From rsalz at openssl.org Tue Sep 1 15:56:32 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 01 Sep 2015 15:56:32 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441122992.765102.31397.nullmailer@dev.openssl.org> The branch master has been updated via 8db78781069697cfa30a2261413f33f5055a2838 (commit) from d7c02691a5e6f2716759eacb6f48c39f15ee57c8 (commit) - Log ----------------------------------------------------------------- commit 8db78781069697cfa30a2261413f33f5055a2838 Author: Rich Salz Date: Thu Aug 27 00:10:55 2015 -0400 RT3767: openssl_button.gif should be PNG No, we should just delete it. And updated the README Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: doc/README | 25 +++++++++++++++++++------ doc/openssl_button.gif | Bin 2063 -> 0 bytes doc/openssl_button.html | 7 ------- 3 files changed, 19 insertions(+), 13 deletions(-) delete mode 100644 doc/openssl_button.gif delete mode 100644 doc/openssl_button.html diff --git a/doc/README b/doc/README index a5e1787..cc76040 100644 --- a/doc/README +++ b/doc/README @@ -1,8 +1,21 @@ - apps/openssl.pod .... Documentation of OpenSSL `openssl' command - crypto/crypto.pod ... Documentation of OpenSSL crypto.h (libcrypto) - ssl/ssl.pod ......... Documentation of OpenSSL ssl.h (libssl) - standards.txt ....... Pointers to standards, RFCs or internet drafts - that are related to OpenSSL. Incomplete. +README This file - HTML versions are on https://www.openssl.org/docs +fingerprints.txt + PGP fingerprints of authoried release signers + +standards.txt + Pointers to standards, RFC's and IETF Drafts that are + related to OpenSSL. Incomplete. + +HOWTO/ + A few how-to documents; not necessarily up-to-date +apps/ + The openssl command-line tools; start with openssl.pod +ssl/ + The SSL library; start with ssl.pod +crypto/ + The cryptographic library; start with crypto.pod + +Formatted versions of the manpages (apps,ssl,crypto) can be found at + https://www.openssl.org/docs/manpages.html diff --git a/doc/openssl_button.gif b/doc/openssl_button.gif deleted file mode 100644 index 3d3c90c..0000000 Binary files a/doc/openssl_button.gif and /dev/null differ diff --git a/doc/openssl_button.html b/doc/openssl_button.html deleted file mode 100644 index 44c91bd..0000000 --- a/doc/openssl_button.html +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - From emilia at openssl.org Tue Sep 1 18:02:34 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:02:34 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441130554.134886.30133.nullmailer@dev.openssl.org> The branch master has been updated via 08a721ac613d69217b474a61882971ae9d4586d1 (commit) via 394f7b6fcc38132b8ccff0a3253b9dd15640cfc0 (commit) via 25d6b3401ca40c9a2cbe5080449c1c2a37037777 (commit) from 8db78781069697cfa30a2261413f33f5055a2838 (commit) - Log ----------------------------------------------------------------- commit 08a721ac613d69217b474a61882971ae9d4586d1 Author: Emilia Kasper Date: Tue Sep 1 16:11:47 2015 +0200 apps/speed.c: fix memory leak Reviewed-by: Richard Levitte commit 394f7b6fcc38132b8ccff0a3253b9dd15640cfc0 Author: Emilia Kasper Date: Tue Sep 1 14:56:58 2015 +0200 RT4002: check for NULL cipher in p12_crpt.c The NULL cipher case can't actually happen because we have no EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is PKCS12_PBE_keyivgen. But make the code more obviously correct. Reviewed-by: Matt Caswell commit 25d6b3401ca40c9a2cbe5080449c1c2a37037777 Author: Emilia Kasper Date: Tue Sep 1 13:19:15 2015 +0200 RT 3493: fix RSA test - Pass in the right ciphertext length to ensure we're indeed testing ciphertext corruption (and not truncation). - Only test one mutation per byte to not make the test too slow. - Add a separate test for truncated ciphertexts. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/speed.c | 6 ++---- crypto/pkcs12/p12_crpt.c | 3 +++ test/rsa_test.c | 32 ++++++++++++++++++++------------ 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index b4722f1..297ea52 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -575,7 +575,6 @@ int speed_main(int argc, char **argv) long c[ALGOR_NUM][SIZE_NUM], count = 0, save_count = 0; unsigned char *buf_malloc = NULL, *buf2_malloc = NULL; unsigned char *buf = NULL, *buf2 = NULL; - unsigned char *save_buf = NULL, *save_buf2 = NULL; unsigned char md[EVP_MAX_MD_SIZE]; #ifndef NO_FORK int multi = 0; @@ -2183,8 +2182,8 @@ int speed_main(int argc, char **argv) end: ERR_print_errors(bio_err); - OPENSSL_free(save_buf); - OPENSSL_free(save_buf2); + OPENSSL_free(buf_malloc); + OPENSSL_free(buf2_malloc); #ifndef OPENSSL_NO_RSA for (i = 0; i < RSA_NUM; i++) RSA_free(rsa_key[i]); @@ -2201,7 +2200,6 @@ int speed_main(int argc, char **argv) EC_KEY_free(ecdh_b[i]); } #endif - return (ret); } diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index 08be40c..e7d5ac9 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -76,6 +76,9 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, unsigned char *salt; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + if (cipher == NULL) + return 0; + /* Extract useful info from parameter */ pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param); diff --git a/test/rsa_test.c b/test/rsa_test.c index e971295..85c7440 100644 --- a/test/rsa_test.c +++ b/test/rsa_test.c @@ -297,22 +297,30 @@ int main(int argc, char *argv[]) } else printf("OAEP encryption/decryption ok\n"); - /* Try decrypting corrupted ciphertexts */ + /* Try decrypting corrupted ciphertexts. */ for (n = 0; n < clen; ++n) { - int b; - unsigned char saved = ctext[n]; - for (b = 0; b < 256; ++b) { - if (b == saved) - continue; - ctext[n] = b; - num = RSA_private_decrypt(num, ctext, ptext, key, + ctext[n] ^= 1; + num = RSA_private_decrypt(clen, ctext, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (num > 0) { - printf("Corrupt data decrypted!\n"); - err = 1; - } + if (num > 0) { + printf("Corrupt data decrypted!\n"); + err = 1; + break; } + ctext[n] ^= 1; } + + /* Test truncated ciphertexts, as well as negative length. */ + for (n = -1; n < clen; ++n) { + num = RSA_private_decrypt(n, ctext, ptext, key, + RSA_PKCS1_OAEP_PADDING); + if (num > 0) { + printf("Truncated data decrypted!\n"); + err = 1; + break; + } + } + next: RSA_free(key); } From emilia at openssl.org Tue Sep 1 18:08:44 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:08:44 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441130924.229132.911.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via bae16c98c1aed3c67c3328541c8cce015bb4c344 (commit) via 9d4798a9e0e1d2a366adabafcf0f007f42cd5fa7 (commit) from 246a010b781444d8c216851d2ae34a42ade91f38 (commit) - Log ----------------------------------------------------------------- commit bae16c98c1aed3c67c3328541c8cce015bb4c344 Author: Emilia Kasper Date: Tue Sep 1 14:56:58 2015 +0200 RT4002: check for NULL cipher in p12_crpt.c The NULL cipher case can't actually happen because we have no EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is PKCS12_PBE_keyivgen. But make the code more obviously correct. Reviewed-by: Matt Caswell (cherry picked from commit 394f7b6fcc38132b8ccff0a3253b9dd15640cfc0) commit 9d4798a9e0e1d2a366adabafcf0f007f42cd5fa7 Author: Emilia Kasper Date: Tue Sep 1 13:19:15 2015 +0200 RT 3493: fix RSA test - Pass in the right ciphertext length to ensure we're indeed testing ciphertext corruption (and not truncation). - Only test one mutation per byte to not make the test too slow. - Add a separate test for truncated ciphertexts. Reviewed-by: Richard Levitte (cherry picked from commit 25d6b3401ca40c9a2cbe5080449c1c2a37037777) ----------------------------------------------------------------------- Summary of changes: crypto/pkcs12/p12_crpt.c | 3 +++ crypto/rsa/rsa_test.c | 32 ++++++++++++++++++++------------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index 3a166e6..9c2dcab 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -77,6 +77,9 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, const unsigned char *pbuf; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + if (cipher == NULL) + return 0; + /* Extract useful info from parameter */ if (param == NULL || param->type != V_ASN1_SEQUENCE || param->value.sequence == NULL) { diff --git a/crypto/rsa/rsa_test.c b/crypto/rsa/rsa_test.c index e971295..85c7440 100644 --- a/crypto/rsa/rsa_test.c +++ b/crypto/rsa/rsa_test.c @@ -297,22 +297,30 @@ int main(int argc, char *argv[]) } else printf("OAEP encryption/decryption ok\n"); - /* Try decrypting corrupted ciphertexts */ + /* Try decrypting corrupted ciphertexts. */ for (n = 0; n < clen; ++n) { - int b; - unsigned char saved = ctext[n]; - for (b = 0; b < 256; ++b) { - if (b == saved) - continue; - ctext[n] = b; - num = RSA_private_decrypt(num, ctext, ptext, key, + ctext[n] ^= 1; + num = RSA_private_decrypt(clen, ctext, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (num > 0) { - printf("Corrupt data decrypted!\n"); - err = 1; - } + if (num > 0) { + printf("Corrupt data decrypted!\n"); + err = 1; + break; } + ctext[n] ^= 1; } + + /* Test truncated ciphertexts, as well as negative length. */ + for (n = -1; n < clen; ++n) { + num = RSA_private_decrypt(n, ctext, ptext, key, + RSA_PKCS1_OAEP_PADDING); + if (num > 0) { + printf("Truncated data decrypted!\n"); + err = 1; + break; + } + } + next: RSA_free(key); } From emilia at openssl.org Tue Sep 1 18:08:44 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:08:44 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441130924.308253.934.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 59793f5c1e0138928d9e5fc24c743d8e38d450e1 (commit) via 5f623eb61655688501cb1817a7ad0592299d894a (commit) from 542591740667b17642ad300c357b5d8045c8ccda (commit) - Log ----------------------------------------------------------------- commit 59793f5c1e0138928d9e5fc24c743d8e38d450e1 Author: Emilia Kasper Date: Tue Sep 1 14:56:58 2015 +0200 RT4002: check for NULL cipher in p12_crpt.c The NULL cipher case can't actually happen because we have no EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is PKCS12_PBE_keyivgen. But make the code more obviously correct. Reviewed-by: Matt Caswell (cherry picked from commit 394f7b6fcc38132b8ccff0a3253b9dd15640cfc0) commit 5f623eb61655688501cb1817a7ad0592299d894a Author: Emilia Kasper Date: Tue Sep 1 13:19:15 2015 +0200 RT 3493: fix RSA test - Pass in the right ciphertext length to ensure we're indeed testing ciphertext corruption (and not truncation). - Only test one mutation per byte to not make the test too slow. - Add a separate test for truncated ciphertexts. Reviewed-by: Richard Levitte (cherry picked from commit 25d6b3401ca40c9a2cbe5080449c1c2a37037777) ----------------------------------------------------------------------- Summary of changes: crypto/pkcs12/p12_crpt.c | 3 +++ crypto/rsa/rsa_test.c | 32 ++++++++++++++++++++------------ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index 3a166e6..9c2dcab 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -77,6 +77,9 @@ int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, const unsigned char *pbuf; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + if (cipher == NULL) + return 0; + /* Extract useful info from parameter */ if (param == NULL || param->type != V_ASN1_SEQUENCE || param->value.sequence == NULL) { diff --git a/crypto/rsa/rsa_test.c b/crypto/rsa/rsa_test.c index e971295..85c7440 100644 --- a/crypto/rsa/rsa_test.c +++ b/crypto/rsa/rsa_test.c @@ -297,22 +297,30 @@ int main(int argc, char *argv[]) } else printf("OAEP encryption/decryption ok\n"); - /* Try decrypting corrupted ciphertexts */ + /* Try decrypting corrupted ciphertexts. */ for (n = 0; n < clen; ++n) { - int b; - unsigned char saved = ctext[n]; - for (b = 0; b < 256; ++b) { - if (b == saved) - continue; - ctext[n] = b; - num = RSA_private_decrypt(num, ctext, ptext, key, + ctext[n] ^= 1; + num = RSA_private_decrypt(clen, ctext, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (num > 0) { - printf("Corrupt data decrypted!\n"); - err = 1; - } + if (num > 0) { + printf("Corrupt data decrypted!\n"); + err = 1; + break; } + ctext[n] ^= 1; } + + /* Test truncated ciphertexts, as well as negative length. */ + for (n = -1; n < clen; ++n) { + num = RSA_private_decrypt(n, ctext, ptext, key, + RSA_PKCS1_OAEP_PADDING); + if (num > 0) { + printf("Truncated data decrypted!\n"); + err = 1; + break; + } + } + next: RSA_free(key); } From emilia at openssl.org Tue Sep 1 18:13:42 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:13:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441131222.716944.2890.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 5999b897ff6e64a79c97598569361ca15734e6e1 (commit) from bae16c98c1aed3c67c3328541c8cce015bb4c344 (commit) - Log ----------------------------------------------------------------- commit 5999b897ff6e64a79c97598569361ca15734e6e1 Author: Emilia Kasper Date: Tue Sep 1 17:19:52 2015 +0200 OpenSSL 1.0.1n: add missing CHANGES entry Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 6e19f3d..3ac66ae 100644 --- a/CHANGES +++ b/CHANGES @@ -103,6 +103,9 @@ *) Reject DH handshakes with parameters shorter than 768 bits. [Kurt Roeckx and Emilia Kasper] + *) dhparam: generate 2048-bit parameters by default. + [Kurt Roeckx and Emilia Kasper] + Changes between 1.0.1l and 1.0.1m [19 Mar 2015] *) Segmentation fault in ASN1_TYPE_cmp fix From emilia at openssl.org Tue Sep 1 18:13:42 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:13:42 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441131222.831167.2913.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via cc42e4af2cb88279555753a4f167347492ddc523 (commit) from 59793f5c1e0138928d9e5fc24c743d8e38d450e1 (commit) - Log ----------------------------------------------------------------- commit cc42e4af2cb88279555753a4f167347492ddc523 Author: Emilia Kasper Date: Tue Sep 1 17:13:02 2015 +0200 Add missing CHANGES entry for 1.0.2 Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 082e15e..343d847 100644 --- a/CHANGES +++ b/CHANGES @@ -723,6 +723,10 @@ Changes between 1.0.1l and 1.0.2 [22 Jan 2015] + *) Change RSA and DH/DSA key generation apps to generate 2048-bit + keys by default. + [Kurt Roeckx] + *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g. ARMv5 through ARMv8, as opposite to "locking" it to single one. So far those who have to target multiple plaforms would compromise From emilia at openssl.org Tue Sep 1 18:19:56 2015 From: emilia at openssl.org (Emilia Kasper) Date: Tue, 01 Sep 2015 18:19:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441131596.531162.3628.nullmailer@dev.openssl.org> The branch master has been updated via fb029cebaeb6b0dbdb05a26a515e38a52a3c0fa1 (commit) from 08a721ac613d69217b474a61882971ae9d4586d1 (commit) - Log ----------------------------------------------------------------- commit fb029cebaeb6b0dbdb05a26a515e38a52a3c0fa1 Author: Adam Eijdenberg Date: Tue Aug 4 19:08:22 2015 -0700 RT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t. clang suggests %llu instead, but it isn't clear that is portable on all platforms. C99 and above define a handy macro for us, so we try to use that definition and fall back to current definition if needed (though we switch to 'u' for unsigned). Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: apps/enc.c | 4 ++-- apps/s_client.c | 2 +- include/openssl/e_os2.h | 16 ++++++++++++++++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index 628142a..18fcb95 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -567,8 +567,8 @@ int enc_main(int argc, char **argv) ret = 0; if (verbose) { - BIO_printf(bio_err, "bytes read :%8ld\n", BIO_number_read(in)); - BIO_printf(bio_err, "bytes written:%8ld\n", BIO_number_written(out)); + BIO_printf(bio_err, "bytes read :%8"PRIu64"\n", BIO_number_read(in)); + BIO_printf(bio_err, "bytes written:%8"PRIu64"\n", BIO_number_written(out)); } end: ERR_print_errors(bio_err); diff --git a/apps/s_client.c b/apps/s_client.c index 2b69355..819cff3 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -2092,7 +2092,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) ssl_print_tmp_key(bio, s); BIO_printf(bio, - "---\nSSL handshake has read %ld bytes and written %ld bytes\n", + "---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index 177b098..9f7dcf1 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -294,6 +294,22 @@ typedef unsigned __int64 uint64_t; # include # endif +/* + * We need a format operator for some client tools for uint64_t. + * This is an attempt at doing so in a portable manner. + * If we can't use a built-in definition, we'll revert to the previous + * behavior that was hard-coded but now causing compiler warnings on + * some systems (e.g. Mac OS X). + */ +# ifndef PRIu64 +# if (__STDC_VERSION__ >= 199901L) +# include +# endif +# ifndef PRIu64 +# define PRIu64 "lu" +# endif +# endif + #ifdef __cplusplus } #endif From steve at openssl.org Tue Sep 1 20:17:00 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Tue, 01 Sep 2015 20:17:00 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441138620.028298.20172.nullmailer@dev.openssl.org> The branch master has been updated via 6c41ee7c6530b23267ed20f95143a2a682796fef (commit) via 361136f4b39de26edcc275f8fe1471bcb90feb64 (commit) via 063f1f0c693a10aab6a7227df15d4120ed824856 (commit) via af183984c3feaae693f4785be71dc1e098991d6f (commit) from fb029cebaeb6b0dbdb05a26a515e38a52a3c0fa1 (commit) - Log ----------------------------------------------------------------- commit 6c41ee7c6530b23267ed20f95143a2a682796fef Author: Dr. Stephen Henson Date: Tue Sep 1 19:09:20 2015 +0100 make update Reviewed-by: Rich Salz commit 361136f4b39de26edcc275f8fe1471bcb90feb64 Author: Dr. Stephen Henson Date: Tue Sep 1 18:56:58 2015 +0100 Document extension functions Reviewed-by: Rich Salz commit 063f1f0c693a10aab6a7227df15d4120ed824856 Author: Dr. Stephen Henson Date: Tue Sep 1 17:48:05 2015 +0100 functions to retrieve certificate flags Reviewed-by: Rich Salz commit af183984c3feaae693f4785be71dc1e098991d6f Author: Dr. Stephen Henson Date: Tue Sep 1 16:07:05 2015 +0100 use uint32_t for certificate flags Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/x509v3/v3_purp.c | 22 ++++++ doc/crypto/X509_get_extension_flags.pod | 115 ++++++++++++++++++++++++++++++++ include/openssl/x509.h | 8 +-- include/openssl/x509v3.h | 5 ++ util/libeay.num | 3 + 5 files changed, 149 insertions(+), 4 deletions(-) create mode 100644 doc/crypto/X509_get_extension_flags.pod diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 1f9296a..13c5120 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -841,3 +841,25 @@ int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) } return X509_V_OK; } + +uint32_t X509_get_extension_flags(X509 *x) +{ + X509_check_purpose(x, -1, -1); + return x->ex_flags; +} + +uint32_t X509_get_key_usage(X509 *x) +{ + X509_check_purpose(x, -1, -1); + if (x->ex_flags & EXFLAG_KUSAGE) + return x->ex_kusage; + return UINT32_MAX; +} + +uint32_t X509_get_extended_key_usage(X509 *x) +{ + X509_check_purpose(x, -1, -1); + if (x->ex_flags & EXFLAG_XKUSAGE) + return x->ex_xkusage; + return UINT32_MAX; +} diff --git a/doc/crypto/X509_get_extension_flags.pod b/doc/crypto/X509_get_extension_flags.pod new file mode 100644 index 0000000..2950bd7 --- /dev/null +++ b/doc/crypto/X509_get_extension_flags.pod @@ -0,0 +1,115 @@ +=pod + +=head1 NAME + +X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage - +retrieve certificate extension flags. + +=head1 SYNOPSIS + + #include + + uint32_t X509_get_extension_flags(X509 *x); + uint32_t X509_get_key_usage(X509 *x); + uint32_t X509_get_extended_key_usage(X509 *x); + +=head1 DESCRIPTION + +These functions retrieve flags related to commonly used certificate extensions. + +X509_get_extension_flags() retrieves general information about a certificate, +it will return one or more of the following flags ored together. + +=over 4 + +=item B + +The certificate is an obsolete version 1 certificate. + +=item B + +The certificate contains a basic constraints extension. + +=item B + +The certificate contains basic constraints and asserts the CA flag. + +=item B + +The certificate is a valid proxy certificate. + +=item B + +The certificate is self issued (that is subject and issuer names match). + +=item B + +The subject and issuer names match and extension values imply it is self +signed. + +=item B + +The freshest CRL extension is present in the certificate. + +=item B + +The certificate contains an unhandled critical extension. + +=item B + +Some certificate extension values are invalid or inconsistent. The +certificate should be rejected. + +=item B + +The certificate contains a key usage extension. The value can be retrieved +using X509_get_key_usage(). + +=item B + +The certificate contains an extended key usage extension. The value can be +retrieved using X509_get_extended_key_usage(). + +=back + +X509_get_key_usage() returns the value of the key usage extension. If key +usage is present will return zero or more of the flags: +B, B, B, +B, B, B, +B, B or B corresponding to +individual key usage bits. If key usage is absent then B is +returned. + +X509_get_extended_key_usage() returns the value of the extended key usage +extension. If extended key usage is present it will return zero or more of the +flags: B, B, B, B +B, B, B or B. These +correspond to the OIDs B, B, +B, B, B, +B, B and B respectively. +Additionally B is set if either Netscape or Microsoft SGC OIDs are +present. + +=head1 NOTES + +The value of the flags correspond to extension values which are cached +in the B structure. If the flags returned do not provide sufficient +information an application should examine extension values directly. + +If the key usage or extended key usage extension is absent then typically usage +is unrestricted. For this reason X509_get_key_usage() and +X509_get_extended_key_usage() return B when the corresponding +extension is absent. Applications can additionally check the return value of +X509_get_extension_flags() and take appropriate action is an extension is +absent. + +=head1 RETURN VALUE + +These functions all return sets of flags corresponding to the certificate +extension values. + +=head1 SEE ALSO + +L + +=cut diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 4e816ea..5e795c0 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -197,10 +197,10 @@ struct x509_st { /* These contain copies of various extension values */ long ex_pathlen; long ex_pcpathlen; - unsigned long ex_flags; - unsigned long ex_kusage; - unsigned long ex_xkusage; - unsigned long ex_nscert; + uint32_t ex_flags; + uint32_t ex_kusage; + uint32_t ex_xkusage; + uint32_t ex_nscert; ASN1_OCTET_STRING *skid; AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index a46ec5d..19fcb39 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -696,6 +696,11 @@ int X509_supported_extension(X509_EXTENSION *ex); int X509_PURPOSE_set(int *p, int purpose); int X509_check_issued(X509 *issuer, X509 *subject); int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid); + +uint32_t X509_get_extension_flags(X509 *x); +uint32_t X509_get_key_usage(X509 *x); +uint32_t X509_get_extended_key_usage(X509 *x); + int X509_PURPOSE_get_count(void); X509_PURPOSE *X509_PURPOSE_get0(int idx); int X509_PURPOSE_get_by_sname(char *sname); diff --git a/util/libeay.num b/util/libeay.num index 1e3671f..080066a 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4592,3 +4592,6 @@ X509_up_ref 4950 EXIST::FUNCTION: X509_REQ_get_version 4951 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: +X509_get_extension_flags 4954 EXIST::FUNCTION: +X509_get_extended_key_usage 4955 EXIST::FUNCTION: +X509_get_key_usage 4956 EXIST::FUNCTION: From matt at openssl.org Tue Sep 1 22:58:22 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 22:58:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441148302.766470.24559.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 525e13612ee692e9d827c27b99c7e38583f887f3 (commit) from 5999b897ff6e64a79c97598569361ca15734e6e1 (commit) - Log ----------------------------------------------------------------- commit 525e13612ee692e9d827c27b99c7e38583f887f3 Author: Tim Zhang Date: Mon May 11 10:58:51 2015 +0100 Fix the comment for POINT_CONVERSION_UNCOMPRESSED The |z| value should be 0x04 not 0x02 RT#3838 Signed-off-by: Matt Caswell Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell (cherry picked from commit 91d2728b38b1df930f337e163816a0fc9580b6a6) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index c4e7aea..2a935fd 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -106,7 +106,7 @@ typedef enum { /** the point is encoded as z||x, where the octet z specifies * which solution of the quadratic equation y is */ POINT_CONVERSION_COMPRESSED = 2, - /** the point is encoded as z||x||y, where z is the octet 0x02 */ + /** the point is encoded as z||x||y, where z is the octet 0x04 */ POINT_CONVERSION_UNCOMPRESSED = 4, /** the point is encoded as z||x||y, where the octet z specifies * which solution of the quadratic equation y is */ From matt at openssl.org Tue Sep 1 22:58:34 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 22:58:34 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441148314.453814.24781.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 41fe7d2380617da515581503490f1467ee75a521 (commit) from cc42e4af2cb88279555753a4f167347492ddc523 (commit) - Log ----------------------------------------------------------------- commit 41fe7d2380617da515581503490f1467ee75a521 Author: Tim Zhang Date: Mon May 11 10:58:51 2015 +0100 Fix the comment for POINT_CONVERSION_UNCOMPRESSED The |z| value should be 0x04 not 0x02 RT#3838 Signed-off-by: Matt Caswell Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell (cherry picked from commit 91d2728b38b1df930f337e163816a0fc9580b6a6) ----------------------------------------------------------------------- Summary of changes: crypto/ec/ec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 6d3178f..81e6faf 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -106,7 +106,7 @@ typedef enum { /** the point is encoded as z||x, where the octet z specifies * which solution of the quadratic equation y is */ POINT_CONVERSION_COMPRESSED = 2, - /** the point is encoded as z||x||y, where z is the octet 0x02 */ + /** the point is encoded as z||x||y, where z is the octet 0x04 */ POINT_CONVERSION_UNCOMPRESSED = 4, /** the point is encoded as z||x||y, where the octet z specifies * which solution of the quadratic equation y is */ From matt at openssl.org Tue Sep 1 22:58:40 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 22:58:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441148320.494882.25021.nullmailer@dev.openssl.org> The branch master has been updated via 91d2728b38b1df930f337e163816a0fc9580b6a6 (commit) from 6c41ee7c6530b23267ed20f95143a2a682796fef (commit) - Log ----------------------------------------------------------------- commit 91d2728b38b1df930f337e163816a0fc9580b6a6 Author: Tim Zhang Date: Mon May 11 10:58:51 2015 +0100 Fix the comment for POINT_CONVERSION_UNCOMPRESSED The |z| value should be 0x04 not 0x02 RT#3838 Signed-off-by: Matt Caswell Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: include/openssl/ec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 2d36dd5..6ea4e41 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -106,7 +106,7 @@ typedef enum { /** the point is encoded as z||x, where the octet z specifies * which solution of the quadratic equation y is */ POINT_CONVERSION_COMPRESSED = 2, - /** the point is encoded as z||x||y, where z is the octet 0x02 */ + /** the point is encoded as z||x||y, where z is the octet 0x04 */ POINT_CONVERSION_UNCOMPRESSED = 4, /** the point is encoded as z||x||y, where the octet z specifies * which solution of the quadratic equation y is */ From matt at openssl.org Tue Sep 1 23:19:57 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:19:57 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441149597.771623.30111.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 9a931208d7fc8a3596dda005cdbd6439938f01b0 (commit) from 41fe7d2380617da515581503490f1467ee75a521 (commit) - Log ----------------------------------------------------------------- commit 9a931208d7fc8a3596dda005cdbd6439938f01b0 Author: Matt Caswell Date: Tue Jun 16 14:17:24 2015 -0400 Fix building with OPENSSL_NO_TLSEXT. Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code consistency. However this commit will not fix no-tlsext in those branches which have always been broken for other reasons. The commit is not applied to master at all, because no-tlsext has been completely removed from that branch. Based on a patch by Marc Branchaud Reviewed-by: Emilia K?sper ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 07e7379..68390d3 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -256,8 +256,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_ecpointformatlist = NULL; dest->tlsext_ellipticcurvelist = NULL; # endif -#endif dest->tlsext_tick = NULL; +#endif #ifndef OPENSSL_NO_SRP dest->srp_username = NULL; #endif @@ -324,7 +324,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } # endif -#endif if (ticket != 0) { dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); @@ -334,6 +333,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_tick_lifetime_hint = 0; dest->tlsext_ticklen = 0; } +#endif #ifndef OPENSSL_NO_SRP if (src->srp_username) { From matt at openssl.org Tue Sep 1 23:20:09 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:20:09 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441149609.080492.30346.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 927f7a870337157bbb9e7a7d32578eeedb90ddbb (commit) from 525e13612ee692e9d827c27b99c7e38583f887f3 (commit) - Log ----------------------------------------------------------------- commit 927f7a870337157bbb9e7a7d32578eeedb90ddbb Author: Matt Caswell Date: Tue Jun 16 14:17:24 2015 -0400 Fix building with OPENSSL_NO_TLSEXT. Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code consistency. However this commit will not fix no-tlsext in those branches which have always been broken for other reasons. The commit is not applied to master at all, because no-tlsext has been completely removed from that branch. Based on a patch by Marc Branchaud Reviewed-by: Emilia K?sper (cherry picked from commit 9a931208d7fc8a3596dda005cdbd6439938f01b0) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 1ad9dc7..de4c59e 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -256,8 +256,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_ecpointformatlist = NULL; dest->tlsext_ellipticcurvelist = NULL; # endif -#endif dest->tlsext_tick = NULL; +#endif #ifndef OPENSSL_NO_SRP dest->srp_username = NULL; #endif @@ -324,7 +324,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } # endif -#endif if (ticket != 0) { dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); @@ -334,6 +333,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_tick_lifetime_hint = 0; dest->tlsext_ticklen = 0; } +#endif #ifndef OPENSSL_NO_SRP if (src->srp_username) { From matt at openssl.org Tue Sep 1 23:20:19 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:20:19 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1441149619.797553.30609.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 6ee4fc4853bda4b9163e18dadc797a870daa4519 (commit) from b4a99d8ad728f5a592bacae565d1c3cf50982731 (commit) - Log ----------------------------------------------------------------- commit 6ee4fc4853bda4b9163e18dadc797a870daa4519 Author: Matt Caswell Date: Tue Jun 16 14:17:24 2015 -0400 Fix building with OPENSSL_NO_TLSEXT. Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code consistency. However this commit will not fix no-tlsext in those branches which have always been broken for other reasons. The commit is not applied to master at all, because no-tlsext has been completely removed from that branch. Based on a patch by Marc Branchaud Reviewed-by: Emilia K?sper (cherry picked from commit 9a931208d7fc8a3596dda005cdbd6439938f01b0) Conflicts: ssl/ssl_sess.c ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 9fcb632..968f27f 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -253,8 +253,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_ecpointformatlist = NULL; dest->tlsext_ellipticcurvelist = NULL; # endif -#endif dest->tlsext_tick = NULL; +#endif memset(&dest->ex_data, 0, sizeof(dest->ex_data)); /* We deliberately don't copy the prev and next pointers */ @@ -318,7 +318,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } # endif -#endif if (ticket != 0) { dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); @@ -328,6 +327,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_tick_lifetime_hint = 0; dest->tlsext_ticklen = 0; } +#endif return dest; err: From matt at openssl.org Tue Sep 1 23:20:31 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:20:31 +0000 Subject: [openssl-commits] [openssl] OpenSSL_0_9_8-stable update Message-ID: <1441149631.812266.30871.nullmailer@dev.openssl.org> The branch OpenSSL_0_9_8-stable has been updated via 27bc0555aa4f5f95a54bef79ecc20b0655bb6451 (commit) from 1cbe0ff56900126fbf67ff03b1fd2e84c2a61f69 (commit) - Log ----------------------------------------------------------------- commit 27bc0555aa4f5f95a54bef79ecc20b0655bb6451 Author: Matt Caswell Date: Tue Jun 16 14:17:24 2015 -0400 Fix building with OPENSSL_NO_TLSEXT. Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code consistency. However this commit will not fix no-tlsext in those branches which have always been broken for other reasons. The commit is not applied to master at all, because no-tlsext has been completely removed from that branch. Based on a patch by Marc Branchaud Reviewed-by: Emilia K?sper (cherry picked from commit 9a931208d7fc8a3596dda005cdbd6439938f01b0) Conflicts: ssl/ssl_sess.c ----------------------------------------------------------------------- Summary of changes: ssl/ssl_sess.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index e1695ab..51c02dc 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -156,8 +156,8 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->ciphers = NULL; #ifndef OPENSSL_NO_TLSEXT dest->tlsext_hostname = NULL; -#endif dest->tlsext_tick = NULL; +#endif memset(&dest->ex_data, 0, sizeof(dest->ex_data)); /* We deliberately don't copy the prev and next pointers */ @@ -190,7 +190,6 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) goto err; } } -#endif if (ticket != 0) { dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); @@ -200,6 +199,7 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) dest->tlsext_tick_lifetime_hint = 0; dest->tlsext_ticklen = 0; } +#endif return dest; err: From matt at openssl.org Tue Sep 1 23:33:14 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:33:14 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441150394.385936.2413.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via dc0c888811cebfa2d21c844be0d81335fb2361da (commit) from 9a931208d7fc8a3596dda005cdbd6439938f01b0 (commit) - Log ----------------------------------------------------------------- commit dc0c888811cebfa2d21c844be0d81335fb2361da Author: Matt Caswell Date: Wed Aug 5 13:33:52 2015 +0100 Fix session resumption Commit f0348c842e7 introduced a problem with session resumption. The version for the session is fixed when the session is created. By moving the creation of the session earlier in the process the version is fixed *before* version negotiation has completed when processing the ServerHello on the client side. This fix updates the session version after version neg has completed. Reviewed-by: Emilia K?sper ----------------------------------------------------------------------- Summary of changes: ssl/s23_clnt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index acbbe31..f782010 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -736,6 +736,8 @@ static int ssl23_get_server_hello(SSL *s) goto err; } + s->session->ssl_version = s->version; + /* ensure that TLS_MAX_VERSION is up-to-date */ OPENSSL_assert(s->version <= TLS_MAX_VERSION); From matt at openssl.org Tue Sep 1 23:33:26 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:33:26 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441150406.482497.2677.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via dd642deea83d0f5b4accee9855e36c36699653cc (commit) from 927f7a870337157bbb9e7a7d32578eeedb90ddbb (commit) - Log ----------------------------------------------------------------- commit dd642deea83d0f5b4accee9855e36c36699653cc Author: Matt Caswell Date: Wed Aug 5 13:33:52 2015 +0100 Fix session resumption Commit f0348c842e7 introduced a problem with session resumption. The version for the session is fixed when the session is created. By moving the creation of the session earlier in the process the version is fixed *before* version negotiation has completed when processing the ServerHello on the client side. This fix updates the session version after version neg has completed. Reviewed-by: Emilia K?sper (cherry picked from commit dc0c888811cebfa2d21c844be0d81335fb2361da) ----------------------------------------------------------------------- Summary of changes: ssl/s23_clnt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index fc344b9..2b2855d 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -727,6 +727,8 @@ static int ssl23_get_server_hello(SSL *s) goto err; } + s->session->ssl_version = s->version; + /* ensure that TLS_MAX_VERSION is up-to-date */ OPENSSL_assert(s->version <= TLS_MAX_VERSION); From matt at openssl.org Tue Sep 1 23:37:06 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:37:06 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441150626.758639.4178.nullmailer@dev.openssl.org> The branch master has been updated via 246b52f39aac36d1f4bc705c27c6354cb67041f4 (commit) from 91d2728b38b1df930f337e163816a0fc9580b6a6 (commit) - Log ----------------------------------------------------------------- commit 246b52f39aac36d1f4bc705c27c6354cb67041f4 Author: Hiroyuki YAMAMORI Date: Wed Aug 26 14:45:40 2015 +0100 Fix DTLS1.2 buffers Fix the setup of DTLS1.2 buffers to take account of the Header Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: ssl/record/ssl3_buffer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/record/ssl3_buffer.c b/ssl/record/ssl3_buffer.c index 66fb721..7685e69 100644 --- a/ssl/record/ssl3_buffer.c +++ b/ssl/record/ssl3_buffer.c @@ -147,7 +147,7 @@ int ssl3_setup_read_buffer(SSL *s) b = RECORD_LAYER_get_rbuf(&s->rlayer); - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) headerlen = DTLS1_RT_HEADER_LENGTH; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -189,7 +189,7 @@ int ssl3_setup_write_buffer(SSL *s) wb = RECORD_LAYER_get_wbuf(&s->rlayer); - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) headerlen = DTLS1_RT_HEADER_LENGTH + 1; else headerlen = SSL3_RT_HEADER_LENGTH; From matt at openssl.org Tue Sep 1 23:40:22 2015 From: matt at openssl.org (Matt Caswell) Date: Tue, 01 Sep 2015 23:40:22 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441150822.369723.5873.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 31472acf61fce8bbc39390ca96ff2f9da2dfafb8 (commit) via 28643a1615f4b09295a18d7ae0cb13adca8c8d00 (commit) from dc0c888811cebfa2d21c844be0d81335fb2361da (commit) - Log ----------------------------------------------------------------- commit 31472acf61fce8bbc39390ca96ff2f9da2dfafb8 Author: Hiroyuki YAMAMORI Date: Wed Aug 26 15:06:22 2015 +0100 Fix DTLS1.2 compression Backport of equivalent fix from master. The only compression method is stateful and hence incompatible with DTLS. The DTLS test was not working for DTLS1.2 Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell commit 28643a1615f4b09295a18d7ae0cb13adca8c8d00 Author: Hiroyuki YAMAMORI Date: Wed Aug 26 15:04:09 2015 +0100 Fix DTLS1.2 buffers Fix the setup of DTLS1.2 buffers to take account of the Header Reviewed-by: Emilia K?sper Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: ssl/s3_both.c | 4 ++-- ssl/ssl_lib.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 019e21c..09d0661 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -648,7 +648,7 @@ int ssl3_setup_read_buffer(SSL *s) unsigned char *p; size_t len, align = 0, headerlen; - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) headerlen = DTLS1_RT_HEADER_LENGTH; else headerlen = SSL3_RT_HEADER_LENGTH; @@ -687,7 +687,7 @@ int ssl3_setup_write_buffer(SSL *s) unsigned char *p; size_t len, align = 0, headerlen; - if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + if (SSL_IS_DTLS(s)) headerlen = DTLS1_RT_HEADER_LENGTH + 1; else headerlen = SSL3_RT_HEADER_LENGTH; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c0931e7..d72756a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1980,7 +1980,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->extra_certs = NULL; /* No compression for DTLS */ - if (meth->version != DTLS1_VERSION) + if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) ret->comp_methods = SSL_COMP_get_compression_methods(); ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; From rsalz at openssl.org Wed Sep 2 01:38:33 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 02 Sep 2015 01:38:33 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441157913.754186.7199.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 0a1682d8b53a61732877edf015438ecd7965bc21 (commit) from 31472acf61fce8bbc39390ca96ff2f9da2dfafb8 (commit) - Log ----------------------------------------------------------------- commit 0a1682d8b53a61732877edf015438ecd7965bc21 Author: Rich Salz Date: Thu Aug 27 00:10:55 2015 -0400 RT3767: openssl_button.gif should be PNG No, we should just delete it. And updated the README Reviewed-by: Matt Caswell (cherry picked from commit 8db78781069697cfa30a2261413f33f5055a2838) ----------------------------------------------------------------------- Summary of changes: doc/README | 27 ++++++++++++++++++--------- doc/openssl_button.gif | Bin 2063 -> 0 bytes doc/openssl_button.html | 7 ------- 3 files changed, 18 insertions(+), 16 deletions(-) delete mode 100644 doc/openssl_button.gif delete mode 100644 doc/openssl_button.html diff --git a/doc/README b/doc/README index 6ecc14d..cc76040 100644 --- a/doc/README +++ b/doc/README @@ -1,12 +1,21 @@ - apps/openssl.pod .... Documentation of OpenSSL `openssl' command - crypto/crypto.pod ... Documentation of OpenSSL crypto.h+libcrypto.a - ssl/ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a - openssl.txt ......... Assembled documentation files for OpenSSL [not final] - ssleay.txt .......... Assembled documentation of ancestor SSLeay [obsolete] - standards.txt ....... Assembled pointers to standards, RFCs or internet drafts - that are related to OpenSSL. +README This file - An archive of HTML documents for the SSLeay library is available from - http://www.columbia.edu/~ariel/ssleay/ +fingerprints.txt + PGP fingerprints of authoried release signers +standards.txt + Pointers to standards, RFC's and IETF Drafts that are + related to OpenSSL. Incomplete. + +HOWTO/ + A few how-to documents; not necessarily up-to-date +apps/ + The openssl command-line tools; start with openssl.pod +ssl/ + The SSL library; start with ssl.pod +crypto/ + The cryptographic library; start with crypto.pod + +Formatted versions of the manpages (apps,ssl,crypto) can be found at + https://www.openssl.org/docs/manpages.html diff --git a/doc/openssl_button.gif b/doc/openssl_button.gif deleted file mode 100644 index 3d3c90c..0000000 Binary files a/doc/openssl_button.gif and /dev/null differ diff --git a/doc/openssl_button.html b/doc/openssl_button.html deleted file mode 100644 index 44c91bd..0000000 --- a/doc/openssl_button.html +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - From stevem at openssl.org Wed Sep 2 10:22:04 2015 From: stevem at openssl.org (Steve Marquess) Date: Wed, 02 Sep 2015 10:22:04 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1441189324.149382.31947.nullmailer@dev.openssl.org> The branch master has been updated via 7daefd9fb8ada1fb5c919d27217cb39ffcd12ca3 (commit) from 2ce8f60fb1b406aa811ef0f687bbd287621c6aeb (commit) - Log ----------------------------------------------------------------- commit 7daefd9fb8ada1fb5c919d27217cb39ffcd12ca3 Author: Steve Marquess Date: Wed Sep 2 06:21:43 2015 -0400 New version of FIPS user guide ----------------------------------------------------------------------- Summary of changes: docs/fips/UserGuide-2.0.pdf | Bin 1842937 -> 1772315 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/docs/fips/UserGuide-2.0.pdf b/docs/fips/UserGuide-2.0.pdf index 6150d8d..671db85 100644 Binary files a/docs/fips/UserGuide-2.0.pdf and b/docs/fips/UserGuide-2.0.pdf differ From viktor at openssl.org Wed Sep 2 13:53:55 2015 From: viktor at openssl.org (Viktor Dukhovni) Date: Wed, 02 Sep 2015 13:53:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441202035.861222.21658.nullmailer@dev.openssl.org> The branch master has been updated via fffc2faeb2b5cad4516cc624352d445284aa7522 (commit) via a0724ef1c9b9e2090bdd96b784f492b6a3952957 (commit) from 246b52f39aac36d1f4bc705c27c6354cb67041f4 (commit) - Log ----------------------------------------------------------------- commit fffc2faeb2b5cad4516cc624352d445284aa7522 Author: Viktor Dukhovni Date: Tue Sep 1 21:59:08 2015 -0400 Cleaner handling of "cnid" in do_x509_check Avoid using cnid = 0, use NID_undef instead, and return early instead of trying to find an instance of that in the subject DN. Reviewed-by: Richard Levitte commit a0724ef1c9b9e2090bdd96b784f492b6a3952957 Author: Viktor Dukhovni Date: Tue Sep 1 21:47:12 2015 -0400 Better handling of verify param id peername field Initialize pointers in param id by the book (explicit NULL assignment, rather than just memset 0). In x509_verify_param_zero() set peername to NULL after freeing it. In x509_vfy.c's internal check_hosts(), avoid potential leak of possibly already non-NULL peername. This is only set when a check succeeds, so don't need to do this repeatedly in the loop. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 4 ++++ crypto/x509/x509_vpm.c | 10 +++++++++- crypto/x509v3/v3_utl.c | 10 +++++++--- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 7d770c5..45d53a0 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -767,6 +767,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) int n = sk_OPENSSL_STRING_num(id->hosts); char *name; + if (id->peername != NULL) { + OPENSSL_free(id->peername); + id->peername = NULL; + } for (i = 0; i < n; ++i) { name = sk_OPENSSL_STRING_value(id->hosts, i); if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 5d8c5f8..eedc217 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -148,6 +148,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free); paramid->hosts = NULL; OPENSSL_free(paramid->peername); + paramid->peername = NULL; OPENSSL_free(paramid->email); paramid->email = NULL; paramid->emaillen = 0; @@ -164,13 +165,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) param = OPENSSL_malloc(sizeof(*param)); if (!param) return NULL; + memset(param, 0, sizeof(*param)); + paramid = OPENSSL_malloc(sizeof(*paramid)); if (!paramid) { OPENSSL_free(param); return NULL; } - memset(param, 0, sizeof(*param)); memset(paramid, 0, sizeof(*paramid)); + /* Exotic platforms may have non-zero bit representation of NULL */ + paramid->hosts = NULL; + paramid->peername = NULL; + paramid->email = NULL; + paramid->ip = NULL; + param->id = paramid; x509_verify_param_zero(param); return param; diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index 15029f9..6494d83 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -921,7 +921,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES *gens = NULL; X509_NAME *name = NULL; int i; - int cnid; + int cnid = NID_undef; int alt_type; int san_present = 0; int rv = 0; @@ -944,7 +944,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, else equal = equal_wildcard; } else { - cnid = 0; alt_type = V_ASN1_OCTET_STRING; equal = equal_case; } @@ -975,11 +974,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; - if (!cnid + if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) return 0; } + + /* We're done if CN-ID is not pertinent */ + if (cnid == NID_undef) + return 0; + i = -1; name = X509_get_subject_name(x); while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) { From viktor at openssl.org Wed Sep 2 14:02:39 2015 From: viktor at openssl.org (Viktor Dukhovni) Date: Wed, 02 Sep 2015 14:02:39 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441202559.695156.25274.