verify_retcode")) + break; + case OPT_VERIFY_RETCODE: verify_retcode = 1; - else if (!strcmp(*args, "-verify_receipt")) { + break; + case OPT_VERIFY_RECEIPT: operation = SMIME_VERIFY_RECEIPT; - if (!args[1]) - goto argerr; - args++; - rctfile = *args; - } else if (!strcmp(*args, "-cmsout")) + rctfile = opt_arg(); + break; + case OPT_CMSOUT: operation = SMIME_CMSOUT; - else if (!strcmp(*args, "-data_out")) + break; + case OPT_DATA_OUT: operation = SMIME_DATAOUT; - else if (!strcmp(*args, "-data_create")) + break; + case OPT_DATA_CREATE: operation = SMIME_DATA_CREATE; - else if (!strcmp(*args, "-digest_verify")) + break; + case OPT_DIGEST_VERIFY: operation = SMIME_DIGEST_VERIFY; - else if (!strcmp(*args, "-digest_create")) + break; + case OPT_DIGEST_CREATE: operation = SMIME_DIGEST_CREATE; - else if (!strcmp(*args, "-compress")) + break; + case OPT_COMPRESS: operation = SMIME_COMPRESS; - else if (!strcmp(*args, "-uncompress")) + break; + case OPT_UNCOMPRESS: operation = SMIME_UNCOMPRESS; - else if (!strcmp(*args, "-EncryptedData_decrypt")) + break; + case OPT_ED_DECRYPT: operation = SMIME_ENCRYPTED_DECRYPT; - else if (!strcmp(*args, "-EncryptedData_encrypt")) + break; + case OPT_ED_ENCRYPT: operation = SMIME_ENCRYPTED_ENCRYPT; -# ifndef OPENSSL_NO_DES - else if (!strcmp(*args, "-des3")) - cipher = EVP_des_ede3_cbc(); - else if (!strcmp(*args, "-des")) - cipher = EVP_des_cbc(); - else if (!strcmp(*args, "-des3-wrap")) - 
wrap_cipher = EVP_des_ede3_wrap(); -# endif -# ifndef OPENSSL_NO_SEED - else if (!strcmp(*args, "-seed")) - cipher = EVP_seed_cbc(); -# endif -# ifndef OPENSSL_NO_RC2 - else if (!strcmp(*args, "-rc2-40")) - cipher = EVP_rc2_40_cbc(); - else if (!strcmp(*args, "-rc2-128")) - cipher = EVP_rc2_cbc(); - else if (!strcmp(*args, "-rc2-64")) - cipher = EVP_rc2_64_cbc(); -# endif -# ifndef OPENSSL_NO_AES - else if (!strcmp(*args, "-aes128")) - cipher = EVP_aes_128_cbc(); - else if (!strcmp(*args, "-aes192")) - cipher = EVP_aes_192_cbc(); - else if (!strcmp(*args, "-aes256")) - cipher = EVP_aes_256_cbc(); - else if (!strcmp(*args, "-aes128-wrap")) - wrap_cipher = EVP_aes_128_wrap(); - else if (!strcmp(*args, "-aes192-wrap")) - wrap_cipher = EVP_aes_192_wrap(); - else if (!strcmp(*args, "-aes256-wrap")) - wrap_cipher = EVP_aes_256_wrap(); -# endif -# ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args, "-camellia128")) - cipher = EVP_camellia_128_cbc(); - else if (!strcmp(*args, "-camellia192")) - cipher = EVP_camellia_192_cbc(); - else if (!strcmp(*args, "-camellia256")) - cipher = EVP_camellia_256_cbc(); -# endif - else if (!strcmp(*args, "-debug_decrypt")) + break; + case OPT_DEBUG_DECRYPT: flags |= CMS_DEBUG_DECRYPT; - else if (!strcmp(*args, "-text")) + break; + case OPT_TEXT: flags |= CMS_TEXT; - else if (!strcmp(*args, "-asciicrlf")) + break; + case OPT_ASCIICRLF: flags |= CMS_ASCIICRLF; - else if (!strcmp(*args, "-nointern")) + break; + case OPT_NOINTERN: flags |= CMS_NOINTERN; - else if (!strcmp(*args, "-noverify") - || !strcmp(*args, "-no_signer_cert_verify")) + break; + case OPT_NOVERIFY: flags |= CMS_NO_SIGNER_CERT_VERIFY; - else if (!strcmp(*args, "-nocerts")) + break; + case OPT_NOCERTS: flags |= CMS_NOCERTS; - else if (!strcmp(*args, "-noattr")) + break; + case OPT_NOATTR: flags |= CMS_NOATTR; - else if (!strcmp(*args, "-nodetach")) + break; + case OPT_NODETACH: flags &= ~CMS_DETACHED; - else if (!strcmp(*args, "-nosmimecap")) + break; + case OPT_NOSMIMECAP: 
flags |= CMS_NOSMIMECAP; - else if (!strcmp(*args, "-binary")) + break; + case OPT_BINARY: flags |= CMS_BINARY; - else if (!strcmp(*args, "-keyid")) + break; + case OPT_KEYID: flags |= CMS_USE_KEYID; - else if (!strcmp(*args, "-nosigs")) + break; + case OPT_NOSIGS: flags |= CMS_NOSIGS; - else if (!strcmp(*args, "-no_content_verify")) + break; + case OPT_NO_CONTENT_VERIFY: flags |= CMS_NO_CONTENT_VERIFY; - else if (!strcmp(*args, "-no_attr_verify")) + break; + case OPT_NO_ATTR_VERIFY: flags |= CMS_NO_ATTR_VERIFY; - else if (!strcmp(*args, "-stream")) + break; + case OPT_INDEF: flags |= CMS_STREAM; - else if (!strcmp(*args, "-indef")) - flags |= CMS_STREAM; - else if (!strcmp(*args, "-noindef")) + break; + case OPT_NOINDEF: flags &= ~CMS_STREAM; - else if (!strcmp(*args, "-nooldmime")) + break; + case OPT_NOOLDMIME: flags |= CMS_NOOLDMIMETYPE; - else if (!strcmp(*args, "-crlfeol")) + break; + case OPT_CRLFEOL: flags |= CMS_CRLFEOL; - else if (!strcmp(*args, "-noout")) + break; + case OPT_NOOUT: noout = 1; - else if (!strcmp(*args, "-receipt_request_print")) + break; + case OPT_RR_PRINT: rr_print = 1; - else if (!strcmp(*args, "-receipt_request_all")) + break; + case OPT_RR_ALL: rr_allorfirst = 0; - else if (!strcmp(*args, "-receipt_request_first")) + break; + case OPT_RR_FIRST: rr_allorfirst = 1; - else if (!strcmp(*args, "-receipt_request_from")) { - if (!args[1]) - goto argerr; - args++; - if (!rr_from) - rr_from = sk_OPENSSL_STRING_new_null(); - sk_OPENSSL_STRING_push(rr_from, *args); - } else if (!strcmp(*args, "-receipt_request_to")) { - if (!args[1]) - goto argerr; - args++; - if (!rr_to) - rr_to = sk_OPENSSL_STRING_new_null(); - sk_OPENSSL_STRING_push(rr_to, *args); - } else if (!strcmp(*args, "-print")) { - noout = 1; - print = 1; - } else if (!strcmp(*args, "-secretkey")) { - long ltmp; - if (!args[1]) - goto argerr; - args++; - secret_key = string_to_hex(*args, <mp); - if (!secret_key) { - BIO_printf(bio_err, "Invalid key %s\n", *args); - goto argerr; + 
break; + case OPT_RCTFORM: + if (rctformat == FORMAT_SMIME) + rcms = SMIME_read_CMS(rctin, NULL); + else if (rctformat == FORMAT_PEM) + rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); + else if (rctformat == FORMAT_ASN1) + if (!opt_format(opt_arg(), + OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) + goto opthelp; + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_RR_FROM: + if (rr_from == NULL + && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_from, opt_arg()); + break; + case OPT_RR_TO: + if (rr_to == NULL + && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_to, opt_arg()); + break; + case OPT_PRINT: + noout = print = 1; + break; + case OPT_SECRETKEY: + secret_key = string_to_hex(opt_arg(), <mp); + if (secret_key == NULL) { + BIO_printf(bio_err, "Invalid key %s\n", opt_arg()); + goto end; } secret_keylen = (size_t)ltmp; - } else if (!strcmp(*args, "-secretkeyid")) { - long ltmp; - if (!args[1]) - goto argerr; - args++; - secret_keyid = string_to_hex(*args, <mp); - if (!secret_keyid) { - BIO_printf(bio_err, "Invalid id %s\n", *args); - goto argerr; + break; + case OPT_SECRETKEYID: + secret_keyid = string_to_hex(opt_arg(), <mp); + if (secret_keyid == NULL) { + BIO_printf(bio_err, "Invalid id %s\n", opt_arg()); + goto opthelp; } secret_keyidlen = (size_t)ltmp; - } else if (!strcmp(*args, "-pwri_password")) { - if (!args[1]) - goto argerr; - args++; - pwri_pass = (unsigned char *)*args; - } else if (!strcmp(*args, "-econtent_type")) { - if (!args[1]) - goto argerr; - args++; - econtent_type = OBJ_txt2obj(*args, 0); - if (!econtent_type) { - BIO_printf(bio_err, "Invalid OID %s\n", *args); - goto argerr; + break; + case OPT_PWRI_PASSWORD: + pwri_pass = (unsigned char 
*)opt_arg(); + break; + case OPT_ECONTENT_TYPE: + econtent_type = OBJ_txt2obj(opt_arg(), 0); + if (econtent_type == NULL) { + BIO_printf(bio_err, "Invalid OID %s\n", opt_arg()); + goto opthelp; } - } else if (!strcmp(*args, "-rand")) { - if (!args[1]) - goto argerr; - args++; - inrand = *args; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - } -# ifndef OPENSSL_NO_ENGINE - else if (!strcmp(*args, "-engine")) { - if (!args[1]) - goto argerr; - engine = *++args; - } -# endif - else if (!strcmp(*args, "-passin")) { - if (!args[1]) - goto argerr; - passargin = *++args; - } else if (!strcmp(*args, "-to")) { - if (!args[1]) - goto argerr; - to = *++args; - } else if (!strcmp(*args, "-from")) { - if (!args[1]) - goto argerr; - from = *++args; - } else if (!strcmp(*args, "-subject")) { - if (!args[1]) - goto argerr; - subject = *++args; - } else if (!strcmp(*args, "-signer")) { - if (!args[1]) - goto argerr; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_CERTSOUT: + certsoutfile = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &sign_md)) + goto end; + break; + case OPT_SIGNER: /* If previous -signer argument add signer to list */ - if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) + if (keyfile == NULL) keyfile = signerfile; - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; } - signerfile = *++args; - } else if (!strcmp(*args, "-recip")) { - if (!args[1]) - goto argerr; - if (operation == SMIME_ENCRYPT) 
{ - if (!encerts) - encerts = sk_X509_new_null(); - cert = load_cert(bio_err, *++args, FORMAT_PEM, - NULL, e, "recipient certificate file"); - if (!cert) - goto end; - sk_X509_push(encerts, cert); - cert = NULL; - } else - recipfile = *++args; - } else if (!strcmp(*args, "-certsout")) { - if (!args[1]) - goto argerr; - certsoutfile = *++args; - } else if (!strcmp(*args, "-md")) { - if (!args[1]) - goto argerr; - sign_md = EVP_get_digestbyname(*++args); - if (sign_md == NULL) { - BIO_printf(bio_err, "Unknown digest %s\n", *args); - goto argerr; - } - } else if (!strcmp(*args, "-inkey")) { - if (!args[1]) - goto argerr; + signerfile = opt_arg(); + break; + case OPT_INKEY: /* If previous -inkey arument add signer to list */ if (keyfile) { - if (!signerfile) { + if (signerfile == NULL) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + goto end; } - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); } - keyfile = *++args; - } else if (!strcmp(*args, "-keyform")) { - if (!args[1]) - goto argerr; - keyform = str2fmt(*++args); - } else if (!strcmp(*args, "-keyopt")) { - int keyidx = -1; - if (!args[1]) - goto argerr; + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_RECIP: + if (operation == SMIME_ENCRYPT) { + if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) + goto end; + cert = load_cert(opt_arg(), FORMAT_PEM, NULL, e, + "recipient certificate file"); + if (cert == NULL) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + } else + recipfile = opt_arg(); + break; + case OPT_CIPHER: + if 
(!opt_cipher(opt_unknown(), &cipher)) + goto end; + break; + case OPT_KEYOPT: + keyidx = -1; if (operation == SMIME_ENCRYPT) { if (encerts) keyidx += sk_X509_num(encerts); @@ -460,17 +566,18 @@ int MAIN(int argc, char **argv) } if (keyidx < 0) { BIO_printf(bio_err, "No key specified\n"); - goto argerr; + goto opthelp; } if (key_param == NULL || key_param->idx != keyidx) { cms_key_param *nparam; nparam = OPENSSL_malloc(sizeof(cms_key_param)); if (!nparam) { BIO_printf(bio_err, "Out of memory\n"); - goto argerr; + goto end; } nparam->idx = keyidx; - nparam->param = sk_OPENSSL_STRING_new_null(); + if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; nparam->next = NULL; if (key_first == NULL) key_first = nparam; 
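Review bot: The new failure path for `sk_OPENSSL_STRING_new_null()` in the `-keyopt` handling jumps to `end` before `nparam` has been linked into the `key_first` list, and `nparam` is local to that block, so the freshly allocated node is leaked. The path also exits without the "Out of memory" message that the `OPENSSL_malloc` failure a few lines above prints. Free the node and report the error before leaving: `if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) { OPENSSL_free(nparam); BIO_printf(bio_err, "Out of memory\n"); goto end; }`. The enclosing `case OPT_KEYOPT` starts before this hunk and continues past it.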
@@ -478,83 +585,68 @@ int MAIN(int argc, char **argv) key_param->next = nparam; key_param = nparam; } - sk_OPENSSL_STRING_push(key_param->param, *++args); - } else if (!strcmp(*args, "-rctform")) { - if (!args[1]) - goto argerr; - rctformat = str2fmt(*++args); - } else if (!strcmp(*args, "-certfile")) { - if (!args[1]) - goto argerr; - certfile = *++args; - } else if (!strcmp(*args, "-CAfile")) { - if (!args[1]) - goto argerr; - CAfile = *++args; - } else if (!strcmp(*args, "-CApath")) { - if (!args[1]) - goto argerr; - CApath = *++args; - } else if (!strcmp(*args, "-in")) { - if (!args[1]) - goto argerr; - infile = *++args; - } else if (!strcmp(*args, "-inform")) { - if (!args[1]) - goto argerr; - informat = str2fmt(*++args); - } else if (!strcmp(*args, "-outform")) { - if (!args[1]) - goto argerr; - outformat = str2fmt(*++args); - } else if (!strcmp(*args, "-out")) { - if (!args[1]) - goto argerr; - outfile = *++args; - } else if (!strcmp(*args, "-content")) { - if (!args[1]) - goto argerr; - contfile = *++args; - } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) - continue; - else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) - badarg = 1; - args++; + sk_OPENSSL_STRING_push(key_param->param, opt_arg()); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; +# ifndef OPENSSL_NO_DES + case OPT_3DES_WRAP: + wrap_cipher = EVP_des_ede3_wrap(); + break; +# endif +# ifndef OPENSSL_NO_AES + case OPT_AES128_WRAP: + wrap_cipher = EVP_aes_128_wrap(); + break; + case OPT_AES192_WRAP: + wrap_cipher = EVP_aes_192_wrap(); + break; + case OPT_AES256_WRAP: + wrap_cipher = EVP_aes_256_wrap(); + break; +# endif + } } + argc = opt_num_rest(); + argv = opt_rest(); if (((rr_allorfirst != -1) || rr_from) && !rr_to) { BIO_puts(bio_err, "No Signed Receipts Recipients\n"); - goto argerr; + goto opthelp; } if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); - 
goto argerr; + goto opthelp; } if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); - goto argerr; + goto opthelp; } if (operation & SMIME_SIGNERS) { if (keyfile && !signerfile) { BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + goto opthelp; } /* Check to see if any final signer needs to be appended */ if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (!sksigners + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; if (!keyfile) keyfile = signerfile; sk_OPENSSL_STRING_push(skkeys, keyfile); } if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); - badarg = 1; + goto opthelp; } signerfile = NULL; keyfile = NULL; 
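Review bot: With the old `-rctform` branch removed in this hunk, the receipt format is set only by `case OPT_RCTFORM`, added earlier in this file's diff, and that case as written does not store the requested format. It calls `opt_format()` only when `rctformat` is already `FORMAT_ASN1`. With the initial `FORMAT_SMIME` it instead runs `rcms = SMIME_read_CMS(rctin, NULL)` during option parsing, which looks like receipt-reading code pasted into the wrong place (`rctin` is presumably not opened yet at that point). The case body should be just `if (!opt_format(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) goto opthelp;` followed by `break;`. The hunk that contains the case begins outside this view.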
@@ -565,121 +657,28 @@ int MAIN(int argc, char **argv) if (!recipfile && !keyfile && !secret_key && !pwri_pass) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); - badarg = 1; + goto opthelp; } } else if (operation == SMIME_ENCRYPT) { - if (!*args && !secret_key && !pwri_pass && !encerts) { + if (*argv == NULL && !secret_key && !pwri_pass && !encerts) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); - badarg = 1; + goto opthelp; } need_rand = 1; } else if (!operation) - badarg = 1; - - if (badarg) { - argerr: - BIO_printf(bio_err, "Usage cms [options] cert.pem ...\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-encrypt encrypt message\n"); - BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); - BIO_printf(bio_err, "-sign sign message\n"); - BIO_printf(bio_err, "-verify verify signed message\n"); - BIO_printf(bio_err, "-cmsout output CMS structure\n"); -# ifndef OPENSSL_NO_DES - BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); - BIO_printf(bio_err, "-des encrypt with DES\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "-seed encrypt with SEED\n"); -# endif -# ifndef OPENSSL_NO_RC2 - BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); - BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); - BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif - BIO_printf(bio_err, - "-nointern don't search certificates in message for signer\n"); - BIO_printf(bio_err, - "-nosigs don't verify message signature\n"); - BIO_printf(bio_err, - "-noverify don't verify signers certificate\n"); - BIO_printf(bio_err, - "-nocerts don't include signers 
certificate when signing\n"); - BIO_printf(bio_err, "-nodetach use opaque signing\n"); - BIO_printf(bio_err, - "-noattr don't include any signed attributes\n"); - BIO_printf(bio_err, - "-binary don't translate message to text\n"); - BIO_printf(bio_err, "-certfile file other certificates file\n"); - BIO_printf(bio_err, "-certsout file certificate output file\n"); - BIO_printf(bio_err, "-signer file signer certificate file\n"); - BIO_printf(bio_err, - "-recip file recipient certificate file for decryption\n"); - BIO_printf(bio_err, "-keyid use subject key identifier\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, - "-inform arg input format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-inkey file input private key (if not signer or recipient)\n"); - BIO_printf(bio_err, - "-keyform arg input private key format (PEM or ENGINE)\n"); - BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-outform arg output format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-content file supply or override content for detached signature\n"); - BIO_printf(bio_err, "-to addr to address\n"); - BIO_printf(bio_err, "-from ad from address\n"); - BIO_printf(bio_err, "-subject s subject\n"); - BIO_printf(bio_err, - "-text include or delete text MIME headers\n"); - BIO_printf(bio_err, - "-CApath dir trusted certificates directory\n"); - BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf(bio_err, - "-trusted_first use locally trusted certificates first when building trust chain\n"); - BIO_printf(bio_err, - "-no_alt_chains only ever use the first certificate chain found\n"); - BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); - BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - 
"-engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, - "cert.pem recipient certificate(s) for encryption\n"); - goto end; - } + goto opthelp; + # ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (need_rand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); @@ -721,20 +720,21 @@ int MAIN(int argc, char **argv) goto end; } - if (*args && !encerts) - encerts = sk_X509_new_null(); - while (*args) { - if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, + if (*argv && !encerts) + if ((encerts = sk_X509_new_null()) == NULL) + goto end; + while (*argv) { + if (!(cert = load_cert(*argv, FORMAT_PEM, NULL, e, "recipient certificate file"))) goto end; sk_X509_push(encerts, cert); cert = NULL; - args++; + argv++; } } if (certfile) { - if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, + if (!(other = load_certs(certfile, FORMAT_PEM, NULL, e, "certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -742,7 +742,7 @@ int MAIN(int argc, char **argv) } if (recipfile && (operation == SMIME_DECRYPT)) { - if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, + if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL, e, "recipient certificate file"))) { ERR_print_errors(bio_err); goto end; 
@@ -750,7 +750,7 @@ int MAIN(int argc, char **argv) } if (operation == SMIME_SIGN_RECEIPT) { - if (!(signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + if (!(signer = load_cert(signerfile, FORMAT_PEM, NULL, e, "receipt signer certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -767,19 +767,14 @@ int MAIN(int argc, char **argv) keyfile = NULL; if (keyfile) { - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; } - if (infile) { - if (!(in = BIO_new_file(infile, inmode))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); + in = bio_open_default(infile, inmode); + if (in == NULL) + goto end; if (operation & SMIME_IP) { if (informat == FORMAT_SMIME) @@ -841,26 +836,15 @@ int MAIN(int argc, char **argv) } } - if (outfile) { - if (!(out = BIO_new_file(outfile, outmode))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } + out = bio_open_default(outfile, outmode); + if (out == NULL) + goto end; if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { - if (!(store = setup_verify(bio_err, CAfile, CApath))) + if (!(store = setup_verify(CAfile, CApath))) goto end; X509_STORE_set_verify_cb(store, cms_cb); - if (vpm) + if (vpmtouched) X509_STORE_set1_param(store, vpm); } 
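Review bot: The result of `X509_STORE_set1_param(store, vpm)` is ignored in the verify setup. If copying the parameters fails, `-verify` and `-verify_receipt` carry on with the store's default settings, and any checks requested on the command line (the removed usage text lists `-crl_check` and `-crl_check_all`) are silently not applied. Treat a failure as fatal: `if (vpmtouched && !X509_STORE_set1_param(store, vpm)) goto end;`. The enclosing function starts and ends outside this hunk.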
@@ -983,12 +967,11 @@ int MAIN(int argc, char **argv) signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + signer = load_cert(signerfile, FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) goto end; - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; for (kparam = key_first; kparam; kparam = kparam->next) { @@ -1137,11 +1120,10 @@ int MAIN(int argc, char **argv) if (ret) ERR_print_errors(bio_err); if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); sk_X509_pop_free(encerts, X509_free); sk_X509_pop_free(other, X509_free); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); if (sksigners) sk_OPENSSL_STRING_free(sksigners); if (skkeys) @@ -1211,7 +1193,8 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx) && ((error != X509_V_OK) || (ok != 2))) return ok; - policies_print(NULL, ctx); + /* Should be bio_err? */ + policies_print(bio_out, ctx); return ok; diff --git a/apps/crl.c b/apps/crl.c index 6819faa..b8c592c 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -1,4 +1,3 @@ -/* apps/crl.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
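Review bot: The added `/* Should be bio_err? */` leaves an open question in the verify callback, and the answer matters for output integrity. `policies_print(bio_out, ctx)` emits policy diagnostics on `bio_out`, while the CMS result is written to `out`, which `bio_open_default(outfile, outmode)` presumably points at stdout when no `-out` is given. If `bio_out` is also stdout, the diagnostics are interleaved with the verified content or PEM/DER output that a caller pipes onward. Send them to the error stream with `policies_print(bio_err, ctx);` and drop the comment. `cms_cb` begins and ends outside this hunk.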
@@ -66,199 +65,168 @@ #include #include -#undef PROG -#define PROG crl_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY, + OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT, + OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, + OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD, OPT_NOOUT, + OPT_NAMEOPT, OPT_MD +} OPTION_CHOICE; -#undef POSTFIX -#define POSTFIX ".rvk" - -static const char *crl_usage[] = { - "usage: crl args\n", - "\n", - " -inform arg - input format - default PEM (DER or PEM)\n", - " -outform arg - output format - default PEM\n", - " -text - print out a text format version\n", - " -in arg - input file - default stdin\n", - " -out arg - output file - default stdout\n", - " -hash - print hash value\n", +OPTIONS crl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"out", OPT_OUT, '>', "output file - default stdout"}, + {"keyform", OPT_KEYFORM, 'F'}, + {"key", OPT_KEY, '<'}, + {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, + {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"}, + {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"}, + {"noout", OPT_NOOUT, '-', "No CRL output"}, + {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"}, + {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"}, + {"badsig", OPT_BADSIG, '-'}, + {"gendelta", OPT_GENDELTA, '<'}, + {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"}, + {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"}, + {"verify", OPT_VERIFY, '-'}, + {"text", OPT_TEXT, '-', "Print out a text format version"}, + {"hash", OPT_HASH, '-', "Print hash value"}, #ifndef OPENSSL_NO_MD5 - " -hash_old - print old-style (MD5) hash value\n", + {"hash_old", 
OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"}, #endif - " -fingerprint - print the crl fingerprint\n", - " -issuer - print issuer DN\n", - " -lastupdate - lastUpdate field\n", - " -nextupdate - nextUpdate field\n", - " -crlnumber - print CRL number\n", - " -noout - no CRL output\n", - " -CAfile name - verify CRL using certificates in file \"name\"\n", - " -CApath dir - verify CRL using certificates in \"dir\"\n", - " -nameopt arg - various certificate name options\n", - NULL + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"", OPT_MD, '-', "Any supported digest"}, + {NULL} }; -static BIO *bio_out = NULL; - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +int crl_main(int argc, char **argv) { - unsigned long nmflag = 0; X509_CRL *x = NULL; - char *CAfile = NULL, *CApath = NULL; - int ret = 1, i, num, badops = 0, badsig = 0; BIO *out = NULL; - int informat, outformat, keyformat; - char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL; - int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = - 0, text = 0; -#ifndef OPENSSL_NO_MD5 - int hash_old = 0; -#endif - int fingerprint = 0, crlnumber = 0; - const char **pp; X509_STORE *store = NULL; X509_STORE_CTX ctx; X509_LOOKUP *lookup = NULL; X509_OBJECT xobj; EVP_PKEY *pkey; - int do_ver = 0; - const EVP_MD *md_alg, *digest = EVP_sha1(); - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - if (bio_out == NULL) - if ((bio_out = BIO_new(BIO_s_file())) != NULL) { - BIO_set_fp(bio_out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - bio_out = BIO_push(tmpbio, bio_out); - } + const EVP_MD *digest = EVP_sha1(); + unsigned long nmflag = 0; + char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL; + char *CAfile = NULL, *CApath = NULL, *prog; + 
OPTION_CHOICE o; + int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = + 0, text = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = + 0, i, do_ver = 0; +#ifndef OPENSSL_NO_MD5 + int hash_old = 0; #endif - } - - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - keyformat = FORMAT_PEM; - argc--; - argv++; - num = 0; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-gendelta") == 0) { - if (--argc < 1) - goto bad; - crldiff = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath = *(++argv); - do_ver = 1; - } else if (strcmp(*argv, "-CAfile") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); + prog = opt_init(argc, argv, crl_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(crl_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), 
OPT_FMT_PEMDER, &keyformat)) + goto opthelp; + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_GENDELTA: + crldiff = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); do_ver = 1; - } else if (strcmp(*argv, "-verify") == 0) + break; + case OPT_CAFILE: + CAfile = opt_arg(); do_ver = 1; - else if (strcmp(*argv, "-text") == 0) - text = 1; - else if (strcmp(*argv, "-hash") == 0) - hash = ++num; + break; #ifndef OPENSSL_NO_MD5 - else if (strcmp(*argv, "-hash_old") == 0) + case OPT_HASH_OLD: hash_old = ++num; + break; #endif - else if (strcmp(*argv, "-nameopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_name_ex(&nmflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-issuer") == 0) + case OPT_VERIFY: + do_ver = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_HASH: + hash = ++num; + break; + case OPT_ISSUER: issuer = ++num; - else if (strcmp(*argv, "-lastupdate") == 0) + break; + case OPT_LASTUPDATE: lastupdate = ++num; - else if (strcmp(*argv, "-nextupdate") == 0) + break; + case OPT_NEXTUPDATE: nextupdate = ++num; - else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = ++num; - else if (strcmp(*argv, "-fingerprint") == 0) + break; + case OPT_FINGERPRINT: fingerprint = ++num; - else if (strcmp(*argv, "-crlnumber") == 0) + break; + case OPT_CRLNUMBER: crlnumber = ++num; - else if (strcmp(*argv, "-badsig") == 0) + break; + case OPT_BADSIG: badsig = 1; - else if ((md_alg = EVP_get_digestbyname(*argv + 1))) { - /* ok */ - digest = md_alg; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; + case OPT_NAMEOPT: + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &digest)) + goto opthelp; } - argc--; - argv++; - } - - if (badops) { - bad: - for (pp = crl_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); - goto end; } + argc = opt_num_rest(); + argv = opt_rest(); - ERR_load_crypto_strings(); x = 
load_crl(infile, informat); - if (x == NULL) { + if (x == NULL) goto end; - } if (do_ver) { - store = X509_STORE_new(); - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - if (lookup == NULL) + if (!(store = setup_verify(CAfile, CApath))) goto end; - if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) - X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); - - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto end; - if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) - X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); - ERR_clear_error(); - if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) { BIO_printf(bio_err, "Error initialising X509 store\n"); goto end; @@ -295,8 +263,7 @@ int MAIN(int argc, char **argv) newcrl = load_crl(crldiff, informat); if (!newcrl) goto end; - pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL, - "CRL signing key"); + pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); if (!pkey) { X509_CRL_free(newcrl); goto end; @@ -371,27 +338,9 @@ int MAIN(int argc, char **argv) } } } - - out = BIO_new(BIO_s_file()); - if (out == NULL) { - ERR_print_errors(bio_err); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } - - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } if (text) X509_CRL_print(out, x); 
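Review bot: In the `do_ver` block, the `lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());` line and its NULL check that remain after the new `setup_verify(CAfile, CApath)` call look like leftovers. The code that used `lookup` to load `CAfile` and `CApath` is removed, and `setup_verify()` presumably configures the store's lookups itself. The lines also keep a bad failure path: if the lookup is NULL, control reaches `end:` with `store` set but `ctx` never initialised, and the cleanup shown in the later hunk then calls `X509_STORE_CTX_cleanup(&ctx)` on it. Drop both lines (and the `lookup` variable if nothing else uses it), or track whether `X509_STORE_CTX_init()` succeeded and clean up `ctx` only in that case. `crl_main` starts in this hunk and ends outside it; separately, `case OPT_MD` ends without a `break;`.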
@@ -406,28 +355,22 @@ int MAIN(int argc, char **argv) if (outformat == FORMAT_ASN1) i = (int)i2d_X509_CRL_bio(out, x); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_X509_CRL(out, x); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write CRL\n"); goto end; } ret = 0; + end: if (ret != 0) ERR_print_errors(bio_err); BIO_free_all(out); - BIO_free_all(bio_out); - bio_out = NULL; X509_CRL_free(x); if (store) { X509_STORE_CTX_cleanup(&ctx); X509_STORE_free(store); } - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/crl2p7.c b/apps/crl2p7.c index 86b3a94..d75b667 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -1,4 +1,3 @@ -/* apps/crl2p7.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
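Review bot: In the `@@ -406,28 +355,22 @@` hunk the `end:` cleanup calls `X509_STORE_CTX_cleanup(&ctx)` whenever `store` is non-NULL, but the verify setup earlier in this function can reach `end` after `setup_verify()` has succeeded and before `X509_STORE_CTX_init(&ctx, ...)` has run, via the `lookup == NULL` path. If `ctx` is an uninitialised automatic object (its declaration is outside this hunk, so this needs confirming), the cleanup then operates on indeterminate memory. Recording a successful init in a flag and guarding the call, `if (ctx_init) X509_STORE_CTX_cleanup(&ctx);`, would close that path; `ctx_init` is a name proposed here, not one from the file.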
@@ -74,129 +73,89 @@ #include static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile); -#undef PROG -#define PROG crl2pkcs7_main -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - */ +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS crl2pkcs7_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"}, + {"certfile", OPT_CERTFILE, '<', + "File of chain of certs to a trusted CA; can be repeated"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int crl2pkcs7_main(int argc, char **argv) { - int i, badops = 0; BIO *in = NULL, *out = NULL; - int informat, outformat; - char *infile, *outfile, *prog, *certfile; PKCS7 *p7 = NULL; PKCS7_SIGNED *p7s = NULL; - X509_CRL *crl = NULL; STACK_OF(OPENSSL_STRING) *certflst = NULL; - STACK_OF(X509_CRL) *crl_stack = NULL; STACK_OF(X509) *cert_stack = NULL; - int ret = 1, nocrl = 0; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; + STACK_OF(X509_CRL) *crl_stack = NULL; + X509_CRL *crl = NULL; + char *infile = NULL, *outfile = NULL, *prog, *certfile; + int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = + 0; + OPTION_CHOICE o; - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - 
informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-nocrl") == 0) { + prog = opt_init(argc, argv, crl2pkcs7_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(crl2pkcs7_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOCRL: nocrl = 1; - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-certfile") == 0) { - if (--argc < 1) - goto bad; - if (!certflst) - certflst = sk_OPENSSL_STRING_new_null(); - if (!certflst) + break; + case OPT_CERTFILE: + if (!certflst && !(certflst = sk_OPENSSL_STRING_new_null())) goto end; if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) { sk_OPENSSL_STRING_free(certflst); goto end; } - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; } - argc--; - argv++; - } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, - " -certfile arg certificates file of chain to a trusted CA\n"); - BIO_printf(bio_err, " (can be used more than once)\n"); - BIO_printf(bio_err, - " 
-nocrl no crl to load, just certs from '-certfile'\n"); - ret = 1; - goto end; - } - - ERR_load_crypto_strings(); - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); - goto end; } + argc = opt_num_rest(); + argv = opt_rest(); if (!nocrl) { - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } + in = bio_open_default(infile, RB(informat)); + if (in == NULL) + goto end; if (informat == FORMAT_ASN1) crl = d2i_X509_CRL_bio(in, NULL); else if (informat == FORMAT_PEM) crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, "bad input format specified for input crl\n"); - goto end; - } if (crl == NULL) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); @@ -238,29 +197,14 @@ int MAIN(int argc, char **argv) sk_OPENSSL_STRING_free(certflst); - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, WB(outformat)); + if (out == NULL) + goto end; if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); else if (outformat == FORMAT_PEM) i = PEM_write_bio_PKCS7(out, p7); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); ERR_print_errors(bio_err); @@ -274,8 +218,7 @@ int MAIN(int argc, char **argv) if (crl != NULL) X509_CRL_free(crl); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } /*- 
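Review bot: In the `@@ -74,129 +73,89 @@` hunk, `case OPT_CERTFILE` still pushes `*(++argv)` onto `certflst`, a leftover from the hand-rolled parser; the `opt_next()` loop does not advance `argv`, so this stores successive elements of the original argument vector instead of the value given to `-certfile`. The line should read `if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) {`, matching the other value-taking cases in this switch. As written, the certificates bundled into the PKCS#7 output may come from a file other than the one the caller named, or the load may fail on a string that is not a path at all.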
@@ -296,8 +239,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile) STACK_OF(X509_INFO) *sk = NULL; X509_INFO *xi; - in = BIO_new(BIO_s_file()); - if ((in == NULL) || (BIO_read_filename(in, certfile) <= 0)) { + in = BIO_new_file(certfile, "r"); + if (in == NULL) { BIO_printf(bio_err, "error opening the file, %s\n", certfile); goto end; } diff --git a/apps/dgst.c b/apps/dgst.c index 7006000..21b8c7f 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -1,4 +1,3 @@ -/* apps/dgst.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -71,221 +70,186 @@ #undef BUFSIZE #define BUFSIZE 1024*8 -#undef PROG -#define PROG dgst_main - int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *sig_name, const char *md_name, const char *file, BIO *bmd); -static void list_md_fn(const EVP_MD *m, - const char *from, const char *to, void *arg) -{ - const char *mname; - /* Skip aliases */ - if (!m) - return; - mname = OBJ_nid2ln(EVP_MD_type(m)); - /* Skip shortnames */ - if (strcmp(from, mname)) - return; - /* Skip clones */ - if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) - return; - if (strchr(mname, ' ')) - mname = EVP_MD_name(m); - BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", - mname, mname); -} - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY, + OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL, + OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, + OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, + OPT_DIGEST +} OPTION_CHOICE; + +OPTIONS dgst_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"}, + {OPT_HELP_STR, 1, '-', + " file... 
files to digest (default is stdin)\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"c", OPT_C, '-', "Print the digest with separating colons"}, + {"r", OPT_R, '-', "Print the digest in coreutils format"}, + {"rand", OPT_RAND, 's'}, + {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, + {"passin", OPT_PASSIN, 's'}, + {"sign", OPT_SIGN, '<', "Sign digest using private key in file"}, + {"verify", OPT_VERIFY, '<', + "Verify a signature using public key in file"}, + {"prverify", OPT_PRVERIFY, '<', + "Verify a signature using private key in file"}, + {"signature", OPT_SIGNATURE, '<', "File with signature to verify"}, + {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +#endif + {"engine_impl", OPT_ENGINE_IMPL, '-'}, + {"hex", OPT_HEX, '-', "Print as hex dump"}, + {"binary", OPT_BINARY, '-', "Print in binary form"}, + {"d", OPT_DEBUG, '-', "Print debug info"}, + {"debug", OPT_DEBUG, '-'}, + {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'}, + {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, + {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"}, + {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"}, + {"sigop", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"macop", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"}, + {"", OPT_DIGEST, '-', "Any supported digest"}, + {NULL} +}; + +int dgst_main(int argc, char **argv) { + BIO *in = NULL, *inp, *bmd = NULL, *out = NULL; ENGINE *e = NULL, *impl = NULL; - unsigned char *buf = NULL; - int i, err = 1; + EVP_PKEY *sigkey = NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; + char *hmac_key = NULL; + char *mac_name = NULL; + char *passinarg = NULL, *passin = NULL; const EVP_MD *md = NULL, *m; - BIO *in = NULL, *inp; - BIO *bmd = NULL; - BIO *out = NULL; -#define PROG_NAME_SIZE 39 - char pname[PROG_NAME_SIZE + 1]; - int separator = 0; - int debug = 0; 
- int keyform = FORMAT_PEM; - const char *outfile = NULL, *keyfile = NULL; + const char *outfile = NULL, *keyfile = NULL, *prog = NULL; const char *sigfile = NULL, *randfile = NULL; - int out_bin = -1, want_pub = 0, do_verify = 0; - EVP_PKEY *sigkey = NULL; - unsigned char *sigbuf = NULL; - int siglen = 0; - char *passargin = NULL, *passin = NULL; + OPTION_CHOICE o; + int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; + int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = + 0, non_fips_allow = 0; + unsigned char *buf = NULL, *sigbuf = NULL; #ifndef OPENSSL_NO_ENGINE char *engine = NULL; int engine_impl = 0; #endif - char *hmac_key = NULL; - char *mac_name = NULL; - int non_fips_allow = 0; - STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; - - apps_startup(); + prog = opt_progname(argv[0]); if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); + BIO_printf(bio_err, "%s: out of memory\n", prog); goto end; } - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - /* first check the program name */ - program_name(argv[0], pname, sizeof pname); - - md = EVP_get_digestbyname(pname); - - argc--; - argv++; - while (argc > 0) { - if ((*argv)[0] != '-') - break; - if (strcmp(*argv, "-c") == 0) + md = EVP_get_digestbyname(prog); + + prog = opt_init(argc, argv, dgst_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dgst_options); + ret = 0; + goto end; + case OPT_C: separator = 1; - else if (strcmp(*argv, "-r") == 0) + break; + case OPT_R: separator = 2; - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - break; - randfile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - break; - 
outfile = *(++argv); - } else if (strcmp(*argv, "-sign") == 0) { - if (--argc < 1) - break; - keyfile = *(++argv); - } else if (!strcmp(*argv, "-passin")) { - if (--argc < 1) - break; - passargin = *++argv; - } else if (strcmp(*argv, "-verify") == 0) { - if (--argc < 1) - break; - keyfile = *(++argv); - want_pub = 1; - do_verify = 1; - } else if (strcmp(*argv, "-prverify") == 0) { - if (--argc < 1) - break; - keyfile = *(++argv); + break; + case OPT_RAND: + randfile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_SIGN: + keyfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_VERIFY: + keyfile = opt_arg(); + want_pub = do_verify = 1; + break; + case OPT_PRVERIFY: + keyfile = opt_arg(); do_verify = 1; - } else if (strcmp(*argv, "-signature") == 0) { - if (--argc < 1) - break; - sigfile = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - break; - keyform = str2fmt(*(++argv)); - } + break; + case OPT_SIGNATURE: + sigfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; #ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - break; - engine = *(++argv); - e = setup_engine(bio_err, engine, 0); - } else if (strcmp(*argv, "-engine_impl") == 0) + case OPT_ENGINE: + engine = opt_arg(); + e = setup_engine(engine, 0); + break; + case OPT_ENGINE_IMPL: engine_impl = 1; + break; #endif - else if (strcmp(*argv, "-hex") == 0) + case OPT_HEX: out_bin = 0; - else if (strcmp(*argv, "-binary") == 0) + break; + case OPT_BINARY: out_bin = 1; - else if (strcmp(*argv, "-d") == 0) + break; + case OPT_DEBUG: debug = 1; - else if (!strcmp(*argv, "-fips-fingerprint")) + break; + case OPT_FIPS_FINGERPRINT: hmac_key = "etaonrishdlcupfm"; - else if (strcmp(*argv, "-non-fips-allow") == 0) + break; + case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; - else if (!strcmp(*argv, "-hmac")) { - if (--argc < 
1) - break; - hmac_key = *++argv; - } else if (!strcmp(*argv, "-mac")) { - if (--argc < 1) - break; - mac_name = *++argv; - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - break; + break; + case OPT_HMAC: + hmac_key = opt_arg(); + break; + case OPT_MAC: + mac_name = opt_arg(); + break; + case OPT_SIGOPT: if (!sigopts) sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - break; - } else if (strcmp(*argv, "-macopt") == 0) { - if (--argc < 1) - break; + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; + case OPT_MACOPT: if (!macopts) macopts = sk_OPENSSL_STRING_new_null(); - if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) - break; - } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL) + if (!macopts || !sk_OPENSSL_STRING_push(macopts, opt_arg())) + goto opthelp; + break; + case OPT_DIGEST: + if (!opt_md(opt_unknown(), &m)) + goto opthelp; md = m; - else break; - argc--; - argv++; + } } + argc = opt_num_rest(); + argv = opt_rest(); if (do_verify && !sigfile) { BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); goto end; } - - if ((argc > 0) && (argv[0][0] == '-')) { /* bad option */ - BIO_printf(bio_err, "unknown option '%s'\n", *argv); - BIO_printf(bio_err, "options are\n"); - BIO_printf(bio_err, - "-c to output the digest with separating colons\n"); - BIO_printf(bio_err, - "-r to output the digest in coreutils format\n"); - BIO_printf(bio_err, "-d to output debug info\n"); - BIO_printf(bio_err, "-hex output as hex dump\n"); - BIO_printf(bio_err, "-binary output in binary form\n"); - BIO_printf(bio_err, "-hmac arg set the HMAC key to arg\n"); - BIO_printf(bio_err, "-non-fips-allow allow use of non FIPS digest\n"); - BIO_printf(bio_err, - "-sign file sign digest using private key in file\n"); - BIO_printf(bio_err, - "-verify file verify a signature using public key in file\n"); - BIO_printf(bio_err, - "-prverify file 
verify a signature using private key in file\n"); - BIO_printf(bio_err, - "-keyform arg key file format (PEM or ENGINE)\n"); - BIO_printf(bio_err, - "-out filename output to filename rather than stdout\n"); - BIO_printf(bio_err, "-signature file signature to verify\n"); - BIO_printf(bio_err, "-sigopt nm:v signature parameter\n"); - BIO_printf(bio_err, "-hmac key create hashed MAC with key\n"); - BIO_printf(bio_err, - "-mac algorithm create MAC (not neccessarily HMAC)\n"); - BIO_printf(bio_err, - "-macopt nm:v MAC algorithm parameters or key\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -#endif - - EVP_MD_do_all_sorted(list_md_fn, bio_err); - goto end; - } #ifndef OPENSSL_NO_ENGINE if (engine_impl) impl = e; @@ -304,7 +268,7 @@ int MAIN(int argc, char **argv) BIO_set_callback_arg(in, (char *)bio_err); } - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } @@ -317,29 +281,12 @@ int MAIN(int argc, char **argv) } if (randfile) - app_RAND_load_file(randfile, bio_err, 0); + app_RAND_load_file(randfile, 0); - if (outfile) { - if (out_bin) - out = BIO_new_file(outfile, "wb"); - else - out = BIO_new_file(outfile, "w"); - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (!out) { - BIO_printf(bio_err, "Error opening output file %s\n", - outfile ? outfile : "(stdout)"); - ERR_print_errors(bio_err); + out = bio_open_default(outfile, out_bin ? "wb" : "w"); + if (out == NULL) goto end; - } + if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) { BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); goto end; 
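Review bot: In the `@@ -71,221 +70,186 @@` hunk the option table spells two entries `"sigop"` and `"macop"`, while the parser being replaced matched `-sigopt` and `-macopt` and the enum values are still `OPT_SIGOPT`/`OPT_MACOPT`. Unless the rename is intended, existing invocations that pass signature or MAC parameters will no longer be recognised. The entries should be `{"sigopt", OPT_SIGOPT, 's', ...}` and `{"macopt", OPT_MACOPT, 's', ...}`. Separately, `"engine_impl"` sits outside the `#ifndef OPENSSL_NO_ENGINE` guard in the table while its `case` is inside the guard in the switch, so a no-engine build would accept the flag and silently ignore it.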
@@ -347,11 +294,9 @@ int MAIN(int argc, char **argv) if (keyfile) { if (want_pub) - sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL, - e, "key file"); + sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file"); else - sigkey = load_key(bio_err, keyfile, keyform, 0, passin, - e, "key file"); + sigkey = load_key(keyfile, keyform, 0, passin, e, "key file"); if (!sigkey) { /* * load_[pub]key() has already printed an appropriate message @@ -363,7 +308,7 @@ int MAIN(int argc, char **argv) if (mac_name) { EVP_PKEY_CTX *mac_ctx = NULL; int r = 0; - if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0)) + if (!init_gen_str(&mac_ctx, mac_name, impl, 0)) goto mac_end; if (macopts) { char *macopt; @@ -443,25 +388,23 @@ int MAIN(int argc, char **argv) if (md == NULL) md = EVP_md5(); if (!EVP_DigestInit_ex(mctx, md, impl)) { - BIO_printf(bio_err, "Error setting digest %s\n", pname); + BIO_printf(bio_err, "Error setting digest\n"); ERR_print_errors(bio_err); goto end; } } if (sigfile && sigkey) { - BIO *sigbio; - sigbio = BIO_new_file(sigfile, "rb"); - siglen = EVP_PKEY_size(sigkey); - sigbuf = OPENSSL_malloc(siglen); + BIO *sigbio = BIO_new_file(sigfile, "rb"); if (!sigbio) { BIO_printf(bio_err, "Error opening signature file %s\n", sigfile); ERR_print_errors(bio_err); goto end; } + siglen = EVP_PKEY_size(sigkey); + sigbuf = OPENSSL_malloc(siglen); if (!sigbuf) { BIO_printf(bio_err, "Out of memory\n"); - ERR_print_errors(bio_err); goto end; } siglen = BIO_read(sigbio, sigbuf, siglen); @@ -482,7 +425,7 @@ int MAIN(int argc, char **argv) if (argc == 0) { BIO_set_fp(in, stdin, BIO_NOCLOSE); - err = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf, + ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf, siglen, NULL, NULL, "stdin", bmd); } else { const char *md_name = NULL, *sig_name = NULL; 
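Review bot: In the `@@ -443,25 +388,23 @@` hunk the context line `if (md == NULL) md = EVP_md5();` leaves MD5 as the digest whenever neither the program name nor a digest option selected one. MD5 is not collision resistant, so anyone relying on the tool's default for integrity checks gets a weak hash without asking for it. A stronger default such as `md = EVP_sha256();` is worth considering, with the change called out in the help text because it alters output for callers that depend on the default. The enclosing block starts outside the hunk, so whether the signing and MAC paths share this fallback needs confirming there.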
@@ -497,18 +440,18 @@ int MAIN(int argc, char **argv) if (md) md_name = EVP_MD_name(md); } - err = 0; + ret = 0; for (i = 0; i < argc; i++) { int r; if (BIO_read_filename(in, argv[i]) <= 0) { perror(argv[i]); - err++; + ret++; continue; } else r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf, siglen, sig_name, md_name, argv[i], bmd); if (r) - err = r; + ret = r; (void)BIO_reset(bmd); } } @@ -529,8 +472,7 @@ int MAIN(int argc, char **argv) if (sigbuf) OPENSSL_free(sigbuf); BIO_free(bmd); - apps_shutdown(); - OPENSSL_EXIT(err); + return (ret); } int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, diff --git a/apps/dh.c b/apps/dh.c deleted file mode 100644 index 1b653f5..0000000 --- a/apps/dh.c +++ /dev/null 
@@ -1,325 +0,0 @@ -/* apps/dh.c */ -/* obsoleted by dhparam.c */ -/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay at cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh at cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay at cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include /* for OPENSSL_NO_DH */ -#ifndef OPENSSL_NO_DH -# include -# include -# include -# include -# include "apps.h" -# include -# include -# include -# include -# include -# include - -# undef PROG -# define PROG dh_main - -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -check - check the parameters are ok - * -noout - * -text - * -C - */ - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) -{ - DH *dh = NULL; - int i, badops = 0, text = 0; - BIO *in = NULL, *out = NULL; - int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; - char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE - char *engine; -# endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - -# ifndef OPENSSL_NO_ENGINE - engine = NULL; -# endif - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif - else if (strcmp(*argv, "-check") == 0) - check = 1; - else if (strcmp(*argv, "-text") == 0) - text = 1; - else if (strcmp(*argv, "-C") == 0) - C = 1; - else if (strcmp(*argv, "-noout") == 0) - noout = 1; - else { - BIO_printf(bio_err, "unknown 
option %s\n", *argv); - badops = 1; - break; - } - argc--; - argv++; - } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n"); - BIO_printf(bio_err, - " -outform arg output format - one of DER PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, " -check check the DH parameters\n"); - BIO_printf(bio_err, - " -text print a text form of the DH parameters\n"); - BIO_printf(bio_err, " -C Output C code\n"); - BIO_printf(bio_err, " -noout no output\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -# endif - goto end; - } - - ERR_load_crypto_strings(); - -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); - goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } - - if (informat == FORMAT_ASN1) - dh = d2i_DHparams_bio(in, NULL); - else if (informat == FORMAT_PEM) - dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, "bad input format specified\n"); - goto end; - } - if (dh == NULL) { - BIO_printf(bio_err, "unable to load DH parameters\n"); - ERR_print_errors(bio_err); - goto end; - } - - if (text) { - DHparams_print(out, dh); - } - - if (check) { - if (!DH_check(dh, &i)) { - ERR_print_errors(bio_err); - goto end; - } - if (i & 
DH_CHECK_P_NOT_PRIME) - printf("p value is not prime\n"); - if (i & DH_CHECK_P_NOT_SAFE_PRIME) - printf("p value is not a safe prime\n"); - if (i & DH_UNABLE_TO_CHECK_GENERATOR) - printf("unable to check the generator value\n"); - if (i & DH_NOT_SUITABLE_GENERATOR) - printf("the g value is not a generator\n"); - if (i == 0) - printf("DH parameters appear to be ok.\n"); - } - if (C) { - unsigned char *data; - int len, l, bits; - - len = BN_num_bytes(dh->p); - bits = BN_num_bits(dh->p); - data = (unsigned char *)OPENSSL_malloc(len); - if (data == NULL) { - perror("OPENSSL_malloc"); - goto end; - } - l = BN_bn2bin(dh->p, data); - printf("static unsigned char dh%d_p[]={", bits); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t};\n"); - - l = BN_bn2bin(dh->g, data); - printf("static unsigned char dh%d_g[]={", bits); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t};\n\n"); - - printf("DH *get_dh%d()\n\t{\n", bits); - printf("\tDH *dh;\n\n"); - printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n"); - printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n", - bits, bits); - printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n", - bits, bits); - printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n"); - printf("\t\treturn(NULL);\n"); - printf("\treturn(dh);\n\t}\n"); - OPENSSL_free(data); - } - - if (!noout) { - if (outformat == FORMAT_ASN1) - i = i2d_DHparams_bio(out, dh); - else if (outformat == FORMAT_PEM) - i = PEM_write_bio_DHparams(out, dh); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } - if (!i) { - BIO_printf(bio_err, "unable to write DH parameters\n"); - ERR_print_errors(bio_err); - goto end; - } - } - ret = 0; - end: - BIO_free(in); - BIO_free_all(out); - DH_free(dh); - apps_shutdown(); - OPENSSL_EXIT(ret); -} -#else /* !OPENSSL_NO_DH */ - -# if PEDANTIC -static void *dummy = 
&dummy; -# endif - -#endif diff --git a/apps/dhparam.c b/apps/dhparam.c index fc5962a..e842ca5 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -1,4 +1,3 @@ -/* apps/dhparam.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -127,170 +126,131 @@ # include # endif -# undef PROG -# define PROG dhparam_main - # define DEFBITS 2048 -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -dsaparam - read or generate DSA parameters, convert to DH - * -check - check the parameters are ok - * -noout - * -text - * -C - */ - static int dh_cb(int p, int n, BN_GENCB *cb); -int MAIN(int, char **); - -int MAIN(int argc, char **argv) -{ - DH *dh = NULL; - int i, badops = 0, text = 0; -# ifndef OPENSSL_NO_DSA - int dsaparam = 0; -# endif - BIO *in = NULL, *out = NULL; - int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; - char *infile, *outfile, *prog; - char *inrand = NULL; +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, + OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT, + OPT_RAND, OPT_DSAPARAM, OPT_C, OPT_2, OPT_5 +} OPTION_CHOICE; + +OPTIONS dhparam_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"check", OPT_CHECK, '-', "Check the DH parameters"}, + {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"}, + {"noout", OPT_NOOUT, '-'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"C", OPT_C, '-', "Print C code"}, + {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"}, + {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, # ifndef OPENSSL_NO_ENGINE - char *engine = NULL; + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, # endif - int num = 0, g = 0; - 
- apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } +# ifndef OPENSSL_NO_DSA + {"dsaparam", OPT_DSAPARAM, '-', + "Read or generate DSA parameters, convert to DH"}, # endif - else if (strcmp(*argv, "-check") == 0) + {NULL} +}; + +int dhparam_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + DH *dh = NULL; + char *engine = NULL, *infile = NULL, *outfile = NULL, *prog, *inrand = + NULL; + int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, dhparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dhparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: 
+ engine = opt_arg(); + break; + case OPT_CHECK: check = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = 1; -# ifndef OPENSSL_NO_DSA - else if (strcmp(*argv, "-dsaparam") == 0) + break; + case OPT_DSAPARAM: dsaparam = 1; -# endif - else if (strcmp(*argv, "-C") == 0) + break; + case OPT_C: C = 1; - else if (strcmp(*argv, "-noout") == 0) - noout = 1; - else if (strcmp(*argv, "-2") == 0) + break; + case OPT_2: g = 2; - else if (strcmp(*argv, "-5") == 0) + break; + case OPT_5: g = 5; - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } else if (((sscanf(*argv, "%d", &num) == 0) || (num <= 0))) - goto bad; - argv++; - argc--; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_RAND: + inrand = opt_arg(); + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] [numbits]\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n"); - BIO_printf(bio_err, - " -outform arg output format - one of DER PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); -# ifndef OPENSSL_NO_DSA - BIO_printf(bio_err, - " -dsaparam read or generate DSA parameters, convert to DH\n"); -# endif - BIO_printf(bio_err, " -check check the DH parameters\n"); - BIO_printf(bio_err, - " -text print a text form of the DH parameters\n"); - BIO_printf(bio_err, " -C Output C code\n"); - BIO_printf(bio_err, - " -2 generate parameters using 2 as the generator value\n"); - BIO_printf(bio_err, - " -5 generate parameters using 5 as the generator value\n"); - BIO_printf(bio_err, - " numbits number of bits in to generate (default 2048)\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - 
BIO_printf(bio_err, - " - load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, " -noout no output\n"); + if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) goto end; - } - - ERR_load_crypto_strings(); # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif if (g && !num) num = DEFBITS; # ifndef OPENSSL_NO_DSA - if (dsaparam) { - if (g) { - BIO_printf(bio_err, - "generator may not be chosen for DSA parameters\n"); - goto end; - } - } else -# endif - { - /* DH parameters */ - if (num && !g) - g = 2; + if (dsaparam && g) { + BIO_printf(bio_err, + "generator may not be chosen for DSA parameters\n"); + goto end; } +# endif + /* DH parameters */ + if (num && !g) + g = 2; if (num) { @@ -302,7 +262,7 @@ int MAIN(int argc, char **argv) } BN_GENCB_set(cb, dh_cb, bio_err); - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) { + if (!app_RAND_load_file(NULL, 1) && inrand == NULL) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); } @@ -348,27 +308,13 @@ int MAIN(int argc, char **argv) } BN_GENCB_free(cb); - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); } else { - in = BIO_new(BIO_s_file()); - if (in == NULL) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, RB(informat)); + if (in == NULL) goto end; - } - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } - if (informat != FORMAT_ASN1 && informat != FORMAT_PEM) { - BIO_printf(bio_err, "bad input format specified\n"); - goto end; - } # ifndef OPENSSL_NO_DSA if (dsaparam) { DSA *dsa; 
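Review bot: The positional numbits check in dhparam_main, `if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) goto end;`, exits with ret still 1 but prints nothing for a zero or negative value, where the removed code jumped to the usage text. Any further positional arguments are silently ignored, since only `argv[0]` is examined after `opt_rest()`. I would print the same hint as the option loop before leaving, `BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);`, and treat `argc > 1` as an error too. Whether opt_int reports a non-numeric argument itself is not visible here, so the silent case may be limited to `num <= 0`. The `noout` entry in dhparam_options also has no help string; `{"noout", OPT_NOOUT, '-', "No output"},` would match dsaparam_options.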
@@ -408,25 +354,9 @@ int MAIN(int argc, char **argv) /* dh != NULL */ } - out = BIO_new(BIO_s_file()); - if (out == NULL) { - ERR_print_errors(bio_err); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } if (text) { DHparams_print(out, dh); @@ -450,7 +380,7 @@ int MAIN(int argc, char **argv) } if (C) { unsigned char *data; - int len, l, bits; + int len, bits; len = BN_num_bytes(dh->p); bits = BN_num_bits(dh->p); 
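Review bot: The output BIO is opened with a fixed text mode, `out = bio_open_default(outfile, "w");`, even when `-outform DER` is selected, while the input side in the previous hunk derives its mode from the format with `RB(informat)`. On platforms that translate line endings in text mode this can corrupt binary DER output, unless bio_open_default compensates, which is not visible here. The write mode should be derived from `outformat` the same way the read side is. The same fixed `"w"` appears in the apps/dsa.c hunk at -291 and in the apps/dsaparam.c hunk at -103, where the input is also opened with a plain `"r"` regardless of `informat`.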
@@ -459,54 +389,39 @@ int MAIN(int argc, char **argv) perror("OPENSSL_malloc"); goto end; } - printf("#ifndef HEADER_DH_H\n" - "#include \n" "#endif\n"); - printf("DH *get_dh%d()\n\t{\n", bits); - - l = BN_bn2bin(dh->p, data); - printf("\tstatic unsigned char dh%d_p[]={", bits); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t\t};\n"); - - l = BN_bn2bin(dh->g, data); - printf("\tstatic unsigned char dh%d_g[]={", bits); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t\t};\n"); - - printf("\tDH *dh;\n\n"); - printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n"); - printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n", + BIO_printf(out, "#ifndef HEADER_DH_H\n" + "# include \n" + "#endif\n" + "\n"); + BIO_printf(out, "DH *get_dh%d()\n{\n", bits); + print_bignum_var(out, dh->p, "dhp", bits, data); + print_bignum_var(out, dh->g, "dhg", bits, data); + BIO_printf(out, " DH *dh = DN_new();\n" + "\n" + " if (dh == NULL)\n" + " return NULL;\n"); + BIO_printf(out, " dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n", bits, bits); - printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n", + BIO_printf(out, " dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n", bits, bits); - printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n"); - printf("\t\t{ DH_free(dh); return(NULL); }\n"); + BIO_printf(out, " if (!dh->p || !dh->g) {\n" + " DH_free(dh);\n" + " return NULL;\n" + " }\n"); if (dh->length) - printf("\tdh->length = %ld;\n", dh->length); - printf("\treturn(dh);\n\t}\n"); + BIO_printf(out, + " dh->length = %ld;\n", dh->length); + BIO_printf(out, " return dh;\n}\n"); OPENSSL_free(data); } if (!noout) { if (outformat == FORMAT_ASN1) i = i2d_DHparams_bio(out, dh); - else if (outformat == FORMAT_PEM) { - if (dh->q) - i = PEM_write_bio_DHxparams(out, dh); - else - i = PEM_write_bio_DHparams(out, dh); - } else { - BIO_printf(bio_err, "bad 
output format specified for outfile\n"); - goto end; - } + else if (dh->q) + i = PEM_write_bio_DHxparams(out, dh); + else + i = PEM_write_bio_DHparams(out, dh); if (!i) { BIO_printf(bio_err, "unable to write DH parameters\n"); ERR_print_errors(bio_err); @@ -518,11 +433,9 @@ int MAIN(int argc, char **argv) BIO_free(in); BIO_free_all(out); DH_free(dh); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } -/* dh_cb is identical to dsa_cb in apps/dsaparam.c */ static int dh_cb(int p, int n, BN_GENCB *cb) { char c = '*'; diff --git a/apps/dsa.c b/apps/dsa.c index 1ea0d73..9d7c97f 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -1,4 +1,3 @@ -/* apps/dsa.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
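Review bot: The C source emitted for `-C` calls a function that does not exist: the literal `" DH *dh = DN_new();\n"` should be `" DH *dh = DH_new();\n"`, so every generated `get_dh<bits>()` fails to compile as written. The removed code printed `DH_new()` correctly, so this is a regression introduced by the rewrite of the printf block. The include line inside the emitted `HEADER_DH_H` guard shows no file name on this page, most likely stripped by the mail archive; confirm it against the repository. A test that compiles the `-C` output would catch both.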
@@ -71,214 +70,145 @@ # include # include -# undef PROG -# define PROG dsa_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, + OPT_ENGINE, OPT_PVK_STRONG, OPT_PVK_WEAK, + OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN, + OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT +} OPTION_CHOICE; -/*- - * -inform arg - input format - default PEM (one of DER, NET or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -des - encrypt output if PEM format with DES in cbc mode - * -des3 - encrypt output if PEM format - * -idea - encrypt output if PEM format - * -aes128 - encrypt output if PEM format - * -aes192 - encrypt output if PEM format - * -aes256 - encrypt output if PEM format - * -camellia128 - encrypt output if PEM format - * -camellia192 - encrypt output if PEM format - * -camellia256 - encrypt output if PEM format - * -seed - encrypt output if PEM format - * -text - print a text version - * -modulus - print the DSA public key - */ - -int MAIN(int, char **); +OPTIONS dsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"}, + {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pvk-strong", OPT_PVK_STRONG, '-'}, + {"pvk-weak", OPT_PVK_WEAK, '-'}, + {"pvk-none", OPT_PVK_NONE, '-'}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key in text"}, + {"modulus", OPT_MODULUS, '-', "Print the DSA public value"}, + {"pubin", OPT_PUBIN, '-'}, + {"pubout", OPT_PUBOUT, '-'}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"", 
OPT_CIPHER, '-', "Any supported cipher"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int dsa_main(int argc, char **argv) { - ENGINE *e = NULL; - int ret = 1; + BIO *out = NULL; DSA *dsa = NULL; - int i, badops = 0; + ENGINE *e = NULL; const EVP_CIPHER *enc = NULL; - BIO *in = NULL, *out = NULL; - int informat, outformat, text = 0, noout = 0; - int pubin = 0, pubout = 0; - char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE - char *engine; -# endif - char *passargin = NULL, *passargout = NULL; - char *passin = NULL, *passout = NULL; - int modulus = 0; + char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = + NULL; + OPTION_CHOICE o; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1; -#ifndef OPENSSL_NO_RC4 - int pvk_encr = 2; + prog = opt_init(argc, argv, dsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +#ifdef OPENSSL_NO_RC4 + case OPT_PVK_STRONG: + case OPT_PVK_WEAK: + case OPT_PVK_NONE: #endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - -# ifndef OPENSSL_NO_ENGINE - engine = NULL; -# endif - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - 
if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif + opthelp: + ret = 0; + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dsa_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format + (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format + (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; #ifndef OPENSSL_NO_RC4 - else if (strcmp(*argv, "-pvk-strong") == 0) + case OPT_PVK_STRONG: pvk_encr = 2; - else if (strcmp(*argv, "-pvk-weak") == 0) + break; + case OPT_PVK_WEAK: pvk_encr = 1; - else if (strcmp(*argv, "-pvk-none") == 0) + break; + case OPT_PVK_NONE: pvk_encr = 0; + break; #endif - else if (strcmp(*argv, "-noout") == 0) + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-modulus") == 0) + break; + case OPT_MODULUS: modulus = 1; - else if (strcmp(*argv, "-pubin") == 0) + break; + case OPT_PUBIN: pubin = 1; - else if (strcmp(*argv, "-pubout") == 0) + break; + case OPT_PUBOUT: pubout = 1; - else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto end; break; } - argc--; - argv++; - } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options 
are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, - " -passin arg input file pass phrase source\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, - " -passout arg output file pass phrase source\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, - " -des encrypt PEM output with cbc des\n"); - BIO_printf(bio_err, - " -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); -# ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, - " -idea encrypt PEM output with cbc idea\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, " -aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, - " -seed encrypt PEM output with cbc seed\n"); -# endif - BIO_printf(bio_err, " -text print the key in text\n"); - BIO_printf(bio_err, " -noout don't print key out\n"); - BIO_printf(bio_err, " -modulus print the DSA public value\n"); - goto end; } - - ERR_load_crypto_strings(); + argc = opt_num_rest(); + argv = opt_rest(); # ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); - goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - 
if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } - BIO_printf(bio_err, "read DSA key\n"); - { EVP_PKEY *pkey; if (pubin) - pkey = load_pubkey(bio_err, infile, informat, 1, - passin, e, "Public Key"); + pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key"); else - pkey = load_key(bio_err, infile, informat, 1, - passin, e, "Private Key"); + pkey = load_key(infile, informat, 1, passin, e, "Private Key"); if (pkey) { dsa = EVP_PKEY_get1_DSA(pkey); @@ -291,20 +221,9 @@ int MAIN(int argc, char **argv) goto end; } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; if (text) if (!DSA_print(out, dsa, 0)) { @@ -314,13 +233,15 @@ int MAIN(int argc, char **argv) } if (modulus) { - fprintf(stdout, "Public Key="); + BIO_printf(out, "Public Key="); BN_print(out, dsa->pub_key); - fprintf(stdout, "\n"); + BIO_printf(out, "\n"); } - if (noout) + if (noout) { + ret = 0; goto end; + } BIO_printf(bio_err, "writing DSA key\n"); if (outformat == FORMAT_ASN1) { if (pubin || pubout) @@ -353,18 +274,17 @@ int MAIN(int argc, char **argv) if (i <= 0) { BIO_printf(bio_err, "unable to write private key\n"); ERR_print_errors(bio_err); - } else - ret = 0; + goto end; + } + ret = 0; end: - BIO_free(in); BIO_free_all(out); DSA_free(dsa); if (passin) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } #else /* !OPENSSL_NO_DSA */ diff --git a/apps/dsaparam.c b/apps/dsaparam.c index f63ecb2..b314409 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -1,4 +1,3 @@ -/* apps/dsaparam.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
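Review bot: The `opthelp:` label in dsa_main sets `ret = 0;` before printing "Use -help for summary." and jumping to `end`, so an unknown option or a rejected `-inform`/`-outform` value makes the command exit with success status. A script converting keys would then treat a run that wrote nothing as successful. dhparam_main and dsaparam_main in this commit leave ret at 1 on the same path; drop the `ret = 0;` line under `opthelp:` and keep it only in `case OPT_HELP:`. The `pvk-strong`, `pvk-weak`, `pvk-none`, `pubin` and `pubout` entries in dsa_options also carry no help string.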
@@ -72,24 +71,6 @@ # include # include -# undef PROG -# define PROG dsaparam_main - -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -noout - * -text - * -C - * -noout - * -genkey - * #ifdef GENCB_TEST - * -timebomb n - interrupt keygen after seconds - * #endif - */ - # ifdef GENCB_TEST static int stop_keygen_flag = 0; 
@@ -103,169 +84,129 @@ static void timebomb_sigalarm(int foo) static int dsa_cb(int p, int n, BN_GENCB *cb); -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, + OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE, + OPT_TIMEBOMB +} OPTION_CHOICE; + +OPTIONS dsaparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Print as text"}, + {"C", OPT_C, '-', "Output C code"}, + {"noout", OPT_NOOUT, '-', "No output"}, + {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, + {"rand", OPT_RAND, 's', "Files to use for random number input"}, + {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif +# ifdef GENCB_TEST + {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"}, +# endif + {NULL} +}; -int MAIN(int argc, char **argv) +int dsaparam_main(int argc, char **argv) { DSA *dsa = NULL; - int i, badops = 0, text = 0; BIO *in = NULL, *out = NULL; - int informat, outformat, noout = 0, C = 0, ret = 1; - char *infile, *outfile, *prog, *inrand = NULL; - int numbits = -1, num, genkey = 0; - int need_rand = 0; - int non_fips_allow = 0; BN_GENCB *cb = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif + int numbits = -1, num, genkey = 0, need_rand = 0, non_fips_allow = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0, ret = + 1; + int i, text = 0; # ifdef GENCB_TEST int timebomb = 0; # endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) 
- goto end; - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif + char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL, *engine = + NULL; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, dsaparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dsaparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_TIMEBOMB: # ifdef GENCB_TEST - else if (strcmp(*argv, "-timebomb") == 0) { - if (--argc < 1) - goto bad; - timebomb = atoi(*(++argv)); - } + timebomb = atoi(opt_arg()); + break; # endif - else if (strcmp(*argv, "-text") == 0) + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-C") == 0) + break; + case OPT_C: C = 1; - else if (strcmp(*argv, "-genkey") == 0) { - genkey = 1; - need_rand = 1; - } else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); + break; + case OPT_GENKEY: + genkey = need_rand = 
1; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - } else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-non-fips-allow") == 0) + break; + case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; - else if (sscanf(*argv, "%d", &num) == 1) { - /* generate a key */ - numbits = num; - need_rand = 1; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] [bits] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, " -text print as text\n"); - BIO_printf(bio_err, " -C Output C code\n"); - BIO_printf(bio_err, " -noout no output\n"); - BIO_printf(bio_err, " -genkey generate a DSA key\n"); - BIO_printf(bio_err, - " -rand files to use for random number input\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -# endif -# ifdef GENCB_TEST - BIO_printf(bio_err, - " -timebomb n interrupt keygen after seconds\n"); -# endif - BIO_printf(bio_err, - " number number of bits to use for generating private key\n"); - goto end; + if (argc == 1) { + if (!opt_int(argv[0], &num)) + goto end; + /* generate a key */ + numbits = num; + need_rand = 1; } - ERR_load_crypto_strings(); - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, "r"); + if (in == NULL) + goto end; + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 
0) { - perror(infile); - goto end; - } - } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif if (need_rand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); @@ -319,12 +260,8 @@ int MAIN(int argc, char **argv) } } else if (informat == FORMAT_ASN1) dsa = d2i_DSAparams_bio(in, NULL); - else if (informat == FORMAT_PEM) + else dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, "bad input format specified\n"); - goto end; - } if (dsa == NULL) { BIO_printf(bio_err, "unable to load DSA parameters\n"); ERR_print_errors(bio_err); @@ -337,7 +274,7 @@ int MAIN(int argc, char **argv) if (C) { unsigned char *data; - int l, len, bits_p; + int len, bits_p; len = BN_num_bytes(dsa->p); bits_p = BN_num_bits(dsa->p); 
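Review bot: The positional bit count in dsaparam_main is accepted without a range check: `if (!opt_int(argv[0], &num)) goto end;` is followed by `numbits = num;` and `need_rand = 1;`, so zero or a negative value passes, and anything beyond one positional argument is ignored because only `argc == 1` is handled. dhparam_main in this commit rejects `num <= 0`; `if (!opt_int(argv[0], &num) || num <= 0) goto end;` would keep the two tools consistent, though how numbits is used afterwards lies outside this hunk. In the option switch, `case OPT_TIMEBOMB:` falls through into `case OPT_TEXT:` when GENCB_TEST is undefined, because the `break;` sits inside the `#ifdef`. The table entry is compiled out in that configuration, so the case looks unreachable, but moving the `break;` after `# endif` makes that explicit.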
@@ -346,57 +283,33 @@ int MAIN(int argc, char **argv) perror("OPENSSL_malloc"); goto end; } - l = BN_bn2bin(dsa->p, data); - printf("static unsigned char dsa%d_p[]={", bits_p); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t};\n"); - - l = BN_bn2bin(dsa->q, data); - printf("static unsigned char dsa%d_q[]={", bits_p); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t};\n"); - - l = BN_bn2bin(dsa->g, data); - printf("static unsigned char dsa%d_g[]={", bits_p); - for (i = 0; i < l; i++) { - if ((i % 12) == 0) - printf("\n\t"); - printf("0x%02X,", data[i]); - } - printf("\n\t};\n\n"); - printf("DSA *get_dsa%d()\n\t{\n", bits_p); - printf("\tDSA *dsa;\n\n"); - printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n"); - printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n", + BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); + print_bignum_var(bio_out, dsa->p, "dsap", len, data); + print_bignum_var(bio_out, dsa->q, "dsaq", len, data); + print_bignum_var(bio_out, dsa->g, "dsag", len, data); + BIO_printf(bio_out, " DSA *dsa = DSA_new();\n" + "\n"); + BIO_printf(bio_out, " if (dsa == NULL)\n" + " return NULL;\n"); + BIO_printf(bio_out, " dsa->p = BN_bin2bn(dsap_%d, sizeof (dsap_%d), NULL);\n", bits_p, bits_p); - printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n", + BIO_printf(bio_out, " dsa->q = BN_bin2bn(dsaq_%d, sizeof (dsaq_%d), NULL);\n", bits_p, bits_p); - printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n", + BIO_printf(bio_out, " dsa->g = BN_bin2bn(dsag_%d, sizeof (dsag_%d), NULL);\n", bits_p, bits_p); - printf - ("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n"); - printf("\t\t{ DSA_free(dsa); return(NULL); }\n"); - printf("\treturn(dsa);\n\t}\n"); + BIO_printf(bio_out, " if (!dsa->p || !dsa->q || !dsa->g) {\n" + " DSA_free(dsa);\n" + " return NULL;\n" + " }\n" + " return(dsa);\n}\n"); 
} if (!noout) { if (outformat == FORMAT_ASN1) i = i2d_DSAparams_bio(out, dsa); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_DSAparams(out, dsa); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write DSA parameters\n"); ERR_print_errors(bio_err); @@ -418,18 +331,13 @@ int MAIN(int argc, char **argv) } if (outformat == FORMAT_ASN1) i = i2d_DSAPrivateKey_bio(out, dsakey); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL, NULL); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - DSA_free(dsakey); - goto end; - } DSA_free(dsakey); } if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); ret = 0; end: if (cb != NULL) @@ -437,8 +345,7 @@ int MAIN(int argc, char **argv) BIO_free(in); BIO_free_all(out); DSA_free(dsa); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static int dsa_cb(int p, int n, BN_GENCB *cb) diff --git a/apps/ec.c b/apps/ec.c index aca2854..d6bce6d 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -1,4 +1,3 @@ -/* apps/ec.c */ /* * Written by Nils Larsch for the OpenSSL project. */ 
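Review bot: The array names emitted and the names referenced in the generated function look inconsistent: `print_bignum_var(bio_out, dsa->p, "dsap", len, data);` passes the byte length, while the following lines reference `dsap_%d` formatted with `bits_p`. dhparam.c passes `bits` in both places, so if print_bignum_var appends its integer argument to the variable name (its body is not visible here), the `-C` output will not compile; pass `bits_p` in all three calls. The code is also written to `bio_out` rather than `out`, so `-out` would not apply to it, unlike in dhparam.c. As far as this hunk shows, `data` is never released before the `if (C)` block closes, whereas dhparam.c ends its block with `OPENSSL_free(data);`.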
@@ -67,198 +66,146 @@ # include # include -# undef PROG -# define PROG ec_main +static OPT_PAIR conv_forms[] = { + {"compressed", POINT_CONVERSION_COMPRESSED}, + {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, + {"hybrid", POINT_CONVERSION_HYBRID}, + {NULL} +}; -/*- - * -inform arg - input format - default PEM (one of DER, NET or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -des - encrypt output if PEM format with DES in cbc mode - * -text - print a text version - * -param_out - print the elliptic curve parameters - * -conv_form arg - specifies the point encoding form - * -param_enc arg - specifies the parameter encoding - */ +static OPT_PAIR param_enc[] = { + {"named_curve", OPENSSL_EC_NAMED_CURVE}, + {"explicit", 0}, + {NULL} +}; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT, + OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS ec_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key"}, + {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"}, + {"pubin", OPT_PUBIN, '-'}, + {"pubout", OPT_PUBOUT, '-'}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + {"conv_form", 
OPT_CONV_FORM, 's', "Specifies the point conversion form "}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int ec_main(int argc, char **argv) { - int ret = 1; + BIO *in = NULL, *out = NULL; EC_KEY *eckey = NULL; const EC_GROUP *group; - int i, badops = 0; const EVP_CIPHER *enc = NULL; - BIO *in = NULL, *out = NULL; - int informat, outformat, text = 0, noout = 0; - int pubin = 0, pubout = 0, param_out = 0; - char *infile, *outfile, *prog, *engine; - char *passargin = NULL, *passargout = NULL; - char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; - int new_form = 0; - int asn1_flag = OPENSSL_EC_NAMED_CURVE; - int new_asn1_flag = 0; - - apps_startup(); + char *infile = NULL, *outfile = NULL, *prog, *engine = NULL; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = + NULL; + OPTION_CHOICE o; + int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int pubin = 0, pubout = 0, param_out = 0, i, ret = 1; - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - engine = NULL; - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if 
(strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } else if (strcmp(*argv, "-noout") == 0) + prog = opt_init(argc, argv, ec_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ec_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-conv_form") == 0) { - if (--argc < 1) - goto bad; - ++argv; - new_form = 1; - if (strcmp(*argv, "compressed") == 0) - form = POINT_CONVERSION_COMPRESSED; - else if (strcmp(*argv, "uncompressed") == 0) - form = POINT_CONVERSION_UNCOMPRESSED; - else if (strcmp(*argv, "hybrid") == 0) - form = POINT_CONVERSION_HYBRID; - else - goto bad; - } else if (strcmp(*argv, "-param_enc") == 0) { - if (--argc < 1) - goto bad; - ++argv; - new_asn1_flag = 1; - if (strcmp(*argv, "named_curve") == 0) - asn1_flag = OPENSSL_EC_NAMED_CURVE; - else if (strcmp(*argv, "explicit") == 0) - asn1_flag = 0; - else - goto bad; - } else if (strcmp(*argv, "-param_out") == 0) + break; + case OPT_PARAM_OUT: param_out = 1; - else if (strcmp(*argv, "-pubin") == 0) + break; + case OPT_PUBIN: pubin = 1; - else if (strcmp(*argv, "-pubout") == 0) + break; + case OPT_PUBOUT: pubout = 1; - else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case 
OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; + case OPT_CONV_FORM: + if (!opt_pair(opt_arg(), conv_forms, &i)) + goto opthelp; + new_form = 1; + form = i; + break; + case OPT_PARAM_ENC: + if (!opt_pair(opt_arg(), param_enc, &i)) + goto opthelp; + new_asn1_flag = 1; + asn1_flag = i; break; } - argc--; - argv++; } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - " - "DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - " - "DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -passin arg input file pass " - "phrase source\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, " -passout arg output file pass " - "phrase source\n"); - BIO_printf(bio_err, " -engine e use engine e, " - "possibly a hardware device.\n"); - BIO_printf(bio_err, " -des encrypt PEM output, " - "instead of 'des' every other \n" - " cipher " - "supported by OpenSSL can be used\n"); - BIO_printf(bio_err, " -text print the key\n"); - BIO_printf(bio_err, " -noout don't print key out\n"); - BIO_printf(bio_err, " -param_out print the elliptic " - "curve parameters\n"); - BIO_printf(bio_err, " -conv_form arg specifies the " - "point conversion form \n"); - BIO_printf(bio_err, " possible values:" - " compressed\n"); - BIO_printf(bio_err, " " - " uncompressed (default)\n"); - BIO_printf(bio_err, " " " hybrid\n"); - BIO_printf(bio_err, " -param_enc arg specifies the way" - " the ec parameters are encoded\n"); - BIO_printf(bio_err, " in the asn1 der " "encoding\n"); - BIO_printf(bio_err, " possible values:" - " named_curve (default)\n"); - BIO_printf(bio_err, " " - "explicit\n"); - goto end; - } - - ERR_load_crypto_strings(); + argc = opt_num_rest(); + argv = opt_rest(); # ifndef 
OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, RB(informat)); + if (in == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } BIO_printf(bio_err, "read EC key\n"); if (informat == FORMAT_ASN1) { @@ -266,14 +213,11 @@ int MAIN(int argc, char **argv) eckey = d2i_EC_PUBKEY_bio(in, NULL); else eckey = d2i_ECPrivateKey_bio(in, NULL); - } else if (informat == FORMAT_PEM) { + } else { if (pubin) eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL); else eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin); - } else { - BIO_printf(bio_err, "bad input format specified for key\n"); - goto end; } if (eckey == NULL) { BIO_printf(bio_err, "unable to load Key\n"); @@ -281,20 +225,9 @@ int MAIN(int argc, char **argv) goto end; } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, WB(outformat)); + if (out == NULL) + goto end; group = EC_KEY_get0_group(eckey); @@ -324,7 +257,7 @@ int MAIN(int argc, char **argv) i = i2d_EC_PUBKEY_bio(out, eckey); else i = i2d_ECPrivateKey_bio(out, eckey); - } else if (outformat == FORMAT_PEM) { + } else { if (param_out) i = PEM_write_bio_ECPKParameters(out, group); else if (pubin || pubout) 
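Review bot: `case OPT_CIPHER:` in the new option switch of `ec_main` has no `break;`, so after `opt_cipher(opt_unknown(), &enc)` succeeds control falls into `case OPT_CONV_FORM:` and runs `opt_pair(opt_arg(), conv_forms, &i)`. A cipher flag carries no argument, so that lookup presumably fails and jumps to `opthelp`. The cipher in `enc` is what `PEM_write_bio_ECPrivateKey(out, eckey, enc, ...)` uses to encrypt the key on output, so the likely effect is that an encrypted private key can no longer be requested. If the lookup ever matched, `form` and `new_form` would be overwritten as a side effect. Add `break;` directly after the `goto opthelp;` of the `OPT_CIPHER` case.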
@@ -332,9 +265,6 @@ int MAIN(int argc, char **argv) else i = PEM_write_bio_ECPrivateKey(out, eckey, enc, NULL, 0, NULL, passout); - } else { - BIO_printf(bio_err, "bad output format specified for " "outfile\n"); - goto end; } if (!i) { @@ -350,8 +280,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } #else /* !OPENSSL_NO_EC */ diff --git a/apps/ecparam.c b/apps/ecparam.c index c6a1751..167ef39 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -1,4 +1,3 @@ -/* apps/ecparam.c */ /* * Written by Nils Larsch for the OpenSSL project. */ 
@@ -84,235 +83,152 @@ # include # include -# undef PROG -# define PROG ecparam_main - -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -noout - do not print the ec parameter - * -text - print the ec parameters in text form - * -check - validate the ec parameters - * -C - print a 'C' function creating the parameters - * -name arg - use the ec parameters with 'short name' name - * -list_curves - prints a list of all currently available curve 'short names' - * -conv_form arg - specifies the point conversion form - * - possible values: compressed - * uncompressed (default) - * hybrid - * -param_enc arg - specifies the way the ec parameters are encoded - * in the asn1 der encoding - * possible values: named_curve (default) - * explicit - * -no_seed - if 'explicit' parameters are chosen do not use the seed - * -genkey - generate ec key - * -rand file - files to use for random number input - * -engine e - use engine e, possibly a hardware device - */ - -static int ecparam_print_var(BIO *, BIGNUM *, const char *, int, - unsigned char *); - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, + OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME, + OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_RAND, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS ecparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"text", OPT_TEXT, '-', "Print the ec parameters in text form"}, + {"C", OPT_C, '-', "Print a 'C' function creating the 
parameters"}, + {"check", OPT_CHECK, '-', "Validate the ec parameters"}, + {"list_curves", OPT_LIST_CURVES, '-', + "Prints a list of all curve 'short names'"}, + {"no_seed", OPT_NO_SEED, '-', + "If 'explicit' parameters are chosen do not use the seed"}, + {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"}, + {"name", OPT_NAME, 's', + "Use the ec parameters with specified 'short name'"}, + {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + {"genkey", OPT_GENKEY, '-', "Generate ec key"}, + {"rand", OPT_RAND, 's', "Files to use for random number input"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +OPT_PAIR forms[] = { + {"compressed", POINT_CONVERSION_COMPRESSED}, + {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, + {"hybrid", POINT_CONVERSION_HYBRID}, + {NULL} +}; + +OPT_PAIR encodings[] = { + {"named_curve", OPENSSL_EC_NAMED_CURVE}, + {"explicit", 0}, + {NULL} +}; + +int ecparam_main(int argc, char **argv) { + BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; + BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL; + BIO *in = NULL, *out = NULL; EC_GROUP *group = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; - int new_form = 0; - int asn1_flag = OPENSSL_EC_NAMED_CURVE; - int new_asn1_flag = 0; char *curve_name = NULL, *inrand = NULL; - int list_curves = 0, no_seed = 0, check = 0, - badops = 0, text = 0, i, need_rand = 0, genkey = 0; - char *infile = NULL, *outfile = NULL, *prog; - BIO *in = NULL, *out = NULL; - int informat, outformat, noout = 0, C = 0, ret = 1; - char *engine = NULL; - - BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, - *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; + char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; unsigned char *buffer = NULL; - - apps_startup(); - - if (bio_err == NULL) - if 
((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-text") == 0) + OPTION_CHOICE o; + int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0, ret = + 1; + int list_curves = 0, no_seed = 0, check = 0, new_form = 0; + int text = 0, i, need_rand = 0, genkey = 0; + + prog = opt_init(argc, argv, ecparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ecparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-C") == 0) + break; + case OPT_C: C = 1; - else if (strcmp(*argv, "-check") == 0) + break; + case OPT_CHECK: check = 1; - else if (strcmp(*argv, "-name") == 0) { - if (--argc < 1) - goto bad; - curve_name = *(++argv); - } else if (strcmp(*argv, "-list_curves") == 0) + break; + case OPT_LIST_CURVES: list_curves = 1; - else if (strcmp(*argv, "-conv_form") == 0) { - if (--argc < 
1) - goto bad; - ++argv; - new_form = 1; - if (strcmp(*argv, "compressed") == 0) - form = POINT_CONVERSION_COMPRESSED; - else if (strcmp(*argv, "uncompressed") == 0) - form = POINT_CONVERSION_UNCOMPRESSED; - else if (strcmp(*argv, "hybrid") == 0) - form = POINT_CONVERSION_HYBRID; - else - goto bad; - } else if (strcmp(*argv, "-param_enc") == 0) { - if (--argc < 1) - goto bad; - ++argv; - new_asn1_flag = 1; - if (strcmp(*argv, "named_curve") == 0) - asn1_flag = OPENSSL_EC_NAMED_CURVE; - else if (strcmp(*argv, "explicit") == 0) - asn1_flag = 0; - else - goto bad; - } else if (strcmp(*argv, "-no_seed") == 0) + break; + case OPT_NO_SEED: no_seed = 1; - else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-genkey") == 0) { - genkey = 1; - need_rand = 1; - } else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); + break; + case OPT_NAME: + curve_name = opt_arg(); + break; + case OPT_CONV_FORM: + if (!opt_pair(opt_arg(), forms, &new_form)) + goto opthelp; + form = new_form; + new_form = 1; + break; + case OPT_PARAM_ENC: + if (!opt_pair(opt_arg(), encodings, &asn1_flag)) + goto opthelp; + new_asn1_flag = 1; + break; + case OPT_GENKEY: + genkey = need_rand = 1; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - } else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_ENGINE: + engine = opt_arg(); break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - " - "default PEM (DER or PEM)\n"); - BIO_printf(bio_err, " -outform arg output format - " - "default PEM\n"); - BIO_printf(bio_err, " -in arg input file - " - "default stdin\n"); - BIO_printf(bio_err, 
" -out arg output file - " - "default stdout\n"); - BIO_printf(bio_err, " -noout do not print the " - "ec parameter\n"); - BIO_printf(bio_err, " -text print the ec " - "parameters in text form\n"); - BIO_printf(bio_err, " -check validate the ec " - "parameters\n"); - BIO_printf(bio_err, " -C print a 'C' " - "function creating the parameters\n"); - BIO_printf(bio_err, " -name arg use the " - "ec parameters with 'short name' name\n"); - BIO_printf(bio_err, " -list_curves prints a list of " - "all currently available curve 'short names'\n"); - BIO_printf(bio_err, " -conv_form arg specifies the " - "point conversion form \n"); - BIO_printf(bio_err, " possible values:" - " compressed\n"); - BIO_printf(bio_err, " " - " uncompressed (default)\n"); - BIO_printf(bio_err, " " - " hybrid\n"); - BIO_printf(bio_err, " -param_enc arg specifies the way" - " the ec parameters are encoded\n"); - BIO_printf(bio_err, " in the asn1 der " - "encoding\n"); - BIO_printf(bio_err, " possible values:" - " named_curve (default)\n"); - BIO_printf(bio_err, " " - " explicit\n"); - BIO_printf(bio_err, " -no_seed if 'explicit'" - " parameters are chosen do not" " use the seed\n"); - BIO_printf(bio_err, " -genkey generate ec" " key\n"); - BIO_printf(bio_err, " -rand file files to use for" - " random number input\n"); - BIO_printf(bio_err, " -engine e use engine e, " - "possibly a hardware device\n"); + in = bio_open_default(infile, RB(informat)); + if (in == NULL) goto end; - } - - ERR_load_crypto_strings(); - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); + out = bio_open_default(outfile, WB(outformat)); + if (out == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = 
BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif if (list_curves) { @@ -385,15 +301,10 @@ int MAIN(int argc, char **argv) } EC_GROUP_set_asn1_flag(group, asn1_flag); EC_GROUP_set_point_conversion_form(group, form); - } else if (informat == FORMAT_ASN1) { + } else if (informat == FORMAT_ASN1) group = d2i_ECPKParameters_bio(in, NULL); - } else if (informat == FORMAT_PEM) { + else group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL); - } else { - BIO_printf(bio_err, "bad input format specified\n"); - goto end; - } - if (group == NULL) { BIO_printf(bio_err, "unable to load elliptic curve parameters\n"); ERR_print_errors(bio_err); @@ -433,24 +344,25 @@ int MAIN(int argc, char **argv) int is_prime, len = 0; const EC_METHOD *meth = EC_GROUP_method_of(group); - if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL || - (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL || - (ec_order = BN_new()) == NULL || - (ec_cofactor = BN_new()) == NULL) { + if ((ec_p = BN_new()) == NULL + || (ec_a = BN_new()) == NULL + || (ec_b = BN_new()) == NULL + || (ec_gen = BN_new()) == NULL + || (ec_order = BN_new()) == NULL + || (ec_cofactor = BN_new()) == NULL) { perror("OPENSSL_malloc"); goto end; } is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); - - if (is_prime) { - if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL)) - goto end; - } else { - /* TODO */ + if (!is_prime) { + BIO_printf(bio_err, "Can only handle X9.62 prime fields\n"); goto end; } + if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL)) + goto end; + if ((point = EC_GROUP_get0_generator(group)) == NULL) goto end; if (!EC_POINT_point2bn(group, point, 
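Review bot: `OPT_PAIR forms[]` and `OPT_PAIR encodings[]` in apps/ecparam.c are defined with external linkage, whereas the equivalent tables this patch adds to apps/ec.c (`conv_forms`, `param_enc`) are `static`. In the lines shown both tables are used only by the `opt_pair()` calls inside `ecparam_main`, and a generic global name such as `forms` invites a link-time clash if the apps are linked into one program. Declare them `static OPT_PAIR forms[] = {` and `static OPT_PAIR encodings[] = {` to match ec.c.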
@@ -487,77 +399,62 @@ int MAIN(int argc, char **argv) goto end; } - ecparam_print_var(out, ec_p, "ec_p", len, buffer); - ecparam_print_var(out, ec_a, "ec_a", len, buffer); - ecparam_print_var(out, ec_b, "ec_b", len, buffer); - ecparam_print_var(out, ec_gen, "ec_gen", len, buffer); - ecparam_print_var(out, ec_order, "ec_order", len, buffer); - ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, buffer); - - BIO_printf(out, "\n\n"); - - BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len); - BIO_printf(out, "\tint ok=0;\n"); - BIO_printf(out, "\tEC_GROUP *group = NULL;\n"); - BIO_printf(out, "\tEC_POINT *point = NULL;\n"); - BIO_printf(out, "\tBIGNUM *tmp_1 = NULL, *tmp_2 = NULL, " - "*tmp_3 = NULL;\n\n"); - BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, " - "sizeof(ec_p_%d), NULL)) == NULL)\n\t\t" - "goto err;\n", len, len); - BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, " - "sizeof(ec_a_%d), NULL)) == NULL)\n\t\t" - "goto err;\n", len, len); - BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, " - "sizeof(ec_b_%d), NULL)) == NULL)\n\t\t" - "goto err;\n", len, len); - if (is_prime) { - BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_" - "GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)" - "\n\t\tgoto err;\n\n"); - } else { - /* TODO */ - goto end; - } - BIO_printf(out, "\t/* build generator */\n"); - BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, " - "sizeof(ec_gen_%d), tmp_1)) == NULL)" - "\n\t\tgoto err;\n", len, len); - BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, " - "NULL, NULL);\n"); - BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n"); - BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, " - "sizeof(ec_order_%d), tmp_2)) == NULL)" - "\n\t\tgoto err;\n", len, len); - BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, " - "sizeof(ec_cofactor_%d), tmp_3)) == NULL)" - "\n\t\tgoto err;\n", len, len); - BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point," - " tmp_2, tmp_3))\n\t\tgoto err;\n"); - 
BIO_printf(out, "\n\tok=1;\n"); - BIO_printf(out, "err:\n"); - BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n"); - BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n"); - BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n"); - BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n"); - BIO_printf(out, "\tif (!ok)\n"); - BIO_printf(out, "\t\t{\n"); - BIO_printf(out, "\t\tEC_GROUP_free(group);\n"); - BIO_printf(out, "\t\tgroup = NULL;\n"); - BIO_printf(out, "\t\t}\n"); - BIO_printf(out, "\treturn(group);\n\t}\n"); + BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len); + print_bignum_var(out, ec_p, "ec_p", len, buffer); + print_bignum_var(out, ec_a, "ec_a", len, buffer); + print_bignum_var(out, ec_b, "ec_b", len, buffer); + print_bignum_var(out, ec_gen, "ec_gen", len, buffer); + print_bignum_var(out, ec_order, "ec_order", len, buffer); + print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer); + BIO_printf(out, " int ok = 0;\n" + " EC_GROUP *group = NULL;\n" + " EC_POINT *point = NULL;\n" + " BIGNUM *tmp_1 = NULL;\n" + " BIGNUM *tmp_2 = NULL;\n" + " BIGNUM *tmp_3 = NULL;\n" + "\n"); + + BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof (ec_p_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof (ec_a_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof (ec_b_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n" + " goto err;\n" + "\n"); + BIO_printf(out, " /* build generator */\n"); + BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof (ec_gen_%d), tmp_1)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n"); + BIO_printf(out, " if (point == NULL)\n" + " goto err;\n"); + BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof (ec_order_%d), tmp_2)) 
== NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof (ec_cofactor_%d), tmp_3)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n" + " goto err;\n" + "ok = 1;" + "\n"); + BIO_printf(out, "err:\n" + " BN_free(tmp_1);\n" + " BN_free(tmp_2);\n" + " BN_free(tmp_3);\n" + " EC_POINT_free(point);\n" + " if (!ok) {\n" + " EC_GROUP_free(group);\n" + " return NULL;\n" + " }\n" + " return (group);\n" + "}\n"); } if (!noout) { if (outformat == FORMAT_ASN1) i = i2d_ECPKParameters_bio(out, group); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_ECPKParameters(out, group); - else { - BIO_printf(bio_err, "bad output format specified for" - " outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write elliptic " "curve parameters\n"); @@ -567,7 +464,7 @@ int MAIN(int argc, char **argv) } if (need_rand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); @@ -590,20 +487,14 @@ int MAIN(int argc, char **argv) } if (outformat == FORMAT_ASN1) i = i2d_ECPrivateKey_bio(out, eckey); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_ECPrivateKey(out, eckey, NULL, NULL, 0, NULL, NULL); - else { - BIO_printf(bio_err, "bad output format specified " - "for outfile\n"); - EC_KEY_free(eckey); - goto end; - } EC_KEY_free(eckey); } if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); ret = 0; end: 
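Review bot: The emitted statement `ok = 1;` is written as the literal `"ok = 1;"` followed by `"\n"`, directly after the `goto err;\n` string of the `EC_GROUP_set_generator` check. In the generated `get_ec_group_%d` function it therefore has no leading whitespace and no blank line before it, unlike the neighbouring emitted statements. The removed code printed `"\n\tok=1;\n"`, so the new literal should start with a newline and carry the same indentation as the surrounding strings. This looks cosmetic only, since the generated C should still compile.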
@@ -624,32 +515,9 @@ int MAIN(int argc, char **argv) BIO_free(in); BIO_free_all(out); EC_GROUP_free(group); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } -static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var, - int len, unsigned char *buffer) -{ - BIO_printf(out, "static unsigned char %s_%d[] = {", var, len); - if (BN_is_zero(in)) - BIO_printf(out, "\n\t0x00"); - else { - int i, l; - - l = BN_bn2bin(in, buffer); - for (i = 0; i < l - 1; i++) { - if ((i % 12) == 0) - BIO_printf(out, "\n\t"); - BIO_printf(out, "0x%02X,", buffer[i]); - } - if ((i % 12) == 0) - BIO_printf(out, "\n\t"); - BIO_printf(out, "0x%02X", buffer[i]); - } - BIO_printf(out, "\n\t};\n\n"); - return 1; -} #else /* !OPENSSL_NO_EC */ # if PEDANTIC diff --git a/apps/enc.c b/apps/enc.c index b95a6a2..06b056b 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -1,4 +1,3 @@ -/* apps/enc.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -72,307 +71,251 @@ #endif #include -int set_hex(char *in, unsigned char *out, int size); #undef SIZE #undef BSIZE -#undef PROG - #define SIZE (512) #define BSIZE (8*1024) -#define PROG enc_main - -static void show_ciphers(const OBJ_NAME *name, void *bio_) -{ - BIO *bio = bio_; - static int n; - - if (!islower((unsigned char)*name->name)) - return; - - BIO_printf(bio, "-%-25s", name->name); - if (++n == 3) { - BIO_printf(bio, "\n"); - n = 0; - } else - BIO_printf(bio, " "); -} -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +static int set_hex(char *in, unsigned char *out, int size); +static void show_ciphers(const OBJ_NAME *name, void *bio_); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V, + OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, + OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, + OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS enc_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pass", OPT_PASS, 's', "Passphrase source"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"e", OPT_E, '-', "Encrypt"}, + {"d", OPT_D, '-', "Decrypt"}, + {"p", OPT_P, '-', "Print the iv/key"}, + {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"}, + {"v", OPT_V, '-'}, + {"nopad", OPT_NOPAD, '-', "Disable standard block padding"}, + {"salt", OPT_SALT, '-'}, + {"nosalt", OPT_NOSALT, '-'}, + {"debug", OPT_DEBUG, '-'}, + {"A", OPT_UPPER_A, '-'}, + {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"}, + {"base64", OPT_A, '-', "Base64 output as a single line"}, +#ifdef ZLIB + {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, +#endif + {"bufsize", OPT_BUFSIZE, 's', "Buffer size"}, + {"k", OPT_K, 's', "Passphrase"}, + 
{"kfile", OPT_KFILE, '<', "Fead passphrase from file"}, + {"K", OPT_UPPER_K, '-', "Same as -iv"}, + {"S", OPT_UPPER_S, 's', "Salt, in hex"}, + {"iv", OPT_IV, 's', "IV in hex"}, + {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"}, + {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, + {"none", OPT_NONE, '-', "Don't encrypt"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + {NULL} +}; + +int enc_main(int argc, char **argv) { + static char buf[128]; static const char magic[] = "Salted__"; + BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = + NULL, *wbio = NULL; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *cipher = NULL, *c; + const EVP_MD *dgst = NULL; + char *engine = NULL, *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; + char *infile = NULL, *outfile = NULL, *prog; + char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; char mbuf[sizeof magic - 1]; - char *strbuf = NULL; - unsigned char *buff = NULL, *bufsize = NULL; - int bsize = BSIZE, verbose = 0; - int ret = 1, inl; - int nopad = 0; + OPTION_CHOICE o; + int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; + int enc = 1, printkey = 0, i, k, base64 = 0; + int ret = 1, inl, nopad = 0, non_fips_allow = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; - unsigned char salt[PKCS5_SALT_LEN]; - char *str = NULL, *passarg = NULL, *pass = NULL; - char *hkey = NULL, *hiv = NULL, *hsalt = NULL; - char *md = NULL; - int enc = 1, printkey = 0, i, base64 = 0; + unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; + unsigned long n; #ifdef ZLIB int do_zlib = 0; BIO *bzl = NULL; #endif - int debug = 0, olb64 = 0, nosalt = 0; - const EVP_CIPHER *cipher = NULL, *c; - EVP_CIPHER_CTX *ctx = NULL; - char *inf = NULL, *outf = NULL; - BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = - NULL, *wbio = NULL; -#define PROG_NAME_SIZE 39 - char pname[PROG_NAME_SIZE + 1]; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - const EVP_MD *dgst = 
NULL; - int non_fips_allow = 0; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; /* first check the program name */ - program_name(argv[0], pname, sizeof pname); - if (strcmp(pname, "base64") == 0) + prog = opt_progname(argv[0]); + if (strcmp(prog, "base64") == 0) base64 = 1; #ifdef ZLIB - if (strcmp(pname, "zlib") == 0) + else if (strcmp(prog, "zlib") == 0) do_zlib = 1; #endif - - cipher = EVP_get_cipherbyname(pname); -#ifdef ZLIB - if (!do_zlib && !base64 && (cipher == NULL) - && (strcmp(pname, "enc") != 0)) -#else - if (!base64 && (cipher == NULL) && (strcmp(pname, "enc") != 0)) -#endif - { - BIO_printf(bio_err, "%s is an unknown cipher\n", pname); - goto bad; + else { + cipher = EVP_get_cipherbyname(prog); + if (cipher == NULL && strcmp(prog, "enc") != 0) { + BIO_printf(bio_err, "%s is not a known cipher\n", prog); + goto end; + } } - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-e") == 0) + prog = opt_init(argc, argv, enc_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(enc_options); + ret = 0; + BIO_printf(bio_err, "Cipher Types\n"); + OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, + show_ciphers, bio_err); + BIO_printf(bio_err, "\n"); + goto end; + case OPT_E: enc = 1; - else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - inf = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outf = *(++argv); - } else if (strcmp(*argv, "-pass") == 0) { - if (--argc < 1) - goto bad; - passarg = *(++argv); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif - else if (strcmp(*argv, "-d") == 0) + break; + case 
OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_D: enc = 0; - else if (strcmp(*argv, "-p") == 0) + break; + case OPT_P: printkey = 1; - else if (strcmp(*argv, "-v") == 0) + break; + case OPT_V: verbose = 1; - else if (strcmp(*argv, "-nopad") == 0) + break; + case OPT_NOPAD: nopad = 1; - else if (strcmp(*argv, "-salt") == 0) + break; + case OPT_SALT: nosalt = 0; - else if (strcmp(*argv, "-nosalt") == 0) + break; + case OPT_NOSALT: nosalt = 1; - else if (strcmp(*argv, "-debug") == 0) + break; + case OPT_DEBUG: debug = 1; - else if (strcmp(*argv, "-P") == 0) + break; + case OPT_UPPER_P: printkey = 2; - else if (strcmp(*argv, "-A") == 0) + break; + case OPT_UPPER_A: olb64 = 1; - else if (strcmp(*argv, "-a") == 0) - base64 = 1; - else if (strcmp(*argv, "-base64") == 0) + break; + case OPT_A: base64 = 1; + break; + case OPT_Z: #ifdef ZLIB - else if (strcmp(*argv, "-z") == 0) do_zlib = 1; #endif - else if (strcmp(*argv, "-bufsize") == 0) { - if (--argc < 1) - goto bad; - bufsize = (unsigned char *)*(++argv); - } else if (strcmp(*argv, "-k") == 0) { - if (--argc < 1) - goto bad; - str = *(++argv); - } else if (strcmp(*argv, "-kfile") == 0) { - static char buf[128]; - FILE *infile; - char *file; - - if (--argc < 1) - goto bad; - file = *(++argv); - infile = fopen(file, "r"); - if (infile == NULL) { - BIO_printf(bio_err, "unable to read key from '%s'\n", file); - goto bad; - } - buf[0] = '\0'; - if (!fgets(buf, sizeof buf, infile)) { - BIO_printf(bio_err, "unable to read key from '%s'\n", file); - goto bad; + break; + case OPT_BUFSIZE: + p = opt_arg(); + i = (int)strlen(p) - 1; + k = i >= 1 && p[i] == 'k'; + if (k) + p[i] = '\0'; + if (!opt_ulong(opt_arg(), &n)) + goto opthelp; + if (k) + n *= 1024; + bsize = (int)n; + break; + case OPT_K: + str = opt_arg(); + break; + case OPT_KFILE: + in = bio_open_default(opt_arg(), "r"); + 
if (in == NULL) + goto opthelp; + i = BIO_gets(in, buf, sizeof buf); + BIO_free(in); + in = NULL; + if (i <= 0) { + BIO_printf(bio_err, + "%s Can't read key from %s\n", prog, opt_arg()); + goto opthelp; } - fclose(infile); - i = strlen(buf); - if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r'))) - buf[--i] = '\0'; - if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r'))) - buf[--i] = '\0'; - if (i < 1) { - BIO_printf(bio_err, "zero length password\n"); - goto bad; + while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n')) + buf[i] = '\0'; + if (i <= 0) { + BIO_printf(bio_err, "%s: zero length password\n", prog); + goto opthelp; } str = buf; - } else if (strcmp(*argv, "-K") == 0) { - if (--argc < 1) - goto bad; - hkey = *(++argv); - } else if (strcmp(*argv, "-S") == 0) { - if (--argc < 1) - goto bad; - hsalt = *(++argv); - } else if (strcmp(*argv, "-iv") == 0) { - if (--argc < 1) - goto bad; - hiv = *(++argv); - } else if (strcmp(*argv, "-md") == 0) { - if (--argc < 1) - goto bad; - md = *(++argv); - } else if (strcmp(*argv, "-non-fips-allow") == 0) + break; + case OPT_UPPER_K: + hkey = opt_arg(); + break; + case OPT_UPPER_S: + hsalt = opt_arg(); + break; + case OPT_IV: + hiv = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &dgst)) + goto opthelp; + break; + case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; - else if ((argv[0][0] == '-') && - ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) { + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &c)) + goto opthelp; cipher = c; - } else if (strcmp(*argv, "-none") == 0) + break; + case OPT_NONE: cipher = NULL; - else { - BIO_printf(bio_err, "unknown option '%s'\n", *argv); - bad: - BIO_printf(bio_err, "options are\n"); - BIO_printf(bio_err, "%-14s input file\n", "-in "); - BIO_printf(bio_err, "%-14s output file\n", "-out "); - BIO_printf(bio_err, "%-14s pass phrase source\n", "-pass "); - BIO_printf(bio_err, "%-14s encrypt\n", "-e"); - BIO_printf(bio_err, "%-14s decrypt\n", "-d"); - 
BIO_printf(bio_err, - "%-14s base64 encode/decode, depending on encryption flag\n", - "-a/-base64"); - BIO_printf(bio_err, "%-14s passphrase is the next argument\n", - "-k"); - BIO_printf(bio_err, - "%-14s passphrase is the first line of the file argument\n", - "-kfile"); - BIO_printf(bio_err, - "%-14s the next argument is the md to use to create a key\n", - "-md"); - BIO_printf(bio_err, - "%-14s from a passphrase. One of md2, md5, sha or sha1\n", - ""); - BIO_printf(bio_err, "%-14s salt in hex is the next argument\n", - "-S"); - BIO_printf(bio_err, "%-14s key/iv in hex is the next argument\n", - "-K/-iv"); - BIO_printf(bio_err, "%-14s print the iv/key (then exit if -P)\n", - "-[pP]"); - BIO_printf(bio_err, "%-14s buffer size\n", "-bufsize "); - BIO_printf(bio_err, "%-14s disable standard block padding\n", - "-nopad"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "%-14s use engine e, possibly a hardware device.\n", - "-engine e"); -#endif - - BIO_printf(bio_err, "Cipher Types\n"); - OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, - show_ciphers, bio_err); - BIO_printf(bio_err, "\n"); - - goto end; + break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); #endif if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - BIO_printf(bio_err, - "AEAD ciphers not supported by the enc utility\n"); + BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog); goto end; } if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) { - BIO_printf(bio_err, - "Ciphers in XTS mode are not supported by the enc utility\n"); + BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog); goto end; } - if (md && (dgst = EVP_get_digestbyname(md)) == NULL) { - BIO_printf(bio_err, "%s is an unsupported message digest type\n", md); - goto end; - } - - if (dgst == NULL) { + if (dgst == NULL) dgst = EVP_md5(); - } - - if (bufsize != NULL) { - unsigned 
long n; - - for (n = 0; *bufsize; bufsize++) { - i = *bufsize; - if ((i <= '9') && (i >= '0')) - n = n * 10 + i - '0'; - else if (i == 'k') { - n *= 1024; - bufsize++; - break; - } - } - if (*bufsize != '\0') { - BIO_printf(bio_err, "invalid 'bufsize' specified.\n"); - goto end; - } - /* It must be large enough for a base64 encoded line */ - if (base64 && n < 80) - n = 80; - - bsize = (int)n; - if (verbose) - BIO_printf(bio_err, "bufsize=%d\n", bsize); - } + /* It must be large enough for a base64 encoded line */ + if (base64 && bsize < 80) + bsize = 80; + if (verbose) + BIO_printf(bio_err, "bufsize=%d\n", bsize); strbuf = OPENSSL_malloc(SIZE); buff = (unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); @@ -382,12 +325,6 @@ int MAIN(int argc, char **argv) goto end; } - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); - goto end; - } if (debug) { BIO_set_callback(in, BIO_debug_callback); BIO_set_callback(out, BIO_debug_callback); @@ -395,19 +332,16 @@ int MAIN(int argc, char **argv) BIO_set_callback_arg(out, (char *)bio_err); } - if (inf == NULL) { - if (bufsize != NULL) - setbuf(stdin, NULL); - BIO_set_fp(in, stdin, BIO_NOCLOSE); - } else { - if (BIO_read_filename(in, inf) <= 0) { - perror(inf); - goto end; - } - } + if (infile == NULL) { + unbuffer(stdin); + in = dup_bio_in(); + } else + in = bio_open_default(infile, "r"); + if (in == NULL) + goto end; if (!str && passarg) { - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { + if (!app_passwd(passarg, NULL, &pass, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } 
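Review bot: The `enc_options` entry `{"K", OPT_UPPER_K, '-', "Same as -iv"}` declares `-K` as taking no value, yet `case OPT_UPPER_K` stores `opt_arg()` in `hkey`; every other value-taking option in the table uses `'s'` or `'<'`, so the raw key is probably never captured. I would change the entry to `{"K", OPT_UPPER_K, 's', "Raw key, in hex"},`. In `case OPT_KFILE` the loop `while (--i > 0 && ...)` leaves `i` at 0 for a one-character passphrase, which is then rejected as zero length; `while (i > 0 && (buf[i - 1] == '\r' || buf[i - 1] == '\n')) buf[--i] = '\0';` keeps the length correct. In `case OPT_BUFSIZE`, `bsize = (int)n` is unchecked after `n *= 1024`, so a large argument can wrap to a negative or tiny size before `EVP_ENCODE_LENGTH(bsize)` is allocated; reject values that do not fit in `int` before the cast. `enc_main` continues past the end of this hunk.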
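Review bot: With the `BIO_new(BIO_s_file())` calls removed here, the `if (debug)` block that follows calls `BIO_set_callback(in, ...)` and `BIO_set_callback(out, ...)` while both pointers are still NULL as far as these hunks show: `in` is only assigned in the next hunk and `out` in the hunk after the password prompt. Running with `-debug` would then dereference a null BIO. The debug block should move below the point where `out = bio_open_default(outfile, "w")` has succeeded. The enclosing function starts and ends outside this hunk.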
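Review bot: `bio_open_default(infile, "r")` here, and `bio_open_default(outfile, "w")` in the `-438,28 +372,14` hunk, pass text-mode strings for streams that carry ciphertext. `bio_open_default` is not shown; if it forwards the mode to the C library unchanged, platforms that distinguish text from binary files could alter the data, whereas the removed `BIO_read_filename`/`BIO_write_filename` calls show no text flag. Consider `"rb"` and `"wb"` unless base64 text is being handled. The enclosing function starts and ends outside this hunk.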
@@ -416,13 +350,13 @@ int MAIN(int argc, char **argv) if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { for (;;) { - char buf[200]; + char prompt[200]; - BIO_snprintf(buf, sizeof buf, "enter %s %s password:", + BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:", OBJ_nid2ln(EVP_CIPHER_nid(cipher)), (enc) ? "encryption" : "decryption"); strbuf[0] = '\0'; - i = EVP_read_pw_string((char *)strbuf, SIZE, buf, enc); + i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); if (i == 0) { if (strbuf[0] == '\0') { ret = 1; @@ -438,28 +372,14 @@ int MAIN(int argc, char **argv) } } - if (outf == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); - if (bufsize != NULL) - setbuf(stdin, NULL); /* don't do buffered reads */ -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outf) <= 0) { - perror(outf); - goto end; - } - } + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; rbio = in; wbio = out; #ifdef ZLIB - if (do_zlib) { if ((bzl = BIO_new(BIO_f_zlib())) == NULL) goto end; @@ -666,11 +586,26 @@ int MAIN(int argc, char **argv) #endif if (pass) OPENSSL_free(pass); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); +} + +static void show_ciphers(const OBJ_NAME *name, void *bio_) +{ + BIO *bio = bio_; + static int n; + + if (!islower((unsigned char)*name->name)) + return; + + BIO_printf(bio, "-%-25s", name->name); + if (++n == 3) { + BIO_printf(bio, "\n"); + n = 0; + } else + BIO_printf(bio, " "); } -int set_hex(char *in, unsigned char *out, int size) +static int set_hex(char *in, unsigned char *out, int size) { int i, n; unsigned char j; diff --git a/apps/engine.c b/apps/engine.c index 5386465..7dcc1b0 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -1,4 +1,3 @@ -/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */ /* * Written by Richard Levitte for the OpenSSL project * 2000. 
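Review bot: The exit path in the `-666,11 +586,26` hunk releases `pass` with `OPENSSL_free(pass)` without wiping it, so the passphrase obtained through `app_passwd` stays in freed heap memory. I would clear it before release, `OPENSSL_cleanse(pass, strlen(pass));`, inside the existing `if (pass)` guard. The static `buf` that `-kfile` fills earlier in `enc_main` holds the same kind of secret and is not cleared in any visible line either. The start of `enc_main` is outside this hunk.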
@@ -66,27 +65,26 @@ # include # include -# undef PROG -# define PROG engine_main - -static const char *engine_usage[] = { - "usage: engine opts [engine ...]\n", - " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n", - " -vv will additionally display each command's description\n", - " -vvv will also add the input flags for each command\n", - " -vvvv will also show internal input flags\n", - " -c - for each engine, also list the capabilities\n", - " -t[t] - for each engine, check that they are really available\n", - " -tt will display error trace for unavailable engines\n", - " -pre - runs command 'cmd' against the ENGINE before any attempts\n", - " to load it (if -t is used)\n", - " -post - runs command 'cmd' against the ENGINE after loading it\n", - " (only used if -t is also provided)\n", - " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n", - " line, or all supported ENGINEs if none are specified.\n", - " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n", - " argument \"/lib/libdriver.so\".\n", - NULL +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST, + OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV +} OPTION_CHOICE; + +OPTIONS engine_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"vvvv", OPT_VVVV, '-', "Also show internal input flags"}, + {"vvv", OPT_VVV, '-', "Also add the input flags for each command"}, + {"vv", OPT_VV, '-', "Also display each command's description"}, + {"v", OPT_V, '-', "For each engine, list its 'control commands'"}, + {"c", OPT_C, '-', "List the capabilities of each engine"}, + {"t", OPT_T, '-', "Check that each engine is available"}, + {"tt", OPT_TT, '-', "Display error trace for unavailable engines"}, + {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"}, + {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"}, + {OPT_MORE_STR, OPT_EOF, 1, + 
"Commands are like \"SO_PATH:/lib/libdriver.so\""}, + {NULL} }; static void identity(char *ptr) @@ -124,13 +122,13 @@ static int append_buf(char **buf, const char *s, int *size, int step) return 1; } -static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) +static int util_flags(BIO *out, unsigned int flags, const char *indent) { int started = 0, err = 0; /* Indent before displaying input flags */ - BIO_printf(bio_out, "%s%s(input flags): ", indent, indent); + BIO_printf(out, "%s%s(input flags): ", indent, indent); if (flags == 0) { - BIO_printf(bio_out, "\n"); + BIO_printf(out, "\n"); return 1; } /* @@ -138,11 +136,11 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) * having it part of all the other flags, even if it really is. */ if (flags & ENGINE_CMD_FLAG_INTERNAL) { - BIO_printf(bio_out, "[Internal] "); + BIO_printf(out, "[Internal] "); } if (flags & ENGINE_CMD_FLAG_NUMERIC) { - BIO_printf(bio_out, "NUMERIC"); + BIO_printf(out, "NUMERIC"); started = 1; } /* @@ -153,18 +151,18 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) */ if (flags & ENGINE_CMD_FLAG_STRING) { if (started) { - BIO_printf(bio_out, "|"); + BIO_printf(out, "|"); err = 1; } - BIO_printf(bio_out, "STRING"); + BIO_printf(out, "STRING"); started = 1; } if (flags & ENGINE_CMD_FLAG_NO_INPUT) { if (started) { - BIO_printf(bio_out, "|"); + BIO_printf(out, "|"); err = 1; } - BIO_printf(bio_out, "NO_INPUT"); + BIO_printf(out, "NO_INPUT"); started = 1; } /* Check for unknown flags */ 
@@ -173,17 +171,16 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent) ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL; if (flags) { if (started) - BIO_printf(bio_out, "|"); - BIO_printf(bio_out, "<0x%04X>", flags); + BIO_printf(out, "|"); + BIO_printf(out, "<0x%04X>", flags); } if (err) - BIO_printf(bio_out, " "); - BIO_printf(bio_out, "\n"); + BIO_printf(out, " "); + BIO_printf(out, "\n"); return 1; } -static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, - const char *indent) +static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent) { static const int line_wrap = 78; int num; @@ -200,9 +197,9 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, } cmds = sk_OPENSSL_STRING_new_null(); - if (!cmds) goto err; + do { int len; /* Get the command input flags */ @@ -233,26 +230,26 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, /* Now decide on the output */ if (xpos == 0) /* Do an indent */ - xpos = BIO_puts(bio_out, indent); + xpos = BIO_puts(out, indent); else /* Otherwise prepend a ", " */ - xpos += BIO_printf(bio_out, ", "); + xpos += BIO_printf(out, ", "); if (verbose == 1) { /* * We're just listing names, comma-delimited */ if ((xpos > (int)strlen(indent)) && (xpos + (int)strlen(name) > line_wrap)) { - BIO_printf(bio_out, "\n"); - xpos = BIO_puts(bio_out, indent); + BIO_printf(out, "\n"); + xpos = BIO_puts(out, indent); } - xpos += BIO_printf(bio_out, "%s", name); + xpos += BIO_printf(out, "%s", name); } else { /* We're listing names plus descriptions */ - BIO_printf(bio_out, "%s: %s\n", name, + BIO_printf(out, "%s: %s\n", name, (desc == NULL) ? "" : desc); /* ... and sometimes input flags */ - if ((verbose >= 3) && !util_flags(bio_out, flags, indent)) + if ((verbose >= 3) && !util_flags(out, flags, indent)) goto err; xpos = 0; } 
@@ -267,7 +264,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL); } while (num > 0); if (xpos > 0) - BIO_printf(bio_out, "\n"); + BIO_printf(out, "\n"); ret = 1; err: if (cmds) @@ -280,12 +277,12 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, } static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, - BIO *bio_out, const char *indent) + BIO *out, const char *indent) { int loop, res, num = sk_OPENSSL_STRING_num(cmds); if (num < 0) { - BIO_printf(bio_out, "[Error]: internal stack error\n"); + BIO_printf(out, "[Error]: internal stack error\n"); return; } for (loop = 0; loop < num; loop++) { @@ -299,7 +296,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, res = 0; } else { if ((int)(arg - cmd) > 254) { - BIO_printf(bio_out, "[Error]: command name too long\n"); + BIO_printf(out, "[Error]: command name too long\n"); return; } memcpy(buf, cmd, (int)(arg - cmd)); 
@@ -310,90 +307,70 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, res = 0; } if (res) - BIO_printf(bio_out, "[Success]: %s\n", cmd); + BIO_printf(out, "[Success]: %s\n", cmd); else { - BIO_printf(bio_out, "[Failure]: %s\n", cmd); - ERR_print_errors(bio_out); + BIO_printf(out, "[Failure]: %s\n", cmd); + ERR_print_errors(out); } } } -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +int engine_main(int argc, char **argv) { int ret = 1, i; - const char **pp; int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0; ENGINE *e; STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null(); STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); - int badops = 1; - BIO *bio_out = NULL; + BIO *out; const char *indent = " "; + OPTION_CHOICE o; + char *prog; - apps_startup(); - SSL_load_error_strings(); - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) + out = dup_bio_out(); + prog = opt_init(argc, argv, engine_options); + if (!engines || !pre_cmds || !post_cmds) goto end; - bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - bio_out = BIO_push(tmpbio, bio_out); - } -# endif - - argc--; - argv++; - while (argc >= 1) { - if (strncmp(*argv, "-v", 2) == 0) { - if (strspn(*argv + 1, "v") < strlen(*argv + 1)) - goto skip_arg_loop; - if ((verbose = strlen(*argv + 1)) > 4) - goto skip_arg_loop; - } else if (strcmp(*argv, "-c") == 0) + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(engine_options); + ret = 0; + goto end; + case OPT_VVVV: + case OPT_VVV: + case OPT_VV: + case OPT_V: + /* Convert to an integer from one to four. 
*/ + i = (int)(o - OPT_V) + 1; + if (verbose < i) + verbose = i; + break; + case OPT_C: list_cap = 1; - else if (strncmp(*argv, "-t", 2) == 0) { - test_avail = 1; - if (strspn(*argv + 1, "t") < strlen(*argv + 1)) - goto skip_arg_loop; - if ((test_avail_noise = strlen(*argv + 1) - 1) > 1) - goto skip_arg_loop; - } else if (strcmp(*argv, "-pre") == 0) { - argc--; - argv++; - if (argc == 0) - goto skip_arg_loop; - sk_OPENSSL_STRING_push(pre_cmds, *argv); - } else if (strcmp(*argv, "-post") == 0) { - argc--; - argv++; - if (argc == 0) - goto skip_arg_loop; - sk_OPENSSL_STRING_push(post_cmds, *argv); - } else if ((strncmp(*argv, "-h", 2) == 0) || - (strcmp(*argv, "-?") == 0)) - goto skip_arg_loop; - else - sk_OPENSSL_STRING_push(engines, *argv); - argc--; - argv++; - } - /* Looks like everything went OK */ - badops = 0; - skip_arg_loop: - - if (badops) { - for (pp = engine_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); - goto end; + break; + case OPT_TT: + test_avail_noise++; + case OPT_T: + test_avail++; + break; + case OPT_PRE: + sk_OPENSSL_STRING_push(pre_cmds, opt_arg()); + break; + case OPT_POST: + sk_OPENSSL_STRING_push(post_cmds, opt_arg()); + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); + for ( ; *argv; argv++) + sk_OPENSSL_STRING_push(engines, *argv); if (sk_OPENSSL_STRING_num(engines) == 0) { for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { @@ -408,10 +385,10 @@ int MAIN(int argc, char **argv) /* * Do "id" first, then "name". Easier to auto-parse. */ - BIO_printf(bio_out, "(%s) %s\n", id, name); - util_do_cmds(e, pre_cmds, bio_out, indent); + BIO_printf(out, "(%s) %s\n", id, name); + util_do_cmds(e, pre_cmds, out, indent); if (strcmp(ENGINE_get_id(e), id) != 0) { - BIO_printf(bio_out, "Loaded: (%s) %s\n", + BIO_printf(out, "Loaded: (%s) %s\n", ENGINE_get_id(e), ENGINE_get_name(e)); } if (list_cap) { 
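Review bot: `case OPT_TT:` runs into `case OPT_T:` without a marker, so the deliberate fall-through (`-tt` implies `-t`) reads like a missing `break`; add `/* fall thru */` after `test_avail_noise++;`. Separately, `out = dup_bio_out()` is used without a NULL check, unlike the three stacks tested two lines later; `if (!out || !engines || !pre_cmds || !post_cmds)` would cover it. `engine_main` ends outside this hunk.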
@@ -466,24 +443,24 @@ int MAIN(int argc, char **argv) goto end; skip_pmeths: if (cap_buf && (*cap_buf != '\0')) - BIO_printf(bio_out, " [%s]\n", cap_buf); + BIO_printf(out, " [%s]\n", cap_buf); OPENSSL_free(cap_buf); } if (test_avail) { - BIO_printf(bio_out, "%s", indent); + BIO_printf(out, "%s", indent); if (ENGINE_init(e)) { - BIO_printf(bio_out, "[ available ]\n"); - util_do_cmds(e, post_cmds, bio_out, indent); + BIO_printf(out, "[ available ]\n"); + util_do_cmds(e, post_cmds, out, indent); ENGINE_finish(e); } else { - BIO_printf(bio_out, "[ unavailable ]\n"); + BIO_printf(out, "[ unavailable ]\n"); if (test_avail_noise) ERR_print_errors_fp(stdout); ERR_clear_error(); } } - if ((verbose > 0) && !util_verbose(e, verbose, bio_out, indent)) + if ((verbose > 0) && !util_verbose(e, verbose, out, indent)) goto end; ENGINE_free(e); } else @@ -497,9 +474,8 @@ int MAIN(int argc, char **argv) sk_OPENSSL_STRING_pop_free(engines, identity); sk_OPENSSL_STRING_pop_free(pre_cmds, identity); sk_OPENSSL_STRING_pop_free(post_cmds, identity); - BIO_free_all(bio_out); - apps_shutdown(); - OPENSSL_EXIT(ret); + BIO_free_all(out); + return (ret); } #else diff --git a/apps/errstr.c b/apps/errstr.c index 668c5f3..960815d 100644 --- a/apps/errstr.c +++ b/apps/errstr.c @@ -1,4 +1,3 @@ -/* apps/errstr.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
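Review bot: The unavailable-engine branch still writes its trace with `ERR_print_errors_fp(stdout)` while every other line in this hunk now goes through `out`. If `out` buffers or wraps stdout differently (`dup_bio_out` is not shown), the trace can appear out of order relative to the `[ unavailable ]` line. `ERR_print_errors(out);` would match what `util_do_cmds` already does on failure. The enclosing function starts and ends outside this hunk.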
@@ -65,56 +64,60 @@ #include #include -#undef PROG -#define PROG errstr_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_STATS +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS errstr_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"}, + {OPT_HELP_STR, 1, '-', " errnum Error number\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"stats", OPT_STATS, '-', + "Print internal hashtable statistics (long!)"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int errstr_main(int argc, char **argv) { - int i, ret = 0; - char buf[256]; + OPTION_CHOICE o; + char buf[256], *prog; + int ret = 1; unsigned long l; - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - SSL_load_error_strings(); - - if ((argc > 1) && (strcmp(argv[1], "-stats") == 0)) { - BIO *out = NULL; - - out = BIO_new(BIO_s_file()); - if ((out != NULL) && BIO_set_fp(out, stdout, BIO_NOCLOSE)) { -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), out); - lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), out); + prog = opt_init(argc, argv, errstr_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(errstr_options); + ret = 0; + goto end; + case OPT_STATS: + lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), + bio_out); + lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), bio_out); lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(), - out); + bio_out); + ret = 0; + goto end; } - BIO_free_all(out); - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - for (i = 1; i < argc; i++) { - if (sscanf(argv[i], "%lx", &l)) { - ERR_error_string_n(l, buf, sizeof 
buf); - printf("%s\n", buf); - } else { - printf("%s: bad error code\n", argv[i]); - printf("usage: errstr [-stats] ...\n"); + ret = 0; + for (argv = opt_rest(); *argv; argv++) { + if (!opt_ulong(*argv, &l)) ret++; + else { + ERR_error_string_n(l, buf, sizeof buf); + BIO_printf(bio_out, "%s\n", buf); } } - apps_shutdown(); - OPENSSL_EXIT(ret); + end: + return (ret); } diff --git a/apps/gendh.c b/apps/gendh.c deleted file mode 100644 index 904bcf3..0000000 --- a/apps/gendh.c +++ /dev/null 
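Review bot: The argument loop now parses each error number with `opt_ulong(*argv, &l)` where the removed code used `sscanf(argv[i], "%lx", &l)`, which always read hexadecimal. `opt_ulong` is not shown; unless it also assumes base 16, a code copied from an error line without a `0x` prefix would be rejected or decoded as a different number. Either keep the hex parse or state the expected notation in the help line, e.g. `" errnum Error number, in hex\n"`. A bad argument now only increments `ret` with no message, so `BIO_printf(bio_err, "%s: bad error code\n", *argv);` next to `ret++` would restore the old diagnostic.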
@@ -1,243 +0,0 @@ -/* apps/gendh.c */ -/* obsoleted by dhparam.c */ -/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay at cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh at cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay at cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include - -#ifndef OPENSSL_NO_DH -# include -# include -# include -# include -# include "apps.h" -# include -# include -# include -# include -# include -# include -# include - -# define DEFBITS 2048 -# undef PROG -# define PROG gendh_main - -static int dh_cb(int p, int n, BN_GENCB *cb); - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) -{ - BN_GENCB *cb = NULL; - DH *dh = NULL; - int ret = 1, num = DEFBITS; - int g = 2; - char *outfile = NULL; - char *inrand = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - BIO *out = NULL; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - cb = BN_GENCB_new(); - if (!cb) - goto end; - - BN_GENCB_set(cb, dh_cb, bio_err); - - if (!load_config(bio_err, NULL)) - goto end; - - argv++; - argc--; - for (;;) { - if (argc <= 0) - break; - if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-2") == 0) - g = 2; -/*- else if (strcmp(*argv,"-3") == 0) - g=3; */ - else if (strcmp(*argv, "-5") == 0) - g = 5; -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } else - break; - argv++; - argc--; - } - if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) { - bad: - BIO_printf(bio_err, "usage: gendh [args] [numbits]\n"); - BIO_printf(bio_err, " -out file - output the key to 'file\n"); - BIO_printf(bio_err, " -2 - use 2 as the generator value\n"); - /* - * BIO_printf(bio_err," -3 - use 3 as the generator value\n"); - */ - BIO_printf(bio_err, " -5 - use 5 as the generator value\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e - use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, " -rand file%cfile%c...\n", 
LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " - load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - goto end; - } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif - - out = BIO_new(BIO_s_file()); - if (out == NULL) { - ERR_print_errors(bio_err); - goto end; - } - - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } - - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) { - BIO_printf(bio_err, - "warning, not much extra random data, consider using the -rand option\n"); - } - if (inrand != NULL) - BIO_printf(bio_err, "%ld semi-random bytes loaded\n", - app_RAND_load_files(inrand)); - - BIO_printf(bio_err, - "Generating DH parameters, %d bit long safe prime, generator %d\n", - num, g); - BIO_printf(bio_err, "This is going to take a long time\n"); - - if (((dh = DH_new()) == NULL) - || !DH_generate_parameters_ex(dh, num, g, cb)) - goto end; - - app_RAND_write_file(NULL, bio_err); - - if (!PEM_write_bio_DHparams(out, dh)) - goto end; - ret = 0; - end: - if (ret != 0) - ERR_print_errors(bio_err); - BIO_free_all(out); - DH_free(dh); - if (cb != NULL) - BN_GENCB_free(cb); - apps_shutdown(); - OPENSSL_EXIT(ret); -} - -static int dh_cb(int p, int n, BN_GENCB *cb) -{ - char c = '*'; - - if (p == 0) - c = '.'; - if (p == 1) - c = '+'; - if (p == 2) - c = '*'; - if (p == 3) - c = '\n'; - BIO_write(BN_GENCB_get_arg(cb), &c, 1); - (void)BIO_flush(BN_GENCB_get_arg(cb)); - return 1; -} -#else /* !OPENSSL_NO_DH */ - -# if PEDANTIC -static void *dummy = &dummy; -# endif - -#endif diff --git a/apps/gendsa.c b/apps/gendsa.c index 8288eb9..1eaaa45 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c 
@@ -1,4 +1,3 @@
-/* apps/gendsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
 * All rights reserved.
 *
@@ -71,155 +70,86 @@ # include # define DEFBITS 512 -# undef PROG -# define PROG gendsa_main -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_RAND, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS gendsa_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output the key to the specified file"}, + {"passout", OPT_PASSOUT, 's'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int gendsa_main(int argc, char **argv) { - DSA *dsa = NULL; - int ret = 1; - char *outfile = NULL; - char *inrand = NULL, *dsaparams = NULL; - char *passargout = NULL, *passout = NULL; BIO *out = NULL, *in = NULL; + DSA *dsa = NULL; const EVP_CIPHER *enc = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; + char *engine = NULL, *inrand = NULL, *dsaparams = NULL; + char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; + OPTION_CHOICE o; + int ret = 1; - argv++; - argc--; - for (;;) { - if (argc <= 0) + prog = opt_init(argc, argv, gendsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(gendsa_options); + goto end; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case 
OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto end; break; - if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); } -# endif - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } else if (strcmp(*argv, "-") == 0) - goto bad; -# ifndef OPENSSL_NO_DES - else if (strcmp(*argv, "-des") == 0) - enc = EVP_des_cbc(); - else if (strcmp(*argv, "-des3") == 0) - enc = EVP_des_ede3_cbc(); -# endif -# ifndef OPENSSL_NO_IDEA - else if (strcmp(*argv, "-idea") == 0) - enc = EVP_idea_cbc(); -# endif -# ifndef OPENSSL_NO_SEED - else if (strcmp(*argv, "-seed") == 0) - enc = EVP_seed_cbc(); -# endif -# ifndef OPENSSL_NO_AES - else if (strcmp(*argv, "-aes128") == 0) - enc = EVP_aes_128_cbc(); - else if (strcmp(*argv, "-aes192") == 0) - enc = EVP_aes_192_cbc(); - else if (strcmp(*argv, "-aes256") == 0) - enc = EVP_aes_256_cbc(); -# endif -# ifndef OPENSSL_NO_CAMELLIA - else if (strcmp(*argv, "-camellia128") == 0) - enc = EVP_camellia_128_cbc(); - else if (strcmp(*argv, "-camellia192") == 0) - enc = EVP_camellia_192_cbc(); - else if (strcmp(*argv, "-camellia256") == 0) - enc = EVP_camellia_256_cbc(); -# endif - else if (**argv != '-' && dsaparams == NULL) { - dsaparams = *argv; - } else - goto bad; - argv++; - argc--; } + argc = opt_num_rest(); + argv = opt_rest(); + + if (argc != 1) + goto opthelp; + dsaparams = *argv; - if (dsaparams == NULL) { - bad: - BIO_printf(bio_err, "usage: gendsa [args] dsaparam-file\n"); - BIO_printf(bio_err, " -out file - output the key to 'file'\n"); -# ifndef OPENSSL_NO_DES - BIO_printf(bio_err, - " -des - encrypt the generated key with DES in 
cbc mode\n"); - BIO_printf(bio_err, - " -des3 - encrypt the generated key with DES in ede cbc mode (168 bit key)\n"); -# endif -# ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, - " -idea - encrypt the generated key with IDEA in cbc mode\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, " -seed\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc seed\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, " -aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e - use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " - load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, " dsaparam-file\n"); - BIO_printf(bio_err, - " - a DSA parameter file as generated by the dsaparam command\n"); - goto end; - } # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { + if (!app_passwd(NULL, passoutarg, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } - in = BIO_new(BIO_s_file()); - if (!(BIO_read_filename(in, dsaparams))) { - perror(dsaparams); - goto end; - } + in = bio_open_default(dsaparams, "r"); + if (in == NULL) + goto end2; if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) { BIO_printf(bio_err, "unable to load DSA parameter file\n"); 
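Review bot: The `gendsa_options` entry `{"passout", OPT_PASSOUT, 's'},` has no help string, so `-help` gives no description of the option that supplies the private key's pass phrase. The same option in `genrsa_options` later in this commit carries a description; use `{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},` here as well. How `opt_help` treats the implicitly NULL help field is not visible in this hunk, so it is worth confirming that it is never dereferenced. `gendsa_main` continues past the end of this hunk.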
@@ -228,26 +158,11 @@ int MAIN(int argc, char **argv) BIO_free(in); in = NULL; - out = BIO_new(BIO_s_file()); + out = bio_open_default(outfile, "w"); if (out == NULL) - goto end; - - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + goto end2; - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) { + if (!app_RAND_load_file(NULL, 1) && inrand == NULL) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); } @@ -259,7 +174,7 @@ int MAIN(int argc, char **argv) if (!DSA_generate_key(dsa)) goto end; - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout)) goto end; @@ -267,13 +182,13 @@ int MAIN(int argc, char **argv) end: if (ret != 0) ERR_print_errors(bio_err); + end2: BIO_free(in); BIO_free_all(out); DSA_free(dsa); if (passout) OPENSSL_free(passout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } #else /* !OPENSSL_NO_DSA */ diff --git a/apps/genpkey.c b/apps/genpkey.c index bd81d51..5130b40 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -1,4 +1,3 @@ -/* apps/genpkey.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 2006 
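Review bot: The generated DSA private key is written to `out = bio_open_default(outfile, "w")`, and nothing in these hunks shows the file being created with owner-only permissions; `enc` may be NULL, in which case the PEM is unencrypted. Whether `bio_open_default` restricts the mode is not visible here, so this needs confirming; if it follows the process umask, the key file can end up readable by other local users. A comment at the call such as `/* private key output: must be created owner-only */`, or a dedicated open helper for key files, would make the requirement explicit. The same call pattern is used for the key output in the genpkey.c and genrsa.c hunks of this commit.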
@@ -66,159 +65,125 @@ # include #endif -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e); +static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e); static int genpkey_cb(EVP_PKEY_CTX *ctx); -#define PROG genpkey_main - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE, + OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS genpkey_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"}, + {"pass", OPT_PASS, 's', "Output file pass phrase source"}, + {"paramfile", OPT_PARAMFILE, '<', "Parameters file"}, + {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"}, + {"pkeyopt", OPT_PKEYOPT, 's', + "Set the public key algorithm option as opt:value"}, + {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"}, + {"text", OPT_TEXT, '-', "Print the in text"}, + {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {OPT_HELP_STR, 1, 1, + "Order of options may be important! 
See the documentation.\n"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int genpkey_main(int argc, char **argv) { - ENGINE *e = NULL; - char **args, *outfile = NULL; - char *passarg = NULL; BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int outformat; - int text = 0; + ENGINE *e = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; - char *pass = NULL; - int badarg = 0; - int ret = 1, rv; - - int do_param = 0; - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - outformat = FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-outform")) { - if (args[1]) { - args++; - outformat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-pass")) { - if (!args[1]) - goto bad; - passarg = *(++args); - } + char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog; + const EVP_CIPHER *cipher = NULL; + OPTION_CHOICE o; + int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0; + + prog = opt_init(argc, argv, genpkey_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(genpkey_options); + goto end; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + + case OPT_PASS: + passarg = opt_arg(); + break; #ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args, "-engine") == 0) { - if (!args[1]) - goto bad; - e = setup_engine(bio_err, *(++args), 0); - } + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; #endif - else if (!strcmp(*args, "-paramfile")) { - if (!args[1]) - goto bad; - args++; + case OPT_PARAMFILE: if (do_param == 1) - goto bad; - if (!init_keygen_file(bio_err, &ctx, *args, e)) 
+ goto opthelp; + if (!init_keygen_file(&ctx, opt_arg(), e)) goto end; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (strcmp(*args, "-algorithm") == 0) { - if (!args[1]) - goto bad; - if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param)) + break; + case OPT_ALGORITHM: + if (!init_gen_str(&ctx, opt_arg(), e, do_param)) goto end; - } else if (strcmp(*args, "-pkeyopt") == 0) { - if (!args[1]) - goto bad; - if (!ctx) { - BIO_puts(bio_err, "No keytype specified\n"); - goto bad; - } else if (pkey_ctrl_string(ctx, *(++args)) <= 0) { - BIO_puts(bio_err, "parameter setting error\n"); + break; + case OPT_PKEYOPT: + if (ctx == NULL) { + BIO_printf(bio_err, "%s: No keytype specified.\n", prog); + goto opthelp; + } + if (pkey_ctrl_string(ctx, opt_arg()) <= 0) { + BIO_printf(bio_err, + "%s: Error setting %s parameter:\n", + prog, opt_arg()); ERR_print_errors(bio_err); goto end; } - } else if (strcmp(*args, "-genparam") == 0) { - if (ctx) - goto bad; + break; + case OPT_GENPARAM: + if (ctx != NULL) + goto opthelp; do_param = 1; - } else if (strcmp(*args, "-text") == 0) + break; + case OPT_TEXT: text = 1; - else { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) { - BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1); - badarg = 1; - } - if (do_param == 1) - badarg = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher) + || do_param == 1) + goto opthelp; } - args++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (!ctx) - badarg = 1; - - if (badarg) { - bad: - BIO_printf(bio_err, "Usage: genpkey [options]\n"); - BIO_printf(bio_err, "where options may be\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, - "-pass arg output file pass phrase source\n"); - BIO_printf(bio_err, - "- use cipher to encrypt the key\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e 
use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-paramfile file parameters file\n"); - BIO_printf(bio_err, "-algorithm alg the public key algorithm\n"); - BIO_printf(bio_err, - "-pkeyopt opt:value set the public key algorithm option \n" - " to value \n"); - BIO_printf(bio_err, - "-genparam generate parameters, not key\n"); - BIO_printf(bio_err, "-text print the in text\n"); - BIO_printf(bio_err, - "NB: options order may be important! See the manual page.\n"); - goto end; - } + if (ctx == NULL) + goto opthelp; - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { + if (!app_passwd(passarg, NULL, &pass, NULL)) { BIO_puts(bio_err, "Error getting password\n"); goto end; } - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } + out = bio_open_default(outfile, "wb"); + if (out == NULL) + goto end; EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); EVP_PKEY_CTX_set_app_data(ctx, bio_err); @@ -278,20 +243,19 @@ int MAIN(int argc, char **argv) return ret; } -static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, - const char *file, ENGINE *e) +static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e) { BIO *pbio; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; if (*pctx) { - BIO_puts(err, "Parameters already set!\n"); + BIO_puts(bio_err, "Parameters already set!\n"); return 0; } pbio = BIO_new_file(file, "r"); if (!pbio) { - BIO_printf(err, "Can't open parameter file %s\n", file); + BIO_printf(bio_err, "Can't open parameter file %s\n", file); return 0; } 
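Review bot: The closing help row in `genpkey_options` is written `{OPT_HELP_STR, 1, 1, ...}`, with the integer `1` in the value-type field where the `OPT_HELP_STR` rows in `errstr_options` and `gendsa_options` use `'-'`. If the option code validates that field against the known type characters, this row is out of spec; write it as `{OPT_HELP_STR, 1, '-', "Order of options may be important! See the documentation.\n"},`. The help text `"Print the in text"` for `-text` is also missing a word, carried over from the old usage message, and should name what is printed, for example `"Print the key or parameters in text"`. `genpkey_main` continues beyond this hunk.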
@@ -313,15 +277,15 @@ static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx, return 1; err: - BIO_puts(err, "Error initializing context\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error initializing context\n"); + ERR_print_errors(bio_err); EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); return 0; } -int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, +int init_gen_str(EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e, int do_param) { EVP_PKEY_CTX *ctx = NULL; @@ -330,7 +294,7 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, int pkey_id; if (*pctx) { - BIO_puts(err, "Algorithm already set!\n"); + BIO_puts(bio_err, "Algorithm already set!\n"); return 0; } @@ -369,8 +333,8 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, return 1; err: - BIO_printf(err, "Error initializing %s context\n", algname); - ERR_print_errors(err); + BIO_printf(bio_err, "Error initializing %s context\n", algname); + ERR_print_errors(bio_err); EVP_PKEY_CTX_free(ctx); return 0; diff --git a/apps/genrsa.c b/apps/genrsa.c index cf60219..b7275ae 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -1,4 +1,3 @@ -/* apps/genrsa.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -74,192 +73,108 @@ # include # define DEFBITS 2048 -# undef PROG -# define PROG genrsa_main static int genrsa_cb(int p, int n, BN_GENCB *cb); -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE, + OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER +} OPTION_CHOICE; -int MAIN(int argc, char **argv) -{ - BN_GENCB *cb = NULL; +OPTIONS genrsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"3", OPT_3, '-', "Use 3 for the E value"}, + {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, + {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, + {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'}, + {"out", OPT_OUT, 's', "Output the key to specified file"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, # ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, # endif - int ret = 1; - int non_fips_allow = 0; - int num = DEFBITS; + {NULL} +}; + +int genrsa_main(int argc, char **argv) +{ + BN_GENCB *cb = BN_GENCB_new(); + ENGINE *e = NULL; + BIGNUM *bn = BN_new(); + BIO *out = NULL; + RSA *rsa = NULL; const EVP_CIPHER *enc = NULL; + int ret = 1, non_fips_allow = 0, num = DEFBITS; unsigned long f4 = RSA_F4; - char *outfile = NULL; - char *passargout = NULL, *passout = NULL; + char *outfile = NULL, *passoutarg = NULL, *passout = NULL; + char *engine = NULL, *inrand = NULL, *prog; char *hexe, *dece; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - char *inrand = NULL; - BIO *out = NULL; - BIGNUM *bn = BN_new(); - RSA *rsa = NULL; - if (!bn) - goto err; - - cb = BN_GENCB_new(); - if (!cb) - goto err; + OPTION_CHOICE o; - apps_startup(); + if (!bn || !cb) + goto end; BN_GENCB_set(cb, genrsa_cb, bio_err); - if (bio_err == NULL) - if 
((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto err; - if ((out = BIO_new(BIO_s_file())) == NULL) { - BIO_printf(bio_err, "unable to create BIO for output\n"); - goto err; - } - - argv++; - argc--; - for (;;) { - if (argc <= 0) - break; - if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-3") == 0) + prog = opt_init(argc, argv, genrsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(genrsa_options); + goto end; + case OPT_3: f4 = 3; - else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0) + break; + case OPT_F4: f4 = RSA_F4; -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } -# ifndef OPENSSL_NO_DES - else if (strcmp(*argv, "-des") == 0) - enc = EVP_des_cbc(); - else if (strcmp(*argv, "-des3") == 0) - enc = EVP_des_ede3_cbc(); -# endif -# ifndef OPENSSL_NO_IDEA - else if (strcmp(*argv, "-idea") == 0) - enc = EVP_idea_cbc(); -# endif -# ifndef OPENSSL_NO_SEED - else if (strcmp(*argv, "-seed") == 0) - enc = EVP_seed_cbc(); -# endif -# ifndef OPENSSL_NO_AES - else if (strcmp(*argv, "-aes128") == 0) - enc = EVP_aes_128_cbc(); - else if (strcmp(*argv, "-aes192") == 0) - enc = EVP_aes_192_cbc(); - else if (strcmp(*argv, "-aes256") == 0) - enc = EVP_aes_256_cbc(); -# endif -# ifndef OPENSSL_NO_CAMELLIA - else if (strcmp(*argv, "-camellia128") == 0) - enc = EVP_camellia_128_cbc(); - else if (strcmp(*argv, "-camellia192") == 0) - enc = EVP_camellia_192_cbc(); - else if (strcmp(*argv, "-camellia256") == 0) - enc = EVP_camellia_256_cbc(); -# endif - else if 
(strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } else if (strcmp(*argv, "-non-fips-allow") == 0) + break; + case OPT_NON_FIPS_ALLOW: non_fips_allow = 1; - else break; - argv++; - argc--; - } - if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) { - bad: - BIO_printf(bio_err, "usage: genrsa [args] [numbits]\n"); - BIO_printf(bio_err, - " -des encrypt the generated key with DES in cbc mode\n"); - BIO_printf(bio_err, - " -des3 encrypt the generated key with DES in ede cbc mode (168 bit key)\n"); -# ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, - " -idea encrypt the generated key with IDEA in cbc mode\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, " -seed\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc seed\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, " -aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif - BIO_printf(bio_err, " -out file output the key to 'file\n"); - BIO_printf(bio_err, - " -passout arg output file pass phrase source\n"); - BIO_printf(bio_err, - " -f4 use F4 (0x10001) for the E value\n"); - BIO_printf(bio_err, " -3 use 3 for the E value\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - goto err; + case OPT_OUT: + outfile = opt_arg(); + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_CIPHER: + if 
(!opt_cipher(opt_unknown(), &enc)) + goto end; + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); - ERR_load_crypto_strings(); + if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) + goto end; - if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { + if (!app_passwd(NULL, passoutarg, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); - goto err; + goto end; } # ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto err; - } - } + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + if (!app_RAND_load_file(NULL, 1) && inrand == NULL && !RAND_status()) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); @@ -276,15 +191,15 @@ int MAIN(int argc, char **argv) rsa = RSA_new_method(e); # endif if (!rsa) - goto err; + goto end; if (non_fips_allow) rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW; if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb)) - goto err; + goto end; - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); hexe = BN_bn2hex(rsa->e); dece = BN_bn2dec(rsa->e); @@ -302,11 +217,11 @@ int MAIN(int argc, char **argv) if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0, (pem_password_cb *)password_callback, &cb_data)) - goto err; + goto end; } ret = 0; - err: + end: if (bn) BN_free(bn); if (cb) @@ -317,8 +232,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(passout); if (ret != 0) ERR_print_errors(bio_err); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static int genrsa_cb(int p, int n, BN_GENCB *cb) 
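Review bot: `case OPT_OUT:` in the new option switch of `genrsa_main` has no `break`, so it falls through into `case OPT_ENGINE:` and `-out file` also stores the output file name in `engine`. That string is later passed to `setup_engine(engine, 0)`, so an ordinary run with only `-out` asks for an engine named after the key file. Add the missing statement so the case reads `outfile = opt_arg();` then `break;`. The numbits check `if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) goto end;` also exits with no message where the old code printed usage; a `BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);` before the jump would match the other error paths.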
diff --git a/apps/makeapps.com b/apps/makeapps.com index efc213c..2724cc6 100644 --- a/apps/makeapps.com +++ b/apps/makeapps.com @@ -178,7 +178,7 @@ $! NOTE: Some might think this list ugly. However, it's made this way to $! reflect the E_OBJ variable in Makefile as closely as possible, thereby $! making it fairly easy to verify that the lists are the same. $! -$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+- +$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DHPARAM,ENC,PASSWD,ERRSTR,"+- "CA,PKCS7,CRL2P7,CRL,"+- "RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+- "X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+- diff --git a/apps/nseq.c b/apps/nseq.c index c306738..3fa496c 100644 --- a/apps/nseq.c +++ b/apps/nseq.c @@ -1,4 +1,3 @@ -/* nseq.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 1999. 
@@ -63,84 +62,71 @@ #include #include -#undef PROG -#define PROG nseq_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_TOSEQ, OPT_IN, OPT_OUT +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS nseq_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int nseq_main(int argc, char **argv) { - char **args, *infile = NULL, *outfile = NULL; BIO *in = NULL, *out = NULL; - int toseq = 0; X509 *x509 = NULL; NETSCAPE_CERT_SEQUENCE *seq = NULL; - int i, ret = 1; - int badarg = 0; - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - ERR_load_crypto_strings(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-toseq")) - toseq = 1; - else if (!strcmp(*args, "-in")) { - if (args[1]) { - args++; - infile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else - badarg = 1; - args++; - } - - if (badarg) { - BIO_printf(bio_err, "Netscape certificate sequence utility\n"); - BIO_printf(bio_err, "Usage nseq [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-toseq output NS Sequence file\n"); - OPENSSL_EXIT(1); - } + OPTION_CHOICE o; + int toseq = 0, ret = 1, i; + char *infile = NULL, *outfile = NULL, *prog; - if (infile) { - if (!(in = BIO_new_file(infile, "r"))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); + prog = opt_init(argc, argv, nseq_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - - if 
(outfile) { - if (!(out = BIO_new_file(outfile, "w"))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); + case OPT_HELP: + ret = 0; + opt_help(nseq_options); goto end; + case OPT_TOSEQ: + toseq = 1; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif } + argc = opt_num_rest(); + argv = opt_rest(); + + in = bio_open_default(infile, "r"); + if (in == NULL) + goto end; + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; + if (toseq) { seq = NETSCAPE_CERT_SEQUENCE_new(); seq->certs = sk_X509_new_null(); + if (!seq->certs) + goto end; while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) sk_X509_push(seq->certs, x509); if (!sk_X509_num(seq->certs)) { - BIO_printf(bio_err, "Error reading certs file %s\n", infile); + BIO_printf(bio_err, "%s: Error reading certs file %s\n", + prog, infile); ERR_print_errors(bio_err); goto end; } @@ -149,8 +135,10 @@ int MAIN(int argc, char **argv) goto end; } - if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) { - BIO_printf(bio_err, "Error reading sequence file %s\n", infile); + seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL); + if (seq == NULL) { + BIO_printf(bio_err, "%s: Error reading sequence file %s\n", + prog, infile); ERR_print_errors(bio_err); goto end; } @@ -166,5 +154,5 @@ int MAIN(int argc, char **argv) BIO_free_all(out); NETSCAPE_CERT_SEQUENCE_free(seq); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/ocsp.c b/apps/ocsp.c index 96f4c67..840e506 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1,4 +1,3 @@ -/* ocsp.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 2000. 
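Review bot: The added `if (!seq->certs) goto end;` in the `toseq` branch comes one statement too late, because `seq->certs = sk_X509_new_null();` already dereferences `seq` and `NETSCAPE_CERT_SEQUENCE_new()` can return NULL on allocation failure. Test the sequence itself first with `if (seq == NULL) goto end;` directly after the `_new()` call. In the read loop that follows, the result of `sk_X509_push(seq->certs, x509)` is ignored, so a failed push silently drops and leaks the certificate just parsed; `if (!sk_X509_push(seq->certs, x509)) { X509_free(x509); goto end; }` covers it. nseq_main continues past this hunk.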
@@ -95,7 +94,7 @@ # endif /* Maximum leeway in validity period: default 5 minutes */ -# define MAX_VALIDITY_PERIOD (5 * 60) +# define MAX_VALIDITY_PERIOD (5 * 60) static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, @@ -103,12 +102,11 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); -static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, +static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage); - -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, +static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *md, STACK_OF(X509) *rother, unsigned long flags, 
@@ -119,498 +117,372 @@ static BIO *init_responder(const char *port); static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, const char *port); static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); -static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, +static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path, const STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); -# undef PROG -# define PROG ocsp_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, + OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, + OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, + OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, + OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, + OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, + OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, + OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, + OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, + OPT_RESPOUT, OPT_PATH, OPT_CERT, OPT_SERIAL, + OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, + OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER, + OPT_V_ENUM, + OPT_MD +} OPTION_CHOICE; + +OPTIONS ocsp_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUTFILE, '>', "Output filename"}, + {"timeout", OPT_TIMEOUT, 'p'}, + {"url", OPT_URL, 's', "Responder URL"}, + {"host", OPT_HOST, 's', "host:prot top to connect to"}, + {"port", OPT_PORT, 'p', "Port to run responder on"}, + {"ignore_err", OPT_IGNORE_ERR, '-'}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, + {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, + {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, + {"resp_no_certs", OPT_RESP_NO_CERTS, '-', + "Don't include any certificates in response"}, + {"resp_key_id", 
OPT_RESP_KEY_ID, '-', + "Identify reponse by signing certificate key ID"}, + {"no_certs", OPT_NO_CERTS, '-', + "Don't include any certificates in signed request"}, + {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', + "Don't check signature on response"}, + {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', + "Don't check signing certificate"}, + {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, + {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', + "Don't do additional checks on signing certificate"}, + {"no_explicit", OPT_NO_EXPLICIT, '-'}, + {"trust_other", OPT_TRUST_OTHER, '-', + "Don't verify additional certificates"}, + {"no_intern", OPT_NO_INTERN, '-', + "Don't search certificates contained in response for signer"}, + {"badsig", OPT_BADSIG, '-'}, + {"text", OPT_TEXT, '-', "Print text form of request and response"}, + {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, + {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, + {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, + {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, + {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, + {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, + {"sign_other", OPT_SIGN_OTHER, '<', + "Additional certificates to include in signed request"}, + {"verify_other", OPT_VERIFY_OTHER, '<', + "Additional certificates to search for signer"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, + {"validity_period", OPT_VALIDITY_PERIOD, 'u', + "Maximum validity discrepancy in seconds"}, + {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, + {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, + {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, + {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, + {"path", OPT_PATH, 's', "Path to use in OCSP 
request"}, + {"cert", OPT_CERT, '<', "Certificate to check"}, + {"serial", OPT_SERIAL, 's', "Nerial number to check"}, + {"index", OPT_INDEX, '<', "Certificate status index file"}, + {"CA", OPT_CA, '<', "CA certificate"}, + {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, + {"nrequest", OPT_REQUEST, 'p', + "Number of requests to accept (default unlimited)"}, + {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, + {"rsigner", OPT_RSIGNER, '<', + "Sesponder certificate to sign responses with"}, + {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, + {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, + {"rmd", OPT_RMD, 's'}, + {"header", OPT_HEADER, 's', "key=value header to add"}, + {"", OPT_MD, '-', "Any supported digest"}, + OPT_V_OPTIONS, + {NULL} +}; + +int ocsp_main(int argc, char **argv) { - ENGINE *e = NULL; - char **args; - char *host = NULL, *port = NULL, *path = "/"; - char *thost = NULL, *tport = NULL, *tpath = NULL; - char *reqin = NULL, *respin = NULL; - char *reqout = NULL, *respout = NULL; - char *signfile = NULL, *keyfile = NULL; - char *rsignfile = NULL, *rkeyfile = NULL; - char *outfile = NULL; - int add_nonce = 1, noverify = 0, use_ssl = -1; - STACK_OF(CONF_VALUE) *headers = NULL; + BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; + const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; + CA_DB *rdb = NULL; + EVP_PKEY *key = NULL, *rkey = NULL; + OCSP_BASICRESP *bs = NULL; OCSP_REQUEST *req = NULL; OCSP_RESPONSE *resp = NULL; - OCSP_BASICRESP *bs = NULL; - X509 *issuer = NULL, *cert = NULL; + STACK_OF(CONF_VALUE) *headers = NULL; + STACK_OF(OCSP_CERTID) *ids = NULL; + STACK_OF(OPENSSL_STRING) *reqnames = NULL; + STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; + X509 *issuer = NULL, *cert = NULL, *rca_cert = NULL; X509 *signer = NULL, *rsigner = NULL; - EVP_PKEY *key = NULL, *rkey = NULL; - BIO *acbio = NULL, *cbio = NULL; - BIO *derbio = NULL; - BIO 
*out = NULL; - int req_timeout = -1; - int req_text = 0, resp_text = 0; - long nsec = MAX_VALIDITY_PERIOD, maxage = -1; - char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; - STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; + char *CAfile = NULL, *CApath = NULL, *header, *value; + char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; + char *rca_filename = NULL, *reqin = NULL, *respin = NULL; + char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; + char *rsignfile = NULL, *rkeyfile = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; + char *signfile = NULL, *keyfile = NULL; + char *thost = NULL, *tport = NULL, *tpath = NULL; + int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; + int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; + int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1; + long nsec = MAX_VALIDITY_PERIOD, maxage = -1; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; - int ret = 1; - int accept_count = -1; - int badarg = 0; - int badsig = 0; - int i; - int ignore_err = 0; - STACK_OF(OPENSSL_STRING) *reqnames = NULL; - STACK_OF(OCSP_CERTID) *ids = NULL; - - X509 *rca_cert = NULL; - char *ridx_filename = NULL; - char *rca_filename = NULL; - CA_DB *rdb = NULL; - int nmin = 0, ndays = -1; - const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; + OPTION_CHOICE o; + char *prog; - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - SSL_load_error_strings(); - OpenSSL_add_ssl_algorithms(); - args = argv + 1; reqnames = sk_OPENSSL_STRING_new_null(); + if (!reqnames) + goto end; ids = sk_OCSP_CERTID_new_null(); - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-timeout")) { - if (args[1]) { - args++; - req_timeout 
= atol(*args); - if (req_timeout < 0) { - BIO_printf(bio_err, "Illegal timeout value %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-url")) { + if (!ids) + goto end; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + prog = opt_init(argc, argv, ocsp_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(ocsp_options); + goto end; + case OPT_OUTFILE: + outfile = opt_arg(); + break; + case OPT_TIMEOUT: + req_timeout = atoi(opt_arg()); + break; + case OPT_URL: if (thost) OPENSSL_free(thost); if (tport) OPENSSL_free(tport); if (tpath) OPENSSL_free(tpath); - if (args[1]) { - args++; - if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) { - BIO_printf(bio_err, "Error parsing URL\n"); - badarg = 1; - } - thost = host; - tport = port; - tpath = path; - } else - badarg = 1; - } else if (!strcmp(*args, "-host")) { - if (args[1]) { - args++; - host = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-port")) { - if (args[1]) { - args++; - port = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-header")) { - if (args[1] && args[2]) { - if (!X509V3_add_value(args[1], args[2], &headers)) - goto end; - args += 2; - } else - badarg = 1; - } else if (!strcmp(*args, "-ignore_err")) + if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) { + BIO_printf(bio_err, "%s Error parsing URL\n", prog); + goto end; + } + thost = host; + tport = port; + tpath = path; + break; + case OPT_HOST: + host = opt_arg(); + break; + case OPT_PORT: + port = opt_arg(); + break; + case OPT_IGNORE_ERR: ignore_err = 1; - else if (!strcmp(*args, "-noverify")) + break; + case OPT_NOVERIFY: noverify = 1; - else if (!strcmp(*args, "-nonce")) + break; + case OPT_NONCE: add_nonce = 2; - else if (!strcmp(*args, "-no_nonce")) + break; + case OPT_NO_NONCE: add_nonce = 0; 
- else if (!strcmp(*args, "-resp_no_certs")) + break; + case OPT_RESP_NO_CERTS: rflags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-resp_key_id")) + break; + case OPT_RESP_KEY_ID: rflags |= OCSP_RESPID_KEY; - else if (!strcmp(*args, "-no_certs")) + break; + case OPT_NO_CERTS: sign_flags |= OCSP_NOCERTS; - else if (!strcmp(*args, "-no_signature_verify")) + break; + case OPT_NO_SIGNATURE_VERIFY: verify_flags |= OCSP_NOSIGS; - else if (!strcmp(*args, "-no_cert_verify")) + break; + case OPT_NO_CERT_VERIFY: verify_flags |= OCSP_NOVERIFY; - else if (!strcmp(*args, "-no_chain")) + break; + case OPT_NO_CHAIN: verify_flags |= OCSP_NOCHAIN; - else if (!strcmp(*args, "-no_cert_checks")) + break; + case OPT_NO_CERT_CHECKS: verify_flags |= OCSP_NOCHECKS; - else if (!strcmp(*args, "-no_explicit")) + break; + case OPT_NO_EXPLICIT: verify_flags |= OCSP_NOEXPLICIT; - else if (!strcmp(*args, "-trust_other")) + break; + case OPT_TRUST_OTHER: verify_flags |= OCSP_TRUSTOTHER; - else if (!strcmp(*args, "-no_intern")) + break; + case OPT_NO_INTERN: verify_flags |= OCSP_NOINTERN; - else if (!strcmp(*args, "-badsig")) + break; + case OPT_BADSIG: badsig = 1; - else if (!strcmp(*args, "-text")) { - req_text = 1; - resp_text = 1; - } else if (!strcmp(*args, "-req_text")) + break; + case OPT_TEXT: + req_text = resp_text = 1; + break; + case OPT_REQ_TEXT: req_text = 1; - else if (!strcmp(*args, "-resp_text")) + break; + case OPT_RESP_TEXT: resp_text = 1; - else if (!strcmp(*args, "-reqin")) { - if (args[1]) { - args++; - reqin = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-respin")) { - if (args[1]) { - args++; - respin = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-signer")) { - if (args[1]) { - args++; - signfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-VAfile")) { - if (args[1]) { - args++; - verify_certfile = *args; - verify_flags |= OCSP_TRUSTOTHER; - } else - badarg = 1; - } else if (!strcmp(*args, "-sign_other")) { - if (args[1]) { - 
args++; - sign_certfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-verify_other")) { - if (args[1]) { - args++; - verify_certfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CAfile")) { - if (args[1]) { - args++; - CAfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CApath")) { - if (args[1]) { - args++; - CApath = *args; - } else - badarg = 1; - } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) { - if (badarg) + break; + case OPT_REQIN: + reqin = opt_arg(); + break; + case OPT_RESPIN: + respin = opt_arg(); + break; + case OPT_SIGNER: + signfile = opt_arg(); + break; + case OPT_VAFILE: + verify_certfile = opt_arg(); + verify_flags |= OCSP_TRUSTOTHER; + break; + case OPT_SIGN_OTHER: + sign_certfile = opt_arg(); + break; + case OPT_VERIFY_OTHER: + verify_certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) goto end; - continue; - } else if (!strcmp(*args, "-validity_period")) { - if (args[1]) { - args++; - nsec = atol(*args); - if (nsec < 0) { - BIO_printf(bio_err, - "Illegal validity period %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-status_age")) { - if (args[1]) { - args++; - maxage = atol(*args); - if (maxage < 0) { - BIO_printf(bio_err, "Illegal validity age %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-signkey")) { - if (args[1]) { - args++; - keyfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-reqout")) { - if (args[1]) { - args++; - reqout = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-respout")) { - if (args[1]) { - args++; - respout = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-path")) { - if (args[1]) { - args++; - path = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-issuer")) { - if (args[1]) { - args++; - X509_free(issuer); - 
issuer = load_cert(bio_err, *args, FORMAT_PEM, - NULL, e, "issuer certificate"); - if (!issuer) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-cert")) { - if (args[1]) { - args++; - X509_free(cert); - cert = load_cert(bio_err, *args, FORMAT_PEM, - NULL, e, "certificate"); - if (!cert) - goto end; - if (!cert_id_md) - cert_id_md = EVP_sha1(); - if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) - goto end; - if (!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-serial")) { - if (args[1]) { - args++; - if (!cert_id_md) - cert_id_md = EVP_sha1(); - if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) - goto end; - if (!sk_OPENSSL_STRING_push(reqnames, *args)) - goto end; - } else - badarg = 1; - } else if (!strcmp(*args, "-index")) { - if (args[1]) { - args++; - ridx_filename = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CA")) { - if (args[1]) { - args++; - rca_filename = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-nmin")) { - if (args[1]) { - args++; - nmin = atol(*args); - if (nmin < 0) { - BIO_printf(bio_err, "Illegal update period %s\n", *args); - badarg = 1; - } - } + vpmtouched++; + break; + case OPT_VALIDITY_PERIOD: + opt_long(opt_arg(), &nsec); + break; + case OPT_STATUS_AGE: + opt_long(opt_arg(), &maxage); + break; + case OPT_SIGNKEY: + keyfile = opt_arg(); + break; + case OPT_REQOUT: + reqout = opt_arg(); + break; + case OPT_RESPOUT: + respout = opt_arg(); + break; + case OPT_PATH: + path = opt_arg(); + break; + case OPT_CERT: + X509_free(cert); + cert = load_cert(opt_arg(), FORMAT_PEM, + NULL, NULL, "certificate"); + if (cert == NULL) + goto end; + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) + goto end; + if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + break; + case OPT_SERIAL: + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_serial(&req, 
opt_arg(), cert_id_md, issuer, ids)) + goto end; + if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + break; + case OPT_INDEX: + ridx_filename = opt_arg(); + break; + case OPT_CA: + rca_filename = opt_arg(); + break; + case OPT_NMIN: + opt_int(opt_arg(), &nmin); if (ndays == -1) ndays = 0; - else - badarg = 1; - } else if (!strcmp(*args, "-nrequest")) { - if (args[1]) { - args++; - accept_count = atol(*args); - if (accept_count < 0) { - BIO_printf(bio_err, "Illegal accept count %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-ndays")) { - if (args[1]) { - args++; - ndays = atol(*args); - if (ndays < 0) { - BIO_printf(bio_err, "Illegal update period %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-rsigner")) { - if (args[1]) { - args++; - rsignfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-rkey")) { - if (args[1]) { - args++; - rkeyfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-rother")) { - if (args[1]) { - args++; - rcertfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-rmd")) { - if (args[1]) { - args++; - rsign_md = EVP_get_digestbyname(*args); - if (!rsign_md) - badarg = 1; - } else - badarg = 1; - } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) { - badarg = 1; + break; + case OPT_REQUEST: + opt_int(opt_arg(), &accept_count); + break; + case OPT_NDAYS: + ndays = atoi(opt_arg()); + break; + case OPT_RSIGNER: + rsignfile = opt_arg(); + break; + case OPT_RKEY: + rkeyfile = opt_arg(); + break; + case OPT_ROTHER: + rcertfile = opt_arg(); + break; + case OPT_RMD: + if (!opt_md(opt_arg(), &rsign_md)) + goto end; + break; + case OPT_HEADER: + header = opt_arg(); + value = strchr(header, '='); + if (value == NULL) { + BIO_printf(bio_err, "Missing = in header key=value\n"); + goto opthelp; + } + *value++ = '\0'; + if (!X509V3_add_value(header, value, &headers)) + goto end; + break; + case OPT_MD: + if 
(cert_id_md != NULL) { + BIO_printf(bio_err, + "%s: Digest must be before -cert or -serial\n", + prog); + goto opthelp; + } + if (!opt_md(opt_unknown(), &cert_id_md)) + goto opthelp; + break; } - args++; } + argc = opt_num_rest(); + argv = opt_rest(); /* Have we anything to do? */ if (!req && !reqin && !respin && !(port && ridx_filename)) - badarg = 1; - - if (badarg) { - BIO_printf(bio_err, "OCSP utility\n"); - BIO_printf(bio_err, "Usage ocsp [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-out file output filename\n"); - BIO_printf(bio_err, "-issuer file issuer certificate\n"); - BIO_printf(bio_err, "-cert file certificate to check\n"); - BIO_printf(bio_err, "-serial n serial number to check\n"); - BIO_printf(bio_err, - "-signer file certificate to sign OCSP request with\n"); - BIO_printf(bio_err, - "-signkey file private key to sign OCSP request with\n"); - BIO_printf(bio_err, - "-sign_other file additional certificates to include in signed request\n"); - BIO_printf(bio_err, - "-no_certs don't include any certificates in signed request\n"); - BIO_printf(bio_err, - "-req_text print text form of request\n"); - BIO_printf(bio_err, - "-resp_text print text form of response\n"); - BIO_printf(bio_err, - "-text print text form of request and response\n"); - BIO_printf(bio_err, - "-reqout file write DER encoded OCSP request to \"file\"\n"); - BIO_printf(bio_err, - "-respout file write DER encoded OCSP reponse to \"file\"\n"); - BIO_printf(bio_err, - "-reqin file read DER encoded OCSP request from \"file\"\n"); - BIO_printf(bio_err, - "-respin file read DER encoded OCSP reponse from \"file\"\n"); - BIO_printf(bio_err, - "-nonce add OCSP nonce to request\n"); - BIO_printf(bio_err, - "-no_nonce don't add OCSP nonce to request\n"); - BIO_printf(bio_err, "-url URL OCSP responder URL\n"); - BIO_printf(bio_err, - "-host host:n send OCSP request to host on port n\n"); - BIO_printf(bio_err, - "-path path to use in OCSP request\n"); - 
BIO_printf(bio_err, - "-CApath dir trusted certificates directory\n"); - BIO_printf(bio_err, - "-CAfile file trusted certificates file\n"); - BIO_printf(bio_err, - "-trusted_first use locally trusted CA's first when building trust chain\n"); - BIO_printf(bio_err, - "-no_alt_chains only ever use the first certificate chain found\n"); - BIO_printf(bio_err, - "-VAfile file validator certificates file\n"); - BIO_printf(bio_err, - "-validity_period n maximum validity discrepancy in seconds\n"); - BIO_printf(bio_err, - "-status_age n maximum status age in seconds\n"); - BIO_printf(bio_err, - "-noverify don't verify response at all\n"); - BIO_printf(bio_err, - "-verify_other file additional certificates to search for signer\n"); - BIO_printf(bio_err, - "-trust_other don't verify additional certificates\n"); - BIO_printf(bio_err, - "-no_intern don't search certificates contained in response for signer\n"); - BIO_printf(bio_err, - "-no_signature_verify don't check signature on response\n"); - BIO_printf(bio_err, - "-no_cert_verify don't check signing certificate\n"); - BIO_printf(bio_err, - "-no_chain don't chain verify response\n"); - BIO_printf(bio_err, - "-no_cert_checks don't do additional checks on signing certificate\n"); - BIO_printf(bio_err, - "-port num port to run responder on\n"); - BIO_printf(bio_err, - "-index file certificate status index file\n"); - BIO_printf(bio_err, "-CA file CA certificate\n"); - BIO_printf(bio_err, - "-rsigner file responder certificate to sign responses with\n"); - BIO_printf(bio_err, - "-rkey file responder key to sign responses with\n"); - BIO_printf(bio_err, - "-rother file other certificates to include in response\n"); - BIO_printf(bio_err, - "-resp_no_certs don't include any certificates in response\n"); - BIO_printf(bio_err, - "-nmin n number of minutes before next update\n"); - BIO_printf(bio_err, - "-ndays n number of days before next update\n"); - BIO_printf(bio_err, - "-resp_key_id identify reponse by signing certificate key 
ID\n"); - BIO_printf(bio_err, - "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf(bio_err, - "- use specified digest in the request\n"); - BIO_printf(bio_err, - "-timeout n timeout connection to OCSP responder after n seconds\n"); - goto end; - } + goto opthelp; - if (outfile) - out = BIO_new_file(outfile, "w"); - else - out = BIO_new_fp(stdout, BIO_NOCLOSE); - - if (!out) { - BIO_printf(bio_err, "Error opening output file\n"); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } if (!req && (add_nonce != 2)) add_nonce = 0; if (!req && reqin) { - if (!strcmp(reqin, "-")) - derbio = BIO_new_fp(stdin, BIO_NOCLOSE); - else - derbio = BIO_new_file(reqin, "rb"); - if (!derbio) { - BIO_printf(bio_err, "Error Opening OCSP request file\n"); + derbio = bio_open_default(reqin, "rb"); + if (derbio == NULL) goto end; - } req = d2i_OCSP_REQUEST_bio(derbio, NULL); BIO_free(derbio); if (!req) { @@ -628,21 +500,21 @@ int MAIN(int argc, char **argv) if (rsignfile && !rdb) { if (!rkeyfile) rkeyfile = rsignfile; - rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM, - NULL, e, "responder certificate"); + rsigner = load_cert(rsignfile, FORMAT_PEM, + NULL, NULL, "responder certificate"); if (!rsigner) { BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; } - rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM, - NULL, e, "CA certificate"); + rca_cert = load_cert(rca_filename, FORMAT_PEM, + NULL, NULL, "CA certificate"); if (rcertfile) { - rother = load_certs(bio_err, rcertfile, FORMAT_PEM, - NULL, e, "responder other certificates"); + rother = load_certs(rcertfile, FORMAT_PEM, + NULL, NULL, "responder other certificates"); if (!rother) goto end; } - rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL, + rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL, "responder private key"); if (!rkey) goto end; 
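Review bot: In the `OPT_URL` case `thost`, `tport` and `tpath` are freed but not cleared, and when `OCSP_parse_url()` then fails the code jumps to `end` before they are reassigned; the cleanup there frees `tpath` again (visible as context in a later hunk, and presumably `thost` and `tport` too), which is a double free when a malformed `-url` follows a valid one. Add `thost = tport = tpath = NULL;` after the three frees, or do the reassignment before the error check as the removed code did. Separately, the removed `-issuer` branch has no counterpart in `OPTION_choice`, `ocsp_options` or the switch, so `issuer` is still NULL when `add_ocsp_cert()` and `add_ocsp_serial()` receive it; an `OPT_ISSUER` case that loads the certificate with `load_cert()` looks necessary for `-cert` and `-serial` to keep working. ocsp_main continues past this hunk.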
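Review bot: In the `rsignfile` block (`@@ -628,21 +500,21 @@`) the result of `rca_cert = load_cert(rca_filename, ...)` is the only load that is never tested, while `rsigner`, `rother` and `rkey` each get a NULL check. The pointer is later handed to `make_ocsp_response()` as `ca`; how that function copes with NULL is not visible here, so failing early is the safer choice: `if (!rca_cert) goto end;` right after the call, matching the neighbouring checks. The block belongs to ocsp_main, which starts and ends outside this hunk.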
@@ -675,19 +547,19 @@ int MAIN(int argc, char **argv) if (signfile) { if (!keyfile) keyfile = signfile; - signer = load_cert(bio_err, signfile, FORMAT_PEM, - NULL, e, "signer certificate"); + signer = load_cert(signfile, FORMAT_PEM, + NULL, NULL, "signer certificate"); if (!signer) { BIO_printf(bio_err, "Error loading signer certificate\n"); goto end; } if (sign_certfile) { - sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM, - NULL, e, "signer certificates"); + sign_other = load_certs(sign_certfile, FORMAT_PEM, + NULL, NULL, "signer certificates"); if (!sign_other) goto end; } - key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL, + key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, "signer private key"); if (!key) goto end; @@ -703,14 +575,9 @@ int MAIN(int argc, char **argv) OCSP_REQUEST_print(out, req, 0); if (reqout) { - if (!strcmp(reqout, "-")) - derbio = BIO_new_fp(stdout, BIO_NOCLOSE); - else - derbio = BIO_new_file(reqout, "wb"); - if (!derbio) { - BIO_printf(bio_err, "Error opening file %s\n", reqout); + derbio = bio_open_default(reqout, "wb"); + if (derbio == NULL) goto end; - } i2d_OCSP_REQUEST_bio(derbio, req); BIO_free(derbio); } @@ -730,13 +597,13 @@ int MAIN(int argc, char **argv) } if (rdb) { - i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, + make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rsign_md, rother, rflags, nmin, ndays, badsig); if (cbio) send_ocsp_response(cbio, resp); } else if (host) { # ifndef OPENSSL_NO_SOCK - resp = process_responder(bio_err, req, host, path, + resp = process_responder(req, host, path, port, use_ssl, headers, req_timeout); if (!resp) goto end; 
@@ -746,21 +613,15 @@ int MAIN(int argc, char **argv) goto end; # endif } else if (respin) { - if (!strcmp(respin, "-")) - derbio = BIO_new_fp(stdin, BIO_NOCLOSE); - else - derbio = BIO_new_file(respin, "rb"); - if (!derbio) { - BIO_printf(bio_err, "Error Opening OCSP response file\n"); + derbio = bio_open_default(respin, "rb"); + if (derbio == NULL) goto end; - } resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); BIO_free(derbio); if (!resp) { BIO_printf(bio_err, "Error reading OCSP response\n"); goto end; } - } else { ret = 0; goto end; @@ -769,20 +630,14 @@ int MAIN(int argc, char **argv) done_resp: if (respout) { - if (!strcmp(respout, "-")) - derbio = BIO_new_fp(stdout, BIO_NOCLOSE); - else - derbio = BIO_new_file(respout, "wb"); - if (!derbio) { - BIO_printf(bio_err, "Error opening file %s\n", respout); + derbio = bio_open_default(respout, "wb"); + if (derbio == NULL) goto end; - } i2d_OCSP_RESPONSE_bio(derbio, resp); BIO_free(derbio); } i = OCSP_response_status(resp); - if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { BIO_printf(out, "Responder Error: %s (%d)\n", OCSP_response_status_str(i), i); 
@@ -797,40 +652,38 @@ int MAIN(int argc, char **argv) /* If running as responder don't verify our own response */ if (cbio) { - if (accept_count > 0) - accept_count--; - /* Redo if more connections needed */ - if (accept_count) { - BIO_free_all(cbio); - cbio = NULL; - OCSP_REQUEST_free(req); - req = NULL; - OCSP_RESPONSE_free(resp); - resp = NULL; - goto redo_accept; + if (--accept_count <= 0) { + ret = 0; + goto end; } - ret = 0; - goto end; - } else if (ridx_filename) { + BIO_free_all(cbio); + cbio = NULL; + OCSP_REQUEST_free(req); + req = NULL; + OCSP_RESPONSE_free(resp); + resp = NULL; + goto redo_accept; + } + if (ridx_filename) { ret = 0; goto end; } - if (!store) - store = setup_verify(bio_err, CAfile, CApath); - if (!store) - goto end; - if (vpm) + if (!store) { + store = setup_verify(CAfile, CApath); + if (!store) + goto end; + } + if (vpmtouched) X509_STORE_set1_param(store, vpm); if (verify_certfile) { - verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, - NULL, e, "validator certificate"); + verify_other = load_certs(verify_certfile, FORMAT_PEM, + NULL, NULL, "validator certificate"); if (!verify_other) goto end; } bs = OCSP_response_get1_basic(resp); - if (!bs) { BIO_printf(bio_err, "Error parsing response\n"); goto end; @@ -859,8 +712,7 @@ int MAIN(int argc, char **argv) } - if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) - ret = 1; + print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage); end: ERR_print_errors(bio_err); @@ -870,7 +722,6 @@ int MAIN(int argc, char **argv) X509_VERIFY_PARAM_free(vpm); EVP_PKEY_free(key); EVP_PKEY_free(rkey); - X509_free(issuer); X509_free(cert); X509_free(rsigner); X509_free(rca_cert); @@ -894,7 +745,7 @@ int MAIN(int argc, char **argv) if (tpath) OPENSSL_free(tpath); - OPENSSL_EXIT(ret); + return (ret); } static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, 
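Review bot: `if (--accept_count <= 0)` changes what the default means: `accept_count` is initialised to -1 and the `-nrequest` help text promises "default unlimited", but -1 decrements to -2 and the responder now exits after its first connection. The removed code decremented only positive counts and looped again for any non-zero value. Keeping that distinction needs only a guard on the sentinel, `if (accept_count != -1 && --accept_count <= 0) {`, with the rest of the block unchanged. The enclosing ocsp_main starts and ends outside this hunk.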
@@ -958,22 +809,19 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, return 0; } -static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, +static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec, long maxage) { OCSP_CERTID *id; char *name; - int i; - - int status, reason; - + int i, status, reason; ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids)) - return 1; + return; for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { id = sk_OCSP_CERTID_value(ids, i); @@ -1016,11 +864,9 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, ASN1_GENERALIZEDTIME_print(out, rev); BIO_puts(out, "\n"); } - - return 1; } -static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, +static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *rmd, STACK_OF(X509) *rother, unsigned long flags, @@ -1029,7 +875,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, ASN1_TIME *thisupd = NULL, *nextupd = NULL; OCSP_CERTID *cid, *ca_id = NULL; OCSP_BASICRESP *bs = NULL; - int i, id_count, ret = 1; + int i, id_count; id_count = OCSP_request_onereq_count(req); @@ -1112,8 +958,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, if (badsig) { ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); - unsigned char *sigptr; - sigptr = ASN1_STRING_data(sig); + unsigned char *sigptr = ASN1_STRING_data(sig); sigptr[ASN1_STRING_length(sig) - 1] ^= 0x1; } @@ -1124,8 +969,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, ASN1_TIME_free(nextupd); OCSP_CERTID_free(ca_id); OCSP_BASICRESP_free(bs); - return ret; - } static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) 
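Review bot: In the badsig branch of make_ocsp_response (hunk at -1112), `sigptr[ASN1_STRING_length(sig) - 1] ^= 0x1;` indexes the signature buffer without checking that `sig` is non-NULL and that its length is positive. If the response was not signed successfully (the signing call is outside the hunk, so this is an assumption), the index becomes -1 and the byte flip lands outside the buffer. Wrapping the flip in `if (sig != NULL && ASN1_STRING_length(sig) > 0)` makes the test option safe. Now that the function returns void, a one-line comment saying how a caller detects a failed build (presumably by `*resp` being NULL) would also help.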
@@ -1154,6 +997,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) static BIO *init_responder(const char *port) { BIO *acbio = NULL, *bufbio = NULL; + bufbio = BIO_new(BIO_f_buffer()); if (!bufbio) goto err; @@ -1185,9 +1029,9 @@ static BIO *init_responder(const char *port) static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, const char *port) { - int have_post = 0, len; + int len; OCSP_REQUEST *req = NULL; - char inbuf[1024]; + char inbuf[2048]; BIO *cbio = NULL; if (BIO_do_accept(acbio) <= 0) { @@ -1199,25 +1043,24 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, cbio = BIO_pop(acbio); *pcbio = cbio; + /* Read the request line. */ + len = BIO_gets(cbio, inbuf, sizeof inbuf); + if (len <= 0) + return 1; + if (strncmp(inbuf, "POST", 4) != 0) { + BIO_printf(bio_err, "Invalid request\n"); + return 1; + } for (;;) { len = BIO_gets(cbio, inbuf, sizeof inbuf); if (len <= 0) return 1; - /* Look for "POST" signalling start of query */ - if (!have_post) { - if (strncmp(inbuf, "POST", 4)) { - BIO_printf(bio_err, "Invalid request\n"); - return 1; - } - have_post = 1; - } /* Look for end of headers */ if ((inbuf[0] == '\r') || (inbuf[0] == '\n')) break; } /* Try to read OCSP request */ - req = d2i_OCSP_REQUEST_bio(cbio, NULL); if (!req) { @@ -1244,7 +1087,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) return 1; } -static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, +static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path, const STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout) { 
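Review bot: The header loop in do_responder (hunk at -1199) puts no limit on the number of lines it reads, and because BIO_gets splits a line longer than `inbuf`, the tail of an over-long header that happens to begin with CR or LF is taken as the end of the headers. A single oversized or never-ending request can therefore occupy this responder, which appears to serve one connection at a time, or desynchronise the DER read that follows. Rejecting a read that filled the buffer without a newline, `if (len == (int)sizeof inbuf - 1 && inbuf[len - 1] != '\n') return 1;`, together with a small cap on header lines, bounds both. The request-line test `strncmp(inbuf, "POST", 4)` also accepts any method that merely starts with POST; comparing five bytes against `"POST "` is stricter. The function continues outside the hunk.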
@@ -1262,12 +1105,12 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, rv = BIO_do_connect(cbio); if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) { - BIO_puts(err, "Error connecting BIO\n"); + BIO_puts(bio_err, "Error connecting BIO\n"); return NULL; } if (BIO_get_fd(cbio, &fd) <= 0) { - BIO_puts(err, "Can't get connection fd\n"); + BIO_puts(bio_err, "Can't get connection fd\n"); goto err; } @@ -1278,7 +1121,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, tv.tv_sec = req_timeout; rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); if (rv == 0) { - BIO_puts(err, "Timeout on connect\n"); + BIO_puts(bio_err, "Timeout on connect\n"); return NULL; } } @@ -1311,15 +1154,15 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, else if (BIO_should_write(cbio)) rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); else { - BIO_puts(err, "Unexpected retry condition\n"); + BIO_puts(bio_err, "Unexpected retry condition\n"); goto err; } if (rv == 0) { - BIO_puts(err, "Timeout on request\n"); + BIO_puts(bio_err, "Timeout on request\n"); break; } if (rv == -1) { - BIO_puts(err, "Select error\n"); + BIO_puts(bio_err, "Select error\n"); break; } @@ -1331,7 +1174,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path, return rsp; } -OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, +OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host, const char *path, const char *port, int use_ssl, const STACK_OF(CONF_VALUE) *headers, @@ -1342,7 +1185,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, OCSP_RESPONSE *resp = NULL; cbio = BIO_new_connect(host); if (!cbio) { - BIO_printf(err, "Error creating connect BIO\n"); + BIO_printf(bio_err, "Error creating connect BIO\n"); goto end; } if (port) 
@@ -1351,14 +1194,14 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, BIO *sbio; ctx = SSL_CTX_new(SSLv23_client_method()); if (ctx == NULL) { - BIO_printf(err, "Error creating SSL context.\n"); + BIO_printf(bio_err, "Error creating SSL context.\n"); goto end; } SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); sbio = BIO_new_ssl(ctx, 1); cbio = BIO_push(sbio, cbio); } - resp = query_responder(err, cbio, path, headers, req, req_timeout); + resp = query_responder(cbio, path, headers, req, req_timeout); if (!resp) BIO_printf(bio_err, "Error querying OCSP responder\n"); end: diff --git a/apps/openssl.c b/apps/openssl.c index e93aed7..de73fac 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -1,4 +1,3 @@ -/* apps/openssl.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -112,9 +111,6 @@ #include #include #include -#define OPENSSL_C /* tells apps.h to use complete - * apps_startup() */ -#include "apps.h" #include #include #include 
@@ -126,14 +122,35 @@ #ifndef OPENSSL_NO_ENGINE # include #endif -#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS - * world */ -#include "progs.h" +/* needed for the _O_BINARY defs in the MS world */ +#define USE_SOCKETS #include "s_apps.h" #include #ifdef OPENSSL_FIPS # include #endif +#define INCLUDE_FUNCTION_TABLE +#include "apps.h" + +#if 1 +# define LIST_STANDARD_COMMANDS "list-standard-commands" +# define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands" +# define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms" +# define LIST_CIPHER_COMMANDS "list-cipher-commands" +# define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms" +# define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms" +#endif + +#ifdef OPENSSL_NO_CAMELLIA +# define FORMAT "%-15s" +# define COLUMNS 5 +#else +# define FORMAT "%-18s" +# define COLUMNS 4 +#endif + +/* Special sentinel to exit the program. */ +#define EXIT_THE_PROGRAM (-1) /* * The LHASH callbacks ("hash" & "cmp") have been replaced by functions with 
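Review bot: The `#if 1` wrapped around the LIST_* macros is a conditional with no switch: nothing in the hunk can turn it off, yet do_cmd later tests `#ifdef LIST_STANDARD_COMMANDS` as though the old command names were optional. Either drop the guard or replace it with a named macro and a comment that states the intent, so a reader knows whether removal is planned. `EXIT_THE_PROGRAM` being -1 deserves a comment as well, for example `/* Returned by exit_main; any command returning -1 ends interactive mode. */`, because main compares the result of every command against it.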
@@ -141,28 +158,103 @@ * required type of "FUNCTION*"). This removes the necessity for * macro-generated wrapper functions. */ - +DECLARE_LHASH_OF(FUNCTION); static LHASH_OF(FUNCTION) *prog_init(void); static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]); -static void list_pkey(BIO *out); -static void list_cipher(BIO *out); -static void list_md(BIO *out); +static int list_pkey(void); +static int list_cipher(void); +static int list_md(void); +static int list_type(FUNC_TYPE list_type); char *default_config_file = NULL; -/* Make sure there is only one when MONOLITH is defined */ -#ifdef MONOLITH CONF *config = NULL; +BIO *bio_in = NULL; +BIO *bio_out = NULL; BIO *bio_err = NULL; + +static void apps_startup() +{ +#ifdef SIGPIPE + signal(SIGPIPE, SIG_IGN); +#endif + CRYPTO_malloc_init(); + ERR_load_crypto_strings(); + ERR_load_SSL_strings(); + OpenSSL_add_all_algorithms(); + OpenSSL_add_ssl_algorithms(); + setup_ui_method(); + /*SSL_library_init();*/ +#ifndef OPENSSL_NO_ENGINE + ENGINE_load_builtin_engines(); +#endif +} + +static void apps_shutdown() +{ +#ifndef OPENSSL_NO_ENGINE + ENGINE_cleanup(); +#endif + destroy_ui_method(); + CONF_modules_unload(1); +#ifndef OPENSSL_NO_COMP + COMP_zlib_cleanup(); +#endif + OBJ_cleanup(); + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); + ERR_remove_thread_state(NULL); + RAND_cleanup(); + ERR_free_strings(); +} + +static char *make_config_name() +{ + const char *t = X509_get_default_cert_area(); + size_t len; + char *p; + + len = strlen(t) + strlen(OPENSSL_CONF) + 2; + p = OPENSSL_malloc(len); + if (p == NULL) + return NULL; + BUF_strlcpy(p, t, len); +#ifndef OPENSSL_SYS_VMS + BUF_strlcat(p, "/", len); #endif + BUF_strlcat(p, OPENSSL_CONF, len); + + return p; +} + +static int load_config(CONF *cnf) +{ + static int load_config_called = 0; + + if (load_config_called) + return 1; + load_config_called = 1; + if (!cnf) + cnf = config; + if (!cnf) + return 1; + + OPENSSL_load_builtin_modules(); + + if 
(CONF_modules_load(cnf, NULL, 0) <= 0) { + BIO_printf(bio_err, "Error configuring OpenSSL\n"); + ERR_print_errors(bio_err); + return 0; + } + return 1; +} static void lock_dbg_cb(int mode, int type, const char *file, int line) { - static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ + static int modes[CRYPTO_NUM_LOCKS]; const char *errstr = NULL; - int rw; + int rw = mode & (CRYPTO_READ | CRYPTO_WRITE); - rw = mode & (CRYPTO_READ | CRYPTO_WRITE); - if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) { + if (rw != CRYPTO_READ && rw != CRYPTO_WRITE) { errstr = "invalid mode"; goto err; } @@ -175,12 +267,9 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) if (mode & CRYPTO_LOCK) { if (modes[type]) { errstr = "already locked"; - /* - * must not happen in a single-threaded program (would deadlock) - */ + /* must not happen in a single-threaded program --> deadlock! */ goto err; } - modes[type] = rw; } else if (mode & CRYPTO_UNLOCK) { if (!modes[type]) { 
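Review bot: load_config sets `load_config_called = 1` before it checks whether there is a configuration to load, and the only call visible in this diff, `if (!load_config(NULL))` in main (hunk at -318), runs before `config = NCONF_new(NULL)` and NCONF_load. At that point `config` is still NULL, so the function returns 1 without reaching CONF_modules_load, and the latched flag turns every later call into a no-op as well. Settings supplied through configuration modules would then silently not be applied. Calling load_config in main only after NCONF_load has succeeded, and setting the flag once `cnf` is known to be non-NULL, restores the load.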
@@ -209,98 +298,83 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) } } -#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) -# define ARGV _Argv -#else -# define ARGV Argv +BIO *dup_bio_in(void) +{ + return BIO_new_fp(stdin, BIO_NOCLOSE | BIO_FP_TEXT); +} + +BIO *dup_bio_out(void) +{ + BIO *b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); +#ifdef OPENSSL_SYS_VMS + b = BIO_push(BIO_new(BIO_f_linebuffer()), b); #endif + return b; +} -int main(int Argc, char *ARGV[]) +void unbuffer(FILE *fp) +{ + setbuf(fp, NULL); +} + +BIO *bio_open_default(const char *filename, const char *mode) +{ + BIO *ret; + + if (filename == NULL || strcmp(filename, "-") == 0) { + ret = *mode == 'r' ? dup_bio_in() : dup_bio_out(); + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s, %s\n", + *mode == 'r' ? "stdin" : "stdout", strerror(errno)); + } else { + ret = BIO_new_file(filename, mode); + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s for %s, %s\n", + filename, + *mode == 'r' ? "reading" : "writing", strerror(errno)); + } + ERR_print_errors(bio_err); + return NULL; +} + +#if defined( OPENSSL_SYS_VMS) +extern char **copy_argv(int *argc, char **argv); +#endif + +int main(int argc, char *argv[]) { - ARGS arg; -#define PROG_NAME_SIZE 39 - char pname[PROG_NAME_SIZE + 1]; FUNCTION f, *fp; - const char *prompt; - char buf[1024]; - char *to_free = NULL; - int n, i, ret = 0; - int argc; - char **argv, *p; LHASH_OF(FUNCTION) *prog = NULL; + char **copied_argv = NULL; + char *p, *pname, *to_free = NULL; + char buf[1024]; + const char *prompt; + ARGS arg; + int first, n, i, ret = 0; long errline; -#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) - /*- - * 2011-03-22 SMS. - * If we have 32-bit pointers everywhere, then we're safe, and - * we bypass this mess, as on non-VMS systems. (See ARGV, - * above.) - * Problem 1: Compaq/HP C before V7.3 always used 32-bit - * pointers for argv[]. 
- * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers - * everywhere else, we always allocate and use a 64-bit - * duplicate of argv[]. - * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed - * to NULL-terminate a 64-bit argv[]. (As this was written, the - * compiler ECO was available only on IA64.) - * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a - * 64-bit argv[argc] for NULL, and, if necessary, use a - * (properly) NULL-terminated (64-bit) duplicate of argv[]. - * The same code is used in either case to duplicate argv[]. - * Some of these decisions could be handled in preprocessing, - * but the code tends to get even uglier, and the penalty for - * deciding at compile- or run-time is tiny. - */ - char **Argv = NULL; - int free_Argv = 0; - - if ((sizeof(_Argv) < 8) /* 32-bit argv[]. */ -# if !defined( VMS_TRUST_ARGV) - || (_Argv[Argc] != NULL) /* Untrusted argv[argc] not NULL. */ -# endif - ) { - int i; - Argv = OPENSSL_malloc((Argc + 1) * sizeof(char *)); - if (Argv == NULL) { - ret = -1; - goto end; - } - for (i = 0; i < Argc; i++) - Argv[i] = _Argv[i]; - Argv[Argc] = NULL; /* Certain NULL termination. */ - free_Argv = 1; + arg.argv = NULL; + arg.size = 0; + +#if defined( OPENSSL_SYS_VMS) + copied_argv = argv = copy_argv(&argc, argv); +#endif + + p = getenv("OPENSSL_DEBUG_MEMORY"); + if (p == NULL) + /* if not set, use compiled-in default */ + ; + else if (strcmp(p, "off") != 0) { + CRYPTO_malloc_debug_init(); + CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { - /* - * Use the known-good 32-bit argv[] (which needs the type cast to - * satisfy the compiler), or the trusted or tested-good 64-bit argv[] - * as-is. 
- */ - Argv = (char **)_Argv; - } -#endif /* defined( OPENSSL_SYS_VMS) && - * (__INITIAL_POINTER_SIZE == 64) */ - - arg.data = NULL; - arg.count = 0; - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) { /* if not defined, use - * compiled-in library - * defaults */ - if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))) { - CRYPTO_malloc_debug_init(); - CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); - } else { - /* OPENSSL_DEBUG_MEMORY=off */ - CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); - } + CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - CRYPTO_set_locking_callback(lock_dbg_cb); if (getenv("OPENSSL_FIPS")) { 
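Review bot: bio_open_default ignores the `b` in its mode argument when the name is NULL or "-": dup_bio_in and dup_bio_out both open the standard stream with BIO_FP_TEXT. The ocsp.c hunks in this commit now pass "rb" and "wb" for DER responses, where the removed code used `BIO_new_fp(stdin, BIO_NOCLOSE)` without the text flag, so on platforms that translate line endings binary data read from stdin or written to stdout can be altered. Deriving the flag from the mode keeps DER intact, e.g. `int fl = BIO_NOCLOSE | (strchr(mode, 'b') ? 0 : BIO_FP_TEXT);` passed to BIO_new_fp in that branch. The `strerror(errno)` in the stdin/stdout message may also be stale, since nothing shown on that path sets errno.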
@@ -318,21 +392,40 @@ int main(int Argc, char *ARGV[]) apps_startup(); - /* Lets load up our environment a little */ - p = getenv("OPENSSL_CONF"); - if (p == NULL) - p = getenv("SSLEAY_CONF"); - if (p == NULL) - p = to_free = make_config_name(); - - default_config_file = p; + /* + * If first argument is a colon, skip it. Because in "interactive" + * mode our prompt is a colon and we can cut/paste whole lines + * by doing this hack. + */ + if (argv[1] && strcmp(argv[1], ":") == 0) { + argv[1] = argv[0]; + argc--; + argv++; + } + prog = prog_init(); + pname = opt_progname(argv[0]); + /* Lets load up our environment a little */ + bio_in = dup_bio_in(); + bio_out = dup_bio_out(); + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); + + /* Determine and load the config file. */ + default_config_file = getenv("OPENSSL_CONF"); + if (default_config_file == NULL) + default_config_file = getenv("SSLEAY_CONF"); + if (default_config_file == NULL) + default_config_file = to_free = make_config_name(); + if (!load_config(NULL)) + goto end; config = NCONF_new(NULL); - i = NCONF_load(config, p, &errline); + i = NCONF_load(config, default_config_file, &errline); if (i == 0) { if (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE) { - BIO_printf(bio_err, "WARNING: can't open config file: %s\n", p); + BIO_printf(bio_err, + "%s: WARNING: can't open config file: %s\n", + pname, default_config_file); ERR_clear_error(); NCONF_free(config); config = NULL; 
@@ -343,45 +436,31 @@ int main(int Argc, char *ARGV[]) } } - prog = prog_init(); - /* first check the program name */ - program_name(Argv[0], pname, sizeof pname); - f.name = pname; fp = lh_FUNCTION_retrieve(prog, &f); if (fp != NULL) { - Argv[0] = pname; - ret = fp->func(Argc, Argv); + argv[0] = pname; + ret = fp->func(argc, argv); goto end; } - /* - * ok, now check that there are not arguments, if there are, run with - * them, shifting the ssleay off the front - */ - if (Argc != 1) { - Argc--; - Argv++; - ret = do_cmd(prog, Argc, Argv); + /* If there is stuff on the command line, run with that. */ + if (argc != 1) { + argc--; + argv++; + ret = do_cmd(prog, argc, argv); if (ret < 0) ret = 0; goto end; } - /* ok, lets enter the old 'OpenSSL>' mode */ - + /* ok, lets enter interactive mode */ for (;;) { ret = 0; - p = buf; - n = sizeof buf; - i = 0; - for (;;) { + for (p = buf, n = sizeof buf, i = 0, first = 1;; first = 0) { + prompt = first ? "OpenSSL> " : "> "; p[0] = '\0'; - if (i++) - prompt = ">"; - else - prompt = "OpenSSL> "; fputs(prompt, stdout); fflush(stdout); if (!fgets(p, n, stdin)) @@ -397,21 +476,25 @@ int main(int Argc, char *ARGV[]) p += i; n -= i; } - if (!chopup_args(&arg, buf, &argc, &argv)) + if (!chopup_args(&arg, buf)) { + BIO_printf(bio_err, "Can't parse (no memory?)\n"); break; + } - ret = do_cmd(prog, argc, argv); - if (ret < 0) { + ret = do_cmd(prog, arg.argc, arg.argv); + if (ret == EXIT_THE_PROGRAM) { ret = 0; goto end; } if (ret != 0) - BIO_printf(bio_err, "error in %s\n", argv[0]); + BIO_printf(bio_err, "error in %s\n", arg.argv[0]); + (void)BIO_flush(bio_out); (void)BIO_flush(bio_err); } - BIO_printf(bio_err, "bad exit\n"); ret = 1; end: + if (copied_argv) + OPENSSL_free(copied_argv); if (to_free) OPENSSL_free(to_free); if (config != NULL) { 
@@ -420,179 +503,222 @@ int main(int Argc, char *ARGV[]) } if (prog != NULL) lh_FUNCTION_free(prog); - if (arg.data != NULL) - OPENSSL_free(arg.data); + if (arg.argv != NULL) + OPENSSL_free(arg.argv); -#if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) - /* Free any duplicate Argv[] storage. */ - if (free_Argv) { - OPENSSL_free(Argv); - } -#endif + BIO_free(bio_in); + BIO_free_all(bio_out); apps_shutdown(); - CRYPTO_mem_leaks(bio_err); + /*CRYPTO_mem_leaks(bio_err); + */ BIO_free(bio_err); - bio_err = NULL; + return (ret); +} + +OPTIONS exit_options[] = { + {NULL} +}; + +/* Unified enum for help and list commands. */ +typedef enum HELPLIST_CHOICE { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_COMMANDS, OPT_DIGEST_COMMANDS, + OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS, + OPT_PK_ALGORITHMS +} HELPLIST_CHOICE; + +OPTIONS list_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"commands", OPT_COMMANDS, '-', "List of standard commands"}, + {"digest-commands", OPT_DIGEST_COMMANDS, '-', + "List of message digest commands"}, + {"digest-algorithms", OPT_DIGEST_ALGORITHMS, '-', + "List of message digest algorithms"}, + {"cipher-commands", OPT_CIPHER_COMMANDS, '-', "List of cipher commands"}, + {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-', + "List of cipher algorithms"}, + {"public-key-algorithms", OPT_PK_ALGORITHMS, '-', + "List of public key algorithms"}, + {NULL} +}; + +int list_main(int argc, char **argv) +{ + char *prog; + HELPLIST_CHOICE o; + + prog = opt_init(argc, argv, list_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + return 1; + case OPT_HELP: + opt_help(list_options); + break; + case OPT_COMMANDS: + return list_type(FT_general); + case OPT_DIGEST_COMMANDS: + return list_type(FT_md); + case OPT_DIGEST_ALGORITHMS: + return list_md(); + case OPT_CIPHER_COMMANDS: + return list_type(FT_cipher); + case 
OPT_CIPHER_ALGORITHMS: + return list_cipher(); + case OPT_PK_ALGORITHMS: + return list_pkey(); + } + } + + return 0; +} + +OPTIONS help_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {NULL} +}; + +int help_main(int argc, char **argv) +{ + FUNCTION *fp; + int i, nl; + FUNC_TYPE tp; + char *prog; + HELPLIST_CHOICE o; + + prog = opt_init(argc, argv, help_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + default: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + return 1; + case OPT_HELP: + opt_help(help_options); + return 0; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (argc != 0) { + BIO_printf(bio_err, "Usage: %s\n", prog); + return 1; + } + + BIO_printf(bio_err, "\nStandard commands"); + i = 0; + tp = FT_none; + for (fp = functions; fp->name != NULL; fp++) { + nl = 0; + if (((i++) % COLUMNS) == 0) { + BIO_printf(bio_err, "\n"); + nl = 1; + } + if (fp->type != tp) { + tp = fp->type; + if (!nl) + BIO_printf(bio_err, "\n"); + if (tp == FT_md) { + i = 1; + BIO_printf(bio_err, + "\nMessage Digest commands (see the `dgst' command for more details)\n"); + } else if (tp == FT_cipher) { + i = 1; + BIO_printf(bio_err, + "\nCipher commands (see the `enc' command for more details)\n"); + } + } + BIO_printf(bio_err, FORMAT, fp->name); + } + BIO_printf(bio_err, "\n\n"); + return 0; +} - OPENSSL_EXIT(ret); +int exit_main(int argc, char **argv) +{ + return EXIT_THE_PROGRAM; } -#define LIST_STANDARD_COMMANDS "list-standard-commands" -#define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands" -#define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms" -#define LIST_CIPHER_COMMANDS "list-cipher-commands" -#define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms" -#define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms" +static int list_type(FUNC_TYPE flist_type) +{ + FUNCTION *fp; + int i = 0; + + for (fp = functions; fp->name != NULL; fp++) + if (fp->type == flist_type) { + if ((i++ % 
COLUMNS) == 0) + BIO_printf(bio_out, "\n"); + BIO_printf(bio_out, FORMAT, fp->name); + } + BIO_printf(bio_out, "\n"); + return 0; +} static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) { FUNCTION f, *fp; - int i, ret = 1, tp, nl; - if ((argc <= 0) || (argv[0] == NULL)) { - ret = 0; - goto end; - } + if (argc <= 0 || argv[0] == NULL) + return (0); f.name = argv[0]; fp = lh_FUNCTION_retrieve(prog, &f); if (fp == NULL) { if (EVP_get_digestbyname(argv[0])) { - f.type = FUNC_TYPE_MD; + f.type = FT_md; f.func = dgst_main; fp = &f; } else if (EVP_get_cipherbyname(argv[0])) { - f.type = FUNC_TYPE_CIPHER; + f.type = FT_cipher; f.func = enc_main; fp = &f; } } if (fp != NULL) { - ret = fp->func(argc, argv); - } else if ((strncmp(argv[0], "no-", 3)) == 0) { - BIO *bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - bio_stdout = BIO_push(tmpbio, bio_stdout); - } -#endif + return (fp->func(argc, argv)); + } + if ((strncmp(argv[0], "no-", 3)) == 0) { + /* + * User is asking if foo is unsupported, by trying to "run" the + * no-foo command. Strange. 
+ */ f.name = argv[0] + 3; - ret = (lh_FUNCTION_retrieve(prog, &f) != NULL); - if (!ret) - BIO_printf(bio_stdout, "%s\n", argv[0]); - else - BIO_printf(bio_stdout, "%s\n", argv[0] + 3); - BIO_free_all(bio_stdout); - goto end; - } else if ((strcmp(argv[0], "quit") == 0) || - (strcmp(argv[0], "q") == 0) || - (strcmp(argv[0], "exit") == 0) || - (strcmp(argv[0], "bye") == 0)) { - ret = -1; - goto end; - } else if ((strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) || - (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) || - (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) || - (strcmp(argv[0], LIST_CIPHER_COMMANDS) == 0) || - (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) || - (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0)) { - int list_type; - BIO *bio_stdout; - - if (strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) - list_type = FUNC_TYPE_GENERAL; - else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) - list_type = FUNC_TYPE_MD; - else if (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) - list_type = FUNC_TYPE_MD_ALG; - else if (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0) - list_type = FUNC_TYPE_PKEY; - else if (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) - list_type = FUNC_TYPE_CIPHER_ALG; - else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */ - list_type = FUNC_TYPE_CIPHER; - bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - bio_stdout = BIO_push(tmpbio, bio_stdout); + if (lh_FUNCTION_retrieve(prog, &f) == NULL) { + BIO_printf(bio_out, "%s\n", argv[0]); + return (0); } -#endif - - if (!load_config(bio_err, NULL)) - goto end; - - if (list_type == FUNC_TYPE_PKEY) - list_pkey(bio_stdout); - if (list_type == FUNC_TYPE_MD_ALG) - list_md(bio_stdout); - if (list_type == FUNC_TYPE_CIPHER_ALG) - list_cipher(bio_stdout); - else { - for (fp = functions; fp->name != NULL; fp++) - if (fp->type == list_type) - BIO_printf(bio_stdout, "%s\n", fp->name); - } - BIO_free_all(bio_stdout); 
- ret = 0; - goto end; - } else { - BIO_printf(bio_err, "openssl:Error: '%s' is an invalid command.\n", - argv[0]); - BIO_printf(bio_err, "\nStandard commands"); - i = 0; - tp = 0; - for (fp = functions; fp->name != NULL; fp++) { - nl = 0; -#ifdef OPENSSL_NO_CAMELLIA - if (((i++) % 5) == 0) -#else - if (((i++) % 4) == 0) -#endif - { - BIO_printf(bio_err, "\n"); - nl = 1; - } - if (fp->type != tp) { - tp = fp->type; - if (!nl) - BIO_printf(bio_err, "\n"); - if (tp == FUNC_TYPE_MD) { - i = 1; - BIO_printf(bio_err, - "\nMessage Digest commands (see the `dgst' command for more details)\n"); - } else if (tp == FUNC_TYPE_CIPHER) { - i = 1; - BIO_printf(bio_err, - "\nCipher commands (see the `enc' command for more details)\n"); - } - } -#ifdef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "%-15s", fp->name); -#else - BIO_printf(bio_err, "%-18s", fp->name); -#endif - } - BIO_printf(bio_err, "\n\n"); - ret = 0; + BIO_printf(bio_out, "%s\n", argv[0] + 3); + return 1; } - end: - return (ret); -} - -static int SortFnByName(const void *_f1, const void *_f2) -{ - const FUNCTION *f1 = _f1; - const FUNCTION *f2 = _f2; + if (strcmp(argv[0], "quit") == 0 || strcmp(argv[0], "q") == 0 || + strcmp(argv[0], "exit") == 0 || strcmp(argv[0], "bye") == 0) + /* Special value to mean "exit the program. 
*/ + return EXIT_THE_PROGRAM; +#ifdef LIST_STANDARD_COMMANDS + if (strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) + return list_type(FT_general); + if (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) + return list_md(); + if (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0) + return list_pkey(); + if (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) + return list_cipher(); + if (strcmp(argv[0], LIST_CIPHER_COMMANDS) == 0) + return list_type(FT_cipher); + if (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) + return list_type(FT_md); +#endif - if (f1->type != f2->type) - return f1->type - f2->type; - return strcmp(f1->name, f2->name); + BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n", + argv[0]); + return (1); } -static void list_pkey(BIO *out) +static int list_pkey(void) { int i; + for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) { const EVP_PKEY_ASN1_METHOD *ameth; int pkey_id, pkey_base_id, pkey_flags; @@ -601,21 +727,22 @@ static void list_pkey(BIO *out) EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, &pinfo, &pem_str, ameth); if (pkey_flags & ASN1_PKEY_ALIAS) { - BIO_printf(out, "Name: %s\n", OBJ_nid2ln(pkey_id)); - BIO_printf(out, "\tType: Alias to %s\n", + BIO_printf(bio_out, "Name: %s\n", OBJ_nid2ln(pkey_id)); + BIO_printf(bio_out, "\tAlias for: %s\n", OBJ_nid2ln(pkey_base_id)); } else { - BIO_printf(out, "Name: %s\n", pinfo); - BIO_printf(out, "\tType: %s Algorithm\n", + BIO_printf(bio_out, "Name: %s\n", pinfo); + BIO_printf(bio_out, "\tType: %s Algorithm\n", pkey_flags & ASN1_PKEY_DYNAMIC ? "External" : "Builtin"); - BIO_printf(out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); + BIO_printf(bio_out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); if (pem_str == NULL) pem_str = "(none)"; - BIO_printf(out, "\tPEM string: %s\n", pem_str); + BIO_printf(bio_out, "\tPEM string: %s\n", pem_str); } } + return 0; } static void list_cipher_fn(const EVP_CIPHER *c, 
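Review bot: The leak report at the end of main is now commented out (`/*CRYPTO_mem_leaks(bio_err); */`) while the start of main still switches tracking on with `CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON)` and honours OPENSSL_DEBUG_MEMORY. Allocation tracking is therefore collected but never reported, and the reason is not recorded anywhere in the hunk. A short comment giving the reason, or a TODO to restore the call, would be better than commented-out code. In help_main the command table is written to bio_err although the function returns 0; bio_out, which list_type uses for the same kind of listing, looks like the intended stream.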
@@ -632,9 +759,10 @@ static void list_cipher_fn(const EVP_CIPHER *c, } } -static void list_cipher(BIO *out) +static int list_cipher(void) { - EVP_CIPHER_do_all_sorted(list_cipher_fn, out); + EVP_CIPHER_do_all_sorted(list_cipher_fn, bio_out); + return 0; } static void list_md_fn(const EVP_MD *m, @@ -647,13 +775,14 @@ static void list_md_fn(const EVP_MD *m, from = ""; if (!to) to = ""; - BIO_printf(arg, "%s => %s\n", from, to); + BIO_printf((BIO *)arg, "%s => %s\n", from, to); } } -static void list_md(BIO *out) +static int list_md(void) { - EVP_MD_do_all_sorted(list_md_fn, out); + EVP_MD_do_all_sorted(list_md_fn, bio_out); + return 0; } static int function_cmp(const FUNCTION * a, const FUNCTION * b) @@ -670,13 +799,23 @@ static unsigned long function_hash(const FUNCTION * a) static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION) +static int SortFnByName(const void *_f1, const void *_f2) +{ + const FUNCTION *f1 = _f1; + const FUNCTION *f2 = _f2; + + if (f1->type != f2->type) + return f1->type - f2->type; + return strcmp(f1->name, f2->name); +} + static LHASH_OF(FUNCTION) *prog_init(void) { LHASH_OF(FUNCTION) *ret; FUNCTION *f; size_t i; - /* Purely so it looks nice when the user hits ? */ + /* Sort alphabetically within category. For nicer help displays. */ for (i = 0, f = functions; f->name != NULL; ++f, ++i) ; qsort(functions, i, sizeof *functions, SortFnByName); diff --git a/apps/opt.c b/apps/opt.c new file mode 100644 index 0000000..3706739 --- /dev/null +++ b/apps/opt.c 
@@ -0,0 +1,915 @@ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +/* #define COMPILE_STANDALONE_TEST_DRIVER */ +#include "apps.h" +#include +#include +#if !defined(OPENSSL_SYS_MSDOS) +# include OPENSSL_UNISTD +#endif +#include +#include +#include +#include +#include + +#define MAX_OPT_HELP_WIDTH 30 +const char OPT_HELP_STR[] = "--"; +const char OPT_MORE_STR[] = "---"; + +/* Our state */ +static char **argv; +static int argc; +static int opt_index; +static char *arg; +static char *flag; +static char *dunno; +static const OPTIONS *unknown; +static const OPTIONS *opts; +static char prog[40]; + +/* + * Return the simple name of the program; removing various platform gunk. + */ +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE) +char *opt_progname(const char *argv0) +{ + int i; + int n; + const char *p; + char *q; + + /* find the last '/', '\' or ':' */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == '/' || *p == '\\' || *p == ':') { + p++; + break; + } + + /* Strip off trailing nonsense. */ + n = strlen(p); + if (n > 4 && + (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0) + n -= 4; +#if defined(OPENSSL_SYS_NETWARE) + if (n > 4 && + (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0) + n -= 4; +#endif + + /* Copy over the name, in lowercase. */ + if (n > sizeof prog - 1) + n = sizeof prog - 1; + for (q = prog, i = 0; i < n; i++, p++) + q++ = isupper(*p) ? 
tolower(*p) : *p; + *q = '\0'; + return prog; +} + +#elif defined(OPENSSL_SYS_VMS) + +char *opt_progname(const char *argv0) +{ + const char *p, *q; + + /* Find last special charcter sys:[foo.bar]openssl */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == ':' || *p == ']' || *p == '>') { + p++; + break; + } + + q = strrchr(p, '.'); + strncpy(prog, p, sizeof prog - 1); + prog[sizeof prog - 1] = '\0'; + if (q == NULL || q - p >= sizeof prog) + prog[q - p] = '\0'; + return prog; +} + +#else + +char *opt_progname(const char *argv0) +{ + const char *p; + + /* Could use strchr, but this is like the ones above. */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == '/') { + p++; + break; + } + strncpy(prog, p, sizeof prog - 1); + prog[sizeof prog - 1] = '\0'; + return prog; +} +#endif + +char *opt_getprog(void) +{ + return prog; +} + +/* Set up the arg parsing. */ +char *opt_init(int ac, char **av, const OPTIONS *o) +{ + /* Store state. */ + argc = ac; + argv = av; + opt_index = 1; + opts = o; + opt_progname(av[0]); + unknown = NULL; + + for (; o->name; ++o) { + const OPTIONS *next; +#ifndef NDEBUG + int i; +#endif + + if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR) + continue; +#ifndef NDEBUG + i = o->valtype; + + /* Make sure options are legit. */ + assert(o->name[0] != '-'); + assert(o->retval > 0); + assert(i == 0 || i == '-' + || i == 'n' || i == 'p' || i == 'u' + || i == 's' || i == '<' || i == '>' || i == '/' + || i == 'f' || i == 'F'); + + /* Make sure there are no duplicates. 
*/ + for (next = o; (++next)->name;) { + /* + * do allow aliases: assert(o->retval != next->retval); + */ + assert(strcmp(o->name, next->name) != 0); + } +#endif + if (o->name[0] == '\0') { + assert(unknown == NULL); + unknown = o; + assert(unknown->valtype == 0 || unknown->valtype == '-'); + } + } + return prog; +} + +static OPT_PAIR formats[] = { + {"PEM/DER", OPT_FMT_PEMDER}, + {"pkcs12", OPT_FMT_PKCS12}, + {"smime", OPT_FMT_SMIME}, + {"engine", OPT_FMT_ENGINE}, + {"msblob", OPT_FMT_MSBLOB}, + {"netscape", OPT_FMT_NETSCAPE}, + {"nss", OPT_FMT_NSS}, + {"text", OPT_FMT_TEXT}, + {"http", OPT_FMT_HTTP}, + {"pvk", OPT_FMT_PVK}, + {NULL} +}; + +/* Print an error message about a failed format parse. */ +int opt_format_error(const char *s, unsigned long flags) +{ + OPT_PAIR *ap; + + if (flags == OPT_FMT_PEMDER) + BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n", + prog, s); + else { + BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n", + prog, s); + for (ap = formats; ap->name; ap++) + if (flags & ap->retval) + BIO_printf(bio_err, " %s\n", ap->name); + } + return 0; +} + +/* Parse a format string, put it into *result; return 0 on failure, else 1. 
*/ +int opt_format(const char *s, unsigned long flags, int *result) +{ + switch (*s) { + default: + return 0; + case 'D': + case 'd': + if ((flags & OPT_FMT_PEMDER) == 0) + return opt_format_error(s, flags); + *result = FORMAT_ASN1; + break; + case 'T': + case 't': + if ((flags & OPT_FMT_TEXT) == 0) + return opt_format_error(s, flags); + *result = FORMAT_TEXT; + break; + case 'N': + case 'n': + if (strcmp(s, "NSS") == 0 || strcmp(s, "nss") == 0) { + if ((flags & OPT_FMT_NSS) == 0) + return opt_format_error(s, flags); + *result = FORMAT_NSS; + } else { + if ((flags & OPT_FMT_NETSCAPE) == 0) + return opt_format_error(s, flags); + *result = FORMAT_NETSCAPE; + } + break; + case 'S': + case 's': + if ((flags & OPT_FMT_SMIME) == 0) + return opt_format_error(s, flags); + *result = FORMAT_SMIME; + break; + case 'M': + case 'm': + if ((flags & OPT_FMT_MSBLOB) == 0) + return opt_format_error(s, flags); + *result = FORMAT_MSBLOB; + break; + case 'E': + case 'e': + if ((flags & OPT_FMT_ENGINE) == 0) + return opt_format_error(s, flags); + *result = FORMAT_ENGINE; + break; + case 'H': + case 'h': + if ((flags & OPT_FMT_HTTP) == 0) + return opt_format_error(s, flags); + *result = FORMAT_HTTP; + break; + case '1': + if ((flags & OPT_FMT_PKCS12) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PKCS12; + break; + case 'P': + case 'p': + if (s[1] == '\0' || strcmp(s, "PEM") == 0 || strcmp(s, "pem") == 0) { + if ((flags & OPT_FMT_PEMDER) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PEM; + } else if (strcmp(s, "PVK") == 0 || strcmp(s, "pvk") == 0) { + if ((flags & OPT_FMT_PVK) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PVK; + } else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0 + || strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) { + if ((flags & OPT_FMT_PKCS12) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PKCS12; + } else + return 0; + break; + } + return 1; +} + +/* Parse a cipher name, put it in 
*EVP_CIPHER; return 0 on failure, else 1. */ +int opt_cipher(const char *name, const EVP_CIPHER **cipherp) +{ + *cipherp = EVP_get_cipherbyname(name); + if (*cipherp) + return 1; + BIO_printf(bio_err, "%s: Unknown cipher %s\n", prog, name); + return 0; +} + +/* + * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1. + */ +int opt_md(const char *name, const EVP_MD **mdp) +{ + *mdp = EVP_get_digestbyname(name); + if (*mdp) + return 1; + BIO_printf(bio_err, "%s: Unknown digest %s\n", prog, name); + return 0; +} + +/* Look through a list of name/value pairs. */ +int opt_pair(const char *name, const OPT_PAIR* pairs, int *result) +{ + const OPT_PAIR *pp; + + for (pp = pairs; pp->name; pp++) + if (strcmp(pp->name, name) == 0) { + *result = pp->retval; + return 1; + } + BIO_printf(bio_err, "%s: Value must be one of:\n", prog); + for (pp = pairs; pp->name; pp++) + BIO_printf(bio_err, "\t%s\n", pp->name); + return 0; +} + +/* See if cp looks like a hex number, in case user left off the 0x */ +static int scanforhex(const char *cp) +{ + if (*cp == '0' && (cp[1] == 'x' || cp[1] == 'X')) + return 16; + for (; *cp; cp++) + /* Look for a hex digit that isn't a regular digit. */ + if (isxdigit(*cp) && !isdigit(*cp)) + return 16; + return 0; +} + +/* Parse an int, put it into *result; return 0 on failure, else 1. */ +int opt_int(const char *value, int *result) +{ + const char *fmt = "%d"; + int base = scanforhex(value); + + if (base == 16) + fmt = "%x"; + else if (*value == '0') + fmt = "%o"; + if (sscanf(value, fmt, result) != 1) { + BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", + prog, value); + return 0; + } + return 1; +} + +/* Parse a long, put it into *result; return 0 on failure, else 1. 
*/ +int opt_long(const char *value, long *result) +{ + char *endptr; + int base = scanforhex(value); + + *result = strtol(value, &endptr, base); + if (*endptr) { + BIO_printf(bio_err, + "%s: Bad char %c in number %s\n", prog, *endptr, value); + return 0; + } + return 1; +} + +/* + * Parse an unsigned long, put it into *result; return 0 on failure, else 1. + */ +int opt_ulong(const char *value, unsigned long *result) +{ + char *endptr; + int base = scanforhex(value); + + *result = strtoul(value, &endptr, base); + if (*endptr) { + BIO_printf(bio_err, + "%s: Bad char %c in number %s\n", prog, *endptr, value); + return 0; + } + return 1; +} + +/* + * We pass opt as an int but cast it to "enum range" so that all the + * items in the OPT_V_ENUM enumeration are caught; this makes -Wswitch + * in gcc do the right thing. + */ +enum range { OPT_V_ENUM }; + +int opt_verify(int opt, X509_VERIFY_PARAM *vpm) +{ + unsigned long ul; + int i; + ASN1_OBJECT *otmp; + X509_PURPOSE *xptmp; + const X509_VERIFY_PARAM *vtmp; + + assert(vpm != NULL); + assert(opt > OPT_V__FIRST); + assert(opt < OPT_V__LAST); + + switch ((enum range)opt) { + case OPT_V__FIRST: + case OPT_V__LAST: + return 0; + case OPT_V_POLICY: + otmp = OBJ_txt2obj(opt_arg(), 0); + if (otmp == NULL) { + BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_add0_policy(vpm, otmp); + break; + case OPT_V_PURPOSE: + i = X509_PURPOSE_get_by_sname(opt_arg()); + if (i < 0) { + BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg()); + return 0; + } + xptmp = X509_PURPOSE_get0(i); + i = X509_PURPOSE_get_id(xptmp); + X509_VERIFY_PARAM_set_purpose(vpm, i); + break; + case OPT_V_VERIFY_NAME: + vtmp = X509_VERIFY_PARAM_lookup(opt_arg()); + if (vtmp == NULL) { + BIO_printf(bio_err, "%s: Invalid verify name %s\n", + prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_set1(vpm, vtmp); + break; + case OPT_V_VERIFY_DEPTH: + i = atoi(opt_arg()); + if (i >= 0) + 
X509_VERIFY_PARAM_set_depth(vpm, i); + break; + case OPT_V_ATTIME: + opt_ulong(opt_arg(), &ul); + if (ul) + X509_VERIFY_PARAM_set_time(vpm, (time_t)ul); + break; + case OPT_V_VERIFY_HOSTNAME: + if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_EMAIL: + if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_IP: + if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg())) + return 0; + break; + case OPT_V_IGNORE_CRITICAL: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL); + break; + case OPT_V_ISSUER_CHECKS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK); + break; + case OPT_V_CRL_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK); + break; + case OPT_V_CRL_CHECK_ALL: + X509_VERIFY_PARAM_set_flags(vpm, + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); + break; + case OPT_V_POLICY_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK); + break; + case OPT_V_EXPLICIT_POLICY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY); + break; + case OPT_V_INHIBIT_ANY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY); + break; + case OPT_V_INHIBIT_MAP: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP); + break; + case OPT_V_X509_STRICT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT); + break; + case OPT_V_EXTENDED_CRL: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT); + break; + case OPT_V_USE_DELTAS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS); + break; + case OPT_V_POLICY_PRINT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY); + break; + case OPT_V_CHECK_SS_SIG: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE); + break; + case OPT_V_TRUSTED_FIRST: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST); + break; + case OPT_V_SUITEB_128_ONLY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY); + break; + 
case OPT_V_SUITEB_128: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS); + break; + case OPT_V_SUITEB_192: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS); + break; + case OPT_V_PARTIAL_CHAIN: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); + break; + case OPT_V_NO_ALT_CHAINS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS); + } + return 1; + +} + +/* + * Parse the next flag (and value if specified), return 0 if done, -1 on + * error, otherwise the flag's retval. + */ +int opt_next(void) +{ + char *p; + char *endptr; + const OPTIONS *o; + int dummy; + int base; + long val; + + /* Look at current arg; at end of the list? */ + arg = NULL; + p = argv[opt_index]; + if (p == NULL) + return 0; + + /* If word doesn't start with a -, we're done. */ + if (*p != '-') + return 0; + + /* Hit "--" ? We're done. */ + opt_index++; + if (strcmp(p, "--") == 0) + return 0; + + /* Allow -nnn and --nnn */ + if (*++p == '-') + p++; + flag = p - 1; + + /* If we have --flag=foo, snip it off */ + if ((arg = strchr(p, '=')) != NULL) + *arg++ = '\0'; + for (o = opts; o->name; ++o) { + /* If not this option, move on to the next one. */ + if (strcmp(p, o->name) != 0) + continue; + + /* If it doesn't take a value, make sure none was given. */ + if (o->valtype == 0 || o->valtype == '-') { + if (arg) { + BIO_printf(bio_err, + "%s: Option -%s does not take a value\n", prog, p); + return -1; + } + return o->retval; + } + + /* Want a value; get the next param if =foo not used. */ + if (arg == NULL) { + if (argv[opt_index] == NULL) { + BIO_printf(bio_err, + "%s: Option -%s needs a value\n", prog, o->name); + return -1; + } + arg = argv[opt_index++]; + } + + /* Syntax-check value. */ + /* + * Do some basic syntax-checking on the value. These tests aren't + * perfect (ignore range overflow) but they catch common failures. + */ + switch (o->valtype) { + default: + case 's': + /* Just a string. 
*/ + break; + case '/': + if (app_isdir(arg) >= 0) + break; + BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg); + return -1; + case '<': + /* Input file. */ + if (strcmp(arg, "-") == 0 || app_access(arg, R_OK) >= 0) + break; + BIO_printf(bio_err, + "%s: Cannot open input file %s, %s\n", + prog, arg, strerror(errno)); + return -1; + case '>': + /* Output file. */ + if (strcmp(arg, "-") == 0 || app_access(arg, W_OK) >= 0 || errno == ENOENT) + break; + BIO_printf(bio_err, + "%s: Cannot open output file %s, %s\n", + prog, arg, strerror(errno)); + return -1; + case 'p': + case 'n': + base = scanforhex(arg); + val = strtol(arg, &endptr, base); + if (*endptr == '\0') { + if (o->valtype == 'p' && val <= 0) { + BIO_printf(bio_err, + "%s: Non-positive number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + } + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + case 'u': + base = scanforhex(arg); + strtoul(arg, &endptr, base); + if (*endptr == '\0') + break; + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + case 'f': + case 'F': + if (opt_format(arg, + o->valtype == 'F' ? OPT_FMT_PEMDER + : OPT_FMT_ANY, &dummy)) + break; + BIO_printf(bio_err, + "%s: Invalid format \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + + /* Return the flag value. */ + return o->retval; + } + if (unknown != NULL) { + dunno = p; + return unknown->retval; + } + BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p); + return -1; +} + +/* Return the most recent flag parameter. */ +char *opt_arg(void) +{ + return arg; +} + +/* Return the most recent flag. */ +char *opt_flag(void) +{ + return flag; +} + +/* Return the unknown option. */ +char *opt_unknown(void) +{ + return dunno; +} + +/* Return the rest of the arguments after parsing flags. */ +char **opt_rest(void) +{ + return &argv[opt_index]; +} + +/* How many items in remaining args? 
*/ +int opt_num_rest(void) +{ + int i = 0; + char **pp; + + for (pp = opt_rest(); *pp; pp++, i++) + continue; + return i; +} + +/* Return a string describing the parameter type. */ +static const char *valtype2param(const OPTIONS *o) +{ + switch (o->valtype) { + case '-': + return ""; + case 's': + return "val"; + case '/': + return "dir"; + case '<': + return "infile"; + case '>': + return "outfile"; + case 'p': + return "pnum"; + case 'n': + return "num"; + case 'u': + return "unum"; + case 'F': + return "der/pem"; + case 'f': + return "format"; + } + return "parm"; +} + +void opt_help(const OPTIONS *list) +{ + const OPTIONS *o; + int i; + int standard_prolog; + int width = 5; + char start[80 + 1]; + char *p; + const char *help; + + /* Starts with its own help message? */ + standard_prolog = list[0].name != OPT_HELP_STR; + + /* Find the widest help. */ + for (o = list; o->name; o++) { + if (o->name == OPT_MORE_STR) + continue; + i = 2 + (int)strlen(o->name); + if (o->valtype != '-') + i += 1 + strlen(valtype2param(o)); + if (i < MAX_OPT_HELP_WIDTH && i > width) + width = i; + assert(i < (int)sizeof start); + } + + if (standard_prolog) + BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n", + prog); + + /* Now let's print. */ + for (o = list; o->name; o++) { + help = o->helpstr ? o->helpstr : "(No additional info)"; + if (o->name == OPT_HELP_STR) { + BIO_printf(bio_err, help, prog); + continue; + } + + /* Pad out prefix */ + memset(start, ' ', sizeof start - 1); + start[sizeof start - 1] = '\0'; + + if (o->name == OPT_MORE_STR) { + /* Continuation of previous line; padd and print. */ + start[width] = '\0'; + BIO_printf(bio_err, "%s %s\n", start, help); + continue; + } + + /* Build up the "-flag [param]" part. 
*/ + p = start; + *p++ = ' '; + *p++ = '-'; + if (o->name[0]) + p += strlen(strcpy(p, o->name)); + else + *p++ = '*'; + if (o->valtype != '-') { + *p++ = ' '; + p += strlen(strcpy(p, valtype2param(o))); + } + *p = ' '; + if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) { + *p = '\0'; + BIO_printf(bio_err, "%s\n", start); + memset(start, ' ', sizeof start); + } + start[width] = '\0'; + BIO_printf(bio_err, "%s %s\n", start, help); + } +} + +#ifdef COMPILE_STANDALONE_TEST_DRIVER +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG, + OPT_STR, OPT_NOTUSED +} OPTION_CHOICE; + +static OPTIONS options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "input file"}, + {OPT_MORE_STR, 1, '-', "more detail about input"}, + {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"}, + {"out", OPT_OUT, '>', "output file"}, + {"count", OPT_COUNT, 'p', "a counter greater than zero"}, + {"u", OPT_U, 'u', "an unsigned number"}, + {"flag", OPT_FLAG, 0, "just some flag"}, + {"str", OPT_STR, 's', "the magic word"}, + {"areallyverylongoption", OPT_HELP, '-', "long way for help"}, + {NULL} +}; + +BIO *bio_err; + +int app_isdir(const char *name) +{ + struct stat sb; + + return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode); +} + +int main(int ac, char **av) +{ + OPTION_CHOICE o; + char **rest; + char *prog; + + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); + + prog = opt_init(ac, av, options); + while ((o = opt_next()) != OPT_EOF) { + switch (c) { + case OPT_NOTUSED: + case OPT_EOF: + case OPT_ERR: + printf("%s: Usage error; try -help.\n", prog); + return 1; + case OPT_HELP: + opt_help(options); + return 0; + case OPT_IN: + printf("in %s\n", opt_arg()); + break; + case OPT_INFORM: + printf("inform %s\n", opt_arg()); + break; + case OPT_OUT: + 
printf("out %s\n", opt_arg()); + break; + case OPT_COUNT: + printf("count %s\n", opt_arg()); + break; + case OPT_U: + printf("u %s\n", opt_arg()); + break; + case OPT_FLAG: + printf("flag\n"); + break; + case OPT_STR: + printf("str %s\n", opt_arg()); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + printf("args = %d\n", argc); + if (argc) + while (*argv) + printf(" %s\n", *argv++); + return 0; +} +#endif diff --git a/apps/passwd.c b/apps/passwd.c index 2814b32..3c6fd52 100644 --- a/apps/passwd.c +++ b/apps/passwd.c 
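Review bot: The VMS branch of `opt_progname` has its extension check inverted: `if (q == NULL || q - p >= sizeof prog) prog[q - p] = '\0';` performs the store exactly when `q` is NULL or when the offset lies at or past the end of the 40-byte `prog`, so a name with no dot, or with its last dot far into a long name, writes outside the buffer. The test should read `if (q != NULL && (size_t)(q - p) < sizeof prog) prog[q - p] = '\0';`. In `opt_verify`, `OPT_V_ATTIME` discards the result of `opt_ulong` and `OPT_V_VERIFY_DEPTH` uses `atoi`, so a malformed time or depth leaves verification running with a partial or unchanged setting while the function still returns 1; both cases should `return 0` on a parse failure. `opt_long` and `opt_ulong` also accept an empty string and never check `errno` for `ERANGE`, which the comments above them should at least state.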
@@ -1,4 +1,51 @@ -/* apps/passwd.c */ +/* ==================================================================== + * Copyright (c) 2000-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ #if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC # define NO_MD5CRYPT_1 @@ -22,9 +69,6 @@ # include # endif -# undef PROG -# define PROG passwd_main - static unsigned const char cov_2char[64] = { /* from crypto/des/fcrypt.c */ 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 
@@ -42,156 +86,130 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, int reverse, size_t pw_maxlen, int usecrypt, int use1, int useapr1); -/*- - * -crypt - standard Unix password algorithm (default) - * -1 - MD5-based password algorithm - * -apr1 - MD5-based password algorithm, Apache variant - * -salt string - salt - * -in file - read passwords from file - * -stdin - read passwords from stdin - * -noverify - never verify when reading password from terminal - * -quiet - no warnings - * -table - format output as table - * -reverse - switch table columns - */ - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, + OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1, + OPT_1, OPT_CRYPT, OPT_SALT, OPT_STDIN +} OPTION_CHOICE; + +OPTIONS passwd_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Pead passwords from file"}, + {"noverify", OPT_NOVERIFY, '-', + "Never verify when reading password from terminal"}, + {"quiet", OPT_QUIET, '-', "No warnings"}, + {"table", OPT_TABLE, '-', "Format output as table"}, + {"reverse", OPT_REVERSE, '-', "Switch table columns"}, +# ifndef NO_MD5CRYPT_1 + {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"}, + {"1", OPT_1, '-', "MD5-based password algorithm"}, +# endif +# ifndef OPENSSL_NO_DES + {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"}, +# endif + {"salt", OPT_SALT, 's', "Use provided salt"}, + {"stdin", OPT_STDIN, '-', "Read passwords from stdin"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int passwd_main(int argc, char **argv) { - int ret = 1; - char *infile = NULL; - int in_stdin = 0; - int in_noverify = 0; - char *salt = NULL, *passwd = NULL, **passwds = NULL; - char *salt_malloc = NULL, *passwd_malloc = NULL; - size_t passwd_malloc_size = 0; - int pw_source_defined = 0; - BIO *in = NULL, *out = NULL; - int i, badopt, opt_done; + BIO *in = NULL; + char *infile 
= NULL, *salt = NULL, *passwd = NULL, **passwds = NULL; + char *salt_malloc = NULL, *passwd_malloc = NULL, *prog; + OPTION_CHOICE o; + int in_stdin = 0, in_noverify = 0, pw_source_defined = 0; int passed_salt = 0, quiet = 0, table = 0, reverse = 0; - int usecrypt = 0, use1 = 0, useapr1 = 0; - size_t pw_maxlen = 0; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto err; - out = BIO_new(BIO_s_file()); - if (out == NULL) - goto err; - BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - - badopt = 0, opt_done = 0; - i = 0; - while (!badopt && !opt_done && argv[++i] != NULL) { - if (strcmp(argv[i], "-crypt") == 0) - usecrypt = 1; - else if (strcmp(argv[i], "-1") == 0) - use1 = 1; - else if (strcmp(argv[i], "-apr1") == 0) - useapr1 = 1; - else if (strcmp(argv[i], "-salt") == 0) { - if ((argv[i + 1] != NULL) && (salt == NULL)) { - passed_salt = 1; - salt = argv[++i]; - } else - badopt = 1; - } else if (strcmp(argv[i], "-in") == 0) { - if ((argv[i + 1] != NULL) && !pw_source_defined) { - pw_source_defined = 1; - infile = argv[++i]; - } else - badopt = 1; - } else if (strcmp(argv[i], "-stdin") == 0) { - if (!pw_source_defined) { - pw_source_defined = 1; - in_stdin = 1; - } else - badopt = 1; - } else if (strcmp(argv[i], "-noverify") == 0) + int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0; + size_t passwd_malloc_size = 0, pw_maxlen = 256; + + prog = opt_init(argc, argv, passwd_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(passwd_options); + ret = 0; + goto end; + case OPT_IN: + if (pw_source_defined) + goto opthelp; + infile = opt_arg(); + 
pw_source_defined = 1; + break; + case OPT_NOVERIFY: in_noverify = 1; - else if (strcmp(argv[i], "-quiet") == 0) + break; + case OPT_QUIET: quiet = 1; - else if (strcmp(argv[i], "-table") == 0) + break; + case OPT_TABLE: table = 1; - else if (strcmp(argv[i], "-reverse") == 0) + break; + case OPT_REVERSE: reverse = 1; - else if (argv[i][0] == '-') - badopt = 1; - else if (!pw_source_defined) - /* non-option arguments, use as passwords */ - { - pw_source_defined = 1; - passwds = &argv[i]; - opt_done = 1; - } else - badopt = 1; + break; + case OPT_1: + use1 = 1; + break; + case OPT_APR1: + useapr1 = 1; + break; + case OPT_CRYPT: + usecrypt = 1; + break; + case OPT_SALT: + passed_salt = 1; + salt = opt_arg(); + break; + case OPT_STDIN: + if (pw_source_defined) + goto opthelp; + in_stdin = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (*argv) { + if (pw_source_defined) + goto opthelp; + pw_source_defined = 1; + passwds = argv; } - if (!usecrypt && !use1 && !useapr1) /* use default */ + if (!usecrypt && !use1 && !useapr1) { + /* use default */ usecrypt = 1; - if (usecrypt + use1 + useapr1 > 1) /* conflict */ - badopt = 1; + } + if (usecrypt + use1 + useapr1 > 1) { + /* conflict */ + goto opthelp; + } - /* reject unsupported algorithms */ # ifdef OPENSSL_NO_DES if (usecrypt) - badopt = 1; + goto opthelp; # endif # ifdef NO_MD5CRYPT_1 if (use1 || useapr1) - badopt = 1; + goto opthelp; # endif - if (badopt) { - BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n"); - BIO_printf(bio_err, "where options are\n"); -# ifndef OPENSSL_NO_DES - BIO_printf(bio_err, - "-crypt standard Unix password algorithm (default)\n"); -# endif -# ifndef NO_MD5CRYPT_1 - BIO_printf(bio_err, - "-1 MD5-based password algorithm\n"); - BIO_printf(bio_err, - "-apr1 MD5-based password algorithm, Apache variant\n"); -# endif - BIO_printf(bio_err, "-salt string use provided salt\n"); - BIO_printf(bio_err, "-in file read passwords from file\n"); - BIO_printf(bio_err, 
"-stdin read passwords from stdin\n"); - BIO_printf(bio_err, - "-noverify never verify when reading password from terminal\n"); - BIO_printf(bio_err, "-quiet no warnings\n"); - BIO_printf(bio_err, "-table format output as table\n"); - BIO_printf(bio_err, "-reverse switch table columns\n"); - - goto err; + if (infile && in_stdin) { + BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog); + goto end; } - if ((infile != NULL) || in_stdin) { - in = BIO_new(BIO_s_file()); - if (in == NULL) - goto err; - if (infile != NULL) { - assert(in_stdin == 0); - if (BIO_read_filename(in, infile) <= 0) - goto err; - } else { - assert(in_stdin); - BIO_set_fp(in, stdin, BIO_NOCLOSE); - } - } + in = bio_open_default(infile, "r"); + if (in == NULL) + goto end; if (usecrypt) pw_maxlen = 8; @@ -208,7 +226,7 @@ int MAIN(int argc, char **argv) */ passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size); if (passwd_malloc == NULL) - goto err; + goto end; } if ((in == NULL) && (passwds == NULL)) { @@ -220,7 +238,7 @@ int MAIN(int argc, char **argv) if (EVP_read_pw_string (passwd_malloc, passwd_malloc_size, "Password: ", !(passed_salt || in_noverify)) != 0) - goto err; + goto end; passwds[0] = passwd_malloc; } @@ -230,10 +248,10 @@ int MAIN(int argc, char **argv) do { /* loop over list of passwords */ passwd = *passwds++; - if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out, + if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1)) - goto err; + goto end; } while (*passwds != NULL); } else @@ -256,10 +274,10 @@ int MAIN(int argc, char **argv) while ((r > 0) && (!strchr(trash, '\n'))); } - if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out, - quiet, table, reverse, pw_maxlen, usecrypt, - use1, useapr1)) - goto err; + if (!do_passwd + (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet, + table, reverse, pw_maxlen, usecrypt, use1, useapr1)) + goto end; } done = (r <= 0); } 
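Review bot: `in = bio_open_default(infile, "r"); if (in == NULL) goto end;` now runs unconditionally, where the removed code opened `in` only under `(infile != NULL) || in_stdin`; past that point `in` is never NULL, so the `(in == NULL) && (passwds == NULL)` branch that prompts through `EVP_read_pw_string` can no longer be reached. Restoring the guard `if (infile != NULL || in_stdin)` around the open keeps the terminal prompt as the fallback when no source is given. In the option loop, `case OPT_STDIN` sets `in_stdin` but not `pw_source_defined`, unlike `case OPT_IN`, so `-stdin` followed by passwords on the command line passes the `if (*argv)` conflict check; adding `pw_source_defined = 1;` there closes it. `passwd_main` continues past the end of this hunk.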
@@ -267,16 +285,14 @@ int MAIN(int argc, char **argv) } ret = 0; - err: + end: ERR_print_errors(bio_err); if (salt_malloc) OPENSSL_free(salt_malloc); if (passwd_malloc) OPENSSL_free(passwd_malloc); BIO_free(in); - BIO_free_all(out); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } # ifndef NO_MD5CRYPT_1 @@ -412,10 +428,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, if (*salt_malloc_p == NULL) { *salt_p = *salt_malloc_p = OPENSSL_malloc(3); if (*salt_malloc_p == NULL) - goto err; + goto end; } if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) - goto err; + goto end; (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */ (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */ (*salt_p)[2] = 0; @@ -433,10 +449,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, if (*salt_malloc_p == NULL) { *salt_p = *salt_malloc_p = OPENSSL_malloc(9); if (*salt_malloc_p == NULL) - goto err; + goto end; } if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) - goto err; + goto end; for (i = 0; i < 8; i++) (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */ @@ -477,16 +493,16 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, BIO_printf(out, "%s\t%s\n", hash, passwd); else BIO_printf(out, "%s\n", hash); - return 1; - - err: return 0; + + end: + return 1; } #else -int MAIN(int argc, char **argv) +int passwd_main(int argc, char **argv) { fputs("Program not available.\n", stderr) - OPENSSL_EXIT(1); + return (1); } #endif diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 43892e5..a031c1b 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -1,4 +1,3 @@ -/* pkcs12.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL * project. @@ -69,10 +68,6 @@ # include # include -# define PROG pkcs12_main - -const EVP_CIPHER *enc; - # define NOKEYS 0x1 # define NOCERTS 0x2 # define INFO 0x4 
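Review bot: The `end:` cleanup in this hunk releases `passwd_malloc` with a plain `OPENSSL_free`, although an earlier hunk shows `EVP_read_pw_string` filling that buffer with the typed password. Since the function now ends in `return (ret);` rather than `OPENSSL_EXIT(ret);`, I would wipe the buffer before freeing it: `if (passwd_malloc) { OPENSSL_cleanse(passwd_malloc, passwd_malloc_size); OPENSSL_free(passwd_malloc); }`. As far as the visible hunks show, the same applies to `pass`, `macpass`, `passin` and `passout` in the `end:` block of pkcs12_main. passwd_main starts outside this hunk, so whether another path already clears the buffer cannot be confirmed from here.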
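Review bot: The tail of do_passwd now has its return values the wrong way round: the success path falls into `return 0;`, and the `end:` label reached from the failed `OPENSSL_malloc` and `RAND_bytes` checks returns 1. Every caller shown in passwd_main still tests `if (!do_passwd(...)) goto end;`, so a successful hash aborts the loop with `ret` left at 1, while a failed salt generation is treated as success. Keep the original order: `return 1;` after the output, then `end:` followed by `return 0;`. The `#else` stub in the same hunk also has `fputs("Program not available.\n", stderr)` without a terminating semicolon. do_passwd's body begins outside this hunk.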
@@ -81,335 +76,257 @@ const EVP_CIPHER *enc; int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, - int options, char *pempass); + int options, char *pempass, const EVP_CIPHER *enc); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, - char *pass, int passlen, int options, - char *pempass); + char *pass, int passlen, int options, char *pempass, + const EVP_CIPHER *enc); int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, - int passlen, int options, char *pempass); + int passlen, int options, char *pempass, + const EVP_CIPHER *enc); int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); int alg_print(BIO *x, X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); -static int set_pbe(BIO *err, int *ppbe, const char *str); - -int MAIN(int, char **); +static int set_pbe(int *ppbe, const char *str); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, + OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, + OPT_DESCERT, OPT_EXPORT, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, + OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, + OPT_RAND, OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, + OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, + OPT_CAFILE, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS pkcs12_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, + {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, + {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, + {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, + {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"}, + {"cacerts", OPT_CACERTS, '-', "Only output CA 
certificates"}, + {"noout", OPT_NOOUT, '-', "Don't output anything, just verify"}, + {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, + {"chain", OPT_CHAIN, '-', "Add certificate chain"}, + {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"}, + {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"}, +# ifndef OPENSSL_NO_RC2 + {"descert", OPT_DESCERT, '-', + "Encrypt output with 3DES (default RC2-40)"}, + {"certpbe", OPT_CERTPBE, 's', + "Certificate PBE algorithm (default RC2-40)"}, +# else + {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, + {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, +# endif + {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, + {"maciter", OPT_MACITER, '-', "Use MAC iteration"}, + {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, + {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, + {"LMK", OPT_LMK, '-', + "Add local machine keyset attribute to private key"}, + {"nodes", OPT_NODES, '-', "Don't encrypt private keys"}, + {"macalg", OPT_MACALG, 's', + "Digest algorithm used in MAC (default SHA1)"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"inkey", OPT_INKEY, '<', "Private key if not infile"}, + {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, + {"name", OPT_NAME, 's', "Use name as friendly name"}, + {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, + {"caname", OPT_CANAME, 's', + "Use name as CA friendly name (can be repeated)"}, + {"in", OPT_IN, '<', "Input filename"}, + {"out", OPT_OUT, '>', "Output filename"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"password", OPT_PASSWORD, 's', "Set import/export password source"}, + {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, 
+ {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {"", OPT_CIPHER, '-', "Any supported cipher"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int pkcs12_main(int argc, char **argv) { - ENGINE *e = NULL; - char *infile = NULL, *outfile = NULL, *keyname = NULL; - char *certfile = NULL; - BIO *in = NULL, *out = NULL; - char **args; - char *name = NULL; - char *csp_name = NULL; - int add_lmk = 0; - PKCS12 *p12 = NULL; + char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; + char *name = NULL, *csp_name = NULL; char pass[50], macpass[50]; - int export_cert = 0; - int options = 0; - int chain = 0; - int badarg = 0; - int iter = PKCS12_DEFAULT_ITER; - int maciter = PKCS12_DEFAULT_ITER; - int twopass = 0; - int keytype = 0; + int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; +# ifndef OPENSSL_NO_RC2 int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; +# else + int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +# endif int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - int ret = 1; - int macver = 1; - int noprompt = 0; + int ret = 1, macver = 1, noprompt = 0, add_lmk = 0; + char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; + char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL; + char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL; + char *engine = NULL, *prog; + ENGINE *e = NULL; + BIO *in = NULL, *out = NULL; + PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; - char *cpass = NULL, *mpass = NULL; - char *passargin = NULL, *passargout = NULL, *passarg = NULL; - char *passin = NULL, *passout = NULL; - char *inrand = NULL; - char *macalg = NULL; - char *CApath = NULL, *CAfile = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - - apps_startup(); - - enc = EVP_des_ede3_cbc(); - 
if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - args = argv + 1; - - while (*args) { - if (*args[0] == '-') { - if (!strcmp(*args, "-nokeys")) - options |= NOKEYS; - else if (!strcmp(*args, "-keyex")) - keytype = KEY_EX; - else if (!strcmp(*args, "-keysig")) - keytype = KEY_SIG; - else if (!strcmp(*args, "-nocerts")) - options |= NOCERTS; - else if (!strcmp(*args, "-clcerts")) - options |= CLCERTS; - else if (!strcmp(*args, "-cacerts")) - options |= CACERTS; - else if (!strcmp(*args, "-noout")) - options |= (NOKEYS | NOCERTS); - else if (!strcmp(*args, "-info")) - options |= INFO; - else if (!strcmp(*args, "-chain")) - chain = 1; - else if (!strcmp(*args, "-twopass")) - twopass = 1; - else if (!strcmp(*args, "-nomacver")) - macver = 0; - else if (!strcmp(*args, "-descert")) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else if (!strcmp(*args, "-export")) - export_cert = 1; - else if (!strcmp(*args, "-des")) - enc = EVP_des_cbc(); - else if (!strcmp(*args, "-des3")) - enc = EVP_des_ede3_cbc(); -# ifndef OPENSSL_NO_IDEA - else if (!strcmp(*args, "-idea")) - enc = EVP_idea_cbc(); -# endif -# ifndef OPENSSL_NO_SEED - else if (!strcmp(*args, "-seed")) - enc = EVP_seed_cbc(); -# endif -# ifndef OPENSSL_NO_AES - else if (!strcmp(*args, "-aes128")) - enc = EVP_aes_128_cbc(); - else if (!strcmp(*args, "-aes192")) - enc = EVP_aes_192_cbc(); - else if (!strcmp(*args, "-aes256")) - enc = EVP_aes_256_cbc(); -# endif -# ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args, "-camellia128")) - enc = EVP_camellia_128_cbc(); - else if (!strcmp(*args, "-camellia192")) - enc = EVP_camellia_192_cbc(); - else if (!strcmp(*args, "-camellia256")) - enc = EVP_camellia_256_cbc(); -# endif - else if (!strcmp(*args, "-noiter")) - iter = 1; - else if (!strcmp(*args, "-maciter")) - maciter = PKCS12_DEFAULT_ITER; - else if (!strcmp(*args, "-nomaciter")) - maciter = 1; - else if (!strcmp(*args, "-nomac")) - maciter = 
-1; - else if (!strcmp(*args, "-macalg")) - if (args[1]) { - args++; - macalg = *args; - } else - badarg = 1; - else if (!strcmp(*args, "-nodes")) - enc = NULL; - else if (!strcmp(*args, "-certpbe")) { - if (!set_pbe(bio_err, &cert_pbe, *++args)) - badarg = 1; - } else if (!strcmp(*args, "-keypbe")) { - if (!set_pbe(bio_err, &key_pbe, *++args)) - badarg = 1; - } else if (!strcmp(*args, "-rand")) { - if (args[1]) { - args++; - inrand = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-inkey")) { - if (args[1]) { - args++; - keyname = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-certfile")) { - if (args[1]) { - args++; - certfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-name")) { - if (args[1]) { - args++; - name = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-LMK")) - add_lmk = 1; - else if (!strcmp(*args, "-CSP")) { - if (args[1]) { - args++; - csp_name = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-caname")) { - if (args[1]) { - args++; - if (!canames) - canames = sk_OPENSSL_STRING_new_null(); - sk_OPENSSL_STRING_push(canames, *args); - } else - badarg = 1; - } else if (!strcmp(*args, "-in")) { - if (args[1]) { - args++; - infile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-passin")) { - if (args[1]) { - args++; - passargin = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-passout")) { - if (args[1]) { - args++; - passargout = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-password")) { - if (args[1]) { - args++; - passarg = *args; - noprompt = 1; - } else - badarg = 1; - } else if (!strcmp(*args, "-CApath")) { - if (args[1]) { - args++; - CApath = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-CAfile")) { - if (args[1]) { - args++; - CAfile = *args; - } else - badarg = 1; -# ifndef OPENSSL_NO_ENGINE - } else if (!strcmp(*args, 
"-engine")) { - if (args[1]) { - args++; - engine = *args; - } else - badarg = 1; -# endif - } else - badarg = 1; - - } else - badarg = 1; - args++; + const EVP_CIPHER *enc = EVP_des_ede3_cbc(); + OPTION_CHOICE o; + + prog = opt_init(argc, argv, pkcs12_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs12_options); + ret = 0; + goto end; + case OPT_NOKEYS: + options |= NOKEYS; + break; + case OPT_KEYEX: + keytype = KEY_EX; + break; + case OPT_KEYSIG: + keytype = KEY_SIG; + break; + case OPT_NOCERTS: + options |= NOCERTS; + break; + case OPT_CLCERTS: + options |= CLCERTS; + break; + case OPT_CACERTS: + options |= CACERTS; + break; + case OPT_NOOUT: + options |= (NOKEYS | NOCERTS); + break; + case OPT_INFO: + options |= INFO; + break; + case OPT_CHAIN: + chain = 1; + break; + case OPT_TWOPASS: + twopass = 1; + break; + case OPT_NOMACVER: + macver = 0; + break; + case OPT_DESCERT: + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + break; + case OPT_EXPORT: + export_cert = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; + break; + case OPT_NOITER: + iter = 1; + break; + case OPT_MACITER: + maciter = PKCS12_DEFAULT_ITER; + break; + case OPT_NOMACITER: + maciter = 1; + break; + case OPT_NOMAC: + maciter = -1; + break; + case OPT_MACALG: + macalg = opt_arg(); + break; + case OPT_NODES: + enc = NULL; + break; + case OPT_CERTPBE: + if (!set_pbe(&cert_pbe, opt_arg())) + goto opthelp; + break; + case OPT_KEYPBE: + if (!set_pbe(&key_pbe, opt_arg())) + goto opthelp; + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_INKEY: + keyname = opt_arg(); + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_NAME: + name = opt_arg(); + break; + case OPT_LMK: + add_lmk = 1; + break; + case OPT_CSP: + csp_name = opt_arg(); + break; + case OPT_CANAME: + 
if (canames == NULL + && (canames = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(canames, opt_arg()); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_PASSWORD: + passarg = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); - if (badarg) { - BIO_printf(bio_err, "Usage: pkcs12 [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-export output PKCS12 file\n"); - BIO_printf(bio_err, "-chain add certificate chain\n"); - BIO_printf(bio_err, "-inkey file private key if not infile\n"); - BIO_printf(bio_err, "-certfile f add all certs in f\n"); - BIO_printf(bio_err, "-CApath arg - PEM format directory of CA's\n"); - BIO_printf(bio_err, "-CAfile arg - PEM format file of CA's\n"); - BIO_printf(bio_err, "-name \"name\" use name as friendly name\n"); - BIO_printf(bio_err, - "-caname \"nm\" use nm as CA friendly name (can be used more than once).\n"); - BIO_printf(bio_err, "-in infile input filename\n"); - BIO_printf(bio_err, "-out outfile output filename\n"); - BIO_printf(bio_err, - "-noout don't output anything, just verify.\n"); - BIO_printf(bio_err, "-nomacver don't verify MAC.\n"); - BIO_printf(bio_err, "-nocerts don't output certificates.\n"); - BIO_printf(bio_err, - "-clcerts only output client certificates.\n"); - BIO_printf(bio_err, "-cacerts only output CA certificates.\n"); - BIO_printf(bio_err, "-nokeys don't output private keys.\n"); - BIO_printf(bio_err, - "-info give info about PKCS#12 structure.\n"); - BIO_printf(bio_err, "-des encrypt private keys with DES\n"); - BIO_printf(bio_err, - "-des3 encrypt private keys with triple DES (default)\n"); -# ifndef 
OPENSSL_NO_IDEA - BIO_printf(bio_err, "-idea encrypt private keys with idea\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "-seed encrypt private keys with seed\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif - BIO_printf(bio_err, "-nodes don't encrypt private keys\n"); - BIO_printf(bio_err, "-noiter don't use encryption iteration\n"); - BIO_printf(bio_err, "-nomaciter don't use MAC iteration\n"); - BIO_printf(bio_err, "-maciter use MAC iteration\n"); - BIO_printf(bio_err, "-nomac don't generate MAC\n"); - BIO_printf(bio_err, - "-twopass separate MAC, encryption passwords\n"); - BIO_printf(bio_err, - "-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)\n"); - BIO_printf(bio_err, - "-certpbe alg specify certificate PBE algorithm (default RC2-40)\n"); - BIO_printf(bio_err, - "-keypbe alg specify private key PBE algorithm (default 3DES)\n"); - BIO_printf(bio_err, - "-macalg alg digest algorithm used in MAC (default SHA1)\n"); - BIO_printf(bio_err, "-keyex set MS key exchange type\n"); - BIO_printf(bio_err, "-keysig set MS key signature type\n"); - BIO_printf(bio_err, - "-password p set import/export password source\n"); - BIO_printf(bio_err, "-passin p input file pass phrase source\n"); - BIO_printf(bio_err, "-passout p output file pass phrase source\n"); # ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -# endif - BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, "-CSP name Microsoft CSP 
name\n"); - BIO_printf(bio_err, - "-LMK Add local machine keyset attribute to private key\n"); - goto end; - } -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif if (passarg) { if (export_cert) - passargout = passarg; + passoutarg = passarg; else - passargin = passarg; + passinarg = passarg; } - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } 
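Review bot: After the option loop, `argc = opt_num_rest(); argv = opt_rest();` are assigned but nothing in this hunk reads them, whereas the removed parser set `badarg` for any argument that did not start with `-`. A stray positional argument, for example an output filename given without `-out`, would be ignored, and the decoded keys and certificates would presumably go to standard output instead of the intended file. I would reject leftovers right there: `if (argc != 0) goto opthelp;`. pkcs12_main continues past the end of this hunk, so a later check cannot be ruled out.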
@@ -430,60 +347,26 @@ int MAIN(int argc, char **argv) } if (export_cert || inrand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); } - ERR_load_crypto_strings(); - -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("read files"); -# endif - if (!infile) - in = BIO_new_fp(stdin, BIO_NOCLOSE); - else - in = BIO_new_file(infile, "rb"); - if (!in) { - BIO_printf(bio_err, "Error opening input file %s\n", - infile ? infile : ""); - perror(infile); + in = bio_open_default(infile, "rb"); + if (in == NULL) goto end; - } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("write files"); -# endif - if (!outfile) { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else - out = BIO_new_file(outfile, "wb"); - if (!out) { - BIO_printf(bio_err, "Error opening output file %s\n", - outfile ? outfile : ""); - perror(outfile); + out = bio_open_default(outfile, "wb"); + if (out == NULL) goto end; - } + if (twopass) { -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("read MAC password"); -# endif if (EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif } if (export_cert) { 
@@ -502,24 +385,16 @@ int MAIN(int argc, char **argv) if (options & NOCERTS) chain = 0; -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("process -export_cert"); - CRYPTO_push_info("reading private key"); -# endif if (!(options & NOKEYS)) { - key = load_key(bio_err, keyname ? keyname : infile, + key = load_key(keyname ? keyname : infile, FORMAT_PEM, 1, passin, e, "private key"); if (!key) goto export_end; } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("reading certs from input"); -# endif /* Load in all certs in input file */ if (!(options & NOCERTS)) { - certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e, + certs = load_certs(infile, FORMAT_PEM, NULL, e, "certificates"); if (!certs) goto export_end; @@ -546,43 +421,25 @@ int MAIN(int argc, char **argv) } } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("reading certs from input 2"); -# endif /* Add any more certificates asked for */ if (certfile) { STACK_OF(X509) *morecerts = NULL; - if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM, - NULL, e, + if (!(morecerts = load_certs(certfile, FORMAT_PEM, NULL, e, "certificates from certfile"))) goto export_end; while (sk_X509_num(morecerts) > 0) sk_X509_push(certs, sk_X509_shift(morecerts)); sk_X509_free(morecerts); } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("reading certs from certfile"); -# endif - -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("building chain"); -# endif /* If chaining get chain from user cert */ if (chain) { int vret; STACK_OF(X509) *chain2; - X509_STORE *store = X509_STORE_new(); - if (!store) { - BIO_printf(bio_err, "Memory allocation error\n"); + X509_STORE *store; + if (!(store = setup_verify(CAfile, CApath))) goto export_end; - } - if (!X509_STORE_load_locations(store, CAfile, CApath)) - X509_STORE_set_default_paths(store); vret = get_cert_chain(ucert, store, &chain2); X509_STORE_free(store); 
@@ -619,11 +476,6 @@ int MAIN(int argc, char **argv) if (add_lmk && key) EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("reading password"); -# endif - if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) { @@ -633,11 +485,6 @@ int MAIN(int argc, char **argv) if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("creating PKCS#12 structure"); -# endif - p12 = PKCS12_create(cpass, name, key, ucert, certs, key_pbe, cert_pbe, iter, -1, keytype); @@ -647,30 +494,18 @@ int MAIN(int argc, char **argv) } if (macalg) { - macmd = EVP_get_digestbyname(macalg); - if (!macmd) { - BIO_printf(bio_err, "Unknown digest algorithm %s\n", macalg); - } + if (!opt_md(macalg, &macmd)) + goto opthelp; } if (maciter != -1) PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_push_info("writing pkcs12"); -# endif - i2d_PKCS12_bio(out, p12); ret = 0; export_end: -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); - CRYPTO_pop_info(); - CRYPTO_push_info("process -export_cert: freeing"); -# endif EVP_PKEY_free(key); if (certs) @@ -678,9 +513,6 @@ int MAIN(int argc, char **argv) if (ucert) X509_free(ucert); -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif goto end; } @@ -689,18 +521,13 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("read import password"); -# endif + if (!noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:", 0)) { BIO_printf(bio_err, "Can't read Password\n"); goto end; } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass); 
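Review bot: The new `if (!opt_md(macalg, &macmd)) goto opthelp;` jumps from inside the export block straight to the option-error label, bypassing `export_end:` where `key`, `certs` and `ucert` are released. On a bad `-macalg` the loaded private key therefore stays allocated when the function returns, and the check only runs after `PKCS12_create` has already done its work. Use `goto export_end;` here, or resolve the digest in the `OPT_MACALG` case so the error is reported before any key material is read. The export block opens outside this hunk, so the declarations of `key` and `certs` are not visible here.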
@@ -709,9 +536,6 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1); if (macver) { -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("verify MAC"); -# endif /* If we enter empty password try no password first */ if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { /* If mac and crypto pass the same set it to NULL too */ @@ -722,30 +546,18 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - BIO_printf(bio_err, "MAC verified OK\n"); -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif } -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("output keys and certificates"); -# endif - if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout)) { + + if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { BIO_printf(bio_err, "Error outputting keys and certificates\n"); ERR_print_errors(bio_err); goto end; } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif ret = 0; end: PKCS12_free(p12); if (export_cert || inrand) - app_RAND_write_file(NULL, bio_err); -# ifdef CRYPTO_MDEBUG - CRYPTO_remove_all_info(); -# endif + app_RAND_write_file(NULL); BIO_free(in); BIO_free_all(out); if (canames) @@ -754,12 +566,12 @@ int MAIN(int argc, char **argv) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, - int passlen, int options, char *pempass) + int passlen, int options, char *pempass, + const EVP_CIPHER *enc) { STACK_OF(PKCS7) *asafes = NULL; STACK_OF(PKCS12_SAFEBAG) *bags; @@ -787,7 +599,7 @@ int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, if (!bags) goto err; if (!dump_certs_pkeys_bags(out, bags, pass, passlen, - options, pempass)) { + options, pempass, enc)) { sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); goto err; } 
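Review bot: Removing `BIO_printf(bio_err, "MAC verified OK\n");` leaves the import path with no positive indication that the integrity check ran. With `-nomacver` the `if (macver)` block is skipped entirely, so from the visible lines the verified and unverified cases now look the same to an operator or a wrapper script unless the MAC check fails. If the message was dropped only to reduce noise, I would keep it, or print a one-line warning in the `-nomacver` case instead. The enclosing function starts outside this hunk.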
@@ -802,20 +614,22 @@ int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, } int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, - char *pass, int passlen, int options, char *pempass) + char *pass, int passlen, int options, char *pempass, + const EVP_CIPHER *enc) { int i; for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { if (!dump_certs_pkeys_bag(out, sk_PKCS12_SAFEBAG_value(bags, i), - pass, passlen, options, pempass)) + pass, passlen, options, pempass, enc)) return 0; } return 1; } int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, - int passlen, int options, char *pempass) + int passlen, int options, char *pempass, + const EVP_CIPHER *enc) { EVP_PKEY *pkey; PKCS8_PRIV_KEY_INFO *p8; @@ -881,7 +695,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, BIO_printf(bio_err, "Safe Contents bag\n"); print_attribs(out, bag->attrib, "Bag Attributes"); return dump_certs_pkeys_bags(out, bag->value.safes, pass, - passlen, options, pempass); + passlen, options, pempass, enc); default: BIO_printf(bio_err, "Warning unsupported bag type: "); @@ -949,22 +763,10 @@ int cert_load(BIO *in, STACK_OF(X509) *sk) int ret; X509 *cert; ret = 0; -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("cert_load(): reading one cert"); -# endif while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif ret = 1; sk_X509_push(sk, cert); -# ifdef CRYPTO_MDEBUG - CRYPTO_push_info("cert_load(): reading one cert"); -# endif } -# ifdef CRYPTO_MDEBUG - CRYPTO_pop_info(); -# endif if (ret) ERR_clear_error(); return ret; @@ -1039,7 +841,7 @@ void hex_prin(BIO *out, unsigned char *buf, int len) BIO_printf(out, "%02X ", buf[i]); } -static int set_pbe(BIO *err, int *ppbe, const char *str) +static int set_pbe(int *ppbe, const char *str) { if (!str) return 0; diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 4fcb089..ca05273 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c 
@@ -1,4 +1,3 @@ -/* apps/pkcs7.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -55,6 +54,54 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ #include #include 
@@ -68,162 +115,105 @@ #include #include -#undef PROG -#define PROG pkcs7_main - -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -print_certs - */ +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, + OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS pkcs7_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"noout", OPT_NOOUT, '-', "Don't output encoded data"}, + {"text", OPT_TEXT, '-', "Print full details of certificates"}, + {"print", OPT_PRINT, '-'}, + {"print_certs", OPT_PRINT_CERTS, '-', + "Print_certs print any certs or crl in the input"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int pkcs7_main(int argc, char **argv) { PKCS7 *p7 = NULL; - int i, badops = 0; BIO *in = NULL, *out = NULL; - int informat, outformat; - char *infile, *outfile, *prog; - int print_certs = 0, text = 0, noout = 0, p7_print = 0; - int ret = 1; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1; + OPTION_CHOICE o; - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = 
argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-noout") == 0) + prog = opt_init(argc, argv, pkcs7_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs7_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-print") == 0) + break; + case OPT_PRINT: p7_print = 1; - else if (strcmp(*argv, "-print_certs") == 0) + break; + case OPT_PRINT_CERTS: print_certs = 1; -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif - else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_ENGINE: + engine = opt_arg(); break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input 
file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, - " -print_certs print any certs or crl in the input\n"); - BIO_printf(bio_err, - " -text print full details of certificates\n"); - BIO_printf(bio_err, " -noout don't output encoded data\n"); #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); + setup_engine(engine, 0); #endif - ret = 1; - goto end; - } - - ERR_load_crypto_strings(); -#ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -#endif - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, RB(informat)); + if (in == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - BIO_printf(bio_err, "unable to load input file\n"); - ERR_print_errors(bio_err); - goto end; - } - } if (informat == FORMAT_ASN1) p7 = d2i_PKCS7_bio(in, NULL); - else if (informat == FORMAT_PEM) + else p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, "bad input format specified for pkcs7 object\n"); - goto end; - } if (p7 == NULL) { BIO_printf(bio_err, "unable to load PKCS7 object\n"); ERR_print_errors(bio_err); goto end; } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, WB(outformat)); + if (out == NULL) + goto end; if (p7_print) PKCS7_print_ctx(out, p7, 0, NULL); 
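Review bot: Leftover command-line words are no longer rejected in pkcs7_main: the hunk stores them with `argc = opt_num_rest(); argv = opt_rest();` and never looks at them again, whereas the removed loop sent every unrecognised word to the "unknown option" path. If opt_next() stops at the first word that is not an option (its definition is not visible here), a stray token in the middle of a command line would silently drop every option after it and the tool would carry on with defaults. I'd add `if (argc != 0) goto opthelp;` right after `argv = opt_rest();`. The same pattern appears in the pkcs8_main, pkey_main and pkeyparam_main hunks below; there the removed loops also stopped at the first word not starting with '-', so the gap is carried over rather than new. pkcs7_main continues past the end of this hunk.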
@@ -282,12 +272,8 @@ int MAIN(int argc, char **argv) if (!noout) { if (outformat == FORMAT_ASN1) i = i2d_PKCS7_bio(out, p7); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_PKCS7(out, p7); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write pkcs7 object\n"); @@ -300,6 +286,5 @@ int MAIN(int argc, char **argv) PKCS7_free(p7); BIO_free(in); BIO_free_all(out); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/pkcs8.c b/apps/pkcs8.c index a56b9f4..7b361cf 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -1,4 +1,3 @@ -/* pkcs8.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 1999-2004. 
@@ -65,180 +64,142 @@ #include #include -#define PROG pkcs8_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED, + OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS pkcs8_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"}, + {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"}, + {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"}, + {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"}, + {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"}, + {"embed", OPT_EMBED, '-', + "Use (nonstandard) embedded DSA parameters format"}, + {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"}, + {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"}, + {"v2prf", OPT_V2PRF, 's'}, + {"iter", OPT_ITER, 'p', "Specify the iteration count"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int pkcs8_main(int argc, char **argv) { - ENGINE *e = NULL; - char **args, *infile = NULL, *outfile = NULL; - char *passargin = NULL, *passargout = NULL; BIO *in = NULL, *out = NULL; - int topk8 = 0; - int pbe_nid = -1; - const EVP_CIPHER *cipher = NULL; - int iter = PKCS12_DEFAULT_ITER; - int informat, outformat; - int p8_broken = PKCS8_OK; - int nocrypt = 0; - X509_SIG *p8 = NULL; - PKCS8_PRIV_KEY_INFO *p8inf = NULL; + ENGINE *e = NULL; EVP_PKEY *pkey = NULL; + 
PKCS8_PRIV_KEY_INFO *p8inf = NULL; + X509_SIG *p8 = NULL; + const EVP_CIPHER *cipher = NULL; + char *engine = NULL, *infile = NULL, *outfile = NULL; + char *passinarg = NULL, *passoutarg = NULL, *prog; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; - int badarg = 0; - int ret = 1; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - informat = FORMAT_PEM; - outformat = FORMAT_PEM; + OPTION_CHOICE o; + int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = + PKCS8_OK; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = + -1; - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-v2")) { - if (args[1]) { - args++; - cipher = EVP_get_cipherbyname(*args); - if (!cipher) { - BIO_printf(bio_err, "Unknown cipher %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-v1")) { - if (args[1]) { - args++; - pbe_nid = OBJ_txt2nid(*args); - if (pbe_nid == NID_undef) { - BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-v2prf")) { - if (args[1]) { - args++; - pbe_nid = OBJ_txt2nid(*args); - if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { - BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args); - badarg = 1; - } - } else - badarg = 1; - } else if (!strcmp(*args, "-inform")) { - if (args[1]) { - args++; - informat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-outform")) { - if (args[1]) { - args++; - outformat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-topk8")) + prog = opt_init(argc, argv, pkcs8_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use 
-help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs8_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TOPK8: topk8 = 1; - else if (!strcmp(*args, "-noiter")) + break; + case OPT_NOITER: iter = 1; - else if (!strcmp(*args, "-iter")) { - if (args[1]) { - iter = atoi(*(++args)); - if (iter <= 0) - badarg = 1; - } else - badarg = 1; - } else if (!strcmp(*args, "-nocrypt")) + break; + case OPT_NOCRYPT: nocrypt = 1; - else if (!strcmp(*args, "-nooct")) + break; + case OPT_NOOCT: p8_broken = PKCS8_NO_OCTET; - else if (!strcmp(*args, "-nsdb")) + break; + case OPT_NSDB: p8_broken = PKCS8_NS_DB; - else if (!strcmp(*args, "-embed")) + break; + case OPT_EMBED: p8_broken = PKCS8_EMBEDDED_PARAM; - else if (!strcmp(*args, "-passin")) { - if (args[1]) - passargin = *(++args); - else - badarg = 1; - } else if (!strcmp(*args, "-passout")) { - if (args[1]) - passargout = *(++args); - else - badarg = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args, "-engine") == 0) { - if (args[1]) - engine = *(++args); - else - badarg = 1; + break; + case OPT_V2: + if (!opt_cipher(opt_arg(), &cipher)) + goto opthelp; + break; + case OPT_V1: + pbe_nid = OBJ_txt2nid(opt_arg()); + if (pbe_nid == NID_undef) { + BIO_printf(bio_err, + "%s: Unknown PBE algorithm %s\n", prog, opt_arg()); + goto opthelp; + } + break; + case OPT_V2PRF: + pbe_nid = OBJ_txt2nid(opt_arg()); + if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { + BIO_printf(bio_err, + "%s: Unknown PRF algorithm %s\n", prog, opt_arg()); + goto opthelp; + } + break; + case OPT_ITER: + if (!opt_int(opt_arg(), &iter)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + 
passoutarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; } -#endif - else if (!strcmp(*args, "-in")) { - if (args[1]) { - args++; - infile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else - badarg = 1; - args++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badarg) { - BIO_printf(bio_err, "Usage pkcs8 [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); - BIO_printf(bio_err, - "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-passout arg output file pass phrase source\n"); - BIO_printf(bio_err, "-topk8 output PKCS8 file\n"); - BIO_printf(bio_err, - "-nooct use (nonstandard) no octet format\n"); - BIO_printf(bio_err, - "-embed use (nonstandard) embedded DSA parameters format\n"); - BIO_printf(bio_err, - "-nsdb use (nonstandard) DSA Netscape DB format\n"); - BIO_printf(bio_err, "-iter count use count as iteration count\n"); - BIO_printf(bio_err, "-noiter use 1 as iteration count\n"); - BIO_printf(bio_err, - "-nocrypt use or expect unencrypted private key\n"); - BIO_printf(bio_err, - "-v2 alg use PKCS#5 v2.0 and cipher \"alg\"\n"); - BIO_printf(bio_err, - "-v1 obj use PKCS#5 v1.5 and cipher \"alg\"\n"); #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -#endif - goto end; - } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } 
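Review bot: The explicit `iter <= 0` rejection from the removed `-iter` branch is gone, and the new `OPT_ITER` case only checks that `opt_int()` parsed a number. Presumably the `'p'` type code on the `iter` entry in `pkcs8_options` is what keeps zero and negative counts out, but nothing in this hunk says so, and `iter` is later handed to `PKCS8_encrypt()` as the iteration count. I'd either keep the bound local, `if (!opt_int(opt_arg(), &iter) || iter <= 0) goto opthelp;`, or, once the parser's behaviour is confirmed, add a comment on the table entry such as `/* 'p': option parser rejects values <= 0 */`. The `v2prf` entry also has no help string, unlike its neighbours. pkcs8_main starts in this hunk and continues outside it.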
@@ -246,30 +207,14 @@ int MAIN(int argc, char **argv) if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC; - if (infile) { - if (!(in = BIO_new_file(infile, "rb"))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } + in = bio_open_default(infile, "rb"); + if (in == NULL) + goto end; + out = bio_open_default(outfile, "wb"); + if (out == NULL) + goto end; if (topk8) { - pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); + pkey = load_key(infile, informat, 1, passin, e, "key"); if (!pkey) goto end; if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) { @@ -295,7 +240,7 @@ int MAIN(int argc, char **argv) (pass, sizeof pass, "Enter Encryption Password:", 1)) goto end; } - app_RAND_load_file(NULL, bio_err, 0); + app_RAND_load_file(NULL, 0); if (!(p8 = PKCS8_encrypt(pbe_nid, cipher, p8pass, strlen(p8pass), NULL, 0, iter, p8inf))) { @@ -303,7 +248,7 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); if (outformat == FORMAT_PEM) PEM_write_bio_PKCS8(out, p8); else if (outformat == FORMAT_ASN1) diff --git a/apps/pkey.c b/apps/pkey.c index e848049..3597be0 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -1,4 +1,3 @@ -/* apps/pkey.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 2006 
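Review bot: The context line at the top of the `@@ -246,30 +207,14 @@` hunk still selects `NID_pbeWithMD5AndDES_CBC` whenever neither `-v1` nor `-v2` was parsed, and the rewritten `pkcs8_options` help strings give the user no hint of that fallback. Since this commit rewrites the user-facing option text anyway, the `v2` help could say so, e.g. `"Use PKCS#5 v2.0 and cipher (without -v1/-v2: pbeWithMD5AndDES-CBC)"`, and the assignment deserves a comment like `/* legacy default: PKCS#5 v1.5 PBE with MD5 and DES-CBC */`. This matters more if options can be dropped silently by the parser, because a lost `-v2` then lands on this default without any message. The enclosing function body starts and ends outside this hunk.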
@@ -63,150 +62,121 @@ #include #include -#define PROG pkey_main - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, + OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, + OPT_TEXT, OPT_NOOUT, OPT_MD +} OPTION_CHOICE; + +OPTIONS pkey_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pubin", OPT_PUBIN, '-', + "Read public key from input (default is private key)"}, + {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, + {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"}, + {"text", OPT_TEXT, '-', "Output in plaintext as well"}, + {"noout", OPT_NOOUT, '-', "Don't output the key"}, + {"", OPT_MD, '-', "Any supported cipher"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int pkey_main(int argc, char **argv) { - ENGINE *e = NULL; - char **args, *infile = NULL, *outfile = NULL; - char *passargin = NULL, *passargout = NULL; BIO *in = NULL, *out = NULL; - const EVP_CIPHER *cipher = NULL; - int informat, outformat; - int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0; + ENGINE *e = NULL; EVP_PKEY *pkey = NULL; - char *passin = NULL, *passout = NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = 
argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-inform")) { - if (args[1]) { - args++; - informat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-outform")) { - if (args[1]) { - args++; - outformat = str2fmt(*args); - } else - badarg = 1; - } else if (!strcmp(*args, "-passin")) { - if (!args[1]) - goto bad; - passargin = *(++args); - } else if (!strcmp(*args, "-passout")) { - if (!args[1]) - goto bad; - passargout = *(++args); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args, "-engine") == 0) { - if (!args[1]) - goto bad; - engine = *(++args); - } -#endif - else if (!strcmp(*args, "-in")) { - if (args[1]) { - args++; - infile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } else if (strcmp(*args, "-pubin") == 0) { - pubin = 1; - pubout = 1; - pubtext = 1; - } else if (strcmp(*args, "-pubout") == 0) + const EVP_CIPHER *cipher = NULL; + char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; + char *passinarg = NULL, *passoutarg = NULL, *prog, *engine = NULL; + OPTION_CHOICE o; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1; + + prog = opt_init(argc, argv, pkey_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkey_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + 
outfile = opt_arg(); + break; + case OPT_PUBIN: + pubin = pubout = pubtext = 1; + break; + case OPT_PUBOUT: pubout = 1; - else if (strcmp(*args, "-text_pub") == 0) { - pubtext = 1; - text = 1; - } else if (strcmp(*args, "-text") == 0) + break; + case OPT_TEXT_PUB: + pubtext = text = 1; + break; + case OPT_TEXT: text = 1; - else if (strcmp(*args, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - else { - cipher = EVP_get_cipherbyname(*args + 1); - if (!cipher) { - BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1); - badarg = 1; - } + break; + case OPT_MD: + if (!opt_cipher(opt_unknown(), &cipher)) + goto opthelp; } - args++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badarg) { - bad: - BIO_printf(bio_err, "Usage pkey [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-inform X input format (DER or PEM)\n"); - BIO_printf(bio_err, - "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-outform X output format (DER or PEM)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-passout arg output file pass phrase source\n"); #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } + out = bio_open_default(outfile, "wb"); + if (out == NULL) + goto 
end; if (pubin) - pkey = load_pubkey(bio_err, infile, informat, 1, - passin, e, "Public Key"); + pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key"); else - pkey = load_key(bio_err, infile, informat, 1, passin, e, "key"); + pkey = load_key(infile, informat, 1, passin, e, "key"); if (!pkey) goto end; diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index a148a66..5a5caf5 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -1,4 +1,3 @@ -/* apps/pkeyparam.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 2006 
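Review bot: `OPT_MD` is a misleading name in pkey_main: the table entry it belongs to is described as "Any supported cipher" and the handler passes the word to `opt_cipher()`, so nothing about it is a message digest. I'd rename it to `OPT_CIPHER` in the enum, the `pkey_options` entry and the case label. That case is also the only one in the switch without a closing `break;`; it is harmless while it stays last, but a case added after it would be fallen into, so it should read `if (!opt_cipher(opt_unknown(), &cipher)) goto opthelp; break;`. pkey_main continues past the end of this hunk.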
@@ -63,104 +62,72 @@ #include #include -#define PROG pkeyparam_main - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS pkeyparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Print parameters as text"}, + {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int pkeyparam_main(int argc, char **argv) { - char **args, *infile = NULL, *outfile = NULL; BIO *in = NULL, *out = NULL; - int text = 0, noout = 0; EVP_PKEY *pkey = NULL; - int badarg = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - int ret = 1; - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - args = argv + 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-in")) { - if (args[1]) { - args++; - infile = *args; - } else - badarg = 1; - } else if (!strcmp(*args, "-out")) { - if (args[1]) { - args++; - outfile = *args; - } else - badarg = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*args, "-engine") == 0) { - if (!args[1]) - goto bad; - engine = *(++args); - } -#endif - - else if (strcmp(*args, "-text") == 0) + int text = 0, noout = 0, ret = 1; + OPTION_CHOICE o; + char *infile = NULL, *outfile = NULL, *prog, *engine = NULL; + + prog = opt_init(argc, argv, pkeyparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkeyparam_options); + ret = 0; + goto end; + case OPT_IN: + infile = 
opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_TEXT: text = 1; - else if (strcmp(*args, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - args++; + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); - if (badarg) { #ifndef OPENSSL_NO_ENGINE - bad: + setup_engine(engine, 0); #endif - BIO_printf(bio_err, "Usage pkeyparam [options]\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-text print parameters as text\n"); - BIO_printf(bio_err, - "-noout don't output encoded parameters\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -#endif - return 1; - } -#ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -#endif - - if (infile) { - if (!(in = BIO_new_file(infile, "r"))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - - if (outfile) { - if (!(out = BIO_new_file(outfile, "w"))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } + in = bio_open_default(infile, "r"); + if (in == NULL) + goto end; + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; pkey = PEM_read_bio_Parameters(in, NULL); if (!pkey) { BIO_printf(bio_err, "Error reading parameters\n"); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 1028686..942ba05 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c 
@@ -66,200 +66,194 @@ #define KEY_PUBKEY 2 #define KEY_CERT 3 -static void usage(void); - -#undef PROG - -#define PROG pkeyutl_main - static EVP_PKEY_CTX *init_ctx(int *pkeysize, char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e); + char *passinarg, int pkey_op, ENGINE *e); -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file); +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file); static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, unsigned char *out, size_t *poutlen, unsigned char *in, size_t inlen); -int MAIN(int argc, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN, + OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, + OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN, + OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT +} OPTION_CHOICE; + +OPTIONS pkeyutl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pubin", OPT_PUBIN, '-', "Input is a public key"}, + {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, + {"asn1parse", OPT_ASN1PARSE, '-'}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"sign", OPT_SIGN, '-', "Sign with private key"}, + {"verify", OPT_VERIFY, '-', "Verify with public key"}, + {"verifyrecover", OPT_VERIFYRECOVER, '-', + "Verify with public key, recover original data"}, + {"rev", OPT_REV, '-'}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, + {"derive", OPT_DERIVE, '-', "Derive shared secret"}, + {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, + {"inkey", OPT_INKEY, 's', "Input key"}, + {"peerkey", OPT_PEERKEY, 's'}, + {"passin", OPT_PASSIN, 's', "Pass phrase source"}, + {"peerform", OPT_PEERFORM, 'F'}, + 
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, + {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int pkeyutl_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; - char *infile = NULL, *outfile = NULL, *sigfile = NULL; ENGINE *e = NULL; - int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; - int keyform = FORMAT_PEM, peerform = FORMAT_PEM; - char badarg = 0, rev = 0; - char hexdump = 0, asn1parse = 0; EVP_PKEY_CTX *ctx = NULL; - char *passargin = NULL; - int keysize = -1; - + char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL; + char hexdump = 0, asn1parse = 0, rev = 0, *prog; unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; - size_t buf_outlen; - int buf_inlen = 0, siglen = -1; - + OPTION_CHOICE o; + int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = + FORMAT_PEM; + int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; int ret = 1, rv = -1; + size_t buf_outlen; - argc--; - argv++; - - if (!bio_err) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - - while (argc >= 1) { - if (!strcmp(*argv, "-in")) { - if (--argc < 1) - badarg = 1; - else - infile = *(++argv); - } else if (!strcmp(*argv, "-out")) { - if (--argc < 1) - badarg = 1; - else - outfile = *(++argv); - } else if (!strcmp(*argv, "-sigfile")) { - if (--argc < 1) - badarg = 1; - else - sigfile = *(++argv); - } else if (!strcmp(*argv, "-inkey")) { - if (--argc < 1) - badarg = 1; - else { - ctx = init_ctx(&keysize, - *(++argv), keyform, key_type, - passargin, pkey_op, e); - if (!ctx) { - BIO_puts(bio_err, "Error initializing context\n"); - ERR_print_errors(bio_err); - badarg = 1; - } + prog = opt_init(argc, argv, pkeyutl_options); + while ((o = 
opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkeyutl_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_SIGFILE: + sigfile = opt_arg(); + break; + case OPT_INKEY: + ctx = init_ctx(&keysize, opt_arg(), keyform, key_type, + passinarg, pkey_op, e); + if (ctx == NULL) { + BIO_puts(bio_err, "%s: Error initializing context\n"); + ERR_print_errors(bio_err); + goto opthelp; } - } else if (!strcmp(*argv, "-peerkey")) { - if (--argc < 1) - badarg = 1; - else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) - badarg = 1; - } else if (!strcmp(*argv, "-passin")) { - if (--argc < 1) - badarg = 1; - else - passargin = *(++argv); - } else if (strcmp(*argv, "-peerform") == 0) { - if (--argc < 1) - badarg = 1; - else - peerform = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - badarg = 1; - else - keyform = str2fmt(*(++argv)); - } + break; + case OPT_PEERKEY: + if (!setup_peer(ctx, peerform, opt_arg())) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PEERFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform)) + goto opthelp; + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform)) + goto opthelp; + break; #ifndef OPENSSL_NO_ENGINE - else if (!strcmp(*argv, "-engine")) { - if (--argc < 1) - badarg = 1; - else - e = setup_engine(bio_err, *(++argv), 0); - } + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; #endif - else if (!strcmp(*argv, "-pubin")) + case OPT_PUBIN: key_type = KEY_PUBKEY; - else if (!strcmp(*argv, "-certin")) + break; + case OPT_CERTIN: key_type = KEY_CERT; - else if (!strcmp(*argv, "-asn1parse")) + break; + case OPT_ASN1PARSE: asn1parse = 1; - else if (!strcmp(*argv, "-hexdump")) + break; + case OPT_HEXDUMP: hexdump 
= 1; - else if (!strcmp(*argv, "-sign")) + break; + case OPT_SIGN: pkey_op = EVP_PKEY_OP_SIGN; - else if (!strcmp(*argv, "-verify")) + break; + case OPT_VERIFY: pkey_op = EVP_PKEY_OP_VERIFY; - else if (!strcmp(*argv, "-verifyrecover")) + break; + case OPT_VERIFYRECOVER: pkey_op = EVP_PKEY_OP_VERIFYRECOVER; - else if (!strcmp(*argv, "-rev")) + break; + case OPT_REV: rev = 1; - else if (!strcmp(*argv, "-encrypt")) + case OPT_ENCRYPT: pkey_op = EVP_PKEY_OP_ENCRYPT; - else if (!strcmp(*argv, "-decrypt")) + break; + case OPT_DECRYPT: pkey_op = EVP_PKEY_OP_DECRYPT; - else if (!strcmp(*argv, "-derive")) + break; + case OPT_DERIVE: pkey_op = EVP_PKEY_OP_DERIVE; - else if (strcmp(*argv, "-pkeyopt") == 0) { - if (--argc < 1) - badarg = 1; - else if (!ctx) { - BIO_puts(bio_err, "-pkeyopt command before -inkey\n"); - badarg = 1; - } else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) { - BIO_puts(bio_err, "parameter setting error\n"); + break; + case OPT_PKEYOPT: + if (ctx == NULL) { + BIO_printf(bio_err, + "%s: Must have -inkey before -pkeyopt\n", prog); + goto opthelp; + } + if (pkey_ctrl_string(ctx, opt_arg()) <= 0) { + BIO_printf(bio_err, "%s: Can't set parameter:\n", prog); ERR_print_errors(bio_err); goto end; } - } else - badarg = 1; - if (badarg) { - usage(); - goto end; + break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (!ctx) { - usage(); - goto end; - } + if (ctx == NULL) + goto opthelp; if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) { - BIO_puts(bio_err, "Signature file specified for non verify\n"); + BIO_printf(bio_err, + "%s: Signature file specified for non verify\n", prog); goto end; } if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) { - BIO_puts(bio_err, "No signature file specified for verify\n"); + BIO_printf(bio_err, + "%s: No signature file specified for verify\n", prog); goto end; } /* FIXME: seed PRNG only if needed */ - app_RAND_load_file(NULL, bio_err, 0); + app_RAND_load_file(NULL, 0); if (pkey_op != EVP_PKEY_OP_DERIVE) { 
- if (infile) { - if (!(in = BIO_new_file(infile, "rb"))) { - BIO_puts(bio_err, "Error Opening Input File\n"); - ERR_print_errors(bio_err); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - } - - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, "Error Creating Output File\n"); - ERR_print_errors(bio_err); + in = bio_open_default(infile, "rb"); + if (in == NULL) goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif } + out = bio_open_default(outfile, "wb"); + if (out == NULL) + goto end; if (sigfile) { BIO *sigbio = BIO_new_file(sigfile, "rb"); @@ -297,32 +291,30 @@ int MAIN(int argc, char **argv) if (pkey_op == EVP_PKEY_OP_VERIFY) { rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, buf_in, (size_t)buf_inlen); - if (rv == 0) - BIO_puts(out, "Signature Verification Failure\n"); - else if (rv == 1) + if (rv == 1) { BIO_puts(out, "Signature Verified Successfully\n"); - if (rv >= 0) - goto end; - } else { - rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - if (rv > 0) { - buf_out = OPENSSL_malloc(buf_outlen); - if (!buf_out) - rv = -1; - else - rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); - } + ret = 0; + } else + BIO_puts(out, "Signature Verification Failure\n"); + goto end; + } + rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); + if (rv > 0) { + buf_out = OPENSSL_malloc(buf_outlen); + if (!buf_out) + rv = -1; + else + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); } - if (rv <= 0) { - BIO_printf(bio_err, "Public Key operation error\n"); ERR_print_errors(bio_err); goto end; } ret = 0; + if (asn1parse) { if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) ERR_print_errors(bio_err); 
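Review bot: In the verify branch the new `else` covers every `rv` other than 1, so a negative return from `EVP_PKEY_verify` (an operational error, not a bad signature) is printed as "Signature Verification Failure" and jumps to `end` without the error queue being shown; before this change a negative `rv` fell through to `ERR_print_errors`. Keeping the two cases apart lets an operator tell a mismatching signature from a broken key or parameter setup: `else if (rv == 0) BIO_puts(out, "Signature Verification Failure\n");` followed by `else ERR_print_errors(bio_err);`. Further down, the hunk also drops the "Public Key operation error" line, so a failed `do_keyop` that leaves the error queue empty now exits without any message. The enclosing function starts and ends outside the hunk.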
@@ -344,38 +336,9 @@ int MAIN(int argc, char **argv) return ret; } -static void usage() -{ - BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-sigfile file signature file (verify operation only)\n"); - BIO_printf(bio_err, "-inkey file input key\n"); - BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); - BIO_printf(bio_err, "-pubin input is a public key\n"); - BIO_printf(bio_err, - "-certin input is a certificate carrying a public key\n"); - BIO_printf(bio_err, "-pkeyopt X:Y public key options\n"); - BIO_printf(bio_err, "-sign sign with private key\n"); - BIO_printf(bio_err, "-verify verify with public key\n"); - BIO_printf(bio_err, - "-verifyrecover verify with public key, recover original data\n"); - BIO_printf(bio_err, "-encrypt encrypt with public key\n"); - BIO_printf(bio_err, "-decrypt decrypt with private key\n"); - BIO_printf(bio_err, "-derive derive shared secret\n"); - BIO_printf(bio_err, "-hexdump hex dump output\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-passin arg pass phrase source\n"); - -} - static EVP_PKEY_CTX *init_ctx(int *pkeysize, char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e) + char *passinarg, int pkey_op, ENGINE *e) { EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; 
@@ -388,23 +351,21 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize, BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } switch (key_type) { case KEY_PRIVKEY: - pkey = load_key(bio_err, keyfile, keyform, 0, - passin, e, "Private Key"); + pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); break; case KEY_PUBKEY: - pkey = load_pubkey(bio_err, keyfile, keyform, 0, - NULL, e, "Public Key"); + pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key"); break; case KEY_CERT: - x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate"); + x = load_cert(keyfile, keyform, NULL, e, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); @@ -465,21 +426,20 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize, } -static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file) +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file) { EVP_PKEY *peer = NULL; int ret; if (!ctx) { - BIO_puts(err, "-peerkey command before -inkey\n"); + BIO_puts(bio_err, "-peerkey command before -inkey\n"); return 0; } - peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); + peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key"); if (!peer) { BIO_printf(bio_err, "Error reading peer key %s\n", file); - ERR_print_errors(err); + ERR_print_errors(bio_err); return 0; } @@ -487,7 +447,7 @@ static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, EVP_PKEY_free(peer); if (ret <= 0) - ERR_print_errors(err); + ERR_print_errors(bio_err); return ret; } diff --git a/apps/prime.c b/apps/prime.c index 1fb1c8d..04a83ab 100644 --- a/apps/prime.c +++ b/apps/prime.c 
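Review bot: `setup_peer` still ends with `return ret;` after the `if (ret <= 0)` check in the last pkeyutl.c hunk, so a negative `ret` is handed back to a caller that tests it with `!setup_peer(ctx, peerform, opt_arg())` in the `OPT_PEERKEY` case; a negative value is non-zero and would be treated there as success. The assignment to `ret` lies between this hunk and the previous one and is not visible, so whether it can be negative needs confirming, but normalising the result removes the doubt: `if (ret <= 0) { ERR_print_errors(bio_err); return 0; }` followed by `return 1;`.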
@@ -52,67 +52,66 @@ #include "apps.h" #include -#undef PROG -#define PROG prime_main - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS +} OPTION_CHOICE; + +OPTIONS prime_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"}, + {OPT_HELP_STR, 1, '-', + " number Number to check for primarility\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"hex", OPT_HEX, '-', "Hex output"}, + {"generate", OPT_GENERATE, '-', "Generate a prime"}, + {"bits", OPT_BITS, 'p', "Size of number in bits"}, + {"safe", OPT_SAFE, '-', + "When used with -generate, generate a safe prime"}, + {"checks", OPT_CHECKS, 'p', "Number of checks"}, + {NULL} +}; + +int prime_main(int argc, char **argv) { - int hex = 0; - int checks = 20; - int generate = 0; - int bits = 0; - int safe = 0; BIGNUM *bn = NULL; - BIO *bio_out; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - --argc; - ++argv; - while (argc >= 1 && **argv == '-') { - if (!strcmp(*argv, "-hex")) + int hex = 0, checks = 20, generate = 0, bits = 0, safe = 0, ret = 1; + char *prog; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, prime_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(prime_options); + ret = 0; + goto end; + case OPT_HEX: hex = 1; - else if (!strcmp(*argv, "-generate")) + break; + case OPT_GENERATE: generate = 1; - else if (!strcmp(*argv, "-bits")) - if (--argc < 1) - goto bad; - else - bits = atoi(*++argv); - else if (!strcmp(*argv, "-safe")) + break; + case OPT_BITS: + bits = atoi(opt_arg()); + break; + case OPT_SAFE: safe = 1; - else if (!strcmp(*argv, "-checks")) - if (--argc < 1) - goto bad; - else - checks 
= atoi(*++argv); - else { - BIO_printf(bio_err, "Unknown option '%s'\n", *argv); - goto bad; + break; + case OPT_CHECKS: + checks = atoi(opt_arg()); + break; } - --argc; - ++argv; } + argc = opt_num_rest(); + argv = opt_rest(); - if (argv[0] == NULL && !generate) { - BIO_printf(bio_err, "No prime specified\n"); - goto bad; - } - - if ((bio_out = BIO_new(BIO_s_file())) != NULL) { - BIO_set_fp(bio_out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - bio_out = BIO_push(tmpbio, bio_out); - } -#endif + if (argc == 0 && !generate) { + BIO_printf(bio_err, "%s: No prime specified\n", prog); + goto end; } if (generate) { @@ -120,7 +119,7 @@ int MAIN(int argc, char **argv) if (!bits) { BIO_printf(bio_err, "Specifiy the number of bits.\n"); - return 1; + goto end; } bn = BN_new(); BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL); @@ -128,24 +127,22 @@ int MAIN(int argc, char **argv) BIO_printf(bio_out, "%s\n", s); OPENSSL_free(s); } else { - if (hex) - BN_hex2bn(&bn, argv[0]); - else - BN_dec2bn(&bn, argv[0]); + for ( ; *argv; argv++) { + if (hex) + BN_hex2bn(&bn, argv[0]); + else + BN_dec2bn(&bn, argv[0]); - BN_print(bio_out, bn); - BIO_printf(bio_out, " is %sprime\n", - BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not "); + BN_print(bio_out, bn); + BIO_printf(bio_out, " (%s) %s prime\n", + argv[0], + BN_is_prime_ex(bn, checks, NULL, NULL) + ? "is" : "is not"); + } } BN_free(bn); - BIO_free_all(bio_out); - - return 0; - bad: - BIO_printf(bio_err, "options are\n"); - BIO_printf(bio_err, "%-14s hex\n", "-hex"); - BIO_printf(bio_err, "%-14s number of checks\n", "-checks "); - return 1; + end: + return ret; } diff --git a/apps/progs.h b/apps/progs.h index 9a8a192..33bdef7 100644 --- a/apps/progs.h +++ b/apps/progs.h 
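Review bot: `ret` is initialised to 1 in the new declaration line and the only place this hunk sets it to 0 is the `OPT_HELP` case; neither of the two later prime.c hunks adds an assignment before `end: return ret;`, so as far as the diff shows a successful primality check or `-generate` run still exits with status 1. Scripts that test the exit status would see every run as a failure and could not separate it from the `No prime specified` error path. Adding `ret = 0;` immediately before the `end:` label in the last hunk, once the work has completed, would fix it. `prime_main` continues past the end of this hunk.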
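Review bot: The new loop in the last prime.c hunk ignores the results of `BN_hex2bn`/`BN_dec2bn` and uses `BN_is_prime_ex(...)` directly as a boolean. A failed conversion returns 0, after which `bn` does not hold the argument that is printed next to the verdict, and `BN_is_prime_ex` returns -1 on error, which the `? "is" : "is not"` test reports as "is prime". Both results should be checked before anything is printed, and since the hunk places `end:` after `BN_free(bn)`, the label has to move above the free so the new error paths do not skip it. The start of `prime_main` is in an earlier hunk.

```c
        for ( ; *argv; argv++) {
            int r = hex ? BN_hex2bn(&bn, argv[0]) : BN_dec2bn(&bn, argv[0]);

            if (r == 0) {
                BIO_printf(bio_err, "%s: Failed to process value (%s)\n",
                           prog, argv[0]);
                goto end;
            }
            r = BN_is_prime_ex(bn, checks, NULL, NULL);
            if (r < 0) {
                ERR_print_errors(bio_err);
                goto end;
            }
            BN_print(bio_out, bn);
            BIO_printf(bio_out, " (%s) %s prime\n",
                       argv[0], r ? "is" : "is not");
        }
    }

 end:
    BN_free(bn);
    return ret;
```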
@@ -1,364 +1,415 @@ -/* apps/progs.h */ -/* automatically generated by progs.pl for openssl.c */ +/* + * Automatically generated by progs.pl for openssl.c + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * See the openssl.c for copyright details. + */ + +typedef enum FUNC_TYPE { + FT_none, FT_general, FT_md, FT_cipher, FT_pkey, + FT_md_alg, FT_cipher_alg +} FUNC_TYPE; + +typedef struct function_st { + FUNC_TYPE type; + const char *name; + int (*func)(int argc,char *argv[]); + const OPTIONS *help; +} FUNCTION; -extern int verify_main(int argc, char *argv[]); extern int asn1parse_main(int argc, char *argv[]); -extern int req_main(int argc, char *argv[]); -extern int dgst_main(int argc, char *argv[]); -extern int dh_main(int argc, char *argv[]); -extern int dhparam_main(int argc, char *argv[]); -extern int enc_main(int argc, char *argv[]); -extern int passwd_main(int argc, char *argv[]); -extern int gendh_main(int argc, char *argv[]); -extern int errstr_main(int argc, char *argv[]); extern int ca_main(int argc, char *argv[]); +extern int ciphers_main(int argc, char *argv[]); +extern int cms_main(int argc, char *argv[]); extern int crl_main(int argc, char *argv[]); -extern int rsa_main(int argc, char *argv[]); -extern int rsautl_main(int argc, char *argv[]); +extern int crl2pkcs7_main(int argc, char *argv[]); +extern int dgst_main(int argc, char *argv[]); +extern int dhparam_main(int argc, char *argv[]); extern int dsa_main(int argc, char *argv[]); extern int dsaparam_main(int argc, char *argv[]); extern int ec_main(int argc, char *argv[]); extern int ecparam_main(int argc, char *argv[]); -extern int x509_main(int argc, char *argv[]); -extern int genrsa_main(int argc, char *argv[]); +extern int enc_main(int argc, char *argv[]); +extern int engine_main(int argc, char *argv[]); +extern int errstr_main(int argc, char *argv[]); extern int gendsa_main(int argc, char *argv[]); extern int genpkey_main(int argc, char *argv[]); -extern int s_server_main(int 
argc, char *argv[]); -extern int s_client_main(int argc, char *argv[]); -extern int speed_main(int argc, char *argv[]); -extern int s_time_main(int argc, char *argv[]); -extern int version_main(int argc, char *argv[]); -extern int pkcs7_main(int argc, char *argv[]); -extern int cms_main(int argc, char *argv[]); -extern int crl2pkcs7_main(int argc, char *argv[]); -extern int sess_id_main(int argc, char *argv[]); -extern int ciphers_main(int argc, char *argv[]); +extern int genrsa_main(int argc, char *argv[]); extern int nseq_main(int argc, char *argv[]); +extern int ocsp_main(int argc, char *argv[]); +extern int passwd_main(int argc, char *argv[]); extern int pkcs12_main(int argc, char *argv[]); +extern int pkcs7_main(int argc, char *argv[]); extern int pkcs8_main(int argc, char *argv[]); extern int pkey_main(int argc, char *argv[]); extern int pkeyparam_main(int argc, char *argv[]); extern int pkeyutl_main(int argc, char *argv[]); -extern int spkac_main(int argc, char *argv[]); -extern int smime_main(int argc, char *argv[]); -extern int rand_main(int argc, char *argv[]); -extern int engine_main(int argc, char *argv[]); -extern int ocsp_main(int argc, char *argv[]); extern int prime_main(int argc, char *argv[]); -extern int ts_main(int argc, char *argv[]); +extern int rand_main(int argc, char *argv[]); +extern int req_main(int argc, char *argv[]); +extern int rsa_main(int argc, char *argv[]); +extern int rsautl_main(int argc, char *argv[]); +extern int s_client_main(int argc, char *argv[]); +extern int s_server_main(int argc, char *argv[]); +extern int s_time_main(int argc, char *argv[]); +extern int sess_id_main(int argc, char *argv[]); +extern int smime_main(int argc, char *argv[]); +extern int speed_main(int argc, char *argv[]); +extern int spkac_main(int argc, char *argv[]); extern int srp_main(int argc, char *argv[]); +extern int ts_main(int argc, char *argv[]); +extern int verify_main(int argc, char *argv[]); +extern int version_main(int argc, char *argv[]); 
+extern int x509_main(int argc, char *argv[]); +extern int list_main(int argc, char *argv[]); +extern int help_main(int argc, char *argv[]); +extern int exit_main(int argc, char *argv[]); -#define FUNC_TYPE_GENERAL 1 -#define FUNC_TYPE_MD 2 -#define FUNC_TYPE_CIPHER 3 -#define FUNC_TYPE_PKEY 4 -#define FUNC_TYPE_MD_ALG 5 -#define FUNC_TYPE_CIPHER_ALG 6 - -typedef struct { - int type; - const char *name; - int (*func) (int argc, char *argv[]); -} FUNCTION; -DECLARE_LHASH_OF(FUNCTION); - +#ifdef INCLUDE_FUNCTION_TABLE +extern OPTIONS asn1parse_options[]; +extern OPTIONS ca_options[]; +extern OPTIONS ciphers_options[]; +extern OPTIONS cms_options[]; +extern OPTIONS crl_options[]; +extern OPTIONS crl2pkcs7_options[]; +extern OPTIONS dgst_options[]; +extern OPTIONS dhparam_options[]; +extern OPTIONS dsa_options[]; +extern OPTIONS dsaparam_options[]; +extern OPTIONS ec_options[]; +extern OPTIONS ecparam_options[]; +extern OPTIONS enc_options[]; +extern OPTIONS engine_options[]; +extern OPTIONS errstr_options[]; +extern OPTIONS gendsa_options[]; +extern OPTIONS genpkey_options[]; +extern OPTIONS genrsa_options[]; +extern OPTIONS nseq_options[]; +extern OPTIONS ocsp_options[]; +extern OPTIONS passwd_options[]; +extern OPTIONS pkcs12_options[]; +extern OPTIONS pkcs7_options[]; +extern OPTIONS pkcs8_options[]; +extern OPTIONS pkey_options[]; +extern OPTIONS pkeyparam_options[]; +extern OPTIONS pkeyutl_options[]; +extern OPTIONS prime_options[]; +extern OPTIONS rand_options[]; +extern OPTIONS req_options[]; +extern OPTIONS rsa_options[]; +extern OPTIONS rsautl_options[]; +extern OPTIONS s_client_options[]; +extern OPTIONS s_server_options[]; +extern OPTIONS s_time_options[]; +extern OPTIONS sess_id_options[]; +extern OPTIONS smime_options[]; +extern OPTIONS speed_options[]; +extern OPTIONS spkac_options[]; +extern OPTIONS srp_options[]; +extern OPTIONS ts_options[]; +extern OPTIONS verify_options[]; +extern OPTIONS version_options[]; +extern OPTIONS x509_options[]; +extern 
OPTIONS list_options[]; +extern OPTIONS help_options[]; +extern OPTIONS exit_options[]; FUNCTION functions[] = { - {FUNC_TYPE_GENERAL, "verify", verify_main}, - {FUNC_TYPE_GENERAL, "asn1parse", asn1parse_main}, - {FUNC_TYPE_GENERAL, "req", req_main}, - {FUNC_TYPE_GENERAL, "dgst", dgst_main}, -#ifndef OPENSSL_NO_DH - {FUNC_TYPE_GENERAL, "dh", dh_main}, + { FT_general, "asn1parse", asn1parse_main, asn1parse_options }, + { FT_general, "ca", ca_main, ca_options }, +#if !defined(OPENSSL_NO_SOCK) + { FT_general, "ciphers", ciphers_main, ciphers_options }, #endif -#ifndef OPENSSL_NO_DH - {FUNC_TYPE_GENERAL, "dhparam", dhparam_main}, +#ifndef OPENSSL_NO_CMS + { FT_general, "cms", cms_main, cms_options }, #endif - {FUNC_TYPE_GENERAL, "enc", enc_main}, - {FUNC_TYPE_GENERAL, "passwd", passwd_main}, + { FT_general, "crl", crl_main, crl_options }, + { FT_general, "crl2pkcs7", crl2pkcs7_main, crl2pkcs7_options }, + { FT_general, "dgst", dgst_main, dgst_options }, #ifndef OPENSSL_NO_DH - {FUNC_TYPE_GENERAL, "gendh", gendh_main}, -#endif - {FUNC_TYPE_GENERAL, "errstr", errstr_main}, - {FUNC_TYPE_GENERAL, "ca", ca_main}, - {FUNC_TYPE_GENERAL, "crl", crl_main}, -#ifndef OPENSSL_NO_RSA - {FUNC_TYPE_GENERAL, "rsa", rsa_main}, -#endif -#ifndef OPENSSL_NO_RSA - {FUNC_TYPE_GENERAL, "rsautl", rsautl_main}, + { FT_general, "dhparam", dhparam_main, dhparam_options }, #endif #ifndef OPENSSL_NO_DSA - {FUNC_TYPE_GENERAL, "dsa", dsa_main}, + { FT_general, "dsa", dsa_main, dsa_options }, #endif #ifndef OPENSSL_NO_DSA - {FUNC_TYPE_GENERAL, "dsaparam", dsaparam_main}, + { FT_general, "dsaparam", dsaparam_main, dsaparam_options }, #endif #ifndef OPENSSL_NO_EC - {FUNC_TYPE_GENERAL, "ec", ec_main}, + { FT_general, "ec", ec_main, ec_options }, #endif #ifndef OPENSSL_NO_EC - {FUNC_TYPE_GENERAL, "ecparam", ecparam_main}, + { FT_general, "ecparam", ecparam_main, ecparam_options }, #endif - {FUNC_TYPE_GENERAL, "x509", x509_main}, -#ifndef OPENSSL_NO_RSA - {FUNC_TYPE_GENERAL, "genrsa", genrsa_main}, + { 
FT_general, "enc", enc_main, enc_options }, +#ifndef OPENSSL_NO_ENGINE + { FT_general, "engine", engine_main, engine_options }, #endif + { FT_general, "errstr", errstr_main, errstr_options }, #ifndef OPENSSL_NO_DSA - {FUNC_TYPE_GENERAL, "gendsa", gendsa_main}, + { FT_general, "gendsa", gendsa_main, gendsa_options }, #endif - {FUNC_TYPE_GENERAL, "genpkey", genpkey_main}, -#if !defined(OPENSSL_NO_SOCK) - {FUNC_TYPE_GENERAL, "s_server", s_server_main}, + { FT_general, "genpkey", genpkey_main, genpkey_options }, +#ifndef OPENSSL_NO_RSA + { FT_general, "genrsa", genrsa_main, genrsa_options }, #endif -#if !defined(OPENSSL_NO_SOCK) - {FUNC_TYPE_GENERAL, "s_client", s_client_main}, + { FT_general, "nseq", nseq_main, nseq_options }, +#ifndef OPENSSL_NO_OCSP + { FT_general, "ocsp", ocsp_main, ocsp_options }, #endif - {FUNC_TYPE_GENERAL, "speed", speed_main}, -#if !defined(OPENSSL_NO_SOCK) - {FUNC_TYPE_GENERAL, "s_time", s_time_main}, + { FT_general, "passwd", passwd_main, passwd_options }, +#if !defined(OPENSSL_NO_DES) + { FT_general, "pkcs12", pkcs12_main, pkcs12_options }, +#endif + { FT_general, "pkcs7", pkcs7_main, pkcs7_options }, + { FT_general, "pkcs8", pkcs8_main, pkcs8_options }, + { FT_general, "pkey", pkey_main, pkey_options }, + { FT_general, "pkeyparam", pkeyparam_main, pkeyparam_options }, + { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options }, + { FT_general, "prime", prime_main, prime_options }, + { FT_general, "rand", rand_main, rand_options }, + { FT_general, "req", req_main, req_options }, +#ifndef OPENSSL_NO_RSA + { FT_general, "rsa", rsa_main, rsa_options }, #endif - {FUNC_TYPE_GENERAL, "version", version_main}, - {FUNC_TYPE_GENERAL, "pkcs7", pkcs7_main}, -#ifndef OPENSSL_NO_CMS - {FUNC_TYPE_GENERAL, "cms", cms_main}, +#ifndef OPENSSL_NO_RSA + { FT_general, "rsautl", rsautl_main, rsautl_options }, #endif - {FUNC_TYPE_GENERAL, "crl2pkcs7", crl2pkcs7_main}, - {FUNC_TYPE_GENERAL, "sess_id", sess_id_main}, #if !defined(OPENSSL_NO_SOCK) - 
{FUNC_TYPE_GENERAL, "ciphers", ciphers_main}, + { FT_general, "s_client", s_client_main, s_client_options }, #endif - {FUNC_TYPE_GENERAL, "nseq", nseq_main}, -#if !defined(OPENSSL_NO_DES) - {FUNC_TYPE_GENERAL, "pkcs12", pkcs12_main}, -#endif - {FUNC_TYPE_GENERAL, "pkcs8", pkcs8_main}, - {FUNC_TYPE_GENERAL, "pkey", pkey_main}, - {FUNC_TYPE_GENERAL, "pkeyparam", pkeyparam_main}, - {FUNC_TYPE_GENERAL, "pkeyutl", pkeyutl_main}, - {FUNC_TYPE_GENERAL, "spkac", spkac_main}, - {FUNC_TYPE_GENERAL, "smime", smime_main}, - {FUNC_TYPE_GENERAL, "rand", rand_main}, -#ifndef OPENSSL_NO_ENGINE - {FUNC_TYPE_GENERAL, "engine", engine_main}, +#if !defined(OPENSSL_NO_SOCK) + { FT_general, "s_server", s_server_main, s_server_options }, #endif -#ifndef OPENSSL_NO_OCSP - {FUNC_TYPE_GENERAL, "ocsp", ocsp_main}, +#if !defined(OPENSSL_NO_SOCK) + { FT_general, "s_time", s_time_main, s_time_options }, #endif - {FUNC_TYPE_GENERAL, "prime", prime_main}, - {FUNC_TYPE_GENERAL, "ts", ts_main}, + { FT_general, "sess_id", sess_id_main, sess_id_options }, + { FT_general, "smime", smime_main, smime_options }, + { FT_general, "speed", speed_main, speed_options }, + { FT_general, "spkac", spkac_main, spkac_options }, #ifndef OPENSSL_NO_SRP - {FUNC_TYPE_GENERAL, "srp", srp_main}, -#endif + { FT_general, "srp", srp_main, srp_options }, +#endif + { FT_general, "ts", ts_main, ts_options }, + { FT_general, "verify", verify_main, verify_options }, + { FT_general, "version", version_main, version_options }, + { FT_general, "x509", x509_main, x509_options }, + { FT_general, "list", list_main, list_options }, + { FT_general, "help", help_main, help_options }, + { FT_general, "exit", exit_main, exit_options }, #ifndef OPENSSL_NO_MD2 - {FUNC_TYPE_MD, "md2", dgst_main}, + { FT_md, "md2", dgst_main}, #endif #ifndef OPENSSL_NO_MD4 - {FUNC_TYPE_MD, "md4", dgst_main}, + { FT_md, "md4", dgst_main}, #endif #ifndef OPENSSL_NO_MD5 - {FUNC_TYPE_MD, "md5", dgst_main}, + { FT_md, "md5", dgst_main}, #endif - {FUNC_TYPE_MD, 
"sha", dgst_main}, - {FUNC_TYPE_MD, "sha1", dgst_main}, +#ifndef OPENSSL_NO_MD_GHOST94 + { FT_md, "md_ghost94", dgst_main}, +#endif + { FT_md, "sha", dgst_main}, + { FT_md, "sha1", dgst_main}, + { FT_md, "sha224", dgst_main}, + { FT_md, "sha256", dgst_main}, + { FT_md, "sha384", dgst_main}, + { FT_md, "sha512", dgst_main}, #ifndef OPENSSL_NO_MDC2 - {FUNC_TYPE_MD, "mdc2", dgst_main}, + { FT_md, "mdc2", dgst_main}, #endif #ifndef OPENSSL_NO_RMD160 - {FUNC_TYPE_MD, "rmd160", dgst_main}, + { FT_md, "rmd160", dgst_main}, #endif - {FUNC_TYPE_MD, "sha224", dgst_main}, - {FUNC_TYPE_MD, "sha256", dgst_main}, - {FUNC_TYPE_MD, "sha384", dgst_main}, - {FUNC_TYPE_MD, "sha512", dgst_main}, #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-128-cbc", enc_main}, + { FT_cipher, "aes-128-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-128-ecb", enc_main}, + { FT_cipher, "aes-128-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-192-cbc", enc_main}, + { FT_cipher, "aes-192-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-192-ecb", enc_main}, + { FT_cipher, "aes-192-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-256-cbc", enc_main}, + { FT_cipher, "aes-256-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_AES - {FUNC_TYPE_CIPHER, "aes-256-ecb", enc_main}, + { FT_cipher, "aes-256-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-128-cbc", enc_main}, + { FT_cipher, "camellia-128-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-128-ecb", enc_main}, + { FT_cipher, "camellia-128-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-192-cbc", enc_main}, + { FT_cipher, "camellia-192-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-192-ecb", enc_main}, + 
{ FT_cipher, "camellia-192-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-256-cbc", enc_main}, + { FT_cipher, "camellia-256-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAMELLIA - {FUNC_TYPE_CIPHER, "camellia-256-ecb", enc_main}, + { FT_cipher, "camellia-256-ecb", enc_main, enc_options }, #endif - {FUNC_TYPE_CIPHER, "base64", enc_main}, + { FT_cipher, "base64", enc_main, enc_options }, #ifdef ZLIB - {FUNC_TYPE_CIPHER, "zlib", enc_main}, + { FT_cipher, "zlib", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des", enc_main}, + { FT_cipher, "des", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des3", enc_main}, + { FT_cipher, "des3", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "desx", enc_main}, + { FT_cipher, "desx", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_IDEA - {FUNC_TYPE_CIPHER, "idea", enc_main}, + { FT_cipher, "idea", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_SEED - {FUNC_TYPE_CIPHER, "seed", enc_main}, + { FT_cipher, "seed", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC4 - {FUNC_TYPE_CIPHER, "rc4", enc_main}, + { FT_cipher, "rc4", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC4 - {FUNC_TYPE_CIPHER, "rc4-40", enc_main}, + { FT_cipher, "rc4-40", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2", enc_main}, + { FT_cipher, "rc2", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_BF - {FUNC_TYPE_CIPHER, "bf", enc_main}, + { FT_cipher, "bf", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast", enc_main}, + { FT_cipher, "cast", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC5 - {FUNC_TYPE_CIPHER, "rc5", enc_main}, + { FT_cipher, "rc5", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ecb", enc_main}, + { FT_cipher, "des-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - 
{FUNC_TYPE_CIPHER, "des-ede", enc_main}, + { FT_cipher, "des-ede", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede3", enc_main}, + { FT_cipher, "des-ede3", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-cbc", enc_main}, + { FT_cipher, "des-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede-cbc", enc_main}, + { FT_cipher, "des-ede-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede3-cbc", enc_main}, + { FT_cipher, "des-ede3-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-cfb", enc_main}, + { FT_cipher, "des-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede-cfb", enc_main}, + { FT_cipher, "des-ede-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede3-cfb", enc_main}, + { FT_cipher, "des-ede3-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ofb", enc_main}, + { FT_cipher, "des-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede-ofb", enc_main}, + { FT_cipher, "des-ede-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_DES - {FUNC_TYPE_CIPHER, "des-ede3-ofb", enc_main}, + { FT_cipher, "des-ede3-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_IDEA - {FUNC_TYPE_CIPHER, "idea-cbc", enc_main}, + { FT_cipher, "idea-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_IDEA - {FUNC_TYPE_CIPHER, "idea-ecb", enc_main}, + { FT_cipher, "idea-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_IDEA - {FUNC_TYPE_CIPHER, "idea-cfb", enc_main}, + { FT_cipher, "idea-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_IDEA - {FUNC_TYPE_CIPHER, "idea-ofb", enc_main}, + { FT_cipher, "idea-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_SEED - {FUNC_TYPE_CIPHER, "seed-cbc", enc_main}, + { FT_cipher, "seed-cbc", 
enc_main, enc_options }, #endif #ifndef OPENSSL_NO_SEED - {FUNC_TYPE_CIPHER, "seed-ecb", enc_main}, + { FT_cipher, "seed-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_SEED - {FUNC_TYPE_CIPHER, "seed-cfb", enc_main}, + { FT_cipher, "seed-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_SEED - {FUNC_TYPE_CIPHER, "seed-ofb", enc_main}, + { FT_cipher, "seed-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-cbc", enc_main}, + { FT_cipher, "rc2-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-ecb", enc_main}, + { FT_cipher, "rc2-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-cfb", enc_main}, + { FT_cipher, "rc2-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-ofb", enc_main}, + { FT_cipher, "rc2-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-64-cbc", enc_main}, + { FT_cipher, "rc2-64-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC2 - {FUNC_TYPE_CIPHER, "rc2-40-cbc", enc_main}, + { FT_cipher, "rc2-40-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_BF - {FUNC_TYPE_CIPHER, "bf-cbc", enc_main}, + { FT_cipher, "bf-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_BF - {FUNC_TYPE_CIPHER, "bf-ecb", enc_main}, + { FT_cipher, "bf-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_BF - {FUNC_TYPE_CIPHER, "bf-cfb", enc_main}, + { FT_cipher, "bf-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_BF - {FUNC_TYPE_CIPHER, "bf-ofb", enc_main}, + { FT_cipher, "bf-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast5-cbc", enc_main}, + { FT_cipher, "cast5-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast5-ecb", enc_main}, + { FT_cipher, "cast5-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast5-cfb", enc_main}, + { FT_cipher, 
"cast5-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast5-ofb", enc_main}, + { FT_cipher, "cast5-ofb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_CAST - {FUNC_TYPE_CIPHER, "cast-cbc", enc_main}, + { FT_cipher, "cast-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC5 - {FUNC_TYPE_CIPHER, "rc5-cbc", enc_main}, + { FT_cipher, "rc5-cbc", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC5 - {FUNC_TYPE_CIPHER, "rc5-ecb", enc_main}, + { FT_cipher, "rc5-ecb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC5 - {FUNC_TYPE_CIPHER, "rc5-cfb", enc_main}, + { FT_cipher, "rc5-cfb", enc_main, enc_options }, #endif #ifndef OPENSSL_NO_RC5 - {FUNC_TYPE_CIPHER, "rc5-ofb", enc_main}, + { FT_cipher, "rc5-ofb", enc_main, enc_options }, #endif - {0, NULL, NULL} + { 0, NULL, NULL} }; +#endif diff --git a/apps/progs.pl b/apps/progs.pl index 09dd00b..38e091e 100644 --- a/apps/progs.pl +++ b/apps/progs.pl 
@@ -1,67 +1,80 @@ #!/usr/local/bin/perl - -print "/* apps/progs.h */\n"; -print "/* automatically generated by progs.pl for openssl.c */\n\n"; - -grep(s/^asn1pars$/asn1parse/, at ARGV); - -foreach (@ARGV) - { printf "extern int %s_main(int argc, char *argv[]);\n",$_; } +# Generate progs.h file from list of "programs" passed on the command line. print <<'EOF'; +/* + * Automatically generated by progs.pl for openssl.c + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * See the openssl.c for copyright details. + */ -#define FUNC_TYPE_GENERAL 1 -#define FUNC_TYPE_MD 2 -#define FUNC_TYPE_CIPHER 3 -#define FUNC_TYPE_PKEY 4 -#define FUNC_TYPE_MD_ALG 5 -#define FUNC_TYPE_CIPHER_ALG 6 +typedef enum FUNC_TYPE { + FT_none, FT_general, FT_md, FT_cipher, FT_pkey, + FT_md_alg, FT_cipher_alg +} FUNC_TYPE; -typedef struct { - int type; +typedef struct function_st { + FUNC_TYPE type; const char *name; - int (*func) (int argc, char *argv[]); + int (*func)(int argc,char *argv[]); + const OPTIONS *help; } FUNCTION; -DECLARE_LHASH_OF(FUNCTION); -FUNCTION functions[] = { EOF -foreach (@ARGV) - { - push(@files,$_); - $str=" {FUNC_TYPE_GENERAL, \"$_\", ${_}_main},\n"; - if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/)) - { print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; } - elsif ( ($_ =~ /^engine$/)) - { print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; } - elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) - { print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n"; } - elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/)) - { print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; } - elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/)) - { print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";} - elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/)) - { print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; } - elsif ( ($_ =~ /^pkcs12$/)) - { print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n"; } - elsif ( ($_ =~ /^cms$/)) - { print "#ifndef 
OPENSSL_NO_CMS\n${str}#endif\n"; } - elsif ( ($_ =~ /^ocsp$/)) - { print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; } - elsif ( ($_ =~ /^srp$/)) - { print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; } - else - { print $str; } +grep(s/\.o//, @ARGV); +grep(s/^asn1pars$/asn1parse/, @ARGV); +grep(s/^crl2p7$/crl2pkcs7/, @ARGV); +push @ARGV, 'list'; +push @ARGV, 'help'; +push @ARGV, 'exit'; + +foreach (@ARGV) { + printf "extern int %s_main(int argc, char *argv[]);\n", $_; +} + +printf "\n#ifdef INCLUDE_FUNCTION_TABLE\n"; +foreach (@ARGV) { + printf "extern OPTIONS %s_options[];\n", $_; +} +printf "FUNCTION functions[] = {\n"; +foreach (@ARGV) { + $str=" { FT_general, \"$_\", ${_}_main, ${_}_options },\n"; + if (/^s_/ || /^ciphers$/) { + print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; + } elsif (/^engine$/) { + print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; + } elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) { + print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n"; + } elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) { + print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; + } elsif (/^ec$/ || /^ecparam$/) { + print "#ifndef OPENSSL_NO_EC\n${str}#endif\n"; + } elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) { + print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; + } elsif (/^pkcs12$/) { + print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n"; + } elsif (/^cms$/) { + print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; + } elsif (/^ocsp$/) { + print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; + } elsif (/^srp$/) { + print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; + } else { + print $str; } +} -foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160","sha224","sha256","sha384","sha512") - { - push(@files,$_); +foreach ( + "md2", "md4", "md5", + "md_ghost94", + "sha", "sha1", "sha224", "sha256", "sha384", "sha512", + "mdc2", "rmd160" +) { printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! 
/sha/; - printf " {FUNC_TYPE_MD, \"".$_."\", dgst_main},\n"; + printf " { FT_md, \"".$_."\", dgst_main},\n"; printf "#endif\n" if ! /sha/; - } +} foreach ( "aes-128-cbc", "aes-128-ecb", 
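Review bot: The digest rows are still printed with three initialisers (`{ FT_md, "...", dgst_main}`) although this hunk gives `FUNCTION` a fourth member, `help`. Every digest entry therefore carries a NULL `help`, while the general and cipher rows carry an options table, and any code that walks `functions[]` has to tolerate that. If `dgst` is among the programs passed in, so that `dgst_options` is declared by the loop above, the row could read `printf " { FT_md, \"".$_."\", dgst_main, dgst_options },\n";`. Separately, the new list entry `"md_ghost94"` produces the guard `OPENSSL_NO_MD_GHOST94`; the spelling looks like a slip for the GOST digest name and should be checked against the macro the build actually defines, otherwise the row is compiled in unconditionally.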
@@ -82,23 +95,35 @@ foreach ( "rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc", "bf-cbc", "bf-ecb", "bf-cfb", "bf-ofb", "cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb", - "cast-cbc", "rc5-cbc", "rc5-ecb", "rc5-cfb", "rc5-ofb") - { - push(@files,$_); - - $t=sprintf(" {FUNC_TYPE_CIPHER, \"%s\", enc_main},\n", $_); - if ($_ =~ /des/) { $t="#ifndef OPENSSL_NO_DES\n${t}#endif\n"; } - elsif ($_ =~ /aes/) { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; } - elsif ($_ =~ /camellia/) { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; } - elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; } - elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; } - elsif ($_ =~ /rc4/) { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; } - elsif ($_ =~ /rc2/) { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; } - elsif ($_ =~ /bf/) { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; } - elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; } - elsif ($_ =~ /rc5/) { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; } - elsif ($_ =~ /zlib/) { $t="#ifdef ZLIB\n${t}#endif\n"; } - print $t; + "cast-cbc", "rc5-cbc", "rc5-ecb", "rc5-cfb", "rc5-ofb" +) { + $str=" { FT_cipher, \"$_\", enc_main, enc_options },\n"; + if (/des/) { + printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n"; + } elsif (/aes/) { + printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n"; + } elsif (/camellia/) { + printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n"; + } elsif (/idea/) { + printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n"; + } elsif (/seed/) { + printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n"; + } elsif (/rc4/) { + printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n"; + } elsif (/rc2/) { + printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n"; + } elsif (/bf/) { + printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n"; + } elsif (/cast/) { + printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n"; + } elsif (/rc5/) { + printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n"; + } elsif (/zlib/) { + printf "#ifdef 
ZLIB\n${str}#endif\n"; + } else { + print $str; } +} -print " {0, NULL, NULL}\n};\n"; +print " { 0, NULL, NULL}\n};\n"; +printf "#endif\n"; diff --git a/apps/rand.c b/apps/rand.c index 45f16b9..9a73935 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -1,4 +1,3 @@ -/* apps/rand.c */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * 
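Review bot: The guarded cipher rows are written with `printf` and an interpolated string as the format (`printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";`), while the unguarded branch uses `print $str`. The names are a fixed list today, so nothing is misformatted. A row containing `%` would be consumed as a conversion, though, and the mix of the two calls is needless. Use `print "#ifndef OPENSSL_NO_DES\n${str}#endif\n";` in every branch, and likewise `print "#endif\n";` for the closing line.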
@@ -63,135 +62,87 @@ #include #include -#undef PROG -#define PROG rand_main - -/*- - * -out file - write to file - * -rand file:file - PRNG seed files - * -base64 - base64 encode output - * -hex - hex encode output - * num - write 'num' bytes - */ - -int MAIN(int, char **); - -int MAIN(int argc, char **argv) -{ - int i, r, ret = 1; - int badopt; - char *outfile = NULL; - char *inrand = NULL; - int base64 = 0; - int hex = 0; - BIO *out = NULL; - int num = -1; +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUT, OPT_ENGINE, OPT_RAND, OPT_BASE64, OPT_HEX +} OPTION_CHOICE; + +OPTIONS rand_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output file"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"base64", OPT_BASE64, '-', "Base64 encode output"}, + {"hex", OPT_HEX, '-', "Hex encode output"}, #ifndef OPENSSL_NO_ENGINE - char *engine = NULL; + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif + {NULL} +}; - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto err; - - badopt = 0; - i = 0; - while (!badopt && argv[++i] != NULL) { - if (strcmp(argv[i], "-out") == 0) { - if ((argv[i + 1] != NULL) && (outfile == NULL)) - outfile = argv[++i]; - else - badopt = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(argv[i], "-engine") == 0) { - if ((argv[i + 1] != NULL) && (engine == NULL)) - engine = argv[++i]; - else - badopt = 1; +int rand_main(int argc, char **argv) +{ + BIO *out = NULL; + char *engine = NULL, *inrand = NULL, *outfile = NULL, *prog; + OPTION_CHOICE o; + int base64 = 0, hex = 0, i, num = -1, r, ret = 1; + + prog = opt_init(argc, argv, rand_options); + while ((o = opt_next()) != OPT_EOF) { 
+ switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rand_options); + ret = 0; + goto end; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_BASE64: + base64 = 1; + break; + case OPT_HEX: + hex = 1; + break; } -#endif - else if (strcmp(argv[i], "-rand") == 0) { - if ((argv[i + 1] != NULL) && (inrand == NULL)) - inrand = argv[++i]; - else - badopt = 1; - } else if (strcmp(argv[i], "-base64") == 0) { - if (!base64) - base64 = 1; - else - badopt = 1; - } else if (strcmp(argv[i], "-hex") == 0) { - if (!hex) - hex = 1; - else - badopt = 1; - } else if (isdigit((unsigned char)argv[i][0])) { - if (num < 0) { - r = sscanf(argv[i], "%d", &num); - if (r == 0 || num < 0) - badopt = 1; - } else - badopt = 1; - } else - badopt = 1; } + argc = opt_num_rest(); + argv = opt_rest(); - if (hex && base64) - badopt = 1; + if (argc != 1 || (hex && base64)) + goto opthelp; + if (sscanf(argv[0], "%d", &num) != 1 || num < 0) + goto opthelp; - if (num < 0) - badopt = 1; - - if (badopt) { - BIO_printf(bio_err, "Usage: rand [options] num\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-out file - write to file\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e - use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-rand file%cfile%c... 
- seed PRNG from files\n", - LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "-base64 - base64 encode output\n"); - BIO_printf(bio_err, "-hex - hex encode output\n"); - goto err; - } #ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); #endif - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); - out = BIO_new(BIO_s_file()); + out = bio_open_default(outfile, "w"); if (out == NULL) - goto err; - if (outfile != NULL) - r = BIO_write_filename(out, outfile); - else { - r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - if (r <= 0) - goto err; + goto end; if (base64) { BIO *b64 = BIO_new(BIO_f_base64()); if (b64 == NULL) - goto err; + goto end; out = BIO_push(b64, out); } @@ -204,7 +155,7 @@ int MAIN(int argc, char **argv) chunk = sizeof buf; r = RAND_bytes(buf, chunk); if (r <= 0) - goto err; + goto end; if (!hex) BIO_write(out, buf, chunk); else { @@ -217,12 +168,10 @@ int MAIN(int argc, char **argv) BIO_puts(out, "\n"); (void)BIO_flush(out); - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); ret = 0; - err: - ERR_print_errors(bio_err); + end: BIO_free_all(out); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/req.c b/apps/req.c index 3cedf2c..1237c33 100644 --- a/apps/req.c +++ b/apps/req.c @@ -1,4 +1,3 @@ -/* apps/req.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
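Review bot: In `rand_main` the output is now opened with `bio_open_default(outfile, "w")` regardless of encoding, yet without `-hex` or `-base64` the bytes written are raw binary. `bio_open_default` is not shown here, but the `RB(informat)` argument used in req.c suggests the mode string is passed through, in which case a text-mode stream can alter the random output on platforms that translate line endings. Consider `out = bio_open_default(outfile, (hex || base64) ? "w" : "wb");`. The count is still parsed with `sscanf(argv[0], "%d", &num) != 1`, which accepts trailing garbage such as `16x`; `strtol` with an end-pointer check would reject it.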
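Review bot: The `end:` label in `rand_main` no longer calls `ERR_print_errors(bio_err)`, so a failing `RAND_bytes()` (the `r <= 0` path that jumps here) exits with status 1 and no diagnostic unless the caller prints the error queue, which this page does not show. `req_main` in the same commit keeps the report behind `if (ret)`. For consistency, and so that a random-generator failure is visible to the operator, add `if (ret != 0) ERR_print_errors(bio_err);` before `BIO_free_all(out);`.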
@@ -93,30 +92,6 @@ #define DEFAULT_KEY_LENGTH 512 #define MIN_KEY_LENGTH 384 -#undef PROG -#define PROG req_main - -/*- - * -inform arg - input format - default PEM (DER or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -verify - check request signature - * -noout - don't print stuff out. - * -text - print out human readable text. - * -nodes - no des encryption - * -config file - Load configuration file. - * -key file - make a request using key in file (or use it for verification). - * -keyform arg - key file format. - * -rand file(s) - load the file(s) into the PRNG. - * -newkey - make a key and a request. - * -modulus - print RSA modulus. - * -pubkey - output Public Key. - * -x509 - output a self signed X509 structure instead. - * -asn1-kludge - output new certificate request in a format that some CA's - * require. This format is wrong - */ - static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, int attribs, unsigned long chtype); static int build_subject(X509_REQ *req, char *subj, unsigned long chtype, 
@@ -137,323 +112,270 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def, static int genpkey_cb(EVP_PKEY_CTX *ctx); static int req_check_len(int len, int n_min, int n_max); static int check_end(const char *str, const char *end); -static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, +static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, int *pkey_type, long *pkeylen, char **palgnam, ENGINE *keygen_engine); -#ifndef MONOLITH -static char *default_config_file = NULL; -#endif static CONF *req_conf = NULL; static int batch = 0; -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY, + OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, + OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY, + OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, + OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, + OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJECT, OPT_TEXT, OPT_X509, + OPT_ASN1_KLUDGE, OPT_NO_ASN1_KLUDGE, OPT_MULTIVALUE_RDN, + OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, OPT_REQEXTS, OPT_MD +} OPTION_CHOICE; + +OPTIONS req_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"keygen_engine", OPT_KEYGEN_ENGINE, 's'}, + {"key", OPT_KEY, '<', "Use the private key contained in file"}, + {"keyform", OPT_KEYFORM, 'F', "Key file format"}, + {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"new", OPT_NEW, '-', "New request"}, + {"config", OPT_CONFIG, '<', "Request template file"}, + {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, + {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"passout", OPT_PASSOUT, 's'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + 
{"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, + {"pkeyopt", OPT_PKEYOPT, 's'}, + {"sigopt", OPT_SIGOPT, 's'}, + {"batch", OPT_BATCH, '-', + "Do not ask anything during request generation"}, + {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, + {"modulus", OPT_MODULUS, '-', "RSA modulus"}, + {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, + {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, + {"noout", OPT_NOOUT, '-', "Do not output REQ"}, + {"verbose", OPT_VERBOSE, '-'}, + {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"reqopt", OPT_REQOPT, 's', "Various request text options"}, + {"text", OPT_TEXT, '-', "Text form of request"}, + {"x509", OPT_X509, '-', + "Output a x509 structure instead of a cert request"}, + {"asn1-kludge", OPT_ASN1_KLUDGE, '-', + "Output the request in a format that is wrong"}, + {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, + {"no-asn1-kludge", OPT_NO_ASN1_KLUDGE, '-'}, + {"subject", OPT_SUBJECT, 's', "Output the request's subject"}, + {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', + "Enable support for multivalued RDNs"}, + {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, + {"set-serial", OPT_SET_SERIAL, 'p', "Serial number to use"}, + {"extensions", OPT_EXTENSIONS, 's', + "Cert extension section (override value in config file)"}, + {"reqexts", OPT_REQEXTS, 's', + "Request extension section (override value in config file)"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"", OPT_MD, '-', "Any supported digest"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int req_main(int argc, char **argv) { + ASN1_INTEGER *serial = NULL; + BIO *in = NULL, *out = NULL; ENGINE *e = NULL, *gen_eng = NULL; - unsigned long nmflag = 0, reqflag = 0; - int ex = 1, x509 = 0, days = 30; - X509 *x509ss = NULL; - X509_REQ *req = NULL; + EVP_PKEY *pkey = NULL; 
EVP_PKEY_CTX *genctx = NULL; - const char *keyalg = NULL; - char *keyalgstr = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; - EVP_PKEY *pkey = NULL; - int i = 0, badops = 0, newreq = 0, verbose = 0, pkey_type = -1; - long newkey = -1; - BIO *in = NULL, *out = NULL; - int informat, outformat, verify = 0, noout = 0, text = 0, keyform = - FORMAT_PEM; - int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0; - char *infile, *outfile, *prog, *keyfile = NULL, *template = - NULL, *keyout = NULL; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - char *extensions = NULL; - char *req_exts = NULL; + X509 *x509ss = NULL; + X509_REQ *req = NULL; const EVP_CIPHER *cipher = NULL; - ASN1_INTEGER *serial = NULL; - int modulus = 0; - char *inrand = NULL; - char *passargin = NULL, *passargout = NULL; - char *passin = NULL, *passout = NULL; - char *p; - char *subj = NULL; - int multirdn = 0; const EVP_MD *md_alg = NULL, *digest = NULL; - unsigned long chtype = MBSTRING_ASC; -#ifndef MONOLITH - char *to_free; - long errline; -#endif + char *engine = NULL, *extensions = NULL, *infile = NULL; + char *outfile = NULL, *keyfile = NULL, *inrand = NULL; + char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; + char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL; + char *template = NULL, *keyout = NULL; + const char *keyalg = NULL; + OPTION_CHOICE o; + int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = + 0, pkey_type = -1; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; + int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; + int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0; + long newkey = -1; + unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0; - req_conf = NULL; #ifndef OPENSSL_NO_DES cipher = EVP_des_ede3_cbc(); #endif - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, 
BIO_NOCLOSE | BIO_FP_TEXT); - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } + + prog = opt_init(argc, argv, req_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(req_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; #ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } else if (strcmp(*argv, "-keygen_engine") == 0) { - if (--argc < 1) - goto bad; - gen_eng = ENGINE_by_id(*(++argv)); + case OPT_ENGINE: + engine = optarg; + break; + case OPT_KEYGEN_ENGINE: + gen_eng = ENGINE_by_id(opt_arg()); if (gen_eng == NULL) { BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); goto end; } - } + break; #endif - else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - } else if (strcmp(*argv, "-pubkey") == 0) { + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_PUBKEY: pubkey = 1; - } else if (strcmp(*argv, "-new") == 0) { + break; + case OPT_NEW: newreq = 1; - } else if (strcmp(*argv, "-config") == 0) { - if (--argc < 1) - goto bad; - template = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyform = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if 
(--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-keyout") == 0) { - if (--argc < 1) - goto bad; - keyout = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } else if (strcmp(*argv, "-newkey") == 0) { - if (--argc < 1) - goto bad; - keyalg = *(++argv); + break; + case OPT_CONFIG: + template = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_KEYOUT: + keyout = opt_arg(); + break; + case OPT_PASSIN: + passargin = opt_arg(); + break; + case OPT_PASSOUT: + passargout = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_NEWKEY: + keyalg = opt_arg(); newreq = 1; - } else if (strcmp(*argv, "-pkeyopt") == 0) { - if (--argc < 1) - goto bad; + break; + case OPT_PKEYOPT: if (!pkeyopts) pkeyopts = sk_OPENSSL_STRING_new_null(); - if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - goto bad; + if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) + goto opthelp; + break; + case OPT_SIGOPT: if (!sigopts) sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-batch") == 0) + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; + case OPT_BATCH: batch = 1; - else if (strcmp(*argv, "-newhdr") == 0) + break; + case OPT_NEWHDR: newhdr = 1; - else if (strcmp(*argv, "-modulus") == 0) + break; + case OPT_MODULUS: modulus = 1; - else if (strcmp(*argv, "-verify") == 0) + break; + case 
OPT_VERIFY: verify = 1; - else if (strcmp(*argv, "-nodes") == 0) + break; + case OPT_NODES: nodes = 1; - else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-verbose") == 0) + break; + case OPT_VERBOSE: verbose = 1; - else if (strcmp(*argv, "-utf8") == 0) + break; + case OPT_UTF8: chtype = MBSTRING_UTF8; - else if (strcmp(*argv, "-nameopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_name_ex(&nmflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-reqopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_cert_ex(&reqflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-subject") == 0) - subject = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_NAMEOPT: + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_REQOPT: + if (!set_cert_ex(&reqflag, opt_arg())) + goto opthelp; + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-x509") == 0) + break; + case OPT_X509: x509 = 1; - else if (strcmp(*argv, "-asn1-kludge") == 0) + break; + case OPT_ASN1_KLUDGE: kludge = 1; - else if (strcmp(*argv, "-no-asn1-kludge") == 0) + break; + case OPT_NO_ASN1_KLUDGE: kludge = 0; - else if (strcmp(*argv, "-subj") == 0) { - if (--argc < 1) - goto bad; - subj = *(++argv); - } else if (strcmp(*argv, "-multivalue-rdn") == 0) + break; + multirdn = 1; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_SET_SERIAL: + serial = s2i_ASN1_INTEGER(NULL, opt_arg()); + if (serial == NULL) + goto opthelp; + break; + case OPT_SUBJECT: + subj = opt_arg(); + break; + case OPT_MULTIVALUE_RDN: multirdn = 1; - else if (strcmp(*argv, "-days") == 0) { - if (--argc < 1) - goto bad; - days = atoi(*(++argv)); - if (days == 0) - days = 30; - } else if (strcmp(*argv, "-set_serial") == 0) { - if (--argc < 1) - goto bad; - serial = s2i_ASN1_INTEGER(NULL, *(++argv)); - if (!serial) - goto bad; - } else if (strcmp(*argv, "-extensions") == 0) { - if (--argc < 1) - goto bad; - extensions = *(++argv); 
- } else if (strcmp(*argv, "-reqexts") == 0) { - if (--argc < 1) - goto bad; - req_exts = *(++argv); - } else if ((md_alg = EVP_get_digestbyname(&((*argv)[1]))) != NULL) { - /* ok */ + break; + case OPT_EXTENSIONS: + extensions = opt_arg(); + break; + case OPT_REQEXTS: + req_exts = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &md_alg)) + goto opthelp; digest = md_alg; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; } - argc--; - argv++; - } - - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -inform arg input format - DER or PEM\n"); - BIO_printf(bio_err, " -outform arg output format - DER or PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, " -text text form of request\n"); - BIO_printf(bio_err, " -pubkey output public key\n"); - BIO_printf(bio_err, " -noout do not output REQ\n"); - BIO_printf(bio_err, " -verify verify signature on REQ\n"); - BIO_printf(bio_err, " -modulus RSA modulus\n"); - BIO_printf(bio_err, " -nodes don't encrypt the output key\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device\n"); -#endif - BIO_printf(bio_err, " -subject output the request's subject\n"); - BIO_printf(bio_err, " -passin private key password source\n"); - BIO_printf(bio_err, - " -key file use the private key contained in file\n"); - BIO_printf(bio_err, " -keyform arg key file format\n"); - BIO_printf(bio_err, " -keyout arg file to send the key to\n"); - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, - " -newkey rsa:bits generate a new RSA key of 'bits' in size\n"); - BIO_printf(bio_err, - 
" -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n"); -#ifndef OPENSSL_NO_EC - BIO_printf(bio_err, - " -newkey ec:file generate a new EC key, parameters taken from CA in 'file'\n"); -#endif - BIO_printf(bio_err, - " -[digest] Digest to sign with (md5, sha1, md2, mdc2, md4)\n"); - BIO_printf(bio_err, " -config file request template file.\n"); - BIO_printf(bio_err, - " -subj arg set or modify request subject\n"); - BIO_printf(bio_err, - " -multivalue-rdn enable support for multivalued RDNs\n"); - BIO_printf(bio_err, " -new new request.\n"); - BIO_printf(bio_err, - " -batch do not ask anything during request generation\n"); - BIO_printf(bio_err, - " -x509 output a x509 structure instead of a cert. req.\n"); - BIO_printf(bio_err, - " -days number of days a certificate generated by -x509 is valid for.\n"); - BIO_printf(bio_err, - " -set_serial serial number to use for a certificate generated by -x509.\n"); - BIO_printf(bio_err, - " -newhdr output \"NEW\" in the header lines\n"); - BIO_printf(bio_err, - " -asn1-kludge Output the 'request' in a format that is wrong but some CA's\n"); - BIO_printf(bio_err, - " have been reported as requiring\n"); - BIO_printf(bio_err, - " -extensions .. specify certificate extension section (override value in config file)\n"); - BIO_printf(bio_err, - " -reqexts .. 
specify request extension section (override value in config file)\n"); - BIO_printf(bio_err, - " -utf8 input characters are UTF8 (default ASCII)\n"); - BIO_printf(bio_err, - " -nameopt arg - various certificate name options\n"); - BIO_printf(bio_err, - " -reqopt arg - various request text options\n\n"); - goto end; } + argc = opt_num_rest(); + argv = opt_rest(); - ERR_load_crypto_strings(); - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } -#ifndef MONOLITH /* else this has happened in openssl.c - * (global `config') */ - /* Lets load up our environment a little */ - p = getenv("OPENSSL_CONF"); - if (p == NULL) - p = getenv("SSLEAY_CONF"); - if (p == NULL) - p = to_free = make_config_name(); - default_config_file = p; - config = NCONF_new(NULL); - i = NCONF_load(config, p, &errline); -#endif if (template != NULL) { long errline = -1; @@ -481,8 +403,6 @@ int MAIN(int argc, char **argv) } if (req_conf != NULL) { - if (!load_config(bio_err, req_conf)) - goto end; p = NCONF_get_string(req_conf, NULL, "oid_file"); if (p == NULL) ERR_clear_error(); @@ -501,16 +421,17 @@ int MAIN(int argc, char **argv) } } } - if (!add_oid_section(bio_err, req_conf)) + if (!add_oid_section(req_conf)) goto end; if (md_alg == NULL) { p = NCONF_get_string(req_conf, SECTION, "default_md"); if (p == NULL) ERR_clear_error(); - if (p != NULL) { - if ((md_alg = EVP_get_digestbyname(p)) != NULL) - digest = md_alg; + else { + if (!opt_md(p, &md_alg)) + goto opthelp; + digest = md_alg; } } 
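Review bot: In `req_options` the `subject` row is declared with an argument (`'s'`) and `case OPT_SUBJECT` stores it in `subj`, so the old `-subj arg` option has no table entry and nothing in this hunk sets `subject` to 1 any more; `-subject` stops printing the subject and instead rewrites it. `case OPT_ENGINE` assigns `engine = optarg;` where every other case uses `opt_arg()`, and the keygen-engine error still prints `*argv`, which this loop no longer advances, so the message names the wrong string. The `multirdn = 1;` left after the `break` of `OPT_NO_ASN1_KLUDGE` is unreachable and should be removed. The fence shows the affected rows and cases with a separate `OPT_SUBJ` choice added; `req_main` continues past the end of the hunk.

```c
/* … unchanged: other OPTION_CHOICE members; add OPT_SUBJ next to OPT_SUBJECT … */
    {"subj", OPT_SUBJ, 's', "Set or modify request subject"},
    {"subject", OPT_SUBJECT, '-', "Output the request's subject"},
/* … unchanged: remaining req_options rows … */
    case OPT_ENGINE:
        engine = opt_arg();
        break;
/* … unchanged: OPT_KEYGEN_ENGINE lookup; only the message argument changes … */
            BIO_printf(bio_err, "Can't find keygen engine %s\n", opt_arg());
/* … unchanged: cases up to OPT_ASN1_KLUDGE … */
    case OPT_NO_ASN1_KLUDGE:
        kludge = 0;
        break;
/* … unchanged: OPT_DAYS, OPT_SET_SERIAL … */
    case OPT_SUBJ:
        subj = opt_arg();
        break;
    case OPT_SUBJECT:
        subject = 1;
        break;
```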
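Review bot: A `default_md` value in the configuration file that `opt_md()` rejects now jumps to `opthelp`, which prints "Use -help for summary" and points the user at the command line rather than at the config file. Failing instead of silently falling back to another digest is the safer behaviour, but the message should name the source unless `opt_md()` already reports it (its body is not shown here). Print something like `BIO_printf(bio_err, "%s: bad default_md in config\n", prog);` and `goto end;` in place of `goto opthelp;`. The enclosing `req_main` starts and ends outside this hunk.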
@@ -577,29 +498,20 @@ int MAIN(int argc, char **argv) goto end; } } - - in = BIO_new(BIO_s_file()); - out = BIO_new(BIO_s_file()); - if ((in == NULL) || (out == NULL)) - goto end; - #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif if (keyfile != NULL) { - pkey = load_key(bio_err, keyfile, keyform, 0, passin, e, - "Private Key"); + pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); if (!pkey) { - /* - * load_key() has already printed an appropriate message - */ + /* load_key() has already printed an appropriate message */ goto end; } else { char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE"); if (randfile == NULL) ERR_clear_error(); - app_RAND_load_file(randfile, bio_err, 0); + app_RAND_load_file(randfile, 0); } } @@ -607,7 +519,7 @@ int MAIN(int argc, char **argv) char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE"); if (randfile == NULL) ERR_clear_error(); - app_RAND_load_file(randfile, bio_err, 0); + app_RAND_load_file(randfile, 0); if (inrand) app_RAND_load_files(inrand); @@ -616,7 +528,7 @@ int MAIN(int argc, char **argv) } if (keyalg) { - genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, + genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, &keyalgstr, gen_eng); if (!genctx) goto end; @@ -631,7 +543,7 @@ int MAIN(int argc, char **argv) } if (!genctx) { - genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey, + genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, &keyalgstr, gen_eng); if (!genctx) goto end; @@ -663,7 +575,7 @@ int MAIN(int argc, char **argv) EVP_PKEY_CTX_free(genctx); genctx = NULL; - app_RAND_write_file(randfile, bio_err); + app_RAND_write_file(randfile); if (keyout == NULL) { keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); 
@@ -671,22 +583,13 @@ int MAIN(int argc, char **argv) ERR_clear_error(); } - if (keyout == NULL) { + if (keyout == NULL) BIO_printf(bio_err, "writing new private key to stdout\n"); - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { + else BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); - if (BIO_write_filename(out, keyout) <= 0) { - perror(keyout); - goto end; - } - } + out = bio_open_default(keyout, "w"); + if (out == NULL) + goto end; p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key"); if (p == NULL) { @@ -721,24 +624,14 @@ int MAIN(int argc, char **argv) * 'format' info should not be changed. */ kludge = -1; - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } + in = bio_open_default(infile, RB(informat)); + if (in == NULL) + goto end; if (informat == FORMAT_ASN1) req = d2i_X509_REQ_bio(in, NULL); - else if (informat == FORMAT_PEM) + else req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, - "bad input format specified for X509 request\n"); - goto end; - } if (req == NULL) { BIO_printf(bio_err, "unable to load X509 request\n"); goto end; @@ -814,7 +707,7 @@ int MAIN(int argc, char **argv) goto end; } - i = do_X509_sign(bio_err, x509ss, pkey, digest, sigopts); + i = do_X509_sign(x509ss, pkey, digest, sigopts); if (!i) { ERR_print_errors(bio_err); goto end; @@ -835,7 +728,7 @@ int MAIN(int argc, char **argv) req_exts); goto end; } - i = do_X509_REQ_sign(bio_err, req, pkey, digest, sigopts); + i = do_X509_REQ_sign(req, pkey, digest, sigopts); if (!i) { ERR_print_errors(bio_err); goto end; @@ -857,7 +750,7 @@ int MAIN(int argc, char **argv) if (build_subject(req, subj, chtype, multirdn) == 0) { BIO_printf(bio_err, "ERROR: cannot modify subject\n"); - ex = 1; + ret = 1; goto end; } 
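Review bot: The newly generated private key is written through `out = bio_open_default(keyout, "w");`, a call that gives this site no way to restrict the file's permissions. Unless that helper (not shown here) sets a mode, the key file gets whatever the process umask allows, and with `-nodes` its contents are unencrypted. At minimum document it at the call, e.g. `/* key file permissions follow the umask; keep it restrictive, especially with -nodes */`, and consider opening key output with owner-only access. The removed `perror(keyout)` also means the failure report now depends entirely on the helper. `req_main` continues outside the hunk.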
@@ -874,9 +767,9 @@ int MAIN(int argc, char **argv) if (pkey == NULL) { pkey = X509_REQ_get_pubkey(req); + tmp = 1; if (pkey == NULL) goto end; - tmp = 1; } i = X509_REQ_verify(req, pkey); @@ -895,28 +788,15 @@ int MAIN(int argc, char **argv) } if (noout && !text && !modulus && !subject && !pubkey) { - ex = 0; + ret = 0; goto end; } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if ((keyout != NULL) && (strcmp(outfile, keyout) == 0)) - i = (int)BIO_append_filename(out, outfile); - else - i = (int)BIO_write_filename(out, outfile); - if (!i) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, + keyout != NULL && outfile != NULL && + strcmp(keyout, outfile) == 0 ? "a" : "w"); + if (out == NULL) + goto end; if (pubkey) { EVP_PKEY *tpubkey; @@ -971,15 +851,10 @@ int MAIN(int argc, char **argv) if (!noout && !x509) { if (outformat == FORMAT_ASN1) i = i2d_X509_REQ_bio(out, req); - else if (outformat == FORMAT_PEM) { - if (newhdr) - i = PEM_write_bio_X509_REQ_NEW(out, req); - else - i = PEM_write_bio_X509_REQ(out, req); - } else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } + else if (newhdr) + i = PEM_write_bio_X509_REQ_NEW(out, req); + else + i = PEM_write_bio_X509_REQ(out, req); if (!i) { BIO_printf(bio_err, "unable to write X509 request\n"); goto end; 
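Review bot: The output BIO in the hunk at -895,28 is opened with a literal `"a"` or `"w"`, while the input side in the earlier hunk picks its mode from the format with `RB(informat)`. When outformat is FORMAT_ASN1 the request or certificate is binary; whether bio_open_default() turns `"w"` into a text-mode open on platforms that distinguish the two is not visible here and needs confirming. If it does, the mode should depend on outformat the same way the read side depends on informat. The same applies to `out = bio_open_default(outfile, "w")` in apps/rsa.c (hunk at -306,20), where -outform is listed as accepting DER, NET and PVK.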
@@ -988,24 +863,16 @@ int MAIN(int argc, char **argv) if (!noout && x509 && (x509ss != NULL)) { if (outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x509ss); - else if (outformat == FORMAT_PEM) + else i = PEM_write_bio_X509(out, x509ss); - else { - BIO_printf(bio_err, "bad output format specified for outfile\n"); - goto end; - } if (!i) { BIO_printf(bio_err, "unable to write X509 certificate\n"); goto end; } } - ex = 0; + ret = 0; end: -#ifndef MONOLITH - if (to_free) - OPENSSL_free(to_free); -#endif - if (ex) { + if (ret) { ERR_print_errors(bio_err); } if ((req_conf != NULL) && (req_conf != config)) @@ -1032,8 +899,7 @@ int MAIN(int argc, char **argv) if (passargout && passout) OPENSSL_free(passout); OBJ_cleanup(); - apps_shutdown(); - OPENSSL_EXIT(ex); + return (ret); } static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, @@ -1499,7 +1365,7 @@ static int check_end(const char *str, const char *end) return strcmp(tmp, end); } -static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, +static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, int *pkey_type, long *pkeylen, char **palgnam, ENGINE *keygen_engine) { @@ -1536,7 +1402,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); if (!ameth) { - BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr); + BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr); return NULL; } @@ -1558,7 +1424,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, if (paramfile) { pbio = BIO_new_file(paramfile, "r"); if (!pbio) { - BIO_printf(err, "Can't open parameter file %s\n", paramfile); + BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); return NULL; } param = PEM_read_bio_Parameters(pbio, NULL); 
@@ -1576,13 +1442,13 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, BIO_free(pbio); if (!param) { - BIO_printf(err, "Error reading parameter file %s\n", paramfile); + BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile); return NULL; } if (*pkey_type == -1) *pkey_type = EVP_PKEY_id(param); else if (*pkey_type != EVP_PKEY_base_id(param)) { - BIO_printf(err, "Key Type does not match parameters\n"); + BIO_printf(bio_err, "Key Type does not match parameters\n"); EVP_PKEY_free(param); return NULL; } @@ -1594,7 +1460,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, const char *anam; ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); if (!ameth) { - BIO_puts(err, "Internal error: can't find key algorithm\n"); + BIO_puts(bio_err, "Internal error: can't find key algorithm\n"); return NULL; } EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); @@ -1613,21 +1479,21 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); if (!gctx) { - BIO_puts(err, "Error allocating keygen context\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error allocating keygen context\n"); + ERR_print_errors(bio_err); return NULL; } if (EVP_PKEY_keygen_init(gctx) <= 0) { - BIO_puts(err, "Error initializing keygen context\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error initializing keygen context\n"); + ERR_print_errors(bio_err); return NULL; } #ifndef OPENSSL_NO_RSA if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { - BIO_puts(err, "Error setting RSA keysize\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error setting RSA keysize\n"); + ERR_print_errors(bio_err); EVP_PKEY_CTX_free(gctx); return NULL; } 
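Review bot: The `EVP_PKEY_keygen_init(gctx) <= 0` branch in the hunk at -1613,21 returns NULL without releasing gctx, unlike the RSA keysize branch a few lines below it, which calls `EVP_PKEY_CTX_free(gctx)` first. Since these lines are being rewritten anyway, add `EVP_PKEY_CTX_free(gctx);` before the `return NULL;` in that branch. set_keygen_ctx() starts and continues outside this hunk.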
@@ -1656,18 +1522,19 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx) return 1; } -static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey, +static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { EVP_PKEY_CTX *pkctx = NULL; int i; + EVP_MD_CTX_init(ctx); if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) return 0; for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); if (pkey_ctrl_string(pkctx, sigopt) <= 0) { - BIO_printf(err, "parameter error \"%s\"\n", sigopt); + BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); ERR_print_errors(bio_err); return 0; } 
@@ -1675,39 +1542,42 @@ static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey, return 1; } -int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv; EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); - rv = do_sign_init(err, &mctx, pkey, md, sigopts); + rv = do_sign_init(&mctx, pkey, md, sigopts); if (rv > 0) rv = X509_sign_ctx(x, &mctx); EVP_MD_CTX_cleanup(&mctx); return rv > 0 ? 1 : 0; } -int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv; EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); - rv = do_sign_init(err, &mctx, pkey, md, sigopts); + rv = do_sign_init(&mctx, pkey, md, sigopts); if (rv > 0) rv = X509_REQ_sign_ctx(x, &mctx); EVP_MD_CTX_cleanup(&mctx); return rv > 0 ? 1 : 0; } -int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv; EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); - rv = do_sign_init(err, &mctx, pkey, md, sigopts); + rv = do_sign_init(&mctx, pkey, md, sigopts); if (rv > 0) rv = X509_CRL_sign_ctx(x, &mctx); EVP_MD_CTX_cleanup(&mctx); diff --git a/apps/rsa.c b/apps/rsa.c index 2f3f871..7f7069c 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -1,4 +1,3 @@ -/* apps/rsa.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -55,6 +54,54 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ #include #ifndef OPENSSL_NO_RSA 
@@ -71,197 +118,142 @@ # include # include -# undef PROG -# define PROG rsa_main - -/*- - * -inform arg - input format - default PEM (one of DER, NET or PEM) - * -outform arg - output format - default PEM - * -in arg - input file - default stdin - * -out arg - output file - default stdout - * -des - encrypt output if PEM format with DES in cbc mode - * -des3 - encrypt output if PEM format - * -idea - encrypt output if PEM format - * -seed - encrypt output if PEM format - * -aes128 - encrypt output if PEM format - * -aes192 - encrypt output if PEM format - * -aes256 - encrypt output if PEM format - * -camellia128 - encrypt output if PEM format - * -camellia192 - encrypt output if PEM format - * -camellia256 - encrypt output if PEM format - * -text - print a text version - * -modulus - print the RSA key modulus - * -check - verify key consistency - * -pubin - Expect a public key in input file. - * -pubout - Output a public key. - */ - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN, + OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, OPT_PVK_STRONG, OPT_PVK_WEAK, + OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS rsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"pubout", OPT_PUBOUT, '-', "Output a public key"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKye"}, + {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an 
RSAPublicKye"}, + {"pvk-strong", OPT_PVK_STRONG, '-'}, + {"pvk-weak", OPT_PVK_WEAK, '-'}, + {"pvk-none", OPT_PVK_NONE, '-'}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key in text"}, + {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, + {"check", OPT_CHECK, '-', "Verify key consistency"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; -int MAIN(int argc, char **argv) +int rsa_main(int argc, char **argv) { ENGINE *e = NULL; - int ret = 1; + BIO *out = NULL; RSA *rsa = NULL; - int i, badops = 0, sgckey = 0; const EVP_CIPHER *enc = NULL; - BIO *out = NULL; - int informat, outformat, text = 0, check = 0, noout = 0; - int pubin = 0, pubout = 0; - char *infile, *outfile, *prog; - char *passargin = NULL, *passargout = NULL; - char *passin = NULL, *passout = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - int modulus = 0; -#ifndef OPENSSL_NO_RC4 - int pvk_encr = 2; + char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; + int i; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; + int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, rsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +#ifdef OPENSSL_NO_RC4 + case OPT_PVK_STRONG: + case OPT_PVK_WEAK: + case OPT_PVK_NONE: #endif - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - - infile = NULL; - outfile = NULL; - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, 
"-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif - else if (strcmp(*argv, "-sgckey") == 0) - sgckey = 1; - else if (strcmp(*argv, "-pubin") == 0) + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rsa_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PUBIN: pubin = 1; - else if (strcmp(*argv, "-pubout") == 0) + break; + case OPT_PUBOUT: pubout = 1; - else if (strcmp(*argv, "-RSAPublicKey_in") == 0) + break; + case OPT_RSAPUBKEY_IN: pubin = 2; - else if (strcmp(*argv, "-RSAPublicKey_out") == 0) + break; + case OPT_RSAPUBKEY_OUT: pubout = 2; + break; #ifndef OPENSSL_NO_RC4 - else if (strcmp(*argv, "-pvk-strong") == 0) + case OPT_PVK_STRONG: pvk_encr = 2; - else if (strcmp(*argv, "-pvk-weak") == 0) + break; + case OPT_PVK_WEAK: pvk_encr = 1; - else if (strcmp(*argv, "-pvk-none") == 0) + break; + case 
OPT_PVK_NONE: pvk_encr = 0; + break; #endif - else if (strcmp(*argv, "-noout") == 0) + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = 1; - else if (strcmp(*argv, "-modulus") == 0) + break; + case OPT_MODULUS: modulus = 1; - else if (strcmp(*argv, "-check") == 0) + break; + case OPT_CHECK: check = 1; - else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - BIO_printf(bio_err, "%s [options] outfile\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, - " -inform arg input format - one of DER NET PEM\n"); - BIO_printf(bio_err, - " -outform arg output format - one of DER NET PEM\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -sgckey Use IIS SGC key format\n"); - BIO_printf(bio_err, - " -passin arg input file pass phrase source\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, - " -passout arg output file pass phrase source\n"); - BIO_printf(bio_err, - " -des encrypt PEM output with cbc des\n"); - BIO_printf(bio_err, - " -des3 encrypt PEM output with ede cbc des using 168 bit key\n"); -# ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, - " -idea encrypt PEM output with cbc idea\n"); -# endif -# ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, - " -seed encrypt PEM output with cbc seed\n"); -# endif -# ifndef OPENSSL_NO_AES - BIO_printf(bio_err, " -aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -# endif -# ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -# endif - BIO_printf(bio_err, " -text print the key in text\n"); - 
BIO_printf(bio_err, " -noout don't print key out\n"); - BIO_printf(bio_err, " -modulus print the RSA key modulus\n"); - BIO_printf(bio_err, " -check verify key consistency\n"); - BIO_printf(bio_err, - " -pubin expect a public key in input file\n"); - BIO_printf(bio_err, " -pubout output a public key\n"); # ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); + e = setup_engine(engine, 0); # endif - goto end; - } - - ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); -# endif - - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; } @@ -271,8 +263,6 @@ int MAIN(int argc, char **argv) goto end; } - out = BIO_new(BIO_s_file()); - { EVP_PKEY *pkey; @@ -283,18 +273,12 @@ int MAIN(int argc, char **argv) tmpformat = FORMAT_PEMRSA; else if (informat == FORMAT_ASN1) tmpformat = FORMAT_ASN1RSA; - } else if (informat == FORMAT_NETSCAPE && sgckey) - tmpformat = FORMAT_IISSGC; - else + } else tmpformat = informat; - pkey = load_pubkey(bio_err, infile, tmpformat, 1, - passin, e, "Public Key"); + pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key"); } else - pkey = load_key(bio_err, infile, - (informat == FORMAT_NETSCAPE && sgckey ? - FORMAT_IISSGC : informat), 1, - passin, e, "Private Key"); + pkey = load_key(infile, informat, 1, passin, e, "Private Key"); if (pkey != NULL) rsa = EVP_PKEY_get1_RSA(pkey); 
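Review bot: In rsa_options the help strings for `RSAPublicKey_in` and `RSAPublicKey_out` misspell the type as `RSAPublicKye`; they should read `"Input is an RSAPublicKey"` and `"Output is an RSAPublicKey"`. The `pvk-strong`, `pvk-weak` and `pvk-none` entries have no help string at all, so -help gives no hint that they set pvk_encr to 2, 1 and 0; a short description per entry would make the choice of PVK encryption level visible to the user. rsautl_options in apps/rsautl.c has the same gap for `asn1parse` and `rev`.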
@@ -306,20 +290,9 @@ int MAIN(int argc, char **argv) goto end; } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } + out = bio_open_default(outfile, "w"); + if (out == NULL) + goto end; if (text) if (!RSA_print(out, rsa, 0)) { @@ -379,13 +352,13 @@ int MAIN(int argc, char **argv) int size; i = 1; - size = i2d_RSA_NET(rsa, NULL, NULL, sgckey); + size = i2d_RSA_NET(rsa, NULL, NULL, 0); if ((p = (unsigned char *)OPENSSL_malloc(size)) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } pp = p; - i2d_RSA_NET(rsa, &p, NULL, sgckey); + i2d_RSA_NET(rsa, &p, NULL, 0); BIO_write(out, (char *)pp, size); OPENSSL_free(pp); } @@ -428,8 +401,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(passin); if (passout) OPENSSL_free(passout); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } #else /* !OPENSSL_NO_RSA */ diff --git a/apps/rsautl.c b/apps/rsautl.c index d642f9a..0466746 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -1,4 +1,3 @@ -/* rsautl.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 2000. 
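Review bot: In the hunk at -379,13 the result of the first `i2d_RSA_NET(rsa, NULL, NULL, 0)` is passed to OPENSSL_malloc() unchecked, and the return values of the second call and of `BIO_write(out, (char *)pp, size)` are dropped while `i` has already been set to 1. An encoding failure would at best be reported as "Memory allocation failure", and a short write of key material would presumably pass as success (how `i` is tested afterwards is outside the hunk). A guard such as `if (size <= 0) goto end;` after the first call and `i = (BIO_write(out, (char *)pp, size) == size);` for the write would close both.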
@@ -75,150 +74,162 @@ # define KEY_PUBKEY 2 # define KEY_CERT 3 -static void usage(void); - -# undef PROG - -# define PROG rsautl_main - -int MAIN(int argc, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP, + OPT_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931, + OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, + OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM +} OPTION_CHOICE; + +OPTIONS rsautl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"inkey", OPT_INKEY, '<', "Input key"}, + {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, + {"pubin", OPT_PUBIN, '-', "Input is an RSA public"}, + {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"}, + {"ssl", OPT_SSL, '-', "Use SSL v2 padding"}, + {"raw", OPT_RAW, '-', "Use no padding"}, + {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"}, + {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"}, + {"sign", OPT_SIGN, '-', "Sign with private key"}, + {"verify", OPT_VERIFY, '-', "Verify with public key"}, + {"asn1parse", OPT_ASN1PARSE, '-'}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"}, + {"rev", OPT_REV, '-'}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, + {"passin", OPT_PASSIN, 's', "Pass phrase source"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; -int MAIN(int argc, char **argv) +int rsautl_main(int argc, char **argv) { - ENGINE *e = NULL; BIO *in = NULL, *out = NULL; - char *infile = NULL, *outfile = NULL; -# ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -# endif - char *keyfile = NULL; - char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; - int keyform = FORMAT_PEM; - char 
need_priv = 0, badarg = 0, rev = 0; - char hexdump = 0, asn1parse = 0; - X509 *x; + ENGINE *e = NULL; EVP_PKEY *pkey = NULL; RSA *rsa = NULL; - unsigned char *rsa_in = NULL, *rsa_out = NULL, pad; - char *passargin = NULL, *passin = NULL; - int rsa_inlen, rsa_outlen = 0; - int keysize; - - int ret = 1; - - argc--; - argv++; - - if (!bio_err) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - pad = RSA_PKCS1_PADDING; - - while (argc >= 1) { - if (!strcmp(*argv, "-in")) { - if (--argc < 1) - badarg = 1; - else - infile = *(++argv); - } else if (!strcmp(*argv, "-out")) { - if (--argc < 1) - badarg = 1; - else - outfile = *(++argv); - } else if (!strcmp(*argv, "-inkey")) { - if (--argc < 1) - badarg = 1; - else - keyfile = *(++argv); - } else if (!strcmp(*argv, "-passin")) { - if (--argc < 1) - badarg = 1; - else - passargin = *(++argv); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - badarg = 1; - else - keyform = str2fmt(*(++argv)); -# ifndef OPENSSL_NO_ENGINE - } else if (!strcmp(*argv, "-engine")) { - if (--argc < 1) - badarg = 1; - else - engine = *(++argv); -# endif - } else if (!strcmp(*argv, "-pubin")) { - key_type = KEY_PUBKEY; - } else if (!strcmp(*argv, "-certin")) { - key_type = KEY_CERT; - } else if (!strcmp(*argv, "-asn1parse")) + X509 *x; + char *engine = NULL, *infile = NULL, *outfile = NULL, *keyfile = NULL; + char *passinarg = NULL, *passin = NULL, *prog; + char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; + unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING; + int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1; + int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, rsautl_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", 
prog); + goto end; + case OPT_HELP: + opt_help(rsautl_options); + ret = 0; + goto end; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_ASN1PARSE: asn1parse = 1; - else if (!strcmp(*argv, "-hexdump")) + break; + case OPT_HEXDUMP: hexdump = 1; - else if (!strcmp(*argv, "-raw")) + break; + case OPT_RAW: pad = RSA_NO_PADDING; - else if (!strcmp(*argv, "-oaep")) + break; + case OPT_OAEP: pad = RSA_PKCS1_OAEP_PADDING; - else if (!strcmp(*argv, "-ssl")) + break; + case OPT_SSL: pad = RSA_SSLV23_PADDING; - else if (!strcmp(*argv, "-pkcs")) + break; + case OPT_PKCS: pad = RSA_PKCS1_PADDING; - else if (!strcmp(*argv, "-x931")) + break; + case OPT_X931: pad = RSA_X931_PADDING; - else if (!strcmp(*argv, "-sign")) { + break; + case OPT_SIGN: rsa_mode = RSA_SIGN; need_priv = 1; - } else if (!strcmp(*argv, "-verify")) + break; + case OPT_VERIFY: rsa_mode = RSA_VERIFY; - else if (!strcmp(*argv, "-rev")) + break; + case OPT_REV: rev = 1; - else if (!strcmp(*argv, "-encrypt")) + break; + case OPT_ENCRYPT: rsa_mode = RSA_ENCRYPT; - else if (!strcmp(*argv, "-decrypt")) { + break; + case OPT_DECRYPT: rsa_mode = RSA_DECRYPT; need_priv = 1; - } else - badarg = 1; - if (badarg) { - usage(); - goto end; + break; + case OPT_PUBIN: + key_type = KEY_PUBKEY; + break; + case OPT_CERTIN: + key_type = KEY_CERT; + break; + case OPT_INKEY: + keyfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); if (need_priv && (key_type != KEY_PRIVKEY)) { BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } # ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if 
(!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } /* FIXME: seed PRNG only if needed */ - app_RAND_load_file(NULL, bio_err, 0); + app_RAND_load_file(NULL, 0); switch (key_type) { case KEY_PRIVKEY: - pkey = load_key(bio_err, keyfile, keyform, 0, - passin, e, "Private Key"); + pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key"); break; case KEY_PUBKEY: - pkey = load_pubkey(bio_err, keyfile, keyform, 0, - NULL, e, "Public Key"); + pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key"); break; case KEY_CERT: - x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate"); + x = load_cert(keyfile, keyformat, NULL, e, "Certificate"); if (x) { pkey = X509_get_pubkey(x); X509_free(x); @@ -239,30 +250,12 @@ int MAIN(int argc, char **argv) goto end; } - if (infile) { - if (!(in = BIO_new_file(infile, "rb"))) { - BIO_printf(bio_err, "Error Reading Input File\n"); - ERR_print_errors(bio_err); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - - if (outfile) { - if (!(out = BIO_new_file(outfile, "wb"))) { - BIO_printf(bio_err, "Error Reading Output File\n"); - ERR_print_errors(bio_err); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -# ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -# endif - } + in = bio_open_default(infile, "rb"); + if (in == NULL) + goto end; + out = bio_open_default(outfile, "wb"); + if (out == NULL) + goto end; keysize = RSA_size(rsa); @@ -270,7 +263,6 @@ int MAIN(int argc, char **argv) rsa_out = OPENSSL_malloc(keysize); if (!rsa_in || !rsa_out) { BIO_printf(bio_err, "Out of memory\n"); - ERR_print_errors(bio_err); goto end; } @@ -278,7 +270,7 @@ int MAIN(int argc, char **argv) rsa_inlen = BIO_read(in, rsa_in, keysize * 2); if (rsa_inlen <= 0) { BIO_printf(bio_err, "Error reading input Data\n"); - exit(1); + goto end; } if (rev) { int i; 
@@ -338,34 +330,6 @@ int MAIN(int argc, char **argv) return ret; } -static void usage() -{ - BIO_printf(bio_err, "Usage: rsautl [options]\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-inkey file input key\n"); - BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); - BIO_printf(bio_err, "-pubin input is an RSA public\n"); - BIO_printf(bio_err, - "-certin input is a certificate carrying an RSA public key\n"); - BIO_printf(bio_err, "-ssl use SSL v2 padding\n"); - BIO_printf(bio_err, "-raw use no padding\n"); - BIO_printf(bio_err, - "-pkcs use PKCS#1 v1.5 padding (default)\n"); - BIO_printf(bio_err, "-oaep use PKCS#1 OAEP\n"); - BIO_printf(bio_err, "-sign sign with private key\n"); - BIO_printf(bio_err, "-verify verify with public key\n"); - BIO_printf(bio_err, "-encrypt encrypt with public key\n"); - BIO_printf(bio_err, "-decrypt decrypt with private key\n"); - BIO_printf(bio_err, "-hexdump hex dump output\n"); -# ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); - BIO_printf(bio_err, "-passin arg pass phrase source\n"); -# endif - -} - #else /* !OPENSSL_NO_RSA */ # if PEDANTIC diff --git a/apps/s_apps.h b/apps/s_apps.h index b0aeeff..db8d039 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -178,9 +178,9 @@ int init_client(int *sock, const char *server, int port, int type); int init_client_unix(int *sock, const char *server); #endif int should_retry(int i); -int extract_port(const char *str, short *port_ptr); +int extract_port(const char *str, unsigned short *port_ptr); int extract_host_port(char *str, char **host_ptr, unsigned char *ip, - short *p); + unsigned short *p); long bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); 
@@ -202,15 +202,12 @@ typedef struct ssl_excert_st SSL_EXCERT; void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc); void ssl_excert_free(SSL_EXCERT *exc); -int args_excert(char ***pargs, int *pargc, - int *badarg, BIO *err, SSL_EXCERT **pexc); -int load_excert(SSL_EXCERT **pexc, BIO *err); +int args_excert(int option, SSL_EXCERT **pexc); +int load_excert(SSL_EXCERT **pexc); void print_ssl_summary(BIO *bio, SSL *s); #ifdef HEADER_SSL_H -int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, - int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); -int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake); +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, + SSL_CTX *ctx, int no_ecdhe, int no_jpake); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download); int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, diff --git a/apps/s_cb.c b/apps/s_cb.c index 06050db..ddd65a9 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1,4 +1,3 @@ -/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -109,12 +108,12 @@ * */ +/* callback functions used by s_client, s_server, and s_time */ #include #include +#include #define USE_SOCKETS -#define NON_MAIN #include "apps.h" -#undef NON_MAIN #undef USE_SOCKETS #include #include @@ -200,11 +199,6 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) { if (cert_file != NULL) { - /*- - SSL *ssl; - X509 *x509; - */ - if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { BIO_printf(bio_err, "unable to get certificate from '%s'\n", 
@@ -221,21 +215,6 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) return (0); } - /*- - In theory this is no longer needed - ssl=SSL_new(ctx); - x509=SSL_get_certificate(ssl); - - if (x509 != NULL) { - EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(x509); - EVP_PKEY_copy_parameters(pktmp, - SSL_get_privatekey(ssl)); - EVP_PKEY_free(pktmp); - } - SSL_free(ssl); - */ - /* * If we are using DSA, we can copy the parameters from the private * key @@ -456,17 +435,17 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared) { int i, ncurves, *curves, nid; const char *cname; + ncurves = SSL_get1_curves(s, NULL); if (ncurves <= 0) return 1; curves = OPENSSL_malloc(ncurves * sizeof(int)); if (!curves) { - BIO_puts(out, "Malloc error getting supported curves\n"); + BIO_printf(out, "Out of memory\n"); return 0; } SSL_get1_curves(s, curves); - BIO_puts(out, "Supported Elliptic Curves: "); for (i = 0; i < ncurves; i++) { if (i) @@ -1178,11 +1157,10 @@ static int set_cert_cb(SSL *ssl, void *arg) X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); - print_chain_flags(bio_err, ssl, rv); if (rv & CERT_PKEY_VALID) { if (!SSL_use_certificate(ssl, exc->cert) - || !SSL_use_PrivateKey(ssl, exc->key)) { + || !SSL_use_PrivateKey(ssl, exc->key)) { return 0; } /* @@ -1251,7 +1229,7 @@ void ssl_excert_free(SSL_EXCERT *exc) } } -int load_excert(SSL_EXCERT **pexc, BIO *err) +int load_excert(SSL_EXCERT **pexc) { SSL_EXCERT *exc = *pexc; if (!exc) 
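Review bot: In the `ssl_print_curves` hunk the allocation-failure message is still written to `out`, the BIO that receives the curve listing, so the error is mixed into normal output. Other failure paths in this file report on `bio_err` (for example `load_excert` after this commit), and `BIO_printf(bio_err, "Out of memory\n");` would match them. The function body continues outside the hunk.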
@@ -1264,25 +1242,24 @@ int load_excert(SSL_EXCERT **pexc, BIO *err) } for (; exc; exc = exc->next) { if (!exc->certfile) { - BIO_printf(err, "Missing filename\n"); + BIO_printf(bio_err, "Missing filename\n"); return 0; } - exc->cert = load_cert(err, exc->certfile, exc->certform, + exc->cert = load_cert(exc->certfile, exc->certform, NULL, NULL, "Server Certificate"); if (!exc->cert) return 0; if (exc->keyfile) { - exc->key = load_key(err, exc->keyfile, exc->keyform, + exc->key = load_key(exc->keyfile, exc->keyform, 0, NULL, NULL, "Server Key"); } else { - exc->key = load_key(err, exc->certfile, exc->certform, + exc->key = load_key(exc->certfile, exc->certform, 0, NULL, NULL, "Server Key"); } if (!exc->key) return 0; if (exc->chainfile) { - exc->chain = load_certs(err, - exc->chainfile, FORMAT_PEM, + exc->chain = load_certs(exc->chainfile, FORMAT_PEM, NULL, NULL, "Server Chain"); if (!exc->chain) return 0; 
@@ -1291,86 +1268,70 @@ int load_excert(SSL_EXCERT **pexc, BIO *err) return 1; } -int args_excert(char ***pargs, int *pargc, - int *badarg, BIO *err, SSL_EXCERT **pexc) +enum range { OPT_X_ENUM }; + +int args_excert(int opt, SSL_EXCERT **pexc) { - char *arg = **pargs, *argn = (*pargs)[1]; SSL_EXCERT *exc = *pexc; - int narg = 2; - if (!exc) { - if (ssl_excert_prepend(&exc)) - *pexc = exc; - else { - BIO_printf(err, "Error initialising xcert\n"); - *badarg = 1; + + assert(opt > OPT_X__FIRST); + assert(opt < OPT_X__LAST); + + if (exc == NULL) { + if (!ssl_excert_prepend(&exc)) { + BIO_printf(bio_err, " %s: Error initialising xcert\n", + opt_getprog()); goto err; } + *pexc = exc; } - if (strcmp(arg, "-xcert") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } + + switch ((enum range)opt) { + case OPT_X__FIRST: + case OPT_X__LAST: + return 0; + case OPT_X_CERT: if (exc->certfile && !ssl_excert_prepend(&exc)) { - BIO_printf(err, "Error adding xcert\n"); - *badarg = 1; + BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } - exc->certfile = argn; - } else if (strcmp(arg, "-xkey") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } + exc->certfile = opt_arg(); + break; + case OPT_X_KEY: if (exc->keyfile) { - BIO_printf(err, "Key already specified\n"); - *badarg = 1; - return 1; - } - exc->keyfile = argn; - } else if (strcmp(arg, "-xchain") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } - if (exc->chainfile) { - BIO_printf(err, "Chain already specified\n"); - *badarg = 1; - return 1; - } - exc->chainfile = argn; - } else if (strcmp(arg, "-xchain_build") == 0) { - narg = 1; - exc->build_chain = 1; - } else if (strcmp(arg, "-xcertform") == 0) { - if (!argn) { - *badarg = 1; + BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog()); goto err; } - exc->certform = str2fmt(argn); - } else if (strcmp(arg, "-xkeyform") == 0) { - if (!argn) { - *badarg = 1; + exc->keyfile = opt_arg(); + break; + case OPT_X_CHAIN: + if (exc->chainfile) { 
+ BIO_printf(bio_err, "%s: Chain already specified\n", + opt_getprog()); goto err; } - exc->keyform = str2fmt(argn); - } else - return 0; - - (*pargs) += narg; - - if (pargc) - *pargc -= narg; - - *pexc = exc; - + exc->chainfile = opt_arg(); + break; + case OPT_X_CHAIN_BUILD: + exc->build_chain = 1; + break; + case OPT_X_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform)) + return 0; + break; + case OPT_X_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform)) + return 0; + break; + } return 1; err: - ERR_print_errors(err); - ssl_excert_free(exc); + ERR_print_errors(bio_err); + if (exc) + ssl_excert_free(exc); *pexc = NULL; - return 1; + return 0; } static void print_raw_cipherlist(BIO *bio, SSL *s) 
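Review bot: In the new `args_excert`, `*pexc` is written only in the `exc == NULL` branch, so when `case OPT_X_CERT:` calls `ssl_excert_prepend(&exc)` for a further certificate the caller's pointer is not updated. The removed version ended with `*pexc = exc;` after every option. If `ssl_excert_prepend` makes the new entry the head of the list, as that assignment suggests, the caller keeps the old head and the added entry may never be loaded or freed, depending on how the list is walked later. Adding `*pexc = exc;` right after the prepend check in `case OPT_X_CERT:` restores the old behaviour. Separately, the two `assert()` range checks vanish under `NDEBUG` and the `switch` has no `default`, so an out-of-range `opt` would fall through to `return 1`.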
@@ -1438,72 +1399,31 @@ void print_ssl_summary(BIO *bio, SSL *s) #endif } -int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, - int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) -{ - char *arg = **pargs, *argn = (*pargs)[1]; - int rv; - - /* Attempt to run SSL configuration command */ - rv = SSL_CONF_cmd_argv(cctx, pargc, pargs); - /* If parameter not recognised just return */ - if (rv == 0) - return 0; - /* see if missing argument error */ - if (rv == -3) { - BIO_printf(err, "%s needs an argument\n", arg); - *badarg = 1; - goto end; - } - /* Check for some other error */ - if (rv < 0) { - BIO_printf(err, "Error with command: \"%s %s\"\n", - arg, argn ? argn : ""); - *badarg = 1; - goto end; - } - /* Store command and argument */ - /* If only one argument processed store value as NULL */ - if (rv == 1) - argn = NULL; - if (!*pstr) - *pstr = sk_OPENSSL_STRING_new_null(); - if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) || - !sk_OPENSSL_STRING_push(*pstr, argn)) { - BIO_puts(err, "Memory allocation failure\n"); - goto end; - } - - end: - if (*badarg) - ERR_print_errors(err); - - return 1; -} - -int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake) +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, + SSL_CTX *ctx, int no_ecdhe, int no_jpake) { int i; + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { - const char *param = sk_OPENSSL_STRING_value(str, i); - const char *value = sk_OPENSSL_STRING_value(str, i + 1); - /* - * If no_ecdhe or named curve already specified don't need a default. - */ - if (!no_ecdhe && !strcmp(param, "-named_curve")) + const char *flag = sk_OPENSSL_STRING_value(str, i); + const char *arg = sk_OPENSSL_STRING_value(str, i + 1); + /* If no_ecdhe or named curve already specified don't need a default. 
*/ + if (!no_ecdhe && !strcmp(flag, "-named_curve")) no_ecdhe = 1; #ifndef OPENSSL_NO_JPAKE - if (!no_jpake && !strcmp(param, "-cipher")) { - BIO_puts(err, "JPAKE sets cipher to PSK\n"); + if (!no_jpake && !strcmp(flag, "-cipher")) { + BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); return 0; } #endif - if (SSL_CONF_cmd(cctx, param, value) <= 0) { - BIO_printf(err, "Error with command: \"%s %s\"\n", - param, value ? value : ""); - ERR_print_errors(err); + if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { + if (arg) + BIO_printf(bio_err, "Error with command: \"%s %s\"\n", + flag, arg); + else + BIO_printf(bio_err, "Error with command: \"%s\"\n", flag); + ERR_print_errors(bio_err); return 0; } } @@ -1514,23 +1434,23 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, */ if (!no_ecdhe) { if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) { - BIO_puts(err, "Error setting EC curve\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error setting EC curve\n"); + ERR_print_errors(bio_err); return 0; } } #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { - BIO_puts(err, "Error setting cipher to PSK\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error setting cipher to PSK\n"); + ERR_print_errors(bio_err); return 0; } } #endif if (!SSL_CONF_CTX_finish(cctx)) { - BIO_puts(err, "Error finishing context\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error finishing context\n"); + ERR_print_errors(bio_err); return 0; } return 1; diff --git a/apps/s_client.c b/apps/s_client.c index 761f352..900efe7 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1,4 +1,3 @@ -/* apps/s_client.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -141,6 +140,7 @@ #include #include #include + /* * With IPv6, it looks like Digital has mixed up the proper order of * recursive header file inclusion, resulting in the compiler complaining 
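Review bot: `config_ctx` has no comment stating what it expects in `str` or what it returns, and its parameter order differs from the `args_ssl_call` it replaces. The loop walks `str` two entries at a time as flag/argument pairs, and the new `if (arg)` branch shows the argument may be NULL for flag-only options; neither fact is written down. I would add a header comment such as `/* Apply the saved flag/argument pairs in str (argument may be NULL) to ctx via cctx; returns 1 on success, 0 after reporting the error on bio_err. */`. The function body continues into the next hunk.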
@@ -172,22 +172,8 @@ typedef unsigned int u_int; # undef FIONBIO #endif -#undef PROG -#define PROG s_client_main - -/* - * #define SSL_HOST_NAME "www.netscape.com" - */ -/* - * #define SSL_HOST_NAME "193.118.187.102" - */ #define SSL_HOST_NAME "localhost" -/* no default cert. */ -/* - * #define TEST_CERT "client.pem" - */ - #undef BUFSIZZ #define BUFSIZZ 1024*8 @@ -196,32 +182,26 @@ extern int verify_error; extern int verify_return_error; extern int verify_quiet; -#ifdef FIONBIO static int c_nbio = 0; -#endif -static int c_Pause = 0; -static int c_debug = 0; -#ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug = 0; static int c_status_req = 0; -#endif +static int c_Pause = 0; +static int c_debug = 0; static int c_msg = 0; static int c_showcerts = 0; - static char *keymatexportlabel = NULL; static int keymatexportlen = 20; - -static void sc_usage(void); -static void print_stuff(BIO *berr, SSL *con, int full); -#ifndef OPENSSL_NO_TLSEXT -static int ocsp_resp_cb(SSL *s, void *arg); -#endif static BIO *bio_c_out = NULL; static BIO *bio_c_msg = NULL; static int c_quiet = 0; static int c_ign_eof = 0; static int c_brief = 0; +static void print_stuff(BIO *berr, SSL *con, int full); +#ifndef OPENSSL_NO_TLSEXT +static int ocsp_resp_cb(SSL *s, void *arg); +#endif + #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ static char *psk_identity = "Client_identity"; 
@@ -290,147 +270,6 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, } #endif -static void sc_usage(void) -{ - BIO_printf(bio_err, "usage: s_client args\n"); - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, " -host host - use -connect instead\n"); - BIO_printf(bio_err, " -port port - use -connect instead\n"); - BIO_printf(bio_err, - " -connect host:port - connect over TCP/IP (default is %s:%s)\n", - SSL_HOST_NAME, PORT_STR); - BIO_printf(bio_err, - " -unix path - connect over unix domain sockets\n"); - BIO_printf(bio_err, - " -verify arg - turn on peer certificate verification\n"); - BIO_printf(bio_err, - " -verify_return_error - return verification errors\n"); - BIO_printf(bio_err, - " -cert arg - certificate file to use, PEM format assumed\n"); - BIO_printf(bio_err, - " -certform arg - certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, - " -key arg - Private key file to use, in cert file if\n"); - BIO_printf(bio_err, " not specified but cert file is.\n"); - BIO_printf(bio_err, - " -keyform arg - key format (PEM or DER) PEM default\n"); - BIO_printf(bio_err, - " -pass arg - private key file pass phrase source\n"); - BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); - BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); - BIO_printf(bio_err, - " -trusted_first - Use local CA's first when building trust chain\n"); - BIO_printf(bio_err, - " -no_alt_chains - only ever use the first certificate chain found\n"); - BIO_printf(bio_err, - " -reconnect - Drop and re-make the connection with the same Session-ID\n"); - BIO_printf(bio_err, - " -pause - sleep(1) after each read(2) and write(2) system call\n"); - BIO_printf(bio_err, - " -prexit - print session information even on connection failure\n"); - BIO_printf(bio_err, - " -showcerts - show all certificates in the chain\n"); - BIO_printf(bio_err, " -debug - extra output\n"); -#ifdef WATT32 - BIO_printf(bio_err, " -wdebug - WATT-32 tcp 
debugging\n"); -#endif - BIO_printf(bio_err, " -msg - Show protocol messages\n"); - BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n"); - BIO_printf(bio_err, " -state - print the 'ssl' states\n"); -#ifdef FIONBIO - BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); -#endif - BIO_printf(bio_err, - " -crlf - convert LF from terminal into CRLF\n"); - BIO_printf(bio_err, " -quiet - no s_client output\n"); - BIO_printf(bio_err, - " -ign_eof - ignore input eof (default when -quiet)\n"); - BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); -#ifndef OPENSSL_NO_PSK - BIO_printf(bio_err, " -psk_identity arg - PSK identity\n"); - BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n"); -# ifndef OPENSSL_NO_JPAKE - BIO_printf(bio_err, " -jpake arg - JPAKE secret to use\n"); -# endif -#endif -#ifndef OPENSSL_NO_SRP - BIO_printf(bio_err, - " -srpuser user - SRP authentification for 'user'\n"); - BIO_printf(bio_err, " -srppass arg - password for 'user'\n"); - BIO_printf(bio_err, - " -srp_lateuser - SRP username into second ClientHello message\n"); - BIO_printf(bio_err, - " -srp_moregroups - Tolerate other than the known g N values.\n"); - BIO_printf(bio_err, - " -srp_strength int - minimal length in bits for N (default %d).\n", - SRP_MINIMAL_N); -#endif -#ifndef OPENSSL_NO_SSL3_METHOD - BIO_printf(bio_err, " -ssl3 - just use SSLv3\n"); -#endif - BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); - BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); - BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); - BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); - BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n"); - BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); - BIO_printf(bio_err, - " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3 - turn off that protocol\n"); - BIO_printf(bio_err, - " -bugs - Switch on all SSL implementation bug workarounds\n"); - BIO_printf(bio_err, - " -cipher - preferred cipher to use, use the 'openssl 
ciphers'\n"); - BIO_printf(bio_err, - " command to see what is available\n"); - BIO_printf(bio_err, - " -starttls prot - use the STARTTLS command before starting TLS\n"); - BIO_printf(bio_err, - " for those protocols that support it, where\n"); - BIO_printf(bio_err, - " 'prot' defines which one to assume. Currently,\n"); - BIO_printf(bio_err, - " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); - BIO_printf(bio_err, " are supported.\n"); - BIO_printf(bio_err, - " -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine id - Initialise and use the specified engine\n"); -#endif - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n"); - BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n"); -#ifndef OPENSSL_NO_TLSEXT - BIO_printf(bio_err, - " -servername host - Set TLS extension servername in ClientHello\n"); - BIO_printf(bio_err, - " -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err, - " -status - request certificate status from server\n"); - BIO_printf(bio_err, - " -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err, - " -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n"); -# ifndef OPENSSL_NO_NEXTPROTONEG - BIO_printf(bio_err, - " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); -# endif - BIO_printf(bio_err, - " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); -#endif - BIO_printf(bio_err, - " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); -#ifndef OPENSSL_NO_SRTP - BIO_printf(bio_err, - " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); -#endif - BIO_printf(bio_err, - " 
-keymatexport label - Export keying material using label\n"); - BIO_printf(bio_err, - " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); -} - #ifndef OPENSSL_NO_TLSEXT /* This is a context that we pass to callbacks */ @@ -551,10 +390,9 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) int l; if (!pass) { - BIO_printf(bio_err, "Malloc failure\n"); + BIO_printf(bio_err, "Out of memory\n"); return NULL; } - cb_tmp.password = (char *)srp_arg->srppassin; cb_tmp.prompt_info = "SRP user"; if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { @@ -568,9 +406,8 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) } # endif -# ifndef OPENSSL_NO_SRTP + char *srtp_profiles = NULL; -# endif # ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ 
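Review bot: With the `OPENSSL_NO_SRTP` guard removed in the last hunk here, `char *srtp_profiles = NULL;` in apps/s_client.c is always defined and has external linkage. Unless another file refers to it (not visible here), `static char *srtp_profiles = NULL;` would keep it private to s_client.c, like the `static` option state declared near the top of the file.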
@@ -629,503 +466,586 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, #endif -enum { - PROTO_OFF = 0, +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_VERIFY, + OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, + OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, + OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO, + OPT_SSL_CLIENT_ENGINE, OPT_RAND, OPT_IGN_EOF, OPT_NO_IGN_EOF, + OPT_PAUSE, OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG, + OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG, + OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE, + OPT_PSK_IDENTITY, OPT_PSK, OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, + OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, + OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, + OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, + OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_KRB5SVC, + OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, + OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, + OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, + OPT_V_ENUM, + OPT_X_ENUM, + OPT_S_ENUM, + OPT_FALLBACKSCSV +} OPTION_CHOICE; + +OPTIONS s_client_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"host", OPT_HOST, 's', "Use -connect instead"}, + {"port", OPT_PORT, 'p', "Use -connect instead"}, + {"connect", OPT_CONNECT, 's', + "TCP/IP where to connect (default is " SSL_HOST_NAME ":" PORT_STR ")"}, + {"unix", OPT_UNIX, 's', "Connect over unix domain sockets"}, + {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, + {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, + {"certform", OPT_CERTFORM, 'F', + "Certificate format (PEM or DER) PEM default"}, + {"key", OPT_KEY, '<', "Private key file to use, if not in -cert file"}, + 
{"keyform", OPT_KEYFORM, 'F', "Key format (PEM or DER) PEM default"}, + {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"reconnect", OPT_RECONNECT, '-', + "Drop and re-make the connection with the same Session-ID"}, + {"pause", OPT_PAUSE, '-', "Sleep after each read and write system call"}, + {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"debug", OPT_DEBUG, '-', "Extra output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>'}, + {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"}, + {"state", OPT_STATE, '-', "Print the ssl states"}, + {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, + {"quiet", OPT_QUIET, '-', "No s_client output"}, + {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, + {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"}, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, +#endif + {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, + {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, + {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, + {"dtls", OPT_DTLS, '-'}, + {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, + {"dtls1_2", OPT_DTLS1_2, '-'}, + {"timeout", OPT_TIMEOUT, '-'}, + {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, + {"starttls", OPT_STARTTLS, 's', + "Use the STARTTLS command before starting TLS"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, + {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, + {"use_srtp", OPT_USE_SRTP, '<', + "Offer SRTP key management with a colon-separated profile list"}, + {"keymatexport", OPT_KEYMATEXPORT, 's', + "Export keying material using label"}, + {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', + "Export len bytes of keying material 
(default 20)"}, + {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, +#ifdef WATT32 + {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, +#endif +#ifdef FIONBIO + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, +#endif +#ifndef OPENSSL_NO_PSK + {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, + {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, +# ifndef OPENSSL_NO_JPAKE + {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, +# endif +#endif +#ifndef OPENSSL_NO_KRB5 + {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, +#endif +#ifndef OPENSSL_NO_SRP + {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"}, + {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, + {"srp_lateuser", OPT_SRP_LATEUSER, '-', + "SRP username into second ClientHello message"}, + {"srp_moregroups", OPT_SRP_MOREGROUPS, '-', + "Tolerate other than the known g N values."}, + {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"}, +#endif +#ifndef OPENSSL_NO_TLSEXT + {"servername", OPT_SERVERNAME, 's', + "Set TLS extension servername in ClientHello"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions received"}, + {"status", OPT_STATUS, '-', "Request certificate status from server"}, + {"serverinfo", OPT_SERVERINFO, 's', + "types Send empty ClientHello extensions (comma-separated numbers)"}, + {"alpn", OPT_ALPN, 's', + "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, +# ifndef OPENSSL_NO_NEXTPROTONEG + {"nextprotoneg", OPT_NEXTPROTONEG, 's', + "Enable NPN extension, considering named protocols supported (comma-separated list)"}, +# endif +#endif + {"CRL", OPT_CRL, '<'}, + {"crl_download", OPT_CRL_DOWNLOAD, '-'}, + {"CRLform", OPT_CRLFORM, 'F'}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, + {"verify_quiet", OPT_VERIFY_QUIET, '-'}, + {"brief", OPT_BRIEF, '-'}, + {"prexit", OPT_PREXIT, '-'}, + {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, + {"trace", OPT_TRACE, 
'-'}, + {"security_debug", OPT_SECURITY_DEBUG, '-'}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, + {"cert_chain", OPT_CERT_CHAIN, '<'}, + {"chainCApath", OPT_CHAINCAPATH, '/'}, + {"verifyCApath", OPT_VERIFYCAPATH, '/'}, + {"build_chain", OPT_BUILD_CHAIN, '-'}, + {"chainCAfile", OPT_CHAINCAFILE, '<'}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, + {NULL} +}; + +typedef enum PROTOCOL_choice { + PROTO_OFF, PROTO_SMTP, PROTO_POP3, PROTO_IMAP, PROTO_FTP, PROTO_XMPP +} PROTOCOL_CHOICE; + +static OPT_PAIR services[] = { + {"smtp", PROTO_SMTP}, + {"pop3", PROTO_POP3}, + {"imap", PROTO_IMAP}, + {"ftp", PROTO_FTP}, + {"xmpp", PROTO_XMPP}, + {NULL} }; -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +int s_client_main(int argc, char **argv) { - int build_chain = 0; - SSL *con = NULL; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; -#endif - int s, k, width, state = 0; - char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL; - int cbuf_len, cbuf_off; - int sbuf_len, sbuf_off; - fd_set readfds, writefds; - short port = PORT; - int full_log = 1; - char *host = SSL_HOST_NAME; - const char *unix_path = NULL; - char *xmpphost = NULL; - char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; - int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; - char *passarg = NULL, *pass = NULL; - X509 *cert = NULL; + BIO *sbio; EVP_PKEY *key = NULL; - STACK_OF(X509) *chain = NULL; - char *CApath = NULL, *CAfile = NULL; - char *chCApath = NULL, *chCAfile = NULL; - char *vfyCApath = NULL, *vfyCAfile = NULL; - int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE; - int crlf = 0; - int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; + SSL *con = NULL; SSL_CTX *ctx = NULL; - int ret = 1, in_init = 1, i, nbio_test = 0; - int starttls_proto = PROTO_OFF; - int prexit = 0; + STACK_OF(X509) *chain = NULL; + 
X509 *cert = NULL; X509_VERIFY_PARAM *vpm = NULL; - int badarg = 0; - const SSL_METHOD *meth = NULL; - int socket_type = SOCK_STREAM; - BIO *sbio; - char *inrand = NULL; - int mbuf_len = 0; + SSL_EXCERT *exc = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + STACK_OF(X509_CRL) *crls = NULL; + const SSL_METHOD *meth = SSLv23_client_method(); + char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL, *mbuf = + NULL; + char *cert_file = NULL, *key_file = NULL, *chain_file = NULL, *prog; + char *chCApath = NULL, *chCAfile = NULL, *host = SSL_HOST_NAME, *inrand = + NULL; + char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; + char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; + char *engine_id = NULL, *ssl_client_engine_id = NULL; + char *jpake_secret = NULL; + const char *unix_path = NULL; + struct sockaddr peer; struct timeval timeout, *timeoutp; + fd_set readfds, writefds; + int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; + int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; + int prexit = 0; + int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer; + int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; + int ret = 1, in_init = 1, i, nbio_test = 0, s, k, width, state = 0; + int sbuf_len, sbuf_off, socket_type = SOCK_STREAM; + int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; + int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; + int fallback_scsv = 0; + long socket_mtu = 0, randamt = 0; + unsigned short port = PORT; + OPTION_CHOICE o; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; + const char *krb5svc = NULL; +#endif #ifndef OPENSSL_NO_ENGINE - char *engine_id = NULL; - char *ssl_client_engine_id = NULL; ENGINE *ssl_client_engine = NULL; -#endif ENGINE *e = NULL; +#endif #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif #ifndef 
OPENSSL_NO_TLSEXT char *servername = NULL; + const char *alpn_in = NULL; tlsextctx tlsextcbp = { NULL, 0 }; +# define MAX_SI_TYPES 100 + unsigned short serverinfo_types[MAX_SI_TYPES]; + int serverinfo_count = 0, start = 0, len; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; # endif - const char *alpn_in = NULL; -# define MAX_SI_TYPES 100 - unsigned short serverinfo_types[MAX_SI_TYPES]; - int serverinfo_types_count = 0; -#endif - char *sess_in = NULL; - char *sess_out = NULL; - struct sockaddr peer; - int peerlen = sizeof(peer); - int fallback_scsv = 0; - int enable_timeouts = 0; - long socket_mtu = 0; -#ifndef OPENSSL_NO_JPAKE - static char *jpake_secret = NULL; -# define no_jpake !jpake_secret -#else -# define no_jpake 1 #endif #ifndef OPENSSL_NO_SRP char *srppass = NULL; int srp_lateuser = 0; SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 }; #endif - SSL_EXCERT *exc = NULL; - - SSL_CONF_CTX *cctx = NULL; - STACK_OF(OPENSSL_STRING) *ssl_args = NULL; - - char *crl_file = NULL; - int crl_format = FORMAT_PEM; - int crl_download = 0; - STACK_OF(X509_CRL) *crls = NULL; - int sdebug = 0; - - meth = SSLv23_client_method(); - apps_startup(); + prog = opt_progname(argv[0]); c_Pause = 0; c_quiet = 0; c_ign_eof = 0; c_debug = 0; c_msg = 0; c_showcerts = 0; - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; + c_nbio = 0; + verify_depth = 0; + verify_error = X509_V_OK; + vpm = X509_VERIFY_PARAM_new(); + cbuf = OPENSSL_malloc(BUFSIZZ); + sbuf = OPENSSL_malloc(BUFSIZZ); + mbuf = OPENSSL_malloc(BUFSIZZ); cctx = SSL_CONF_CTX_new(); - if (!cctx) - goto end; - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); - if (((cbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) || - ((sbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) || - ((mbuf = OPENSSL_malloc(BUFSIZZ)) == NULL)) { - BIO_printf(bio_err, "out of memory\n"); + if (vpm == NULL || cctx == NULL + || 
cbuf == NULL || sbuf == NULL || mbuf == NULL) { + BIO_printf(bio_err, "%s: out of memory\n", prog); goto end; } - verify_depth = 0; - verify_error = X509_V_OK; -#ifdef FIONBIO - c_nbio = 0; -#endif + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_CMDLINE); - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-host") == 0) { - if (--argc < 1) - goto bad; - host = *(++argv); - } else if (strcmp(*argv, "-port") == 0) { - if (--argc < 1) - goto bad; - port = atoi(*(++argv)); - if (port == 0) - goto bad; - } else if (strcmp(*argv, "-connect") == 0) { - if (--argc < 1) - goto bad; - if (!extract_host_port(*(++argv), &host, NULL, &port)) - goto bad; - } else if (strcmp(*argv, "-unix") == 0) { - if (--argc < 1) - goto bad; - unix_path = *(++argv); - } else if (strcmp(*argv, "-xmpphost") == 0) { - if (--argc < 1) - goto bad; - xmpphost = *(++argv); - } else if (strcmp(*argv, "-verify") == 0) { + prog = opt_init(argc, argv, s_client_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { +#ifndef WATT32 + case OPT_WDEBUG: +#endif +#ifdef OPENSSL_NO_JPAKE + case OPT_JPAKE: +#endif +#ifdef OPENSSL_NO_SSL_TRACE + case OPT_TRACE: +#endif + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_client_options); + ret = 0; + goto end; + case OPT_HOST: + host = opt_arg(); + break; + case OPT_PORT: + port = atoi(opt_arg()); + break; + case OPT_CONNECT: + if (!extract_host_port(opt_arg(), &host, NULL, &port)) + goto end; + break; + case OPT_UNIX: + unix_path = opt_arg(); + break; + case OPT_VERIFY: verify = SSL_VERIFY_PEER; - if (--argc < 1) - goto bad; - verify_depth = atoi(*(++argv)); + verify_depth = atoi(opt_arg()); if (!c_quiet) BIO_printf(bio_err, "verify depth is %d\n", verify_depth); - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - cert_file = *(++argv); - } else if (strcmp(*argv, "-CRL") == 0) { - if (--argc < 1) - goto 
bad; - crl_file = *(++argv); - } else if (strcmp(*argv, "-crl_download") == 0) + break; + case OPT_CERT: + cert_file = opt_arg(); + break; + case OPT_CRL: + crl_file = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: crl_download = 1; - else if (strcmp(*argv, "-sess_out") == 0) { - if (--argc < 1) - goto bad; - sess_out = *(++argv); - } else if (strcmp(*argv, "-sess_in") == 0) { - if (--argc < 1) - goto bad; - sess_in = *(++argv); - } else if (strcmp(*argv, "-certform") == 0) { - if (--argc < 1) - goto bad; - cert_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-CRLform") == 0) { - if (--argc < 1) - goto bad; - crl_format = str2fmt(*(++argv)); - } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - if (badarg) - goto bad; - continue; - } else if (strcmp(*argv, "-verify_return_error") == 0) + break; + case OPT_SESS_OUT: + sess_out = opt_arg(); + break; + case OPT_SESS_IN: + sess_in = opt_arg(); + break; + case OPT_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format)) + goto opthelp; + break; + case OPT_CRLFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format)) + goto opthelp; + break; + case OPT_VERIFY_RET_ERROR: verify_return_error = 1; - else if (strcmp(*argv, "-verify_quiet") == 0) - verify_quiet = 1; - else if (strcmp(*argv, "-brief") == 0) { - c_brief = 1; + break; + case OPT_VERIFY_QUIET: verify_quiet = 1; - c_quiet = 1; - } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { - if (badarg) - goto bad; - continue; - } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) { - if (badarg) - goto bad; - continue; - } else if (strcmp(*argv, "-prexit") == 0) + break; + case OPT_BRIEF: + c_brief = verify_quiet = c_quiet = 1; + break; + case OPT_S_CASES: + if (ssl_args == NULL) + ssl_args = sk_OPENSSL_STRING_new_null(); + if (ssl_args == NULL + || !sk_OPENSSL_STRING_push(ssl_args, opt_flag()) + || !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", 
prog); + goto end; + } + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_X_CASES: + if (!args_excert(o, &exc)) + goto end; + break; + case OPT_PREXIT: prexit = 1; - else if (strcmp(*argv, "-crlf") == 0) + break; + case OPT_CRLF: crlf = 1; - else if (strcmp(*argv, "-quiet") == 0) { - c_quiet = 1; - c_ign_eof = 1; - } else if (strcmp(*argv, "-ign_eof") == 0) + break; + case OPT_QUIET: + c_quiet = c_ign_eof = 1; + break; + case OPT_NBIO: + c_nbio = 1; + break; + case OPT_KRB5SVC: +#ifndef OPENSSL_NO_KRB5 + krb5svc = opt_arg(); +#endif + break; + case OPT_ENGINE: + engine_id = opt_arg(); + break; + case OPT_SSL_CLIENT_ENGINE: + ssl_client_engine_id = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_IGN_EOF: c_ign_eof = 1; - else if (strcmp(*argv, "-no_ign_eof") == 0) + break; + case OPT_NO_IGN_EOF: c_ign_eof = 0; - else if (strcmp(*argv, "-pause") == 0) + break; + case OPT_PAUSE: c_Pause = 1; - else if (strcmp(*argv, "-debug") == 0) + break; + case OPT_DEBUG: c_debug = 1; + break; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv, "-tlsextdebug") == 0) + case OPT_TLSEXTDEBUG: c_tlsextdebug = 1; - else if (strcmp(*argv, "-status") == 0) + break; + case OPT_STATUS: c_status_req = 1; + break; #endif #ifdef WATT32 - else if (strcmp(*argv, "-wdebug") == 0) + case OPT_WDEBUG: dbug_init(); + break; #endif - else if (strcmp(*argv, "-msg") == 0) + case OPT_MSG: c_msg = 1; - else if (strcmp(*argv, "-msgfile") == 0) { - if (--argc < 1) - goto bad; - bio_c_msg = BIO_new_file(*(++argv), "w"); - } + break; + case OPT_MSGFILE: + bio_c_msg = BIO_new_file(opt_arg(), "w"); + break; #ifndef OPENSSL_NO_SSL_TRACE - else if (strcmp(*argv, "-trace") == 0) + case OPT_TRACE: c_msg = 2; + break; #endif - else if (strcmp(*argv, "-security_debug") == 0) { + case OPT_SECURITY_DEBUG: sdebug = 1; - } else if (strcmp(*argv, "-security_debug_verbose") == 0) { + break; + case OPT_SECURITY_DEBUG_VERBOSE: sdebug = 2; - } 
else if (strcmp(*argv, "-showcerts") == 0) + break; + case OPT_SHOWCERTS: c_showcerts = 1; - else if (strcmp(*argv, "-nbio_test") == 0) + break; + case OPT_NBIO_TEST: nbio_test = 1; - else if (strcmp(*argv, "-state") == 0) + break; + case OPT_STATE: state = 1; + break; #ifndef OPENSSL_NO_PSK - else if (strcmp(*argv, "-psk_identity") == 0) { - if (--argc < 1) - goto bad; - psk_identity = *(++argv); - } else if (strcmp(*argv, "-psk") == 0) { - size_t j; - - if (--argc < 1) - goto bad; - psk_key = *(++argv); - for (j = 0; j < strlen(psk_key); j++) { - if (isxdigit((unsigned char)psk_key[j])) + case OPT_PSK_IDENTITY: + psk_identity = opt_arg(); + break; + case OPT_PSK: + for (p = psk_key = opt_arg(); *p; p++) { + if (isxdigit(*p)) continue; - BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); - goto bad; + BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key); + goto end; } - } + break; #endif #ifndef OPENSSL_NO_SRP - else if (strcmp(*argv, "-srpuser") == 0) { - if (--argc < 1) - goto bad; - srp_arg.srplogin = *(++argv); + case OPT_SRPUSER: + srp_arg.srplogin = opt_arg(); meth = TLSv1_client_method(); - } else if (strcmp(*argv, "-srppass") == 0) { - if (--argc < 1) - goto bad; - srppass = *(++argv); + break; + case OPT_SRPPASS: + srppass = opt_arg(); meth = TLSv1_client_method(); - } else if (strcmp(*argv, "-srp_strength") == 0) { - if (--argc < 1) - goto bad; - srp_arg.strength = atoi(*(++argv)); + break; + case OPT_SRP_STRENGTH: + srp_arg.strength = atoi(opt_arg()); BIO_printf(bio_err, "SRP minimal length for N is %d\n", srp_arg.strength); meth = TLSv1_client_method(); - } else if (strcmp(*argv, "-srp_lateuser") == 0) { + break; + case OPT_SRP_LATEUSER: srp_lateuser = 1; meth = TLSv1_client_method(); - } else if (strcmp(*argv, "-srp_moregroups") == 0) { + break; + case OPT_SRP_MOREGROUPS: srp_arg.amp = 1; meth = TLSv1_client_method(); - } + break; #endif -#ifndef OPENSSL_NO_SSL3_METHOD - else if (strcmp(*argv, "-ssl3") == 0) +#ifndef OPENSSL_NO_SSL3 + case 
OPT_SSL3: meth = SSLv3_client_method(); + break; #endif - else if (strcmp(*argv, "-tls1_2") == 0) + case OPT_TLS1_2: meth = TLSv1_2_client_method(); - else if (strcmp(*argv, "-tls1_1") == 0) + break; + case OPT_TLS1_1: meth = TLSv1_1_client_method(); - else if (strcmp(*argv, "-tls1") == 0) + break; + case OPT_TLS1: meth = TLSv1_client_method(); + break; #ifndef OPENSSL_NO_DTLS1 - else if (strcmp(*argv, "-dtls") == 0) { + case OPT_DTLS: meth = DTLS_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-dtls1") == 0) { + break; + case OPT_DTLS1: meth = DTLSv1_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-dtls1_2") == 0) { + break; + case OPT_DTLS1_2: meth = DTLSv1_2_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-timeout") == 0) + break; + case OPT_TIMEOUT: enable_timeouts = 1; - else if (strcmp(*argv, "-mtu") == 0) { - if (--argc < 1) - goto bad; - socket_mtu = atol(*(++argv)); - } + break; + case OPT_MTU: + socket_mtu = atol(opt_arg()); + break; #endif - else if (strcmp(*argv, "-fallback_scsv") == 0) { + case OPT_FALLBACKSCSV: fallback_scsv = 1; - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - key_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-pass") == 0) { - if (--argc < 1) - goto bad; - passarg = *(++argv); - } else if (strcmp(*argv, "-cert_chain") == 0) { - if (--argc < 1) - goto bad; - chain_file = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - key_file = *(++argv); - } else if (strcmp(*argv, "-reconnect") == 0) { + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &key_format)) + goto opthelp; + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_CERT_CHAIN: + chain_file = opt_arg(); + break; + case OPT_KEY: + key_file = opt_arg(); + break; + case OPT_RECONNECT: reconnect = 5; - } else if (strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath = *(++argv); - } 
else if (strcmp(*argv, "-chainCApath") == 0) { - if (--argc < 1) - goto bad; - chCApath = *(++argv); - } else if (strcmp(*argv, "-verifyCApath") == 0) { - if (--argc < 1) - goto bad; - vfyCApath = *(++argv); - } else if (strcmp(*argv, "-build_chain") == 0) + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CHAINCAPATH: + chCApath = opt_arg(); + break; + case OPT_VERIFYCAPATH: + vfyCApath = opt_arg(); + break; + case OPT_BUILD_CHAIN: build_chain = 1; - else if (strcmp(*argv, "-CAfile") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); - } else if (strcmp(*argv, "-chainCAfile") == 0) { - if (--argc < 1) - goto bad; - chCAfile = *(++argv); - } else if (strcmp(*argv, "-verifyCAfile") == 0) { - if (--argc < 1) - goto bad; - vfyCAfile = *(++argv); - } + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CHAINCAFILE: + chCAfile = opt_arg(); + break; + case OPT_VERIFYCAFILE: + vfyCAfile = opt_arg(); + break; #ifndef OPENSSL_NO_TLSEXT -# ifndef OPENSSL_NO_NEXTPROTONEG - else if (strcmp(*argv, "-nextprotoneg") == 0) { - if (--argc < 1) - goto bad; - next_proto_neg_in = *(++argv); - } -# endif - else if (strcmp(*argv, "-alpn") == 0) { - if (--argc < 1) - goto bad; - alpn_in = *(++argv); - } else if (strcmp(*argv, "-serverinfo") == 0) { - char *c; - int start = 0; - int len; - - if (--argc < 1) - goto bad; - c = *(++argv); - serverinfo_types_count = 0; - len = strlen(c); - for (i = 0; i <= len; ++i) { - if (i == len || c[i] == ',') { - serverinfo_types[serverinfo_types_count] - = atoi(c + start); - serverinfo_types_count++; + case OPT_NEXTPROTONEG: + next_proto_neg_in = opt_arg(); + break; + case OPT_ALPN: + alpn_in = opt_arg(); + break; + case OPT_SERVERINFO: + p = opt_arg(); + len = strlen(p); + for (start = 0, i = 0; i <= len; ++i) { + if (i == len || p[i] == ',') { + serverinfo_types[serverinfo_count] = atoi(p + start); + if (++serverinfo_count == MAX_SI_TYPES) + break; start = i + 1; } - if (serverinfo_types_count == 
MAX_SI_TYPES) - break; } - } -#endif -#ifdef FIONBIO - else if (strcmp(*argv, "-nbio") == 0) { - c_nbio = 1; - } -#endif - else if (strcmp(*argv, "-starttls") == 0) { - if (--argc < 1) - goto bad; - ++argv; - if (strcmp(*argv, "smtp") == 0) - starttls_proto = PROTO_SMTP; - else if (strcmp(*argv, "pop3") == 0) - starttls_proto = PROTO_POP3; - else if (strcmp(*argv, "imap") == 0) - starttls_proto = PROTO_IMAP; - else if (strcmp(*argv, "ftp") == 0) - starttls_proto = PROTO_FTP; - else if (strcmp(*argv, "xmpp") == 0) - starttls_proto = PROTO_XMPP; - else - goto bad; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine_id = *(++argv); - } else if (strcmp(*argv, "-ssl_client_engine") == 0) { - if (--argc < 1) - goto bad; - ssl_client_engine_id = *(++argv); - } + break; #endif - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } + case OPT_STARTTLS: + if (!opt_pair(opt_arg(), services, &starttls_proto)) + goto end; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv, "-servername") == 0) { - if (--argc < 1) - goto bad; - servername = *(++argv); + case OPT_SERVERNAME: + servername = opt_arg(); /* meth=TLSv1_client_method(); */ - } + break; #endif #ifndef OPENSSL_NO_JPAKE - else if (strcmp(*argv, "-jpake") == 0) { - if (--argc < 1) - goto bad; - jpake_secret = *++argv; - } -#endif -#ifndef OPENSSL_NO_SRTP - else if (strcmp(*argv, "-use_srtp") == 0) { - if (--argc < 1) - goto bad; - srtp_profiles = *(++argv); - } + case OPT_JPAKE: + jpake_secret = opt_arg(); + break; #endif - else if (strcmp(*argv, "-keymatexport") == 0) { - if (--argc < 1) - goto bad; - keymatexportlabel = *(++argv); - } else if (strcmp(*argv, "-keymatexportlen") == 0) { - if (--argc < 1) - goto bad; - keymatexportlen = atoi(*(++argv)); - if (keymatexportlen == 0) - goto bad; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; + case OPT_USE_SRTP: + srtp_profiles = opt_arg(); + 
break; + case OPT_KEYMATEXPORT: + keymatexportlabel = opt_arg(); + break; + case OPT_KEYMATEXPORTLEN: + keymatexportlen = atoi(opt_arg()); break; } - argc--; - argv++; - } - if (badop) { - bad: - sc_usage(); - goto end; } + argc = opt_num_rest(); + argv = opt_rest(); if (unix_path && (socket_type != SOCK_STREAM)) { BIO_printf(bio_err, @@ -1142,9 +1062,6 @@ int MAIN(int argc, char **argv) } #endif - OpenSSL_add_ssl_algorithms(); - SSL_load_error_strings(); - #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) next_proto.status = -1; if (next_proto_neg_in) { @@ -1159,16 +1076,17 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine_id, 1); + e = setup_engine(engine_id, 1); if (ssl_client_engine_id) { ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); - if (!ssl_client_engine) { + if (ssl_client_engine == NULL) { BIO_printf(bio_err, "Error getting client auth engine\n"); goto end; } } #endif - if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { + + if (!app_passwd(passarg, NULL, &pass, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } @@ -1177,28 +1095,25 @@ int MAIN(int argc, char **argv) key_file = cert_file; if (key_file) { - - key = load_key(bio_err, key_file, key_format, 0, pass, e, + key = load_key(key_file, key_format, 0, pass, e, "client certificate private key file"); - if (!key) { + if (key == NULL) { ERR_print_errors(bio_err); goto end; } - } if (cert_file) { - cert = load_cert(bio_err, cert_file, cert_format, + cert = load_cert(cert_file, cert_format, NULL, e, "client certificate file"); - - if (!cert) { + if (cert == NULL) { ERR_print_errors(bio_err); goto end; } } if (chain_file) { - chain = load_certs(bio_err, chain_file, FORMAT_PEM, + chain = load_certs(chain_file, FORMAT_PEM, NULL, e, "client certificate chain"); if (!chain) goto end; 
@@ -1207,13 +1122,13 @@ int MAIN(int argc, char **argv) if (crl_file) { X509_CRL *crl; crl = load_crl(crl_file, crl_format); - if (!crl) { + if (crl == NULL) { BIO_puts(bio_err, "Error loading CRL\n"); ERR_print_errors(bio_err); goto end; } crls = sk_X509_CRL_new_null(); - if (!crls || !sk_X509_CRL_push(crls, crl)) { + if (crls == NULL || !sk_X509_CRL_push(crls, crl)) { BIO_puts(bio_err, "Error adding CRL\n"); ERR_print_errors(bio_err); X509_CRL_free(crl); @@ -1221,30 +1136,29 @@ int MAIN(int argc, char **argv) } } - if (!load_excert(&exc, bio_err)) + if (!load_excert(&exc)) goto end; - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + if (!app_RAND_load_file(NULL, 1) && inrand == NULL && !RAND_status()) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); } - if (inrand != NULL) - BIO_printf(bio_err, "%ld semi-random bytes loaded\n", - app_RAND_load_files(inrand)); + if (inrand != NULL) { + randamt = app_RAND_load_files(inrand); + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", randamt); + } if (bio_c_out == NULL) { if (c_quiet && !c_debug) { bio_c_out = BIO_new(BIO_s_null()); if (c_msg && !bio_c_msg) - bio_c_msg = BIO_new_fp(stdout, BIO_NOCLOSE); - } else { - if (bio_c_out == NULL) - bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE); - } + bio_c_msg = dup_bio_out(); + } else if (bio_c_out == NULL) + bio_c_out = dup_bio_out(); } #ifndef OPENSSL_NO_SRP - if (!app_passwd(bio_err, srppass, NULL, &srp_arg.srppassin, NULL)) { + if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } 
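Review bot: The `else if (bio_c_out == NULL)` branch in the bio_c_out setup repeats the test of the enclosing `if (bio_c_out == NULL)`, so it is always true there and only hides that there are exactly two cases. A plain `} else {` followed by `bio_c_out = dup_bio_out();` behaves identically and reads more clearly. Neither `BIO_new(BIO_s_null())` nor `dup_bio_out()` is checked for NULL in this hunk; if no later code checks them (not visible here), a failed allocation would only show up when the NULL BIO is first written to. The enclosing function starts and ends outside the hunk.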
@@ -1259,16 +1173,14 @@ int MAIN(int argc, char **argv) if (sdebug) ssl_ctx_security_debug(ctx, bio_err, sdebug); - if (vpm && !SSL_CTX_set1_param(ctx, vpm)) { + if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); ERR_print_errors(bio_err); goto end; } - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) { - ERR_print_errors(bio_err); + if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL)) goto end; - } if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls, crl_download)) { @@ -1289,12 +1201,7 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_PSK -# ifdef OPENSSL_NO_JPAKE - if (psk_key != NULL) -# else - if (psk_key != NULL || jpake_secret) -# endif - { + if (psk_key != NULL || jpake_secret) { if (c_debug) BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); @@ -1303,14 +1210,15 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) { - /* Returns 0 on success!! */ - if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { + /* Returns 0 on success! */ + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) { BIO_printf(bio_err, "Error setting SRTP profile\n"); ERR_print_errors(bio_err); goto end; } } #endif + if (exc) ssl_ctx_set_excert(ctx, exc); 
@@ -1327,22 +1235,23 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Error parsing -alpn argument\n"); goto end; } - /* Returns 0 on success!! */ - if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len)) { - BIO_printf(bio_err, "Error setting ALPN\n"); + /* Returns 0 on success! */ + if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) { + BIO_printf(bio_err, "Error setting ALPN\n"); goto end; } OPENSSL_free(alpn); } #endif #ifndef OPENSSL_NO_TLSEXT - for (i = 0; i < serverinfo_types_count; i++) { + for (i = 0; i < serverinfo_count; i++) { if (!SSL_CTX_add_client_custom_ext(ctx, - serverinfo_types[i], - NULL, NULL, NULL, - serverinfo_cli_parse_cb, NULL)) { - BIO_printf(bio_err, "Warning: Unable to add custom extension %u. " - "Skipping\n", serverinfo_types[i]); + serverinfo_types[i], + NULL, NULL, NULL, + serverinfo_cli_parse_cb, NULL)) { + BIO_printf(bio_err, + "Warning: Unable to add custom extension %u, skipping\n", + serverinfo_types[i]); } } #endif @@ -1352,12 +1261,9 @@ int MAIN(int argc, char **argv) SSL_CTX_set_verify(ctx, verify, verify_callback); - if ((CAfile || CApath) - && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { - ERR_print_errors(bio_err); - } - if (!SSL_CTX_set_default_verify_paths(ctx)) { + if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); + goto end; } ssl_ctx_add_crls(ctx, crls, crl_download); @@ -1429,6 +1335,8 @@ int MAIN(int argc, char **argv) if (con && (kctx = kssl_ctx_new()) != NULL) { SSL_set0_kssl_ctx(con, kctx); kssl_ctx_setstring(kctx, KSSL_SERVER, host); + if (krb5svc) + kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc); } #endif /* OPENSSL_NO_KRB5 */ 
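Review bot: The error branch after `SSL_CTX_set_alpn_protos()` jumps to `end` before `OPENSSL_free(alpn);` runs, so the encoded protocol list is leaked on that path. The exception would be cleanup at `end` that frees it, which is not visible here and seems unlikely if `alpn` is local to this block. Moving the release ahead of the jump fixes it: put `OPENSSL_free(alpn);` immediately before `goto end;` inside the braces. The block that declares `alpn` begins outside the hunk.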
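Review bot: The new `goto end` after a failed `ctx_set_verify_locations()` has no comment, although it changes what an unreadable -CAfile or -CApath does. The removed code printed the error queue and carried on with the connection; the new code stops. A one-line comment such as `/* Fail closed: do not connect without the requested trust anchors */` would mark this as intentional for anyone comparing it with the old behaviour. Whether the default verify paths are still loaded depends on `ctx_set_verify_locations()`, which is defined outside this hunk.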
@@ -1554,111 +1462,131 @@ int MAIN(int argc, char **argv) sbuf_len = 0; sbuf_off = 0; - /* This is an ugly hack that does a lot of assumptions */ - /* - * We do have to handle multi-line responses which may come in a single - * packet or not. We therefore have to use BIO_gets() which does need a - * buffering BIO. So during the initial chitchat we do push a buffering - * BIO into the chain that is removed again later on to not disturb the - * rest of the s_client operation. - */ - if (starttls_proto == PROTO_SMTP) { - int foundit = 0; - BIO *fbio = BIO_new(BIO_f_buffer()); - BIO_push(fbio, sbio); - /* wait for multi-line response to end from SMTP */ - do { - mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + switch ((PROTOCOL_CHOICE) starttls_proto) { + case PROTO_OFF: + break; + case PROTO_SMTP: + { + /* + * This is an ugly hack that does a lot of assumptions. We do + * have to handle multi-line responses which may come in a single + * packet or not. We therefore have to use BIO_gets() which does + * need a buffering BIO. So during the initial chitchat we do + * push a buffering BIO into the chain that is removed again + * later on to not disturb the rest of the s_client operation. 
+ */ + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + } + while (mbuf_len > 3 && mbuf[3] == '-'); + BIO_printf(fbio, "EHLO openssl.client.net\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (strstr(mbuf, "STARTTLS")) + foundit = 1; + } + while (mbuf_len > 3 && mbuf[3] == '-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found starttls in server response," + " try anyway...\n"); + BIO_printf(sbio, "STARTTLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); } - while (mbuf_len > 3 && mbuf[3] == '-'); - /* STARTTLS command requires EHLO... */ - BIO_printf(fbio, "EHLO openssl.client.net\r\n"); - (void)BIO_flush(fbio); - /* wait for multi-line response to end EHLO SMTP response */ - do { - mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); - if (strstr(mbuf, "STARTTLS")) - foundit = 1; + break; + case PROTO_POP3: + { + BIO_read(sbio, mbuf, BUFSIZZ); + BIO_printf(sbio, "STLS\r\n"); + mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ); + if (mbuf_len < 0) { + BIO_printf(bio_err, "BIO_read failed\n"); + goto end; + } } - while (mbuf_len > 3 && mbuf[3] == '-'); - (void)BIO_flush(fbio); - BIO_pop(fbio); - BIO_free(fbio); - if (!foundit) - BIO_printf(bio_err, - "didn't found starttls in server response," - " try anyway...\n"); - BIO_printf(sbio, "STARTTLS\r\n"); - BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_POP3) { - BIO_read(sbio, mbuf, BUFSIZZ); - BIO_printf(sbio, "STLS\r\n"); - BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_IMAP) { - int foundit = 0; - BIO *fbio = BIO_new(BIO_f_buffer()); - BIO_push(fbio, sbio); - BIO_gets(fbio, mbuf, BUFSIZZ); - /* STARTTLS command requires CAPABILITY... */ - BIO_printf(fbio, ". 
CAPABILITY\r\n"); - (void)BIO_flush(fbio); - /* wait for multi-line CAPABILITY response */ - do { - mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); - if (strstr(mbuf, "STARTTLS")) - foundit = 1; + break; + case PROTO_IMAP: + { + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio, mbuf, BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio, ". CAPABILITY\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (strstr(mbuf, "STARTTLS")) + foundit = 1; + } + while (mbuf_len > 3 && mbuf[0] != '.'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't found STARTTLS in server response," + " try anyway...\n"); + BIO_printf(sbio, ". STARTTLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); } - while (mbuf_len > 3 && mbuf[0] != '.'); - (void)BIO_flush(fbio); - BIO_pop(fbio); - BIO_free(fbio); - if (!foundit) - BIO_printf(bio_err, - "didn't found STARTTLS in server response," - " try anyway...\n"); - BIO_printf(sbio, ". 
STARTTLS\r\n"); - BIO_read(sbio, sbuf, BUFSIZZ); - } else if (starttls_proto == PROTO_FTP) { - BIO *fbio = BIO_new(BIO_f_buffer()); - BIO_push(fbio, sbio); - /* wait for multi-line response to end from FTP */ - do { - mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + break; + case PROTO_FTP: + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + } + while (mbuf_len > 3 && mbuf[3] == '-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio, "AUTH TLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); } - while (mbuf_len > 3 && mbuf[3] == '-'); - (void)BIO_flush(fbio); - BIO_pop(fbio); - BIO_free(fbio); - BIO_printf(sbio, "AUTH TLS\r\n"); - BIO_read(sbio, sbuf, BUFSIZZ); - } - if (starttls_proto == PROTO_XMPP) { - int seen = 0; - BIO_printf(sbio, "", xmpphost ? - xmpphost : host); - seen = BIO_read(sbio, mbuf, BUFSIZZ); - mbuf[seen] = 0; - while (!strstr - (mbuf, "", + host); seen = BIO_read(sbio, mbuf, BUFSIZZ); + mbuf[seen] = 0; + while (!strstr + (mbuf, ""); + seen = BIO_read(sbio, sbuf, BUFSIZZ); + sbuf[seen] = 0; + if (!strstr(sbuf, ""); - seen = BIO_read(sbio, sbuf, BUFSIZZ); - sbuf[seen] = 0; - if (!strstr(sbuf, " HTTP/1.0' with file ./\n"); - BIO_printf(bio_err, - " -HTTP - Respond to a 'GET / HTTP/1.0' with file ./\n"); - BIO_printf(bio_err, - " with the assumption it contains a complete HTTP response.\n"); #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine id - Initialise and use the specified engine\n"); -#endif - BIO_printf(bio_err, - " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); -#ifndef OPENSSL_NO_TLSEXT - BIO_printf(bio_err, - " -servername host - servername for HostName TLS extension\n"); - BIO_printf(bio_err, - " -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); - 
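Review bot: In the XMPP case `seen = BIO_read(sbio, mbuf, BUFSIZZ);` is followed directly by `mbuf[seen] = 0;`, and the same pair repeats for `sbuf`. A failed read returns a negative value, so the store lands before the buffer; a full read of BUFSIZZ bytes writes one past the end if the buffers hold exactly BUFSIZZ bytes (their allocation is outside the hunk). The POP3 case in this same hunk already has the check to copy: read at most `BUFSIZZ - 1` bytes and add `if (seen < 0) { BIO_printf(bio_err, "BIO_read failed\n"); goto end; }` before each terminator store. The SMTP and IMAP loops have a related gap, because `strstr(mbuf, "STARTTLS")` runs on whatever `mbuf` held before when `BIO_gets()` returns no data. The surrounding function starts outside the hunk, and part of this hunk's text is damaged on the page.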
BIO_printf(bio_err, - " -cert2 arg - certificate file to use for servername\n"); - BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2); - BIO_printf(bio_err, - " -key2 arg - Private Key file to use for servername, in cert file if\n"); - BIO_printf(bio_err, " not specified (default is %s)\n", - TEST_CERT2); - BIO_printf(bio_err, - " -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err, - " -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err, - " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); -# ifndef OPENSSL_NO_NEXTPROTONEG - BIO_printf(bio_err, - " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); -# endif -# ifndef OPENSSL_NO_SRTP - BIO_printf(bio_err, - " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); -# endif - BIO_printf(bio_err, - " -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); + engine_id = NULL; #endif - BIO_printf(bio_err, - " -keymatexport label - Export keying material using label\n"); - BIO_printf(bio_err, - " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); - BIO_printf(bio_err, - " -status - respond to certificate status requests\n"); - BIO_printf(bio_err, - " -status_verbose - enable status request verbose printout\n"); - BIO_printf(bio_err, - " -status_timeout n - status request responder timeout\n"); - BIO_printf(bio_err, " -status_url URL - status request fallback URL\n"); } static int local_argc = 0; @@ -705,8 +514,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = num + num; /* double the size */ if (num < inl) num = inl; - wbuf = - (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); + wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); if (!wbuf) return 0; OPENSSL_free(b->ptr); 
@@ -807,11 +615,10 @@ typedef struct tlsextstatusctx_st { char *host, *path, *port; int use_ssl; int timeout; - BIO *err; int verbose; } tlsextstatusctx; -static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 }; +static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 }; /* * Certificate Status callback. This is called when a client includes a @@ -825,7 +632,6 @@ static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 }; static int cert_status_cb(SSL *s, void *arg) { tlsextstatusctx *srctx = arg; - BIO *err = srctx->err; char *host, *port, *path; int use_ssl; unsigned char *rspder = NULL; @@ -840,23 +646,24 @@ static int cert_status_cb(SSL *s, void *arg) STACK_OF(X509_EXTENSION) *exts; int ret = SSL_TLSEXT_ERR_NOACK; int i; + if (srctx->verbose) - BIO_puts(err, "cert_status: callback called\n"); + BIO_puts(bio_err, "cert_status: callback called\n"); /* Build up OCSP query from server certificate */ x = SSL_get_certificate(s); aia = X509_get1_ocsp(x); if (aia) { if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &host, &port, &path, &use_ssl)) { - BIO_puts(err, "cert_status: can't parse AIA URL\n"); + BIO_puts(bio_err, "cert_status: can't parse AIA URL\n"); goto err; } if (srctx->verbose) - BIO_printf(err, "cert_status: AIA URL: %s\n", + BIO_printf(bio_err, "cert_status: AIA URL: %s\n", sk_OPENSSL_STRING_value(aia, 0)); } else { if (!srctx->host) { - BIO_puts(srctx->err, + BIO_puts(bio_err, "cert_status: no AIA and no default responder URL\n"); goto done; } @@ -872,7 +679,7 @@ static int cert_status_cb(SSL *s, void *arg) goto err; if (X509_STORE_get_by_subject(&inctx, X509_LU_X509, X509_get_issuer_name(x), &obj) <= 0) { - BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n"); + BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); X509_STORE_CTX_cleanup(&inctx); goto done; } 
@@ -894,10 +701,10 @@ static int cert_status_cb(SSL *s, void *arg) if (!OCSP_REQUEST_add_ext(req, ext, -1)) goto err; } - resp = process_responder(err, req, host, path, port, use_ssl, NULL, + resp = process_responder(req, host, path, port, use_ssl, NULL, srctx->timeout); if (!resp) { - BIO_puts(err, "cert_status: error querying responder\n"); + BIO_puts(bio_err, "cert_status: error querying responder\n"); goto done; } rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); @@ -905,13 +712,13 @@ static int cert_status_cb(SSL *s, void *arg) goto err; SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); if (srctx->verbose) { - BIO_puts(err, "cert_status: ocsp response sent:\n"); - OCSP_RESPONSE_print(err, resp, 2); + BIO_puts(bio_err, "cert_status: ocsp response sent:\n"); + OCSP_RESPONSE_print(bio_err, resp, 2); } ret = SSL_TLSEXT_ERR_OK; done: if (ret != SSL_TLSEXT_ERR_OK) - ERR_print_errors(err); + ERR_print_errors(bio_err); if (aia) { OPENSSL_free(host); OPENSSL_free(path); @@ -995,14 +802,7 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) return is_forward_secure; } -int MAIN(int, char **); - -#ifndef OPENSSL_NO_JPAKE static char *jpake_secret = NULL; -# define no_jpake !jpake_secret -#else -# define no_jpake 1 -#endif #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; #endif 
@@ -1010,41 +810,214 @@ static srpsrvparm srp_callback_parm; static char *srtp_profiles = NULL; #endif -int MAIN(int argc, char *argv[]) +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT, + OPT_VERIFY, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL, + OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, + OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT, + OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT, + OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, + OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, + OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, + OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG, + OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, + OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, + OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET, + OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE, + OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, + OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, +#ifndef OPENSSL_NO_SSL3 + OPT_SSL3, +#endif + OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, + OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, + OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE, + OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, + OPT_S_ENUM, + OPT_V_ENUM, + OPT_X_ENUM +} OPTION_CHOICE; + +OPTIONS s_server_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + + {"port", OPT_PORT, 'p'}, + {"accept", OPT_PORT, 'p', + "TCP/IP port to accept on (default is " PORT_STR ")"}, + {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"}, + {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, + {"context", OPT_CONTEXT, 's', "Set session ID context"}, + {"verify", 
OPT_VERIFY, 'n', "Turn on peer certificate verification"}, + {"Verify", OPT_UPPER_V_VERIFY, 'n', + "Turn on peer certificate verification, must have a cert"}, + {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, + {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"}, +#ifndef OPENSSL_NO_TLSEXT + {"serverinfo", OPT_SERVERINFO, 's', + "PEM serverinfo file for certificate"}, +#endif + {"certform", OPT_CERTFORM, 'F', + "Certificate format (PEM or DER) PEM default"}, + {"key", OPT_KEY, '<', + "Private Key if not in -cert; default is " TEST_CERT}, + {"keyform", OPT_KEYFORM, 'f', + "Key format (PEM, DER or ENGINE) PEM default"}, + {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, + {"dcert", OPT_DCERT, '<', + "Second certificate file to use (usually for DSA)"}, + {"dcertform", OPT_DCERTFORM, 'F', + "Second certificate format (PEM or DER) PEM default"}, + {"dkey", OPT_DKEY, '<', + "Second private key file to use (usually for DSA)"}, + {"dkeyform", OPT_DKEYFORM, 'F', + "Second key format (PEM, DER or ENGINE) PEM default"}, + {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"}, +#ifdef FIONBIO + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, +#endif + {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"}, + {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, + {"debug", OPT_DEBUG, '-', "Print more output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>'}, + {"state", OPT_STATE, '-', "Print the SSL states"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, + {"quiet", OPT_QUIET, '-', "No server output"}, + {"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"}, +#ifndef OPENSSL_NO_PSK + {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, + {"psk", OPT_PSK, 's', "PSK in hex 
(without 0x)"}, +# ifndef OPENSSL_NO_JPAKE + {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, +# endif +#endif +#ifndef OPENSSL_NO_SRP + {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, + {"srpuserseed", OPT_SRPUSERSEED, 's', + "A seed string for a default user salt"}, +#endif +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, +#endif + {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, + {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, + {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, +#ifndef OPENSSL_NO_DTLS1 + {"dtls", OPT_DTLS, '-'}, + {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, + {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, + {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, + {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, + {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, +#endif +#ifndef OPENSSL_NO_DH + {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, +#endif +#ifndef OPENSSL_NO_EC + {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"}, +#endif + {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', + "Disable caching and tickets if ephemeral (EC)DH is used"}, + {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, + {"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"}, + {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path incluedes HTTP headers"}, + {"id_prefix", OPT_ID_PREFIX, 's', + "Generate SSL/TLS session IDs prefixed by arg"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, +#ifndef OPENSSL_NO_TLSEXT + {"servername", OPT_SERVERNAME, 's', + "Servername for HostName TLS extension"}, + {"servername_fatal", OPT_SERVERNAME_FATAL, '-', + "mismatch send fatal alert (default warning alert)"}, + {"cert2", OPT_CERT2, '<', + "Certificate file to use for servername; default is" TEST_CERT2}, + {"key2", OPT_KEY2, '<', + "-Private Key file to use for servername if not in -cert2"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions 
received"}, +# ifndef OPENSSL_NO_NEXTPROTONEG + {"nextprotoneg", OPT_NEXTPROTONEG, 's', + "Set the advertised protocols for the NPN extension (comma-separated list)"}, +# endif + {"use_srtp", OPT_SRTP_PROFILES, '<', + "Offer SRTP key management with a colon-separated profile list"}, + {"alpn", OPT_ALPN, 's', + "Set the advertised protocols for the ALPN extension (comma-separated list)"}, +#endif + {"keymatexport", OPT_KEYMATEXPORT, 's', + "Export keying material using label"}, + {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', + "Export len bytes of keying material (default 20)"}, + {"CRL", OPT_CRL, '<'}, + {"crl_download", OPT_CRL_DOWNLOAD, '-'}, + {"cert_chain", OPT_CERT_CHAIN, '<'}, + {"dcert_chain", OPT_DCERT_CHAIN, '<'}, + {"chainCApath", OPT_CHAINCAPATH, '/'}, + {"verifyCApath", OPT_VERIFYCAPATH, '/'}, + {"no_cache", OPT_NO_CACHE, '-'}, + {"ext_cache", OPT_EXT_CACHE, '-'}, + {"CRLform", OPT_CRLFORM, 'F'}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, + {"verify_quiet", OPT_VERIFY_QUIET, '-'}, + {"build_chain", OPT_BUILD_CHAIN, '-'}, + {"chainCAfile", OPT_CHAINCAFILE, '<'}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, + {"ign_eof", OPT_IGN_EOF, '-'}, + {"no_ign_eof", OPT_NO_IGN_EOF, '-'}, + {"status", OPT_STATUS, '-'}, + {"status_verbose", OPT_STATUS_VERBOSE, '-'}, + {"status_timeout", OPT_STATUS_TIMEOUT, 'n'}, + {"status_url", OPT_STATUS_URL, 's'}, + {"trace", OPT_TRACE, '-'}, + {"security_debug", OPT_SECURITY_DEBUG, '-'}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, + {"brief", OPT_BRIEF, '-'}, + {"rev", OPT_REV, '-'}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's'}, +#endif + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, + {NULL} +}; + +int s_server_main(int argc, char *argv[]) { + ENGINE *e = NULL; + EVP_PKEY *s_key = NULL, *s_dkey = NULL; + SSL_CONF_CTX *cctx = NULL; + const SSL_METHOD *meth = SSLv23_server_method(); + SSL_EXCERT *exc = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + STACK_OF(X509) *s_chain = NULL, 
*s_dchain = NULL; + STACK_OF(X509_CRL) *crls = NULL; + X509 *s_cert = NULL, *s_dcert = NULL; X509_VERIFY_PARAM *vpm = NULL; - int badarg = 0; - short port = PORT; + char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL; + char *dhfile = NULL, *dpassarg = NULL, *dpass = NULL, *inrand = NULL; + char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; + char *crl_file = NULL, *prog, *p; const char *unix_path = NULL; #ifndef NO_SYS_UN_H int unlink_unix_path = 0; #endif int (*server_cb) (char *hostname, int s, int stype, unsigned char *context); - char *CApath = NULL, *CAfile = NULL; - char *chCApath = NULL, *chCAfile = NULL; - char *vfyCApath = NULL, *vfyCAfile = NULL; - unsigned char *context = NULL; - char *dhfile = NULL; - int badop = 0; - int ret = 1; - int build_chain = 0; - int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0; - int state = 0; - const SSL_METHOD *meth = NULL; - int socket_type = SOCK_STREAM; - ENGINE *e = NULL; - char *inrand = NULL; + int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0; + int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0, ret = 1; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; - char *passarg = NULL, *pass = NULL; - char *dpassarg = NULL, *dpass = NULL; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; - X509 *s_cert = NULL, *s_dcert = NULL; - STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL; - EVP_PKEY *s_key = NULL, *s_dkey = NULL; - int no_cache = 0, ext_cache = 0; - int rev = 0, naccept = -1; - int sdebug = 0; + int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM; + int state = 0, crl_format = FORMAT_PEM, crl_download = 0; + unsigned short port = PORT; + unsigned char *context = NULL; + OPTION_CHOICE o; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; 
@@ -1064,449 +1037,394 @@ int MAIN(int argc, char *argv[]) char *srpuserseed = NULL; char *srp_verifier_file = NULL; #endif - SSL_EXCERT *exc = NULL; - SSL_CONF_CTX *cctx = NULL; - STACK_OF(OPENSSL_STRING) *ssl_args = NULL; - - char *crl_file = NULL; - int crl_format = FORMAT_PEM; - int crl_download = 0; - STACK_OF(X509_CRL) *crls = NULL; - - meth = SSLv23_server_method(); local_argc = argc; local_argv = argv; - apps_startup(); -#ifdef MONOLITH s_server_init(); -#endif - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - cctx = SSL_CONF_CTX_new(); - if (!cctx) + vpm = X509_VERIFY_PARAM_new(); + if (cctx == NULL || vpm == NULL) goto end; - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); - - verify_depth = 0; -#ifdef FIONBIO - s_nbio = 0; -#endif - s_nbio_test = 0; - - argc--; - argv++; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE); + + prog = opt_init(argc, argv, s_server_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_server_options); + ret = 0; + goto end; - while (argc >= 1) { - if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) { - if (--argc < 1) - goto bad; - if (!extract_port(*(++argv), &port)) - goto bad; - } else if (strcmp(*argv, "-unix") == 0) { + case OPT_PORT: + if (!extract_port(opt_arg(), &port)) + goto end; + break; + case OPT_UNIX: #ifdef NO_SYS_UN_H BIO_printf(bio_err, "unix domain sockets unsupported\n"); - goto bad; + goto end; #else - if (--argc < 1) - goto bad; - unix_path = *(++argv); + unix_path = opt_arg(); #endif - } else if (strcmp(*argv, "-unlink") == 0) { + break; + case OPT_UNLINK: #ifdef NO_SYS_UN_H BIO_printf(bio_err, "unix domain sockets unsupported\n"); - goto bad; + goto end; #else unlink_unix_path 
= 1; #endif - } else if (strcmp(*argv, "-naccept") == 0) { - if (--argc < 1) - goto bad; - naccept = atol(*(++argv)); - if (naccept <= 0) { - BIO_printf(bio_err, "bad accept value %s\n", *argv); - goto bad; - } - } else if (strcmp(*argv, "-verify") == 0) { + break; + case OPT_NACCEPT: + naccept = atol(opt_arg()); + break; + case OPT_VERIFY: s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; - if (--argc < 1) - goto bad; - verify_depth = atoi(*(++argv)); + verify_depth = atoi(opt_arg()); if (!s_quiet) BIO_printf(bio_err, "verify depth is %d\n", verify_depth); - } else if (strcmp(*argv, "-Verify") == 0) { + break; + case OPT_UPPER_V_VERIFY: s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE; - if (--argc < 1) - goto bad; - verify_depth = atoi(*(++argv)); + verify_depth = atoi(opt_arg()); if (!s_quiet) BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", verify_depth); - } else if (strcmp(*argv, "-context") == 0) { - if (--argc < 1) - goto bad; - context = (unsigned char *)*(++argv); - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - s_cert_file = *(++argv); - } else if (strcmp(*argv, "-CRL") == 0) { - if (--argc < 1) - goto bad; - crl_file = *(++argv); - } else if (strcmp(*argv, "-crl_download") == 0) + break; + case OPT_CONTEXT: + context = (unsigned char *)opt_arg(); + break; + case OPT_CERT: + s_cert_file = opt_arg(); + break; + case OPT_CRL: + crl_file = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: crl_download = 1; + break; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv, "-serverinfo") == 0) { - if (--argc < 1) - goto bad; - s_serverinfo_file = *(++argv); - } + case OPT_SERVERINFO: + s_serverinfo_file = opt_arg(); + break; #endif - else if (strcmp(*argv, "-certform") == 0) { - if (--argc < 1) - goto bad; - s_cert_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - s_key_file = *(++argv); - } else if (strcmp(*argv, 
"-keyform") == 0) { - if (--argc < 1) - goto bad; - s_key_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-pass") == 0) { - if (--argc < 1) - goto bad; - passarg = *(++argv); - } else if (strcmp(*argv, "-cert_chain") == 0) { - if (--argc < 1) - goto bad; - s_chain_file = *(++argv); - } else if (strcmp(*argv, "-dhparam") == 0) { - if (--argc < 1) - goto bad; - dhfile = *(++argv); - } else if (strcmp(*argv, "-dcertform") == 0) { - if (--argc < 1) - goto bad; - s_dcert_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-dcert") == 0) { - if (--argc < 1) - goto bad; - s_dcert_file = *(++argv); - } else if (strcmp(*argv, "-dkeyform") == 0) { - if (--argc < 1) - goto bad; - s_dkey_format = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-dpass") == 0) { - if (--argc < 1) - goto bad; - dpassarg = *(++argv); - } else if (strcmp(*argv, "-dkey") == 0) { - if (--argc < 1) - goto bad; - s_dkey_file = *(++argv); - } else if (strcmp(*argv, "-dcert_chain") == 0) { - if (--argc < 1) - goto bad; - s_dchain_file = *(++argv); - } else if (strcmp(*argv, "-nocert") == 0) { + case OPT_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format)) + goto opthelp; + break; + case OPT_KEY: + s_key_file = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format)) + goto opthelp; + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_CERT_CHAIN: + s_chain_file = opt_arg(); + break; + case OPT_DHPARAM: + dhfile = opt_arg(); + break; + case OPT_DCERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format)) + goto opthelp; + break; + case OPT_DCERT: + s_dcert_file = opt_arg(); + break; + case OPT_DKEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dkey_format)) + goto opthelp; + break; + case OPT_DPASS: + dpassarg = opt_arg(); + break; + case OPT_DKEY: + s_dkey_file = opt_arg(); + break; + case OPT_DCERT_CHAIN: + s_dchain_file = opt_arg(); + break; + case OPT_NOCERT: nocert = 1; - } else if 
(strcmp(*argv, "-CApath") == 0) { - if (--argc < 1) - goto bad; - CApath = *(++argv); - } else if (strcmp(*argv, "-chainCApath") == 0) { - if (--argc < 1) - goto bad; - chCApath = *(++argv); - } else if (strcmp(*argv, "-verifyCApath") == 0) { - if (--argc < 1) - goto bad; - vfyCApath = *(++argv); - } else if (strcmp(*argv, "-no_cache") == 0) + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CHAINCAPATH: + chCApath = opt_arg(); + break; + case OPT_VERIFYCAPATH: + vfyCApath = opt_arg(); + break; + case OPT_NO_CACHE: no_cache = 1; - else if (strcmp(*argv, "-ext_cache") == 0) + break; + case OPT_EXT_CACHE: ext_cache = 1; - else if (strcmp(*argv, "-CRLform") == 0) { - if (--argc < 1) - goto bad; - crl_format = str2fmt(*(++argv)); - } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - if (badarg) - goto bad; - continue; - } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { - if (badarg) - goto bad; - continue; - } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) { - if (badarg) - goto bad; - continue; - } else if (strcmp(*argv, "-verify_return_error") == 0) + break; + case OPT_CRLFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format)) + goto opthelp; + break; + case OPT_S_CASES: + if (ssl_args == NULL) + ssl_args = sk_OPENSSL_STRING_new_null(); + if (ssl_args == NULL + || !sk_OPENSSL_STRING_push(ssl_args, opt_flag()) + || !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_X_CASES: + if (!args_excert(o, &exc)) + goto end; + break; + case OPT_VERIFY_RET_ERROR: verify_return_error = 1; - else if (strcmp(*argv, "-verify_quiet") == 0) + break; + case OPT_VERIFY_QUIET: verify_quiet = 1; - else if (strcmp(*argv, "-build_chain") == 0) + break; + case OPT_BUILD_CHAIN: build_chain = 1; - else if (strcmp(*argv, "-CAfile") == 0) { - 
if (--argc < 1) - goto bad; - CAfile = *(++argv); - } else if (strcmp(*argv, "-chainCAfile") == 0) { - if (--argc < 1) - goto bad; - chCAfile = *(++argv); - } else if (strcmp(*argv, "-verifyCAfile") == 0) { - if (--argc < 1) - goto bad; - vfyCAfile = *(++argv); - } -#ifdef FIONBIO - else if (strcmp(*argv, "-nbio") == 0) { - s_nbio = 1; - } -#endif - else if (strcmp(*argv, "-nbio_test") == 0) { -#ifdef FIONBIO + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CHAINCAFILE: + chCAfile = opt_arg(); + break; + case OPT_VERIFYCAFILE: + vfyCAfile = opt_arg(); + break; + case OPT_NBIO: s_nbio = 1; -#endif - s_nbio_test = 1; - } else if (strcmp(*argv, "-ign_eof") == 0) + break; + case OPT_NBIO_TEST: + s_nbio = s_nbio_test = 1; + break; + case OPT_IGN_EOF: s_ign_eof = 1; - else if (strcmp(*argv, "-no_ign_eof") == 0) + break; + case OPT_NO_IGN_EOF: s_ign_eof = 0; - else if (strcmp(*argv, "-debug") == 0) { + break; + case OPT_DEBUG: s_debug = 1; - } + break; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv, "-tlsextdebug") == 0) + case OPT_TLSEXTDEBUG: s_tlsextdebug = 1; - else if (strcmp(*argv, "-status") == 0) - s_tlsextstatus = 1; - else if (strcmp(*argv, "-status_verbose") == 0) { + break; + case OPT_STATUS: s_tlsextstatus = 1; - tlscstatp.verbose = 1; - } else if (!strcmp(*argv, "-status_timeout")) { + break; + case OPT_STATUS_VERBOSE: + s_tlsextstatus = tlscstatp.verbose = 1; + break; + case OPT_STATUS_TIMEOUT: s_tlsextstatus = 1; - if (--argc < 1) - goto bad; - tlscstatp.timeout = atoi(*(++argv)); - } else if (!strcmp(*argv, "-status_url")) { + tlscstatp.timeout = atoi(opt_arg()); + break; + case OPT_STATUS_URL: s_tlsextstatus = 1; - if (--argc < 1) - goto bad; - if (!OCSP_parse_url(*(++argv), + if (!OCSP_parse_url(opt_arg(), &tlscstatp.host, &tlscstatp.port, &tlscstatp.path, &tlscstatp.use_ssl)) { BIO_printf(bio_err, "Error parsing URL\n"); - goto bad; + goto end; } - } + break; #endif - else if (strcmp(*argv, "-msg") == 0) { + case OPT_MSG: s_msg 
= 1; - } else if (strcmp(*argv, "-msgfile") == 0) { - if (--argc < 1) - goto bad; - bio_s_msg = BIO_new_file(*(++argv), "w"); - } + break; + case OPT_MSGFILE: + bio_s_msg = BIO_new_file(opt_arg(), "w"); + break; #ifndef OPENSSL_NO_SSL_TRACE - else if (strcmp(*argv, "-trace") == 0) { + case OPT_TRACE: s_msg = 2; - } + break; +#else + case OPT_TRACE: + goto opthelp; #endif - else if (strcmp(*argv, "-security_debug") == 0) { + case OPT_SECURITY_DEBUG: sdebug = 1; - } else if (strcmp(*argv, "-security_debug_verbose") == 0) { + break; + case OPT_SECURITY_DEBUG_VERBOSE: sdebug = 2; - } else if (strcmp(*argv, "-state") == 0) { + break; + case OPT_STATE: state = 1; - } else if (strcmp(*argv, "-crlf") == 0) { + break; + case OPT_CRLF: s_crlf = 1; - } else if (strcmp(*argv, "-quiet") == 0) { - s_quiet = 1; - } else if (strcmp(*argv, "-brief") == 0) { + break; + case OPT_QUIET: s_quiet = 1; - s_brief = 1; - verify_quiet = 1; - } else if (strcmp(*argv, "-no_tmp_rsa") == 0) { + break; + case OPT_BRIEF: + s_quiet = s_brief = verify_quiet = 1; + break; + case OPT_NO_TMP_RSA: no_tmp_rsa = 1; - } else if (strcmp(*argv, "-no_dhe") == 0) { + break; + case OPT_NO_DHE: no_dhe = 1; - } else if (strcmp(*argv, "-no_ecdhe") == 0) { + break; + case OPT_NO_ECDHE: no_ecdhe = 1; - } else if (strcmp(*argv, "-no_resume_ephemeral") == 0) { + break; + case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; - } + break; #ifndef OPENSSL_NO_PSK - else if (strcmp(*argv, "-psk_hint") == 0) { - if (--argc < 1) - goto bad; - psk_identity_hint = *(++argv); - } else if (strcmp(*argv, "-psk") == 0) { - size_t i; - - if (--argc < 1) - goto bad; - psk_key = *(++argv); - for (i = 0; i < strlen(psk_key); i++) { - if (isxdigit((unsigned char)psk_key[i])) + case OPT_PSK_HINT: + psk_identity_hint = opt_arg(); + break; + case OPT_PSK: + for (p = psk_key = opt_arg(); *p; p++) { + if (isxdigit(*p)) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); - goto bad; + goto end; } - } + break; #endif #ifndef 
OPENSSL_NO_SRP - else if (strcmp(*argv, "-srpvfile") == 0) { - if (--argc < 1) - goto bad; - srp_verifier_file = *(++argv); + case OPT_SRPVFILE: + srp_verifier_file = opt_arg(); meth = TLSv1_server_method(); - } else if (strcmp(*argv, "-srpuserseed") == 0) { - if (--argc < 1) - goto bad; - srpuserseed = *(++argv); + break; + case OPT_SRPUSERSEED: + srpuserseed = opt_arg(); meth = TLSv1_server_method(); - } + break; #endif - else if (strcmp(*argv, "-rev") == 0) { + case OPT_REV: rev = 1; - } else if (strcmp(*argv, "-www") == 0) { + break; + case OPT_WWW: www = 1; - } else if (strcmp(*argv, "-WWW") == 0) { + break; + case OPT_UPPER_WWW: www = 2; - } else if (strcmp(*argv, "-HTTP") == 0) { + break; + case OPT_HTTP: www = 3; - } -#ifndef OPENSSL_NO_SSL3_METHOD - else if (strcmp(*argv, "-ssl3") == 0) { - meth = SSLv3_server_method(); - } + break; +#ifndef OPENSSL_NO_SSL3 + case OPT_SSL3: + meth = SSLv3_client_method(); + break; #endif - else if (strcmp(*argv, "-tls1") == 0) { - meth = TLSv1_server_method(); - } else if (strcmp(*argv, "-tls1_1") == 0) { - meth = TLSv1_1_server_method(); - } else if (strcmp(*argv, "-tls1_2") == 0) { - meth = TLSv1_2_server_method(); - } + case OPT_TLS1_2: + meth = TLSv1_2_client_method(); + break; + case OPT_TLS1_1: + meth = TLSv1_1_client_method(); + break; + case OPT_TLS1: + meth = TLSv1_client_method(); + break; #ifndef OPENSSL_NO_DTLS1 - else if (strcmp(*argv, "-dtls") == 0) { - meth = DTLS_server_method(); + case OPT_DTLS: + meth = DTLS_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-dtls1") == 0) { - meth = DTLSv1_server_method(); + break; + case OPT_DTLS1: + meth = DTLSv1_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-dtls1_2") == 0) { - meth = DTLSv1_2_server_method(); + break; + case OPT_DTLS1_2: + meth = DTLSv1_2_client_method(); socket_type = SOCK_DGRAM; - } else if (strcmp(*argv, "-timeout") == 0) + break; + case OPT_TIMEOUT: enable_timeouts = 1; - else if (strcmp(*argv, "-mtu") 
== 0) { - if (--argc < 1) - goto bad; - socket_mtu = atol(*(++argv)); - } else if (strcmp(*argv, "-chain") == 0) + break; + case OPT_MTU: + socket_mtu = atol(opt_arg()); + break; + case OPT_CHAIN: cert_chain = 1; + break; #endif - else if (strcmp(*argv, "-id_prefix") == 0) { - if (--argc < 1) - goto bad; - session_id_prefix = *(++argv); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine_id = *(++argv); - } -#endif - else if (strcmp(*argv, "-rand") == 0) { - if (--argc < 1) - goto bad; - inrand = *(++argv); - } + case OPT_ID_PREFIX: + session_id_prefix = opt_arg(); + break; + case OPT_ENGINE: + engine_id = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv, "-servername") == 0) { - if (--argc < 1) - goto bad; - tlsextcbp.servername = *(++argv); - } else if (strcmp(*argv, "-servername_fatal") == 0) { + case OPT_SERVERNAME: + tlsextcbp.servername = opt_arg(); + break; + case OPT_SERVERNAME_FATAL: tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; - } else if (strcmp(*argv, "-cert2") == 0) { - if (--argc < 1) - goto bad; - s_cert_file2 = *(++argv); - } else if (strcmp(*argv, "-key2") == 0) { - if (--argc < 1) - goto bad; - s_key_file2 = *(++argv); - } + break; + case OPT_CERT2: + s_cert_file2 = opt_arg(); + break; + case OPT_KEY2: + s_key_file2 = opt_arg(); + break; # ifndef OPENSSL_NO_NEXTPROTONEG - else if (strcmp(*argv, "-nextprotoneg") == 0) { - if (--argc < 1) - goto bad; - next_proto_neg_in = *(++argv); - } + case OPT_NEXTPROTONEG: + next_proto_neg_in = opt_arg(); + break; # endif - else if (strcmp(*argv, "-alpn") == 0) { - if (--argc < 1) - goto bad; - alpn_in = *(++argv); - } + case OPT_ALPN: + alpn_in = opt_arg(); + break; #endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - else if (strcmp(*argv, "-jpake") == 0) { - if (--argc < 1) - goto bad; - jpake_secret = *(++argv); - } -#endif -#ifndef OPENSSL_NO_SRTP - 
else if (strcmp(*argv, "-use_srtp") == 0) { - if (--argc < 1) - goto bad; - srtp_profiles = *(++argv); - } + case OPT_JPAKE: + jpake_secret = opt_arg(); + break; +#else + case OPT_JPAKE: + goto opthelp; #endif - else if (strcmp(*argv, "-keymatexport") == 0) { - if (--argc < 1) - goto bad; - keymatexportlabel = *(++argv); - } else if (strcmp(*argv, "-keymatexportlen") == 0) { - if (--argc < 1) - goto bad; - keymatexportlen = atoi(*(++argv)); - if (keymatexportlen == 0) - goto bad; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; + case OPT_SRTP_PROFILES: + srtp_profiles = opt_arg(); + break; + case OPT_KEYMATEXPORT: + keymatexportlabel = opt_arg(); + break; + case OPT_KEYMATEXPORTLEN: + keymatexportlen = atoi(opt_arg()); break; } - argc--; - argv++; - } - if (badop) { - bad: - sv_usage(); - goto end; } + argc = opt_num_rest(); + argv = opt_rest(); + #ifndef OPENSSL_NO_DTLS1 if (www && socket_type == SOCK_DGRAM) { BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n"); @@ -1529,14 +1447,11 @@ int MAIN(int argc, char *argv[]) } #endif - SSL_load_error_strings(); - OpenSSL_add_ssl_algorithms(); - #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine_id, 1); + e = setup_engine(engine_id, 1); #endif - if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) { + if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } @@ -1548,18 +1463,18 @@ int MAIN(int argc, char *argv[]) s_key_file2 = s_cert_file2; #endif - if (!load_excert(&exc, bio_err)) + if (!load_excert(&exc)) goto end; if (nocert == 0) { - s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, + s_key = load_key(s_key_file, s_key_format, 0, pass, e, "server certificate private key file"); if (!s_key) { ERR_print_errors(bio_err); goto end; } - s_cert = load_cert(bio_err, s_cert_file, s_cert_format, + s_cert = load_cert(s_cert_file, s_cert_format, NULL, e, "server certificate file"); if (!s_cert) { 
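Review bot: The protocol cases in the new option switch select client methods for a server: `OPT_SSL3`, `OPT_TLS1_2`, `OPT_TLS1_1`, `OPT_TLS1`, `OPT_DTLS`, `OPT_DTLS1` and `OPT_DTLS1_2` all assign `*_client_method()`, where the removed branches used the `*_server_method()` calls and the SRP cases beside them still do. Each should be the server variant, for example `meth = TLSv1_2_server_method();` and `meth = DTLS_server_method();`. In the same switch `OPT_PSK` now passes a plain `char` to `isxdigit()` and prints `*argv` in its error message, although `argv` is no longer advanced to the current argument; `isxdigit((unsigned char)*p)` and printing `psk_key` would keep the old behaviour. The `naccept <= 0` and `keymatexportlen == 0` rejections were removed without a replacement check on the `atol()`/`atoi()` results. s_server_main begins before this hunk and continues after it.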
@@ -1567,21 +1482,21 @@ int MAIN(int argc, char *argv[]) goto end; } if (s_chain_file) { - s_chain = load_certs(bio_err, s_chain_file, FORMAT_PEM, + s_chain = load_certs(s_chain_file, FORMAT_PEM, NULL, e, "server certificate chain"); if (!s_chain) goto end; } #ifndef OPENSSL_NO_TLSEXT if (tlsextcbp.servername) { - s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e, + s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e, "second server certificate private key file"); if (!s_key2) { ERR_print_errors(bio_err); goto end; } - s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format, + s_cert2 = load_cert(s_cert_file2, s_cert_format, NULL, e, "second server certificate file"); if (!s_cert2) { @@ -1635,14 +1550,14 @@ int MAIN(int argc, char *argv[]) if (s_dkey_file == NULL) s_dkey_file = s_dcert_file; - s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, + s_dkey = load_key(s_dkey_file, s_dkey_format, 0, dpass, e, "second certificate private key file"); if (!s_dkey) { ERR_print_errors(bio_err); goto end; } - s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format, + s_dcert = load_cert(s_dcert_file, s_dcert_format, NULL, e, "second server certificate file"); if (!s_dcert) { @@ -1650,7 +1565,7 @@ int MAIN(int argc, char *argv[]) goto end; } if (s_dchain_file) { - s_dchain = load_certs(bio_err, s_dchain_file, FORMAT_PEM, + s_dchain = load_certs(s_dchain_file, FORMAT_PEM, NULL, e, "second server certificate chain"); if (!s_dchain) goto end; @@ -1658,7 +1573,7 @@ int MAIN(int argc, char *argv[]) } - if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL + if (!app_RAND_load_file(NULL, 1) && inrand == NULL && !RAND_status()) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); 
@@ -1671,10 +1586,10 @@ int MAIN(int argc, char *argv[]) if (s_quiet && !s_debug) { bio_s_out = BIO_new(BIO_s_null()); if (s_msg && !bio_s_msg) - bio_s_msg = BIO_new_fp(stdout, BIO_NOCLOSE); + bio_s_msg = dup_bio_out(); } else { if (bio_s_out == NULL) - bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE); + bio_s_out = dup_bio_out(); } } #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) @@ -1724,8 +1639,8 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) { - /* Returns 0 on success!! */ - if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles)) { + /* Returns 0 on success! */ + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) { BIO_printf(bio_err, "Error setting SRTP profile\n"); ERR_print_errors(bio_err); goto end; @@ -1733,20 +1648,18 @@ int MAIN(int argc, char *argv[]) } #endif - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) { - /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ + if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); - /* goto end; */ + goto end; } - if (vpm && !SSL_CTX_set1_param(ctx, vpm)) { - BIO_printf(bio_err, "Error setting X509 params\n"); + if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { + BIO_printf(bio_err, "Error setting verify params\n"); ERR_print_errors(bio_err); goto end; } ssl_ctx_add_crls(ctx, crls, 0); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) + if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, 
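Review bot: The `config_ctx(...)` call at the end of the -1733 hunk, and the matching one for `ctx2` in the -1799 hunk, now reads `jpake_secret` directly where the old code passed `no_jpake`. Every other use of `jpake_secret` visible on this page sits inside an `OPENSSL_NO_JPAKE` guard (the `OPT_JPAKE` case and the cleanup near `end`), so if its declaration is guarded the same way, which is not visible here, a build with JPAKE disabled would fail to compile. Keeping the `no_jpake` argument, or wrapping the call so the disabled build passes a constant `1`, avoids depending on the variable. The enclosing function starts and ends outside the hunk.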
@@ -1799,14 +1712,14 @@ int MAIN(int argc, char *argv[]) (!SSL_CTX_set_default_verify_paths(ctx2))) { ERR_print_errors(bio_err); } - if (vpm && !SSL_CTX_set1_param(ctx2, vpm)) { - BIO_printf(bio_err, "Error setting X509 params\n"); + if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) { + BIO_printf(bio_err, "Error setting verify params\n"); ERR_print_errors(bio_err); goto end; } ssl_ctx_add_crls(ctx2, crls, 0); - if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) + if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) goto end; } # ifndef OPENSSL_NO_NEXTPROTONEG @@ -1926,8 +1839,8 @@ int MAIN(int argc, char *argv[]) SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); if (!SSL_CTX_set_session_id_context(ctx, - (void *)&s_server_session_id_context, - sizeof s_server_session_id_context)) { + (void *)&s_server_session_id_context, + sizeof s_server_session_id_context)) { BIO_printf(bio_err, "error setting session id context\n"); ERR_print_errors(bio_err); goto end; @@ -1941,13 +1854,12 @@ int MAIN(int argc, char *argv[]) if (ctx2) { SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); if (!SSL_CTX_set_session_id_context(ctx2, - (void *)&s_server_session_id_context, - sizeof s_server_session_id_context)) { + (void *)&s_server_session_id_context, + sizeof s_server_session_id_context)) { BIO_printf(bio_err, "error setting session id context\n"); ERR_print_errors(bio_err); goto end; } - tlsextcbp.biodebug = bio_s_out; SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); @@ -2043,8 +1955,7 @@ int MAIN(int argc, char *argv[]) OPENSSL_free(alpn_ctx.data); #endif ssl_excert_free(exc); - if (ssl_args) - sk_OPENSSL_STRING_free(ssl_args); + sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); #ifndef OPENSSL_NO_JPAKE if (jpake_secret && psk_key) 
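Review bot: The `ctx2` setup at the top of the -1799 hunk still only calls `ERR_print_errors(bio_err)` when loading the verify locations fails, while this commit makes the same failure fatal for the primary context through `ctx_set_verify_locations(ctx, CAfile, CApath)` followed by `goto end`. The server would then keep running with a second context whose CA locations did not load, which is inconsistent with the stricter handling of `ctx`. Making the two paths agree, `if (!ctx_set_verify_locations(ctx2, CAfile, CApath)) { ERR_print_errors(bio_err); goto end; }`, closes the gap. The first operand of the existing `ctx2` condition lies outside the hunk, so it is inferred here.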
@@ -2054,8 +1965,7 @@ int MAIN(int argc, char *argv[]) bio_s_out = NULL; BIO_free(bio_s_msg); bio_s_msg = NULL; - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) @@ -2129,19 +2039,21 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) } if (s_tlsextstatus) { SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); - tlscstatp.err = bio_err; SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); } #endif #ifndef OPENSSL_NO_KRB5 if ((kctx = kssl_ctx_new()) != NULL) { SSL_set0_kssl_ctx(con, kctx); - kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); - kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); + kssl_ctx_setstring(kctx, KSSL_SERVICE, + krb5svc ? krb5svc : KRB5SVC); + if (krb5tab) + kssl_ctx_setstring(kctx, KSSL_KEYTAB, krb5tab); } #endif /* OPENSSL_NO_KRB5 */ - if (context && !SSL_set_session_id_context(con, context, - strlen((char *)context))) { + if (context + && !SSL_set_session_id_context(con, + context, strlen((char *)context))) { BIO_printf(bio_err, "Error setting session id context\n"); ret = -1; goto err; @@ -2308,6 +2220,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if (!s_quiet && !s_brief) { if ((i <= 0) || (buf[0] == 'Q')) { BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); SHUTDOWN(s); close_accept_socket(); ret = -11; @@ -2315,6 +2228,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) } if ((i <= 0) || (buf[0] == 'q')) { BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); if (SSL_version(con) != DTLS1_VERSION) SHUTDOWN(s); /* 
@@ -2403,12 +2317,14 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) case SSL_ERROR_SYSCALL: case SSL_ERROR_SSL: BIO_printf(bio_s_out, "ERROR\n"); + (void)BIO_flush(bio_s_out); ERR_print_errors(bio_err); ret = 1; goto err; /* break; */ case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); ret = 1; goto err; } @@ -2462,11 +2378,13 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) case SSL_ERROR_SYSCALL: case SSL_ERROR_SSL: BIO_printf(bio_s_out, "ERROR\n"); + (void)BIO_flush(bio_s_out); ERR_print_errors(bio_err); ret = 1; goto err; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); ret = 1; goto err; } @@ -2547,6 +2465,7 @@ static int init_ssl_connection(SSL *con) } BIO_printf(bio_err, "ERROR\n"); + verify_error = SSL_get_verify_result(con); if (verify_error != X509_V_OK) { BIO_printf(bio_err, "verify error:%s\n", @@ -2666,6 +2585,9 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) #ifndef OPENSSL_NO_KRB5 KSSL_CTX *kctx; #endif +#ifdef RENEG + int total_bytes = 0; +#endif buf = OPENSSL_malloc(bufsize); if (buf == NULL) @@ -2705,9 +2627,8 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) } #endif /* OPENSSL_NO_KRB5 */ if (context && !SSL_set_session_id_context(con, context, - strlen((char *)context))) { + strlen((char *)context))) goto err; - } sbio = BIO_new_socket(s, BIO_NOCLOSE); if (s_nbio_test) { @@ -2821,7 +2742,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) j = sk_SSL_CIPHER_num(sk); for (i = 0; i < j; i++) { c = sk_SSL_CIPHER_value(sk, i); - BIO_printf(io, "%-11s:%-25s", + BIO_printf(io, "%-11s:%-25s ", SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); if ((((i + 1) % 2) == 0) && (i + 1 != j)) BIO_puts(io, "\n"); 
@@ -3003,10 +2924,8 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); err: - if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); - if (buf != NULL) OPENSSL_free(buf); BIO_free_all(io); @@ -3051,7 +2970,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) } #endif /* OPENSSL_NO_KRB5 */ if (context && !SSL_set_session_id_context(con, context, - strlen((char *)context))) { + strlen((char *)context))) { ERR_print_errors(bio_err); goto err; } @@ -3228,19 +3147,21 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess = OPENSSL_malloc(sizeof(simple_ssl_session)); if (!sess) { - BIO_printf(bio_err, "Out of memory adding session to external cache\n"); + BIO_printf(bio_err, "Out of memory adding to external cache\n"); return 0; } SSL_SESSION_get_id(session, &sess->idlen); sess->derlen = i2d_SSL_SESSION(session, NULL); + if (sess->derlen < 0) { + BIO_printf(bio_err, "Error encoding session\n"); + return 0; + } sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); - sess->der = OPENSSL_malloc(sess->derlen); if (!sess->id || !sess->der) { - BIO_printf(bio_err, "Out of memory adding session to external cache\n"); - + BIO_printf(bio_err, "Out of memory adding to external cache\n"); if (sess->id) OPENSSL_free(sess->id); if (sess->der) @@ -3249,7 +3170,9 @@ static int add_session(SSL *ssl, SSL_SESSION *session) return 0; } p = sess->der; - if (i2d_SSL_SESSION(session, &p) < 0) { + + /* Assume it still works. */ + if (i2d_SSL_SESSION(session, &p) != sess->derlen) { BIO_printf(bio_err, "Error encoding session\n"); return 0; } diff --git a/apps/s_socket.c b/apps/s_socket.c index 5bdfc6c..4c440dc 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -1,6 +1,3 @@ -/* - * apps/s_socket.c - socket-related functions used by s_client and s_server - */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
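Review bot: The new `sess->derlen < 0` check in add_session (the -3228 hunk) returns without releasing `sess`, which was allocated with `OPENSSL_malloc` a few lines earlier, so every encoding failure leaks one `simple_ssl_session`. Add `OPENSSL_free(sess);` ahead of that `return 0;`. The rewritten check in the -3249 hunk, `i2d_SSL_SESSION(session, &p) != sess->derlen`, also returns directly, and by then `sess->id` and `sess->der` are allocated as well, so that path should free all three. add_session starts before the first of these hunks and continues past the second.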
@@ -57,7 +54,56 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +/* ==================================================================== + * Copyright (c) 199-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ +/* socket-related functions used by s_client and s_server */ #include #include #include @@ -76,10 +122,8 @@ typedef unsigned int u_int; #endif #define USE_SOCKETS -#define NON_MAIN #include "apps.h" #undef USE_SOCKETS -#undef NON_MAIN #include "s_apps.h" #include @@ -185,7 +229,7 @@ static int ssl_sock_init(void) return (0); } } -# endif /* OPENSSL_SYS_WINDOWS */ +# endif return (1); } @@ -503,16 +547,6 @@ static int do_accept(int acc_sock, int *sock, char **host) return (0); } -/*- - ling.l_onoff=1; - ling.l_linger=0; - i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling)); - if (i < 0) { perror("linger"); return(0); } - i=0; - i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i)); - if (i < 0) { perror("keepalive"); return(0); } -*/ - if (host == NULL) goto end; # ifndef BIT_FIELD_LIMITS @@ -580,7 +614,7 @@ static int do_accept_unix(int acc_sock, int *sock) # endif int extract_host_port(char *str, char **host_ptr, unsigned char *ip, - short *port_ptr) + unsigned short *port_ptr) { char *h, *p; @@ -645,7 +679,7 @@ static int host_ip(const char *str, unsigned char ip[4]) return (0); } -int extract_port(const char *str, short *port_ptr) +int extract_port(const char *str, unsigned short *port_ptr) { int i; struct servent *s; diff --git a/apps/s_time.c b/apps/s_time.c index 8f4980b..5bca72b 100644 --- a/apps/s_time.c 
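Review bot: The copyright line of the OpenSSL Project notice added to apps/s_socket.c in hunk `@@ -57,7 +54,56 @@` reads `Copyright (c) 199-2015`, a truncated start year. It should carry the full four-digit year. That value is not visible in this diff, so copy it from an existing project header rather than guessing.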
+++ b/apps/s_time.c @@ -1,4 +1,3 @@ -/* apps/s_time.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -82,9 +81,6 @@ # include OPENSSL_UNISTD #endif -#undef PROG -#define PROG s_time_main - #undef ioctl #define ioctl ioctlsocket 
@@ -107,286 +103,171 @@ #undef SECONDS #define SECONDS 30 +#define SECONDSSTR "30" + extern int verify_depth; extern int verify_error; -static void s_time_usage(void); -static int parseArgs(int argc, char **argv); -static SSL *doConnection(SSL *scon); -static void s_time_init(void); - -/*********************************************************************** - * Static data declarations - */ +static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx); -/* static char *port=PORT_STR;*/ -static char *host = SSL_CONNECT_NAME; -static char *t_cert_file = NULL; -static char *t_key_file = NULL; -static char *CApath = NULL; -static char *CAfile = NULL; -static char *tm_cipher = NULL; -static int tm_verify = SSL_VERIFY_NONE; -static int maxTime = SECONDS; -static SSL_CTX *tm_ctx = NULL; -static const SSL_METHOD *s_time_meth = NULL; -static char *s_www_path = NULL; -static long bytes_read = 0; -static int st_bugs = 0; -static int perform = 0; -#ifdef FIONBIO -static int t_nbio = 0; +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH, + OPT_CAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, +#ifndef OPENSSL_NO_SSL3 + OPT_SSL3, #endif -#ifdef OPENSSL_SYS_WIN32 -static int exitNow = 0; /* Set when it's time to exit main */ + OPT_WWW +} OPTION_CHOICE; + +OPTIONS s_time_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"connect", OPT_CONNECT, 's', + "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"}, + {"cipher", OPT_CIPHER, 's', "Cipher to use, see 'openssl ciphers'"}, + {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, + {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"new", OPT_NEW, '-', "Just time new connections"}, + {"reuse", OPT_REUSE, '-', "Just time connection reuse"}, + {"bugs", OPT_BUGS, 
'-', "Turn on SSL bug compatibility"}, + {"verify", OPT_VERIFY, 'p', + "Turn on peer certificate verification, set depth"}, + {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR}, + {"www", OPT_WWW, 's', "Fetch specified page from the site"}, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, #endif + {NULL} +}; -static void s_time_init(void) -{ - host = SSL_CONNECT_NAME; - t_cert_file = NULL; - t_key_file = NULL; - CApath = NULL; - CAfile = NULL; - tm_cipher = NULL; - tm_verify = SSL_VERIFY_NONE; - maxTime = SECONDS; - tm_ctx = NULL; - s_time_meth = NULL; - s_www_path = NULL; - bytes_read = 0; - st_bugs = 0; - perform = 0; - -#ifdef FIONBIO - t_nbio = 0; -#endif -#ifdef OPENSSL_SYS_WIN32 - exitNow = 0; /* Set when it's time to exit main */ -#endif -} +#define START 0 +#define STOP 1 -/*********************************************************************** - * usage - display usage message - */ -static void s_time_usage(void) +static double tm_Time_F(int s) { - static char umsg[] = "\ --time arg - max number of seconds to collect data, default %d\n\ --verify arg - turn on peer certificate verification, arg == depth\n\ --cert arg - certificate file to use, PEM format assumed\n\ --key arg - RSA file to use, PEM format assumed, key is in cert file\n\ - file if not specified by this option\n\ --CApath arg - PEM format directory of CA's\n\ --CAfile arg - PEM format file of CA's\n\ --cipher - preferred cipher to use, play with 'openssl ciphers'\n\n"; - - printf("usage: s_time \n\n"); - - printf("-connect host:port - host:port to connect to (default is %s)\n", - SSL_CONNECT_NAME); -#ifdef FIONBIO - printf("-nbio - Run with non-blocking IO\n"); - printf("-ssl3 - Just use SSLv3\n"); - printf("-bugs - Turn on SSL bug compatibility\n"); - printf("-new - Just time new connections\n"); - printf("-reuse - Just time connection reuse\n"); - printf("-www page - Retrieve 'page' from the site\n"); -#endif - printf(umsg, SECONDS); + return 
app_tminterval(s, 1); } -/*********************************************************************** - * parseArgs - Parse command line arguments and initialize data - * - * Returns 0 if ok, -1 on bad args - */ -static int parseArgs(int argc, char **argv) +int s_time_main(int argc, char **argv) { - int badop = 0; + char buf[1024 * 8]; + SSL *scon = NULL; + SSL_CTX *ctx = NULL; + const SSL_METHOD *meth = NULL; + char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL; + char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog; + double totalTime = 0.0; + int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = + 0, ver; + long bytes_read = 0, finishtime = 0; + OPTION_CHOICE o; +#ifdef OPENSSL_SYS_WIN32 + int exitNow = 0; /* Set when it's time to exit main */ +#endif + meth = SSLv23_client_method(); verify_depth = 0; verify_error = X509_V_OK; - argc--; - argv++; - - while (argc >= 1) { - if (strcmp(*argv, "-connect") == 0) { - if (--argc < 1) - goto bad; - host = *(++argv); - } - else if (strcmp(*argv, "-reuse") == 0) + prog = opt_init(argc, argv, s_time_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_time_options); + ret = 0; + goto end; + case OPT_CONNECT: + host = opt_arg(); + break; + case OPT_REUSE: perform = 2; - else if (strcmp(*argv, "-new") == 0) + break; + case OPT_NEW: perform = 1; - else if (strcmp(*argv, "-verify") == 0) { - - tm_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; - if (--argc < 1) - goto bad; - verify_depth = atoi(*(++argv)); - BIO_printf(bio_err, "verify depth is %d\n", verify_depth); - - } else if (strcmp(*argv, "-cert") == 0) { - - if (--argc < 1) - goto bad; - t_cert_file = *(++argv); - - } else if (strcmp(*argv, "-key") == 0) { - - if (--argc < 1) - goto bad; - t_key_file = *(++argv); - - } else if (strcmp(*argv, "-CApath") == 0) { - - 
if (--argc < 1) - goto bad; - CApath = *(++argv); - - } else if (strcmp(*argv, "-CAfile") == 0) { - - if (--argc < 1) - goto bad; - CAfile = *(++argv); - - } else if (strcmp(*argv, "-cipher") == 0) { - - if (--argc < 1) - goto bad; - tm_cipher = *(++argv); - } -#ifdef FIONBIO - else if (strcmp(*argv, "-nbio") == 0) { - t_nbio = 1; - } -#endif - else if (strcmp(*argv, "-www") == 0) { - if (--argc < 1) - goto bad; - s_www_path = *(++argv); - if (strlen(s_www_path) > MYBUFSIZ - 100) { - BIO_printf(bio_err, "-www option too long\n"); - badop = 1; - } - } else if (strcmp(*argv, "-bugs") == 0) + break; + case OPT_VERIFY: + if (!opt_int(opt_arg(), &verify_depth)) + goto opthelp; + BIO_printf(bio_err, "%s: verify depth is %d\n", + prog, verify_depth); + break; + case OPT_CERT: + certfile = opt_arg(); + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CIPHER: + cipher = opt_arg(); + break; + case OPT_BUGS: st_bugs = 1; -#ifndef OPENSSL_NO_SSL3 - else if (strcmp(*argv, "-ssl3") == 0) - s_time_meth = SSLv3_client_method(); -#endif - else if (strcmp(*argv, "-time") == 0) { - - if (--argc < 1) - goto bad; - maxTime = atoi(*(++argv)); - if (maxTime <= 0) { - BIO_printf(bio_err, "time must be > 0\n"); - badop = 1; + break; + case OPT_TIME: + if (!opt_int(opt_arg(), &maxtime)) + goto opthelp; + break; + case OPT_WWW: + www_path = opt_arg(); + if (strlen(www_path) > MYBUFSIZ - 100) { + BIO_printf(bio_err, "%s: -www option too long\n", prog); + goto end; } - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badop = 1; break; +#ifndef OPENSSL_NO_SSL3 + case OPT_SSL3: + meth = SSLv3_client_method(); + break; +#endif } - - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (perform == 0) - perform = 3; - - if (badop) { - bad: - s_time_usage(); - return -1; + if (cipher == NULL) + cipher = getenv("SSL_CIPHER"); + if (cipher == NULL) { + 
fprintf(stderr, "No CIPHER specified\n"); + goto end; } - return 0; /* Valid args */ -} - -/*********************************************************************** - * TIME - time functions - */ -#define START 0 -#define STOP 1 - -static double tm_Time_F(int s) -{ - return app_tminterval(s, 1); -} - -/*********************************************************************** - * MAIN - main processing area for client - * real name depends on MONOLITH - */ -int MAIN(int, char **); - -int MAIN(int argc, char **argv) -{ - double totalTime = 0.0; - int nConn = 0; - SSL *scon = NULL; - long finishtime = 0; - int ret = 1, i; - char buf[1024 * 8]; - int ver; - - apps_startup(); - s_time_init(); - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - s_time_meth = SSLv23_client_method(); - - /* parse the command line arguments */ - if (parseArgs(argc, argv) < 0) + if ((ctx = SSL_CTX_new(meth)) == NULL) goto end; - OpenSSL_add_ssl_algorithms(); - if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL) - return (1); - - SSL_CTX_set_quiet_shutdown(tm_ctx, 1); + SSL_CTX_set_quiet_shutdown(ctx, 1); if (st_bugs) - SSL_CTX_set_options(tm_ctx, SSL_OP_ALL); - if (!SSL_CTX_set_cipher_list(tm_ctx, tm_cipher)) + SSL_CTX_set_options(ctx, SSL_OP_ALL); + if (!SSL_CTX_set_cipher_list(ctx, cipher)) goto end; - if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file)) + if (!set_cert_stuff(ctx, certfile, keyfile)) goto end; - SSL_load_error_strings(); - - if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(tm_ctx))) { - /* - * BIO_printf(bio_err,"error setting default verify locations\n"); - */ + if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { ERR_print_errors(bio_err); - /* goto end; */ - } - - if (tm_cipher == NULL) - tm_cipher = getenv("SSL_CIPHER"); - - if (tm_cipher == NULL) { - fprintf(stderr, "No CIPHER specified\n"); + goto end; } - if (!(perform & 1)) goto next; - printf("Collecting connection statistics for %d seconds\n", 
maxTime); + printf("Collecting connection statistics for %d seconds\n", maxtime); /* Loop and time how long it takes to make connections */ bytes_read = 0; - finishtime = (long)time(NULL) + maxTime; + finishtime = (long)time(NULL) + maxtime; tm_Time_F(START); for (;;) { if (finishtime < (long)time(NULL)) @@ -400,12 +281,12 @@ int MAIN(int argc, char **argv) goto end; #endif - if ((scon = doConnection(NULL)) == NULL) + if ((scon = doConnection(NULL, host, ctx)) == NULL) goto end; - if (s_www_path != NULL) { + if (www_path != NULL) { BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", - s_www_path); + www_path); if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) @@ -438,13 +319,13 @@ int MAIN(int argc, char **argv) } totalTime += tm_Time_F(STOP); /* Add the time for this iteration */ - i = (int)((long)time(NULL) - finishtime + maxTime); + i = (int)((long)time(NULL) - finishtime + maxtime); printf ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn / totalTime), bytes_read); printf ("%d connections in %ld real seconds, %ld bytes read per connection\n", - nConn, (long)time(NULL) - finishtime + maxTime, bytes_read / nConn); + nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); /* * Now loop and time connections using the same session id over and over 
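Review bot: In the `@@ -107,286 +103,171 @@` hunk of apps/s_time.c, `-verify` is documented as "Turn on peer certificate verification, set depth", but the new `OPT_VERIFY` case only parses `verify_depth`, and nothing in the context setup shown here applies a verify mode to `ctx` (the old `tm_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` assignment is dropped). If the option is meant to enforce verification, record it in the switch and call `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);` after `SSL_CTX_new`; otherwise reword the help text so users do not assume the peer is being authenticated. Separately, the table registers `"cafile"` where the old parser accepted `-CAfile` (while `"CApath"` keeps its case), which presumably breaks existing command lines unless option matching is case-insensitive. s_time_main's body continues past the end of the hunk.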
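Review bot: `bytes_read / nConn` in the summary printf of the `@@ -438,13 +319,13 @@` hunk is an integer division that traps when no connection completed in the timing window, and the `@@ -535,27 +417,20 @@` hunk removes the `(nConn?nConn:1)` guard that the reuse summary used to have, so both summaries now share the problem. `nConn` can stay 0 if the loop leaves on its first deadline check, which looks reachable now that the explicit `maxTime <= 0` rejection is gone from option parsing, though `opt_int` with the `'p'` type may still reject such values. Keep the guard in both places: `bytes_read / (nConn ? nConn : 1)`. The loops that update `nConn` lie outside these hunks.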
@@ -456,16 +337,17 @@ int MAIN(int argc, char **argv) printf("\n\nNow timing with session id reuse.\n"); /* Get an SSL object so we can reuse the session id */ - if ((scon = doConnection(NULL)) == NULL) { + if ((scon = doConnection(NULL, host, ctx)) == NULL) { fprintf(stderr, "Unable to get connection\n"); goto end; } - if (s_www_path != NULL) { - BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path); + if (www_path != NULL) { + BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", www_path); if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; - while (SSL_read(scon, buf, sizeof(buf)) > 0) ; + while (SSL_read(scon, buf, sizeof(buf)) > 0) + continue; } #ifdef NO_SHUTDOWN SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); @@ -477,7 +359,7 @@ int MAIN(int argc, char **argv) nConn = 0; totalTime = 0.0; - finishtime = (long)time(NULL) + maxTime; + finishtime = (long)time(NULL) + maxtime; printf("starting\n"); bytes_read = 0; @@ -495,12 +377,12 @@ int MAIN(int argc, char **argv) goto end; #endif - if ((doConnection(scon)) == NULL) + if ((doConnection(scon, host, ctx)) == NULL) goto end; - if (s_www_path) { + if (www_path) { BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", - s_www_path); + www_path); if (SSL_write(scon, buf, strlen(buf)) <= 0) goto end; while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) 
@@ -535,27 +417,20 @@ int MAIN(int argc, char **argv) nConn, totalTime, ((double)nConn / totalTime), bytes_read); printf ("%d connections in %ld real seconds, %ld bytes read per connection\n", - nConn, (long)time(NULL) - finishtime + maxTime, - bytes_read / (nConn?nConn:1)); + nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); ret = 0; + end: SSL_free(scon); - - SSL_CTX_free(tm_ctx); - tm_ctx = NULL; - apps_shutdown(); - OPENSSL_EXIT(ret); + SSL_CTX_free(ctx); + return (ret); } /*- * doConnection - make a connection - * Args: - * scon = earlier ssl connection for session id, or NULL - * Returns: - * SSL * = the connection pointer. */ -static SSL *doConnection(SSL *scon) +static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx) { BIO *conn; SSL *serverCon; @@ -565,11 +440,10 @@ static SSL *doConnection(SSL *scon) if ((conn = BIO_new(BIO_s_connect())) == NULL) return (NULL); -/* BIO_set_conn_port(conn,port);*/ BIO_set_conn_hostname(conn, host); if (scon == NULL) - serverCon = SSL_new(tm_ctx); + serverCon = SSL_new(ctx); else { serverCon = scon; SSL_set_connect_state(serverCon); diff --git a/apps/sess_id.c b/apps/sess_id.c index 9421e40..cfecd86 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -1,4 +1,3 @@ -/* apps/sess_id.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
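Review bot: The header comment of doConnection in the `@@ -535,27 +417,20 @@` hunk loses its Args/Returns section in the same change that adds the `host` and `ctx` parameters, so the function now documents less while taking more. I would keep the section and extend it: `scon` is an earlier connection to reuse for its session id, or NULL, in which case the next hunk shows a new SSL being created from `ctx`; `host` is the value handed to `BIO_set_conn_hostname`; `ctx` is the context passed to `SSL_new`. For the return value, the old text gave the connection pointer, and the visible code returns NULL when the connect BIO cannot be created. doConnection's body continues outside the hunk.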
@@ -66,94 +65,81 @@ #include #include -#undef PROG -#define PROG sess_id_main - -static const char *sess_id_usage[] = { - "usage: sess_id args\n", - "\n", - " -inform arg - input format - default PEM (DER or PEM)\n", - " -outform arg - output format - default PEM (PEM, DER or NSS)\n", - " -in arg - input file - default stdin\n", - " -out arg - output file - default stdout\n", - " -text - print ssl session id details\n", - " -cert - output certificate \n", - " -noout - no output of encoded session info\n", - " -context arg - set the session ID context\n", - NULL +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, + OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT +} OPTION_CHOICE; + +OPTIONS sess_id_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', + "Output format - default PEM (PEM, DER or NSS)"}, + {"in", OPT_IN, 's', "Input file - default stdin"}, + {"out", OPT_OUT, 's', "Output file - default stdout"}, + {"text", OPT_TEXT, '-', "Print ssl session id details"}, + {"cert", OPT_CERT, '-', "Output certificate "}, + {"noout", OPT_NOOUT, '-', "Don't output the encoded session info"}, + {"context", OPT_CONTEXT, 's', "Set the session ID context"}, + {NULL} }; static SSL_SESSION *load_sess_id(char *file, int format); -int MAIN(int, char **); - -int MAIN(int argc, char **argv) +int sess_id_main(int argc, char **argv) { SSL_SESSION *x = NULL; X509 *peer = NULL; - int ret = 1, i, num, badops = 0; BIO *out = NULL; - int informat, outformat; - char *infile = NULL, *outfile = NULL, *context = NULL; - int cert = 0, noout = 0, text = 0; - const char **pp; - - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - - argc--; - argv++; - num = 0; - while (argc >= 
1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-text") == 0) + char *infile = NULL, *outfile = NULL, *context = NULL, *prog; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int cert = 0, noout = 0, text = 0, ret = 1, i, num = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, sess_id_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(sess_id_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TEXT: text = ++num; - else if (strcmp(*argv, "-cert") == 0) + break; + case OPT_CERT: cert = ++num; - else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = ++num; - else if (strcmp(*argv, "-context") == 0) { - if (--argc < 1) - goto bad; - context = *++argv; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; + break; + case OPT_CONTEXT: + context = opt_arg(); break; } - argc--; - argv++; } + argc = opt_num_rest(); + argv = opt_rest(); - if (badops) { - bad: - for (pp = sess_id_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); - goto end; - } - - ERR_load_crypto_strings(); x = load_sess_id(infile, informat); if (x == NULL) { goto end; 
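Review bot: The `-outform` entry in `sess_id_options` still advertises "PEM, DER or NSS", but the new `OPT_OUTFORM` case parses with `OPT_FMT_PEMDER`, which by its name admits only PEM and DER; if so, `-outform NSS` is now rejected while the following hunk still tests `outformat == FORMAT_NSS`. Either parse with a format mask that includes NSS, or drop NSS from the help text and from the mode check. The definition of `OPT_FMT_PEMDER` is not part of this diff, so this needs confirming against it. sess_id_main's body continues outside the hunk.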
@@ -166,33 +152,20 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Context too long\n"); goto end; } - if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len)) { + if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context, + ctx_len)) { BIO_printf(bio_err, "Error setting id context\n"); goto end; } } if (!noout || text) { - out = BIO_new(BIO_s_file()); - if (out == NULL) { - ERR_print_errors(bio_err); + const char* modeflag = "w"; + if (outformat == FORMAT_ASN1 || outformat == FORMAT_NSS) + modeflag = "wb"; + out = bio_open_default(outfile, modeflag); + if (out == NULL) goto end; - } - - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } } if (text) { @@ -240,8 +213,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (x != NULL) SSL_SESSION_free(x); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static SSL_SESSION *load_sess_id(char *infile, int format) @@ -249,28 +221,13 @@ static SSL_SESSION *load_sess_id(char *infile, int format) SSL_SESSION *x = NULL; BIO *in = NULL; - in = BIO_new(BIO_s_file()); - if (in == NULL) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, RB(format)); + if (in == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - goto end; - } - } if (format == FORMAT_ASN1) x = d2i_SSL_SESSION_bio(in, NULL); - else if (format == FORMAT_PEM) + else x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL); - else { - BIO_printf(bio_err, "bad input format specified for input crl\n"); - goto end; - } if (x == NULL) { BIO_printf(bio_err, "unable to load SSL_SESSION\n"); ERR_print_errors(bio_err); diff --git a/apps/smime.c b/apps/smime.c index 930978f..532446f 100644 --- a/apps/smime.c 
+++ b/apps/smime.c @@ -1,4 +1,3 @@ -/* smime.c */ /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL * project. @@ -68,8 +67,6 @@ #include #include -#undef PROG -#define PROG smime_main static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int smime_cb(int ok, X509_STORE_CTX *ctx); 
@@ -83,277 +80,315 @@ static int smime_cb(int ok, X509_STORE_CTX *ctx); #define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP) #define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY, + OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN, + OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, + OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF, + OPT_NOOLDMIME, OPT_CRLFEOL, OPT_RAND, OPT_ENGINE, OPT_PASSIN, + OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, + OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_V_ENUM, + OPT_CAPATH, OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTFORM, OPT_CONTENT +} OPTION_CHOICE; + +OPTIONS smime_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', + " cert.pem... recipient certs for encryption\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, + {"sign", OPT_SIGN, '-', "Sign message"}, + {"verify", OPT_VERIFY, '-', "Verify signed message"}, + {"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"binary", OPT_BINARY, '-', "Don't translate message to text"}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"signer", OPT_SIGNER, '<', "Signer certificate file"}, + {"recip", 
OPT_RECIP, '<', "Recipient certificate file for decryption"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format SMIME (default), PEM or DER"}, + {"inkey", OPT_INKEY, '<', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', + "Output format SMIME (default), PEM or DER"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"resign", OPT_RESIGN, '-'}, + {"nochain", OPT_NOCHAIN, '-'}, + {"nosmimecap", OPT_NOSMIMECAP, '-'}, + {"stream", OPT_STREAM, '-'}, + {"indef", OPT_INDEF, '-'}, + {"noindef", OPT_NOINDEF, '-'}, + {"nooldmime", OPT_NOOLDMIME, '-'}, + {"crlfeol", OPT_CRLFEOL, '-'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"md", OPT_MD, 's'}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + OPT_V_OPTIONS, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int smime_main(int argc, char **argv) { - ENGINE *e = NULL; - int operation = 0; - int ret = 0; - char **args; - const char *inmode = "r", *outmode = "w"; - char *infile = NULL, *outfile = NULL; - char *signerfile = NULL, *recipfile = NULL; - STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; - char *certfile = NULL, *keyfile = NULL, *contfile = NULL; - const EVP_CIPHER *cipher = NULL; - PKCS7 *p7 = NULL; - X509_STORE *store = NULL; - X509 *cert = NULL, *recip = NULL, 
*signer = NULL; + BIO *in = NULL, *out = NULL, *indata = NULL; EVP_PKEY *key = NULL; + PKCS7 *p7 = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; STACK_OF(X509) *encerts = NULL, *other = NULL; - BIO *in = NULL, *out = NULL, *indata = NULL; - int badarg = 0; - int flags = PKCS7_DETACHED; - char *to = NULL, *from = NULL, *subject = NULL; - char *CAfile = NULL, *CApath = NULL; - char *passargin = NULL, *passin = NULL; - char *inrand = NULL; - int need_rand = 0; - int indef = 0; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + const EVP_CIPHER *cipher = NULL; const EVP_MD *sign_md = NULL; - int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; - int keyform = FORMAT_PEM; + char *CAfile = NULL, *CApath = NULL, *inrand = NULL, *engine = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = + NULL; + char *passinarg = NULL, *passin = NULL, *to = NULL, *from = + NULL, *subject = NULL; + const char *inmode = "r", *outmode = "w"; + OPTION_CHOICE o; + int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef = + 0; + int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = + FORMAT_PEM; + int vpmtouched = 0, rv = 0; #ifndef OPENSSL_NO_ENGINE - char *engine = NULL; + ENGINE *e = NULL; #endif - X509_VERIFY_PARAM *vpm = NULL; - - args = argv + 1; - ret = 1; - - apps_startup(); - - if (bio_err == NULL) { - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - } - - if (!load_config(bio_err, NULL)) - goto end; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; - while (!badarg && *args && *args[0] == '-') { - if (!strcmp(*args, "-encrypt")) + prog = opt_init(argc, argv, smime_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for 
summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(smime_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENCRYPT: operation = SMIME_ENCRYPT; - else if (!strcmp(*args, "-decrypt")) + break; + case OPT_DECRYPT: operation = SMIME_DECRYPT; - else if (!strcmp(*args, "-sign")) + break; + case OPT_SIGN: operation = SMIME_SIGN; - else if (!strcmp(*args, "-resign")) + break; + case OPT_RESIGN: operation = SMIME_RESIGN; - else if (!strcmp(*args, "-verify")) + break; + case OPT_VERIFY: operation = SMIME_VERIFY; - else if (!strcmp(*args, "-pk7out")) + break; + case OPT_PK7OUT: operation = SMIME_PK7OUT; -#ifndef OPENSSL_NO_DES - else if (!strcmp(*args, "-des3")) - cipher = EVP_des_ede3_cbc(); - else if (!strcmp(*args, "-des")) - cipher = EVP_des_cbc(); -#endif -#ifndef OPENSSL_NO_SEED - else if (!strcmp(*args, "-seed")) - cipher = EVP_seed_cbc(); -#endif -#ifndef OPENSSL_NO_RC2 - else if (!strcmp(*args, "-rc2-40")) - cipher = EVP_rc2_40_cbc(); - else if (!strcmp(*args, "-rc2-128")) - cipher = EVP_rc2_cbc(); - else if (!strcmp(*args, "-rc2-64")) - cipher = EVP_rc2_64_cbc(); -#endif -#ifndef OPENSSL_NO_AES - else if (!strcmp(*args, "-aes128")) - cipher = EVP_aes_128_cbc(); - else if (!strcmp(*args, "-aes192")) - cipher = EVP_aes_192_cbc(); - else if (!strcmp(*args, "-aes256")) - cipher = EVP_aes_256_cbc(); -#endif -#ifndef OPENSSL_NO_CAMELLIA - else if (!strcmp(*args, "-camellia128")) - cipher = EVP_camellia_128_cbc(); - else if (!strcmp(*args, "-camellia192")) - cipher = EVP_camellia_192_cbc(); - else if (!strcmp(*args, "-camellia256")) - cipher = EVP_camellia_256_cbc(); -#endif - else if (!strcmp(*args, "-text")) + break; + case OPT_TEXT: flags |= PKCS7_TEXT; - else if 
(!strcmp(*args, "-nointern")) + break; + case OPT_NOINTERN: flags |= PKCS7_NOINTERN; - else if (!strcmp(*args, "-noverify")) + break; + case OPT_NOVERIFY: flags |= PKCS7_NOVERIFY; - else if (!strcmp(*args, "-nochain")) + break; + case OPT_NOCHAIN: flags |= PKCS7_NOCHAIN; - else if (!strcmp(*args, "-nocerts")) + break; + case OPT_NOCERTS: flags |= PKCS7_NOCERTS; - else if (!strcmp(*args, "-noattr")) + break; + case OPT_NOATTR: flags |= PKCS7_NOATTR; - else if (!strcmp(*args, "-nodetach")) + break; + case OPT_NODETACH: flags &= ~PKCS7_DETACHED; - else if (!strcmp(*args, "-nosmimecap")) + break; + case OPT_NOSMIMECAP: flags |= PKCS7_NOSMIMECAP; - else if (!strcmp(*args, "-binary")) + break; + case OPT_BINARY: flags |= PKCS7_BINARY; - else if (!strcmp(*args, "-nosigs")) + break; + case OPT_NOSIGS: flags |= PKCS7_NOSIGS; - else if (!strcmp(*args, "-stream")) + break; + case OPT_STREAM: + case OPT_INDEF: indef = 1; - else if (!strcmp(*args, "-indef")) - indef = 1; - else if (!strcmp(*args, "-noindef")) + break; + case OPT_NOINDEF: indef = 0; - else if (!strcmp(*args, "-nooldmime")) + break; + case OPT_NOOLDMIME: flags |= PKCS7_NOOLDMIMETYPE; - else if (!strcmp(*args, "-crlfeol")) + break; + case OPT_CRLFEOL: flags |= PKCS7_CRLFEOL; - else if (!strcmp(*args, "-rand")) { - if (!args[1]) - goto argerr; - args++; - inrand = *args; + break; + case OPT_RAND: + inrand = opt_arg(); need_rand = 1; - } -#ifndef OPENSSL_NO_ENGINE - else if (!strcmp(*args, "-engine")) { - if (!args[1]) - goto argerr; - engine = *++args; - } -#endif - else if (!strcmp(*args, "-passin")) { - if (!args[1]) - goto argerr; - passargin = *++args; - } else if (!strcmp(*args, "-to")) { - if (!args[1]) - goto argerr; - to = *++args; - } else if (!strcmp(*args, "-from")) { - if (!args[1]) - goto argerr; - from = *++args; - } else if (!strcmp(*args, "-subject")) { - if (!args[1]) - goto argerr; - subject = *++args; - } else if (!strcmp(*args, "-signer")) { - if (!args[1]) - goto argerr; + break; + case 
OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_SIGNER: /* If previous -signer argument add signer to list */ - if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!keyfile) + if (keyfile == NULL) keyfile = signerfile; - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); keyfile = NULL; } - signerfile = *++args; - } else if (!strcmp(*args, "-recip")) { - if (!args[1]) - goto argerr; - recipfile = *++args; - } else if (!strcmp(*args, "-md")) { - if (!args[1]) - goto argerr; - sign_md = EVP_get_digestbyname(*++args); - if (sign_md == NULL) { - BIO_printf(bio_err, "Unknown digest %s\n", *args); - goto argerr; - } - } else if (!strcmp(*args, "-inkey")) { - if (!args[1]) - goto argerr; + signerfile = opt_arg(); + break; + case OPT_RECIP: + recipfile = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &sign_md)) + goto opthelp; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher)) + goto opthelp; + break; + case OPT_INKEY: /* If previous -inkey arument add signer to list */ if (keyfile) { - if (!signerfile) { - BIO_puts(bio_err, "Illegal -inkey without -signer\n"); - goto argerr; + if (signerfile == NULL) { + BIO_printf(bio_err, + "%s: Must have -signer before -inkey\n", prog); + goto opthelp; } - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); signerfile = NULL; - if (!skkeys) - skkeys = 
sk_OPENSSL_STRING_new_null(); + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(skkeys, keyfile); } - keyfile = *++args; - } else if (!strcmp(*args, "-keyform")) { - if (!args[1]) - goto argerr; - keyform = str2fmt(*++args); - } else if (!strcmp(*args, "-certfile")) { - if (!args[1]) - goto argerr; - certfile = *++args; - } else if (!strcmp(*args, "-CAfile")) { - if (!args[1]) - goto argerr; - CAfile = *++args; - } else if (!strcmp(*args, "-CApath")) { - if (!args[1]) - goto argerr; - CApath = *++args; - } else if (!strcmp(*args, "-in")) { - if (!args[1]) - goto argerr; - infile = *++args; - } else if (!strcmp(*args, "-inform")) { - if (!args[1]) - goto argerr; - informat = str2fmt(*++args); - } else if (!strcmp(*args, "-outform")) { - if (!args[1]) - goto argerr; - outformat = str2fmt(*++args); - } else if (!strcmp(*args, "-out")) { - if (!args[1]) - goto argerr; - outfile = *++args; - } else if (!strcmp(*args, "-content")) { - if (!args[1]) - goto argerr; - contfile = *++args; - } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) - continue; - else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL) - badarg = 1; - args++; + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto opthelp; + vpmtouched++; + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); - goto argerr; + goto opthelp; } if (operation & SMIME_SIGNERS) { /* Check to see if any final signer needs to be appended */ if (keyfile && !signerfile) { BIO_puts(bio_err, "Illegal 
-inkey without -signer\n"); - goto argerr; + goto opthelp; } if (signerfile) { - if (!sksigners) - sksigners = sk_OPENSSL_STRING_new_null(); + if (!sksigners + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; sk_OPENSSL_STRING_push(sksigners, signerfile); - if (!skkeys) - skkeys = sk_OPENSSL_STRING_new_null(); + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; if (!keyfile) keyfile = signerfile; sk_OPENSSL_STRING_push(skkeys, keyfile); } if (!sksigners) { BIO_printf(bio_err, "No signer certificate specified\n"); - badarg = 1; + goto opthelp; } signerfile = NULL; keyfile = NULL; 
@@ -362,118 +397,28 @@ int MAIN(int argc, char **argv) if (!recipfile && !keyfile) { BIO_printf(bio_err, "No recipient certificate or key specified\n"); - badarg = 1; + goto opthelp; } } else if (operation == SMIME_ENCRYPT) { - if (!*args) { + if (argc == 0) { BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); - badarg = 1; + goto opthelp; } need_rand = 1; } else if (!operation) - badarg = 1; - - if (badarg) { - argerr: - BIO_printf(bio_err, "Usage smime [options] cert.pem ...\n"); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, "-encrypt encrypt message\n"); - BIO_printf(bio_err, "-decrypt decrypt encrypted message\n"); - BIO_printf(bio_err, "-sign sign message\n"); - BIO_printf(bio_err, "-verify verify signed message\n"); - BIO_printf(bio_err, "-pk7out output PKCS#7 structure\n"); -#ifndef OPENSSL_NO_DES - BIO_printf(bio_err, "-des3 encrypt with triple DES\n"); - BIO_printf(bio_err, "-des encrypt with DES\n"); -#endif -#ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "-seed encrypt with SEED\n"); -#endif -#ifndef OPENSSL_NO_RC2 - BIO_printf(bio_err, "-rc2-40 encrypt with RC2-40 (default)\n"); - BIO_printf(bio_err, "-rc2-64 encrypt with RC2-64\n"); - BIO_printf(bio_err, "-rc2-128 encrypt with RC2-128\n"); -#endif -#ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "-aes128, -aes192, -aes256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc aes\n"); -#endif -#ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "-camellia128, -camellia192, -camellia256\n"); - BIO_printf(bio_err, - " encrypt PEM output with cbc camellia\n"); -#endif - BIO_printf(bio_err, - "-nointern don't search certificates in message for signer\n"); - BIO_printf(bio_err, - "-nosigs don't verify message signature\n"); - BIO_printf(bio_err, - "-noverify don't verify signers certificate\n"); - BIO_printf(bio_err, - "-nocerts don't include signers certificate when signing\n"); - BIO_printf(bio_err, "-nodetach use opaque signing\n"); - BIO_printf(bio_err, - "-noattr 
don't include any signed attributes\n"); - BIO_printf(bio_err, - "-binary don't translate message to text\n"); - BIO_printf(bio_err, "-certfile file other certificates file\n"); - BIO_printf(bio_err, "-signer file signer certificate file\n"); - BIO_printf(bio_err, - "-recip file recipient certificate file for decryption\n"); - BIO_printf(bio_err, "-in file input file\n"); - BIO_printf(bio_err, - "-inform arg input format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-inkey file input private key (if not signer or recipient)\n"); - BIO_printf(bio_err, - "-keyform arg input private key format (PEM or ENGINE)\n"); - BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, - "-outform arg output format SMIME (default), PEM or DER\n"); - BIO_printf(bio_err, - "-content file supply or override content for detached signature\n"); - BIO_printf(bio_err, "-to addr to address\n"); - BIO_printf(bio_err, "-from ad from address\n"); - BIO_printf(bio_err, "-subject s subject\n"); - BIO_printf(bio_err, - "-text include or delete text MIME headers\n"); - BIO_printf(bio_err, - "-CApath dir trusted certificates directory\n"); - BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf(bio_err, - "-trusted_first use locally trusted CA's first when building trust chain\n"); - BIO_printf(bio_err, - "-no_alt_chains only ever use the first certificate chain found\n"); - BIO_printf(bio_err, - "-crl_check check revocation status of signer's certificate using CRLs\n"); - BIO_printf(bio_err, - "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-passin arg input file pass phrase source\n"); - BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - 
BIO_printf(bio_err, " the random number generator\n"); - BIO_printf(bio_err, - "cert.pem recipient certificate(s) for encryption\n"); - goto end; - } + goto opthelp; + #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } if (need_rand) { - app_RAND_load_file(NULL, bio_err, (inrand != NULL)); + app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); @@ -510,19 +455,21 @@ int MAIN(int argc, char **argv) #endif } encerts = sk_X509_new_null(); - while (*args) { - if (!(cert = load_cert(bio_err, *args, FORMAT_PEM, - NULL, e, "recipient certificate file"))) { + if (!encerts) + goto end; + while (*argv) { + cert = load_cert(*argv, FORMAT_PEM, + NULL, e, "recipient certificate file"); + if (cert == NULL) goto end; - } sk_X509_push(encerts, cert); cert = NULL; - args++; + argv++; } } if (certfile) { - if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL, + if (!(other = load_certs(certfile, FORMAT_PEM, NULL, e, "certificate file"))) { ERR_print_errors(bio_err); goto end; @@ -530,7 +477,7 @@ int MAIN(int argc, char **argv) } if (recipfile && (operation == SMIME_DECRYPT)) { - if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL, + if (!(recip = load_cert(recipfile, FORMAT_PEM, NULL, e, "recipient certificate file"))) { ERR_print_errors(bio_err); goto end; 
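Review bot: The argument checks in this hunk now `goto opthelp`, but `ret` is initialised to 0 in the new declarations and the old `ret = 1;` before parsing is removed, so as far as the visible hunks show these error paths reach `end:` with a success status. A caller that scripts `smime -verify` or `-decrypt` and trusts the exit code would then treat a rejected command line as success. Initialising with `ret = 1` in the declaration keeps the `-help` case correct, since it sets `ret = 0` explicitly. The `opthelp` label and the function's return statement are outside this hunk, so confirm that the function returns `ret` unchanged.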
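Review bot: The return value of `sk_X509_push(encerts, cert)` is still ignored, even though this hunk adds the NULL check for `encerts` itself. If the push fails, `cert = NULL` drops the only reference, so the certificate leaks and that recipient is silently missing from the list used for encryption. Consider `if (!sk_X509_push(encerts, cert)) goto end;`, assuming the cleanup at `end:` (not fully visible here) frees `cert`.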
@@ -547,19 +494,14 @@ int MAIN(int argc, char **argv) keyfile = NULL; if (keyfile) { - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; } - if (infile) { - if (!(in = BIO_new_file(infile, inmode))) { - BIO_printf(bio_err, "Can't open input file %s\n", infile); - goto end; - } - } else - in = BIO_new_fp(stdin, BIO_NOCLOSE); + in = bio_open_default(infile, inmode); + if (in == NULL) + goto end; if (operation & SMIME_IP) { if (informat == FORMAT_SMIME) @@ -586,26 +528,15 @@ int MAIN(int argc, char **argv) } } - if (outfile) { - if (!(out = BIO_new_file(outfile, outmode))) { - BIO_printf(bio_err, "Can't open output file %s\n", outfile); - goto end; - } - } else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } + out = bio_open_default(outfile, outmode); + if (out == NULL) + goto end; if (operation == SMIME_VERIFY) { - if (!(store = setup_verify(bio_err, CAfile, CApath))) + if (!(store = setup_verify(CAfile, CApath))) goto end; X509_STORE_set_verify_cb(store, smime_cb); - if (vpm) + if (vpmtouched) X509_STORE_set1_param(store, vpm); } @@ -642,12 +573,11 @@ int MAIN(int argc, char **argv) for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { signerfile = sk_OPENSSL_STRING_value(sksigners, i); keyfile = sk_OPENSSL_STRING_value(skkeys, i); - signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL, + signer = load_cert(signerfile, FORMAT_PEM, NULL, e, "signer certificate"); if (!signer) goto end; - key = load_key(bio_err, keyfile, keyform, 0, passin, e, - "signing key file"); + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); if (!key) goto end; if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags)) 
@@ -701,22 +631,27 @@ int MAIN(int argc, char **argv) BIO_printf(out, "Subject: %s\n", subject); if (outformat == FORMAT_SMIME) { if (operation == SMIME_RESIGN) - SMIME_write_PKCS7(out, p7, indata, flags); + rv = SMIME_write_PKCS7(out, p7, indata, flags); else - SMIME_write_PKCS7(out, p7, in, flags); + rv = SMIME_write_PKCS7(out, p7, in, flags); } else if (outformat == FORMAT_PEM) - PEM_write_bio_PKCS7_stream(out, p7, in, flags); + rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags); else if (outformat == FORMAT_ASN1) - i2d_PKCS7_bio_stream(out, p7, in, flags); + rv = i2d_PKCS7_bio_stream(out, p7, in, flags); else { BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); goto end; } + if (rv == 0) { + BIO_printf(bio_err, "Error writing output\n"); + ret = 3; + goto end; + } } ret = 0; end: if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); if (ret) ERR_print_errors(bio_err); sk_X509_pop_free(encerts, X509_free); @@ -768,7 +703,7 @@ static int smime_cb(int ok, X509_STORE_CTX *ctx) && ((error != X509_V_OK) || (ok != 2))) return ok; - policies_print(NULL, ctx); + policies_print(bio_err, ctx); return ok; diff --git a/apps/speed.c b/apps/speed.c index 71aa74a..1a01d33 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -1,4 +1,3 @@ -/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * @@ -77,12 +76,8 @@ #define ECDSA_SECONDS 10 #define ECDH_SECONDS 10 -#undef PROG -#define PROG speed_main - #include #include - #include #include #include "apps.h" @@ -133,9 +128,9 @@ #ifndef OPENSSL_NO_MD5 # include #endif -# include +#include #include -# include +#include #ifndef OPENSSL_NO_RMD160 # include #endif @@ -220,6 +215,7 @@ static int do_multi(int multi); #define EC_NUM 16 #define MAX_ECDH_SIZE 256 +#define MISALIGN 64 static const char *names[ALGOR_NUM] = { "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", 
@@ -232,7 +228,9 @@ static const char *names[ALGOR_NUM] = { }; static double results[ALGOR_NUM][SIZE_NUM]; -static int lengths[SIZE_NUM] = { 16, 64, 256, 1024, 8 * 1024 }; +static int lengths[SIZE_NUM] = { + 16, 64, 256, 1024, 8 * 1024 +}; #ifndef OPENSSL_NO_RSA static double rsa_results[RSA_NUM][2]; 
@@ -340,22 +338,253 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out, static void multiblock_speed(const EVP_CIPHER *evp_cipher); -int MAIN(int, char **); +static int found(const char *name, const OPT_PAIR * pairs, int *result) +{ + for (; pairs->name; pairs++) + if (strcmp(name, pairs->name) == 0) { + *result = pairs->retval; + return 1; + } + return 0; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ELAPSED, OPT_EVP, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI, + OPT_MR, OPT_MB, OPT_MISALIGN +} OPTION_CHOICE; + +OPTIONS speed_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] ciphers...\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, +#if defined(TIMES) || defined(USE_TOD) + {"elapsed", OPT_ELAPSED, '-', + "Measure time in real time instead of CPU user time"}, +#endif + {"evp", OPT_EVP, 's', "Use specified EVP cipher"}, + {"decrypt", OPT_DECRYPT, '-', + "Time decryption instead of encryption (only EVP)"}, +#ifndef NO_FORK + {"multi", OPT_MULTI, 'p', "Run benchmarks in parallel"}, +#endif + {"mr", OPT_MR, '-', "Produce machine readable output"}, + {"mb", OPT_MB, '-'}, + {"misalign", OPT_MISALIGN, 'n', "Amount to mis-align buffers"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif +}; + +#define D_MD2 0 +#define D_MDC2 1 +#define D_MD4 2 +#define D_MD5 3 +#define D_HMAC 4 +#define D_SHA1 5 +#define D_RMD160 6 +#define D_RC4 7 +#define D_CBC_DES 8 +#define D_EDE3_DES 9 +#define D_CBC_IDEA 10 +#define D_CBC_SEED 11 +#define D_CBC_RC2 12 +#define D_CBC_RC5 13 +#define D_CBC_BF 14 +#define D_CBC_CAST 15 +#define D_CBC_128_AES 16 +#define D_CBC_192_AES 17 +#define D_CBC_256_AES 18 +#define D_CBC_128_CML 19 +#define D_CBC_192_CML 20 +#define D_CBC_256_CML 21 +#define D_EVP 22 +#define D_SHA256 23 +#define D_SHA512 24 +#define D_WHIRLPOOL 25 +#define D_IGE_128_AES 26 +#define D_IGE_192_AES 27 +#define 
D_IGE_256_AES 28 +#define D_GHASH 29 +OPT_PAIR doit_choices[] = { +#ifndef OPENSSL_NO_MD2 + {"md2", D_MD2}, +#endif +#ifndef OPENSSL_NO_MDC2 + {"mdc2", D_MDC2}, +#endif +#ifndef OPENSSL_NO_MD4 + {"md4", D_MD4}, +#endif +#ifndef OPENSSL_NO_MD5 + {"md5", D_MD5}, +#endif +#ifndef OPENSSL_NO_MD5 + {"hmac", D_HMAC}, +#endif + {"sha1", D_SHA1}, + {"sha256", D_SHA256}, + {"sha512", D_SHA512}, +#ifndef OPENSSL_NO_WHIRLPOOL + {"whirlpool", D_WHIRLPOOL}, +#endif +#ifndef OPENSSL_NO_RIPEMD + {"ripemd", D_RMD160}, + {"rmd160", D_RMD160}, + {"ripemd160", D_RMD160}, +#endif +#ifndef OPENSSL_NO_RC4 + {"rc4", D_RC4}, +#endif +#ifndef OPENSSL_NO_DES + {"des-cbc", D_CBC_DES}, + {"des-ede3", D_EDE3_DES}, +#endif +#ifndef OPENSSL_NO_AES + {"aes-128-cbc", D_CBC_128_AES}, + {"aes-192-cbc", D_CBC_192_AES}, + {"aes-256-cbc", D_CBC_256_AES}, + {"aes-128-ige", D_IGE_128_AES}, + {"aes-192-ige", D_IGE_192_AES}, + {"aes-256-ige", D_IGE_256_AES}, +#endif +#ifndef OPENSSL_NO_RC2 + {"rc2-cbc", D_CBC_RC2}, + {"rc2", D_CBC_RC2}, +#endif +#ifndef OPENSSL_NO_RC5 + {"rc5-cbc", D_CBC_RC5}, + {"rc5", D_CBC_RC5}, +#endif +#ifndef OPENSSL_NO_IDEA + {"idea-cbc", D_CBC_IDEA}, + {"idea", D_CBC_IDEA}, +#endif +#ifndef OPENSSL_NO_SEED + {"seed-cbc", D_CBC_SEED}, + {"seed", D_CBC_SEED}, +#endif +#ifndef OPENSSL_NO_BF + {"bf-cbc", D_CBC_BF}, + {"blowfish", D_CBC_BF}, + {"bf", D_CBC_BF}, +#endif +#ifndef OPENSSL_NO_CAST + {"cast-cbc", D_CBC_CAST}, + {"cast", D_CBC_CAST}, + {"cast5", D_CBC_CAST}, +#endif + {"ghash", D_GHASH}, + {NULL} +}; + +#define R_DSA_512 0 +#define R_DSA_1024 1 +#define R_DSA_2048 2 +static OPT_PAIR dsa_choices[] = { + {"dsa512", R_DSA_512}, + {"dsa1024", R_DSA_1024}, + {"dsa2048", R_DSA_2048}, + {NULL}, +}; -int MAIN(int argc, char **argv) +#define R_RSA_512 0 +#define R_RSA_1024 1 +#define R_RSA_2048 2 +#define R_RSA_3072 3 +#define R_RSA_4096 4 +#define R_RSA_7680 5 +#define R_RSA_15360 6 +static OPT_PAIR rsa_choices[] = { + {"rsa512", R_RSA_512}, + {"rsa1024", R_RSA_1024}, + {"rsa2048", 
R_RSA_2048}, + {"rsa3072", R_RSA_3072}, + {"rsa4096", R_RSA_4096}, + {"rsa7680", R_RSA_7680}, + {"rsa15360", R_RSA_15360}, + {NULL} +}; + +#define R_EC_P160 0 +#define R_EC_P192 1 +#define R_EC_P224 2 +#define R_EC_P256 3 +#define R_EC_P384 4 +#define R_EC_P521 5 +#define R_EC_K163 6 +#define R_EC_K233 7 +#define R_EC_K283 8 +#define R_EC_K409 9 +#define R_EC_K571 10 +#define R_EC_B163 11 +#define R_EC_B233 12 +#define R_EC_B283 13 +#define R_EC_B409 14 +#define R_EC_B571 15 +#ifndef OPENSSL_NO_ECA +static OPT_PAIR ecdsa_choices[] = { + {"ecdsap160", R_EC_P160}, + {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, + {"ecdsak163", R_EC_K163}, + {"ecdsak233", R_EC_K233}, + {"ecdsak283", R_EC_K283}, + {"ecdsak409", R_EC_K409}, + {"ecdsak571", R_EC_K571}, + {"ecdsab163", R_EC_B163}, + {"ecdsab233", R_EC_B233}, + {"ecdsab283", R_EC_B283}, + {"ecdsab409", R_EC_B409}, + {"ecdsab571", R_EC_B571}, + {NULL} +}; +static OPT_PAIR ecdh_choices[] = { + {"ecdhp160", R_EC_P160}, + {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, + {"ecdhk163", R_EC_K163}, + {"ecdhk233", R_EC_K233}, + {"ecdhk283", R_EC_K283}, + {"ecdhk409", R_EC_K409}, + {"ecdhk571", R_EC_K571}, + {"ecdhb163", R_EC_B163}, + {"ecdhb233", R_EC_B233}, + {"ecdhb283", R_EC_B283}, + {"ecdhb409", R_EC_B409}, + {"ecdhb571", R_EC_B571}, + {NULL} +}; +#endif + +int speed_main(int argc, char **argv) { + char *prog; + const EVP_CIPHER *evp_cipher = NULL; + const EVP_MD *evp_md = NULL; + double d = 0.0; + OPTION_CHOICE o; + int decrypt = 0, multiblock = 0, doit[ALGOR_NUM], pr_header = 0; + int dsa_doit[DSA_NUM], rsa_doit[RSA_NUM]; + int ret = 1, i, j, k, misalign = MAX_MISALIGNMENT + 1; + long c[ALGOR_NUM][SIZE_NUM], count = 0, save_count = 0; unsigned char *buf_malloc = NULL, *buf2_malloc = NULL; unsigned char *buf = NULL, *buf2 = NULL; - int mret = 1; - long 
count = 0, save_count = 0; - int i, j, k; + unsigned char *save_buf = NULL, *save_buf2 = NULL; + unsigned char md[EVP_MAX_MD_SIZE]; +#ifndef NO_FORK + int multi = 0; +#endif + /* What follows are the buffers and key material. */ #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) long rsa_count; #endif -#ifndef OPENSSL_NO_RSA - unsigned rsa_num; -#endif - unsigned char md[EVP_MAX_MD_SIZE]; #ifndef OPENSSL_NO_MD2 unsigned char md2[MD2_DIGEST_LENGTH]; #endif @@ -375,7 +604,7 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_WHIRLPOOL unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; #endif -#ifndef OPENSSL_NO_RMD160 +#ifndef OPENSSL_NO_RIPEMD unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; #endif #ifndef OPENSSL_NO_RC4 @@ -428,6 +657,7 @@ int MAIN(int argc, char **argv) 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56 }; + CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3; #endif #ifndef OPENSSL_NO_AES # define MAX_BLOCK_SIZE 128 @@ -437,12 +667,15 @@ int MAIN(int argc, char **argv) unsigned char DES_iv[8]; unsigned char iv[2 * MAX_BLOCK_SIZE / 8]; #ifndef OPENSSL_NO_DES - static DES_cblock key = - { 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 }; - static DES_cblock key2 = - { 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 }; - static DES_cblock key3 = - { 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 }; + static DES_cblock key = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 + }; + static DES_cblock key2 = { + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 + }; + static DES_cblock key3 = { + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 + }; DES_key_schedule sch; DES_key_schedule sch2; DES_key_schedule sch3; 
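Review bot: `speed_options[]` ends at the `engine` entry without a `{NULL}` sentinel, while every `OPT_PAIR` table added in the same hunk is terminated and `found()` relies on that. If `opt_init()` and `opt_help()` walk the table until a NULL name (their code is not in this diff), they read past the end of the array; add `{NULL}` as the last entry. Separately, `#ifndef OPENSSL_NO_ECA` around `ecdsa_choices`/`ecdh_choices` looks like a typo for `OPENSSL_NO_EC`, the guard used for the EC locals later in `speed_main`, and the `mb` entry has no help string. The body of `speed_main` continues outside this hunk.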
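Review bot: The `rmd160` buffer is now guarded by `OPENSSL_NO_RIPEMD`, but the include block near the top of the file (context of the `-133,9` hunk) is still under `#ifndef OPENSSL_NO_RMD160`. A build that defines only one of the two macros would either declare the buffer without the header that provides `RIPEMD160_DIGEST_LENGTH` or include the header needlessly. Use the same macro in both places, e.g. change the include guard to `#ifndef OPENSSL_NO_RIPEMD` as well; which of the two the configuration actually defines is not visible here.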
@@ -450,73 +683,8 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_AES AES_KEY aes_ks1, aes_ks2, aes_ks3; #endif -#ifndef OPENSSL_NO_CAMELLIA - CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3; -#endif -#define D_MD2 0 -#define D_MDC2 1 -#define D_MD4 2 -#define D_MD5 3 -#define D_HMAC 4 -#define D_SHA1 5 -#define D_RMD160 6 -#define D_RC4 7 -#define D_CBC_DES 8 -#define D_EDE3_DES 9 -#define D_CBC_IDEA 10 -#define D_CBC_SEED 11 -#define D_CBC_RC2 12 -#define D_CBC_RC5 13 -#define D_CBC_BF 14 -#define D_CBC_CAST 15 -#define D_CBC_128_AES 16 -#define D_CBC_192_AES 17 -#define D_CBC_256_AES 18 -#define D_CBC_128_CML 19 -#define D_CBC_192_CML 20 -#define D_CBC_256_CML 21 -#define D_EVP 22 -#define D_SHA256 23 -#define D_SHA512 24 -#define D_WHIRLPOOL 25 -#define D_IGE_128_AES 26 -#define D_IGE_192_AES 27 -#define D_IGE_256_AES 28 -#define D_GHASH 29 - double d = 0.0; - long c[ALGOR_NUM][SIZE_NUM]; - -#ifndef OPENSSL_SYS_WIN32 -#endif -#define R_DSA_512 0 -#define R_DSA_1024 1 -#define R_DSA_2048 2 -#define R_RSA_512 0 -#define R_RSA_1024 1 -#define R_RSA_2048 2 -#define R_RSA_3072 3 -#define R_RSA_4096 4 -#define R_RSA_7680 5 -#define R_RSA_15360 6 - -#define R_EC_P160 0 -#define R_EC_P192 1 -#define R_EC_P224 2 -#define R_EC_P256 3 -#define R_EC_P384 4 -#define R_EC_P521 5 -#define R_EC_K163 6 -#define R_EC_K233 7 -#define R_EC_K283 8 -#define R_EC_K409 9 -#define R_EC_K571 10 -#define R_EC_B163 11 -#define R_EC_B233 12 -#define R_EC_B283 13 -#define R_EC_B409 14 -#define R_EC_B571 15 - #ifndef OPENSSL_NO_RSA + unsigned rsa_num; RSA *rsa_key[RSA_NUM]; long rsa_c[RSA_NUM][2]; static unsigned int rsa_bits[RSA_NUM] = { 
@@ -545,85 +713,51 @@ int MAIN(int argc, char **argv) */ static unsigned int test_curves[EC_NUM] = { /* Prime Curves */ - NID_secp160r1, - NID_X9_62_prime192v1, - NID_secp224r1, - NID_X9_62_prime256v1, - NID_secp384r1, - NID_secp521r1, + NID_secp160r1, NID_X9_62_prime192v1, NID_secp224r1, + NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, /* Binary Curves */ - NID_sect163k1, - NID_sect233k1, - NID_sect283k1, - NID_sect409k1, - NID_sect571k1, - NID_sect163r2, - NID_sect233r1, - NID_sect283r1, - NID_sect409r1, + NID_sect163k1, NID_sect233k1, NID_sect283k1, + NID_sect409k1, NID_sect571k1, NID_sect163r2, + NID_sect233r1, NID_sect283r1, NID_sect409r1, NID_sect571r1 }; static const char *test_curves_names[EC_NUM] = { /* Prime Curves */ - "secp160r1", - "nistp192", - "nistp224", - "nistp256", - "nistp384", - "nistp521", + "secp160r1", "nistp192", "nistp224", + "nistp256", "nistp384", "nistp521", /* Binary Curves */ - "nistk163", - "nistk233", - "nistk283", - "nistk409", - "nistk571", - "nistb163", - "nistb233", - "nistb283", - "nistb409", + "nistk163", "nistk233", "nistk283", + "nistk409", "nistk571", "nistb163", + "nistb233", "nistb283", "nistb409", "nistb571" }; static int test_curves_bits[EC_NUM] = { - 160, 192, 224, 256, 384, 521, - 163, 233, 283, 409, 571, - 163, 233, 283, 409, 571 + 160, 192, 224, + 256, 384, 521, + 163, 233, 283, + 409, 571, 163, + 233, 283, 409, + 571 }; - #endif - #ifndef OPENSSL_NO_EC unsigned char ecdsasig[256]; unsigned int ecdsasiglen; EC_KEY *ecdsa[EC_NUM]; long ecdsa_c[EC_NUM][2]; + int ecdsa_doit[EC_NUM]; EC_KEY *ecdh_a[EC_NUM], *ecdh_b[EC_NUM]; unsigned char secret_a[MAX_ECDH_SIZE], secret_b[MAX_ECDH_SIZE]; int secret_size_a, secret_size_b; int ecdh_checks = 0; int secret_idx = 0; long ecdh_c[EC_NUM][2]; - int ecdsa_doit[EC_NUM]; int ecdh_doit[EC_NUM]; #endif - - int rsa_doit[RSA_NUM]; - int dsa_doit[DSA_NUM]; - int doit[ALGOR_NUM]; - int pr_header = 0; - const EVP_CIPHER *evp_cipher = NULL; - const EVP_MD *evp_md = NULL; - int decrypt 
= 0; -#ifndef NO_FORK - int multi = 0; -#endif - int multiblock = 0; - int misalign = MAX_MISALIGNMENT + 1; - #ifndef TIMES usertime = -1; #endif - apps_startup(); memset(results, 0, sizeof(results)); #ifndef OPENSSL_NO_DSA memset(dsa_key, 0, sizeof(dsa_key)); @@ -631,41 +765,15 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_EC for (i = 0; i < EC_NUM; i++) ecdsa[i] = NULL; - for (i = 0; i < EC_NUM; i++) { - ecdh_a[i] = NULL; - ecdh_b[i] = NULL; - } + for (i = 0; i < EC_NUM; i++) + ecdh_a[i] = ecdh_b[i] = NULL; #endif - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; - #ifndef OPENSSL_NO_RSA memset(rsa_key, 0, sizeof(rsa_key)); for (i = 0; i < RSA_NUM; i++) rsa_key[i] = NULL; #endif - if ((buf_malloc = - (unsigned char *)OPENSSL_malloc(BUFSIZE + misalign)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto end; - } - if ((buf2_malloc = - (unsigned char *)OPENSSL_malloc(BUFSIZE + misalign)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto end; - } - - misalign = 0; /* set later and buf/buf2 are adjusted - * accordingly */ - buf = buf_malloc; - buf2 = buf2_malloc; - memset(c, 0, sizeof(c)); memset(DES_iv, 0, sizeof(DES_iv)); memset(iv, 0, sizeof(iv)); 
@@ -683,521 +791,164 @@ int MAIN(int argc, char **argv) ecdh_doit[i] = 0; #endif - j = 0; - argc--; - argv++; - while (argc) { - if ((argc > 0) && (strcmp(*argv, "-elapsed") == 0)) { + if ((buf_malloc = + (unsigned char *)OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { + BIO_printf(bio_err, "out of memory\n"); + goto end; + } + if ((buf2_malloc = + (unsigned char *)OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { + BIO_printf(bio_err, "out of memory\n"); + goto end; + } + misalign = 0; + buf = buf_malloc; + buf2 = buf2_malloc; + + prog = opt_init(argc, argv, speed_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opterr: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(speed_options); + ret = 0; + goto end; + case OPT_ELAPSED: usertime = 0; - j--; /* Otherwise, -elapsed gets confused with an - * algorithm. */ - } else if ((argc > 0) && (strcmp(*argv, "-evp") == 0)) { - argc--; - argv++; - if (argc == 0) { - BIO_printf(bio_err, "no EVP given\n"); - goto end; - } - evp_cipher = EVP_get_cipherbyname(*argv); - if (!evp_cipher) { - evp_md = EVP_get_digestbyname(*argv); - } - if (!evp_cipher && !evp_md) { - BIO_printf(bio_err, "%s is an unknown cipher or digest\n", - *argv); + break; + case OPT_EVP: + evp_cipher = EVP_get_cipherbyname(opt_arg()); + if (evp_cipher == NULL) + evp_md = EVP_get_digestbyname(opt_arg()); + if (evp_cipher == NULL && evp_md == NULL) { + BIO_printf(bio_err, + "%s: %s an unknown cipher or digest\n", + prog, opt_arg()); goto end; } doit[D_EVP] = 1; - } else if (argc > 0 && !strcmp(*argv, "-decrypt")) { + break; + case OPT_DECRYPT: decrypt = 1; - j--; /* Otherwise, -elapsed gets confused with an - * algorithm. 
*/ - } + break; #ifndef OPENSSL_NO_ENGINE - else if ((argc > 0) && (strcmp(*argv, "-engine") == 0)) { - argc--; - argv++; - if (argc == 0) { - BIO_printf(bio_err, "no engine given\n"); - goto end; - } - setup_engine(bio_err, *argv, 0); - /* - * j will be increased again further down. We just don't want - * speed to confuse an engine with an algorithm, especially when - * none is given (which means all of them should be run) - */ - j--; - } + case OPT_ENGINE: + setup_engine(opt_arg(), 0); + break; #endif #ifndef NO_FORK - else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) { - argc--; - argv++; - if (argc == 0) { - BIO_printf(bio_err, "no multi count given\n"); - goto end; - } - multi = atoi(argv[0]); - if (multi <= 0) { - BIO_printf(bio_err, "bad multi count\n"); - goto end; - } - j--; /* Otherwise, -mr gets confused with an - * algorithm. */ - } + case OPT_MULTI: + multi = atoi(opt_arg()); + break; #endif - else if (argc > 0 && !strcmp(*argv, "-mr")) { - mr = 1; - j--; /* Otherwise, -mr gets confused with an - * algorithm. 
*/ - } else if (argc > 0 && !strcmp(*argv, "-mb")) { - multiblock = 1; - j--; - } else if (argc > 0 && !strcmp(*argv, "-misalign")) { - argc--; - argv++; - if (argc == 0) { - BIO_printf(bio_err, "no misalignment given\n"); + case OPT_MISALIGN: + if (!opt_int(opt_arg(), &misalign)) goto end; - } - misalign = atoi(argv[0]); - if (misalign < 0 || misalign > MAX_MISALIGNMENT) { + if (misalign > MISALIGN) { BIO_printf(bio_err, - "misalignment is outsize permitted range 0-%d\n", - MAX_MISALIGNMENT); - goto end; + "%s: Maximum offset is %d\n", prog, MISALIGN); + goto opterr; } buf = buf_malloc + misalign; buf2 = buf2_malloc + misalign; - j--; - } else -#ifndef OPENSSL_NO_MD2 - if (strcmp(*argv, "md2") == 0) - doit[D_MD2] = 1; - else -#endif -#ifndef OPENSSL_NO_MDC2 - if (strcmp(*argv, "mdc2") == 0) - doit[D_MDC2] = 1; - else -#endif -#ifndef OPENSSL_NO_MD4 - if (strcmp(*argv, "md4") == 0) - doit[D_MD4] = 1; - else -#endif -#ifndef OPENSSL_NO_MD5 - if (strcmp(*argv, "md5") == 0) - doit[D_MD5] = 1; - else -#endif -#ifndef OPENSSL_NO_MD5 - if (strcmp(*argv, "hmac") == 0) - doit[D_HMAC] = 1; - else -#endif - if (strcmp(*argv, "sha1") == 0) - doit[D_SHA1] = 1; - else if (strcmp(*argv, "sha") == 0) - doit[D_SHA1] = 1, doit[D_SHA256] = 1, doit[D_SHA512] = 1; - else if (strcmp(*argv, "sha256") == 0) - doit[D_SHA256] = 1; - else if (strcmp(*argv, "sha512") == 0) - doit[D_SHA512] = 1; - else -#ifndef OPENSSL_NO_WHIRLPOOL - if (strcmp(*argv, "whirlpool") == 0) - doit[D_WHIRLPOOL] = 1; - else -#endif -#ifndef OPENSSL_NO_RMD160 - if (strcmp(*argv, "ripemd") == 0) - doit[D_RMD160] = 1; - else if (strcmp(*argv, "rmd160") == 0) - doit[D_RMD160] = 1; - else if (strcmp(*argv, "ripemd160") == 0) - doit[D_RMD160] = 1; - else -#endif -#ifndef OPENSSL_NO_RC4 - if (strcmp(*argv, "rc4") == 0) - doit[D_RC4] = 1; - else -#endif + break; + case OPT_MR: + mr = 1; + break; + case OPT_MB: + multiblock = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + /* Remaining arguments are 
algorithms. */ + for ( ; *argv; argv++) { + if (found(*argv, doit_choices, &i)) { + doit[i] = 1; + continue; + } #ifndef OPENSSL_NO_DES - if (strcmp(*argv, "des-cbc") == 0) - doit[D_CBC_DES] = 1; - else if (strcmp(*argv, "des-ede3") == 0) - doit[D_EDE3_DES] = 1; - else -#endif -#ifndef OPENSSL_NO_AES - if (strcmp(*argv, "aes-128-cbc") == 0) - doit[D_CBC_128_AES] = 1; - else if (strcmp(*argv, "aes-192-cbc") == 0) - doit[D_CBC_192_AES] = 1; - else if (strcmp(*argv, "aes-256-cbc") == 0) - doit[D_CBC_256_AES] = 1; - else if (strcmp(*argv, "aes-128-ige") == 0) - doit[D_IGE_128_AES] = 1; - else if (strcmp(*argv, "aes-192-ige") == 0) - doit[D_IGE_192_AES] = 1; - else if (strcmp(*argv, "aes-256-ige") == 0) - doit[D_IGE_256_AES] = 1; - else -#endif -#ifndef OPENSSL_NO_CAMELLIA - if (strcmp(*argv, "camellia-128-cbc") == 0) - doit[D_CBC_128_CML] = 1; - else if (strcmp(*argv, "camellia-192-cbc") == 0) - doit[D_CBC_192_CML] = 1; - else if (strcmp(*argv, "camellia-256-cbc") == 0) - doit[D_CBC_256_CML] = 1; - else + if (strcmp(*argv, "des") == 0) { + doit[D_CBC_DES] = doit[D_EDE3_DES] = 1; + continue; + } #endif + if (strcmp(*argv, "sha") == 0) { + doit[D_SHA1] = doit[D_SHA256] = doit[D_SHA512] = 1; + continue; + } #ifndef OPENSSL_NO_RSA # ifndef RSA_NULL if (strcmp(*argv, "openssl") == 0) { RSA_set_default_method(RSA_PKCS1_SSLeay()); - j--; - } else + continue; + } # endif -#endif /* !OPENSSL_NO_RSA */ - if (strcmp(*argv, "dsa512") == 0) - dsa_doit[R_DSA_512] = 2; - else if (strcmp(*argv, "dsa1024") == 0) - dsa_doit[R_DSA_1024] = 2; - else if (strcmp(*argv, "dsa2048") == 0) - dsa_doit[R_DSA_2048] = 2; - else if (strcmp(*argv, "rsa512") == 0) - rsa_doit[R_RSA_512] = 2; - else if (strcmp(*argv, "rsa1024") == 0) - rsa_doit[R_RSA_1024] = 2; - else if (strcmp(*argv, "rsa2048") == 0) - rsa_doit[R_RSA_2048] = 2; - else if (strcmp(*argv, "rsa3072") == 0) - rsa_doit[R_RSA_3072] = 2; - else if (strcmp(*argv, "rsa4096") == 0) - rsa_doit[R_RSA_4096] = 2; - else if (strcmp(*argv, "rsa7680") 
== 0) - rsa_doit[R_RSA_7680] = 2; - else if (strcmp(*argv, "rsa15360") == 0) - rsa_doit[R_RSA_15360] = 2; - else -#ifndef OPENSSL_NO_RC2 - if (strcmp(*argv, "rc2-cbc") == 0) - doit[D_CBC_RC2] = 1; - else if (strcmp(*argv, "rc2") == 0) - doit[D_CBC_RC2] = 1; - else -#endif -#ifndef OPENSSL_NO_RC5 - if (strcmp(*argv, "rc5-cbc") == 0) - doit[D_CBC_RC5] = 1; - else if (strcmp(*argv, "rc5") == 0) - doit[D_CBC_RC5] = 1; - else -#endif -#ifndef OPENSSL_NO_IDEA - if (strcmp(*argv, "idea-cbc") == 0) - doit[D_CBC_IDEA] = 1; - else if (strcmp(*argv, "idea") == 0) - doit[D_CBC_IDEA] = 1; - else -#endif -#ifndef OPENSSL_NO_SEED - if (strcmp(*argv, "seed-cbc") == 0) - doit[D_CBC_SEED] = 1; - else if (strcmp(*argv, "seed") == 0) - doit[D_CBC_SEED] = 1; - else -#endif -#ifndef OPENSSL_NO_BF - if (strcmp(*argv, "bf-cbc") == 0) - doit[D_CBC_BF] = 1; - else if (strcmp(*argv, "blowfish") == 0) - doit[D_CBC_BF] = 1; - else if (strcmp(*argv, "bf") == 0) - doit[D_CBC_BF] = 1; - else -#endif -#ifndef OPENSSL_NO_CAST - if (strcmp(*argv, "cast-cbc") == 0) - doit[D_CBC_CAST] = 1; - else if (strcmp(*argv, "cast") == 0) - doit[D_CBC_CAST] = 1; - else if (strcmp(*argv, "cast5") == 0) - doit[D_CBC_CAST] = 1; - else + if (strcmp(*argv, "rsa") == 0) { + rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = + rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = + rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = + rsa_doit[R_RSA_15360] = 1; + continue; + } + if (found(*argv, rsa_choices, &i)) { + rsa_doit[i] = 1; + continue; + } #endif -#ifndef OPENSSL_NO_DES - if (strcmp(*argv, "des") == 0) { - doit[D_CBC_DES] = 1; - doit[D_EDE3_DES] = 1; - } else +#ifndef OPENSSL_NO_DSA + if (strcmp(*argv, "dsa") == 0) { + dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = + dsa_doit[R_DSA_2048] = 1; + continue; + } + if (found(*argv, dsa_choices, &i)) { + dsa_doit[i] = 2; + continue; + } #endif #ifndef OPENSSL_NO_AES if (strcmp(*argv, "aes") == 0) { - doit[D_CBC_128_AES] = 1; - doit[D_CBC_192_AES] = 1; - doit[D_CBC_256_AES] = 1; - } else 
if (strcmp(*argv, "ghash") == 0) { - doit[D_GHASH] = 1; - } else + doit[D_CBC_128_AES] = doit[D_CBC_192_AES] = + doit[D_CBC_256_AES] = 1; + continue; + } #endif #ifndef OPENSSL_NO_CAMELLIA if (strcmp(*argv, "camellia") == 0) { - doit[D_CBC_128_CML] = 1; - doit[D_CBC_192_CML] = 1; - doit[D_CBC_256_CML] = 1; - } else -#endif -#ifndef OPENSSL_NO_RSA - if (strcmp(*argv, "rsa") == 0) { - rsa_doit[R_RSA_512] = 1; - rsa_doit[R_RSA_1024] = 1; - rsa_doit[R_RSA_2048] = 1; - rsa_doit[R_RSA_3072] = 1; - rsa_doit[R_RSA_4096] = 1; - rsa_doit[R_RSA_7680] = 1; - rsa_doit[R_RSA_15360] = 1; - } else -#endif -#ifndef OPENSSL_NO_DSA - if (strcmp(*argv, "dsa") == 0) { - dsa_doit[R_DSA_512] = 1; - dsa_doit[R_DSA_1024] = 1; - dsa_doit[R_DSA_2048] = 1; - } else + doit[D_CBC_128_CML] = doit[D_CBC_192_CML] = + doit[D_CBC_256_CML] = 1; + continue; + } #endif #ifndef OPENSSL_NO_EC - if (strcmp(*argv, "ecdsap160") == 0) - ecdsa_doit[R_EC_P160] = 2; - else if (strcmp(*argv, "ecdsap192") == 0) - ecdsa_doit[R_EC_P192] = 2; - else if (strcmp(*argv, "ecdsap224") == 0) - ecdsa_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdsap256") == 0) - ecdsa_doit[R_EC_P256] = 2; - else if (strcmp(*argv, "ecdsap384") == 0) - ecdsa_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdsap521") == 0) - ecdsa_doit[R_EC_P521] = 2; - else if (strcmp(*argv, "ecdsak163") == 0) - ecdsa_doit[R_EC_K163] = 2; - else if (strcmp(*argv, "ecdsak233") == 0) - ecdsa_doit[R_EC_K233] = 2; - else if (strcmp(*argv, "ecdsak283") == 0) - ecdsa_doit[R_EC_K283] = 2; - else if (strcmp(*argv, "ecdsak409") == 0) - ecdsa_doit[R_EC_K409] = 2; - else if (strcmp(*argv, "ecdsak571") == 0) - ecdsa_doit[R_EC_K571] = 2; - else if (strcmp(*argv, "ecdsab163") == 0) - ecdsa_doit[R_EC_B163] = 2; - else if (strcmp(*argv, "ecdsab233") == 0) - ecdsa_doit[R_EC_B233] = 2; - else if (strcmp(*argv, "ecdsab283") == 0) - ecdsa_doit[R_EC_B283] = 2; - else if (strcmp(*argv, "ecdsab409") == 0) - ecdsa_doit[R_EC_B409] = 2; - else if (strcmp(*argv, "ecdsab571") == 0) 
- ecdsa_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdsa") == 0) { + if (strcmp(*argv, "ecdsa") == 0) { for (i = 0; i < EC_NUM; i++) ecdsa_doit[i] = 1; - } else if (strcmp(*argv, "ecdhp160") == 0) - ecdh_doit[R_EC_P160] = 2; - else if (strcmp(*argv, "ecdhp192") == 0) - ecdh_doit[R_EC_P192] = 2; - else if (strcmp(*argv, "ecdhp224") == 0) - ecdh_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdhp256") == 0) - ecdh_doit[R_EC_P256] = 2; - else if (strcmp(*argv, "ecdhp384") == 0) - ecdh_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdhp521") == 0) - ecdh_doit[R_EC_P521] = 2; - else if (strcmp(*argv, "ecdhk163") == 0) - ecdh_doit[R_EC_K163] = 2; - else if (strcmp(*argv, "ecdhk233") == 0) - ecdh_doit[R_EC_K233] = 2; - else if (strcmp(*argv, "ecdhk283") == 0) - ecdh_doit[R_EC_K283] = 2; - else if (strcmp(*argv, "ecdhk409") == 0) - ecdh_doit[R_EC_K409] = 2; - else if (strcmp(*argv, "ecdhk571") == 0) - ecdh_doit[R_EC_K571] = 2; - else if (strcmp(*argv, "ecdhb163") == 0) - ecdh_doit[R_EC_B163] = 2; - else if (strcmp(*argv, "ecdhb233") == 0) - ecdh_doit[R_EC_B233] = 2; - else if (strcmp(*argv, "ecdhb283") == 0) - ecdh_doit[R_EC_B283] = 2; - else if (strcmp(*argv, "ecdhb409") == 0) - ecdh_doit[R_EC_B409] = 2; - else if (strcmp(*argv, "ecdhb571") == 0) - ecdh_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdh") == 0) { + continue; + } + if (found(*argv, ecdsa_choices, &i)) { + ecdsa_doit[i] = 2; + continue; + } + if (strcmp(*argv, "ecdh") == 0) { for (i = 0; i < EC_NUM; i++) ecdh_doit[i] = 1; - } else -#endif - { - BIO_printf(bio_err, "Error: bad option or value\n"); - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, "Available values:\n"); -#ifndef OPENSSL_NO_MD2 - BIO_printf(bio_err, "md2 "); -#endif -#ifndef OPENSSL_NO_MDC2 - BIO_printf(bio_err, "mdc2 "); -#endif -#ifndef OPENSSL_NO_MD4 - BIO_printf(bio_err, "md4 "); -#endif -#ifndef OPENSSL_NO_MD5 - BIO_printf(bio_err, "md5 "); - BIO_printf(bio_err, "hmac "); -#endif - BIO_printf(bio_err, "sha1 "); - 
BIO_printf(bio_err, "sha256 "); - BIO_printf(bio_err, "sha512 "); -#ifndef OPENSSL_NO_WHIRLPOOL - BIO_printf(bio_err, "whirlpool"); -#endif -#ifndef OPENSSL_NO_RMD160 - BIO_printf(bio_err, "rmd160"); -#endif - BIO_printf(bio_err, "\n"); - -#ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, "idea-cbc "); -#endif -#ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "seed-cbc "); -#endif -#ifndef OPENSSL_NO_RC2 - BIO_printf(bio_err, "rc2-cbc "); -#endif -#ifndef OPENSSL_NO_RC5 - BIO_printf(bio_err, "rc5-cbc "); -#endif -#ifndef OPENSSL_NO_BF - BIO_printf(bio_err, "bf-cbc"); -#endif -#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || !defined(OPENSSL_NO_RC2) || \ - !defined(OPENSSL_NO_BF) || !defined(OPENSSL_NO_RC5) - BIO_printf(bio_err, "\n"); -#endif -#ifndef OPENSSL_NO_DES - BIO_printf(bio_err, "des-cbc des-ede3 "); -#endif -#ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "aes-128-cbc aes-192-cbc aes-256-cbc "); - BIO_printf(bio_err, "aes-128-ige aes-192-ige aes-256-ige "); -#endif -#ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, - "camellia-128-cbc camellia-192-cbc camellia-256-cbc "); -#endif -#ifndef OPENSSL_NO_RC4 - BIO_printf(bio_err, "rc4"); -#endif - BIO_printf(bio_err, "\n"); - -#ifndef OPENSSL_NO_RSA - BIO_printf(bio_err, - "rsa512 rsa1024 rsa2048 rsa3072 rsa4096\n"); - BIO_printf(bio_err, "rsa7680 rsa15360\n"); -#endif - -#ifndef OPENSSL_NO_DSA - BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n"); -#endif -#ifndef OPENSSL_NO_EC - BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 " - "ecdsap256 ecdsap384 ecdsap521\n"); - BIO_printf(bio_err, - "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n"); - BIO_printf(bio_err, - "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n"); - BIO_printf(bio_err, "ecdsa\n"); - BIO_printf(bio_err, "ecdhp160 ecdhp192 ecdhp224 " - "ecdhp256 ecdhp384 ecdhp521\n"); - BIO_printf(bio_err, - "ecdhk163 ecdhk233 ecdhk283 ecdhk409 ecdhk571\n"); - BIO_printf(bio_err, - "ecdhb163 ecdhb233 ecdhb283 ecdhb409 
ecdhb571\n"); - BIO_printf(bio_err, "ecdh\n"); -#endif - -#ifndef OPENSSL_NO_IDEA - BIO_printf(bio_err, "idea "); -#endif -#ifndef OPENSSL_NO_SEED - BIO_printf(bio_err, "seed "); -#endif -#ifndef OPENSSL_NO_RC2 - BIO_printf(bio_err, "rc2 "); -#endif -#ifndef OPENSSL_NO_DES - BIO_printf(bio_err, "des "); -#endif -#ifndef OPENSSL_NO_AES - BIO_printf(bio_err, "aes "); -#endif -#ifndef OPENSSL_NO_CAMELLIA - BIO_printf(bio_err, "camellia "); -#endif -#ifndef OPENSSL_NO_RSA - BIO_printf(bio_err, "rsa "); -#endif -#ifndef OPENSSL_NO_BF - BIO_printf(bio_err, "blowfish"); -#endif -#if !defined(OPENSSL_NO_IDEA) || !defined(OPENSSL_NO_SEED) || \ - !defined(OPENSSL_NO_RC2) || !defined(OPENSSL_NO_DES) || \ - !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_BF) || \ - !defined(OPENSSL_NO_AES) || !defined(OPENSSL_NO_CAMELLIA) - BIO_printf(bio_err, "\n"); -#endif - - BIO_printf(bio_err, "\n"); - BIO_printf(bio_err, "Available options:\n"); -#if defined(TIMES) || defined(USE_TOD) - BIO_printf(bio_err, "-elapsed " - "measure time in real time instead of CPU user time.\n"); -#endif -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - "-engine e " - "use engine e, possibly a hardware device.\n"); -#endif - BIO_printf(bio_err, "-evp e " "use EVP e.\n"); - BIO_printf(bio_err, - "-decrypt " - "time decryption instead of encryption (only EVP).\n"); - BIO_printf(bio_err, - "-mr " - "produce machine readable output.\n"); - BIO_printf(bio_err, - "-mb " - "perform multi-block benchmark (for specific ciphers)\n"); - BIO_printf(bio_err, - "-misalign n " - "perform benchmark with misaligned data\n"); -#ifndef NO_FORK - BIO_printf(bio_err, - "-multi n " "run n benchmarks in parallel.\n"); -#endif - goto end; + continue; } - argc--; - argv++; - j++; + if (found(*argv, ecdh_choices, &i)) { + ecdh_doit[i] = 2; + continue; + } +#endif + BIO_printf(bio_err, "%s: Unknown algorithm %s\n", prog, *argv); + goto end; } #ifndef NO_FORK 
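Review bot: The `OPT_MISALIGN` case rejects only `misalign > MISALIGN`, whereas the parser it replaces also rejected negative values, and the next two lines compute `buf = buf_malloc + misalign` and `buf2 = buf2_malloc + misalign`. Unless the `misalign` entry in `speed_options` (not visible in this hunk) uses a positive-only value type, a negative offset would place both pointers before the start of their allocations. `if (misalign < 0 || misalign > MISALIGN) {` restores the old lower bound. The same question applies to `OPT_MULTI`, where the removed `multi <= 0` check has no visible replacement after `multi = atoi(opt_arg());`. The enclosing function starts and ends outside the hunk.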
@@ -1205,11 +956,11 @@ int MAIN(int argc, char **argv) goto show_res; #endif - if (j == 0) { - for (i = 0; i < ALGOR_NUM; i++) { + /* No parameters; turn on everything. */ + if (argc == 0) { + for (i = 0; i < ALGOR_NUM; i++) if (i != D_EVP) doit[i] = 1; - } for (i = 0; i < RSA_NUM; i++) rsa_doit[i] = 1; for (i = 0; i < DSA_NUM; i++) @@ -1449,6 +1200,7 @@ int MAIN(int argc, char **argv) } } } + ecdh_c[R_EC_P160][0] = count / 1000; ecdh_c[R_EC_P160][1] = count / 1000; for (i = R_EC_P192; i <= R_EC_P521; i++) { @@ -1910,7 +1662,7 @@ int MAIN(int argc, char **argv) goto end; } multiblock_speed(evp_cipher); - mret = 0; + ret = 0; goto end; } #endif @@ -1965,16 +1717,15 @@ int MAIN(int argc, char **argv) print_result(D_EVP, j, count, d); } } -#ifndef OPENSSL_SYS_WIN32 -#endif + RAND_bytes(buf, 36); #ifndef OPENSSL_NO_RSA for (j = 0; j < RSA_NUM; j++) { - int ret; + int st; if (!rsa_doit[j]) continue; - ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, rsa_key[j]); - if (ret == 0) { + st = RSA_sign(NID_md5_sha1, buf, 36, buf2, &rsa_num, rsa_key[j]); + if (st == 0) { BIO_printf(bio_err, "RSA sign failure. No RSA sign will be done.\n"); ERR_print_errors(bio_err); @@ -1985,9 +1736,9 @@ int MAIN(int argc, char **argv) /* RSA_blinding_on(rsa_key[j],NULL); */ Time_F(START); for (count = 0, run = 1; COND(rsa_c[j][0]); count++) { - ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, - &rsa_num, rsa_key[j]); - if (ret == 0) { + st = RSA_sign(NID_md5_sha1, buf, 36, buf2, + &rsa_num, rsa_key[j]); + if (st == 0) { BIO_printf(bio_err, "RSA sign failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2003,8 +1754,8 @@ int MAIN(int argc, char **argv) rsa_count = count; } - ret = RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[j]); - if (ret <= 0) { + st = RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[j]); + if (st <= 0) { BIO_printf(bio_err, "RSA verify failure. No RSA verify will be done.\n"); ERR_print_errors(bio_err); 
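Review bot: The new `if (argc == 0)` test in the -1205 hunk counts every leftover word, while the old `j` counter skipped words that are not algorithms. In the algorithm loop of the previous hunk, the `openssl` argument sets the RSA method and `continue`s without selecting anything, yet it is still included in `opt_num_rest()`. As far as these hunks show, `speed openssl` would therefore benchmark nothing rather than everything, as it did before. Adding `argc--;` before the `continue` in that branch would keep the old behaviour, and so would tracking whether any `doit` entry was set. The surrounding function body lies outside the hunk.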
@@ -2014,9 +1765,9 @@ int MAIN(int argc, char **argv) rsa_c[j][1], rsa_bits[j], RSA_SECONDS); Time_F(START); for (count = 0, run = 1; COND(rsa_c[j][1]); count++) { - ret = RSA_verify(NID_md5_sha1, buf, 36, buf2, - rsa_num, rsa_key[j]); - if (ret <= 0) { + st = RSA_verify(NID_md5_sha1, buf, 36, buf2, + rsa_num, rsa_key[j]); + if (st <= 0) { BIO_printf(bio_err, "RSA verify failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2047,15 +1798,15 @@ int MAIN(int argc, char **argv) } for (j = 0; j < DSA_NUM; j++) { unsigned int kk; - int ret; + int st; if (!dsa_doit[j]) continue; /* DSA_generate_key(dsa_key[j]); */ /* DSA_sign_setup(dsa_key[j],NULL); */ - ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]); - if (ret == 0) { + st = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]); + if (st == 0) { BIO_printf(bio_err, "DSA sign failure. No DSA sign will be done.\n"); ERR_print_errors(bio_err); @@ -2065,8 +1816,8 @@ int MAIN(int argc, char **argv) dsa_c[j][0], dsa_bits[j], DSA_SECONDS); Time_F(START); for (count = 0, run = 1; COND(dsa_c[j][0]); count++) { - ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]); - if (ret == 0) { + st = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2, &kk, dsa_key[j]); + if (st == 0) { BIO_printf(bio_err, "DSA sign failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2082,8 +1833,8 @@ int MAIN(int argc, char **argv) rsa_count = count; } - ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]); - if (ret <= 0) { + st = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]); + if (st <= 0) { BIO_printf(bio_err, "DSA verify failure. No DSA verify will be done.\n"); ERR_print_errors(bio_err); 
@@ -2093,8 +1844,8 @@ int MAIN(int argc, char **argv) dsa_c[j][1], dsa_bits[j], DSA_SECONDS); Time_F(START); for (count = 0, run = 1; COND(dsa_c[j][1]); count++) { - ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]); - if (ret <= 0) { + st = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2, kk, dsa_key[j]); + if (st <= 0) { BIO_printf(bio_err, "DSA verify failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2125,7 +1876,7 @@ int MAIN(int argc, char **argv) rnd_fake = 1; } for (j = 0; j < EC_NUM; j++) { - int ret; + int st; if (!ecdsa_doit[j]) continue; /* Ignore Curve */ @@ -2136,11 +1887,10 @@ int MAIN(int argc, char **argv) rsa_count = 1; } else { EC_KEY_precompute_mult(ecdsa[j], NULL); - /* Perform ECDSA signature test */ EC_KEY_generate_key(ecdsa[j]); - ret = ECDSA_sign(0, buf, 20, ecdsasig, &ecdsasiglen, ecdsa[j]); - if (ret == 0) { + st = ECDSA_sign(0, buf, 20, ecdsasig, &ecdsasiglen, ecdsa[j]); + if (st == 0) { BIO_printf(bio_err, "ECDSA sign failure. No ECDSA sign will be done.\n"); ERR_print_errors(bio_err); @@ -2152,9 +1902,9 @@ int MAIN(int argc, char **argv) Time_F(START); for (count = 0, run = 1; COND(ecdsa_c[j][0]); count++) { - ret = ECDSA_sign(0, buf, 20, - ecdsasig, &ecdsasiglen, ecdsa[j]); - if (ret == 0) { + st = ECDSA_sign(0, buf, 20, + ecdsasig, &ecdsasiglen, ecdsa[j]); + if (st == 0) { BIO_printf(bio_err, "ECDSA sign failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2172,8 +1922,8 @@ int MAIN(int argc, char **argv) } /* Perform ECDSA verification test */ - ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]); - if (ret != 1) { + st = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]); + if (st != 1) { BIO_printf(bio_err, "ECDSA verify failure. No ECDSA verify will be done.\n"); ERR_print_errors(bio_err); 
@@ -2184,10 +1934,9 @@ int MAIN(int argc, char **argv) test_curves_bits[j], ECDSA_SECONDS); Time_F(START); for (count = 0, run = 1; COND(ecdsa_c[j][1]); count++) { - ret = - ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, - ecdsa[j]); - if (ret != 1) { + st = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, + ecdsa[j]); + if (st != 1) { BIO_printf(bio_err, "ECDSA verify failure\n"); ERR_print_errors(bio_err); count = 1; @@ -2211,6 +1960,9 @@ int MAIN(int argc, char **argv) } if (rnd_fake) RAND_cleanup(); +#endif + +#ifndef OPENSSL_NO_EC if (RAND_status() != 1) { RAND_seed(rnd_seed, sizeof rnd_seed); rnd_fake = 1; @@ -2306,8 +2058,8 @@ int MAIN(int argc, char **argv) show_res: #endif if (!mr) { - fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_VERSION)); - fprintf(stdout, "%s\n", SSLeay_version(SSLEAY_BUILT_ON)); + printf("%s\n", SSLeay_version(SSLEAY_VERSION)); + printf("%s\n", SSLeay_version(SSLEAY_BUILT_ON)); printf("options:"); printf("%s ", BN_options()); #ifndef OPENSSL_NO_MD2 
@@ -2328,36 +2080,36 @@ int MAIN(int argc, char **argv) #ifndef OPENSSL_NO_BF printf("%s ", BF_options()); #endif - fprintf(stdout, "\n%s\n", SSLeay_version(SSLEAY_CFLAGS)); + printf("\n%s\n", SSLeay_version(SSLEAY_CFLAGS)); } if (pr_header) { if (mr) - fprintf(stdout, "+H"); + printf("+H"); else { - fprintf(stdout, - "The 'numbers' are in 1000s of bytes per second processed.\n"); - fprintf(stdout, "type "); + printf + ("The 'numbers' are in 1000s of bytes per second processed.\n"); + printf("type "); } for (j = 0; j < SIZE_NUM; j++) - fprintf(stdout, mr ? ":%d" : "%7d bytes", lengths[j]); - fprintf(stdout, "\n"); + printf(mr ? ":%d" : "%7d bytes", lengths[j]); + printf("\n"); } for (k = 0; k < ALGOR_NUM; k++) { if (!doit[k]) continue; if (mr) - fprintf(stdout, "+F:%d:%s", k, names[k]); + printf("+F:%d:%s", k, names[k]); else - fprintf(stdout, "%-13s", names[k]); + printf("%-13s", names[k]); for (j = 0; j < SIZE_NUM; j++) { if (results[k][j] > 10000 && !mr) - fprintf(stdout, " %11.2fk", results[k][j] / 1e3); + printf(" %11.2fk", results[k][j] / 1e3); else - fprintf(stdout, mr ? ":%.2f" : " %11.2f ", results[k][j]); + printf(mr ? ":%.2f" : " %11.2f ", results[k][j]); } - fprintf(stdout, "\n"); + printf("\n"); } #ifndef OPENSSL_NO_RSA j = 1; @@ -2369,12 +2121,12 @@ int MAIN(int argc, char **argv) j = 0; } if (mr) - fprintf(stdout, "+F2:%u:%u:%f:%f\n", - k, rsa_bits[k], rsa_results[k][0], rsa_results[k][1]); + printf("+F2:%u:%u:%f:%f\n", + k, rsa_bits[k], rsa_results[k][0], rsa_results[k][1]); else - fprintf(stdout, "rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", - rsa_bits[k], rsa_results[k][0], rsa_results[k][1], - 1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1]); + printf("rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", + rsa_bits[k], rsa_results[k][0], rsa_results[k][1], + 1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1]); } #endif #ifndef OPENSSL_NO_DSA 
@@ -2387,12 +2139,12 @@ int MAIN(int argc, char **argv) j = 0; } if (mr) - fprintf(stdout, "+F3:%u:%u:%f:%f\n", - k, dsa_bits[k], dsa_results[k][0], dsa_results[k][1]); + printf("+F3:%u:%u:%f:%f\n", + k, dsa_bits[k], dsa_results[k][0], dsa_results[k][1]); else - fprintf(stdout, "dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", - dsa_bits[k], dsa_results[k][0], dsa_results[k][1], - 1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1]); + printf("dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", + dsa_bits[k], dsa_results[k][0], dsa_results[k][1], + 1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1]); } #endif #ifndef OPENSSL_NO_EC @@ -2406,17 +2158,19 @@ int MAIN(int argc, char **argv) } if (mr) - fprintf(stdout, "+F4:%u:%u:%f:%f\n", - k, test_curves_bits[k], - ecdsa_results[k][0], ecdsa_results[k][1]); + printf("+F4:%u:%u:%f:%f\n", + k, test_curves_bits[k], + ecdsa_results[k][0], ecdsa_results[k][1]); else - fprintf(stdout, - "%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n", - test_curves_bits[k], - test_curves_names[k], - ecdsa_results[k][0], ecdsa_results[k][1], - 1.0 / ecdsa_results[k][0], 1.0 / ecdsa_results[k][1]); + printf("%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n", + test_curves_bits[k], + test_curves_names[k], + ecdsa_results[k][0], ecdsa_results[k][1], + 1.0 / ecdsa_results[k][0], 1.0 / ecdsa_results[k][1]); } +#endif + +#ifndef OPENSSL_NO_EC j = 1; for (k = 0; k < EC_NUM; k++) { if (!ecdh_doit[k]) 
@@ -2426,26 +2180,24 @@ int MAIN(int argc, char **argv) j = 0; } if (mr) - fprintf(stdout, "+F5:%u:%u:%f:%f\n", - k, test_curves_bits[k], - ecdh_results[k][0], 1.0 / ecdh_results[k][0]); + printf("+F5:%u:%u:%f:%f\n", + k, test_curves_bits[k], + ecdh_results[k][0], 1.0 / ecdh_results[k][0]); else - fprintf(stdout, "%4u bit ecdh (%s) %8.4fs %8.1f\n", - test_curves_bits[k], - test_curves_names[k], - ecdh_results[k][0], 1.0 / ecdh_results[k][0]); + printf("%4u bit ecdh (%s) %8.4fs %8.1f\n", + test_curves_bits[k], + test_curves_names[k], + ecdh_results[k][0], 1.0 / ecdh_results[k][0]); } #endif - mret = 0; + ret = 0; end: ERR_print_errors(bio_err); - if (buf_malloc != NULL) - OPENSSL_free(buf_malloc); - if (buf2_malloc != NULL) - OPENSSL_free(buf2_malloc); + OPENSSL_free(save_buf); + OPENSSL_free(save_buf2); #ifndef OPENSSL_NO_RSA for (i = 0; i < RSA_NUM; i++) RSA_free(rsa_key[i]); @@ -2456,16 +2208,14 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_EC - for (i = 0; i < EC_NUM; i++) - EC_KEY_free(ecdsa[i]); for (i = 0; i < EC_NUM; i++) { + EC_KEY_free(ecdsa[i]); EC_KEY_free(ecdh_a[i]); EC_KEY_free(ecdh_b[i]); } #endif - apps_shutdown(); - OPENSSL_EXIT(mret); + return (ret); } static void print_message(const char *s, long num, int length) @@ -2617,25 +2367,6 @@ static int do_multi(int multi) rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d); else rsa_results[k][1] = d; - } else if (!strncmp(buf, "+F2:", 4)) { - int k; - double d; - - p = buf + 4; - k = atoi(sstrsep(&p, sep)); - sstrsep(&p, sep); - - d = atof(sstrsep(&p, sep)); - if (n) - rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d); - else - rsa_results[k][0] = d; - - d = atof(sstrsep(&p, sep)); - if (n) - rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d); - else - rsa_results[k][1] = d; } # ifndef OPENSSL_NO_DSA else if (!strncmp(buf, "+F3:", 4)) { 
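Review bot: The cleanup under `end:` in the -2426 hunk now frees `save_buf` and `save_buf2`, but the allocation added earlier in this file's diff stores its results in `buf_malloc` and `buf2_malloc`, and no visible hunk assigns the `save_*` names. If they are never set to the malloc results, both buffers leak and the free acts on whatever those variables hold. `buf` and `buf2` may be offset by `misalign`, so they are not valid pointers to free either. I would free `buf_malloc` and `buf2_malloc` here, or add `save_buf = buf_malloc; save_buf2 = buf2_malloc;` directly after the allocations. The declarations are outside the hunk, so this needs checking against the full function.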
@@ -2682,6 +2413,9 @@ static int do_multi(int multi) else ecdsa_results[k][1] = d; } +# endif + +# ifndef OPENSSL_NO_EC else if (!strncmp(buf, "+F5:", 4)) { int k; double d; @@ -2700,6 +2434,7 @@ static int do_multi(int multi) # endif else if (!strncmp(buf, "+H:", 3)) { + ; } else fprintf(stderr, "Unknown type '%s' from child %d\n", buf, n); } @@ -2724,11 +2459,10 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) inp = OPENSSL_malloc(mblengths[num - 1]); out = OPENSSL_malloc(mblengths[num - 1] + 1024); if (!inp || !out) { - BIO_printf(bio_err,"Out of memory\n"); + BIO_printf(bio_err, "Out of memory\n"); goto end; } - EVP_CIPHER_CTX_init(&ctx); EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv); EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key), @@ -2779,8 +2513,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) } } d = Time_F(STOP); - BIO_printf(bio_err, - mr ? "+R:%d:%s:%f\n" + BIO_printf(bio_err, mr ? "+R:%d:%s:%f\n" : "%d %s's in %.2fs\n", count, "evp", d); results[D_EVP][j] = ((double)count) / d * mblengths[j]; } diff --git a/apps/spkac.c b/apps/spkac.c index 8b06ec4..ee2e596 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -1,5 +1,3 @@ -/* apps/spkac.c */ - /* * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project * 1999. Based on an original idea by Massimiliano Pala (madwolf at openca.org). 
@@ -70,128 +68,105 @@ #include #include -#undef PROG -#define PROG spkac_main - -/*- - * -in arg - input file - default stdin - * -out arg - output file - default stdout - */ - -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT, + OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, + OPT_SPKSECT +} OPTION_CHOICE; + +OPTIONS spkac_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"key", OPT_KEY, '<', "Create SPKAC using private key"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"challenge", OPT_CHALLENGE, 's', "Challenge string"}, + {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"}, + {"noout", OPT_NOOUT, '-', "Don't print SPKAC"}, + {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"verify", OPT_VERIFY, '-', "Verify SPKAC signature"}, + {"spksect", OPT_SPKSECT, 's'}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int spkac_main(int argc, char **argv) { - ENGINE *e = NULL; - int i, badops = 0, ret = 1; BIO *in = NULL, *out = NULL; - int verify = 0, noout = 0, pubkey = 0; - char *infile = NULL, *outfile = NULL, *prog; - char *passargin = NULL, *passin = NULL; - const char *spkac = "SPKAC", *spksect = "default"; - char *spkstr = NULL; - char *challenge = NULL, *keyfile = NULL; CONF *conf = NULL; - NETSCAPE_SPKI *spki = NULL; + ENGINE *e = NULL; EVP_PKEY *pkey = NULL; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif - - apps_startup(); - - if (!bio_err) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - - prog = argv[0]; - argc--; - argv++; - while (argc >= 1) { - if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile = *(++argv); - } else if (strcmp(*argv, "-out") == 0) 
{ - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); - } else if (strcmp(*argv, "-challenge") == 0) { - if (--argc < 1) - goto bad; - challenge = *(++argv); - } else if (strcmp(*argv, "-spkac") == 0) { - if (--argc < 1) - goto bad; - spkac = *(++argv); - } else if (strcmp(*argv, "-spksect") == 0) { - if (--argc < 1) - goto bad; - spksect = *(++argv); - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif - else if (strcmp(*argv, "-noout") == 0) + NETSCAPE_SPKI *spki = NULL; + char *challenge = NULL, *keyfile = NULL, *engine = NULL; + char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL; + char *spkstr = NULL, *prog; + const char *spkac = "SPKAC", *spksect = "default"; + int i, ret = 1, verify = 0, noout = 0, pubkey = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, spkac_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(spkac_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: noout = 1; - else if (strcmp(*argv, "-pubkey") == 0) + break; + case OPT_PUBKEY: pubkey = 1; - else if (strcmp(*argv, "-verify") == 0) + break; + case OPT_VERIFY: verify = 1; - else - badops = 1; - argc--; - argv++; - } + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_CHALLENGE: + challenge = opt_arg(); + break; + case OPT_SPKAC: + spkac = opt_arg(); + break; + case OPT_SPKSECT: + spksect = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; - if (badops) { - bad: - 
BIO_printf(bio_err, "%s [options]\n", prog); - BIO_printf(bio_err, "where options are\n"); - BIO_printf(bio_err, " -in arg input file\n"); - BIO_printf(bio_err, " -out arg output file\n"); - BIO_printf(bio_err, - " -key arg create SPKAC using private key\n"); - BIO_printf(bio_err, - " -passin arg input file pass phrase source\n"); - BIO_printf(bio_err, " -challenge arg challenge string\n"); - BIO_printf(bio_err, " -spkac arg alternative SPKAC name\n"); - BIO_printf(bio_err, " -noout don't print SPKAC\n"); - BIO_printf(bio_err, " -pubkey output public key\n"); - BIO_printf(bio_err, " -verify verify SPKAC signature\n"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, - " -engine e use engine e, possibly a hardware device.\n"); -#endif - goto end; + } } + argc = opt_num_rest(); + argv = opt_rest(); - ERR_load_crypto_strings(); - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif if (keyfile) { - pkey = load_key(bio_err, - strcmp(keyfile, "-") ? keyfile : NULL, + pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL, FORMAT_PEM, 1, passin, e, "private key"); if (!pkey) { goto end; 
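Review bot: After the option loop in `spkac_main`, `argc = opt_num_rest(); argv = opt_rest();` are assigned but nothing in the hunk inspects them. Leftover positional arguments therefore appear to be ignored silently, where the removed parser set `badops` for any unrecognised word. A check such as `if (argc != 0) { BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; }` would keep a mistyped argument from being dropped. Separately, `{"spksect", OPT_SPKSECT, 's'},` is the only `spkac_options` entry without a help string; a short description such as `"Section name holding the SPKAC"` would make it show up usefully in `-help`. The body of `spkac_main` continues outside the hunk.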
@@ -204,39 +179,18 @@ int MAIN(int argc, char **argv) NETSCAPE_SPKI_sign(spki, pkey, EVP_md5()); spkstr = NETSCAPE_SPKI_b64_encode(spki); - if (outfile) - out = BIO_new_file(outfile, "w"); - else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (!out) { - BIO_printf(bio_err, "Error opening output file\n"); - ERR_print_errors(bio_err); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } BIO_printf(out, "SPKAC=%s\n", spkstr); OPENSSL_free(spkstr); ret = 0; goto end; } - if (infile) - in = BIO_new_file(infile, "r"); - else - in = BIO_new_fp(stdin, BIO_NOCLOSE); - - if (!in) { - BIO_printf(bio_err, "Error opening input file\n"); - ERR_print_errors(bio_err); + in = bio_open_default(infile, "r"); + if (in == NULL) goto end; - } conf = NCONF_new(NULL); i = NCONF_load_bio(conf, in, NULL); @@ -263,23 +217,9 @@ int MAIN(int argc, char **argv) goto end; } - if (outfile) - out = BIO_new_file(outfile, "w"); - else { - out = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } - - if (!out) { - BIO_printf(bio_err, "Error opening output file\n"); - ERR_print_errors(bio_err); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } if (!noout) NETSCAPE_SPKI_print(out, spki); @@ -307,6 +247,5 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(pkey); if (passin) OPENSSL_free(passin); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/srp.c b/apps/srp.c index 5acc783..bacd670 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -1,4 +1,3 @@ -/* apps/srp.c */ /* * Written by Peter Sylvester (peter.sylvester at edelweb.fr) for the EdelKey * project and contributed to the OpenSSL project 2004. 
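Review bot: The return values of `NETSCAPE_SPKI_sign()` and `NETSCAPE_SPKI_b64_encode()` at the top of the first spkac.c hunk on this line are never checked. A signing or encoding failure therefore still reaches `BIO_printf(out, "SPKAC=%s\n", spkstr);` and `ret = 0`, and a script driving the command would accept an unsigned or empty SPKAC as a success. Checking both keeps the exit status honest: `if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_md5())) goto end;` and `if (spkstr == NULL) goto end;`. The enclosing function starts before the hunk, so any earlier validation of `spki` is not visible here.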
@@ -71,9 +70,6 @@ # include "apps.h" -# undef PROG -# define PROG srp_main - # define BASE_SECTION "srp" # define CONFIG_FILE "openssl.cnf" @@ -82,41 +78,12 @@ # define ENV_DATABASE "srpvfile" # define ENV_DEFAULT_SRP "default_srp" -static char *srp_usage[] = { - "usage: srp [args] [user] \n", - "\n", - " -verbose Talk a lot while doing things\n", - " -config file A config file\n", - " -name arg The particular srp definition to use\n", - " -srpvfile arg The srp verifier file name\n", - " -add add an user and srp verifier\n", - " -modify modify the srp verifier of an existing user\n", - " -delete delete user from verifier file\n", - " -list list user\n", - " -gn arg g and N values to be used for new verifier\n", - " -userinfo arg additional info to be set for user\n", - " -passin arg input file pass phrase source\n", - " -passout arg output file pass phrase source\n", -# ifndef OPENSSL_NO_ENGINE - " -engine e - use engine e, possibly a hardware device.\n", -# endif - NULL -}; - # ifdef EFENCE extern int EF_PROTECT_FREE; extern int EF_PROTECT_BELOW; extern int EF_ALIGNMENT; # endif -static CONF *conf = NULL; -static char *section = NULL; - -# define VERBOSE if (verbose) -# define VVERBOSE if (verbose>1) - -int MAIN(int, char **); - static int get_index(CA_DB *db, char *id, char type) { char **pp; 
@@ -216,18 +183,17 @@ static char *srp_verify_user(const char *user, const char *srp_verifier, cb_tmp.password = passin; if (password_callback(password, 1024, 0, &cb_tmp) > 0) { - VERBOSE BIO_printf(bio, - "Validating\n" - " user=\"%s\"\n" - " srp_verifier=\"%s\"\n" - " srp_usersalt=\"%s\"\n" - " g=\"%s\"\n N=\"%s\"\n", - user, srp_verifier, srp_usersalt, g, N); + if (verbose) + BIO_printf(bio, + "Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", + user, srp_verifier, srp_usersalt, g, N); BIO_printf(bio, "Pass %s\n", password); OPENSSL_assert(srp_usersalt != NULL); - if (!(gNid = SRP_create_verifier(user, password, &srp_usersalt, - &verifier, N, g))) { + if (! + (gNid = + SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, + g))) { BIO_printf(bio, "Internal error validating SRP verifier\n"); } else { if (strcmp(verifier, srp_verifier)) 
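Review bot: `BIO_printf(bio, "Pass %s\n", password);` in srp_verify_user writes the pass phrase that was just read to the caller's BIO unconditionally; unlike the "Validating" block above it, it is not gated on `verbose`. Anything that captures the tool's output (terminal scrollback, redirected stderr, CI logs) then holds the SRP password in clear text. I would delete the line, or keep at most a redacted trace such as `if (verbose > 1) BIO_printf(bio, "Pass phrase read\n");`. The function body starts and ends outside this hunk.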
@@ -250,56 +216,66 @@ static char *srp_create_user(char *user, char **srp_verifier, cb_tmp.password = passout; if (password_callback(password, 1024, 1, &cb_tmp) > 0) { - VERBOSE BIO_printf(bio, - "Creating\n" - " user=\"%s\"\n" - " g=\"%s\"\n" " N=\"%s\"\n", user, g, N); - if (!(gNid = SRP_create_verifier(user, password, &salt, - srp_verifier, N, g))) { + if (verbose) + BIO_printf(bio, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", + user, g, N); + if (! + (gNid = + SRP_create_verifier(user, password, &salt, srp_verifier, N, + g))) { BIO_printf(bio, "Internal error creating SRP verifier\n"); } else *srp_usersalt = salt; - VVERBOSE BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", - gNid, salt, *srp_verifier); + if (verbose > 1) + BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid, + salt, *srp_verifier); } return gNid; } -int MAIN(int argc, char **argv) -{ - int add_user = 0; - int list_user = 0; - int delete_user = 0; - int modify_user = 0; - char *user = NULL; - - char *passargin = NULL, *passargout = NULL; - char *passin = NULL, *passout = NULL; - char *gN = NULL; - int gNindex = -1; - char **gNrow = NULL; - int maxgN = -1; - - char *userinfo = NULL; - - int badops = 0; - int ret = 1; - int errors = 0; - int verbose = 0; - int doupdatedb = 0; - char *configfile = NULL; - char *dbfile = NULL; - CA_DB *db = NULL; - char **pp; - int i; - long errorline = -1; - char *randfile = NULL; +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD, + OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO, + OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS srp_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"}, + {"config", OPT_CONFIG, '<', "A config file"}, + {"name", OPT_NAME, 's', "The particular srp definition to use"}, + {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file 
name"}, + {"add", OPT_ADD, '-', "Add a user and srp verifier"}, + {"modify", OPT_MODIFY, '-', + "Modify the srp verifier of an existing user"}, + {"delete", OPT_DELETE, '-', "Delete user from verifier file"}, + {"list", OPT_LIST, '-', "List users"}, + {"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"}, + {"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, # ifndef OPENSSL_NO_ENGINE - char *engine = NULL; + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, # endif - char *tofree = NULL; + {NULL} +}; + +int srp_main(int argc, char **argv) +{ + CA_DB *db = NULL; DB_ATTR db_attr; + CONF *conf = NULL; + int gNindex = -1, maxgN = -1, ret = 1, errors = 0, verbose = + 0, i, doupdatedb = 0; + int mode = OPT_ERR; + char *user = NULL, *passinarg = NULL, *passoutarg = NULL; + char *passin = NULL, *passout = NULL, *gN = NULL, *userinfo = NULL; + char *randfile = NULL, *engine = NULL, *tofree = NULL, *section = NULL; + char **gNrow = NULL, *configfile = NULL, *dbfile = NULL, **pp, *prog; + long errorline = -1; + OPTION_CHOICE o; # ifdef EFENCE EF_PROTECT_FREE = 1; 
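Review bot: The re-indented `if (! (gNid = SRP_create_verifier(...)))` in srp_create_user is hard to read, with the negation, the assignment and the call spread over four lines. The same shape appears in the srp_verify_user hunk above and in the two `srp_create_user(...)` calls inside srp_main further down. Separating the assignment from the test reads better and survives the formatter: `gNid = SRP_create_verifier(user, password, &salt, srp_verifier, N, g);` followed by `if (gNid == NULL) {`. srp_main's body continues past this hunk.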
@@ -307,119 +283,89 @@ int MAIN(int argc, char **argv) EF_ALIGNMENT = 0; # endif - apps_startup(); - - conf = NULL; - section = NULL; - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - argc--; - argv++; - while (argc >= 1 && badops == 0) { - if (strcmp(*argv, "-verbose") == 0) + prog = opt_init(argc, argv, srp_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(srp_options); + ret = 0; + goto end; + case OPT_VERBOSE: verbose++; - else if (strcmp(*argv, "-config") == 0) { - if (--argc < 1) - goto bad; - configfile = *(++argv); - } else if (strcmp(*argv, "-name") == 0) { - if (--argc < 1) - goto bad; - section = *(++argv); - } else if (strcmp(*argv, "-srpvfile") == 0) { - if (--argc < 1) - goto bad; - dbfile = *(++argv); - } else if (strcmp(*argv, "-add") == 0) - add_user = 1; - else if (strcmp(*argv, "-delete") == 0) - delete_user = 1; - else if (strcmp(*argv, "-modify") == 0) - modify_user = 1; - else if (strcmp(*argv, "-list") == 0) - list_user = 1; - else if (strcmp(*argv, "-gn") == 0) { - if (--argc < 1) - goto bad; - gN = *(++argv); - } else if (strcmp(*argv, "-userinfo") == 0) { - if (--argc < 1) - goto bad; - userinfo = *(++argv); - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-passout") == 0) { - if (--argc < 1) - goto bad; - passargout = *(++argv); - } -# ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -# endif - - else if (**argv == '-') { - bad: - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; - } else + case OPT_CONFIG: + configfile = opt_arg(); break; - - argc--; - argv++; + case OPT_NAME: + section = opt_arg(); + break; + case 
OPT_SRPVFILE: + dbfile = opt_arg(); + break; + case OPT_ADD: + case OPT_DELETE: + case OPT_MODIFY: + case OPT_LIST: + if (mode != OPT_ERR) { + BIO_printf(bio_err, + "%s: Only one of -add/delete-modify/-list\n", + prog); + goto opthelp; + } + mode = o; + break; + case OPT_GN: + gN = opt_arg(); + break; + case OPT_USERINFO: + userinfo = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); if (dbfile && configfile) { BIO_printf(bio_err, "-dbfile and -configfile cannot be specified together.\n"); - badops = 1; + goto end; } - if (add_user + delete_user + modify_user + list_user != 1) { - BIO_printf(bio_err, "Exactly one of the options " - "-add, -delete, -modify -list must be specified.\n"); - badops = 1; + if (mode == OPT_ERR) { + BIO_printf(bio_err, + "Exactly one of the options -add, -delete, -modify -list must be specified.\n"); + goto opthelp; } - if (delete_user + modify_user + delete_user == 1 && argc <= 0) { - BIO_printf(bio_err, "Need at least one user for options " - "-add, -delete, -modify. \n"); - badops = 1; + if ((mode == OPT_DELETE || mode == OPT_MODIFY || OPT_ADD) && argc < 1) { + BIO_printf(bio_err, + "Need at least one user for options -add, -delete, -modify. 
\n"); + goto opthelp; } if ((passin || passout) && argc != 1) { BIO_printf(bio_err, "-passin, -passout arguments only valid with one user.\n"); - badops = 1; + goto opthelp; } - - if (badops) { - for (pp = srp_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); - - BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, - LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, - " load the file (or the files in the directory) into\n"); - BIO_printf(bio_err, " the random number generator\n"); - goto err; - } - - ERR_load_crypto_strings(); - # ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); + setup_engine(engine, 0); # endif - if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); - goto err; + goto end; } if (!dbfile) { @@ -439,7 +385,7 @@ int MAIN(int argc, char **argv) tofree = OPENSSL_malloc(len); if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); - goto err; + goto end; } strcpy(tofree, s); # else @@ -447,7 +393,7 @@ int MAIN(int argc, char **argv) tofree = OPENSSL_malloc(len); if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); - goto err; + goto end; } BUF_strlcpy(tofree, s, len); BUF_strlcat(tofree, "/", len); @@ -456,8 +402,8 @@ int MAIN(int argc, char **argv) configfile = tofree; } - VERBOSE BIO_printf(bio_err, "Using configuration from %s\n", - configfile); + if (verbose) + BIO_printf(bio_err, "Using configuration from %s\n", configfile); conf = NCONF_new(NULL); if (NCONF_load(conf, configfile, &errorline) <= 0) { if (errorline <= 0) 
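Review bot: In the argument checks after option parsing, `(mode == OPT_DELETE || mode == OPT_MODIFY || OPT_ADD) && argc < 1` has a bare `OPT_ADD`, a non-zero enum constant, so the left side is always true and `-list` with no user name is rejected with "Need at least one user". It should read `if ((mode == OPT_DELETE || mode == OPT_MODIFY || mode == OPT_ADD) && argc < 1) {`. The following check, `(passin || passout) && argc != 1`, tests the resolved pass phrases, which are still NULL because `app_passwd()` runs later in this hunk. The one-user restriction is therefore never enforced, and the test should presumably be `passinarg || passoutarg`. The message "Only one of -add/delete-modify/-list" also has its separators mixed up.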
@@ -466,53 +412,53 @@ int MAIN(int argc, char **argv) else BIO_printf(bio_err, "error on line %ld of config file '%s'\n", errorline, configfile); - goto err; + goto end; } if (tofree) { OPENSSL_free(tofree); tofree = NULL; } - if (!load_config(bio_err, conf)) - goto err; - /* Lets get the config section we are using */ if (section == NULL) { - VERBOSE BIO_printf(bio_err, - "trying to read " ENV_DEFAULT_SRP - " in \" BASE_SECTION \"\n"); + if (verbose) + BIO_printf(bio_err, + "trying to read " ENV_DEFAULT_SRP + " in \" BASE_SECTION \"\n"); section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_SRP); if (section == NULL) { lookup_fail(BASE_SECTION, ENV_DEFAULT_SRP); - goto err; + goto end; } } if (randfile == NULL && conf) randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); - VERBOSE BIO_printf(bio_err, - "trying to read " ENV_DATABASE - " in section \"%s\"\n", section); + if (verbose) + BIO_printf(bio_err, + "trying to read " ENV_DATABASE " in section \"%s\"\n", + section); if ((dbfile = NCONF_get_string(conf, section, ENV_DATABASE)) == NULL) { lookup_fail(section, ENV_DATABASE); - goto err; + goto end; } } if (randfile == NULL) ERR_clear_error(); else - app_RAND_load_file(randfile, bio_err, 0); + app_RAND_load_file(randfile, 0); - VERBOSE BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n", - dbfile); + if (verbose) + BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n", + dbfile); db = load_index(dbfile, &db_attr); if (db == NULL) - goto err; + goto end; /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { 
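Review bot: The verbose message built from `"trying to read " ENV_DEFAULT_SRP " in \" BASE_SECTION \"\n"` never expands the macro, because the escaped quotes keep `BASE_SECTION` inside the string literal and the output shows the literal text instead of `srp`. The new lines carry this over unchanged from the old `VERBOSE` form. Closing and reopening the literal around the macro fixes it: `" in \"" BASE_SECTION "\"\n"`. The surrounding `if (!dbfile) {` block starts before this hunk.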
@@ -527,46 +473,50 @@ int MAIN(int argc, char **argv) } } - VERBOSE BIO_printf(bio_err, "Database initialised\n"); + if (verbose) + BIO_printf(bio_err, "Database initialised\n"); if (gNindex >= 0) { gNrow = sk_OPENSSL_PSTRING_value(db->db->data, gNindex); print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N"); } else if (maxgN > 0 && !SRP_get_default_gN(gN)) { BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN); - goto err; + goto end; } else { - VERBOSE BIO_printf(bio_err, "Database has no g N information.\n"); + if (verbose) + BIO_printf(bio_err, "Database has no g N information.\n"); gNrow = NULL; } - VVERBOSE BIO_printf(bio_err, "Starting user processing\n"); + if (verbose > 1) + BIO_printf(bio_err, "Starting user processing\n"); if (argc > 0) user = *(argv++); - while (list_user || user) { + while (mode == OPT_LIST || user) { int userindex = -1; if (user) - VVERBOSE BIO_printf(bio_err, "Processing user \"%s\"\n", user); + if (verbose > 1) + BIO_printf(bio_err, "Processing user \"%s\"\n", user); if ((userindex = get_index(db, user, 'U')) >= 0) { - print_user(db, bio_err, userindex, (verbose > 0) || list_user); + print_user(db, bio_err, userindex, (verbose > 0) + || mode == OPT_LIST); } - if (list_user) { + if (mode == OPT_LIST) { if (user == NULL) { BIO_printf(bio_err, "List all users\n"); for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { print_user(db, bio_err, i, 1); } - list_user = 0; } else if (userindex < 0) { BIO_printf(bio_err, "user \"%s\" does not exist, ignored. t\n", user); errors++; } - } else if (add_user) { + } else if (mode == OPT_ADD) { if (userindex >= 0) { /* reactivation of a new user */ char **row = 
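Review bot: The user loop is now `while (mode == OPT_LIST || user)`, but this hunk drops `list_user = 0;` after the "List all users" pass and the hunk for the loop tail drops the second reset, and nothing visible changes `mode`. Unless `mode` is cleared somewhere outside these hunks, `srp -list` appears never to leave the loop: with no user it would list the database repeatedly, and with users it would fall into the list-all branch once they are exhausted. Restoring termination where the old resets were would fix this, for example `break;` after the listing `for` loop and `break;` in the `else { user = NULL; }` tail. The loop body ends outside this hunk.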
@@ -581,26 +531,31 @@ int MAIN(int argc, char **argv) row[DB_srpverifier] = NULL; row[DB_srpsalt] = NULL; row[DB_srpinfo] = NULL; - if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]), - &(row[DB_srpsalt]), - gNrow ? gNrow[DB_srpsalt] : gN, - gNrow ? gNrow[DB_srpverifier] : - NULL, passout, bio_err, - verbose))) { + if (! + (gNid = + srp_create_user(user, &(row[DB_srpverifier]), + &(row[DB_srpsalt]), + gNrow ? gNrow[DB_srpsalt] : gN, + gNrow ? gNrow[DB_srpverifier] : NULL, + passout, bio_err, verbose))) { BIO_printf(bio_err, - "Cannot create srp verifier for user \"%s\"," - " operation abandoned .\n", user); + "Cannot create srp verifier for user \"%s\", operation abandoned .\n", + user); errors++; - goto err; + goto end; } row[DB_srpid] = BUF_strdup(user); row[DB_srptype] = BUF_strdup("v"); row[DB_srpgN] = BUF_strdup(gNid); if (!row[DB_srpid] || !row[DB_srpgN] || !row[DB_srptype] - || !row[DB_srpverifier] || !row[DB_srpsalt] - || (userinfo - && (!(row[DB_srpinfo] = BUF_strdup(userinfo)))) + || !row[DB_srpverifier] || !row[DB_srpsalt] || (userinfo + && + (!(row + [DB_srpinfo] + = + BUF_strdup + (userinfo)))) || !update_index(db, bio_err, row)) { if (row[DB_srpid]) OPENSSL_free(row[DB_srpid]); @@ -614,11 +569,11 @@ int MAIN(int argc, char **argv) OPENSSL_free(row[DB_srpverifier]); if (row[DB_srpsalt]) OPENSSL_free(row[DB_srpsalt]); - goto err; + goto end; } doupdatedb = 1; } - } else if (modify_user) { + } else if (mode == OPT_MODIFY) { if (userindex < 0) { BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored.\n", @@ -640,9 +595,10 @@ int MAIN(int argc, char **argv) if (row[DB_srptype][0] == 'V') { int user_gN; char **irow = NULL; - VERBOSE BIO_printf(bio_err, - "Verifying password for user \"%s\"\n", - user); + if (verbose) + BIO_printf(bio_err, + "Verifying password for user \"%s\"\n", + user); if ((user_gN = get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0) irow = 
@@ -658,25 +614,25 @@ int MAIN(int argc, char **argv) "Invalid password for user \"%s\", operation abandoned.\n", user); errors++; - goto err; + goto end; } } - VERBOSE BIO_printf(bio_err, - "Password for user \"%s\" ok.\n", - user); - - if (!(gNid = srp_create_user(user, &(row[DB_srpverifier]), - &(row[DB_srpsalt]), - gNrow ? gNrow[DB_srpsalt] : - NULL, - gNrow ? gNrow[DB_srpverifier] - : NULL, passout, bio_err, - verbose))) { + if (verbose) + BIO_printf(bio_err, "Password for user \"%s\" ok.\n", + user); + + if (! + (gNid = + srp_create_user(user, &(row[DB_srpverifier]), + &(row[DB_srpsalt]), + gNrow ? gNrow[DB_srpsalt] : NULL, + gNrow ? gNrow[DB_srpverifier] : NULL, + passout, bio_err, verbose))) { BIO_printf(bio_err, - "Cannot create srp verifier for user \"%s\"," - " operation abandoned.\n", user); + "Cannot create srp verifier for user \"%s\", operation abandoned.\n", + user); errors++; - goto err; + goto end; } row[DB_srptype][0] = 'v'; @@ -686,12 +642,12 @@ int MAIN(int argc, char **argv) || !row[DB_srpverifier] || !row[DB_srpsalt] || (userinfo && (!(row[DB_srpinfo] = BUF_strdup(userinfo))))) - goto err; + goto end; doupdatedb = 1; } } - } else if (delete_user) { + } else if (mode == OPT_DELETE) { if (userindex < 0) { BIO_printf(bio_err, "user \"%s\" does not exist, operation ignored. t\n", @@ -711,11 +667,11 @@ int MAIN(int argc, char **argv) user = *(argv++); else { user = NULL; - list_user = 0; } } - VERBOSE BIO_printf(bio_err, "User procession done.\n"); + if (verbose) + BIO_printf(bio_err, "User procession done.\n"); if (doupdatedb) { /* Lets check some fields */ 
@@ -728,37 +684,41 @@ int MAIN(int argc, char **argv) } } - VERBOSE BIO_printf(bio_err, "Trying to update srpvfile.\n"); + if (verbose) + BIO_printf(bio_err, "Trying to update srpvfile.\n"); if (!save_index(dbfile, "new", db)) - goto err; + goto end; - VERBOSE BIO_printf(bio_err, "Temporary srpvfile created.\n"); + if (verbose) + BIO_printf(bio_err, "Temporary srpvfile created.\n"); if (!rotate_index(dbfile, "new", "old")) - goto err; + goto end; - VERBOSE BIO_printf(bio_err, "srpvfile updated.\n"); + if (verbose) + BIO_printf(bio_err, "srpvfile updated.\n"); } ret = (errors != 0); - err: + end: if (errors != 0) - VERBOSE BIO_printf(bio_err, "User errors %d.\n", errors); + if (verbose) + BIO_printf(bio_err, "User errors %d.\n", errors); - VERBOSE BIO_printf(bio_err, "SRP terminating with code %d.\n", ret); + if (verbose) + BIO_printf(bio_err, "SRP terminating with code %d.\n", ret); if (tofree) OPENSSL_free(tofree); if (ret) ERR_print_errors(bio_err); if (randfile) - app_RAND_write_file(randfile, bio_err); + app_RAND_write_file(randfile); if (conf) NCONF_free(conf); if (db) free_index(db); OBJ_cleanup(); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } #endif diff --git a/apps/testdsa.h b/apps/testdsa.h index 550c625..4eb13d1 100644 --- a/apps/testdsa.h +++ b/apps/testdsa.h 
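Review bot: The `end:` cleanup in srp_main releases `tofree`, `conf` and `db` but never `passin` or `passout`, which `app_passwd()` filled in earlier. spkac.c in this same commit frees its `passin` with `OPENSSL_free()`, so these look like heap copies of the pass phrases that are left allocated until the process exits. Now that the function returns to its caller instead of calling `OPENSSL_EXIT()`, I would add `if (passin) OPENSSL_free(passin);` and `if (passout) OPENSSL_free(passout);` here, ideally wiping the buffers first.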
@@ -1,8 +1,57 @@ -/* NOCW */ -/* used by apps/speed.c */ +/* ==================================================================== + * Copyright (c) 199-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +/* used by speed.c */ DSA *get_dsa512(void); DSA *get_dsa1024(void); DSA *get_dsa2048(void); + static unsigned char dsa512_priv[] = { 0x65, 0xe5, 0xc7, 0x38, 0x60, 0x24, 0xb5, 0x89, 0xd4, 0x9c, 0xeb, 0x4c, 0x9c, 0x1d, 0x7a, 0x22, 0xbd, 0xd1, 0xc2, 0xd2, diff --git a/apps/ts.c b/apps/ts.c index 4c32ada..e0f4313 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -1,4 +1,3 @@ -/* apps/ts.c */ /* * Written by Zoltan Glozik (zglozik at stones.com) for the OpenSSL project * 2002. @@ -68,9 +67,6 @@ #include #include -#undef PROG -#define PROG ts_main - /* Length of the nonce of the request in bits (must be a multiple of 8). */ #define NONCE_LENGTH 64 @@ -86,8 +82,6 @@ static CONF *load_config_file(const char *configfile); static int query_command(const char *data, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert, const char *in, const char *out, int text); -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp); static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert); static int create_digest(BIO *input, char *digest, 
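Review bot: The licence header added to testdsa.h reads `Copyright (c) 199-2015`, so the first year is missing a digit. It should be the intended four-digit year, matching the other files in apps/.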
@@ -102,8 +96,8 @@ static int reply_command(CONF *conf, char *section, char *engine, int text); static TS_RESP *read_PKCS7(BIO *in_bio); static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, + char *queryfile, char *passin, + char *inkey, char *signer, char *chain, const char *policy); static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data); static ASN1_INTEGER *next_serial(const char *serialfile); 
@@ -112,163 +106,201 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); /* Verify related functions. */ static int verify_command(char *data, char *digest, char *queryfile, char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted); + char *CApath, char *CAfile, char *untrusted); static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, char *queryfile, - char *ca_path, char *ca_file, + char *CApath, char *CAfile, char *untrusted); -static X509_STORE *create_cert_store(char *ca_path, char *ca_file); +static X509_STORE *create_cert_store(char *CApath, char *CAfile); static int verify_cb(int ok, X509_STORE_CTX *ctx); -/* Main function definition. */ -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA, + OPT_DIGEST, OPT_RAND, OPT_POLICY, OPT_NO_NONCE, OPT_CERT, + OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT, + OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER, + OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, + OPT_MD +} OPTION_CHOICE; + +OPTIONS ts_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"config", OPT_CONFIG, '<', "Configuration file"}, + {"section", OPT_SECTION, 's', "Section to use within config file"}, + {"query", OPT_QUERY, '-', "Generate a TS query"}, + {"data", OPT_DATA, '<', "File to hash"}, + {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"policy", OPT_POLICY, 's', "Policy OID to use"}, + {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"}, + {"cert", OPT_CERT, '-', "Put cert request into query"}, + {"in", OPT_IN, '<', "Input file"}, + {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"}, + {"text", OPT_TEXT, '-', "Output text (not DER)"}, + 
{"reply", OPT_REPLY, '-', "Generate a TS reply"}, + {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"}, + {"passin", OPT_PASSIN, 's'}, + {"inkey", OPT_INKEY, '<', "File with private key for reply"}, + {"signer", OPT_SIGNER, 's'}, + {"chain", OPT_CHAIN, '<', "File with signer CA chain"}, + {"verify", OPT_VERIFY, '-', "Verify a TS response"}, + {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"}, + {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"}, + {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {"", OPT_MD, '-', "Any supported digest"}, + {NULL} +}; -int MAIN(int argc, char **argv) +/* + * This comand is so complex, special help is needed. + */ +static char* opt_helplist[] = { + "Typical uses:", + "ts -query [-rand file...] [-config file] [-data file]", + " [-digest hexstring] [-policy oid] [-no_nonce] [-cert]", + " [-in file] [-out file] [-text]", + " or", + "ts -reply [-config file] [-section tsa_section]", + " [-queryfile file] [-passin password]", + " [-signer tsa_cert.pem] [-inkey private_key.pem]", + " [-chain certs_file.pem] [-policy oid]", + " [-in file] [-token_in] [-out file] [-token_out]", +#ifndef OPENSSL_NO_ENGINE + " [-text]", +#else + " [-text] [-engine id]", +#endif + " or", + "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem", + " [-data file] [-digest hexstring]", + " [-queryfile file] -in file [-token_in]", + NULL, +}; + +int ts_main(int argc, char **argv) { - int ret = 1; - char *configfile = NULL; - char *section = NULL; CONF *conf = NULL; - enum mode { - CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY - } mode = CMD_NONE; - char *data = NULL; - char *digest = NULL; + char *CAfile = NULL, *untrusted = NULL, *engine = NULL, *prog, **helpp; + char *configfile = NULL, *section = NULL, *password = NULL; + char *data = NULL, *digest = NULL, *rnd = NULL, *policy = NULL; + char *in = NULL, *out = 
NULL, *queryfile = NULL, *passin = NULL; + char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL; const EVP_MD *md = NULL; - char *rnd = NULL; - char *policy = NULL; - int no_nonce = 0; - int cert = 0; - char *in = NULL; - char *out = NULL; - int text = 0; - char *queryfile = NULL; - char *passin = NULL; /* Password source. */ - char *password = NULL; /* Password itself. */ - char *inkey = NULL; - char *signer = NULL; - char *chain = NULL; - char *ca_path = NULL; - char *ca_file = NULL; - char *untrusted = NULL; - char *engine = NULL; + OPTION_CHOICE o, mode = OPT_ERR; + int ret = 1, no_nonce = 0, cert = 0, text = 0; /* Input is ContentInfo instead of TimeStampResp. */ int token_in = 0; /* Output is ContentInfo instead of TimeStampResp. */ int token_out = 0; - int free_bio_err = 0; - ERR_load_crypto_strings(); - apps_startup(); - - if (bio_err == NULL && (bio_err = BIO_new(BIO_s_file())) != NULL) { - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - free_bio_err = 1; - } - - if (!load_config(bio_err, NULL)) - goto cleanup; - - for (argc--, argv++; argc > 0; argc--, argv++) { - if (strcmp(*argv, "-config") == 0) { - if (argc-- < 1) - goto usage; - configfile = *++argv; - } else if (strcmp(*argv, "-section") == 0) { - if (argc-- < 1) - goto usage; - section = *++argv; - } else if (strcmp(*argv, "-query") == 0) { - if (mode != CMD_NONE) - goto usage; - mode = CMD_QUERY; - } else if (strcmp(*argv, "-data") == 0) { - if (argc-- < 1) - goto usage; - data = *++argv; - } else if (strcmp(*argv, "-digest") == 0) { - if (argc-- < 1) - goto usage; - digest = *++argv; - } else if (strcmp(*argv, "-rand") == 0) { - if (argc-- < 1) - goto usage; - rnd = *++argv; - } else if (strcmp(*argv, "-policy") == 0) { - if (argc-- < 1) - goto usage; - policy = *++argv; - } else if (strcmp(*argv, "-no_nonce") == 0) { + prog = opt_init(argc, argv, ts_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + 
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ts_options); + for (helpp = opt_helplist; *helpp; ++helpp) + BIO_printf(bio_err, "%s\n", *helpp); + ret = 0; + goto end; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_SECTION: + section = opt_arg(); + break; + case OPT_QUERY: + case OPT_REPLY: + case OPT_VERIFY: + if (mode != OPT_ERR) + goto opthelp; + mode = o; + break; + case OPT_DATA: + data = opt_arg(); + break; + case OPT_DIGEST: + digest = opt_arg(); + break; + case OPT_RAND: + rnd = opt_arg(); + break; + case OPT_POLICY: + policy = opt_arg(); + break; + case OPT_NO_NONCE: no_nonce = 1; - } else if (strcmp(*argv, "-cert") == 0) { + break; + case OPT_CERT: cert = 1; - } else if (strcmp(*argv, "-in") == 0) { - if (argc-- < 1) - goto usage; - in = *++argv; - } else if (strcmp(*argv, "-token_in") == 0) { + break; + case OPT_IN: + in = opt_arg(); + break; + case OPT_TOKEN_IN: token_in = 1; - } else if (strcmp(*argv, "-out") == 0) { - if (argc-- < 1) - goto usage; - out = *++argv; - } else if (strcmp(*argv, "-token_out") == 0) { + break; + case OPT_OUT: + out = opt_arg(); + break; + case OPT_TOKEN_OUT: token_out = 1; - } else if (strcmp(*argv, "-text") == 0) { + break; + case OPT_TEXT: text = 1; - } else if (strcmp(*argv, "-reply") == 0) { - if (mode != CMD_NONE) - goto usage; - mode = CMD_REPLY; - } else if (strcmp(*argv, "-queryfile") == 0) { - if (argc-- < 1) - goto usage; - queryfile = *++argv; - } else if (strcmp(*argv, "-passin") == 0) { - if (argc-- < 1) - goto usage; - passin = *++argv; - } else if (strcmp(*argv, "-inkey") == 0) { - if (argc-- < 1) - goto usage; - inkey = *++argv; - } else if (strcmp(*argv, "-signer") == 0) { - if (argc-- < 1) - goto usage; - signer = *++argv; - } else if (strcmp(*argv, "-chain") == 0) { - if (argc-- < 1) - goto usage; - chain = *++argv; - } else if (strcmp(*argv, "-verify") == 0) { - if (mode != CMD_NONE) - goto usage; - mode = CMD_VERIFY; - } else if 
(strcmp(*argv, "-CApath") == 0) { - if (argc-- < 1) - goto usage; - ca_path = *++argv; - } else if (strcmp(*argv, "-CAfile") == 0) { - if (argc-- < 1) - goto usage; - ca_file = *++argv; - } else if (strcmp(*argv, "-untrusted") == 0) { - if (argc-- < 1) - goto usage; - untrusted = *++argv; - } else if (strcmp(*argv, "-engine") == 0) { - if (argc-- < 1) - goto usage; - engine = *++argv; - } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) { - /* empty. */ - } else - goto usage; + break; + case OPT_QUERYFILE: + queryfile = opt_arg(); + break; + case OPT_PASSIN: + passin = opt_arg(); + break; + case OPT_INKEY: + inkey = opt_arg(); + break; + case OPT_SIGNER: + signer = opt_arg(); + break; + case OPT_CHAIN: + chain = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_UNTRUSTED: + untrusted = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &md)) + goto opthelp; + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); + if (mode == OPT_ERR || argc != 0) + goto opthelp; /* Seed the random number generator if it is going to be used. */ - if (mode == CMD_QUERY && !no_nonce) { - if (!app_RAND_load_file(NULL, bio_err, 1) && rnd == NULL) + if (mode == OPT_QUERY && !no_nonce) { + if (!app_RAND_load_file(NULL, 1) && rnd == NULL) BIO_printf(bio_err, "warning, not much extra random " "data, consider using the -rand option\n"); if (rnd != NULL) 
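Review bot: The preprocessor test in `opt_helplist` is inverted: under `#ifndef OPENSSL_NO_ENGINE` the list prints `" [-text]"`, and the `#else` branch prints `" [-text] [-engine id]"`. Builds with engine support therefore hide `-engine` from the usage text, and builds without it advertise an option that `ts_options` does not register. Swapping the two strings, or changing the guard to `#ifdef OPENSSL_NO_ENGINE`, fixes it. In the same hunk, the `passin` and `signer` entries of `ts_options` have no help string, and the comment above the list misspells "command".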
@@ -277,95 +309,68 @@ int MAIN(int argc, char **argv) } /* Get the password if required. */ - if (mode == CMD_REPLY && passin && - !app_passwd(bio_err, passin, NULL, &password, NULL)) { + if (mode == OPT_REPLY && passin && + !app_passwd(passin, NULL, &password, NULL)) { BIO_printf(bio_err, "Error getting password.\n"); - goto cleanup; + goto end; } /* * Check consistency of parameters and execute the appropriate function. */ switch (mode) { - case CMD_NONE: - goto usage; - case CMD_QUERY: + default: + case OPT_ERR: + goto opthelp; + case OPT_QUERY: /* * Data file and message imprint cannot be specified at the same * time. */ ret = data != NULL && digest != NULL; if (ret) - goto usage; + goto opthelp; /* Load the config file for possible policy OIDs. */ conf = load_config_file(configfile); ret = !query_command(data, digest, md, policy, no_nonce, cert, in, out, text); break; - case CMD_REPLY: + case OPT_REPLY: conf = load_config_file(configfile); if (in == NULL) { ret = !(queryfile != NULL && conf != NULL && !token_in); if (ret) - goto usage; + goto opthelp; } else { /* 'in' and 'queryfile' are exclusive. */ ret = !(queryfile == NULL); if (ret) - goto usage; + goto opthelp; } - ret = !reply_command(conf, section, engine, queryfile, password, inkey, signer, chain, policy, in, token_in, out, token_out, text); break; - case CMD_VERIFY: + case OPT_VERIFY: ret = !(((queryfile && !data && !digest) || (!queryfile && data && !digest) || (!queryfile && !data && digest)) && in != NULL); if (ret) - goto usage; + goto opthelp; ret = !verify_command(data, digest, queryfile, in, token_in, - ca_path, ca_file, untrusted); + CApath, CAfile, untrusted); } - goto cleanup; - - usage: - BIO_printf(bio_err, "usage:\n" - "ts -query [-rand file%cfile%c...] 
[-config configfile] " - "[-data file_to_hash] [-digest digest_bytes]" - "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] " - "[-policy object_id] [-no_nonce] [-cert] " - "[-in request.tsq] [-out request.tsq] [-text]\n", - LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "or\n" - "ts -reply [-config configfile] [-section tsa_section] " - "[-queryfile request.tsq] [-passin password] " - "[-signer tsa_cert.pem] [-inkey private_key.pem] " - "[-chain certs_file.pem] [-policy object_id] " - "[-in response.tsr] [-token_in] " - "[-out response.tsr] [-token_out] [-text] [-engine id]\n"); - BIO_printf(bio_err, "or\n" - "ts -verify [-data file_to_hash] [-digest digest_bytes] " - "[-queryfile request.tsq] " - "-in response.tsr [-token_in] " - "-CApath ca_path -CAfile ca_file.pem " - "-untrusted cert_file.pem\n"); - cleanup: + end: /* Clean up. */ - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); NCONF_free(conf); OPENSSL_free(password); OBJ_cleanup(); - if (free_bio_err) { - BIO_free_all(bio_err); - bio_err = NULL; - } - OPENSSL_EXIT(ret); + return (ret); } /* @@ -418,7 +423,7 @@ static CONF *load_config_file(const char *configfile) } } else ERR_clear_error(); - if (!add_oid_section(bio_err, conf)) + if (!add_oid_section(conf)) ERR_print_errors(bio_err); } return conf; @@ -427,7 +432,6 @@ static CONF *load_config_file(const char *configfile) /* * Query-related method definitions. */ - static int query_command(const char *data, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert, const char *in, const char *out, int text) 
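Review bot: At the `end:` label the passphrase buffer filled by `app_passwd(passin, NULL, &password, NULL)` is released with a plain `OPENSSL_free(password);`, so the signing-key password stays readable in freed heap memory until the process exits. Wipe it before the free, e.g. `if (password != NULL) OPENSSL_cleanse(password, strlen(password));`. The function starts outside this hunk, so this assumes `password` is initialised to NULL, as the unconditional free suggests.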
@@ -444,20 +448,16 @@ static int query_command(const char *data, char *digest, const EVP_MD *md, goto end; query = d2i_TS_REQ_bio(in_bio, NULL); } else { - /* - * Open the file if no explicit digest bytes were specified. - */ - if (!digest && !(data_bio = BIO_open_with_default(data, "rb", stdin))) + /* Open the file if no explicit digest bytes were specified. */ + if (!digest && !(data_bio = bio_open_default(data, "rb"))) goto end; - /* Creating the query object. */ query = create_query(data_bio, digest, md, policy, no_nonce, cert); - /* Saving the random number generator state. */ } if (query == NULL) goto end; /* Write query either in ASN.1 or in text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) + if ((out_bio = bio_open_default(out, "wb")) == NULL) goto end; if (text) { /* Text output. */ @@ -483,13 +483,6 @@ static int query_command(const char *data, char *digest, const EVP_MD *md, return ret; } -static BIO *BIO_open_with_default(const char *file, const char *mode, - FILE *default_fp) -{ - return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE) - : BIO_new_file(file, mode); -} - static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md, const char *policy, int no_nonce, int cert) { @@ -686,7 +679,7 @@ static int reply_command(CONF *conf, char *section, char *engine, goto end; /* Write response either in ASN.1 or text format. */ - if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL) + if ((out_bio = bio_open_default(out, "wb")) == NULL) goto end; if (text) { /* Text output. */ @@ -771,8 +764,9 @@ static TS_RESP *read_PKCS7(BIO *in_bio) } static TS_RESP *create_response(CONF *conf, const char *section, char *engine, - char *queryfile, char *passin, char *inkey, - char *signer, char *chain, const char *policy) + char *queryfile, char *passin, + char *inkey, char *signer, char *chain, + const char *policy) { int ret = 0; TS_RESP *response = NULL; 
@@ -944,7 +938,7 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial) static int verify_command(char *data, char *digest, char *queryfile, char *in, int token_in, - char *ca_path, char *ca_file, char *untrusted) + char *CApath, char *CAfile, char *untrusted) { BIO *in_bio = NULL; PKCS7 *token = NULL; @@ -964,7 +958,7 @@ static int verify_command(char *data, char *digest, char *queryfile, } if (!(verify_ctx = create_verify_ctx(data, digest, queryfile, - ca_path, ca_file, untrusted))) + CApath, CAfile, untrusted))) goto end; /* Checking the token or response against the request. */ @@ -992,7 +986,7 @@ static int verify_command(char *data, char *digest, char *queryfile, static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, char *queryfile, - char *ca_path, char *ca_file, + char *CApath, char *CAfile, char *untrusted) { TS_VERIFY_CTX *ctx = NULL; @@ -1036,7 +1030,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, ctx->flags |= TS_VFY_SIGNATURE; /* Initialising the X509_STORE object. */ - if (!(ctx->store = create_cert_store(ca_path, ca_file))) + if (!(ctx->store = create_cert_store(CApath, CAfile))) goto err; /* Loading untrusted certificates. */ @@ -1054,7 +1048,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, return ctx; } -static X509_STORE *create_cert_store(char *ca_path, char *ca_file) +static X509_STORE *create_cert_store(char *CApath, char *CAfile) { X509_STORE *cert_ctx = NULL; X509_LOOKUP *lookup = NULL; 
@@ -1067,29 +1061,29 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file) X509_STORE_set_verify_cb(cert_ctx, verify_cb); /* Adding a trusted certificate directory source. */ - if (ca_path) { + if (CApath) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } - i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM); + i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); if (!i) { - BIO_printf(bio_err, "Error loading directory %s\n", ca_path); + BIO_printf(bio_err, "Error loading directory %s\n", CApath); goto err; } } /* Adding a trusted certificate file source. */ - if (ca_file) { + if (CAfile) { lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); if (lookup == NULL) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } - i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM); + i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM); if (!i) { - BIO_printf(bio_err, "Error loading file %s\n", ca_file); + BIO_printf(bio_err, "Error loading file %s\n", CAfile); goto err; } } @@ -1102,19 +1096,5 @@ static X509_STORE *create_cert_store(char *ca_path, char *ca_file) static int verify_cb(int ok, X509_STORE_CTX *ctx) { - /*- - char buf[256]; - - if (!ok) - { - X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), - buf, sizeof(buf)); - printf("%s\n", buf); - printf("error %d at %d depth lookup: %s\n", - ctx->error, ctx->error_depth, - X509_verify_cert_error_string(ctx->error)); - } - */ - return ok; } diff --git a/apps/verify.c b/apps/verify.c index e771be2..61e85ce 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -1,4 +1,3 @@ -/* apps/verify.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
@@ -66,209 +65,173 @@ #include #include -#undef PROG -#define PROG verify_main - static int cb(int ok, X509_STORE_CTX *ctx); static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, STACK_OF(X509_CRL) *crls, ENGINE *e, int show_chain); static int v_verbose = 0, vflags = 0; -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, OPT_TRUSTED, + OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, + OPT_V_ENUM, + OPT_VERBOSE +} OPTION_CHOICE; + +OPTIONS verify_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"verbose", OPT_VERBOSE, '-'}, + {"CApath", OPT_CAPATH, '/'}, + {"CAfile", OPT_CAFILE, '<'}, + {"untrusted", OPT_UNTRUSTED, '<'}, + {"trusted", OPT_TRUSTED, '<'}, + {"CRLfile", OPT_CRLFILE, '<'}, + {"crl_download", OPT_CRL_DOWNLOAD, '-'}, + {"show_chain", OPT_SHOW_CHAIN, '-'}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + OPT_V_OPTIONS, + {NULL} +}; -int MAIN(int argc, char **argv) +int verify_main(int argc, char **argv) { ENGINE *e = NULL; - int i, ret = 1, badarg = 0; - char *CApath = NULL, *CAfile = NULL; - char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; STACK_OF(X509) *untrusted = NULL, *trusted = NULL; STACK_OF(X509_CRL) *crls = NULL; - X509_STORE *cert_ctx = NULL; - X509_LOOKUP *lookup = NULL; + X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; - int crl_download = 0, show_chain = 0; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; -#endif + char *prog, *CApath = NULL, *CAfile = NULL, *engine = NULL; + char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; + int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1; + OPTION_CHOICE o; - cert_ctx = X509_STORE_new(); - if (cert_ctx == NULL) + if ((vpm = 
X509_VERIFY_PARAM_new()) == NULL) goto end; - X509_STORE_set_verify_cb(cert_ctx, cb); - - ERR_load_crypto_strings(); - - apps_startup(); - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (!load_config(bio_err, NULL)) - goto end; + prog = opt_init(argc, argv, verify_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(verify_options); + BIO_printf(bio_err, "Recognized usages:\n"); + for (i = 0; i < X509_PURPOSE_get_count(); i++) { + X509_PURPOSE *ptmp; + ptmp = X509_PURPOSE_get0(i); + BIO_printf(bio_err, "\t%-10s\t%s\n", + X509_PURPOSE_get0_sname(ptmp), + X509_PURPOSE_get0_name(ptmp)); + } - argc--; - argv++; - for (;;) { - if (argc >= 1) { - if (strcmp(*argv, "-CApath") == 0) { - if (argc-- < 1) - goto end; - CApath = *(++argv); - } else if (strcmp(*argv, "-CAfile") == 0) { - if (argc-- < 1) - goto end; - CAfile = *(++argv); - } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - if (badarg) - goto end; - continue; - } else if (strcmp(*argv, "-untrusted") == 0) { - if (argc-- < 1) - goto end; - untfile = *(++argv); - } else if (strcmp(*argv, "-trusted") == 0) { - if (argc-- < 1) - goto end; - trustfile = *(++argv); - } else if (strcmp(*argv, "-CRLfile") == 0) { - if (argc-- < 1) - goto end; - crlfile = *(++argv); - } else if (strcmp(*argv, "-crl_download") == 0) - crl_download = 1; - else if (strcmp(*argv, "-show_chain") == 0) - show_chain = 1; -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto end; - engine = *(++argv); + BIO_printf(bio_err, "Recognized verify names:\n"); + for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) { + const X509_VERIFY_PARAM *vptmp; + vptmp = X509_VERIFY_PARAM_get0(i); + BIO_printf(bio_err, "\t%-10s\n", + X509_VERIFY_PARAM_get0_name(vptmp)); } -#endif - 
else if (strcmp(*argv, "-help") == 0) - goto end; - else if (strcmp(*argv, "-verbose") == 0) - v_verbose = 1; - else if (argv[0][0] == '-') + ret = 0; + goto end; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) goto end; - else - break; - argc--; - argv++; - } else + vpmtouched++; + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_UNTRUSTED: + untfile = opt_arg(); + break; + case OPT_TRUSTED: + trustfile = opt_arg(); + break; + case OPT_CRLFILE: + crlfile = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: + crl_download = 1; break; + case OPT_SHOW_CHAIN: + show_chain = 1; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_VERBOSE: + v_verbose = 1; + break; + } } + argc = opt_num_rest(); + argv = opt_rest(); #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif + if (!(store = setup_verify(CAfile, CApath))) + goto end; + X509_STORE_set_verify_cb(store, cb); - if (vpm) - X509_STORE_set1_param(cert_ctx, vpm); - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); - if (lookup == NULL) - abort(); - if (CAfile) { - i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM); - if (!i) { - BIO_printf(bio_err, "Error loading file %s\n", CAfile); - ERR_print_errors(bio_err); - goto end; - } - } else - X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); - if (lookup == NULL) - abort(); - if (CApath) { - i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); - if (!i) { - BIO_printf(bio_err, "Error loading directory %s\n", CApath); - ERR_print_errors(bio_err); - goto end; - } - } else - X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); + if (vpmtouched) + X509_STORE_set1_param(store, vpm); ERR_clear_error(); if (untfile) { - untrusted = load_certs(bio_err, untfile, FORMAT_PEM, + untrusted = load_certs(untfile, FORMAT_PEM, NULL, e, "untrusted 
certificates"); if (!untrusted) goto end; } if (trustfile) { - trusted = load_certs(bio_err, trustfile, FORMAT_PEM, + trusted = load_certs(trustfile, FORMAT_PEM, NULL, e, "trusted certificates"); if (!trusted) goto end; } if (crlfile) { - crls = load_crls(bio_err, crlfile, FORMAT_PEM, NULL, e, "other CRLs"); + crls = load_crls(crlfile, FORMAT_PEM, NULL, e, "other CRLs"); if (!crls) goto end; } if (crl_download) - store_setup_crl_download(cert_ctx); + store_setup_crl_download(store); ret = 0; if (argc < 1) { - if (1 != - check(cert_ctx, NULL, untrusted, trusted, crls, e, show_chain)) + if (check(store, NULL, untrusted, trusted, crls, e, show_chain) != 1) ret = -1; } else { for (i = 0; i < argc; i++) - if (1 != - check(cert_ctx, argv[i], untrusted, trusted, crls, e, - show_chain)) + if (check(store, argv[i], untrusted, trusted, crls, e, + show_chain) != 1) ret = -1; } end: - if (ret == 1) { - BIO_printf(bio_err, - "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check] [-no_alt_chains]"); -#ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err, " [-engine e]"); -#endif - BIO_printf(bio_err, " cert1 cert2 ...\n"); - - BIO_printf(bio_err, "recognized usages:\n"); - for (i = 0; i < X509_PURPOSE_get_count(); i++) { - X509_PURPOSE *ptmp; - ptmp = X509_PURPOSE_get0(i); - BIO_printf(bio_err, "\t%-10s\t%s\n", - X509_PURPOSE_get0_sname(ptmp), - X509_PURPOSE_get0_name(ptmp)); - } - - BIO_printf(bio_err, "recognized verify names:\n"); - for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) { - const X509_VERIFY_PARAM *vptmp; - vptmp = X509_VERIFY_PARAM_get0(i); - BIO_printf(bio_err, "\t%-10s\n", - X509_VERIFY_PARAM_get0_name(vptmp)); - } - - } if (vpm) X509_VERIFY_PARAM_free(vpm); - if (cert_ctx != NULL) - X509_STORE_free(cert_ctx); + if (store != NULL) + X509_STORE_free(store); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); sk_X509_CRL_pop_free(crls, X509_CRL_free); - apps_shutdown(); - OPENSSL_EXIT(ret < 0 
? 2 : ret); + return (ret < 0 ? 2 : ret); } static int check(X509_STORE *ctx, char *file, @@ -280,10 +243,10 @@ static int check(X509_STORE *ctx, char *file, X509_STORE_CTX *csc; STACK_OF(X509) *chain = NULL; - x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file"); + x = load_cert(file, FORMAT_PEM, NULL, e, "certificate file"); if (x == NULL) goto end; - fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file); + printf("%s: ", (file == NULL) ? "stdin" : file); csc = X509_STORE_CTX_new(); if (csc == NULL) { @@ -307,7 +270,7 @@ static int check(X509_STORE *ctx, char *file, ret = 0; end: if (i > 0) { - fprintf(stdout, "OK\n"); + printf("OK\n"); ret = 1; } else ERR_print_errors(bio_err); @@ -348,7 +311,7 @@ static int cb(int ok, X509_STORE_CTX *ctx) X509_verify_cert_error_string(cert_error)); switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(NULL, ctx); + policies_print(bio_err, ctx); case X509_V_ERR_CERT_HAS_EXPIRED: /* @@ -373,7 +336,7 @@ static int cb(int ok, X509_STORE_CTX *ctx) } if (cert_error == X509_V_OK && ok == 2) - policies_print(NULL, ctx); + policies_print(bio_out, ctx); if (!v_verbose) ERR_clear_error(); return (ok); diff --git a/apps/version.c b/apps/version.c index 8807d4c..1fa7cfe 100644 --- a/apps/version.c +++ b/apps/version.c @@ -1,4 +1,3 @@ -/* apps/version.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
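Review bot: The result of `X509_STORE_set1_param(store, vpm)` in verify_main is discarded, so if copying the parameters fails the certificates are still checked, but without the purpose, CRL or policy flags given on the command line. Treat the failure as fatal with `if (vpmtouched && !X509_STORE_set1_param(store, vpm)) goto end;`, since `ret` is still 1 at that point. Separately, the explicit `X509_FILETYPE_DEFAULT` lookups for a missing -CAfile or -CApath are replaced by `setup_verify(CAfile, CApath)`, whose body is not in this hunk. It is worth confirming that the helper still falls back to the default trust locations and reports load failures.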
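Review bot: In cb, the changed `policies_print(bio_err, ctx);` line under `case X509_V_ERR_NO_EXPLICIT_POLICY:` runs straight into `case X509_V_ERR_CERT_HAS_EXPIRED:` with no `break` and no marker. If the shared arm further down accepts the error, a missing explicit policy is accepted along with it, so the intent should be written down, e.g. `/* fall through: handled like the tolerated errors below */` after the call. The rest of the switch and the function body lie outside this hunk, so what the shared arm does needs to be confirmed there.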
@@ -132,45 +131,66 @@ # include #endif -#undef PROG -#define PROG version_main +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_B, OPT_D, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A +} OPTION_CHOICE; -int MAIN(int, char **); +OPTIONS version_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"a", OPT_A, '-', "Show all data"}, + {"b", OPT_B, '-', "Show build date"}, + {"d", OPT_D, '-', "Show configuration directory"}, + {"f", OPT_F, '-', "Show compiler flags used"}, + {"o", OPT_O, '-', "Show some internal datatype options"}, + {"p", OPT_P, '-', "Show target build platform"}, + {"v", OPT_V, '-', "Show library version"}, + {NULL} +}; -int MAIN(int argc, char **argv) +int version_main(int argc, char **argv) { - int i, ret = 0; + int ret = 1, dirty = 0; int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; + char *prog; + OPTION_CHOICE o; - apps_startup(); - - if (bio_err == NULL) - if ((bio_err = BIO_new(BIO_s_file())) != NULL) - BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT); - - if (argc == 1) - version = 1; - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-v") == 0) - version = 1; - else if (strcmp(argv[i], "-b") == 0) - date = 1; - else if (strcmp(argv[i], "-f") == 0) - cflags = 1; - else if (strcmp(argv[i], "-o") == 0) - options = 1; - else if (strcmp(argv[i], "-p") == 0) - platform = 1; - else if (strcmp(argv[i], "-d") == 0) - dir = 1; - else if (strcmp(argv[i], "-a") == 0) - date = version = cflags = options = platform = dir = 1; - else { - BIO_printf(bio_err, "usage:version -[avbofpd]\n"); - ret = 1; + prog = opt_init(argc, argv, version_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; + case OPT_HELP: + opt_help(version_options); + ret = 0; + goto end; + case OPT_B: + dirty = date = 1; + break; + case OPT_D: + dirty = dir = 1; + break; + case OPT_F: + dirty = cflags = 1; + 
break; + case OPT_O: + dirty = options = 1; + break; + case OPT_P: + dirty = platform = 1; + break; + case OPT_V: + dirty = version = 1; + break; + case OPT_A: + cflags = version = date = platform = dir = 1; + break; } } + if (!dirty) + version = 1; if (version) { if (SSLeay() == SSLEAY_VERSION_NUMBER) { @@ -208,7 +228,7 @@ int MAIN(int argc, char **argv) printf("%s\n", SSLeay_version(SSLEAY_CFLAGS)); if (dir) printf("%s\n", SSLeay_version(SSLEAY_DIR)); + ret = 0; end: - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c index 3b6de11..3c953aa 100644 --- a/apps/vms_decc_init.c +++ b/apps/vms_decc_init.c 
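Review bot: `case OPT_A` in version_main sets `cflags = version = date = platform = dir = 1;` and leaves out `options`, although the removed code set all six flags. As a result `-a` ("Show all data") presumably no longer prints the datatype-options line that `-o` selects. Restore it with `options = cflags = version = date = platform = dir = 1;`. The case also does not set `dirty`; that is harmless here because the `!dirty` fallback only turns on `version`, but setting it would keep the cases uniform.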
@@ -1,3 +1,55 @@ +/* + * Written by sms and contributed to the OpenSSL project. + */ +/* ==================================================================== + * Copyright (c) 2010 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + #if defined( __VMS) && !defined( OPENSSL_NO_DECC_INIT) && \ defined( __DECC) && !defined( __VAX) && (__CRTL_VER >= 70301000) # define USE_DECC_INIT 1 @@ -5,17 +57,11 @@ #ifdef USE_DECC_INIT -/*- - * 2010-04-26 SMS. - * - *---------------------------------------------------------------------- - * - * decc_init() - * - * On non-VAX systems, uses LIB$INITIALIZE to set a collection of C - * RTL features without using the DECC$* logical name method. - * - *---------------------------------------------------------------------- +/* + * ---------------------------------------------------------------------- + * decc_init() On non-VAX systems, uses LIB$INITIALIZE to set a collection + * of C RTL features without using the DECC$* logical name method. + * ---------------------------------------------------------------------- */ # include 
@@ -57,6 +103,42 @@ decc_feat_t decc_feat_array[] = { {(char *)NULL, 0} }; +char **copy_argv(int *argc, char *argv[]) +{ + /*- + * The note below is for historical purpose. On VMS now we always + * copy argv "safely." + * + * 2011-03-22 SMS. + * If we have 32-bit pointers everywhere, then we're safe, and + * we bypass this mess, as on non-VMS systems. + * Problem 1: Compaq/HP C before V7.3 always used 32-bit + * pointers for argv[]. + * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers + * everywhere else, we always allocate and use a 64-bit + * duplicate of argv[]. + * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed + * to NULL-terminate a 64-bit argv[]. (As this was written, the + * compiler ECO was available only on IA64.) + * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a + * 64-bit argv[argc] for NULL, and, if necessary, use a + * (properly) NULL-terminated (64-bit) duplicate of argv[]. + * The same code is used in either case to duplicate argv[]. + * Some of these decisions could be handled in preprocessing, + * but the code tends to get even uglier, and the penalty for + * deciding at compile- or run-time is tiny. + */ + + int i, count = *argc; + char **newargv = (char **)OPENSSL_malloc((count + 1) * sizeof *newargv); + + for (i = 0; i < count; i++) + newargv[i] = argv[i]; + newargv[i] = NULL; + *argc = i; + return newargv; +} + /* LIB$INITIALIZE initialization function. */ static void decc_init(void) diff --git a/apps/winrand.c b/apps/winrand.c index 44f57a3..a5fe791 100644 --- a/apps/winrand.c +++ b/apps/winrand.c @@ -1,4 +1,3 @@ -/* apps/winrand.c */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * diff --git a/apps/x509.c b/apps/x509.c index 380f0f0..903e6b9 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1,4 +1,3 @@ -/* apps/x509.c */ /* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com) * All rights reserved. * 
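Review bot: copy_argv writes through `newargv` without checking the result of `OPENSSL_malloc`, so an allocation failure becomes a NULL-pointer write on the first loop iteration, or at `newargv[i] = NULL` when `count` is 0. Add `if (newargv == NULL) return NULL;` directly after the allocation and have the callers, which are not in this hunk, treat a NULL return as fatal. The `(char **)` cast on the allocation result is unnecessary in C and can be dropped.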
@@ -77,82 +76,10 @@ # include #endif -#undef PROG -#define PROG x509_main - #undef POSTFIX #define POSTFIX ".srl" #define DEF_DAYS 30 -static const char *x509_usage[] = { - "usage: x509 args\n", - " -inform arg - input format - default PEM (one of DER, NET or PEM)\n", - " -outform arg - output format - default PEM (one of DER, NET or PEM)\n", - " -keyform arg - private key format - default PEM\n", - " -CAform arg - CA format - default PEM\n", - " -CAkeyform arg - CA key format - default PEM\n", - " -in arg - input file - default stdin\n", - " -out arg - output file - default stdout\n", - " -passin arg - private key password source\n", - " -serial - print serial number value\n", - " -subject_hash - print subject hash value\n", -#ifndef OPENSSL_NO_MD5 - " -subject_hash_old - print old-style (MD5) subject hash value\n", -#endif - " -issuer_hash - print issuer hash value\n", -#ifndef OPENSSL_NO_MD5 - " -issuer_hash_old - print old-style (MD5) issuer hash value\n", -#endif - " -hash - synonym for -subject_hash\n", - " -subject - print subject DN\n", - " -issuer - print issuer DN\n", - " -email - print email address(es)\n", - " -startdate - notBefore field\n", - " -enddate - notAfter field\n", - " -purpose - print out certificate purposes\n", - " -dates - both Before and After dates\n", - " -modulus - print the RSA key modulus\n", - " -pubkey - output the public key\n", - " -fingerprint - print the certificate fingerprint\n", - " -alias - output certificate alias\n", - " -noout - no certificate output\n", - " -ocspid - print OCSP hash values for the subject name and public key\n", - " -ocsp_uri - print OCSP Responder URL(s)\n", - " -trustout - output a \"trusted\" certificate\n", - " -clrtrust - clear all trusted purposes\n", - " -clrreject - clear all rejected purposes\n", - " -addtrust arg - trust certificate for a given purpose\n", - " -addreject arg - reject certificate for a given purpose\n", - " -setalias arg - set certificate alias\n", - " -days arg - How long 
till expiry of a signed certificate - def 30 days\n", - " -checkend arg - check whether the cert expires in the next arg seconds\n", - " exit 1 if so, 0 if not\n", - " -signkey arg - self sign cert with arg\n", - " -x509toreq - output a certification request object\n", - " -req - input is a certificate request, sign and output.\n", - " -CA arg - set the CA certificate, must be PEM format.\n", - " -CAkey arg - set the CA key, must be PEM format\n", - " missing, it is assumed to be in the CA file.\n", - " -CAcreateserial - create serial number file if it does not exist\n", - " -CAserial arg - serial file\n", - " -set_serial - serial number to use\n", - " -text - print the certificate in text form\n", - " -C - print out C code forms\n", - " -md2/-md5/-sha1/-mdc2 - digest to use\n", - " -extfile - configuration file with X509V3 extensions to add\n", - " -extensions - section from config file with X509V3 extensions to add\n", - " -clrext - delete extensions before signing and input certificate\n", - " -nameopt arg - various certificate name options\n", -#ifndef OPENSSL_NO_ENGINE - " -engine e - use engine e, possibly a hardware device.\n", -#endif - " -certopt arg - various certificate text options\n", - " -checkhost host - check certificate matches \"host\"\n", - " -checkemail email - check certificate matches \"email\"\n", - " -checkip ipaddr - check certificate matches \"ipaddr\"\n", - NULL -}; - static int callb(int ok, X509_STORE_CTX *ctx); static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section); 
@@ -160,347 +87,425 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, X509 *x, X509 *xca, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *sigopts, char *serial, int create, int days, int clrext, CONF *conf, - char *section, ASN1_INTEGER *sno); + char *section, ASN1_INTEGER *sno, int reqfile); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); -static int reqfile = 0; + #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL static int force_version = 2; #endif -int MAIN(int, char **); +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, + OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, + OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, + OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY, + OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, + OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, + OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH, + OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES, + OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, + OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, + OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, +#ifndef OPENSSL_NO_MD5 + OPT_SUBJECT_HASH_OLD, + OPT_ISSUER_HASH_OLD, +#endif +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + OPT_FORCE_VERSION, +#endif + OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT +} OPTION_CHOICE; + +OPTIONS x509_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', + "Input format - default PEM (one of DER, NET or PEM)"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"outform", OPT_OUTFORM, 'f', + "Output format - default PEM (one of DER, NET or PEM)"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, + {"passin", OPT_PASSIN, 's', "Private 
key password source"}, + {"serial", OPT_SERIAL, '-', "Print serial number value"}, + {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, + {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, +#ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, +#endif + {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, + {"subject", OPT_SUBJECT, '-', "Print subject DN"}, + {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, + {"email", OPT_EMAIL, '-', "Print email address(es)"}, + {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, + {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, + {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, + {"dates", OPT_DATES, '-', "Both Before and After dates"}, + {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, + {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, + {"fingerprint", OPT_FINGERPRINT, '-', + "Print the certificate fingerprint"}, + {"alias", OPT_ALIAS, '-', "Output certificate alias"}, + {"noout", OPT_NOOUT, '-', "No output, just status"}, + {"nocert", OPT_NOCERT, '-', "No certificate output"}, + {"ocspid", OPT_OCSPID, '-', + "Print OCSP hash values for the subject name and public key"}, + {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, + {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, + {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, + {"clrext", OPT_CLREXT, '-', "Clear all rejected purposes"}, + {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, + {"addreject", OPT_ADDREJECT, 's', + "Reject certificate for a given purpose"}, + {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, + {"days", OPT_DAYS, 'n', + "How long till expiry of a signed certificate - def 30 days"}, + {"checkend", OPT_CHECKEND, 'p', + "Check whether the cert expires in the 
next arg seconds"}, + {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, + {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"}, + {"x509toreq", OPT_X509TOREQ, '-', + "Output a certification request object"}, + {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, + {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, + {"CAkey", OPT_CAKEY, '<', + "The CA key, must be PEM format; if not in CAfile"}, + {"CAcreateserial", OPT_CACREATESERIAL, '-', + "Create serial number file if it does not exist"}, + {"CAserial", OPT_CASERIAL, '<', "Serial file"}, + {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, + {"text", OPT_TEXT, '-', "Print the certificate in text form"}, + {"C", OPT_C, '-', "Print out C code forms"}, + {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, + {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, + {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, + {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, + {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, + {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, + {"CAkeyform", OPT_CAKEYFORM, 'F', "CA key format - default PEM"}, + {"sigopt", OPT_SIGOPT, 's'}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<'}, + {"next_serial", OPT_NEXT_SERIAL, '-'}, + {"clrreject", OPT_CLRREJECT, '-'}, + {"badsig", OPT_BADSIG, '-'}, + {"", OPT_MD, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif +#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL + {"force_version", OPT_FORCE_VERSION, 'p'}, +#endif + {NULL} +}; -int MAIN(int argc, char **argv) +int x509_main(int argc, char **argv) { - ENGINE *e = NULL; - int ret = 1; - X509_REQ *req = NULL; - X509 *x = NULL, *xca = NULL; - 
ASN1_OBJECT *objtmp; - STACK_OF(OPENSSL_STRING) *sigopts = NULL; - EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; ASN1_INTEGER *sno = NULL; - int i, num, badops = 0, badsig = 0; + ASN1_OBJECT *objtmp; BIO *out = NULL; - BIO *STDout = NULL; + CONF *extconf = NULL; + EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; - int informat, outformat, keyformat, CAformat, CAkeyformat; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; + X509 *x = NULL, *xca = NULL; + X509_REQ *req = NULL, *rq = NULL; + X509_STORE *ctx = NULL; + const EVP_MD *digest = NULL; + char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; + char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; + char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; - char *CAkeyfile = NULL, *CAserial = NULL; - char *fkeyfile = NULL; - char *alias = NULL; + char buf[256]; + char *engine = NULL, *prog; + int C = 0, x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = + 0; + int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; + int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = + 0, checkoffset = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; + int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; + int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; + int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0, enddate = 0; - int next_serial = 0; - int subject_hash = 0, issuer_hash = 0, ocspid = 0; -#ifndef OPENSSL_NO_MD5 - int subject_hash_old = 0, issuer_hash_old = 0; -#endif - int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; - int ocsp_uri = 0; - int trustout = 0, clrtrust = 0, clrreject = 
0, aliasout = 0, clrext = 0; - int C = 0; - int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0; - int pprint = 0; - const char **pp; - X509_STORE *ctx = NULL; - X509_REQ *rq = NULL; - int fingerprint = 0; - char buf[256]; - const EVP_MD *md_alg, *digest = NULL; - CONF *extconf = NULL; - char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL; - int need_rand = 0; - int checkend = 0, checkoffset = 0; unsigned long nmflag = 0, certflag = 0; - char *checkhost = NULL; - char *checkemail = NULL; - char *checkip = NULL; + OPTION_CHOICE o; #ifndef OPENSSL_NO_ENGINE - char *engine = NULL; + ENGINE *e = NULL; #endif - - reqfile = 0; - - apps_startup(); - - if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); - - if (!load_config(bio_err, NULL)) - goto end; - STDout = BIO_new_fp(stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - STDout = BIO_push(tmpbio, STDout); - } +#ifndef OPENSSL_NO_MD5 + int subject_hash_old = 0, issuer_hash_old = 0; #endif - informat = FORMAT_PEM; - outformat = FORMAT_PEM; - keyformat = FORMAT_PEM; - CAformat = FORMAT_PEM; - CAkeyformat = FORMAT_PEM; - ctx = X509_STORE_new(); if (ctx == NULL) goto end; X509_STORE_set_verify_cb(ctx, callb); - argc--; - argv++; - num = 0; - while (argc >= 1) { - if (strcmp(*argv, "-inform") == 0) { - if (--argc < 1) - goto bad; - informat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-outform") == 0) { - if (--argc < 1) - goto bad; - outformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-keyform") == 0) { - if (--argc < 1) - goto bad; - keyformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-req") == 0) { - reqfile = 1; - need_rand = 1; - } else if (strcmp(*argv, "-CAform") == 0) { - if (--argc < 1) - goto bad; - CAformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-CAkeyform") == 0) { - if (--argc < 1) - goto bad; - CAkeyformat = str2fmt(*(++argv)); - } else if (strcmp(*argv, "-sigopt") == 0) { - if (--argc < 1) - 
goto bad; + prog = opt_init(argc, argv, x509_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(x509_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) + goto opthelp; + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) + goto opthelp; + break; + case OPT_CAFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat)) + goto opthelp; + break; + case OPT_CAKEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_REQ: + reqfile = need_rand = 1; + break; + + case OPT_SIGOPT: if (!sigopts) sigopts = sk_OPENSSL_STRING_new_null(); - if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) - goto bad; - } + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; #ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - else if (strcmp(*argv, "-force_version") == 0) { - if (--argc < 1) - goto bad; - force_version = atoi(*(++argv)) - 1; - } + case OPT_FORCE_VERSION: + force_version = atoi(opt_arg()) - 1; + break; #endif - else if (strcmp(*argv, "-days") == 0) { - if (--argc < 1) - goto bad; - days = atoi(*(++argv)); - if (days == 0) { - BIO_printf(bio_err, "bad number of days\n"); - goto bad; - } - } else if (strcmp(*argv, "-passin") == 0) { - if (--argc < 1) - goto bad; - passargin = *(++argv); - } else if (strcmp(*argv, "-extfile") == 0) { - if (--argc < 1) - goto bad; - extfile = *(++argv); - } else if (strcmp(*argv, "-extensions") == 0) { - if (--argc < 1) - goto bad; - extsect = *(++argv); - } else if (strcmp(*argv, "-in") == 0) { - if (--argc < 1) - goto bad; - infile 
= *(++argv); - } else if (strcmp(*argv, "-out") == 0) { - if (--argc < 1) - goto bad; - outfile = *(++argv); - } else if (strcmp(*argv, "-signkey") == 0) { - if (--argc < 1) - goto bad; - keyfile = *(++argv); + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_EXTFILE: + extfile = opt_arg(); + break; + case OPT_EXTENSIONS: + extsect = opt_arg(); + break; + case OPT_SIGNKEY: + keyfile = opt_arg(); sign_flag = ++num; need_rand = 1; - } else if (strcmp(*argv, "-CA") == 0) { - if (--argc < 1) - goto bad; - CAfile = *(++argv); + break; + case OPT_CA: + CAfile = opt_arg(); CA_flag = ++num; need_rand = 1; - } else if (strcmp(*argv, "-CAkey") == 0) { - if (--argc < 1) - goto bad; - CAkeyfile = *(++argv); - } else if (strcmp(*argv, "-CAserial") == 0) { - if (--argc < 1) - goto bad; - CAserial = *(++argv); - } else if (strcmp(*argv, "-set_serial") == 0) { - if (--argc < 1) - goto bad; - if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv)))) - goto bad; - } else if (strcmp(*argv, "-force_pubkey") == 0) { - if (--argc < 1) - goto bad; - fkeyfile = *(++argv); - } else if (strcmp(*argv, "-addtrust") == 0) { - if (--argc < 1) - goto bad; - if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { - BIO_printf(bio_err, "Invalid trust object value %s\n", *argv); - goto bad; + break; + case OPT_CAKEY: + CAkeyfile = opt_arg(); + break; + case OPT_CASERIAL: + CAserial = opt_arg(); + break; + case OPT_SET_SERIAL: + if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) + goto opthelp; + break; + case OPT_FORCE_PUBKEY: + fkeyfile = opt_arg(); + break; + case OPT_ADDTRUST: + if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { + BIO_printf(bio_err, + "%s: Invalid trust object value %s\n", + prog, opt_arg()); + goto opthelp; } - if (!trust) - trust = sk_ASN1_OBJECT_new_null(); + if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; sk_ASN1_OBJECT_push(trust, objtmp); trustout = 1; - } else if (strcmp(*argv, "-addreject") 
== 0) { - if (--argc < 1) - goto bad; - if (!(objtmp = OBJ_txt2obj(*(++argv), 0))) { + break; + case OPT_ADDREJECT: + if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { BIO_printf(bio_err, - "Invalid reject object value %s\n", *argv); - goto bad; + "%s: Invalid reject object value %s\n", + prog, opt_arg()); + goto opthelp; } - if (!reject) - reject = sk_ASN1_OBJECT_new_null(); + if (reject == NULL + && (reject = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; sk_ASN1_OBJECT_push(reject, objtmp); trustout = 1; - } else if (strcmp(*argv, "-setalias") == 0) { - if (--argc < 1) - goto bad; - alias = *(++argv); + break; + case OPT_SETALIAS: + alias = opt_arg(); trustout = 1; - } else if (strcmp(*argv, "-certopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_cert_ex(&certflag, *(++argv))) - goto bad; - } else if (strcmp(*argv, "-nameopt") == 0) { - if (--argc < 1) - goto bad; - if (!set_name_ex(&nmflag, *(++argv))) - goto bad; - } -#ifndef OPENSSL_NO_ENGINE - else if (strcmp(*argv, "-engine") == 0) { - if (--argc < 1) - goto bad; - engine = *(++argv); - } -#endif - else if (strcmp(*argv, "-C") == 0) + break; + case OPT_CERTOPT: + if (!set_cert_ex(&certflag, opt_arg())) + goto opthelp; + break; + case OPT_NAMEOPT: + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_C: C = ++num; - else if (strcmp(*argv, "-email") == 0) + break; + case OPT_EMAIL: email = ++num; - else if (strcmp(*argv, "-ocsp_uri") == 0) + break; + case OPT_OCSP_URI: ocsp_uri = ++num; - else if (strcmp(*argv, "-serial") == 0) + break; + case OPT_SERIAL: serial = ++num; - else if (strcmp(*argv, "-next_serial") == 0) + break; + case OPT_NEXT_SERIAL: next_serial = ++num; - else if (strcmp(*argv, "-modulus") == 0) + break; + case OPT_MODULUS: modulus = ++num; - else if (strcmp(*argv, "-pubkey") == 0) + break; + case OPT_PUBKEY: pubkey = ++num; - else if (strcmp(*argv, "-x509toreq") == 0) + break; + case OPT_X509TOREQ: x509req = 
++num; - else if (strcmp(*argv, "-text") == 0) + break; + case OPT_TEXT: text = ++num; - else if (strcmp(*argv, "-hash") == 0 - || strcmp(*argv, "-subject_hash") == 0) - subject_hash = ++num; -#ifndef OPENSSL_NO_MD5 - else if (strcmp(*argv, "-subject_hash_old") == 0) - subject_hash_old = ++num; -#endif - else if (strcmp(*argv, "-issuer_hash") == 0) - issuer_hash = ++num; -#ifndef OPENSSL_NO_MD5 - else if (strcmp(*argv, "-issuer_hash_old") == 0) - issuer_hash_old = ++num; -#endif - else if (strcmp(*argv, "-subject") == 0) + break; + case OPT_SUBJECT: subject = ++num; - else if (strcmp(*argv, "-issuer") == 0) + break; + case OPT_ISSUER: issuer = ++num; - else if (strcmp(*argv, "-fingerprint") == 0) + break; + case OPT_FINGERPRINT: fingerprint = ++num; - else if (strcmp(*argv, "-dates") == 0) { - startdate = ++num; - enddate = ++num; - } else if (strcmp(*argv, "-purpose") == 0) + break; + case OPT_HASH: + subject_hash = ++num; + break; + case OPT_ISSUER_HASH: + issuer_hash = ++num; + break; + case OPT_PURPOSE: pprint = ++num; - else if (strcmp(*argv, "-startdate") == 0) + break; + case OPT_STARTDATE: startdate = ++num; - else if (strcmp(*argv, "-enddate") == 0) + break; + case OPT_ENDDATE: enddate = ++num; - else if (strcmp(*argv, "-checkend") == 0) { - if (--argc < 1) - goto bad; - checkoffset = atoi(*(++argv)); - checkend = 1; - } else if (strcmp(*argv, "-checkhost") == 0) { - if (--argc < 1) - goto bad; - checkhost = *(++argv); - } else if (strcmp(*argv, "-checkemail") == 0) { - if (--argc < 1) - goto bad; - checkemail = *(++argv); - } else if (strcmp(*argv, "-checkip") == 0) { - if (--argc < 1) - goto bad; - checkip = *(++argv); - } else if (strcmp(*argv, "-noout") == 0) + break; + case OPT_NOOUT: noout = ++num; - else if (strcmp(*argv, "-trustout") == 0) + break; + case OPT_NOCERT: + nocert = 1; + break; + case OPT_TRUSTOUT: trustout = 1; - else if (strcmp(*argv, "-clrtrust") == 0) + break; + case OPT_CLRTRUST: clrtrust = ++num; - else if (strcmp(*argv, 
"-clrreject") == 0) + break; + case OPT_CLRREJECT: clrreject = ++num; - else if (strcmp(*argv, "-alias") == 0) + break; + case OPT_ALIAS: aliasout = ++num; - else if (strcmp(*argv, "-CAcreateserial") == 0) + break; + case OPT_CACREATESERIAL: CA_createserial = ++num; - else if (strcmp(*argv, "-clrext") == 0) + break; + case OPT_CLREXT: clrext = 1; - else if (strcmp(*argv, "-ocspid") == 0) + break; + case OPT_OCSPID: ocspid = ++num; - else if (strcmp(*argv, "-badsig") == 0) + break; + case OPT_BADSIG: badsig = 1; - else if ((md_alg = EVP_get_digestbyname(*argv + 1))) { - /* ok */ - digest = md_alg; - } else { - BIO_printf(bio_err, "unknown option %s\n", *argv); - badops = 1; break; +#ifndef OPENSSL_NO_MD5 + case OPT_SUBJECT_HASH_OLD: + subject_hash_old = ++num; + break; + case OPT_ISSUER_HASH_OLD: + issuer_hash_old = ++num; + break; +#endif + case OPT_DATES: + startdate = ++num; + enddate = ++num; + break; + case OPT_CHECKEND: + checkoffset = atoi(opt_arg()); + checkend = 1; + break; + case OPT_CHECKHOST: + checkhost = opt_arg(); + break; + case OPT_CHECKEMAIL: + checkemail = opt_arg(); + break; + case OPT_CHECKIP: + checkip = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &digest)) + goto opthelp; } - argc--; - argv++; + } + argc = opt_num_rest(); + argv = opt_rest(); + if (argc != 0) { + BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]); + goto opthelp; } - if (badops) { - bad: - for (pp = x509_usage; (*pp != NULL); pp++) - BIO_printf(bio_err, "%s", *pp); + out = bio_open_default(outfile, "w"); + if (out == NULL) goto end; - } + #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + e = setup_engine(engine, 0); #endif if (need_rand) - app_RAND_load_file(NULL, bio_err, 0); - - ERR_load_crypto_strings(); + app_RAND_load_file(NULL, 0); - if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } 
@@ -511,8 +516,7 @@ int MAIN(int argc, char **argv) } if (fkeyfile) { - fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0, - NULL, e, "Forced key"); + fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key"); if (fkey == NULL) goto end; } @@ -564,21 +568,9 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "We need a private key to sign with\n"); goto end; } - in = BIO_new(BIO_s_file()); - if (in == NULL) { - ERR_print_errors(bio_err); + in = bio_open_default(infile, "r"); + if (in == NULL) goto end; - } - - if (infile == NULL) - BIO_set_fp(in, stdin, BIO_NOCLOSE | BIO_FP_TEXT); - else { - if (BIO_read_filename(in, infile) <= 0) { - perror(infile); - BIO_free(in); - goto end; - } - } req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); BIO_free(in); @@ -646,12 +638,12 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(pkey); } } else - x = load_cert(bio_err, infile, informat, NULL, e, "Certificate"); + x = load_cert(infile, informat, NULL, e, "Certificate"); if (x == NULL) goto end; if (CA_flag) { - xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate"); + xca = load_cert(CAfile, CAformat, NULL, e, "CA Certificate"); if (xca == NULL) goto end; } @@ -659,25 +651,6 @@ int MAIN(int argc, char **argv) if (!noout || text || next_serial) { OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); - out = BIO_new(BIO_s_file()); - if (out == NULL) { - ERR_print_errors(bio_err); - goto end; - } - if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); -#ifdef OPENSSL_SYS_VMS - { - BIO *tmpbio = BIO_new(BIO_f_linebuffer()); - out = BIO_push(tmpbio, out); - } -#endif - } else { - if (BIO_write_filename(out, outfile) <= 0) { - perror(outfile); - goto end; - } - } } if (alias) 
@@ -705,15 +678,14 @@ int MAIN(int argc, char **argv) if (num) { for (i = 1; i <= num; i++) { if (issuer == i) { - print_name(STDout, "issuer= ", - X509_get_issuer_name(x), nmflag); + print_name(out, "issuer= ", X509_get_issuer_name(x), nmflag); } else if (subject == i) { - print_name(STDout, "subject= ", + print_name(out, "subject= ", X509_get_subject_name(x), nmflag); } else if (serial == i) { - BIO_printf(STDout, "serial="); - i2a_ASN1_INTEGER(STDout, X509_get_serialNumber(x)); - BIO_printf(STDout, "\n"); + BIO_printf(out, "serial="); + i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); + BIO_printf(out, "\n"); } else if (next_serial == i) { BIGNUM *bnser; ASN1_INTEGER *ser; 
@@ -738,39 +710,39 @@ int MAIN(int argc, char **argv) else emlst = X509_get1_ocsp(x); for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) - BIO_printf(STDout, "%s\n", + BIO_printf(out, "%s\n", sk_OPENSSL_STRING_value(emlst, j)); X509_email_free(emlst); } else if (aliasout == i) { unsigned char *alstr; alstr = X509_alias_get0(x, NULL); if (alstr) - BIO_printf(STDout, "%s\n", alstr); + BIO_printf(out, "%s\n", alstr); else - BIO_puts(STDout, "\n"); + BIO_puts(out, "\n"); } else if (subject_hash == i) { - BIO_printf(STDout, "%08lx\n", X509_subject_name_hash(x)); + BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (subject_hash_old == i) { - BIO_printf(STDout, "%08lx\n", X509_subject_name_hash_old(x)); + BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); } #endif else if (issuer_hash == i) { - BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash(x)); + BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); } #ifndef OPENSSL_NO_MD5 else if (issuer_hash_old == i) { - BIO_printf(STDout, "%08lx\n", X509_issuer_name_hash_old(x)); + BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); } #endif else if (pprint == i) { X509_PURPOSE *ptmp; int j; - BIO_printf(STDout, "Certificate purposes:\n"); + BIO_printf(out, "Certificate purposes:\n"); for (j = 0; j < X509_PURPOSE_get_count(); j++) { ptmp = X509_PURPOSE_get0(j); - purpose_print(STDout, x, ptmp); + purpose_print(out, x, ptmp); } } else if (modulus == i) { EVP_PKEY *pkey; 
@@ -781,19 +753,19 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - BIO_printf(STDout, "Modulus="); + BIO_printf(out, "Modulus="); #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA) - BN_print(STDout, pkey->pkey.rsa->n); + BN_print(out, pkey->pkey.rsa->n); else #endif #ifndef OPENSSL_NO_DSA if (pkey->type == EVP_PKEY_DSA) - BN_print(STDout, pkey->pkey.dsa->pub_key); + BN_print(out, pkey->pkey.dsa->pub_key); else #endif - BIO_printf(STDout, "Wrong Algorithm type"); - BIO_printf(STDout, "\n"); + BIO_printf(out, "Wrong Algorithm type"); + BIO_printf(out, "\n"); EVP_PKEY_free(pkey); } else if (pubkey == i) { EVP_PKEY *pkey; 
@@ -804,77 +776,48 @@ int MAIN(int argc, char **argv) ERR_print_errors(bio_err); goto end; } - PEM_write_bio_PUBKEY(STDout, pkey); + PEM_write_bio_PUBKEY(out, pkey); EVP_PKEY_free(pkey); } else if (C == i) { unsigned char *d; char *m; - int y, z; + int len; X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof buf); - BIO_printf(STDout, "/* subject:%s */\n", buf); - m = X509_NAME_oneline(X509_get_issuer_name(x), buf, - sizeof buf); - BIO_printf(STDout, "/* issuer :%s */\n", buf); + BIO_printf(out, "/*\n" + " * Subject: %s\n", buf); + + m = X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof buf); + BIO_printf(out, " * Issuer: %s\n" + " */\n", buf); - z = i2d_X509(x, NULL); - m = OPENSSL_malloc(z); + len = i2d_X509(x, NULL); + m = OPENSSL_malloc(len); if (!m) { BIO_printf(bio_err, "Out of memory\n"); - ERR_print_errors(bio_err); goto end; } d = (unsigned char *)m; - z = i2d_X509_NAME(X509_get_subject_name(x), &d); - BIO_printf(STDout, "unsigned char XXX_subject_name[%d]={\n", - z); - d = (unsigned char *)m; - for (y = 0; y < z; y++) { - BIO_printf(STDout, "0x%02X,", d[y]); - if ((y & 0x0f) == 0x0f) - BIO_printf(STDout, "\n"); - } - if (y % 16 != 0) - BIO_printf(STDout, "\n"); - BIO_printf(STDout, "};\n"); - - z = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); - BIO_printf(STDout, "unsigned char XXX_public_key[%d]={\n", z); + len = i2d_X509_NAME(X509_get_subject_name(x), &d); + print_array(out, "the_subject_name", len, (unsigned char *)m); d = (unsigned char *)m; - for (y = 0; y < z; y++) { - BIO_printf(STDout, "0x%02X,", d[y]); - if ((y & 0x0f) == 0x0f) - BIO_printf(STDout, "\n"); - } - if (y % 16 != 0) - BIO_printf(STDout, "\n"); - BIO_printf(STDout, "};\n"); - - z = i2d_X509(x, &d); - BIO_printf(STDout, "unsigned char XXX_certificate[%d]={\n", - z); + len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); + print_array(out, "the_public_key", len, (unsigned char *)m); d = (unsigned char *)m; - for (y = 0; y < z; y++) { - BIO_printf(STDout, "0x%02X,", d[y]); - if 
((y & 0x0f) == 0x0f) - BIO_printf(STDout, "\n"); - } - if (y % 16 != 0) - BIO_printf(STDout, "\n"); - BIO_printf(STDout, "};\n"); - + len = i2d_X509(x, &d); + print_array(out, "the_certificate", len, (unsigned char *)m); OPENSSL_free(m); } else if (text == i) { - X509_print_ex(STDout, x, nmflag, certflag); + X509_print_ex(out, x, nmflag, certflag); } else if (startdate == i) { - BIO_puts(STDout, "notBefore="); - ASN1_TIME_print(STDout, X509_get_notBefore(x)); - BIO_puts(STDout, "\n"); + BIO_puts(out, "notBefore="); + ASN1_TIME_print(out, X509_get_notBefore(x)); + BIO_puts(out, "\n"); } else if (enddate == i) { - BIO_puts(STDout, "notAfter="); - ASN1_TIME_print(STDout, X509_get_notAfter(x)); - BIO_puts(STDout, "\n"); + BIO_puts(out, "notAfter="); + ASN1_TIME_print(out, X509_get_notAfter(x)); + BIO_puts(out, "\n"); } else if (fingerprint == i) { int j; unsigned int n; @@ -888,10 +831,10 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "out of memory\n"); goto end; } - BIO_printf(STDout, "%s Fingerprint=", + BIO_printf(out, "%s Fingerprint=", OBJ_nid2sn(EVP_MD_type(fdig))); for (j = 0; j < (int)n; j++) { - BIO_printf(STDout, "%02X%c", md[j], (j + 1 == (int)n) + BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) ? '\n' : ':'); } } @@ -900,8 +843,7 @@ int MAIN(int argc, char **argv) else if ((sign_flag == i) && (x509req == 0)) { BIO_printf(bio_err, "Getting Private key\n"); if (Upkey == NULL) { - Upkey = load_key(bio_err, - keyfile, keyformat, 0, + Upkey = load_key(keyfile, keyformat, 0, passin, e, "Private key"); if (Upkey == NULL) goto end; @@ -913,8 +855,7 @@ int MAIN(int argc, char **argv) } else if (CA_flag == i) { BIO_printf(bio_err, "Getting CA Private Key\n"); if (CAkeyfile != NULL) { - CApkey = load_key(bio_err, - CAkeyfile, CAkeyformat, + CApkey = load_key(CAkeyfile, CAkeyformat, 0, passin, e, "CA Private Key"); if (CApkey == NULL) goto end; 
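Review bot: In the `C == i` branch the result of `i2d_X509(x, NULL)` goes straight into `OPENSSL_malloc(len)`, and the three later `i2d_*` results are handed to `print_array` without a check, so an encoding failure (a negative return) is not caught; how `print_array` treats a negative length is not visible here. A guard after the first call, for example `if (len <= 0) { ERR_print_errors(bio_err); goto end; }`, plus the same test with `OPENSSL_free(m)` before each `print_array` call, would keep a bad length away from the allocator and the printer. The buffer is sized for the full certificate and then reused for the subject name and the public key, which relies on both encodings being no larger than the certificate; a one-line comment such as `/* m is sized for the whole cert; name and key encodings are subsets of it */` would record that assumption. The enclosing function starts and ends outside this hunk.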
@@ -924,7 +865,7 @@ int MAIN(int argc, char **argv) if (!x509_certify(ctx, CAfile, digest, x, xca, CApkey, sigopts, CAserial, CA_createserial, days, clrext, - extconf, extsect, sno)) + extconf, extsect, sno, reqfile)) goto end; } else if (x509req == i) { EVP_PKEY *pk; @@ -934,8 +875,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "no request key file specified\n"); goto end; } else { - pk = load_key(bio_err, - keyfile, keyformat, 0, + pk = load_key(keyfile, keyformat, 0, passin, e, "request key"); if (pk == NULL) goto end; @@ -973,9 +913,9 @@ int MAIN(int argc, char **argv) goto end; } - print_cert_checks(STDout, x, checkhost, checkemail, checkip); + print_cert_checks(out, x, checkhost, checkemail, checkip); - if (noout) { + if (noout || nocert) { ret = 0; goto end; } @@ -1012,11 +952,10 @@ int MAIN(int argc, char **argv) ret = 0; end: if (need_rand) - app_RAND_write_file(NULL, bio_err); + app_RAND_write_file(NULL); OBJ_cleanup(); NCONF_free(extconf); BIO_free_all(out); - BIO_free_all(STDout); X509_STORE_free(ctx); X509_REQ_free(req); X509_free(x); @@ -1032,8 +971,7 @@ int MAIN(int argc, char **argv) sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); if (passin) OPENSSL_free(passin); - apps_shutdown(); - OPENSSL_EXIT(ret); + return (ret); } static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, @@ -1087,7 +1025,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, STACK_OF(OPENSSL_STRING) *sigopts, char *serialfile, int create, int days, int clrext, CONF *conf, char *section, - ASN1_INTEGER *sno) + ASN1_INTEGER *sno, int reqfile) { int ret = 0; ASN1_INTEGER *bs = NULL; @@ -1154,7 +1092,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, goto end; } - if (!do_X509_sign(bio_err, x, pkey, digest, sigopts)) + if (!do_X509_sign(x, pkey, digest, sigopts)) goto end; ret = 1; end: 
@@ -1204,22 +1142,11 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, CONF *conf, char *section) { - EVP_PKEY *pktmp; - - pktmp = X509_get_pubkey(x); - EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_save_parameters(pktmp, 1); - EVP_PKEY_free(pktmp); - if (!X509_set_issuer_name(x, X509_get_subject_name(x))) goto err; if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) goto err; - /* Lets just make it 12:00am GMT, Jan 1 1970 */ - /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ - /* 28 days to be certified */ - if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == NULL) goto err; diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index 7ae36d7..0a889ef 100644 --- a/crypto/evp/c_allc.c +++ b/crypto/evp/c_allc.c @@ -94,6 +94,7 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_des_ede()); EVP_add_cipher(EVP_des_ede3()); EVP_add_cipher(EVP_des_ede3_wrap()); + EVP_add_cipher_alias(SN_id_smime_alg_CMS3DESwrap, "des3-wrap"); #endif #ifndef OPENSSL_NO_RC4 @@ -131,6 +132,9 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_rc2_64_cbc()); EVP_add_cipher_alias(SN_rc2_cbc, "RC2"); EVP_add_cipher_alias(SN_rc2_cbc, "rc2"); + EVP_add_cipher_alias(SN_rc2_cbc, "rc2-128"); + EVP_add_cipher_alias(SN_rc2_64_cbc, "rc2-64"); + EVP_add_cipher_alias(SN_rc2_40_cbc, "rc2-40"); #endif #ifndef OPENSSL_NO_BF @@ -178,6 +182,7 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_128_xts()); EVP_add_cipher(EVP_aes_128_ccm()); EVP_add_cipher(EVP_aes_128_wrap()); + EVP_add_cipher_alias(SN_id_aes128_wrap, "aes128-wrap"); EVP_add_cipher(EVP_aes_128_wrap_pad()); EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); 
@@ -194,6 +199,7 @@ void OpenSSL_add_all_ciphers(void) # endif EVP_add_cipher(EVP_aes_192_ccm()); EVP_add_cipher(EVP_aes_192_wrap()); + EVP_add_cipher_alias(SN_id_aes192_wrap, "aes192-wrap"); EVP_add_cipher(EVP_aes_192_wrap_pad()); EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); @@ -211,6 +217,7 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_256_xts()); EVP_add_cipher(EVP_aes_256_ccm()); EVP_add_cipher(EVP_aes_256_wrap()); + EVP_add_cipher_alias(SN_id_aes256_wrap, "aes256-wrap"); EVP_add_cipher(EVP_aes_256_wrap_pad()); EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 43821f6..97b4fb9 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -192,6 +192,7 @@ static int ssl_set_option_list(const char *elem, int len, void *usr) /* Single command line switches with no argument e.g. -no_ssl3 */ static int ctrl_str_option(SSL_CONF_CTX *cctx, const char *cmd) { + /* See apps/apps.h if you change this table. */ static const ssl_flag_tbl ssl_option_single[] = { SSL_FLAG_TBL("no_ssl3", SSL_OP_NO_SSLv3), SSL_FLAG_TBL("no_tls1", SSL_OP_NO_TLSv1), @@ -457,6 +458,7 @@ typedef struct { #define SSL_CONF_CMD_STRING(name, cmdopt) \ SSL_CONF_CMD(name, cmdopt, SSL_CONF_TYPE_STRING) +/* See apps/apps.h if you change this table. */ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs"), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs"), diff --git a/util/indent.pro b/util/indent.pro index e871431..c2427a3 100644 --- a/util/indent.pro +++ b/util/indent.pro @@ -749,3 +749,5 @@ -T ssl_trace_tbl -T _stdcall -T tls12_lookup +-T OPTIONS +-T OPT_PAIR diff --git a/util/ssleay.num b/util/ssleay.num index 7ea4a8a..f5f85ab 100755 --- a/util/ssleay.num +++ b/util/ssleay.num 
@@ -393,3 +393,5 @@ SSL_set_wbio 427 EXIST::FUNCTION: SSL_SESSION_get0_ticket 428 EXIST::FUNCTION: SSL_SESSION_get_ticket_lifetime_hint 429 EXIST::FUNCTION: SSL_set_rbio 430 EXIST::FUNCTION: +SSL_CIPHER_get_digest_nid 431 EXIST::FUNCTION: +SSL_CIPHER_get_cipher_nid 432 EXIST::FUNCTION: From rsalz at openssl.org Sat Apr 25 13:27:15 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 13:27:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429968435.706781.22380.nullmailer@dev.openssl.org> The branch master has been updated via c54cc2b15d96944fcf13ccd24baca79f9593cbf0 (commit) from 7e1b7485706c2b11091b5fa897fe496a2faa56cc (commit) - Log ----------------------------------------------------------------- commit c54cc2b15d96944fcf13ccd24baca79f9593cbf0 Author: Rich Salz Date: Sat Apr 25 09:26:48 2015 -0400 Add missing BIO_flush() calls Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/s_server.c b/apps/s_server.c index 2aaa2cb..8199b88 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -338,6 +338,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, out_err: if (s_debug) BIO_printf(bio_err, "Error in PSK server callback\n"); + (void)BIO_flush(bio_err); + (void)BIO_flush(bio_s_out); return 0; } #endif @@ -2404,6 +2406,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) } if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); + (void)BIO_flush(bio_s_out); return (ret); } From rsalz at openssl.org Sat Apr 25 19:41:48 2015 
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 19:41:48 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429990908.506521.29000.nullmailer@dev.openssl.org> The branch master has been updated via 333b070ec06d7a67538ee9d5312656a19e802dc1 (commit) from c54cc2b15d96944fcf13ccd24baca79f9593cbf0 (commit) - Log ----------------------------------------------------------------- commit 333b070ec06d7a67538ee9d5312656a19e802dc1 Author: Rich Salz Date: Sat Apr 25 15:41:29 2015 -0400 fewer NO_ENGINE #ifdef's Make setup_engine be a dummy if NO_ENGINE is enabled. The option is not enabled if NO_ENGINE is enabled, so the one "wasted" variable just sits there. Removes some variables and code. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.h | 4 +++- apps/ca.c | 17 ++++++----------- apps/cms.c | 7 ++----- apps/dgst.c | 18 +++++------------- apps/dhparam.c | 9 ++------- apps/dsa.c | 11 +++-------- apps/dsaparam.c | 9 ++------- apps/ec.c | 11 +++-------- apps/ecparam.c | 8 ++------ apps/enc.c | 8 ++------ apps/gendsa.c | 8 ++------ apps/genpkey.c | 2 -- apps/genrsa.c | 14 +++----------- apps/pkcs12.c | 8 ++------ apps/pkcs7.c | 8 ++------ apps/pkcs8.c | 14 ++++---------- apps/pkey.c | 8 ++------ apps/pkeyparam.c | 8 ++------ apps/pkeyutl.c | 2 -- apps/rand.c | 8 ++------ apps/req.c | 15 ++++++--------- apps/rsa.c | 8 ++------ apps/rsautl.c | 8 +++----- apps/s_client.c | 27 +++++++++++---------------- apps/s_server.c | 6 +----- apps/smime.c | 10 ++-------- apps/speed.c | 4 +--- apps/spkac.c | 9 ++------- apps/srp.c | 7 ++----- apps/verify.c | 7 ++----- apps/x509.c | 23 +++++++---------------- 31 files changed, 88 insertions(+), 218 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index ad17b1a..5d1b98f 100644 --- a/apps/apps.h +++ b/apps/apps.h 
@@ -431,7 +431,9 @@ STACK_OF(X509_CRL) *load_crls(const char *file, int format, X509_STORE *setup_verify(char *CAfile, char *CApath); int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath); -# ifndef OPENSSL_NO_ENGINE +# ifdef OPENSSL_NO_ENGINE +# define setup_engine(engine, debug) NULL +# else ENGINE *setup_engine(const char *engine, int debug); # endif # ifndef OPENSSL_NO_OCSP diff --git a/apps/ca.c b/apps/ca.c index af3afaa..38c96ae 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -292,17 +292,15 @@ int ca_main(int argc, char **argv) X509_CRL *crl = NULL; const EVP_MD *dgst = NULL; char *configfile = NULL, *md = NULL, *policy = NULL, *keyfile = NULL; - char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *enddate = - NULL; + char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL; char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; char *extensions = NULL, *extfile = NULL, *key = NULL, *passinarg = NULL; char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; - char *serialfile = NULL, *startdate = NULL, *subj = NULL, *tmp_email_dn = - NULL; - char *prog; - char *const *pp; - char *dbfile = NULL, *engine = NULL, *f, *randfile = NULL, *tofree = NULL; + char *serialfile = NULL, *startdate = NULL, *subj = NULL; + char *prog, *enddate = NULL, *tmp_email_dn = NULL; + char *dbfile = NULL, *f, *randfile = NULL, *tofree = NULL; char buf[3][BSIZE]; + char *const *pp; const char *p; int create_ser = 0, free_key = 0, total = 0, total_done = 0; int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; @@ -488,7 +486,7 @@ opthelp: rev_type = REV_CA_COMPROMISE; break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; } } @@ -542,9 +540,6 @@ end_of_options: OPENSSL_free(tofree); tofree = NULL; } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif /* Lets get the config section we are using */ if (section == NULL) { 
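Review bot: In the `OPENSSL_NO_ENGINE` branch of apps/apps.h, `setup_engine(engine, debug)` becomes a macro that expands to a bare `NULL` and drops both arguments, so in that configuration the call sites are neither evaluated nor type-checked. A mistake in an argument would then compile cleanly there and only surface in engine-enabled builds. Other files in this commit declare `ENGINE *e` outside the `#ifndef`, so the type appears to be available either way and the stub could keep the arguments and the return type: `# define setup_engine(engine, debug) ((void)(engine), (void)(debug), (ENGINE *)NULL)`. A one-line comment above it, saying that the `-engine` option is absent from the option tables in this configuration, would explain why the stub never sees a real argument.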
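Review bot: The value returned by `setup_engine(opt_arg(), 0)` in the `OPT_ENGINE` case of ca_main is stored in `e` without a check. The same pattern is repeated in the cms, dsa, genrsa, pkcs12, pkcs8, pkey, rsa, rsautl, s_client, s_server, smime, spkac and verify hunks. setup_engine's body is not on this page, but if a failed load only yields NULL, the command carries on with the default implementation even though the operator explicitly asked for an engine, which for a CA is typically the hardware key store. Failing closed would mean testing the result, `if ((e = setup_engine(opt_arg(), 0)) == NULL)`, and jumping to the function's cleanup label, provided NULL is never returned for a request that was handled successfully; otherwise setup_engine needs a distinct failure signal. ca_main starts and ends outside these hunks.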
diff --git a/apps/cms.c b/apps/cms.c index 397071c..e3e8656 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -241,7 +241,7 @@ int cms_main(int argc, char **argv) X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; char *certfile = NULL, *keyfile = NULL, *contfile = NULL; - char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL, *engine = NULL; + char *CAfile = NULL, *CApath = NULL, *certsoutfile = NULL; char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL; char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = NULL; @@ -475,7 +475,7 @@ int cms_main(int argc, char **argv) need_rand = 1; break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_PASSIN: passinarg = opt_arg(); @@ -668,9 +668,6 @@ int cms_main(int argc, char **argv) } else if (!operation) goto opthelp; -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); diff --git a/apps/dgst.c b/apps/dgst.c index 21b8c7f..adfa2a6 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -101,10 +101,6 @@ OPTIONS dgst_options[] = { "Verify a signature using private key in file"}, {"signature", OPT_SIGNATURE, '<', "File with signature to verify"}, {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -#endif - {"engine_impl", OPT_ENGINE_IMPL, '-'}, {"hex", OPT_HEX, '-', "Print as hex dump"}, {"binary", OPT_BINARY, '-', "Print in binary form"}, {"d", OPT_DEBUG, '-', "Print debug info"}, 
@@ -115,6 +111,10 @@ OPTIONS dgst_options[] = { {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"}, {"sigop", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, {"macop", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, + {"engine_impl", OPT_ENGINE_IMPL, '-'}, +#endif {"", OPT_DIGEST, '-', "Any supported digest"}, {NULL} }; @@ -136,10 +136,7 @@ int dgst_main(int argc, char **argv) int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0, non_fips_allow = 0; unsigned char *buf = NULL, *sigbuf = NULL; -#ifndef OPENSSL_NO_ENGINE - char *engine = NULL; int engine_impl = 0; -#endif prog = opt_progname(argv[0]); if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { @@ -193,15 +190,12 @@ int dgst_main(int argc, char **argv) if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) goto opthelp; break; -#ifndef OPENSSL_NO_ENGINE case OPT_ENGINE: - engine = opt_arg(); - e = setup_engine(engine, 0); + e = setup_engine(opt_arg(), 0); break; case OPT_ENGINE_IMPL: engine_impl = 1; break; -#endif case OPT_HEX: out_bin = 0; break; @@ -250,10 +244,8 @@ int dgst_main(int argc, char **argv) "No signature to verify: use the -signature option\n"); goto end; } -#ifndef OPENSSL_NO_ENGINE if (engine_impl) impl = e; -#endif in = BIO_new(BIO_s_file()); bmd = BIO_new(BIO_f_md()); diff --git a/apps/dhparam.c b/apps/dhparam.c index e842ca5..6e51c0b 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -167,8 +167,7 @@ int dhparam_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; DH *dh = NULL; - char *engine = NULL, *infile = NULL, *outfile = NULL, *prog, *inrand = - NULL; + char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL; int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0; OPTION_CHOICE o; 
@@ -200,7 +199,7 @@ int dhparam_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_CHECK: check = 1; @@ -234,10 +233,6 @@ int dhparam_main(int argc, char **argv) if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) goto end; -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif - if (g && !num) num = DEFBITS; diff --git a/apps/dsa.c b/apps/dsa.c index 9d7c97f..c23ed5d 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -107,9 +107,8 @@ int dsa_main(int argc, char **argv) DSA *dsa = NULL; ENGINE *e = NULL; const EVP_CIPHER *enc = NULL; - char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; - char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = - NULL; + char *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1; @@ -149,7 +148,7 @@ int dsa_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_PASSIN: passinarg = opt_arg(); @@ -192,10 +191,6 @@ int dsa_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif - if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index b314409..f7365b9 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -124,8 +124,7 @@ int dsaparam_main(int argc, char **argv) # ifdef GENCB_TEST int timebomb = 0; # endif - char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL, *engine = - NULL; + char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL; OPTION_CHOICE o; prog = opt_init(argc, argv, dsaparam_options); 
@@ -155,7 +154,7 @@ int dsaparam_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_TIMEBOMB: # ifdef GENCB_TEST @@ -201,10 +200,6 @@ int dsaparam_main(int argc, char **argv) if (out == NULL) goto end; -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif - if (need_rand) { app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) diff --git a/apps/ec.c b/apps/ec.c index d6bce6d..471de47 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -116,9 +116,8 @@ int ec_main(int argc, char **argv) const EC_GROUP *group; const EVP_CIPHER *enc = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; - char *infile = NULL, *outfile = NULL, *prog, *engine = NULL; - char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = - NULL; + char *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; OPTION_CHOICE o; int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; @@ -172,7 +171,7 @@ int ec_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_CIPHER: if (!opt_cipher(opt_unknown(), &enc)) @@ -194,10 +193,6 @@ int ec_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif - if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; diff --git a/apps/ecparam.c b/apps/ecparam.c index 167ef39..049fc78 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c 
@@ -138,7 +138,7 @@ int ecparam_main(int argc, char **argv) EC_GROUP *group = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; char *curve_name = NULL, *inrand = NULL; - char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *prog; unsigned char *buffer = NULL; OPTION_CHOICE o; int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0; @@ -213,7 +213,7 @@ int ecparam_main(int argc, char **argv) need_rand = 1; break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; } } @@ -227,10 +227,6 @@ int ecparam_main(int argc, char **argv) if (out == NULL) goto end; -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif - if (list_curves) { EC_builtin_curve *curves = NULL; size_t crv_len = 0; diff --git a/apps/enc.c b/apps/enc.c index 06b056b..61a64d4 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -132,7 +132,7 @@ int enc_main(int argc, char **argv) EVP_CIPHER_CTX *ctx = NULL; const EVP_CIPHER *cipher = NULL, *c; const EVP_MD *dgst = NULL; - char *engine = NULL, *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; + char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; char *infile = NULL, *outfile = NULL, *prog; char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; char mbuf[sizeof magic - 1]; @@ -193,7 +193,7 @@ int enc_main(int argc, char **argv) passarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_D: enc = 0; @@ -294,10 +294,6 @@ int enc_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -#endif - if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog); goto end; diff --git a/apps/gendsa.c b/apps/gendsa.c index 1eaaa45..21988a0 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c 
@@ -96,7 +96,7 @@ int gendsa_main(int argc, char **argv) BIO *out = NULL, *in = NULL; DSA *dsa = NULL; const EVP_CIPHER *enc = NULL; - char *engine = NULL, *inrand = NULL, *dsaparams = NULL; + char *inrand = NULL, *dsaparams = NULL; char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; OPTION_CHOICE o; int ret = 1; @@ -120,7 +120,7 @@ int gendsa_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_RAND: inrand = opt_arg(); @@ -138,10 +138,6 @@ int gendsa_main(int argc, char **argv) goto opthelp; dsaparams = *argv; -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif - if (!app_passwd(NULL, passoutarg, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/genpkey.c b/apps/genpkey.c index 5130b40..ae68e7a 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -128,11 +128,9 @@ int genpkey_main(int argc, char **argv) case OPT_PASS: passarg = opt_arg(); break; -#ifndef OPENSSL_NO_ENGINE case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; -#endif case OPT_PARAMFILE: if (do_param == 1) goto opthelp; diff --git a/apps/genrsa.c b/apps/genrsa.c index b7275ae..7d0466a 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -110,8 +110,7 @@ int genrsa_main(int argc, char **argv) int ret = 1, non_fips_allow = 0, num = DEFBITS; unsigned long f4 = RSA_F4; char *outfile = NULL, *passoutarg = NULL, *passout = NULL; - char *engine = NULL, *inrand = NULL, *prog; - char *hexe, *dece; + char *inrand = NULL, *prog, *hexe, *dece; OPTION_CHOICE o; if (!bn || !cb) @@ -142,7 +141,7 @@ int genrsa_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_RAND: inrand = opt_arg(); 
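Review bot: `case OPT_OUT: outfile = opt_arg();` in genrsa_main has no `break`, so `-out` falls through into `case OPT_ENGINE` and the changed line calls `setup_engine(opt_arg(), 0)` with the output file name as the engine id. The fall-through predates this commit (the old code stored the same string in `engine` and loaded it later), but the commit carries it over unchanged. As a result every `-out` invocation triggers an engine lookup for a user-supplied path and may leave `e` set to something the user never requested, which then reaches `RSA_new_method(e)`. Add `break;` after `outfile = opt_arg();`. genrsa_main starts and ends outside the hunk.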
@@ -166,9 +165,6 @@ int genrsa_main(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif out = bio_open_default(outfile, "w"); if (out == NULL) @@ -185,11 +181,7 @@ int genrsa_main(int argc, char **argv) BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n", num); -# ifdef OPENSSL_NO_ENGINE - rsa = RSA_new(); -# else - rsa = RSA_new_method(e); -# endif + rsa = e ? RSA_new_method(e) : RSA_new(); if (!rsa) goto end; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index a031c1b..5cdd71b 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -173,7 +173,7 @@ int pkcs12_main(int argc, char **argv) char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL; char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL; - char *engine = NULL, *prog; + char *prog; ENGINE *e = NULL; BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; @@ -308,17 +308,13 @@ int pkcs12_main(int argc, char **argv) CAfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; } } argc = opt_num_rest(); argv = opt_rest(); -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif - if (passarg) { if (export_cert) passoutarg = passarg; diff --git a/apps/pkcs7.c b/apps/pkcs7.c index ca05273..7c62a86 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -143,7 +143,7 @@ int pkcs7_main(int argc, char **argv) PKCS7 *p7 = NULL; BIO *in = NULL, *out = NULL; int informat = FORMAT_PEM, outformat = FORMAT_PEM; - char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *prog; int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1; OPTION_CHOICE o; 
@@ -186,17 +186,13 @@ int pkcs7_main(int argc, char **argv) print_certs = 1; break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; } } argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -#endif - in = bio_open_default(infile, RB(informat)); if (in == NULL) goto end; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 7b361cf..105c1cb 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -104,14 +104,12 @@ int pkcs8_main(int argc, char **argv) PKCS8_PRIV_KEY_INFO *p8inf = NULL; X509_SIG *p8 = NULL; const EVP_CIPHER *cipher = NULL; - char *engine = NULL, *infile = NULL, *outfile = NULL; + char *infile = NULL, *outfile = NULL; char *passinarg = NULL, *passoutarg = NULL, *prog; char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; OPTION_CHOICE o; - int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = - PKCS8_OK; - int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = - -1; + int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; prog = opt_init(argc, argv, pkcs8_options); while ((o = opt_next()) != OPT_EOF) { @@ -188,17 +186,13 @@ int pkcs8_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; } } argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif - if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; diff --git a/apps/pkey.c b/apps/pkey.c index 3597be0..716d6d0 100644 --- a/apps/pkey.c +++ b/apps/pkey.c 
@@ -97,7 +97,7 @@ int pkey_main(int argc, char **argv) EVP_PKEY *pkey = NULL; const EVP_CIPHER *cipher = NULL; char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; - char *passinarg = NULL, *passoutarg = NULL, *prog, *engine = NULL; + char *passinarg = NULL, *passoutarg = NULL, *prog; OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM; int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1; @@ -129,7 +129,7 @@ int pkey_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_IN: infile = opt_arg(); @@ -160,10 +160,6 @@ int pkey_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif - if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index 5a5caf5..fbd19a7 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -85,7 +85,7 @@ int pkeyparam_main(int argc, char **argv) EVP_PKEY *pkey = NULL; int text = 0, noout = 0, ret = 1; OPTION_CHOICE o; - char *infile = NULL, *outfile = NULL, *prog, *engine = NULL; + char *infile = NULL, *outfile = NULL, *prog; prog = opt_init(argc, argv, pkeyparam_options); while ((o = opt_next()) != OPT_EOF) { @@ -105,7 +105,7 @@ int pkeyparam_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_TEXT: text = 1; @@ -118,10 +118,6 @@ int pkeyparam_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -#endif - in = bio_open_default(infile, "r"); if (in == NULL) goto end; diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 942ba05..da7dc2e 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c 
@@ -174,11 +174,9 @@ int pkeyutl_main(int argc, char **argv) if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform)) goto opthelp; break; -#ifndef OPENSSL_NO_ENGINE case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; -#endif case OPT_PUBIN: key_type = KEY_PUBKEY; break; diff --git a/apps/rand.c b/apps/rand.c index 9a73935..498e7da 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -85,7 +85,7 @@ OPTIONS rand_options[] = { int rand_main(int argc, char **argv) { BIO *out = NULL; - char *engine = NULL, *inrand = NULL, *outfile = NULL, *prog; + char *inrand = NULL, *outfile = NULL, *prog; OPTION_CHOICE o; int base64 = 0, hex = 0, i, num = -1, r, ret = 1; @@ -105,7 +105,7 @@ int rand_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; case OPT_RAND: inrand = opt_arg(); @@ -126,10 +126,6 @@ int rand_main(int argc, char **argv) if (sscanf(argv[0], "%d", &num) != 1 || num < 0) goto opthelp; -#ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -#endif - app_RAND_load_file(NULL, (inrand != NULL)); if (inrand != NULL) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", diff --git a/apps/req.c b/apps/req.c index 1237c33..0502a64 100644 --- a/apps/req.c +++ b/apps/req.c @@ -136,7 +136,6 @@ OPTIONS req_options[] = { {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"in", OPT_IN, '<', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, - {"keygen_engine", OPT_KEYGEN_ENGINE, 's'}, {"key", OPT_KEY, '<', "Use the private key contained in file"}, {"keyform", OPT_KEYFORM, 'F', "Key file format"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, @@ -179,6 +178,7 @@ OPTIONS req_options[] = { "Request extension section (override value in config file)"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"keygen_engine", OPT_KEYGEN_ENGINE, 's'}, #endif {"", OPT_MD, '-', "Any supported digest"}, {NULL} 
@@ -196,7 +196,7 @@ int req_main(int argc, char **argv) X509_REQ *req = NULL; const EVP_CIPHER *cipher = NULL; const EVP_MD *md_alg = NULL, *digest = NULL; - char *engine = NULL, *extensions = NULL, *infile = NULL; + char *extensions = NULL, *infile = NULL; char *outfile = NULL, *keyfile = NULL, *inrand = NULL; char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL, *req_exts = NULL, *subj = NULL; @@ -235,18 +235,18 @@ int req_main(int argc, char **argv) if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) goto opthelp; break; -#ifndef OPENSSL_NO_ENGINE case OPT_ENGINE: - engine = optarg; + (void)setup_engine(opt_arg(), 0); break; case OPT_KEYGEN_ENGINE: +#ifndef OPENSSL_NO_ENGINE gen_eng = ENGINE_by_id(opt_arg()); if (gen_eng == NULL) { BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); - goto end; + goto opthelp; } - break; #endif + break; case OPT_KEY: keyfile = opt_arg(); break; @@ -498,9 +498,6 @@ int req_main(int argc, char **argv) goto end; } } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif if (keyfile != NULL) { pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); diff --git a/apps/rsa.c b/apps/rsa.c index 7f7069c..07cc5fb 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -158,7 +158,7 @@ int rsa_main(int argc, char **argv) BIO *out = NULL; RSA *rsa = NULL; const EVP_CIPHER *enc = NULL; - char *engine = NULL, *infile = NULL, *outfile = NULL, *prog; + char *infile = NULL, *outfile = NULL, *prog; char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; int i; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; @@ -203,7 +203,7 @@ int rsa_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_PUBIN: pubin = 1; 
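Review bot: In req_main the `OPT_ENGINE` case now discards the handle with `(void)setup_engine(opt_arg(), 0);`, whereas the block removed further down was the assignment `e = setup_engine(engine, 0);`. The context line right after it still passes `e` to `load_key(keyfile, keyform, 0, passin, e, "Private Key")`. Unless `e` is assigned somewhere outside these hunks, it is now always NULL at that call, so a private key held by the requested engine can no longer be reached through `-engine`. The case should keep the result, `e = setup_engine(opt_arg(), 0);`, as the other commands in this commit that use `e` do. req_main starts and ends outside the hunks.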
@@ -249,10 +249,6 @@ int rsa_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif - if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); goto end; diff --git a/apps/rsautl.c b/apps/rsautl.c index 0466746..67cb76e 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -116,7 +116,7 @@ int rsautl_main(int argc, char **argv) EVP_PKEY *pkey = NULL; RSA *rsa = NULL; X509 *x; - char *engine = NULL, *infile = NULL, *outfile = NULL, *keyfile = NULL; + char *infile = NULL, *outfile = NULL, *keyfile = NULL; char *passinarg = NULL, *passin = NULL, *prog; char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING; @@ -147,7 +147,7 @@ int rsautl_main(int argc, char **argv) outfile = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_ASN1PARSE: asn1parse = 1; @@ -208,9 +208,7 @@ int rsautl_main(int argc, char **argv) BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -# endif + if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/s_client.c b/apps/s_client.c index 900efe7..0d03005 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -591,7 +591,6 @@ OPTIONS s_client_options[] = { {"verify_quiet", OPT_VERIFY_QUIET, '-'}, {"brief", OPT_BRIEF, '-'}, {"prexit", OPT_PREXIT, '-'}, - {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, {"trace", OPT_TRACE, '-'}, {"security_debug", OPT_SECURITY_DEBUG, '-'}, {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, 
@@ -603,6 +602,7 @@ OPTIONS s_client_options[] = { {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, #endif OPT_S_OPTIONS, OPT_V_OPTIONS, @@ -649,7 +649,6 @@ int s_client_main(int argc, char **argv) NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; - char *engine_id = NULL, *ssl_client_engine_id = NULL; char *jpake_secret = NULL; const char *unix_path = NULL; struct sockaddr peer; @@ -674,8 +673,8 @@ int s_client_main(int argc, char **argv) #endif #ifndef OPENSSL_NO_ENGINE ENGINE *ssl_client_engine = NULL; - ENGINE *e = NULL; #endif + ENGINE *e = NULL; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif @@ -829,10 +828,17 @@ int s_client_main(int argc, char **argv) #endif break; case OPT_ENGINE: - engine_id = opt_arg(); + e = setup_engine(opt_arg(), 1); break; case OPT_SSL_CLIENT_ENGINE: - ssl_client_engine_id = opt_arg(); +#ifndef OPENSSL_NO_ENGINE + ssl_client_engine = ENGINE_by_id(opt_arg()); + if (ssl_client_engine == NULL) { + BIO_printf(bio_err, "Error getting client auth engine\n"); + goto opthelp; + } + break; +#endif break; case OPT_RAND: inrand = opt_arg(); @@ -1075,17 +1081,6 @@ int s_client_main(int argc, char **argv) next_proto.data = NULL; #endif -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine_id, 1); - if (ssl_client_engine_id) { - ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); - if (ssl_client_engine == NULL) { - BIO_printf(bio_err, "Error getting client auth engine\n"); - goto end; - } - } -#endif - if (!app_passwd(passarg, NULL, &pass, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/s_server.c b/apps/s_server.c index 8199b88..3644381 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
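Review bot: The new `OPT_SSL_CLIENT_ENGINE` case in s_client_main has one `break;` inside the `#ifndef OPENSSL_NO_ENGINE` block and a second one right after `#endif`, so the engine-enabled build contains an unreachable statement. The `OPT_KEYGEN_ENGINE` case added to req.c in this same commit keeps a single `break;` after `#endif`; dropping the inner `break;` here would make the two cases read the same way. s_client_main starts and ends outside the hunk.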
@@ -1378,7 +1378,7 @@ int s_server_main(int argc, char *argv[]) session_id_prefix = opt_arg(); break; case OPT_ENGINE: - engine_id = opt_arg(); + e = setup_engine(opt_arg(), 1); break; case OPT_RAND: inrand = opt_arg(); @@ -1449,10 +1449,6 @@ int s_server_main(int argc, char *argv[]) } #endif -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine_id, 1); -#endif - if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/smime.c b/apps/smime.c index 532446f..0c683f5 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -164,7 +164,7 @@ int smime_main(int argc, char **argv) X509_VERIFY_PARAM *vpm = NULL; const EVP_CIPHER *cipher = NULL; const EVP_MD *sign_md = NULL; - char *CAfile = NULL, *CApath = NULL, *inrand = NULL, *engine = NULL; + char *CAfile = NULL, *CApath = NULL, *inrand = NULL; char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *prog; char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = NULL; @@ -177,9 +177,7 @@ int smime_main(int argc, char **argv) int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = FORMAT_PEM; int vpmtouched = 0, rv = 0; -#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; -#endif if ((vpm = X509_VERIFY_PARAM_new()) == NULL) return 1; @@ -276,7 +274,7 @@ int smime_main(int argc, char **argv) need_rand = 1; break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_PASSIN: passinarg = opt_arg(); @@ -408,10 +406,6 @@ int smime_main(int argc, char **argv) } else if (!operation) goto opthelp; -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif - if (!app_passwd(passinarg, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; diff --git a/apps/speed.c b/apps/speed.c index 1a01d33..5758705 100644 --- a/apps/speed.c +++ b/apps/speed.c 
@@ -835,11 +835,9 @@ int speed_main(int argc, char **argv) case OPT_DECRYPT: decrypt = 1; break; -#ifndef OPENSSL_NO_ENGINE case OPT_ENGINE: - setup_engine(opt_arg(), 0); + (void)setup_engine(opt_arg(), 0); break; -#endif #ifndef NO_FORK case OPT_MULTI: multi = atoi(opt_arg()); diff --git a/apps/spkac.c b/apps/spkac.c index ee2e596..7ceff9f 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -100,7 +100,7 @@ int spkac_main(int argc, char **argv) ENGINE *e = NULL; EVP_PKEY *pkey = NULL; NETSCAPE_SPKI *spki = NULL; - char *challenge = NULL, *keyfile = NULL, *engine = NULL; + char *challenge = NULL, *keyfile = NULL; char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL; char *spkstr = NULL, *prog; const char *spkac = "SPKAC", *spksect = "default"; @@ -149,9 +149,8 @@ int spkac_main(int argc, char **argv) spksect = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; - } } argc = opt_num_rest(); @@ -161,9 +160,6 @@ int spkac_main(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto end; } -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif if (keyfile) { pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL, @@ -194,7 +190,6 @@ int spkac_main(int argc, char **argv) conf = NCONF_new(NULL); i = NCONF_load_bio(conf, in, NULL); - if (!i) { BIO_printf(bio_err, "Error parsing config file\n"); ERR_print_errors(bio_err); diff --git a/apps/srp.c b/apps/srp.c index bacd670..0585952 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -272,7 +272,7 @@ int srp_main(int argc, char **argv) int mode = OPT_ERR; char *user = NULL, *passinarg = NULL, *passoutarg = NULL; char *passin = NULL, *passout = NULL, *gN = NULL, *userinfo = NULL; - char *randfile = NULL, *engine = NULL, *tofree = NULL, *section = NULL; + char *randfile = NULL, *tofree = NULL, *section = NULL; char **gNrow = NULL, *configfile = NULL, *dbfile = NULL, **pp, *prog; long errorline = -1; OPTION_CHOICE o; 
@@ -332,7 +332,7 @@ int srp_main(int argc, char **argv) passoutarg = opt_arg(); break; case OPT_ENGINE: - engine = opt_arg(); + (void)setup_engine(opt_arg(), 0); break; } } @@ -359,9 +359,6 @@ int srp_main(int argc, char **argv) "-passin, -passout arguments only valid with one user.\n"); goto opthelp; } -# ifndef OPENSSL_NO_ENGINE - setup_engine(engine, 0); -# endif if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); diff --git a/apps/verify.c b/apps/verify.c index 61e85ce..35085e7 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -105,7 +105,7 @@ int verify_main(int argc, char **argv) STACK_OF(X509_CRL) *crls = NULL; X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; - char *prog, *CApath = NULL, *CAfile = NULL, *engine = NULL; + char *prog, *CApath = NULL, *CAfile = NULL; char *untfile = NULL, *trustfile = NULL, *crlfile = NULL; int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1; OPTION_CHOICE o; @@ -167,7 +167,7 @@ int verify_main(int argc, char **argv) show_chain = 1; break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_VERBOSE: v_verbose = 1; @@ -177,9 +177,6 @@ int verify_main(int argc, char **argv) argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif if (!(store = setup_verify(CAfile, CApath))) goto end; X509_STORE_set_verify_cb(store, cb); diff --git a/apps/x509.c b/apps/x509.c index 903e6b9..e1cc3cd 100644 --- a/apps/x509.c +++ b/apps/x509.c 
@@ -220,25 +220,20 @@ int x509_main(int argc, char **argv) char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; - char buf[256]; - char *engine = NULL, *prog; - int C = 0, x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = - 0; - int CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; - int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = - 0, checkoffset = 0; + char buf[256], *prog; + int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; + int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; + int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0; int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; - int text = 0, serial = 0, subject = 0, issuer = 0, startdate = - 0, enddate = 0; + int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0; + int checkoffset = 0, enddate = 0; unsigned long nmflag = 0, certflag = 0; OPTION_CHOICE o; -#ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; -#endif #ifndef OPENSSL_NO_MD5 int subject_hash_old = 0, issuer_hash_old = 0; #endif @@ -374,7 +369,7 @@ int x509_main(int argc, char **argv) goto opthelp; break; case OPT_ENGINE: - engine = opt_arg(); + e = setup_engine(opt_arg(), 0); break; case OPT_C: C = ++num; @@ -498,10 +493,6 @@ int x509_main(int argc, char **argv) if (out == NULL) goto end; -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine, 0); -#endif - if (need_rand) app_RAND_load_file(NULL, 0); From rsalz at openssl.org Sat Apr 25 19:58:53 2015 
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 19:58:53 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429991933.974748.418.nullmailer@dev.openssl.org> The branch master has been updated via 6ba8a5b77af5792bf0755388bc0ce4003af7cf86 (commit) from 333b070ec06d7a67538ee9d5312656a19e802dc1 (commit) - Log ----------------------------------------------------------------- commit 6ba8a5b77af5792bf0755388bc0ce4003af7cf86 Author: Rich Salz Date: Sat Apr 25 15:58:22 2015 -0400 Add -nocommands to s_client. Add flag to disable the 'command letters' from s_client. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 0d03005..d3fc397 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -488,7 +488,7 @@ typedef enum OPTION_choice { OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, - OPT_FALLBACKSCSV + OPT_FALLBACKSCSV, OPT_NOCMDS } OPTION_CHOICE; OPTIONS s_client_options[] = { @@ -600,6 +600,7 @@ OPTIONS s_client_options[] = { {"build_chain", OPT_BUILD_CHAIN, '-'}, {"chainCAfile", OPT_CHAINCAFILE, '<'}, {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, + {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, 
@@ -660,7 +661,7 @@ int s_client_main(int argc, char **argv) int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer; int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; int ret = 1, in_init = 1, i, nbio_test = 0, s, k, width, state = 0; - int sbuf_len, sbuf_off, socket_type = SOCK_STREAM; + int sbuf_len, sbuf_off, socket_type = SOCK_STREAM, cmdletters = 1; int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; int fallback_scsv = 0; @@ -822,6 +823,9 @@ int s_client_main(int argc, char **argv) case OPT_NBIO: c_nbio = 1; break; + case OPT_NOCMDS: + cmdletters = 0; + break; case OPT_KRB5SVC: #ifndef OPENSSL_NO_KRB5 krb5svc = opt_arg(); @@ -1906,19 +1910,19 @@ int s_client_main(int argc, char **argv) } else i = raw_read_stdin(cbuf, BUFSIZZ); - if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { + if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) { BIO_printf(bio_err, "DONE\n"); ret = 0; goto shut; } - if ((!c_ign_eof) && (cbuf[0] == 'R')) { + if ((!c_ign_eof) && (cbuf[0] == 'R' && cmdletters)) { BIO_printf(bio_err, "RENEGOTIATING\n"); SSL_renegotiate(con); cbuf_len = 0; } #ifndef OPENSSL_NO_HEARTBEATS - else if ((!c_ign_eof) && (cbuf[0] == 'B')) { + else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) { BIO_printf(bio_err, "HEARTBEATING\n"); SSL_heartbeat(con); cbuf_len = 0; From rsalz at openssl.org Sat Apr 25 20:01:52 2015 
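Review bot: `cmdletters` is added in the middle of a long `int` declaration with no comment, and it defaults to 1, so stdin data whose first byte is `Q`, `R` or `B` is still interpreted as a command unless `-nocommands` is given or `c_ign_eof` is set. A short comment at the declaration would make that visible, e.g. `/* cmdletters: non-zero means a leading 'Q', 'R' or 'B' read from stdin is a command, not data */`. The diffstat for this commit lists only apps/s_client.c, so the new flag appears to get no manual-page entry here. s_client_main starts and ends outside the hunks.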
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 20:01:52 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429992112.659500.1314.nullmailer@dev.openssl.org> The branch master has been updated via d8c25de595019e2948ed2a25847b695b41cdea3c (commit) from 6ba8a5b77af5792bf0755388bc0ce4003af7cf86 (commit) - Log ----------------------------------------------------------------- commit d8c25de595019e2948ed2a25847b695b41cdea3c Author: Rich Salz Date: Sat Apr 25 16:01:21 2015 -0400 RT2451: Add telnet to s_client -starttls Also add -xmpphost and -smtphost flags. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 50 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 5 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index d3fc397..13191a0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -468,7 +468,7 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_VERIFY, + OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY, OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO, @@ -484,7 +484,7 @@ typedef enum OPTION_choice { OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_KRB5SVC, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, - OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, + OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, 
@@ -533,6 +533,7 @@ OPTIONS s_client_options[] = { {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, {"starttls", OPT_STARTTLS, 's', "Use the STARTTLS command before starting TLS"}, + {"xmpphost", OPT_XMPPHOST, 's', "Host to use with \"-starttls xmpp\""}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, @@ -569,6 +570,7 @@ OPTIONS s_client_options[] = { "Tolerate other than the known g N values."}, {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"}, #endif + {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, #ifndef OPENSSL_NO_TLSEXT {"servername", OPT_SERVERNAME, 's', "Set TLS extension servername in ClientHello"}, @@ -617,6 +619,7 @@ typedef enum PROTOCOL_choice { PROTO_POP3, PROTO_IMAP, PROTO_FTP, + PROTO_TELNET, PROTO_XMPP } PROTOCOL_CHOICE; @@ -626,6 +629,7 @@ static OPT_PAIR services[] = { {"imap", PROTO_IMAP}, {"ftp", PROTO_FTP}, {"xmpp", PROTO_XMPP}, + {"telnet", PROTO_TELNET}, {NULL} }; @@ -650,8 +654,9 @@ int s_client_main(int argc, char **argv) NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; - char *jpake_secret = NULL; + char *jpake_secret = NULL, *xmpphost; const char *unix_path = NULL; + const char *ehlo = "mail.example.com"; struct sockaddr peer; struct timeval timeout, *timeoutp; fd_set readfds, writefds; @@ -754,6 +759,12 @@ int s_client_main(int argc, char **argv) case OPT_UNIX: unix_path = opt_arg(); break; + case OPT_XMPPHOST: + xmpphost = opt_arg(); + break; + case OPT_SMTPHOST: + ehlo = opt_arg(); + break; case OPT_VERIFY: verify = SSL_VERIFY_PEER; verify_depth = atoi(opt_arg()); 
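Review bot: The SMTP host option is registered under the string `name` in the `@@ -569,6 +570,7 @@` hunk, while its enum value is `OPT_SMTPHOST` and the commit description announces a `-smtphost` flag. If `-smtphost` is the intended spelling, the table entry would read `{"smtphost", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},`; if `-name` is intended, the enum name and the description are what mislead. Either way the three should agree so that the help output matches what users are told.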
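Review bot: `xmpphost` is declared without an initializer in `char *jpake_secret = NULL, *xmpphost;` (hunk `@@ -650,8 +654,9 @@`), yet the XMPP branch in the `@@ -1562,7 +1573,7 @@` hunk evaluates `xmpphost ? xmpphost : host`. When `-xmpphost` is not given that reads an indeterminate pointer and may hand it to `BIO_printf` as a string. Initialise it at the declaration: `char *jpake_secret = NULL, *xmpphost = NULL;`. s_client_main starts and ends outside both hunks.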
@@ -1482,7 +1493,7 @@ int s_client_main(int argc, char **argv) mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); } while (mbuf_len > 3 && mbuf[3] == '-'); - BIO_printf(fbio, "EHLO openssl.client.net\r\n"); + BIO_printf(fbio, "EHLO %s\r\n", ehlo); (void)BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { @@ -1562,7 +1573,7 @@ int s_client_main(int argc, char **argv) BIO_printf(sbio, "", - host); + xmpphost ? xmpphost : host); seen = BIO_read(sbio, mbuf, BUFSIZZ); mbuf[seen] = 0; while (!strstr @@ -1586,6 +1597,35 @@ int s_client_main(int argc, char **argv) mbuf[0] = 0; } break; + case PROTO_TELNET: + { + static const unsigned char tls_do[] = { + /* IAC DO START_TLS */ + 255, 253, 46 + }; + static const unsigned char tls_will[] = { + /* IAC WILL START_TLS */ + 255, 251, 46 + }; + static const unsigned char tls_follows[] = { + /* IAC SB START_TLS FOLLOWS IAC SE */ + 255, 250, 46, 1, 255, 240 + }; + int bytes; + + /* Telnet server should demand we issue START_TLS */ + bytes = BIO_read(sbio, mbuf, BUFSIZZ); + if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0) + goto shut; + /* Agree to issue START_TLS and send the FOLLOWS sub-command */ + BIO_write(sbio, tls_will, 3); + BIO_write(sbio, tls_follows, 6); + (void)BIO_flush(sbio); + /* Telnet server also sent the FOLLOWS sub-command */ + bytes = BIO_read(sbio, mbuf, BUFSIZZ); + if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0) + goto shut; + } } for (;;) { From rsalz at openssl.org Sat Apr 25 20:03:30 2015 
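Review bot: The `PROTO_TELNET` branch treats each `BIO_read` as if it returned exactly one negotiation message (`bytes != 3`, `bytes != 6`) and ignores the results of both `BIO_write` calls. On a stream socket a single read may return fewer or more bytes than one message, so a server that behaves correctly could be rejected, and a failed write goes unnoticed until the following read. At minimum check the writes, `if (BIO_write(sbio, tls_will, 3) != 3 || BIO_write(sbio, tls_follows, 6) != 6) goto shut;`, and consider a `BIO_printf(bio_err, ...)` diagnostic before each `goto shut`, since the visible lines print nothing on these paths. The enclosing switch and s_client_main start outside the hunk.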
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 20:03:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429992210.258281.1945.nullmailer@dev.openssl.org> The branch master has been updated via 239f2771e13ddc2fa50d01d62c10078befa8c86e (commit) from d8c25de595019e2948ed2a25847b695b41cdea3c (commit) - Log ----------------------------------------------------------------- commit 239f2771e13ddc2fa50d01d62c10078befa8c86e Author: Rich Salz Date: Sat Apr 25 16:03:07 2015 -0400 Remove EFENCE support. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 12 ------------ apps/srp.c | 12 ------------ 2 files changed, 24 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index 38c96ae..218a407 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -144,12 +144,6 @@ #define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ #define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ -#ifdef EFENCE -extern int EF_PROTECT_FREE; -extern int EF_PROTECT_BELOW; -extern int EF_ALIGNMENT; -#endif - static void lookup_fail(const char *name, const char *tag); static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, @@ -313,12 +307,6 @@ int ca_main(int argc, char **argv) X509_REVOKED *r = NULL; OPTION_CHOICE o; -#ifdef EFENCE - EF_PROTECT_FREE = 1; - EF_PROTECT_BELOW = 1; - EF_ALIGNMENT = 0; -#endif - conf = NULL; section = NULL; preserve = 0; diff --git a/apps/srp.c b/apps/srp.c index 0585952..c62d55d 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -78,12 +78,6 @@ # define ENV_DATABASE "srpvfile" # define ENV_DEFAULT_SRP "default_srp" -# ifdef EFENCE -extern int EF_PROTECT_FREE; -extern int EF_PROTECT_BELOW; -extern int EF_ALIGNMENT; -# endif - static int get_index(CA_DB *db, char *id, char type) { char **pp; 
@@ -277,12 +271,6 @@ int srp_main(int argc, char **argv) long errorline = -1; OPTION_CHOICE o; -# ifdef EFENCE - EF_PROTECT_FREE = 1; - EF_PROTECT_BELOW = 1; - EF_ALIGNMENT = 0; -# endif - prog = opt_init(argc, argv, srp_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { From rsalz at openssl.org Sat Apr 25 20:04:57 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 20:04:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429992297.589892.2476.nullmailer@dev.openssl.org> The branch master has been updated via c6724060e267f55cb5c5088b771c9ded9af0e16b (commit) from 239f2771e13ddc2fa50d01d62c10078befa8c86e (commit) - Log ----------------------------------------------------------------- commit c6724060e267f55cb5c5088b771c9ded9af0e16b Author: Rich Salz Date: Sat Apr 25 16:04:42 2015 -0400 RT2206: Add -issuer flag to ocsp command Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/ocsp.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index 840e506..c58cd44 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -132,7 +132,7 @@ typedef enum OPTION_choice { OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, - OPT_RESPOUT, OPT_PATH, OPT_CERT, OPT_SERIAL, + OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER, OPT_V_ENUM, 
@@ -189,6 +189,7 @@ OPTIONS ocsp_options[] = { {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, {"path", OPT_PATH, 's', "Path to use in OCSP request"}, + {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, {"cert", OPT_CERT, '<', "Certificate to check"}, {"serial", OPT_SERIAL, 's', "Nerial number to check"}, {"index", OPT_INDEX, '<', "Certificate status index file"}, @@ -391,6 +392,16 @@ int ocsp_main(int argc, char **argv) case OPT_PATH: path = opt_arg(); break; + case OPT_ISSUER: + X509_free(issuer); + issuer = load_cert(opt_arg(), FORMAT_PEM, + NULL, NULL, "issuer certificate"); + if (issuer == NULL) + goto end; + if ((issuers = sk_X509_new_null()) == NULL) + goto end; + sk_X509_push(issuers, issuer); + break; case OPT_CERT: X509_free(cert); cert = load_cert(opt_arg(), FORMAT_PEM, @@ -703,6 +714,11 @@ int ocsp_main(int argc, char **argv) } i = OCSP_basic_verify(bs, verify_other, store, verify_flags); + if (i <= 0 && issuers) { + i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER); + if (i > 0) + ERR_clear_error(); + } if (i <= 0) { BIO_printf(bio_err, "Response Verify Failure\n"); ERR_print_errors(bio_err); From rsalz at openssl.org Sat Apr 25 20:06:32 2015 
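Review bot: Each `-issuer` allocates a fresh stack with `sk_X509_new_null()` and assigns it to `issuers`, so a second `-issuer` drops the earlier stack without freeing it, and the `X509_free(issuer)` at the top of the case releases a certificate that the earlier stack still points to. Allocating once, `if (issuers == NULL && (issuers = sk_X509_new_null()) == NULL) goto end;`, and leaving ownership of pushed certificates with the stack would keep every issuer and avoid the stale pointer. The result of `sk_X509_push` is also unchecked. Whether the cleanup at `end` frees `issuer` and `issuers` independently is outside the hunk and should be checked for a double free.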
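Review bot: The retry added after a failed `OCSP_basic_verify` passes `issuers` with `OCSP_TRUSTOTHER` in place of `verify_flags`, so any certificate supplied with `-issuer` is treated as an explicitly trusted response signer and the user's verification flags do not apply to the second attempt. That widens what counts as a valid response beyond what the option table says about `-issuer` (`"Issuer certificate"`), and the first failure is discarded by `ERR_clear_error()` when the retry succeeds. Consider keeping the user's flags, `i = OCSP_basic_verify(bs, issuers, store, verify_flags | OCSP_TRUSTOTHER);`, and stating the fallback in the option's help text. ocsp_main starts and ends outside the hunk.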
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 20:06:32 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429992392.222368.3062.nullmailer@dev.openssl.org> The branch master has been updated via f92beb98de0c8fdbf18f29642264258cc2ff05e7 (commit) from c6724060e267f55cb5c5088b771c9ded9af0e16b (commit) - Log ----------------------------------------------------------------- commit f92beb98de0c8fdbf18f29642264258cc2ff05e7 Author: Rich Salz Date: Sat Apr 25 16:06:19 2015 -0400 Quote HTML entities in s_server output Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 3644381..88309a6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2723,7 +2723,22 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) /* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/ BIO_puts(io, "\n"); for (i = 0; i < local_argc; i++) { - BIO_puts(io, local_argv[i]); + const char *myp; + for (myp = local_argv[i]; *myp; myp++) + switch (*myp) { + case '<': + BIO_puts(io, "<"); + break; + case '>': + BIO_puts(io, ">"); + break; + case '&': + BIO_puts(io, "&"); + break; + default: + BIO_write(io, myp, 1); + break; + } BIO_write(io, " ", 1); } BIO_puts(io, "\n"); From rsalz at openssl.org Sat Apr 25 20:07:41 2015 
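Review bot: The three replacement strings in the new `switch` are displayed here as the bare characters `<`, `>` and `&`, which as written would make the loop emit its input unchanged. This is most likely the list archive decoding the HTML entities the commit actually writes, so confirm against the repository before relying on this listing as the escaping code. On style, the `for` loop body is an unbraced `switch`; bracing it would match the rest of the function's brace-every-body layout. www_body starts and ends outside the hunk.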
From: rsalz at openssl.org (Rich Salz) Date: Sat, 25 Apr 2015 20:07:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1429992461.495205.3399.nullmailer@dev.openssl.org> The branch master has been updated via 46aa6078675132bce25c1d06878ae0fcc5f7cd55 (commit) from f92beb98de0c8fdbf18f29642264258cc2ff05e7 (commit) - Log ----------------------------------------------------------------- commit 46aa6078675132bce25c1d06878ae0fcc5f7cd55 Author: Rich Salz Date: Sat Apr 25 16:07:28 2015 -0400 apps-cleanup: the doc fixes Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: doc/apps/ocsp.pod | 9 ++++++++- doc/apps/rsa.pod | 9 +-------- doc/apps/x509.pod | 8 ++++---- doc/crypto/ui.pod | 1 + 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index d5565c9..a9b29b0 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -25,7 +25,8 @@ B B [B<-nonce>] [B<-no_nonce>] [B<-url URL>] -[B<-host host:n>] +[B<-host host:port>] +[B<-header>] [B<-path>] [B<-CApath dir>] [B<-CAfile file>] @@ -161,6 +162,12 @@ if the B option is present then the OCSP request is sent to the host B on port B. B specifies the HTTP path name to use or "/" by default. +=item B<-header name=value> + +Adds the header B with the specified B to the OCSP request +that is sent to the responder. +This may be repeated. + =item B<-timeout seconds> connection timeout to the OCSP responder in seconds diff --git a/doc/apps/rsa.pod b/doc/apps/rsa.pod index 21cbf8e..734c602 100644 --- a/doc/apps/rsa.pod +++ b/doc/apps/rsa.pod @@ -14,7 +14,6 @@ B B [B<-passin arg>] [B<-out filename>] [B<-passout arg>] -[B<-sgckey>] [B<-aes128>] [B<-aes192>] [B<-aes256>] 
@@ -83,11 +82,6 @@ filename. the output file password source. For more information about the format of B see the B section in L. -=item B<-sgckey> - -use the modified NET algorithm used with some versions of Microsoft IIS and SGC -keys. - =item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> These options encrypt the private key with the specified @@ -165,8 +159,7 @@ files. To use these with the utility, view the file with a binary editor and look for the string "private-key", then trace back to the byte sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data from this point onwards to another file and use that as the input -to the B utility with the B<-inform NET> option. If you get -an error after entering the password try the B<-sgckey> option. +to the B utility with the B<-inform NET> option. =head1 EXAMPLES diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index a1326ed..062a919 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -366,8 +366,7 @@ the B<-signkey> or B<-CA> options. If used in conjunction with the B<-CA> option the serial number file (as specified by the B<-CAserial> or B<-CAcreateserial> options) is not used. -The serial number can be decimal or hex (if preceded by B<0x>). Negative -serial numbers can also be specified but their use is not recommended. +The serial number can be decimal or hex (if preceded by B<0x>). =item B<-CA filename> 
@@ -402,8 +401,9 @@ The default filename consists of the CA certificate file base name with with this option the CA serial number file is created if it does not exist: it will contain the serial number "02" and the certificate being signed will -have the 1 as its serial number. Normally if the B<-CA> option is specified -and the serial number file does not exist it is an error. +have the 1 as its serial number. If the B<-CA> option is specified +and the serial number file does not exist a random number is generated; +this is the recommended practice. =item B<-extfile filename> diff --git a/doc/crypto/ui.pod b/doc/crypto/ui.pod index 04f8e9c..9dbc2da 100644 --- a/doc/crypto/ui.pod +++ b/doc/crypto/ui.pod @@ -106,6 +106,7 @@ most problems when porting. UI_free() removes a UI from memory, along with all other pieces of memory that's connected to it, like duplicated input strings, results and others. +If B is NULL nothing is done. UI_add_input_string() and UI_add_verify_string() add a prompt to the UI, as well as flags and a result buffer and the desired minimum and maximum From rsalz at openssl.org Sun Apr 26 02:56:03 2015 From: rsalz at openssl.org (Rich Salz) Date: Sun, 26 Apr 2015 02:56:03 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430016963.991740.31696.nullmailer@dev.openssl.org> The branch master has been updated via a194ee7b9aab3c8fae2d5b840ce1ae81de940b48 (commit) from 46aa6078675132bce25c1d06878ae0fcc5f7cd55 (commit) - Log ----------------------------------------------------------------- commit a194ee7b9aab3c8fae2d5b840ce1ae81de940b48 Author: Rich Salz Date: Sat Apr 25 22:55:36 2015 -0400 Free malloc data on encoding errors. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/apps/s_server.c b/apps/s_server.c index 88309a6..da725e7 100644 --- a/apps/s_server.c 
+++ b/apps/s_server.c @@ -3169,6 +3169,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess->derlen = i2d_SSL_SESSION(session, NULL); if (sess->derlen < 0) { BIO_printf(bio_err, "Error encoding session\n"); + OPENSSL_free(sess); return 0; } @@ -3176,10 +3177,8 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess->der = OPENSSL_malloc(sess->derlen); if (!sess->id || !sess->der) { BIO_printf(bio_err, "Out of memory adding to external cache\n"); - if (sess->id) - OPENSSL_free(sess->id); - if (sess->der) - OPENSSL_free(sess->der); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); OPENSSL_free(sess); return 0; } @@ -3187,7 +3186,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session) /* Assume it still works. */ if (i2d_SSL_SESSION(session, &p) != sess->derlen) { - BIO_printf(bio_err, "Error encoding session\n"); + BIO_printf(bio_err, "Re-encoding session strangeness\n"); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + OPENSSL_free(sess); return 0; } From rsalz at openssl.org Sun Apr 26 03:08:19 2015 From: rsalz at openssl.org (Rich Salz) Date: Sun, 26 Apr 2015 03:08:19 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430017699.633109.2976.nullmailer@dev.openssl.org> The branch master has been updated via 5d307e7b5a62941920d3651f5a3f9c74b787cd0c (commit) from a194ee7b9aab3c8fae2d5b840ce1ae81de940b48 (commit) - Log ----------------------------------------------------------------- commit 5d307e7b5a62941920d3651f5a3f9c74b787cd0c Author: Rich Salz Date: Sat Apr 25 23:08:00 2015 -0400 RT2962: add -keytab and -krb5svc flags. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index da725e7..20f6375 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
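Review bot: After this change `add_session` carries three hand-written cleanup sequences (free `sess` alone, then twice `sess->id`, `sess->der`, `sess`), which is the kind of duplication that allowed the leaks fixed here. A single exit label that frees all three and is reached by `goto` from each failure would keep a future error path from missing one; that relies on `sess->id` and `sess->der` being NULL until assigned, which the hunks do not show. Separately, the first check is `sess->derlen < 0`, so if `i2d_SSL_SESSION` can return 0 on failure the code falls through to a zero-length allocation; `sess->derlen <= 0` may be the intended test. add_session starts and ends outside the hunks.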
@@ -228,6 +228,8 @@ static int s_server_verify = SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; +static const char *krb5svc = NULL; +static const char *krb5tab = NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; #endif @@ -839,7 +841,8 @@ typedef enum OPTION_choice { OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_S_ENUM, OPT_V_ENUM, - OPT_X_ENUM + OPT_X_ENUM, + OPT_KRB5SVC, OPT_KRBTAB } OPTION_CHOICE; OPTIONS s_server_options[] = { @@ -897,6 +900,8 @@ OPTIONS s_server_options[] = { {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, # endif #endif + {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, + {"keytab", OPT_KRBTAB, '<', "Kerberos keytab file"}, #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, {"srpuserseed", OPT_SRPUSERSEED, 's', @@ -1413,6 +1418,12 @@ int s_server_main(int argc, char *argv[]) case OPT_JPAKE: goto opthelp; #endif + case OPT_KRB5SVC: + krb5svc = opt_arg(); + break; + case OPT_KRBTAB: + krb5tab = opt_arg(); + break; case OPT_SRTP_PROFILES: srtp_profiles = opt_arg(); break; From rsalz at openssl.org Sun Apr 26 14:32:41 2015 
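Review bot: `krb5svc` and `krb5tab` are assigned in the two new cases but none of the twelve added lines reads them, so as far as this commit shows `-krb5svc` and `-keytab` are accepted and then ignored. Either pass them to the Kerberos setup in the same change or say so at the declarations, e.g. `/* set by -krb5svc / -keytab; not yet consumed */`, so that nobody assumes the named keytab is in effect. The two statics and the option entries also appear to sit outside any `OPENSSL_NO_KRB5` guard, and the enum names `OPT_KRB5SVC` and `OPT_KRBTAB` follow different patterns. s_server_main starts and ends outside the hunk.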
From: rsalz at openssl.org (Rich Salz) Date: Sun, 26 Apr 2015 14:32:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430058761.156549.7151.nullmailer@dev.openssl.org> The branch master has been updated via 2f58faad668ee1b4270611d6548c9fbe78589fe6 (commit) from 5d307e7b5a62941920d3651f5a3f9c74b787cd0c (commit) - Log ----------------------------------------------------------------- commit 2f58faad668ee1b4270611d6548c9fbe78589fe6 Author: Rich Salz Date: Sun Apr 26 10:31:48 2015 -0400 Remove the special list-xxxx commands There's a new "list" command, which takes a flag to say what to list. Removing the old hacky commands. Re-ordered some functions to remove some needless declarations. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/openssl.c | 122 ++++++++++++++++++++----------------------------------- test/testenc | 2 +- test/testenc.com | 2 +- 3 files changed, 47 insertions(+), 79 deletions(-) diff --git a/apps/openssl.c b/apps/openssl.c index de73fac..2a85145 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -132,14 +132,6 @@ #define INCLUDE_FUNCTION_TABLE #include "apps.h" -#if 1 -# define LIST_STANDARD_COMMANDS "list-standard-commands" -# define LIST_MESSAGE_DIGEST_COMMANDS "list-message-digest-commands" -# define LIST_MESSAGE_DIGEST_ALGORITHMS "list-message-digest-algorithms" -# define LIST_CIPHER_COMMANDS "list-cipher-commands" -# define LIST_CIPHER_ALGORITHMS "list-cipher-algorithms" -# define LIST_PUBLIC_KEY_ALGORITHMS "list-public-key-algorithms" -#endif #ifdef OPENSSL_NO_CAMELLIA # define FORMAT "%-15s" 
@@ -161,10 +153,8 @@ DECLARE_LHASH_OF(FUNCTION); static LHASH_OF(FUNCTION) *prog_init(void); static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]); -static int list_pkey(void); -static int list_cipher(void); -static int list_md(void); -static int list_type(FUNC_TYPE list_type); +static void list_pkey(void); +static void list_type(FUNC_TYPE ft); char *default_config_file = NULL; CONF *config = NULL; @@ -519,6 +509,34 @@ OPTIONS exit_options[] = { {NULL} }; +static void list_cipher_fn(const EVP_CIPHER *c, + const char *from, const char *to, void *arg) +{ + if (c) + BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); + else { + if (!from) + from = ""; + if (!to) + to = ""; + BIO_printf(arg, "%s => %s\n", from, to); + } +} + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) +{ + if (m) + BIO_printf(arg, "%s\n", EVP_MD_name(m)); + else { + if (!from) + from = ""; + if (!to) + to = ""; + BIO_printf((BIO *)arg, "%s => %s\n", from, to); + } +} + /* Unified enum for help and list commands. */ typedef enum HELPLIST_CHOICE { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -558,17 +576,23 @@ int list_main(int argc, char **argv) opt_help(list_options); break; case OPT_COMMANDS: - return list_type(FT_general); + list_type(FT_general); + break; case OPT_DIGEST_COMMANDS: - return list_type(FT_md); + list_type(FT_md); + break; case OPT_DIGEST_ALGORITHMS: - return list_md(); + EVP_MD_do_all_sorted(list_md_fn, bio_out); + break; case OPT_CIPHER_COMMANDS: - return list_type(FT_cipher); + list_type(FT_cipher); + break; case OPT_CIPHER_ALGORITHMS: - return list_cipher(); + EVP_CIPHER_do_all_sorted(list_cipher_fn, bio_out); + break; case OPT_PK_ALGORITHMS: - return list_pkey(); + list_pkey(); + break; } } 
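Review bot: The two callbacks moved up in the `@@ -519,6 +509,34 @@` hunk are near-identical but inconsistent in how they use `arg`: `list_cipher_fn` passes it straight to `BIO_printf` in both branches, while `list_md_fn` does so in one branch and casts `(BIO *)arg` in the other. Binding the parameter once at the top of each function, `BIO *out = arg;`, and printing to `out` would make the pair read the same and document what `arg` carries. A one-line comment above each saying it is the callback for the corresponding `do_all_sorted` call in `list_main` would also help, since the functions are now defined far from their only use.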
@@ -641,19 +665,18 @@ int exit_main(int argc, char **argv) return EXIT_THE_PROGRAM; } -static int list_type(FUNC_TYPE flist_type) +static void list_type(FUNC_TYPE ft) { FUNCTION *fp; int i = 0; for (fp = functions; fp->name != NULL; fp++) - if (fp->type == flist_type) { + if (fp->type == ft) { if ((i++ % COLUMNS) == 0) BIO_printf(bio_out, "\n"); BIO_printf(bio_out, FORMAT, fp->name); } BIO_printf(bio_out, "\n"); - return 0; } static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) @@ -695,27 +718,13 @@ static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) strcmp(argv[0], "exit") == 0 || strcmp(argv[0], "bye") == 0) /* Special value to mean "exit the program. */ return EXIT_THE_PROGRAM; -#ifdef LIST_STANDARD_COMMANDS - if (strcmp(argv[0], LIST_STANDARD_COMMANDS) == 0) - return list_type(FT_general); - if (strcmp(argv[0], LIST_MESSAGE_DIGEST_ALGORITHMS) == 0) - return list_md(); - if (strcmp(argv[0], LIST_PUBLIC_KEY_ALGORITHMS) == 0) - return list_pkey(); - if (strcmp(argv[0], LIST_CIPHER_ALGORITHMS) == 0) - return list_cipher(); - if (strcmp(argv[0], LIST_CIPHER_COMMANDS) == 0) - return list_type(FT_cipher); - if (strcmp(argv[0], LIST_MESSAGE_DIGEST_COMMANDS) == 0) - return list_type(FT_md); -#endif BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n", argv[0]); return (1); } -static int list_pkey(void) +static void list_pkey(void) { int i; 
@@ -742,47 +751,6 @@ static int list_pkey(void) } } - return 0; -} - -static void list_cipher_fn(const EVP_CIPHER *c, - const char *from, const char *to, void *arg) -{ - if (c) - BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); - else { - if (!from) - from = ""; - if (!to) - to = ""; - BIO_printf(arg, "%s => %s\n", from, to); - } -} - -static int list_cipher(void) -{ - EVP_CIPHER_do_all_sorted(list_cipher_fn, bio_out); - return 0; -} - -static void list_md_fn(const EVP_MD *m, - const char *from, const char *to, void *arg) -{ - if (m) - BIO_printf(arg, "%s\n", EVP_MD_name(m)); - else { - if (!from) - from = ""; - if (!to) - to = ""; - BIO_printf((BIO *)arg, "%s => %s\n", from, to); - } -} - -static int list_md(void) -{ - EVP_MD_do_all_sorted(list_md_fn, bio_out); - return 0; } static int function_cmp(const FUNCTION * a, const FUNCTION * b) diff --git a/test/testenc b/test/testenc index 3a07398..87b70ec 100644 --- a/test/testenc +++ b/test/testenc @@ -20,7 +20,7 @@ $cmd enc -a -d < $test.cipher >$test.clear cmp $test $test.clear || exit 1 /bin/rm $test.cipher $test.clear -for i in `$cmd list-cipher-commands` +for i in `$cmd list -cipher-commands` do echo $i $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher diff --git a/test/testenc.com b/test/testenc.com index 75acd6f..fcd6639 100644 --- a/test/testenc.com +++ b/test/testenc.com @@ -35,7 +35,7 @@ $ if $severity .ne. 1 then exit 3 $ delete 'test'-cipher;*,'test'-clear;* $ $ define/user sys$output 'test'-cipher-commands -$ 'cmd' list-cipher-commands +$ 'cmd' list -cipher-commands $ open/read f 'test'-cipher-commands $ loop_cipher_commands: $ read/end=loop_cipher_commands_end f i From rsalz at openssl.org Sun Apr 26 17:12:39 2015 
From: rsalz at openssl.org (Rich Salz) Date: Sun, 26 Apr 2015 17:12:39 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430068359.597469.11135.nullmailer@dev.openssl.org> The branch master has been updated via 88806cfc611935981e3752dccda1685022be2e2b (commit) from 2f58faad668ee1b4270611d6548c9fbe78589fe6 (commit) - Log ----------------------------------------------------------------- commit 88806cfc611935981e3752dccda1685022be2e2b Author: Rich Salz Date: Sun Apr 26 13:12:04 2015 -0400 Fix main build breakage. A variable declaration got dropped during a merge. And if a compiler inlines strcmp() and you put a strcmp in an assert message, the resultant stringification exceeds ANSI string limits. Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: apps/ocsp.c | 1 + apps/opt.c | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index c58cd44..d22ce7d 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -222,6 +222,7 @@ int ocsp_main(int argc, char **argv) STACK_OF(OCSP_CERTID) *ids = NULL; STACK_OF(OPENSSL_STRING) *reqnames = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; + STACK_OF(X509) *issuers = NULL; X509 *issuer = NULL, *cert = NULL, *rca_cert = NULL; X509 *signer = NULL, *rsigner = NULL; X509_STORE *store = NULL; diff --git a/apps/opt.c b/apps/opt.c index 3706739..df2bea5 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -171,7 +171,7 @@ char *opt_init(int ac, char **av, const OPTIONS *o) for (; o->name; ++o) { const OPTIONS *next; #ifndef NDEBUG - int i; + int duplicated, i; #endif if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR) 
@@ -188,11 +188,12 @@ char *opt_init(int ac, char **av, const OPTIONS *o) || i == 'f' || i == 'F'); /* Make sure there are no duplicates. */ - for (next = o; (++next)->name;) { + for (next = o + 1; next->name; ++next) { /* - * do allow aliases: assert(o->retval != next->retval); + * Some compilers inline strcmp and the assert string is too long. */ - assert(strcmp(o->name, next->name) != 0); + duplicated = strcmp(o->name, next->name) == 0; + assert(!duplicated); } #endif if (o->name[0] == '\0') { From rsalz at openssl.org Sun Apr 26 20:43:30 2015 From: rsalz at openssl.org (Rich Salz) Date: Sun, 26 Apr 2015 20:43:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430081010.879082.22191.nullmailer@dev.openssl.org> The branch master has been updated via ce6766de69030b66634518e54dbd301308a51e11 (commit) from 88806cfc611935981e3752dccda1685022be2e2b (commit) - Log ----------------------------------------------------------------- commit ce6766de69030b66634518e54dbd301308a51e11 Author: Rich Salz Date: Sun Apr 26 16:43:18 2015 -0400 Fix error message Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: apps/s_server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_server.c b/apps/s_server.c index 20f6375..e12db0c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -3197,7 +3197,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session) /* Assume it still works. */ if (i2d_SSL_SESSION(session, &p) != sess->derlen) { - BIO_printf(bio_err, "Re-encoding session strangeness\n"); + BIO_printf(bio_err, "Unexpected session encoding length\n"); OPENSSL_free(sess->id); OPENSSL_free(sess->der); OPENSSL_free(sess); From rsalz at openssl.org Mon Apr 27 01:28:58 2015 
From: rsalz at openssl.org (Rich Salz) Date: Mon, 27 Apr 2015 01:28:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430098138.595724.28216.nullmailer@dev.openssl.org> The branch master has been updated via 1bb2daead8cf3962098647efa1f74c3bce3e9009 (commit) via bc2f5803ccca07d099e39a291644ded46d52a3b0 (commit) from ce6766de69030b66634518e54dbd301308a51e11 (commit) - Log ----------------------------------------------------------------- commit 1bb2daead8cf3962098647efa1f74c3bce3e9009 Author: Rich Salz Date: Sun Apr 26 21:28:38 2015 -0400 Simplify parse_yesno; remove local variable Reviewed-by: Tim Hudson commit bc2f5803ccca07d099e39a291644ded46d52a3b0 Author: Rich Salz Date: Sun Apr 26 21:23:43 2015 -0400 Fix typo in help & comment formatting Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 12 +++--------- apps/rsa.c | 8 ++++---- 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 7440d39..462e2b6 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1803,7 +1803,6 @@ void free_index(CA_DB *db) int parse_yesno(const char *str, int def) { - int ret = def; if (str) { switch (*str) { case 'f': /* false */ @@ -1811,21 +1810,16 @@ int parse_yesno(const char *str, int def) case 'n': /* no */ case 'N': /* NO */ case '0': /* 0 */ - ret = 0; - break; + return 0; case 't': /* true */ case 'T': /* TRUE */ case 'y': /* yes */ case 'Y': /* YES */ case '1': /* 1 */ - ret = 1; - break; - default: - ret = def; - break; + return 1; } } - return ret; + return def; } /* diff --git a/apps/rsa.c b/apps/rsa.c index 07cc5fb..8e93dd2 100644 --- a/apps/rsa.c +++ b/apps/rsa.c 
@@ -136,8 +136,8 @@ OPTIONS rsa_options[] = { {"pubout", OPT_PUBOUT, '-', "Output a public key"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, - {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKye"}, - {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKye"}, + {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"}, + {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"}, {"pvk-strong", OPT_PVK_STRONG, '-'}, {"pvk-weak", OPT_PVK_WEAK, '-'}, {"pvk-none", OPT_PVK_NONE, '-'}, @@ -321,8 +321,8 @@ int rsa_main(int argc, char **argv) } } - if (r == -1 || ERR_peek_error() != 0) { /* should happen only if r == - * -1 */ + /* should happen only if r == -1 */ + if (r == -1 || ERR_peek_error() != 0) { ERR_print_errors(bio_err); goto end; } From rsalz at openssl.org Mon Apr 27 03:45:27 2015 From: rsalz at openssl.org (Rich Salz) Date: Mon, 27 Apr 2015 03:45:27 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430106327.062783.30218.nullmailer@dev.openssl.org> The branch master has been updated via 57d5edada75686fb1c19ce1bbf3e16f4f2784303 (commit) from 1bb2daead8cf3962098647efa1f74c3bce3e9009 (commit) - Log ----------------------------------------------------------------- commit 57d5edada75686fb1c19ce1bbf3e16f4f2784303 Author: Rich Salz Date: Sun Apr 26 23:45:12 2015 -0400 Add readline (etc) support Compile with -DREADLINE and the appropriate library. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/openssl.c | 32 ++++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/apps/openssl.c b/apps/openssl.c index 2a85145..b42d031 100644 --- a/apps/openssl.c +++ b/apps/openssl.c 
@@ -448,9 +448,11 @@ int main(int argc, char *argv[]) /* ok, lets enter interactive mode */ for (;;) { ret = 0; - for (p = buf, n = sizeof buf, i = 0, first = 1;; first = 0) { - prompt = first ? "OpenSSL> " : "> "; + /* Read a line, continue reading if line ends with \ */ + for (p = buf, n = sizeof buf, i = 0, first = 1; n > 0; first = 0) { + prompt = first ? "openssl : " : "> "; p[0] = '\0'; +#ifndef READLINE fputs(prompt, stdout); fflush(stdout); if (!fgets(p, n, stdin)) @@ -465,7 +467,33 @@ int main(int argc, char *argv[]) i -= 2; p += i; n -= i; +#else + { + extern char *readline(const char *); + extern void add_history(const char *cp); + char *text; + + char *text = readline(prompt); + if (text == NULL) + goto end; + i = strlen(text); + if (i == 0 || i > n) + break; + if (text[i - 1] != '\\') { + p += strlen(strcpy(p, text)); + free(text); + add_history(buf); + break; + } + + text[i - 1] = '\0'; + p += strlen(strcpy(p, text)); + free(text); + n -= i; + } +#endif } + if (!chopup_args(&arg, buf)) { BIO_printf(bio_err, "Can't parse (no memory?)\n"); break; From levitte at openssl.org Mon Apr 27 13:55:19 2015 From: levitte at openssl.org (Richard Levitte) Date: Mon, 27 Apr 2015 13:55:19 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430142919.244186.31528.nullmailer@dev.openssl.org> The branch master has been updated via 4c1408962aeb8100846c01536b2f69f5e781f7d8 (commit) from 57d5edada75686fb1c19ce1bbf3e16f4f2784303 (commit) - Log ----------------------------------------------------------------- commit 4c1408962aeb8100846c01536b2f69f5e781f7d8 Author: Richard Levitte Date: Mon Apr 27 11:02:36 2015 +0200 Small fixes after the Big apps cleanup This fixes util/mk1mf.pl, which was looking for old variable names from apps/Makefile. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: util/mk1mf.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
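Review bot: In the READLINE branch the bound check `if (i == 0 || i > n)` still accepts a line of exactly n characters, and the following `strcpy(p, text)` then writes n+1 bytes (the text plus its terminator) into the n bytes left in buf. The check should be `if (i == 0 || i >= n)`, and `text` should be freed before that `break`, because the readline() result is otherwise leaked on this path while the other paths call `free(text)`. The block also declares `char *text;` and then `char *text = readline(prompt);` in the same scope, which will not compile with -DREADLINE; drop the first declaration. main() starts and ends outside these hunks.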
diff --git a/util/mk1mf.pl b/util/mk1mf.pl index e0a44cc..454dcd2 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -399,7 +399,7 @@ for (;;) if ($key =~ /^[A-Z0-9_]*TEST$/ && (!$fipscanisteronly || $dir =~ /^fips/ )) { $test.=&var_add($dir,$val, 0); } - if (($key eq "PROGS") || ($key eq "E_OBJ")) + if ($key eq "EXE_OBJ") { $e_exe.=&var_add($dir,$val, 0); } if ($key eq "LIB") From levitte at openssl.org Mon Apr 27 13:58:09 2015 From: levitte at openssl.org (Richard Levitte) Date: Mon, 27 Apr 2015 13:58:09 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430143089.448711.343.nullmailer@dev.openssl.org> The branch master has been updated via 9e842a5292d035bf3dfa4bc70dd3270b104bdf57 (commit) from 4c1408962aeb8100846c01536b2f69f5e781f7d8 (commit) - Log ----------------------------------------------------------------- commit 9e842a5292d035bf3dfa4bc70dd3270b104bdf57 Author: Richard Levitte Date: Mon Apr 27 11:10:17 2015 +0200 Fix the check of test apps in util/mk1mf.pl The previous check assumed that the variables for each test app, ending with TEST would be indication enough. Experience showed that this isn't the best way. Instead, simply look for the EXE variable in test/Makefile. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: util/mk1mf.pl | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 454dcd2..7b57055 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl 
@@ -396,8 +396,15 @@ for (;;) if ($key eq "EX_LIBS") { $ex_libs .= " $val" if $val ne "";} - if ($key =~ /^[A-Z0-9_]*TEST$/ && (!$fipscanisteronly || $dir =~ /^fips/ )) - { $test.=&var_add($dir,$val, 0); } + # There was a condition here before: + # !$fipscanisteronly || $dir =~ /^fips/ + # It currently fills no function and needs to be rewritten anyway, so + # removed for now. + if ($dir eq "test" && $key eq "EXE") + { + foreach my $t (split /\s+/, $val) { + $test.=&var_add($dir,$t, 0) if $t; } + } if ($key eq "EXE_OBJ") { $e_exe.=&var_add($dir,$val, 0); } From emilia at openssl.org Mon Apr 27 14:17:56 2015 From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 14:17:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430144276.182685.5066.nullmailer@dev.openssl.org> The branch master has been updated via 2f5997b7b9dc6b4206780ecadcb3de2eac88216e (commit) from 9e842a5292d035bf3dfa4bc70dd3270b104bdf57 (commit) - Log ----------------------------------------------------------------- commit 2f5997b7b9dc6b4206780ecadcb3de2eac88216e Author: Emilia Kasper Date: Mon Apr 27 15:58:39 2015 +0200 Fix Wmaybe-uninitialized: initialize variable Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/s_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/s_client.c b/apps/s_client.c index 13191a0..431a106 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -654,7 +654,7 @@ int s_client_main(int argc, char **argv) NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; - char *jpake_secret = NULL, *xmpphost; + char *jpake_secret = NULL, *xmpphost = NULL; const char *unix_path = NULL; const char *ehlo = "mail.example.com"; struct sockaddr peer; From emilia at openssl.org Mon Apr 27 14:23:55 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 14:23:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430144635.493403.6957.nullmailer@dev.openssl.org> The branch master has been updated via e22d2199e2a5cc9b243f45c2b633d1e31fadecd7 (commit) from 2f5997b7b9dc6b4206780ecadcb3de2eac88216e (commit) - Log ----------------------------------------------------------------- commit e22d2199e2a5cc9b243f45c2b633d1e31fadecd7 Author: Emilia Kasper Date: Mon Apr 27 16:21:48 2015 +0200 Error checking and memory leak fixes in NISTZ256. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_err.c | 3 ++- crypto/bn/bn_intern.c | 13 ++++++++-- crypto/ec/ecp_nistz256.c | 55 ++++++++++++++++++++++------------------ crypto/include/internal/bn_int.h | 11 +++++--- include/openssl/bn.h | 1 + 5 files changed, 52 insertions(+), 31 deletions(-) diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c index 69679d3..13742ff 100644 --- a/crypto/bn/bn_err.c +++ b/crypto/bn/bn_err.c @@ -1,6 +1,6 @@ /* crypto/bn/bn_err.c */ /* ==================================================================== - * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -113,6 +113,7 @@ static ERR_STRING_DATA BN_str_functs[] = { {ERR_FUNC(BN_F_BN_NEW), "BN_new"}, {ERR_FUNC(BN_F_BN_RAND), "BN_rand"}, {ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"}, + {ERR_FUNC(BN_F_BN_SET_WORDS), "bn_set_words"}, {ERR_FUNC(BN_F_BN_USUB), "BN_usub"}, {0, NULL} }; diff --git a/crypto/bn/bn_intern.c b/crypto/bn/bn_intern.c index cf2b336..32ad505 100644 --- a/crypto/bn/bn_intern.c +++ b/crypto/bn/bn_intern.c 
@@ -233,11 +233,20 @@ void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size) a->dmax = a->top = size; a->neg = 0; a->flags |= BN_FLG_STATIC_DATA; + bn_correct_top(a); } -void bn_set_data(BIGNUM *a, const void *data, size_t size) +int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words) { - memcpy(a->d, data, size); + if (bn_wexpand(a, num_words) == NULL) { + BNerr(BN_F_BN_SET_WORDS, ERR_R_MALLOC_FAILURE); + return 0; + } + + memcpy(a->d, words, sizeof(BN_ULONG) * num_words); + a->top = num_words; + bn_correct_top(a); + return 1; } size_t bn_sizeof_BIGNUM(void) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 22fe071..fd4898d 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1133,6 +1133,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, const PRECOMP256_ROW *preComputedTable = NULL; const EC_PRE_COMP *pre_comp = NULL; const EC_POINT *generator = NULL; + BN_CTX *new_ctx = NULL; unsigned int idx = 0; const unsigned int window_size = 7; const unsigned int mask = (1 << (window_size + 1)) - 1; @@ -1152,6 +1153,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } + if ((scalar == NULL) && (num == 0)) return EC_POINT_set_to_infinity(group, r); @@ -1162,13 +1164,13 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, } } - /* Need 256 bits for space for all coordinates. */ - bn_wexpand(r->X, P256_LIMBS); - bn_wexpand(r->Y, P256_LIMBS); - bn_wexpand(r->Z, P256_LIMBS); - bn_set_top(r->X, P256_LIMBS); - bn_set_top(r->Y, P256_LIMBS); - bn_set_top(r->Z, P256_LIMBS); + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + } + + BN_CTX_start(ctx); if (scalar) { generator = EC_GROUP_get0_generator(group); 
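Review bot: bn_set_words() only reads from `words`, so the parameter should be `const BN_ULONG *words` here and in the bn_int.h prototype; the callers in ecp_nistz256.c pass local limb arrays and would be unaffected. The count is a plain int that goes straight into `sizeof(BN_ULONG) * num_words`, where a negative value converts to a very large size_t for the memcpy. The header comment added in this commit says callers are trusted not to pass negative values, but a guard such as `if (num_words < 0) return 0;` ahead of the bn_wexpand() call would enforce that contract instead of assuming it. Whether bn_wexpand() itself rejects a negative count is not visible in this hunk.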
@@ -1194,8 +1196,10 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, if (!ecp_nistz256_set_from_affine(pre_comp_generator, group, pre_comp->precomp[0], - ctx)) + ctx)) { + EC_POINT_free(pre_comp_generator); goto err; + } if (0 == EC_POINT_cmp(group, generator, pre_comp_generator, ctx)) preComputedTable = (const PRECOMP256_ROW *)pre_comp->precomp; @@ -1300,14 +1304,14 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *)); if (!new_scalars) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *)); if (!new_points) { OPENSSL_free(new_scalars); ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } memcpy(new_scalars, scalars, num * sizeof(BIGNUM *)); @@ -1336,18 +1340,20 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, OPENSSL_free(scalars); } - bn_set_data(r->X, p.p.X, sizeof(p.p.X)); - bn_set_data(r->Y, p.p.Y, sizeof(p.p.Y)); - bn_set_data(r->Z, p.p.Z, sizeof(p.p.Z)); /* Not constant-time, but we're only operating on the public output. */ - bn_correct_top(r->X); - bn_correct_top(r->Y); - bn_correct_top(r->Z); + if (!bn_set_words(r->X, p.p.X, P256_LIMBS) || + !bn_set_words(r->Y, p.p.Y, P256_LIMBS) || + !bn_set_words(r->Z, p.p.Z, P256_LIMBS)) { + goto err; + } r->Z_is_one = is_one(p.p.Z); ret = 1; - err: +err: + if (ctx) + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); return ret; } @@ -1360,6 +1366,7 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, BN_ULONG x_aff[P256_LIMBS]; BN_ULONG y_aff[P256_LIMBS]; BN_ULONG point_x[P256_LIMBS], point_y[P256_LIMBS], point_z[P256_LIMBS]; + BN_ULONG x_ret[P256_LIMBS], y_ret[P256_LIMBS]; if (EC_POINT_is_at_infinity(group, point)) { ECerr(EC_F_ECP_NISTZ256_GET_AFFINE, EC_R_POINT_AT_INFINITY); 
@@ -1378,19 +1385,17 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, ecp_nistz256_mul_mont(x_aff, z_inv2, point_x); if (x != NULL) { - bn_wexpand(x, P256_LIMBS); - bn_set_top(x, P256_LIMBS); - ecp_nistz256_from_mont(bn_get_words(x), x_aff); - bn_correct_top(x); + ecp_nistz256_from_mont(x_ret, x_aff); + if (!bn_set_words(x, x_ret, P256_LIMBS)) + return 0; } if (y != NULL) { ecp_nistz256_mul_mont(z_inv3, z_inv3, z_inv2); ecp_nistz256_mul_mont(y_aff, z_inv3, point_y); - bn_wexpand(y, P256_LIMBS); - bn_set_top(y, P256_LIMBS); - ecp_nistz256_from_mont(bn_get_words(y), y_aff); - bn_correct_top(y); + ecp_nistz256_from_mont(y_ret, y_aff); + if (!bn_set_words(y, y_ret, P256_LIMBS)) + return 0; } return 1; diff --git a/crypto/include/internal/bn_int.h b/crypto/include/internal/bn_int.h index 4673340..a7c0fd4 100644 --- a/crypto/include/internal/bn_int.h +++ b/crypto/include/internal/bn_int.h @@ -102,10 +102,15 @@ BN_ULONG *bn_get_words(const BIGNUM *a); void bn_set_static_words(BIGNUM *a, BN_ULONG *words, int size); /* - * Copy data into the BIGNUM. The caller must check that dmax is sufficient to - * hold the data + * Copy words into the BIGNUM |a|, reallocating space as necessary. + * The negative flag of |a| is not modified. + * Returns 1 on success and 0 on failure. */ -void bn_set_data(BIGNUM *a, const void *data, size_t size); +/* + * |num_words| is int because bn_expand2 takes an int. This is an internal + * function so we simply trust callers not to pass negative values. + */ +int bn_set_words(BIGNUM *a, BN_ULONG *words, int num_words); size_t bn_sizeof_BIGNUM(void); diff --git a/include/openssl/bn.h b/include/openssl/bn.h index f137605..5a2e8db 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h 
@@ -730,6 +730,7 @@ void ERR_load_BN_strings(void); # define BN_F_BN_NEW 113 # define BN_F_BN_RAND 114 # define BN_F_BN_RAND_RANGE 122 +# define BN_F_BN_SET_WORDS 144 # define BN_F_BN_USUB 115 /* Reason codes. */ From emilia at openssl.org Mon Apr 27 14:47:10 2015 From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 14:47:10 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430146030.238342.12924.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via c30a1b3b33dad17db8a221bc1a2bc80b4f5f56a2 (commit) from 9ed55313a71ca68ddea2c207261487954828fe31 (commit) - Log ----------------------------------------------------------------- commit c30a1b3b33dad17db8a221bc1a2bc80b4f5f56a2 Author: Emilia Kasper Date: Fri Apr 24 16:53:30 2015 +0200 Error checking and memory leak fixes in NISTZ256. Thanks to Brian Smith for reporting these issues. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec.h | 11 ++++---- crypto/ec/ec_err.c | 15 ++++++----- crypto/ec/ecp_nistz256.c | 67 ++++++++++++++++++++++++++++++------------------ 3 files changed, 56 insertions(+), 37 deletions(-) diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 98edfdf..6d3178f 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -1097,6 +1097,12 @@ void ERR_load_EC_strings(void); # define EC_F_ECPARAMETERS_PRINT_FP 148 # define EC_F_ECPKPARAMETERS_PRINT 149 # define EC_F_ECPKPARAMETERS_PRINT_FP 150 +# define EC_F_ECP_NISTZ256_GET_AFFINE 240 +# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 243 +# define EC_F_ECP_NISTZ256_POINTS_MUL 241 +# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 244 +# define EC_F_ECP_NISTZ256_SET_WORDS 245 +# define EC_F_ECP_NISTZ256_WINDOWED_MUL 242 # define EC_F_ECP_NIST_MOD_192 203 # define EC_F_ECP_NIST_MOD_224 204 # define EC_F_ECP_NIST_MOD_256 205 
@@ -1208,11 +1214,6 @@ void ERR_load_EC_strings(void); # define EC_F_NISTP224_PRE_COMP_NEW 227 # define EC_F_NISTP256_PRE_COMP_NEW 236 # define EC_F_NISTP521_PRE_COMP_NEW 237 -# define EC_F_ECP_NISTZ256_GET_AFFINE 240 -# define EC_F_ECP_NISTZ256_POINTS_MUL 241 -# define EC_F_ECP_NISTZ256_WINDOWED_MUL 242 -# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE 243 -# define EC_F_ECP_NISTZ256_PRE_COMP_NEW 244 # define EC_F_O2I_ECPUBLICKEY 152 # define EC_F_OLD_EC_PRIV_DECODE 222 # define EC_F_PKEY_EC_CTRL 197 diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 13b32c7..6fe5baa 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,6 +1,6 @@ /* crypto/ec/ec_err.c */ /* ==================================================================== - * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -89,6 +89,13 @@ static ERR_STRING_DATA EC_str_functs[] = { {ERR_FUNC(EC_F_ECPARAMETERS_PRINT_FP), "ECParameters_print_fp"}, {ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT), "ECPKParameters_print"}, {ERR_FUNC(EC_F_ECPKPARAMETERS_PRINT_FP), "ECPKParameters_print_fp"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_GET_AFFINE), "ecp_nistz256_get_affine"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE), + "ecp_nistz256_mult_precompute"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_POINTS_MUL), "ecp_nistz256_points_mul"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_PRE_COMP_NEW), "ecp_nistz256_pre_comp_new"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_SET_WORDS), "ecp_nistz256_set_words"}, + {ERR_FUNC(EC_F_ECP_NISTZ256_WINDOWED_MUL), "ecp_nistz256_windowed_mul"}, {ERR_FUNC(EC_F_ECP_NIST_MOD_192), "ECP_NIST_MOD_192"}, {ERR_FUNC(EC_F_ECP_NIST_MOD_224), "ECP_NIST_MOD_224"}, {ERR_FUNC(EC_F_ECP_NIST_MOD_256), "ECP_NIST_MOD_256"}, 
@@ -239,12 +246,6 @@ static ERR_STRING_DATA EC_str_functs[] = { {ERR_FUNC(EC_F_NISTP224_PRE_COMP_NEW), "NISTP224_PRE_COMP_NEW"}, {ERR_FUNC(EC_F_NISTP256_PRE_COMP_NEW), "NISTP256_PRE_COMP_NEW"}, {ERR_FUNC(EC_F_NISTP521_PRE_COMP_NEW), "NISTP521_PRE_COMP_NEW"}, - {ERR_FUNC(EC_F_ECP_NISTZ256_GET_AFFINE), "ecp_nistz256_get_affine"}, - {ERR_FUNC(EC_F_ECP_NISTZ256_POINTS_MUL), "ecp_nistz256_points_mul"}, - {ERR_FUNC(EC_F_ECP_NISTZ256_WINDOWED_MUL), "ecp_nistz256_windowed_mul"}, - {ERR_FUNC(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE), - "ecp_nistz256_mult_precompute"}, - {ERR_FUNC(EC_F_ECP_NISTZ256_PRE_COMP_NEW), "ecp_nistz256_pre_comp_new"}, {ERR_FUNC(EC_F_O2I_ECPUBLICKEY), "o2i_ECPublicKey"}, {ERR_FUNC(EC_F_OLD_EC_PRIV_DECODE), "OLD_EC_PRIV_DECODE"}, {ERR_FUNC(EC_F_PKEY_EC_CTRL), "PKEY_EC_CTRL"}, diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 7e521d8..35c56c7 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -222,6 +222,18 @@ static BN_ULONG is_one(const BN_ULONG a[P256_LIMBS]) return is_zero(res); } +static int ecp_nistz256_set_words(BIGNUM *a, BN_ULONG words[P256_LIMBS]) + { + if (bn_wexpand(a, P256_LIMBS) == NULL) { + ECerr(EC_F_ECP_NISTZ256_SET_WORDS, ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(a->d, words, sizeof(BN_ULONG) * P256_LIMBS); + a->top = P256_LIMBS; + bn_correct_top(a); + return 1; +} + #ifndef ECP_NISTZ256_REFERENCE_IMPLEMENTATION void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a); void ecp_nistz256_point_add(P256_POINT *r, @@ -1110,6 +1122,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, const EC_PRE_COMP *pre_comp = NULL; const EC_POINT *generator = NULL; unsigned int index = 0; + BN_CTX *new_ctx = NULL; const unsigned int window_size = 7; const unsigned int mask = (1 << (window_size + 1)) - 1; unsigned int wvalue; 
@@ -1123,6 +1136,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS); return 0; } + if ((scalar == NULL) && (num == 0)) return EC_POINT_set_to_infinity(group, r); @@ -1133,13 +1147,13 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, } } - /* Need 256 bits for space for all coordinates. */ - bn_wexpand(&r->X, P256_LIMBS); - bn_wexpand(&r->Y, P256_LIMBS); - bn_wexpand(&r->Z, P256_LIMBS); - r->X.top = P256_LIMBS; - r->Y.top = P256_LIMBS; - r->Z.top = P256_LIMBS; + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + } + + BN_CTX_start(ctx); if (scalar) { generator = EC_GROUP_get0_generator(group); @@ -1164,8 +1178,10 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, goto err; if (!ecp_nistz256_set_from_affine - (pre_comp_generator, group, pre_comp->precomp[0], ctx)) + (pre_comp_generator, group, pre_comp->precomp[0], ctx)) { + EC_POINT_free(pre_comp_generator); goto err; + } if (0 == EC_POINT_cmp(group, generator, pre_comp_generator, ctx)) preComputedTable = (const PRECOMP256_ROW *)pre_comp->precomp; @@ -1269,14 +1285,14 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *)); if (!new_scalars) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *)); if (!new_points) { OPENSSL_free(new_scalars); ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } memcpy(new_scalars, scalars, num * sizeof(BIGNUM *)); 
@@ -1305,18 +1321,20 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, OPENSSL_free(scalars); } - memcpy(r->X.d, p.p.X, sizeof(p.p.X)); - memcpy(r->Y.d, p.p.Y, sizeof(p.p.Y)); - memcpy(r->Z.d, p.p.Z, sizeof(p.p.Z)); /* Not constant-time, but we're only operating on the public output. */ - bn_correct_top(&r->X); - bn_correct_top(&r->Y); - bn_correct_top(&r->Z); + if (!ecp_nistz256_set_words(&r->X, p.p.X) || + !ecp_nistz256_set_words(&r->Y, p.p.Y) || + !ecp_nistz256_set_words(&r->Z, p.p.Z)) { + goto err; + } r->Z_is_one = is_one(p.p.Z); ret = 1; - err: +err: + if (ctx) + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); return ret; } @@ -1329,6 +1347,7 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, BN_ULONG x_aff[P256_LIMBS]; BN_ULONG y_aff[P256_LIMBS]; BN_ULONG point_x[P256_LIMBS], point_y[P256_LIMBS], point_z[P256_LIMBS]; + BN_ULONG x_ret[P256_LIMBS], y_ret[P256_LIMBS]; if (EC_POINT_is_at_infinity(group, point)) { ECerr(EC_F_ECP_NISTZ256_GET_AFFINE, EC_R_POINT_AT_INFINITY); @@ -1347,19 +1366,17 @@ static int ecp_nistz256_get_affine(const EC_GROUP *group, ecp_nistz256_mul_mont(x_aff, z_inv2, point_x); if (x != NULL) { - bn_wexpand(x, P256_LIMBS); - x->top = P256_LIMBS; - ecp_nistz256_from_mont(x->d, x_aff); - bn_correct_top(x); + ecp_nistz256_from_mont(x_ret, x_aff); + if (!ecp_nistz256_set_words(x, x_ret)) + return 0; } if (y != NULL) { ecp_nistz256_mul_mont(z_inv3, z_inv3, z_inv2); ecp_nistz256_mul_mont(y_aff, z_inv3, point_y); - bn_wexpand(y, P256_LIMBS); - y->top = P256_LIMBS; - ecp_nistz256_from_mont(y->d, y_aff); - bn_correct_top(y); + ecp_nistz256_from_mont(y_ret, y_aff); + if (!ecp_nistz256_set_words(y, y_ret)) + return 0; } return 1; From emilia at openssl.org Mon Apr 27 14:50:49 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 14:50:49 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430146249.914452.13937.nullmailer@dev.openssl.org> The branch master has been updated via 4446044a793a9103a4bc70c0214005e6a4463767 (commit) from e22d2199e2a5cc9b243f45c2b633d1e31fadecd7 (commit) - Log ----------------------------------------------------------------- commit 4446044a793a9103a4bc70c0214005e6a4463767 Author: Emilia Kasper Date: Mon Apr 27 15:41:52 2015 +0200 NISTZ256: set Z_is_one to boolean 0/1 as is customary. Cosmetic, no real effect. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index fd4898d..7574f26 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1346,7 +1346,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, !bn_set_words(r->Z, p.p.Z, P256_LIMBS)) { goto err; } - r->Z_is_one = is_one(p.p.Z); + r->Z_is_one = is_one(p.p.Z) & 1; ret = 1; From emilia at openssl.org Mon Apr 27 14:50:49 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 14:50:49 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430146249.774518.13915.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via df6c736fbd0c1779df3464c8dfdaae723d65e8e5 (commit) from c30a1b3b33dad17db8a221bc1a2bc80b4f5f56a2 (commit) - Log ----------------------------------------------------------------- commit df6c736fbd0c1779df3464c8dfdaae723d65e8e5 Author: Emilia Kasper Date: Mon Apr 27 15:41:52 2015 +0200 NISTZ256: set Z_is_one to boolean 0/1 as is customary. Cosmetic, no real effect. Reviewed-by: Richard Levitte (cherry picked from commit 4446044a793a9103a4bc70c0214005e6a4463767) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 35c56c7..a951657 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1327,7 +1327,7 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, !ecp_nistz256_set_words(&r->Z, p.p.Z)) { goto err; } - r->Z_is_one = is_one(p.p.Z); + r->Z_is_one = is_one(p.p.Z) & 1; ret = 1; From emilia at openssl.org Mon Apr 27 16:09:15 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 16:09:15 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430150955.909941.29150.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via c7e78b6bed84534ca864545d7a58aaae22f187cf (commit) from df6c736fbd0c1779df3464c8dfdaae723d65e8e5 (commit) - Log ----------------------------------------------------------------- commit c7e78b6bed84534ca864545d7a58aaae22f187cf Author: Emilia Kasper Date: Mon Apr 27 16:16:15 2015 +0200 NISTZ256: don't swallow malloc errors Reviewed-by: Rich Salz (cherry picked from commit a4d5269e6d0dba0c276c968448a3576f7604666a) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index a951657..bd09312 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -569,13 +569,14 @@ static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], } /* r = sum(scalar[i]*point[i]) */ -static void ecp_nistz256_windowed_mul(const EC_GROUP *group, +static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, const BIGNUM **scalar, const EC_POINT **point, int num, BN_CTX *ctx) { - int i, j; + + int i, j, ret = 0; unsigned int index; unsigned char (*p_str)[33] = NULL; const unsigned int window_size = 5; @@ -710,6 +711,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, ecp_nistz256_point_add(r, r, &h); } + ret = 1; err: if (table_storage) OPENSSL_free(table_storage); @@ -717,6 +719,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, OPENSSL_free(p_str); if (scalars) OPENSSL_free(scalars); + return ret; } /* Coordinates of G, for which we have precomputed tables */ 
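Review bot: The comment above ecp_nistz256_windowed_mul() still reads `/* r = sum(scalar[i]*point[i]) */` although the function now returns a status that ecp_nistz256_points_mul() checks. I would extend it to `/* r = sum(scalar[i]*point[i]); returns 1 on success, 0 on failure */` so the contract sits next to the signature; the same applies to the master version of this change (a4d5269e6d0dba0c276c968448a3576f7604666a). The first hunk also adds an empty line directly after the opening brace, before `int i, j, ret = 0;`, which the master commit does not have and which looks unintentional. Most of the function body lies outside these hunks.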
@@ -1123,6 +1126,8 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, const EC_POINT *generator = NULL; unsigned int index = 0; BN_CTX *new_ctx = NULL; + const BIGNUM **new_scalars = NULL; + const EC_POINT **new_points = NULL; const unsigned int window_size = 7; const unsigned int mask = (1 << (window_size + 1)) - 1; unsigned int wvalue; @@ -1279,9 +1284,6 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, * Without a precomputed table for the generator, it has to be * handled like a normal point. */ - const BIGNUM **new_scalars; - const EC_POINT **new_points; - new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *)); if (!new_scalars) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); @@ -1290,7 +1292,6 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *)); if (!new_points) { - OPENSSL_free(new_scalars); ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); goto err; } @@ -1310,17 +1311,13 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, if (p_is_infinity) out = &p.p; - ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx); + if (!ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx)) + goto err; if (!p_is_infinity) ecp_nistz256_point_add(&p.p, &p.p, out); } - if (no_precomp_for_generator) { - OPENSSL_free(points); - OPENSSL_free(scalars); - } - /* Not constant-time, but we're only operating on the public output. */ if (!ecp_nistz256_set_words(&r->X, p.p.X) || !ecp_nistz256_set_words(&r->Y, p.p.Y) || @@ -1335,6 +1332,10 @@ err: if (ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); + if (new_points) + OPENSSL_free(new_points); + if (new_scalars) + OPENSSL_free(new_scalars); return ret; } From emilia at openssl.org Mon Apr 27 16:09:16 2015 
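Review bot: In the hunk at -1279 the allocation sizes `(num + 1) * sizeof(BIGNUM *)` and `(num + 1) * sizeof(EC_POINT *)` are still computed without a range check, so a very large `num` could wrap the product and leave new_scalars and new_points smaller than the num + 1 entries they are meant to hold. Whether any caller can pass such a count, and the code that fills the arrays, are outside the hunk, so this is a hardening point rather than a demonstrated overflow. A guard ahead of the first OPENSSL_malloc would close it, e.g. `if ((size_t)num >= (size_t)-1 / sizeof(BIGNUM *)) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); goto err; }`. The master version of this commit further down the page carries the same expression, there with `size_t num`.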
From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 16:09:16 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430150956.078173.29171.nullmailer@dev.openssl.org> The branch master has been updated via a4d5269e6d0dba0c276c968448a3576f7604666a (commit) from 4446044a793a9103a4bc70c0214005e6a4463767 (commit) - Log ----------------------------------------------------------------- commit a4d5269e6d0dba0c276c968448a3576f7604666a Author: Emilia Kasper Date: Mon Apr 27 16:16:15 2015 +0200 NISTZ256: don't swallow malloc errors Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 7574f26..f8d4bdd 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -553,14 +553,14 @@ static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], } /* r = sum(scalar[i]*point[i]) */ -static void ecp_nistz256_windowed_mul(const EC_GROUP *group, +static int ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, const BIGNUM **scalar, const EC_POINT **point, size_t num, BN_CTX *ctx) { size_t i; - int j; + int j, ret = 0; unsigned int idx; unsigned char (*p_str)[33] = NULL; const unsigned int window_size = 5; @@ -719,6 +719,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, ecp_nistz256_point_add(r, r, &temp[0]); } + ret = 1; err: if (table_storage) OPENSSL_free(table_storage); @@ -726,6 +727,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, OPENSSL_free(p_str); if (scalars) OPENSSL_free(scalars); + return ret; } /* Coordinates of G, for which we have precomputed tables */ 
@@ -1134,6 +1136,8 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, const EC_PRE_COMP *pre_comp = NULL; const EC_POINT *generator = NULL; BN_CTX *new_ctx = NULL; + const BIGNUM **new_scalars = NULL; + const EC_POINT **new_points = NULL; unsigned int idx = 0; const unsigned int window_size = 7; const unsigned int mask = (1 << (window_size + 1)) - 1; @@ -1298,9 +1302,6 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, * Without a precomputed table for the generator, it has to be * handled like a normal point. */ - const BIGNUM **new_scalars; - const EC_POINT **new_points; - new_scalars = OPENSSL_malloc((num + 1) * sizeof(BIGNUM *)); if (!new_scalars) { ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); @@ -1309,7 +1310,6 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, new_points = OPENSSL_malloc((num + 1) * sizeof(EC_POINT *)); if (!new_points) { - OPENSSL_free(new_scalars); ECerr(EC_F_ECP_NISTZ256_POINTS_MUL, ERR_R_MALLOC_FAILURE); goto err; } @@ -1329,17 +1329,13 @@ static int ecp_nistz256_points_mul(const EC_GROUP *group, if (p_is_infinity) out = &p.p; - ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx); + if (!ecp_nistz256_windowed_mul(group, out, scalars, points, num, ctx)) + goto err; if (!p_is_infinity) ecp_nistz256_point_add(&p.p, &p.p, out); } - if (no_precomp_for_generator) { - OPENSSL_free(points); - OPENSSL_free(scalars); - } - /* Not constant-time, but we're only operating on the public output. */ if (!bn_set_words(r->X, p.p.X, P256_LIMBS) || !bn_set_words(r->Y, p.p.Y, P256_LIMBS) || @@ -1354,6 +1350,10 @@ err: if (ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); + if (new_points) + OPENSSL_free(new_points); + if (new_scalars) + OPENSSL_free(new_scalars); return ret; } From rsalz at openssl.org Mon Apr 27 16:29:57 2015 
From: rsalz at openssl.org (Rich Salz) Date: Mon, 27 Apr 2015 16:29:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430152197.443272.1012.nullmailer@dev.openssl.org> The branch master has been updated via 31b222da1ea6fadd22f5cb134f6ba289f81a2adc (commit) from a4d5269e6d0dba0c276c968448a3576f7604666a (commit) - Log ----------------------------------------------------------------- commit 31b222da1ea6fadd22f5cb134f6ba289f81a2adc Author: Rich Salz Date: Mon Apr 27 12:29:39 2015 -0400 CRYPTO_mem_leaks should ignore it's BIO argument. CRYPTO_mem_leaks takes a BIO* argument. It's not a leak if that argument hasn't been free'd. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/openssl.c | 3 +-- crypto/mem_dbg.c | 12 +++++++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/apps/openssl.c b/apps/openssl.c index b42d031..786f5d3 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -527,8 +527,7 @@ int main(int argc, char *argv[]) BIO_free(bio_in); BIO_free_all(bio_out); apps_shutdown(); - /*CRYPTO_mem_leaks(bio_err); - */ + CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); return (ret); } diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c index 982aebb..36593ed 100644 --- a/crypto/mem_dbg.c +++ b/crypto/mem_dbg.c @@ -623,6 +623,7 @@ void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, typedef struct mem_leak_st { BIO *bio; int chunks; + int seen; long bytes; } MEM_LEAK; @@ -637,8 +638,11 @@ static void print_leak_doall_arg(const MEM *m, MEM_LEAK *l) #define BUF_REMAIN (sizeof buf - (size_t)(bufp - buf)) - if (m->addr == (char *)l->bio) + /* Is one "leak" the BIO we were given? */ + if (m->addr == (char *)l->bio) { + l->seen = 1; return; + } if (options & V_CRYPTO_MDEBUG_TIME) { lcl = localtime(&m->time); 
@@ -722,8 +726,14 @@ void CRYPTO_mem_leaks(BIO *b) ml.bio = b; ml.bytes = 0; ml.chunks = 0; + ml.seen = 0; if (mh != NULL) lh_MEM_doall_arg(mh, LHASH_DOALL_ARG_FN(print_leak), MEM_LEAK, &ml); + /* Don't count the BIO that was passed in as a "leak" */ + if (ml.seen && ml.chunks >= 1 && ml.bytes >= (int)sizeof (*b)) { + ml.chunks--; + ml.bytes -= (int)sizeof (*b); + } if (ml.chunks != 0) { BIO_printf(b, "%ld bytes leaked in %d chunks\n", ml.bytes, ml.chunks); #ifdef CRYPTO_MDEBUG_ABORT From emilia at openssl.org Mon Apr 27 17:53:17 2015 From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 17:53:17 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430157197.618188.18408.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 07977739f0eaa1dd6845518b590932ba5cbf75d1 (commit) from c7e78b6bed84534ca864545d7a58aaae22f187cf (commit) - Log ----------------------------------------------------------------- commit 07977739f0eaa1dd6845518b590932ba5cbf75d1 Author: Emilia Kasper Date: Mon Apr 27 18:49:43 2015 +0200 NISTZ256: use EC_POINT API and check errors. Reviewed-by: Rich Salz (cherry picked from commit 6038354cf8ca0792420c1ac0ce50d6d2f0aedebf) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index bd09312..ca44d0a 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
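Review bot: The adjustment added to CRYPTO_mem_leaks subtracts one chunk and `sizeof (*b)` bytes whenever `ml.seen` is set, but print_leak_doall_arg already returns as soon as it recognises the BIO. If the chunk and byte counters are only incremented further down that function (not visible in these hunks), the BIO was never counted and the subtraction removes a genuine leak instead. With exactly one real leak of at least `sizeof (*b)` bytes, `ml.chunks` would then reach 0 and everything under `if (ml.chunks != 0)`, including the summary line, would be skipped. If that reading is right, keep the early return and drop the new `if (ml.seen && ml.chunks >= 1 && ...)` block, or count the entry first and return afterwards. The comparison also mixes `ml.bytes`, a long, with an `(int)` cast of the size.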
@@ -834,19 +834,26 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) goto err; for (j = 0; j < 37; j++) { /* - * It would be faster to use - * ec_GFp_simple_points_make_affine and make multiple - * points affine at the same time. + * It would be faster to use EC_POINTs_make_affine and + * make multiple points affine at the same time. */ - ec_GFp_simple_make_affine(group, P, ctx); - ecp_nistz256_bignum_to_field_elem(preComputedTable[j] - [k].X, &P->X); - ecp_nistz256_bignum_to_field_elem(preComputedTable[j] - [k].Y, &P->Y); - for (i = 0; i < 7; i++) - ec_GFp_simple_dbl(group, P, P, ctx); + if (!EC_POINT_make_affine(group, P, ctx)) + goto err; + if (!ecp_nistz256_bignum_to_field_elem(preComputedTable[j][k].X, + &P->X) || + !ecp_nistz256_bignum_to_field_elem(preComputedTable[j][k].Y, + &P->Y)) { + ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; + } + for (i = 0; i < 7; i++) { + if (!EC_POINT_dbl(group, P, P, ctx)) + goto err; + } } - ec_GFp_simple_add(group, T, T, generator, ctx); + if (!EC_POINT_add(group, T, T, generator, ctx)) + goto err; } pre_comp->group = group; From emilia at openssl.org Mon Apr 27 17:53:17 2015 From: emilia at openssl.org (Emilia Kasper) Date: Mon, 27 Apr 2015 17:53:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430157197.698488.18430.nullmailer@dev.openssl.org> The branch master has been updated via 6038354cf8ca0792420c1ac0ce50d6d2f0aedebf (commit) from 31b222da1ea6fadd22f5cb134f6ba289f81a2adc (commit) - Log ----------------------------------------------------------------- commit 6038354cf8ca0792420c1ac0ce50d6d2f0aedebf Author: Emilia Kasper Date: Mon Apr 27 18:49:43 2015 +0200 NISTZ256: use EC_POINT API and check errors. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) 
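Review bot: The rewritten loops keep the bare literals `37` and `7` (`for (j = 0; j < 37; j++)`, `for (i = 0; i < 7; i++)`), which a reader has to connect to the window size by hand. Since the inner loop is being rewritten anyway, a named constant would document the relationship, for example `for (i = 0; i < window_size; i++)` with a local `const unsigned int window_size = 7;` of the kind ecp_nistz256_points_mul declares elsewhere on this page. The 37 is presumably the number of 7-bit windows in a 256-bit scalar and would merit a one-line comment saying so. The same applies to the master version of this commit below; the enclosing function starts and ends outside the hunk.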
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index f8d4bdd..d938bee 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -844,17 +844,25 @@ static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) for (j = 0; j < 37; j++) { P256_POINT_AFFINE temp; /* - * It would be faster to use ec_GFp_simple_points_make_affine and + * It would be faster to use EC_POINTs_make_affine and * make multiple points affine at the same time. */ - ec_GFp_simple_make_affine(group, P, ctx); - ecp_nistz256_bignum_to_field_elem(temp.X, P->X); - ecp_nistz256_bignum_to_field_elem(temp.Y, P->Y); + if (!EC_POINT_make_affine(group, P, ctx)) + goto err; + if (!ecp_nistz256_bignum_to_field_elem(temp.X, P->X) || + !ecp_nistz256_bignum_to_field_elem(temp.Y, P->Y)) { + ECerr(EC_F_ECP_NISTZ256_MULT_PRECOMPUTE, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; + } ecp_nistz256_scatter_w7(preComputedTable[j], &temp, k); - for (i = 0; i < 7; i++) - ec_GFp_simple_dbl(group, P, P, ctx); + for (i = 0; i < 7; i++) { + if (!EC_POINT_dbl(group, P, P, ctx)) + goto err; + } } - ec_GFp_simple_add(group, T, T, generator, ctx); + if (!EC_POINT_add(group, T, T, generator, ctx)) + goto err; } pre_comp->group = group; From emilia at openssl.org Tue Apr 28 10:50:29 2015 
From: emilia at openssl.org (Emilia Kasper) Date: Tue, 28 Apr 2015 10:50:29 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430218229.490357.12537.nullmailer@dev.openssl.org> The branch master has been updated via 5956b110e3d6137be07e52b1b3ea483a991ab84f (commit) from 6038354cf8ca0792420c1ac0ce50d6d2f0aedebf (commit) - Log ----------------------------------------------------------------- commit 5956b110e3d6137be07e52b1b3ea483a991ab84f Author: Emilia Kasper Date: Mon Apr 27 18:14:32 2015 +0200 NISTZ256: owur'ize. __owur'ize static methods to catch calling errors within the module. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ec/ecp_nistz256.c | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index d938bee..6937314 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -546,18 +546,18 @@ static void ecp_nistz256_mod_inverse(BN_ULONG r[P256_LIMBS], * ecp_nistz256_bignum_to_field_elem copies the contents of |in| to |out| and * returns one if it fits. Otherwise it returns zero. */ -static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], - const BIGNUM *in) +__owur static int ecp_nistz256_bignum_to_field_elem(BN_ULONG out[P256_LIMBS], + const BIGNUM *in) { return bn_copy_words(out, in, P256_LIMBS); } /* r = sum(scalar[i]*point[i]) */ -static int ecp_nistz256_windowed_mul(const EC_GROUP *group, - P256_POINT *r, - const BIGNUM **scalar, - const EC_POINT **point, - size_t num, BN_CTX *ctx) +__owur static int ecp_nistz256_windowed_mul(const EC_GROUP *group, + P256_POINT *r, + const BIGNUM **scalar, + const EC_POINT **point, + size_t num, BN_CTX *ctx) { size_t i; int j, ret = 0; 
@@ -755,7 +755,7 @@ static int ecp_nistz256_is_affine_G(const EC_POINT *generator) is_one(bn_get_words(generator->Z)); } -static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) +__owur static int ecp_nistz256_mult_precompute(EC_GROUP *group, BN_CTX *ctx) { /* * We precompute a table for a Booth encoded exponent (wNAF) based @@ -1097,9 +1097,9 @@ static void ecp_nistz256_avx2_mul_g(P256_POINT *r, # endif #endif -static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, - const P256_POINT_AFFINE *in, - BN_CTX *ctx) +__owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, + const P256_POINT_AFFINE *in, + BN_CTX *ctx) { BIGNUM *x, *y; BN_ULONG d_x[P256_LIMBS], d_y[P256_LIMBS]; @@ -1130,12 +1130,12 @@ static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group, } /* r = scalar*G + sum(scalars[i]*points[i]) */ -static int ecp_nistz256_points_mul(const EC_GROUP *group, - EC_POINT *r, - const BIGNUM *scalar, - size_t num, - const EC_POINT *points[], - const BIGNUM *scalars[], BN_CTX *ctx) +__owur static int ecp_nistz256_points_mul(const EC_GROUP *group, + EC_POINT *r, + const BIGNUM *scalar, + size_t num, + const EC_POINT *points[], + const BIGNUM *scalars[], BN_CTX *ctx) { int i = 0, ret = 0, no_precomp_for_generator = 0, p_is_infinity = 0; size_t j; @@ -1365,9 +1365,9 @@ err: return ret; } -static int ecp_nistz256_get_affine(const EC_GROUP *group, - const EC_POINT *point, - BIGNUM *x, BIGNUM *y, BN_CTX *ctx) +__owur static int ecp_nistz256_get_affine(const EC_GROUP *group, + const EC_POINT *point, + BIGNUM *x, BIGNUM *y, BN_CTX *ctx) { BN_ULONG z_inv2[P256_LIMBS]; BN_ULONG z_inv3[P256_LIMBS]; From levitte at openssl.org Tue Apr 28 12:43:05 2015 
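Review bot: The `__owur` annotation only helps at direct call sites: assuming it expands to the compiler's warn-unused-result attribute, the warning is tied to the declaration, so any of these functions that is reached only through a method-table function pointer (not visible in these hunks) gains documentation but no checking. That is worth a sentence in the commit description so the annotation is not read as full coverage. As a style point, the reindented declarations now exceed 80 columns, e.g. `__owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,`. Breaking after the first parameter, `__owur static int ecp_nistz256_set_from_affine(EC_POINT *out,` then `const EC_GROUP *group,`, keeps them within the limit.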
From: levitte at openssl.org (Richard Levitte) Date: Tue, 28 Apr 2015 12:43:05 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430224985.065619.22363.nullmailer@dev.openssl.org> The branch master has been updated via 0223ca0987aa8c3b0c4adc084c1f03a5e4e32288 (commit) from 5956b110e3d6137be07e52b1b3ea483a991ab84f (commit) - Log ----------------------------------------------------------------- commit 0223ca0987aa8c3b0c4adc084c1f03a5e4e32288 Author: Richard Levitte Date: Tue Apr 28 14:34:58 2015 +0200 Allow for types with leading underscore when checking error macros. We have an increasing number of function declarations starting with '__owur'. Unfortunately, util/ck_errf.pl fails to detect them. A simple change fixes that issue. Reviewed-by: Emilia K?sper ----------------------------------------------------------------------- Summary of changes: util/ck_errf.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/ck_errf.pl b/util/ck_errf.pl index 1a8665a..922e5f6 100755 --- a/util/ck_errf.pl +++ b/util/ck_errf.pl @@ -21,7 +21,7 @@ foreach $file (@ARGV) $func=""; while () { - if (!/;$/ && /^\**([a-zA-Z].*[\s*])?([A-Za-z_0-9]+)\(.*([),]|$)/) + if (!/;$/ && /^\**([a-zA-Z_].*[\s*])?([A-Za-z_0-9]+)\(.*([),]|$)/) { /^([^()]*(\([^()]*\)[^()]*)*)\(/; $1 =~ /([A-Za-z_0-9]*)$/; From rsalz at openssl.org Tue Apr 28 14:51:22 2015 
From: rsalz at openssl.org (Rich Salz) Date: Tue, 28 Apr 2015 14:51:22 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430232682.482236.2336.nullmailer@dev.openssl.org> The branch master has been updated via 3e47caff4830d2a117eda15b57a5feab89b846ae (commit) from 0223ca0987aa8c3b0c4adc084c1f03a5e4e32288 (commit) - Log ----------------------------------------------------------------- commit 3e47caff4830d2a117eda15b57a5feab89b846ae Author: Rich Salz Date: Tue Apr 28 10:50:54 2015 -0400 ERR_ cleanup Remove ERR_[gs]et_implementation as they were not undocumented and useless (the data structure was opaque). Halve the number of lock/unlock calls in almost all ERR_ functions by letting the caller of get_hash or int_thread_set able to lock. Very useful when looping, such as adding errors, or when getting the hash and immediately doing a lookup on it. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/engine/eng_dyn.c | 1 - crypto/err/err.c | 311 +++++++++++++-------------------------------- include/openssl/engine.h | 2 - include/openssl/err.h | 13 -- include/openssl/ossl_typ.h | 2 - util/indent.pro | 1 - util/libeay.num | 4 +- 7 files changed, 89 insertions(+), 245 deletions(-) diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index 3169b09..31ec324 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -519,7 +519,6 @@ static int dynamic_load(ENGINE *e, dynamic_data_ctx *ctx) * would also increase opaqueness. */ fns.static_state = ENGINE_get_static_state(); - fns.err_fns = ERR_get_implementation(); fns.ex_data_fns = CRYPTO_get_ex_data_implementation(); CRYPTO_get_mem_functions(&fns.mem_fns.malloc_cb, &fns.mem_fns.realloc_cb, &fns.mem_fns.free_cb); diff --git a/crypto/err/err.c b/crypto/err/err.c index 50865b8..b078442 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c 
@@ -223,63 +223,17 @@ static ERR_STRING_DATA ERR_str_reasons[] = { }; #endif -/* Define the predeclared (but externally opaque) "ERR_FNS" type */ -struct st_ERR_FNS { - /* Works on the "error_hash" string table */ - LHASH_OF(ERR_STRING_DATA) *(*cb_err_get) (int create); - void (*cb_err_del) (void); - ERR_STRING_DATA *(*cb_err_get_item) (const ERR_STRING_DATA *); - ERR_STRING_DATA *(*cb_err_set_item) (ERR_STRING_DATA *); - ERR_STRING_DATA *(*cb_err_del_item) (ERR_STRING_DATA *); - /* Works on the "thread_hash" error-state table */ - LHASH_OF(ERR_STATE) *(*cb_thread_get) (int create); - void (*cb_thread_release) (LHASH_OF(ERR_STATE) **hash); - ERR_STATE *(*cb_thread_get_item) (const ERR_STATE *); - ERR_STATE *(*cb_thread_set_item) (ERR_STATE *); - void (*cb_thread_del_item) (const ERR_STATE *); - /* Returns the next available error "library" numbers */ - int (*cb_get_next_lib) (void); -}; - /* Predeclarations of the "err_defaults" functions */ -static LHASH_OF(ERR_STRING_DATA) *int_err_get(int create); -static void int_err_del(void); +static LHASH_OF(ERR_STRING_DATA) *get_hash(int create, int lockit); static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *); -static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *); -static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *); -static LHASH_OF(ERR_STATE) *int_thread_get(int create); +static LHASH_OF(ERR_STATE) *int_thread_get(int create, int lockit); static void int_thread_release(LHASH_OF(ERR_STATE) **hash); static ERR_STATE *int_thread_get_item(const ERR_STATE *); static ERR_STATE *int_thread_set_item(ERR_STATE *); static void int_thread_del_item(const ERR_STATE *); -static int int_err_get_next_lib(void); -/* The static ERR_FNS table using these defaults functions */ -static const ERR_FNS err_defaults = { - int_err_get, - int_err_del, - int_err_get_item, - int_err_set_item, - int_err_del_item, - int_thread_get, - int_thread_release, - int_thread_get_item, - int_thread_set_item, - int_thread_del_item, - 
int_err_get_next_lib -}; - -/* The replacable table of ERR_FNS functions we use at run-time */ -static const ERR_FNS *err_fns = NULL; - -/* Eg. rather than using "err_get()", use "ERRFN(err_get)()". */ -#define ERRFN(a) err_fns->cb_##a /* - * The internal state used by "err_defaults" - as such, the setting, reading, - * creating, and deleting of this data should only be permitted via the - * "err_defaults" functions. This way, a linked module can completely defer - * all ERR state operation (together with requisite locking) to the - * implementations and state in the loading application. + * The internal state */ static LHASH_OF(ERR_STRING_DATA) *int_error_hash = NULL; static LHASH_OF(ERR_STATE) *int_thread_hash = NULL; @@ -287,46 +241,6 @@ static int int_thread_hash_references = 0; static int int_err_library_number = ERR_LIB_USER; /* - * Internal function that checks whether "err_fns" is set and if not, sets it - * to the defaults. - */ -static void err_fns_check(void) -{ - if (err_fns) - return; - - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - if (!err_fns) - err_fns = &err_defaults; - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); -} - -/* API functions to get or set the underlying ERR functions. */ - -const ERR_FNS *ERR_get_implementation(void) -{ - err_fns_check(); - return err_fns; -} - -int ERR_set_implementation(const ERR_FNS *fns) -{ - int ret = 0; - - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - /* - * It's too late if 'err_fns' is non-NULL. BTW: not much point setting an - * error is there?! - */ - if (!err_fns) { - err_fns = fns; - ret = 1; - } - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - return ret; -} - -/* * These are the callbacks provided to "lh_new()" when creating the LHASH * tables internal to the "err_defaults" implementation. */ 
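Review bot: Deleting `struct st_ERR_FNS` and the `err_defaults` table here goes together with dropping the `err_fns` member from `dynamic_fns` in include/openssl/engine.h later in this commit, which moves `ex_data_fns`, `mem_fns` and `lock_fns` to new offsets. The diffstat lists only two deleted lines for engine.h, so no change to the dynamic-engine interface version accompanies the layout change. An engine built against the old header and loaded by the new library would then read the wrong members through `fns->`. I would bump `OSSL_DYNAMIC_VERSION` and `OSSL_DYNAMIC_OLDEST` in the same commit, or state in the description why that is unnecessary. An engine carrying its own copy of the library also stops sharing the application's error state once ERR_set_implementation is gone, which deserves a changelog line.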
@@ -335,8 +249,6 @@ static unsigned long get_error_values(int inc, int top, const char **file, int *line, const char **data, int *flags); -/* The internal functions used in the "err_defaults" implementation */ - static unsigned long err_string_data_hash(const ERR_STRING_DATA *a) { unsigned long ret, l; 
@@ -356,84 +268,39 @@ static int err_string_data_cmp(const ERR_STRING_DATA *a, static IMPLEMENT_LHASH_COMP_FN(err_string_data, ERR_STRING_DATA) -static LHASH_OF(ERR_STRING_DATA) *int_err_get(int create) +static LHASH_OF(ERR_STRING_DATA) *get_hash(int create, int lockit) { LHASH_OF(ERR_STRING_DATA) *ret = NULL; - CRYPTO_w_lock(CRYPTO_LOCK_ERR); + if (lockit) + CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (!int_error_hash && create) { - CRYPTO_push_info("int_err_get (err.c)"); + CRYPTO_push_info("get_hash (err.c)"); int_error_hash = lh_ERR_STRING_DATA_new(); CRYPTO_pop_info(); } if (int_error_hash) ret = int_error_hash; - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); + if (lockit) + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } -static void int_err_del(void) -{ - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - if (int_error_hash) { - lh_ERR_STRING_DATA_free(int_error_hash); - int_error_hash = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); -} - static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d) { - ERR_STRING_DATA *p; + ERR_STRING_DATA *p = NULL; LHASH_OF(ERR_STRING_DATA) *hash; - err_fns_check(); - hash = ERRFN(err_get) (0); - if (!hash) - return NULL; - CRYPTO_r_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STRING_DATA_retrieve(hash, d); + hash = get_hash(0, 0); + if (hash) + p = lh_ERR_STRING_DATA_retrieve(hash, d); CRYPTO_r_unlock(CRYPTO_LOCK_ERR); return p; } -static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *d) -{ - ERR_STRING_DATA *p; - LHASH_OF(ERR_STRING_DATA) *hash; - - err_fns_check(); - hash = ERRFN(err_get) (1); - if (!hash) - return NULL; - - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STRING_DATA_insert(hash, d); - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - - return p; -} - -static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *d) -{ - ERR_STRING_DATA *p; - LHASH_OF(ERR_STRING_DATA) *hash; - - err_fns_check(); - hash = ERRFN(err_get) (0); - if (!hash) - return NULL; - - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STRING_DATA_delete(hash, d); - 
CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - - return p; -} - static unsigned long err_state_hash(const ERR_STATE *a) { return CRYPTO_THREADID_hash(&a->tid) * 13; @@ -448,11 +315,12 @@ static int err_state_cmp(const ERR_STATE *a, const ERR_STATE *b) static IMPLEMENT_LHASH_COMP_FN(err_state, ERR_STATE) -static LHASH_OF(ERR_STATE) *int_thread_get(int create) +static LHASH_OF(ERR_STATE) *int_thread_get(int create, int lockit) { LHASH_OF(ERR_STATE) *ret = NULL; - CRYPTO_w_lock(CRYPTO_LOCK_ERR); + if (lockit) + CRYPTO_w_lock(CRYPTO_LOCK_ERR); if (!int_thread_hash && create) { CRYPTO_push_info("int_thread_get (err.c)"); int_thread_hash = lh_ERR_STATE_new(); @@ -462,7 +330,8 @@ static LHASH_OF(ERR_STATE) *int_thread_get(int create) int_thread_hash_references++; ret = int_thread_hash; } - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); + if (lockit) + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); return ret; } 
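Review bot: The new `lockit` parameter of get_hash (and of int_thread_get in the following hunks) has no comment, and its contract is easy to misuse. With `lockit == 0` the function reads int_error_hash without taking CRYPTO_LOCK_ERR, and with `create != 0` it may also assign it. I would add above get_hash `/* If lockit is 0 the caller must already hold CRYPTO_LOCK_ERR, as a write lock when create is non-zero. */` and repeat it on int_thread_get. int_err_get_item in the same hunk calls `get_hash(0, 0)` under the read lock, which fits that rule.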
@@ -491,76 +360,59 @@ static void int_thread_release(LHASH_OF(ERR_STATE) **hash) static ERR_STATE *int_thread_get_item(const ERR_STATE *d) { - ERR_STATE *p; + ERR_STATE *p = NULL; LHASH_OF(ERR_STATE) *hash; - err_fns_check(); - hash = ERRFN(thread_get) (0); - if (!hash) - return NULL; - CRYPTO_r_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STATE_retrieve(hash, d); + hash = int_thread_get(0, 0); + if (hash) + p = lh_ERR_STATE_retrieve(hash, d); CRYPTO_r_unlock(CRYPTO_LOCK_ERR); - ERRFN(thread_release) (&hash); + int_thread_release(&hash); return p; } static ERR_STATE *int_thread_set_item(ERR_STATE *d) { - ERR_STATE *p; + ERR_STATE *p = NULL; LHASH_OF(ERR_STATE) *hash; - err_fns_check(); - hash = ERRFN(thread_get) (1); - if (!hash) - return NULL; - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STATE_insert(hash, d); + hash = int_thread_get(1, 0); + if (hash) + p = lh_ERR_STATE_insert(hash, d); CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - ERRFN(thread_release) (&hash); + int_thread_release(&hash); return p; } static void int_thread_del_item(const ERR_STATE *d) { - ERR_STATE *p; + ERR_STATE *p = NULL; LHASH_OF(ERR_STATE) *hash; - err_fns_check(); - hash = ERRFN(thread_get) (0); - if (!hash) - return; - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - p = lh_ERR_STATE_delete(hash, d); - /* make sure we don't leak memory */ - if (int_thread_hash_references == 1 - && int_thread_hash && lh_ERR_STATE_num_items(int_thread_hash) == 0) { - lh_ERR_STATE_free(int_thread_hash); - int_thread_hash = NULL; + hash = int_thread_get(0, 0); + if (hash) { + p = lh_ERR_STATE_delete(hash, d); + /* If there are no other references, and we just removed the + * last item, delete the int_thread_hash */ + if (int_thread_hash_references == 1 + && int_thread_hash + && lh_ERR_STATE_num_items(int_thread_hash) == 0) { + lh_ERR_STATE_free(int_thread_hash); + int_thread_hash = NULL; + } } CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - ERRFN(thread_release) (&hash); + int_thread_release(&hash); if (p) ERR_STATE_free(p); } -static int 
int_err_get_next_lib(void) -{ - int ret; - - CRYPTO_w_lock(CRYPTO_LOCK_ERR); - ret = int_err_library_number++; - CRYPTO_w_unlock(CRYPTO_LOCK_ERR); - - return ret; -} - #ifndef OPENSSL_NO_ERR # define NUM_SYS_STR_REASONS 127 # define LEN_SYS_STR_REASON 32 @@ -580,8 +432,8 @@ static void build_SYS_str_reasons(void) { /* OPENSSL_malloc cannot be used here, use static storage instead */ static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON]; - int i; static int init = 1; + int i; CRYPTO_r_lock(CRYPTO_LOCK_ERR); if (!init) { @@ -659,7 +511,6 @@ static void ERR_STATE_free(ERR_STATE *s) void ERR_load_ERR_strings(void) { - err_fns_check(); #ifndef OPENSSL_NO_ERR err_load_strings(0, ERR_str_libraries); err_load_strings(0, ERR_str_reasons); @@ -671,12 +522,18 @@ void ERR_load_ERR_strings(void) static void err_load_strings(int lib, ERR_STRING_DATA *str) { - while (str->error) { - if (lib) - str->error |= ERR_PACK(lib, 0, 0); - ERRFN(err_set_item) (str); - str++; + LHASH_OF(ERR_STRING_DATA) *hash; + + CRYPTO_w_lock(CRYPTO_LOCK_ERR); + hash = get_hash(1, 0); + if (hash) { + for (; str->error; str++) { + if (lib) + str->error |= ERR_PACK(lib, 0, 0); + (void)lh_ERR_STRING_DATA_insert(hash, str); + } } + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } void ERR_load_strings(int lib, ERR_STRING_DATA *str) 
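Review bot: int_thread_get_item now calls `int_thread_get(0, 0)` while holding only `CRYPTO_r_lock(CRYPTO_LOCK_ERR)`, yet int_thread_get increments `int_thread_hash_references` whenever the table exists, so where the locking callback honours read locks, concurrent lookups modify the counter under a shared lock. Before this change int_thread_get took the write lock itself. A lost update matters because int_thread_del_item frees the table when it reads `int_thread_hash_references == 1`. The simplest fix is to use the write lock in int_thread_get_item, `CRYPTO_w_lock(CRYPTO_LOCK_ERR);` and `CRYPTO_w_unlock(CRYPTO_LOCK_ERR);`, as int_thread_set_item and int_thread_del_item already do. All three functions now also call `int_thread_release(&hash)` when `hash` is NULL, which relies on int_thread_release tolerating that; its body is outside the hunk.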
@@ -687,18 +544,28 @@ void ERR_load_strings(int lib, ERR_STRING_DATA *str) void ERR_unload_strings(int lib, ERR_STRING_DATA *str) { - while (str->error) { - if (lib) - str->error |= ERR_PACK(lib, 0, 0); - ERRFN(err_del_item) (str); - str++; + LHASH_OF(ERR_STRING_DATA) *hash; + + CRYPTO_w_lock(CRYPTO_LOCK_ERR); + hash = get_hash(0, 0); + if (hash) { + for (; str->error; str++) { + if (lib) + str->error |= ERR_PACK(lib, 0, 0); + (void)lh_ERR_STRING_DATA_delete(hash, str); + } } + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } void ERR_free_strings(void) { - err_fns_check(); - ERRFN(err_del) (); + CRYPTO_w_lock(CRYPTO_LOCK_ERR); + if (int_error_hash) { + lh_ERR_STRING_DATA_free(int_error_hash); + int_error_hash = NULL; + } + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); } /********************************************************/ @@ -932,20 +799,17 @@ char *ERR_error_string(unsigned long e, char *ret) LHASH_OF(ERR_STRING_DATA) *ERR_get_string_table(void) { - err_fns_check(); - return ERRFN(err_get) (0); + return get_hash(0, 1); } LHASH_OF(ERR_STATE) *ERR_get_err_state_table(void) { - err_fns_check(); - return ERRFN(thread_get) (0); + return int_thread_get(0, 1); } void ERR_release_err_state_table(LHASH_OF(ERR_STATE) **hash) { - err_fns_check(); - ERRFN(thread_release) (hash); + int_thread_release(hash); } const char *ERR_lib_error_string(unsigned long e) @@ -953,10 +817,9 @@ const char *ERR_lib_error_string(unsigned long e) ERR_STRING_DATA d, *p; unsigned long l; - err_fns_check(); l = ERR_GET_LIB(e); d.error = ERR_PACK(l, 0, 0); - p = ERRFN(err_get_item) (&d); + p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); } @@ -965,11 +828,10 @@ const char *ERR_func_error_string(unsigned long e) ERR_STRING_DATA d, *p; unsigned long l, f; - err_fns_check(); l = ERR_GET_LIB(e); f = ERR_GET_FUNC(e); d.error = ERR_PACK(l, f, 0); - p = ERRFN(err_get_item) (&d); + p = int_err_get_item(&d); return ((p == NULL) ? NULL : p->string); } 
@@ -978,14 +840,13 @@ const char *ERR_reason_error_string(unsigned long e) ERR_STRING_DATA d, *p = NULL; unsigned long l, r; - err_fns_check(); l = ERR_GET_LIB(e); r = ERR_GET_REASON(e); d.error = ERR_PACK(l, 0, r); - p = ERRFN(err_get_item) (&d); + p = int_err_get_item(&d); if (!p) { d.error = ERR_PACK(0, 0, r); - p = ERRFN(err_get_item) (&d); + p = int_err_get_item(&d); } return ((p == NULL) ? NULL : p->string); } @@ -998,12 +859,11 @@ void ERR_remove_thread_state(const CRYPTO_THREADID *id) CRYPTO_THREADID_cpy(&tmp.tid, id); else CRYPTO_THREADID_current(&tmp.tid); - err_fns_check(); /* * thread_del_item automatically destroys the LHASH if the number of * items reaches zero. */ - ERRFN(thread_del_item) (&tmp); + int_thread_del_item(&tmp); } #ifndef OPENSSL_NO_DEPRECATED @@ -1020,10 +880,9 @@ ERR_STATE *ERR_get_state(void) int i; CRYPTO_THREADID tid; - err_fns_check(); CRYPTO_THREADID_current(&tid); CRYPTO_THREADID_cpy(&tmp.tid, &tid); - ret = ERRFN(thread_get_item) (&tmp); + ret = int_thread_get_item(&tmp); /* ret == the error state, if NULL, make a new one */ if (ret == NULL) { @@ -1037,9 +896,9 @@ ERR_STATE *ERR_get_state(void) ret->err_data[i] = NULL; ret->err_data_flags[i] = 0; } - tmpp = ERRFN(thread_set_item) (ret); + tmpp = int_thread_set_item(ret); /* To check if insertion failed, do a get. */ - if (ERRFN(thread_get_item) (ret) != ret) { + if (int_thread_get_item(ret) != ret) { ERR_STATE_free(ret); /* could not insert it */ return (&fallback); } @@ -1055,8 +914,12 @@ ERR_STATE *ERR_get_state(void) int ERR_get_next_error_library(void) { - err_fns_check(); - return ERRFN(get_next_lib) (); + int ret; + + CRYPTO_w_lock(CRYPTO_LOCK_ERR); + ret = int_err_library_number++; + CRYPTO_w_unlock(CRYPTO_LOCK_ERR); + return ret; } void ERR_set_error_data(char *data, int flags) diff --git a/include/openssl/engine.h b/include/openssl/engine.h index e2f3e5c..fa1d694 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h 
@@ -776,7 +776,6 @@ typedef struct st_dynamic_LOCK_fns { /* The top-level structure */ typedef struct st_dynamic_fns { void *static_state; - const ERR_FNS *err_fns; const CRYPTO_EX_DATA_IMPL *ex_data_fns; dynamic_MEM_fns mem_fns; dynamic_LOCK_fns lock_fns; @@ -837,7 +836,6 @@ typedef int (*dynamic_bind_engine) (ENGINE *e, const char *id, CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ return 0; \ - if(!ERR_set_implementation(fns->err_fns)) return 0; \ skip_cbs: \ if(!fn(e,id)) return 0; \ return 1; } diff --git a/include/openssl/err.h b/include/openssl/err.h index 577a121..e17706c 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -362,19 +362,6 @@ int ERR_get_next_error_library(void); int ERR_set_mark(void); int ERR_pop_to_mark(void); -/* Already defined in ossl_typ.h */ -/* typedef struct st_ERR_FNS ERR_FNS; */ -/* - * An application can use this function and provide the return value to - * loaded modules that should use the application's ERR state/functionality - */ -const ERR_FNS *ERR_get_implementation(void); -/* - * A loaded module should call this function prior to any ERR operations - * using the application's "ERR_FNS". - */ -int ERR_set_implementation(const ERR_FNS *fns); - #ifdef __cplusplus } #endif diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h index 85fb7b9..b32ce66 100644 --- a/include/openssl/ossl_typ.h +++ b/include/openssl/ossl_typ.h @@ -172,8 +172,6 @@ typedef struct store_method_st STORE_METHOD; typedef struct ui_st UI; typedef struct ui_method_st UI_METHOD; -typedef struct st_ERR_FNS ERR_FNS; - typedef struct engine_st ENGINE; typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; diff --git a/util/indent.pro b/util/indent.pro index c2427a3..87e2b3b 100644 --- a/util/indent.pro +++ b/util/indent.pro 
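Review bot: Dropping `err_fns` from `struct st_dynamic_fns` moves `ex_data_fns`, `mem_fns` and `lock_fns` to new offsets in a structure that the application passes to a separately built engine module. An engine compiled against the old header would read those members from the wrong offsets, so the loader has to refuse it rather than bind it. Neither engine.h hunk shown here touches the dynamic-engine version constants (`OSSL_DYNAMIC_VERSION` / `OSSL_DYNAMIC_OLDEST`). If they are not raised elsewhere in this commit they should be, so that the engine version check rejects modules built with the old layout.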
@@ -251,7 +251,6 @@ -T ENGINE_SSL_CLIENT_CERT_PTR -T ENGINE_TABLE -T ENUMERATED_NAMES --T ERR_FNS -T ERR_STATE -T ERR_STRING_DATA -T ESS_CERT_ID diff --git a/util/libeay.num b/util/libeay.num index c5d6ae9..553a160 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -2033,7 +2033,7 @@ EC_POINT_set_compr_coords_GFp 2597 EXIST:VMS:FUNCTION:EC OCSP_response_status_str 2598 EXIST::FUNCTION: d2i_OCSP_REVOKEDINFO 2599 EXIST::FUNCTION: OCSP_basic_add1_cert 2600 EXIST::FUNCTION: -ERR_get_implementation 2601 EXIST::FUNCTION: +ERR_get_implementation 2601 NOEXIST::FUNCTION: EVP_CipherFinal_ex 2602 EXIST::FUNCTION: OCSP_CERTSTATUS_new 2603 EXIST::FUNCTION: CRYPTO_cleanup_all_ex_data 2604 EXIST::FUNCTION: @@ -2337,7 +2337,7 @@ UI_get0_result_string 2845 EXIST::FUNCTION: ASN1_GENERALSTRING_new 2846 EXIST::FUNCTION: X509_SIG_it 2847 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: X509_SIG_it 2847 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -ERR_set_implementation 2848 EXIST::FUNCTION: +ERR_set_implementation 2848 NOEXIST::FUNCTION: ERR_load_EC_strings 2849 EXIST::FUNCTION:EC UI_get0_action_string 2850 EXIST::FUNCTION: OCSP_ONEREQ_get_ext 2851 EXIST::FUNCTION: From rsalz at openssl.org Tue Apr 28 19:28:35 2015 
From: rsalz at openssl.org (Rich Salz) Date: Tue, 28 Apr 2015 19:28:35 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430249315.274916.24285.nullmailer@dev.openssl.org> The branch master has been updated via b196e7d936fb377d9c5b305748ac25ff0e53ef6d (commit) from 3e47caff4830d2a117eda15b57a5feab89b846ae (commit) - Log ----------------------------------------------------------------- commit b196e7d936fb377d9c5b305748ac25ff0e53ef6d Author: Rich Salz Date: Tue Apr 28 15:28:14 2015 -0400 remove malloc casts Following ANSI C rules, remove the casts from calls to OPENSSL_malloc and OPENSSL_realloc. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 7 +++---- apps/ca.c | 21 +++++++++------------ apps/dgst.c | 2 +- apps/dhparam.c | 2 +- apps/dsaparam.c | 2 +- apps/ecparam.c | 3 +-- apps/enc.c | 2 +- apps/rsa.c | 2 +- apps/s_client.c | 2 +- apps/s_server.c | 4 ++-- apps/s_socket.c | 2 +- apps/speed.c | 6 ++---- apps/srp.c | 3 +-- apps/vms_decc_init.c | 2 +- crypto/asn1/a_bitstr.c | 7 +++---- crypto/asn1/a_digest.c | 2 +- crypto/asn1/a_enum.c | 3 +-- crypto/asn1/a_i2d_fp.c | 2 +- crypto/asn1/a_int.c | 7 +++---- crypto/asn1/a_object.c | 4 ++-- crypto/asn1/a_sign.c | 4 ++-- crypto/asn1/asn1_lib.c | 2 +- crypto/asn1/asn_mime.c | 4 ++-- crypto/asn1/f_enum.c | 7 ++----- crypto/asn1/f_int.c | 3 +-- crypto/asn1/f_string.c | 7 ++----- crypto/asn1/n_pkey.c | 2 +- crypto/asn1/t_x509.c | 2 +- crypto/asn1/x_info.c | 2 +- crypto/bio/bf_buff.c | 10 +++++----- crypto/bio/bf_lbuf.c | 6 +++--- crypto/bio/bf_nbio.c | 2 +- crypto/bio/bio_lib.c | 2 +- crypto/bio/bss_acpt.c | 2 +- crypto/bio/bss_conn.c | 2 +- crypto/bio/bss_log.c | 2 +- crypto/bn/bn_blind.c | 2 +- crypto/bn/bn_exp.c | 3 +-- crypto/bn/bn_gf2m.c | 10 +++++----- crypto/bn/bn_lib.c | 6 +++--- crypto/bn/bn_mont.c | 2 +- crypto/bn/bn_print.c | 7 +++---- crypto/bn/bn_rand.c | 2 +- crypto/bn/bn_recp.c | 2 +- crypto/comp/c_zlib.c | 
3 +-- crypto/comp/comp_lib.c | 2 +- crypto/conf/conf_def.c | 6 +++--- crypto/dh/dh_lib.c | 3 +-- crypto/dsa/dsa_ameth.c | 2 +- crypto/dsa/dsa_lib.c | 2 +- crypto/dso/dso_lib.c | 5 +++-- crypto/dso/dso_win32.c | 2 +- crypto/ec/ec_ameth.c | 2 +- crypto/ec/ec_key.c | 2 +- crypto/ec/ec_mult.c | 2 +- crypto/ec/ec_print.c | 2 +- crypto/ec/ecp_nistp224.c | 2 +- crypto/ec/ecp_nistp256.c | 2 +- crypto/ec/ecp_nistp521.c | 2 +- crypto/ec/ecp_nistz256.c | 2 +- crypto/ecdh/ech_lib.c | 2 +- crypto/ecdsa/ecs_lib.c | 2 +- crypto/engine/eng_cryptodev.c | 2 +- crypto/engine/eng_lib.c | 2 +- crypto/err/err.c | 2 +- crypto/evp/bio_b64.c | 2 +- crypto/evp/bio_enc.c | 2 +- crypto/evp/bio_ok.c | 2 +- crypto/evp/evp_pbe.c | 2 +- crypto/evp/p_lib.c | 2 +- crypto/evp/p_open.c | 2 +- crypto/ex_data.c | 3 +-- crypto/lhash/lhash.c | 15 ++++++--------- crypto/lock.c | 2 +- crypto/mem.c | 2 +- crypto/mem_dbg.c | 4 ++-- crypto/modes/gcm128.c | 2 +- crypto/modes/ocb128.c | 2 +- crypto/objects/o_names.c | 2 +- crypto/objects/obj_dat.c | 14 ++++++-------- crypto/pem/pem_lib.c | 2 +- crypto/pem/pem_seal.c | 4 ++-- crypto/pem/pem_sign.c | 2 +- crypto/pqueue/pqueue.c | 4 ++-- crypto/rsa/rsa_ameth.c | 2 +- crypto/rsa/rsa_lib.c | 2 +- crypto/rsa/rsa_saos.c | 4 ++-- crypto/rsa/rsa_sign.c | 4 ++-- crypto/srp/srp_vfy.c | 7 +++---- crypto/stack/stack.c | 5 ++--- crypto/store/str_lib.c | 4 ++-- crypto/store/str_mem.c | 3 +-- crypto/store/str_meth.c | 3 +-- crypto/ts/ts_rsp_sign.c | 4 ++-- crypto/ts/ts_verify_ctx.c | 4 ++-- crypto/ui/ui_lib.c | 9 ++++----- crypto/x509/by_dir.c | 2 +- crypto/x509/x509_lu.c | 8 ++++---- crypto/x509/x509_req.c | 2 +- crypto/x509/x509_vfy.c | 3 ++- crypto/x509v3/v3_lib.c | 4 +--- crypto/x509v3/v3_utl.c | 2 +- demos/b64.c | 2 +- engines/ccgost/gost_crypt.c | 2 +- engines/e_cswift.c | 2 +- ssl/bio_ssl.c | 2 +- ssl/d1_both.c | 7 +++---- ssl/ssl_cert.c | 4 ++-- ssl/ssl_ciph.c | 7 +++---- ssl/ssl_lib.c | 4 ++-- ssl/ssl_sess.c | 4 ++-- ssl/t1_enc.c | 4 ++-- test/dhtest.c | 4 ++-- 
test/ecdhtest.c | 4 ++-- 114 files changed, 191 insertions(+), 226 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 462e2b6..66e3796 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -180,7 +180,7 @@ int chopup_args(ARGS *arg, char *buf) arg->argc = 0; if (arg->size == 0) { arg->size = 20; - arg->argv = (char **)OPENSSL_malloc(sizeof(char *) * arg->size); + arg->argv = OPENSSL_malloc(sizeof(char *) * arg->size); if (arg->argv == NULL) return 0; } @@ -195,8 +195,7 @@ int chopup_args(ARGS *arg, char *buf) /* The start of something good :-) */ if (arg->argc >= arg->size) { arg->size += 20; - arg->argv = (char **)OPENSSL_realloc(arg->argv, - sizeof(char *) * arg->size); + arg->argv = OPENSSL_realloc(arg->argv, sizeof(char *) * arg->size); if (arg->argv == NULL) return 0; } @@ -368,7 +367,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) ok = UI_add_input_string(ui, prompt, ui_flags, buf, PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { - buff = (char *)OPENSSL_malloc(bufsiz); + buff = OPENSSL_malloc(bufsiz); if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); diff --git a/apps/ca.c b/apps/ca.c index 218a407..ac720db 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1986,17 +1986,17 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; /* We now just add it to the database */ - row[DB_type] = (char *)OPENSSL_malloc(2); + row[DB_type] = OPENSSL_malloc(2); tm = X509_get_notAfter(ret); - row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; row[DB_rev_date] = NULL; /* row[DB_serial] done already */ - row[DB_file] = (char *)OPENSSL_malloc(8); + row[DB_file] = OPENSSL_malloc(8); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || 
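Review bot: In `chopup_args()` both allocation failures leave `arg` inconsistent: `arg->size` has already been set to 20 (or raised by 20) when `arg->argv` becomes NULL, and the `OPENSSL_realloc` result overwrites `arg->argv`, so the old array is leaked. Because the first block allocates only when `arg->size == 0`, a later call on the same `ARGS` would skip allocation and, as far as these hunks show, continue with a NULL `argv`. Assign to a temporary first, `char **tmp = OPENSSL_realloc(arg->argv, sizeof(char *) * (arg->size + 20));`, return 0 if it is NULL, and only then store `tmp` and the new size; in the first block reset `arg->size = 0` on failure. This covers the hunks at -180 and -195; the function body continues outside both.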
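Review bot: `do_body()` writes into `row[DB_exp_date]` before any check of the allocation: `memcpy(row[DB_exp_date], tm->data, tm->length);` and the `'\0'` store follow `OPENSSL_malloc(tm->length + 1)` directly, and the `row[...] == NULL` test only comes a few lines later. On allocation failure that is a write through a NULL pointer. Move the `memcpy` and the terminator store below the existing NULL test, whose body is outside the hunk. `do_revoke()` (hunk at -2242) has the same sequence and needs the same reordering.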
@@ -2008,8 +2008,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, row[DB_type][0] = 'V'; row[DB_type][1] = '\0'; - if ((irow = - (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { + if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } @@ -2242,17 +2241,17 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[DB_serial], row[DB_name]); /* We now just add it to the database */ - row[DB_type] = (char *)OPENSSL_malloc(2); + row[DB_type] = OPENSSL_malloc(2); tm = X509_get_notAfter(x509); - row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; row[DB_rev_date] = NULL; /* row[DB_serial] done already */ - row[DB_file] = (char *)OPENSSL_malloc(8); + row[DB_file] = OPENSSL_malloc(8); /* row[DB_name] done already */ @@ -2265,9 +2264,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[DB_type][0] = 'V'; row[DB_type][1] = '\0'; - if ((irow = - (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == - NULL) { + if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } @@ -2406,7 +2403,7 @@ static int do_updatedb(CA_DB *db) /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); - a_tm_s = (char *)OPENSSL_malloc(a_tm->length + 1); + a_tm_s = OPENSSL_malloc(a_tm->length + 1); if (a_tm_s == NULL) { cnt = -1; goto end; diff --git a/apps/dgst.c b/apps/dgst.c index adfa2a6..106e939 100644 --- a/apps/dgst.c +++ b/apps/dgst.c 
@@ -139,7 +139,7 @@ int dgst_main(int argc, char **argv) int engine_impl = 0; prog = opt_progname(argv[0]); - if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) { + if ((buf = OPENSSL_malloc(BUFSIZE)) == NULL) { BIO_printf(bio_err, "%s: out of memory\n", prog); goto end; } diff --git a/apps/dhparam.c b/apps/dhparam.c index 6e51c0b..e7fa7ae 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -379,7 +379,7 @@ int dhparam_main(int argc, char **argv) len = BN_num_bytes(dh->p); bits = BN_num_bits(dh->p); - data = (unsigned char *)OPENSSL_malloc(len); + data = OPENSSL_malloc(len); if (data == NULL) { perror("OPENSSL_malloc"); goto end; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index f7365b9..5aa6e2c 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -273,7 +273,7 @@ int dsaparam_main(int argc, char **argv) len = BN_num_bytes(dsa->p); bits_p = BN_num_bits(dsa->p); - data = (unsigned char *)OPENSSL_malloc(len + 20); + data = OPENSSL_malloc(len + 20); if (data == NULL) { perror("OPENSSL_malloc"); goto end; diff --git a/apps/ecparam.c b/apps/ecparam.c index 049fc78..f316793 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -388,8 +388,7 @@ int ecparam_main(int argc, char **argv) if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len) buf_len = tmp_len; - buffer = (unsigned char *)OPENSSL_malloc(buf_len); - + buffer = OPENSSL_malloc(buf_len); if (buffer == NULL) { perror("OPENSSL_malloc"); goto end; diff --git a/apps/enc.c b/apps/enc.c index 61a64d4..794fce1 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -314,7 +314,7 @@ int enc_main(int argc, char **argv) BIO_printf(bio_err, "bufsize=%d\n", bsize); strbuf = OPENSSL_malloc(SIZE); - buff = (unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); + buff = OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); if ((buff == NULL) || (strbuf == NULL)) { BIO_printf(bio_err, "OPENSSL_malloc failure %ld\n", (long)EVP_ENCODE_LENGTH(bsize)); diff --git a/apps/rsa.c b/apps/rsa.c index 8e93dd2..c8b05e6 100644 --- a/apps/rsa.c 
+++ b/apps/rsa.c @@ -349,7 +349,7 @@ int rsa_main(int argc, char **argv) i = 1; size = i2d_RSA_NET(rsa, NULL, NULL, 0); - if ((p = (unsigned char *)OPENSSL_malloc(size)) == NULL) { + if ((p = OPENSSL_malloc(size)) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } diff --git a/apps/s_client.c b/apps/s_client.c index 431a106..9181c75 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -385,7 +385,7 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg) static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) { SRP_ARG *srp_arg = (SRP_ARG *)arg; - char *pass = (char *)OPENSSL_malloc(PWD_STRLEN + 1); + char *pass = OPENSSL_malloc(PWD_STRLEN + 1); PW_CB_DATA cb_tmp; int l; diff --git a/apps/s_server.c b/apps/s_server.c index e12db0c..fb6fd3d 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -461,7 +461,7 @@ static int ebcdic_new(BIO *bi) { EBCDIC_OUTBUFF *wbuf; - wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); + wbuf = OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); if (!wbuf) return 0; wbuf->alloced = 1024; @@ -518,7 +518,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = num + num; /* double the size */ if (num < inl) num = inl; - wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); + wbuf = OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); if (!wbuf) return 0; OPENSSL_free(b->ptr); diff --git a/apps/s_socket.c b/apps/s_socket.c index 4c440dc..050426a 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -562,7 +562,7 @@ static int do_accept(int acc_sock, int *sock, char **host) *host = NULL; /* return(0); */ } else { - if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) { + if ((*host = OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) { perror("OPENSSL_malloc"); closesocket(ret); return (0); diff --git a/apps/speed.c b/apps/speed.c index 5758705..7dfdda8 100644 --- a/apps/speed.c +++ b/apps/speed.c 
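Review bot: The length returned by `i2d_RSA_NET(rsa, NULL, NULL, 0)` is passed straight to `OPENSSL_malloc(size)` without a sign check, although the i2d encoders report failure through a non-positive return value. Add an `if (size <= 0)` test before the allocation; the matching error exit is outside this hunk. The same pattern is visible in the hunks for `ASN1_digest` (`i = i2d(data, NULL)`), `ASN1_i2d_bio` (`n = i2d(x, NULL)`), `ASN1_sign` (`OPENSSL_malloc((unsigned int)inl)`, where a negative `inl` turns into a very large request) and `X509_ocspid_print` (`derlen`) further down.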
@@ -791,13 +791,11 @@ int speed_main(int argc, char **argv) ecdh_doit[i] = 0; #endif - if ((buf_malloc = - (unsigned char *)OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { + if ((buf_malloc = OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { BIO_printf(bio_err, "out of memory\n"); goto end; } - if ((buf2_malloc = - (unsigned char *)OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { + if ((buf2_malloc = OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { BIO_printf(bio_err, "out of memory\n"); goto end; } diff --git a/apps/srp.c b/apps/srp.c index c62d55d..0acbb8a 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -138,8 +138,7 @@ static int update_index(CA_DB *db, BIO *bio, char **row) char **irow; int i; - if ((irow = - (char **)OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { + if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { BIO_printf(bio_err, "Memory allocation failure\n"); return 0; } diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c index 3c953aa..1717dae 100644 --- a/apps/vms_decc_init.c +++ b/apps/vms_decc_init.c @@ -130,7 +130,7 @@ char **copy_argv(int *argc, char *argv[]) */ int i, count = *argc; - char **newargv = (char **)OPENSSL_malloc((count + 1) * sizeof *newargv); + char **newargv = OPENSSL_malloc((count + 1) * sizeof *newargv); for (i = 0; i < count; i++) newargv[i] = argv[i]; diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 24cdb0f..8a9e17c 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -156,7 +156,7 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | i); /* set */ if (len-- > 1) { /* using one because of the bits left byte */ - s = (unsigned char *)OPENSSL_malloc((int)len); + s = OPENSSL_malloc((int)len); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; 
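Review bot: `copy_argv()` in apps/vms_decc_init.c writes through `newargv` in the loop immediately after `OPENSSL_malloc((count + 1) * sizeof *newargv)`, with no NULL test in between. Add `if (newargv == NULL) return NULL;` before the `for` loop. The callers are not visible here, so confirm they handle a NULL return; the rest of the function is outside the hunk.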
@@ -206,10 +206,9 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) if (!value) return (1); /* Don't need to set */ if (a->data == NULL) - c = (unsigned char *)OPENSSL_malloc(w + 1); + c = OPENSSL_malloc(w + 1); else - c = (unsigned char *)OPENSSL_realloc_clean(a->data, - a->length, w + 1); + c = OPENSSL_realloc_clean(a->data, a->length, w + 1); if (c == NULL) { ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c index 7cbc475..8fac13b 100644 --- a/crypto/asn1/a_digest.c +++ b/crypto/asn1/a_digest.c @@ -79,7 +79,7 @@ int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, unsigned char *str, *p; i = i2d(data, NULL); - if ((str = (unsigned char *)OPENSSL_malloc(i)) == NULL) { + if ((str = OPENSSL_malloc(i)) == NULL) { ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_MALLOC_FAILURE); return (0); } diff --git a/crypto/asn1/a_enum.c b/crypto/asn1/a_enum.c index 00312b0..54d6542 100644 --- a/crypto/asn1/a_enum.c +++ b/crypto/asn1/a_enum.c @@ -77,8 +77,7 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) if (a->length < (int)(sizeof(long) + 1)) { if (a->data != NULL) OPENSSL_free(a->data); - if ((a->data = - (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL) + if ((a->data = OPENSSL_malloc(sizeof(long) + 1)) != NULL) memset((char *)a->data, 0, sizeof(long) + 1); } if (a->data == NULL) { diff --git a/crypto/asn1/a_i2d_fp.c b/crypto/asn1/a_i2d_fp.c index 746e34a..e0f236e 100644 --- a/crypto/asn1/a_i2d_fp.c +++ b/crypto/asn1/a_i2d_fp.c @@ -87,7 +87,7 @@ int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, unsigned char *x) int i, j = 0, n, ret = 1; n = i2d(x, NULL); - b = (char *)OPENSSL_malloc(n); + b = OPENSSL_malloc(n); if (b == NULL) { ASN1err(ASN1_F_ASN1_I2D_BIO, ERR_R_MALLOC_FAILURE); return (0); diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 3920d5c..b5246a6 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c 
@@ -206,7 +206,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies * a missing NULL parameter. */ - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; @@ -312,7 +312,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies * a missing NULL parameter. */ - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; @@ -351,8 +351,7 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) if (a->length < (int)(sizeof(long) + 1)) { if (a->data != NULL) OPENSSL_free(a->data); - if ((a->data = - (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL) + if ((a->data = OPENSSL_malloc(sizeof(long) + 1)) != NULL) memset((char *)a->data, 0, sizeof(long) + 1); } if (a->data == NULL) { diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 845413c..166eb65 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -317,7 +317,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, ret->length = 0; if (data != NULL) OPENSSL_free(data); - data = (unsigned char *)OPENSSL_malloc(length); + data = OPENSSL_malloc(length); if (data == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; @@ -348,7 +348,7 @@ ASN1_OBJECT *ASN1_OBJECT_new(void) { ASN1_OBJECT *ret; - ret = (ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT)); + ret = OPENSSL_malloc(sizeof(ASN1_OBJECT)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_OBJECT_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 9fe6665..21cbe0c 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c 
@@ -171,9 +171,9 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2, } } inl = i2d(data, NULL); - buf_in = (unsigned char *)OPENSSL_malloc((unsigned int)inl); + buf_in = OPENSSL_malloc((unsigned int)inl); outll = outl = EVP_PKEY_size(pkey); - buf_out = (unsigned char *)OPENSSL_malloc((unsigned int)outl); + buf_out = OPENSSL_malloc((unsigned int)outl); if ((buf_in == NULL) || (buf_out == NULL)) { outl = 0; ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE); diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index b29e636..97f1d23 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -354,7 +354,7 @@ ASN1_STRING *ASN1_STRING_type_new(int type) { ASN1_STRING *ret; - ret = (ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING)); + ret = OPENSSL_malloc(sizeof(ASN1_STRING)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index e810345..9b397ae 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c @@ -844,7 +844,7 @@ static MIME_HEADER *mime_hdr_new(char *name, char *value) } } } - mhdr = (MIME_HEADER *)OPENSSL_malloc(sizeof(MIME_HEADER)); + mhdr = OPENSSL_malloc(sizeof(MIME_HEADER)); if (!mhdr) goto err; mhdr->name = tmpname; @@ -886,7 +886,7 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value) goto err; } /* Parameter values are case sensitive so leave as is */ - mparam = (MIME_PARAM *)OPENSSL_malloc(sizeof(MIME_PARAM)); + mparam = OPENSSL_malloc(sizeof(MIME_PARAM)); if (!mparam) goto err; mparam->param_name = tmpname; diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c index 591c3b5..c623cdc 100644 --- a/crypto/asn1/f_enum.c +++ b/crypto/asn1/f_enum.c 
@@ -152,12 +152,9 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size) i /= 2; if (num + i > slen) { if (s == NULL) - sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + - i * 2); + sp = OPENSSL_malloc((unsigned int)num + i * 2); else - sp = (unsigned char *)OPENSSL_realloc(s, - (unsigned int)num + - i * 2); + sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE); if (s != NULL) diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c index 4a81f81..39c9a61 100644 --- a/crypto/asn1/f_int.c +++ b/crypto/asn1/f_int.c @@ -166,8 +166,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) i /= 2; if (num + i > slen) { if (s == NULL) - sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + - i * 2); + sp = OPENSSL_malloc((unsigned int)num + i * 2); else sp = OPENSSL_realloc_clean(s, slen, num + i * 2); if (sp == NULL) { diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c index 6a6cf34..6cb4cfd 100644 --- a/crypto/asn1/f_string.c +++ b/crypto/asn1/f_string.c @@ -158,12 +158,9 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size) i /= 2; if (num + i > slen) { if (s == NULL) - sp = (unsigned char *)OPENSSL_malloc((unsigned int)num + - i * 2); + sp = OPENSSL_malloc((unsigned int)num + i * 2); else - sp = (unsigned char *)OPENSSL_realloc(s, - (unsigned int)num + - i * 2); + sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE); if (s != NULL) diff --git a/crypto/asn1/n_pkey.c b/crypto/asn1/n_pkey.c index cd6391e..0d8480b 100644 --- a/crypto/asn1/n_pkey.c +++ b/crypto/asn1/n_pkey.c 
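Review bot: The three near-identical hex parsers grow their buffer in two different ways: `a2i_ASN1_ENUMERATED` and `a2i_ASN1_STRING` call `OPENSSL_realloc(s, (unsigned int)num + i * 2)`, while `a2i_ASN1_INTEGER` calls `OPENSSL_realloc_clean(s, slen, num + i * 2)`. If the integer variant wipes the old block because the parsed value may be key material, the same reasoning would seem to apply to the other two. If it does not apply, a short comment at the `OPENSSL_realloc_clean` call explaining the difference would help. All three functions start and end outside their hunks.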
@@ -167,7 +167,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp, } /* Since its RC4 encrypted length is actual length */ - if ((zz = (unsigned char *)OPENSSL_malloc(rsalen)) == NULL) { + if ((zz = OPENSSL_malloc(rsalen)) == NULL) { ASN1err(ASN1_F_I2D_RSA_NET, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index e972220..da73b6d 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -268,7 +268,7 @@ int X509_ocspid_print(BIO *bp, X509 *x) if (BIO_printf(bp, " Subject OCSP hash: ") <= 0) goto err; derlen = i2d_X509_NAME(x->cert_info->subject, NULL); - if ((der = dertmp = (unsigned char *)OPENSSL_malloc(derlen)) == NULL) + if ((der = dertmp = OPENSSL_malloc(derlen)) == NULL) goto err; i2d_X509_NAME(x->cert_info->subject, &dertmp); diff --git a/crypto/asn1/x_info.c b/crypto/asn1/x_info.c index a847277..fff54c8 100644 --- a/crypto/asn1/x_info.c +++ b/crypto/asn1/x_info.c @@ -66,7 +66,7 @@ X509_INFO *X509_INFO_new(void) { X509_INFO *ret = NULL; - ret = (X509_INFO *)OPENSSL_malloc(sizeof(X509_INFO)); + ret = OPENSSL_malloc(sizeof(X509_INFO)); if (ret == NULL) { ASN1err(ASN1_F_X509_INFO_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index 0e998d6..d82385a 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -93,15 +93,15 @@ static int buffer_new(BIO *bi) { BIO_F_BUFFER_CTX *ctx; - ctx = (BIO_F_BUFFER_CTX *)OPENSSL_malloc(sizeof(BIO_F_BUFFER_CTX)); + ctx = OPENSSL_malloc(sizeof(BIO_F_BUFFER_CTX)); if (ctx == NULL) return (0); - ctx->ibuf = (char *)OPENSSL_malloc(DEFAULT_BUFFER_SIZE); + ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE); if (ctx->ibuf == NULL) { OPENSSL_free(ctx); return (0); } - ctx->obuf = (char *)OPENSSL_malloc(DEFAULT_BUFFER_SIZE); + ctx->obuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE); if (ctx->obuf == NULL) { OPENSSL_free(ctx->ibuf); OPENSSL_free(ctx); 
@@ -366,12 +366,12 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr) p1 = ctx->ibuf; p2 = ctx->obuf; if ((ibs > DEFAULT_BUFFER_SIZE) && (ibs != ctx->ibuf_size)) { - p1 = (char *)OPENSSL_malloc((int)num); + p1 = OPENSSL_malloc((int)num); if (p1 == NULL) goto malloc_error; } if ((obs > DEFAULT_BUFFER_SIZE) && (obs != ctx->obuf_size)) { - p2 = (char *)OPENSSL_malloc((int)num); + p2 = OPENSSL_malloc((int)num); if (p2 == NULL) { if (p1 != ctx->ibuf) OPENSSL_free(p1); diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c index 3b75b7e..ef12820 100644 --- a/crypto/bio/bf_lbuf.c +++ b/crypto/bio/bf_lbuf.c @@ -104,10 +104,10 @@ static int linebuffer_new(BIO *bi) { BIO_LINEBUFFER_CTX *ctx; - ctx = (BIO_LINEBUFFER_CTX *)OPENSSL_malloc(sizeof(BIO_LINEBUFFER_CTX)); + ctx = OPENSSL_malloc(sizeof(BIO_LINEBUFFER_CTX)); if (ctx == NULL) return (0); - ctx->obuf = (char *)OPENSSL_malloc(DEFAULT_LINEBUFFER_SIZE); + ctx->obuf = OPENSSL_malloc(DEFAULT_LINEBUFFER_SIZE); if (ctx->obuf == NULL) { OPENSSL_free(ctx); return (0); @@ -278,7 +278,7 @@ static long linebuffer_ctrl(BIO *b, int cmd, long num, void *ptr) obs = (int)num; p = ctx->obuf; if ((obs > DEFAULT_LINEBUFFER_SIZE) && (obs != ctx->obuf_size)) { - p = (char *)OPENSSL_malloc((int)num); + p = OPENSSL_malloc((int)num); if (p == NULL) goto malloc_error; } diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 0ba6055..df547a1 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -102,7 +102,7 @@ static int nbiof_new(BIO *bi) { NBIO_TEST *nt; - if (!(nt = (NBIO_TEST *)OPENSSL_malloc(sizeof(NBIO_TEST)))) + if (!(nt = OPENSSL_malloc(sizeof(NBIO_TEST)))) return (0); nt->lrn = -1; nt->lwn = -1; diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index a5d8680..e7957a7 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c 
@@ -67,7 +67,7 @@ BIO *BIO_new(BIO_METHOD *method) { BIO *ret = NULL; - ret = (BIO *)OPENSSL_malloc(sizeof(BIO)); + ret = OPENSSL_malloc(sizeof(BIO)); if (ret == NULL) { BIOerr(BIO_F_BIO_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 72f7bd2..d6f6678 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -137,7 +137,7 @@ static BIO_ACCEPT *BIO_ACCEPT_new(void) { BIO_ACCEPT *ret; - if ((ret = (BIO_ACCEPT *)OPENSSL_malloc(sizeof(BIO_ACCEPT))) == NULL) + if ((ret = OPENSSL_malloc(sizeof(BIO_ACCEPT))) == NULL) return (NULL); memset(ret, 0, sizeof(BIO_ACCEPT)); diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index e95b4b3..e44bb32 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -287,7 +287,7 @@ BIO_CONNECT *BIO_CONNECT_new(void) { BIO_CONNECT *ret; - if ((ret = (BIO_CONNECT *)OPENSSL_malloc(sizeof(BIO_CONNECT))) == NULL) + if ((ret = OPENSSL_malloc(sizeof(BIO_CONNECT))) == NULL) return (NULL); ret->state = BIO_CONN_S_BEFORE; ret->param_hostname = NULL; diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c index 5f9ab57..2399ff8 100644 --- a/crypto/bio/bss_log.c +++ b/crypto/bio/bss_log.c @@ -239,7 +239,7 @@ static int slg_write(BIO *b, const char *in, int inl) /* The default */ }; - if ((buf = (char *)OPENSSL_malloc(inl + 1)) == NULL) { + if ((buf = OPENSSL_malloc(inl + 1)) == NULL) { return (0); } strncpy(buf, in, inl); diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 1cd6fb8..f045904 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -137,7 +137,7 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) bn_check_top(mod); - if ((ret = (BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL) { + if ((ret = OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL) { BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 8c46e50..153a970 100644 
--- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -758,8 +758,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, else #endif if ((powerbufFree = - (unsigned char *)OPENSSL_malloc(powerbufLen + - MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) + OPENSSL_malloc(powerbufLen + MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH)) == NULL) goto err; diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c index aeee49a..fc7ad24 100644 --- a/crypto/bn/bn_gf2m.c +++ b/crypto/bn/bn_gf2m.c @@ -551,7 +551,7 @@ int BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, bn_check_top(a); bn_check_top(b); bn_check_top(p); - if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) + if ((arr = OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; ret = BN_GF2m_poly2arr(p, arr, max); if (!ret || ret > max) { @@ -610,7 +610,7 @@ int BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) bn_check_top(a); bn_check_top(p); - if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) + if ((arr = OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; ret = BN_GF2m_poly2arr(p, arr, max); if (!ret || ret > max) { @@ -1027,7 +1027,7 @@ int BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, bn_check_top(a); bn_check_top(b); bn_check_top(p); - if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) + if ((arr = OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; ret = BN_GF2m_poly2arr(p, arr, max); if (!ret || ret > max) { @@ -1087,7 +1087,7 @@ int BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) int *arr = NULL; bn_check_top(a); bn_check_top(p); - if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) + if ((arr = OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; ret = BN_GF2m_poly2arr(p, arr, max); if (!ret || ret > max) { 
@@ -1218,7 +1218,7 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, int *arr = NULL; bn_check_top(a); bn_check_top(p); - if ((arr = (int *)OPENSSL_malloc(sizeof(int) * max)) == NULL) + if ((arr = OPENSSL_malloc(sizeof(int) * max)) == NULL) goto err; ret = BN_GF2m_poly2arr(p, arr, max); if (!ret || ret > max) { diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index c3164fa..9cffba8 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -268,7 +268,7 @@ BIGNUM *BN_new(void) { BIGNUM *ret; - if ((ret = (BIGNUM *)OPENSSL_malloc(sizeof(BIGNUM))) == NULL) { + if ((ret = OPENSSL_malloc(sizeof(BIGNUM))) == NULL) { BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } @@ -299,7 +299,7 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, int words) BNerr(BN_F_BN_EXPAND_INTERNAL, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); return (NULL); } - a = A = (BN_ULONG *)OPENSSL_malloc(sizeof(BN_ULONG) * words); + a = A = OPENSSL_malloc(sizeof(BN_ULONG) * words); if (A == NULL) { BNerr(BN_F_BN_EXPAND_INTERNAL, ERR_R_MALLOC_FAILURE); return (NULL); @@ -921,7 +921,7 @@ BN_GENCB *BN_GENCB_new(void) { BN_GENCB *ret; - if ((ret = (BN_GENCB *)OPENSSL_malloc(sizeof(BN_GENCB))) == NULL) { + if ((ret = OPENSSL_malloc(sizeof(BN_GENCB))) == NULL) { BNerr(BN_F_BN_GENCB_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index 45deed7..f19910d 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -314,7 +314,7 @@ BN_MONT_CTX *BN_MONT_CTX_new(void) { BN_MONT_CTX *ret; - if ((ret = (BN_MONT_CTX *)OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL) + if ((ret = OPENSSL_malloc(sizeof(BN_MONT_CTX))) == NULL) return (NULL); BN_MONT_CTX_init(ret); diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c index 1000e69..9b03240 100644 --- a/crypto/bn/bn_print.c +++ b/crypto/bn/bn_print.c 
@@ -71,7 +71,7 @@ char *BN_bn2hex(const BIGNUM *a) char *buf; char *p; - buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2); + buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2); if (buf == NULL) { BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE); goto err; @@ -114,9 +114,8 @@ char *BN_bn2dec(const BIGNUM *a) */ i = BN_num_bits(a) * 3; num = (i / 10 + i / 1000 + 1) + 1; - bn_data = - (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); - buf = (char *)OPENSSL_malloc(num + 3); + bn_data = OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); + buf = OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index be58a5a..1096464 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -131,7 +131,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) bit = (bits - 1) % 8; mask = 0xff << (bit + 1); - buf = (unsigned char *)OPENSSL_malloc(bytes); + buf = OPENSSL_malloc(bytes); if (buf == NULL) { BNerr(BN_F_BNRAND, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c index 4f94408..ef1972b 100644 --- a/crypto/bn/bn_recp.c +++ b/crypto/bn/bn_recp.c @@ -71,7 +71,7 @@ BN_RECP_CTX *BN_RECP_CTX_new(void) { BN_RECP_CTX *ret; - if ((ret = (BN_RECP_CTX *)OPENSSL_malloc(sizeof(BN_RECP_CTX))) == NULL) + if ((ret = OPENSSL_malloc(sizeof(BN_RECP_CTX))) == NULL) return (NULL); BN_RECP_CTX_init(ret); diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index c3b064c..aa03f8f 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -119,8 +119,7 @@ static int zlib_stateful_ex_idx = -1; static int zlib_stateful_init(COMP_CTX *ctx) { int err; - struct zlib_state *state = - (struct zlib_state *)OPENSSL_malloc(sizeof(struct zlib_state)); + struct zlib_state *state = OPENSSL_malloc(sizeof(struct zlib_state)); if (state == NULL) goto err; 
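Review bot: In bn_print.c, BN_bn2hex computes its buffer size as `a->top * BN_BYTES * 2 + 2` with no visible bound on `a->top`, and BN_bn2dec derives `num` from `BN_num_bits(a) * 3` before allocating `num + 3` bytes. If this arithmetic is done in int, a very large BIGNUM could wrap the size and leave a buffer shorter than what the conversion writes. An explicit limit before the allocation, for example `if (a->top > (INT_MAX - 2) / (BN_BYTES * 2)) goto err;`, would state the precondition. Both functions continue outside the hunks, so a check elsewhere cannot be ruled out from here.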
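Review bot: zlib_stateful_init in c_zlib.c declares a local `int err;` and also jumps to a label with the same name, `goto err;`. C keeps labels in a separate name space, so this compiles, but a reader has to check every use to tell the status variable from the cleanup target. Renaming one of them, for instance the label to `fail`, removes the ambiguity. The function continues outside the hunk, so the rename would touch lines not shown here.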
diff --git a/crypto/comp/comp_lib.c b/crypto/comp/comp_lib.c index bd4eb7a..7bcdd6b 100644 --- a/crypto/comp/comp_lib.c +++ b/crypto/comp/comp_lib.c @@ -8,7 +8,7 @@ COMP_CTX *COMP_CTX_new(COMP_METHOD *meth) { COMP_CTX *ret; - if ((ret = (COMP_CTX *)OPENSSL_malloc(sizeof(COMP_CTX))) == NULL) { + if ((ret = OPENSSL_malloc(sizeof(COMP_CTX))) == NULL) { /* ZZZZZZZZZZZZZZZZ */ return (NULL); } diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index c8744e6..ef3fef4 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -225,7 +225,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) goto err; } - section = (char *)OPENSSL_malloc(10); + section = OPENSSL_malloc(10); if (section == NULL) { CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; @@ -357,13 +357,13 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) p++; *p = '\0'; - if (!(v = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) { + if (!(v = OPENSSL_malloc(sizeof(CONF_VALUE)))) { CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); goto err; } if (psection == NULL) psection = section; - v->name = (char *)OPENSSL_malloc(strlen(pname) + 1); + v->name = OPENSSL_malloc(strlen(pname) + 1); v->value = NULL; if (v->name == NULL) { CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE); diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 4f07a27..68a54a6 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -109,9 +109,8 @@ DH *DH_new(void) DH *DH_new_method(ENGINE *engine) { - DH *ret; + DH *ret = OPENSSL_malloc(sizeof(DH)); - ret = (DH *)OPENSSL_malloc(sizeof(DH)); if (ret == NULL) { DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 65e07fd..c155e5b 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c 
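Review bot: The allocation-failure branch of COMP_CTX_new in comp_lib.c still carries only the placeholder comment `/* ZZZZZZZZZZZZZZZZ */` and returns NULL without recording an error. Since the line above it is being edited anyway, the placeholder could become a comment that says what is intended, such as `/* allocation failed: no error is queued here */`, or a real malloc-failure error if the COMP module has an error macro (none is visible here). The function continues outside the hunk.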
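Review bot: def_load_bio in conf_def.c allocates `section` with the bare literal `OPENSSL_malloc(10)`. The string later copied into it is outside the hunk, so nothing here shows that 10 bytes is enough or why that number was chosen. Sizing the buffer from the value it will hold, through a named constant or `sizeof` of the initial section name, and using the same expression at the copy site would remove the silent coupling between the two places.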
@@ -451,7 +451,7 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) update_buflen(priv_key, &buf_len); update_buflen(pub_key, &buf_len); - m = (unsigned char *)OPENSSL_malloc(buf_len + 10); + m = OPENSSL_malloc(buf_len + 10); if (m == NULL) { DSAerr(DSA_F_DO_DSA_PRINT, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index c94be9d..5cf1824 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -117,7 +117,7 @@ DSA *DSA_new_method(ENGINE *engine) { DSA *ret; - ret = (DSA *)OPENSSL_malloc(sizeof(DSA)); + ret = OPENSSL_malloc(sizeof(DSA)); if (ret == NULL) { DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index 09b8eaf..c1d6d25 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -96,14 +96,15 @@ DSO *DSO_new_method(DSO_METHOD *meth) { DSO *ret; - if (default_DSO_meth == NULL) + if (default_DSO_meth == NULL) { /* * We default to DSO_METH_openssl() which in turn defaults to * stealing the "best available" method. Will fallback to * DSO_METH_null() in the worst case. */ default_DSO_meth = DSO_METHOD_openssl(); - ret = (DSO *)OPENSSL_malloc(sizeof(DSO)); + } + ret = OPENSSL_malloc(sizeof(DSO)); if (ret == NULL) { DSOerr(DSO_F_DSO_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/dso/dso_win32.c b/crypto/dso/dso_win32.c index e671672..2499fc1 100644 --- a/crypto/dso/dso_win32.c +++ b/crypto/dso/dso_win32.c @@ -168,7 +168,7 @@ static int win32_load(DSO *dso) ERR_add_error_data(3, "filename(", filename, ")"); goto err; } - p = (HINSTANCE *) OPENSSL_malloc(sizeof(HINSTANCE)); + p = OPENSSL_malloc(sizeof(HINSTANCE)); if (p == NULL) { DSOerr(DSO_F_WIN32_LOAD, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 65c3d56..5a7b0b7 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c 
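Review bot: In do_dsa_print (dsa_ameth.c) the scratch buffer `m` is sized after `update_buflen(priv_key, &buf_len)`, so it appears to be used for private-key bytes while printing. The release of `m` is outside the hunk; if it is a plain `OPENSSL_free(m)`, that material stays behind in freed heap memory. Clearing it first with `OPENSSL_cleanse(m, buf_len + 10);` would avoid that. do_rsa_print in rsa_ameth.c allocates `buf_len + 10` the same way after sizing for `x->iqmp`.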
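Review bot: DSO_new_method in dso_lib.c tests and then assigns the file-scope pointer `default_DSO_meth` with no lock taken in the lines shown, so two threads creating their first DSO at the same time can both run the initialisation. That is harmless only if DSO_METHOD_openssl() always returns the same pointer and the store is not torn, neither of which is visible here. A comment inside the new braces stating that assumption, or a lock around the check, would settle it. The brace addition is also unrelated to the cast removal and would be easier to review as its own change.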
@@ -324,7 +324,7 @@ static int eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB); return 0; } - ep = (unsigned char *)OPENSSL_malloc(eplen); + ep = OPENSSL_malloc(eplen); if (!ep) { EC_KEY_set_enc_flags(ec_key, old_flags); ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_MALLOC_FAILURE); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index a74ccf7..b73263d 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -69,7 +69,7 @@ EC_KEY *EC_KEY_new(void) { EC_KEY *ret; - ret = (EC_KEY *)OPENSSL_malloc(sizeof(EC_KEY)); + ret = OPENSSL_malloc(sizeof(EC_KEY)); if (ret == NULL) { ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 243b539..979b454 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -100,7 +100,7 @@ static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) if (!group) return NULL; - ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP)); + ret = OPENSSL_malloc(sizeof(EC_PRE_COMP)); if (!ret) { ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; diff --git a/crypto/ec/ec_print.c b/crypto/ec/ec_print.c index 7c34694..5ae85cc 100644 --- a/crypto/ec/ec_print.c +++ b/crypto/ec/ec_print.c @@ -143,7 +143,7 @@ char *EC_POINT_point2hex(const EC_GROUP *group, return NULL; } - ret = (char *)OPENSSL_malloc(buf_len * 2 + 2); + ret = OPENSSL_malloc(buf_len * 2 + 2); if (ret == NULL) { OPENSSL_free(buf); return NULL; diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 6269cce..5afe71c 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -1200,7 +1200,7 @@ static void batch_mul(felem x_out, felem y_out, felem z_out, static NISTP224_PRE_COMP *nistp224_pre_comp_new() { NISTP224_PRE_COMP *ret = NULL; - ret = (NISTP224_PRE_COMP *) OPENSSL_malloc(sizeof *ret); + ret = OPENSSL_malloc(sizeof *ret); if (!ret) { ECerr(EC_F_NISTP224_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; 
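Review bot: nistp224_pre_comp_new in ecp_nistp224.c initialises `ret` to NULL and overwrites it on the very next line, and its definition uses an empty parameter list `()` rather than `(void)`. Folding the two lines into `NISTP224_PRE_COMP *ret = OPENSSL_malloc(sizeof *ret);` removes the dead store, as this patch already does for DH_new_method and UI_new_method. nistp256_pre_comp_new and nistp521_pre_comp_new have the same shape, and the nistp521 one sizes by type name where the other two use `sizeof *ret`.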
diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index b42e96a..2f394bf 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -1815,7 +1815,7 @@ const EC_METHOD *EC_GFp_nistp256_method(void) static NISTP256_PRE_COMP *nistp256_pre_comp_new() { NISTP256_PRE_COMP *ret = NULL; - ret = (NISTP256_PRE_COMP *) OPENSSL_malloc(sizeof *ret); + ret = OPENSSL_malloc(sizeof *ret); if (!ret) { ECerr(EC_F_NISTP256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index 2e4a651..b2fe653 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -1644,7 +1644,7 @@ const EC_METHOD *EC_GFp_nistp521_method(void) static NISTP521_PRE_COMP *nistp521_pre_comp_new() { NISTP521_PRE_COMP *ret = NULL; - ret = (NISTP521_PRE_COMP *) OPENSSL_malloc(sizeof(NISTP521_PRE_COMP)); + ret = OPENSSL_malloc(sizeof(NISTP521_PRE_COMP)); if (!ret) { ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 6937314..c527797 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1416,7 +1416,7 @@ static EC_PRE_COMP *ecp_nistz256_pre_comp_new(const EC_GROUP *group) if (!group) return NULL; - ret = (EC_PRE_COMP *)OPENSSL_malloc(sizeof(EC_PRE_COMP)); + ret = OPENSSL_malloc(sizeof(EC_PRE_COMP)); if (!ret) { ECerr(EC_F_ECP_NISTZ256_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index 5147368..7b57ec4 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -117,7 +117,7 @@ static ECDH_DATA *ECDH_DATA_new_method(ENGINE *engine) { ECDH_DATA *ret; - ret = (ECDH_DATA *)OPENSSL_malloc(sizeof(ECDH_DATA)); + ret = OPENSSL_malloc(sizeof(ECDH_DATA)); if (ret == NULL) { ECDHerr(ECDH_F_ECDH_DATA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index 67e521f..cdb7b60 100644 --- a/crypto/ecdsa/ecs_lib.c 
+++ b/crypto/ecdsa/ecs_lib.c @@ -105,7 +105,7 @@ static ECDSA_DATA *ECDSA_DATA_new_method(ENGINE *engine) { ECDSA_DATA *ret; - ret = (ECDSA_DATA *)OPENSSL_malloc(sizeof(ECDSA_DATA)); + ret = OPENSSL_malloc(sizeof(ECDSA_DATA)); if (ret == NULL) { ECDSAerr(ECDSA_F_ECDSA_DATA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index d005e01..a3be0d7 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -1045,7 +1045,7 @@ static int crparam2bn(struct crparam *crp, BIGNUM *a) if (bytes == 0) return (-1); - if ((pd = (u_int8_t *) OPENSSL_malloc(bytes)) == NULL) + if ((pd = OPENSSL_malloc(bytes)) == NULL) return (-1); for (i = 0; i < bytes; i++) diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index dc2abd2..6083440 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -66,7 +66,7 @@ ENGINE *ENGINE_new(void) { ENGINE *ret; - ret = (ENGINE *)OPENSSL_malloc(sizeof(ENGINE)); + ret = OPENSSL_malloc(sizeof(ENGINE)); if (ret == NULL) { ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE); return NULL; diff --git a/crypto/err/err.c b/crypto/err/err.c index b078442..4752148 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -886,7 +886,7 @@ ERR_STATE *ERR_get_state(void) /* ret == the error state, if NULL, make a new one */ if (ret == NULL) { - ret = (ERR_STATE *)OPENSSL_malloc(sizeof(ERR_STATE)); + ret = OPENSSL_malloc(sizeof(ERR_STATE)); if (ret == NULL) return (&fallback); CRYPTO_THREADID_cpy(&ret->tid, &tid); diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index 8cbbf02..fe772fc 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -115,7 +115,7 @@ static int b64_new(BIO *bi) { BIO_B64_CTX *ctx; - ctx = (BIO_B64_CTX *)OPENSSL_malloc(sizeof(BIO_B64_CTX)); + ctx = OPENSSL_malloc(sizeof(BIO_B64_CTX)); if (ctx == NULL) return (0); diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index faaed4d..4409a91 100644 
--- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -112,7 +112,7 @@ static int enc_new(BIO *bi) { BIO_ENC_CTX *ctx; - ctx = (BIO_ENC_CTX *)OPENSSL_malloc(sizeof(BIO_ENC_CTX)); + ctx = OPENSSL_malloc(sizeof(BIO_ENC_CTX)); if (ctx == NULL) return (0); EVP_CIPHER_CTX_init(&ctx->cipher); diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index ffdde6c..1aab200 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -176,7 +176,7 @@ static int ok_new(BIO *bi) { BIO_OK_CTX *ctx; - ctx = (BIO_OK_CTX *)OPENSSL_malloc(sizeof(BIO_OK_CTX)); + ctx = OPENSSL_malloc(sizeof(BIO_OK_CTX)); if (ctx == NULL) return (0); diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 7db9511..00fa72d 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -228,7 +228,7 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid, EVP_PBE_CTL *pbe_tmp; if (!pbe_algs) pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp); - if (!(pbe_tmp = (EVP_PBE_CTL *)OPENSSL_malloc(sizeof(EVP_PBE_CTL)))) { + if (!(pbe_tmp = OPENSSL_malloc(sizeof(EVP_PBE_CTL)))) { EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index fb8f175..c9e971e 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -185,7 +185,7 @@ EVP_PKEY *EVP_PKEY_new(void) { EVP_PKEY *ret; - ret = (EVP_PKEY *)OPENSSL_malloc(sizeof(EVP_PKEY)); + ret = OPENSSL_malloc(sizeof(EVP_PKEY)); if (ret == NULL) { EVPerr(EVP_F_EVP_PKEY_NEW, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index 229eb64..adaa42f 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -88,7 +88,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, } size = RSA_size(priv->pkey.rsa); - key = (unsigned char *)OPENSSL_malloc(size + 2); + key = OPENSSL_malloc(size + 2); if (key == NULL) { /* ERROR */ EVPerr(EVP_F_EVP_OPENINIT, ERR_R_MALLOC_FAILURE); 
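Review bot: EVP_PBE_alg_add_type in evp_pbe.c creates the stack with `pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);` and goes straight on to allocate `pbe_tmp` without checking that the stack exists. If stack creation fails, `pbe_algs` stays NULL and the insertion that follows outside the hunk has to cope with it. A check directly after the creation, `if (pbe_algs == NULL) { EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE); return 0; }`, reports the failure where it happens.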
diff --git a/crypto/ex_data.c b/crypto/ex_data.c index d55985b..6a567c9 100644 --- a/crypto/ex_data.c +++ b/crypto/ex_data.c @@ -350,8 +350,7 @@ static int def_add_index(EX_CLASS_ITEM *item, long argl, void *argp, CRYPTO_EX_free *free_func) { int toret = -1; - CRYPTO_EX_DATA_FUNCS *a = - (CRYPTO_EX_DATA_FUNCS *)OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS)); + CRYPTO_EX_DATA_FUNCS *a = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS)); if (!a) { CRYPTOerr(CRYPTO_F_DEF_ADD_INDEX, ERR_R_MALLOC_FAILURE); return -1; diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 5e9bfb8..ac3b5f6 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -188,7 +188,7 @@ void *lh_insert(_LHASH *lh, void *data) rn = getrn(lh, data, &hash); if (*rn == NULL) { - if ((nn = (LHASH_NODE *)OPENSSL_malloc(sizeof(LHASH_NODE))) == NULL) { + if ((nn = OPENSSL_malloc(sizeof(LHASH_NODE))) == NULL) { lh->error++; return (NULL); } @@ -325,15 +325,13 @@ static void expand(_LHASH *lh) if ((lh->p) >= lh->pmax) { j = (int)lh->num_alloc_nodes * 2; - n = (LHASH_NODE **)OPENSSL_realloc(lh->b, - (int)(sizeof(LHASH_NODE *) * j)); + n = OPENSSL_realloc(lh->b, (int)(sizeof(LHASH_NODE *) * j)); if (n == NULL) { -/* fputs("realloc error in lhash",stderr); */ + /* fputs("realloc error in lhash",stderr); */ lh->error++; lh->p = 0; return; } - /* else */ for (i = (int)lh->num_alloc_nodes; i < j; i++) /* 26/02/92 eay */ n[i] = NULL; /* 02/03/92 eay */ lh->pmax = lh->num_alloc_nodes; @@ -351,11 +349,10 @@ static void contract(_LHASH *lh) np = lh->b[lh->p + lh->pmax - 1]; lh->b[lh->p + lh->pmax - 1] = NULL; /* 24/07-92 - eay - weird but :-( */ if (lh->p == 0) { - n = (LHASH_NODE **)OPENSSL_realloc(lh->b, - (unsigned int)(sizeof(LHASH_NODE *) - * lh->pmax)); + n = OPENSSL_realloc(lh->b, + (unsigned int)(sizeof(LHASH_NODE *) * lh->pmax)); if (n == NULL) { -/* fputs("realloc error in lhash",stderr); */ + /* fputs("realloc error in lhash",stderr); */ lh->error++; return; } 
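Review bot: In lhash.c, expand() narrows the new table size with `(int)(sizeof(LHASH_NODE *) * j)` while contract() uses `(unsigned int)(...)` for the same kind of value, so the two realloc calls disagree about the size type and either can truncate a size_t product. `j` is itself `(int)lh->num_alloc_nodes * 2`, which is not checked for overflow in the lines shown. Provided OPENSSL_realloc accepts a size_t, dropping the narrowing casts together with the result casts, `n = OPENSSL_realloc(lh->b, sizeof(*n) * j);`, would be cleaner. Both function bodies extend beyond their hunks.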
diff --git a/crypto/lock.c b/crypto/lock.c index c718878..cc5f47a 100644 --- a/crypto/lock.c +++ b/crypto/lock.c @@ -251,7 +251,7 @@ int CRYPTO_get_new_dynlockid(void) } CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - pointer = (CRYPTO_dynlock *) OPENSSL_malloc(sizeof(CRYPTO_dynlock)); + pointer = OPENSSL_malloc(sizeof(CRYPTO_dynlock)); if (pointer == NULL) { CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID, ERR_R_MALLOC_FAILURE); return (0); diff --git a/crypto/mem.c b/crypto/mem.c index 2251d57..afdce77 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -447,7 +447,7 @@ void *CRYPTO_remalloc(void *a, int num, const char *file, int line) { if (a != NULL) OPENSSL_free(a); - a = (char *)OPENSSL_malloc(num); + a = OPENSSL_malloc(num); return (a); } diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c index 36593ed..402df01 100644 --- a/crypto/mem_dbg.c +++ b/crypto/mem_dbg.c @@ -394,7 +394,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line) if (is_MemCheck_on()) { MemCheck_off(); /* obtain MALLOC2 lock */ - if ((ami = (APP_INFO *)OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { + if ((ami = OPENSSL_malloc(sizeof(APP_INFO))) == NULL) { ret = 0; goto err; } @@ -478,7 +478,7 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, if (is_MemCheck_on()) { MemCheck_off(); /* make sure we hold MALLOC2 lock */ - if ((m = (MEM *)OPENSSL_malloc(sizeof(MEM))) == NULL) { + if ((m = OPENSSL_malloc(sizeof(MEM))) == NULL) { OPENSSL_free(addr); MemCheck_on(); /* release MALLOC2 lock if num_disabled drops * to 0 */ diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 1d1b0d9..4ac28b3 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1701,7 +1701,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) { GCM128_CONTEXT *ret; - if ((ret = (GCM128_CONTEXT *)OPENSSL_malloc(sizeof(GCM128_CONTEXT)))) + if ((ret = OPENSSL_malloc(sizeof(GCM128_CONTEXT)))) CRYPTO_gcm128_init(ret, key, block); return ret; 
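Review bot: CRYPTO_remalloc in mem.c accepts `file` and `line` but the body shown never uses them, so the replacement block from `OPENSSL_malloc(num)` is presumably attributed to mem.c rather than to the caller in any allocation tracking. `num` is a signed int and is passed on without a check for negative values. The old block is also freed before the new one is known to exist, which leaves the caller with neither on failure; a comment stating that contract, e.g. `/* always frees a; returns NULL on failure, contents are not preserved */`, would help callers.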
diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c index cbcb7f6..0d82e50 100644 --- a/crypto/modes/ocb128.c +++ b/crypto/modes/ocb128.c @@ -210,7 +210,7 @@ OCB128_CONTEXT *CRYPTO_ocb128_new(void *keyenc, void *keydec, OCB128_CONTEXT *octx; int ret; - if ((octx = (OCB128_CONTEXT *)OPENSSL_malloc(sizeof(OCB128_CONTEXT)))) { + if ((octx = OPENSSL_malloc(sizeof(OCB128_CONTEXT)))) { ret = CRYPTO_ocb128_init(octx, keyenc, keydec, encrypt, decrypt); if (ret) return octx; diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index fa8709f..1fa6426 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -187,7 +187,7 @@ int OBJ_NAME_add(const char *name, int type, const char *data) alias = type & OBJ_NAME_ALIAS; type &= ~OBJ_NAME_ALIAS; - onp = (OBJ_NAME *)OPENSSL_malloc(sizeof(OBJ_NAME)); + onp = OPENSSL_malloc(sizeof(OBJ_NAME)); if (onp == NULL) { /* ERROR */ return (0); diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index 5c861d1..376169c 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c @@ -255,21 +255,19 @@ int OBJ_add_object(const ASN1_OBJECT *obj) return (0); if ((o = OBJ_dup(obj)) == NULL) goto err; - if (!(ao[ADDED_NID] = (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) + if (!(ao[ADDED_NID] = OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if ((o->length != 0) && (obj->data != NULL)) if (! - (ao[ADDED_DATA] = (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) + (ao[ADDED_DATA] = OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if (o->sn != NULL) if (! - (ao[ADDED_SNAME] = - (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) + (ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; if (o->ln != NULL) if (! - (ao[ADDED_LNAME] = - (ADDED_OBJ *)OPENSSL_malloc(sizeof(ADDED_OBJ)))) + (ao[ADDED_LNAME] = OPENSSL_malloc(sizeof(ADDED_OBJ)))) goto err2; for (i = ADDED_DATA; i <= ADDED_NID; i++) { 
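Review bot: OBJ_add_object in obj_dat.c keeps the `if (!` line break before the ADDED_DATA, ADDED_SNAME and ADDED_LNAME allocations even though the shortened expressions now fit on one line; the v3_lib.c hunk of this patch joins the equivalent split. Each could read `if (!(ao[ADDED_SNAME] = OPENSSL_malloc(sizeof(ADDED_OBJ))))` on a single line. The unbraced outer `if` above each allocation is also easy to misread next to the `goto err2;`, so braces there would help. The function starts and ends outside the hunk.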
@@ -450,7 +448,7 @@ ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name) /* Work out total size */ j = ASN1_object_size(0, i, V_ASN1_OBJECT); - if ((buf = (unsigned char *)OPENSSL_malloc(j)) == NULL) + if ((buf = OPENSSL_malloc(j)) == NULL) return NULL; p = buf; @@ -766,7 +764,7 @@ int OBJ_create(const char *oid, const char *sn, const char *ln) if (i <= 0) return (0); - if ((buf = (unsigned char *)OPENSSL_malloc(i)) == NULL) { + if ((buf = OPENSSL_malloc(i)) == NULL) { OBJerr(OBJ_F_OBJ_CREATE, ERR_R_MALLOC_FAILURE); return (0); } diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 70e6a70..431e368 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -361,7 +361,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, } /* dzise + 8 bytes are needed */ /* actually it needs the cipher block size extra... */ - data = (unsigned char *)OPENSSL_malloc((unsigned int)dsize + 20); + data = OPENSSL_malloc((unsigned int)dsize + 20); if (data == NULL) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/pem/pem_seal.c b/crypto/pem/pem_seal.c index e82ab6f..374273d 100644 --- a/crypto/pem/pem_seal.c +++ b/crypto/pem/pem_seal.c @@ -85,7 +85,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type, if (j > max) max = j; } - s = (char *)OPENSSL_malloc(max * 2); + s = OPENSSL_malloc(max * 2); if (s == NULL) { PEMerr(PEM_F_PEM_SEALINIT, ERR_R_MALLOC_FAILURE); goto err; @@ -159,7 +159,7 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl, i = RSA_size(priv->pkey.rsa); if (i < 100) i = 100; - s = (unsigned char *)OPENSSL_malloc(i * 2); + s = OPENSSL_malloc(i * 2); if (s == NULL) { PEMerr(PEM_F_PEM_SEALFINAL, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/pem/pem_sign.c b/crypto/pem/pem_sign.c index a3d5c17..87cc727 100644 --- a/crypto/pem/pem_sign.c +++ b/crypto/pem/pem_sign.c 
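Review bot: OBJ_txt2obj in obj_dat.c passes `j`, the result of `ASN1_object_size(0, i, V_ASN1_OBJECT)`, straight to OPENSSL_malloc, whereas OBJ_create in the next hunk rejects a non-positive length with `if (i <= 0) return (0);` before allocating. If ASN1_object_size can return a negative value for an oversized or invalid length (its contract is not visible here), the allocation size becomes meaningless. Adding `if (j < 0) return NULL;` ahead of the malloc would mirror the check in OBJ_create. The function continues beyond the hunk.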
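Review bot: The comment above the allocation in PEM_ASN1_write_bio (pem_lib.c) says `dzise + 8 bytes are needed` and then that the cipher block size is needed as well, yet the code adds a fixed 20. The typo and the mismatch between 8, "block size" and 20 leave the reader unable to tell what the slack has to cover. I would reword it to something like `/* dsize plus room for one cipher block of padding */` and, if possible, derive the slack from the cipher in use instead of a literal. The function extends outside the hunk.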
@@ -81,7 +81,7 @@ int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, int i, ret = 0; unsigned int m_len; - m = (unsigned char *)OPENSSL_malloc(EVP_PKEY_size(pkey) + 2); + m = OPENSSL_malloc(EVP_PKEY_size(pkey) + 2); if (m == NULL) { PEMerr(PEM_F_PEM_SIGNFINAL, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c index 675ac60..a4af9f9 100644 --- a/crypto/pqueue/pqueue.c +++ b/crypto/pqueue/pqueue.c @@ -68,7 +68,7 @@ typedef struct _pqueue { pitem *pitem_new(unsigned char *prio64be, void *data) { - pitem *item = (pitem *)OPENSSL_malloc(sizeof(pitem)); + pitem *item = OPENSSL_malloc(sizeof(pitem)); if (item == NULL) return NULL; @@ -90,7 +90,7 @@ void pitem_free(pitem *item) pqueue_s *pqueue_new() { - pqueue_s *pq = (pqueue_s *)OPENSSL_malloc(sizeof(pqueue_s)); + pqueue_s *pq = OPENSSL_malloc(sizeof(pqueue_s)); if (pq == NULL) return NULL; diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 379bf4c..4e02531 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -206,7 +206,7 @@ static int do_rsa_print(BIO *bp, const RSA *x, int off, int priv) update_buflen(x->iqmp, &buf_len); } - m = (unsigned char *)OPENSSL_malloc(buf_len + 10); + m = OPENSSL_malloc(buf_len + 10); if (m == NULL) { RSAerr(RSA_F_DO_RSA_PRINT, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 57ba1cb..5b4ce73 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -127,7 +127,7 @@ RSA *RSA_new_method(ENGINE *engine) { RSA *ret; - ret = (RSA *)OPENSSL_malloc(sizeof(RSA)); + ret = OPENSSL_malloc(sizeof(RSA)); if (ret == NULL) { RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return NULL; diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c index 0f15f00..80709f5 100644 --- a/crypto/rsa/rsa_saos.c +++ b/crypto/rsa/rsa_saos.c 
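Review bot: PEM_SignFinal in pem_sign.c sizes `m` as `EVP_PKEY_size(pkey) + 2` without looking at what EVP_PKEY_size returned. If that call can return zero or a negative value for a key it cannot size (its contract is not visible here), the buffer is only a couple of bytes and the signing step outside the hunk writes into it. A check such as `if (EVP_PKEY_size(pkey) <= 0) goto err;` before the allocation would make the precondition explicit.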
@@ -83,7 +83,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); return (0); } - s = (unsigned char *)OPENSSL_malloc((unsigned int)j + 1); + s = OPENSSL_malloc((unsigned int)j + 1); if (s == NULL) { RSAerr(RSA_F_RSA_SIGN_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE); return (0); @@ -117,7 +117,7 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, return (0); } - s = (unsigned char *)OPENSSL_malloc((unsigned int)siglen); + s = OPENSSL_malloc((unsigned int)siglen); if (s == NULL) { RSAerr(RSA_F_RSA_VERIFY_ASN1_OCTET_STRING, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index a521d11..ec1575a 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -116,7 +116,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return (0); } if (type != NID_md5_sha1) { - tmps = (unsigned char *)OPENSSL_malloc((unsigned int)j + 1); + tmps = OPENSSL_malloc((unsigned int)j + 1); if (tmps == NULL) { RSAerr(RSA_F_RSA_SIGN, ERR_R_MALLOC_FAILURE); return (0); @@ -181,7 +181,7 @@ int int_rsa_verify(int dtype, const unsigned char *m, return 1; } - s = (unsigned char *)OPENSSL_malloc((unsigned int)siglen); + s = OPENSSL_malloc((unsigned int)siglen); if (s == NULL) { RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE); goto err; diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 82b9a77..e8bdbf5 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -249,7 +249,7 @@ static int SRP_user_pwd_set_sv_BN(SRP_user_pwd *vinfo, BIGNUM *s, BIGNUM *v) SRP_VBASE *SRP_VBASE_new(char *seed_key) { - SRP_VBASE *vb = (SRP_VBASE *)OPENSSL_malloc(sizeof(SRP_VBASE)); + SRP_VBASE *vb = OPENSSL_malloc(sizeof(SRP_VBASE)); if (vb == NULL) return NULL; 
@@ -283,9 +283,8 @@ static SRP_gN_cache *SRP_gN_new_init(const char *ch) { unsigned char tmp[MAX_LEN]; int len; + SRP_gN_cache *newgN = OPENSSL_malloc(sizeof(SRP_gN_cache)); - SRP_gN_cache *newgN = - (SRP_gN_cache *)OPENSSL_malloc(sizeof(SRP_gN_cache)); if (newgN == NULL) return NULL; @@ -391,7 +390,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) * we add this couple in the internal Stack */ - if ((gN = (SRP_gN *) OPENSSL_malloc(sizeof(SRP_gN))) == NULL) + if ((gN = OPENSSL_malloc(sizeof(SRP_gN))) == NULL) goto err; if (!(gN->id = BUF_strdup(pp[DB_srpid])) diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index 7d97c2c..d4ac91e 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -93,9 +93,8 @@ _STACK *sk_dup(_STACK *sk) if ((ret = sk_new(sk->comp)) == NULL) goto err; - s = (char **)OPENSSL_realloc((char *)ret->data, - (unsigned int)sizeof(char *) * - sk->num_alloc); + s = OPENSSL_realloc((char *)ret->data, + (unsigned int)sizeof(char *) * sk->num_alloc); if (s == NULL) goto err; ret->data = s; diff --git a/crypto/store/str_lib.c b/crypto/store/str_lib.c index d683fd8..1a4f237 100644 --- a/crypto/store/str_lib.c +++ b/crypto/store/str_lib.c @@ -109,7 +109,7 @@ STORE *STORE_new_method(const STORE_METHOD *method) return NULL; } - ret = (STORE *)OPENSSL_malloc(sizeof(STORE)); + ret = OPENSSL_malloc(sizeof(STORE)); if (ret == NULL) { STOREerr(STORE_F_STORE_NEW_METHOD, ERR_R_MALLOC_FAILURE); return NULL; @@ -1206,7 +1206,7 @@ struct STORE_attr_info_st { STORE_ATTR_INFO *STORE_ATTR_INFO_new(void) { - return (STORE_ATTR_INFO *)OPENSSL_malloc(sizeof(STORE_ATTR_INFO)); + return OPENSSL_malloc(sizeof(STORE_ATTR_INFO)); } static void STORE_ATTR_INFO_attr_free(STORE_ATTR_INFO *attrs, diff --git a/crypto/store/str_mem.c b/crypto/store/str_mem.c index 8edd0eb..f949b34 100644 --- a/crypto/store/str_mem.c +++ b/crypto/store/str_mem.c 
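Review bot: sk_dup in stack.c loses the result cast but keeps `(char *)ret->data` on the first argument and `(unsigned int)sizeof(char *) * sk->num_alloc` on the second. The pointer cast is as redundant as the one removed if OPENSSL_realloc takes a `void *`, and casting `sizeof` down to unsigned int before the multiply means the product is computed in unsigned int even where size_t is wider. `s = OPENSSL_realloc(ret->data, sizeof(*s) * sk->num_alloc);` says the same thing without either cast. The function continues outside the hunk.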
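Review bot: STORE_ATTR_INFO_new in str_lib.c returns the block from OPENSSL_malloc as it is, so every field of the new STORE_ATTR_INFO starts out uninitialised. STORE_create_method in str_meth.c, touched by this same patch, zeroes its object with `memset(store_method, 0, sizeof(*store_method));` after the NULL check. Unless every caller fills in all fields before reading any (callers are not shown), the constructor should do the same: allocate into a local, `if (p) memset(p, 0, sizeof(*p));`, then return it.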
@@ -244,8 +244,7 @@ static void *mem_list_start(STORE *s, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]) { - struct mem_ctx_st *context = - (struct mem_ctx_st *)OPENSSL_malloc(sizeof(struct mem_ctx_st)); + struct mem_ctx_st *context = OPENSSL_malloc(sizeof(struct mem_ctx_st)); void *attribute_context = NULL; STORE_ATTR_INFO *attrs = NULL; diff --git a/crypto/store/str_meth.c b/crypto/store/str_meth.c index d83a6de..781b160 100644 --- a/crypto/store/str_meth.c +++ b/crypto/store/str_meth.c @@ -63,8 +63,7 @@ STORE_METHOD *STORE_create_method(char *name) { - STORE_METHOD *store_method = - (STORE_METHOD *)OPENSSL_malloc(sizeof(STORE_METHOD)); + STORE_METHOD *store_method = OPENSSL_malloc(sizeof(STORE_METHOD)); if (store_method) { memset(store_method, 0, sizeof(*store_method)); diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 037ab64..a8d683b 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -169,7 +169,7 @@ TS_RESP_CTX *TS_RESP_CTX_new() { TS_RESP_CTX *ctx; - if (!(ctx = (TS_RESP_CTX *)OPENSSL_malloc(sizeof(TS_RESP_CTX)))) { + if (!(ctx = OPENSSL_malloc(sizeof(TS_RESP_CTX)))) { TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } @@ -919,7 +919,7 @@ static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) int len; len = i2d_ESS_SIGNING_CERT(sc, NULL); - if (!(pp = (unsigned char *)OPENSSL_malloc(len))) { + if (!(pp = OPENSSL_malloc(len))) { TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index 3e6fcb5..f328c33 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -63,8 +63,8 @@ TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) { - TS_VERIFY_CTX *ctx = - (TS_VERIFY_CTX *)OPENSSL_malloc(sizeof(TS_VERIFY_CTX)); + TS_VERIFY_CTX *ctx = OPENSSL_malloc(sizeof(TS_VERIFY_CTX)); + if (ctx) memset(ctx, 0, sizeof(TS_VERIFY_CTX)); else 
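Review bot: ESS_add_signing_cert in ts_rsp_sign.c uses `len = i2d_ESS_SIGNING_CERT(sc, NULL);` as the allocation size without checking it. i2d functions report failure through a non-positive return, and that value then reaches OPENSSL_malloc and the second encoding pass outside the hunk. Adding `if (len <= 0) goto err;` before the allocation closes the gap. gost89_set_asn1_parameters in engines/ccgost/gost_crypt.c has the same pattern with `i2d_GOST_CIPHER_PARAMS`.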
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 06e6cd8..d2732f5 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -74,9 +74,8 @@ UI *UI_new(void) UI *UI_new_method(const UI_METHOD *method) { - UI *ret; + UI *ret = OPENSSL_malloc(sizeof(UI)); - ret = (UI *)OPENSSL_malloc(sizeof(UI)); if (ret == NULL) { UIerr(UI_F_UI_NEW_METHOD, ERR_R_MALLOC_FAILURE); return NULL; @@ -142,7 +141,7 @@ static UI_STRING *general_allocate_prompt(UI *ui, const char *prompt, } else if ((type == UIT_PROMPT || type == UIT_VERIFY || type == UIT_BOOLEAN) && result_buf == NULL) { UIerr(UI_F_GENERAL_ALLOCATE_PROMPT, UI_R_NO_RESULT_BUFFER); - } else if ((ret = (UI_STRING *)OPENSSL_malloc(sizeof(UI_STRING)))) { + } else if ((ret = OPENSSL_malloc(sizeof(UI_STRING)))) { ret->out_string = prompt; ret->flags = prompt_freeable ? OUT_STRING_FREEABLE : 0; ret->input_flags = input_flags; @@ -410,7 +409,7 @@ char *UI_construct_prompt(UI *ui, const char *object_desc, len += sizeof(prompt2) - 1 + strlen(object_name); len += sizeof(prompt3) - 1; - prompt = (char *)OPENSSL_malloc(len + 1); + prompt = OPENSSL_malloc(len + 1); if (prompt == NULL) return NULL; BUF_strlcpy(prompt, prompt1, len + 1); @@ -587,7 +586,7 @@ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth) UI_METHOD *UI_create_method(char *name) { - UI_METHOD *ui_method = (UI_METHOD *)OPENSSL_malloc(sizeof(UI_METHOD)); + UI_METHOD *ui_method = OPENSSL_malloc(sizeof(UI_METHOD)); if (ui_method) { memset(ui_method, 0, sizeof(*ui_method)); diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 80444ff..b30fa30 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -148,7 +148,7 @@ static int new_dir(X509_LOOKUP *lu) { BY_DIR *a; - if ((a = (BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL) + if ((a = OPENSSL_malloc(sizeof(BY_DIR))) == NULL) return (0); if ((a->buffer = BUF_MEM_new()) == NULL) { OPENSSL_free(a); diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index f77e59d..08bbc39 100644 
--- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -67,7 +67,7 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { X509_LOOKUP *ret; - ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP)); + ret = OPENSSL_malloc(sizeof(X509_LOOKUP)); if (ret == NULL) return NULL; @@ -184,7 +184,7 @@ X509_STORE *X509_STORE_new(void) { X509_STORE *ret; - if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) + if ((ret = OPENSSL_malloc(sizeof(X509_STORE))) == NULL) return NULL; ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->cache = 1; @@ -341,7 +341,7 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) if (x == NULL) return 0; - obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + obj = OPENSSL_malloc(sizeof(X509_OBJECT)); if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CERT, ERR_R_MALLOC_FAILURE); return 0; @@ -374,7 +374,7 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) if (x == NULL) return 0; - obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + obj = OPENSSL_malloc(sizeof(X509_OBJECT)); if (obj == NULL) { X509err(X509_F_X509_STORE_ADD_CRL, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 682c2c2..e01fc79 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -83,7 +83,7 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) ri = ret->req_info; ri->version->length = 1; - ri->version->data = (unsigned char *)OPENSSL_malloc(1); + ri->version->data = OPENSSL_malloc(1); if (ri->version->data == NULL) goto err; ri->version->data[0] = 0; /* version == 0 */ diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9cf39db..85dc714 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
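Review bot: X509_STORE_new in x509_lu.c assigns `ret->objs = sk_X509_OBJECT_new(x509_object_cmp);` and moves on to `ret->cache = 1;` without testing the stack pointer. If stack creation fails, the store is handed back with a NULL `objs` unless a check follows outside the hunk. A guard right after the assignment, `if (ret->objs == NULL) { OPENSSL_free(ret); return NULL; }`, keeps a half-built certificate store from escaping. new_dir in by_dir.c shows the same free-and-return pattern for `a->buffer`.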
@@ -2218,7 +2218,8 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, X509_STORE_CTX *X509_STORE_CTX_new(void) { X509_STORE_CTX *ctx; - ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); + + ctx = OPENSSL_malloc(sizeof(X509_STORE_CTX)); if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c index 7e3e984..3396ff1 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509v3/v3_lib.c @@ -140,9 +140,7 @@ int X509V3_EXT_add_alias(int nid_to, int nid_from) X509V3_R_EXTENSION_NOT_FOUND); return 0; } - if (! - (tmpext = - (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) { + if (!(tmpext = OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) { X509V3err(X509V3_F_X509V3_EXT_ADD_ALIAS, ERR_R_MALLOC_FAILURE); return 0; } diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index cd7a980..aa3a4de 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -88,7 +88,7 @@ int X509V3_add_value(const char *name, const char *value, goto err; if (value && !(tvalue = BUF_strdup(value))) goto err; - if (!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) + if (!(vtmp = OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err; if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err; diff --git a/demos/b64.c b/demos/b64.c index fcc6956..2fa4e98 100644 --- a/demos/b64.c +++ b/demos/b64.c @@ -169,7 +169,7 @@ char **argv; } strbuf = OPENSSL_malloc(SIZE); - buff = (unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); + buff = OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); if ((buff == NULL) || (strbuf == NULL)) { BIO_printf(bio_err, "OPENSSL_malloc failure\n"); goto end; diff --git a/engines/ccgost/gost_crypt.c b/engines/ccgost/gost_crypt.c index 6c95497..5f50fcc 100644 --- a/engines/ccgost/gost_crypt.c +++ b/engines/ccgost/gost_crypt.c 
@@ -446,7 +446,7 @@ int gost89_set_asn1_parameters(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params) gcp->enc_param_set = OBJ_nid2obj(c->paramNID); len = i2d_GOST_CIPHER_PARAMS(gcp, NULL); - p = buf = (unsigned char *)OPENSSL_malloc(len); + p = buf = OPENSSL_malloc(len); if (!buf) { GOST_CIPHER_PARAMS_free(gcp); GOSTerr(GOST_F_GOST89_SET_ASN1_PARAMETERS, ERR_R_MALLOC_FAILURE); diff --git a/engines/e_cswift.c b/engines/e_cswift.c index db94bf2..adab4d4 100644 --- a/engines/e_cswift.c +++ b/engines/e_cswift.c @@ -586,7 +586,7 @@ int cswift_bn_32copy(SW_LARGENUMBER *out, const BIGNUM *in) while (((out->nbytes = (numbytes + mod)) % 32)) { mod++; } - out->value = (unsigned char *)OPENSSL_malloc(out->nbytes); + out->value = OPENSSL_malloc(out->nbytes); if (!out->value) { return 0; } diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 473b3ff..da98ea0 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -103,7 +103,7 @@ static int ssl_new(BIO *bi) { BIO_SSL *bs; - bs = (BIO_SSL *)OPENSSL_malloc(sizeof(BIO_SSL)); + bs = OPENSSL_malloc(sizeof(BIO_SSL)); if (bs == NULL) { BIOerr(BIO_F_SSL_NEW, ERR_R_MALLOC_FAILURE); return (0); diff --git a/ssl/d1_both.c b/ssl/d1_both.c index c3552e9..2a76474 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -170,12 +170,12 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, unsigned char *buf = NULL; unsigned char *bitmask = NULL; - frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); + frag = OPENSSL_malloc(sizeof(hm_fragment)); if (frag == NULL) return NULL; if (frag_len) { - buf = (unsigned char *)OPENSSL_malloc(frag_len); + buf = OPENSSL_malloc(frag_len); if (buf == NULL) { OPENSSL_free(frag); return NULL; 
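Review bot: In gost89_set_asn1_parameters the result of `i2d_GOST_CIPHER_PARAMS(gcp, NULL)` goes straight into `OPENSSL_malloc(len)` with no check that the length query succeeded. The i2d_* encoders report failure with a non-positive return, so a failed query would reach the allocator as a zero or, after conversion, very large size. A guard such as `if (len <= 0)` ahead of the allocation, freeing `gcp` and leaving through the same failure path as the `!buf` branch, would close this. The function starts and ends outside the hunk, so an earlier validation cannot be ruled out from here.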
@@ -187,8 +187,7 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, /* Initialize reassembly bitmask if necessary */ if (reassembly) { - bitmask = - (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len)); + bitmask = OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len)); if (bitmask == NULL) { if (buf != NULL) OPENSSL_free(buf); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index d6401b4..4daa296 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -184,7 +184,7 @@ CERT *ssl_cert_new(void) { CERT *ret; - ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); + ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE); return (NULL); @@ -205,7 +205,7 @@ CERT *ssl_cert_dup(CERT *cert) CERT *ret; int i; - ret = (CERT *)OPENSSL_malloc(sizeof(CERT)); + ret = OPENSSL_malloc(sizeof(CERT)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE); return (NULL); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 580098a..14decbc 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -499,7 +499,7 @@ static void load_builtin_compressions(void) MemCheck_off(); ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp); if (ssl_comp_methods != NULL) { - comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + comp = OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) { comp->method = COMP_zlib(); if (comp->method && comp->method->type == NID_undef) @@ -1452,8 +1452,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK fprintf(stderr, "ssl_create_cipher_list() for %d ciphers\n", num_of_ciphers); #endif /* KSSL_DEBUG */ - co_list = - (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); + co_list = OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers); if (co_list == NULL) { SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); return (NULL); /* Failure */ 
@@ -1935,7 +1934,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) } MemCheck_off(); - comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + comp = OPENSSL_malloc(sizeof(SSL_COMP)); if (comp == NULL) { MemCheck_on(); SSLerr(SSL_F_SSL_COMP_ADD_COMPRESSION_METHOD, ERR_R_MALLOC_FAILURE); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 35a3c9d..73eafdb 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -276,7 +276,7 @@ SSL *SSL_new(SSL_CTX *ctx) return (NULL); } - s = (SSL *)OPENSSL_malloc(sizeof(SSL)); + s = OPENSSL_malloc(sizeof(SSL)); if (s == NULL) goto err; memset(s, 0, sizeof(SSL)); @@ -1868,7 +1868,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } - ret = (SSL_CTX *)OPENSSL_malloc(sizeof(SSL_CTX)); + ret = OPENSSL_malloc(sizeof(SSL_CTX)); if (ret == NULL) goto err; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 483c778..51f30fb 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -193,7 +193,7 @@ SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; - ss = (SSL_SESSION *)OPENSSL_malloc(sizeof(SSL_SESSION)); + ss = OPENSSL_malloc(sizeof(SSL_SESSION)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); return (0); @@ -786,7 +786,7 @@ int SSL_set_session(SSL *s, SSL_SESSION *session) if (s->kssl_ctx && !s->kssl_ctx->client_princ && session->krb5_client_princ_len > 0) { s->kssl_ctx->client_princ = - (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1); + OPENSSL_malloc(session->krb5_client_princ_len + 1); if (s->kssl_ctx->client_princ == NULL) { SSLerr(SSL_F_SSL_SET_SESSION, ERR_R_MALLOC_FAILURE); return (0); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 6e926d4..1f58ed0 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c 
@@ -649,7 +649,7 @@ int tls1_setup_key_block(SSL *s) ssl3_cleanup_key_block(s); - if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + if ((p1 = OPENSSL_malloc(num)) == NULL) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; } @@ -657,7 +657,7 @@ int tls1_setup_key_block(SSL *s) s->s3->tmp.key_block_length = num; s->s3->tmp.key_block = p1; - if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { + if ((p2 = OPENSSL_malloc(num)) == NULL) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); OPENSSL_free(p1); goto err; diff --git a/test/dhtest.c b/test/dhtest.c index 6c063da..35bd298 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -165,7 +165,7 @@ int main(int argc, char *argv[]) BIO_puts(out, "\n"); alen = DH_size(a); - abuf = (unsigned char *)OPENSSL_malloc(alen); + abuf = OPENSSL_malloc(alen); aout = DH_compute_key(abuf, b->pub_key, a); BIO_puts(out, "key1 ="); @@ -176,7 +176,7 @@ int main(int argc, char *argv[]) BIO_puts(out, "\n"); blen = DH_size(b); - bbuf = (unsigned char *)OPENSSL_malloc(blen); + bbuf = OPENSSL_malloc(blen); bout = DH_compute_key(bbuf, a->pub_key, b); BIO_puts(out, "key2 ="); diff --git a/test/ecdhtest.c b/test/ecdhtest.c index a89177e..5c451e5 100644 --- a/test/ecdhtest.c +++ b/test/ecdhtest.c @@ -201,7 +201,7 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) # endif alen = KDF1_SHA1_len; - abuf = (unsigned char *)OPENSSL_malloc(alen); + abuf = OPENSSL_malloc(alen); aout = ECDH_compute_key(abuf, alen, EC_KEY_get0_public_key(b), a, KDF1_SHA1); @@ -218,7 +218,7 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) # endif blen = KDF1_SHA1_len; - bbuf = (unsigned char *)OPENSSL_malloc(blen); + bbuf = OPENSSL_malloc(blen); bout = ECDH_compute_key(bbuf, blen, EC_KEY_get0_public_key(a), b, KDF1_SHA1); From rsalz at openssl.org Tue Apr 28 20:35:09 2015 
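Review bot: In the second tls1_setup_key_block hunk, `s->s3->tmp.key_block = p1` is stored before `p2` is allocated, and the `p2 == NULL` branch then calls `OPENSSL_free(p1)` without clearing that field. That leaves `s->s3->tmp.key_block` pointing at freed memory with a non-zero `key_block_length`. If a later cleanup frees that field again, as the `ssl3_cleanup_key_block(s)` call in the first hunk presumably does (its body is not on this page), the result is a double free. Either clear the field on the failure path, `s->s3->tmp.key_block = NULL; s->s3->tmp.key_block_length = 0;`, or allocate `p2` before publishing `p1` into `s->s3->tmp`. What the `err` label does is outside the hunk.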
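Review bot: Both dhtest.c hunks pass the buffer from `OPENSSL_malloc` to `DH_compute_key` without checking it for NULL, so an allocation failure in the test becomes a NULL write instead of a reported failure. Adding `if (abuf == NULL) goto err;` after the first allocation, and the same for `bbuf`, would make the test fail cleanly. The label name is a guess, since main's cleanup code is outside the hunk. The two ecdhtest.c hunks that follow have the same pattern with `ECDH_compute_key`.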
From: rsalz at openssl.org (Rich Salz) Date: Tue, 28 Apr 2015 20:35:09 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430253309.610937.632.nullmailer@dev.openssl.org> The branch master has been updated via 2d29e2df0c9040e139d68c8659ee0342a6ac3dd1 (commit) from b196e7d936fb377d9c5b305748ac25ff0e53ef6d (commit) - Log ----------------------------------------------------------------- commit 2d29e2df0c9040e139d68c8659ee0342a6ac3dd1 Author: Rich Salz Date: Tue Apr 28 16:34:52 2015 -0400 realloc of NULL is like malloc ANSI C, and OpenSSL's malloc wrapper do this, also. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_bitstr.c | 5 +---- crypto/asn1/asn1_lib.c | 6 +----- crypto/asn1/f_enum.c | 5 +---- crypto/asn1/f_int.c | 5 +---- crypto/asn1/f_string.c | 5 +---- crypto/bio/b_sock.c | 7 ++----- crypto/buffer/buffer.c | 10 ++-------- crypto/err/err.c | 4 ++-- 8 files changed, 11 insertions(+), 36 deletions(-) diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 8a9e17c..ba243f1 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -205,10 +205,7 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) if ((a->length < (w + 1)) || (a->data == NULL)) { if (!value) return (1); /* Don't need to set */ - if (a->data == NULL) - c = OPENSSL_malloc(w + 1); - else - c = OPENSSL_realloc_clean(a->data, a->length, w + 1); + c = OPENSSL_realloc_clean(a->data, a->length, w + 1); if (c == NULL) { ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT, ERR_R_MALLOC_FAILURE); return 0; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 97f1d23..a892d7f 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c 
@@ -317,11 +317,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) } if ((str->length < len) || (str->data == NULL)) { c = str->data; - if (c == NULL) - str->data = OPENSSL_malloc(len + 1); - else - str->data = OPENSSL_realloc(c, len + 1); - + str->data = OPENSSL_realloc(c, len + 1); if (str->data == NULL) { ASN1err(ASN1_F_ASN1_STRING_SET, ERR_R_MALLOC_FAILURE); str->data = c; diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c index c623cdc..2ec99a5 100644 --- a/crypto/asn1/f_enum.c +++ b/crypto/asn1/f_enum.c @@ -151,10 +151,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size) } i /= 2; if (num + i > slen) { - if (s == NULL) - sp = OPENSSL_malloc((unsigned int)num + i * 2); - else - sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); + sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE); if (s != NULL) diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c index 39c9a61..f74252c 100644 --- a/crypto/asn1/f_int.c +++ b/crypto/asn1/f_int.c @@ -165,10 +165,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) } i /= 2; if (num + i > slen) { - if (s == NULL) - sp = OPENSSL_malloc((unsigned int)num + i * 2); - else - sp = OPENSSL_realloc_clean(s, slen, num + i * 2); + sp = OPENSSL_realloc_clean(s, slen, num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE); if (s != NULL) diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c index 6cb4cfd..53f8cf3 100644 --- a/crypto/asn1/f_string.c +++ b/crypto/asn1/f_string.c 
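Review bot: In ASN1_STRING_set the allocation size is `len + 1` with `len` an `int`, and nothing in the hunk bounds `len` from above, so `len == INT_MAX` makes the addition overflow (undefined behaviour for signed int) before it reaches `OPENSSL_realloc`. A check ahead of the allocation, `if (len > INT_MAX - 1) return 0;` with an ASN1err call in the style of the malloc-failure branch, keeps the size computation defined. The function starts outside the hunk, so an earlier limit on `len` may exist there; if it does, a comment at this line saying so would help.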
@@ -157,10 +157,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size) } i /= 2; if (num + i > slen) { - if (s == NULL) - sp = OPENSSL_malloc((unsigned int)num + i * 2); - else - sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); + sp = OPENSSL_realloc(s, (unsigned int)num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE); if (s != NULL) diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index ca485d9..a4fded5 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -673,12 +673,9 @@ int BIO_accept(int sock, char **addr) break; nl = strlen(h) + strlen(s) + 2; p = *addr; - if (p) { + if (p) *p = '\0'; - p = OPENSSL_realloc(p, nl); - } else { - p = OPENSSL_malloc(nl); - } + p = OPENSSL_realloc(p, nl); if (p == NULL) { BIOerr(BIO_F_BIO_ACCEPT, ERR_R_MALLOC_FAILURE); goto end; diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c index 0859974..c77fdc5 100644 --- a/crypto/buffer/buffer.c +++ b/crypto/buffer/buffer.c @@ -114,10 +114,7 @@ size_t BUF_MEM_grow(BUF_MEM *str, size_t len) return 0; } n = (len + 3) / 3 * 4; - if (str->data == NULL) - ret = OPENSSL_malloc(n); - else - ret = OPENSSL_realloc(str->data, n); + ret = OPENSSL_realloc(str->data, n); if (ret == NULL) { BUFerr(BUF_F_BUF_MEM_GROW, ERR_R_MALLOC_FAILURE); len = 0; @@ -151,10 +148,7 @@ size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len) return 0; } n = (len + 3) / 3 * 4; - if (str->data == NULL) - ret = OPENSSL_malloc(n); - else - ret = OPENSSL_realloc_clean(str->data, str->max, n); + ret = OPENSSL_realloc_clean(str->data, str->max, n); if (ret == NULL) { BUFerr(BUF_F_BUF_MEM_GROW_CLEAN, ERR_R_MALLOC_FAILURE); len = 0; diff --git a/crypto/err/err.c b/crypto/err/err.c index 4752148..ec7da22 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c 
@@ -969,8 +969,8 @@ void ERR_add_error_vdata(int num, va_list args) if (p == NULL) { OPENSSL_free(str); return; - } else - str = p; + } + str = p; } BUF_strlcat(str, a, (size_t)s + 1); } From rsalz at openssl.org Wed Apr 29 01:49:01 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 29 Apr 2015 01:49:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430272141.932804.26432.nullmailer@dev.openssl.org> The branch master has been updated via bea6cd3e1c551b48007eedbb0cb0f3a8aa473138 (commit) from 2d29e2df0c9040e139d68c8659ee0342a6ac3dd1 (commit) - Log ----------------------------------------------------------------- commit bea6cd3e1c551b48007eedbb0cb0f3a8aa473138 Author: Rich Salz Date: Tue Apr 28 21:48:44 2015 -0400 Make "make rehash" quiet Don't complain about missing config file. (Got the right env var name this time) Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: Makefile.org | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile.org b/Makefile.org index 301b4d3..dcc2c44 100644 --- a/Makefile.org +++ b/Makefile.org @@ -438,8 +438,8 @@ rehash.time: certs apps @if [ -z "$(CROSS_COMPILE)" ]; then \ (OPENSSL="`pwd`/util/opensslwrap.sh"; \ [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ - OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONFIG=/dev/null ; \ - export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONFIG; \ + OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \ + export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \ $(PERL) tools/c_rehash certs/demo) && \ touch rehash.time; \ else :; fi From matt at openssl.org Wed Apr 29 14:47:33 2015 
From: matt at openssl.org (Matt Caswell) Date: Wed, 29 Apr 2015 14:47:33 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430318853.944847.3168.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 937a766982229fd4aa3d9ceb544517f81a193206 (commit) from 07977739f0eaa1dd6845518b590932ba5cbf75d1 (commit) - Log ----------------------------------------------------------------- commit 937a766982229fd4aa3d9ceb544517f81a193206 Author: Matt Caswell Date: Tue Apr 21 11:28:41 2015 +0100 Revert "Fix verify algorithm." This reverts commit 47daa155a31b0a54ce09ad2ed4d55fad74096dab. The above commit was backported to the 1.0.2 branch as part of backporting the alternative chain verify algorithm changes. However it has been pointed out (credit to Shigeki Ohtsu) that this is unnecessary in 1.0.2 as this commit is a work around for loop checking that only exists in master. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c0f6a5d..f3e9c56 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -370,16 +370,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { while (j-- > 1) { - STACK_OF(X509) *chtmp = ctx->chain; xtmp2 = sk_X509_value(ctx->chain, j - 1); - /* - * Temporarily set chain to NULL so we don't discount - * duplicates: the same certificate could be an untrusted - * CA found in the trusted store. - */ - ctx->chain = NULL; ok = ctx->get_issuer(&xtmp, ctx, xtmp2); - ctx->chain = chtmp; if (ok < 0) goto end; /* Check if we found an alternate chain */ From rsalz at openssl.org Wed Apr 29 15:28:24 2015 
From: rsalz at openssl.org (Rich Salz) Date: Wed, 29 Apr 2015 15:28:24 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430321304.594455.9799.nullmailer@dev.openssl.org> The branch master has been updated via ecf3a1fb181c08540342cceb6549e0408b32d135 (commit) from bea6cd3e1c551b48007eedbb0cb0f3a8aa473138 (commit) - Log ----------------------------------------------------------------- commit ecf3a1fb181c08540342cceb6549e0408b32d135 Author: Rich Salz Date: Wed Apr 29 11:27:08 2015 -0400 Remove needless bio_err argument Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 20 ++++++++-------- apps/apps.h | 2 +- apps/asn1pars.c | 12 +++++----- apps/ca.c | 30 ++++++++++++------------ apps/cms.c | 38 +++++++++++++++--------------- apps/pkcs12.c | 12 +++++----- apps/s_apps.h | 4 ++-- apps/s_cb.c | 71 +++++++++++++++++++++++++++++---------------------------- apps/s_client.c | 4 ++-- apps/s_server.c | 8 +++---- apps/smime.c | 2 +- apps/srp.c | 54 +++++++++++++++++++++---------------------- apps/verify.c | 16 ++++++------- 13 files changed, 136 insertions(+), 137 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 66e3796..a4eecae 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -2006,34 +2006,34 @@ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value) return rv; } -static void nodes_print(BIO *out, const char *name, - STACK_OF(X509_POLICY_NODE) *nodes) +static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes) { X509_POLICY_NODE *node; int i; - BIO_printf(out, "%s Policies:", name); + + BIO_printf(bio_err, "%s Policies:", name); if (nodes) { - BIO_puts(out, "\n"); + BIO_puts(bio_err, "\n"); for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { node = sk_X509_POLICY_NODE_value(nodes, i); - X509_POLICY_NODE_print(out, node, 2); + X509_POLICY_NODE_print(bio_err, node, 2); } } else - BIO_puts(out, " \n"); + BIO_puts(bio_err, " \n"); } -void policies_print(BIO *out, X509_STORE_CTX *ctx) +void policies_print(X509_STORE_CTX *ctx) { X509_POLICY_TREE *tree; int explicit_policy; tree = X509_STORE_CTX_get0_policy_tree(ctx); explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); - BIO_printf(out, "Require explicit Policy: %s\n", + BIO_printf(bio_err, "Require explicit Policy: %s\n", explicit_policy ? "True" : "False"); - nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree)); - nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree)); + nodes_print("Authority", X509_policy_tree_get0_policies(tree)); + nodes_print("User", X509_policy_tree_get0_user_policies(tree)); } #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) diff --git a/apps/apps.h b/apps/apps.h index 5d1b98f..db67957 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -489,7 +489,7 @@ int parse_yesno(const char *str, int def); X509_NAME *parse_name(char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, X509_VERIFY_PARAM **pm); -void policies_print(BIO *out, X509_STORE_CTX *ctx); +void policies_print(X509_STORE_CTX *ctx); int bio_to_mem(unsigned char **out, int maxlen, BIO *in); int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value); int init_gen_str(EVP_PKEY_CTX **pctx, 
diff --git a/apps/asn1pars.c b/apps/asn1pars.c index e96491a..6214625 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -100,7 +100,7 @@ OPTIONS asn1parse_options[] = { {NULL} }; -static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf); +static int do_generate(char *genstr, char *genconf, BUF_MEM *buf); int asn1parse_main(int argc, char **argv) { @@ -215,7 +215,7 @@ int asn1parse_main(int argc, char **argv) goto end; /* Pre-allocate :-) */ if (genstr || genconf) { - num = do_generate(bio_err, genstr, genconf, buf); + num = do_generate(genstr, genconf, buf); if (num < 0) { ERR_print_errors(bio_err); goto end; @@ -335,7 +335,7 @@ int asn1parse_main(int argc, char **argv) return (ret); } -static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf) +static int do_generate(char *genstr, char *genconf, BUF_MEM *buf) { CONF *cnf = NULL; int len; @@ -350,7 +350,7 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf) if (!genstr) genstr = NCONF_get_string(cnf, "default", "asn1"); if (!genstr) { - BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf); + BIO_printf(bio_err, "Can't find 'asn1' in '%s'\n", genconf); goto err; } } @@ -380,10 +380,10 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf) conferr: if (errline > 0) - BIO_printf(bio, "Error on line %ld of config file '%s'\n", + BIO_printf(bio_err, "Error on line %ld of config file '%s'\n", errline, genconf); else - BIO_printf(bio, "Error loading config file '%s'\n", genconf); + BIO_printf(bio_err, "Error loading config file '%s'\n", genconf); err: NCONF_free(cnf); diff --git a/apps/ca.c b/apps/ca.c index ac720db..ba666ee 100644 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -187,7 +187,7 @@ static int do_updatedb(CA_DB *db); static int check_time_format(const char *str); char *make_revocation_str(int rev_type, char *rev_arg); int make_revoked(X509_REVOKED *rev, const char *str); -int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str); +static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str); static CONF *conf = NULL; static CONF *extconf = NULL; @@ -1604,7 +1604,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, } if (default_op) - old_entry_print(bio_err, obj, str); + old_entry_print(obj, str); } /* Ok, now we check the 'policy' stuff. */ 
@@ -2632,42 +2632,42 @@ int make_revoked(X509_REVOKED *rev, const char *str) return ret; } -int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str) +static int old_entry_print(ASN1_OBJECT *obj, ASN1_STRING *str) { char buf[25], *pbuf, *p; int j; - j = i2a_ASN1_OBJECT(bp, obj); + j = i2a_ASN1_OBJECT(bio_err, obj); pbuf = buf; for (j = 22 - j; j > 0; j--) *(pbuf++) = ' '; *(pbuf++) = ':'; *(pbuf++) = '\0'; - BIO_puts(bp, buf); + BIO_puts(bio_err, buf); if (str->type == V_ASN1_PRINTABLESTRING) - BIO_printf(bp, "PRINTABLE:'"); + BIO_printf(bio_err, "PRINTABLE:'"); else if (str->type == V_ASN1_T61STRING) - BIO_printf(bp, "T61STRING:'"); + BIO_printf(bio_err, "T61STRING:'"); else if (str->type == V_ASN1_IA5STRING) - BIO_printf(bp, "IA5STRING:'"); + BIO_printf(bio_err, "IA5STRING:'"); else if (str->type == V_ASN1_UNIVERSALSTRING) - BIO_printf(bp, "UNIVERSALSTRING:'"); + BIO_printf(bio_err, "UNIVERSALSTRING:'"); else - BIO_printf(bp, "ASN.1 %2d:'", str->type); + BIO_printf(bio_err, "ASN.1 %2d:'", str->type); p = (char *)str->data; for (j = str->length; j > 0; j--) { if ((*p >= ' ') && (*p <= '~')) - BIO_printf(bp, "%c", *p); + BIO_printf(bio_err, "%c", *p); else if (*p & 0x80) - BIO_printf(bp, "\\0x%02X", *p); + BIO_printf(bio_err, "\\0x%02X", *p); else if ((unsigned char)*p == 0xf7) - BIO_printf(bp, "^?"); + BIO_printf(bio_err, "^?"); else - BIO_printf(bp, "^%c", *p + '@'); + BIO_printf(bio_err, "^%c", *p + '@'); p++; } - BIO_printf(bp, "'\n"); + BIO_printf(bio_err, "'\n"); return 1; } diff --git a/apps/cms.c b/apps/cms.c index e3e8656..16dbc0c 100644 --- a/apps/cms.c +++ b/apps/cms.c 
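Review bot: In old_entry_print the branch `else if ((unsigned char)*p == 0xf7)` can never be taken, because any byte with the top bit set is already consumed by the preceding `else if (*p & 0x80)`; the constant looks like a transposition of 0x7f (DEL). As written, a DEL byte in the ASN1_STRING falls into the final `^%c` branch and is emitted as the raw byte `*p + '@'`, so the escaping applied before the string is printed to the terminal has a gap. Changing the test to `else if ((unsigned char)*p == 0x7f)` fixes that. Separately, `BIO_printf(bio_err, "\\0x%02X", *p)` passes a plain `char`, which sign-extends where `char` is signed and prints more than two hex digits; `(unsigned char)*p` avoids it.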
@@ -68,7 +68,7 @@ static int save_certs(char *signerfile, STACK_OF(X509) *signers); static int cms_cb(int ok, X509_STORE_CTX *ctx); -static void receipt_request_print(BIO *out, CMS_ContentInfo *cms); +static void receipt_request_print(CMS_ContentInfo *cms); static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) *rr_from); @@ -1075,7 +1075,7 @@ int cms_main(int argc, char **argv) sk_X509_free(signers); } if (rr_print) - receipt_request_print(bio_err, cms); + receipt_request_print(cms); } else if (operation == SMIME_VERIFY_RECEIPT) { if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) @@ -1190,31 +1190,31 @@ static int cms_cb(int ok, X509_STORE_CTX *ctx) && ((error != X509_V_OK) || (ok != 2))) return ok; - /* Should be bio_err? */ - policies_print(bio_out, ctx); + policies_print(ctx); return ok; } -static void gnames_stack_print(BIO *out, STACK_OF(GENERAL_NAMES) *gns) +static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns) { STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *gen; int i, j; + for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { gens = sk_GENERAL_NAMES_value(gns, i); for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { gen = sk_GENERAL_NAME_value(gens, j); - BIO_puts(out, " "); - GENERAL_NAME_print(out, gen); - BIO_puts(out, "\n"); + BIO_puts(bio_err, " "); + GENERAL_NAME_print(bio_err, gen); + BIO_puts(bio_err, "\n"); } } return; } -static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) +static void receipt_request_print(CMS_ContentInfo *cms) { STACK_OF(CMS_SignerInfo) *sis; CMS_SignerInfo *si; 
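Review bot: The cms_cb hunk changes where the policy tree is printed: the old call was `policies_print(bio_out, ctx)` and the new `policies_print(ctx)` writes to bio_err, which contradicts the commit message's statement that the parameter was always bio_err. The removed `/* Should be bio_err? */` comment suggests the switch is intended, but it is a visible behaviour change for anything that reads the policy output of the cms command from standard output. I would mention it in the commit message, or leave a short comment at the call such as `/* policy tree now goes to bio_err, not bio_out */`.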
@@ -1238,22 +1238,22 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms) int idlen; CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, &rlist, &rto); - BIO_puts(out, " Signed Content ID:\n"); + BIO_puts(bio_err, " Signed Content ID:\n"); idlen = ASN1_STRING_length(scid); id = (char *)ASN1_STRING_data(scid); - BIO_dump_indent(out, id, idlen, 4); - BIO_puts(out, " Receipts From"); + BIO_dump_indent(bio_err, id, idlen, 4); + BIO_puts(bio_err, " Receipts From"); if (rlist) { - BIO_puts(out, " List:\n"); - gnames_stack_print(out, rlist); + BIO_puts(bio_err, " List:\n"); + gnames_stack_print(rlist); } else if (allorfirst == 1) - BIO_puts(out, ": First Tier\n"); + BIO_puts(bio_err, ": First Tier\n"); else if (allorfirst == 0) - BIO_puts(out, ": All\n"); + BIO_puts(bio_err, ": All\n"); else - BIO_printf(out, " Unknown (%d)\n", allorfirst); - BIO_puts(out, " Receipts To:\n"); - gnames_stack_print(out, rto); + BIO_printf(bio_err, " Unknown (%d)\n", allorfirst); + BIO_puts(bio_err, " Receipts To:\n"); + gnames_stack_print(rto); } if (rr) CMS_ReceiptRequest_free(rr); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 5cdd71b..ec7a1d9 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -86,7 +86,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, const char *name); void hex_prin(BIO *out, unsigned char *buf, int len); -int alg_print(BIO *x, X509_ALGOR *alg); +static int alg_print(X509_ALGOR *alg); int cert_load(BIO *in, STACK_OF(X509) *sk); static int set_pbe(int *ppbe, const char *str); @@ -587,7 +587,7 @@ int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, } else if (bagnid == NID_pkcs7_encrypted) { if (options & INFO) { BIO_printf(bio_err, "PKCS7 Encrypted data: "); - alg_print(bio_err, p7->d.encrypted->enc_data->algorithm); + alg_print(p7->d.encrypted->enc_data->algorithm); } bags = PKCS12_unpack_p7encdata(p7, pass, passlen); } else 
@@ -649,7 +649,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, case NID_pkcs8ShroudedKeyBag: if (options & INFO) { BIO_printf(bio_err, "Shrouded Keybag: "); - alg_print(bio_err, bag->value.shkeybag->algor); + alg_print(bag->value.shkeybag->algor); } if (options & NOKEYS) return 1; @@ -737,11 +737,11 @@ int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) return i; } -int alg_print(BIO *x, X509_ALGOR *alg) +static int alg_print(X509_ALGOR *alg) { PBEPARAM *pbe; - const unsigned char *p; - p = alg->parameter->value.sequence->data; + const unsigned char *p = alg->parameter->value.sequence->data; + pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); if (!pbe) return 1; diff --git a/apps/s_apps.h b/apps/s_apps.h index db8d039..cf3026d 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -204,7 +204,7 @@ void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc); void ssl_excert_free(SSL_EXCERT *exc); int args_excert(int option, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc); -void print_ssl_summary(BIO *bio, SSL *s); +void print_ssl_summary(SSL *s); #ifdef HEADER_SSL_H int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx, int no_ecdhe, int no_jpake); @@ -214,5 +214,5 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, const char *vfyCAfile, const char *chCApath, const char *chCAfile, STACK_OF(X509_CRL) *crls, int crl_download); -void ssl_ctx_security_debug(SSL_CTX *ctx, BIO *out, int verbose); +void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose); #endif diff --git a/apps/s_cb.c b/apps/s_cb.c index ddd65a9..76aeadb 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c 
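Review bot: alg_print dereferences `alg->parameter->value.sequence` in the new initialiser of `p` without checking that `alg->parameter` is non-NULL or that it holds a SEQUENCE. The X509_ALGOR comes from the PKCS#12 file being dumped (the callers in this diff pass `p7->d.encrypted->enc_data->algorithm` and `bag->value.shkeybag->algor`), and algorithm parameters are optional in the encoding, so a malformed file can turn this into a NULL or wrong-union-member read. Folding the dereference into the initialiser also leaves no room for a guard. I would keep the declaration separate and add `if (alg->parameter == NULL || alg->parameter->type != V_ASN1_SEQUENCE) return 1;` before it. The rest of alg_print is outside the hunk.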
@@ -186,11 +186,11 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) break; case X509_V_ERR_NO_EXPLICIT_POLICY: if (!verify_quiet) - policies_print(bio_err, ctx); + policies_print(ctx); break; } if (err == X509_V_OK && ok == 2 && !verify_quiet) - policies_print(bio_err, ctx); + policies_print(ctx); if (ok && !verify_quiet) BIO_printf(bio_err, "verify return:%d\n", ok); return (ok); @@ -1104,19 +1104,20 @@ struct chain_flags chain_flags_list[] = { {0, NULL} }; -static void print_chain_flags(BIO *out, SSL *s, int flags) +static void print_chain_flags(SSL *s, int flags) { struct chain_flags *ctmp = chain_flags_list; + while (ctmp->name) { - BIO_printf(out, "\t%s: %s\n", ctmp->name, + BIO_printf(bio_err, "\t%s: %s\n", ctmp->name, flags & ctmp->flag ? "OK" : "NOT OK"); ctmp++; } - BIO_printf(out, "\tSuite B: "); + BIO_printf(bio_err, "\tSuite B: "); if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS) - BIO_puts(out, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n"); + BIO_puts(bio_err, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n"); else - BIO_printf(out, "not tested\n"); + BIO_printf(bio_err, "not tested\n"); } /* @@ -1157,7 +1158,7 @@ static int set_cert_cb(SSL *ssl, void *arg) X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); - print_chain_flags(bio_err, ssl, rv); + print_chain_flags(ssl, rv); if (rv & CERT_PKEY_VALID) { if (!SSL_use_certificate(ssl, exc->cert) || !SSL_use_PrivateKey(ssl, exc->key)) { @@ -1334,7 +1335,7 @@ int args_excert(int opt, SSL_EXCERT **pexc) return 0; } -static void print_raw_cipherlist(BIO *bio, SSL *s) +static void print_raw_cipherlist(SSL *s) { const unsigned char *rlist; static const unsigned char scsv_id[] = { 0, 0, 0xFF }; 
@@ -1343,59 +1344,58 @@ static void print_raw_cipherlist(BIO *bio, SSL *s) return; num = SSL_get0_raw_cipherlist(s, NULL); rlistlen = SSL_get0_raw_cipherlist(s, &rlist); - BIO_puts(bio, "Client cipher list: "); + BIO_puts(bio_err, "Client cipher list: "); for (i = 0; i < rlistlen; i += num, rlist += num) { const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); if (i) - BIO_puts(bio, ":"); + BIO_puts(bio_err, ":"); if (c) - BIO_puts(bio, SSL_CIPHER_get_name(c)); + BIO_puts(bio_err, SSL_CIPHER_get_name(c)); else if (!memcmp(rlist, scsv_id - num + 3, num)) - BIO_puts(bio, "SCSV"); + BIO_puts(bio_err, "SCSV"); else { size_t j; - BIO_puts(bio, "0x"); + BIO_puts(bio_err, "0x"); for (j = 0; j < num; j++) - BIO_printf(bio, "%02X", rlist[j]); + BIO_printf(bio_err, "%02X", rlist[j]); } } - BIO_puts(bio, "\n"); + BIO_puts(bio_err, "\n"); } -void print_ssl_summary(BIO *bio, SSL *s) +void print_ssl_summary(SSL *s) { const SSL_CIPHER *c; X509 *peer; - /* - * const char *pnam = SSL_is_server(s) ? "client" : "server"; - */ - BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s)); - print_raw_cipherlist(bio, s); + /* const char *pnam = SSL_is_server(s) ? 
"client" : "server"; */ + + BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s)); + print_raw_cipherlist(s); c = SSL_get_current_cipher(s); - BIO_printf(bio, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); - do_print_sigalgs(bio, s, 0); + BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); + do_print_sigalgs(bio_err, s, 0); peer = SSL_get_peer_certificate(s); if (peer) { int nid; - BIO_puts(bio, "Peer certificate: "); - X509_NAME_print_ex(bio, X509_get_subject_name(peer), + BIO_puts(bio_err, "Peer certificate: "); + X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), 0, XN_FLAG_ONELINE); - BIO_puts(bio, "\n"); + BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) - BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid)); + BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); } else - BIO_puts(bio, "No peer certificate\n"); + BIO_puts(bio_err, "No peer certificate\n"); if (peer) X509_free(peer); #ifndef OPENSSL_NO_EC - ssl_print_point_formats(bio, s); + ssl_print_point_formats(bio_err, s); if (SSL_is_server(s)) - ssl_print_curves(bio, s, 1); + ssl_print_curves(bio_err, s, 1); else - ssl_print_tmp_key(bio, s); + ssl_print_tmp_key(bio_err, s); #else if (!SSL_is_server(s)) - ssl_print_tmp_key(bio, s); + ssl_print_tmp_key(bio_err, s); #endif } @@ -1681,10 +1681,11 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx, return rv; } -void ssl_ctx_security_debug(SSL_CTX *ctx, BIO *out, int verbose) +void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose) { static security_debug_ex sdb; - sdb.out = out; + + sdb.out = bio_err; sdb.verbose = verbose; sdb.old_cb = SSL_CTX_get_security_callback(ctx); SSL_CTX_set_security_callback(ctx, security_callback_debug); diff --git a/apps/s_client.c b/apps/s_client.c index 9181c75..9d0d6f0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -1181,7 +1181,7 @@ int s_client_main(int argc, char **argv) } if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); @@ -1663,7 +1663,7 @@ int s_client_main(int argc, char **argv) } if (c_brief) { BIO_puts(bio_err, "CONNECTION ESTABLISHED\n"); - print_ssl_summary(bio_err, con); + print_ssl_summary(con); } print_stuff(bio_c_out, con, full_log); diff --git a/apps/s_server.c b/apps/s_server.c index fb6fd3d..701f52d 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1617,7 +1617,7 @@ int s_server_main(int argc, char *argv[]) ctx = SSL_CTX_new(meth); if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; @@ -1690,7 +1690,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (session_id_prefix) { if (strlen(session_id_prefix) >= 32) @@ -2487,7 +2487,7 @@ static int init_ssl_connection(SSL *con) } if (s_brief) - print_ssl_summary(bio_err, con); + print_ssl_summary(con); PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con)); @@ -3036,7 +3036,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) } } BIO_printf(bio_err, "CONNECTION ESTABLISHED\n"); - print_ssl_summary(bio_err, con); + print_ssl_summary(con); for (;;) { i = BIO_gets(io, buf, bufsize - 1); diff --git a/apps/smime.c b/apps/smime.c index 0c683f5..21e9daa 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -697,7 +697,7 @@ static int smime_cb(int ok, X509_STORE_CTX *ctx) && ((error != X509_V_OK) || (ok != 2))) return ok; - policies_print(bio_err, ctx); + policies_print(ctx); return ok; diff --git a/apps/srp.c b/apps/srp.c index 0acbb8a..adc6a6f 100644 --- a/apps/srp.c 
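Review bot: In `s_server_main` the call `ssl_ctx_security_debug(ctx, sdebug);` sits between `ctx = SSL_CTX_new(meth);` and the `if (ctx == NULL)` check, so with `sdebug` set a failed `SSL_CTX_new` hands NULL to a function that calls `SSL_CTX_get_security_callback(ctx)` and `SSL_CTX_set_security_callback(ctx, ...)` on it. Moving the `if (sdebug)` block below the NULL check removes that path. The ordering predates this commit, which only drops the `bio_err` argument, but the line is touched here and is a cheap fix.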
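Review bot: The call that follows the "Setting secondary ctx parameters" message passes `ctx`, the primary context, to `ssl_ctx_security_debug`. If the intent is to install the security debug callback on the secondary context (presumably `ctx2`; its declaration is outside the hunk), that context never receives it and the primary one is configured twice. Worth confirming and, if so, changing the line to `ssl_ctx_security_debug(ctx2, sdebug);`.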
+++ b/apps/srp.c @@ -102,38 +102,38 @@ static int get_index(CA_DB *db, char *id, char type) return -1; } -static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s) +static void print_entry(CA_DB *db, int indx, int verbose, char *s) { if (indx >= 0 && verbose) { int j; char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx); - BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]); + BIO_printf(bio_err, "%s \"%s\"\n", s, pp[DB_srpid]); for (j = 0; j < DB_NUMBER; j++) { BIO_printf(bio_err, " %d = \"%s\"\n", j, pp[j]); } } } -static void print_index(CA_DB *db, BIO *bio, int indexindex, int verbose) +static void print_index(CA_DB *db, int indexindex, int verbose) { - print_entry(db, bio, indexindex, verbose, "g N entry"); + print_entry(db, indexindex, verbose, "g N entry"); } -static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose) +static void print_user(CA_DB *db, int userindex, int verbose) { if (verbose > 0) { char **pp = sk_OPENSSL_PSTRING_value(db->db->data, userindex); if (pp[DB_srptype][0] != 'I') { - print_entry(db, bio, userindex, verbose, "User entry"); - print_entry(db, bio, get_index(db, pp[DB_srpgN], 'I'), verbose, + print_entry(db, userindex, verbose, "User entry"); + print_entry(db, get_index(db, pp[DB_srpgN], 'I'), verbose, "g N entry"); } } } -static int update_index(CA_DB *db, BIO *bio, char **row) +static int update_index(CA_DB *db, char **row) { char **irow; int i; @@ -150,8 +150,8 @@ static int update_index(CA_DB *db, BIO *bio, char **row) irow[DB_NUMBER] = NULL; if (!TXT_DB_insert(db->db, irow)) { - BIO_printf(bio, "failed to update srpvfile\n"); - BIO_printf(bio, "TXT_DB error number %ld\n", db->db->error); + BIO_printf(bio_err, "failed to update srpvfile\n"); + BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); OPENSSL_free(irow); return 0; } 
@@ -165,7 +165,7 @@ static void lookup_fail(const char *name, const char *tag) static char *srp_verify_user(const char *user, const char *srp_verifier, char *srp_usersalt, const char *g, const char *N, - const char *passin, BIO *bio, int verbose) + const char *passin, int verbose) { char password[1024]; PW_CB_DATA cb_tmp; @@ -177,17 +177,17 @@ static char *srp_verify_user(const char *user, const char *srp_verifier, if (password_callback(password, 1024, 0, &cb_tmp) > 0) { if (verbose) - BIO_printf(bio, + BIO_printf(bio_err, "Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", user, srp_verifier, srp_usersalt, g, N); - BIO_printf(bio, "Pass %s\n", password); + BIO_printf(bio_err, "Pass %s\n", password); OPENSSL_assert(srp_usersalt != NULL); if (! (gNid = SRP_create_verifier(user, password, &srp_usersalt, &verifier, N, g))) { - BIO_printf(bio, "Internal error validating SRP verifier\n"); + BIO_printf(bio_err, "Internal error validating SRP verifier\n"); } else { if (strcmp(verifier, srp_verifier)) gNid = NULL; @@ -199,7 +199,7 @@ static char *srp_verify_user(const char *user, const char *srp_verifier, static char *srp_create_user(char *user, char **srp_verifier, char **srp_usersalt, char *g, char *N, - char *passout, BIO *bio, int verbose) + char *passout, int verbose) { char password[1024]; PW_CB_DATA cb_tmp; 
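Review bot: `srp_verify_user` prints the password in clear on every call: `BIO_printf(bio_err, "Pass %s\n", password);` is not covered by the unbraced `if (verbose)` above it, which guards only the "Validating" message, and this commit now sends it to `bio_err` unconditionally. Standard error of the `srp` command is routinely captured in terminal scrollback, job logs and wrappers, so the secret outlives the process. The line should be removed rather than redirected. `password[1024]` should also be wiped with `OPENSSL_cleanse(password, sizeof(password));` before returning if the part of the function outside the hunk does not already do so; the same buffer exists in `srp_create_user` in the following hunk.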
@@ -210,17 +210,17 @@ static char *srp_create_user(char *user, char **srp_verifier, if (password_callback(password, 1024, 1, &cb_tmp) > 0) { if (verbose) - BIO_printf(bio, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", + BIO_printf(bio_err, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", user, g, N); if (! (gNid = SRP_create_verifier(user, password, &salt, srp_verifier, N, g))) { - BIO_printf(bio, "Internal error creating SRP verifier\n"); + BIO_printf(bio_err, "Internal error creating SRP verifier\n"); } else *srp_usersalt = salt; if (verbose > 1) - BIO_printf(bio, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid, + BIO_printf(bio_err, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", gNid, salt, *srp_verifier); } @@ -453,7 +453,7 @@ int srp_main(int argc, char **argv) if (gNindex < 0 && gN != NULL && !strcmp(gN, pp[DB_srpid])) gNindex = i; - print_index(db, bio_err, i, verbose > 1); + print_index(db, i, verbose > 1); } } @@ -462,7 +462,7 @@ int srp_main(int argc, char **argv) if (gNindex >= 0) { gNrow = sk_OPENSSL_PSTRING_value(db->db->data, gNindex); - print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N"); + print_entry(db, gNindex, verbose > 1, "Default g and N"); } else if (maxgN > 0 && !SRP_get_default_gN(gN)) { BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN); goto end; @@ -484,7 +484,7 @@ int srp_main(int argc, char **argv) if (verbose > 1) BIO_printf(bio_err, "Processing user \"%s\"\n", user); if ((userindex = get_index(db, user, 'U')) >= 0) { - print_user(db, bio_err, userindex, (verbose > 0) + print_user(db, userindex, (verbose > 0) || mode == OPT_LIST); } @@ -493,7 +493,7 @@ int srp_main(int argc, char **argv) BIO_printf(bio_err, "List all users\n"); for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - print_user(db, bio_err, i, 1); + print_user(db, i, 1); } } else if (userindex < 0) { BIO_printf(bio_err, 
@@ -521,7 +521,7 @@ int srp_main(int argc, char **argv) &(row[DB_srpsalt]), gNrow ? gNrow[DB_srpsalt] : gN, gNrow ? gNrow[DB_srpverifier] : NULL, - passout, bio_err, verbose))) { + passout, verbose))) { BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned .\n", user); @@ -540,7 +540,7 @@ int srp_main(int argc, char **argv) = BUF_strdup (userinfo)))) - || !update_index(db, bio_err, row)) { + || !update_index(db, row)) { if (row[DB_srpid]) OPENSSL_free(row[DB_srpid]); if (row[DB_srpgN]) @@ -593,7 +593,7 @@ int srp_main(int argc, char **argv) (user, row[DB_srpverifier], row[DB_srpsalt], irow ? irow[DB_srpsalt] : row[DB_srpgN], irow ? irow[DB_srpverifier] : NULL, passin, - bio_err, verbose)) { + verbose)) { BIO_printf(bio_err, "Invalid password for user \"%s\", operation abandoned.\n", user); @@ -611,7 +611,7 @@ int srp_main(int argc, char **argv) &(row[DB_srpsalt]), gNrow ? gNrow[DB_srpsalt] : NULL, gNrow ? gNrow[DB_srpverifier] : NULL, - passout, bio_err, verbose))) { + passout, verbose))) { BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); @@ -664,7 +664,7 @@ int srp_main(int argc, char **argv) if (pp[DB_srptype][0] == 'v') { pp[DB_srptype][0] = 'V'; - print_user(db, bio_err, i, verbose); + print_user(db, i, verbose); } } diff --git a/apps/verify.c b/apps/verify.c index 35085e7..1faca96 100644 --- a/apps/verify.c +++ b/apps/verify.c 
@@ -296,26 +296,25 @@ static int cb(int ok, X509_STORE_CTX *ctx) if (!ok) { if (current_cert) { - X509_NAME_print_ex_fp(stdout, - X509_get_subject_name(current_cert), - 0, XN_FLAG_ONELINE); - printf("\n"); + X509_NAME_print_ex(bio_err, + X509_get_subject_name(current_cert), + 0, XN_FLAG_ONELINE); + BIO_printf(bio_err, "\n"); } - printf("%serror %d at %d depth lookup:%s\n", + BIO_printf(bio_err, "%serror %d at %d depth lookup:%s\n", X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path]" : "", cert_error, X509_STORE_CTX_get_error_depth(ctx), X509_verify_cert_error_string(cert_error)); switch (cert_error) { case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); + policies_print(ctx); case X509_V_ERR_CERT_HAS_EXPIRED: /* * since we are just checking the certificates, it is ok if they * are self signed. But we should still warn the user. */ - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* Continue after extension errors too */ case X509_V_ERR_INVALID_CA: @@ -326,14 +325,13 @@ static int cb(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_CRL_NOT_YET_VALID: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: ok = 1; - } return ok; } if (cert_error == X509_V_OK && ok == 2) - policies_print(bio_out, ctx); + policies_print(ctx); if (!v_verbose) ERR_clear_error(); return (ok); From matt at openssl.org Wed Apr 29 16:45:46 2015 
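Review bot: After `policies_print(ctx);` the `X509_V_ERR_NO_EXPLICIT_POLICY` case has no `break` and falls into the group of cases that ends in `ok = 1`, with nothing marking that as intended. Because this callback decides which verification errors are overridden, a `/* fall thru */` comment after the call would make the intent explicit for the next reader. Separately, the error text used to go to stdout and the success-path policies to `bio_out`; both now go to `bio_err` (assuming `policies_print` writes there, which the hunk does not show), which changes what a script reading stdout sees and deserves a line in the commit message.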
From: matt at openssl.org (Matt Caswell) Date: Wed, 29 Apr 2015 16:45:46 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430325946.109640.17293.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via c5f8cd7bc661f90dc012c9d2bae1808a4281985f (commit) from 937a766982229fd4aa3d9ceb544517f81a193206 (commit) - Log ----------------------------------------------------------------- commit c5f8cd7bc661f90dc012c9d2bae1808a4281985f Author: Matt Caswell Date: Wed Apr 29 16:15:40 2015 +0100 Add length sanity check in SSLv2 n_do_ssl_write() Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the code I do not believe there is a real problem here. However the logic flows are complicated enough that a sanity check of |len| is probably worthwhile. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ssl/s2_pkt.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index 614b9a3..7a61888 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c 
@@ -576,6 +576,20 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->padding = p; s->s2->mac_data = &(s->s2->wbuf[3]); s->s2->wact_data = &(s->s2->wbuf[3 + mac_size]); + + /* + * It would be clearer to write this as follows: + * if (mac_size + len + p > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) + * However |len| is user input that could in theory be very large. We + * know |mac_size| and |p| are small, so to avoid any possibility of + * overflow we write it like this. + * + * In theory this should never fail because the logic above should have + * modified |len| if it is too big. But we are being cautious. + */ + if (len > (SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER - (mac_size + p))) { + return -1; + } /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data, buf, len); if (p) From matt at openssl.org Wed Apr 29 16:45:57 2015 
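Review bot: The new guard's `return -1` leaves nothing on the error queue, so a caller cannot tell this internal consistency failure from an ordinary write error; an `SSLerr()` entry before the return would make it diagnosable. The subtraction also relies on `mac_size + p` never exceeding `SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER`, which the comment asserts but the hunk does not show; if the operands are unsigned, a larger sum would wrap and let the check pass. The declarations of `mac_size` and `p` are outside the hunk, so this needs confirming against the full function. The same hunk is repeated in the OpenSSL_1_0_1-stable cherry-pick further down the page and the point applies there too.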
From: matt at openssl.org (Matt Caswell) Date: Wed, 29 Apr 2015 16:45:57 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1430325957.015516.17522.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 80a06268ae329a1d7e01292029f9ae3af172b4b8 (commit) from e3dd33c25c885ab3bfe707d87ddb12f845d77032 (commit) - Log ----------------------------------------------------------------- commit 80a06268ae329a1d7e01292029f9ae3af172b4b8 Author: Matt Caswell Date: Wed Apr 29 16:15:40 2015 +0100 Add length sanity check in SSLv2 n_do_ssl_write() Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the code I do not believe there is a real problem here. However the logic flows are complicated enough that a sanity check of |len| is probably worthwhile. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Rich Salz (cherry picked from commit c5f8cd7bc661f90dc012c9d2bae1808a4281985f) ----------------------------------------------------------------------- Summary of changes: ssl/s2_pkt.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c index 614b9a3..7a61888 100644 --- a/ssl/s2_pkt.c +++ b/ssl/s2_pkt.c 
@@ -576,6 +576,20 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->padding = p; s->s2->mac_data = &(s->s2->wbuf[3]); s->s2->wact_data = &(s->s2->wbuf[3 + mac_size]); + + /* + * It would be clearer to write this as follows: + * if (mac_size + len + p > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) + * However |len| is user input that could in theory be very large. We + * know |mac_size| and |p| are small, so to avoid any possibility of + * overflow we write it like this. + * + * In theory this should never fail because the logic above should have + * modified |len| if it is too big. But we are being cautious. + */ + if (len > (SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER - (mac_size + p))) { + return -1; + } /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data, buf, len); if (p) From rsalz at openssl.org Wed Apr 29 18:16:10 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 29 Apr 2015 18:16:10 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430331370.618128.26128.nullmailer@dev.openssl.org> The branch master has been updated via 2fa45e6ee722078bc55311c66bdba1ca2fc69c28 (commit) from ecf3a1fb181c08540342cceb6549e0408b32d135 (commit) - Log ----------------------------------------------------------------- commit 2fa45e6ee722078bc55311c66bdba1ca2fc69c28 Author: Rich Salz Date: Wed Apr 29 14:15:50 2015 -0400 use isxdigit and apps_tohex Replace ad-hoc ascii->hex with isxdigit and new app_tohex. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 39 +++++++++++++++++++++++++++++++++++++++ apps/apps.h | 1 + apps/ca.c | 11 ++++------- apps/enc.c | 9 ++------- 4 files changed, 46 insertions(+), 14 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index a4eecae..bec10a2 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -2673,6 +2673,45 @@ int app_access(const char* name, int flag) #endif } +int app_hex(char c) +{ + switch (c) { + default: + case '0': + return 0; + case '1': + return 1; + case '2': + return 2; + case '3': + return 3; + case '4': + return 4; + case '5': + return 5; + case '6': + return 6; + case '7': + return 7; + case '8': + return 8; + case '9': + return 9; + case 'a': case 'A': + return 0x0A; + case 'b': case 'B': + return 0x0B; + case 'c': case 'C': + return 0x0C; + case 'd': case 'D': + return 0x0D; + case 'e': case 'E': + return 0x0E; + case 'f': case 'F': + return 0x0F; + } +} + /* app_isdir section */ #ifdef _WIN32 int app_isdir(const char *name) diff --git a/apps/apps.h b/apps/apps.h index db67957..1ba6485 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -544,6 +544,7 @@ void store_setup_crl_download(X509_STORE *st); # define SERIAL_RAND_BITS 64 +int app_hex(char); int app_isdir(const char *); int app_access(const char *, int flag); int raw_read_stdin(void *, int); diff --git a/apps/ca.c b/apps/ca.c index ba666ee..9c96417 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -778,16 +778,13 @@ end_of_options: i + 1, j); goto end; } - while (*p) { - if (!(((*p >= '0') && (*p <= '9')) || - ((*p >= 'A') && (*p <= 'F')) || - ((*p >= 'a') && (*p <= 'f')))) { + for ( ; *p; p++) { + if (!isxdigit(*p)) { BIO_printf(bio_err, - "entry %d: bad serial number characters, char pos %ld, char is '%c'\n", - i + 1, (long)(p - pp[DB_serial]), *p); + "entry %d: bad char 0%o '%c' in serial number\n", + i + 1, *p, *p); goto end; } - p++; } } if (verbose) { diff --git a/apps/enc.c b/apps/enc.c index 794fce1..c6b8d2b 100644 --- a/apps/enc.c +++ b/apps/enc.c 
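Review bot: `app_hex` puts `default:` on the same label as `case '0':`, so every character that is not a hex digit silently converts to 0 and the caller gets no signal. That is safe only when each caller has checked `isxdigit()` first, as the `set_hex` change in apps/enc.c does. I would state the contract above the function, e.g. `/* Caller must have checked isxdigit(c); any other character yields 0. */`, or return -1 from `default:` so that an unchecked call is detectable.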
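Review bot: `isxdigit(*p)` in the apps/ca.c loop receives a plain `char` if `p` is a `char *` (its declaration is outside the hunk); where `char` is signed, a byte above 0x7F in the serial field becomes a negative argument, which is undefined for the `<ctype.h>` functions. Use `isxdigit((unsigned char)*p)`. The new message also passes `*p` to `%o` without a cast and drops the character position that the old message reported, which made a bad database entry easier to locate.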
@@ -617,16 +617,11 @@ static int set_hex(char *in, unsigned char *out, int size) *(in++) = '\0'; if (j == 0) break; - if ((j >= '0') && (j <= '9')) - j -= '0'; - else if ((j >= 'A') && (j <= 'F')) - j = j - 'A' + 10; - else if ((j >= 'a') && (j <= 'f')) - j = j - 'a' + 10; - else { + if (!isxdigit(j)) { BIO_printf(bio_err, "non-hex digit\n"); return (0); } + j = (unsigned char)app_hex(j); if (i & 1) out[i / 2] |= j; else From rsalz at openssl.org Wed Apr 29 18:50:31 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 29 Apr 2015 18:50:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430333431.489508.29064.nullmailer@dev.openssl.org> The branch master has been updated via db4c08f0194d58c6192f0d8311bf3f20e251cf4f (commit) from 2fa45e6ee722078bc55311c66bdba1ca2fc69c28 (commit) - Log ----------------------------------------------------------------- commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f Author: Rich Salz Date: Wed Apr 29 14:50:00 2015 -0400 Rewrite parse_name Remove need for multiple arrays, parse the X509 name one RDN at a time. Thanks to Andy for careful review. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 166 +++++++++++++++++++++--------------------------------------- apps/apps.h | 2 +- 2 files changed, 59 insertions(+), 109 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index bec10a2..a93151c 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -1822,134 +1822,84 @@ int parse_yesno(const char *str, int def) } /* - * subject is expected to be in the format /type0=value0/type1=value1/type2=... + * name is expected to be in the format /type0=value0/type1=value1/type2=... * where characters may be escaped by \ */ -X509_NAME *parse_name(char *subject, long chtype, int multirdn) +X509_NAME *parse_name(const char *cp, long chtype, int canmulti) { - size_t buflen = strlen(subject) + 1; /* to copy the types and values - * into. due to escaping, the copy - * can only become shorter */ - char *buf = OPENSSL_malloc(buflen); - size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */ - char **ne_types = OPENSSL_malloc(max_ne * sizeof(char *)); - char **ne_values = OPENSSL_malloc(max_ne * sizeof(char *)); - int *mval = OPENSSL_malloc(max_ne * sizeof(int)); + int nextismulti = 0; + char *work; + X509_NAME *n; - char *sp = subject, *bp = buf; - int i, ne_num = 0; - - X509_NAME *n = NULL; - int nid; + if (*cp++ != '/') + return NULL; - if (!buf || !ne_types || !ne_values || !mval) { - BIO_printf(bio_err, "malloc error\n"); - goto error; - } + n = X509_NAME_new(); + if (n == NULL) + return NULL; + work = strdup(cp); + if (work == NULL) + goto err; - if (*subject != '/') { - BIO_printf(bio_err, "Subject does not start with '/'.\n"); - goto error; - } - sp++; /* skip leading / */ - - /* no multivalued RDN by default */ - mval[ne_num] = 0; - - while (*sp) { - /* collect type */ - ne_types[ne_num] = bp; - while (*sp) { - if (*sp == '\\') { /* is there anything to escape in the - * type...? 
*/ - if (*++sp) - *bp++ = *sp++; - else { - BIO_printf(bio_err, - "escape character at end of string\n"); - goto error; - } - } else if (*sp == '=') { - sp++; - *bp++ = '\0'; - break; - } else - *bp++ = *sp++; - } - if (!*sp) { + while (*cp) { + char *bp = work; + char *typestr = bp; + unsigned char *valstr; + int nid; + int ismulti = nextismulti; + nextismulti = 0; + + /* Collect the type */ + while (*cp && *cp != '=') + *bp++ = *cp++; + if (*cp == '\0') { BIO_printf(bio_err, - "end of string encountered while processing type of subject name element #%d\n", - ne_num); - goto error; + "%s: Hit end of string before finding the equals.\n", + opt_getprog()); + goto err; } - ne_values[ne_num] = bp; - while (*sp) { - if (*sp == '\\') { - if (*++sp) - *bp++ = *sp++; - else { - BIO_printf(bio_err, - "escape character at end of string\n"); - goto error; - } - } else if (*sp == '/') { - sp++; - /* no multivalued RDN by default */ - mval[ne_num + 1] = 0; - break; - } else if (*sp == '+' && multirdn) { - /* - * a not escaped + signals a mutlivalued RDN - */ - sp++; - mval[ne_num + 1] = -1; + *bp++ = '\0'; + ++cp; + + /* Collect the value. */ + valstr = (unsigned char *)bp; + for (; *cp && *cp != '/'; *bp++ = *cp++) { + if (canmulti && *cp == '+') { + nextismulti = 1; break; - } else - *bp++ = *sp++; + } + if (*cp == '\\' && *++cp == '\0') { + BIO_printf(bio_err, + "%s: escape character at end of string\n", + opt_getprog()); + goto err; + } } *bp++ = '\0'; - ne_num++; - } - if (!(n = X509_NAME_new())) - goto error; - - for (i = 0; i < ne_num; i++) { - if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) { - BIO_printf(bio_err, - "Subject Attribute %s has no known NID, skipped\n", - ne_types[i]); - continue; - } + /* If not at EOS (must be + or /), move forward. 
*/ + if (*cp) + ++cp; - if (!*ne_values[i]) { - BIO_printf(bio_err, - "No value provided for Subject Attribute %s, skipped\n", - ne_types[i]); + /* Parse */ + nid = OBJ_txt2nid(typestr); + if (nid == NID_undef) { + BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n", + opt_getprog(), typestr); continue; } - - if (!X509_NAME_add_entry_by_NID - (n, nid, chtype, (unsigned char *)ne_values[i], -1, -1, mval[i])) - goto error; + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + valstr, strlen((char *)valstr), + -1, ismulti ? -1 : 0)) + goto err; } - OPENSSL_free(ne_values); - OPENSSL_free(ne_types); - OPENSSL_free(buf); - OPENSSL_free(mval); + free(work); return n; - error: + err: X509_NAME_free(n); - if (ne_values) - OPENSSL_free(ne_values); - if (ne_types) - OPENSSL_free(ne_types); - if (mval) - OPENSSL_free(mval); - if (buf) - OPENSSL_free(buf); + free(work); return NULL; } diff --git a/apps/apps.h b/apps/apps.h index 1ba6485..5b24233 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -486,7 +486,7 @@ void free_index(CA_DB *db); int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); int parse_yesno(const char *str, int def); -X509_NAME *parse_name(char *str, long chtype, int multirdn); +X509_NAME *parse_name(const char *str, long chtype, int multirdn); int args_verify(char ***pargs, int *pargc, int *badarg, X509_VERIFY_PARAM **pm); void policies_print(X509_STORE_CTX *ctx); From rsalz at openssl.org Wed Apr 29 21:37:31 2015 
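Review bot: The rewritten `parse_name` no longer skips an attribute whose value is empty: the old loop printed "No value provided for Subject Attribute %s, skipped" and continued, while the new one hands a zero-length `valstr` to `X509_NAME_add_entry_by_NID`. Whether that call accepts an empty string depends on the attribute type, so an input such as `/CN=` may now either fail the whole parse or produce an empty entry where it used to be ignored. If the old behaviour is wanted, add `if (*valstr == '\0') continue;` with a message after the NID lookup. The early `return NULL` for a missing leading `/` and the `goto err` after a failed add also no longer print anything to `bio_err`, so the user gets no reason for the failure.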
From: rsalz at openssl.org (Rich Salz) Date: Wed, 29 Apr 2015 21:37:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430343451.681903.15749.nullmailer@dev.openssl.org> The branch master has been updated via 995101d6547c9bc88e10fc85cfa2cbc3a92ede93 (commit) from db4c08f0194d58c6192f0d8311bf3f20e251cf4f (commit) - Log ----------------------------------------------------------------- commit 995101d6547c9bc88e10fc85cfa2cbc3a92ede93 Author: Rich Salz Date: Wed Apr 29 17:37:04 2015 -0400 Add HTTP GET support to OCSP server Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: CHANGES | 3 +++ apps/ocsp.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 51 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index b44f645..b6342bd 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) Added HTTP GET support to the ocsp command. + [Rich Salz] + *) RAND_pseudo_bytes has been deprecated. Users should use RAND bytes instead. *) Added support for TLS extended master secret from diff --git a/apps/ocsp.c b/apps/ocsp.c index d22ce7d..fb60e3b 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1043,13 +1043,32 @@ static BIO *init_responder(const char *port) return NULL; } + +static char *urldecode(char *p) +{ + unsigned char *out = (unsigned char *)p; + char *save = p; + + for (; *p; p++) { + if (*p != '%') + *out++ = *p; + else if (p[1] && p[2]) { + *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]); + p += 2; + } + } + *p = '\0'; + return save; +} + static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, const char *port) { int len; OCSP_REQUEST *req = NULL; char inbuf[2048]; - BIO *cbio = NULL; + char *p, *q; + BIO *cbio = NULL, *getbio = NULL, *b64 = NULL; if (BIO_do_accept(acbio) <= 0) { BIO_printf(bio_err, "Error accepting connection\n"); 
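Review bot: `urldecode` terminates the string in the wrong place: when the loop ends `p` already points at the input's NUL, so `*p = '\0';` is a no-op and the decoded text is followed by the leftover bytes of the original; it should be `*out = '\0';`. The escape branch also passes `p[1]` and `p[2]` to `app_hex` unchecked, and `app_hex` returns 0 for non-hex characters, so a malformed escape decodes to a wrong byte instead of being rejected; test `isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])` first. A `%` with fewer than two characters after it is dropped without error. Since the input is the request line read from the network, I would have the function return NULL on a bad escape and let `do_responder` answer "Invalid request".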
@@ -1064,7 +1083,29 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, len = BIO_gets(cbio, inbuf, sizeof inbuf); if (len <= 0) return 1; - if (strncmp(inbuf, "POST", 4) != 0) { + if (strncmp(inbuf, "GET", 3) == 0) { + /* Expecting GET {sp} /URL {sp} HTTP/1.x */ + for (p = inbuf + 3; *p == ' ' || *p == '\t'; ++p) + continue; + if (*p) { + /* Move past the slash before the URL part. */ + p++; + } + /* Splice off the HTTP version identifier. */ + for (q = p; *q; q++) + if (*q == ' ' || *q == '\t') + break; + if (*q == '\0') { + BIO_printf(bio_err, "Invalid request\n"); + return 1; + } + *q = '\0'; + p = urldecode(p); + getbio = BIO_new_mem_buf(p, strlen(p)); + b64 = BIO_new(BIO_f_base64()); + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + getbio = BIO_push(b64, getbio); + } else if (strncmp(inbuf, "POST", 4) != 0) { BIO_printf(bio_err, "Invalid request\n"); return 1; } @@ -1078,7 +1119,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, } /* Try to read OCSP request */ - req = d2i_OCSP_REQUEST_bio(cbio, NULL); + if (getbio) { + req = d2i_OCSP_REQUEST_bio(getbio, NULL); + BIO_free_all(getbio); + } else + req = d2i_OCSP_REQUEST_bio(cbio, NULL); if (!req) { BIO_printf(bio_err, "Error parsing OCSP request\n"); From matt at openssl.org Thu Apr 30 10:37:28 2015 
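Review bot: Neither `BIO_new_mem_buf(p, strlen(p))` nor `BIO_new(BIO_f_base64())` is checked in the GET branch, and `BIO_set_flags(b64, ...)` is then applied to a possibly NULL `b64`. This path runs on the request line sent by a remote client, so an allocation failure should end the request cleanly rather than fault the responder; check both results, free whichever succeeded and return. The branch also steps over one character after the whitespace without confirming it is `/`, and `strncmp(inbuf, "GET", 3)` accepts any method that merely starts with GET. `do_responder` begins and continues outside this hunk, so whether `getbio` is released on the early returns between here and the `d2i_OCSP_REQUEST_bio` call cannot be confirmed from the visible lines.

```c
        b64 = BIO_new(BIO_f_base64());
        if (getbio == NULL || b64 == NULL) {
            BIO_printf(bio_err, "Could not allocate memory\n");
            BIO_free(getbio);
            BIO_free(b64);
            return 1;
        }
        /* ... unchanged: BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL) and BIO_push ... */
```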
From: matt at openssl.org (Matt Caswell) Date: Thu, 30 Apr 2015 10:37:28 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430390248.838036.320.nullmailer@dev.openssl.org> The branch master has been updated via a3ed492f58d1febb9e048fb6ab5b96983569bf3b (commit) via fb456902758d1c9a36ebb1327e81e98e53c26df6 (commit) from 995101d6547c9bc88e10fc85cfa2cbc3a92ede93 (commit) - Log ----------------------------------------------------------------- commit a3ed492f58d1febb9e048fb6ab5b96983569bf3b Author: Matt Caswell Date: Thu Apr 30 09:43:11 2015 +0100 Fix windows build The big apps cleanup broke the windows build. This commit fixes some miscellaneous issues so that it builds again. Reviewed-by: Andy Polyakov commit fb456902758d1c9a36ebb1327e81e98e53c26df6 Author: Matt Caswell Date: Thu Apr 30 09:40:55 2015 +0100 Remove redundant includes from dtls1.h There were a set of includes in dtls1.h which are now redundant due to the libssl opaque work. This commit removes those includes, which also has the effect of resolving one issue preventing building on windows (i.e. the include of winsock.h) Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 +++--- apps/opt.c | 8 ++++---- include/openssl/dtls1.h | 19 ------------------- ssl/d1_lib.c | 6 ++++++ ssl/record/record.h | 2 ++ 5 files changed, 15 insertions(+), 26 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index a93151c..ff832bd 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1837,7 +1837,7 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) n = X509_NAME_new(); if (n == NULL) return NULL; - work = strdup(cp); + work = OPENSSL_strdup(cp); if (work == NULL) goto err; @@ -1894,12 +1894,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) goto err; } - free(work); + OPENSSL_free(work); return n; err: X509_NAME_free(n); - free(work); + OPENSSL_free(work); return NULL; } 
diff --git a/apps/opt.c b/apps/opt.c index df2bea5..fbe4c4b 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -54,7 +54,7 @@ #if !defined(OPENSSL_SYS_MSDOS) # include OPENSSL_UNISTD #endif -#include + #include #include #include @@ -96,11 +96,11 @@ char *opt_progname(const char *argv0) /* Strip off trailing nonsense. */ n = strlen(p); if (n > 4 && - (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0) + (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0)) n -= 4; #if defined(OPENSSL_SYS_NETWARE) if (n > 4 && - (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0) + (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0)) n -= 4; #endif @@ -108,7 +108,7 @@ char *opt_progname(const char *argv0) if (n > sizeof prog - 1) n = sizeof prog - 1; for (q = prog, i = 0; i < n; i++, p++) - q++ = isupper(*p) ? tolower(*p) : *p; + *q++ = isupper(*p) ? tolower(*p) : *p; *q = '\0'; return prog; } diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index 542ae04..f214296 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -60,25 +60,6 @@ #ifndef HEADER_DTLS1_H # define HEADER_DTLS1_H -# include -# include -# ifdef OPENSSL_SYS_VMS -# include -# include -# endif -# ifdef OPENSSL_SYS_WIN32 -/* Needed for struct timeval */ -# include -# elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) -# include -# else -# if defined(OPENSSL_SYS_VXWORKS) -# include -# else -# include -# endif -# endif - #ifdef __cplusplus extern "C" { #endif diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index a1d2032..6946b32 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -64,6 +64,12 @@ #if defined(OPENSSL_SYS_VMS) # include +#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) +# include +#elif defined(OPENSSL_SYS_VXWORKS) +# include +#elif !defined(OPENSSL_SYS_WIN32) +# include #endif static void get_current_time(struct timeval *t); diff --git a/ssl/record/record.h b/ssl/record/record.h index 29c74d7..6bccb71 100644 
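Review bot: The corrected copy loop in `opt_progname`, `*q++ = isupper(*p) ? tolower(*p) : *p;`, passes a plain `char` to the `<ctype.h>` functions, which is undefined for negative values on platforms where `char` is signed, and a program name taken from `argv0` can hold arbitrary bytes. `tolower` already leaves non-uppercase characters alone, so the line can be `*q++ = tolower((unsigned char)*p);`. `opt_progname` starts above this hunk, so how `p` is derived from `argv0` is not visible here.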
--- a/ssl/record/record.h +++ b/ssl/record/record.h @@ -109,6 +109,8 @@ * */ +#include + /***************************************************************************** * * * These structures should be considered PRIVATE to the record layer. No * From rsalz at openssl.org Thu Apr 30 15:34:48 2015 
From: rsalz at openssl.org (Rich Salz) Date: Thu, 30 Apr 2015 15:34:48 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430408088.885417.28468.nullmailer@dev.openssl.org> The branch master has been updated via 2ace745022f5af0709297e96eb0b0829c87c4291 (commit) via 5a80d9fbfe445420ffe6b649f29e2e0c412aba5d (commit) from a3ed492f58d1febb9e048fb6ab5b96983569bf3b (commit) - Log ----------------------------------------------------------------- commit 2ace745022f5af0709297e96eb0b0829c87c4291 Author: Rich Salz Date: Thu Apr 30 11:30:03 2015 -0400 free NULL cleanup 8 Do not check for NULL before calling a free routine. This addresses: ASN1_BIT_STRING_free ASN1_GENERALIZEDTIME_free ASN1_INTEGER_free ASN1_OBJECT_free ASN1_OCTET_STRING_free ASN1_PCTX_free ASN1_SCTX_free ASN1_STRING_clear_free ASN1_STRING_free ASN1_TYPE_free ASN1_UTCTIME_free M_ASN1_free_of Reviewed-by: Richard Levitte commit 5a80d9fbfe445420ffe6b649f29e2e0c412aba5d Author: Rich Salz Date: Thu Apr 30 11:13:49 2015 -0400 Fix bug, "what mode" test was wrong. 
Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 ++---- apps/asn1pars.c | 3 +-- apps/ca.c | 16 +++++++--------- apps/srp.c | 3 ++- crypto/asn1/a_object.c | 2 +- crypto/asn1/asn1_gen.c | 3 +-- crypto/asn1/tasn_prn.c | 3 ++- crypto/asn1/tasn_scn.c | 3 ++- crypto/asn1/x_algor.c | 6 ++---- crypto/asn1/x_x509a.c | 4 ++-- crypto/cms/cms_env.c | 6 ++---- crypto/cms/cms_ess.c | 3 +-- crypto/cms/cms_lib.c | 15 +++++---------- crypto/cms/cms_sd.c | 6 ++---- crypto/dh/dh_ameth.c | 9 +++------ crypto/dsa/dsa_ameth.c | 9 +++------ crypto/ec/ec_asn1.c | 9 +++------ crypto/ocsp/ocsp_ext.c | 6 ++---- crypto/pkcs12/p12_decr.c | 3 +-- crypto/ts/ts_rsp_sign.c | 3 +-- crypto/x509/x509_vpm.c | 16 ++++++---------- crypto/x509/x_attrib.c | 3 +-- crypto/x509v3/pcy_cache.c | 3 +-- crypto/x509v3/v3_pci.c | 18 ++++++------------ crypto/x509v3/v3_utl.c | 3 +-- 25 files changed, 60 insertions(+), 101 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index ff832bd..5eadc72 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1414,8 +1414,7 @@ BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai) } err: BIO_free(in); - if (ai != NULL) - ASN1_INTEGER_free(ai); + ASN1_INTEGER_free(ai); return (ret); } @@ -1468,8 +1467,7 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial, } err: BIO_free_all(out); - if (ai != NULL) - ASN1_INTEGER_free(ai); + ASN1_INTEGER_free(ai); return (ret); } diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 6214625..7e1dfb7 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -327,8 +327,7 @@ int asn1parse_main(int argc, char **argv) OPENSSL_free(header); if (strictpem && str != NULL) OPENSSL_free(str); - if (at != NULL) - ASN1_TYPE_free(at); + ASN1_TYPE_free(at); if (osk != NULL) sk_OPENSSL_STRING_free(osk); OBJ_cleanup(); diff --git a/apps/ca.c b/apps/ca.c index 9c96417..5535603 100644 --- a/apps/ca.c +++ b/apps/ca.c 
@@ -2033,8 +2033,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, X509_NAME_free(subject); if ((dn_subject != NULL) && !email_dn) X509_NAME_free(dn_subject); - if (tmptm != NULL) - ASN1_UTCTIME_free(tmptm); + ASN1_UTCTIME_free(tmptm); if (ok <= 0) { if (ret != NULL) X509_free(ret); @@ -2740,6 +2739,8 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, } if (phold) *phold = hold; + else + ASN1_OBJECT_free(hold); } else if ((reason_code == 9) || (reason_code == 10)) { if (!arg_str) { BIO_printf(bio_err, "missing compromised time\n"); @@ -2763,10 +2764,10 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (preason) *preason = reason_code; - if (pinvtm) + if (pinvtm) { *pinvtm = comp_time; - else - ASN1_GENERALIZEDTIME_free(comp_time); + comp_time = NULL; + } ret = 1; @@ -2774,10 +2775,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (tmp) OPENSSL_free(tmp); - if (!phold) - ASN1_OBJECT_free(hold); - if (!pinvtm) - ASN1_GENERALIZEDTIME_free(comp_time); + ASN1_GENERALIZEDTIME_free(comp_time); return ret; } diff --git a/apps/srp.c b/apps/srp.c index adc6a6f..bbbe1a9 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -336,7 +336,8 @@ int srp_main(int argc, char **argv) "Exactly one of the options -add, -delete, -modify -list must be specified.\n"); goto opthelp; } - if ((mode == OPT_DELETE || mode == OPT_MODIFY || OPT_ADD) && argc < 1) { + if ((mode == OPT_DELETE || mode == OPT_MODIFY || mode == OPT_ADD) + && argc < 1) { BIO_printf(bio_err, "Need at least one user for options -add, -delete, -modify. \n"); goto opthelp; diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index 166eb65..2b5a494 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c 
@@ -339,7 +339,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, return (ret); err: ASN1err(ASN1_F_C2I_ASN1_OBJECT, i); - if ((ret != NULL) && ((a == NULL) || (*a != ret))) + if ((a == NULL) || (*a != ret)) ASN1_OBJECT_free(ret); return (NULL); } diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index cee3749..3e066bc 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -513,8 +513,7 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, if (der) OPENSSL_free(der); - if (sk) - sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free); + sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free); if (sect) X509V3_section_free(cnf, sect); diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 76d584b..10974eb 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -100,7 +100,8 @@ ASN1_PCTX *ASN1_PCTX_new(void) void ASN1_PCTX_free(ASN1_PCTX *p) { - OPENSSL_free(p); + if (p) + OPENSSL_free(p); } unsigned long ASN1_PCTX_get_flags(ASN1_PCTX *p) diff --git a/crypto/asn1/tasn_scn.c b/crypto/asn1/tasn_scn.c index cedea9c..8305405 100644 --- a/crypto/asn1/tasn_scn.c +++ b/crypto/asn1/tasn_scn.c @@ -86,7 +86,8 @@ ASN1_SCTX *ASN1_SCTX_new(int (*scan_cb) (ASN1_SCTX *ctx)) void ASN1_SCTX_free(ASN1_SCTX *p) { - OPENSSL_free(p); + if (p) + OPENSSL_free(p); } const ASN1_ITEM *ASN1_SCTX_get_item(ASN1_SCTX *p) diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c index 30d6481..ca27491 100644 --- a/crypto/asn1/x_algor.c +++ b/crypto/asn1/x_algor.c @@ -92,10 +92,8 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval) if (ptype == 0) return 1; if (ptype == V_ASN1_UNDEF) { - if (alg->parameter) { - ASN1_TYPE_free(alg->parameter); - alg->parameter = NULL; - } + ASN1_TYPE_free(alg->parameter); + alg->parameter = NULL; } else ASN1_TYPE_set(alg->parameter, ptype, pval); return 1; diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 8be50b5..775e46f 100644 
--- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -178,7 +178,7 @@ int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) void X509_trust_clear(X509 *x) { - if (x->aux && x->aux->trust) { + if (x->aux) { sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free); x->aux->trust = NULL; } @@ -186,7 +186,7 @@ void X509_trust_clear(X509 *x) void X509_reject_clear(X509 *x) { - if (x->aux && x->aux->reject) { + if (x->aux) { sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free); x->aux->reject = NULL; } diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 3b4b930..98c1fe0 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -277,8 +277,7 @@ CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, merr: CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT, ERR_R_MALLOC_FAILURE); err: - if (ri) - M_ASN1_free_of(ri, CMS_RecipientInfo); + M_ASN1_free_of(ri, CMS_RecipientInfo); EVP_PKEY_free(pk); return NULL; @@ -616,8 +615,7 @@ CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, merr: CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY, ERR_R_MALLOC_FAILURE); err: - if (ri) - M_ASN1_free_of(ri, CMS_RecipientInfo); + M_ASN1_free_of(ri, CMS_RecipientInfo); return NULL; } diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 8212560..6d5fa90 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -340,8 +340,7 @@ int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) err: if (rr) CMS_ReceiptRequest_free(rr); - if (rct) - M_ASN1_free_of(rct, CMS_Receipt); + M_ASN1_free_of(rct, CMS_Receipt); return r; diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 6d2a0e8..8525ff8 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -314,10 +314,8 @@ int CMS_set_detached(CMS_ContentInfo *cms, int detached) if (!pos) return 0; if (detached) { - if (*pos) { - ASN1_OCTET_STRING_free(*pos); - *pos = NULL; - } + ASN1_OCTET_STRING_free(*pos); + *pos = NULL; return 1; } if (!*pos) 
@@ -605,13 +603,11 @@ int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) goto err; if (!ASN1_STRING_copy(ias->serialNumber, X509_get_serialNumber(cert))) goto err; - if (*pias) - M_ASN1_free_of(*pias, CMS_IssuerAndSerialNumber); + M_ASN1_free_of(*pias, CMS_IssuerAndSerialNumber); *pias = ias; return 1; err: - if (ias) - M_ASN1_free_of(ias, CMS_IssuerAndSerialNumber); + M_ASN1_free_of(ias, CMS_IssuerAndSerialNumber); CMSerr(CMS_F_CMS_SET1_IAS, ERR_R_MALLOC_FAILURE); return 0; } @@ -629,8 +625,7 @@ int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) CMSerr(CMS_F_CMS_SET1_KEYID, ERR_R_MALLOC_FAILURE); return 0; } - if (*pkeyid) - ASN1_OCTET_STRING_free(*pkeyid); + ASN1_OCTET_STRING_free(*pkeyid); *pkeyid = keyid; return 1; } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 71c234c..c0a9780 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -404,8 +404,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, merr: CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE); err: - if (si) - M_ASN1_free_of(si, CMS_SignerInfo); + M_ASN1_free_of(si, CMS_SignerInfo); return NULL; } @@ -904,8 +903,7 @@ int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, } alg = X509_ALGOR_new(); if (!alg) { - if (key) - ASN1_INTEGER_free(key); + ASN1_INTEGER_free(key); return 0; } diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 4b22ec4..8cd90b6 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -140,8 +140,7 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) return 1; err: - if (public_key) - ASN1_INTEGER_free(public_key); + ASN1_INTEGER_free(public_key); DH_free(dh); return 0; @@ -296,8 +295,7 @@ static int dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) if (dp != NULL) OPENSSL_free(dp); ASN1_STRING_free(params); - if (prkey != NULL) - ASN1_STRING_clear_free(prkey); + ASN1_STRING_clear_free(prkey); return 0; } 
@@ -706,8 +704,7 @@ static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx, if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) rv = 1; err: - if (public_key) - ASN1_INTEGER_free(public_key); + ASN1_INTEGER_free(public_key); EVP_PKEY_free(pkpeer); DH_free(dhpeer); return rv; diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index c155e5b..76fc2ce 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -118,8 +118,7 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) return 1; err: - if (public_key) - ASN1_INTEGER_free(public_key); + ASN1_INTEGER_free(public_key); DSA_free(dsa); return 0; @@ -279,8 +278,7 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR); dsaerr: BN_CTX_free(ctx); - if (privkey) - ASN1_STRING_clear_free(privkey); + ASN1_STRING_clear_free(privkey); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); DSA_free(dsa); return 0; @@ -334,8 +332,7 @@ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) if (dp != NULL) OPENSSL_free(dp); ASN1_STRING_free(params); - if (prkey != NULL) - ASN1_STRING_clear_free(prkey); + ASN1_STRING_clear_free(prkey); return 0; } diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 97c5906..36dcb96 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -318,8 +318,7 @@ static int ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field) /* clear the old values (if necessary) */ ASN1_OBJECT_free(field->fieldType); - if (field->p.other != NULL) - ASN1_TYPE_free(field->p.other); + ASN1_TYPE_free(field->p.other); nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group)); /* set OID for the field */ @@ -519,10 +518,8 @@ static int ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve) goto err; } } else { - if (curve->seed) { - ASN1_BIT_STRING_free(curve->seed); - curve->seed = NULL; - } + ASN1_BIT_STRING_free(curve->seed); + curve->seed = NULL; } ok = 1; 
diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index b564259..520b55a 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -460,8 +460,7 @@ X509_EXTENSION *OCSP_accept_responses_new(char **oids) } x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk); err: - if (sk) - sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free); return x; } @@ -477,8 +476,7 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char *tim) goto err; x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt); err: - if (gt) - ASN1_GENERALIZEDTIME_free(gt); + ASN1_GENERALIZEDTIME_free(gt); return x; } diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 7a9d3ca..19efd96 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -194,7 +194,6 @@ ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, OPENSSL_free(in); return oct; err: - if (oct) - ASN1_OCTET_STRING_free(oct); + ASN1_OCTET_STRING_free(oct); return NULL; } diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index a8d683b..0cdeb06 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -225,8 +225,7 @@ int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) { - if (ctx->default_policy) - ASN1_OBJECT_free(ctx->default_policy); + ASN1_OBJECT_free(ctx->default_policy); if (!(ctx->default_policy = OBJ_dup(def_policy))) goto err; return 1; diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 2c30ff4..009255e 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c 
@@ -144,15 +144,11 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->inh_flags = 0; param->flags = 0; param->depth = -1; - if (param->policies) { - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - param->policies = NULL; - } + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + param->policies = NULL; paramid = param->id; - if (paramid->hosts) { - string_stack_free(paramid->hosts); - paramid->hosts = NULL; - } + string_stack_free(paramid->hosts); + paramid->hosts = NULL; if (paramid->peername) OPENSSL_free(paramid->peername); if (paramid->email) { @@ -426,10 +422,10 @@ int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, { int i; ASN1_OBJECT *oid, *doid; + if (!param) return 0; - if (param->policies) - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); if (!policies) { param->policies = NULL; diff --git a/crypto/x509/x_attrib.c b/crypto/x509/x_attrib.c index a07a5da..9ff6dcc 100644 --- a/crypto/x509/x_attrib.c +++ b/crypto/x509/x_attrib.c @@ -100,7 +100,6 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value) err: if (ret != NULL) X509_ATTRIBUTE_free(ret); - if (val != NULL) - ASN1_TYPE_free(val); + ASN1_TYPE_free(val); return (NULL); } diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index c8f41f2..eff4291 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -209,8 +209,7 @@ static int policy_cache_new(X509 *x) if (ext_pcons) POLICY_CONSTRAINTS_free(ext_pcons); - if (ext_any) - ASN1_INTEGER_free(ext_any); + ASN1_INTEGER_free(ext_any); return 1; diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c index 4139b34..2568ea8 100644 --- a/crypto/x509v3/v3_pci.c +++ b/crypto/x509v3/v3_pci.c 
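Review bot: The guard dropped around `string_stack_free(paramid->hosts);` in `x509_verify_param_zero` relies on a helper that is not among the routines the commit message lists, and its definition is outside this hunk. Confirm that it returns early on NULL, and once confirmed record it at the call site with a comment such as `/* string_stack_free() accepts NULL */`. The same hunk still guards `OPENSSL_free(paramid->peername)`, so the function now mixes both conventions and a reader cannot tell which frees are NULL-safe without checking each one.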
@@ -306,18 +306,12 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, goto end; err: ASN1_OBJECT_free(language); - if (pathlen) { - ASN1_INTEGER_free(pathlen); - pathlen = NULL; - } - if (policy) { - ASN1_OCTET_STRING_free(policy); - policy = NULL; - } - if (pci) { - PROXY_CERT_INFO_EXTENSION_free(pci); - pci = NULL; - } + ASN1_INTEGER_free(pathlen); + pathlen = NULL; + ASN1_OCTET_STRING_free(policy); + policy = NULL; + PROXY_CERT_INFO_EXTENSION_free(pci); + pci = NULL; end: sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pci; diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index aa3a4de..5de60ce 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -1110,8 +1110,7 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) err: if (iptmp) OPENSSL_free(iptmp); - if (ret) - ASN1_OCTET_STRING_free(ret); + ASN1_OCTET_STRING_free(ret); return NULL; } From rsalz at openssl.org Thu Apr 30 21:34:36 2015 
From: rsalz at openssl.org (Rich Salz) Date: Thu, 30 Apr 2015 21:34:36 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430429676.281693.25129.nullmailer@dev.openssl.org> The branch master has been updated via 222561fe8ef510f336417a666f69f81ddc9b8fe4 (commit) from 2ace745022f5af0709297e96eb0b0829c87c4291 (commit) - Log ----------------------------------------------------------------- commit 222561fe8ef510f336417a666f69f81ddc9b8fe4 Author: Rich Salz Date: Thu Apr 30 17:33:59 2015 -0400 free NULL cleanup 5a Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 3 +-- apps/ca.c | 44 +++++++++++++------------------------ apps/crl2p7.c | 6 ++--- apps/ocsp.c | 3 +-- apps/pkcs12.c | 6 ++--- apps/s_cb.c | 15 +++++-------- apps/s_client.c | 12 ++++------ apps/s_server.c | 22 +++++++------------ apps/smime.c | 3 +-- apps/verify.c | 9 +++----- crypto/asn1/x_info.c | 9 +++----- crypto/asn1/x_pkey.c | 3 +-- crypto/asn1/x_pubkey.c | 9 +++----- crypto/cms/cms_asn1.c | 6 ++--- crypto/cms/cms_pwri.c | 3 +-- crypto/cms/cms_sd.c | 3 +-- crypto/cms/cms_smime.c | 6 ++--- crypto/dh/dh_ameth.c | 12 ++++------ crypto/ec/ec_ameth.c | 12 ++++------ crypto/evp/p_lib.c | 3 +-- crypto/ocsp/ocsp_vfy.c | 3 +-- crypto/pem/pem_info.c | 3 +-- crypto/pkcs12/p12_kiss.c | 14 +++++------- crypto/pkcs7/pk7_doit.c | 6 ++--- crypto/pkcs7/pk7_smime.c | 3 +-- crypto/rsa/rsa_ameth.c | 12 ++++------ crypto/rsa/rsa_sign.c | 3 +-- crypto/ts/ts_rsp_sign.c | 9 +++----- crypto/x509/by_file.c | 6 ++--- crypto/x509/x509_att.c | 6 ++--- crypto/x509/x509_lu.c | 7 ++++-- crypto/x509/x509_r2x.c | 9 ++++---- crypto/x509/x509_v3.c | 6 ++--- crypto/x509/x509_vfy.c | 29 
++++++++++-------------- crypto/x509/x509_vpm.c | 6 ++--- crypto/x509/x509name.c | 3 +-- crypto/x509/x_attrib.c | 3 +-- crypto/x509/x_name.c | 15 +++++-------- crypto/x509v3/pcy_cache.c | 3 +-- crypto/x509v3/pcy_tree.c | 10 +++------ crypto/x509v3/v3_crld.c | 6 ++--- demos/cms/cms_ddec.c | 3 +-- demos/cms/cms_dec.c | 3 +-- demos/cms/cms_denc.c | 6 ++--- demos/cms/cms_enc.c | 6 ++--- demos/cms/cms_sign.c | 3 +-- demos/cms/cms_sign2.c | 8 ++----- demos/cms/cms_ver.c | 3 +-- demos/easy_tls/easy-tls.c | 3 +-- demos/smime/smdec.c | 3 +-- demos/smime/smenc.c | 6 ++--- demos/smime/smsign.c | 3 +-- demos/smime/smsign2.c | 6 ++--- demos/smime/smver.c | 3 +-- demos/spkigen.c | 3 +-- doc/crypto/X509_STORE_CTX_new.pod | 1 + doc/crypto/X509_new.pod | 1 + ssl/s3_clnt.c | 18 +++++---------- ssl/s3_lib.c | 12 ++++------ ssl/s3_srvr.c | 12 ++++------ ssl/ssl_cert.c | 46 +++++++++++++-------------------------- ssl/ssl_lib.c | 25 +++++++-------------- ssl/ssl_rsa.c | 9 +++----- ssl/ssl_sess.c | 3 +-- ssl/t1_lib.c | 7 ++---- 65 files changed, 189 insertions(+), 355 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 5eadc72..9475fe3 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -971,8 +971,7 @@ static int load_certs_crls(const char *file, int format, end: - if (xis) - sk_X509_INFO_pop_free(xis, X509_INFO_free); + sk_X509_INFO_pop_free(xis, X509_INFO_free); if (rv == 0) { if (pcerts) { diff --git a/apps/ca.c b/apps/ca.c index 5535603..a3e0bda 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1349,9 +1349,7 @@ end_of_options: BIO_free_all(Sout); BIO_free_all(out); BIO_free_all(in); - - if (cert_sk) - sk_X509_pop_free(cert_sk, X509_free); + sk_X509_pop_free(cert_sk, X509_free); if (ret) ERR_print_errors(bio_err); @@ -1364,8 +1362,7 @@ end_of_options: if (sigopts) sk_OPENSSL_STRING_free(sigopts); EVP_PKEY_free(pkey); - if (x509) - X509_free(x509); + X509_free(x509); X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); 
@@ -1440,8 +1437,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ext_copy, selfsign); end: - if (req != NULL) - X509_REQ_free(req); + X509_REQ_free(req); BIO_free(in); return (ok); } @@ -1495,10 +1491,8 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509, ext_copy, 0); end: - if (rreq != NULL) - X509_REQ_free(rreq); - if (req != NULL) - X509_free(req); + X509_REQ_free(rreq); + X509_free(req); return (ok); } @@ -1700,8 +1694,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (push != NULL) { if (!X509_NAME_add_entry(subject, push, -1, 0)) { - if (push != NULL) - X509_NAME_ENTRY_free(push); + X509_NAME_ENTRY_free(push); BIO_printf(bio_err, "Memory allocation failure\n"); goto end; } @@ -1876,8 +1869,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* * Free the current entries if any, there should not be any I believe */ - if (ci->extensions != NULL) - sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); + sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); ci->extensions = NULL; @@ -2027,18 +2019,14 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (row[i] != NULL) OPENSSL_free(row[i]); - if (CAname != NULL) - X509_NAME_free(CAname); - if (subject != NULL) - X509_NAME_free(subject); - if ((dn_subject != NULL) && !email_dn) + X509_NAME_free(CAname); + X509_NAME_free(subject); + if (dn_subject != subject) X509_NAME_free(dn_subject); ASN1_UTCTIME_free(tmptm); - if (ok <= 0) { - if (ret != NULL) - X509_free(ret); - ret = NULL; - } else + if (ok <= 0) + X509_free(ret); + else *xret = ret; return (ok); } 
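Review bot: The cleanup at the end of `do_body` changes the condition that decides whether `dn_subject` is freed, from `(dn_subject != NULL) && !email_dn` to `dn_subject != subject`, which is a behavioural change rather than a removed NULL check. The two are only equivalent if `dn_subject` aliases `subject` exactly when `email_dn` is set, and the assignment that establishes this is outside the hunk. A comment at the free site, `/* dn_subject is either subject itself or a separate copy; free it only in the latter case */`, would record the invariant that prevents a double free here.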
@@ -2186,14 +2174,12 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, verbose, req, ext_sect, lconf, certopt, nameopt, default_op, ext_copy, 0); end: - if (req != NULL) - X509_REQ_free(req); + X509_REQ_free(req); if (parms != NULL) CONF_free(parms); if (spki != NULL) NETSCAPE_SPKI_free(spki); - if (ne != NULL) - X509_NAME_ENTRY_free(ne); + X509_NAME_ENTRY_free(ne); return (ok); } diff --git a/apps/crl2p7.c b/apps/crl2p7.c index d75b667..fb2b085 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -215,8 +215,7 @@ int crl2pkcs7_main(int argc, char **argv) BIO_free(in); BIO_free_all(out); PKCS7_free(p7); - if (crl != NULL) - X509_CRL_free(crl); + X509_CRL_free(crl); return (ret); } @@ -267,7 +266,6 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile) end: /* never need to OPENSSL_free x */ BIO_free(in); - if (sk != NULL) - sk_X509_INFO_free(sk); + sk_X509_INFO_free(sk); return (ret); } diff --git a/apps/ocsp.c b/apps/ocsp.c index fb60e3b..680cc0a 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -735,8 +735,7 @@ int ocsp_main(int argc, char **argv) ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(cert); diff --git a/apps/pkcs12.c b/apps/pkcs12.c index ec7a1d9..b4b3730 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -504,10 +504,8 @@ int pkcs12_main(int argc, char **argv) export_end: EVP_PKEY_free(key); - if (certs) - sk_X509_pop_free(certs, X509_free); - if (ucert) - X509_free(ucert); + sk_X509_pop_free(certs, X509_free); + X509_free(ucert); goto end; diff --git a/apps/s_cb.c b/apps/s_cb.c index 76aeadb..1d026b6 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c 
@@ -1219,11 +1219,9 @@ void ssl_excert_free(SSL_EXCERT *exc) { SSL_EXCERT *curr; while (exc) { - if (exc->cert) - X509_free(exc->cert); + X509_free(exc->cert); EVP_PKEY_free(exc->key); - if (exc->chain) - sk_X509_pop_free(exc->chain, X509_free); + sk_X509_pop_free(exc->chain, X509_free); curr = exc; exc = exc->next; OPENSSL_free(curr); @@ -1385,8 +1383,7 @@ void print_ssl_summary(SSL *s) BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); } else BIO_puts(bio_err, "No peer certificate\n"); - if (peer) - X509_free(peer); + X509_free(peer); #ifndef OPENSSL_NO_EC ssl_print_point_formats(bio_err, s); if (SSL_is_server(s)) @@ -1501,10 +1498,8 @@ int ssl_load_stores(SSL_CTX *ctx, } rv = 1; err: - if (vfy) - X509_STORE_free(vfy); - if (ch) - X509_STORE_free(ch); + X509_STORE_free(vfy); + X509_STORE_free(ch); return rv; } diff --git a/apps/s_client.c b/apps/s_client.c index 9d0d6f0..fdd1f5c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1998,17 +1998,14 @@ int s_client_main(int argc, char **argv) OPENSSL_free(next_proto.data); #endif SSL_CTX_free(ctx); - if (cert) - X509_free(cert); + X509_free(cert); if (crls) sk_X509_CRL_pop_free(crls, X509_CRL_free); EVP_PKEY_free(key); - if (chain) - sk_X509_pop_free(chain, X509_free); + sk_X509_pop_free(chain, X509_free); if (pass) OPENSSL_free(pass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); @@ -2197,8 +2194,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) } } BIO_printf(bio, "---\n"); - if (peer != NULL) - X509_free(peer); + X509_free(peer); /* flush, or debugging output gets mixed with http response */ (void)BIO_flush(bio); } diff --git a/apps/s_server.c b/apps/s_server.c index 701f52d..f8bec24 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
@@ -1925,24 +1925,18 @@ int s_server_main(int argc, char *argv[]) ret = 0; end: SSL_CTX_free(ctx); - if (s_cert) - X509_free(s_cert); - if (crls) - sk_X509_CRL_pop_free(crls, X509_CRL_free); - if (s_dcert) - X509_free(s_dcert); + X509_free(s_cert); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + X509_free(s_dcert); EVP_PKEY_free(s_key); EVP_PKEY_free(s_dkey); - if (s_chain) - sk_X509_pop_free(s_chain, X509_free); - if (s_dchain) - sk_X509_pop_free(s_dchain, X509_free); + sk_X509_pop_free(s_chain, X509_free); + sk_X509_pop_free(s_dchain, X509_free); if (pass) OPENSSL_free(pass); if (dpass) OPENSSL_free(dpass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); free_sessions(); #ifndef OPENSSL_NO_TLSEXT if (tlscstatp.host) @@ -1951,9 +1945,9 @@ int s_server_main(int argc, char *argv[]) OPENSSL_free(tlscstatp.port); if (tlscstatp.path) OPENSSL_free(tlscstatp.path); + if (ctx2 != NULL) SSL_CTX_free(ctx2); - if (s_cert2) - X509_free(s_cert2); + X509_free(s_cert2); EVP_PKEY_free(s_key2); BIO_free(serverinfo_in); # ifndef OPENSSL_NO_NEXTPROTONEG diff --git a/apps/smime.c b/apps/smime.c index 21e9daa..0fda865 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -650,8 +650,7 @@ int smime_main(int argc, char **argv) ERR_print_errors(bio_err); sk_X509_pop_free(encerts, X509_free); sk_X509_pop_free(other, X509_free); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + X509_VERIFY_PARAM_free(vpm); if (sksigners) sk_OPENSSL_STRING_free(sksigners); if (skkeys) diff --git a/apps/verify.c b/apps/verify.c index 1faca96..f4e18f0 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -221,10 +221,8 @@ int verify_main(int argc, char **argv) } end: - if (vpm) - X509_VERIFY_PARAM_free(vpm); - if (store != NULL) - X509_STORE_free(store); + X509_VERIFY_PARAM_free(vpm); + X509_STORE_free(store); sk_X509_pop_free(untrusted, X509_free); sk_X509_pop_free(trusted, X509_free); sk_X509_CRL_pop_free(crls, X509_CRL_free); 
@@ -283,8 +281,7 @@ static int check(X509_STORE *ctx, char *file, } sk_X509_pop_free(chain, X509_free); } - if (x != NULL) - X509_free(x); + X509_free(x); return (ret); } diff --git a/crypto/asn1/x_info.c b/crypto/asn1/x_info.c index fff54c8..4783fc4 100644 --- a/crypto/asn1/x_info.c +++ b/crypto/asn1/x_info.c @@ -103,12 +103,9 @@ void X509_INFO_free(X509_INFO *x) } #endif - if (x->x509 != NULL) - X509_free(x->x509); - if (x->crl != NULL) - X509_CRL_free(x->crl); - if (x->x_pkey != NULL) - X509_PKEY_free(x->x_pkey); + X509_free(x->x509); + X509_CRL_free(x->crl); + X509_PKEY_free(x->x_pkey); if (x->enc_data != NULL) OPENSSL_free(x->enc_data); OPENSSL_free(x); diff --git a/crypto/asn1/x_pkey.c b/crypto/asn1/x_pkey.c index 98e4a3d..fc5de8a 100644 --- a/crypto/asn1/x_pkey.c +++ b/crypto/asn1/x_pkey.c @@ -110,8 +110,7 @@ void X509_PKEY_free(X509_PKEY *x) } #endif - if (x->enc_algor != NULL) - X509_ALGOR_free(x->enc_algor); + X509_ALGOR_free(x->enc_algor); ASN1_OCTET_STRING_free(x->enc_pkey); EVP_PKEY_free(x->dec_pkey); if ((x->key_data != NULL) && (x->key_free)) diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c index 3c72997..158c240 100644 --- a/crypto/asn1/x_pubkey.c +++ b/crypto/asn1/x_pubkey.c @@ -112,15 +112,12 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) goto error; } - if (*x != NULL) - X509_PUBKEY_free(*x); - + X509_PUBKEY_free(*x); *x = pk; - return 1; + error: - if (pk != NULL) - X509_PUBKEY_free(pk); + X509_PUBKEY_free(pk); return 0; } diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 03de7af..2b61768 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -94,8 +94,7 @@ static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, if (operation == ASN1_OP_FREE_POST) { CMS_SignerInfo *si = (CMS_SignerInfo *)*pval; EVP_PKEY_free(si->pkey); - if (si->signer) - X509_free(si->signer); + X509_free(si->signer); if (si->pctx) EVP_MD_CTX_cleanup(&si->mctx); } 
@@ -248,8 +247,7 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, if (ri->type == CMS_RECIPINFO_TRANS) { CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; EVP_PKEY_free(ktri->pkey); - if (ktri->recip) - X509_free(ktri->recip); + X509_free(ktri->recip); EVP_PKEY_CTX_free(ktri->pctx); } else if (ri->type == CMS_RECIPINFO_KEK) { CMS_KEKRecipientInfo *kekri = ri->d.kekri; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index e11b1fa..ece5ce3 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -204,8 +204,7 @@ CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, EVP_CIPHER_CTX_cleanup(&ctx); if (ri) M_ASN1_free_of(ri, CMS_RecipientInfo); - if (encalg) - X509_ALGOR_free(encalg); + X509_ALGOR_free(encalg); return NULL; } diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index c0a9780..31398ac 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -489,8 +489,7 @@ void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer) EVP_PKEY_free(si->pkey); si->pkey = X509_get_pubkey(signer); } - if (si->signer) - X509_free(si->signer); + X509_free(si->signer); si->signer = signer; } diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index f491ec9..8066602 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -455,10 +455,8 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, if (out != tmpout) BIO_free_all(tmpout); - if (cms_certs) - sk_X509_pop_free(cms_certs, X509_free); - if (crls) - sk_X509_CRL_pop_free(crls, X509_CRL_free); + sk_X509_pop_free(cms_certs, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); return ret; } diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 8cd90b6..f3abe07 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c 
@@ -782,10 +782,8 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) rv = 1; err: - if (kekalg) - X509_ALGOR_free(kekalg); - if (dukm) - OPENSSL_free(dukm); + X509_ALGOR_free(kekalg); + OPENSSL_free(dukm); return rv; } @@ -945,10 +943,8 @@ static int dh_cms_encrypt(CMS_RecipientInfo *ri) rv = 1; err: - if (penc) - OPENSSL_free(penc); - if (wrap_alg) - X509_ALGOR_free(wrap_alg); + OPENSSL_free(penc); + X509_ALGOR_free(wrap_alg); return rv; } diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 5a7b0b7..6b34be3 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -796,10 +796,8 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) rv = 1; err: - if (kekalg) - X509_ALGOR_free(kekalg); - if (der) - OPENSSL_free(der); + X509_ALGOR_free(kekalg); + OPENSSL_free(der); return rv; } @@ -967,10 +965,8 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri) rv = 1; err: - if (penc) - OPENSSL_free(penc); - if (wrap_alg) - X509_ALGOR_free(wrap_alg); + OPENSSL_free(penc); + X509_ALGOR_free(wrap_alg); return rv; } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index c9e971e..c163e47 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -401,8 +401,7 @@ void EVP_PKEY_free(EVP_PKEY *x) } #endif EVP_PKEY_free_it(x); - if (x->attributes) - sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free); + sk_X509_ATTRIBUTE_pop_free(x->attributes, X509_ATTRIBUTE_free); OPENSSL_free(x); } diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 40a3b01..9bf1ff5 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -171,8 +171,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } end: - if (chain) - sk_X509_pop_free(chain, X509_free); + sk_X509_pop_free(chain, X509_free); if (bs->certs && certs) sk_X509_free(untrusted); return ret; diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index b814741..0e7338b 100644 --- a/crypto/pem/pem_info.c 
+++ b/crypto/pem/pem_info.c @@ -276,8 +276,7 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, } ok = 1; err: - if (xi != NULL) - X509_INFO_free(xi); + X509_INFO_free(xi); if (!ok) { for (i = 0; ((int)i) < sk_X509_INFO_num(ret); i++) { xi = sk_X509_INFO_value(ret, i); diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index fcfa986..cd18427 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -150,12 +150,10 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, goto err; x = NULL; } - if (x) - X509_free(x); + X509_free(x); } - if (ocerts) - sk_X509_pop_free(ocerts, X509_free); + sk_X509_pop_free(ocerts, X509_free); return 1; @@ -163,12 +161,10 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, if (pkey) EVP_PKEY_free(*pkey); - if (cert && *cert) + if (cert) X509_free(*cert); - if (x) - X509_free(x); - if (ocerts) - sk_X509_pop_free(ocerts, X509_free); + X509_free(x); + sk_X509_pop_free(ocerts, X509_free); return 0; } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 639e217..51e9c6e 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1134,8 +1134,7 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, { int i; - if (p7si->auth_attr != NULL) - sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free); + sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free); p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); if (p7si->auth_attr == NULL) return 0; @@ -1154,8 +1153,7 @@ int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, { int i; - if (p7si->unauth_attr != NULL) - sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); + sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); if (p7si->unauth_attr == NULL) return 0; diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index e659af8..33bdda2 100644 
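Review bot: On the error path of PKCS12_parse (second hunk of crypto/pkcs12/p12_kiss.c), `*pkey` and `*cert` are freed but the caller's pointers are not reset in the visible lines. A caller that cleans up its own variables after a failed parse would then free them a second time. Clearing them at the point of release avoids that: `if (pkey) { EVP_PKEY_free(*pkey); *pkey = NULL; }` and `if (cert) { X509_free(*cert); *cert = NULL; }`. The function body starts outside the hunk, so whether the outputs are initialised to NULL on entry cannot be confirmed from here.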
--- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -208,8 +208,7 @@ PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, } return si; err: - if (smcap) - sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); return NULL; } diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 4e02531..38b850a 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -381,8 +381,7 @@ static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, rv = rsa_pss_param_print(bp, pss, maskHash, indent); if (pss) RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); + X509_ALGOR_free(maskHash); if (!rv) return 0; } else if (!sig && BIO_puts(bp, "\n") <= 0) @@ -474,8 +473,7 @@ static int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) stmp = NULL; err: ASN1_STRING_free(stmp); - if (algtmp) - X509_ALGOR_free(algtmp); + X509_ALGOR_free(algtmp); if (*palg) return 1; return 0; @@ -652,8 +650,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, err: RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); + X509_ALGOR_free(maskHash); return rv; } @@ -840,8 +837,7 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri) err: RSA_OAEP_PARAMS_free(oaep); - if (maskHash) - X509_ALGOR_free(maskHash); + X509_ALGOR_free(maskHash); return rv; } diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index ec1575a..3b2ba56 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -266,8 +266,7 @@ int int_rsa_verify(int dtype, const unsigned char *m, ret = 1; } err: - if (sig != NULL) - X509_SIG_free(sig); + X509_SIG_free(sig); if (s != NULL) { OPENSSL_cleanse(s, (unsigned int)siglen); OPENSSL_free(s); diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 0cdeb06..58068cf 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c 
@@ -207,8 +207,7 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer) TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE); return 0; } - if (ctx->signer_cert) - X509_free(ctx->signer_cert); + X509_free(ctx->signer_cert); ctx->signer_cert = signer; CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509); return 1; @@ -237,10 +236,8 @@ int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) { - if (ctx->certs) { - sk_X509_pop_free(ctx->certs, X509_free); - ctx->certs = NULL; - } + sk_X509_pop_free(ctx->certs, X509_free); + ctx->certs = NULL; if (!certs) return 1; if (!(ctx->certs = X509_chain_up_ref(certs))) { diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index bc1c90c..d82a0db 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -174,8 +174,7 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) goto err; } err: - if (x != NULL) - X509_free(x); + X509_free(x); BIO_free(in); return (ret); } @@ -232,8 +231,7 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) goto err; } err: - if (x != NULL) - X509_CRL_free(x); + X509_CRL_free(x); BIO_free(in); return (ret); } diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index 292546b..df49b0b 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c @@ -147,10 +147,8 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, err: X509err(X509_F_X509AT_ADD1_ATTR, ERR_R_MALLOC_FAILURE); err2: - if (new_attr != NULL) - X509_ATTRIBUTE_free(new_attr); - if (sk != NULL) - sk_X509_ATTRIBUTE_free(sk); + X509_ATTRIBUTE_free(new_attr); + sk_X509_ATTRIBUTE_free(sk); return (NULL); } diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 08bbc39..7fbc8e3 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c 
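Review bot: In TS_RESP_CTX_set_signer_cert (crypto/ts/ts_rsp_sign.c), the old certificate is released before the new one is referenced: `X509_free(ctx->signer_cert);` runs first and `CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);` afterwards. If `signer` is the certificate the context already holds and the caller has no reference of its own, the count reaches zero before it is raised again. Taking the reference first, `CRYPTO_add(&signer->references, +1, CRYPTO_LOCK_X509);` ahead of the `X509_free` call, makes the setter safe for that case. The same free-then-reference order is visible in ssl3_get_server_certificate (ssl/s3_clnt.c), ssl_cert_set_cert_store (ssl/ssl_cert.c) and ssl_set_cert (ssl/ssl_rsa.c).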
@@ -217,6 +217,8 @@ X509_STORE *X509_STORE_new(void) static void cleanup(X509_OBJECT *a) { + if (!a) + return; if (a->type == X509_LU_X509) { X509_free(a->data.x509); } else if (a->type == X509_LU_CRL) { @@ -260,8 +262,7 @@ void X509_STORE_free(X509_STORE *vfy) sk_X509_OBJECT_pop_free(vfy->objs, cleanup); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data); - if (vfy->param) - X509_VERIFY_PARAM_free(vfy->param); + X509_VERIFY_PARAM_free(vfy->param); OPENSSL_free(vfy); } @@ -413,6 +414,8 @@ void X509_OBJECT_up_ref_count(X509_OBJECT *a) void X509_OBJECT_free_contents(X509_OBJECT *a) { + if (!a) + return; switch (a->type) { case X509_LU_X509: X509_free(a->data.x509); diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c index 3cd7280..e715904 100644 --- a/crypto/x509/x509_r2x.c +++ b/crypto/x509/x509_r2x.c @@ -104,10 +104,9 @@ X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) if (!X509_sign(ret, pkey, EVP_md5())) goto err; - if (0) { + return ret; + err: - X509_free(ret); - ret = NULL; - } - return (ret); + X509_free(ret); + return NULL; } diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index d70bfae..ad33be6 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -176,10 +176,8 @@ STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, err: X509err(X509_F_X509V3_ADD_EXT, ERR_R_MALLOC_FAILURE); err2: - if (new_ex != NULL) - X509_EXTENSION_free(new_ex); - if (sk != NULL) - sk_X509_EXTENSION_free(sk); + X509_EXTENSION_free(new_ex); + sk_X509_EXTENSION_free(sk); return (NULL); } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 85dc714..3cdf453 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -495,10 +495,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) end: X509_get_pubkey_parameters(NULL, ctx->chain); } - if (sktmp != NULL) - sk_X509_free(sktmp); - if (chain_ss != NULL) - X509_free(chain_ss); + sk_X509_free(sktmp); + X509_free(chain_ss); return ok; } 
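Review bot: X509_REQ_to_X509 (crypto/x509/x509_r2x.c) still signs the certificate it builds with MD5, in the context line `if (!X509_sign(ret, pkey, EVP_md5()))` directly above the rewritten exit path. MD5 is not collision-resistant and is unsuitable for certificate signatures; `EVP_sha256()` would be the safer choice. Because this changes the certificates callers receive, it may belong in a separate commit. The function starts outside the hunk.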
@@ -1016,8 +1014,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, } if (best_crl) { - if (*pcrl) - X509_CRL_free(*pcrl); + X509_CRL_free(*pcrl); *pcrl = best_crl; *pissuer = best_crl_issuer; *pscore = best_score; @@ -2058,8 +2055,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, memerr: X509err(X509_F_X509_CRL_DIFF, ERR_R_MALLOC_FAILURE); - if (crl) - X509_CRL_free(crl); + X509_CRL_free(crl); return NULL; } @@ -2230,6 +2226,8 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { + if (!ctx) + return; X509_STORE_CTX_cleanup(ctx); OPENSSL_free(ctx); } @@ -2376,14 +2374,10 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) X509_VERIFY_PARAM_free(ctx->param); ctx->param = NULL; } - if (ctx->tree != NULL) { - X509_policy_tree_free(ctx->tree); - ctx->tree = NULL; - } - if (ctx->chain != NULL) { - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = NULL; - } + X509_policy_tree_free(ctx->tree); + ctx->tree = NULL; + sk_X509_pop_free(ctx->chain, X509_free); + ctx->chain = NULL; CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } @@ -2436,7 +2430,6 @@ X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) { - if (ctx->param) - X509_VERIFY_PARAM_free(ctx->param); + X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; } diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 009255e..57c2606 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -168,6 +168,7 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param; X509_VERIFY_PARAM_ID *paramid; + param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM)); if (!param) return NULL; 
@@ -185,7 +186,7 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { - if (param == NULL) + if (!param) return; x509_verify_param_zero(param); OPENSSL_free(param->id); @@ -644,7 +645,6 @@ const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) void X509_VERIFY_PARAM_table_cleanup(void) { - if (param_table) - sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); + sk_X509_VERIFY_PARAM_pop_free(param_table, X509_VERIFY_PARAM_free); param_table = NULL; } diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index 6bb1e5d..5a70845 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -277,8 +277,7 @@ int X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, } return (1); err: - if (new_name != NULL) - X509_NAME_ENTRY_free(new_name); + X509_NAME_ENTRY_free(new_name); return (0); } diff --git a/crypto/x509/x_attrib.c b/crypto/x509/x_attrib.c index 9ff6dcc..9782fda 100644 --- a/crypto/x509/x_attrib.c +++ b/crypto/x509/x_attrib.c @@ -98,8 +98,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value) ASN1_TYPE_set(val, atrtype, value); return (ret); err: - if (ret != NULL) - X509_ATTRIBUTE_free(ret); + X509_ATTRIBUTE_free(ret); ASN1_TYPE_free(val); return (NULL); } diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index e6a862e..cdc4c97 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -150,8 +150,7 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) memerr: ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE); if (ret) { - if (ret->entries) - sk_X509_NAME_ENTRY_free(ret->entries); + sk_X509_NAME_ENTRY_free(ret->entries); OPENSSL_free(ret); } return 0; @@ -160,6 +159,7 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) static void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { X509_NAME *a; + if (!pval || !*pval) return; a = (X509_NAME *)*pval; 
@@ -232,8 +232,7 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, *in = p; return ret; err: - if (nm.x != NULL) - X509_NAME_free(nm.x); + X509_NAME_free(nm.x); ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR); return 0; } @@ -394,11 +393,9 @@ static int x509_name_canon(X509_NAME *a) err: - if (tmpentry) - X509_NAME_ENTRY_free(tmpentry); - if (intname) - sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, - local_sk_X509_NAME_ENTRY_pop_free); + X509_NAME_ENTRY_free(tmpentry); + sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, + local_sk_X509_NAME_ENTRY_pop_free); return ret; } diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509v3/pcy_cache.c index eff4291..125b311 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509v3/pcy_cache.c @@ -221,8 +221,7 @@ void policy_cache_free(X509_POLICY_CACHE *cache) return; if (cache->anyPolicy) policy_data_free(cache->anyPolicy); - if (cache->data) - sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); + sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); OPENSSL_free(cache); } diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index cc52fa2..1f85c37 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -655,17 +655,13 @@ void X509_policy_tree_free(X509_POLICY_TREE *tree) sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) { - if (curr->cert) - X509_free(curr->cert); - if (curr->nodes) - sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free); + X509_free(curr->cert); + sk_X509_POLICY_NODE_pop_free(curr->nodes, policy_node_free); if (curr->anyPolicy) policy_node_free(curr->anyPolicy); } - if (tree->extra_data) - sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free); - + sk_X509_POLICY_DATA_pop_free(tree->extra_data, policy_data_free); OPENSSL_free(tree->levels); OPENSSL_free(tree); diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c index e38632f..48a6a9d 100644 
--- a/crypto/x509v3/v3_crld.c +++ b/crypto/x509v3/v3_crld.c @@ -175,8 +175,7 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, err: if (fnm) sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free); - if (rnm) - sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free); + sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free); return -1; } @@ -354,8 +353,7 @@ static int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_FREE_POST: - if (dpn->dpname) - X509_NAME_free(dpn->dpname); + X509_NAME_free(dpn->dpname); break; } return 1; diff --git a/demos/cms/cms_ddec.c b/demos/cms/cms_ddec.c index 1e06cea..36bb4ee 100644 --- a/demos/cms/cms_ddec.c +++ b/demos/cms/cms_ddec.c @@ -70,8 +70,7 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (rcert) - X509_free(rcert); + X509_free(rcert); EVP_PKEY_free(rkey); BIO_free(in); diff --git a/demos/cms/cms_dec.c b/demos/cms/cms_dec.c index 71a0e4f..832b54d 100644 --- a/demos/cms/cms_dec.c +++ b/demos/cms/cms_dec.c @@ -61,8 +61,7 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (rcert) - X509_free(rcert); + X509_free(rcert); EVP_PKEY_free(rkey); BIO_free(in); diff --git a/demos/cms/cms_denc.c b/demos/cms/cms_denc.c index 8526717..f91fec1 100644 --- a/demos/cms/cms_denc.c +++ b/demos/cms/cms_denc.c @@ -79,10 +79,8 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (rcert) - X509_free(rcert); - if (recips) - sk_X509_pop_free(recips, X509_free); + X509_free(rcert); + sk_X509_pop_free(recips, X509_free); BIO_free(in); BIO_free(out); diff --git a/demos/cms/cms_enc.c b/demos/cms/cms_enc.c index 4395e6b..ba62f79 100644 --- a/demos/cms/cms_enc.c +++ b/demos/cms/cms_enc.c 
@@ -75,10 +75,8 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (rcert) - X509_free(rcert); - if (recips) - sk_X509_pop_free(recips, X509_free); + X509_free(rcert); + sk_X509_pop_free(recips, X509_free); BIO_free(in); BIO_free(out); diff --git a/demos/cms/cms_sign.c b/demos/cms/cms_sign.c index 3ad5ce8..e9871df 100644 --- a/demos/cms/cms_sign.c +++ b/demos/cms/cms_sign.c @@ -71,8 +71,7 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (scert) - X509_free(scert); + X509_free(scert); EVP_PKEY_free(skey); BIO_free(in); diff --git a/demos/cms/cms_sign2.c b/demos/cms/cms_sign2.c index 3276de1..127f586 100644 --- a/demos/cms/cms_sign2.c +++ b/demos/cms/cms_sign2.c @@ -80,14 +80,10 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (scert) - X509_free(scert); + X509_free(scert); EVP_PKEY_free(skey); - - if (scert2) - X509_free(scert2); + X509_free(scert2); EVP_PKEY_free(skey2); - BIO_free(in); BIO_free(out); BIO_free(tbio); diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c index 4227531..0f34bbf 100644 --- a/demos/cms/cms_ver.c +++ b/demos/cms/cms_ver.c @@ -70,8 +70,7 @@ int main(int argc, char **argv) if (cms) CMS_ContentInfo_free(cms); - if (cacert) - X509_free(cacert); + X509_free(cacert); BIO_free(in); BIO_free(out); diff --git a/demos/easy_tls/easy-tls.c b/demos/easy_tls/easy-tls.c index 1a0a03a..9346720 100644 --- a/demos/easy_tls/easy-tls.c +++ b/demos/easy_tls/easy-tls.c @@ -943,8 +943,7 @@ static void write_info(SSL *ssl, int *info_fd) peercert = SSL_get_peer_certificate(ssl); tls_get_x509_subject_name_oneline(peercert, &peer); - if (peercert != NULL) - X509_free(peercert); + X509_free(peercert); } if (peer.str[0] == '\0') v_ok = '0'; /* no cert at all */ diff --git a/demos/smime/smdec.c b/demos/smime/smdec.c index 9752dea..f1a987a 100644 --- a/demos/smime/smdec.c +++ b/demos/smime/smdec.c 
@@ -58,8 +58,7 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } PKCS7_free(p7); - if (rcert) - X509_free(rcert); + X509_free(rcert); EVP_PKEY_free(rkey); BIO_free(in); BIO_free(out); diff --git a/demos/smime/smenc.c b/demos/smime/smenc.c index 2e594ee..79fe2d0 100644 --- a/demos/smime/smenc.c +++ b/demos/smime/smenc.c @@ -72,10 +72,8 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } PKCS7_free(p7); - if (rcert) - X509_free(rcert); - if (recips) - sk_X509_pop_free(recips, X509_free); + X509_free(rcert); + sk_X509_pop_free(recips, X509_free); BIO_free(in); BIO_free(out); BIO_free(tbio); diff --git a/demos/smime/smsign.c b/demos/smime/smsign.c index 91ab8e4..8505e71 100644 --- a/demos/smime/smsign.c +++ b/demos/smime/smsign.c @@ -68,8 +68,7 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } PKCS7_free(p7); - if (scert) - X509_free(scert); + X509_free(scert); EVP_PKEY_free(skey); BIO_free(in); BIO_free(out); diff --git a/demos/smime/smsign2.c b/demos/smime/smsign2.c index 0ad709d..415ecf3 100644 --- a/demos/smime/smsign2.c +++ b/demos/smime/smsign2.c @@ -76,11 +76,9 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } PKCS7_free(p7); - if (scert) - X509_free(scert); + X509_free(scert); EVP_PKEY_free(skey); - if (scert2) - X509_free(scert2); + X509_free(scert2); EVP_PKEY_free(skey2); BIO_free(in); BIO_free(out); diff --git a/demos/smime/smver.c b/demos/smime/smver.c index c4b6e75..13ba18b 100644 --- a/demos/smime/smver.c +++ b/demos/smime/smver.c @@ -66,8 +66,7 @@ int main(int argc, char **argv) ERR_print_errors_fp(stderr); } PKCS7_free(p7); - if (cacert) - X509_free(cacert); + X509_free(cacert); BIO_free(in); BIO_free(out); BIO_free(tbio); diff --git a/demos/spkigen.c b/demos/spkigen.c index c272a8c..7df8f34 100644 --- a/demos/spkigen.c +++ b/demos/spkigen.c @@ -166,7 +166,6 @@ EVP_PKEY *pkey; pk = NULL; ok = 1; err: - if (pk != NULL) - X509_PUBKEY_free(pk); + X509_PUBKEY_free(pk); return (ok); } 
diff --git a/doc/crypto/X509_STORE_CTX_new.pod b/doc/crypto/X509_STORE_CTX_new.pod index b17888f..bad12e4 100644 --- a/doc/crypto/X509_STORE_CTX_new.pod +++ b/doc/crypto/X509_STORE_CTX_new.pod @@ -37,6 +37,7 @@ The context can then be reused with an new call to X509_STORE_CTX_init(). X509_STORE_CTX_free() completely frees up B. After this call B is no longer valid. +If B is NULL nothing is done. X509_STORE_CTX_init() sets up B for a subsequent verification operation. The trusted certificate store is set to B, the end entity certificate diff --git a/doc/crypto/X509_new.pod b/doc/crypto/X509_new.pod index d388723..d6f3d30 100644 --- a/doc/crypto/X509_new.pod +++ b/doc/crypto/X509_new.pod @@ -19,6 +19,7 @@ X509 structure, which represents an X509 certificate. X509_new() allocates and initializes a X509 structure. X509_free() frees up the B structure B. +If B is NULL nothing is done. =head1 RETURN VALUES diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 3eb67ef..bbff778 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1314,21 +1314,18 @@ int ssl3_get_server_certificate(SSL *s) * Why would the following ever happen? We just created sc a couple * of lines ago. */ - if (sc->peer_pkeys[i].x509 != NULL) - X509_free(sc->peer_pkeys[i].x509); + X509_free(sc->peer_pkeys[i].x509); sc->peer_pkeys[i].x509 = x; sc->peer_key = &(sc->peer_pkeys[i]); - if (s->session->peer != NULL) - X509_free(s->session->peer); + X509_free(s->session->peer); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); s->session->peer = x; } else { sc->peer_cert_type = i; sc->peer_key = NULL; - if (s->session->peer != NULL) - X509_free(s->session->peer); + X509_free(s->session->peer); s->session->peer = NULL; } s->session->verify_result = s->verify_result; 
@@ -2149,15 +2146,13 @@ int ssl3_get_certificate_request(SSL *s) /* we should setup a certificate to return.... */ s->s3->tmp.cert_req = 1; s->s3->tmp.ctype_num = ctype_num; - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); s->s3->tmp.ca_names = ca_sk; ca_sk = NULL; ret = 1; err: - if (ca_sk != NULL) - sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); + sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); } @@ -3339,8 +3334,7 @@ int ssl3_send_client_certificate(SSL *s) SSL_R_BAD_DATA_RETURNED_BY_CALLBACK); } - if (x509 != NULL) - X509_free(x509); + X509_free(x509); if (pkey != NULL) EVP_PKEY_free(pkey); if (i && !ssl3_check_client_certificate(s)) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 7bb3a92..ef2ddb4 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3126,8 +3126,7 @@ void ssl3_free(SSL *s) EC_KEY_free(s->s3->tmp.ecdh); #endif - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); BIO_free(s->s3->handshake_buffer); if (s->s3->handshake_dgst) ssl3_free_digest_list(s); @@ -3149,8 +3148,7 @@ void ssl3_clear(SSL *s) int init_extra; ssl3_cleanup_key_block(s); - if (s->s3->tmp.ca_names != NULL) - sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); + sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); #ifndef OPENSSL_NO_DH DH_free(s->s3->tmp.dh); @@ -3925,10 +3923,8 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) break; case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: - if (ctx->extra_certs) { - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - } + sk_X509_pop_free(ctx->extra_certs, X509_free); + ctx->extra_certs = NULL; break; case SSL_CTRL_CHAIN: diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 6c1ba3a..77420a1 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c 
@@ -3271,8 +3271,7 @@ int ssl3_get_client_certificate(SSL *s) EVP_PKEY_free(pkey); } - if (s->session->peer != NULL) /* This should not be needed */ - X509_free(s->session->peer); + X509_free(s->session->peer); s->session->peer = sk_X509_shift(sk); s->session->verify_result = s->verify_result; @@ -3287,8 +3286,7 @@ int ssl3_get_client_certificate(SSL *s) goto err; } } - if (s->session->sess_cert->cert_chain != NULL) - sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); + sk_X509_pop_free(s->session->sess_cert->cert_chain, X509_free); s->session->sess_cert->cert_chain = sk; /* * Inconsistency alert: cert_chain does *not* include the peer's own @@ -3303,10 +3301,8 @@ int ssl3_get_client_certificate(SSL *s) ssl3_send_alert(s, SSL3_AL_FATAL, al); } err: - if (x != NULL) - X509_free(x); - if (sk != NULL) - sk_X509_pop_free(sk, X509_free); + X509_free(x); + sk_X509_pop_free(sk, X509_free); return (ret); } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 4daa296..0ae9646 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -398,16 +398,12 @@ void ssl_cert_clear_certs(CERT *c) return; for (i = 0; i < SSL_PKEY_NUM; i++) { CERT_PKEY *cpk = c->pkeys + i; - if (cpk->x509) { - X509_free(cpk->x509); - cpk->x509 = NULL; - } + X509_free(cpk->x509); + cpk->x509 = NULL; EVP_PKEY_free(cpk->privatekey); cpk->privatekey = NULL; - if (cpk->chain) { - sk_X509_pop_free(cpk->chain, X509_free); - cpk->chain = NULL; - } + sk_X509_pop_free(cpk->chain, X509_free); + cpk->chain = NULL; #ifndef OPENSSL_NO_TLSEXT if (cpk->serverinfo) { OPENSSL_free(cpk->serverinfo); @@ -461,10 +457,8 @@ void ssl_cert_free(CERT *c) OPENSSL_free(c->shared_sigalgs); if (c->ctypes) OPENSSL_free(c->ctypes); - if (c->verify_store) - X509_STORE_free(c->verify_store); - if (c->chain_store) - X509_STORE_free(c->chain_store); + X509_STORE_free(c->verify_store); + X509_STORE_free(c->chain_store); if (c->ciphers_raw) OPENSSL_free(c->ciphers_raw); #ifndef OPENSSL_NO_TLSEXT 
@@ -485,8 +479,7 @@ int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain) CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key; if (!cpk) return 0; - if (cpk->chain) - sk_X509_pop_free(cpk->chain, X509_free); + sk_X509_pop_free(cpk->chain, X509_free); for (i = 0; i < sk_X509_num(chain); i++) { r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0); if (r != 1) { @@ -629,11 +622,9 @@ void ssl_sess_cert_free(SESS_CERT *sc) #endif /* i == 0 */ - if (sc->cert_chain != NULL) - sk_X509_pop_free(sc->cert_chain, X509_free); + sk_X509_pop_free(sc->cert_chain, X509_free); for (i = 0; i < SSL_PKEY_NUM; i++) { - if (sc->peer_pkeys[i].x509 != NULL) - X509_free(sc->peer_pkeys[i].x509); + X509_free(sc->peer_pkeys[i].x509); #if 0 /* * We don't have the peer's private key. These lines are just @@ -726,9 +717,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list, STACK_OF(X509_NAME) *name_list) { - if (*ca_list != NULL) - sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); - + sk_X509_NAME_pop_free(*ca_list, X509_NAME_free); *ca_list = name_list; } @@ -867,15 +856,12 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) if (0) { err: - if (ret != NULL) - sk_X509_NAME_pop_free(ret, X509_NAME_free); + sk_X509_NAME_pop_free(ret, X509_NAME_free); ret = NULL; } - if (sk != NULL) - sk_X509_NAME_free(sk); + sk_X509_NAME_free(sk); BIO_free(in); - if (x != NULL) - X509_free(x); + X509_free(x); if (ret != NULL) ERR_clear_error(); return (ret); @@ -1205,8 +1191,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) goto err; } } - if (cpk->chain) - sk_X509_pop_free(cpk->chain, X509_free); + sk_X509_pop_free(cpk->chain, X509_free); cpk->chain = chain; if (rv == 0) rv = 1; 
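Review bot: In ssl_cert_set0_chain (ssl/ssl_cert.c), `sk_X509_pop_free(cpk->chain, X509_free);` runs before the loop that checks each certificate of the new chain with `ssl_security_cert()`. If a check fails and the function returns without installing the new chain, `cpk->chain` would still point at the freed stack. The failure branch continues outside the hunk, so this is inferred from the visible order. Moving the `sk_X509_pop_free` call below the loop, next to the assignment of the new chain, leaves the existing chain intact when validation fails.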
@@ -1224,8 +1209,7 @@ int ssl_cert_set_cert_store(CERT *c, X509_STORE *store, int chain, int ref) pstore = &c->chain_store; else pstore = &c->verify_store; - if (*pstore) - X509_STORE_free(*pstore); + X509_STORE_free(*pstore); *pstore = store; if (ref && store) CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 73eafdb..7319cd8 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -532,9 +532,7 @@ void SSL_free(SSL *s) } #endif - if (s->param) - X509_VERIFY_PARAM_free(s->param); - + X509_VERIFY_PARAM_free(s->param); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { @@ -581,8 +579,7 @@ void SSL_free(SSL *s) if (s->tlsext_ellipticcurvelist) OPENSSL_free(s->tlsext_ellipticcurvelist); # endif /* OPENSSL_NO_EC */ - if (s->tlsext_ocsp_exts) - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); if (s->tlsext_ocsp_ids) sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); if (s->tlsext_ocsp_resp) @@ -591,8 +588,7 @@ void SSL_free(SSL *s) OPENSSL_free(s->alpn_client_proto_list); #endif - if (s->client_CA != NULL) - sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); if (s->method != NULL) s->method->ssl_free(s); @@ -2032,8 +2028,7 @@ void SSL_CTX_free(SSL_CTX *a) } #endif - if (a->param) - X509_VERIFY_PARAM_free(a->param); + X509_VERIFY_PARAM_free(a->param); /* * Free internal session cache. However: the remove_cb() may reference 
@@ -2052,17 +2047,14 @@ void SSL_CTX_free(SSL_CTX *a) if (a->sessions != NULL) lh_SSL_SESSION_free(a->sessions); - if (a->cert_store != NULL) - X509_STORE_free(a->cert_store); + X509_STORE_free(a->cert_store); if (a->cipher_list != NULL) sk_SSL_CIPHER_free(a->cipher_list); if (a->cipher_list_by_id != NULL) sk_SSL_CIPHER_free(a->cipher_list_by_id); ssl_cert_free(a->cert); - if (a->client_CA != NULL) - sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); - if (a->extra_certs != NULL) - sk_X509_pop_free(a->extra_certs, X509_free); + sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); + sk_X509_pop_free(a->extra_certs, X509_free); a->comp_methods = NULL; #ifndef OPENSSL_NO_SRTP @@ -3186,8 +3178,7 @@ X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) { - if (ctx->cert_store != NULL) - X509_STORE_free(ctx->cert_store); + X509_STORE_free(ctx->cert_store); ctx->cert_store = store; } diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index b5d457a..e4798e9 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -119,8 +119,7 @@ int SSL_use_certificate_file(SSL *ssl, const char *file, int type) ret = SSL_use_certificate(ssl, x); end: - if (x != NULL) - X509_free(x); + X509_free(x); BIO_free(in); return (ret); } @@ -418,8 +417,7 @@ static int ssl_set_cert(CERT *c, X509 *x) EVP_PKEY_free(pkey); - if (c->pkeys[i].x509 != NULL) - X509_free(c->pkeys[i].x509); + X509_free(c->pkeys[i].x509); CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); c->pkeys[i].x509 = x; c->key = &(c->pkeys[i]); @@ -465,8 +463,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) ret = SSL_CTX_use_certificate(ctx, x); end: - if (x != NULL) - X509_free(x); + X509_free(x); BIO_free(in); return (ret); } diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 51f30fb..eed38ca 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c 
@@ -732,8 +732,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); ssl_sess_cert_free(ss->sess_cert); - if (ss->peer != NULL) - X509_free(ss->peer); + X509_free(ss->peer); if (ss->ciphers != NULL) sk_SSL_CIPHER_free(ss->ciphers); #ifndef OPENSSL_NO_TLSEXT diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 985c357..b77074a 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2219,11 +2219,8 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, } sdata = data; if (dsize > 0) { - if (s->tlsext_ocsp_exts) { - sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, - X509_EXTENSION_free); - } - + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, + X509_EXTENSION_free); s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &sdata, dsize); if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) { From rsalz at openssl.org Thu Apr 30 21:48:56 2015 
From: rsalz at openssl.org (Rich Salz) Date: Thu, 30 Apr 2015 21:48:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430430536.424282.19612.nullmailer@dev.openssl.org> The branch master has been updated via 68dc682499ea3fe27d909c946d7abd39062d6efd (commit) from 222561fe8ef510f336417a666f69f81ddc9b8fe4 (commit) - Log ----------------------------------------------------------------- commit 68dc682499ea3fe27d909c946d7abd39062d6efd Author: Rich Salz Date: Thu Apr 30 17:48:31 2015 -0400 In apps, malloc or die No point in proceeding if you're out of memory. So change *all* OPENSSL_malloc calls in apps to use the new routine which prints a message and exits. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 36 +++++++++++++++-------------- apps/apps.h | 1 + apps/ca.c | 64 +++++++++++----------------------------------------- apps/cms.c | 6 +---- apps/dgst.c | 11 ++------- apps/dhparam.c | 6 +---- apps/dsaparam.c | 13 +++-------- apps/ecparam.c | 20 ++++------------ apps/enc.c | 9 ++------ apps/engine.c | 10 +++----- apps/openssl.c | 4 +--- apps/passwd.c | 17 ++++---------- apps/pkeyutl.c | 11 ++++----- apps/rsa.c | 17 +++++--------- apps/rsautl.c | 8 ++----- apps/s_cb.c | 26 ++++----------------- apps/s_client.c | 43 +++++++++++++++-------------------- apps/s_server.c | 62 ++++++++++++++++++-------------------------------- apps/s_socket.c | 6 +---- apps/speed.c | 22 ++++-------------- apps/srp.c | 21 +++-------------- apps/ts.c | 8 ++----- apps/vms_decc_init.c | 2 +- apps/x509.c | 13 ++--------- 24 files changed, 126 insertions(+), 310 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 9475fe3..f74b968 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -180,7 +180,7 @@ int chopup_args(ARGS *arg, char *buf) arg->argc = 0; if (arg->size == 0) { arg->size = 20; - arg->argv = OPENSSL_malloc(sizeof(char *) * arg->size); + arg->argv = app_malloc(sizeof(char *) * arg->size, "argv space"); if (arg->argv == NULL) return 0; } @@ -367,13 +367,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) ok = UI_add_input_string(ui, prompt, ui_flags, buf, PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { - buff = OPENSSL_malloc(bufsiz); - if (!buff) { - BIO_printf(bio_err, "Out of memory\n"); - UI_free(ui); - OPENSSL_free(prompt); - return 0; - } + buff = app_malloc(bufsiz, "password buffer"); ok = UI_add_verify_string(ui, prompt, ui_flags, buff, PW_MIN_LENGTH, bufsiz - 1, buf); } @@ -989,6 +983,21 @@ static int load_certs_crls(const char *file, int format, return rv; } +void* app_malloc(int sz, const char *what) +{ + void *vp = OPENSSL_malloc(sz); + + if (vp == NULL) { + BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n", + opt_getprog(), sz, what); + ERR_print_errors(bio_err); + exit(1); + } + return vp; +} + + + STACK_OF(X509) *load_certs(const char *file, int format, const char *pass, ENGINE *e, const char *desc) { @@ -1585,11 +1594,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) } } - if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) { - fprintf(stderr, "Out of memory\n"); - goto err; - } - + retdb = app_malloc(sizeof *retdb, "new DB"); retdb->db = tmpdb; tmpdb = NULL; if (db_attr) @@ -2230,10 +2235,7 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in) if (len >= 65535) return NULL; - out = OPENSSL_malloc(strlen(in) + 1); - if (!out) - return NULL; - + out = app_malloc(strlen(in) + 1, "NPN buffer"); for (i = 0; i <= len; ++i) { if (i == len || in[i] == ',') { if (i - start > 255) { diff --git a/apps/apps.h b/apps/apps.h index 5b24233..e55dcd6 100644 --- a/apps/apps.h +++ b/apps/apps.h 
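Review bot: The `if (arg->argv == NULL) return 0;` left after `arg->argv = app_malloc(sizeof(char *) * arg->size, "argv space");` in chopup_args can no longer fire, because app_malloc as added in this commit exits instead of returning NULL. The same leftover shows in do_body in apps/ca.c, where `row[DB_type] == NULL` and `row[DB_exp_date] == NULL` are still tested after app_malloc calls. The rest of that condition is cut off by the hunk and may still be needed for `row[DB_name]`. Removing the dead tests would make it clear which failures callers still have to handle.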
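Review bot: `app_malloc(int sz, const char *what)` takes the size as an `int`, but callers in this commit pass `size_t` expressions, for example `sizeof(char *) * arg->size` in chopup_args and `strlen(serial) + 2` in get_certificate_status. A value above INT_MAX is converted in an implementation-defined way, so the helper could allocate less than the caller goes on to write, or report a negative byte count in its message. Declaring it `void *app_malloc(size_t sz, const char *what)` with the format specifier adjusted, or rejecting out-of-range sizes before the `OPENSSL_malloc(sz)` call, would remove that gap. Which size type OPENSSL_malloc itself accepts is not visible here. The `void*` spelling in the definition and in apps/apps.h also differs from the `void *vp` style used two lines below.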
@@ -469,6 +469,7 @@ typedef struct ca_db_st { TXT_DB *db; } CA_DB; +void* app_malloc(int sz, const char *what); BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai); int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai); diff --git a/apps/ca.c b/apps/ca.c index a3e0bda..bc7c3fd 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -491,21 +491,11 @@ end_of_options: const char *s = X509_get_default_cert_area(); size_t len; + len = strlen(s) + 1 + sizeof(CONFIG_FILE); + tofree = app_malloc(len, "config filename"); #ifdef OPENSSL_SYS_VMS - len = strlen(s) + sizeof(CONFIG_FILE); - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } strcpy(tofree, s); #else - len = strlen(s) + sizeof(CONFIG_FILE) + 1; - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } BUF_strlcpy(tofree, s, len); BUF_strlcat(tofree, "/", len); #endif @@ -1975,17 +1965,17 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; /* We now just add it to the database */ - row[DB_type] = OPENSSL_malloc(2); + row[DB_type] = app_malloc(2, "row db type"); tm = X509_get_notAfter(ret); - row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; row[DB_rev_date] = NULL; /* row[DB_serial] done already */ - row[DB_file] = OPENSSL_malloc(8); + row[DB_file] = app_malloc(8, "row file"); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || 
@@ -1997,11 +1987,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, row[DB_type][0] = 'V'; row[DB_type][1] = '\0'; - if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - + irow = app_malloc(sizeof(char *) * (DB_NUMBER + 1), "row space"); for (i = 0; i < DB_NUMBER; i++) { irow[i] = row[i]; row[i] = NULL; @@ -2223,34 +2209,25 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) row[DB_serial], row[DB_name]); /* We now just add it to the database */ - row[DB_type] = OPENSSL_malloc(2); + row[DB_type] = app_malloc(2, "row type"); tm = X509_get_notAfter(x509); - row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); + row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; row[DB_rev_date] = NULL; /* row[DB_serial] done already */ - row[DB_file] = OPENSSL_malloc(8); + row[DB_file] = app_malloc(8, "row filename"); /* row[DB_name] done already */ - if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || - (row[DB_file] == NULL)) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } BUF_strlcpy(row[DB_file], "unknown", 8); row[DB_type][0] = 'V'; row[DB_type][1] = '\0'; - if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - + irow = app_malloc(sizeof(char *) * (DB_NUMBER + 1), "row ptr"); for (i = 0; i < DB_NUMBER; i++) { irow[i] = row[i]; row[i] = NULL; @@ -2312,11 +2289,7 @@ static int get_certificate_status(const char *serial, CA_DB *db) row[i] = NULL; /* Malloc needed char spaces */ - row[DB_serial] = OPENSSL_malloc(strlen(serial) + 2); - if (row[DB_serial] == NULL) { - BIO_printf(bio_err, "Malloc failure\n"); - goto end; - } + row[DB_serial] = app_malloc(strlen(serial) + 2, "row serial#"); if (strlen(serial) % 2) { /* 
@@ -2385,11 +2358,7 @@ static int do_updatedb(CA_DB *db) /* get actual time and make a string */ a_tm = X509_gmtime_adj(a_tm, 0); - a_tm_s = OPENSSL_malloc(a_tm->length + 1); - if (a_tm_s == NULL) { - cnt = -1; - goto end; - } + a_tm_s = (char *)OPENSSL_malloc(a_tm->length + 1); memcpy(a_tm_s, a_tm->data, a_tm->length); a_tm_s[a_tm->length] = '\0'; @@ -2429,11 +2398,8 @@ static int do_updatedb(CA_DB *db) } } - end: - ASN1_UTCTIME_free(a_tm); OPENSSL_free(a_tm_s); - return (cnt); } @@ -2533,11 +2499,7 @@ char *make_revocation_str(int rev_type, char *rev_arg) if (other) i += strlen(other) + 1; - str = OPENSSL_malloc(i); - - if (!str) - return NULL; - + str = app_malloc(i, "revocation reason"); BUF_strlcpy(str, (char *)revtm->data, i); if (reason) { BUF_strlcat(str, ",", i); diff --git a/apps/cms.c b/apps/cms.c index 16dbc0c..907b108 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -570,11 +570,7 @@ int cms_main(int argc, char **argv) } if (key_param == NULL || key_param->idx != keyidx) { cms_key_param *nparam; - nparam = OPENSSL_malloc(sizeof(cms_key_param)); - if (!nparam) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } + nparam = app_malloc(sizeof *nparam, "key param buffer"); nparam->idx = keyidx; if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) goto end; diff --git a/apps/dgst.c b/apps/dgst.c index 106e939..3ff4750 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -139,10 +139,7 @@ int dgst_main(int argc, char **argv) int engine_impl = 0; prog = opt_progname(argv[0]); - if ((buf = OPENSSL_malloc(BUFSIZE)) == NULL) { - BIO_printf(bio_err, "%s: out of memory\n", prog); - goto end; - } + buf = app_malloc(BUFSIZE, "I/O buffer"); md = EVP_get_digestbyname(prog); prog = opt_init(argc, argv, dgst_options); 
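Review bot: In do_updatedb the NULL check was removed but the allocation is still `OPENSSL_malloc`, not `app_malloc`, so on allocation failure the following `memcpy(a_tm_s, a_tm->data, a_tm->length);` writes through a NULL pointer. Use `a_tm_s = app_malloc(a_tm->length + 1, "time string");` like the other call sites in this commit, or keep the removed check together with the `end:` label that the next hunk deletes. The added `(char *)` cast is not needed in C.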
@@ -394,11 +391,7 @@ int dgst_main(int argc, char **argv) goto end; } siglen = EVP_PKEY_size(sigkey); - sigbuf = OPENSSL_malloc(siglen); - if (!sigbuf) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } + sigbuf = app_malloc(siglen, "signature buffer"); siglen = BIO_read(sigbio, sigbuf, siglen); BIO_free(sigbio); if (siglen <= 0) { diff --git a/apps/dhparam.c b/apps/dhparam.c index e7fa7ae..c66c591 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -379,11 +379,7 @@ int dhparam_main(int argc, char **argv) len = BN_num_bytes(dh->p); bits = BN_num_bits(dh->p); - data = OPENSSL_malloc(len); - if (data == NULL) { - perror("OPENSSL_malloc"); - goto end; - } + data = app_malloc(len, "print a BN"); BIO_printf(out, "#ifndef HEADER_DH_H\n" "# include \n" "#endif\n" diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 5aa6e2c..afc8a82 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -268,16 +268,9 @@ int dsaparam_main(int argc, char **argv) } if (C) { - unsigned char *data; - int len, bits_p; - - len = BN_num_bytes(dsa->p); - bits_p = BN_num_bits(dsa->p); - data = OPENSSL_malloc(len + 20); - if (data == NULL) { - perror("OPENSSL_malloc"); - goto end; - } + int len = BN_num_bytes(dsa->p); + int bits_p = BN_num_bits(dsa->p); + unsigned char *data = app_malloc(len + 20, "BN space"); BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); print_bignum_var(bio_out, dsa->p, "dsap", len, data); diff --git a/apps/ecparam.c b/apps/ecparam.c index f316793..5b39e83 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c 
@@ -229,16 +229,10 @@ int ecparam_main(int argc, char **argv) if (list_curves) { EC_builtin_curve *curves = NULL; - size_t crv_len = 0; - size_t n = 0; - - crv_len = EC_get_builtin_curves(NULL, 0); - - curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len)); - - if (curves == NULL) - goto end; + size_t crv_len = EC_get_builtin_curves(NULL, 0); + size_t n; + curves = app_malloc((int)(sizeof *curves * crv_len), "list curves"); if (!EC_get_builtin_curves(curves, crv_len)) { OPENSSL_free(curves); goto end; @@ -346,7 +340,7 @@ int ecparam_main(int argc, char **argv) || (ec_gen = BN_new()) == NULL || (ec_order = BN_new()) == NULL || (ec_cofactor = BN_new()) == NULL) { - perror("OPENSSL_malloc"); + perror("Can't allocate BN"); goto end; } @@ -388,11 +382,7 @@ int ecparam_main(int argc, char **argv) if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len) buf_len = tmp_len; - buffer = OPENSSL_malloc(buf_len); - if (buffer == NULL) { - perror("OPENSSL_malloc"); - goto end; - } + buffer = app_malloc(buf_len, "BN buffer"); BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len); print_bignum_var(out, ec_p, "ec_p", len, buffer); diff --git a/apps/enc.c b/apps/enc.c index c6b8d2b..83067b8 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -313,13 +313,8 @@ int enc_main(int argc, char **argv) if (verbose) BIO_printf(bio_err, "bufsize=%d\n", bsize); - strbuf = OPENSSL_malloc(SIZE); - buff = OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize)); - if ((buff == NULL) || (strbuf == NULL)) { - BIO_printf(bio_err, "OPENSSL_malloc failure %ld\n", - (long)EVP_ENCODE_LENGTH(bsize)); - goto end; - } + strbuf = app_malloc(SIZE, "strbuf"); + buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer"); if (debug) { BIO_set_callback(in, BIO_debug_callback); diff --git a/apps/engine.c b/apps/engine.c index 7dcc1b0..448802b 100644 --- a/apps/engine.c +++ b/apps/engine.c 
@@ -98,9 +98,7 @@ static int append_buf(char **buf, const char *s, int *size, int step) if (*buf == NULL) { *size = step; - *buf = OPENSSL_malloc(*size); - if (*buf == NULL) - return 0; + *buf = app_malloc(*size, "engine buffer"); **buf = '\0'; } @@ -211,8 +209,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent) if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num, NULL, NULL)) <= 0) goto err; - if ((name = OPENSSL_malloc(len + 1)) == NULL) - goto err; + name = app_malloc(len + 1, "name buffer"); if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name, NULL) <= 0) goto err; @@ -221,8 +218,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent) NULL, NULL)) < 0) goto err; if (len > 0) { - if ((desc = OPENSSL_malloc(len + 1)) == NULL) - goto err; + desc = app_malloc(len + 1, "description buffer"); if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc, NULL) <= 0) goto err; diff --git a/apps/openssl.c b/apps/openssl.c index 786f5d3..f6013f7 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -204,9 +204,7 @@ static char *make_config_name() char *p; len = strlen(t) + strlen(OPENSSL_CONF) + 2; - p = OPENSSL_malloc(len); - if (p == NULL) - return NULL; + p = app_malloc(len, "config filename buffer"); BUF_strlcpy(p, t, len); #ifndef OPENSSL_SYS_VMS BUF_strlcat(p, "/", len); diff --git a/apps/passwd.c b/apps/passwd.c index 3c6fd52..c529792 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -221,12 +221,9 @@ int passwd_main(int argc, char **argv) /* no passwords on the command line */ passwd_malloc_size = pw_maxlen + 2; - /* - * longer than necessary so that we can warn about truncation - */ - passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size); - if (passwd_malloc == NULL) - goto end; + /* longer than necessary so that we can warn about truncation */ + passwd = passwd_malloc = + app_malloc(passwd_malloc_size, "password buffer"); } if ((in == NULL) && (passwds == NULL)) { 
@@ -426,9 +423,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, # ifndef OPENSSL_NO_DES if (usecrypt) { if (*salt_malloc_p == NULL) { - *salt_p = *salt_malloc_p = OPENSSL_malloc(3); - if (*salt_malloc_p == NULL) - goto end; + *salt_p = *salt_malloc_p = app_malloc(3, "salt buffer"); } if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) goto end; @@ -447,9 +442,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, int i; if (*salt_malloc_p == NULL) { - *salt_p = *salt_malloc_p = OPENSSL_malloc(9); - if (*salt_malloc_p == NULL) - goto end; + *salt_p = *salt_malloc_p = app_malloc(9, "salt buffer"); } if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) goto end; diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index da7dc2e..3afe0eb 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -299,13 +299,10 @@ int pkeyutl_main(int argc, char **argv) rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, buf_in, (size_t)buf_inlen); if (rv > 0) { - buf_out = OPENSSL_malloc(buf_outlen); - if (!buf_out) - rv = -1; - else - rv = do_keyop(ctx, pkey_op, - buf_out, (size_t *)&buf_outlen, - buf_in, (size_t)buf_inlen); + buf_out = app_malloc(buf_outlen, "buffer output"); + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); } if (rv <= 0) { ERR_print_errors(bio_err); diff --git a/apps/rsa.c b/apps/rsa.c index c8b05e6..0a8e198 100644 --- a/apps/rsa.c +++ b/apps/rsa.c 
@@ -344,19 +344,14 @@ int rsa_main(int argc, char **argv) } # ifndef OPENSSL_NO_RC4 else if (outformat == FORMAT_NETSCAPE) { - unsigned char *p, *pp; - int size; + unsigned char *p, *save; + int size = i2d_RSA_NET(rsa, NULL, NULL, 0); - i = 1; - size = i2d_RSA_NET(rsa, NULL, NULL, 0); - if ((p = OPENSSL_malloc(size)) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - goto end; - } - pp = p; + save = p = app_malloc(size, "RSA i2d buffer"); i2d_RSA_NET(rsa, &p, NULL, 0); - BIO_write(out, (char *)pp, size); - OPENSSL_free(pp); + BIO_write(out, (char *)save, size); + OPENSSL_free(save); + i = 1; } # endif else if (outformat == FORMAT_PEM) { diff --git a/apps/rsautl.c b/apps/rsautl.c index 67cb76e..f138293 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -257,12 +257,8 @@ int rsautl_main(int argc, char **argv) keysize = RSA_size(rsa); - rsa_in = OPENSSL_malloc(keysize * 2); - rsa_out = OPENSSL_malloc(keysize); - if (!rsa_in || !rsa_out) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } + rsa_in = app_malloc(keysize * 2, "hold rsa key"); + rsa_out = app_malloc(keysize, "output rsa key"); /* Read the input data */ rsa_inlen = BIO_read(in, rsa_in, keysize * 2); diff --git a/apps/s_cb.c b/apps/s_cb.c index 1d026b6..1f2d371 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -439,11 +439,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared) ncurves = SSL_get1_curves(s, NULL); if (ncurves <= 0) return 1; - curves = OPENSSL_malloc(ncurves * sizeof(int)); - if (!curves) { - BIO_printf(out, "Out of memory\n"); - return 0; - } + curves = app_malloc(ncurves * sizeof(int), "curves to print"); SSL_get1_curves(s, curves); BIO_puts(out, "Supported Elliptic Curves: "); 
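Review bot: In the FORMAT_NETSCAPE branch of rsa_main, `size` from `i2d_RSA_NET(rsa, NULL, NULL, 0)` goes unchecked into `app_malloc(size, "RSA i2d buffer")` and `BIO_write(out, (char *)save, size)`, and the return value of the second `i2d_RSA_NET` call is ignored. If the length query returns a non-positive value, the program exits with an allocation message that hides the real error. If the encoding call fails, the uninitialised buffer is written to the output and `i = 1` still marks success. Adding `if (size <= 0) goto end;` before the allocation, and comparing the second call's return value with `size` before `BIO_write`, would cover both cases. The `end` label is outside the hunk but was the target of the removed `goto end`.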
@@ -955,12 +951,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, OPENSSL_assert(0); break; } - buffer = OPENSSL_malloc(length); - - if (buffer == NULL) { - BIO_printf(bio_err, "out of memory\n"); - return 0; - } + buffer = app_malloc(length, "cookie generate buffer"); switch (peer.sa.sa_family) { case AF_INET: @@ -1028,12 +1019,7 @@ int verify_cookie_callback(SSL *ssl, unsigned char *cookie, OPENSSL_assert(0); break; } - buffer = OPENSSL_malloc(length); - - if (buffer == NULL) { - BIO_printf(bio_err, "out of memory\n"); - return 0; - } + buffer = app_malloc(length, "cookie verify buffer"); switch (peer.sa.sa_family) { case AF_INET: @@ -1187,10 +1173,8 @@ void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc) static int ssl_excert_prepend(SSL_EXCERT **pexc) { - SSL_EXCERT *exc; - exc = OPENSSL_malloc(sizeof(SSL_EXCERT)); - if (!exc) - return 0; + SSL_EXCERT *exc = app_malloc(sizeof *exc, "prepend cert"); + exc->certfile = NULL; exc->keyfile = NULL; exc->chainfile = NULL; diff --git a/apps/s_client.c b/apps/s_client.c index fdd1f5c..344c88c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -385,14 +385,10 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg) static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) { SRP_ARG *srp_arg = (SRP_ARG *)arg; - char *pass = OPENSSL_malloc(PWD_STRLEN + 1); + char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); PW_CB_DATA cb_tmp; int l; - if (!pass) { - BIO_printf(bio_err, "Out of memory\n"); - return NULL; - } cb_tmp.password = (char *)srp_arg->srppassin; cb_tmp.prompt_info = "SRP user"; if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { 
@@ -712,13 +708,12 @@ int s_client_main(int argc, char **argv) verify_depth = 0; verify_error = X509_V_OK; vpm = X509_VERIFY_PARAM_new(); - cbuf = OPENSSL_malloc(BUFSIZZ); - sbuf = OPENSSL_malloc(BUFSIZZ); - mbuf = OPENSSL_malloc(BUFSIZZ); + cbuf = app_malloc(BUFSIZZ, "cbuf"); + sbuf = app_malloc(BUFSIZZ, "sbuf"); + mbuf = app_malloc(BUFSIZZ, "mbuf"); cctx = SSL_CONF_CTX_new(); - if (vpm == NULL || cctx == NULL - || cbuf == NULL || sbuf == NULL || mbuf == NULL) { + if (vpm == NULL || cctx == NULL) { BIO_printf(bio_err, "%s: out of memory\n", prog); goto end; } @@ -2176,22 +2171,20 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio, "Keying material exporter:\n"); BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); - exportedkeymat = OPENSSL_malloc(keymatexportlen); - if (exportedkeymat != NULL) { - if (!SSL_export_keying_material(s, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), - NULL, 0, 0)) { - BIO_printf(bio, " Error\n"); - } else { - BIO_printf(bio, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) - BIO_printf(bio, "%02X", exportedkeymat[i]); - BIO_printf(bio, "\n"); - } - OPENSSL_free(exportedkeymat); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(s, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio, " Error\n"); + } else { + BIO_printf(bio, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio, "%02X", exportedkeymat[i]); + BIO_printf(bio, "\n"); } + OPENSSL_free(exportedkeymat); } BIO_printf(bio, "---\n"); X509_free(peer); diff --git a/apps/s_server.c b/apps/s_server.c index f8bec24..21d2d37 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
@@ -447,6 +447,7 @@ static BIO_METHOD methods_ebcdic = { ebcdic_free, }; +/* This struct is "unwarranted chumminess with the compiler." */ typedef struct { size_t alloced; char buff[1]; @@ -461,9 +462,7 @@ static int ebcdic_new(BIO *bi) { EBCDIC_OUTBUFF *wbuf; - wbuf = OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); - if (!wbuf) - return 0; + wbuf = app_malloc(sizeof(EBCDIC_OUTBUFF) + 1024, "ebcdef wbuf"); wbuf->alloced = 1024; wbuf->buff[0] = '\0'; @@ -518,9 +517,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = num + num; /* double the size */ if (num < inl) num = inl; - wbuf = OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if (!wbuf) - return 0; + wbuf = app_malloc(sizeof(EBCDIC_OUTBUFF) + num, "grow ebcdic wbuf"); OPENSSL_free(b->ptr); wbuf->alloced = num; @@ -2018,10 +2015,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) struct timeval *timeoutp; #endif - if ((buf = OPENSSL_malloc(bufsize)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto err; - } + buf = app_malloc(bufsize, "server buffer"); #ifdef FIONBIO if (s_nbio) { unsigned long sl = 1; 
@@ -2542,22 +2536,20 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out, "Keying material exporter:\n"); BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen); - exportedkeymat = OPENSSL_malloc(keymatexportlen); - if (exportedkeymat != NULL) { - if (!SSL_export_keying_material(con, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), - NULL, 0, 0)) { - BIO_printf(bio_s_out, " Error\n"); - } else { - BIO_printf(bio_s_out, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) - BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); - BIO_printf(bio_s_out, "\n"); - } - OPENSSL_free(exportedkeymat); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(con, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio_s_out, " Error\n"); + } else { + BIO_printf(bio_s_out, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); + BIO_printf(bio_s_out, "\n"); } + OPENSSL_free(exportedkeymat); } return (1); @@ -2593,9 +2585,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) int total_bytes = 0; #endif - buf = OPENSSL_malloc(bufsize); - if (buf == NULL) - return (0); + buf = app_malloc(bufsize, "server www buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -2962,9 +2952,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) KSSL_CTX *kctx; #endif - buf = OPENSSL_malloc(bufsize); - if (buf == NULL) - return (0); + buf = app_malloc(bufsize, "server rev buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) 
@@ -3161,15 +3149,9 @@ static simple_ssl_session *first = NULL; static int add_session(SSL *ssl, SSL_SESSION *session) { - simple_ssl_session *sess; + simple_ssl_session *sess = app_malloc(sizeof *sess, "get session"); unsigned char *p; - sess = OPENSSL_malloc(sizeof(simple_ssl_session)); - if (!sess) { - BIO_printf(bio_err, "Out of memory adding to external cache\n"); - return 0; - } - SSL_SESSION_get_id(session, &sess->idlen); sess->derlen = i2d_SSL_SESSION(session, NULL); if (sess->derlen < 0) { @@ -3179,8 +3161,8 @@ static int add_session(SSL *ssl, SSL_SESSION *session) } sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); - sess->der = OPENSSL_malloc(sess->derlen); - if (!sess->id || !sess->der) { + sess->der = app_malloc(sess->derlen, "get session buffer"); + if (!sess->id) { BIO_printf(bio_err, "Out of memory adding to external cache\n"); OPENSSL_free(sess->id); OPENSSL_free(sess->der); diff --git a/apps/s_socket.c b/apps/s_socket.c index 050426a..caa5b61 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -562,11 +562,7 @@ static int do_accept(int acc_sock, int *sock, char **host) *host = NULL; /* return(0); */ } else { - if ((*host = OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) { - perror("OPENSSL_malloc"); - closesocket(ret); - return (0); - } + *host = app_malloc(strlen(h1->h_name) + 1, "copy hostname"); BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1); h2 = GetHostByName(*host); diff --git a/apps/speed.c b/apps/speed.c index 7dfdda8..720ab1c 100644 --- a/apps/speed.c +++ b/apps/speed.c 
@@ -791,17 +791,9 @@ int speed_main(int argc, char **argv) ecdh_doit[i] = 0; #endif - if ((buf_malloc = OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto end; - } - if ((buf2_malloc = OPENSSL_malloc((int)BUFSIZE + misalign)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto end; - } + buf = buf_malloc = app_malloc((int)BUFSIZE + misalign, "input buffer"); + buf2 = buf2_malloc = app_malloc((int)BUFSIZE + misalign, "output buffer"); misalign = 0; - buf = buf_malloc; - buf2 = buf2_malloc; prog = opt_init(argc, argv, speed_options); while ((o = opt_next()) != OPT_EOF) { @@ -2452,13 +2444,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) EVP_CIPHER_CTX ctx; double d = 0.0; - inp = OPENSSL_malloc(mblengths[num - 1]); - out = OPENSSL_malloc(mblengths[num - 1] + 1024); - if (!inp || !out) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } - + inp = app_malloc(mblengths[num - 1], "multiblock input buffer"); + out = app_malloc(mblengths[num - 1] + 1024, "multiblock output buffer"); EVP_CIPHER_CTX_init(&ctx); EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv); EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key), @@ -2541,7 +2528,6 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) fprintf(stdout, "\n"); } -end: if (inp) OPENSSL_free(inp); if (out) diff --git a/apps/srp.c b/apps/srp.c index bbbe1a9..b984c14 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -138,11 +138,7 @@ static int update_index(CA_DB *db, char **row) char **irow; int i; - if ((irow = OPENSSL_malloc(sizeof(char *) * (DB_NUMBER + 1))) == NULL) { - BIO_printf(bio_err, "Memory allocation failure\n"); - return 0; - } - + irow = app_malloc(sizeof(char *) * (DB_NUMBER + 1), "row pointers"); for (i = 0; i < DB_NUMBER; i++) { irow[i] = row[i]; row[i] = NULL; 
@@ -363,23 +359,12 @@ int srp_main(int argc, char **argv) configfile = getenv("SSLEAY_CONF"); if (configfile == NULL) { const char *s = X509_get_default_cert_area(); - size_t len; + size_t len = strlen(s) + 1 + sizeof(CONFIG_FILE); + tofree = app_malloc(len, "config filename space"); # ifdef OPENSSL_SYS_VMS - len = strlen(s) + sizeof(CONFIG_FILE); - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } strcpy(tofree, s); # else - len = strlen(s) + sizeof(CONFIG_FILE) + 1; - tofree = OPENSSL_malloc(len); - if (!tofree) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } BUF_strlcpy(tofree, s, len); BUF_strlcat(tofree, "/", len); # endif diff --git a/apps/ts.c b/apps/ts.c index e0f4313..3cfdc79 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -576,10 +576,7 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md, unsigned char buffer[4096]; int length; - *md_value = OPENSSL_malloc(md_value_len); - if (*md_value == 0) - goto err; - + *md_value = app_malloc(md_value_len, "digest buffer"); EVP_DigestInit(&md_ctx, md); while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) { EVP_DigestUpdate(&md_ctx, buffer, length); @@ -624,8 +621,7 @@ static ASN1_INTEGER *create_nonce(int bits) OPENSSL_free(nonce->data); /* Allocate at least one byte. */ nonce->length = len - i; - if (!(nonce->data = OPENSSL_malloc(nonce->length + 1))) - goto err; + nonce->data = app_malloc(nonce->length + 1, "nonce buffer"); memcpy(nonce->data, buf + i, nonce->length); return nonce; diff --git a/apps/vms_decc_init.c b/apps/vms_decc_init.c index 1717dae..3ec7b54 100644 --- a/apps/vms_decc_init.c +++ b/apps/vms_decc_init.c @@ -130,7 +130,7 @@ char **copy_argv(int *argc, char *argv[]) */ int i, count = *argc; - char **newargv = OPENSSL_malloc((count + 1) * sizeof *newargv); + char **newargv = app_malloc((count + 1) * sizeof *newargv, "argv copy"); for (i = 0; i < count; i++) newargv[i] = argv[i]; 
diff --git a/apps/x509.c b/apps/x509.c index e1cc3cd..5418cce 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -783,12 +783,7 @@ int x509_main(int argc, char **argv) " */\n", buf); len = i2d_X509(x, NULL); - m = OPENSSL_malloc(len); - if (!m) { - BIO_printf(bio_err, "Out of memory\n"); - goto end; - } - + m = app_malloc(len, "x509 name buffer"); d = (unsigned char *)m; len = i2d_X509_NAME(X509_get_subject_name(x), &d); print_array(out, "the_subject_name", len, (unsigned char *)m); @@ -976,11 +971,7 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, len = ((serialfile == NULL) ? (strlen(CAfile) + strlen(POSTFIX) + 1) : (strlen(serialfile))) + 1; - buf = OPENSSL_malloc(len); - if (buf == NULL) { - BIO_printf(bio_err, "out of mem\n"); - goto end; - } + buf = app_malloc(len, "serial# buffer"); if (serialfile == NULL) { BUF_strlcpy(buf, CAfile, len); for (p = buf; *p; p++) From rsalz at openssl.org Thu Apr 30 21:58:09 2015 
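Review bot: In the x509_main hunk of apps/x509.c, `len = i2d_X509(x, NULL)` is passed straight to `app_malloc(len, "x509 name buffer")` without a check for a negative return, which the i2d functions use to report an encoding failure. With the old NULL check removed, nothing between the call and the allocation rejects that value; how app_malloc treats it depends on its parameter type, which is not visible here. I would add `if (len < 0) goto end;` before the allocation, using the `end` label the removed lines already jumped to. x509_main starts and ends outside the hunk.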
From: rsalz at openssl.org (Rich Salz) Date: Thu, 30 Apr 2015 21:58:09 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430431089.067091.21199.nullmailer@dev.openssl.org> The branch master has been updated via 4b45c6e52b208deff7da333d1c7f84bcd3986609 (commit) from 68dc682499ea3fe27d909c946d7abd39062d6efd (commit) - Log ----------------------------------------------------------------- commit 4b45c6e52b208deff7da333d1c7f84bcd3986609 Author: Rich Salz Date: Thu Apr 30 17:57:32 2015 -0400 free cleanup almost the finale Add OPENSSL_clear_free which merges cleanse and free. (Names was picked to be similar to BN_clear_free, etc.) Removed OPENSSL_freeFunc macro. Fixed the small simple ones that are left: CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 5 +---- apps/dgst.c | 5 +---- apps/s_client.c | 18 ++++------------- apps/s_server.c | 5 +---- crypto/asn1/a_sign.c | 20 ++++--------------- crypto/asn1/a_verify.c | 6 ++---- crypto/bn/bn_rand.c | 5 +---- crypto/cms/cms_asn1.c | 10 ++-------- crypto/cms/cms_enc.c | 11 +++-------- crypto/cms/cms_env.c | 15 ++++---------- crypto/cms/cms_kari.c | 5 +---- crypto/cms/cms_pwri.c | 3 +-- crypto/dh/dh_pmeth.c | 5 +---- crypto/dsa/dsa_asn1.c | 5 +---- crypto/ec/ec_key.c | 4 +--- crypto/ec/ec_lib.c | 13 +++--------- crypto/ec/ec_mult.c | 3 +-- crypto/ec/ec_pmeth.c | 5 +---- crypto/ec/ecp_nistp224.c | 3 +-- crypto/ec/ecp_nistp256.c | 3 +-- crypto/ec/ecp_nistp521.c | 3 +-- crypto/ec/ecp_nistz256.c | 10 +++------- crypto/ecdh/ech_lib.c | 5 +---- crypto/ecdsa/ecs_lib.c | 4 +--- crypto/ecdsa/ecs_vrf.c | 5 +---- crypto/engine/eng_openssl.c | 11 +++-------- crypto/evp/bio_enc.c | 3 +-- crypto/evp/bio_ok.c | 3 +-- crypto/evp/digest.c | 3 +-- crypto/evp/evp_pbe.c | 2 +- crypto/evp/p_open.c | 4 +--- crypto/hmac/hm_pmeth.c | 8 ++------ crypto/mem.c | 12 ++++++++++-- crypto/modes/gcm128.c | 
5 +---- crypto/modes/ocb128.c | 5 +---- crypto/pem/pem_lib.c | 13 +++--------- crypto/pem/pem_pkey.c | 3 +-- crypto/pem/pvkfmt.c | 5 +---- crypto/pkcs12/p12_key.c | 5 +---- crypto/pkcs7/pk7_doit.c | 48 ++++++++++++++------------------------------- crypto/rand/rand_lib.c | 5 +---- crypto/rsa/rsa_eay.c | 20 ++++--------------- crypto/rsa/rsa_lib.c | 3 +-- crypto/rsa/rsa_saos.c | 8 ++------ crypto/rsa/rsa_sign.c | 14 ++++--------- engines/e_4758cca.c | 12 ++++-------- engines/e_sureware.c | 5 +---- include/openssl/crypto.h | 3 ++- ssl/s3_clnt.c | 10 +++------- ssl/s3_enc.c | 7 ++----- ssl/s3_lib.c | 3 +-- ssl/ssl_cert.c | 7 ++----- ssl/ssl_sess.c | 3 +-- ssl/t1_enc.c | 5 +---- ssl/tls_srp.c | 19 +++++------------- util/libeay.num | 2 ++ 56 files changed, 121 insertions(+), 311 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index f74b968..aecd612 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -377,10 +377,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) } while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0)); - if (buff) { - OPENSSL_cleanse(buff, (unsigned int)bufsiz); - OPENSSL_free(buff); - } + OPENSSL_clear_free(buff, (unsigned int)bufsiz); if (ok >= 0) res = strlen(buf); diff --git a/apps/dgst.c b/apps/dgst.c index 3ff4750..69211d3 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -441,10 +441,7 @@ int dgst_main(int argc, char **argv) } } end: - if (buf != NULL) { - OPENSSL_cleanse(buf, BUFSIZE); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, BUFSIZE); BIO_free(in); if (passin) OPENSSL_free(passin); diff --git a/apps/s_client.c b/apps/s_client.c index 344c88c..e7e6684 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1994,8 +1994,7 @@ int s_client_main(int argc, char **argv) #endif SSL_CTX_free(ctx); X509_free(cert); - if (crls) - sk_X509_CRL_pop_free(crls, X509_CRL_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); EVP_PKEY_free(key); sk_X509_pop_free(chain, X509_free); if (pass) 
@@ -2008,18 +2007,9 @@ int s_client_main(int argc, char **argv) if (jpake_secret && psk_key) OPENSSL_free(psk_key); #endif - if (cbuf != NULL) { - OPENSSL_cleanse(cbuf, BUFSIZZ); - OPENSSL_free(cbuf); - } - if (sbuf != NULL) { - OPENSSL_cleanse(sbuf, BUFSIZZ); - OPENSSL_free(sbuf); - } - if (mbuf != NULL) { - OPENSSL_cleanse(mbuf, BUFSIZZ); - OPENSSL_free(mbuf); - } + OPENSSL_clear_free(cbuf, BUFSIZZ); + OPENSSL_clear_free(sbuf, BUFSIZZ); + OPENSSL_clear_free(mbuf, BUFSIZZ); BIO_free(bio_c_out); bio_c_out = NULL; BIO_free(bio_c_msg); diff --git a/apps/s_server.c b/apps/s_server.c index 21d2d37..ef32d5a 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -2395,10 +2395,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_free(con); } BIO_printf(bio_s_out, "CONNECTION CLOSED\n"); - if (buf != NULL) { - OPENSSL_cleanse(buf, bufsize); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, bufsize); if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); (void)BIO_flush(bio_s_out); diff --git a/crypto/asn1/a_sign.c b/crypto/asn1/a_sign.c index 21cbe0c..fb7536d 100644 --- a/crypto/asn1/a_sign.c +++ b/crypto/asn1/a_sign.c @@ -203,14 +203,8 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2, signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; err: EVP_MD_CTX_cleanup(&ctx); - if (buf_in != NULL) { - OPENSSL_cleanse((char *)buf_in, (unsigned int)inl); - OPENSSL_free(buf_in); - } - if (buf_out != NULL) { - OPENSSL_cleanse((char *)buf_out, outll); - OPENSSL_free(buf_out); - } + OPENSSL_clear_free((char *)buf_in, (unsigned int)inl); + OPENSSL_clear_free((char *)buf_out, outll); return (outl); } 
@@ -319,13 +313,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; err: EVP_MD_CTX_cleanup(ctx); - if (buf_in != NULL) { - OPENSSL_cleanse((char *)buf_in, (unsigned int)inl); - OPENSSL_free(buf_in); - } - if (buf_out != NULL) { - OPENSSL_cleanse((char *)buf_out, outll); - OPENSSL_free(buf_out); - } + OPENSSL_clear_free((char *)buf_in, (unsigned int)inl); + OPENSSL_clear_free((char *)buf_out, outll); return (outl); } diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 6023b14..b452999 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -107,8 +107,7 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature, ret = EVP_VerifyInit_ex(&ctx, type, NULL) && EVP_VerifyUpdate(&ctx, (unsigned char *)buf_in, inl); - OPENSSL_cleanse(buf_in, (unsigned int)inl); - OPENSSL_free(buf_in); + OPENSSL_clear_free(buf_in, (unsigned int)inl); if (!ret) { ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_EVP_LIB); @@ -208,8 +207,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ret = EVP_DigestVerifyUpdate(&ctx, buf_in, inl); - OPENSSL_cleanse(buf_in, (unsigned int)inl); - OPENSSL_free(buf_in); + OPENSSL_clear_free(buf_in, (unsigned int)inl); if (!ret) { ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_EVP_LIB); diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 1096464..4681154 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -187,10 +187,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) goto err; ret = 1; err: - if (buf != NULL) { - OPENSSL_cleanse(buf, bytes); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, bytes); bn_check_top(rnd); return (ret); } diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 2b61768..893ad46 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c 
@@ -251,16 +251,10 @@ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, EVP_PKEY_CTX_free(ktri->pctx); } else if (ri->type == CMS_RECIPINFO_KEK) { CMS_KEKRecipientInfo *kekri = ri->d.kekri; - if (kekri->key) { - OPENSSL_cleanse(kekri->key, kekri->keylen); - OPENSSL_free(kekri->key); - } + OPENSSL_clear_free(kekri->key, kekri->keylen); } else if (ri->type == CMS_RECIPINFO_PASS) { CMS_PasswordRecipientInfo *pwri = ri->d.pwri; - if (pwri->pass) { - OPENSSL_cleanse(pwri->pass, pwri->passlen); - OPENSSL_free(pwri->pass); - } + OPENSSL_clear_free(pwri->pass, pwri->passlen); } } return 1; diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index ffa85fc..f1ac1d5 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -164,8 +164,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) goto err; } else { /* Use random key */ - OPENSSL_cleanse(ec->key, ec->keylen); - OPENSSL_free(ec->key); + OPENSSL_clear_free(ec->key, ec->keylen); ec->key = tkey; ec->keylen = tkeylen; tkey = NULL; @@ -196,14 +195,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) err: if (ec->key && !keep_key) { - OPENSSL_cleanse(ec->key, ec->keylen); - OPENSSL_free(ec->key); + OPENSSL_clear_free(ec->key, ec->keylen); ec->key = NULL; } - if (tkey) { - OPENSSL_cleanse(tkey, tkeylen); - OPENSSL_free(tkey); - } + OPENSSL_clear_free(tkey, tkeylen); if (ok) return b; BIO_free(b); diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index 98c1fe0..d146f84 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -465,11 +465,7 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, ret = 1; - if (ec->key) { - OPENSSL_cleanse(ec->key, ec->keylen); - OPENSSL_free(ec->key); - } - + OPENSSL_clear_free(ec->key, ec->keylen); ec->key = ek; ec->keylen = eklen; 
@@ -937,12 +933,9 @@ BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) err: ec->cipher = NULL; - if (ec->key) { - OPENSSL_cleanse(ec->key, ec->keylen); - OPENSSL_free(ec->key); - ec->key = NULL; - ec->keylen = 0; - } + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; if (ok) return ret; BIO_free(ret); diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index 69a5115..17b62dd 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -294,10 +294,7 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0)) goto err; ec = cms->d.envelopedData->encryptedContentInfo; - if (ec->key) { - OPENSSL_cleanse(ec->key, ec->keylen); - OPENSSL_free(ec->key); - } + OPENSSL_clear_free(ec->key, ec->keylen); ec->key = cek; ec->keylen = ceklen; cek = NULL; diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c index ece5ce3..6416502 100644 --- a/crypto/cms/cms_pwri.c +++ b/crypto/cms/cms_pwri.c @@ -263,8 +263,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, memcpy(out, tmp + 4, *outlen); rv = 1; err: - OPENSSL_cleanse(tmp, inlen); - OPENSSL_free(tmp); + OPENSSL_clear_free(tmp, inlen); return rv; } diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 3fad054..e3ebc02 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -477,10 +477,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, *keylen = dctx->kdf_outlen; ret = 1; err: - if (Z) { - OPENSSL_cleanse(Z, Zlen); - OPENSSL_free(Z); - } + OPENSSL_clear_free(Z, Zlen); return ret; } return 1; diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index e7f80a8..d79f261 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c 
@@ -188,10 +188,7 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len, goto err; ret = DSA_do_verify(dgst, dgst_len, s, dsa); err: - if (derlen > 0) { - OPENSSL_cleanse(der, derlen); - OPENSSL_free(der); - } + OPENSSL_clear_free(der, derlen); DSA_SIG_free(s); return (ret); } diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index b73263d..dbd91d6 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -127,9 +127,7 @@ void EC_KEY_free(EC_KEY *r) EC_EX_DATA_free_all_data(&r->method_data); - OPENSSL_cleanse((void *)r, sizeof(EC_KEY)); - - OPENSSL_free(r); + OPENSSL_clear_free((void *)r, sizeof(EC_KEY)); } EC_KEY *EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 0e850d6..b2a5d79 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -166,14 +166,8 @@ void EC_GROUP_clear_free(EC_GROUP *group) EC_POINT_clear_free(group->generator); BN_clear_free(group->order); BN_clear_free(group->cofactor); - - if (group->seed) { - OPENSSL_cleanse(group->seed, group->seed_len); - OPENSSL_free(group->seed); - } - - OPENSSL_cleanse(group, sizeof *group); - OPENSSL_free(group); + OPENSSL_clear_free(group->seed, group->seed_len); + OPENSSL_clear_free(group, sizeof *group); } int EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) @@ -751,8 +745,7 @@ void EC_POINT_clear_free(EC_POINT *point) point->meth->point_clear_finish(point); else if (point->meth->point_finish != 0) point->meth->point_finish(point); - OPENSSL_cleanse(point, sizeof *point); - OPENSSL_free(point); + OPENSSL_clear_free(point, sizeof *point); } int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 979b454..6dabfc8 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -169,8 +169,7 @@ static void ec_pre_comp_clear_free(void *pre_) } OPENSSL_free(pre->points); } - OPENSSL_cleanse(pre, sizeof *pre); - OPENSSL_free(pre); + OPENSSL_clear_free(pre, sizeof *pre); } /* 
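Review bot: In DSA_verify the cleanup guard changes from `derlen > 0` to "der is non-NULL", and `derlen` now lands in the `size_t num` parameter of CRYPTO_clear_free. The declarations are outside the hunk, but if `derlen` is a signed int that can still hold a negative i2d result while `der` is set, the conversion gives OPENSSL_cleanse a huge length. Keeping the sign check in the call avoids relying on that invariant: `OPENSSL_clear_free(der, derlen > 0 ? (size_t)derlen : 0);`. The ECDSA_verify hunk in crypto/ecdsa/ecs_vrf.c makes the same replacement and needs the same treatment.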
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 37f8fa1..5b3d197 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -268,10 +268,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, rv = 1; err: - if (ktmp) { - OPENSSL_cleanse(ktmp, ktmplen); - OPENSSL_free(ktmp); - } + OPENSSL_clear_free(ktmp, ktmplen); return rv; } #endif diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index 5afe71c..a5e76f4 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -1247,8 +1247,7 @@ static void nistp224_pre_comp_clear_free(void *pre_) if (i > 0) return; - OPENSSL_cleanse(pre, sizeof *pre); - OPENSSL_free(pre); + OPENSSL_clear_free(pre, sizeof *pre); } /******************************************************************************/ diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c index 2f394bf..6fce22e 100644 --- a/crypto/ec/ecp_nistp256.c +++ b/crypto/ec/ecp_nistp256.c @@ -1862,8 +1862,7 @@ static void nistp256_pre_comp_clear_free(void *pre_) if (i > 0) return; - OPENSSL_cleanse(pre, sizeof *pre); - OPENSSL_free(pre); + OPENSSL_clear_free(pre, sizeof *pre); } /******************************************************************************/ diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index b2fe653..8657a8f 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -1691,8 +1691,7 @@ static void nistp521_pre_comp_clear_free(void *pre_) if (i > 0) return; - OPENSSL_cleanse(pre, sizeof(*pre)); - OPENSSL_free(pre); + OPENSSL_clear_free(pre, sizeof(*pre)); } /******************************************************************************/ diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index c527797..417c29a 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c 
@@ -1471,13 +1471,9 @@ static void ecp_nistz256_pre_comp_clear_free(void *pre_) if (i > 0) return; - if (pre->precomp_storage) { - OPENSSL_cleanse(pre->precomp, - 32 * sizeof(unsigned char) * (1 << pre->w) * 2 * 37); - OPENSSL_free(pre->precomp_storage); - } - OPENSSL_cleanse(pre, sizeof *pre); - OPENSSL_free(pre); + OPENSSL_clear_free(pre->precomp, + 32 * sizeof(unsigned char) * (1 << pre->w) * 2 * 37); + OPENSSL_clear_free(pre, sizeof *pre); } static int ecp_nistz256_window_have_precompute_mult(const EC_GROUP *group) diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index 7b57ec4..82f8850 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -172,10 +172,7 @@ void ecdh_data_free(void *data) #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data); - - OPENSSL_cleanse((void *)r, sizeof(ECDH_DATA)); - - OPENSSL_free(r); + OPENSSL_clear_free((void *)r, sizeof(ECDH_DATA)); } ECDH_DATA *ecdh_check(EC_KEY *key) diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index cdb7b60..55324f7 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -160,9 +160,7 @@ static void ecdsa_data_free(void *data) #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data); - OPENSSL_cleanse((void *)r, sizeof(ECDSA_DATA)); - - OPENSSL_free(r); + OPENSSL_clear_free((void *)r, sizeof(ECDSA_DATA)); } ECDSA_DATA *ecdsa_check(EC_KEY *key) diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c index e909aeb..b9bd32f 100644 --- a/crypto/ecdsa/ecs_vrf.c +++ b/crypto/ecdsa/ecs_vrf.c @@ -103,10 +103,7 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, goto err; ret = ECDSA_do_verify(dgst, dgst_len, s, eckey); err: - if (derlen > 0) { - OPENSSL_cleanse(der, derlen); - OPENSSL_free(der); - } + OPENSSL_clear_free(der, derlen); ECDSA_SIG_free(s); return (ret); } diff --git a/crypto/engine/eng_openssl.c b/crypto/engine/eng_openssl.c index 78fa3c8..cc91044 100644 --- a/crypto/engine/eng_openssl.c 
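Review bot: In ecp_nistz256_pre_comp_clear_free the new `OPENSSL_clear_free(pre->precomp, …)` frees `pre->precomp`, whereas the removed code cleansed `pre->precomp` but freed `pre->precomp_storage`. The two field names suggest `precomp` is a pointer derived from the `precomp_storage` allocation (inferred, the struct is not in the hunk); if so, this hands the allocator a pointer it never returned and never releases the real allocation. The merge into one call is not equivalent here, so I would keep the original pair under its `if (pre->precomp_storage)` guard: `OPENSSL_cleanse(pre->precomp, …);` followed by `OPENSSL_free(pre->precomp_storage);`.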
+++ b/crypto/engine/eng_openssl.c @@ -463,15 +463,10 @@ static int ossl_hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) static void ossl_hmac_cleanup(EVP_PKEY_CTX *ctx) { - OSSL_HMAC_PKEY_CTX *hctx; - hctx = EVP_PKEY_CTX_get_data(ctx); + OSSL_HMAC_PKEY_CTX *hctx = EVP_PKEY_CTX_get_data(ctx); + HMAC_CTX_cleanup(&hctx->ctx); - if (hctx->ktmp.data) { - if (hctx->ktmp.length) - OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length); - OPENSSL_free(hctx->ktmp.data); - hctx->ktmp.data = NULL; - } + OPENSSL_clear_free(hctx->ktmp.data, hctx->ktmp.length); OPENSSL_free(hctx); } diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index 4409a91..0afd8cc 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -137,8 +137,7 @@ static int enc_free(BIO *a) return (0); b = (BIO_ENC_CTX *)a->ptr; EVP_CIPHER_CTX_cleanup(&(b->cipher)); - OPENSSL_cleanse(a->ptr, sizeof(BIO_ENC_CTX)); - OPENSSL_free(a->ptr); + OPENSSL_clear_free(a->ptr, sizeof(BIO_ENC_CTX)); a->ptr = NULL; a->init = 0; a->flags = 0; diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 1aab200..eced061 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -202,8 +202,7 @@ static int ok_free(BIO *a) if (a == NULL) return (0); EVP_MD_CTX_cleanup(&((BIO_OK_CTX *)a->ptr)->md); - OPENSSL_cleanse(a->ptr, sizeof(BIO_OK_CTX)); - OPENSSL_free(a->ptr); + OPENSSL_clear_free(a->ptr, sizeof(BIO_OK_CTX)); a->ptr = NULL; a->init = 0; a->flags = 0; diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index ce95350..043830d 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -349,8 +349,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) ctx->digest->cleanup(ctx); if (ctx->digest && ctx->digest->ctx_size && ctx->md_data && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { - OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); - OPENSSL_free(ctx->md_data); + OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); } EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE 
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 00fa72d..7a71637 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -292,7 +292,7 @@ int EVP_PBE_find(int type, int pbe_nid, static void free_evp_pbe_ctl(EVP_PBE_CTL *pbe) { - OPENSSL_freeFunc(pbe); + OPENSSL_free(pbe); } void EVP_PBE_cleanup(void) diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index adaa42f..481c855 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -105,9 +105,7 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ret = 1; err: - if (key != NULL) - OPENSSL_cleanse(key, size); - OPENSSL_free(key); + OPENSSL_clear_free(key, size); return (ret); } diff --git a/crypto/hmac/hm_pmeth.c b/crypto/hmac/hm_pmeth.c index f2be144..f53f78c 100644 --- a/crypto/hmac/hm_pmeth.c +++ b/crypto/hmac/hm_pmeth.c @@ -113,13 +113,9 @@ static int pkey_hmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) static void pkey_hmac_cleanup(EVP_PKEY_CTX *ctx) { HMAC_PKEY_CTX *hctx = ctx->data; + HMAC_CTX_cleanup(&hctx->ctx); - if (hctx->ktmp.data) { - if (hctx->ktmp.length) - OPENSSL_cleanse(hctx->ktmp.data, hctx->ktmp.length); - OPENSSL_free(hctx->ktmp.data); - hctx->ktmp.data = NULL; - } + OPENSSL_clear_free(hctx->ktmp.data, hctx->ktmp.length); OPENSSL_free(hctx); } diff --git a/crypto/mem.c b/crypto/mem.c index afdce77..6176b38 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -417,8 +417,7 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, ret = malloc_ex_func(num, file, line); if (ret) { memcpy(ret, str, old_len); - OPENSSL_cleanse(str, old_len); - free_func(str); + OPENSSL_clear_free(str, old_len); } #ifdef LEVITTE_DEBUG_MEM fprintf(stderr, @@ -443,6 +442,15 @@ void CRYPTO_free(void *str) free_debug_func(NULL, 1); } +void CRYPTO_clear_free(void *str, size_t num) +{ + if (!str) + return; + if (num) + OPENSSL_cleanse(str, num); + CRYPTO_free(str); +} + void *CRYPTO_remalloc(void *a, int num, const char *file, int line) { if (a != NULL) 
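Review bot: In CRYPTO_realloc_clean, replacing `free_func(str)` with `OPENSSL_clear_free(str, old_len)` now routes the release through CRYPTO_free, whose visible tail calls `free_debug_func(NULL, 1)`. The old code called the raw allocator hook, so the memory-debug callbacks were presumably driven only by the realloc-specific hooks around this block (those lines are outside the hunk); the extra free notification could desynchronise the debug bookkeeping for the reallocated pointer. To keep the previous behaviour I would leave this site as `OPENSSL_cleanse(str, old_len); free_func(str);`. Note also that `old_len` is an `int` here and is converted to `size_t` by the new call.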
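Review bot: The new CRYPTO_clear_free in crypto/mem.c has no comment stating its contract, although it becomes the single place callers rely on for wiping secrets before release. I would add above the definition: `/* Cleanse num bytes at str, then free it. A NULL str is a no-op; num must not exceed the size of the allocation. */`. That records the NULL tolerance the converted call sites now depend on and the caller's responsibility for the length.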
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 4ac28b3..780b326 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -1709,10 +1709,7 @@ GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block) void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx) { - if (ctx) { - OPENSSL_cleanse(ctx, sizeof(*ctx)); - OPENSSL_free(ctx); - } + OPENSSL_clear_free(ctx, sizeof(*ctx)); } #if defined(SELFTEST) diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c index 0d82e50..efa403b 100644 --- a/crypto/modes/ocb128.c +++ b/crypto/modes/ocb128.c @@ -588,10 +588,7 @@ int CRYPTO_ocb128_tag(OCB128_CONTEXT *ctx, unsigned char *tag, size_t len) void CRYPTO_ocb128_cleanup(OCB128_CONTEXT *ctx) { if (ctx) { - if (ctx->l) { - OPENSSL_cleanse(ctx->l, ctx->max_l_index * 16); - OPENSSL_free(ctx->l); - } + OPENSSL_clear_free(ctx->l, ctx->max_l_index * 16); OPENSSL_cleanse(ctx, sizeof(*ctx)); } } diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 431e368..143d001 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -429,10 +429,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, OPENSSL_cleanse(iv, sizeof(iv)); OPENSSL_cleanse((char *)&ctx, sizeof(ctx)); OPENSSL_cleanse(buf, PEM_BUFSIZE); - if (data != NULL) { - OPENSSL_cleanse(data, (unsigned int)dsize); - OPENSSL_free(data); - } + OPENSSL_clear_free(data, (unsigned int)dsize); return (ret); } @@ -637,8 +634,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header, EVP_EncodeFinal(&ctx, buf, &outl); if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl)) goto err; - OPENSSL_cleanse(buf, PEM_BUFSIZE * 8); - OPENSSL_free(buf); + OPENSSL_clear_free(buf, PEM_BUFSIZE * 8); buf = NULL; if ((BIO_write(bp, "-----END ", 9) != 9) || (BIO_write(bp, name, nlen) != nlen) || 
@@ -646,10 +642,7 @@ int PEM_write_bio(BIO *bp, const char *name, const char *header, goto err; return (i + outl); err: - if (buf) { - OPENSSL_cleanse(buf, PEM_BUFSIZE * 8); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, PEM_BUFSIZE * 8); PEMerr(PEM_F_PEM_WRITE_BIO, reason); return (0); } diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c index 80c316e..0a110e1 100644 --- a/crypto/pem/pem_pkey.c +++ b/crypto/pem/pem_pkey.c @@ -139,8 +139,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, PEMerr(PEM_F_PEM_READ_BIO_PRIVATEKEY, ERR_R_ASN1_LIB); err: OPENSSL_free(nm); - OPENSSL_cleanse(data, len); - OPENSSL_free(data); + OPENSSL_clear_free(data, len); return (ret); } diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 14ddb33..8ac9348 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -772,10 +772,7 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) ret = do_PVK_body(&p, saltlen, keylen, cb, u); err: - if (buf) { - OPENSSL_cleanse(buf, buflen); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, buflen); return ret; } diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index 5a06208..45cac04 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -96,10 +96,7 @@ int PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, id, iter, n, out, md_type); if (ret <= 0) return 0; - if (unipass) { - OPENSSL_cleanse(unipass, uniplen); /* Clear password from memory */ - OPENSSL_free(unipass); - } + OPENSSL_clear_free(unipass, uniplen); return ret; } diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 51e9c6e..4bc06b9 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -229,11 +229,7 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, ret = 1; - if (*pek) { - OPENSSL_cleanse(*pek, *peklen); - OPENSSL_free(*pek); - } - + OPENSSL_clear_free(*pek, *peklen); *pek = ek; *peklen = eklen; 
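Review bot: In the PKCS12_key_gen_asc hunk of crypto/pkcs12/p12_key.c, the context line `if (ret <= 0) return 0;` still runs before `OPENSSL_clear_free(unipass, uniplen);`, so on a failed key derivation the converted password copy is neither cleansed nor freed. The change also removes the "Clear password from memory" comment that explained why the wipe matters. Swapping the two statements fixes both the leak and the missed wipe: `OPENSSL_clear_free(unipass, uniplen);` first, then `if (ret <= 0) return 0;`. The function begins outside the hunk, so the allocation of `unipass` is inferred from its use here.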
@@ -576,8 +572,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) */ if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { /* Use random key as MMA defence */ - OPENSSL_cleanse(ek, eklen); - OPENSSL_free(ek); + OPENSSL_clear_free(ek, eklen); ek = tkey; eklen = tkeylen; tkey = NULL; @@ -588,16 +583,10 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) goto err; - if (ek) { - OPENSSL_cleanse(ek, eklen); - OPENSSL_free(ek); - ek = NULL; - } - if (tkey) { - OPENSSL_cleanse(tkey, tkeylen); - OPENSSL_free(tkey); - tkey = NULL; - } + OPENSSL_clear_free(ek, eklen); + ek = NULL; + OPENSSL_clear_free(tkey, tkeylen); + tkey = NULL; if (out == NULL) out = etmp; @@ -619,23 +608,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) } BIO_push(out, bio); bio = NULL; - if (0) { + return out; + err: - if (ek) { - OPENSSL_cleanse(ek, eklen); - OPENSSL_free(ek); - } - if (tkey) { - OPENSSL_cleanse(tkey, tkeylen); - OPENSSL_free(tkey); - } - BIO_free_all(out); - BIO_free_all(btmp); - BIO_free_all(etmp); - BIO_free_all(bio); - out = NULL; - } - return (out); + OPENSSL_clear_free(ek, eklen); + OPENSSL_clear_free(tkey, tkeylen); + BIO_free_all(out); + BIO_free_all(btmp); + BIO_free_all(etmp); + BIO_free_all(bio); + return NULL; } static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index 0bbaf67..acc116b 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -207,10 +207,7 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen) { - if (out) { - OPENSSL_cleanse(out, olen); - OPENSSL_free(out); - } + OPENSSL_clear_free(out, olen); } /* diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 73a8e07..49c157a 100644 --- a/crypto/rsa/rsa_eay.c 
+++ b/crypto/rsa/rsa_eay.c @@ -243,10 +243,7 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from, BN_CTX_end(ctx); BN_CTX_free(ctx); } - if (buf != NULL) { - OPENSSL_cleanse(buf, num); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, num); return (r); } @@ -480,10 +477,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, BN_CTX_end(ctx); BN_CTX_free(ctx); } - if (buf != NULL) { - OPENSSL_cleanse(buf, num); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, num); return (r); } @@ -622,10 +616,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from, BN_CTX_end(ctx); BN_CTX_free(ctx); } - if (buf != NULL) { - OPENSSL_cleanse(buf, num); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, num); return (r); } @@ -725,10 +716,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, BN_CTX_end(ctx); BN_CTX_free(ctx); } - if (buf != NULL) { - OPENSSL_cleanse(buf, num); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, num); return (r); } diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 5b4ce73..1430d5b 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -243,8 +243,7 @@ void RSA_free(RSA *r) BN_BLINDING_free(r->blinding); if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding); - if (r->bignum_data != NULL) - OPENSSL_free_locked(r->bignum_data); + OPENSSL_free_locked(r->bignum_data); OPENSSL_free(r); } diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c index 80709f5..c462ae1 100644 --- a/crypto/rsa/rsa_saos.c +++ b/crypto/rsa/rsa_saos.c @@ -96,8 +96,7 @@ int RSA_sign_ASN1_OCTET_STRING(int type, else *siglen = i; - OPENSSL_cleanse(s, (unsigned int)j + 1); - OPENSSL_free(s); + OPENSSL_clear_free(s, (unsigned int)j + 1); return (ret); } 
@@ -139,9 +138,6 @@ int RSA_verify_ASN1_OCTET_STRING(int dtype, ret = 1; err: ASN1_OCTET_STRING_free(sig); - if (s != NULL) { - OPENSSL_cleanse(s, (unsigned int)siglen); - OPENSSL_free(s); - } + OPENSSL_clear_free(s, (unsigned int)siglen); return (ret); } diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 3b2ba56..6965797 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -131,10 +131,8 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, else *siglen = i; - if (type != NID_md5_sha1) { - OPENSSL_cleanse(tmps, (unsigned int)j + 1); - OPENSSL_free(tmps); - } + if (type != NID_md5_sha1) + OPENSSL_clear_free(tmps, (unsigned int)j + 1); return (ret); } @@ -153,8 +151,7 @@ static int rsa_check_digestinfo(X509_SIG *sig, const unsigned char *dinfo, return 0; if (derlen == dinfolen && !memcmp(dinfo, der, derlen)) ret = 1; - OPENSSL_cleanse(der, derlen); - OPENSSL_free(der); + OPENSSL_clear_free(der, derlen); return ret; } @@ -267,10 +264,7 @@ int int_rsa_verify(int dtype, const unsigned char *m, } err: X509_SIG_free(sig); - if (s != NULL) { - OPENSSL_cleanse(s, (unsigned int)siglen); - OPENSSL_free(s); - } + OPENSSL_clear_free(s, (unsigned int)siglen); return (ret); } diff --git a/engines/e_4758cca.c b/engines/e_4758cca.c index 3b593c7..b605a79 100644 --- a/engines/e_4758cca.c +++ b/engines/e_4758cca.c @@ -709,10 +709,8 @@ static int cca_rsa_verify(int type, const unsigned char *m, &keyTokenLength, keyToken, &length, hashBuffer, &lsiglen, (unsigned char *)sigbuf); - if (type == NID_sha1 || type == NID_md5) { - OPENSSL_cleanse(hashBuffer, keyLength + 1); - OPENSSL_free(hashBuffer); - } + if (type == NID_sha1 || type == NID_md5) + OPENSSL_clear_free(hashBuffer, keyLength + 1); return ((returnCode || reasonCode) ? 0 : 1); } 
@@ -820,10 +818,8 @@ static int cca_rsa_sign(int type, const unsigned char *m, unsigned int m_len, &keyTokenLength, keyToken, &length, hashBuffer, &outputLength, &outputBitLength, sigret); - if (type == NID_sha1 || type == NID_md5) { - OPENSSL_cleanse(hashBuffer, keyLength + 1); - OPENSSL_free(hashBuffer); - } + if (type == NID_sha1 || type == NID_md5) + OPENSSL_clear_free(hashBuffer, keyLength + 1); *siglen = outputLength; diff --git a/engines/e_sureware.c b/engines/e_sureware.c index 4580250..9e56a7d 100644 --- a/engines/e_sureware.c +++ b/engines/e_sureware.c @@ -948,10 +948,7 @@ static int surewarehk_rsa_priv_dec(int flen, const unsigned char *from, SUREWARE_R_PADDING_CHECK_FAILED); } err: - if (buf) { - OPENSSL_cleanse(buf, tlen); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, tlen); return ret; } diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 9762398..f05084f 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -373,7 +373,7 @@ int CRYPTO_is_mem_check_on(void); CRYPTO_realloc_clean(addr,old_num,num,__FILE__,__LINE__) # define OPENSSL_remalloc(addr,num) \ CRYPTO_remalloc((char **)addr,(int)num,__FILE__,__LINE__) -# define OPENSSL_freeFunc CRYPTO_free +# define OPENSSL_clear_free(addr, num) CRYPTO_clear_free(addr, num) # define OPENSSL_free(addr) CRYPTO_free(addr) # define OPENSSL_malloc_locked(num) \ @@ -526,6 +526,7 @@ void CRYPTO_free_locked(void *ptr); void *CRYPTO_malloc(int num, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *ptr); +void CRYPTO_clear_free(void *ptr, size_t num); void *CRYPTO_realloc(void *addr, int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr, int old_num, int num, const char *file, int line); diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index bbff778..71756cd 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c 
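Review bot: The new `CRYPTO_clear_free` prototype in include/openssl/crypto.h has no comment, although the call sites converted in this commit drop their NULL guards and so depend on it accepting a NULL pointer. I would state that contract next to the declaration, for example `/* Cleanse num bytes at ptr, then free it; a NULL ptr is a no-op. */`, assuming the definition (not in these hunks) returns early on NULL. `num` is a `size_t` while at least `tmp_len` in ssl/tls_srp.c is an `int`, so the comment should also say that a negative length must never be passed, since it would convert to a very large size.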
@@ -3073,8 +3073,7 @@ int ssl3_send_client_key_exchange(SSL *s) s-> session->master_key, pms, pmslen); - OPENSSL_cleanse(pms, pmslen); - OPENSSL_free(pms); + OPENSSL_clear_free(pms, pmslen); s->cert->pms = NULL; if (s->session->master_key_length < 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); @@ -3087,11 +3086,8 @@ int ssl3_send_client_key_exchange(SSL *s) ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); err: - if (pms) { - OPENSSL_cleanse(pms, pmslen); - OPENSSL_free(pms); - s->cert->pms = NULL; - } + OPENSSL_clear_free(pms, pmslen); + s->cert->pms = NULL; #ifndef OPENSSL_NO_EC BN_CTX_free(bn_ctx); if (encodedPoint != NULL) diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 8fc5bc4..df86f5b 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -471,11 +471,8 @@ int ssl3_setup_key_block(SSL *s) void ssl3_cleanup_key_block(SSL *s) { - if (s->s3->tmp.key_block != NULL) { - OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); - OPENSSL_free(s->s3->tmp.key_block); - s->s3->tmp.key_block = NULL; - } + OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); + s->s3->tmp.key_block = NULL; s->s3->tmp.key_block_length = 0; } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ef2ddb4..190d0f1 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3138,8 +3138,7 @@ void ssl3_free(SSL *s) #ifndef OPENSSL_NO_SRP SSL_SRP_CTX_free(s); #endif - OPENSSL_cleanse(s->s3, sizeof *s->s3); - OPENSSL_free(s->s3); + OPENSSL_clear_free(s->s3, sizeof *s->s3); s->s3 = NULL; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 0ae9646..a15c5f9 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -465,11 +465,8 @@ void ssl_cert_free(CERT *c) custom_exts_free(&c->cli_ext); custom_exts_free(&c->srv_ext); #endif - if (c->pms) { - OPENSSL_cleanse(c->pms, c->pmslen); - OPENSSL_free(c->pms); - c->pms = NULL; - } + OPENSSL_clear_free(c->pms, c->pmslen); + c->pms = NULL; OPENSSL_free(c); } 
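Review bot: After `OPENSSL_clear_free(pms, pmslen);` in the first ssl/s3_clnt.c hunk only `s->cert->pms` is reset, so the local `pms` still points at the freed buffer while the `master_key_length < 0` branch runs. If that branch jumps to `err:` (its end is outside the hunk), the cleanup in the second hunk cleanses and frees the same buffer a second time. The old `if (pms)` guard did not prevent this either, so it is not new, but the commit rewrites both sites and could close it. Adding `pms = NULL;` right after the first call makes the error path safe.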
diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index eed38ca..cec5905 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -759,8 +759,7 @@ void SSL_SESSION_free(SSL_SESSION *ss) if (ss->srp_username != NULL) OPENSSL_free(ss->srp_username); #endif - OPENSSL_cleanse(ss, sizeof(*ss)); - OPENSSL_free(ss); + OPENSSL_clear_free(ss, sizeof(*ss)); } int SSL_set_session(SSL *s, SSL_SESSION *session) diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 1f58ed0..edb6558 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -717,10 +717,7 @@ int tls1_setup_key_block(SSL *s) ret = 1; err: - if (p2) { - OPENSSL_cleanse(p2, num); - OPENSSL_free(p2); - } + OPENSSL_clear_free(p2, num); return (ret); } diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c index 33d398f..5d895cc 100644 --- a/ssl/tls_srp.c +++ b/ssl/tls_srp.c @@ -339,7 +339,7 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key) { BIGNUM *K = NULL, *u = NULL; - int ret = -1, tmp_len; + int ret = -1, tmp_len = 0; unsigned char *tmp = NULL; if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N)) @@ -360,10 +360,7 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key) s->method->ssl3_enc->generate_master_secret(s, master_key, tmp, tmp_len); err: - if (tmp) { - OPENSSL_cleanse(tmp, tmp_len); - OPENSSL_free(tmp); - } + OPENSSL_clear_free(tmp, tmp_len); BN_clear_free(K); BN_clear_free(u); return ret; @@ -373,7 +370,7 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key) int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key) { BIGNUM *x = NULL, *u = NULL, *K = NULL; - int ret = -1, tmp_len; + int ret = -1, tmp_len = 0; char *passwd = NULL; unsigned char *tmp = NULL; 
@@ -407,16 +404,10 @@ int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key) s->method->ssl3_enc->generate_master_secret(s, master_key, tmp, tmp_len); err: - if (tmp) { - OPENSSL_cleanse(tmp, tmp_len); - OPENSSL_free(tmp); - } + OPENSSL_clear_free(tmp, tmp_len); BN_clear_free(K); BN_clear_free(x); - if (passwd) { - OPENSSL_cleanse(passwd, strlen(passwd)); - OPENSSL_free(passwd); - } + OPENSSL_clear_free(passwd, strlen(passwd)); BN_clear_free(u); return ret; } diff --git a/util/libeay.num b/util/libeay.num index 553a160..bc4bb44 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4555,3 +4555,5 @@ OBJ_get0_data 4913 EXIST::FUNCTION: X509_NAME_ENTRY_set 4914 EXIST::FUNCTION: ASN1_TYPE_pack_sequence 4915 EXIST::FUNCTION: ASN1_TYPE_unpack_sequence 4916 EXIST::FUNCTION: +CRYPTO_clean_free 4917 NOEXIST::FUNCTION: +CRYPTO_clear_free 4918 EXIST::FUNCTION: From matt at openssl.org Thu Apr 30 22:01:24 2015 From: matt at openssl.org (Matt Caswell) Date: Thu, 30 Apr 2015 22:01:24 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430431284.134559.22325.nullmailer@dev.openssl.org> The branch master has been updated via b0696f8b0b6e9a837e0abe4d79a8219e287c9036 (commit) from 4b45c6e52b208deff7da333d1c7f84bcd3986609 (commit) - Log ----------------------------------------------------------------- commit b0696f8b0b6e9a837e0abe4d79a8219e287c9036 Author: Matt Caswell Date: Thu Apr 30 23:00:44 2015 +0100 make update Run make update following previous header file changes. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/Makefile | 206 ++++++++++++++++++++++++++++------------------------------ ssl/Makefile | 43 ++++++------ 2 files changed, 122 insertions(+), 127 deletions(-) diff --git a/apps/Makefile b/apps/Makefile index b6f7b2c..6253687 100644 --- a/apps/Makefile +++ b/apps/Makefile 
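Review bot: `OPENSSL_clear_free(passwd, strlen(passwd));` evaluates `strlen(passwd)` before the call, so the free function's NULL tolerance does not help here: if `passwd` is still NULL at `err:`, this dereferences a null pointer. `passwd` is initialised to NULL in the previous hunk and the removed `if (passwd)` guard covered that case, which suggests that error paths reach `err:` before it is assigned (they are outside the hunk). The test should stay for this one call: `if (passwd != NULL) OPENSSL_clear_free(passwd, strlen(passwd));`.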
@@ -192,15 +192,15 @@ apps.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h -apps.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h -apps.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -apps.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -apps.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -apps.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h -apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -apps.o: ../include/openssl/x509v3.h apps.c apps.h progs.h +apps.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +apps.o: ../include/openssl/sha.h ../include/openssl/srtp.h +apps.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +apps.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +apps.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +apps.o: ../include/openssl/ui.h ../include/openssl/x509.h +apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h +apps.o: progs.h asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -246,14 +246,14 @@ ciphers.o: ../include/openssl/objects.h ../include/openssl/ocsp.h ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h -ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ciphers.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -ciphers.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ciphers.o: ../include/openssl/x509v3.h apps.h ciphers.c progs.h +ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h +ciphers.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +ciphers.o: ciphers.c progs.h cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -431,14 +431,14 @@ engine.o: ../include/openssl/objects.h ../include/openssl/ocsp.h engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h -engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -engine.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -engine.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -engine.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -engine.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -engine.o: ../include/openssl/x509v3.h apps.h engine.c progs.h +engine.o: ../include/openssl/safestack.h ../include/openssl/sha.h +engine.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +engine.o: engine.c progs.h errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -452,14 +452,14 @@ errstr.o: ../include/openssl/objects.h ../include/openssl/ocsp.h errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h -errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -errstr.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -errstr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -errstr.o: ../include/openssl/x509v3.h apps.h errstr.c progs.h +errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +errstr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +errstr.o: errstr.c progs.h gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -539,15 +539,14 @@ ocsp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h ocsp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h ocsp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ocsp.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c -ocsp.o: progs.h +ocsp.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ocsp.o: ../include/openssl/sha.h ../include/openssl/srtp.h +ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c progs.h openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -561,15 +560,14 @@ openssl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -openssl.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -openssl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -openssl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -openssl.o: openssl.c progs.h s_apps.h +openssl.o: ../include/openssl/rand.h ../include/openssl/safestack.h +openssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h +openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h opt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h opt.o: ../include/openssl/buffer.h ../include/openssl/conf.h opt.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h 
@@ -790,15 +788,14 @@ s_cb.o: ../include/openssl/objects.h ../include/openssl/ocsp.h s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_cb.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_cb.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_cb.o: progs.h s_apps.h s_cb.c +s_cb.o: ../include/openssl/rand.h ../include/openssl/safestack.h +s_cb.o: ../include/openssl/sha.h ../include/openssl/srtp.h +s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_cb.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_cb.c s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h 
@@ -812,16 +809,16 @@ s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -s_client.o: ../include/openssl/rand.h ../include/openssl/safestack.h -s_client.o: ../include/openssl/sha.h ../include/openssl/srp.h -s_client.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_client.o: progs.h s_apps.h s_client.c timeouts.h +s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h +s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_client.o: ../include/openssl/srp.h ../include/openssl/srtp.h +s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_client.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_client.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_client.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_client.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_client.c +s_client.o: timeouts.h s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h 
@@ -836,16 +833,16 @@ s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s_server.o: ../include/openssl/sha.h ../include/openssl/srp.h -s_server.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_server.o: progs.h s_apps.h s_server.c timeouts.h +s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h +s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_server.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_server.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_server.c +s_server.o: timeouts.h s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -858,15 +855,14 @@ s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h s_socket.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h -s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h -s_socket.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -s_socket.o: ../include/openssl/txt_db.h ../include/openssl/x509.h -s_socket.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -s_socket.o: progs.h s_apps.h s_socket.c +s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +s_socket.o: ../include/openssl/sha.h ../include/openssl/srtp.h +s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h +s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +s_socket.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_socket.c s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -880,14 +876,14 @@ s_time.o: ../include/openssl/objects.h ../include/openssl/ocsp.h s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h -s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s_time.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -s_time.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -s_time.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_time.c +s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s_time.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +s_time.o: progs.h s_apps.h s_time.c sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h 
@@ -901,14 +897,14 @@ sess_id.o: ../include/openssl/objects.h ../include/openssl/ocsp.h sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h -sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h -sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -sess_id.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h -sess_id.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -sess_id.o: ../include/openssl/x509v3.h apps.h progs.h sess_id.c +sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h +sess_id.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h +sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h +sess_id.o: progs.h sess_id.c smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h diff --git a/ssl/Makefile b/ssl/Makefile index ef10a11..bff2b9a 100644 --- a/ssl/Makefile +++ b/ssl/Makefile 
@@ -289,14 +289,13 @@ kssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h kssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h kssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h kssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h -kssl.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -kssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h -kssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -kssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -kssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -kssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -kssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h kssl.c -kssl.o: kssl_lcl.h +kssl.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +kssl.o: ../include/openssl/sha.h ../include/openssl/srtp.h +kssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +kssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +kssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +kssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h +kssl.o: ../include/openssl/x509_vfy.h kssl.c kssl_lcl.h rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rec_layer_d1.o: ../include/openssl/buffer.h ../include/openssl/comp.h rec_layer_d1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h 
@@ -768,13 +767,13 @@ ssl_err.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ssl_err.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_err.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -ssl_err.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_err.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -ssl_err.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_err.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_err.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_err.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err.c +ssl_err.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ssl_err.o: ../include/openssl/sha.h ../include/openssl/srtp.h +ssl_err.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_err.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_err.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl_err.o: ../include/openssl/x509_vfy.h ssl_err.c ssl_err2.o: ../include/openssl/asn1.h ../include/openssl/bio.h ssl_err2.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_err2.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h 
@@ -786,13 +785,13 @@ ssl_err2.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ssl_err2.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h ssl_err2.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h ssl_err2.o: ../include/openssl/pem.h ../include/openssl/pem2.h -ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h -ssl_err2.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl_err2.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -ssl_err2.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h -ssl_err2.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl_err2.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl_err2.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_err2.c +ssl_err2.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h +ssl_err2.o: ../include/openssl/sha.h ../include/openssl/srtp.h +ssl_err2.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +ssl_err2.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +ssl_err2.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +ssl_err2.o: ../include/openssl/tls1.h ../include/openssl/x509.h +ssl_err2.o: ../include/openssl/x509_vfy.h ssl_err2.c ssl_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_lib.o: ../include/openssl/buffer.h ../include/openssl/comp.h ssl_lib.o: ../include/openssl/conf.h ../include/openssl/crypto.h From rsalz at openssl.org Thu Apr 30 22:11:15 2015 
From: rsalz at openssl.org (Rich Salz) Date: Thu, 30 Apr 2015 22:11:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430431875.812936.24118.nullmailer@dev.openssl.org> The branch master has been updated via 895cba195a0c8430dcc8d1aa22b75eccaaee8f49 (commit) from b0696f8b0b6e9a837e0abe4d79a8219e287c9036 (commit) - Log ----------------------------------------------------------------- commit 895cba195a0c8430dcc8d1aa22b75eccaaee8f49 Author: Rich Salz Date: Thu Apr 30 18:10:52 2015 -0400 free cleanup 12 Don't check for NULL before calling free function. This gets: NAME_CONSTRAINTS_free GENERAL_SUBTREE_free ECDSA_METHOD_free JPAKE_CTX_free OCSP_REQ_CTX_free SCT_free SRP_VBASE_free SRP_gN_free SRP_user_pwd_free TXT_DB_free Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 9 +++------ apps/ocsp.c | 3 +-- crypto/ecdsa/ecs_lib.c | 2 ++ crypto/jpake/jpake.c | 2 ++ crypto/ocsp/ocsp_ht.c | 2 ++ crypto/srp/srp_vfy.c | 11 ++++++----- crypto/x509v3/v3_ncons.c | 6 ++---- crypto/x509v3/v3_scts.c | 10 +++++----- include/openssl/srp.h | 2 +- 9 files changed, 24 insertions(+), 23 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index aecd612..904629b 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -600,8 +600,7 @@ int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl) OPENSSL_free(port); if (bio) BIO_free_all(bio); - if (rctx) - OCSP_REQ_CTX_free(rctx); + OCSP_REQ_CTX_free(rctx); if (rv != 1) { BIO_printf(bio_err, "Error loading %s from %s\n", pcert ? "certificate" : "CRL", url); @@ -1614,8 +1613,7 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) err: if (dbattr_conf) NCONF_free(dbattr_conf); - if (tmpdb) - TXT_DB_free(tmpdb); + TXT_DB_free(tmpdb); BIO_free_all(in); return retdb; } 
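Review bot: Dropping `if (tmpdb)` before `TXT_DB_free(tmpdb)` in `load_index` relies on `TXT_DB_free` accepting NULL, yet none of the hunks shown changes `TXT_DB_free` itself, unlike `OCSP_REQ_CTX_free`, `JPAKE_CTX_free` and `SRP_VBASE_free`, which gain an explicit `return` on NULL in this commit. Please confirm that it already returns early for a NULL argument; otherwise the `err:` path here would dereference a null pointer. The same applies to the now unguarded `TXT_DB_free` calls in `free_index` and in `SRP_VBASE_init` in crypto/srp/srp_vfy.c.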
@@ -1793,8 +1791,7 @@ int rotate_index(const char *dbfile, const char *new_suffix, void free_index(CA_DB *db) { if (db) { - if (db->db) - TXT_DB_free(db->db); + TXT_DB_free(db->db); OPENSSL_free(db); } } diff --git a/apps/ocsp.c b/apps/ocsp.c index 680cc0a..20dc1ae 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1229,8 +1229,7 @@ static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path, } err: - if (ctx) - OCSP_REQ_CTX_free(ctx); + OCSP_REQ_CTX_free(ctx); return rsp; } diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index 55324f7..3d01212 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -312,6 +312,8 @@ void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name) void ECDSA_METHOD_free(ECDSA_METHOD *ecdsa_method) { + if (!ecdsa_method) + return; if (ecdsa_method->flags & ECDSA_METHOD_FLAG_ALLOCATED) OPENSSL_free(ecdsa_method); } diff --git a/crypto/jpake/jpake.c b/crypto/jpake/jpake.c index eb6654d..b097c7f 100644 --- a/crypto/jpake/jpake.c +++ b/crypto/jpake/jpake.c @@ -125,6 +125,8 @@ JPAKE_CTX *JPAKE_CTX_new(const char *name, const char *peer_name, void JPAKE_CTX_free(JPAKE_CTX *ctx) { + if (!ctx) + return; JPAKE_CTX_release(ctx); OPENSSL_free(ctx); } diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c index 4a06a8e..266b43b 100644 --- a/crypto/ocsp/ocsp_ht.c +++ b/crypto/ocsp/ocsp_ht.c @@ -136,6 +136,8 @@ OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx) { + if (!rctx) + return; BIO_free(rctx->mem); if (rctx->iobuf) OPENSSL_free(rctx->iobuf); diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index e8bdbf5..cd07f70 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c 
@@ -270,13 +270,14 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key) return vb; } -int SRP_VBASE_free(SRP_VBASE *vb) +void SRP_VBASE_free(SRP_VBASE *vb) { + if (!vb) + return; sk_SRP_user_pwd_pop_free(vb->users_pwd, SRP_user_pwd_free); sk_SRP_gN_cache_free(vb->gN_cache); OPENSSL_free(vb->seed_key); OPENSSL_free(vb); - return 0; } static SRP_gN_cache *SRP_gN_new_init(const char *ch) @@ -457,8 +458,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) SRP_user_pwd_free(user_pwd); - if (tmpdb) - TXT_DB_free(tmpdb); + TXT_DB_free(tmpdb); BIO_free_all(in); sk_SRP_gN_free(SRP_gN_tab); @@ -509,7 +509,8 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) BN_bin2bn(digv, SHA_DIGEST_LENGTH, NULL))) return user; - err:SRP_user_pwd_free(user); + err: + SRP_user_pwd_free(user); return NULL; } diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index c66e080..1e6fae8 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -149,10 +149,8 @@ static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, memerr: X509V3err(X509V3_F_V2I_NAME_CONSTRAINTS, ERR_R_MALLOC_FAILURE); err: - if (ncons) - NAME_CONSTRAINTS_free(ncons); - if (sub) - GENERAL_SUBTREE_free(sub); + NAME_CONSTRAINTS_free(ncons); + GENERAL_SUBTREE_free(sub); return NULL; } diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c index e70d5e9..ecfc68d 100644 --- a/crypto/x509v3/v3_scts.c +++ b/crypto/x509v3/v3_scts.c @@ -161,11 +161,11 @@ static void timestamp_print(BIO *out, SCT_TIMESTAMP timestamp) static void SCT_free(SCT *sct) { - if (sct) { - if (sct->sct) - OPENSSL_free(sct->sct); - OPENSSL_free(sct); - } + if (!sct) + return; + if (sct->sct) + OPENSSL_free(sct->sct); + OPENSSL_free(sct); } static void SCT_LIST_free(STACK_OF(SCT) *a) diff --git a/include/openssl/srp.h b/include/openssl/srp.h index 49cf960..de6631d 100644 --- a/include/openssl/srp.h +++ b/include/openssl/srp.h 
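Review bot: `OPENSSL_free(vb->seed_key)` in the rewritten SRP_VBASE_free releases the seed without clearing it, so its bytes remain in freed heap memory. If seed_key is secret material, as its name and the `SRP_VBASE_new(char *seed_key)` constructor suggest (not confirmed from this hunk), wipe it before the free: `if (vb->seed_key) OPENSSL_cleanse(vb->seed_key, strlen(vb->seed_key));`. The omission predates this commit, but the function is being rewritten here, so this is the natural place to fix it.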
@@ -113,7 +113,7 @@ typedef struct SRP_gN_st { DECLARE_STACK_OF(SRP_gN) SRP_VBASE *SRP_VBASE_new(char *seed_key); -int SRP_VBASE_free(SRP_VBASE *vb); +void SRP_VBASE_free(SRP_VBASE *vb); int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file); SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); char *SRP_create_verifier(const char *user, const char *pass, char **salt, From matt at openssl.org Thu Apr 30 22:29:20 2015 
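Review bot: Changing the public prototype from `int SRP_VBASE_free(SRP_VBASE *vb);` to `void` is source-incompatible for any caller that assigns or tests the return value, and the diffstat lists no CHANGES entry for it. The srp_vfy.c hunk shows the old function always returned 0, so no information is lost. The change still deserves a release-note line such as `SRP_VBASE_free() now returns void and accepts NULL.` so downstream builds that break can be traced to it.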
From: matt at openssl.org (Matt Caswell) Date: Thu, 30 Apr 2015 22:29:20 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1430432960.160308.26485.nullmailer@dev.openssl.org> The branch master has been updated via 34166d41892643a36ad2d1f53cc0025e2edc2a39 (commit) via 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da (commit) via cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5 (commit) via c427570e5098e120cbcb66e799f85c317aac7b91 (commit) via 29b0a15a480626544dd0c803d5de671552544de6 (commit) via 9d9e37744cd5119f9921315864d1cd28717173cd (commit) via b86d7dca69f5c80abd60896c8ed3039fc56210cc (commit) via c8269881093324b881b81472be037055571f73f3 (commit) via 873fb39f20b6763daba226b74e83fb194924c7bf (commit) from 895cba195a0c8430dcc8d1aa22b75eccaaee8f49 (commit) - Log ----------------------------------------------------------------- commit 34166d41892643a36ad2d1f53cc0025e2edc2a39 Author: Matt Caswell Date: Wed Apr 29 13:22:18 2015 +0100 Fix buffer overrun in RSA signing The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding. It is only triggered if the RSA key size is smaller than the digest length. So with SHA512 you can trigger the overflow with anything less than an RSA 512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA key. This wasn't sufficient to cause a crash, although your mileage may vary. In practice RSA keys of this length are never used and X931 padding is very rare. Even if someone did use an excessively short RSA key, the chances of them combining that with a longer digest and X931 padding is very small. For these reasons I do not believe there is a security implication to this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. 
Reviewed-by: Andy Polyakov commit 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da Author: Matt Caswell Date: Wed Apr 29 09:58:10 2015 +0100 Add sanity check to print_bin function Add a sanity check to the print_bin function to ensure that the |off| argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5 Author: Matt Caswell Date: Tue Apr 28 15:28:23 2015 +0100 Add sanity check to ssl_get_prev_session Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit c427570e5098e120cbcb66e799f85c317aac7b91 Author: Matt Caswell Date: Tue Apr 28 15:19:50 2015 +0100 Sanity check the return from final_finish_mac The return value is checked for 0. This is currently safe but we should really check for <= 0 since -1 is frequently used for error conditions. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit 29b0a15a480626544dd0c803d5de671552544de6 Author: Matt Caswell Date: Mon Apr 27 15:41:42 2015 +0100 Add sanity check in ssl3_cbc_digest_record For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst this is true for all SSLv3 ciphersuites, this fact is far from obvious by looking at the code. If this were not the case then an integer overflow would occur, leading to a subsequent buffer overflow. Therefore I have added an explicit sanity check to ensure header_length is always valid. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. 
Reviewed-by: Andy Polyakov commit 9d9e37744cd5119f9921315864d1cd28717173cd Author: Matt Caswell Date: Mon Apr 27 15:41:03 2015 +0100 Clarify logic in BIO_*printf functions The static function dynamically allocates an output buffer if the output grows larger than the static buffer that is normally used. The original logic implied that |currlen| could be greater than |maxlen| which is incorrect (and if so would cause a buffer overrun). Also the original logic would call OPENSSL_malloc to create a dynamic buffer equal to the size of the static buffer, and then immediately call OPENSSL_realloc to make it bigger, rather than just creating a buffer than was big enough in the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit b86d7dca69f5c80abd60896c8ed3039fc56210cc Author: Matt Caswell Date: Mon Apr 27 11:13:56 2015 +0100 Sanity check EVP_EncodeUpdate buffer len There was already a sanity check to ensure the passed buffer length is not zero. Extend this to ensure that it also not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit c8269881093324b881b81472be037055571f73f3 Author: Matt Caswell Date: Mon Apr 27 11:07:06 2015 +0100 Sanity check EVP_CTRL_AEAD_TLS_AAD The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at least 13 bytes long. Add sanity checks to ensure that the length is at least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov commit 873fb39f20b6763daba226b74e83fb194924c7bf Author: Matt Caswell Date: Mon Apr 27 11:04:56 2015 +0100 Sanity check DES_enc_write buffer length Add a sanity check to DES_enc_write to ensure the buffer length provided is not negative. 
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 5 +++-- crypto/bio/b_print.c | 45 ++++++++++++++++++-------------------- crypto/des/enc_writ.c | 3 +++ crypto/ec/eck_prn.c | 4 +++- crypto/evp/e_aes.c | 2 +- crypto/evp/e_aes_cbc_hmac_sha1.c | 9 +++++--- crypto/evp/e_aes_cbc_hmac_sha256.c | 7 ++++-- crypto/evp/e_rc4_hmac_md5.c | 7 +++++- crypto/evp/encode.c | 2 +- crypto/rsa/rsa_pmeth.c | 8 ++++++- include/openssl/evp.h | 3 +++ ssl/record/ssl3_record.c | 7 ++++-- ssl/s3_both.c | 2 +- ssl/s3_cbc.c | 14 ++++++++++-- ssl/ssl_locl.h | 1 - ssl/ssl_sess.c | 2 +- 16 files changed, 78 insertions(+), 43 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 720ab1c..08ab9c5 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -2456,7 +2456,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) print_message(alg_name, 0, mblengths[j]); Time_F(START); for (count = 0, run = 1; run && count < 0x7fffffff; count++) { - unsigned char aad[13]; + unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t len = mblengths[j]; int packlen; @@ -2491,7 +2491,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) aad[11] = len >> 8; aad[12] = len; pad = EVP_CIPHER_CTX_ctrl(&ctx, - EVP_CTRL_AEAD_TLS1_AAD, 13, aad); + EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, aad); EVP_Cipher(&ctx, out, inp, len + pad); } } diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 452e5cf..7c81e25 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c 
@@ -704,32 +704,29 @@ doapr_outch(char **sbuffer, /* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + *maxlen += 1024; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; + } + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + *buffer = OPENSSL_realloc(*buffer, *maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; } } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); } if (*currlen < *maxlen) { diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 55cc7fc..9ea7c5a 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -96,6 +96,9 @@ int DES_enc_write(int fd, const void *_buf, int len, const unsigned char *cp; static int start = 1; + if (len < 0) + return -1; + if (outbuf == NULL) { outbuf = OPENSSL_malloc(BSIZE + HDRSIZE); if (outbuf == NULL) diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index e39aa71..e1f5b69 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c 
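Review bot: In doapr_outch, `*maxlen += 1024` now runs before the allocation, so when OPENSSL_malloc or OPENSSL_realloc fails the function returns with `*maxlen` describing a buffer that was never obtained. On the malloc path `*sbuffer` still points at the fixed-size buffer, and the `if (*currlen < *maxlen)` store that follows the hunk would presumably then be allowed past its real end on the next call. On the realloc path `*buffer` is overwritten with NULL, which leaks the old block. Grow into a temporary and commit the pointer and the new size only on success, as sketched below (assuming `buffer` is `char **`; the declaration is outside the hunk). The `assert(*currlen <= *maxlen)` is also compiled out under NDEBUG, so it should not be the only guard. The identical hunk in the OpenSSL_1_0_2-stable cherry-pick needs the same change.

```c
/* … unchanged: the two asserts above … */
if (buffer && *currlen == *maxlen) {
    char *grown;

    if (*buffer == NULL) {
        grown = OPENSSL_malloc(*maxlen + 1024);
        if (!grown)
            return;             /* *maxlen still matches the static buffer */
        if (*currlen > 0) {
            assert(*sbuffer != NULL);
            memcpy(grown, *sbuffer, *currlen);
        }
        *sbuffer = NULL;
    } else {
        grown = OPENSSL_realloc(*buffer, *maxlen + 1024);
        if (!grown)
            return;             /* old *buffer and *maxlen stay valid */
    }
    *buffer = grown;
    *maxlen += 1024;
}
/* … unchanged: the bounded store of c … */
```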
@@ -345,12 +345,14 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf, if (buf == NULL) return 1; - if (off) { + if (off > 0) { if (off > 128) off = 128; memset(str, ' ', off); if (BIO_write(fp, str, off) <= 0) return 0; + } else { + off = 0; } if (BIO_printf(fp, "%s", name) <= 0) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 7b4d84f..0b7838e 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1327,7 +1327,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_TLS1_AAD: /* Save the AAD for later use */ - if (arg != 13) + if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; memcpy(c->buf, ptr, arg); gctx->tls_aad_len = arg; diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 960be3c..7f2848e 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -845,7 +845,12 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (ctx->encrypt) { key->payload_length = len; @@ -862,8 +867,6 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index bea8f6d..3b6827a 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c 
@@ -817,6 +817,11 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, unsigned char *p = ptr; unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; + if (ctx->encrypt) { key->payload_length = len; if ((key->aux.tls_ver = @@ -832,8 +837,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index 7c4bd34..1ba690d 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -257,7 +257,12 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { len -= MD5_DIGEST_LENGTH; diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 682a914..053c1d8 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -137,7 +137,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, unsigned int total = 0; *outl = 0; - if (inl == 0) + if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if ((ctx->num + inl) < ctx->length) { diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 0aaca9e..91dc668 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c 
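Review bot: In aesni_cbc_hmac_sha256_ctrl the unchanged declaration `unsigned int len = p[arg - 2] << 8 | p[arg - 1];` still executes before the new `if (arg != EVP_AEAD_TLS1_AAD_LEN) return -1;`, so the out-of-range read the check is meant to prevent happens anyway when `arg` is smaller than 2. The sha1 and rc4 hunks in this commit turn the declaration into a bare `unsigned int len;` and assign after the check; this one only adds the second assignment. Change the declaration line to `unsigned int len;` here too. The same leftover initializer appears in the e_aes_cbc_hmac_sha256.c hunk of the OpenSSL_1_0_2-stable cherry-pick.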
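Review bot: In rc4_hmac_md5_ctrl the decrypt path still does `len -= MD5_DIGEST_LENGTH` on an unsigned value taken from the two length bytes of the AAD, so a record length smaller than the digest size wraps to a very large number. The new check validates `arg` but not the length encoded inside the buffer. Add `if (len < MD5_DIGEST_LENGTH) return -1;` inside the `if (!ctx->encrypt)` block before the subtraction. The rest of the case is outside the hunk, so how the wrapped value is consumed is not visible here. The 1.0.2-stable hunk for the same file is identical.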
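Review bot: In EVP_EncodeUpdate, rejecting `inl <= 0` does not protect the next comparison, `if ((ctx->num + inl) < ctx->length)`, which can still overflow for a very large positive `inl` if both operands are plain `int`, as the cast in the OPENSSL_assert above it suggests. Subtracting instead of adding avoids the overflow: `if (ctx->length - ctx->num > inl) {`. Because the function returns void, a rejected length is reported only as `*outl = 0`, which is worth stating in the function's documentation. The body continues past the end of the hunk; the encode.c hunk in the 1.0.2-stable cherry-pick is the same.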
@@ -195,8 +195,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, return ret; ret = sltmp; } else if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 0d26fd3..4df3ce7 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -426,6 +426,9 @@ struct evp_cipher_st { # define EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT 0x1b # define EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 0x1c +/* RFC 5246 defines additional data to be 13 bytes in length */ +# define EVP_AEAD_TLS1_AAD_LEN 13 + typedef struct { unsigned char *out; const unsigned char *inp; diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index cfd8290..33d0b30 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -658,7 +658,7 @@ int tls1_enc(SSL *s, int send) bs = EVP_CIPHER_block_size(ds->cipher); if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13], *seq; + unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; seq = send ? RECORD_LAYER_get_write_sequence(&s->rlayer) : RECORD_LAYER_get_read_sequence(&s->rlayer); @@ -684,7 +684,10 @@ int tls1_enc(SSL *s, int send) buf[10] = (unsigned char)(s->version); buf[11] = rec->length >> 8; buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, buf); + if (pad <= 0) + return -1; if (send) { l += pad; rec->length += pad; diff --git a/ssl/s3_both.c b/ssl/s3_both.c index d0cb763..bf5e8c7 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c 
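Review bot: The new guard `(size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1` in the X931 branch of pkey_rsa_sign carries no comment explaining where the `+ 1` comes from, and the diffstat adds no test under test/ for the undersized-key case. The extra byte is the hash id stored by `rctx->tbuf[tbslen] = RSA_X931_hash_id(...)` a few lines below. A comment such as `/* tbs plus the trailing X9.31 hash-id byte must fit in tbuf */` would tie the two together. This assumes setup_tbuf sizes tbuf from EVP_PKEY_size(), which is not shown in the hunk. A regression test that signs with a key shorter than the digest and expects RSA_R_KEY_SIZE_TOO_SMALL would keep the check from being dropped later.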
@@ -168,7 +168,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); - if (i == 0) + if (i <= 0) return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index b20c564..ac0c5f3 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -397,12 +397,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { + unsigned overhang; + /* * The SSLv3 header is larger than a single block. overhang is * the number of bytes beyond a single block that the header - * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). + * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no + * ciphersuites in SSLv3 that are not SHA1 or MD5 based and + * therefore we can be confident that the header_length will be + * greater than |md_block_size|. However we add a sanity check just + * in case */ - unsigned overhang = header_length - md_block_size; + if (header_length <= md_block_size) { + /* Should never happen */ + return; + } + overhang = header_length - md_block_size; md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size - overhang); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 8b4c615..9ae1a07 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2073,7 +2073,6 @@ void dtls1_set_message_header(SSL *s, __owur int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); __owur int dtls1_send_change_cipher_spec(SSL *s, int a, int b); -__owur int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); __owur int dtls1_read_failed(SSL *s, int code); __owur int dtls1_buffer_message(SSL *s, int ccs); __owur int dtls1_retransmit_message(SSL *s, unsigned short seq, diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index cec5905..34b6fac 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c 
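Review bot: The new `return;` under `if (header_length <= md_block_size)` in ssl3_cbc_digest_record fails silently: the function is declared `void`, so the caller cannot tell that no digest was produced and will presumably go on to use whatever its output buffer already held. A sanity check on a MAC computation should fail closed. Make the function return `int`, use `return 0;` in this branch, and have the callers treat 0 as a fatal error. The function body and its callers lie outside this hunk, so the caller-side change cannot be shown here. The same hunk is cherry-picked to OpenSSL_1_0_2-stable.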
@@ -439,7 +439,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; if (session_id + len > limit) { From matt at openssl.org Thu Apr 30 22:29:31 2015 
From: matt at openssl.org (Matt Caswell) Date: Thu, 30 Apr 2015 22:29:31 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1430432971.272399.27222.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via f296e411efc2d3ebbf37bdc9c1111e84a5982ec6 (commit) via 5bea7975a6b8b83cce938618a9fcaaa248c10712 (commit) via 9c5efc9c65be2d29fd01c02bba081b72ba025453 (commit) via 75862f7741d52651eefc2ae71e81a0d0e9d4c5ec (commit) via 99ceb2d40c70fa8405151669578afb3be1d7c8c6 (commit) via abc7a266a38b3122977bbf9049c61b6297343004 (commit) via 33c99f2c8169807660b46d49c3e735cfa09a6e0c (commit) via 1a3701f4fe0530a40ec073cd78d02cfcc26c0f8e (commit) via 4ce06271aac5ebddf02854191611613af5ec83f8 (commit) from c5f8cd7bc661f90dc012c9d2bae1808a4281985f (commit) - Log ----------------------------------------------------------------- commit f296e411efc2d3ebbf37bdc9c1111e84a5982ec6 Author: Matt Caswell Date: Wed Apr 29 13:22:18 2015 +0100 Fix buffer overrun in RSA signing The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding. It is only triggered if the RSA key size is smaller than the digest length. So with SHA512 you can trigger the overflow with anything less than an RSA 512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA key. This wasn't sufficient to cause a crash, although your mileage may vary. In practice RSA keys of this length are never used and X931 padding is very rare. Even if someone did use an excessively short RSA key, the chances of them combining that with a longer digest and X931 padding is very small. For these reasons I do not believe there is a security implication to this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. 
Reviewed-by: Andy Polyakov (cherry picked from commit 34166d41892643a36ad2d1f53cc0025e2edc2a39) commit 5bea7975a6b8b83cce938618a9fcaaa248c10712 Author: Matt Caswell Date: Wed Apr 29 09:58:10 2015 +0100 Add sanity check to print_bin function Add a sanity check to the print_bin function to ensure that the |off| argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da) commit 9c5efc9c65be2d29fd01c02bba081b72ba025453 Author: Matt Caswell Date: Tue Apr 28 15:28:23 2015 +0100 Add sanity check to ssl_get_prev_session Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5) commit 75862f7741d52651eefc2ae71e81a0d0e9d4c5ec Author: Matt Caswell Date: Tue Apr 28 15:19:50 2015 +0100 Sanity check the return from final_finish_mac The return value is checked for 0. This is currently safe but we should really check for <= 0 since -1 is frequently used for error conditions. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit c427570e5098e120cbcb66e799f85c317aac7b91) Conflicts: ssl/ssl_locl.h commit 99ceb2d40c70fa8405151669578afb3be1d7c8c6 Author: Matt Caswell Date: Mon Apr 27 15:41:42 2015 +0100 Add sanity check in ssl3_cbc_digest_record For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst this is true for all SSLv3 ciphersuites, this fact is far from obvious by looking at the code. If this were not the case then an integer overflow would occur, leading to a subsequent buffer overflow. Therefore I have added an explicit sanity check to ensure header_length is always valid. 
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 29b0a15a480626544dd0c803d5de671552544de6) commit abc7a266a38b3122977bbf9049c61b6297343004 Author: Matt Caswell Date: Mon Apr 27 15:41:03 2015 +0100 Clarify logic in BIO_*printf functions The static function dynamically allocates an output buffer if the output grows larger than the static buffer that is normally used. The original logic implied that |currlen| could be greater than |maxlen| which is incorrect (and if so would cause a buffer overrun). Also the original logic would call OPENSSL_malloc to create a dynamic buffer equal to the size of the static buffer, and then immediately call OPENSSL_realloc to make it bigger, rather than just creating a buffer than was big enough in the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 9d9e37744cd5119f9921315864d1cd28717173cd) commit 33c99f2c8169807660b46d49c3e735cfa09a6e0c Author: Matt Caswell Date: Mon Apr 27 11:13:56 2015 +0100 Sanity check EVP_EncodeUpdate buffer len There was already a sanity check to ensure the passed buffer length is not zero. Extend this to ensure that it also not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit b86d7dca69f5c80abd60896c8ed3039fc56210cc) commit 1a3701f4fe0530a40ec073cd78d02cfcc26c0f8e Author: Matt Caswell Date: Mon Apr 27 11:07:06 2015 +0100 Sanity check EVP_CTRL_AEAD_TLS_AAD The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at least 13 bytes long. Add sanity checks to ensure that the length is at least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to represent this length. 
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit c8269881093324b881b81472be037055571f73f3) Conflicts: ssl/record/ssl3_record.c commit 4ce06271aac5ebddf02854191611613af5ec83f8 Author: Matt Caswell Date: Mon Apr 27 11:04:56 2015 +0100 Sanity check DES_enc_write buffer length Add a sanity check to DES_enc_write to ensure the buffer length provided is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 873fb39f20b6763daba226b74e83fb194924c7bf) ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 5 +++-- crypto/bio/b_print.c | 45 ++++++++++++++++++-------------------- crypto/des/enc_writ.c | 3 +++ crypto/ec/eck_prn.c | 4 +++- crypto/evp/e_aes.c | 2 +- crypto/evp/e_aes_cbc_hmac_sha1.c | 9 +++++--- crypto/evp/e_aes_cbc_hmac_sha256.c | 7 ++++-- crypto/evp/e_rc4_hmac_md5.c | 7 +++++- crypto/evp/encode.c | 2 +- crypto/evp/evp.h | 3 +++ crypto/rsa/rsa_pmeth.c | 8 ++++++- ssl/s3_both.c | 2 +- ssl/s3_cbc.c | 14 ++++++++++-- ssl/ssl_locl.h | 1 - ssl/ssl_sess.c | 2 +- ssl/t1_enc.c | 7 ++++-- 16 files changed, 78 insertions(+), 43 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index 8c350ee..3697b71 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -2791,7 +2791,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) print_message(alg_name, 0, mblengths[j]); Time_F(START); for (count = 0, run = 1; run && count < 0x7fffffff; count++) { - unsigned char aad[13]; + unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; size_t len = mblengths[j]; int packlen; 
@@ -2826,7 +2826,8 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher) aad[11] = len >> 8; aad[12] = len; pad = EVP_CIPHER_CTX_ctrl(&ctx, - EVP_CTRL_AEAD_TLS1_AAD, 13, aad); + EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, aad); EVP_Cipher(&ctx, out, inp, len + pad); } } diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 452e5cf..7c81e25 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -704,32 +704,29 @@ doapr_outch(char **sbuffer, /* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + *maxlen += 1024; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; + } + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + *buffer = OPENSSL_realloc(*buffer, *maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; } } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); } if (*currlen < *maxlen) { diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 25041f2..bfaabde 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c 
@@ -96,6 +96,9 @@ int DES_enc_write(int fd, const void *_buf, int len, const unsigned char *cp; static int start = 1; + if (len < 0) + return -1; + if (outbuf == NULL) { outbuf = OPENSSL_malloc(BSIZE + HDRSIZE); if (outbuf == NULL) diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index 515b262..df9b37a 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c @@ -346,12 +346,14 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf, if (buf == NULL) return 1; - if (off) { + if (off > 0) { if (off > 128) off = 128; memset(str, ' ', off); if (BIO_write(fp, str, off) <= 0) return 0; + } else { + off = 0; } if (BIO_printf(fp, "%s", name) <= 0) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 8161b26..af4aa18 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1227,7 +1227,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_TLS1_AAD: /* Save the AAD for later use */ - if (arg != 13) + if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; memcpy(c->buf, ptr, arg); gctx->tls_aad_len = arg; diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index e0127a9..a277d0f 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -845,7 +845,12 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (ctx->encrypt) { key->payload_length = len; @@ -862,8 +867,6 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c index 30398c7..b74bd80 100644 
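Review bot: aes_gcm_ctrl keeps `return 0;` for a wrong AAD length, while the other EVP_CTRL_AEAD_TLS1_AAD handlers touched in this commit (aesni_cbc_hmac_sha1_ctrl in the next file section, and the SHA-256 and RC4-HMAC-MD5 ones) now return -1 for the same condition. A caller that tests only `< 0` or only `== 0` would miss one of the two. Either align the value, or add a comment next to EVP_AEAD_TLS1_AAD_LEN saying that any result `<= 0` means failure, which is the test tls1_enc uses later in this commit. The speed.c call site changed in this commit still passes `len + pad` to EVP_Cipher without checking `pad`. The same hunks recur in the OpenSSL_1_0_1-stable mail below.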
--- a/crypto/evp/e_aes_cbc_hmac_sha256.c +++ b/crypto/evp/e_aes_cbc_hmac_sha256.c @@ -813,6 +813,11 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, unsigned char *p = ptr; unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; + if (ctx->encrypt) { key->payload_length = len; if ((key->aux.tls_ver = @@ -828,8 +833,6 @@ static int aesni_cbc_hmac_sha256_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index 80735d3..e6b0cdf 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -258,7 +258,12 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { len -= MD5_DIGEST_LENGTH; diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 53cc586..c361d1f 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -137,7 +137,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, unsigned int total = 0; *outl = 0; - if (inl == 0) + if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if ((ctx->num + inl) < ctx->length) { diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 47abbac..4891133 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h 
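Review bot: In aesni_cbc_hmac_sha256_ctrl the declaration `unsigned int len = p[arg - 2] << 8 | p[arg - 1];` is left in place as a context line, so `p` is still indexed with the unvalidated `arg` before the new `if (arg != EVP_AEAD_TLS1_AAD_LEN)` test runs. The assignment added after the check only repeats a read that has already happened. The declaration should lose its initializer, `unsigned int len;`, as the SHA-1 and RC4-HMAC-MD5 versions in this commit do. The case body continues outside the hunk.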
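Review bot: In rc4_hmac_md5_ctrl the decrypt path does `len -= MD5_DIGEST_LENGTH;` on an unsigned value taken from the last two AAD bytes, and the hunk shows no lower bound on it. A record length below the digest size would wrap to a very large `len`. What the code after the hunk does with that value is not visible here, but a guard before the subtraction, `if (len < MD5_DIGEST_LENGTH) return -1;`, would keep it in range. The same hunk is repeated in the OpenSSL_1_0_1-stable mail below.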
@@ -424,6 +424,9 @@ struct evp_cipher_st { # define EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT 0x1b # define EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE 0x1c +/* RFC 5246 defines additional data to be 13 bytes in length */ +# define EVP_AEAD_TLS1_AAD_LEN 13 + typedef struct { unsigned char *out; const unsigned char *inp; diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index ddda0dd..2036355 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -254,8 +254,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, return ret; ret = sltmp; } else if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, diff --git a/ssl/s3_both.c b/ssl/s3_both.c index c92fd72..019e21c 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -168,7 +168,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); - if (i == 0) + if (i <= 0) return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index f31dc04..c43402d 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c 
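Review bot: The new size test in pkey_rsa_sign is written as `(size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1`, where `tbslen + 1` wraps to 0 if `tbslen` is ever SIZE_MAX, and the check would then pass ahead of `memcpy(rctx->tbuf, tbs, tbslen)`. Whether EVP_PKEY_size can return zero or a negative value here is not visible in the hunk; if it can, the cast turns that into a very large bound as well. Both cases are remote, but `if (tbslen >= (size_t)EVP_PKEY_size(ctx->pkey))` states the same limit without the addition. The size of `rctx->tbuf` is set by setup_tbuf outside the hunk, so a short comment tying the check to that allocation would help. The same hunk recurs in the OpenSSL_1_0_1-stable mail below.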
@@ -639,12 +639,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { + unsigned overhang; + /* * The SSLv3 header is larger than a single block. overhang is * the number of bytes beyond a single block that the header - * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). + * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no + * ciphersuites in SSLv3 that are not SHA1 or MD5 based and + * therefore we can be confident that the header_length will be + * greater than |md_block_size|. However we add a sanity check just + * in case */ - unsigned overhang = header_length - md_block_size; + if (header_length <= md_block_size) { + /* Should never happen */ + return; + } + overhang = header_length - md_block_size; md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size - overhang); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 79b85b9..fb65fed 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1230,7 +1230,6 @@ int dtls1_write_app_data_bytes(SSL *s, int type, const void *buf, int len); int dtls1_write_bytes(SSL *s, int type, const void *buf, int len); int dtls1_send_change_cipher_spec(SSL *s, int a, int b); -int dtls1_send_finished(SSL *s, int a, int b, const char *sender, int slen); int dtls1_read_failed(SSL *s, int code); int dtls1_buffer_message(SSL *s, int ccs); int dtls1_retransmit_message(SSL *s, unsigned short seq, diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index dce9088..8b9945b 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -449,7 +449,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; if (session_id + len > limit) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 0563191..e2a8f86 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c 
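Review bot: The new sanity check in ssl3_cbc_digest_record leaves with a bare `return;`, and the function is declared `void` in the hunk header, so a caller cannot tell that no digest was produced. If this branch were ever taken, the caller would presumably go on to compare a MAC output that was never written; the output handling is outside the hunk, so this is inferred. Consider returning an int status so the record layer can fail closed. At the least the comment should say what state the outputs are left in, for example `/* Should never happen; md_out is left unwritten */`. The same hunk recurs in the OpenSSL_1_0_1-stable mail below.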
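Review bot: In ssl_get_prev_session the bounds test that follows the new check, `if (session_id + len > limit)`, still forms the pointer `session_id + len` before comparing it, which is undefined when the sum lies more than one past the end of the buffer. With `len` now limited to 0..SSL_MAX_SSL_SESSION_ID_LENGTH the excursion is small, but comparing lengths instead, `if (limit - session_id < len)`, does not depend on how the compiler treats out-of-range pointers. That form assumes `limit >= session_id`, which is not visible in the hunk. The same hunk recurs in the OpenSSL_1_0_1-stable mail below.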
@@ -803,7 +803,7 @@ int tls1_enc(SSL *s, int send) bs = EVP_CIPHER_block_size(ds->cipher); if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13], *seq; + unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; seq = send ? s->s3->write_sequence : s->s3->read_sequence; @@ -827,7 +827,10 @@ int tls1_enc(SSL *s, int send) buf[10] = (unsigned char)(s->version); buf[11] = rec->length >> 8; buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, buf); + if (pad <= 0) + return -1; if (send) { l += pad; rec->length += pad; From matt at openssl.org Thu Apr 30 22:29:40 2015 
From: matt at openssl.org (Matt Caswell) Date: Thu, 30 Apr 2015 22:29:40 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1430432980.792510.27499.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 017f695f2ca06ba45f6d9dd7be508934fb2a37e3 (commit) via ee900ed1f7865d12682f5dd640d7554655cb4255 (commit) via 39b36cb438f7fba7dd3cce1d51d5c6c149f3e48d (commit) via 26800340dba2bf056d508007ee4d30e41d4e8f5f (commit) via 592ac25342a7863f38a3b316b183e90596f528b1 (commit) via d889682208e4e75bca78f862b8e509a5b61b01f6 (commit) via 951ede2a06eba9a71c5d40b25f924e97f443c437 (commit) via 974d4d675cc6f3e1aa50b294ae12a5ba2acebd62 (commit) via 3be5df227259628cea91faffbea5054b872f793a (commit) from 80a06268ae329a1d7e01292029f9ae3af172b4b8 (commit) - Log ----------------------------------------------------------------- commit 017f695f2ca06ba45f6d9dd7be508934fb2a37e3 Author: Matt Caswell Date: Wed Apr 29 13:22:18 2015 +0100 Fix buffer overrun in RSA signing The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding. It is only triggered if the RSA key size is smaller than the digest length. So with SHA512 you can trigger the overflow with anything less than an RSA 512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA key. This wasn't sufficient to cause a crash, although your mileage may vary. In practice RSA keys of this length are never used and X931 padding is very rare. Even if someone did use an excessively short RSA key, the chances of them combining that with a longer digest and X931 padding is very small. For these reasons I do not believe there is a security implication to this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. 
Reviewed-by: Andy Polyakov (cherry picked from commit 34166d41892643a36ad2d1f53cc0025e2edc2a39) commit ee900ed1f7865d12682f5dd640d7554655cb4255 Author: Matt Caswell Date: Wed Apr 29 09:58:10 2015 +0100 Add sanity check to print_bin function Add a sanity check to the print_bin function to ensure that the |off| argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da) commit 39b36cb438f7fba7dd3cce1d51d5c6c149f3e48d Author: Matt Caswell Date: Tue Apr 28 15:28:23 2015 +0100 Add sanity check to ssl_get_prev_session Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5) commit 26800340dba2bf056d508007ee4d30e41d4e8f5f Author: Matt Caswell Date: Tue Apr 28 15:19:50 2015 +0100 Sanity check the return from final_finish_mac The return value is checked for 0. This is currently safe but we should really check for <= 0 since -1 is frequently used for error conditions. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit c427570e5098e120cbcb66e799f85c317aac7b91) Conflicts: ssl/ssl_locl.h Conflicts: ssl/ssl_locl.h commit 592ac25342a7863f38a3b316b183e90596f528b1 Author: Matt Caswell Date: Mon Apr 27 15:41:42 2015 +0100 Add sanity check in ssl3_cbc_digest_record For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst this is true for all SSLv3 ciphersuites, this fact is far from obvious by looking at the code. If this were not the case then an integer overflow would occur, leading to a subsequent buffer overflow. 
Therefore I have added an explicit sanity check to ensure header_length is always valid. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 29b0a15a480626544dd0c803d5de671552544de6) commit d889682208e4e75bca78f862b8e509a5b61b01f6 Author: Matt Caswell Date: Mon Apr 27 15:41:03 2015 +0100 Clarify logic in BIO_*printf functions The static function dynamically allocates an output buffer if the output grows larger than the static buffer that is normally used. The original logic implied that |currlen| could be greater than |maxlen| which is incorrect (and if so would cause a buffer overrun). Also the original logic would call OPENSSL_malloc to create a dynamic buffer equal to the size of the static buffer, and then immediately call OPENSSL_realloc to make it bigger, rather than just creating a buffer that was big enough in the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 9d9e37744cd5119f9921315864d1cd28717173cd) commit 951ede2a06eba9a71c5d40b25f924e97f443c437 Author: Matt Caswell Date: Mon Apr 27 11:13:56 2015 +0100 Sanity check EVP_EncodeUpdate buffer len There was already a sanity check to ensure the passed buffer length is not zero. Extend this to ensure that it is also not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit b86d7dca69f5c80abd60896c8ed3039fc56210cc) commit 974d4d675cc6f3e1aa50b294ae12a5ba2acebd62 Author: Matt Caswell Date: Mon Apr 27 11:07:06 2015 +0100 Sanity check EVP_CTRL_AEAD_TLS_AAD The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer at least 13 bytes long. Add sanity checks to ensure that the length is at least that. 
Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit c8269881093324b881b81472be037055571f73f3) Conflicts: ssl/record/ssl3_record.c Conflicts: apps/speed.c crypto/evp/e_aes_cbc_hmac_sha256.c crypto/evp/evp.h commit 3be5df227259628cea91faffbea5054b872f793a Author: Matt Caswell Date: Mon Apr 27 11:04:56 2015 +0100 Sanity check DES_enc_write buffer length Add a sanity check to DES_enc_write to ensure the buffer length provided is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for reporting this issue. Reviewed-by: Andy Polyakov (cherry picked from commit 873fb39f20b6763daba226b74e83fb194924c7bf) ----------------------------------------------------------------------- Summary of changes: crypto/bio/b_print.c | 45 +++++++++++++++++++--------------------- crypto/des/enc_writ.c | 3 +++ crypto/ec/eck_prn.c | 4 +++- crypto/evp/e_aes.c | 2 +- crypto/evp/e_aes_cbc_hmac_sha1.c | 9 +++++--- crypto/evp/e_rc4_hmac_md5.c | 7 ++++++- crypto/evp/encode.c | 2 +- crypto/evp/evp.h | 3 +++ crypto/rsa/rsa_pmeth.c | 8 ++++++- ssl/s3_both.c | 2 +- ssl/s3_cbc.c | 14 +++++++++++-- ssl/ssl_sess.c | 2 +- ssl/t1_enc.c | 7 +++++-- 13 files changed, 70 insertions(+), 38 deletions(-) diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 452e5cf..7c81e25 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c 
@@ -704,32 +704,29 @@ doapr_outch(char **sbuffer, /* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - if (!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + *maxlen += 1024; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; + } + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + *buffer = OPENSSL_realloc(*buffer, *maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; } } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); } if (*currlen < *maxlen) { diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 25041f2..bfaabde 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -96,6 +96,9 @@ int DES_enc_write(int fd, const void *_buf, int len, const unsigned char *cp; static int start = 1; + if (len < 0) + return -1; + if (outbuf == NULL) { outbuf = OPENSSL_malloc(BSIZE + HDRSIZE); if (outbuf == NULL) diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index a911a0a..5ef12ec 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c 
@@ -338,12 +338,14 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf, if (buf == NULL) return 1; - if (off) { + if (off > 0) { if (off > 128) off = 128; memset(str, ' ', off); if (BIO_write(fp, str, off) <= 0) return 0; + } else { + off = 0; } if (BIO_printf(fp, "%s", name) <= 0) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 245c18a..bde4804 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -753,7 +753,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_TLS1_AAD: /* Save the AAD for later use */ - if (arg != 13) + if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; memcpy(c->buf, ptr, arg); gctx->tls_aad_len = arg; diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 3f8a5ae..d1f5928 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -503,7 +503,12 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (ctx->encrypt) { key->payload_length = len; @@ -520,8 +525,6 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index 80735d3..e6b0cdf 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c 
@@ -258,7 +258,12 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { len -= MD5_DIGEST_LENGTH; diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index d1d8a07..5c5988f 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -137,7 +137,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, unsigned int total = 0; *outl = 0; - if (inl == 0) + if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if ((ctx->num + inl) < ctx->length) { diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index b00997b..01bdeeb 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -409,6 +409,9 @@ struct evp_cipher_st { /* Set the GCM invocation field, decrypt only */ # define EVP_CTRL_GCM_SET_IV_INV 0x18 +/* RFC 5246 defines additional data to be 13 bytes in length */ +# define EVP_AEAD_TLS1_AAD_LEN 13 + /* GCM TLS constants */ /* Length of fixed part of IV derived from PRF */ # define EVP_GCM_TLS_FIXED_IV_LEN 4 diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index d61d6e8..6a7c67c 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -228,8 +228,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, return ret; ret = sltmp; } else if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, 
diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 77374f4..107b460 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -169,7 +169,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); - if (i == 0) + if (i <= 0) return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 598d27e..00b534f 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -639,12 +639,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { + unsigned overhang; + /* * The SSLv3 header is larger than a single block. overhang is * the number of bytes beyond a single block that the header - * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). + * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no + * ciphersuites in SSLv3 that are not SHA1 or MD5 based and + * therefore we can be confident that the header_length will be + * greater than |md_block_size|. However we add a sanity check just + * in case */ - unsigned overhang = header_length - md_block_size; + if (header_length <= md_block_size) { + /* Should never happen */ + return; + } + overhang = header_length - md_block_size; md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size - overhang); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 4c7f5d8..eb7936b 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -478,7 +478,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; if (session_id + len > limit) { diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 2736238..8f45294 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c 
@@ -785,7 +785,7 @@ int tls1_enc(SSL *s, int send) bs = EVP_CIPHER_block_size(ds->cipher); if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13], *seq; + unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; seq = send ? s->s3->write_sequence : s->s3->read_sequence; @@ -809,7 +809,10 @@ int tls1_enc(SSL *s, int send) buf[10] = (unsigned char)(s->version); buf[11] = rec->length >> 8; buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, buf); + if (pad <= 0) + return -1; if (send) { l += pad; rec->length += pad;