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 40d5689458593aeca0d1a7f3591f7ccb48e459ac (commit) via 39c76ceb2d3e51eaff95e04d6e4448f685718f8d (commit) from 0a1682d8b53a61732877edf015438ecd7965bc21 (commit) - Log ----------------------------------------------------------------- commit 40d5689458593aeca0d1a7f3591f7ccb48e459ac Author: Viktor Dukhovni Date: Tue Sep 1 21:59:08 2015 -0400 Cleaner handling of "cnid" in do_x509_check Avoid using cnid = 0, use NID_undef instead, and return early instead of trying to find an instance of that in the subject DN. Reviewed-by: Richard Levitte (cherry picked from commit fffc2faeb2b5cad4516cc624352d445284aa7522) commit 39c76ceb2d3e51eaff95e04d6e4448f685718f8d Author: Viktor Dukhovni Date: Tue Sep 1 21:47:12 2015 -0400 Better handling of verify param id peername field Initialize pointers in param id by the book (explicit NULL assignment, rather than just memset 0). In x509_verify_param_zero() set peername to NULL after freeing it. In x509_vfy.c's internal check_hosts(), avoid potential leak of possibly already non-NULL peername. This is only set when a check succeeds, so don't need to do this repeatedly in the loop. Reviewed-by: Richard Levitte (cherry picked from commit a0724ef1c9b9e2090bdd96b784f492b6a3952957) ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 4 ++++ crypto/x509/x509_vpm.c | 15 +++++++++++---- crypto/x509v3/v3_utl.c | 10 +++++++--- 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 7bac197..ab94948 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -753,6 +753,10 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) int n = sk_OPENSSL_STRING_num(id->hosts); char *name; + if (id->peername != NULL) { + OPENSSL_free(id->peername); + id->peername = NULL; + } for (i = 0; i < n; ++i) { name = sk_OPENSSL_STRING_value(id->hosts, i); if (X509_check_host(x, name, 0, id->hostflags, &id->peername) > 0) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 1ea0c69..592a8a5 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -155,6 +155,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) } if (paramid->peername) OPENSSL_free(paramid->peername); + paramid->peername = NULL; if (paramid->email) { OPENSSL_free(paramid->email); paramid->email = NULL; @@ -165,7 +166,6 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) paramid->ip = NULL; paramid->iplen = 0; } - } X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) @@ -176,13 +176,20 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) param = OPENSSL_malloc(sizeof *param); if (!param) return NULL; - paramid = OPENSSL_malloc(sizeof *paramid); + memset(param, 0, sizeof(*param)); + + paramid = OPENSSL_malloc(sizeof(*paramid)); if (!paramid) { OPENSSL_free(param); return NULL; } - memset(param, 0, sizeof *param); - memset(paramid, 0, sizeof *paramid); + memset(paramid, 0, sizeof(*paramid)); + /* Exotic platforms may have non-zero bit representation of NULL */ + paramid->hosts = NULL; + paramid->peername = NULL; + paramid->email = NULL; + paramid->ip = NULL; + param->id = paramid; x509_verify_param_zero(param); return param; diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c index bdd7b95..4d1ecc5 100644 --- a/crypto/x509v3/v3_utl.c +++ b/crypto/x509v3/v3_utl.c @@ -926,7 +926,7 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES *gens = NULL; X509_NAME *name = NULL; int i; - int cnid; + int cnid = NID_undef; int alt_type; int san_present = 0; int rv = 0; @@ -949,7 +949,6 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, else equal = equal_wildcard; } else { - cnid = 0; alt_type = V_ASN1_OCTET_STRING; equal = equal_case; } @@ -980,11 +979,16 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; - if (!cnid + if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) return 0; } + + /* We're done if CN-ID is not pertinent */ + if (cnid == NID_undef) + return 0; + i = -1; name = X509_get_subject_name(x); while ((i = X509_NAME_get_index_by_NID(name, cnid, i)) >= 0) { From rsalz at openssl.org Wed Sep 2 15:12:53 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 02 Sep 2015 15:12:53 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441206773.839551.8734.nullmailer@dev.openssl.org> The branch master has been updated via 8d1d0f4d9e20f825abbaf22f107815668e1d6b6b (commit) from fffc2faeb2b5cad4516cc624352d445284aa7522 (commit) - Log ----------------------------------------------------------------- commit 8d1d0f4d9e20f825abbaf22f107815668e1d6b6b Author: Rich Salz Date: Tue Sep 1 22:44:10 2015 -0400 Move OPENSSL_ITEM to store.h The only place that uses it. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: include/openssl/crypto.h | 9 --------- include/openssl/store.h | 9 +++++++++ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 1d1c2b3..f1ff0e0 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -158,15 +158,6 @@ extern "C" { # define SSLEAY_PLATFORM 4 # define SSLEAY_DIR 5 -/* A generic structure to pass assorted data in a expandable way */ -typedef struct openssl_item_st { - int code; - void *value; /* Not used for flag attributes */ - size_t value_size; /* Max size of value for output, length for - * input */ - size_t *value_length; /* Returned length of value for output */ -} OPENSSL_ITEM; - /* * When changing the CRYPTO_LOCK_* list, be sure to maintin the text lock * names in cryptlib.c diff --git a/include/openssl/store.h b/include/openssl/store.h index b732eef..4f88f99 100644 --- a/include/openssl/store.h +++ b/include/openssl/store.h @@ -248,6 +248,15 @@ DECLARE_STACK_OF(STORE_OBJECT) STORE_OBJECT *STORE_OBJECT_new(void); void STORE_OBJECT_free(STORE_OBJECT *data); +/* A generic structure to pass assorted data in a expandable way */ +typedef struct openssl_item_st { + int code; + void *value; /* Not used for flag attributes */ + size_t value_size; /* Max size of value for output, length for + * input */ + size_t *value_length; /* Returned length of value for output */ +} OPENSSL_ITEM; + /* * The following functions handle the storage. They return 0, a negative * number or NULL on error, anything else on success. From steve at openssl.org Wed Sep 2 20:21:40 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 02 Sep 2015 20:21:40 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441225300.303507.10251.nullmailer@dev.openssl.org> The branch master has been updated via 0b58c6ad9e9651a83f2e25e98c76b1ee4fecaa03 (commit) from 8d1d0f4d9e20f825abbaf22f107815668e1d6b6b (commit) - Log ----------------------------------------------------------------- commit 0b58c6ad9e9651a83f2e25e98c76b1ee4fecaa03 Author: Dr. Stephen Henson Date: Wed Sep 2 18:39:48 2015 +0100 delete unused structure Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: include/openssl/x509.h | 6 ------ 1 file changed, 6 deletions(-) diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 5e795c0..d1ecb29 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -119,12 +119,6 @@ extern "C" { # define X509v3_KU_DECIPHER_ONLY 0x8000 # define X509v3_KU_UNDEF 0xffff -typedef struct X509_objects_st { - int nid; - int (*a2i) (void); - int (*i2a) (void); -} X509_OBJECTS; - struct X509_algor_st { ASN1_OBJECT *algorithm; ASN1_TYPE *parameter; From steve at openssl.org Wed Sep 2 20:24:53 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 02 Sep 2015 20:24:53 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441225493.113409.12131.nullmailer@dev.openssl.org> The branch master has been updated via cf170f558b6051a66b5e182ac447b7b8ce85c8d2 (commit) via 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e (commit) via 6a096889d731a68fb74b7f71de9c9faf206a9da8 (commit) via cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 (commit) from 0b58c6ad9e9651a83f2e25e98c76b1ee4fecaa03 (commit) - Log ----------------------------------------------------------------- commit cf170f558b6051a66b5e182ac447b7b8ce85c8d2 Author: Dr. Stephen Henson Date: Wed Aug 26 14:28:38 2015 +0100 Extend ciphersuite test coverage. Add support for testing ECDSA and DSA ciphersuites. Reviewed-by: Matt Caswell commit 04dc8b36ef40d7ba8f33ff3d6c7c87a921e0715e Author: Dr. Stephen Henson Date: Wed Aug 26 14:03:24 2015 +0100 Fix CCM support in DTLS Reviewed-by: Matt Caswell commit 6a096889d731a68fb74b7f71de9c9faf206a9da8 Author: Dr. Stephen Henson Date: Wed Aug 26 12:22:39 2015 +0100 Update ssltest certificate handling. Use SSL_CONF for certificate handling is ssltest.c, this changes the behaviour slightly: the -cert and -key options are no longer recognised and a default certificate file is not used. This change means that -s_cert and -c_cert can be used mode than once to support use of multiple certificates. Reviewed-by: Matt Caswell commit cb0585c2cb5f3bdc7fe94cfcdc2cef6a9b2810c2 Author: Dr. Stephen Henson Date: Wed Aug 26 12:20:32 2015 +0100 Create DSA and ECDSA certificates. If supported create DSA and ECDSA certificates and test them. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: ssl/d1_both.c | 3 ++- test/Uss.cnf | 33 +++++++++++++++------------ test/ssltest.c | 70 +++++----------------------------------------------------- test/testss | 43 +++++++++++++++++++++++++++++++++++- test/testssl | 47 ++++++++++++++++++++++----------------- 5 files changed, 96 insertions(+), 100 deletions(-) diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 2c3ab54..d2f5def 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -270,7 +270,8 @@ int dtls1_do_write(SSL *s, int type) if (s->write_hash) { if (s->enc_write_ctx - && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE) + && ((EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_GCM_MODE) || + (EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CCM_MODE))) mac_size = 0; else mac_size = EVP_MD_CTX_size(s->write_hash); diff --git a/test/Uss.cnf b/test/Uss.cnf index 58ac0ca..f655e74 100644 --- a/test/Uss.cnf +++ b/test/Uss.cnf @@ -4,6 +4,7 @@ # RANDFILE = ./.rnd +CN2 = Brother 2 #################################################################### [ req ] @@ -11,26 +12,30 @@ default_bits = 2048 default_keyfile = keySS.pem distinguished_name = req_distinguished_name encrypt_rsa_key = no -default_md = sha256 +default_md = sha256 +prompt = no [ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_value = AU - -organizationName = Organization Name (eg, company) -organizationName_value = Dodgy Brothers - -0.commonName = Common Name (eg, YOUR name) -0.commonName_value = Brother 1 - -1.commonName = Common Name (eg, YOUR name) -1.commonName_value = Brother 2 +countryName = AU +organizationName = Dodgy Brothers +0.commonName = Brother 1 +1.commonName = $ENV::CN2 [ v3_ee ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always basicConstraints = CA:false keyUsage = nonRepudiation, digitalSignature, keyEncipherment -issuerAltName=issuer:copy + +[ v3_ee_dsa ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature + +[ v3_ee_ec ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always +basicConstraints = CA:false +keyUsage = nonRepudiation, digitalSignature, keyAgreement diff --git a/test/ssltest.c b/test/ssltest.c index 26cf96c..9144191 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -204,20 +204,6 @@ # include OPENSSL_UNISTD #endif -#ifdef OPENSSL_SYS_VMS -# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" -# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" -#elif defined(OPENSSL_SYS_WINCE) -# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" -# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" -#elif defined(OPENSSL_SYS_NETWARE) -# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" -# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" -#else -# define TEST_SERVER_CERT "../apps/server.pem" -# define TEST_CLIENT_CERT "../apps/client.pem" -#endif - /* * There is really no standard for this, so let's assign something * only for this test @@ -965,10 +951,6 @@ int main(int argc, char *argv[]) int server_auth = 0, i; struct app_verify_arg app_verify_arg = { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; - char *server_cert = TEST_SERVER_CERT; - char *server_key = NULL; - char *client_cert = TEST_CLIENT_CERT; - char *client_key = NULL; #ifndef OPENSSL_NO_EC char *named_curve = NULL; #endif @@ -1043,14 +1025,18 @@ int main(int argc, char *argv[]) } SSL_CONF_CTX_set_flags(s_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { ERR_print_errors(bio_err); goto end; } SSL_CONF_CTX_set_flags(c_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { ERR_print_errors(bio_err); goto end; @@ -1165,30 +1151,6 @@ int main(int argc, char *argv[]) bytes *= 1024L; if (argv[0][i - 1] == 'm') bytes *= 1024L * 1024L; - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-s_cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-s_key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-c_cert") == 0) { - if (--argc < 1) - goto bad; - client_cert = *(++argv); - } else if (strcmp(*argv, "-c_key") == 0) { - if (--argc < 1) - goto bad; - client_key = *(++argv); } else if (strcmp(*argv, "-cipher") == 0) { if (--argc < 1) goto bad; @@ -1519,26 +1481,6 @@ int main(int argc, char *argv[]) SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); #endif - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, - (server_key ? server_key : - server_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - - if (client_auth) { - if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(c_ctx, - (client_key ? client_key : client_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - } - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || diff --git a/test/testss b/test/testss index 5c5389b..45aedc8 100644 --- a/test/testss +++ b/test/testss @@ -18,6 +18,14 @@ Ukey="keyU.ss" Ureq="reqU.ss" Ucert="certU.ss" +Dkey="keyD.ss" +Dreq="reqD.ss" +Dcert="certD.ss" + +Ekey="keyE.ss" +Ereq="reqE.ss" +Ecert="certE.ss" + P1conf="P1ss.cnf" P1key="keyP1.ss" P1req="reqP1.ss" @@ -33,8 +41,10 @@ P2intermediate="tmp_intP2.ss" echo string to make the random number generator think it has entropy >> ./.rnd +req_dsa='-newkey dsa:../apps/dsa1024.pem' + if ../util/shlib_wrap.sh ../apps/openssl no-rsa >/dev/null; then - req_new='-newkey dsa:../apps/dsa512.pem' + req_new=$req_dsa else req_new='-new' fi @@ -67,6 +77,37 @@ $verifycmd -CAfile $CAcert $Ucert || exit 1 echo Certificate details $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert || exit 1 +if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then + echo skipping DSA certificate creation +else + echo make a DSA user cert request + CN2="DSA Certificate" $reqcmd -config $Uconf -out $Dreq -keyout $Dkey $req_dsa >err.ss || exit 1 + + echo sign DSA user cert request + $x509cmd -CAcreateserial -in $Dreq -days 30 -req -out $Dcert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_dsa >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Dcert || exit 1 + + echo DSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Dcert || exit 1 + +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then + echo skipping ECDSA/ECDH certificate creation +else + echo make an ECDSA/ECDH user cert request + ../util/shlib_wrap.sh ../apps/openssl ecparam -name P-256 -out ecp.ss || exit 1 + CN2="ECDSA Certificate" $reqcmd -config $Uconf -out $Ereq -keyout $Ekey -newkey ec:ecp.ss >err.ss || exit 1 + + echo sign ECDSA/ECDH user cert request + $x509cmd -CAcreateserial -in $Ereq -days 30 -req -out $Ecert -CA $CAcert -CAkey $CAkey -CAserial $CAserial -extfile $Uconf -extensions v3_ee_ec >err.ss || exit 1 + $verifycmd -CAfile $CAcert $Ecert || exit 1 + + echo ECDSA Certificate details + $x509cmd -subject -issuer -startdate -enddate -noout -in $Ecert || exit 1 + +fi + echo make a proxy cert request $reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss || exit 1 diff --git a/test/testssl b/test/testssl index 81b8a93..d41a4bd 100644 --- a/test/testssl +++ b/test/testssl @@ -10,7 +10,7 @@ if [ "$2" = "" ]; then else cert="$2" fi -ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert" +ssltest="../util/shlib_wrap.sh ./ssltest -s_key $key -s_cert $cert -c_key $key -c_cert $cert" if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then dsa_cert=YES @@ -124,7 +124,8 @@ test_cipher() { if [ $2 = "SSLv3" ] ; then prot="-ssl3" fi - $ssltest -cipher $_cipher $prot + _exarg=$3 + $ssltest $_exarg -cipher $_cipher $prot if [ $? -ne 0 ] ; then echo "Failed $_cipher" exit 1 @@ -132,17 +133,31 @@ test_cipher() { } echo "Testing ciphersuites" +exkeys="" +ciphers="-EXP:-PSK:-SRP:-kDH:-kECDHe" +if ../util/shlib_wrap.sh ../apps/openssl no-dhparam >/dev/null; then + echo "skipping DHE tests" + ciphers="$ciphers:-kDHE" +fi +if ../util/shlib_wrap.sh ../apps/openssl no-dsa >/dev/null; then + echo "skipping DSA tests" + ciphers="$ciphers:-aDSA" +else + exkeys="$exkeys -s_cert certD.ss -s_key keyD.ss" +fi + +if ../util/shlib_wrap.sh ../apps/openssl no-ec >/dev/null; then + echo "skipping EC tests" + ciphers="$ciphers:!aECDSA:!kECDH" +else + exkeys="$exkeys -s_cert certE.ss -s_key keyE.ss" +fi + for protocol in TLSv1.2 SSLv3; do echo "Testing ciphersuites for $protocol" - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do - test_cipher $cipher $protocol + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "$protocol:$ciphers" | tr ':' ' '`; do + test_cipher $cipher $protocol "$exkeys" done - if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then - echo "skipping RSA+DHE tests" - else - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do - test_cipher $cipher $protocol - done echo "testing connection with weak DH, expecting failure" if [ $protocol = "SSLv3" ] ; then $ssltest -s_cipher "EDH" -c_cipher "EDH:@SECLEVEL=1" -dhe512 -ssl3 @@ -153,14 +168,6 @@ for protocol in TLSv1.2 SSLv3; do echo "FAIL: connection with weak DH succeeded" exit 1 fi - fi - if ../util/shlib_wrap.sh ../apps/openssl no-ec; then - echo "skipping RSA+ECDHE tests" - else - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do - test_cipher $cipher $protocol - done - fi done ############################################################################# @@ -176,13 +183,13 @@ if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then echo skipping RSA tests else echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes' - ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1 if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then echo skipping RSA+DHE tests else echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes - ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 + ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1 fi fi From steve at openssl.org Wed Sep 2 20:29:04 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 02 Sep 2015 20:29:04 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441225744.169385.15637.nullmailer@dev.openssl.org> The branch master has been updated via 66e87a9f0990198079bf4d2b3ce87581ad5b6b10 (commit) via e3e571925c40f4d9e0adfc7704e5df2057a13a19 (commit) from cf170f558b6051a66b5e182ac447b7b8ce85c8d2 (commit) - Log ----------------------------------------------------------------- commit 66e87a9f0990198079bf4d2b3ce87581ad5b6b10 Author: Dr. Stephen Henson Date: Mon Aug 31 23:48:44 2015 +0100 make update Reviewed-by: Tim Hudson commit e3e571925c40f4d9e0adfc7704e5df2057a13a19 Author: Dr. Stephen Henson Date: Mon Aug 31 21:30:13 2015 +0100 make X509_CRL opaque Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/crl.c | 9 ++++++-- crypto/asn1/Makefile | 4 ++-- crypto/asn1/t_crl.c | 1 + crypto/asn1/x_crl.c | 1 + crypto/include/internal/x509_int.h | 33 ++++++++++++++++++++++++++ crypto/x509/Makefile | 13 +++++++---- crypto/x509/by_dir.c | 1 + crypto/x509/x509_ext.c | 1 + crypto/x509/x509_lu.c | 1 + crypto/x509/x509_vfy.c | 1 + crypto/x509/x509cset.c | 35 ++++++++++++++++++++++++++++ crypto/x509v3/Makefile | 3 ++- crypto/x509v3/v3_conf.c | 1 + include/openssl/x509.h | 47 ++++++++------------------------------ util/libeay.num | 6 +++++ 15 files changed, 109 insertions(+), 48 deletions(-) diff --git a/apps/crl.c b/apps/crl.c index b4c9c75..c0bf874 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -358,8 +358,13 @@ int crl_main(int argc, char **argv) goto end; } - if (badsig) - x->signature->data[x->signature->length - 1] ^= 0x1; + if (badsig) { + ASN1_BIT_STRING *sig; + unsigned char *psig; + X509_CRL_get0_signature(&sig, NULL, x); + psig = ASN1_STRING_data(sig); + psig[ASN1_STRING_length(sig) - 1] ^= 0x1; + } if (outformat == FORMAT_ASN1) i = (int)i2d_X509_CRL_bio(out, x); diff --git a/crypto/asn1/Makefile b/crypto/asn1/Makefile index ffee97b..be5e3c5 100644 --- a/crypto/asn1/Makefile +++ b/crypto/asn1/Makefile @@ -587,7 +587,7 @@ t_crl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h t_crl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h t_crl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h t_crl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -t_crl.o: ../include/internal/cryptlib.h t_crl.c +t_crl.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h t_crl.c t_pkey.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h t_pkey.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h t_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -771,7 +771,7 @@ x_crl.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h x_crl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h x_crl.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x_crl.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -x_crl.o: asn1_locl.h x_crl.c +x_crl.o: ../include/internal/x509_int.h asn1_locl.h x_crl.c x_info.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h x_info.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h x_info.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h diff --git a/crypto/asn1/t_crl.c b/crypto/asn1/t_crl.c index 96c5226..06c61ea 100644 --- a/crypto/asn1/t_crl.c +++ b/crypto/asn1/t_crl.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" #include #ifndef OPENSSL_NO_STDIO diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index d264ec7..73f78c4 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -61,6 +61,7 @@ #include #include "asn1_locl.h" #include +#include "internal/x509_int.h" #include static int X509_REVOKED_cmp(const X509_REVOKED *const *a, diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 70abb2c..846a320 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -105,3 +105,36 @@ struct X509_req_st { ASN1_BIT_STRING *signature; int references; }; + +struct X509_crl_info_st { + ASN1_INTEGER *version; + X509_ALGOR *sig_alg; + X509_NAME *issuer; + ASN1_TIME *lastUpdate; + ASN1_TIME *nextUpdate; + STACK_OF(X509_REVOKED) *revoked; + STACK_OF(X509_EXTENSION) /* [0] */ *extensions; + ASN1_ENCODING enc; +}; + +struct X509_crl_st { + /* actual signature */ + X509_CRL_INFO *crl; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + int references; + int flags; + /* Copies of various extensions */ + AUTHORITY_KEYID *akid; + ISSUING_DIST_POINT *idp; + /* Convenient breakdown of IDP */ + int idp_flags; + int idp_reasons; + /* CRL and base CRL numbers for delta processing */ + ASN1_INTEGER *crl_number; + ASN1_INTEGER *base_crl_number; + unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + STACK_OF(GENERAL_NAMES) *issuers; + const X509_CRL_METHOD *meth; + void *meth_data; +}; diff --git a/crypto/x509/Makefile b/crypto/x509/Makefile index 4127646..f2bf8f9 100644 --- a/crypto/x509/Makefile +++ b/crypto/x509/Makefile @@ -84,7 +84,7 @@ by_dir.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h by_dir.o: ../../include/openssl/sha.h ../../include/openssl/stack.h by_dir.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h by_dir.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h -by_dir.o: by_dir.c +by_dir.o: ../include/internal/x509_int.h by_dir.c by_file.o: ../../e_os.h ../../include/openssl/asn1.h by_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h by_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -180,7 +180,8 @@ x509_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h x509_ext.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509_ext.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h x509_ext.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -x509_ext.o: ../include/internal/cryptlib.h x509_ext.c +x509_ext.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h +x509_ext.o: x509_ext.c x509_lu.o: ../../e_os.h ../../include/openssl/asn1.h x509_lu.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h x509_lu.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -194,7 +195,8 @@ x509_lu.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h x509_lu.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509_lu.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h x509_lu.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -x509_lu.o: ../include/internal/cryptlib.h x509_lcl.h x509_lu.c +x509_lu.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h +x509_lu.o: x509_lcl.h x509_lu.c x509_obj.o: ../../e_os.h ../../include/openssl/asn1.h x509_obj.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h x509_obj.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -309,7 +311,8 @@ x509_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h x509_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -x509_vfy.o: ../include/internal/cryptlib.h x509_lcl.h x509_vfy.c +x509_vfy.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h +x509_vfy.o: x509_lcl.h x509_vfy.c x509_vpm.o: ../../e_os.h ../../include/openssl/asn1.h x509_vpm.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h x509_vpm.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -337,7 +340,7 @@ x509cset.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h x509cset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509cset.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h x509cset.o: ../../include/openssl/x509_vfy.h ../include/internal/cryptlib.h -x509cset.o: x509cset.c +x509cset.o: ../include/internal/x509_int.h x509cset.c x509name.o: ../../e_os.h ../../include/openssl/asn1.h x509name.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h x509name.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index cc91db8..bd6c3c8 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -71,6 +71,7 @@ #include #include +#include "internal/x509_int.h" typedef struct lookup_dir_hashes_st { unsigned long hash; diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c index 6bba5bb..dc4670b 100644 --- a/crypto/x509/x509_ext.c +++ b/crypto/x509/x509_ext.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" #include int X509_CRL_get_ext_count(X509_CRL *x) diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 3dae7fa..2bd8de6 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -60,6 +60,7 @@ #include "internal/cryptlib.h" #include #include +#include "internal/x509_int.h" #include #include "x509_lcl.h" diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 45d53a0..1376e44 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -69,6 +69,7 @@ #include #include #include +#include "internal/x509_int.h" #include "x509_lcl.h" /* CRL score values */ diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index c687324..ca3f696 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -63,6 +63,7 @@ #include #include #include +#include "internal/x509_int.h" int X509_CRL_set_version(X509_CRL *x, long version) { @@ -137,6 +138,40 @@ void X509_CRL_up_ref(X509_CRL *crl) CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL); } +long X509_CRL_get_version(X509_CRL *crl) +{ + return ASN1_INTEGER_get(crl->crl->version); +} + +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl) +{ + return crl->crl->lastUpdate; +} + +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl) +{ + return crl->crl->nextUpdate; +} + +X509_NAME *X509_CRL_get_issuer(X509_CRL *crl) +{ + return crl->crl->issuer; +} + +STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) +{ + return crl->crl->revoked; +} + +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + const X509_CRL *crl) +{ + if (psig) + *psig = crl->signature; + if (palg) + *palg = crl->sig_alg; +} + int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) { ASN1_TIME *in; diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index 57d7e1a..516e7ad 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile @@ -270,7 +270,8 @@ v3_conf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_conf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_conf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_conf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_conf.o: ../include/internal/cryptlib.h v3_conf.c +v3_conf.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h +v3_conf.o: v3_conf.c v3_cpols.o: ../../e_os.h ../../include/openssl/asn1.h v3_cpols.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_cpols.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 38f198e..f1f8bb4 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -63,6 +63,7 @@ #include "internal/cryptlib.h" #include #include +#include "internal/x509_int.h" #include static int v3_check_critical(char **value); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index d1ecb29..708a695 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -340,38 +340,7 @@ struct x509_revoked_st { DECLARE_STACK_OF(X509_REVOKED) -typedef struct X509_crl_info_st { - ASN1_INTEGER *version; - X509_ALGOR *sig_alg; - X509_NAME *issuer; - ASN1_TIME *lastUpdate; - ASN1_TIME *nextUpdate; - STACK_OF(X509_REVOKED) *revoked; - STACK_OF(X509_EXTENSION) /* [0] */ *extensions; - ASN1_ENCODING enc; -} X509_CRL_INFO; - -struct X509_crl_st { - /* actual signature */ - X509_CRL_INFO *crl; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - int references; - int flags; - /* Copies of various extensions */ - AUTHORITY_KEYID *akid; - ISSUING_DIST_POINT *idp; - /* Convenient breakdown of IDP */ - int idp_flags; - int idp_reasons; - /* CRL and base CRL numbers for delta processing */ - ASN1_INTEGER *crl_number; - ASN1_INTEGER *base_crl_number; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; - STACK_OF(GENERAL_NAMES) *issuers; - const X509_CRL_METHOD *meth; - void *meth_data; -} /* X509_CRL */ ; +typedef struct X509_crl_info_st X509_CRL_INFO; DECLARE_STACK_OF(X509_CRL) @@ -494,12 +463,6 @@ extern "C" { # define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) # define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm)) -# define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version) -# define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate) -# define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate) -# define X509_CRL_get_issuer(x) ((x)->crl->issuer) -# define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) - void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl), int (*crl_free) (X509_CRL *crl), @@ -834,6 +797,14 @@ int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); int X509_CRL_sort(X509_CRL *crl); void X509_CRL_up_ref(X509_CRL *crl); +long X509_CRL_get_version(X509_CRL *crl); +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); +X509_NAME *X509_CRL_get_issuer(X509_CRL *crl); +STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); +void X509_CRL_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, + const X509_CRL *crl); + int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); diff --git a/util/libeay.num b/util/libeay.num index 080066a..0cf3cb7 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4595,3 +4595,9 @@ X509_CRL_up_ref 4953 EXIST::FUNCTION: X509_get_extension_flags 4954 EXIST::FUNCTION: X509_get_extended_key_usage 4955 EXIST::FUNCTION: X509_get_key_usage 4956 EXIST::FUNCTION: +X509_CRL_get_issuer 4957 EXIST::FUNCTION: +X509_CRL_get_nextUpdate 4958 EXIST::FUNCTION: +X509_CRL_get0_signature 4959 EXIST::FUNCTION: +X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: +X509_CRL_get_version 4961 EXIST::FUNCTION: +X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: From rsalz at openssl.org Thu Sep 3 02:09:12 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 02:09:12 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441246152.219179.31182.nullmailer@dev.openssl.org> The branch master has been updated via b51bce942023325e727ca4225252d06c49d8f2b7 (commit) from 66e87a9f0990198079bf4d2b3ce87581ad5b6b10 (commit) - Log ----------------------------------------------------------------- commit b51bce942023325e727ca4225252d06c49d8f2b7 Author: Rich Salz Date: Tue Aug 25 13:25:58 2015 -0400 Add and use OPENSSL_zalloc There are many places (nearly 50) where we malloc and then memset. Add an OPENSSL_zalloc routine to encapsulate that. (Missed one conversion; thanks Richard) Also fixes GH328 Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/asn1/ameth_lib.c | 5 ++--- crypto/asn1/tasn_new.c | 6 ++---- crypto/asn1/x_pkey.c | 3 +-- crypto/bio/bss_acpt.c | 4 +--- crypto/bio/bss_conn.c | 9 +-------- crypto/bio/bss_dgram.c | 19 ++++++------------- crypto/bn/bn_blind.c | 3 +-- crypto/comp/c_zlib.c | 4 +--- crypto/comp/comp_lib.c | 3 +-- crypto/dso/dso_lib.c | 3 +-- crypto/dso/dso_win32.c | 3 +-- crypto/ec/ecp_nistp224.c | 11 ++++------- crypto/ec/ecp_nistp521.c | 9 +++------ crypto/engine/eng_cryptodev.c | 3 +-- crypto/engine/eng_dyn.c | 3 +-- crypto/engine/eng_lib.c | 3 +-- crypto/evp/evp_enc.c | 3 +-- crypto/evp/pmeth_lib.c | 5 +---- crypto/mem.c | 15 +++++++++++---- crypto/pqueue/pqueue.c | 5 +---- crypto/rsa/rsa_lib.c | 2 +- crypto/rsa/rsa_pk1.c | 3 +-- crypto/sec_mem.c | 9 +++------ crypto/store/str_lib.c | 4 +--- crypto/store/str_mem.c | 3 +-- crypto/store/str_meth.c | 6 ++---- crypto/ts/ts_rsp_sign.c | 3 +-- crypto/ts/ts_verify_ctx.c | 6 ++---- crypto/ui/ui_lib.c | 6 ++---- crypto/x509/x509_vfy.c | 3 +-- crypto/x509/x509_vpm.c | 14 ++------------ crypto/x509v3/pcy_tree.c | 17 +++++------------ engines/ccgost/gost_pmeth.c | 6 ++---- include/openssl/crypto.h | 2 ++ ssl/bio_ssl.c | 3 +-- ssl/d1_both.c | 3 +-- ssl/d1_lib.c | 3 +-- ssl/s3_lib.c | 3 +-- ssl/ssl_cert.c | 7 ++----- ssl/ssl_ciph.c | 3 +-- ssl/ssl_lib.c | 10 ++-------- ssl/ssl_sess.c | 3 +-- test/ecdsatest.c | 4 +--- test/ssltest.c | 7 ++----- util/libeay.num | 1 + 45 files changed, 82 insertions(+), 168 deletions(-) diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 8060c18..155de83 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -283,12 +283,11 @@ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(EVP_PKEY *pkey) EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, const char *pem_str, const char *info) { - EVP_PKEY_ASN1_METHOD *ameth; - ameth = OPENSSL_malloc(sizeof(*ameth)); + EVP_PKEY_ASN1_METHOD *ameth = OPENSSL_zalloc(sizeof(*ameth)); + if (!ameth) return NULL; - memset(ameth, 0, sizeof(*ameth)); ameth->pkey_id = id; ameth->pkey_base_id = id; ameth->pkey_flags = flags | ASN1_PKEY_DYNAMIC; diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index f54bd9b..e7ceda3 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -135,10 +135,9 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) return 1; } } - *pval = OPENSSL_malloc(it->size); + *pval = OPENSSL_zalloc(it->size); if (!*pval) goto memerr; - memset(*pval, 0, it->size); asn1_set_choice_selector(pval, -1, it); if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) goto auxerr; @@ -158,10 +157,9 @@ int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) return 1; } } - *pval = OPENSSL_malloc(it->size); + *pval = OPENSSL_zalloc(it->size); if (!*pval) goto memerr; - memset(*pval, 0, it->size); asn1_do_lock(pval, 0, it); asn1_enc_init(pval, it); for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { diff --git a/crypto/asn1/x_pkey.c b/crypto/asn1/x_pkey.c index afd3aab..0710419 100644 --- a/crypto/asn1/x_pkey.c +++ b/crypto/asn1/x_pkey.c @@ -66,10 +66,9 @@ X509_PKEY *X509_PKEY_new(void) { X509_PKEY *ret = NULL; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) goto err; - memset(ret, 0, sizeof(*ret)); ret->version = 0; ret->enc_algor = X509_ALGOR_new(); diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 16a6608..eba6e25 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -137,10 +137,8 @@ static BIO_ACCEPT *BIO_ACCEPT_new(void) { BIO_ACCEPT *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) return (NULL); - - memset(ret, 0, sizeof(*ret)); ret->accept_sock = INVALID_SOCKET; ret->bind_mode = BIO_BIND_NORMAL; return (ret); diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index f23adb2..0733a29 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -286,19 +286,12 @@ BIO_CONNECT *BIO_CONNECT_new(void) { BIO_CONNECT *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) return (NULL); ret->state = BIO_CONN_S_BEFORE; ret->param_hostname = NULL; ret->param_port = NULL; ret->info_callback = NULL; - ret->nbio = 0; - ret->ip[0] = 0; - ret->ip[1] = 0; - ret->ip[2] = 0; - ret->ip[3] = 0; - ret->port = 0; - memset(&ret->them, 0, sizeof(ret->them)); return (ret); } diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index dabfea3..bbb9aca 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -221,16 +221,13 @@ BIO *BIO_new_dgram(int fd, int close_flag) static int dgram_new(BIO *bi) { - bio_dgram_data *data = NULL; + bio_dgram_data *data = OPENSSL_zalloc(sizeof(*data)); - bi->init = 0; - bi->num = 0; - data = OPENSSL_malloc(sizeof(*data)); if (data == NULL) return 0; - memset(data, 0, sizeof(*data)); + bi->init = 0; + bi->num = 0; bi->ptr = data; - bi->flags = 0; return (1); } @@ -997,16 +994,13 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) * connected socket won't use it. */ sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); - authchunks = OPENSSL_malloc(sockopt_len); + authchunks = OPENSSL_zalloc(sockopt_len); if (!authchunks) { BIO_vfree(bio); return (NULL); } - memset(authchunks, 0, sockopt_len); - ret = - getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, + ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len); - if (ret < 0) { OPENSSL_free(authchunks); BIO_vfree(bio); @@ -1086,10 +1080,9 @@ static int dgram_sctp_new(BIO *bi) bi->init = 0; bi->num = 0; - data = OPENSSL_malloc(sizeof(*data)); + data = OPENSSL_zalloc(sizeof(*data)); if (data == NULL) return 0; - memset(data, 0, sizeof(*data)); # ifdef SCTP_PR_SCTP_NONE data->prinfo.pr_policy = SCTP_PR_SCTP_NONE; # endif diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index 4ae6b09..7ca13bb 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -137,11 +137,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) bn_check_top(mod); - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - memset(ret, 0, sizeof(*ret)); if (A != NULL) { if ((ret->A = BN_dup(A)) == NULL) goto err; diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index f0fc0af..4747511 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -91,9 +91,7 @@ static void *zlib_zalloc(void *opaque, unsigned int no, unsigned int size) { void *p; - p = OPENSSL_malloc(no * size); - if (p) - memset(p, 0, no * size); + p = OPENSSL_zalloc(no * size); return p; } diff --git a/crypto/comp/comp_lib.c b/crypto/comp/comp_lib.c index aa82376..83fea93 100644 --- a/crypto/comp/comp_lib.c +++ b/crypto/comp/comp_lib.c @@ -63,9 +63,8 @@ COMP_CTX *COMP_CTX_new(COMP_METHOD *meth) { COMP_CTX *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) return (NULL); - memset(ret, 0, sizeof(*ret)); ret->meth = meth; if ((ret->meth->init != NULL) && !ret->meth->init(ret)) { OPENSSL_free(ret); diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index 12544b3..17d1732 100644 --- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -104,12 +104,11 @@ DSO *DSO_new_method(DSO_METHOD *meth) */ default_DSO_meth = DSO_METHOD_openssl(); } - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { DSOerr(DSO_F_DSO_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); } - memset(ret, 0, sizeof(*ret)); ret->meth_data = sk_void_new_null(); if (ret->meth_data == NULL) { /* sk_new doesn't generate any errors so we do */ diff --git a/crypto/dso/dso_win32.c b/crypto/dso/dso_win32.c index 2da318f..c6fec66 100644 --- a/crypto/dso/dso_win32.c +++ b/crypto/dso/dso_win32.c @@ -304,13 +304,12 @@ static struct file_st *win32_splitter(DSO *dso, const char *filename, return (NULL); } - result = OPENSSL_malloc(sizeof(*result)); + result = OPENSSL_zalloc(sizeof(*result)); if (result == NULL) { DSOerr(DSO_F_WIN32_SPLITTER, ERR_R_MALLOC_FAILURE); return (NULL); } - memset(result, 0, sizeof(*result)); position = IN_DEVICE; if ((filename[0] == '\\' && filename[1] == '\\') diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c index febfcab..8b1deaa 100644 --- a/crypto/ec/ecp_nistp224.c +++ b/crypto/ec/ecp_nistp224.c @@ -1199,13 +1199,12 @@ static void batch_mul(felem x_out, felem y_out, felem z_out, static NISTP224_PRE_COMP *nistp224_pre_comp_new() { - NISTP224_PRE_COMP *ret = NULL; - ret = OPENSSL_malloc(sizeof(*ret)); + NISTP224_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret)); + if (!ret) { ECerr(EC_F_NISTP224_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; } - memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp)); ret->references = 1; return ret; } @@ -1457,8 +1456,8 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, */ mixed = 1; } - secrets = OPENSSL_malloc(sizeof(*secrets) * num_points); - pre_comp = OPENSSL_malloc(sizeof(*pre_comp) * num_points); + secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points); + pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points); if (mixed) tmp_felems = OPENSSL_malloc(sizeof(felem) * (num_points * 17 + 1)); @@ -1472,8 +1471,6 @@ int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, * we treat NULL scalars as 0, and NULL points as points at infinity, * i.e., they contribute nothing to the linear combination */ - memset(secrets, 0, sizeof(*secrets) * num_points); - memset(pre_comp, 0, sizeof(*pre_comp) * num_points); for (i = 0; i < num_points; ++i) { if (i == num) /* the generator */ diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c index a5d7360..febf5e9 100644 --- a/crypto/ec/ecp_nistp521.c +++ b/crypto/ec/ecp_nistp521.c @@ -1644,13 +1644,12 @@ const EC_METHOD *EC_GFp_nistp521_method(void) static NISTP521_PRE_COMP *nistp521_pre_comp_new() { - NISTP521_PRE_COMP *ret = OPENSSL_malloc(sizeof(*ret)); + NISTP521_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) { ECerr(EC_F_NISTP521_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; } - memset(ret->g_pre_comp, 0, sizeof(ret->g_pre_comp)); ret->references = 1; return ret; } @@ -1902,8 +1901,8 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, */ mixed = 1; } - secrets = OPENSSL_malloc(sizeof(*secrets) * num_points); - pre_comp = OPENSSL_malloc(sizeof(*pre_comp) * num_points); + secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points); + pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points); if (mixed) tmp_felems = OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1)); @@ -1917,8 +1916,6 @@ int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, * we treat NULL scalars as 0, and NULL points as points at infinity, * i.e., they contribute nothing to the linear combination */ - memset(secrets, 0, sizeof(*secrets) * num_points); - memset(pre_comp, 0, sizeof(*pre_comp) * num_points); for (i = 0; i < num_points; ++i) { if (i == num) /* diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index 49a3989..ca567dc 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -1020,10 +1020,9 @@ static int bn2crparam(const BIGNUM *a, struct crparam *crp) bits = BN_num_bits(a); bytes = BN_num_bytes(a); - b = OPENSSL_malloc(bytes); + b = OPENSSL_zalloc(bytes); if (b == NULL) return (1); - memset(b, 0, bytes); crp->crp_p = (caddr_t) b; crp->crp_nbits = bits; diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index ae7d1d0..777f440 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -202,13 +202,12 @@ static void dynamic_data_ctx_free_func(void *parent, void *ptr, */ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx) { - dynamic_data_ctx *c = OPENSSL_malloc(sizeof(*c)); + dynamic_data_ctx *c = OPENSSL_zalloc(sizeof(*c)); if (!c) { ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE); return 0; } - memset(c, 0, sizeof(*c)); c->dynamic_dso = NULL; c->v_check = NULL; c->bind_engine = NULL; diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index c477c7e..a113ebc 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -66,12 +66,11 @@ ENGINE *ENGINE_new(void) { ENGINE *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ENGINEerr(ENGINE_F_ENGINE_NEW, ERR_R_MALLOC_FAILURE); return NULL; } - memset(ret, 0, sizeof(*ret)); ret->struct_ref = 1; engine_ref_debug(ret, 0, 1) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ENGINE, ret, &ret->ex_data); diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 405cbb0..7f55c41 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -158,12 +158,11 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ctx->cipher = cipher; if (ctx->cipher->ctx_size) { - ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size); + ctx->cipher_data = OPENSSL_zalloc(ctx->cipher->ctx_size); if (!ctx->cipher_data) { EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE); return 0; } - memset(ctx->cipher_data, 0, ctx->cipher->ctx_size); } else { ctx->cipher_data = NULL; } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index 210c7fa..f317471 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -198,15 +198,12 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) { EVP_PKEY_METHOD *pmeth; - pmeth = OPENSSL_malloc(sizeof(*pmeth)); + pmeth = OPENSSL_zalloc(sizeof(*pmeth)); if (!pmeth) return NULL; - memset(pmeth, 0, sizeof(*pmeth)); - pmeth->pkey_id = id; pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC; - pmeth->init = 0; pmeth->copy = 0; pmeth->cleanup = 0; diff --git a/crypto/mem.c b/crypto/mem.c index 8b9c8c3..33a76d2 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -312,14 +312,21 @@ void *CRYPTO_malloc(int num, const char *file, int line) return ret; } +void *CRYPTO_zalloc(int num, const char *file, int line) +{ + void *ret = CRYPTO_malloc(num, file, line); + + if (ret != NULL) + memset(ret, 0, num); + return ret; +} + char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); - if (ret == NULL) - return NULL; - - strcpy(ret, str); + if (ret != NULL) + strcpy(ret, str); return ret; } diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c index d10088e..b6e19c7 100644 --- a/crypto/pqueue/pqueue.c +++ b/crypto/pqueue/pqueue.c @@ -87,11 +87,8 @@ void pitem_free(pitem *item) pqueue_s *pqueue_new() { - pqueue_s *pq = OPENSSL_malloc(sizeof(*pq)); - if (pq == NULL) - return NULL; + pqueue_s *pq = OPENSSL_zalloc(sizeof(*pq)); - memset(pq, 0, sizeof(*pq)); return pq; } diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index b28021b..f62fd73 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -287,7 +287,7 @@ int RSA_memory_lock(RSA *r) j = 1; for (i = 0; i < 6; i++) j += bn_get_top(*t[i]); - if ((p = OPENSSL_malloc((off + j) * sizeof(BN_ULONG))) == NULL) { + if ((p = OPENSSL_malloc((off + j) * sizeof(*p))) == NULL) { RSAerr(RSA_F_RSA_MEMORY_LOCK, ERR_R_MALLOC_FAILURE); return (0); } diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index 9a8145b..8f8587a 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -203,12 +203,11 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, if (num < 11) goto err; - em = OPENSSL_malloc(num); + em = OPENSSL_zalloc(num); if (em == NULL) { RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE); return -1; } - memset(em, 0, num); /* * Always do this zero-padding copy (even when num == flen) to avoid * leaking that information. The copy still leaks some side-channel diff --git a/crypto/sec_mem.c b/crypto/sec_mem.c index a630cbc..fbed8b4 100644 --- a/crypto/sec_mem.c +++ b/crypto/sec_mem.c @@ -314,23 +314,20 @@ static int sh_init(size_t size, int minsize) for (i = sh.bittable_size; i; i >>= 1) sh.freelist_size++; - sh.freelist = OPENSSL_malloc(sh.freelist_size * sizeof (char *)); + sh.freelist = OPENSSL_zalloc(sh.freelist_size * sizeof (char *)); OPENSSL_assert(sh.freelist != NULL); if (sh.freelist == NULL) goto err; - memset(sh.freelist, 0, sh.freelist_size * sizeof (char *)); - sh.bittable = OPENSSL_malloc(sh.bittable_size >> 3); + sh.bittable = OPENSSL_zalloc(sh.bittable_size >> 3); OPENSSL_assert(sh.bittable != NULL); if (sh.bittable == NULL) goto err; - memset(sh.bittable, 0, sh.bittable_size >> 3); - sh.bitmalloc = OPENSSL_malloc(sh.bittable_size >> 3); + sh.bitmalloc = OPENSSL_zalloc(sh.bittable_size >> 3); OPENSSL_assert(sh.bitmalloc != NULL); if (sh.bitmalloc == NULL) goto err; - memset(sh.bitmalloc, 0, sh.bittable_size >> 3); /* Allocate space for heap, and two extra pages as guards */ #ifdef _SC_PAGE_SIZE diff --git a/crypto/store/str_lib.c b/crypto/store/str_lib.c index 3201da9..55ca19d 100644 --- a/crypto/store/str_lib.c +++ b/crypto/store/str_lib.c @@ -1154,9 +1154,7 @@ int STORE_delete_arbitrary(STORE *s, OPENSSL_ITEM attributes[], STORE_OBJECT *STORE_OBJECT_new(void) { - STORE_OBJECT *object = OPENSSL_malloc(sizeof(*object)); - if (object) - memset(object, 0, sizeof(*object)); + STORE_OBJECT *object = OPENSSL_zalloc(sizeof(*object)); return object; } diff --git a/crypto/store/str_mem.c b/crypto/store/str_mem.c index b14e289..1736f79 100644 --- a/crypto/store/str_mem.c +++ b/crypto/store/str_mem.c @@ -244,7 +244,7 @@ static void *mem_list_start(STORE *s, STORE_OBJECT_TYPES type, OPENSSL_ITEM attributes[], OPENSSL_ITEM parameters[]) { - struct mem_ctx_st *context = OPENSSL_malloc(sizeof(*context)); + struct mem_ctx_st *context = OPENSSL_zalloc(sizeof(*context)); void *attribute_context = NULL; STORE_ATTR_INFO *attrs = NULL; @@ -252,7 +252,6 @@ static void *mem_list_start(STORE *s, STORE_OBJECT_TYPES type, STOREerr(STORE_F_MEM_LIST_START, ERR_R_MALLOC_FAILURE); return 0; } - memset(context, 0, sizeof(*context)); attribute_context = STORE_parse_attrs_start(attributes); if (!attribute_context) { diff --git a/crypto/store/str_meth.c b/crypto/store/str_meth.c index 7487819..c030198 100644 --- a/crypto/store/str_meth.c +++ b/crypto/store/str_meth.c @@ -63,12 +63,10 @@ STORE_METHOD *STORE_create_method(char *name) { - STORE_METHOD *store_method = OPENSSL_malloc(sizeof(*store_method)); + STORE_METHOD *store_method = OPENSSL_zalloc(sizeof(*store_method)); - if (store_method) { - memset(store_method, 0, sizeof(*store_method)); + if (store_method) store_method->name = BUF_strdup(name); - } return store_method; } diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index f0fc503..9cacec8 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -169,11 +169,10 @@ TS_RESP_CTX *TS_RESP_CTX_new() { TS_RESP_CTX *ctx; - if ((ctx = OPENSSL_malloc(sizeof(*ctx))) == NULL) { + if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) { TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } - memset(ctx, 0, sizeof(*ctx)); /* Setting default callbacks. */ ctx->serial_cb = def_serial_cb; diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index 7465e04..e23ae26 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -63,11 +63,9 @@ TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) { - TS_VERIFY_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); + TS_VERIFY_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - if (ctx) - memset(ctx, 0, sizeof(*ctx)); - else + if (!ctx) TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE); return ctx; } diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 9ba844e..654d74f 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -582,12 +582,10 @@ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth) UI_METHOD *UI_create_method(char *name) { - UI_METHOD *ui_method = OPENSSL_malloc(sizeof(*ui_method)); + UI_METHOD *ui_method = OPENSSL_zalloc(sizeof(*ui_method)); - if (ui_method) { - memset(ui_method, 0, sizeof(*ui_method)); + if (ui_method) ui_method->name = BUF_strdup(name); - } return ui_method; } diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 1376e44..bc48b8a 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2259,13 +2259,12 @@ int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, X509_STORE_CTX *X509_STORE_CTX_new(void) { - X509_STORE_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); + X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); if (!ctx) { X509err(X509_F_X509_STORE_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } - memset(ctx, 0, sizeof(*ctx)); return ctx; } diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index eedc217..cf8784d 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -162,24 +162,14 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) X509_VERIFY_PARAM *param; X509_VERIFY_PARAM_ID *paramid; - param = OPENSSL_malloc(sizeof(*param)); + param = OPENSSL_zalloc(sizeof(*param)); if (!param) return NULL; - memset(param, 0, sizeof(*param)); - - paramid = OPENSSL_malloc(sizeof(*paramid)); + param->id = paramid = OPENSSL_zalloc(sizeof(*paramid)); if (!paramid) { OPENSSL_free(param); return NULL; } - memset(paramid, 0, sizeof(*paramid)); - /* Exotic platforms may have non-zero bit representation of NULL */ - paramid->hosts = NULL; - paramid->peername = NULL; - paramid->email = NULL; - paramid->ip = NULL; - - param->id = paramid; x509_verify_param_zero(param); return param; } diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 4b0ea15..2a41903 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -217,25 +217,18 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, } /* If we get this far initialize the tree */ - tree = OPENSSL_malloc(sizeof(*tree)); - if (!tree) return 0; - - tree->flags = 0; - tree->levels = OPENSSL_malloc(sizeof(*tree->levels) * n); - tree->nlevel = 0; - tree->extra_data = NULL; - tree->auth_policies = NULL; - tree->user_policies = NULL; - + tree->levels = OPENSSL_zalloc(sizeof(*tree->levels) * n); if (!tree->levels) { OPENSSL_free(tree); return 0; } - - memset(tree->levels, 0, sizeof(*tree->levels) * n); + tree->flags = 0; + tree->extra_data = NULL; + tree->auth_policies = NULL; + tree->user_policies = NULL; tree->nlevel = n; level = tree->levels; diff --git a/engines/ccgost/gost_pmeth.c b/engines/ccgost/gost_pmeth.c index 0574d6e..e70e297 100644 --- a/engines/ccgost/gost_pmeth.c +++ b/engines/ccgost/gost_pmeth.c @@ -24,10 +24,9 @@ static int pkey_gost_init(EVP_PKEY_CTX *ctx) struct gost_pmeth_data *data; EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx); - data = OPENSSL_malloc(sizeof(*data)); + data = OPENSSL_zalloc(sizeof(*data)); if (!data) return 0; - memset(data, 0, sizeof(*data)); if (pkey && EVP_PKEY_get0(pkey)) { switch (EVP_PKEY_base_id(pkey)) { case NID_id_GostR3410_2001: @@ -309,11 +308,10 @@ static int pkey_gost_derive_init(EVP_PKEY_CTX *ctx) /* -------- PKEY_METHOD for GOST MAC algorithm --------------------*/ static int pkey_gost_mac_init(EVP_PKEY_CTX *ctx) { - struct gost_mac_pmeth_data *data = OPENSSL_malloc(sizeof(*data)); + struct gost_mac_pmeth_data *data = OPENSSL_zalloc(sizeof(*data)); if (!data) return 0; - memset(data, 0, sizeof(*data)); EVP_PKEY_CTX_set_data(ctx, data); return 1; } diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index f1ff0e0..56afc51 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -337,6 +337,7 @@ int CRYPTO_is_mem_check_on(void); # define is_MemCheck_on() CRYPTO_is_mem_check_on() # define OPENSSL_malloc(num) CRYPTO_malloc((int)num,__FILE__,__LINE__) +# define OPENSSL_zalloc(num) CRYPTO_zalloc((int)num,__FILE__,__LINE__) # define OPENSSL_strdup(str) CRYPTO_strdup((str),__FILE__,__LINE__) # define OPENSSL_realloc(addr,num) \ CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__) @@ -469,6 +470,7 @@ void CRYPTO_get_mem_debug_functions(void (**m) void (**so) (long), long (**go) (void)); void *CRYPTO_malloc(int num, const char *file, int line); +void *CRYPTO_zalloc(int num, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); void CRYPTO_free(void *ptr); void CRYPTO_clear_free(void *ptr, size_t num); diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index aa6d623..639b105 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -101,13 +101,12 @@ BIO_METHOD *BIO_f_ssl(void) static int ssl_new(BIO *bi) { - BIO_SSL *bs = OPENSSL_malloc(sizeof(*bs)); + BIO_SSL *bs = OPENSSL_zalloc(sizeof(*bs)); if (bs == NULL) { BIOerr(BIO_F_SSL_NEW, ERR_R_MALLOC_FAILURE); return (0); } - memset(bs, 0, sizeof(*bs)); bi->init = 0; bi->ptr = (char *)bs; bi->flags = 0; diff --git a/ssl/d1_both.c b/ssl/d1_both.c index d2f5def..52b7304 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -187,13 +187,12 @@ static hm_fragment *dtls1_hm_fragment_new(unsigned long frag_len, /* Initialize reassembly bitmask if necessary */ if (reassembly) { - bitmask = OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len)); + bitmask = OPENSSL_zalloc(RSMBLY_BITMASK_SIZE(frag_len)); if (bitmask == NULL) { OPENSSL_free(buf); OPENSSL_free(frag); return NULL; } - memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); } frag->reassembly = bitmask; diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index fc1887a..d3b582a 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -135,11 +135,10 @@ int dtls1_new(SSL *s) if (!ssl3_new(s)) return (0); - if ((d1 = OPENSSL_malloc(sizeof(*d1))) == NULL) { + if ((d1 = OPENSSL_zalloc(sizeof(*d1))) == NULL) { ssl3_free(s); return (0); } - memset(d1, 0, sizeof(*d1)); d1->buffered_messages = pqueue_new(); d1->sent_messages = pqueue_new(); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 47d28e7..bb090ef 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3836,9 +3836,8 @@ int ssl3_new(SSL *s) { SSL3_STATE *s3; - if ((s3 = OPENSSL_malloc(sizeof(*s3))) == NULL) + if ((s3 = OPENSSL_zalloc(sizeof(*s3))) == NULL) goto err; - memset(s3, 0, sizeof(*s3)); s->s3 = s3; #ifndef OPENSSL_NO_SRP diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 1183961..c3e2c2e 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -167,13 +167,12 @@ int SSL_get_ex_data_X509_STORE_CTX_idx(void) CERT *ssl_cert_new(void) { - CERT *ret = OPENSSL_malloc(sizeof(*ret)); + CERT *ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { SSLerr(SSL_F_SSL_CERT_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - memset(ret, 0, sizeof(*ret)); ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); ret->references = 1; @@ -185,7 +184,7 @@ CERT *ssl_cert_new(void) CERT *ssl_cert_dup(CERT *cert) { - CERT *ret = OPENSSL_malloc(sizeof(*ret)); + CERT *ret = OPENSSL_zalloc(sizeof(*ret)); int i; if (ret == NULL) { @@ -193,8 +192,6 @@ CERT *ssl_cert_dup(CERT *cert) return (NULL); } - memset(ret, 0, sizeof(*ret)); - ret->key = &ret->pkeys[cert->key - cert->pkeys]; #ifndef OPENSSL_NO_RSA diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index c048fc2..2dd2379 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1038,12 +1038,11 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, curr = curr->next; } - number_uses = OPENSSL_malloc(sizeof(int) * (max_strength_bits + 1)); + number_uses = OPENSSL_zalloc(sizeof(int) * (max_strength_bits + 1)); if (!number_uses) { SSLerr(SSL_F_SSL_CIPHER_STRENGTH_SORT, ERR_R_MALLOC_FAILURE); return (0); } - memset(number_uses, 0, sizeof(int) * (max_strength_bits + 1)); /* * Now find the strength_bits values actually used diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fd1561e..b1d4771 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -277,10 +277,9 @@ SSL *SSL_new(SSL_CTX *ctx) return (NULL); } - s = OPENSSL_malloc(sizeof(*s)); + s = OPENSSL_zalloc(sizeof(*s)); if (s == NULL) goto err; - memset(s, 0, sizeof(*s)); RECORD_LAYER_init(&s->rlayer, s); @@ -1684,14 +1683,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); goto err; } - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) goto err; - memset(ret, 0, sizeof(*ret)); - ret->method = meth; - ret->cert_store = NULL; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; @@ -1706,8 +1702,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->get_session_cb = 0; ret->generate_session_id = 0; - memset(&ret->stats, 0, sizeof(ret->stats)); - ret->references = 1; ret->quiet_shutdown = 0; ret->info_callback = NULL; diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 69e6d7f..3e980bf 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -193,12 +193,11 @@ SSL_SESSION *SSL_SESSION_new(void) { SSL_SESSION *ss; - ss = OPENSSL_malloc(sizeof(*ss)); + ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); return (0); } - memset(ss, 0, sizeof(*ss)); ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 377e2c5..4b6d044 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -440,10 +440,8 @@ int test_builtin(BIO *out) goto builtin_err; } buf_len = 2 * bn_len; - if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL) + if ((raw_buf = OPENSSL_zalloc(buf_len)) == NULL) goto builtin_err; - /* Pad the bignums with leading zeroes. */ - memset(raw_buf, 0, buf_len); BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len); BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len); diff --git a/test/ssltest.c b/test/ssltest.c index 9144191..adf1368 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -2116,14 +2116,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) bufsiz = count > 40 * 1024 ? 40 * 1024 : count; - if ((cbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - if ((sbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - memset(cbuf, 0, bufsiz); - memset(sbuf, 0, bufsiz); - c_to_s = BIO_new(BIO_s_mem()); s_to_c = BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) { diff --git a/util/libeay.num b/util/libeay.num index 0cf3cb7..6b27c9e 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4592,6 +4592,7 @@ X509_up_ref 4950 EXIST::FUNCTION: X509_REQ_get_version 4951 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: +CRYPTO_zalloc 4954 EXIST::FUNCTION: X509_get_extension_flags 4954 EXIST::FUNCTION: X509_get_extended_key_usage 4955 EXIST::FUNCTION: X509_get_key_usage 4956 EXIST::FUNCTION: From rsalz at openssl.org Thu Sep 3 03:03:57 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 03:03:57 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441249437.455281.12972.nullmailer@dev.openssl.org> The branch master has been updated via 3a3cb629d9ef66639198f6130f58e30f0606adc8 (commit) from b51bce942023325e727ca4225252d06c49d8f2b7 (commit) - Log ----------------------------------------------------------------- commit 3a3cb629d9ef66639198f6130f58e30f0606adc8 Author: Rich Salz Date: Wed Aug 26 16:22:10 2015 -0400 Check OPENSSL_gmtime_diff It's test code that only runs on 64bit time_t machines. Move it to a standalone test/gmdifftest Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/o_time.c | 60 --------------- test/Makefile | 21 +++++- crypto/pkcs12/p12_crpt.c => test/gmdifftest.c | 105 +++++++++++++++----------- 3 files changed, 76 insertions(+), 110 deletions(-) copy crypto/pkcs12/p12_crpt.c => test/gmdifftest.c (56%) diff --git a/crypto/o_time.c b/crypto/o_time.c index 4e3dff3..3bd2748 100644 --- a/crypto/o_time.c +++ b/crypto/o_time.c @@ -378,63 +378,3 @@ static void julian_to_date(long jd, int *y, int *m, int *d) *m = j + 2 - (12 * L); *y = 100 * (n - 49) + i + L; } - -#ifdef OPENSSL_TIME_TEST - -# include - -/* - * Time checking test code. Check times are identical for a wide range of - * offsets. This should be run on a machine with 64 bit time_t or it will - * trigger the very errors the routines fix. - */ - -int main(int argc, char **argv) -{ - long offset; - for (offset = 0; offset < 1000000; offset++) { - check_time(offset); - check_time(-offset); - check_time(offset * 1000); - check_time(-offset * 1000); - } -} - -int check_time(long offset) -{ - struct tm tm1, tm2, o1; - int off_day, off_sec; - long toffset; - time_t t1, t2; - time(&t1); - t2 = t1 + offset; - OPENSSL_gmtime(&t2, &tm2); - OPENSSL_gmtime(&t1, &tm1); - o1 = tm1; - OPENSSL_gmtime_adj(&tm1, 0, offset); - if ((tm1.tm_year != tm2.tm_year) || - (tm1.tm_mon != tm2.tm_mon) || - (tm1.tm_mday != tm2.tm_mday) || - (tm1.tm_hour != tm2.tm_hour) || - (tm1.tm_min != tm2.tm_min) || (tm1.tm_sec != tm2.tm_sec)) { - fprintf(stderr, "TIME ERROR!!\n"); - fprintf(stderr, "Time1: %d/%d/%d, %d:%02d:%02d\n", - tm2.tm_mday, tm2.tm_mon + 1, tm2.tm_year + 1900, - tm2.tm_hour, tm2.tm_min, tm2.tm_sec); - fprintf(stderr, "Time2: %d/%d/%d, %d:%02d:%02d\n", - tm1.tm_mday, tm1.tm_mon + 1, tm1.tm_year + 1900, - tm1.tm_hour, tm1.tm_min, tm1.tm_sec); - return 0; - } - OPENSSL_gmtime_diff(&o1, &tm1, &off_day, &off_sec); - toffset = (long)off_day *SECS_PER_DAY + off_sec; - if (offset != toffset) { - fprintf(stderr, "TIME OFFSET ERROR!!\n"); - fprintf(stderr, "Expected %ld, Got %ld (%d:%d)\n", - offset, toffset, off_day, off_sec); - return 0; - } - return 1; -} - -#endif diff --git a/test/Makefile b/test/Makefile index 782a34b..4c41f51 100644 --- a/test/Makefile +++ b/test/Makefile @@ -34,6 +34,7 @@ ECTEST= ectest ECDSATEST= ecdsatest ECDHTEST= ecdhtest EXPTEST= exptest +GMDIFFTEST= gmdifftest IDEATEST= ideatest SHA1TEST= sha1test SHA256TEST= sha256t @@ -78,7 +79,7 @@ SSLSKEWITH0PTEST= sslskewith0ptest.pl TESTS= alltests -EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ +EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(GMDIFFTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ $(MD2TEST)$(EXE_EXT) $(MD4TEST)$(EXE_EXT) $(MD5TEST)$(EXE_EXT) $(HMACTEST)$(EXE_EXT) $(WPTEST)$(EXE_EXT) \ $(RC2TEST)$(EXE_EXT) $(RC4TEST)$(EXE_EXT) $(RC5TEST)$(EXE_EXT) \ $(DESTEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) \ @@ -96,7 +97,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST) # $(METHTEST)$(EXE_EXT) -OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ +OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(IDEATEST).o \ $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \ $(HMACTEST).o $(WPTEST).o \ $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ @@ -109,7 +110,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o testutil.o -SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ +SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(GMDIFFTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c $(WPTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ @@ -150,7 +151,7 @@ apps: @(cd ..; $(MAKE) DIRS=apps all) alltests: \ - test_des test_idea test_sha test_md4 test_md5 test_hmac \ + test_des test_gmdiff test_idea test_sha test_md4 test_md5 test_hmac \ test_md2 test_mdc2 test_wp \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \ test_rand test_bn test_ec test_ecdsa test_ecdh \ @@ -179,6 +180,10 @@ test_des: $(DESTEST)$(EXE_EXT) @echo $(START) $@ ../util/shlib_wrap.sh ./$(DESTEST) +test_gmdiff: $(GMDIFFTEST)$(EXE_EXT) + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(GMDIFFTEST) + test_idea: $(IDEATEST)$(EXE_EXT) @echo $(START) $@ ../util/shlib_wrap.sh ./$(IDEATEST) @@ -496,6 +501,9 @@ $(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO) $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO) @target=$(IDEATEST); $(BUILD_CMD) +$(GMDIFFTEST)$(EXE_EXT): $(GMDIFFTEST).o $(DLIBCRYPTO) + @target=$(GMDIFFTEST); $(BUILD_CMD) + $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO) @target=$(MD2TEST); $(BUILD_CMD) @@ -794,6 +802,11 @@ exptest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h exptest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h exptest.o: ../include/openssl/safestack.h ../include/openssl/stack.h exptest.o: ../include/openssl/symhacks.h exptest.c +gmdifftest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +gmdifftest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h +gmdifftest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h +gmdifftest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +gmdifftest.o: gmdifftest.c gost2814789test.o: ../e_os.h ../engines/ccgost/gost89.h gost2814789test.o: ../include/openssl/asn1.h ../include/openssl/bio.h gost2814789test.o: ../include/openssl/buffer.h ../include/openssl/conf.h diff --git a/crypto/pkcs12/p12_crpt.c b/test/gmdifftest.c similarity index 56% copy from crypto/pkcs12/p12_crpt.c copy to test/gmdifftest.c index e7d5ac9..57c6a3d 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/test/gmdifftest.c @@ -1,10 +1,5 @@ -/* p12_crpt.c */ -/* - * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project - * 1999. - */ /* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -57,57 +52,75 @@ * */ +#include #include -#include "internal/cryptlib.h" -#include -/* PKCS#12 PBE algorithms now in static table */ +#define SECS_PER_DAY (24 * 60 * 60) -void PKCS12_PBE_add(void) -{ -} +/* + * Time checking test code. Check times are identical for a wide range of + * offsets. This should be run on a machine with 64 bit time_t or it will + * trigger the very errors the routines fix. + */ -int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, - ASN1_TYPE *param, const EVP_CIPHER *cipher, - const EVP_MD *md, int en_de) +static int check_time(long offset) { - PBEPARAM *pbe; - int saltlen, iter, ret; - unsigned char *salt; - unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + struct tm tm1, tm2, o1; + int off_day, off_sec; + long toffset; + time_t t1, t2; + time(&t1); - if (cipher == NULL) + t2 = t1 + offset; + OPENSSL_gmtime(&t2, &tm2); + OPENSSL_gmtime(&t1, &tm1); + o1 = tm1; + OPENSSL_gmtime_adj(&tm1, 0, offset); + if ((tm1.tm_year != tm2.tm_year) || + (tm1.tm_mon != tm2.tm_mon) || + (tm1.tm_mday != tm2.tm_mday) || + (tm1.tm_hour != tm2.tm_hour) || + (tm1.tm_min != tm2.tm_min) || (tm1.tm_sec != tm2.tm_sec)) { + fprintf(stderr, "TIME ERROR!!\n"); + fprintf(stderr, "Time1: %d/%d/%d, %d:%02d:%02d\n", + tm2.tm_mday, tm2.tm_mon + 1, tm2.tm_year + 1900, + tm2.tm_hour, tm2.tm_min, tm2.tm_sec); + fprintf(stderr, "Time2: %d/%d/%d, %d:%02d:%02d\n", + tm1.tm_mday, tm1.tm_mon + 1, tm1.tm_year + 1900, + tm1.tm_hour, tm1.tm_min, tm1.tm_sec); return 0; - - /* Extract useful info from parameter */ - - pbe = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBEPARAM), param); - if (pbe == NULL) { - PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_DECODE_ERROR); + } + if (!OPENSSL_gmtime_diff(&off_day, &off_sec, &o1, &tm1)) + return 0; + toffset = (long)off_day *SECS_PER_DAY + off_sec; + if (offset != toffset) { + fprintf(stderr, "TIME OFFSET ERROR!!\n"); + fprintf(stderr, "Expected %ld, Got %ld (%d:%d)\n", + offset, toffset, off_day, off_sec); return 0; } + return 1; +} - if (!pbe->iter) - iter = 1; - else - iter = ASN1_INTEGER_get(pbe->iter); - salt = pbe->salt->data; - saltlen = pbe->salt->length; - if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_KEY_ID, - iter, EVP_CIPHER_key_length(cipher), key, md)) { - PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_KEY_GEN_ERROR); - PBEPARAM_free(pbe); +int main(int argc, char **argv) +{ + long offset; + int fails; + + if (sizeof(time_t) < 8) { + fprintf(stderr, "Skipping; time_t is less than 64-bits\n"); return 0; } - if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_IV_ID, - iter, EVP_CIPHER_iv_length(cipher), iv, md)) { - PKCS12err(PKCS12_F_PKCS12_PBE_KEYIVGEN, PKCS12_R_IV_GEN_ERROR); - PBEPARAM_free(pbe); - return 0; + for (fails = 0, offset = 0; offset < 1000000; offset++) { + if (!check_time(offset)) + fails++; + if (!check_time(-offset)) + fails++; + if (!check_time(offset * 1000)) + fails++; + if (!check_time(-offset * 1000)) + fails++; } - PBEPARAM_free(pbe); - ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, en_de); - OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); - OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); - return ret; + + return fails ? 1 : 0; } From levitte at openssl.org Thu Sep 3 08:51:09 2015 From: levitte at openssl.org (Richard Levitte) Date: Thu, 03 Sep 2015 08:51:09 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441270269.794452.30166.nullmailer@dev.openssl.org> The branch master has been updated via e56a79784c49b2b197d08a31b449152e96d5b395 (commit) from 3a3cb629d9ef66639198f6130f58e30f0606adc8 (commit) - Log ----------------------------------------------------------------- commit e56a79784c49b2b197d08a31b449152e96d5b395 Author: Richard Levitte Date: Thu Sep 3 10:16:59 2015 +0200 Two changes at ones lead to a confused libeay.num. Fix Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: util/libeay.num | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/util/libeay.num b/util/libeay.num index 6b27c9e..3563dba 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4593,12 +4593,12 @@ X509_REQ_get_version 4951 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: CRYPTO_zalloc 4954 EXIST::FUNCTION: -X509_get_extension_flags 4954 EXIST::FUNCTION: -X509_get_extended_key_usage 4955 EXIST::FUNCTION: -X509_get_key_usage 4956 EXIST::FUNCTION: -X509_CRL_get_issuer 4957 EXIST::FUNCTION: -X509_CRL_get_nextUpdate 4958 EXIST::FUNCTION: -X509_CRL_get0_signature 4959 EXIST::FUNCTION: -X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: -X509_CRL_get_version 4961 EXIST::FUNCTION: -X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: +X509_get_extension_flags 4955 EXIST::FUNCTION: +X509_get_extended_key_usage 4956 EXIST::FUNCTION: +X509_get_key_usage 4957 EXIST::FUNCTION: +X509_CRL_get_issuer 4958 EXIST::FUNCTION: +X509_CRL_get_nextUpdate 4959 EXIST::FUNCTION: +X509_CRL_get0_signature 4960 EXIST::FUNCTION: +X509_CRL_get_REVOKED 4961 EXIST::FUNCTION: +X509_CRL_get_version 4962 EXIST::FUNCTION: +X509_CRL_get_lastUpdate 4963 EXIST::FUNCTION: From rsalz at openssl.org Thu Sep 3 13:40:41 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 13:40:41 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1441287641.771148.21162.nullmailer@dev.openssl.org> The branch master has been updated via bd23ccf616b48786b915a72d0f1c345dc74c503a (commit) from 7daefd9fb8ada1fb5c919d27217cb39ffcd12ca3 (commit) - Log ----------------------------------------------------------------- commit bd23ccf616b48786b915a72d0f1c345dc74c503a Author: Rich Salz Date: Thu Sep 3 09:27:23 2015 -0400 Fix UserGuide.pdf links ----------------------------------------------------------------------- Summary of changes: docs/fipsnotes.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/fipsnotes.html b/docs/fipsnotes.html index 7d66084..c3726b1 100644 --- a/docs/fipsnotes.html +++ b/docs/fipsnotes.html @@ -9,7 +9,7 @@

Important Notes about OpenSSL and FIPS 140

-

Please please read the User Guide. +

Please please read the User Guide. Nothing will make sense otherwise (it still may not afterwards, but at least you've a better chance).

@@ -20,7 +20,7 @@

Ok, so your company needs FIPS validated cryptography to land that big sale, and your product currently uses OpenSSL. You haven't worked up the motivation to wade through the entire User Guide and want the quick "executive + href="fips/UserGuide.pdf">User Guide and want the quick "executive summary". Here is a grossly oversimplified account:

@@ -91,7 +91,7 @@ href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf">Security Policy and source at a minimum. And did we mention the - User Guide?

+ User Guide?

Performance at Startup

From rsalz at openssl.org Thu Sep 3 13:41:54 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 13:41:54 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441287714.373474.21646.nullmailer@dev.openssl.org> The branch master has been updated via 66c103bdaba21749555c8073a3f20b7741fa5869 (commit) from e56a79784c49b2b197d08a31b449152e96d5b395 (commit) - Log ----------------------------------------------------------------- commit 66c103bdaba21749555c8073a3f20b7741fa5869 Author: Alessandro Ghedini Date: Thu Aug 20 00:12:29 2015 +0200 Add initial Travis CI configuration Closes #63 Signed-off-by: Rich Salz Reviewed-by: Ben Laurie ----------------------------------------------------------------------- Summary of changes: .travis.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..2862473 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,24 @@ +language: c + +os: + - linux + - osx + +compiler: + - clang + - gcc + +env: + - CONFIG_OPTS="" + - CONFIG_OPTS="--debug" + - CONFIG_OPTS="shared" + +script: + - ./config $CONFIG_OPTS && make && make test + +notifications: + recipient: + - openssl-dev at openssl.org + email: + on_success: change + on_failure: always From rsalz at openssl.org Thu Sep 3 16:40:30 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 16:40:30 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441298430.693139.14323.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via cef9dcbb45c936024cda5d741aee586aa530f052 (commit) from 40d5689458593aeca0d1a7f3591f7ccb48e459ac (commit) - Log ----------------------------------------------------------------- commit cef9dcbb45c936024cda5d741aee586aa530f052 Author: Alessandro Ghedini Date: Thu Aug 20 00:12:29 2015 +0200 Add initial Travis CI configuration Closes #63 Signed-off-by: Rich Salz Reviewed-by: Ben Laurie (cherry picked from commit 66c103bdaba21749555c8073a3f20b7741fa5869) ----------------------------------------------------------------------- Summary of changes: .travis.yml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..2862473 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,24 @@ +language: c + +os: + - linux + - osx + +compiler: + - clang + - gcc + +env: + - CONFIG_OPTS="" + - CONFIG_OPTS="--debug" + - CONFIG_OPTS="shared" + +script: + - ./config $CONFIG_OPTS && make && make test + +notifications: + recipient: + - openssl-dev at openssl.org + email: + on_success: change + on_failure: always From steve at openssl.org Thu Sep 3 17:38:23 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 03 Sep 2015 17:38:23 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441301903.327607.22813.nullmailer@dev.openssl.org> The branch master has been updated via 231efb936548320e81c3259b41c26bb71e83720a (commit) via d95466931ddf6f26f840ae3e42594924d25f395e (commit) from 66c103bdaba21749555c8073a3f20b7741fa5869 (commit) - Log ----------------------------------------------------------------- commit 231efb936548320e81c3259b41c26bb71e83720a Author: Dr. Stephen Henson Date: Thu Sep 3 16:25:03 2015 +0100 make update Reviewed-by: Matt Caswell commit d95466931ddf6f26f840ae3e42594924d25f395e Author: Dr. Stephen Henson Date: Thu Sep 3 15:46:43 2015 +0100 PBE lookup test Add test to check PBE lookups: these can fail if the PBE table is not correctly orders. Add to "make test". Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/evp/evp_pbe.c | 40 ++++++++----------- include/openssl/evp.h | 1 + test/Makefile | 23 +++++++++-- crypto/rsa/rsa_prn.c => test/pbelutest.c | 66 ++++++++++++++++---------------- util/libeay.num | 1 + 5 files changed, 69 insertions(+), 62 deletions(-) copy crypto/rsa/rsa_prn.c => test/pbelutest.c (72%) diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 13d9658..b9330f5 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -122,31 +122,6 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen} }; -#ifdef TEST -int main(int argc, char **argv) -{ - int i, nid_md, nid_cipher; - EVP_PBE_CTL *tpbe, *tpbe2; - /* - * OpenSSL_add_all_algorithms(); - */ - - for (i = 0; i < OSSL_NELEM(builtin_pbe); i++) { - tpbe = builtin_pbe + i; - fprintf(stderr, "%d %d %s ", tpbe->pbe_type, tpbe->pbe_nid, - OBJ_nid2sn(tpbe->pbe_nid)); - if (EVP_PBE_find(tpbe->pbe_type, tpbe->pbe_nid, - &nid_cipher, &nid_md, 0)) - fprintf(stderr, "Found %s %s\n", - OBJ_nid2sn(nid_cipher), OBJ_nid2sn(nid_md)); - else - fprintf(stderr, "Find ERROR!!\n"); - } - - return 0; -} -#endif - int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, ASN1_TYPE *param, EVP_CIPHER_CTX *ctx, int en_de) { @@ -302,3 +277,18 @@ void EVP_PBE_cleanup(void) sk_EVP_PBE_CTL_pop_free(pbe_algs, free_evp_pbe_ctl); pbe_algs = NULL; } + +int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num) +{ + const EVP_PBE_CTL *tpbe; + + if (num >= OSSL_NELEM(builtin_pbe)) + return 0; + + tpbe = builtin_pbe + num; + if (ptype) + *ptype = tpbe->pbe_type; + if (ppbe_nid) + *ppbe_nid = tpbe->pbe_nid; + return 1; +} diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ddefbf6..d5333e2 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1105,6 +1105,7 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md, int EVP_PBE_find(int type, int pbe_nid, int *pcnid, int *pmnid, EVP_PBE_KEYGEN **pkeygen); void EVP_PBE_cleanup(void); +int EVP_PBE_get(int *ptype, int *ppbe_nid, size_t num); # define ASN1_PKEY_ALIAS 0x1 # define ASN1_PKEY_DYNAMIC 0x2 diff --git a/test/Makefile b/test/Makefile index 4c41f51..8692347 100644 --- a/test/Makefile +++ b/test/Makefile @@ -35,6 +35,7 @@ ECDSATEST= ecdsatest ECDHTEST= ecdhtest EXPTEST= exptest GMDIFFTEST= gmdifftest +PBELUTEST= pbelutest IDEATEST= ideatest SHA1TEST= sha1test SHA256TEST= sha256t @@ -79,7 +80,7 @@ SSLSKEWITH0PTEST= sslskewith0ptest.pl TESTS= alltests -EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(GMDIFFTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ +EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(GMDIFFTEST)$(EXE_EXT) $(PBELUTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ $(MD2TEST)$(EXE_EXT) $(MD4TEST)$(EXE_EXT) $(MD5TEST)$(EXE_EXT) $(HMACTEST)$(EXE_EXT) $(WPTEST)$(EXE_EXT) \ $(RC2TEST)$(EXE_EXT) $(RC4TEST)$(EXE_EXT) $(RC5TEST)$(EXE_EXT) \ $(DESTEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) \ @@ -97,7 +98,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST) # $(METHTEST)$(EXE_EXT) -OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(IDEATEST).o \ +OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(PBELUTEST).o $(IDEATEST).o \ $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \ $(HMACTEST).o $(WPTEST).o \ $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ @@ -110,7 +111,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(IDE $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o testutil.o -SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(GMDIFFTEST).c $(IDEATEST).c \ +SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(GMDIFFTEST).c $(PBELUTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c $(WPTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ @@ -152,7 +153,7 @@ apps: alltests: \ test_des test_gmdiff test_idea test_sha test_md4 test_md5 test_hmac \ - test_md2 test_mdc2 test_wp \ + test_pbelu test_md2 test_mdc2 test_wp \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \ test_rand test_bn test_ec test_ecdsa test_ecdh \ test_enc test_x509 test_rsa test_crl test_sid \ @@ -184,6 +185,10 @@ test_gmdiff: $(GMDIFFTEST)$(EXE_EXT) @echo $(START) $@ ../util/shlib_wrap.sh ./$(GMDIFFTEST) +test_pbelu: $(PBELUTEST)$(EXE_EXT) + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(PBELUTEST) + test_idea: $(IDEATEST)$(EXE_EXT) @echo $(START) $@ ../util/shlib_wrap.sh ./$(IDEATEST) @@ -504,6 +509,9 @@ $(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO) $(GMDIFFTEST)$(EXE_EXT): $(GMDIFFTEST).o $(DLIBCRYPTO) @target=$(GMDIFFTEST); $(BUILD_CMD) +$(PBELUTEST)$(EXE_EXT): $(PBELUTEST).o $(DLIBCRYPTO) + @target=$(PBELUTEST); $(BUILD_CMD) + $(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO) @target=$(MD2TEST); $(BUILD_CMD) @@ -902,6 +910,13 @@ packettest.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h packettest.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h packettest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h packettest.o: ../ssl/packet_locl.h packettest.c +pbelutest.o: ../include/openssl/asn1.h ../include/openssl/bio.h +pbelutest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h +pbelutest.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h +pbelutest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +pbelutest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +pbelutest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +pbelutest.o: ../include/openssl/symhacks.h pbelutest.c randtest.o: ../e_os.h ../include/openssl/e_os2.h randtest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h randtest.o: ../include/openssl/rand.h randtest.c diff --git a/crypto/rsa/rsa_prn.c b/test/pbelutest.c similarity index 72% copy from crypto/rsa/rsa_prn.c copy to test/pbelutest.c index 3d8c800..dafae78 100644 --- a/crypto/rsa/rsa_prn.c +++ b/test/pbelutest.c @@ -1,10 +1,5 @@ -/* crypto/rsa/rsa_prn.c */ -/* - * Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL project - * 2006. - */ /* ==================================================================== - * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -57,36 +52,41 @@ * */ -#include -#include "internal/cryptlib.h" -#include #include +#include +#include -#ifndef OPENSSL_NO_STDIO -int RSA_print_fp(FILE *fp, const RSA *x, int off) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) { - RSAerr(RSA_F_RSA_PRINT_FP, ERR_R_BUF_LIB); - return (0); - } - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = RSA_print(b, x, off); - BIO_free(b); - return (ret); -} -#endif +/* + * Password based encryption (PBE) table ordering test. + * Attempt to look up all supported algorithms. + */ -int RSA_print(BIO *bp, const RSA *x, int off) +int main(int argc, char **argv) { - EVP_PKEY *pk; - int ret; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) + size_t i; + int rv = 0; + int pbe_type, pbe_nid; + int last_type = -1, last_nid = -1; + for (i = 0; EVP_PBE_get(&pbe_type, &pbe_nid, i) != 0; i++) { + if (EVP_PBE_find(pbe_type, pbe_nid, NULL, NULL, 0) == 0) { + rv = 1; + break; + } + } + if (rv == 0) return 0; - ret = EVP_PKEY_print_private(bp, pk, off, NULL); - EVP_PKEY_free(pk); - return ret; + /* Error: print out whole table */ + for (i = 0; EVP_PBE_get(&pbe_type, &pbe_nid, i) != 0; i++) { + if (pbe_type > last_type) + rv = 0; + else if (pbe_type < last_type || pbe_nid < last_nid) + rv = 1; + else + rv = 0; + fprintf(stderr, "PBE type=%d %d (%s): %s\n", pbe_type, pbe_nid, + OBJ_nid2sn(pbe_nid), rv ? "ERROR" : "OK"); + last_type = pbe_type; + last_nid = pbe_nid; + } + return 1; } diff --git a/util/libeay.num b/util/libeay.num index 3563dba..bfdd162 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4602,3 +4602,4 @@ X509_CRL_get0_signature 4960 EXIST::FUNCTION: X509_CRL_get_REVOKED 4961 EXIST::FUNCTION: X509_CRL_get_version 4962 EXIST::FUNCTION: X509_CRL_get_lastUpdate 4963 EXIST::FUNCTION: +EVP_PBE_get 4964 EXIST::FUNCTION: From rsalz at openssl.org Thu Sep 3 18:45:30 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 18:45:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441305930.994518.4256.nullmailer@dev.openssl.org> The branch master has been updated via e968561d5e762e6c05e74541137916b4f20a144b (commit) from 231efb936548320e81c3259b41c26bb71e83720a (commit) - Log ----------------------------------------------------------------- commit e968561d5e762e6c05e74541137916b4f20a144b Author: David Bar Date: Mon Aug 3 12:45:26 2015 -0400 RT3674: Make no-cms build work. Also has changes from from David Woodhouse and some tweaks from me. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/dh/Makefile | 2 +- crypto/dh/dh_kdf.c | 6 ++++++ crypto/dh/dh_pmeth.c | 12 ++++++++++-- crypto/ec/ec_ameth.c | 2 ++ crypto/rsa/rsa_ameth.c | 8 ++++++++ include/openssl/dh.h | 4 ++++ test/cms-test.pl | 7 +++++++ util/libeay.num | 2 +- 8 files changed, 39 insertions(+), 4 deletions(-) diff --git a/crypto/dh/Makefile b/crypto/dh/Makefile index f9be501..655bca0 100644 --- a/crypto/dh/Makefile +++ b/crypto/dh/Makefile @@ -120,7 +120,7 @@ dh_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h dh_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h dh_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h dh_gen.o: ../include/internal/cryptlib.h dh_gen.c -dh_kdf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +dh_kdf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h dh_kdf.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h dh_kdf.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h dh_kdf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c index b812d82..5597960 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c @@ -51,13 +51,18 @@ * ==================================================================== */ +#include + +#ifndef OPENSSL_NO_CMS #include #include #include #include #include + /* Key derivation from X9.42/RFC2631 */ +/* Uses CMS functions, hence the #ifdef wrapper. */ #define DH_KDF_MAX (1L << 30) @@ -184,3 +189,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, EVP_MD_CTX_cleanup(&mctx); return rv; } +#endif diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 763e42f..751428c 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -205,7 +205,11 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) case EVP_PKEY_CTRL_DH_KDF_TYPE: if (p1 == -2) return dctx->kdf_type; +#ifdef OPENSSL_NO_CMS + if (p1 != EVP_PKEY_DH_KDF_NONE) +#else if (p1 != EVP_PKEY_DH_KDF_NONE && p1 != EVP_PKEY_DH_KDF_X9_42) +#endif return -2; dctx->kdf_type = p1; return 1; @@ -447,7 +451,10 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, return ret; *keylen = ret; return 1; - } else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) { + } +#ifndef OPENSSL_NO_CMS + else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) { + unsigned char *Z = NULL; size_t Zlen = 0; if (!dctx->kdf_outlen || !dctx->kdf_oid) @@ -475,7 +482,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, OPENSSL_clear_free(Z, Zlen); return ret; } - return 1; +#endif + return 0; } const EVP_PKEY_METHOD dh_pkey_meth = { diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index edb68d1..e2f3287 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -67,8 +67,10 @@ #include #include "internal/asn1_int.h" +#ifndef OPENSSL_NO_CMS static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); +#endif static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) { diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index d409631..63f88e5 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -68,10 +68,12 @@ #endif #include "internal/asn1_int.h" +#ifndef OPENSSL_NO_CMS static int rsa_cms_sign(CMS_SignerInfo *si); static int rsa_cms_verify(CMS_SignerInfo *si); static int rsa_cms_decrypt(CMS_RecipientInfo *ri); static int rsa_cms_encrypt(CMS_RecipientInfo *ri); +#endif static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { @@ -653,6 +655,7 @@ static int rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, return rv; } +#ifndef OPENSSL_NO_CMS static int rsa_cms_verify(CMS_SignerInfo *si) { int nid, nid2; @@ -671,6 +674,7 @@ static int rsa_cms_verify(CMS_SignerInfo *si) } return 0; } +#endif /* * Customised RSA item verification routine. This is called when a signature @@ -693,6 +697,7 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, return -1; } +#ifndef OPENSSL_NO_CMS static int rsa_cms_sign(CMS_SignerInfo *si) { int pad_mode = RSA_PKCS1_PADDING; @@ -717,6 +722,7 @@ static int rsa_cms_sign(CMS_SignerInfo *si) X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE, os); return 1; } +#endif static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, X509_ALGOR *alg1, X509_ALGOR *alg2, @@ -750,6 +756,7 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, return 2; } +#ifndef OPENSSL_NO_CMS static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash) { @@ -900,6 +907,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) ASN1_STRING_free(os); return rv; } +#endif const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { { diff --git a/include/openssl/dh.h b/include/openssl/dh.h index f1de53d..f5b03d3 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -239,11 +239,13 @@ DH *DH_get_1024_160(void); DH *DH_get_2048_224(void); DH *DH_get_2048_256(void); +# ifndef OPENSSL_NO_CMS /* RFC2631 KDF */ int DH_KDF_X9_42(unsigned char *out, size_t outlen, const unsigned char *Z, size_t Zlen, ASN1_OBJECT *key_oid, const unsigned char *ukm, size_t ukmlen, const EVP_MD *md); +# endif # define EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, len) \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_PARAMGEN, \ @@ -336,7 +338,9 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, /* KDF types */ # define EVP_PKEY_DH_KDF_NONE 1 +# ifndef OPENSSL_NO_CMS # define EVP_PKEY_DH_KDF_X9_42 2 +# endif /* BEGIN ERROR CODES */ /* diff --git a/test/cms-test.pl b/test/cms-test.pl index baa3b59..1ee3f02 100644 --- a/test/cms-test.pl +++ b/test/cms-test.pl @@ -100,6 +100,13 @@ my $no_ec2m; my $no_ecdh; my $ossl8 = `$ossl_path version -v` =~ /0\.9\.8/; +system ("$ossl_path no-cms > $null_path"); +if ($? == 0) + { + print "CMS disabled\n"; + exit 0; + } + system ("$ossl_path no-ec > $null_path"); if ($? == 0) { diff --git a/util/libeay.num b/util/libeay.num index bfdd162..fd8375d 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4368,7 +4368,7 @@ DH_compute_key_padded 4732 EXIST::FUNCTION:DH ECDSA_METHOD_set_sign 4733 EXIST::FUNCTION:EC CMS_RecipientEncryptedKey_cert_cmp 4734 EXIST:!VMS:FUNCTION:CMS CMS_RecipEncryptedKey_cert_cmp 4734 EXIST:VMS:FUNCTION:CMS -DH_KDF_X9_42 4735 EXIST::FUNCTION:DH +DH_KDF_X9_42 4735 EXIST::FUNCTION:CMS,DH RSA_OAEP_PARAMS_free 4736 EXIST::FUNCTION:RSA EVP_des_ede3_wrap 4737 EXIST::FUNCTION:DES RSA_OAEP_PARAMS_it 4738 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA From levitte at openssl.org Thu Sep 3 18:56:20 2015 From: levitte at openssl.org (Richard Levitte) Date: Thu, 03 Sep 2015 18:56:20 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441306580.204271.7404.nullmailer@dev.openssl.org> The branch master has been updated via 1912c5d811f053e7cba6d30098abf4c52954a94c (commit) from e968561d5e762e6c05e74541137916b4f20a144b (commit) - Log ----------------------------------------------------------------- commit 1912c5d811f053e7cba6d30098abf4c52954a94c Author: Richard Levitte Date: Thu Sep 3 14:03:54 2015 +0200 Win32 build fix: include internal/numbers.h to get UIN32_MAX Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/x509v3/v3_purp.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 13c5120..b03c323 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -59,6 +59,7 @@ #include #include "internal/cryptlib.h" +#include "internal/numbers.h" #include #include From rsalz at openssl.org Thu Sep 3 19:42:15 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 19:42:15 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441309335.669596.15029.nullmailer@dev.openssl.org> The branch master has been updated via fb4844bbc62fb014c115cd8fd2fc4304cba6eb89 (commit) from 1912c5d811f053e7cba6d30098abf4c52954a94c (commit) - Log ----------------------------------------------------------------- commit fb4844bbc62fb014c115cd8fd2fc4304cba6eb89 Author: Long, Qin Date: Wed Jul 22 10:04:18 2015 +0100 Add UEFI flag for rand build Add OPENSSL_SYS_UEFI flag for RAND handling; Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/rand/rand_unix.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c index 72f8617..bb70a5b 100644 --- a/crypto/rand/rand_unix.c +++ b/crypto/rand/rand_unix.c @@ -116,7 +116,7 @@ #include #include "rand_lcl.h" -#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE)) +#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_UEFI)) # include # include @@ -419,7 +419,7 @@ int RAND_poll(void) * defined(OPENSSL_SYS_VXWORKS) || * defined(OPENSSL_SYS_NETWARE)) */ -#if defined(OPENSSL_SYS_VXWORKS) +#if defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI) int RAND_poll(void) { return 0; From rsalz at openssl.org Thu Sep 3 20:26:43 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 20:26:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441312003.206850.21793.nullmailer@dev.openssl.org> The branch master has been updated via 64b25758edca688a30f02c260262150f7ad0bc7d (commit) from fb4844bbc62fb014c115cd8fd2fc4304cba6eb89 (commit) - Log ----------------------------------------------------------------- commit 64b25758edca688a30f02c260262150f7ad0bc7d Author: Rich Salz Date: Thu Sep 3 09:15:26 2015 -0400 remove 0 assignments. After openssl_zalloc, cleanup more "set to 0/NULL" assignments. Many are from github feedback. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/s_cb.c | 9 +-------- crypto/asn1/a_object.c | 7 +------ crypto/asn1/ameth_lib.c | 35 ++--------------------------------- crypto/asn1/asn1_lib.c | 5 +---- crypto/asn1/tasn_prn.c | 8 ++------ crypto/asn1/x_info.c | 12 ++---------- crypto/asn1/x_pkey.c | 7 ------- crypto/bio/bf_buff.c | 10 +++------- crypto/bio/bf_nbio.c | 3 +-- crypto/bio/bss_dgram.c | 3 --- crypto/bn/bn_ctx.c | 6 +----- crypto/bn/bn_lib.c | 6 +----- crypto/buffer/buffer.c | 6 +----- crypto/comp/c_zlib.c | 19 ++----------------- crypto/conf/conf_mod.c | 3 +-- crypto/dh/dh_lib.c | 15 +-------------- crypto/dh/dh_pmeth.c | 12 ++---------- crypto/dsa/dsa_lib.c | 15 +-------------- crypto/ec/ec_key.c | 8 +------- crypto/ec/ec_lib.c | 16 ++-------------- crypto/ec/ec_mult.c | 5 +---- crypto/ec/ec_pmeth.c | 11 +---------- crypto/ecdsa/ecs_lib.c | 9 +-------- crypto/engine/eng_dyn.c | 13 +++---------- crypto/engine/eng_openssl.c | 7 ++----- crypto/evp/bio_b64.c | 8 +------- crypto/evp/bio_enc.c | 8 ++------ crypto/evp/bio_ok.c | 10 +--------- crypto/evp/pmeth_lib.c | 30 +----------------------------- crypto/hmac/hm_pmeth.c | 7 ++----- crypto/lhash/lhash.c | 26 +++----------------------- crypto/objects/o_names.c | 6 +----- crypto/ocsp/ocsp_ht.c | 3 +-- crypto/rsa/rsa_lib.c | 18 +----------------- crypto/rsa/rsa_pmeth.c | 11 +---------- crypto/stack/stack.c | 8 ++------ crypto/ui/ui_lib.c | 5 +---- crypto/x509/x509_lu.c | 20 ++------------------ crypto/x509/x_name.c | 4 +--- crypto/x509v3/Makefile | 29 +++++++++++++++-------------- crypto/x509v3/pcy_data.c | 7 ++----- crypto/x509v3/pcy_node.c | 4 ++-- crypto/x509v3/pcy_tree.c | 6 +----- engines/e_capi.c | 7 +------ ssl/ssl_conf.c | 18 +----------------- ssl/ssl_lib.c | 43 +------------------------------------------ ssl/ssl_sess.c | 19 +------------------ 47 files changed, 78 insertions(+), 469 deletions(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index 07ce997..a1305d3 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -991,14 +991,7 @@ static int ssl_excert_prepend(SSL_EXCERT **pexc) { SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert"); - exc->certfile = NULL; - exc->keyfile = NULL; - exc->chainfile = NULL; - exc->cert = NULL; - exc->key = NULL; - exc->chain = NULL; - exc->prev = NULL; - exc->build_chain = 0; + memset(exc, 0, sizeof(*exc)); exc->next = *pexc; *pexc = exc; diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index ab37fa3..44473dc 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -345,16 +345,11 @@ ASN1_OBJECT *ASN1_OBJECT_new(void) { ASN1_OBJECT *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_OBJECT_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - ret->length = 0; - ret->data = NULL; - ret->nid = 0; - ret->sn = NULL; - ret->ln = NULL; ret->flags = ASN1_OBJECT_FLAG_DYNAMIC; return (ret); } diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index 155de83..feef015 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -296,48 +296,17 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, ameth->info = BUF_strdup(info); if (!ameth->info) goto err; - } else - ameth->info = NULL; + } if (pem_str) { ameth->pem_str = BUF_strdup(pem_str); if (!ameth->pem_str) goto err; - } else - ameth->pem_str = NULL; - - ameth->pub_decode = 0; - ameth->pub_encode = 0; - ameth->pub_cmp = 0; - ameth->pub_print = 0; - - ameth->priv_decode = 0; - ameth->priv_encode = 0; - ameth->priv_print = 0; - - ameth->old_priv_encode = 0; - ameth->old_priv_decode = 0; - - ameth->item_verify = 0; - ameth->item_sign = 0; - - ameth->pkey_size = 0; - ameth->pkey_bits = 0; - - ameth->param_decode = 0; - ameth->param_encode = 0; - ameth->param_missing = 0; - ameth->param_copy = 0; - ameth->param_cmp = 0; - ameth->param_print = 0; - - ameth->pkey_free = 0; - ameth->pkey_ctrl = 0; + } return ameth; err: - EVP_PKEY_asn1_free(ameth); return NULL; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 94b5ad5..3b36644 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -348,15 +348,12 @@ ASN1_STRING *ASN1_STRING_type_new(int type) { ASN1_STRING *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_STRING_TYPE_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - ret->length = 0; ret->type = type; - ret->data = NULL; - ret->flags = 0; return (ret); } diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 716db8f..5314c61 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -85,16 +85,12 @@ ASN1_PCTX default_pctx = { ASN1_PCTX *ASN1_PCTX_new(void) { ASN1_PCTX *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ASN1err(ASN1_F_ASN1_PCTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } - ret->flags = 0; - ret->nm_flags = 0; - ret->cert_flags = 0; - ret->oid_flags = 0; - ret->str_flags = 0; return ret; } diff --git a/crypto/asn1/x_info.c b/crypto/asn1/x_info.c index 5be934c..0a75e49 100644 --- a/crypto/asn1/x_info.c +++ b/crypto/asn1/x_info.c @@ -64,22 +64,14 @@ X509_INFO *X509_INFO_new(void) { - X509_INFO *ret = NULL; + X509_INFO *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ASN1err(ASN1_F_X509_INFO_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - - ret->enc_cipher.cipher = NULL; - ret->enc_len = 0; - ret->enc_data = NULL; - ret->references = 1; - ret->x509 = NULL; - ret->crl = NULL; - ret->x_pkey = NULL; return (ret); } diff --git a/crypto/asn1/x_pkey.c b/crypto/asn1/x_pkey.c index 0710419..0665aab 100644 --- a/crypto/asn1/x_pkey.c +++ b/crypto/asn1/x_pkey.c @@ -70,17 +70,10 @@ X509_PKEY *X509_PKEY_new(void) if (!ret) goto err; - ret->version = 0; ret->enc_algor = X509_ALGOR_new(); ret->enc_pkey = ASN1_OCTET_STRING_new(); if (!ret->enc_algor || !ret->enc_pkey) goto err; - ret->dec_pkey = NULL; - ret->key_length = 0; - ret->key_data = NULL; - ret->key_free = 0; - ret->cipher.cipher = NULL; - memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH); ret->references = 1; return ret; err: diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index 4fd8d15..b7a3772 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -91,27 +91,23 @@ BIO_METHOD *BIO_f_buffer(void) static int buffer_new(BIO *bi) { - BIO_F_BUFFER_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); + BIO_F_BUFFER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) return (0); + ctx->ibuf_size = DEFAULT_BUFFER_SIZE; ctx->ibuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE); if (ctx->ibuf == NULL) { OPENSSL_free(ctx); return (0); } + ctx->obuf_size = DEFAULT_BUFFER_SIZE; ctx->obuf = OPENSSL_malloc(DEFAULT_BUFFER_SIZE); if (ctx->obuf == NULL) { OPENSSL_free(ctx->ibuf); OPENSSL_free(ctx); return (0); } - ctx->ibuf_size = DEFAULT_BUFFER_SIZE; - ctx->obuf_size = DEFAULT_BUFFER_SIZE; - ctx->ibuf_len = 0; - ctx->ibuf_off = 0; - ctx->obuf_len = 0; - ctx->obuf_off = 0; bi->init = 1; bi->ptr = (char *)ctx; diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 7980711..2a2e314 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -102,13 +102,12 @@ static int nbiof_new(BIO *bi) { NBIO_TEST *nt; - if ((nt = OPENSSL_malloc(sizeof(*nt))) == NULL) + if ((nt = OPENSSL_zalloc(sizeof(*nt))) == NULL) return (0); nt->lrn = -1; nt->lwn = -1; bi->ptr = (char *)nt; bi->init = 1; - bi->flags = 0; return (1); } diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index bbb9aca..91474fc 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -225,10 +225,7 @@ static int dgram_new(BIO *bi) if (data == NULL) return 0; - bi->init = 0; - bi->num = 0; bi->ptr = data; - bi->flags = 0; return (1); } diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 660e626..756d404 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -190,17 +190,13 @@ BN_CTX *BN_CTX_new(void) { BN_CTX *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { BNerr(BN_F_BN_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } /* Initialise the structure */ BN_POOL_init(&ret->pool); BN_STACK_init(&ret->stack); - ret->used = 0; - ret->err_stack = 0; - ret->too_many = 0; - ret->flags = 0; return ret; } diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 2ca6bea..3b07d7d 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -275,15 +275,11 @@ BIGNUM *BN_new(void) { BIGNUM *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) { + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) { BNerr(BN_F_BN_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } ret->flags = BN_FLG_MALLOCED; - ret->top = 0; - ret->neg = 0; - ret->dmax = 0; - ret->d = NULL; bn_check_top(ret); return (ret); } diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c index 5ee11f4..705037b 100644 --- a/crypto/buffer/buffer.c +++ b/crypto/buffer/buffer.c @@ -81,15 +81,11 @@ BUF_MEM *BUF_MEM_new(void) { BUF_MEM *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { BUFerr(BUF_F_BUF_MEM_NEW, ERR_R_MALLOC_FAILURE); return (NULL); } - ret->flags = 0; - ret->length = 0; - ret->max = 0; - ret->data = NULL; return (ret); } diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index 4747511..ea01ba4 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -166,7 +166,7 @@ struct zlib_state { static int zlib_stateful_init(COMP_CTX *ctx) { int err; - struct zlib_state *state = OPENSSL_malloc(sizeof(*state)); + struct zlib_state *state = OPENSSL_zalloc(sizeof(*state)); if (state == NULL) goto err; @@ -176,8 +176,6 @@ static int zlib_stateful_init(COMP_CTX *ctx) state->istream.opaque = Z_NULL; state->istream.next_in = Z_NULL; state->istream.next_out = Z_NULL; - state->istream.avail_in = 0; - state->istream.avail_out = 0; err = inflateInit_(&state->istream, ZLIB_VERSION, sizeof(z_stream)); if (err != Z_OK) goto err; @@ -187,8 +185,6 @@ static int zlib_stateful_init(COMP_CTX *ctx) state->ostream.opaque = Z_NULL; state->ostream.next_in = Z_NULL; state->ostream.next_out = Z_NULL; - state->ostream.avail_in = 0; - state->ostream.avail_out = 0; err = deflateInit_(&state->ostream, Z_DEFAULT_COMPRESSION, ZLIB_VERSION, sizeof(z_stream)); if (err != Z_OK) @@ -367,28 +363,17 @@ static int bio_zlib_new(BIO *bi) return 0; } # endif - ctx = OPENSSL_malloc(sizeof(*ctx)); + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (!ctx) { COMPerr(COMP_F_BIO_ZLIB_NEW, ERR_R_MALLOC_FAILURE); return 0; } - ctx->ibuf = NULL; - ctx->obuf = NULL; ctx->ibufsize = ZLIB_DEFAULT_BUFSIZE; ctx->obufsize = ZLIB_DEFAULT_BUFSIZE; ctx->zin.zalloc = Z_NULL; ctx->zin.zfree = Z_NULL; - ctx->zin.next_in = NULL; - ctx->zin.avail_in = 0; - ctx->zin.next_out = NULL; - ctx->zin.avail_out = 0; ctx->zout.zalloc = Z_NULL; ctx->zout.zfree = Z_NULL; - ctx->zout.next_in = NULL; - ctx->zout.avail_in = 0; - ctx->zout.next_out = NULL; - ctx->zout.avail_out = 0; - ctx->odone = 0; ctx->comp_level = Z_DEFAULT_COMPRESSION; bi->init = 1; bi->ptr = (char *)ctx; diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c index 7fbb4ad..c23a0f6 100644 --- a/crypto/conf/conf_mod.c +++ b/crypto/conf/conf_mod.c @@ -281,7 +281,7 @@ static CONF_MODULE *module_add(DSO *dso, const char *name, supported_modules = sk_CONF_MODULE_new_null(); if (supported_modules == NULL) return NULL; - tmod = OPENSSL_malloc(sizeof(*tmod)); + tmod = OPENSSL_zalloc(sizeof(*tmod)); if (tmod == NULL) return NULL; @@ -289,7 +289,6 @@ static CONF_MODULE *module_add(DSO *dso, const char *name, tmod->name = BUF_strdup(name); tmod->init = ifunc; tmod->finish = ffunc; - tmod->links = 0; if (!sk_CONF_MODULE_push(supported_modules, tmod)) { OPENSSL_free(tmod); diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index 4e087d0..49f82d8 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -107,7 +107,7 @@ DH *DH_new(void) DH *DH_new_method(ENGINE *engine) { - DH *ret = OPENSSL_malloc(sizeof(*ret)); + DH *ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { DHerr(DH_F_DH_NEW_METHOD, ERR_R_MALLOC_FAILURE); @@ -136,19 +136,6 @@ DH *DH_new_method(ENGINE *engine) } #endif - ret->pad = 0; - ret->version = 0; - ret->p = NULL; - ret->g = NULL; - ret->length = 0; - ret->pub_key = NULL; - ret->priv_key = NULL; - ret->q = NULL; - ret->j = NULL; - ret->seed = NULL; - ret->seedlen = 0; - ret->counter = NULL; - ret->method_mont_p = NULL; ret->references = 1; ret->flags = ret->meth->flags; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index 751428c..ff27221 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -98,22 +98,14 @@ typedef struct { static int pkey_dh_init(EVP_PKEY_CTX *ctx) { DH_PKEY_CTX *dctx; - dctx = OPENSSL_malloc(sizeof(*dctx)); + + dctx = OPENSSL_zalloc(sizeof(*dctx)); if (!dctx) return 0; dctx->prime_len = 1024; dctx->subprime_len = -1; dctx->generator = 2; - dctx->use_dsa = 0; - dctx->md = NULL; - dctx->rfc5114_param = 0; - dctx->kdf_type = EVP_PKEY_DH_KDF_NONE; - dctx->kdf_oid = NULL; - dctx->kdf_md = NULL; - dctx->kdf_ukm = NULL; - dctx->kdf_ukmlen = 0; - dctx->kdf_outlen = 0; ctx->data = dctx; ctx->keygen_info = dctx->gentmp; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index a4a8163..b78a2bf 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -115,7 +115,7 @@ DSA *DSA_new_method(ENGINE *engine) { DSA *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { DSAerr(DSA_F_DSA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return (NULL); @@ -142,19 +142,6 @@ DSA *DSA_new_method(ENGINE *engine) } #endif - ret->pad = 0; - ret->version = 0; - ret->p = NULL; - ret->q = NULL; - ret->g = NULL; - - ret->pub_key = NULL; - ret->priv_key = NULL; - - ret->kinv = NULL; - ret->r = NULL; - ret->method_mont_p = NULL; - ret->references = 1; ret->flags = ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index a954c8e..2380097 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -67,7 +67,7 @@ EC_KEY *EC_KEY_new(void) { - EC_KEY *ret = OPENSSL_malloc(sizeof(*ret)); + EC_KEY *ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ECerr(EC_F_EC_KEY_NEW, ERR_R_MALLOC_FAILURE); @@ -75,14 +75,8 @@ EC_KEY *EC_KEY_new(void) } ret->version = 1; - ret->flags = 0; - ret->group = NULL; - ret->pub_key = NULL; - ret->priv_key = NULL; - ret->enc_flag = 0; ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; ret->references = 1; - ret->method_data = NULL; return (ret); } diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index cd08a55..793645d 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -83,37 +83,25 @@ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth) return NULL; } - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ECerr(EC_F_EC_GROUP_NEW, ERR_R_MALLOC_FAILURE); return NULL; } ret->meth = meth; - - ret->extra_data = NULL; - ret->mont_data = NULL; - - ret->generator = NULL; ret->order = BN_new(); - ret->cofactor = NULL; if (!ret->order) goto err; ret->cofactor = BN_new(); if (!ret->cofactor) goto err; - - ret->curve_name = 0; ret->asn1_flag = OPENSSL_EC_NAMED_CURVE; ret->asn1_form = POINT_CONVERSION_UNCOMPRESSED; - - ret->seed = NULL; - ret->seed_len = 0; - if (!meth->group_init(ret)) goto err; - return ret; + err: BN_free(ret->order); BN_free(ret->cofactor); diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 09f042e..a3d9885 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -100,17 +100,14 @@ static EC_PRE_COMP *ec_pre_comp_new(const EC_GROUP *group) if (!group) return NULL; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) { ECerr(EC_F_EC_PRE_COMP_NEW, ERR_R_MALLOC_FAILURE); return ret; } ret->group = group; ret->blocksize = 8; /* default */ - ret->numblocks = 0; ret->w = 4; /* default */ - ret->points = NULL; - ret->num = 0; ret->references = 1; return ret; } diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 5ca8ed9..aa1fa9f 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -92,22 +92,13 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx) { EC_PKEY_CTX *dctx; - dctx = OPENSSL_malloc(sizeof(*dctx)); + dctx = OPENSSL_zalloc(sizeof(*dctx)); if (!dctx) return 0; - dctx->gen_group = NULL; - dctx->md = NULL; dctx->cofactor_mode = -1; - dctx->co_key = NULL; dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE; - dctx->kdf_md = NULL; - dctx->kdf_outlen = 0; - dctx->kdf_ukm = NULL; - dctx->kdf_ukmlen = 0; - ctx->data = dctx; - return 1; } diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index 0db3534..f3007e5 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -251,7 +251,7 @@ ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_meth) { ECDSA_METHOD *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { ECDSAerr(ECDSA_F_ECDSA_METHOD_NEW, ERR_R_MALLOC_FAILURE); return NULL; @@ -259,13 +259,6 @@ ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_meth) if (ecdsa_meth) *ret = *ecdsa_meth; - else { - ret->ecdsa_sign_setup = 0; - ret->ecdsa_do_sign = 0; - ret->ecdsa_do_verify = 0; - ret->name = NULL; - ret->flags = 0; - } ret->flags |= ECDSA_METHOD_FLAG_ALLOCATED; return ret; } diff --git a/crypto/engine/eng_dyn.c b/crypto/engine/eng_dyn.c index 777f440..100b050 100644 --- a/crypto/engine/eng_dyn.c +++ b/crypto/engine/eng_dyn.c @@ -208,22 +208,15 @@ static int dynamic_set_data_ctx(ENGINE *e, dynamic_data_ctx **ctx) ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE); return 0; } - c->dynamic_dso = NULL; - c->v_check = NULL; - c->bind_engine = NULL; - c->DYNAMIC_LIBNAME = NULL; - c->no_vcheck = 0; - c->engine_id = NULL; - c->list_add_value = 0; - c->DYNAMIC_F1 = "v_check"; - c->DYNAMIC_F2 = "bind_engine"; - c->dir_load = 1; c->dirs = sk_OPENSSL_STRING_new_null(); if (!c->dirs) { ENGINEerr(ENGINE_F_DYNAMIC_SET_DATA_CTX, ERR_R_MALLOC_FAILURE); OPENSSL_free(c); return 0; } + c->DYNAMIC_F1 = "v_check"; + c->DYNAMIC_F2 = "bind_engine"; + c->dir_load = 1; CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); if ((*ctx = (dynamic_data_ctx *)ENGINE_get_ex_data(e, dynamic_ex_data_idx)) diff --git a/crypto/engine/eng_openssl.c b/crypto/engine/eng_openssl.c index eaf0618..4bc9b2e 100644 --- a/crypto/engine/eng_openssl.c +++ b/crypto/engine/eng_openssl.c @@ -425,13 +425,10 @@ typedef struct { static int ossl_hmac_init(EVP_PKEY_CTX *ctx) { OSSL_HMAC_PKEY_CTX *hctx; - hctx = OPENSSL_malloc(sizeof(*hctx)); + + hctx = OPENSSL_zalloc(sizeof(*hctx)); if (!hctx) return 0; - hctx->md = NULL; - hctx->ktmp.data = NULL; - hctx->ktmp.length = 0; - hctx->ktmp.flags = 0; hctx->ktmp.type = V_ASN1_OCTET_STRING; HMAC_CTX_init(&hctx->ctx); EVP_PKEY_CTX_set_data(ctx, hctx); diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index dcb9695..00febc7 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -115,18 +115,12 @@ static int b64_new(BIO *bi) { BIO_B64_CTX *ctx; - ctx = OPENSSL_malloc(sizeof(*ctx)); + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) return (0); - ctx->buf_len = 0; - ctx->tmp_len = 0; - ctx->tmp_nl = 0; - ctx->buf_off = 0; ctx->cont = 1; ctx->start = 1; - ctx->encode = 0; - bi->init = 1; bi->ptr = (char *)ctx; bi->flags = 0; diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index bf74a0a..2e6ce33 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c @@ -112,17 +112,13 @@ static int enc_new(BIO *bi) { BIO_ENC_CTX *ctx; - ctx = OPENSSL_malloc(sizeof(*ctx)); + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) return (0); - EVP_CIPHER_CTX_init(&ctx->cipher); - ctx->buf_len = 0; - ctx->buf_off = 0; + EVP_CIPHER_CTX_init(&ctx->cipher); ctx->cont = 1; - ctx->finished = 0; ctx->ok = 1; - bi->init = 0; bi->ptr = (char *)ctx; bi->flags = 0; diff --git a/crypto/evp/bio_ok.c b/crypto/evp/bio_ok.c index 9fdf6bc..8658f88 100644 --- a/crypto/evp/bio_ok.c +++ b/crypto/evp/bio_ok.c @@ -176,21 +176,13 @@ static int ok_new(BIO *bi) { BIO_OK_CTX *ctx; - ctx = OPENSSL_malloc(sizeof(*ctx)); + ctx = OPENSSL_zalloc(sizeof(*ctx)); if (ctx == NULL) return (0); - ctx->buf_len = 0; - ctx->buf_off = 0; - ctx->buf_len_save = 0; - ctx->buf_off_save = 0; ctx->cont = 1; - ctx->finished = 0; - ctx->blockout = 0; ctx->sigio = 1; - EVP_MD_CTX_init(&ctx->md); - bi->init = 0; bi->ptr = (char *)ctx; bi->flags = 0; diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index f317471..a2d8382 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -165,7 +165,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) return NULL; } - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) { #ifndef OPENSSL_NO_ENGINE if (e) @@ -178,8 +178,6 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) ret->pmeth = pmeth; ret->operation = EVP_PKEY_OP_UNDEFINED; ret->pkey = pkey; - ret->peerkey = NULL; - ret->pkey_gencb = 0; if (pkey) CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); ret->data = NULL; @@ -204,32 +202,6 @@ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags) pmeth->pkey_id = id; pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC; - pmeth->init = 0; - pmeth->copy = 0; - pmeth->cleanup = 0; - pmeth->paramgen_init = 0; - pmeth->paramgen = 0; - pmeth->keygen_init = 0; - pmeth->keygen = 0; - pmeth->sign_init = 0; - pmeth->sign = 0; - pmeth->verify_init = 0; - pmeth->verify = 0; - pmeth->verify_recover_init = 0; - pmeth->verify_recover = 0; - pmeth->signctx_init = 0; - pmeth->signctx = 0; - pmeth->verifyctx_init = 0; - pmeth->verifyctx = 0; - pmeth->encrypt_init = 0; - pmeth->encrypt = 0; - pmeth->decrypt_init = 0; - pmeth->decrypt = 0; - pmeth->derive_init = 0; - pmeth->derive = 0; - pmeth->ctrl = 0; - pmeth->ctrl_str = 0; - return pmeth; } diff --git a/crypto/hmac/hm_pmeth.c b/crypto/hmac/hm_pmeth.c index fcccb58..ff9dbe3 100644 --- a/crypto/hmac/hm_pmeth.c +++ b/crypto/hmac/hm_pmeth.c @@ -75,13 +75,10 @@ typedef struct { static int pkey_hmac_init(EVP_PKEY_CTX *ctx) { HMAC_PKEY_CTX *hctx; - hctx = OPENSSL_malloc(sizeof(*hctx)); + + hctx = OPENSSL_zalloc(sizeof(*hctx)); if (!hctx) return 0; - hctx->md = NULL; - hctx->ktmp.data = NULL; - hctx->ktmp.length = 0; - hctx->ktmp.flags = 0; hctx->ktmp.type = V_ASN1_OCTET_STRING; HMAC_CTX_init(&hctx->ctx); diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 0c9ce8f..4018b60 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -113,40 +113,20 @@ static LHASH_NODE **getrn(_LHASH *lh, const void *data, unsigned long *rhash); _LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c) { _LHASH *ret; - int i; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) goto err0; - if ((ret->b = OPENSSL_malloc(sizeof(*ret->b) * MIN_NODES)) == NULL) + if ((ret->b = OPENSSL_zalloc(sizeof(*ret->b) * MIN_NODES)) == NULL) goto err1; - for (i = 0; i < MIN_NODES; i++) - ret->b[i] = NULL; ret->comp = ((c == NULL) ? (LHASH_COMP_FN_TYPE)strcmp : c); ret->hash = ((h == NULL) ? (LHASH_HASH_FN_TYPE)lh_strhash : h); ret->num_nodes = MIN_NODES / 2; ret->num_alloc_nodes = MIN_NODES; - ret->p = 0; ret->pmax = MIN_NODES / 2; ret->up_load = UP_LOAD; ret->down_load = DOWN_LOAD; - ret->num_items = 0; - - ret->num_expands = 0; - ret->num_expand_reallocs = 0; - ret->num_contracts = 0; - ret->num_contract_reallocs = 0; - ret->num_hash_calls = 0; - ret->num_comp_calls = 0; - ret->num_insert = 0; - ret->num_replace = 0; - ret->num_delete = 0; - ret->num_no_delete = 0; - ret->num_retrieve = 0; - ret->num_retrieve_miss = 0; - ret->num_hash_comps = 0; - - ret->error = 0; return (ret); + err1: OPENSSL_free(ret); err0: diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index d861b6d..7a24ad0 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -83,7 +83,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *), names_type_num++; for (i = sk_NAME_FUNCS_num(name_funcs_stack); i < names_type_num; i++) { MemCheck_off(); - name_funcs = OPENSSL_malloc(sizeof(*name_funcs)); + name_funcs = OPENSSL_zalloc(sizeof(*name_funcs)); MemCheck_on(); if (!name_funcs) { OBJerr(OBJ_F_OBJ_NAME_NEW_INDEX, ERR_R_MALLOC_FAILURE); @@ -91,10 +91,6 @@ int OBJ_NAME_new_index(unsigned long (*hash_func) (const char *), } name_funcs->hash_func = lh_strhash; name_funcs->cmp_func = OPENSSL_strcmp; - name_funcs->free_func = 0; /* NULL is often declared to * ((void - * *)0), which according * to Compaq C is - * not really * compatible with a function - * * pointer. -- Richard Levitte */ MemCheck_off(); sk_NAME_FUNCS_push(name_funcs_stack, name_funcs); MemCheck_on(); diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c index 582ef9c..2c92ee7 100644 --- a/crypto/ocsp/ocsp_ht.c +++ b/crypto/ocsp/ocsp_ht.c @@ -113,7 +113,7 @@ static int parse_http_line1(char *line); OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) { - OCSP_REQ_CTX *rctx = OPENSSL_malloc(sizeof(*rctx)); + OCSP_REQ_CTX *rctx = OPENSSL_zalloc(sizeof(*rctx)); if (!rctx) return NULL; @@ -121,7 +121,6 @@ OCSP_REQ_CTX *OCSP_REQ_CTX_new(BIO *io, int maxline) rctx->max_resp_len = OCSP_MAX_RESP_LENGTH; rctx->mem = BIO_new(BIO_s_mem()); rctx->io = io; - rctx->asn1_len = 0; if (maxline > 0) rctx->iobuflen = maxline; else diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index f62fd73..c64dad4 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -125,7 +125,7 @@ RSA *RSA_new_method(ENGINE *engine) { RSA *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_MALLOC_FAILURE); return NULL; @@ -153,23 +153,7 @@ RSA *RSA_new_method(ENGINE *engine) } #endif - ret->pad = 0; - ret->version = 0; - ret->n = NULL; - ret->e = NULL; - ret->d = NULL; - ret->p = NULL; - ret->q = NULL; - ret->dmp1 = NULL; - ret->dmq1 = NULL; - ret->iqmp = NULL; ret->references = 1; - ret->_method_mod_n = NULL; - ret->_method_mod_p = NULL; - ret->_method_mod_q = NULL; - ret->blinding = NULL; - ret->mt_blinding = NULL; - ret->bignum_data = NULL; ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { #ifndef OPENSSL_NO_ENGINE diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index ac83de3..dd7b7dd 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -97,21 +97,12 @@ typedef struct { static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { RSA_PKEY_CTX *rctx; - rctx = OPENSSL_malloc(sizeof(*rctx)); + rctx = OPENSSL_zalloc(sizeof(*rctx)); if (!rctx) return 0; rctx->nbits = 1024; - rctx->pub_exp = NULL; rctx->pad_mode = RSA_PKCS1_PADDING; - rctx->md = NULL; - rctx->mgf1md = NULL; - rctx->tbuf = NULL; - rctx->saltlen = -2; - - rctx->oaep_label = NULL; - rctx->oaep_labellen = 0; - ctx->data = rctx; ctx->keygen_info = rctx->gentmp; ctx->keygen_info_count = 2; diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index c7643db..e9d80a7 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -150,19 +150,15 @@ _STACK *sk_new_null(void) _STACK *sk_new(int (*c) (const void *, const void *)) { _STACK *ret; - int i; - if ((ret = OPENSSL_malloc(sizeof(_STACK))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(_STACK))) == NULL) goto err; if ((ret->data = OPENSSL_malloc(sizeof(*ret->data) * MIN_NODES)) == NULL) goto err; - for (i = 0; i < MIN_NODES; i++) - ret->data[i] = NULL; ret->comp = c; ret->num_alloc = MIN_NODES; - ret->num = 0; - ret->sorted = 0; return (ret); + err: OPENSSL_free(ret); return (NULL); diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 654d74f..6837bd6 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -74,7 +74,7 @@ UI *UI_new(void) UI *UI_new_method(const UI_METHOD *method) { - UI *ret = OPENSSL_malloc(sizeof(*ret)); + UI *ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { UIerr(UI_F_UI_NEW_METHOD, ERR_R_MALLOC_FAILURE); @@ -85,9 +85,6 @@ UI *UI_new_method(const UI_METHOD *method) else ret->meth = method; - ret->strings = NULL; - ret->user_data = NULL; - ret->flags = 0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); return ret; } diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 2bd8de6..c53f1e5 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -68,15 +68,11 @@ X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { X509_LOOKUP *ret; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) return NULL; - ret->init = 0; - ret->skip = 0; ret->method = method; - ret->method_data = NULL; - ret->store_ctx = NULL; if ((method->new_item != NULL) && !method->new_item(ret)) { OPENSSL_free(ret); return NULL; @@ -185,27 +181,15 @@ X509_STORE *X509_STORE_new(void) { X509_STORE *ret; - if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) + if ((ret = OPENSSL_zalloc(sizeof(*ret))) == NULL) return NULL; ret->objs = sk_X509_OBJECT_new(x509_object_cmp); ret->cache = 1; ret->get_cert_methods = sk_X509_LOOKUP_new_null(); - ret->verify = 0; - ret->verify_cb = 0; if ((ret->param = X509_VERIFY_PARAM_new()) == NULL) return NULL; - ret->get_issuer = 0; - ret->check_issued = 0; - ret->check_revocation = 0; - ret->get_crl = 0; - ret->check_crl = 0; - ret->cert_crl = 0; - ret->lookup_certs = 0; - ret->lookup_crls = 0; - ret->cleanup = 0; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data)) { sk_X509_OBJECT_free(ret->objs); OPENSSL_free(ret); diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index f8fd337..9bf1523 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -133,7 +133,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME) static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) { - X509_NAME *ret = OPENSSL_malloc(sizeof(*ret)); + X509_NAME *ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) goto memerr; @@ -141,8 +141,6 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) goto memerr; if ((ret->bytes = BUF_MEM_new()) == NULL) goto memerr; - ret->canon_enc = NULL; - ret->canon_enclen = 0; ret->modified = 1; *val = (ASN1_VALUE *)ret; return 1; diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index 516e7ad..5c47467 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile @@ -505,20 +505,21 @@ v3_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_prn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_prn.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h v3_prn.o: v3_prn.c -v3_purp.o: ../../e_os.h ../../include/openssl/asn1.h -v3_purp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -v3_purp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -v3_purp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -v3_purp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -v3_purp.o: ../../include/openssl/err.h ../../include/openssl/evp.h -v3_purp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -v3_purp.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -v3_purp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -v3_purp.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h -v3_purp.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -v3_purp.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -v3_purp.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_purp.o: ../include/internal/cryptlib.h v3_purp.c +v3_purp.o: ../../e_os.h ../../include/internal/numbers.h +v3_purp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +v3_purp.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h +v3_purp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +v3_purp.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +v3_purp.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +v3_purp.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +v3_purp.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +v3_purp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +v3_purp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +v3_purp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +v3_purp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +v3_purp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +v3_purp.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h +v3_purp.o: v3_purp.c v3_scts.o: ../../e_os.h ../../include/openssl/asn1.h v3_scts.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_scts.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509v3/pcy_data.c index c29641f..bb2760a 100644 --- a/crypto/x509v3/pcy_data.c +++ b/crypto/x509v3/pcy_data.c @@ -98,7 +98,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, return NULL; } else id = NULL; - ret = OPENSSL_malloc(sizeof(*ret)); + ret = OPENSSL_zalloc(sizeof(*ret)); if (!ret) return NULL; ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); @@ -110,8 +110,6 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, if (crit) ret->flags = POLICY_DATA_FLAG_CRITICAL; - else - ret->flags = 0; if (id) ret->valid_policy = id; @@ -123,8 +121,7 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, if (policy) { ret->qualifier_set = policy->qualifiers; policy->qualifiers = NULL; - } else - ret->qualifier_set = NULL; + } return ret; } diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509v3/pcy_node.c index 855fe3e..64f979a 100644 --- a/crypto/x509v3/pcy_node.c +++ b/crypto/x509v3/pcy_node.c @@ -114,12 +114,12 @@ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, X509_POLICY_TREE *tree) { X509_POLICY_NODE *node; - node = OPENSSL_malloc(sizeof(*node)); + + node = OPENSSL_zalloc(sizeof(*node)); if (!node) return NULL; node->data = data; node->parent = parent; - node->nchild = 0; if (level) { if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { if (level->anyPolicy) diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index 2a41903..c6be015 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -217,7 +217,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, } /* If we get this far initialize the tree */ - tree = OPENSSL_malloc(sizeof(*tree)); + tree = OPENSSL_zalloc(sizeof(*tree)); if (!tree) return 0; tree->levels = OPENSSL_zalloc(sizeof(*tree->levels) * n); @@ -225,10 +225,6 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, OPENSSL_free(tree); return 0; } - tree->flags = 0; - tree->extra_data = NULL; - tree->auth_policies = NULL; - tree->user_policies = NULL; tree->nlevel = n; level = tree->levels; diff --git a/engines/e_capi.c b/engines/e_capi.c index 450f89e..8b3cfee 100644 --- a/engines/e_capi.c +++ b/engines/e_capi.c @@ -1573,23 +1573,18 @@ void capi_free_key(CAPI_KEY * key) static CAPI_CTX *capi_ctx_new() { - CAPI_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); + CAPI_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); if (!ctx) { CAPIerr(CAPI_F_CAPI_CTX_NEW, ERR_R_MALLOC_FAILURE); return NULL; } - ctx->cspname = NULL; ctx->csptype = PROV_RSA_FULL; ctx->dump_flags = CAPI_DMP_SUMMARY | CAPI_DMP_FNAME; ctx->keytype = AT_KEYEXCHANGE; - ctx->storename = NULL; - ctx->ssl_client_store = NULL; ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG | CERT_STORE_READONLY_FLAG | CERT_SYSTEM_STORE_CURRENT_USER; ctx->lookup_method = CAPI_LU_SUBSTR; - ctx->debug_level = 0; - ctx->debug_file = NULL; ctx->client_cert_select = cert_select_simple; return ctx; } diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 5c320cb..0a4625c 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -771,24 +771,8 @@ int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd) SSL_CONF_CTX *SSL_CONF_CTX_new(void) { - SSL_CONF_CTX *ret = OPENSSL_malloc(sizeof(*ret)); - size_t i; + SSL_CONF_CTX *ret = OPENSSL_zalloc(sizeof(*ret)); - if (ret) { - ret->flags = 0; - ret->prefix = NULL; - ret->prefixlen = 0; - ret->ssl = NULL; - ret->ctx = NULL; - ret->poptions = NULL; - ret->pcert_flags = NULL; - ret->pvfy_flags = NULL; - ret->tbl = NULL; - ret->ntbl = 0; - for (i = 0; i < SSL_PKEY_NUM; i++) - ret->cert_filename[i] = NULL; - ret->canames = NULL; - } return ret; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index b1d4771..fe07d2c 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1688,41 +1688,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) goto err; ret->method = meth; - ret->cert_store = NULL; ret->session_cache_mode = SSL_SESS_CACHE_SERVER; ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; - ret->session_cache_head = NULL; - ret->session_cache_tail = NULL; - - /* We take the system default */ + /* We take the system default. */ ret->session_timeout = meth->get_timeout(); - - ret->new_session_cb = 0; - ret->remove_session_cb = 0; - ret->get_session_cb = 0; - ret->generate_session_id = 0; - ret->references = 1; - ret->quiet_shutdown = 0; - ret->info_callback = NULL; - ret->app_verify_callback = 0; - ret->app_verify_arg = NULL; ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->read_ahead = 0; - ret->msg_callback = 0; - ret->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; - ret->sid_ctx_length = 0; - ret->default_verify_callback = NULL; if ((ret->cert = ssl_cert_new()) == NULL) goto err; - ret->default_passwd_callback = 0; - ret->default_passwd_callback_userdata = NULL; - ret->client_cert_cb = 0; - ret->app_gen_cookie_cb = 0; - ret->app_verify_cookie_cb = 0; - ret->sessions = lh_SSL_SESSION_new(); if (ret->sessions == NULL) goto err; @@ -1756,39 +1731,23 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); - ret->extra_certs = NULL; /* No compression for DTLS */ if (!(meth->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)) ret->comp_methods = SSL_COMP_get_compression_methods(); ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - ret->tlsext_servername_callback = 0; - ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ if ((RAND_bytes(ret->tlsext_tick_key_name, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_hmac_key, 16) <= 0) || (RAND_bytes(ret->tlsext_tick_aes_key, 16) <= 0)) ret->options |= SSL_OP_NO_TICKET; - ret->tlsext_status_cb = 0; - ret->tlsext_status_arg = NULL; - -#ifndef OPENSSL_NO_NEXTPROTONEG - ret->next_protos_advertised_cb = 0; - ret->next_proto_select_cb = 0; -#endif -#ifndef OPENSSL_NO_PSK - ret->psk_identity_hint = NULL; - ret->psk_client_callback = NULL; - ret->psk_server_callback = NULL; -#endif #ifndef OPENSSL_NO_SRP if (!SSL_CTX_SRP_CTX_init(ret)) goto err; #endif #ifndef OPENSSL_NO_ENGINE - ret->client_cert_engine = NULL; # ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO # define eng_strx(x) #x # define eng_str(x) eng_strx(x) diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 3e980bf..3774db4 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -196,31 +196,14 @@ SSL_SESSION *SSL_SESSION_new(void) ss = OPENSSL_zalloc(sizeof(*ss)); if (ss == NULL) { SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); - return (0); + return (NULL); } ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */ ss->time = (unsigned long)time(NULL); - ss->prev = NULL; - ss->next = NULL; - ss->compress_meth = 0; - ss->tlsext_hostname = NULL; -#ifndef OPENSSL_NO_EC - ss->tlsext_ecpointformatlist_length = 0; - ss->tlsext_ecpointformatlist = NULL; - ss->tlsext_ellipticcurvelist_length = 0; - ss->tlsext_ellipticcurvelist = NULL; -#endif CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); -#ifndef OPENSSL_NO_PSK - ss->psk_identity_hint = NULL; - ss->psk_identity = NULL; -#endif -#ifndef OPENSSL_NO_SRP - ss->srp_username = NULL; -#endif return (ss); } From rsalz at openssl.org Thu Sep 3 21:46:29 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 03 Sep 2015 21:46:29 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441316789.860851.2601.nullmailer@dev.openssl.org> The branch master has been updated via 47bbaa5b607f592009ed40f5678fde21c10a873c (commit) from 64b25758edca688a30f02c260262150f7ad0bc7d (commit) - Log ----------------------------------------------------------------- commit 47bbaa5b607f592009ed40f5678fde21c10a873c Author: David Woodhouse Date: Thu Jul 23 17:30:06 2015 +0100 Revert "OPENSSL_NO_xxx cleanup: RFC3779" This reverts the non-cleanup parts of commit c73ad69017. We do actually have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI build, since we don't have a strspn() function in our runtime environment and we don't want the RFC3779 functionality anyway. In addition, it changes the default behaviour of the Configure script so that RFC3779 support isn't disabled by default. It was always disabled from when it was first added in 2006, right up until the point where OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the Configure script was left *trying* to disable it, but not actually working. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: Configure | 5 +- crypto/asn1/x_x509.c | 4 ++ crypto/x509/x509_vfy.c | 2 + crypto/x509v3/ext_dat.h | 2 + crypto/x509v3/v3_addr.c | 3 ++ crypto/x509v3/v3_asid.c | 3 ++ crypto/x509v3/v3_purp.c | 4 ++ include/openssl/x509.h | 2 + include/openssl/x509v3.h | 2 + makevms.com | 1 + util/libeay.num | 134 +++++++++++++++++++++++------------------------ util/mkdef.pl | 6 ++- 12 files changed, 97 insertions(+), 71 deletions(-) diff --git a/Configure b/Configure index fb20e85..f6007c1 100755 --- a/Configure +++ b/Configure @@ -769,7 +769,7 @@ my $no_threads=0; my $threads=0; my $no_shared=0; # but "no-shared" is default my $zlib=1; # but "no-zlib" is default -my $no_rfc3779=1; # but "no-rfc3779" is default +my $no_rfc3779=0; my $no_asm=0; my $no_dso=0; my $no_gmp=0; @@ -806,7 +806,6 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental "jpake" => "experimental", "md2" => "default", "rc5" => "default", - "rfc3779" => "default", "sctp" => "default", "shared" => "default", "ssl-trace" => "default", @@ -819,7 +818,7 @@ my @experimental = (); # This is what $depflags will look like with the above defaults # (we need this to see if we should advise the user to run "make depend"): -my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST"; +my $default_depflags = " -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST"; # Explicit "no-..." options will be collected in %disabled along with the defaults. # To remove something from %disabled, use "enable-foo" (unless it's experimental). diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 17bbb91..6e7850c 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c @@ -95,8 +95,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ret->ex_pathlen = -1; ret->skid = NULL; ret->akid = NULL; +#ifndef OPENSSL_NO_RFC3779 ret->rfc3779_addr = NULL; ret->rfc3779_asid = NULL; +#endif ret->aux = NULL; ret->crldp = NULL; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data); @@ -116,8 +118,10 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); +#ifndef OPENSSL_NO_RFC3779 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid); +#endif OPENSSL_free(ret->name); break; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index bc48b8a..6169db1 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -485,6 +485,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (!ok) goto end; +#ifndef OPENSSL_NO_RFC3779 /* RFC 3779 path validation, now that CRL check has been done */ ok = v3_asid_validate_path(ctx); if (!ok) @@ -492,6 +493,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ok = v3_addr_validate_path(ctx); if (!ok) goto end; +#endif /* If we get this far evaluate policies */ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index d43c86c..9c3529b 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -103,8 +103,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = { #endif &v3_sxnet, &v3_info, +#ifndef OPENSSL_NO_RFC3779 &v3_addr, &v3_asid, +#endif #ifndef OPENSSL_NO_OCSP &v3_ocsp_nonce, &v3_ocsp_crlid, diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index 5c22c6d..c1c38a0 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -69,6 +69,7 @@ #include #include +#ifndef OPENSSL_NO_RFC3779 /* * OpenSSL ASN.1 template translation of RFC 3779 2.2.3. @@ -1339,3 +1340,5 @@ int v3_addr_validate_resource_set(STACK_OF(X509) *chain, return 0; return v3_addr_validate_path_internal(NULL, chain, ext); } + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c index f390c2d..d40279a 100644 --- a/crypto/x509v3/v3_asid.c +++ b/crypto/x509v3/v3_asid.c @@ -69,6 +69,7 @@ #include #include +#ifndef OPENSSL_NO_RFC3779 /* * OpenSSL ASN.1 template translation of RFC 3779 3.2.3. @@ -893,3 +894,5 @@ int v3_asid_validate_resource_set(STACK_OF(X509) *chain, return 0; return v3_asid_validate_path_internal(NULL, chain, ext); } + +#endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index b03c323..61d9772 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -322,8 +322,10 @@ int X509_supported_extension(X509_EXTENSION *ex) NID_basic_constraints, /* 87 */ NID_certificate_policies, /* 89 */ NID_ext_key_usage, /* 126 */ +#ifndef OPENSSL_NO_RFC3779 NID_sbgp_ipAddrBlock, /* 290 */ NID_sbgp_autonomousSysNum, /* 291 */ +#endif NID_policy_constraints, /* 401 */ NID_proxyCertInfo, /* 663 */ NID_name_constraints, /* 666 */ @@ -503,9 +505,11 @@ static void x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_INVALID; setup_crldp(x); +#ifndef OPENSSL_NO_RFC3779 x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, NULL, NULL); x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, NULL, NULL); +#endif for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 708a695..02138cb 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -201,8 +201,10 @@ struct x509_st { STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; +#ifndef OPENSSL_NO_RFC3779 STACK_OF(IPAddressFamily) *rfc3779_addr; struct ASIdentifiers_st *rfc3779_asid; +# endif unsigned char sha1_hash[SHA_DIGEST_LENGTH]; X509_CERT_AUX *aux; } /* X509 */ ; diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index 19fcb39..280b9c1 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -756,6 +756,7 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk, void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); DECLARE_STACK_OF(X509_POLICY_NODE) +#ifndef OPENSSL_NO_RFC3779 typedef struct ASRange_st { ASN1_INTEGER *min, *max; } ASRange; @@ -898,6 +899,7 @@ int v3_asid_validate_resource_set(STACK_OF(X509) *chain, int v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, int allow_inheritance); +#endif /* OPENSSL_NO_RFC3779 */ /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/makevms.com b/makevms.com index c1c3060..35c44ec 100755 --- a/makevms.com +++ b/makevms.com @@ -292,6 +292,7 @@ $ CONFIG_LOGICALS := AES,- RC2,- RC4,- RC5,- + RFC3779,- RMD160,- RSA,- SCTP,- diff --git a/util/libeay.num b/util/libeay.num index fd8375d..d7d4049 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -3412,106 +3412,106 @@ EVP_camellia_256_cfb8 3810 EXIST::FUNCTION:CAMELLIA EVP_camellia_256_ecb 3811 EXIST::FUNCTION:CAMELLIA EVP_camellia_256_ofb 3812 EXIST::FUNCTION:CAMELLIA a2i_ipadd 3813 EXIST::FUNCTION: -ASIdentifiers_free 3814 EXIST::FUNCTION: -i2d_ASIdOrRange 3815 EXIST::FUNCTION: +ASIdentifiers_free 3814 EXIST::FUNCTION:RFC3779 +i2d_ASIdOrRange 3815 EXIST::FUNCTION:RFC3779 EVP_CIPHER_block_size 3816 EXIST::FUNCTION: -v3_asid_is_canonical 3817 EXIST::FUNCTION: -IPAddressChoice_free 3818 EXIST::FUNCTION: +v3_asid_is_canonical 3817 EXIST::FUNCTION:RFC3779 +IPAddressChoice_free 3818 EXIST::FUNCTION:RFC3779 EVP_CIPHER_CTX_set_app_data 3819 EXIST::FUNCTION: BIO_set_callback_arg 3820 EXIST::FUNCTION: -v3_addr_add_prefix 3821 EXIST::FUNCTION: -IPAddressOrRange_it 3822 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -IPAddressOrRange_it 3822 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +v3_addr_add_prefix 3821 EXIST::FUNCTION:RFC3779 +IPAddressOrRange_it 3822 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressOrRange_it 3822 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 BIO_set_flags 3823 EXIST::FUNCTION: -ASIdentifiers_it 3824 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -ASIdentifiers_it 3824 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -v3_addr_get_range 3825 EXIST::FUNCTION: +ASIdentifiers_it 3824 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdentifiers_it 3824 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +v3_addr_get_range 3825 EXIST::FUNCTION:RFC3779 BIO_method_type 3826 EXIST::FUNCTION: -v3_addr_inherits 3827 EXIST::FUNCTION: -IPAddressChoice_it 3828 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -IPAddressChoice_it 3828 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +v3_addr_inherits 3827 EXIST::FUNCTION:RFC3779 +IPAddressChoice_it 3828 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressChoice_it 3828 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 AES_ige_encrypt 3829 EXIST::FUNCTION:AES -v3_addr_add_range 3830 EXIST::FUNCTION: +v3_addr_add_range 3830 EXIST::FUNCTION:RFC3779 EVP_CIPHER_CTX_nid 3831 EXIST::FUNCTION: -d2i_ASRange 3832 EXIST::FUNCTION: -v3_addr_add_inherit 3833 EXIST::FUNCTION: -v3_asid_add_id_or_range 3834 EXIST::FUNCTION: -v3_addr_validate_resource_set 3835 EXIST::FUNCTION: +d2i_ASRange 3832 EXIST::FUNCTION:RFC3779 +v3_addr_add_inherit 3833 EXIST::FUNCTION:RFC3779 +v3_asid_add_id_or_range 3834 EXIST::FUNCTION:RFC3779 +v3_addr_validate_resource_set 3835 EXIST::FUNCTION:RFC3779 EVP_CIPHER_iv_length 3836 EXIST::FUNCTION: EVP_MD_type 3837 EXIST::FUNCTION: -v3_asid_canonize 3838 EXIST::FUNCTION: -IPAddressRange_free 3839 EXIST::FUNCTION: -v3_asid_add_inherit 3840 EXIST::FUNCTION: +v3_asid_canonize 3838 EXIST::FUNCTION:RFC3779 +IPAddressRange_free 3839 EXIST::FUNCTION:RFC3779 +v3_asid_add_inherit 3840 EXIST::FUNCTION:RFC3779 EVP_CIPHER_CTX_key_length 3841 EXIST::FUNCTION: -IPAddressRange_new 3842 EXIST::FUNCTION: -ASIdOrRange_new 3843 EXIST::FUNCTION: +IPAddressRange_new 3842 EXIST::FUNCTION:RFC3779 +ASIdOrRange_new 3843 EXIST::FUNCTION:RFC3779 EVP_MD_size 3844 EXIST::FUNCTION: EVP_MD_CTX_test_flags 3845 EXIST::FUNCTION: BIO_clear_flags 3846 EXIST::FUNCTION: -i2d_ASRange 3847 EXIST::FUNCTION: -IPAddressRange_it 3848 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -IPAddressRange_it 3848 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -IPAddressChoice_new 3849 EXIST::FUNCTION: -ASIdentifierChoice_new 3850 EXIST::FUNCTION: -ASRange_free 3851 EXIST::FUNCTION: +i2d_ASRange 3847 EXIST::FUNCTION:RFC3779 +IPAddressRange_it 3848 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressRange_it 3848 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +IPAddressChoice_new 3849 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_new 3850 EXIST::FUNCTION:RFC3779 +ASRange_free 3851 EXIST::FUNCTION:RFC3779 EVP_MD_pkey_type 3852 EXIST::FUNCTION: EVP_MD_CTX_clear_flags 3853 EXIST::FUNCTION: -IPAddressFamily_free 3854 EXIST::FUNCTION: -i2d_IPAddressFamily 3855 EXIST::FUNCTION: -IPAddressOrRange_new 3856 EXIST::FUNCTION: +IPAddressFamily_free 3854 EXIST::FUNCTION:RFC3779 +i2d_IPAddressFamily 3855 EXIST::FUNCTION:RFC3779 +IPAddressOrRange_new 3856 EXIST::FUNCTION:RFC3779 EVP_CIPHER_flags 3857 EXIST::FUNCTION: -v3_asid_validate_resource_set 3858 EXIST::FUNCTION: -d2i_IPAddressRange 3859 EXIST::FUNCTION: +v3_asid_validate_resource_set 3858 EXIST::FUNCTION:RFC3779 +d2i_IPAddressRange 3859 EXIST::FUNCTION:RFC3779 AES_bi_ige_encrypt 3860 EXIST::FUNCTION:AES BIO_get_callback 3861 EXIST::FUNCTION: -IPAddressOrRange_free 3862 EXIST::FUNCTION: -v3_addr_subset 3863 EXIST::FUNCTION: -d2i_IPAddressFamily 3864 EXIST::FUNCTION: -v3_asid_subset 3865 EXIST::FUNCTION: +IPAddressOrRange_free 3862 EXIST::FUNCTION:RFC3779 +v3_addr_subset 3863 EXIST::FUNCTION:RFC3779 +d2i_IPAddressFamily 3864 EXIST::FUNCTION:RFC3779 +v3_asid_subset 3865 EXIST::FUNCTION:RFC3779 BIO_test_flags 3866 EXIST::FUNCTION: -i2d_ASIdentifierChoice 3867 EXIST::FUNCTION: -ASRange_it 3868 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -ASRange_it 3868 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -d2i_ASIdentifiers 3869 EXIST::FUNCTION: -ASRange_new 3870 EXIST::FUNCTION: -d2i_IPAddressChoice 3871 EXIST::FUNCTION: -v3_addr_get_afi 3872 EXIST::FUNCTION: +i2d_ASIdentifierChoice 3867 EXIST::FUNCTION:RFC3779 +ASRange_it 3868 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASRange_it 3868 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +d2i_ASIdentifiers 3869 EXIST::FUNCTION:RFC3779 +ASRange_new 3870 EXIST::FUNCTION:RFC3779 +d2i_IPAddressChoice 3871 EXIST::FUNCTION:RFC3779 +v3_addr_get_afi 3872 EXIST::FUNCTION:RFC3779 EVP_CIPHER_key_length 3873 EXIST::FUNCTION: EVP_Cipher 3874 EXIST::FUNCTION: -i2d_IPAddressOrRange 3875 EXIST::FUNCTION: -ASIdOrRange_it 3876 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -ASIdOrRange_it 3876 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +i2d_IPAddressOrRange 3875 EXIST::FUNCTION:RFC3779 +ASIdOrRange_it 3876 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdOrRange_it 3876 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 EVP_CIPHER_nid 3877 EXIST::FUNCTION: -i2d_IPAddressChoice 3878 EXIST::FUNCTION: +i2d_IPAddressChoice 3878 EXIST::FUNCTION:RFC3779 EVP_CIPHER_CTX_block_size 3879 EXIST::FUNCTION: -ASIdentifiers_new 3880 EXIST::FUNCTION: -v3_addr_validate_path 3881 EXIST::FUNCTION: -IPAddressFamily_new 3882 EXIST::FUNCTION: +ASIdentifiers_new 3880 EXIST::FUNCTION:RFC3779 +v3_addr_validate_path 3881 EXIST::FUNCTION:RFC3779 +IPAddressFamily_new 3882 EXIST::FUNCTION:RFC3779 EVP_MD_CTX_set_flags 3883 EXIST::FUNCTION: -v3_addr_is_canonical 3884 EXIST::FUNCTION: -i2d_IPAddressRange 3885 EXIST::FUNCTION: -IPAddressFamily_it 3886 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -IPAddressFamily_it 3886 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: -v3_asid_inherits 3887 EXIST::FUNCTION: +v3_addr_is_canonical 3884 EXIST::FUNCTION:RFC3779 +i2d_IPAddressRange 3885 EXIST::FUNCTION:RFC3779 +IPAddressFamily_it 3886 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +IPAddressFamily_it 3886 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 +v3_asid_inherits 3887 EXIST::FUNCTION:RFC3779 EVP_CIPHER_CTX_cipher 3888 EXIST::FUNCTION: EVP_CIPHER_CTX_get_app_data 3889 EXIST::FUNCTION: EVP_MD_block_size 3890 EXIST::FUNCTION: EVP_CIPHER_CTX_flags 3891 EXIST::FUNCTION: -v3_asid_validate_path 3892 EXIST::FUNCTION: -d2i_IPAddressOrRange 3893 EXIST::FUNCTION: -v3_addr_canonize 3894 EXIST::FUNCTION: -ASIdentifierChoice_it 3895 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: -ASIdentifierChoice_it 3895 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: +v3_asid_validate_path 3892 EXIST::FUNCTION:RFC3779 +d2i_IPAddressOrRange 3893 EXIST::FUNCTION:RFC3779 +v3_addr_canonize 3894 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_it 3895 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RFC3779 +ASIdentifierChoice_it 3895 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RFC3779 EVP_MD_CTX_md 3896 EXIST::FUNCTION: -d2i_ASIdentifierChoice 3897 EXIST::FUNCTION: +d2i_ASIdentifierChoice 3897 EXIST::FUNCTION:RFC3779 BIO_method_name 3898 EXIST::FUNCTION: EVP_CIPHER_CTX_iv_length 3899 EXIST::FUNCTION: -ASIdOrRange_free 3900 EXIST::FUNCTION: -ASIdentifierChoice_free 3901 EXIST::FUNCTION: +ASIdOrRange_free 3900 EXIST::FUNCTION:RFC3779 +ASIdentifierChoice_free 3901 EXIST::FUNCTION:RFC3779 BIO_get_callback_arg 3902 EXIST::FUNCTION: BIO_set_callback 3903 EXIST::FUNCTION: -d2i_ASIdOrRange 3904 EXIST::FUNCTION: -i2d_ASIdentifiers 3905 EXIST::FUNCTION: +d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 +i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 CRYPTO_memcmp 3906 EXIST::FUNCTION: BN_consttime_swap 3907 EXIST::FUNCTION: SEED_decrypt 3908 EXIST::FUNCTION:SEED diff --git a/util/mkdef.pl b/util/mkdef.pl index b21d03b..26fa209 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -80,6 +80,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "FP_API", "STDIO", "SOCK", "DGRAM", # Engines "STATIC_ENGINE", "ENGINE", "HW", "GMP", + # RFC3779 + "RFC3779", # TLS "PSK", "SRP", "HEARTBEATS", # CMS @@ -124,7 +126,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; -my $no_psk; my $no_cms; my $no_capieng; +my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng; my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace; my $no_unit_test; my $no_ssl3_method; my $no_ocb; @@ -213,6 +215,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } elsif (/^no-gmp$/) { $no_gmp=1; } + elsif (/^no-rfc3779$/) { $no_rfc3779=1; } elsif (/^no-cms$/) { $no_cms=1; } elsif (/^no-ec2m$/) { $no_ec2m=1; } elsif (/^no-ec-nistp224-64-gcc-128$/) { $no_nistp_gcc=1; } @@ -1197,6 +1200,7 @@ sub is_valid if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } + if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; } if ($keyword eq "PSK" && $no_psk) { return 0; } if ($keyword eq "CMS" && $no_cms) { return 0; } if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc) From rsalz at openssl.org Fri Sep 4 15:45:55 2015 From: rsalz at openssl.org (Rich Salz) Date: Fri, 04 Sep 2015 15:45:55 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441381555.671547.25060.nullmailer@dev.openssl.org> The branch master has been updated via a939b0aab5deb3678308df804d25a340240deee5 (commit) from 47bbaa5b607f592009ed40f5678fde21c10a873c (commit) - Log ----------------------------------------------------------------- commit a939b0aab5deb3678308df804d25a340240deee5 Author: Rich Salz Date: Fri Sep 4 08:13:19 2015 -0400 More zalloc nits Found on GitHub by dimman Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: crypto/evp/pmeth_lib.c | 1 - crypto/stack/stack.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index a2d8382..cff3dd2 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -180,7 +180,6 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) ret->pkey = pkey; if (pkey) CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); - ret->data = NULL; if (pmeth->init) { if (pmeth->init(ret) <= 0) { diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index e9d80a7..9d2d4f4 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -153,7 +153,7 @@ _STACK *sk_new(int (*c) (const void *, const void *)) if ((ret = OPENSSL_zalloc(sizeof(_STACK))) == NULL) goto err; - if ((ret->data = OPENSSL_malloc(sizeof(*ret->data) * MIN_NODES)) == NULL) + if ((ret->data = OPENSSL_zalloc(sizeof(*ret->data) * MIN_NODES)) == NULL) goto err; ret->comp = c; ret->num_alloc = MIN_NODES; From rsalz at openssl.org Fri Sep 4 18:09:41 2015 From: rsalz at openssl.org (Rich Salz) Date: Fri, 04 Sep 2015 18:09:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441390181.927670.12909.nullmailer@dev.openssl.org> The branch master has been updated via b0809bc8ffb34bf89de9e68d8caeb4d8c2aa08f9 (commit) from a939b0aab5deb3678308df804d25a340240deee5 (commit) - Log ----------------------------------------------------------------- commit b0809bc8ffb34bf89de9e68d8caeb4d8c2aa08f9 Author: Rich Salz Date: Fri Sep 4 13:07:10 2015 -0400 RT3998: Allow scrypt to be disabled This does 64-bit division and multiplication, and on 32-bit platforms pulls in libgcc symbols (and MSVC does similar) which may not be available. Mostly done by David Woodhouse. Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: apps/pkcs8.c | 14 ++++++++++++-- crypto/asn1/p5_scrypt.c | 2 ++ crypto/evp/evp_pbe.c | 2 ++ crypto/evp/scrypt.c | 3 +++ include/openssl/evp.h | 2 ++ include/openssl/x509.h | 2 ++ makevms.com | 1 + test/evp_test.c | 14 +++++++++++--- util/libeay.num | 6 +++--- util/mkdef.pl | 5 ++++- 10 files changed, 42 insertions(+), 9 deletions(-) diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 919b8f1..b120b93 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -68,8 +68,10 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED, - OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT, - OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P +#ifndef OPENSSL_NO_SCRYPT + OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P, +#endif + OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT } OPTION_CHOICE; OPTIONS pkcs8_options[] = { @@ -94,10 +96,12 @@ OPTIONS pkcs8_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif +#ifndef OPENSSL_NO_SCRYPT {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"}, {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"}, {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"}, {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"}, +#endif {NULL} }; @@ -116,7 +120,9 @@ int pkcs8_main(int argc, char **argv) int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK; int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; int private = 0; +#ifndef OPENSSL_NO_SCRYPT unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; +#endif prog = opt_init(argc, argv, pkcs8_options); while ((o = opt_next()) != OPT_EOF) { @@ -195,6 +201,7 @@ int pkcs8_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; +#ifndef OPENSSL_NO_SCRYPT case OPT_SCRYPT: scrypt_N = 1024; scrypt_r = 8; @@ -214,6 +221,7 @@ int pkcs8_main(int argc, char **argv) if (!opt_ulong(opt_arg(), &scrypt_p)) goto opthelp; break; +#endif } } argc = opt_num_rest(); @@ -260,10 +268,12 @@ int pkcs8_main(int argc, char **argv) } else { X509_ALGOR *pbe; if (cipher) { +#ifndef OPENSSL_NO_SCRYPT if (scrypt_N && scrypt_r && scrypt_p) pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL, scrypt_N, scrypt_r, scrypt_p); else +#endif pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL, pbe_nid); } else { diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 5c4de79..35ff396 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -65,6 +65,7 @@ #include #include +#ifndef OPENSSL_NO_SCRYPT /* PKCS#5 scrypt password based encryption structures */ typedef struct { @@ -330,3 +331,4 @@ int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, SCRYPT_PARAMS_free(sparam); return rv; } +#endif /* OPENSSL_NO_SCRYPT */ diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index b9330f5..6172d95 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -119,7 +119,9 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0}, {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0}, {EVP_PBE_TYPE_KDF, NID_id_pbkdf2, -1, -1, PKCS5_v2_PBKDF2_keyivgen}, +#ifndef OPENSSL_NO_SCRYPT {EVP_PBE_TYPE_KDF, NID_id_scrypt, -1, -1, PKCS5_v2_scrypt_keyivgen} +#endif }; int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen, diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c index 09dfdf2..380e1fa 100644 --- a/crypto/evp/scrypt.c +++ b/crypto/evp/scrypt.c @@ -64,6 +64,8 @@ #include #include +#ifndef OPENSSL_NO_SCRYPT + #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) static void salsa208_word_specification(uint32_t inout[16]) { @@ -296,3 +298,4 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, OPENSSL_clear_free(B, Blen + Vlen); return rv; } +#endif diff --git a/include/openssl/evp.h b/include/openssl/evp.h index d5333e2..374c926 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1075,6 +1075,7 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *cipher, const EVP_MD *md, int en_de); +#ifndef OPENSSL_NO_SCRYPT int EVP_PBE_scrypt(const char *pass, size_t passlen, const unsigned char *salt, size_t saltlen, uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, @@ -1083,6 +1084,7 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, int PKCS5_v2_scrypt_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, ASN1_TYPE *param, const EVP_CIPHER *c, const EVP_MD *md, int en_de); +#endif void PKCS5_PBE_add(void); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 02138cb..da6514d 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1052,10 +1052,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, unsigned char *salt, int saltlen, unsigned char *aiv, int prf_nid); +#ifndef OPENSSL_NO_SCRYPT X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher, const unsigned char *salt, int saltlen, unsigned char *aiv, uint64_t N, uint64_t r, uint64_t p); +#endif X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid, int keylen); diff --git a/makevms.com b/makevms.com index 35c44ec..4b9a3d7 100755 --- a/makevms.com +++ b/makevms.com @@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,- RFC3779,- RMD160,- RSA,- + SCRYPT,- SCTP,- SEED,- SOCK,- diff --git a/test/evp_test.c b/test/evp_test.c index 90441f3..c5c6e07 100644 --- a/test/evp_test.c +++ b/test/evp_test.c @@ -1311,6 +1311,7 @@ struct pbe_data { size_t key_len; }; +#ifndef OPENSSL_NO_SCRYPT static int scrypt_test_parse(struct evp_test *t, const char *keyword, const char *value) { @@ -1326,6 +1327,7 @@ static int scrypt_test_parse(struct evp_test *t, return test_uint64(value, &pdata->maxmem); return 0; } +#endif static int pbkdf2_test_parse(struct evp_test *t, const char *keyword, const char *value) @@ -1366,8 +1368,10 @@ static int pbe_test_init(struct evp_test *t, const char *alg) struct pbe_data *pdat; int pbe_type = 0; +#ifndef OPENSSL_NO_SCRYPT if (strcmp(alg, "scrypt") == 0) pbe_type = PBE_TYPE_SCRYPT; +#endif else if (strcmp(alg, "pbkdf2") == 0) pbe_type = PBE_TYPE_PBKDF2; else if (strcmp(alg, "pkcs12") == 0) @@ -1408,12 +1412,14 @@ static int pbe_test_parse(struct evp_test *t, return test_bin(value, &pdata->salt, &pdata->salt_len); if (strcmp(keyword, "Key") == 0) return test_bin(value, &pdata->key, &pdata->key_len); - if (pdata->pbe_type == PBE_TYPE_SCRYPT) - return scrypt_test_parse(t, keyword, value); - else if (pdata->pbe_type == PBE_TYPE_PBKDF2) + if (pdata->pbe_type == PBE_TYPE_PBKDF2) return pbkdf2_test_parse(t, keyword, value); else if (pdata->pbe_type == PBE_TYPE_PKCS12) return pkcs12_test_parse(t, keyword, value); +#ifndef OPENSSL_NO_SCRYPT + else if (pdata->pbe_type == PBE_TYPE_SCRYPT) + return scrypt_test_parse(t, keyword, value); +#endif return 0; } @@ -1433,6 +1439,7 @@ static int pbe_test_run(struct evp_test *t) pdata->iter, pdata->md, pdata->key_len, key) == 0) goto err; +#ifndef OPENSSL_NO_SCRYPT } else if (pdata->pbe_type == PBE_TYPE_SCRYPT) { err = "SCRYPT_ERROR"; if (EVP_PBE_scrypt((const char *)pdata->pass, pdata->pass_len, @@ -1440,6 +1447,7 @@ static int pbe_test_run(struct evp_test *t) pdata->N, pdata->r, pdata->p, pdata->maxmem, key, pdata->key_len) == 0) goto err; +#endif } else if (pdata->pbe_type == PBE_TYPE_PKCS12) { err = "PKCS12_ERROR"; if (PKCS12_key_gen_uni(pdata->pass, pdata->pass_len, diff --git a/util/libeay.num b/util/libeay.num index d7d4049..612fff6 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4563,13 +4563,13 @@ COMP_get_name 4921 EXIST::FUNCTION: COMP_get_type 4922 EXIST::FUNCTION: ASN1_INTEGER_get_int64 4923 EXIST::FUNCTION: ASN1_ENUMERATED_set_int64 4924 EXIST::FUNCTION: -EVP_PBE_scrypt 4925 EXIST::FUNCTION: +EVP_PBE_scrypt 4925 EXIST::FUNCTION:SCRYPT ASN1_INTEGER_set_int64 4926 EXIST::FUNCTION: ASN1_ENUMERATED_get_int64 4927 EXIST::FUNCTION: -PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION: +PKCS5_v2_scrypt_keyivgen 4928 EXIST::FUNCTION:SCRYPT ASN1_INTEGER_get_uint64 4929 EXIST::FUNCTION: ASN1_INTEGER_set_uint64 4930 EXIST::FUNCTION: -PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION: +PKCS5_pbe2_set_scrypt 4931 EXIST::FUNCTION:SCRYPT PKCS8_set0_pbe 4932 EXIST::FUNCTION: DH_bits 4933 EXIST::FUNCTION:DH RSA_bits 4934 EXIST::FUNCTION:RSA diff --git a/util/mkdef.pl b/util/mkdef.pl index 26fa209..c07a3c6 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -69,6 +69,7 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", "SHA256", "SHA512", "RMD160", "MDC2", "WHIRLPOOL", "RSA", "DSA", "DH", "EC", "ECDH", "ECDSA", "EC2M", "HMAC", "AES", "CAMELLIA", "SEED", "GOST", + "SCRYPT", # EC_NISTP_64_GCC_128 "EC_NISTP_64_GCC_128", # Envelope "algorithms" @@ -123,7 +124,7 @@ close(IN); my $no_rc2; my $no_rc4; my $no_rc5; my $no_idea; my $no_des; my $no_bf; my $no_cast; my $no_whirlpool; my $no_camellia; my $no_seed; my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; -my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; +my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_scrypt; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng; @@ -203,6 +204,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-aes$/) { $no_aes=1; } elsif (/^no-camellia$/) { $no_camellia=1; } elsif (/^no-seed$/) { $no_seed=1; } + elsif (/^no-scrypt$/) { $no_scrypt=1; } elsif (/^no-evp$/) { $no_evp=1; } elsif (/^no-lhash$/) { $no_lhash=1; } elsif (/^no-stack$/) { $no_stack=1; } @@ -1187,6 +1189,7 @@ sub is_valid if ($keyword eq "AES" && $no_aes) { return 0; } if ($keyword eq "CAMELLIA" && $no_camellia) { return 0; } if ($keyword eq "SEED" && $no_seed) { return 0; } + if ($keyword eq "SCRYPT" && $no_scrypt) { return 0; } if ($keyword eq "EVP" && $no_evp) { return 0; } if ($keyword eq "LHASH" && $no_lhash) { return 0; } if ($keyword eq "STACK" && $no_stack) { return 0; } From rsalz at openssl.org Fri Sep 4 18:30:52 2015 From: rsalz at openssl.org (Rich Salz) Date: Fri, 04 Sep 2015 18:30:52 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441391452.549568.16404.nullmailer@dev.openssl.org> The branch master has been updated via d4ab70f27cb7e518e6a9d6323c996cc3feb7496b (commit) from b0809bc8ffb34bf89de9e68d8caeb4d8c2aa08f9 (commit) - Log ----------------------------------------------------------------- commit d4ab70f27cb7e518e6a9d6323c996cc3feb7496b Author: Rich Salz Date: Thu Sep 3 16:56:28 2015 -0400 Test for NULL ptr == 0 Add a test to ensure that "char *p = NULL" is equivalent to all-bytes-zero. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: test/Makefile | 17 ++++++++++++++--- engines/ccgost/e_gost_err.proto => test/nptest.c | 21 +++++++++++++-------- 2 files changed, 27 insertions(+), 11 deletions(-) copy engines/ccgost/e_gost_err.proto => test/nptest.c (90%) diff --git a/test/Makefile b/test/Makefile index 8692347..364e887 100644 --- a/test/Makefile +++ b/test/Makefile @@ -29,6 +29,7 @@ LIBFIPS= -L.. -lfips # Prefix for logline for each test START= @@@ START +NPTEST= nptest BNTEST= bntest ECTEST= ectest ECDSATEST= ecdsatest @@ -80,7 +81,9 @@ SSLSKEWITH0PTEST= sslskewith0ptest.pl TESTS= alltests -EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(GMDIFFTEST)$(EXE_EXT) $(PBELUTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ +EXE= $(NPTEST)$(EXE_EXT) $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) \ + $(ECDSATEST)$(EXE_EXT) $(ECDHTEST)$(EXE_EXT) $(GMDIFFTEST)$(EXE_EXT) \ + $(PBELUTEST)$(EXE_EXT) $(IDEATEST)$(EXE_EXT) \ $(MD2TEST)$(EXE_EXT) $(MD4TEST)$(EXE_EXT) $(MD5TEST)$(EXE_EXT) $(HMACTEST)$(EXE_EXT) $(WPTEST)$(EXE_EXT) \ $(RC2TEST)$(EXE_EXT) $(RC4TEST)$(EXE_EXT) $(RC5TEST)$(EXE_EXT) \ $(DESTEST)$(EXE_EXT) $(SHA1TEST)$(EXE_EXT) $(SHA256TEST)$(EXE_EXT) $(SHA512TEST)$(EXE_EXT) \ @@ -98,7 +101,8 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST) # $(METHTEST)$(EXE_EXT) -OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(PBELUTEST).o $(IDEATEST).o \ +OBJ= $(NPTEST).o $(BNTEST).o $(ECTEST).o \ + $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(PBELUTEST).o $(IDEATEST).o \ $(MD2TEST).o $(MD4TEST).o $(MD5TEST).o \ $(HMACTEST).o $(WPTEST).o \ $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ @@ -111,7 +115,8 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(GMDIFFTEST).o $(PBE $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o $(CLIENTHELLOTEST).o \ $(PACKETTEST).o testutil.o -SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(GMDIFFTEST).c $(PBELUTEST).c $(IDEATEST).c \ +SRC= $(NPTEST).c $(BNTEST).c $(ECTEST).c \ + $(ECDSATEST).c $(ECDHTEST).c $(GMDIFFTEST).c $(PBELUTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c $(WPTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ @@ -152,6 +157,7 @@ apps: @(cd ..; $(MAKE) DIRS=apps all) alltests: \ + test_np \ test_des test_gmdiff test_idea test_sha test_md4 test_md5 test_hmac \ test_pbelu test_md2 test_mdc2 test_wp \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast \ @@ -165,6 +171,10 @@ alltests: \ test_constant_time test_verify_extra test_clienthello test_packet \ test_sslvertol test_sslextension test_sslsessionticket test_sslskewith0p +test_np: $(NPTEST)$(EXE_EXT) + @echo $(START) $@ + ./$(NPTEST) + test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt @echo $(START) $@ ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt @@ -891,6 +901,7 @@ mdc2test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h mdc2test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h mdc2test.o: ../include/openssl/safestack.h ../include/openssl/stack.h mdc2test.o: ../include/openssl/symhacks.h mdc2test.c +nptest.o: nptest.c p5_crpt2_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h p5_crpt2_test.o: ../include/openssl/buffer.h ../include/openssl/conf.h p5_crpt2_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h diff --git a/engines/ccgost/e_gost_err.proto b/test/nptest.c similarity index 90% copy from engines/ccgost/e_gost_err.proto copy to test/nptest.c index c57bd1b..9528851 100644 --- a/engines/ccgost/e_gost_err.proto +++ b/test/nptest.c @@ -1,12 +1,12 @@ /* ==================================================================== - * Copyright (c) 2001-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -52,10 +52,15 @@ * */ -#ifndef HEADER_GOST_ERR_H -#define HEADER_GOST_ERR_H -#define GOST_LIB_NAME "GOST engine" -#ifdef __cplusplus - extern "C" { -#endif +#include +#include + +int main() +{ + char *p = NULL; + char bytes[sizeof(p)]; + + memset(bytes, 0, sizeof bytes); + return memcmp(&p, bytes, sizeof(bytes)) == 0 ? 0 : 1; +} From steve at openssl.org Fri Sep 4 20:27:37 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 04 Sep 2015 20:27:37 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441398457.814836.32382.nullmailer@dev.openssl.org> The branch master has been updated via 13e228d6845aff7e454eea7c9ddd392ebfbd2868 (commit) from d4ab70f27cb7e518e6a9d6323c996cc3feb7496b (commit) - Log ----------------------------------------------------------------- commit 13e228d6845aff7e454eea7c9ddd392ebfbd2868 Author: Dr. Stephen Henson Date: Fri Sep 4 00:20:34 2015 +0100 Match SUITEB strings at start of cipher list. PR#4009. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: ssl/ssl_ciph.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 2dd2379..12dac04 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1330,15 +1330,16 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { unsigned int suiteb_flags = 0, suiteb_comb2 = 0; - if (strcmp(*prule_str, "SUITEB128") == 0) - suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; - else if (strcmp(*prule_str, "SUITEB128ONLY") == 0) + if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; - else if (strcmp(*prule_str, "SUITEB128C2") == 0) { + } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) { suiteb_comb2 = 1; suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; - } else if (strcmp(*prule_str, "SUITEB192") == 0) + } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) { + suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; + } else if (strncmp(*prule_str, "SUITEB192", 9) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS; + } if (suiteb_flags) { c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS; From steve at openssl.org Fri Sep 4 20:36:21 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 04 Sep 2015 20:36:21 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441398981.998566.2263.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 2df619b06ca0026e40e8689020b0e54ed7165583 (commit) from cef9dcbb45c936024cda5d741aee586aa530f052 (commit) - Log ----------------------------------------------------------------- commit 2df619b06ca0026e40e8689020b0e54ed7165583 Author: Dr. Stephen Henson Date: Fri Sep 4 00:20:34 2015 +0100 Match SUITEB strings at start of cipher list. PR#4009. Reviewed-by: Rich Salz (cherry picked from commit 13e228d6845aff7e454eea7c9ddd392ebfbd2868) Conflicts: ssl/ssl_ciph.c ----------------------------------------------------------------------- Summary of changes: ssl/ssl_ciph.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 2cc9a4a..a53f25b 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1404,15 +1404,16 @@ static int check_suiteb_cipher_list(const SSL_METHOD *meth, CERT *c, const char **prule_str) { unsigned int suiteb_flags = 0, suiteb_comb2 = 0; - if (!strcmp(*prule_str, "SUITEB128")) - suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; - else if (!strcmp(*prule_str, "SUITEB128ONLY")) + if (strncmp(*prule_str, "SUITEB128ONLY", 13) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS_ONLY; - else if (!strcmp(*prule_str, "SUITEB128C2")) { + } else if (strncmp(*prule_str, "SUITEB128C2", 11) == 0) { suiteb_comb2 = 1; suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; - } else if (!strcmp(*prule_str, "SUITEB192")) + } else if (strncmp(*prule_str, "SUITEB128", 9) == 0) { + suiteb_flags = SSL_CERT_FLAG_SUITEB_128_LOS; + } else if (strncmp(*prule_str, "SUITEB192", 9) == 0) { suiteb_flags = SSL_CERT_FLAG_SUITEB_192_LOS; + } if (suiteb_flags) { c->cert_flags &= ~SSL_CERT_FLAG_SUITEB_128_LOS; From rsalz at openssl.org Sat Sep 5 03:01:30 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 03:01:30 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441422090.567203.8529.nullmailer@dev.openssl.org> The branch master has been updated via 18716ba2563fb371d3d25a5d7d8dcb7ddb14341b (commit) from 13e228d6845aff7e454eea7c9ddd392ebfbd2868 (commit) - Log ----------------------------------------------------------------- commit 18716ba2563fb371d3d25a5d7d8dcb7ddb14341b Author: Benjamin Kaduk Date: Fri Sep 4 18:50:24 2015 -0500 Supply a build rule for the recently added nptest Commit d4ab70f27cb7e518e6a9d6323c996cc3feb7496b added a test program to check that the NULL pointer is represented as all zero bits, but did not specify a build rule for that new executable. On many platforms, the implicit rule sufficed, since nptest is a very simple program, but for at least darwin-i386-cc, an explicit rule is needed. On darwin-i386-cc, the implicit rule targetted a 64-bit executable, but the object file containing the definition of main was a 32-bit object, which the linker excluded from consideration, resulting in a link failure due to no definition for _main. Add the missing build rule to fix the build on such platforms. Signed-off-by: Rich Salz Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: test/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/Makefile b/test/Makefile index 364e887..0ee38bf 100644 --- a/test/Makefile +++ b/test/Makefile @@ -504,6 +504,9 @@ BUILD_CMD_STATIC=shlib_target=; \ $(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO) @target=$(RSATEST); $(BUILD_CMD) +$(NPTEST)$(EXE_EXT): $(NPTEST).o $(DLIBCRYPTO) + @target=$(NPTEST); $(BUILD_CMD) + $(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO) @target=$(BNTEST); $(BUILD_CMD) From steve at openssl.org Sat Sep 5 11:47:01 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 05 Sep 2015 11:47:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441453621.153653.31367.nullmailer@dev.openssl.org> The branch master has been updated via 44748efc8503b5efe3d9d5aab5c754e4e0d9a442 (commit) from 18716ba2563fb371d3d25a5d7d8dcb7ddb14341b (commit) - Log ----------------------------------------------------------------- commit 44748efc8503b5efe3d9d5aab5c754e4e0d9a442 Author: Dr. Stephen Henson Date: Sat Sep 5 12:28:54 2015 +0100 make X509_REVOKED opaque Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/include/internal/x509_int.h | 11 +++++++++++ include/openssl/x509.h | 11 ----------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/crypto/include/internal/x509_int.h b/crypto/include/internal/x509_int.h index 846a320..f8677a0 100644 --- a/crypto/include/internal/x509_int.h +++ b/crypto/include/internal/x509_int.h @@ -138,3 +138,14 @@ struct X509_crl_st { const X509_CRL_METHOD *meth; void *meth_data; }; + +struct x509_revoked_st { + ASN1_INTEGER *serialNumber; + ASN1_TIME *revocationDate; + STACK_OF(X509_EXTENSION) /* optional */ *extensions; + /* Set up if indirect CRL */ + STACK_OF(GENERAL_NAME) *issuer; + /* Revocation reason */ + int reason; + int sequence; /* load sequence */ +}; diff --git a/include/openssl/x509.h b/include/openssl/x509.h index da6514d..661d81c 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -329,17 +329,6 @@ DECLARE_STACK_OF(X509_TRUST) XN_FLAG_FN_LN | \ XN_FLAG_FN_ALIGN) -struct x509_revoked_st { - ASN1_INTEGER *serialNumber; - ASN1_TIME *revocationDate; - STACK_OF(X509_EXTENSION) /* optional */ *extensions; - /* Set up if indirect CRL */ - STACK_OF(GENERAL_NAME) *issuer; - /* Revocation reason */ - int reason; - int sequence; /* load sequence */ -}; - DECLARE_STACK_OF(X509_REVOKED) typedef struct X509_crl_info_st X509_CRL_INFO; From stevem at openssl.org Sat Sep 5 12:49:39 2015 From: stevem at openssl.org (Steve Marquess) Date: Sat, 05 Sep 2015 12:49:39 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1441457379.790004.9793.nullmailer@dev.openssl.org> The branch master has been updated via c02b0710e44fb8449df2c8ed43e476ae94d6b76d (commit) from bd23ccf616b48786b915a72d0f1c345dc74c503a (commit) - Log ----------------------------------------------------------------- commit c02b0710e44fb8449df2c8ed43e476ae94d6b76d Author: Steve Marquess Date: Sat Sep 5 08:49:08 2015 -0400 Add revision 2.0.10 documents ----------------------------------------------------------------------- Summary of changes: ...ityPolicy-1.2.pdf => SecurityPolicy-2.0.10.pdf} | Bin 860211 -> 952825 bytes docs/fips/UserGuide-2.0.pdf | Bin 1772315 -> 1776107 bytes 2 files changed, 0 insertions(+), 0 deletions(-) copy docs/fips/{SecurityPolicy-1.2.pdf => SecurityPolicy-2.0.10.pdf} (62%) diff --git a/docs/fips/SecurityPolicy-1.2.pdf b/docs/fips/SecurityPolicy-2.0.10.pdf similarity index 62% copy from docs/fips/SecurityPolicy-1.2.pdf copy to docs/fips/SecurityPolicy-2.0.10.pdf index 9ac0515..83cb360 100644 Binary files a/docs/fips/SecurityPolicy-1.2.pdf and b/docs/fips/SecurityPolicy-2.0.10.pdf differ diff --git a/docs/fips/UserGuide-2.0.pdf b/docs/fips/UserGuide-2.0.pdf index 671db85..8ac47e8 100644 Binary files a/docs/fips/UserGuide-2.0.pdf and b/docs/fips/UserGuide-2.0.pdf differ From rsalz at openssl.org Sat Sep 5 19:56:51 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 19:56:51 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441483011.486265.5562.nullmailer@dev.openssl.org> The branch master has been updated via 2519b4e18101a7e987dad842084cd1da5da5c191 (commit) from 44748efc8503b5efe3d9d5aab5c754e4e0d9a442 (commit) - Log ----------------------------------------------------------------- commit 2519b4e18101a7e987dad842084cd1da5da5c191 Author: Alessandro Ghedini Date: Sat Sep 5 13:06:51 2015 +0200 Use the shlib wrapper when running nptest Since there seems to be no way to avoid linking to libssl and libcrypto, just wrap the test. This unbreaks "shared" builds when using clang and/or OS X. Signed-off-by: Rich Salz Reviewed-by: Ben Laurie ----------------------------------------------------------------------- Summary of changes: test/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Makefile b/test/Makefile index 0ee38bf..c85e8d8 100644 --- a/test/Makefile +++ b/test/Makefile @@ -173,7 +173,7 @@ alltests: \ test_np: $(NPTEST)$(EXE_EXT) @echo $(START) $@ - ./$(NPTEST) + ../util/shlib_wrap.sh ./$(NPTEST) test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt @echo $(START) $@ From rsalz at openssl.org Sat Sep 5 20:17:28 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 20:17:28 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441484248.163102.8370.nullmailer@dev.openssl.org> The branch master has been updated via d35ff2c0ade0a12e84aaa2e9841b4983a2f3cf45 (commit) from 2519b4e18101a7e987dad842084cd1da5da5c191 (commit) - Log ----------------------------------------------------------------- commit d35ff2c0ade0a12e84aaa2e9841b4983a2f3cf45 Author: David Woodhouse Date: Fri Jul 31 08:49:50 2015 +0100 RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check In some environments, such as firmware, the current system time is entirely meaningless. Provide a clean mechanism to suppress the checks against it. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.h | 8 +++++--- apps/opt.c | 4 ++++ crypto/x509/x509_vfy.c | 4 ++++ doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 4 ++++ include/openssl/x509_vfy.h | 2 ++ 5 files changed, 19 insertions(+), 3 deletions(-) diff --git a/apps/apps.h b/apps/apps.h index 48c82e8..a134b8d 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -179,7 +179,7 @@ void unbuffer(FILE *fp); OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \ OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ - OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \ + OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \ OPT_V__LAST # define OPT_V_OPTIONS \ @@ -209,7 +209,8 @@ void unbuffer(FILE *fp); { "suiteB_128", OPT_V_SUITEB_128, '-' }, \ { "suiteB_192", OPT_V_SUITEB_192, '-' }, \ { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \ - { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" } + { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \ + { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" } # define OPT_V_CASES \ OPT_V__FIRST: case OPT_V__LAST: break; \ @@ -239,7 +240,8 @@ void unbuffer(FILE *fp); case OPT_V_SUITEB_128: \ case OPT_V_SUITEB_192: \ case OPT_V_PARTIAL_CHAIN: \ - case OPT_V_NO_ALT_CHAINS + case OPT_V_NO_ALT_CHAINS: \ + case OPT_V_NO_CHECK_TIME /* * Common "extended"? options. diff --git a/apps/opt.c b/apps/opt.c index bfb039e..c7dcc43 100644 --- a/apps/opt.c +++ b/apps/opt.c @@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm) break; case OPT_V_NO_ALT_CHAINS: X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS); + break; + case OPT_V_NO_CHECK_TIME: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME); + break; } return 1; diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 6169db1..2b2d5ad 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -957,6 +957,8 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) ctx->current_crl = crl; if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; + else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 1; else ptime = NULL; @@ -1677,6 +1679,8 @@ int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet) if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) ptime = &ctx->param->check_time; + else if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 1; else ptime = NULL; diff --git a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index ec91d5d..166e316 100644 --- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -203,6 +203,10 @@ chain found is not trusted, then OpenSSL will continue to check to see if an alternative chain can be found that is trusted. With this flag set the behaviour will match that of OpenSSL versions prior to 1.1.0. +The B flag suppresses checking the validity period +of certificates and CRLs against the current time. If X509_VERIFY_PARAM_set_time() +is used to specify a verification time, the check is not suppressed. + =head1 NOTES The above functions should be used to manipulate verification parameters diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 8e0a225..c78ba98 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -407,6 +407,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); * will force the behaviour to match that of previous versions. */ # define X509_V_FLAG_NO_ALT_CHAINS 0x100000 +/* Do not check certificate/CRL validity against current time */ +# define X509_V_FLAG_NO_CHECK_TIME 0x200000 # define X509_VP_FLAG_DEFAULT 0x1 # define X509_VP_FLAG_OVERWRITE 0x2 From rsalz at openssl.org Sat Sep 5 21:28:01 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 21:28:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441488481.782857.22072.nullmailer@dev.openssl.org> The branch master has been updated via ecdaa1aefd30a3624624a28139a1e78e17993725 (commit) from d35ff2c0ade0a12e84aaa2e9841b4983a2f3cf45 (commit) - Log ----------------------------------------------------------------- commit ecdaa1aefd30a3624624a28139a1e78e17993725 Author: mrpre Date: Sat Aug 29 10:26:39 2015 +0800 In X509_STORE_CTX_init, cleanup on failure Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/x509/x509_vfy.c | 60 +++++++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 27 deletions(-) diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 2b2d5ad..9cecde7 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -2286,6 +2286,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { int ret = 1; + ctx->ctx = store; ctx->current_method = 0; ctx->cert = x509; @@ -2306,37 +2307,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->tree = NULL; ctx->parent = NULL; - ctx->param = X509_VERIFY_PARAM_new(); - - if (!ctx->param) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - return 0; - } - - /* - * Inherit callbacks and flags from X509_STORE if not set use defaults. - */ - - if (store) - ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); - else - ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; - if (store) { ctx->verify_cb = store->verify_cb; ctx->cleanup = store->cleanup; } else ctx->cleanup = 0; - if (ret) - ret = X509_VERIFY_PARAM_inherit(ctx->param, - X509_VERIFY_PARAM_lookup("default")); - - if (ret == 0) { - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - return 0; - } - if (store && store->check_issued) ctx->check_issued = store->check_issued; else @@ -2390,16 +2366,46 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->check_policy = check_policy; /* + * For ctx->cleanup running well in X509_STORE_CTX_cleanup , + * initial all ctx before exceptional handling. + */ + ctx->param = X509_VERIFY_PARAM_new(); + if (ctx->param == NULL) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + goto err; + } + + /* + * Inherit callbacks and flags from X509_STORE if not set use defaults. + */ + if (store) + ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); + else + ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE; + + if (ret) + ret = X509_VERIFY_PARAM_inherit(ctx->param, + X509_VERIFY_PARAM_lookup("default")); + + if (ret == 0) { + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + goto err; + } + + /* * Since X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we * put a corresponding "new" here. */ if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data))) { - OPENSSL_free(ctx); X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } return 1; + +err: + X509_STORE_CTX_cleanup(ctx); + return 0; } /* From rsalz at openssl.org Sat Sep 5 21:44:17 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 21:44:17 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441489457.786736.27225.nullmailer@dev.openssl.org> The branch master has been updated via 8e704858f21983383be2b77e986f475b51719a1e (commit) from ecdaa1aefd30a3624624a28139a1e78e17993725 (commit) - Log ----------------------------------------------------------------- commit 8e704858f21983383be2b77e986f475b51719a1e Author: Rich Salz Date: Fri Sep 4 08:13:19 2015 -0400 RT3955: Reduce some stack usage Use malloc/free instead of big onstack buffers. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/bn/bn_prime.c | 14 ++++++++----- crypto/pkcs7/pk7_smime.c | 54 ++++++++++++++++++++++++++++++------------------ 2 files changed, 43 insertions(+), 25 deletions(-) diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index c83820c..42d574b 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -131,7 +131,7 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont); -static int probable_prime(BIGNUM *rnd, int bits); +static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods); static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); @@ -211,9 +211,13 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, BIGNUM *t; int found = 0; int i, j, c1 = 0; - BN_CTX *ctx; + BN_CTX *ctx = NULL; + prime_t *mods = NULL; int checks = BN_prime_checks_for_size(bits); + mods = OPENSSL_zalloc(sizeof(*mods) * NUMPRIMES); + if (mods == NULL) + goto err; if (bits < 2) { /* There are no prime numbers this small. */ BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL); @@ -234,7 +238,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, loop: /* make a random number and set the top and bottom bits */ if (add == NULL) { - if (!probable_prime(ret, bits)) + if (!probable_prime(ret, bits, mods)) goto err; } else { if (safe) { @@ -285,6 +289,7 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, /* we have a prime :-) */ found = 1; err: + OPENSSL_free(mods); if (ctx != NULL) BN_CTX_end(ctx); BN_CTX_free(ctx); @@ -497,10 +502,9 @@ static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, return 1; } -static int probable_prime(BIGNUM *rnd, int bits) +static int probable_prime(BIGNUM *rnd, int bits, prime_t *mods) { int i; - prime_t mods[NUMPRIMES]; BN_ULONG delta; BN_ULONG maxdelta = BN_MASK2 - primes[NUMPRIMES - 1]; char is_single_word = bits <= BN_BITS2; diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 91557af..6522a51 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -64,6 +64,9 @@ #include #include + +#define BUFFERSIZE 4096 + static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, @@ -113,6 +116,7 @@ int PKCS7_final(PKCS7 *p7, BIO *data, int flags) { BIO *p7bio; int ret = 0; + if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) { PKCS7err(PKCS7_F_PKCS7_FINAL, ERR_R_MALLOC_FAILURE); return 0; @@ -253,7 +257,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, STACK_OF(PKCS7_SIGNER_INFO) *sinfos; PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; - char buf[4096]; + char *buf = NULL; int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpin = NULL, *tmpout = NULL; @@ -355,8 +359,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, tmpout = out; /* We now have to 'read' from p7bio to calculate digests etc. */ + if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) { + PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } for (;;) { - i = BIO_read(p7bio, buf, sizeof(buf)); + i = BIO_read(p7bio, buf, BUFFERSIZE); if (i <= 0) break; if (tmpout) @@ -387,6 +395,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, ret = 1; err: + OPENSSL_free(buf); if (tmpin == indata) { if (indata) BIO_pop(p7bio); @@ -505,7 +514,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) { BIO *tmpmem; int ret, i; - char buf[4096]; + char *buf = NULL; if (!p7) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER); @@ -549,24 +558,29 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) } BIO_free_all(bread); return ret; - } else { - for (;;) { - i = BIO_read(tmpmem, buf, sizeof(buf)); - if (i <= 0) { - ret = 1; - if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) { - if (!BIO_get_cipher_status(tmpmem)) - ret = 0; - } - - break; - } - if (BIO_write(data, buf, i) != i) { - ret = 0; - break; + } + if ((buf = OPENSSL_malloc(BUFFERSIZE)) == NULL) { + PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); + goto err; + } + for (;;) { + i = BIO_read(tmpmem, buf, BUFFERSIZE); + if (i <= 0) { + ret = 1; + if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) { + if (!BIO_get_cipher_status(tmpmem)) + ret = 0; } + + break; + } + if (BIO_write(data, buf, i) != i) { + ret = 0; + break; } - BIO_free_all(tmpmem); - return ret; } +err: + OPENSSL_free(buf); + BIO_free_all(tmpmem); + return ret; } From rsalz at openssl.org Sat Sep 5 21:52:58 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 21:52:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441489978.691628.30264.nullmailer@dev.openssl.org> The branch master has been updated via ca4a494cb7437a7af155361b0084de8329c0bf25 (commit) from 8e704858f21983383be2b77e986f475b51719a1e (commit) - Log ----------------------------------------------------------------- commit ca4a494cb7437a7af155361b0084de8329c0bf25 Author: Rich Salz Date: Wed Jun 10 14:07:40 2015 -0400 Make TS structures opaque. Most of the accessors existed and were already used so it was easy. TS_VERIFY_CTX didn't have accessors/settors so I added the simple and obvious ones, and changed the app to use them. Also, within crypto/ts, replaced the functions with direct access to the structure members since we generally aren't opaque within a directory. Also fix RT3901. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/ts.c | 23 +++-- crypto/ts/Makefile | 18 ++-- crypto/ts/ts_asn1.c | 1 + crypto/ts/ts_lcl.h | 230 ++++++++++++++++++++++++++++++++++++++++++++++ crypto/ts/ts_lib.c | 5 +- crypto/ts/ts_req_print.c | 13 ++- crypto/ts/ts_req_utils.c | 1 + crypto/ts/ts_rsp_print.c | 69 +++++--------- crypto/ts/ts_rsp_sign.c | 19 ++-- crypto/ts/ts_rsp_utils.c | 6 ++ crypto/ts/ts_rsp_verify.c | 21 +++-- crypto/ts/ts_verify_ctx.c | 50 +++++++++- include/openssl/ts.h | 223 +++++--------------------------------------- util/libeay.num | 25 +++-- 14 files changed, 398 insertions(+), 306 deletions(-) create mode 100644 crypto/ts/ts_lcl.h diff --git a/apps/ts.c b/apps/ts.c index feec34b..6e6b834 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -724,7 +724,7 @@ static TS_RESP *read_PKCS7(BIO *in_bio) /* Create granted status info. */ if ((si = TS_STATUS_INFO_new()) == NULL) goto end; - if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED))) + if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED)) goto end; if (!TS_RESP_set_status_info(resp, si)) goto end; @@ -976,23 +976,24 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, BIO *input = NULL; TS_REQ *request = NULL; int ret = 0; + int f = 0; if (data != NULL || digest != NULL) { if ((ctx = TS_VERIFY_CTX_new()) == NULL) goto err; - ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; + f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { - ctx->flags |= TS_VFY_DATA; - if ((ctx->data = BIO_new_file(data, "rb")) == NULL) + f |= TS_VFY_DATA; + if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) goto err; } else if (digest != NULL) { long imprint_len; - ctx->flags |= TS_VFY_IMPRINT; - if ((ctx->imprint = string_to_hex(digest, &imprint_len)) == NULL) { + unsigned char *hexstr = string_to_hex(digest, &imprint_len); + f |= TS_VFY_IMPRINT; + if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) { BIO_printf(bio_err, "invalid digest string\n"); goto err; } - ctx->imprint_len = imprint_len; } } else if (queryfile != NULL) { @@ -1010,14 +1011,16 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, return NULL; /* Add the signature verification flag and arguments. */ - ctx->flags |= TS_VFY_SIGNATURE; + TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE); /* Initialising the X509_STORE object. */ - if ((ctx->store = create_cert_store(CApath, CAfile)) == NULL) + if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile)) + == NULL) goto err; /* Loading untrusted certificates. */ - if (untrusted && (ctx->certs = TS_CONF_load_certs(untrusted)) == NULL) + if (untrusted + && TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL) goto err; ret = 1; diff --git a/crypto/ts/Makefile b/crypto/ts/Makefile index 673d01b..76d1aea 100644 --- a/crypto/ts/Makefile +++ b/crypto/ts/Makefile @@ -86,7 +86,7 @@ ts_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_asn1.o: ../../include/openssl/ts.h ../../include/openssl/x509.h ts_asn1.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -ts_asn1.o: ts_asn1.c +ts_asn1.o: ts_asn1.c ts_lcl.h ts_conf.o: ../../e_os.h ../../include/openssl/asn1.h ts_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -135,7 +135,7 @@ ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_lib.o: ../../include/openssl/ts.h ../../include/openssl/x509.h ts_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -ts_lib.o: ../include/internal/cryptlib.h ts_lib.c +ts_lib.o: ../include/internal/cryptlib.h ts_lcl.h ts_lib.c ts_req_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_req_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_req_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -153,7 +153,7 @@ ts_req_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_req_print.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_req_print.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_req_print.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_req_print.o: ts_req_print.c +ts_req_print.o: ts_lcl.h ts_req_print.c ts_req_utils.o: ../../e_os.h ../../include/openssl/asn1.h ts_req_utils.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_req_utils.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -171,7 +171,7 @@ ts_req_utils.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_req_utils.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_req_utils.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_req_utils.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_req_utils.o: ts_req_utils.c +ts_req_utils.o: ts_lcl.h ts_req_utils.c ts_rsp_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_rsp_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -189,7 +189,7 @@ ts_rsp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_print.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_print.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_print.o: ts_rsp_print.c +ts_rsp_print.o: ts_lcl.h ts_rsp_print.c ts_rsp_sign.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_sign.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_sign.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -207,7 +207,7 @@ ts_rsp_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_sign.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_sign.o: ts_rsp_sign.c +ts_rsp_sign.o: ts_lcl.h ts_rsp_sign.c ts_rsp_utils.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_utils.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_utils.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -225,7 +225,7 @@ ts_rsp_utils.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_utils.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_utils.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_utils.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_utils.o: ts_rsp_utils.c +ts_rsp_utils.o: ts_lcl.h ts_rsp_utils.c ts_rsp_verify.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_verify.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_verify.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -243,7 +243,7 @@ ts_rsp_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_verify.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_verify.o: ts_rsp_verify.c +ts_rsp_verify.o: ts_lcl.h ts_rsp_verify.c ts_verify_ctx.o: ../../e_os.h ../../include/openssl/asn1.h ts_verify_ctx.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_verify_ctx.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -261,4 +261,4 @@ ts_verify_ctx.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_verify_ctx.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_verify_ctx.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_verify_ctx.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_verify_ctx.o: ts_verify_ctx.c +ts_verify_ctx.o: ts_lcl.h ts_verify_ctx.c diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index 99b686f..f4884a2 100644 --- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -59,6 +59,7 @@ #include #include #include +#include "ts_lcl.h" ASN1_SEQUENCE(TS_MSG_IMPRINT) = { ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR), diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h new file mode 100644 index 0000000..7bd23e9 --- /dev/null +++ b/crypto/ts/ts_lcl.h @@ -0,0 +1,230 @@ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay at cryptsoft.com). This product includes software written by Tim + * Hudson (tjh at cryptsoft.com). + * + */ + + +/*- + * MessageImprint ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier, + * hashedMessage OCTET STRING } + */ +struct TS_msg_imprint_st { + X509_ALGOR *hash_algo; + ASN1_OCTET_STRING *hashed_msg; +}; + +/*- + * TimeStampResp ::= SEQUENCE { + * status PKIStatusInfo, + * timeStampToken TimeStampToken OPTIONAL } + */ +struct TS_resp_st { + TS_STATUS_INFO *status_info; + PKCS7 *token; + TS_TST_INFO *tst_info; +}; + +/*- + * TimeStampReq ::= SEQUENCE { + * version INTEGER { v1(1) }, + * messageImprint MessageImprint, + * --a hash algorithm OID and the hash value of the data to be + * --time-stamped + * reqPolicy TSAPolicyId OPTIONAL, + * nonce INTEGER OPTIONAL, + * certReq BOOLEAN DEFAULT FALSE, + * extensions [0] IMPLICIT Extensions OPTIONAL } + */ +struct TS_req_st { + ASN1_INTEGER *version; + TS_MSG_IMPRINT *msg_imprint; + ASN1_OBJECT *policy_id; + ASN1_INTEGER *nonce; + ASN1_BOOLEAN cert_req; + STACK_OF(X509_EXTENSION) *extensions; +}; + +/*- + * Accuracy ::= SEQUENCE { + * seconds INTEGER OPTIONAL, + * millis [0] INTEGER (1..999) OPTIONAL, + * micros [1] INTEGER (1..999) OPTIONAL } + */ +struct TS_accuracy_st { + ASN1_INTEGER *seconds; + ASN1_INTEGER *millis; + ASN1_INTEGER *micros; +}; + +/*- + * TSTInfo ::= SEQUENCE { + * version INTEGER { v1(1) }, + * policy TSAPolicyId, + * messageImprint MessageImprint, + * -- MUST have the same value as the similar field in + * -- TimeStampReq + * serialNumber INTEGER, + * -- Time-Stamping users MUST be ready to accommodate integers + * -- up to 160 bits. + * genTime GeneralizedTime, + * accuracy Accuracy OPTIONAL, + * ordering BOOLEAN DEFAULT FALSE, + * nonce INTEGER OPTIONAL, + * -- MUST be present if the similar field was present + * -- in TimeStampReq. In that case it MUST have the same value. + * tsa [0] GeneralName OPTIONAL, + * extensions [1] IMPLICIT Extensions OPTIONAL } + */ +struct TS_tst_info_st { + ASN1_INTEGER *version; + ASN1_OBJECT *policy_id; + TS_MSG_IMPRINT *msg_imprint; + ASN1_INTEGER *serial; + ASN1_GENERALIZEDTIME *time; + TS_ACCURACY *accuracy; + ASN1_BOOLEAN ordering; + ASN1_INTEGER *nonce; + GENERAL_NAME *tsa; + STACK_OF(X509_EXTENSION) *extensions; +}; + +struct TS_status_info_st { + ASN1_INTEGER *status; + STACK_OF(ASN1_UTF8STRING) *text; + ASN1_BIT_STRING *failure_info; +}; + +DECLARE_STACK_OF(ASN1_UTF8STRING) + +/*- + * IssuerSerial ::= SEQUENCE { + * issuer GeneralNames, + * serialNumber CertificateSerialNumber + * } + */ +struct ESS_issuer_serial { + STACK_OF(GENERAL_NAME) *issuer; + ASN1_INTEGER *serial; +}; + +/*- + * ESSCertID ::= SEQUENCE { + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ +struct ESS_cert_id { + ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/*- + * SigningCertificate ::= SEQUENCE { + * certs SEQUENCE OF ESSCertID, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ +struct ESS_signing_cert { + STACK_OF(ESS_CERT_ID) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + + +struct TS_resp_ctx { + X509 *signer_cert; + EVP_PKEY *signer_key; + STACK_OF(X509) *certs; /* Certs to include in signed data. */ + STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ + ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ + STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ + ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ + unsigned clock_precision_digits; /* fraction of seconds in time stamp + * token. */ + unsigned flags; /* Optional info, see values above. */ + /* Callback functions. */ + TS_serial_cb serial_cb; + void *serial_cb_data; /* User data for serial_cb. */ + TS_time_cb time_cb; + void *time_cb_data; /* User data for time_cb. */ + TS_extension_cb extension_cb; + void *extension_cb_data; /* User data for extension_cb. */ + /* These members are used only while creating the response. */ + TS_REQ *request; + TS_RESP *response; + TS_TST_INFO *tst_info; +}; + +struct TS_verify_ctx { + /* Set this to the union of TS_VFY_... flags you want to carry out. */ + unsigned flags; + /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ + X509_STORE *store; + STACK_OF(X509) *certs; + /* Must be set only with TS_VFY_POLICY. */ + ASN1_OBJECT *policy; + /* + * Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, the + * algorithm from the response is used. + */ + X509_ALGOR *md_alg; + unsigned char *imprint; + unsigned imprint_len; + /* Must be set only with TS_VFY_DATA. */ + BIO *data; + /* Must be set only with TS_VFY_TSA_NAME. */ + ASN1_INTEGER *nonce; + /* Must be set only with TS_VFY_TSA_NAME. */ + GENERAL_NAME *tsa_name; +}; diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c index 2bf7c50..cd9c19f 100644 --- a/crypto/ts/ts_lib.c +++ b/crypto/ts/ts_lib.c @@ -64,6 +64,7 @@ #include #include #include +#include "ts_lcl.h" /* Local function declarations. */ @@ -135,10 +136,10 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a) { ASN1_OCTET_STRING *msg; - TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a)); + TS_X509_ALGOR_print_bio(bio, a->hash_algo); BIO_printf(bio, "Message data:\n"); - msg = TS_MSG_IMPRINT_get_msg(a); + msg = a->hashed_msg; BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg), ASN1_STRING_length(msg), 4); diff --git a/crypto/ts/ts_req_print.c b/crypto/ts/ts_req_print.c index eef1b8a..0f618d5 100644 --- a/crypto/ts/ts_req_print.c +++ b/crypto/ts/ts_req_print.c @@ -63,6 +63,7 @@ #include #include #include +#include "ts_lcl.h" /* Function definitions. */ @@ -70,7 +71,6 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) { int v; ASN1_OBJECT *policy_id; - const ASN1_INTEGER *nonce; if (a == NULL) return 0; @@ -78,7 +78,7 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) v = TS_REQ_get_version(a); BIO_printf(bio, "Version: %d\n", v); - TS_MSG_IMPRINT_print_bio(bio, TS_REQ_get_msg_imprint(a)); + TS_MSG_IMPRINT_print_bio(bio, a->msg_imprint); BIO_printf(bio, "Policy OID: "); policy_id = TS_REQ_get_policy_id(a); @@ -88,17 +88,16 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) TS_OBJ_print_bio(bio, policy_id); BIO_printf(bio, "Nonce: "); - nonce = TS_REQ_get_nonce(a); - if (nonce == NULL) + if (a->nonce == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, nonce); + TS_ASN1_INTEGER_print_bio(bio, a->nonce); BIO_write(bio, "\n", 1); BIO_printf(bio, "Certificate required: %s\n", - TS_REQ_get_cert_req(a) ? "yes" : "no"); + a->cert_req ? "yes" : "no"); - TS_ext_print_bio(bio, TS_REQ_get_exts(a)); + TS_ext_print_bio(bio, a->extensions); return 1; } diff --git a/crypto/ts/ts_req_utils.c b/crypto/ts/ts_req_utils.c index 7f3a4a4..706f442 100644 --- a/crypto/ts/ts_req_utils.c +++ b/crypto/ts/ts_req_utils.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" int TS_REQ_set_version(TS_REQ *a, long version) { diff --git a/crypto/ts/ts_rsp_print.c b/crypto/ts/ts_rsp_print.c index b71985f..f2fae69 100644 --- a/crypto/ts/ts_rsp_print.c +++ b/crypto/ts/ts_rsp_print.c @@ -63,6 +63,7 @@ #include #include #include +#include "ts_lcl.h" struct status_map_st { int bit; @@ -79,15 +80,12 @@ static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy); int TS_RESP_print_bio(BIO *bio, TS_RESP *a) { - TS_TST_INFO *tst_info; - BIO_printf(bio, "Status info:\n"); - TS_STATUS_INFO_print_bio(bio, TS_RESP_get_status_info(a)); + TS_STATUS_INFO_print_bio(bio, a->status_info); BIO_printf(bio, "\nTST info:\n"); - tst_info = TS_RESP_get_tst_info(a); - if (tst_info != NULL) - TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a)); + if (a->tst_info != NULL) + TS_TST_INFO_print_bio(bio, a->tst_info); else BIO_printf(bio, "Not included.\n"); @@ -176,102 +174,85 @@ static int ts_status_map_print(BIO *bio, const struct status_map_st *a, int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a) { int v; - ASN1_OBJECT *policy_id; - const ASN1_INTEGER *serial; - const ASN1_GENERALIZEDTIME *gtime; - TS_ACCURACY *accuracy; - const ASN1_INTEGER *nonce; - GENERAL_NAME *tsa_name; if (a == NULL) return 0; /* Print version. */ - v = TS_TST_INFO_get_version(a); + v = ASN1_INTEGER_get(a->version); BIO_printf(bio, "Version: %d\n", v); /* Print policy id. */ BIO_printf(bio, "Policy OID: "); - policy_id = TS_TST_INFO_get_policy_id(a); - TS_OBJ_print_bio(bio, policy_id); + TS_OBJ_print_bio(bio, a->policy_id); /* Print message imprint. */ - TS_MSG_IMPRINT_print_bio(bio, TS_TST_INFO_get_msg_imprint(a)); + TS_MSG_IMPRINT_print_bio(bio, a->msg_imprint); /* Print serial number. */ BIO_printf(bio, "Serial number: "); - serial = TS_TST_INFO_get_serial(a); - if (serial == NULL) + if (a->serial == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, serial); + TS_ASN1_INTEGER_print_bio(bio, a->serial); BIO_write(bio, "\n", 1); /* Print time stamp. */ BIO_printf(bio, "Time stamp: "); - gtime = TS_TST_INFO_get_time(a); - ASN1_GENERALIZEDTIME_print(bio, gtime); + ASN1_GENERALIZEDTIME_print(bio, a->time); BIO_write(bio, "\n", 1); /* Print accuracy. */ BIO_printf(bio, "Accuracy: "); - accuracy = TS_TST_INFO_get_accuracy(a); - if (accuracy == NULL) + if (a->accuracy == NULL) BIO_printf(bio, "unspecified"); else - ts_ACCURACY_print_bio(bio, accuracy); + ts_ACCURACY_print_bio(bio, a->accuracy); BIO_write(bio, "\n", 1); /* Print ordering. */ - BIO_printf(bio, "Ordering: %s\n", - TS_TST_INFO_get_ordering(a) ? "yes" : "no"); + BIO_printf(bio, "Ordering: %s\n", a->ordering ? "yes" : "no"); /* Print nonce. */ BIO_printf(bio, "Nonce: "); - nonce = TS_TST_INFO_get_nonce(a); - if (nonce == NULL) + if (a->nonce == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, nonce); + TS_ASN1_INTEGER_print_bio(bio, a->nonce); BIO_write(bio, "\n", 1); /* Print TSA name. */ BIO_printf(bio, "TSA: "); - tsa_name = TS_TST_INFO_get_tsa(a); - if (tsa_name == NULL) + if (a->tsa == NULL) BIO_printf(bio, "unspecified"); else { STACK_OF(CONF_VALUE) *nval; - if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL))) + if ((nval = i2v_GENERAL_NAME(NULL, a->tsa, NULL))) X509V3_EXT_val_prn(bio, nval, 0, 0); sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); } BIO_write(bio, "\n", 1); /* Print extensions. */ - TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a)); + TS_ext_print_bio(bio, a->extensions); return 1; } -static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy) +static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *a) { - const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy); - const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy); - const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy); - - if (seconds != NULL) - TS_ASN1_INTEGER_print_bio(bio, seconds); + if (a->seconds != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->seconds); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " seconds, "); - if (millis != NULL) - TS_ASN1_INTEGER_print_bio(bio, millis); + if (a->millis != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->millis); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " millis, "); - if (micros != NULL) - TS_ASN1_INTEGER_print_bio(bio, micros); + if (a->micros != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->micros); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " micros"); diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 9cacec8..3343dce 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -66,6 +66,7 @@ #include #include #include +#include "ts_lcl.h" /* Private function declarations. */ @@ -377,7 +378,7 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int status, const char *text) { int ret = 1; - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); + TS_STATUS_INFO *si = ctx->response->status_info; if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) { /* Status has not been set, set it now. */ @@ -388,7 +389,7 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure) { - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); + TS_STATUS_INFO *si = ctx->response->status_info; if (si->failure_info == NULL && (si->failure_info = ASN1_BIT_STRING_new()) == NULL) goto err; @@ -526,8 +527,8 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) } /* Checking message digest algorithm. */ - msg_imprint = TS_REQ_get_msg_imprint(request); - md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint); + msg_imprint = request->msg_imprint; + md_alg = msg_imprint->hash_algo; md_alg_id = OBJ_obj2nid(md_alg->algorithm); for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) { EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i); @@ -551,7 +552,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) return 0; } /* Checking message digest size. */ - digest = TS_MSG_IMPRINT_get_msg(msg_imprint); + digest = msg_imprint->hashed_msg; if (digest->length != EVP_MD_size(md)) { TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, "Bad message digest."); @@ -565,7 +566,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) /* Returns the TSA policy based on the requested and acceptable policies. */ static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx) { - ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request); + ASN1_OBJECT *requested = ctx->request->policy_id; ASN1_OBJECT *policy = NULL; int i; @@ -646,7 +647,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, goto end; /* Setting nonce if needed. */ - if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL + if ((nonce = ctx->request->nonce) != NULL && !TS_TST_INFO_set_nonce(tst_info, nonce)) goto end; @@ -684,7 +685,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, /* Processing the extensions of the request. */ static int ts_RESP_process_extensions(TS_RESP_CTX *ctx) { - STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request); + STACK_OF(X509_EXTENSION) *exts = ctx->request->extensions; int i; int ok = 1; @@ -733,7 +734,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) goto err; /* Add signer certificate and optional certificate chain. */ - if (TS_REQ_get_cert_req(ctx->request)) { + if (ctx->request->cert_req) { PKCS7_add_certificate(p7, ctx->signer_cert); if (ctx->certs) { for (i = 0; i < sk_X509_num(ctx->certs); ++i) { diff --git a/crypto/ts/ts_rsp_utils.c b/crypto/ts/ts_rsp_utils.c index 8c66c5f..887d314 100644 --- a/crypto/ts/ts_rsp_utils.c +++ b/crypto/ts/ts_rsp_utils.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" /* Function definitions. */ @@ -394,3 +395,8 @@ void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx) { return X509V3_get_d2i(a->extensions, nid, crit, idx); } + +int TS_STATUS_INFO_set_status(TS_STATUS_INFO *a, int i) +{ + return ASN1_INTEGER_set(a->status, i); +} diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 5784e3d..c01d6a6 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" /* Private function declarations. */ @@ -363,8 +364,8 @@ static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) */ int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) { - PKCS7 *token = TS_RESP_get_token(response); - TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); + PKCS7 *token = response->token; + TS_TST_INFO *tst_info = response->tst_info; int ret = 0; /* Check if we have a successful TS_TST_INFO object in place. */ @@ -411,7 +412,7 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info) { X509 *signer = NULL; - GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); + GENERAL_NAME *tsa_name = tst_info->tsa; X509_ALGOR *md_alg = NULL; unsigned char *imprint = NULL; unsigned imprint_len = 0; @@ -476,7 +477,7 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, static int ts_check_status_info(TS_RESP *response) { - TS_STATUS_INFO *info = TS_RESP_get_status_info(response); + TS_STATUS_INFO *info = response->status_info; long status = ASN1_INTEGER_get(info->status); const char *status_text = NULL; char *embedded_status_text = NULL; @@ -562,7 +563,7 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) static int ts_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) { - ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); + ASN1_OBJECT *resp_oid = tst_info->policy_id; if (OBJ_cmp(req_oid, resp_oid) != 0) { TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); @@ -576,8 +577,8 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, unsigned char **imprint, unsigned *imprint_len) { - TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); + TS_MSG_IMPRINT *msg_imprint = tst_info->msg_imprint; + X509_ALGOR *md_alg_resp = msg_imprint->hash_algo; const EVP_MD *md; EVP_MD_CTX md_ctx; unsigned char buffer[4096]; @@ -628,8 +629,8 @@ static int ts_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a, TS_TST_INFO *tst_info) { - TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); + TS_MSG_IMPRINT *b = tst_info->msg_imprint; + X509_ALGOR *algor_b = b->hash_algo; int ret = 0; /* algor_a is optional. */ @@ -657,7 +658,7 @@ static int ts_check_imprints(X509_ALGOR *algor_a, static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) { - const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); + const ASN1_INTEGER *b = tst_info->nonce; /* Error if nonce is missing. */ if (!b) { diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index e23ae26..c370137 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -60,6 +60,7 @@ #include "internal/cryptlib.h" #include #include +#include "ts_lcl.h" TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) { @@ -85,6 +86,45 @@ void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) OPENSSL_free(ctx); } +int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f) +{ + ctx->flags |= f; + return ctx->flags; +} + +int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f) +{ + ctx->flags = f; + return ctx->flags; +} + +BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b) +{ + ctx->data = b; + return ctx->data; +} + +X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s) +{ + ctx->store = s; + return ctx->store; +} + +STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx, + STACK_OF(X509) *certs) +{ + ctx->certs = certs; + return ctx->certs; +} + +unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len) +{ + ctx->imprint = hexstr; + ctx->imprint_len = len; + return ctx->imprint; +} + void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) { if (!ctx) @@ -126,25 +166,25 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); /* Setting policy. */ - if ((policy = TS_REQ_get_policy_id(req)) != NULL) { + if ((policy = req->policy_id) != NULL) { if ((ret->policy = OBJ_dup(policy)) == NULL) goto err; } else ret->flags &= ~TS_VFY_POLICY; /* Setting md_alg, imprint and imprint_len. */ - imprint = TS_REQ_get_msg_imprint(req); - md_alg = TS_MSG_IMPRINT_get_algo(imprint); + imprint = req->msg_imprint; + md_alg = imprint->hash_algo; if ((ret->md_alg = X509_ALGOR_dup(md_alg)) == NULL) goto err; - msg = TS_MSG_IMPRINT_get_msg(imprint); + msg = imprint->hashed_msg; ret->imprint_len = ASN1_STRING_length(msg); if ((ret->imprint = OPENSSL_malloc(ret->imprint_len)) == NULL) goto err; memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); /* Setting nonce. */ - if ((nonce = TS_REQ_get_nonce(req)) != NULL) { + if ((nonce = req->nonce) != NULL) { if ((ret->nonce = ASN1_INTEGER_dup(nonce)) == NULL) goto err; } else diff --git a/include/openssl/ts.h b/include/openssl/ts.h index b983abc..d66b49d 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -93,99 +93,12 @@ extern "C" { # include # include -/*- -MessageImprint ::= SEQUENCE { - hashAlgorithm AlgorithmIdentifier, - hashedMessage OCTET STRING } -*/ - -typedef struct TS_msg_imprint_st { - X509_ALGOR *hash_algo; - ASN1_OCTET_STRING *hashed_msg; -} TS_MSG_IMPRINT; - -/*- -TimeStampReq ::= SEQUENCE { - version INTEGER { v1(1) }, - messageImprint MessageImprint, - --a hash algorithm OID and the hash value of the data to be - --time-stamped - reqPolicy TSAPolicyId OPTIONAL, - nonce INTEGER OPTIONAL, - certReq BOOLEAN DEFAULT FALSE, - extensions [0] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_req_st { - ASN1_INTEGER *version; - TS_MSG_IMPRINT *msg_imprint; - ASN1_OBJECT *policy_id; /* OPTIONAL */ - ASN1_INTEGER *nonce; /* OPTIONAL */ - ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ - STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ -} TS_REQ; - -/*- -Accuracy ::= SEQUENCE { - seconds INTEGER OPTIONAL, - millis [0] INTEGER (1..999) OPTIONAL, - micros [1] INTEGER (1..999) OPTIONAL } -*/ - -typedef struct TS_accuracy_st { - ASN1_INTEGER *seconds; - ASN1_INTEGER *millis; - ASN1_INTEGER *micros; -} TS_ACCURACY; - -/*- -TSTInfo ::= SEQUENCE { - version INTEGER { v1(1) }, - policy TSAPolicyId, - messageImprint MessageImprint, - -- MUST have the same value as the similar field in - -- TimeStampReq - serialNumber INTEGER, - -- Time-Stamping users MUST be ready to accommodate integers - -- up to 160 bits. - genTime GeneralizedTime, - accuracy Accuracy OPTIONAL, - ordering BOOLEAN DEFAULT FALSE, - nonce INTEGER OPTIONAL, - -- MUST be present if the similar field was present - -- in TimeStampReq. In that case it MUST have the same value. - tsa [0] GeneralName OPTIONAL, - extensions [1] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_tst_info_st { - ASN1_INTEGER *version; - ASN1_OBJECT *policy_id; - TS_MSG_IMPRINT *msg_imprint; - ASN1_INTEGER *serial; - ASN1_GENERALIZEDTIME *time; - TS_ACCURACY *accuracy; - ASN1_BOOLEAN ordering; - ASN1_INTEGER *nonce; - GENERAL_NAME *tsa; - STACK_OF(X509_EXTENSION) *extensions; -} TS_TST_INFO; - -/*- -PKIStatusInfo ::= SEQUENCE { - status PKIStatus, - statusString PKIFreeText OPTIONAL, - failInfo PKIFailureInfo OPTIONAL } - -From RFC 1510 - section 3.1.1: -PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String - -- text encoded as UTF-8 String (note: each UTF8String SHOULD - -- include an RFC 1766 language tag to indicate the language - -- of the contained text) -*/ - -/* Possible values for status. See ts_resp_print.c && ts_resp_verify.c. */ +typedef struct TS_msg_imprint_st TS_MSG_IMPRINT; +typedef struct TS_req_st TS_REQ; +typedef struct TS_accuracy_st TS_ACCURACY; +typedef struct TS_tst_info_st TS_TST_INFO; +/* Possible values for status. */ # define TS_STATUS_GRANTED 0 # define TS_STATUS_GRANTED_WITH_MODS 1 # define TS_STATUS_REJECTION 2 @@ -193,10 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String # define TS_STATUS_REVOCATION_WARNING 4 # define TS_STATUS_REVOCATION_NOTIFICATION 5 -/* - * Possible values for failure_info. See ts_resp_print.c && ts_resp_verify.c - */ - +/* Possible values for failure_info. */ # define TS_INFO_BAD_ALG 0 # define TS_INFO_BAD_REQUEST 2 # define TS_INFO_BAD_DATA_FORMAT 5 @@ -206,65 +116,15 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String # define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 # define TS_INFO_SYSTEM_FAILURE 25 -typedef struct TS_status_info_st { - ASN1_INTEGER *status; - STACK_OF(ASN1_UTF8STRING) *text; - ASN1_BIT_STRING *failure_info; -} TS_STATUS_INFO; -DECLARE_STACK_OF(ASN1_UTF8STRING) - -/*- -TimeStampResp ::= SEQUENCE { - status PKIStatusInfo, - timeStampToken TimeStampToken OPTIONAL } -*/ - -typedef struct TS_resp_st { - TS_STATUS_INFO *status_info; - PKCS7 *token; - TS_TST_INFO *tst_info; -} TS_RESP; - -/* The structure below would belong to the ESS component. */ - -/*- -IssuerSerial ::= SEQUENCE { - issuer GeneralNames, - serialNumber CertificateSerialNumber - } -*/ - -typedef struct ESS_issuer_serial { - STACK_OF(GENERAL_NAME) *issuer; - ASN1_INTEGER *serial; -} ESS_ISSUER_SERIAL; - -/*- -ESSCertID ::= SEQUENCE { - certHash Hash, - issuerSerial IssuerSerial OPTIONAL -} -*/ - -typedef struct ESS_cert_id { - ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ - ESS_ISSUER_SERIAL *issuer_serial; -} ESS_CERT_ID; +typedef struct TS_status_info_st TS_STATUS_INFO; +typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; +typedef struct ESS_cert_id ESS_CERT_ID; +typedef struct ESS_signing_cert ESS_SIGNING_CERT; DECLARE_STACK_OF(ESS_CERT_ID) -/*- -SigningCertificate ::= SEQUENCE { - certs SEQUENCE OF ESSCertID, - policies SEQUENCE OF PolicyInformation OPTIONAL -} -*/ - -typedef struct ESS_signing_cert { - STACK_OF(ESS_CERT_ID) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -} ESS_SIGNING_CERT; +typedef struct TS_resp_st TS_RESP; TS_REQ *TS_REQ_new(void); void TS_REQ_free(TS_REQ *a); @@ -356,6 +216,8 @@ void ERR_load_TS_strings(void); int TS_REQ_set_version(TS_REQ *a, long version); long TS_REQ_get_version(const TS_REQ *a); +int TS_STATUS_INFO_set_status(TS_STATUS_INFO *a, int i); + int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint); TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a); @@ -487,31 +349,7 @@ typedef int (*TS_time_cb) (struct TS_resp_ctx *, void *, long *sec, typedef int (*TS_extension_cb) (struct TS_resp_ctx *, X509_EXTENSION *, void *); -typedef struct TS_resp_ctx { - X509 *signer_cert; - EVP_PKEY *signer_key; - STACK_OF(X509) *certs; /* Certs to include in signed data. */ - STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ - ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ - STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ - ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ - unsigned clock_precision_digits; /* fraction of seconds in time stamp - * token. */ - unsigned flags; /* Optional info, see values above. */ - /* Callback functions. */ - TS_serial_cb serial_cb; - void *serial_cb_data; /* User data for serial_cb. */ - TS_time_cb time_cb; - void *time_cb_data; /* User data for time_cb. */ - TS_extension_cb extension_cb; - void *extension_cb_data; /* User data for extension_cb. */ - /* These members are used only while creating the response. */ - TS_REQ *request; - TS_RESP *response; - TS_TST_INFO *tst_info; -} TS_RESP_CTX; +typedef struct TS_resp_ctx TS_RESP_CTX; DECLARE_STACK_OF(EVP_MD) @@ -645,42 +483,25 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, | TS_VFY_SIGNER \ | TS_VFY_TSA_NAME) -typedef struct TS_verify_ctx { - /* Set this to the union of TS_VFY_... flags you want to carry out. */ - unsigned flags; - /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ - X509_STORE *store; - STACK_OF(X509) *certs; - /* Must be set only with TS_VFY_POLICY. */ - ASN1_OBJECT *policy; - /* - * Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, the - * algorithm from the response is used. - */ - X509_ALGOR *md_alg; - unsigned char *imprint; - unsigned imprint_len; - /* Must be set only with TS_VFY_DATA. */ - BIO *data; - /* Must be set only with TS_VFY_TSA_NAME. */ - ASN1_INTEGER *nonce; - /* Must be set only with TS_VFY_TSA_NAME. */ - GENERAL_NAME *tsa_name; -} TS_VERIFY_CTX; +typedef struct TS_verify_ctx TS_VERIFY_CTX; int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); /* * Declarations related to response verification context, - * they are defined in ts/ts_verify_ctx.c. */ - -/* Set all fields to zero. */ TS_VERIFY_CTX *TS_VERIFY_CTX_new(void); void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); +int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f); +int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f); +BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b); +unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len); +X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s); +STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs); /*- * If ctx is NULL, it allocates and returns a new object, otherwise diff --git a/util/libeay.num b/util/libeay.num index 612fff6..39c9020 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4587,19 +4587,26 @@ CRYPTO_secure_free 4945 EXIST::FUNCTION: BIO_s_secmem 4946 EXIST::FUNCTION: CRYPTO_get_secure_mem_ex_functions 4947 EXIST::FUNCTION: CRYPTO_set_secure_mem_functions 4948 EXIST::FUNCTION: +TS_VERIFY_CTX_set_flags 4949 EXIST::FUNCTION: X509_STORE_CTX_get_num_untrusted 4949 EXIST::FUNCTION: +TS_STATUS_INFO_set_status 4950 EXIST::FUNCTION: X509_up_ref 4950 EXIST::FUNCTION: +TS_VERIFY_CTX_set_imprint 4951 EXIST::FUNCTION: X509_REQ_get_version 4951 EXIST::FUNCTION: +TS_VERIFY_CTS_set_certs 4952 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: +TS_VERIFY_CTX_set_data 4953 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: CRYPTO_zalloc 4954 EXIST::FUNCTION: -X509_get_extension_flags 4955 EXIST::FUNCTION: -X509_get_extended_key_usage 4956 EXIST::FUNCTION: -X509_get_key_usage 4957 EXIST::FUNCTION: -X509_CRL_get_issuer 4958 EXIST::FUNCTION: -X509_CRL_get_nextUpdate 4959 EXIST::FUNCTION: -X509_CRL_get0_signature 4960 EXIST::FUNCTION: -X509_CRL_get_REVOKED 4961 EXIST::FUNCTION: -X509_CRL_get_version 4962 EXIST::FUNCTION: -X509_CRL_get_lastUpdate 4963 EXIST::FUNCTION: +TS_VERIFY_CTX_set_store 4954 EXIST::FUNCTION: +X509_get_extension_flags 4954 EXIST::FUNCTION: +TS_VERIFY_CTX_add_flags 4955 EXIST::FUNCTION: +X509_get_extended_key_usage 4955 EXIST::FUNCTION: +X509_get_key_usage 4956 EXIST::FUNCTION: +X509_CRL_get_issuer 4957 EXIST::FUNCTION: +X509_CRL_get_nextUpdate 4958 EXIST::FUNCTION: +X509_CRL_get0_signature 4959 EXIST::FUNCTION: +X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: +X509_CRL_get_version 4961 EXIST::FUNCTION: +X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: EVP_PBE_get 4964 EXIST::FUNCTION: From rsalz at openssl.org Sat Sep 5 22:05:24 2015 From: rsalz at openssl.org (Rich Salz) Date: Sat, 05 Sep 2015 22:05:24 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441490724.035500.32717.nullmailer@dev.openssl.org> The branch master has been updated via fda23e2d93761736b880cdfd7eb393cc623d9b7a (commit) from ca4a494cb7437a7af155361b0084de8329c0bf25 (commit) - Log ----------------------------------------------------------------- commit fda23e2d93761736b880cdfd7eb393cc623d9b7a Author: Rich Salz Date: Wed Jun 10 18:53:31 2015 -0400 Cleanup testtsa script Add RUN function; remove single-use functions and use their body inline. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: test/testtsa | 129 ++++++++++++++++++----------------------------------------- 1 file changed, 40 insertions(+), 89 deletions(-) diff --git a/test/testtsa b/test/testtsa index df9abed..fc68ff9 100644 --- a/test/testtsa +++ b/test/testtsa @@ -21,32 +21,16 @@ export SSLEAY_CONFIG OPENSSL="`pwd`/../util/opensslwrap.sh" export OPENSSL -setup_dir () { - rm -rf tsa 2>/dev/null - mkdir tsa - cd ./tsa -} - -clean_up_dir () { - cd .. - rm -rf tsa -} - -create_ca () { - echo creating a new CA for the TSA tests - TSDNSECT=ts_ca_dn - export TSDNSECT - ../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \ - -out tsaca.pem -keyout tsacakey.pem || exit 1 +RUN () { + ../../util/shlib_wrap.sh ../../apps/openssl ts $* } create_tsa_cert () { - INDEX=$1 export INDEX EXT=$2 TSDNSECT=ts_cert_dn - export TSDNSECT + export TSDNSECT ../../util/shlib_wrap.sh ../../apps/openssl req -new \ -out tsa_req${INDEX}.pem -keyout tsa_key${INDEX}.pem || exit 1 @@ -57,70 +41,19 @@ create_tsa_cert () { -extfile $OPENSSL_CONF -extensions $EXT || exit 1 } -print_request () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -in $1 -text -} - -create_time_stamp_request1 () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1 -} - -create_time_stamp_request2 () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../testtsa -policy tsa_policy2 -no_nonce \ - -out req2.tsq || exit 1 -} - -create_time_stamp_request3 () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1 -} - -print_response () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $1 -text || exit 1 -} - create_time_stamp_response () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -section $3 -queryfile $1 -out $2 || exit 1 -} - -time_stamp_response_token_test () { - - RESPONSE2=$2.copy.tsr - TOKEN_DER=$2.token.der - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $TOKEN_DER -token_out || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1 - cmp $RESPONSE2 $2 || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -text -token_out || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $TOKEN_DER -token_in -text -token_out || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -queryfile $1 -text -token_out || exit 1 + RUN -reply -section $3 -queryfile $1 -out $2 || exit 1 } verify_time_stamp_response () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ + RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2 -CAfile tsaca.pem \ + RUN -verify -data $3 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem || exit 1 } -verify_time_stamp_token () { - - # create the token from the response first - ../../util/shlib_wrap.sh ../../apps/openssl ts -reply -in $2 -out $2.token -token_out || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2.token -token_in \ - -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 - ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -data $3 -in $2.token -token_in \ - -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 -} - verify_time_stamp_response_fail () { - - ../../util/shlib_wrap.sh ../../apps/openssl ts -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ + RUN -verify -queryfile $1 -in $2 -CAfile tsaca.pem \ -untrusted tsa_cert1.pem && exit 1 echo ok } @@ -128,10 +61,15 @@ verify_time_stamp_response_fail () { # main functions echo setting up TSA test directory -setup_dir - -echo creating CA for TSA tests -create_ca +rm -rf tsa 2>/dev/null +mkdir tsa +cd ./tsa + +echo creating a new CA for the TSA tests +TSDNSECT=ts_ca_dn +export TSDNSECT +../../util/shlib_wrap.sh ../../apps/openssl req -new -x509 -nodes \ + -out tsaca.pem -keyout tsacakey.pem || exit 1 echo creating tsa_cert1.pem TSA server cert create_tsa_cert 1 tsa_cert @@ -140,37 +78,49 @@ echo creating tsa_cert2.pem non-TSA server cert create_tsa_cert 2 non_tsa_cert echo creating req1.req time stamp request for file testtsa -create_time_stamp_request1 +RUN -query -data ../testtsa -policy tsa_policy1 -cert -out req1.tsq || exit 1 echo printing req1.req -print_request req1.tsq +RUN -query -in req1.tsq -text echo generating valid response for req1.req create_time_stamp_response req1.tsq resp1.tsr tsa_config1 echo printing response -print_response resp1.tsr +RUN -reply -in resp1.tsr -text || exit 1 echo verifying valid response verify_time_stamp_response req1.tsq resp1.tsr ../testtsa echo verifying valid token -verify_time_stamp_token req1.tsq resp1.tsr ../testtsa +RUN -reply -in resp1.tsr -out resp1.tsr.token -token_out || exit 1 +RUN -verify -queryfile req1.tsq -in resp1.tsr.token -token_in \ + -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 +RUN -verify -data ../testtsa -in resp1.tsr.token -token_in \ + -CAfile tsaca.pem -untrusted tsa_cert1.pem || exit 1 echo creating req2.req time stamp request for file testtsa -create_time_stamp_request2 +RUN -query -data ../testtsa -policy tsa_policy2 -no_nonce \ + -out req2.tsq || exit 1 echo printing req2.req -print_request req2.tsq +RUN -query -in req2.tsq -text echo generating valid response for req2.req create_time_stamp_response req2.tsq resp2.tsr tsa_config1 echo checking -token_in and -token_out options with -reply -time_stamp_response_token_test req2.tsq resp2.tsr +RESPONSE2=resp2.tsr.copy.tsr +TOKEN_DER=resp2.tsr.token.der +RUN -reply -in resp2.tsr -out $TOKEN_DER -token_out || exit 1 +RUN -reply -in $TOKEN_DER -token_in -out $RESPONSE2 || exit 1 +cmp $RESPONSE2 resp2.tsr || exit 1 +RUN -reply -in resp2.tsr -text -token_out || exit 1 +RUN -reply -in $TOKEN_DER -token_in -text -token_out || exit 1 +RUN -reply -queryfile req2.tsq -text -token_out || exit 1 echo printing response -print_response resp2.tsr +RUN -reply -in resp2.tsr -text || exit 1 echo verifying valid response verify_time_stamp_response req2.tsq resp2.tsr ../testtsa @@ -182,15 +132,16 @@ echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req2.tsq resp1.tsr echo creating req3.req time stamp request for file CAtsa.cnf -create_time_stamp_request3 +RUN -query -data ../CAtsa.cnf -no_nonce -out req3.tsq || exit 1 echo printing req3.req -print_request req3.tsq +RUN -query -in req3.tsq -text echo verifying response against wrong request, it should fail verify_time_stamp_response_fail req3.tsq resp1.tsr echo cleaning up -clean_up_dir +cd .. +rm -rf tsa exit 0 From steve at openssl.org Sat Sep 5 23:18:43 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 05 Sep 2015 23:18:43 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441495123.992405.13081.nullmailer@dev.openssl.org> The branch master has been updated via 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41 (commit) via a8d8e06b0ac06c421fd11cc1772126dcb98f79ae (commit) via f728254a840bf7fdd2252fe09e11a0e99c7df1d4 (commit) from fda23e2d93761736b880cdfd7eb393cc623d9b7a (commit) - Log ----------------------------------------------------------------- commit 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41 Author: Dr. Stephen Henson Date: Thu Sep 3 18:40:19 2015 +0100 make update Reviewed-by: Tim Hudson commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae Author: Dr. Stephen Henson Date: Wed Sep 2 22:01:18 2015 +0100 Avoid direct X509 structure access Reviewed-by: Tim Hudson commit f728254a840bf7fdd2252fe09e11a0e99c7df1d4 Author: Dr. Stephen Henson Date: Wed Sep 2 21:46:39 2015 +0100 Replace X509 macros with functions Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/ca.c | 23 ++++++----------------- apps/x509.c | 9 +++++++-- crypto/ocsp/ocsp_vfy.c | 4 ++-- crypto/pkcs7/pk7_doit.c | 6 +++--- crypto/ts/ts_rsp_sign.c | 6 +++--- crypto/ts/ts_rsp_verify.c | 14 +++++++------- crypto/x509/x509_set.c | 25 +++++++++++++++++++++++++ crypto/x509/x509type.c | 2 +- crypto/x509v3/pcy_tree.c | 14 +++++++++----- include/openssl/x509.h | 21 ++++++++++----------- ssl/ssl_cert.c | 3 +-- ssl/ssl_lib.c | 36 ++++++++++++------------------------ test/ssltest.c | 2 +- util/libeay.num | 5 +++++ 14 files changed, 92 insertions(+), 78 deletions(-) diff --git a/apps/ca.c b/apps/ca.c index b93cff5..5cd8002 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1052,13 +1052,14 @@ end_of_options: if (verbose) BIO_printf(bio_err, "writing new certificates\n"); for (i = 0; i < sk_X509_num(cert_sk); i++) { + ASN1_INTEGER *serialNumber = X509_get_serialNumber(x); int k; char *n; x = sk_X509_value(cert_sk, i); - j = x->cert_info->serialNumber->length; - p = (const char *)x->cert_info->serialNumber->data; + j = ASN1_STRING_length(serialNumber); + p = (const char *)ASN1_STRING_data(serialNumber); if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) { BIO_printf(bio_err, "certificate file name too long\n"); @@ -1450,7 +1451,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, ASN1_STRING *str, *str2; ASN1_OBJECT *obj; X509 *ret = NULL; - X509_CINF *ci; X509_NAME_ENTRY *ne; X509_NAME_ENTRY *tne, *push; EVP_PKEY *pktmp; @@ -1546,7 +1546,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if (selfsign) CAname = X509_NAME_dup(name); else - CAname = X509_NAME_dup(x509->cert_info->subject); + CAname = X509_NAME_dup(X509_get_subject_name(x509)); if (CAname == NULL) goto end; str = str2 = NULL; @@ -1755,7 +1755,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, if ((ret = X509_new()) == NULL) goto end; - ci = ret->cert_info; #ifdef X509_V3 /* Make it an X509 v3 certificate. */ @@ -1763,7 +1762,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; #endif - if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL) + if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) goto end; if (selfsign) { if (!X509_set_issuer_name(ret, subject)) @@ -1799,17 +1798,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; - if (ci->version == NULL) - if ((ci->version = ASN1_INTEGER_new()) == NULL) - goto end; - ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */ - - /* - * Free the current entries if any, there should not be any I believe - */ - sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); - - ci->extensions = NULL; + X509_set_version(ret, 2); /* Initialize the context structure */ if (selfsign) diff --git a/apps/x509.c b/apps/x509.c index 6b41a75..acce9e9 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -894,8 +894,13 @@ int x509_main(int argc, char **argv) goto end; } - if (badsig) - x->signature->data[x->signature->length - 1] ^= 0x1; + if (badsig) { + ASN1_BIT_STRING *signature; + unsigned char *s; + X509_get0_signature(&signature, NULL, x); + s = ASN1_STRING_data(signature); + s[ASN1_STRING_length(signature) - 1] ^= 0x1; + } if (outformat == FORMAT_ASN1) i = i2d_X509_bio(out, x); diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index d2693c7..9dd3f3a 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -355,8 +355,8 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, static int ocsp_check_delegated(X509 *x, int flags) { - X509_check_purpose(x, -1, 0); - if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN)) + if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) + && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) return 1; OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); return 0; diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index cc2f3be..1ac6893 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -393,11 +393,11 @@ static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) { int ret; ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, - pcert->cert_info->issuer); + X509_get_issuer_name(pcert)); if (ret) return ret; - return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, - ri->issuer_and_serial->serial); + return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert), + ri->issuer_and_serial->serial); } /* int */ diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 3343dce..f7fb762 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -657,7 +657,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, goto end; tsa_name->type = GEN_DIRNAME; tsa_name->d.dirn = - X509_NAME_dup(ctx->signer_cert->cert_info->subject); + X509_NAME_dup(X509_get_subject_name(ctx->signer_cert)); if (!tsa_name->d.dirn) goto end; if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) @@ -869,7 +869,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) if ((name = GENERAL_NAME_new()) == NULL) goto err; name->type = GEN_DIRNAME; - if ((name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)) == NULL) + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) goto err; if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) goto err; @@ -877,7 +877,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) /* Setting the serial number. */ ASN1_INTEGER_free(cid->issuer_serial->serial); if (!(cid->issuer_serial->serial = - ASN1_INTEGER_dup(cert->cert_info->serialNumber))) + ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) goto err; } diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index c01d6a6..93a775e 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -72,7 +72,7 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si); static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); -static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); +static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info); static int ts_check_status_info(TS_RESP *response); @@ -328,7 +328,7 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) sizeof(cert->sha1_hash))) { /* Check the issuer/serial as well if specified. */ ESS_ISSUER_SERIAL *is = cid->issuer_serial; - if (!is || !ts_issuer_serial_cmp(is, cert->cert_info)) + if (!is || !ts_issuer_serial_cmp(is, cert)) return i; } } @@ -336,21 +336,21 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) return -1; } -static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) +static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) { GENERAL_NAME *issuer; - if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) + if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; /* Check the issuer first. It must be a directory name. */ issuer = sk_GENERAL_NAME_value(is->issuer, 0); if (issuer->type != GEN_DIRNAME - || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) + || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert))) return -1; /* Check the serial number, too. */ - if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) + if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert))) return -1; return 0; @@ -687,7 +687,7 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) /* Check the subject name first. */ if (tsa_name->type == GEN_DIRNAME - && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) + && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0) return 1; /* Check all the alternative names. */ diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index 1ccfdb9..cfff563 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -155,3 +155,28 @@ void X509_up_ref(X509 *x) { CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); } + +long X509_get_version(X509 *x) +{ + return ASN1_INTEGER_get(x->cert_info->version); +} + +ASN1_TIME * X509_get_notBefore(X509 *x) +{ + return x->cert_info->validity->notBefore; +} + +ASN1_TIME *X509_get_notAfter(X509 *x) +{ + return x->cert_info->validity->notAfter; +} + +int X509_get_signature_type(const X509 *x) +{ + return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg->algorithm)); +} + +X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x) +{ + return x->cert_info->key; +} diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 232ba9b..8332d9e 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -100,7 +100,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) break; } - i = OBJ_obj2nid(x->sig_alg->algorithm); + i = X509_get_signature_nid(x); if (i && OBJ_find_sigid_algs(i, NULL, &i)) { switch (i) { diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509v3/pcy_tree.c index c6be015..bbc9ada 100644 --- a/crypto/x509v3/pcy_tree.c +++ b/crypto/x509v3/pcy_tree.c @@ -184,7 +184,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * explicit_policy value at this point. */ for (i = n - 2; i >= 0; i--) { + uint32_t ex_flags; x = sk_X509_value(certs, i); + ex_flags = X509_get_extension_flags(x); X509_check_purpose(x, -1, -1); cache = policy_cache_set(x); /* If cache NULL something bad happened: return immediately */ @@ -193,7 +195,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, /* * If inconsistent extensions keep a note of it but continue */ - if (x->ex_flags & EXFLAG_INVALID_POLICY) + if (ex_flags & EXFLAG_INVALID_POLICY) ret = -1; /* * Otherwise if we have no data (hence no CertificatePolicies) and @@ -202,7 +204,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, else if ((ret == 1) && !cache->data) ret = 2; if (explicit_policy > 0) { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) explicit_policy--; if ((cache->explicit_skip != -1) && (cache->explicit_skip < explicit_policy)) @@ -235,8 +237,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, goto bad_tree; for (i = n - 2; i >= 0; i--) { + uint32_t ex_flags; level++; x = sk_X509_value(certs, i); + ex_flags = X509_get_extension_flags(x); cache = policy_cache_set(x); X509_up_ref(x); level->cert = x; @@ -250,10 +254,10 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, * Any matching allowed if certificate is self issued and not the * last in the chain. */ - if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) + if (!(ex_flags & EXFLAG_SI) || (i == 0)) level->flags |= X509_V_FLAG_INHIBIT_ANY; } else { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) any_skip--; if ((cache->any_skip >= 0) && (cache->any_skip < any_skip)) @@ -263,7 +267,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, if (map_skip == 0) level->flags |= X509_V_FLAG_INHIBIT_MAP; else { - if (!(x->ex_flags & EXFLAG_SI)) + if (!(ex_flags & EXFLAG_SI)) map_skip--; if ((cache->map_skip >= 0) && (cache->map_skip < map_skip)) diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 661d81c..751150d 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -445,14 +445,9 @@ extern "C" { # define X509_EXT_PACK_UNKNOWN 1 # define X509_EXT_PACK_STRING 2 -# define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version) -/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */ -# define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore) -# define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter) # define X509_extract_key(x) X509_get_pubkey(x)/*****/ # define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) # define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) -# define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm)) void X509_CRL_set_default_method(const X509_CRL_METHOD *meth); X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl), @@ -468,12 +463,6 @@ void X509_CRL_METHOD_free(X509_CRL_METHOD *m); void X509_CRL_set_meth_data(X509_CRL *crl, void *dat); void *X509_CRL_get_meth_data(X509_CRL *crl); -/* - * This one is only used so that a binary form can output, as in - * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) - */ -# define X509_get_X509_PUBKEY(x) ((x)->cert_info->key) - const char *X509_verify_cert_error_string(long n); int X509_verify(X509 *a, EVP_PKEY *r); @@ -736,6 +725,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx); +long X509_get_version(X509 *x); int X509_set_version(X509 *x, long version); int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial); ASN1_INTEGER *X509_get_serialNumber(X509 *x); @@ -743,10 +733,19 @@ int X509_set_issuer_name(X509 *x, X509_NAME *name); X509_NAME *X509_get_issuer_name(X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); X509_NAME *X509_get_subject_name(X509 *a); +ASN1_TIME * X509_get_notBefore(X509 *x); int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); +ASN1_TIME *X509_get_notAfter(X509 *x); int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); void X509_up_ref(X509 *x); +int X509_get_signature_type(const X509 *x); +/* + * This one is only used so that a binary form can output, as in + * i2d_X509_NAME(X509_get_X509_PUBKEY(x),&buf) + */ +X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x); + EVP_PKEY *X509_get_pubkey(X509 *x); ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); int X509_certificate_type(X509 *x, EVP_PKEY *pubkey /* optional */ ); diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index c3e2c2e..555b1d7 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1028,8 +1028,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) if (sk_X509_num(chain) > 0) { /* See if last cert is self signed */ x = sk_X509_value(chain, sk_X509_num(chain) - 1); - X509_check_purpose(x, -1, 0); - if (x->ex_flags & EXFLAG_SS) { + if (X509_get_extension_flags(x) & EXFLAG_SS) { x = sk_X509_pop(chain); X509_free(x); } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index fe07d2c..c84ea15 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1900,7 +1900,7 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) int have_ecdh_tmp, ecdh_ok; X509 *x = NULL; EVP_PKEY *ecc_pkey = NULL; - int signature_nid = 0, pk_nid = 0, md_nid = 0; + int pk_nid = 0, md_nid = 0; #endif if (c == NULL) return; @@ -2004,23 +2004,18 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) */ #ifndef OPENSSL_NO_EC if (have_ecc_cert) { + uint32_t ex_kusage; cpk = &c->pkeys[SSL_PKEY_ECC]; x = cpk->x509; - /* This call populates extension flags (ex_flags) */ - X509_check_purpose(x, -1, 0); - ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? - (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; - ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? - (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; + ex_kusage = X509_get_key_usage(x); + ecdh_ok = ex_kusage & X509v3_KU_KEY_AGREEMENT; + ecdsa_ok = ex_kusage & X509v3_KU_DIGITAL_SIGNATURE; if (!(pvalid[SSL_PKEY_ECC] & CERT_PKEY_SIGN)) ecdsa_ok = 0; ecc_pkey = X509_get_pubkey(x); ecc_pkey_size = (ecc_pkey != NULL) ? EVP_PKEY_bits(ecc_pkey) : 0; EVP_PKEY_free(ecc_pkey); - if ((x->sig_alg) && (x->sig_alg->algorithm)) { - signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); - OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); - } + OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid); if (ecdh_ok) { if (pk_nid == NID_rsaEncryption || pk_nid == NID_rsa) { @@ -2074,10 +2069,6 @@ void ssl_set_masks(SSL *s, const SSL_CIPHER *cipher) s->s3->tmp.export_mask_a = emask_a; } -/* This handy macro borrowed from crypto/x509v3/v3_purp.c */ -#define ku_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) - #ifndef OPENSSL_NO_EC int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) @@ -2085,8 +2076,9 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) unsigned long alg_k, alg_a; EVP_PKEY *pkey = NULL; int keysize = 0; - int signature_nid = 0, md_nid = 0, pk_nid = 0; + int md_nid = 0, pk_nid = 0; const SSL_CIPHER *cs = s->s3->tmp.new_cipher; + uint32_t ex_kusage = X509_get_key_usage(x); alg_k = cs->algorithm_mkey; alg_a = cs->algorithm_auth; @@ -2102,15 +2094,11 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) return 0; } - /* This call populates the ex_flags field correctly */ - X509_check_purpose(x, -1, 0); - if ((x->sig_alg) && (x->sig_alg->algorithm)) { - signature_nid = OBJ_obj2nid(x->sig_alg->algorithm); - OBJ_find_sigid_algs(signature_nid, &md_nid, &pk_nid); - } + OBJ_find_sigid_algs(X509_get_signature_nid(x), &md_nid, &pk_nid); + if (alg_k & SSL_kECDHe || alg_k & SSL_kECDHr) { /* key usage, if present, must allow key agreement */ - if (ku_reject(x, X509v3_KU_KEY_AGREEMENT)) { + if (!(ex_kusage & X509v3_KU_KEY_AGREEMENT)) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT); return 0; @@ -2135,7 +2123,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) } if (alg_a & SSL_aECDSA) { /* key usage, if present, must allow signing */ - if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE)) { + if (!(ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) { SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_SIGNING); return 0; diff --git a/test/ssltest.c b/test/ssltest.c index adf1368..6f9d16c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -2422,7 +2422,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) if (ok == 1) { X509 *xs = ctx->current_cert; - if (xs->ex_flags & EXFLAG_PROXY) { + if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx, get_proxy_auth_ex_data_idx ()); diff --git a/util/libeay.num b/util/libeay.num index 39c9020..e5998bc 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4610,3 +4610,8 @@ X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: X509_CRL_get_version 4961 EXIST::FUNCTION: X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: EVP_PBE_get 4964 EXIST::FUNCTION: +X509_get_version 4965 EXIST::FUNCTION: +X509_get_X509_PUBKEY 4966 EXIST::FUNCTION: +X509_get_notBefore 4967 EXIST::FUNCTION: +X509_get_notAfter 4968 EXIST::FUNCTION: +X509_get_signature_type 4969 EXIST::FUNCTION: From levitte at openssl.org Sat Sep 5 23:28:48 2015 From: levitte at openssl.org (Richard Levitte) Date: Sat, 05 Sep 2015 23:28:48 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441495728.212785.15102.nullmailer@dev.openssl.org> The branch master has been updated via e9daa8150abc8d96dd1e4dcd764355851f06ef2b (commit) from 551a2f26aa54f0a9210128f3b4c1c4a7e8a85e41 (commit) - Log ----------------------------------------------------------------- commit e9daa8150abc8d96dd1e4dcd764355851f06ef2b Author: Richard Levitte Date: Fri Sep 4 17:04:33 2015 +0200 Make the verify_extra test location agnostic Depending on platform, verify_extra_test may fail because it relies on test/ being the current working directory. Make it get all the required files on the command line instead to solve that issue. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: test/Makefile | 3 ++- test/verify_extra_test.c | 19 +++++++++++++------ 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/test/Makefile b/test/Makefile index c85e8d8..0900a92 100644 --- a/test/Makefile +++ b/test/Makefile @@ -432,7 +432,8 @@ test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT) @echo $(START) $@ - ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST) + ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST) \ + certs/roots.pem certs/untrusted.pem certs/bad.pem test_clienthello: $(CLIENTHELLOTEST)$(EXE_EXT) @echo $(START) $@ diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c index 08509f0..7cc6739 100644 --- a/test/verify_extra_test.c +++ b/test/verify_extra_test.c @@ -130,7 +130,9 @@ static STACK_OF(X509) *load_certs_from_file(const char *filename) * CA=FALSE, and will therefore incorrectly verify bad * */ -static int test_alt_chains_cert_forgery(void) +static int test_alt_chains_cert_forgery(const char *roots_f, + const char *untrusted_f, + const char *bad_f) { int ret = 0; int i; @@ -148,12 +150,12 @@ static int test_alt_chains_cert_forgery(void) lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (lookup == NULL) goto err; - if(!X509_LOOKUP_load_file(lookup, "certs/roots.pem", X509_FILETYPE_PEM)) + if(!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM)) goto err; - untrusted = load_certs_from_file("certs/untrusted.pem"); + untrusted = load_certs_from_file(untrusted_f); - if ((bio = BIO_new_file("certs/bad.pem", "r")) == NULL) + if ((bio = BIO_new_file(bad_f, "r")) == NULL) goto err; if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) @@ -183,7 +185,7 @@ static int test_alt_chains_cert_forgery(void) return ret; } -int main(void) +int main(int argc, char **argv) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); @@ -192,7 +194,12 @@ int main(void) ERR_load_crypto_strings(); OpenSSL_add_all_digests(); - if (!test_alt_chains_cert_forgery()) { + if (argc != 4) { + fprintf(stderr, "usage: verify_extra_test roots.pem untrusted.pem bad.pem\n"); + return 1; + } + + if (!test_alt_chains_cert_forgery(argv[1], argv[2], argv[3])) { fprintf(stderr, "Test alt chains cert forgery failed\n"); return 1; } From levitte at openssl.org Sat Sep 5 23:37:08 2015 From: levitte at openssl.org (Richard Levitte) Date: Sat, 05 Sep 2015 23:37:08 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441496228.941660.16467.nullmailer@dev.openssl.org> The branch master has been updated via afc12d76f80d6ee14df3fc655e3c7e868ae0f368 (commit) via 0f81f5f78c06bd69a96deb66cd30e50a67310ef2 (commit) via bdd58d98467e9f0f6635c1628e1eae304383afb1 (commit) via d303b9d85e1888494785f87ebd9bd233e63564a9 (commit) from e9daa8150abc8d96dd1e4dcd764355851f06ef2b (commit) - Log ----------------------------------------------------------------- commit afc12d76f80d6ee14df3fc655e3c7e868ae0f368 Author: Richard Levitte Date: Fri Sep 4 15:17:29 2015 +0200 Have binary mode when the format is binary, not the other way around Fixing a small mixup. Reviewed-by: Tim Hudson commit 0f81f5f78c06bd69a96deb66cd30e50a67310ef2 Author: Richard Levitte Date: Fri Sep 4 14:07:57 2015 +0200 Have the test executables output in text mode The test executables use standard output and standard error for text output, so let's open the corresponding BIOs in text mode. Reviewed-by: Tim Hudson commit bdd58d98467e9f0f6635c1628e1eae304383afb1 Author: Richard Levitte Date: Fri Sep 4 12:49:06 2015 +0200 Change the way apps open their input and output files The different apps had the liberty to decide whether they would open their input and output files in binary mode or not, which could be confusing if two different apps were handling the same type of file in different ways. The solution is to centralise the decision of low level file organisation, and that the apps would use a selection of formats to state the intent of the file. Reviewed-by: Tim Hudson commit d303b9d85e1888494785f87ebd9bd233e63564a9 Author: Richard Levitte Date: Fri Sep 4 02:46:47 2015 +0200 Make the handling of output and input formats consistent Most of all, we needed to sort out which ones are binary and which ones are text, and make sure they are treated accordingly and consistently so Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 21 +++++++-------------- apps/apps.h | 42 ++++++++++++++++++++++------------------- apps/asn1pars.c | 6 +++--- apps/ca.c | 5 +++-- apps/cms.c | 19 ++++++------------- apps/crl.c | 2 +- apps/crl2p7.c | 4 ++-- apps/dgst.c | 2 +- apps/dhparam.c | 4 ++-- apps/dsa.c | 2 +- apps/dsaparam.c | 4 ++-- apps/ec.c | 4 ++-- apps/ecparam.c | 4 ++-- apps/enc.c | 16 ++++++++-------- apps/gendsa.c | 4 ++-- apps/genpkey.c | 2 +- apps/genrsa.c | 2 +- apps/nseq.c | 4 ++-- apps/ocsp.c | 10 +++++----- apps/openssl.c | 57 ++++++++++++++++++++++++++++++++++++++++++-------------- apps/passwd.c | 2 +- apps/pkcs12.c | 19 ++++++++++++------- apps/pkcs7.c | 4 ++-- apps/pkcs8.c | 4 ++-- apps/pkey.c | 2 +- apps/pkeyparam.c | 4 ++-- apps/pkeyutl.c | 4 ++-- apps/rand.c | 16 ++++++++-------- apps/req.c | 7 ++++--- apps/rsa.c | 2 +- apps/rsautl.c | 4 ++-- apps/sess_id.c | 7 ++----- apps/smime.c | 19 ++++++------------- apps/spkac.c | 4 ++-- apps/ts.c | 16 ++++++++++------ apps/x509.c | 4 ++-- test/bntest.c | 2 +- test/dhtest.c | 2 +- test/dsatest.c | 2 +- test/ecdhtest.c | 2 +- test/ecdsatest.c | 2 +- test/exptest.c | 2 +- test/jpaketest.c | 2 +- test/srptest.c | 2 +- test/ssltest.c | 2 +- 45 files changed, 185 insertions(+), 165 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 80e7777..f3b2d48 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -514,7 +514,7 @@ CONF *app_load_config(const char *filename) BIO *in; CONF *conf; - in = bio_open_default(filename, "r"); + in = bio_open_default(filename, 'r', FORMAT_TEXT); if (in == NULL) return NULL; @@ -527,7 +527,7 @@ CONF *app_load_config_quiet(const char *filename) BIO *in; CONF *conf; - in = bio_open_default_quiet(filename, "r"); + in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); if (in == NULL) return NULL; @@ -683,7 +683,7 @@ X509 *load_cert(const char *file, int format, unbuffer(stdin); cert = dup_bio_in(); } else - cert = bio_open_default(file, RB(format)); + cert = bio_open_default(file, 'r', format); if (cert == NULL) goto end; @@ -718,7 +718,7 @@ X509_CRL *load_crl(const char *infile, int format) return x; } - in = bio_open_default(infile, RB(format)); + in = bio_open_default(infile, 'r', format); if (in == NULL) goto end; if (format == FORMAT_ASN1) @@ -772,7 +772,7 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, unbuffer(stdin); key = dup_bio_in(); } else - key = bio_open_default(file, RB(format)); + key = bio_open_default(file, 'r', format); if (key == NULL) goto end; if (format == FORMAT_ASN1) { @@ -808,13 +808,6 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, return (pkey); } -static const char *key_file_format(int format) -{ - if (format == FORMAT_PEM || format == FORMAT_PEMRSA) - return "r"; - return "rb"; -} - EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip) { @@ -842,7 +835,7 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, unbuffer(stdin); key = dup_bio_in(); } else - key = bio_open_default(file, key_file_format(format)); + key = bio_open_default(file, 'r', format); if (key == NULL) goto end; if (format == FORMAT_ASN1) { @@ -909,7 +902,7 @@ static int load_certs_crls(const char *file, int format, return 0; } - bio = bio_open_default(file, "r"); + bio = bio_open_default(file, 'r', FORMAT_PEM); if (bio == NULL) return 0; diff --git a/apps/apps.h b/apps/apps.h index a134b8d..c34d22e 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -154,18 +154,14 @@ extern BIO *bio_out; extern BIO *bio_err; BIO *dup_bio_in(void); BIO *dup_bio_out(void); -BIO *bio_open_owner(const char *filename, const char *mode, int private); -BIO *bio_open_default(const char *filename, const char *mode); -BIO *bio_open_default_quiet(const char *filename, const char *mode); +BIO *bio_open_owner(const char *filename, int format, int private); +BIO *bio_open_default(const char *filename, char mode, int format); +BIO *bio_open_default_quiet(const char *filename, char mode, int format); CONF *app_load_config(const char *filename); CONF *app_load_config_quiet(const char *filename); int app_load_modules(const CONF *config); void unbuffer(FILE *fp); -/* Often used in calls to bio_open_default. */ -# define RB(xformat) ((xformat) == FORMAT_ASN1 ? "rb" : "r") -# define WB(xformat) ((xformat) == FORMAT_ASN1 ? "wb" : "w") - /* * Common verification options. */ @@ -535,19 +531,27 @@ void print_cert_checks(BIO *bio, X509 *x, void store_setup_crl_download(X509_STORE *st); /* See OPT_FMT_xxx, above. */ +/* On some platforms, it's important to distinguish between text and binary + * files. On some, there might even be specific file formats for different + * contents. The FORMAT_xxx macros are meant to express an intent with the + * file being read or created. + */ +# define B_FORMAT_TEXT 0x8000 # define FORMAT_UNDEF 0 -# define FORMAT_ASN1 1 -# define FORMAT_TEXT 2 -# define FORMAT_PEM 3 -# define FORMAT_PKCS12 5 -# define FORMAT_SMIME 6 -# define FORMAT_ENGINE 7 -# define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */ -# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ -# define FORMAT_MSBLOB 11 /* MS Key blob format */ -# define FORMAT_PVK 12 /* MS PVK file format */ -# define FORMAT_HTTP 13 /* Download using HTTP */ -# define FORMAT_NSS 14 /* NSS keylog format */ +# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */ +# define FORMAT_BINARY 2 /* Generic binary */ +# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */ +# define FORMAT_ASN1 4 /* ASN.1/DER */ +# define FORMAT_PEM (5 | B_FORMAT_TEXT) +# define FORMAT_PKCS12 6 +# define FORMAT_SMIME (7 | B_FORMAT_TEXT) +# define FORMAT_ENGINE 8 /* Not really a file format */ +# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPubicKey format */ +# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ +# define FORMAT_MSBLOB 11 /* MS Key blob format */ +# define FORMAT_PVK 12 /* MS PVK file format */ +# define FORMAT_HTTP 13 /* Download using HTTP */ +# define FORMAT_NSS 14 /* NSS keylog format */ # define EXT_COPY_NONE 0 # define EXT_COPY_ADD 1 diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 24b5568..89afd5b 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -190,17 +190,17 @@ int asn1parse_main(int argc, char **argv) goto end; if (oidfile != NULL) { - in = bio_open_default(oidfile, "r"); + in = bio_open_default(oidfile, 'r', FORMAT_TEXT); if (in == NULL) goto end; OBJ_create_objects(in); BIO_free(in); } - if ((in = bio_open_default(infile, "r")) == NULL) + if ((in = bio_open_default(infile, 'r', informat)) == NULL) goto end; - if (derfile && (derout = bio_open_default(derfile, "wb")) == NULL) + if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL) goto end; if (strictpem) { diff --git a/apps/ca.c b/apps/ca.c index 5cd8002..defbf00 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -793,9 +793,10 @@ end_of_options: extensions = "default"; } - /*****************************************************************/ + /*****************************************************************/ if (req || gencrl) { - Sout = bio_open_default(outfile, "w"); + /* FIXME: Is it really always text? */ + Sout = bio_open_default(outfile, 'w', FORMAT_TEXT); if (Sout == NULL) goto end; } diff --git a/apps/cms.c b/apps/cms.c index e40686b..2331ea2 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -247,7 +247,6 @@ int cms_main(int argc, char **argv) NULL; char *to = NULL, *from = NULL, *subject = NULL, *prog; cms_key_param *key_first = NULL, *key_param = NULL; - const char *inmode = "r", *outmode = "w"; int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = 0; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; @@ -689,20 +688,14 @@ int cms_main(int argc, char **argv) if (!(operation & SMIME_SIGNERS)) flags &= ~CMS_DETACHED; - if (operation & SMIME_OP) { - if (outformat == FORMAT_ASN1) - outmode = "wb"; - } else { + if (!(operation & SMIME_OP)) { if (flags & CMS_BINARY) - outmode = "wb"; + outformat = FORMAT_BINARY; } - if (operation & SMIME_IP) { - if (informat == FORMAT_ASN1) - inmode = "rb"; - } else { + if (!(operation & SMIME_IP)) { if (flags & CMS_BINARY) - inmode = "rb"; + informat = FORMAT_BINARY; } if (operation == SMIME_ENCRYPT) { @@ -772,7 +765,7 @@ int cms_main(int argc, char **argv) goto end; } - in = bio_open_default(infile, inmode); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -836,7 +829,7 @@ int cms_main(int argc, char **argv) } } - out = bio_open_default(outfile, outmode); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/crl.c b/apps/crl.c index c0bf874..735c8c0 100644 --- a/apps/crl.c +++ b/apps/crl.c @@ -346,7 +346,7 @@ int crl_main(int argc, char **argv) } } } - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/crl2p7.c b/apps/crl2p7.c index e4e39cf..8cc1b62 100644 --- a/apps/crl2p7.c +++ b/apps/crl2p7.c @@ -152,7 +152,7 @@ int crl2pkcs7_main(int argc, char **argv) goto end; if (!nocrl) { - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -201,7 +201,7 @@ int crl2pkcs7_main(int argc, char **argv) sk_OPENSSL_STRING_free(certflst); - out = bio_open_default(outfile, WB(outformat)); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/dgst.c b/apps/dgst.c index e6142ca..99568f4 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -275,7 +275,7 @@ int dgst_main(int argc, char **argv) if (randfile) app_RAND_load_file(randfile, 0); - out = bio_open_default(outfile, out_bin ? "wb" : "w"); + out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT); if (out == NULL) goto end; diff --git a/apps/dhparam.c b/apps/dhparam.c index 2e5ce2c..334a129 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -309,7 +309,7 @@ int dhparam_main(int argc, char **argv) app_RAND_write_file(NULL); } else { - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -352,7 +352,7 @@ int dhparam_main(int argc, char **argv) /* dh != NULL */ } - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/dsa.c b/apps/dsa.c index 9998bfe..d829f98 100644 --- a/apps/dsa.c +++ b/apps/dsa.c @@ -225,7 +225,7 @@ int dsa_main(int argc, char **argv) goto end; } - out = bio_open_owner(outfile, "w", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/dsaparam.c b/apps/dsaparam.c index 8d48313..1ba93e6 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -195,10 +195,10 @@ int dsaparam_main(int argc, char **argv) } private = genkey ? 1 : 0; - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; - out = bio_open_owner(outfile, "w", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/ec.c b/apps/ec.c index e4f2db3..a30d3f0 100644 --- a/apps/ec.c +++ b/apps/ec.c @@ -205,7 +205,7 @@ int ec_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -227,7 +227,7 @@ int ec_main(int argc, char **argv) goto end; } - out = bio_open_owner(outfile, WB(outformat), private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/ecparam.c b/apps/ecparam.c index 8464c88..145f55c 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -223,10 +223,10 @@ int ecparam_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; - out = bio_open_owner(outfile, WB(outformat), private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/enc.c b/apps/enc.c index 18fcb95..0bdba38 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -138,7 +138,7 @@ int enc_main(int argc, char **argv) char mbuf[sizeof magic - 1]; OPTION_CHOICE o; int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; - int enc = 1, printkey = 0, i, k, base64 = 0; + int enc = 1, printkey = 0, i, k, format = FORMAT_BINARY; int ret = 1, inl, nopad = 0, non_fips_allow = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; @@ -151,7 +151,7 @@ int enc_main(int argc, char **argv) /* first check the program name */ prog = opt_progname(argv[0]); if (strcmp(prog, "base64") == 0) - base64 = 1; + format = FORMAT_BASE64; #ifdef ZLIB else if (strcmp(prog, "zlib") == 0) do_zlib = 1; @@ -223,7 +223,7 @@ int enc_main(int argc, char **argv) olb64 = 1; break; case OPT_A: - base64 = 1; + format = FORMAT_BASE64; break; case OPT_Z: #ifdef ZLIB @@ -246,7 +246,7 @@ int enc_main(int argc, char **argv) str = opt_arg(); break; case OPT_KFILE: - in = bio_open_default(opt_arg(), "r"); + in = bio_open_default(opt_arg(), 'r', FORMAT_TEXT); if (in == NULL) goto opthelp; i = BIO_gets(in, buf, sizeof buf); @@ -311,7 +311,7 @@ int enc_main(int argc, char **argv) dgst = EVP_md5(); /* It must be large enough for a base64 encoded line */ - if (base64 && bsize < 80) + if (format == FORMAT_BASE64 && bsize < 80) bsize = 80; if (verbose) BIO_printf(bio_err, "bufsize=%d\n", bsize); @@ -330,7 +330,7 @@ int enc_main(int argc, char **argv) unbuffer(stdin); in = dup_bio_in(); } else - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', format); if (in == NULL) goto end; @@ -366,7 +366,7 @@ int enc_main(int argc, char **argv) } } - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', format); if (out == NULL) goto end; @@ -384,7 +384,7 @@ int enc_main(int argc, char **argv) } #endif - if (base64) { + if (format == FORMAT_BASE64) { if ((b64 = BIO_new(BIO_f_base64())) == NULL) goto end; if (debug) { diff --git a/apps/gendsa.c b/apps/gendsa.c index 087a44a..f1e1f54 100644 --- a/apps/gendsa.c +++ b/apps/gendsa.c @@ -147,7 +147,7 @@ int gendsa_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(dsaparams, "r"); + in = bio_open_default(dsaparams, 'r', FORMAT_PEM); if (in == NULL) goto end2; @@ -158,7 +158,7 @@ int gendsa_main(int argc, char **argv) BIO_free(in); in = NULL; - out = bio_open_owner(outfile, "w", private); + out = bio_open_owner(outfile, FORMAT_PEM, private); if (out == NULL) goto end2; diff --git a/apps/genpkey.c b/apps/genpkey.c index dbbedaa..d809833 100644 --- a/apps/genpkey.c +++ b/apps/genpkey.c @@ -184,7 +184,7 @@ int genpkey_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - out = bio_open_owner(outfile, "wb", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/genrsa.c b/apps/genrsa.c index 1fea351..54484b5 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -172,7 +172,7 @@ int genrsa_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - out = bio_open_owner(outfile, "w", private); + out = bio_open_owner(outfile, FORMAT_PEM, private); if (out == NULL) goto end; diff --git a/apps/nseq.c b/apps/nseq.c index 5c8ed17..06893c8 100644 --- a/apps/nseq.c +++ b/apps/nseq.c @@ -112,10 +112,10 @@ int nseq_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', FORMAT_PEM); if (in == NULL) goto end; - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', FORMAT_PEM); if (out == NULL) goto end; diff --git a/apps/ocsp.c b/apps/ocsp.c index 7193dae..e97d06e 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -486,7 +486,7 @@ int ocsp_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', FORMAT_TEXT); if (out == NULL) goto end; @@ -494,7 +494,7 @@ int ocsp_main(int argc, char **argv) add_nonce = 0; if (!req && reqin) { - derbio = bio_open_default(reqin, "rb"); + derbio = bio_open_default(reqin, 'r', FORMAT_ASN1); if (derbio == NULL) goto end; req = d2i_OCSP_REQUEST_bio(derbio, NULL); @@ -589,7 +589,7 @@ int ocsp_main(int argc, char **argv) OCSP_REQUEST_print(out, req, 0); if (reqout) { - derbio = bio_open_default(reqout, "wb"); + derbio = bio_open_default(reqout, 'w', FORMAT_ASN1); if (derbio == NULL) goto end; i2d_OCSP_REQUEST_bio(derbio, req); @@ -627,7 +627,7 @@ int ocsp_main(int argc, char **argv) goto end; # endif } else if (respin) { - derbio = bio_open_default(respin, "rb"); + derbio = bio_open_default(respin, 'r', FORMAT_ASN1); if (derbio == NULL) goto end; resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); @@ -644,7 +644,7 @@ int ocsp_main(int argc, char **argv) done_resp: if (respout) { - derbio = bio_open_default(respout, "wb"); + derbio = bio_open_default(respout, 'w', FORMAT_ASN1); if (derbio == NULL) goto end; i2d_OCSP_RESPONSE_bio(derbio, resp); diff --git a/apps/openssl.c b/apps/openssl.c index 7c202cf..bfd77a5 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -299,17 +299,46 @@ void unbuffer(FILE *fp) setbuf(fp, NULL); } +static const char *modestr(char mode, int format) +{ + OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w'); + + switch (mode) { + case 'a': + return (format & B_FORMAT_TEXT) ? "a" : "ab"; + case 'r': + return (format & B_FORMAT_TEXT) ? "r" : "rb"; + case 'w': + return (format & B_FORMAT_TEXT) ? "w" : "wb"; + } + /* The assert above should make sure we never reach this point */ + return NULL; +} + +static const char *modeverb(char mode) +{ + switch (mode) { + case 'a': + return "appending"; + case 'r': + return "reading"; + case 'w': + return "writing"; + } + return "(doing something)"; +} + /* * Open a file for writing, owner-read-only. */ -BIO *bio_open_owner(const char *filename, const char *modestr, int private) +BIO *bio_open_owner(const char *filename, int format, int private) { FILE *fp = NULL; BIO *b = NULL; int fd = -1, bflags, mode, binmode; if (!private || filename == NULL || strcmp(filename, "-") == 0) - return bio_open_default(filename, modestr); + return bio_open_default(filename, 'w', format); mode = O_WRONLY; #ifdef O_CREAT @@ -318,7 +347,7 @@ BIO *bio_open_owner(const char *filename, const char *modestr, int private) #ifdef O_TRUNC mode |= O_TRUNC; #endif - binmode = strchr(modestr, 'b') != NULL; + binmode = !(format & B_FORMAT_TEXT); if (binmode) { #ifdef O_BINARY mode |= O_BINARY; @@ -330,7 +359,7 @@ BIO *bio_open_owner(const char *filename, const char *modestr, int private) fd = open(filename, mode, 0600); if (fd < 0) goto err; - fp = fdopen(fd, modestr); + fp = fdopen(fd, modestr('w', format)); if (fp == NULL) goto err; bflags = BIO_CLOSE; @@ -352,12 +381,13 @@ BIO *bio_open_owner(const char *filename, const char *modestr, int private) return NULL; } -static BIO *bio_open_default_(const char *filename, const char *mode, int quiet) +static BIO *bio_open_default_(const char *filename, char mode, int format, + int quiet) { BIO *ret; if (filename == NULL || strcmp(filename, "-") == 0) { - ret = *mode == 'r' ? dup_bio_in() : dup_bio_out(); + ret = mode == 'r' ? dup_bio_in() : dup_bio_out(); if (quiet) { ERR_clear_error(); return ret; @@ -366,9 +396,9 @@ static BIO *bio_open_default_(const char *filename, const char *mode, int quiet) return ret; BIO_printf(bio_err, "Can't open %s, %s\n", - *mode == 'r' ? "stdin" : "stdout", strerror(errno)); + mode == 'r' ? "stdin" : "stdout", strerror(errno)); } else { - ret = BIO_new_file(filename, mode); + ret = BIO_new_file(filename, modestr(mode, format)); if (quiet) { ERR_clear_error(); return ret; @@ -377,21 +407,20 @@ static BIO *bio_open_default_(const char *filename, const char *mode, int quiet) return ret; BIO_printf(bio_err, "Can't open %s for %s, %s\n", - filename, - *mode == 'r' ? "reading" : "writing", strerror(errno)); + filename, modeverb(mode), strerror(errno)); } ERR_print_errors(bio_err); return NULL; } -BIO *bio_open_default(const char *filename, const char *mode) +BIO *bio_open_default(const char *filename, char mode, int format) { - return bio_open_default_(filename, mode, 0); + return bio_open_default_(filename, mode, format, 0); } -BIO *bio_open_default_quiet(const char *filename, const char *mode) +BIO *bio_open_default_quiet(const char *filename, char mode, int format) { - return bio_open_default_(filename, mode, 1); + return bio_open_default_(filename, mode, format, 1); } #if defined( OPENSSL_SYS_VMS) diff --git a/apps/passwd.c b/apps/passwd.c index dbae620..8988313 100644 --- a/apps/passwd.c +++ b/apps/passwd.c @@ -209,7 +209,7 @@ int passwd_main(int argc, char **argv) goto end; } - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', FORMAT_TEXT); if (in == NULL) goto end; diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 5b14dd5..2e74cd4 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -353,13 +353,6 @@ int pkcs12_main(int argc, char **argv) app_RAND_load_files(inrand)); } - in = bio_open_default(infile, "rb"); - if (in == NULL) - goto end; - out = bio_open_owner(outfile, "wb", private); - if (out == NULL) - goto end; - if (twopass) { if (EVP_read_pw_string (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) { @@ -501,6 +494,11 @@ int pkcs12_main(int argc, char **argv) PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); assert(private); + + out = bio_open_owner(outfile, FORMAT_PKCS12, private); + if (out == NULL) + goto end; + i2d_PKCS12_bio(out, p12); ret = 0; @@ -515,6 +513,13 @@ int pkcs12_main(int argc, char **argv) } + in = bio_open_default(infile, 'r', FORMAT_PKCS12); + if (in == NULL) + goto end; + out = bio_open_owner(outfile, FORMAT_PEM, private); + if (out == NULL) + goto end; + if ((p12 = d2i_PKCS12_bio(in, NULL)) == NULL) { ERR_print_errors(bio_err); goto end; diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 248e0d6..fff14dc 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c @@ -196,7 +196,7 @@ int pkcs7_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -210,7 +210,7 @@ int pkcs7_main(int argc, char **argv) goto end; } - out = bio_open_default(outfile, WB(outformat)); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index b120b93..765744f 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -239,10 +239,10 @@ int pkcs8_main(int argc, char **argv) if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC; - in = bio_open_default(infile, "rb"); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; - out = bio_open_owner(outfile, "wb", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/pkey.c b/apps/pkey.c index 80c2e15..d2a66eb 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -172,7 +172,7 @@ int pkey_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - out = bio_open_owner(outfile, "wb", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index 6039dad..215611e 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -121,10 +121,10 @@ int pkeyparam_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', FORMAT_PEM); if (in == NULL) goto end; - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', FORMAT_PEM); if (out == NULL) goto end; pkey = PEM_read_bio_Parameters(in, NULL); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 741dd64..c3e1889 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -249,11 +249,11 @@ int pkeyutl_main(int argc, char **argv) app_RAND_load_file(NULL, 0); if (pkey_op != EVP_PKEY_OP_DERIVE) { - in = bio_open_default(infile, "rb"); + in = bio_open_default(infile, 'r', FORMAT_BINARY); if (in == NULL) goto end; } - out = bio_open_default(outfile, "wb"); + out = bio_open_default(outfile, 'w', FORMAT_BINARY); if (out == NULL) goto end; diff --git a/apps/rand.c b/apps/rand.c index 432e784..315e6be 100644 --- a/apps/rand.c +++ b/apps/rand.c @@ -87,7 +87,7 @@ int rand_main(int argc, char **argv) BIO *out = NULL; char *inrand = NULL, *outfile = NULL, *prog; OPTION_CHOICE o; - int base64 = 0, hex = 0, i, num = -1, r, ret = 1; + int format = FORMAT_BINARY, i, num = -1, r, ret = 1; prog = opt_init(argc, argv, rand_options); while ((o = opt_next()) != OPT_EOF) { @@ -111,17 +111,17 @@ int rand_main(int argc, char **argv) inrand = opt_arg(); break; case OPT_BASE64: - base64 = 1; + format = FORMAT_BASE64; break; case OPT_HEX: - hex = 1; + format = FORMAT_TEXT; break; } } argc = opt_num_rest(); argv = opt_rest(); - if (argc != 1 || (hex && base64)) + if (argc != 1) goto opthelp; if (sscanf(argv[0], "%d", &num) != 1 || num < 0) goto opthelp; @@ -134,11 +134,11 @@ int rand_main(int argc, char **argv) BIO_printf(bio_err, "%ld semi-random bytes loaded\n", app_RAND_load_files(inrand)); - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', format); if (out == NULL) goto end; - if (base64) { + if (format == FORMAT_BASE64) { BIO *b64 = BIO_new(BIO_f_base64()); if (b64 == NULL) goto end; @@ -155,7 +155,7 @@ int rand_main(int argc, char **argv) r = RAND_bytes(buf, chunk); if (r <= 0) goto end; - if (!hex) + if (format != FORMAT_TEXT) /* hex */ BIO_write(out, buf, chunk); else { for (i = 0; i < chunk; i++) @@ -163,7 +163,7 @@ int rand_main(int argc, char **argv) } num -= chunk; } - if (hex) + if (format == FORMAT_TEXT) BIO_puts(out, "\n"); (void)BIO_flush(out); diff --git a/apps/req.c b/apps/req.c index 59cc6b4..ce0fcbc 100644 --- a/apps/req.c +++ b/apps/req.c @@ -566,7 +566,7 @@ int req_main(int argc, char **argv) BIO_printf(bio_err, "writing new private key to stdout\n"); else BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); - out = bio_open_owner(keyout, "w", private); + out = bio_open_owner(keyout, outformat, private); if (out == NULL) goto end; @@ -601,7 +601,7 @@ int req_main(int argc, char **argv) } if (!newreq) { - in = bio_open_default(infile, RB(informat)); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -764,7 +764,8 @@ int req_main(int argc, char **argv) out = bio_open_default(outfile, keyout != NULL && outfile != NULL && - strcmp(keyout, outfile) == 0 ? "a" : "w"); + strcmp(keyout, outfile) == 0 ? 'a' : 'w', + outformat); if (out == NULL) goto end; diff --git a/apps/rsa.c b/apps/rsa.c index c7ad44b..f8a0dec 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -292,7 +292,7 @@ int rsa_main(int argc, char **argv) goto end; } - out = bio_open_owner(outfile, "w", private); + out = bio_open_owner(outfile, outformat, private); if (out == NULL) goto end; diff --git a/apps/rsautl.c b/apps/rsautl.c index 8ba838b..84a1de1 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c @@ -251,10 +251,10 @@ int rsautl_main(int argc, char **argv) goto end; } - in = bio_open_default(infile, "rb"); + in = bio_open_default(infile, 'r', FORMAT_BINARY); if (in == NULL) goto end; - out = bio_open_default(outfile, "wb"); + out = bio_open_default(outfile, 'w', FORMAT_BINARY); if (out == NULL) goto end; diff --git a/apps/sess_id.c b/apps/sess_id.c index 6816543..39711e2 100644 --- a/apps/sess_id.c +++ b/apps/sess_id.c @@ -160,10 +160,7 @@ int sess_id_main(int argc, char **argv) } if (!noout || text) { - const char* modeflag = "w"; - if (outformat == FORMAT_ASN1 || outformat == FORMAT_NSS) - modeflag = "wb"; - out = bio_open_default(outfile, modeflag); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; } @@ -220,7 +217,7 @@ static SSL_SESSION *load_sess_id(char *infile, int format) SSL_SESSION *x = NULL; BIO *in = NULL; - in = bio_open_default(infile, RB(format)); + in = bio_open_default(infile, 'r', format); if (in == NULL) goto end; if (format == FORMAT_ASN1) diff --git a/apps/smime.c b/apps/smime.c index 45898de..4da56cd 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -170,7 +170,6 @@ int smime_main(int argc, char **argv) NULL; char *passinarg = NULL, *passin = NULL, *to = NULL, *from = NULL, *subject = NULL; - const char *inmode = "r", *outmode = "w"; OPTION_CHOICE o; int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef = 0; @@ -426,20 +425,14 @@ int smime_main(int argc, char **argv) if (!(operation & SMIME_SIGNERS)) flags &= ~PKCS7_DETACHED; - if (operation & SMIME_OP) { - if (outformat == FORMAT_ASN1) - outmode = "wb"; - } else { + if (!(operation & SMIME_OP)) { if (flags & PKCS7_BINARY) - outmode = "wb"; + outformat = FORMAT_BINARY; } - if (operation & SMIME_IP) { - if (informat == FORMAT_ASN1) - inmode = "rb"; - } else { + if (!(operation & SMIME_IP)) { if (flags & PKCS7_BINARY) - inmode = "rb"; + informat = FORMAT_BINARY; } if (operation == SMIME_ENCRYPT) { @@ -496,7 +489,7 @@ int smime_main(int argc, char **argv) goto end; } - in = bio_open_default(infile, inmode); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -525,7 +518,7 @@ int smime_main(int argc, char **argv) } } - out = bio_open_default(outfile, outmode); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; diff --git a/apps/spkac.c b/apps/spkac.c index d41331c..180f80f 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -175,7 +175,7 @@ int spkac_main(int argc, char **argv) NETSCAPE_SPKI_sign(spki, pkey, EVP_md5()); spkstr = NETSCAPE_SPKI_b64_encode(spki); - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', FORMAT_TEXT); if (out == NULL) goto end; BIO_printf(out, "SPKAC=%s\n", spkstr); @@ -205,7 +205,7 @@ int spkac_main(int argc, char **argv) goto end; } - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', FORMAT_TEXT); if (out == NULL) goto end; diff --git a/apps/ts.c b/apps/ts.c index 6e6b834..70729c5 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -429,13 +429,13 @@ static int query_command(const char *data, char *digest, const EVP_MD *md, /* Build query object either from file or from scratch. */ if (in != NULL) { - if ((in_bio = BIO_new_file(in, "rb")) == NULL) + if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL) goto end; query = d2i_TS_REQ_bio(in_bio, NULL); } else { /* Open the file if no explicit digest bytes were specified. */ if (digest == NULL - && (data_bio = bio_open_default(data, "rb")) == NULL) + && (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL) goto end; query = create_query(data_bio, digest, md, policy, no_nonce, cert); } @@ -443,14 +443,16 @@ static int query_command(const char *data, char *digest, const EVP_MD *md, goto end; /* Write query either in ASN.1 or in text format. */ - if ((out_bio = bio_open_default(out, "wb")) == NULL) - goto end; if (text) { /* Text output. */ + if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL) + goto end; if (!TS_REQ_print_bio(out_bio, query)) goto end; } else { /* ASN.1 output. */ + if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL) + goto end; if (!i2d_TS_REQ_bio(out_bio, query)) goto end; } @@ -662,10 +664,10 @@ static int reply_command(CONF *conf, char *section, char *engine, goto end; /* Write response either in ASN.1 or text format. */ - if ((out_bio = bio_open_default(out, "wb")) == NULL) - goto end; if (text) { /* Text output. */ + if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL) + goto end; if (token_out) { TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); if (!TS_TST_INFO_print_bio(out_bio, tst_info)) @@ -676,6 +678,8 @@ static int reply_command(CONF *conf, char *section, char *engine, } } else { /* ASN.1 DER output. */ + if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL) + goto end; if (token_out) { PKCS7 *token = TS_RESP_get_token(response); if (!i2d_PKCS7_bio(out_bio, token)) diff --git a/apps/x509.c b/apps/x509.c index acce9e9..9472b68 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -496,7 +496,7 @@ int x509_main(int argc, char **argv) if (!app_load_modules(NULL)) goto end; - out = bio_open_default(outfile, "w"); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; @@ -556,7 +556,7 @@ int x509_main(int argc, char **argv) BIO_printf(bio_err, "We need a private key to sign with\n"); goto end; } - in = bio_open_default(infile, "r"); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); diff --git a/test/bntest.c b/test/bntest.c index effbd75..675d0eb 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -168,7 +168,7 @@ int main(int argc, char *argv[]) if (out == NULL) EXIT(1); if (outfile == NULL) { - BIO_set_fp(out, stdout, BIO_NOCLOSE); + BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); } else { if (!BIO_write_filename(out, outfile)) { perror(outfile); diff --git a/test/dhtest.c b/test/dhtest.c index 7e46166..9ce92ee 100644 --- a/test/dhtest.c +++ b/test/dhtest.c @@ -107,7 +107,7 @@ int main(int argc, char *argv[]) out = BIO_new(BIO_s_file()); if (out == NULL) EXIT(1); - BIO_set_fp(out, stdout, BIO_NOCLOSE); + BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); _cb = BN_GENCB_new(); if (!_cb) diff --git a/test/dsatest.c b/test/dsatest.c index e138c64..1f4b837 100644 --- a/test/dsatest.c +++ b/test/dsatest.c @@ -136,7 +136,7 @@ int main(int argc, char **argv) unsigned int siglen; if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); diff --git a/test/ecdhtest.c b/test/ecdhtest.c index 47c8185..0145b36 100644 --- a/test/ecdhtest.c +++ b/test/ecdhtest.c @@ -466,7 +466,7 @@ int main(int argc, char *argv[]) out = BIO_new(BIO_s_file()); if (out == NULL) EXIT(1); - BIO_set_fp(out, stdout, BIO_NOCLOSE); + BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); if ((ctx = BN_CTX_new()) == NULL) goto err; diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 4b6d044..2cf1725 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -510,7 +510,7 @@ int main(void) int ret = 1; BIO *out; - out = BIO_new_fp(stdout, BIO_NOCLOSE); + out = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && diff --git a/test/exptest.c b/test/exptest.c index 2da8dc2..97b74d9 100644 --- a/test/exptest.c +++ b/test/exptest.c @@ -151,7 +151,7 @@ int main(int argc, char *argv[]) if (out == NULL) EXIT(1); - BIO_set_fp(out, stdout, BIO_NOCLOSE); + BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT); for (i = 0; i < 200; i++) { RAND_bytes(&c, 1); diff --git a/test/jpaketest.c b/test/jpaketest.c index ef9e54b..15f00cf 100644 --- a/test/jpaketest.c +++ b/test/jpaketest.c @@ -114,7 +114,7 @@ int main(int argc, char **argv) BIGNUM *secret = BN_new(); BIO *bio_err; - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); diff --git a/test/srptest.c b/test/srptest.c index 8075218..60cdbc3 100644 --- a/test/srptest.c +++ b/test/srptest.c @@ -124,7 +124,7 @@ static int run_srp(const char *username, const char *client_pass, int main(int argc, char **argv) { BIO *bio_err; - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); diff --git a/test/ssltest.c b/test/ssltest.c index 6f9d16c..4959aed 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -1310,7 +1310,7 @@ int main(int argc, char *argv[]) if (fips_mode) { if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); - ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); + ERR_print_errors(bio_err); EXIT(1); } else fprintf(stderr, "*** IN FIPS MODE ***\n"); From levitte at openssl.org Sun Sep 6 11:17:29 2015 From: levitte at openssl.org (Richard Levitte) Date: Sun, 06 Sep 2015 11:17:29 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441538249.990267.18763.nullmailer@dev.openssl.org> The branch master has been updated via 297172294c5bf2b94976ac6911d4d01176fb1921 (commit) from afc12d76f80d6ee14df3fc655e3c7e868ae0f368 (commit) - Log ----------------------------------------------------------------- commit 297172294c5bf2b94976ac6911d4d01176fb1921 Author: Richard Levitte Date: Sun Sep 6 12:56:33 2015 +0200 Remove warning about use of uninitialised variable Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/pkcs7/pk7_smime.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 6522a51..16df4ea 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -513,7 +513,7 @@ PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) { BIO *tmpmem; - int ret, i; + int ret = 0, i; char *buf = NULL; if (!p7) { @@ -575,7 +575,6 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) break; } if (BIO_write(data, buf, i) != i) { - ret = 0; break; } } From levitte at openssl.org Sun Sep 6 11:36:04 2015 From: levitte at openssl.org (Richard Levitte) Date: Sun, 06 Sep 2015 11:36:04 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441539364.602906.21559.nullmailer@dev.openssl.org> The branch master has been updated via a60994df34fe6a694441471c7f8dcf9661fb091d (commit) via a412b8919821efd00121d28cf2441c5445bee602 (commit) from 297172294c5bf2b94976ac6911d4d01176fb1921 (commit) - Log ----------------------------------------------------------------- commit a60994df34fe6a694441471c7f8dcf9661fb091d Author: Richard Levitte Date: Sun Sep 6 12:20:12 2015 +0200 Change the treatment of stdin and stdout to allow binary data If the output to stdout or the input from stdin is meant to be binary, it's deeply unsetting to get the occasional LF converted to CRLF or the other way around. If someone happens to forget to redirect stdin or stdout, they will get gibberish anyway, line ending conversion will not change that. Therefore, let's not have dup_bio_* decide unilaterally what mode the BIO derived from stdin and stdout, and rather let the app decide by declaring the intended format. Reviewed-by: Tim Hudson commit a412b8919821efd00121d28cf2441c5445bee602 Author: Richard Levitte Date: Sun Sep 6 10:51:04 2015 +0200 dup_bio_* and bio_open_* are utility functions and belong in apps.c Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- apps/apps.h | 4 +- apps/enc.c | 2 +- apps/engine.c | 2 +- apps/openssl.c | 154 +------------------------------------------------ apps/s_client.c | 4 +- apps/s_server.c | 4 +- 7 files changed, 180 insertions(+), 165 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index f3b2d48..d4af862 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -121,7 +121,13 @@ #if !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_WINCE) && !defined(NETWARE_CLIB) # include #endif -#include +#ifndef NO_SYS_TYPES_H +# include +#endif +#ifndef OPENSSL_NO_POSIX_IO +# include +# include +#endif #include #include #include @@ -464,7 +470,7 @@ static char *app_get_pass(char *arg, int keepbio) pwdbio = BIO_push(btmp, pwdbio); #endif } else if (strcmp(arg, "stdin") == 0) { - pwdbio = dup_bio_in(); + pwdbio = dup_bio_in(FORMAT_TEXT); if (!pwdbio) { BIO_printf(bio_err, "Can't open BIO for stdin\n"); return NULL; @@ -681,7 +687,7 @@ X509 *load_cert(const char *file, int format, if (file == NULL) { unbuffer(stdin); - cert = dup_bio_in(); + cert = dup_bio_in(format); } else cert = bio_open_default(file, 'r', format); if (cert == NULL) @@ -770,7 +776,7 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, #endif if (file == NULL && maybe_stdin) { unbuffer(stdin); - key = dup_bio_in(); + key = dup_bio_in(format); } else key = bio_open_default(file, 'r', format); if (key == NULL) @@ -833,7 +839,7 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, #endif if (file == NULL && maybe_stdin) { unbuffer(stdin); - key = dup_bio_in(); + key = dup_bio_in(format); } else key = bio_open_default(file, 'r', format); if (key == NULL) @@ -2707,3 +2713,162 @@ int raw_write_stdout(const void *buf, int siz) return write(fileno(stdout), buf, siz); } #endif + +/* + * Centralized handling if input and output files with format specification + * The format is meant to show what the input and output is supposed to be, + * and is therefore a show of intent more than anything else. However, it + * does impact behavior on some platform, such as differentiating between + * text and binary input/output on non-Unix platforms + */ +inline int istext(int format) +{ + return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT; +} + +BIO *dup_bio_in(int format) +{ + return BIO_new_fp(stdin, + BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); +} + +BIO *dup_bio_out(int format) +{ + BIO *b = BIO_new_fp(stdout, + BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); +#ifdef OPENSSL_SYS_VMS + if (istext(format)) + b = BIO_push(BIO_new(BIO_f_linebuffer()), b); +#endif + return b; +} + +void unbuffer(FILE *fp) +{ + setbuf(fp, NULL); +} + +static const char *modestr(char mode, int format) +{ + OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w'); + + switch (mode) { + case 'a': + return istext(format) ? "a" : "ab"; + case 'r': + return istext(format) ? "r" : "rb"; + case 'w': + return istext(format) ? "w" : "wb"; + } + /* The assert above should make sure we never reach this point */ + return NULL; +} + +static const char *modeverb(char mode) +{ + switch (mode) { + case 'a': + return "appending"; + case 'r': + return "reading"; + case 'w': + return "writing"; + } + return "(doing something)"; +} + +/* + * Open a file for writing, owner-read-only. + */ +BIO *bio_open_owner(const char *filename, int format, int private) +{ + FILE *fp = NULL; + BIO *b = NULL; + int fd = -1, bflags, mode, binmode; + + if (!private || filename == NULL || strcmp(filename, "-") == 0) + return bio_open_default(filename, 'w', format); + + mode = O_WRONLY; +#ifdef O_CREAT + mode |= O_CREAT; +#endif +#ifdef O_TRUNC + mode |= O_TRUNC; +#endif + binmode = istext(format); + if (binmode) { +#ifdef O_BINARY + mode |= O_BINARY; +#elif defined(_O_BINARY) + mode |= _O_BINARY; +#endif + } + + fd = open(filename, mode, 0600); + if (fd < 0) + goto err; + fp = fdopen(fd, modestr('w', format)); + if (fp == NULL) + goto err; + bflags = BIO_CLOSE; + if (!binmode) + bflags |= BIO_FP_TEXT; + b = BIO_new_fp(fp, bflags); + if (b) + return b; + + err: + BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n", + opt_getprog(), filename, strerror(errno)); + ERR_print_errors(bio_err); + /* If we have fp, then fdopen took over fd, so don't close both. */ + if (fp) + fclose(fp); + else if (fd >= 0) + close(fd); + return NULL; +} + +static BIO *bio_open_default_(const char *filename, char mode, int format, + int quiet) +{ + BIO *ret; + + if (filename == NULL || strcmp(filename, "-") == 0) { + ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format); + if (quiet) { + ERR_clear_error(); + return ret; + } + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s, %s\n", + mode == 'r' ? "stdin" : "stdout", strerror(errno)); + } else { + ret = BIO_new_file(filename, modestr(mode, format)); + if (quiet) { + ERR_clear_error(); + return ret; + } + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s for %s, %s\n", + filename, modeverb(mode), strerror(errno)); + } + ERR_print_errors(bio_err); + return NULL; +} + +BIO *bio_open_default(const char *filename, char mode, int format) +{ + return bio_open_default_(filename, mode, format, 0); +} + +BIO *bio_open_default_quiet(const char *filename, char mode, int format) +{ + return bio_open_default_(filename, mode, format, 1); +} + diff --git a/apps/apps.h b/apps/apps.h index c34d22e..0901c7d 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -152,8 +152,8 @@ extern char *default_config_file; extern BIO *bio_in; extern BIO *bio_out; extern BIO *bio_err; -BIO *dup_bio_in(void); -BIO *dup_bio_out(void); +BIO *dup_bio_in(int format); +BIO *dup_bio_out(int format); BIO *bio_open_owner(const char *filename, int format, int private); BIO *bio_open_default(const char *filename, char mode, int format); BIO *bio_open_default_quiet(const char *filename, char mode, int format); diff --git a/apps/enc.c b/apps/enc.c index 0bdba38..fc7e14c 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -328,7 +328,7 @@ int enc_main(int argc, char **argv) if (infile == NULL) { unbuffer(stdin); - in = dup_bio_in(); + in = dup_bio_in(format); } else in = bio_open_default(infile, 'r', format); if (in == NULL) diff --git a/apps/engine.c b/apps/engine.c index 91af7bf..b1c1371 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -319,7 +319,7 @@ int engine_main(int argc, char **argv) OPTION_CHOICE o; char *prog; - out = dup_bio_out(); + out = dup_bio_out(FORMAT_TEXT); prog = opt_init(argc, argv, engine_options); if (!engines || !pre_cmds || !post_cmds) goto end; diff --git a/apps/openssl.c b/apps/openssl.c index bfd77a5..39ae64d 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -132,13 +132,6 @@ #ifdef OPENSSL_SYS_VMS # include #endif -#ifndef NO_SYS_TYPES_H -# include -#endif -#ifndef OPENSSL_NO_POSIX_IO -# include -# include -#endif #define INCLUDE_FUNCTION_TABLE #include "apps.h" @@ -280,149 +273,6 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) } } -BIO *dup_bio_in(void) -{ - return BIO_new_fp(stdin, BIO_NOCLOSE | BIO_FP_TEXT); -} - -BIO *dup_bio_out(void) -{ - BIO *b = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); -#ifdef OPENSSL_SYS_VMS - b = BIO_push(BIO_new(BIO_f_linebuffer()), b); -#endif - return b; -} - -void unbuffer(FILE *fp) -{ - setbuf(fp, NULL); -} - -static const char *modestr(char mode, int format) -{ - OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w'); - - switch (mode) { - case 'a': - return (format & B_FORMAT_TEXT) ? "a" : "ab"; - case 'r': - return (format & B_FORMAT_TEXT) ? "r" : "rb"; - case 'w': - return (format & B_FORMAT_TEXT) ? "w" : "wb"; - } - /* The assert above should make sure we never reach this point */ - return NULL; -} - -static const char *modeverb(char mode) -{ - switch (mode) { - case 'a': - return "appending"; - case 'r': - return "reading"; - case 'w': - return "writing"; - } - return "(doing something)"; -} - -/* - * Open a file for writing, owner-read-only. - */ -BIO *bio_open_owner(const char *filename, int format, int private) -{ - FILE *fp = NULL; - BIO *b = NULL; - int fd = -1, bflags, mode, binmode; - - if (!private || filename == NULL || strcmp(filename, "-") == 0) - return bio_open_default(filename, 'w', format); - - mode = O_WRONLY; -#ifdef O_CREAT - mode |= O_CREAT; -#endif -#ifdef O_TRUNC - mode |= O_TRUNC; -#endif - binmode = !(format & B_FORMAT_TEXT); - if (binmode) { -#ifdef O_BINARY - mode |= O_BINARY; -#elif defined(_O_BINARY) - mode |= _O_BINARY; -#endif - } - - fd = open(filename, mode, 0600); - if (fd < 0) - goto err; - fp = fdopen(fd, modestr('w', format)); - if (fp == NULL) - goto err; - bflags = BIO_CLOSE; - if (!binmode) - bflags |= BIO_FP_TEXT; - b = BIO_new_fp(fp, bflags); - if (b) - return b; - - err: - BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n", - opt_getprog(), filename, strerror(errno)); - ERR_print_errors(bio_err); - /* If we have fp, then fdopen took over fd, so don't close both. */ - if (fp) - fclose(fp); - else if (fd >= 0) - close(fd); - return NULL; -} - -static BIO *bio_open_default_(const char *filename, char mode, int format, - int quiet) -{ - BIO *ret; - - if (filename == NULL || strcmp(filename, "-") == 0) { - ret = mode == 'r' ? dup_bio_in() : dup_bio_out(); - if (quiet) { - ERR_clear_error(); - return ret; - } - if (ret != NULL) - return ret; - BIO_printf(bio_err, - "Can't open %s, %s\n", - mode == 'r' ? "stdin" : "stdout", strerror(errno)); - } else { - ret = BIO_new_file(filename, modestr(mode, format)); - if (quiet) { - ERR_clear_error(); - return ret; - } - if (ret != NULL) - return ret; - BIO_printf(bio_err, - "Can't open %s for %s, %s\n", - filename, modeverb(mode), strerror(errno)); - } - ERR_print_errors(bio_err); - return NULL; -} - -BIO *bio_open_default(const char *filename, char mode, int format) -{ - return bio_open_default_(filename, mode, format, 0); -} - -BIO *bio_open_default_quiet(const char *filename, char mode, int format) -{ - return bio_open_default_(filename, mode, format, 1); -} - #if defined( OPENSSL_SYS_VMS) extern char **copy_argv(int *argc, char **argv); #endif @@ -443,8 +293,8 @@ int main(int argc, char *argv[]) /* Set up some of the environment. */ default_config_file = make_config_name(); - bio_in = dup_bio_in(); - bio_out = dup_bio_out(); + bio_in = dup_bio_in(FORMAT_TEXT); + bio_out = dup_bio_out(FORMAT_TEXT); bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); #if defined( OPENSSL_SYS_VMS) diff --git a/apps/s_client.c b/apps/s_client.c index 819cff3..3eb495a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1162,9 +1162,9 @@ int s_client_main(int argc, char **argv) if (c_quiet && !c_debug) { bio_c_out = BIO_new(BIO_s_null()); if (c_msg && !bio_c_msg) - bio_c_msg = dup_bio_out(); + bio_c_msg = dup_bio_out(FORMAT_TEXT); } else if (bio_c_out == NULL) - bio_c_out = dup_bio_out(); + bio_c_out = dup_bio_out(FORMAT_TEXT); } #ifndef OPENSSL_NO_SRP if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { diff --git a/apps/s_server.c b/apps/s_server.c index e7c794c..8fe1ebe 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1575,10 +1575,10 @@ int s_server_main(int argc, char *argv[]) if (s_quiet && !s_debug) { bio_s_out = BIO_new(BIO_s_null()); if (s_msg && !bio_s_msg) - bio_s_msg = dup_bio_out(); + bio_s_msg = dup_bio_out(FORMAT_TEXT); } else { if (bio_s_out == NULL) - bio_s_out = dup_bio_out(); + bio_s_out = dup_bio_out(FORMAT_TEXT); } } #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) From levitte at openssl.org Sun Sep 6 13:40:00 2015 From: levitte at openssl.org (Richard Levitte) Date: Sun, 06 Sep 2015 13:40:00 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441546800.458715.2830.nullmailer@dev.openssl.org> The branch master has been updated via 8af6082e16a02b4bad63de99fd3e6bc3501ee2b8 (commit) from a60994df34fe6a694441471c7f8dcf9661fb091d (commit) - Log ----------------------------------------------------------------- commit 8af6082e16a02b4bad63de99fd3e6bc3501ee2b8 Author: Richard Levitte Date: Sun Sep 6 14:13:00 2015 +0200 Fixup merge conflicts in util/libeay.num Reviewed-by: Stephen Henson ----------------------------------------------------------------------- Summary of changes: util/libeay.num | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/util/libeay.num b/util/libeay.num index e5998bc..4e511df 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4587,31 +4587,31 @@ CRYPTO_secure_free 4945 EXIST::FUNCTION: BIO_s_secmem 4946 EXIST::FUNCTION: CRYPTO_get_secure_mem_ex_functions 4947 EXIST::FUNCTION: CRYPTO_set_secure_mem_functions 4948 EXIST::FUNCTION: -TS_VERIFY_CTX_set_flags 4949 EXIST::FUNCTION: X509_STORE_CTX_get_num_untrusted 4949 EXIST::FUNCTION: -TS_STATUS_INFO_set_status 4950 EXIST::FUNCTION: X509_up_ref 4950 EXIST::FUNCTION: -TS_VERIFY_CTX_set_imprint 4951 EXIST::FUNCTION: X509_REQ_get_version 4951 EXIST::FUNCTION: -TS_VERIFY_CTS_set_certs 4952 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: -TS_VERIFY_CTX_set_data 4953 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: CRYPTO_zalloc 4954 EXIST::FUNCTION: -TS_VERIFY_CTX_set_store 4954 EXIST::FUNCTION: -X509_get_extension_flags 4954 EXIST::FUNCTION: -TS_VERIFY_CTX_add_flags 4955 EXIST::FUNCTION: -X509_get_extended_key_usage 4955 EXIST::FUNCTION: -X509_get_key_usage 4956 EXIST::FUNCTION: -X509_CRL_get_issuer 4957 EXIST::FUNCTION: -X509_CRL_get_nextUpdate 4958 EXIST::FUNCTION: -X509_CRL_get0_signature 4959 EXIST::FUNCTION: -X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: -X509_CRL_get_version 4961 EXIST::FUNCTION: -X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: +X509_get_extension_flags 4955 EXIST::FUNCTION: +X509_get_extended_key_usage 4956 EXIST::FUNCTION: +X509_get_key_usage 4957 EXIST::FUNCTION: +X509_CRL_get_issuer 4958 EXIST::FUNCTION: +X509_CRL_get_nextUpdate 4959 EXIST::FUNCTION: +X509_CRL_get0_signature 4960 EXIST::FUNCTION: +X509_CRL_get_REVOKED 4961 EXIST::FUNCTION: +X509_CRL_get_version 4962 EXIST::FUNCTION: +X509_CRL_get_lastUpdate 4963 EXIST::FUNCTION: EVP_PBE_get 4964 EXIST::FUNCTION: X509_get_version 4965 EXIST::FUNCTION: X509_get_X509_PUBKEY 4966 EXIST::FUNCTION: X509_get_notBefore 4967 EXIST::FUNCTION: X509_get_notAfter 4968 EXIST::FUNCTION: X509_get_signature_type 4969 EXIST::FUNCTION: +TS_VERIFY_CTX_set_data 4970 EXIST::FUNCTION: +TS_VERIFY_CTX_set_imprint 4971 EXIST::FUNCTION: +TS_VERIFY_CTX_set_flags 4972 EXIST::FUNCTION: +TS_VERIFY_CTS_set_certs 4973 EXIST::FUNCTION: +TS_VERIFY_CTX_add_flags 4974 EXIST::FUNCTION: +TS_STATUS_INFO_set_status 4975 EXIST::FUNCTION: +TS_VERIFY_CTX_set_store 4976 EXIST::FUNCTION: From levitte at openssl.org Sun Sep 6 21:36:41 2015 From: levitte at openssl.org (Richard Levitte) Date: Sun, 06 Sep 2015 21:36:41 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441575401.146276.3230.nullmailer@dev.openssl.org> The branch master has been updated via 5f62e044d3bd4f84378ce354898e8e21583ef169 (commit) from 8af6082e16a02b4bad63de99fd3e6bc3501ee2b8 (commit) - Log ----------------------------------------------------------------- commit 5f62e044d3bd4f84378ce354898e8e21583ef169 Author: Richard Levitte Date: Sun Sep 6 17:12:39 2015 +0200 Fix enc so it properly treats BASE64 as text To set both the incoming and outgoing data when 'encrypting' or 'decrypting' to FORMAT_BASE64 wasn't quite the right thing to do. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/enc.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/apps/enc.c b/apps/enc.c index fc7e14c..5ffb1f0 100644 --- a/apps/enc.c +++ b/apps/enc.c @@ -138,7 +138,8 @@ int enc_main(int argc, char **argv) char mbuf[sizeof magic - 1]; OPTION_CHOICE o; int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; - int enc = 1, printkey = 0, i, k, format = FORMAT_BINARY; + int enc = 1, printkey = 0, i, k; + int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; int ret = 1, inl, nopad = 0, non_fips_allow = 0; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; @@ -151,7 +152,7 @@ int enc_main(int argc, char **argv) /* first check the program name */ prog = opt_progname(argv[0]); if (strcmp(prog, "base64") == 0) - format = FORMAT_BASE64; + base64 = 1; #ifdef ZLIB else if (strcmp(prog, "zlib") == 0) do_zlib = 1; @@ -223,7 +224,7 @@ int enc_main(int argc, char **argv) olb64 = 1; break; case OPT_A: - format = FORMAT_BASE64; + base64 = 1; break; case OPT_Z: #ifdef ZLIB @@ -311,11 +312,18 @@ int enc_main(int argc, char **argv) dgst = EVP_md5(); /* It must be large enough for a base64 encoded line */ - if (format == FORMAT_BASE64 && bsize < 80) + if (base64 && bsize < 80) bsize = 80; if (verbose) BIO_printf(bio_err, "bufsize=%d\n", bsize); + if (base64) { + if (enc) + outformat = FORMAT_BASE64; + else + informat = FORMAT_BASE64; + } + strbuf = app_malloc(SIZE, "strbuf"); buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer"); @@ -328,9 +336,9 @@ int enc_main(int argc, char **argv) if (infile == NULL) { unbuffer(stdin); - in = dup_bio_in(format); + in = dup_bio_in(informat); } else - in = bio_open_default(infile, 'r', format); + in = bio_open_default(infile, 'r', informat); if (in == NULL) goto end; @@ -366,7 +374,7 @@ int enc_main(int argc, char **argv) } } - out = bio_open_default(outfile, 'w', format); + out = bio_open_default(outfile, 'w', outformat); if (out == NULL) goto end; @@ -384,7 +392,7 @@ int enc_main(int argc, char **argv) } #endif - if (format == FORMAT_BASE64) { + if (base64) { if ((b64 = BIO_new(BIO_f_base64())) == NULL) goto end; if (debug) { From levitte at openssl.org Sun Sep 6 21:42:24 2015 From: levitte at openssl.org (Richard Levitte) Date: Sun, 06 Sep 2015 21:42:24 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441575744.959573.4641.nullmailer@dev.openssl.org> The branch master has been updated via 496f4f9d6af6f69d604c1cedfeb956159b66846e (commit) from 5f62e044d3bd4f84378ce354898e8e21583ef169 (commit) - Log ----------------------------------------------------------------- commit 496f4f9d6af6f69d604c1cedfeb956159b66846e Author: Richard Levitte Date: Sun Sep 6 22:43:25 2015 +0200 Small fix: make istext static This takes away a build failure in some cases. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/apps.c b/apps/apps.c index d4af862..5c36a37 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2721,7 +2721,7 @@ int raw_write_stdout(const void *buf, int siz) * does impact behavior on some platform, such as differentiating between * text and binary input/output on non-Unix platforms */ -inline int istext(int format) +static int istext(int format) { return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT; } From rsalz at openssl.org Sun Sep 6 22:15:35 2015 From: rsalz at openssl.org (Rich Salz) Date: Sun, 06 Sep 2015 22:15:35 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441577735.621008.12598.nullmailer@dev.openssl.org> The branch master has been updated via 8f6f1441a368b984b739658778f53db1bf71a543 (commit) from 496f4f9d6af6f69d604c1cedfeb956159b66846e (commit) - Log ----------------------------------------------------------------- commit 8f6f1441a368b984b739658778f53db1bf71a543 Author: Timo Teras Date: Thu May 7 12:48:47 2015 -0400 Add rehash command to openssl On Unix/Linux platforms, merge c_rehash script into openssl as a C program. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: Makefile.org | 2 +- apps/Makefile | 23 +- apps/progs.h | 3 + apps/rehash.c | 451 ++++++++++++++++++++++++++++++++++ doc/apps/{c_rehash.pod => rehash.pod} | 17 +- 5 files changed, 474 insertions(+), 22 deletions(-) create mode 100644 apps/rehash.c rename doc/apps/{c_rehash.pod => rehash.pod} (87%) diff --git a/Makefile.org b/Makefile.org index 3e326c0..30d292a 100644 --- a/Makefile.org +++ b/Makefile.org @@ -428,7 +428,7 @@ rehash.time: certs apps [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \ export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \ - $(PERL) tools/c_rehash certs/demo) && \ + openssl rehash certs/demo) && \ touch rehash.time; \ else :; fi diff --git a/apps/Makefile b/apps/Makefile index d0c5b8c..932f615 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -5,7 +5,7 @@ DIR= apps TOP= .. CC= cc -INCLUDES= -I$(TOP) -I../include +INCLUDES= -I$(TOP) -I../crypto -I../include CFLAG= -g -static -Wswitch MAKEFILE= Makefile PERL= perl @@ -35,23 +35,14 @@ COMMANDS= \ genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \ pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \ s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \ - srp.o ts.o verify.o version.o x509.o + srp.o ts.o verify.o version.o x509.o rehash.o -A_OBJ=apps.o opt.o -A_SRC=apps.c opt.c -S_OBJ= s_cb.o s_socket.o -S_SRC= s_cb.c s_socket.c +EXTRA_OBJ=apps.o opt.o s_cb.o s_socket.o +EXTRA_SRC=apps.c opt.c s_cb.c s_socket.c RAND_OBJ=app_rand.o RAND_SRC=app_rand.c -OBJ = \ - asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \ - dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \ - genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \ - pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \ - s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \ - srp.o ts.o verify.o version.o x509.o - +OBJ = $(COMMANDS) SRC = \ asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \ @@ -61,8 +52,8 @@ SRC = \ s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \ srp.c ts.c verify.c version.c x509.c -EXE_OBJ = openssl.o $(OBJ) $(A_OBJ) $(S_OBJ) $(RAND_OBJ) -EXE_SRC = openssl.c $(SRC) $(A_SRC) $(S_SRC) $(RAND_SRC) +EXE_OBJ = openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ) +EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC) HEADER= apps.h progs.h s_apps.h \ testdsa.h testrsa.h timeouts.h diff --git a/apps/progs.h b/apps/progs.h index 33bdef7..4b9bcb4 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -60,6 +60,7 @@ extern int ts_main(int argc, char *argv[]); extern int verify_main(int argc, char *argv[]); extern int version_main(int argc, char *argv[]); extern int x509_main(int argc, char *argv[]); +extern int rehash_main(int argc, char *argv[]); extern int list_main(int argc, char *argv[]); extern int help_main(int argc, char *argv[]); extern int exit_main(int argc, char *argv[]); @@ -109,6 +110,7 @@ extern OPTIONS ts_options[]; extern OPTIONS verify_options[]; extern OPTIONS version_options[]; extern OPTIONS x509_options[]; +extern OPTIONS rehash_options[]; extern OPTIONS list_options[]; extern OPTIONS help_options[]; extern OPTIONS exit_options[]; @@ -193,6 +195,7 @@ FUNCTION functions[] = { { FT_general, "verify", verify_main, verify_options }, { FT_general, "version", version_main, version_options }, { FT_general, "x509", x509_main, x509_options }, + { FT_general, "rehash", rehash_main, rehash_options }, { FT_general, "list", list_main, list_options }, { FT_general, "help", help_main, help_options }, { FT_general, "exit", exit_main, exit_options }, diff --git a/apps/rehash.c b/apps/rehash.c new file mode 100644 index 0000000..323fd15 --- /dev/null +++ b/apps/rehash.c @@ -0,0 +1,451 @@ +/* + * C implementation based on the original Perl and shell versions + * + * Copyright (c) 2013-2014 Timo Ter?s + * All rights reserved. + */ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing at OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay at cryptsoft.com). This product includes software written by Tim + * Hudson (tjh at cryptsoft.com). + * + */ + +#include "apps.h" + +#ifdef unix +# include +# include +# include +# include +# include +# include +# include + +# include "internal/o_dir.h" +# include +# include +# include + + +# define MAX_COLLISIONS 256 + +typedef struct hentry_st { + struct hentry_st *next; + char *filename; + unsigned short old_id; + unsigned char need_symlink; + unsigned char digest[EVP_MAX_MD_SIZE]; +} HENTRY; + +typedef struct bucket_st { + struct bucket_st *next; + HENTRY *first_entry, *last_entry; + unsigned int hash; + unsigned short type; + unsigned short num_needed; +} BUCKET; + +enum Type { + /* Keep in sync with |suffixes|, below. */ + TYPE_CERT=0, TYPE_CRL=1 +}; + +enum Hash { + HASH_OLD, HASH_NEW, HASH_BOTH +}; + + +static int evpmdsize; +static const EVP_MD *evpmd; +static int remove_links = 1; +static int verbose = 0; +static BUCKET *hash_table[257]; + +static const char *suffixes[] = { "", "r" }; +static const char *extensions[] = { "pem", "crt", "cer", "crl" }; + + +static void bit_set(unsigned char *set, unsigned int bit) +{ + set[bit >> 3] |= 1 << (bit & 0x7); +} + +static int bit_isset(unsigned char *set, unsigned int bit) +{ + return set[bit >> 3] & (1 << (bit & 0x7)); +} + + +static void add_entry(enum Type type, unsigned int hash, const char *filename, + const unsigned char *digest, int need_symlink, + unsigned short old_id) +{ + static BUCKET nilbucket; + static HENTRY nilhentry; + BUCKET *bp; + HENTRY *ep, *found = NULL; + unsigned int ndx = (type + hash) % OSSL_NELEM(hash_table); + + for (bp = hash_table[ndx]; bp; bp = bp->next) + if (bp->type == type && bp->hash == hash) + break; + if (bp == NULL) { + bp = app_malloc(sizeof(*bp), "hash bucket"); + *bp = nilbucket; + bp->next = hash_table[ndx]; + bp->type = type; + bp->hash = hash; + hash_table[ndx] = bp; + } + + for (ep = bp->first_entry; ep; ep = ep->next) { + if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) { + BIO_printf(bio_err, + "%s: skipping duplicate certificate in %s\n", + opt_getprog(), filename); + return; + } + if (strcmp(filename, ep->filename) == 0) { + found = ep; + if (digest == NULL) + break; + } + } + ep = found; + if (ep == NULL) { + if (bp->num_needed >= MAX_COLLISIONS) + return; + ep = app_malloc(sizeof(*ep), "collision bucket"); + *ep = nilhentry; + ep->old_id = ~0; + ep->filename = BUF_strdup(filename); + if (bp->last_entry) + bp->last_entry->next = ep; + if (bp->first_entry == NULL) + bp->first_entry = ep; + bp->last_entry = ep; + } + + if (old_id < ep->old_id) + ep->old_id = old_id; + if (need_symlink && !ep->need_symlink) { + ep->need_symlink = 1; + bp->num_needed++; + memcpy(ep->digest, digest, evpmdsize); + } +} + +static int handle_symlink(const char *filename, const char *fullpath) +{ + unsigned int hash = 0; + int i, type, id; + unsigned char ch; + char linktarget[NAME_MAX], *endptr; + ssize_t n; + + for (i = 0; i < 8; i++) { + ch = filename[i]; + if (!isxdigit(ch)) + return -1; + hash <<= 4; + hash += app_hex(ch); + } + if (filename[i++] != '.') + return -1; + for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--) + if (strcasecmp(suffixes[type], &filename[i]) == 0) + break; + i += strlen(suffixes[type]); + + id = strtoul(&filename[i], &endptr, 10); + if (*endptr != '\0') + return -1; + + n = readlink(fullpath, linktarget, sizeof(linktarget)); + if (n < 0 || n >= (int)sizeof(linktarget)) + return -1; + linktarget[n] = 0; + + add_entry(type, hash, linktarget, NULL, 0, id); + return 0; +} + +static int do_file(const char *filename, const char *fullpath, enum Hash h) +{ + STACK_OF (X509_INFO) *inf; + X509_INFO *x; + X509_NAME *name = NULL; + BIO *b; + const char *ext; + unsigned char digest[EVP_MAX_MD_SIZE]; + int i, type, ret = -1; + + if ((ext = strrchr(filename, '.')) == NULL) + return 0; + for (i = 0; i < (int)OSSL_NELEM(extensions); i++) { + if (strcasecmp(extensions[i], ext + 1) == 0) + break; + } + if (i >= (int)OSSL_NELEM(extensions)) + return -1; + + if ((b = BIO_new_file(fullpath, "r")) == NULL) + return -1; + inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL); + BIO_free(b); + if (inf == NULL) + return -1; + + if (sk_X509_INFO_num(inf) != 1) { + BIO_printf(bio_err, + "%s: skipping %s," + "it does not contain exactly one certificate or CRL\n", + opt_getprog(), filename); + goto end; + } + x = sk_X509_INFO_value(inf, 0); + if (x->x509) { + type = TYPE_CERT; + name = X509_get_subject_name(x->x509); + X509_digest(x->x509, evpmd, digest, NULL); + } else if (x->crl) { + type = TYPE_CRL; + name = X509_CRL_get_issuer(x->crl); + X509_CRL_digest(x->crl, evpmd, digest, NULL); + } + if (name) { + if ((h == HASH_NEW) || (h == HASH_BOTH)) + add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if ((h == HASH_OLD) || (h == HASH_BOTH)) + add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + } + +end: + sk_X509_INFO_pop_free(inf, X509_INFO_free); + return ret; +} + +static int do_dir(const char *dirname, enum Hash h) +{ + BUCKET *bp, *nextbp; + HENTRY *ep, *nextep; + OPENSSL_DIR_CTX *d = NULL; + struct stat st; + unsigned char idmask[MAX_COLLISIONS / 8]; + int i, n, nextid, buflen, ret = -1; + const char *pathsep; + const char *filename; + char *buf; + + buflen = strlen(dirname); + pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/"; + buflen += NAME_MAX + 2; + buf = app_malloc(buflen, "filename buffer"); + + if (verbose) + BIO_printf(bio_out, "Doing %s\n", dirname); + + while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) { + if (snprintf(buf, buflen, "%s%s%s", + dirname, pathsep, filename) >= buflen) + continue; + if (lstat(buf, &st) < 0) + continue; + if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0) + continue; + do_file(filename, buf, h); + } + OPENSSL_DIR_end(&d); + + for (i = 0; i < (int)OSSL_NELEM(hash_table); i++) { + for (bp = hash_table[i]; bp; bp = nextbp) { + nextbp = bp->next; + nextid = 0; + memset(idmask, 0, (bp->num_needed + 7) / 8); + for (ep = bp->first_entry; ep; ep = ep->next) + if (ep->old_id < bp->num_needed) + bit_set(idmask, ep->old_id); + + for (ep = bp->first_entry; ep; ep = nextep) { + nextep = ep->next; + if (ep->old_id < bp->num_needed) { + /* Link exists, and is used as-is */ + snprintf(buf, buflen, "%08x.%s%d", bp->hash, + suffixes[bp->type], ep->old_id); + if (verbose) + BIO_printf(bio_out, "link %s -> %s\n", + ep->filename, buf); + } else if (ep->need_symlink) { + /* New link needed (it may replace something) */ + while (bit_isset(idmask, nextid)) + nextid++; + + snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bp->hash, + suffixes[bp->type], nextid); + if (verbose) + BIO_printf(bio_out, "link %s -> %s\n", + ep->filename, &buf[n]); + if (unlink(buf) < 0 && errno != ENOENT) + BIO_printf(bio_err, + "%s: Can't unlink %s, %s\n", + opt_getprog(), buf, strerror(errno)); + if (symlink(ep->filename, buf) < 0) + BIO_printf(bio_err, + "%s: Can't symlink %s, %s\n", + opt_getprog(), ep->filename, + strerror(errno)); + } else if (remove_links) { + /* Link to be deleted */ + snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bp->hash, + suffixes[bp->type], ep->old_id); + if (verbose) + BIO_printf(bio_out, "unlink %s\n", + &buf[n]); + if (unlink(buf) < 0 && errno != ENOENT) + BIO_printf(bio_err, + "%s: Can't unlink %s, %s\n", + opt_getprog(), buf, strerror(errno)); + } + OPENSSL_free(ep->filename); + OPENSSL_free(ep); + } + OPENSSL_free(bp); + } + hash_table[i] = NULL; + } + ret = 0; + + OPENSSL_free(buf); + return ret; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE +} OPTION_CHOICE; + +OPTIONS rehash_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"}, + {"old", OPT_OLD, '-', "Use old-style hash to generate links"}, + {"n", OPT_N, '-', "Do not remove existing links"}, + {"v", OPT_VERBOSE, '-', "Verbose output"}, + {NULL} +}; + + +int rehash_main(int argc, char **argv) +{ + const char *env, *prog; + char *e, *m; + int ret = 0; + OPTION_CHOICE o; + enum Hash h = HASH_NEW; + + prog = opt_init(argc, argv, rehash_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rehash_options); + goto end; + case OPT_COMPAT: + h = HASH_BOTH; + break; + case OPT_OLD: + h = HASH_OLD; + break; + case OPT_N: + remove_links = 0; + break; + case OPT_VERBOSE: + verbose = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + evpmd = EVP_sha1(); + evpmdsize = EVP_MD_size(evpmd); + + if (*argv) { + while (*argv) + ret |= do_dir(*argv++, h); + } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { + m = BUF_strdup(env); + for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) + ret |= do_dir(e, h); + OPENSSL_free(m); + } else { + ret |= do_dir("/etc/ssl/certs", h); + } + + end: + return ret ? 2 : 0; +} + +#else + +int rehash_main(int argc, char **argv) +{ + BIO_print(bio_err, "Not available; use c_rehash script\n"); + return (1); +} + +#endif diff --git a/doc/apps/c_rehash.pod b/doc/apps/rehash.pod similarity index 87% rename from doc/apps/c_rehash.pod rename to doc/apps/rehash.pod index e0a3d19..00ab29b 100644 --- a/doc/apps/c_rehash.pod +++ b/doc/apps/rehash.pod @@ -5,20 +5,27 @@ Original text by James Westby, contributed under the OpenSSL license. =head1 NAME -c_rehash - Create symbolic links to files named by the hash values +c_rehash, rehash - Create symbolic links to files named by the hash values =head1 SYNOPSIS -B +B +B B<[-old]> B<[-h]> B<[-n]> B<[-v]> [ I...] +B +I + =head1 DESCRIPTION -B scans directories and calculates a hash value of each +On some platforms, the OpenSSL B command is available as +an external script called B. They are functionally equivalent. + +B scans directories and calculates a hash value of each C<.pem>, C<.crt>, C<.cer>, or C<.crl> file in the specified directory list and creates symbolic links for each file, where the name of the link is the hash value. @@ -37,7 +44,7 @@ In order for a directory to be processed, the user must have write permissions on that directory, otherwise it will be skipped. The links created are of the form C, where each B is a hexadecimal character and B is a single decimal digit. -When processing a directory, B will first remove all links +When processing a directory, B will first remove all links that have a name in that syntax. If you have links in that format used for other purposes, they will be removed. To skip the removal step, use the B<-n> flag. @@ -87,7 +94,7 @@ This is needed when keeping new and old-style links in the same directory. =item B<-v> Print messages about old links removed and new links created. -By default, B only lists each directory as it is processed. +By default, B only lists each directory as it is processed. =back From rsalz at openssl.org Sun Sep 6 23:01:59 2015 From: rsalz at openssl.org (Rich Salz) Date: Sun, 06 Sep 2015 23:01:59 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441580519.517635.21574.nullmailer@dev.openssl.org> The branch master has been updated via 9e0da060893ecde200e579f96f6442da445af4e5 (commit) from 8f6f1441a368b984b739658778f53db1bf71a543 (commit) - Log ----------------------------------------------------------------- commit 9e0da060893ecde200e579f96f6442da445af4e5 Author: Rich Salz Date: Sun Sep 6 19:01:24 2015 -0400 Fix typo, that broke build on non-unix Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/rehash.c b/apps/rehash.c index 323fd15..b26cbf2 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -444,7 +444,7 @@ int rehash_main(int argc, char **argv) int rehash_main(int argc, char **argv) { - BIO_print(bio_err, "Not available; use c_rehash script\n"); + BIO_printf(bio_err, "Not available; use c_rehash script\n"); return (1); } From rsalz at openssl.org Mon Sep 7 01:39:53 2015 From: rsalz at openssl.org (Rich Salz) Date: Mon, 07 Sep 2015 01:39:53 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441589993.785006.7006.nullmailer@dev.openssl.org> The branch master has been updated via 62fdf4ee6c55d6d2212d868b02fcab51c6d4080a (commit) from 9e0da060893ecde200e579f96f6442da445af4e5 (commit) - Log ----------------------------------------------------------------- commit 62fdf4ee6c55d6d2212d868b02fcab51c6d4080a Author: Rich Salz Date: Sun Sep 6 21:39:26 2015 -0400 fix build breakage on windows Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/rehash.c b/apps/rehash.c index b26cbf2..672a42a 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -441,6 +441,9 @@ int rehash_main(int argc, char **argv) } #else +OPTIONS rehash_options[] = { + {NULL} +}; int rehash_main(int argc, char **argv) { From matt at openssl.org Mon Sep 7 09:33:58 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 07 Sep 2015 09:33:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441618438.636054.9663.nullmailer@dev.openssl.org> The branch master has been updated via 26d57a1a9225db13324d6c699753437da4de910c (commit) from 62fdf4ee6c55d6d2212d868b02fcab51c6d4080a (commit) - Log ----------------------------------------------------------------- commit 26d57a1a9225db13324d6c699753437da4de910c Author: Matt Caswell Date: Mon Sep 7 10:08:38 2015 +0100 Fix build break due to rehash command The build was breaking due to a Makefile recipe expecting an openssl version to be on the PATH with support for the rehash command. Reviewed-by: Ben Laurie ----------------------------------------------------------------------- Summary of changes: Makefile.org | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.org b/Makefile.org index 30d292a..2f8e472 100644 --- a/Makefile.org +++ b/Makefile.org @@ -428,7 +428,7 @@ rehash.time: certs apps [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \ export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \ - openssl rehash certs/demo) && \ + $$OPENSSL rehash certs/demo) && \ touch rehash.time; \ else :; fi From matt at openssl.org Mon Sep 7 09:38:31 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 07 Sep 2015 09:38:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441618711.472373.11117.nullmailer@dev.openssl.org> The branch master has been updated via 0e2d091103ed5846c72a5c9e8b10e25ead4bf152 (commit) via 68572c8af3ebb0a0729acad2196763df463927c1 (commit) from 26d57a1a9225db13324d6c699753437da4de910c (commit) - Log ----------------------------------------------------------------- commit 0e2d091103ed5846c72a5c9e8b10e25ead4bf152 Author: Matt Caswell Date: Wed Aug 26 13:49:49 2015 +0100 Updates for NumericString support Ensure that EBCDIC support works and update a comment. Reviewed-by: Tim Hudson commit 68572c8af3ebb0a0729acad2196763df463927c1 Author: Dmitry Belyavsky Date: Wed Aug 26 13:34:31 2015 +0100 Add NumericString support GOST requires improved NumericString support. Reviewed-by: Tim Hudson Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_mbstr.c | 30 +++++++++++++++++++++++++++--- crypto/asn1/a_strnid.c | 5 ++++- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 241eb60..46100c3 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -72,13 +72,14 @@ static int cpy_asc(unsigned long value, void *arg); static int cpy_bmp(unsigned long value, void *arg); static int cpy_univ(unsigned long value, void *arg); static int cpy_utf8(unsigned long value, void *arg); +static int is_numeric(unsigned long value); static int is_printable(unsigned long value); /* * These functions take a string in UTF8, ASCII or multibyte form and a mask * of permissible ASN1 string types. It then works out the minimal type - * (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) and - * creates a string of the correct type with the supplied data. Yes this is + * (using the order Numeric < Printable < IA5 < T61 < BMP < Universal < UTF8) + * and creates a string of the correct type with the supplied data. Yes this is * horrible: it has to be :-( The 'ncopy' form checks minimum and maximum * size limits too. */ @@ -169,7 +170,9 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, /* Now work out output format and string type */ outform = MBSTRING_ASC; - if (mask & B_ASN1_PRINTABLESTRING) + if (mask & B_ASN1_NUMERICSTRING) + str_type = V_ASN1_NUMERICSTRING; + else if (mask & B_ASN1_PRINTABLESTRING) str_type = V_ASN1_PRINTABLESTRING; else if (mask & B_ASN1_IA5STRING) str_type = V_ASN1_IA5STRING; @@ -320,6 +323,8 @@ static int type_str(unsigned long value, void *arg) { unsigned long types; types = *((unsigned long *)arg); + if ((types & B_ASN1_NUMERICSTRING) && !is_numeric(value)) + types &= ~B_ASN1_NUMERICSTRING; if ((types & B_ASN1_PRINTABLESTRING) && !is_printable(value)) types &= ~B_ASN1_PRINTABLESTRING; if ((types & B_ASN1_IA5STRING) && (value > 127)) @@ -419,3 +424,22 @@ static int is_printable(unsigned long value) #endif /* CHARSET_EBCDIC */ return 0; } + +/* Return 1 if the character is a digit or space */ +static int is_numeric(unsigned long value) +{ + int ch; + if (value > 0x7f) + return 0; + ch = (int)value; +#ifndef CHARSET_EBCDIC + if (!isdigit(ch) && ch != ' ') + return 0; +#else + if (ch > os_toascii['9']) + return 0; + if (ch < os_toascii['0'] && ch != os_toascii[' ']) + return 0; +#endif + return 1; +} diff --git a/crypto/asn1/a_strnid.c b/crypto/asn1/a_strnid.c index 7bfc768..1c6bbd4 100644 --- a/crypto/asn1/a_strnid.c +++ b/crypto/asn1/a_strnid.c @@ -192,7 +192,10 @@ static const ASN1_STRING_TABLE tbl_standard[] = { {NID_name, 1, ub_name, DIRSTRING_TYPE, 0}, {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}, {NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK}, - {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK} + {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}, + {NID_INN, 1, 12, B_ASN1_NUMERICSTRING, STABLE_NO_MASK}, + {NID_OGRN, 1, 13, B_ASN1_NUMERICSTRING, STABLE_NO_MASK}, + {NID_SNILS, 1, 11, B_ASN1_NUMERICSTRING, STABLE_NO_MASK} }; static int sk_table_cmp(const ASN1_STRING_TABLE *const *a, From matt at openssl.org Mon Sep 7 09:48:04 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 07 Sep 2015 09:48:04 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441619284.422442.13171.nullmailer@dev.openssl.org> The branch master has been updated via 50932c4af2fdd1da01203e9fabe176f9c106882b (commit) from 0e2d091103ed5846c72a5c9e8b10e25ead4bf152 (commit) - Log ----------------------------------------------------------------- commit 50932c4af2fdd1da01203e9fabe176f9c106882b Author: Matt Caswell Date: Tue Aug 4 17:36:02 2015 +0100 PACKETise ServerHello processing Process ServerHello messages using the PACKET API Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: ssl/d1_srtp.c | 24 +++++------- ssl/s3_clnt.c | 116 +++++++++++++++++++++++++++++++++++++++++++-------------- ssl/ssl_locl.h | 8 ++-- ssl/t1_lib.c | 99 ++++++++++++++++++++++-------------------------- ssl/t1_reneg.c | 25 ++++++------- 5 files changed, 157 insertions(+), 115 deletions(-) diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 4384eda..87dbcc6 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -358,33 +358,27 @@ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, return 0; } -int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, - int *al) +int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al) { - unsigned id; + unsigned int id, ct, mki; int i; - int ct; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; SRTP_PROTECTION_PROFILE *prof; - if (len != 5) { - SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, - SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *al = SSL_AD_DECODE_ERROR; - return 1; - } - - n2s(d, ct); - if (ct != 2) { + if (!PACKET_get_net_2(pkt, &ct) + || ct != 2 + || !PACKET_get_net_2(pkt, &id) + || !PACKET_get_1(pkt, &mki) + || PACKET_remaining(pkt) != 0) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); *al = SSL_AD_DECODE_ERROR; return 1; } - n2s(d, id); - if (*d) { /* Must be no MKI, since we never offer one */ + if (mki != 0) { + /* Must be no MKI, since we never offer one */ SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_USE_SRTP_EXT, SSL_R_BAD_SRTP_MKI_VALUE); *al = SSL_AD_ILLEGAL_PARAMETER; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index ba35fb9..b27cba2 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -930,9 +930,10 @@ int ssl3_get_server_hello(SSL *s) { STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *c; - unsigned char *p, *d; + PACKET pkt; + unsigned char *session_id, *cipherchars; int i, al = SSL_AD_INTERNAL_ERROR, ok; - unsigned int j; + unsigned int j, ciphercharlen; long n; #ifndef OPENSSL_NO_COMP SSL_COMP *comp; @@ -971,10 +972,20 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } - d = p = (unsigned char *)s->init_msg; + if (!PACKET_buf_init(&pkt, s->init_msg, n)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (s->method->version == TLS_ANY_VERSION) { - int sversion = (p[0] << 8) | p[1]; + unsigned int sversion; + + if (!PACKET_get_net_2(&pkt, &sversion)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } #if TLS_MAX_VERSION != TLS1_2_VERSION #error Code needs updating for new TLS version @@ -1012,8 +1023,16 @@ int ssl3_get_server_hello(SSL *s) } } else if (s->method->version == DTLS_ANY_VERSION) { /* Work out correct protocol version to use */ - int hversion = (p[0] << 8) | p[1]; - int options = s->options; + unsigned int hversion; + int options; + + if (!PACKET_get_net_2(&pkt, &hversion)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + + options = s->options; if (hversion == DTLS1_2_VERSION && !(options & SSL_OP_NO_DTLSv1_2)) s->method = DTLSv1_2_client_method(); else if (tls1_suiteb(s)) { @@ -1031,30 +1050,43 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->session->ssl_version = s->version = s->method->version; - } else if ((p[0] != (s->version >> 8)) || (p[1] != (s->version & 0xff))) { - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version & 0xff00) | p[1]; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; + } else { + unsigned char *vers; + + if (!PACKET_get_bytes(&pkt, &vers, 2)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + if ((vers[0] != (s->version >> 8)) + || (vers[1] != (s->version & 0xff))) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); + s->version = (s->version & 0xff00) | vers[1]; + al = SSL_AD_PROTOCOL_VERSION; + goto f_err; + } } - p += 2; /* load the server hello data */ /* load the server random */ - memcpy(s->s3->server_random, p, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; + if (!PACKET_copy_bytes(&pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } s->hit = 0; - /* get the session-id */ - j = *(p++); - - if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE)) { + /* get the session-id length */ + if (!PACKET_get_1(&pkt, &j) + || (j > sizeof s->session->session_id) + || (j > SSL3_SESSION_ID_SIZE)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; } + ciphercharlen = ssl_put_cipher_by_char(s, NULL, NULL); /* * Check if we can resume the session based on external pre-shared secret. * EAP-FAST (RFC 4851) supports two types of session resumption. @@ -1070,22 +1102,42 @@ int ssl3_get_server_hello(SSL *s) if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; + size_t bookm; + if (!PACKET_get_bookmark(&pkt, &bookm) + || !PACKET_forward(&pkt, j) + || !PACKET_get_bytes(&pkt, &cipherchars, ciphercharlen)) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length, NULL, &pref_cipher, s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? - pref_cipher : ssl_get_cipher_by_char(s, p + j); + pref_cipher : ssl_get_cipher_by_char(s, cipherchars); } else { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } + if (!PACKET_goto_bookmark(&pkt, bookm)) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + } + + /* Get the session id */ + if (!PACKET_get_bytes(&pkt, &session_id, j)) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; } if (j != 0 && j == s->session->session_id_length - && memcmp(p, s->session->session_id, j) == 0) { + && memcmp(session_id, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { /* actually a client application bug */ @@ -1109,10 +1161,15 @@ int ssl3_get_server_hello(SSL *s) } } s->session->session_id_length = j; - memcpy(s->session->session_id, p, j); /* j could be 0 */ + memcpy(s->session->session_id, session_id, j); /* j could be 0 */ } - p += j; - c = ssl_get_cipher_by_char(s, p); + + if (!PACKET_get_bytes(&pkt, &cipherchars, ciphercharlen)) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + c = ssl_get_cipher_by_char(s, cipherchars); if (c == NULL) { /* unknown cipher */ al = SSL_AD_ILLEGAL_PARAMETER; @@ -1133,7 +1190,6 @@ int ssl3_get_server_hello(SSL *s) SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_CIPHER_RETURNED); goto f_err; } - p += ssl_put_cipher_by_char(s, NULL, NULL); sk = ssl_get_ciphers_by_id(s); i = sk_SSL_CIPHER_find(sk, c); @@ -1166,8 +1222,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; /* lets get the compression algorithm */ /* COMPRESSION */ + if (!PACKET_get_1(&pkt, &j)) { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_LENGTH_MISMATCH); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } #ifdef OPENSSL_NO_COMP - if (*(p++) != 0) { + if (j != 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); @@ -1182,7 +1243,6 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } #else - j = *(p++); if (s->hit && j != s->session->compress_meth) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, @@ -1209,12 +1269,12 @@ int ssl3_get_server_hello(SSL *s) #endif /* TLS extensions */ - if (!ssl_parse_serverhello_tlsext(s, &p, d, n)) { + if (!ssl_parse_serverhello_tlsext(s, &pkt)) { SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_PARSE_TLSEXT); goto err; } - if (p != (d + n)) { + if (PACKET_remaining(&pkt) != 0) { /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_BAD_PACKET_LENGTH); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 79926ff..2539a4e 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -2088,8 +2088,7 @@ __owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, __owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt); __owur int tls1_set_server_sigalgs(SSL *s); __owur int ssl_check_clienthello_tlsext_late(SSL *s); -__owur int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, - unsigned char *d, int n); +__owur int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt); __owur int ssl_prepare_clienthello_tlsext(SSL *s); __owur int ssl_prepare_serverhello_tlsext(SSL *s); @@ -2126,7 +2125,7 @@ __owur EVP_MD_CTX *ssl_replace_hash(EVP_MD_CTX **hash, const EVP_MD *md); void ssl_clear_hash_ctx(EVP_MD_CTX **hash); __owur int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, int maxlen); -__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, +__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); __owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, int maxlen); @@ -2147,8 +2146,7 @@ __owur int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, __owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al); __owur int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); -__owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len, - int *al); +__owur int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al); __owur int ssl_handshake_hash(SSL *s, unsigned char *out, int outlen); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index f004288..95b4fb6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -2344,28 +2344,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt) * elements of zero length are allowed and the set of elements must exactly * fill the length of the block. */ -static char ssl_next_proto_validate(unsigned char *d, unsigned len) +static char ssl_next_proto_validate(PACKET *pkt) { - unsigned int off = 0; + unsigned int len; - while (off < len) { - if (d[off] == 0) + while (PACKET_remaining(pkt)) { + if (!PACKET_get_1(pkt, &len) + || !PACKET_forward(pkt, len)) return 0; - off += d[off]; - off++; } - return off == len; + return 1; } #endif -static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - unsigned char *d, int n, int *al) +static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al) { - unsigned short length; - unsigned short type; - unsigned short size; - unsigned char *data = *p; + unsigned int length, type, size; int tlsext_servername = 0; int renegotiate_seen = 0; @@ -2385,27 +2380,27 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC; #endif - if (data >= (d + n - 2)) + if (!PACKET_get_net_2(pkt, &length)) goto ri_check; - n2s(data, length); - if (data + length != d + n) { + if (PACKET_remaining(pkt) != length) { *al = SSL_AD_DECODE_ERROR; return 0; } - while (data <= (d + n - 4)) { - n2s(data, type); - n2s(data, size); + while (PACKET_get_net_2(pkt, &type) && PACKET_get_net_2(pkt, &size)) { + unsigned char *data; + PACKET spkt; - if (data + size > (d + n)) + if (!PACKET_get_sub_packet(pkt, &spkt, size) + || !PACKET_peek_bytes(&spkt, &data, size)) goto ri_check; if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 1, type, data, size, s->tlsext_debug_arg); if (type == TLSEXT_TYPE_renegotiate) { - if (!ssl_parse_serverhello_renegotiate_ext(s, data, size, al)) + if (!ssl_parse_serverhello_renegotiate_ext(s, &spkt, al)) return 0; renegotiate_seen = 1; } else if (s->version == SSL3_VERSION) { @@ -2418,10 +2413,9 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, } #ifndef OPENSSL_NO_EC else if (type == TLSEXT_TYPE_ec_point_formats) { - unsigned char *sdata = data; - int ecpointformatlist_length = *(sdata++); - - if (ecpointformatlist_length != size - 1) { + unsigned int ecpointformatlist_length; + if (!PACKET_get_1(&spkt, &ecpointformatlist_length) + || ecpointformatlist_length != size - 1) { *al = TLS1_AD_DECODE_ERROR; return 0; } @@ -2435,8 +2429,13 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, } s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, - ecpointformatlist_length); + if (!PACKET_copy_bytes(&spkt, + s->session->tlsext_ecpointformatlist, + ecpointformatlist_length)) { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + } } #endif /* OPENSSL_NO_EC */ @@ -2472,14 +2471,13 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, s->s3->tmp.finish_md_len == 0) { unsigned char *selected; unsigned char selected_len; - /* We must have requested it. */ if (s->ctx->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } /* The data must be valid */ - if (!ssl_next_proto_validate(data, size)) { + if (!ssl_next_proto_validate(&spkt)) { *al = TLS1_AD_DECODE_ERROR; return 0; } @@ -2504,31 +2502,21 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, else if (type == TLSEXT_TYPE_application_layer_protocol_negotiation) { unsigned len; - /* We must have requested it. */ if (s->alpn_client_proto_list == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; } - if (size < 4) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } /*- * The extension data consists of: * uint16 list_length * uint8 proto_length; * uint8 proto[proto_length]; */ - len = data[0]; - len <<= 8; - len |= data[1]; - if (len != (unsigned)size - 2) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } - len = data[2]; - if (len != (unsigned)size - 3) { + if (!PACKET_get_net_2(&spkt, &len) + || PACKET_remaining(&spkt) != len + || !PACKET_get_1(&spkt, &len) + || PACKET_remaining(&spkt) != len) { *al = TLS1_AD_DECODE_ERROR; return 0; } @@ -2538,12 +2526,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, *al = TLS1_AD_INTERNAL_ERROR; return 0; } - memcpy(s->s3->alpn_selected, data + 3, len); + if (!PACKET_copy_bytes(&spkt, s->s3->alpn_selected, len)) { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } s->s3->alpn_selected_len = len; } #ifndef OPENSSL_NO_HEARTBEATS else if (type == TLSEXT_TYPE_heartbeat) { - switch (data[0]) { + unsigned int hbtype; + if (!PACKET_get_1(&spkt, &hbtype)) { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + switch (hbtype) { case 0x01: /* Server allows us to send HB requests */ s->tlsext_heartbeat |= SSL_TLSEXT_HB_ENABLED; break; @@ -2559,7 +2555,7 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, #endif #ifndef OPENSSL_NO_SRTP else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { - if (ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) + if (ssl_parse_serverhello_use_srtp_ext(s, &spkt, al)) return 0; } #endif @@ -2581,11 +2577,9 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, */ else if (custom_ext_parse(s, 0, type, data, size, al) <= 0) return 0; - - data += size; } - if (data != d + n) { + if (PACKET_remaining(pkt) != 0) { *al = SSL_AD_DECODE_ERROR; return 0; } @@ -2605,8 +2599,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, } } - *p = data; - ri_check: /* @@ -2887,13 +2879,12 @@ int ssl_check_serverhello_tlsext(SSL *s) } } -int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, - int n) +int ssl_parse_serverhello_tlsext(SSL *s, PACKET *pkt) { int al = -1; if (s->version < SSL3_VERSION) return 1; - if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0) { + if (ssl_scan_serverhello_tlsext(s, pkt, &al) <= 0) { ssl3_send_alert(s, SSL3_AL_FATAL, al); return 0; } diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c index 22a71fe..3fb6a96 100644 --- a/ssl/t1_reneg.c +++ b/ssl/t1_reneg.c @@ -220,29 +220,27 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, /* * Parse the server's renegotiation binding and abort if it's not right */ -int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, - int *al) +int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) { - int expected_len = s->s3->previous_client_finished_len + unsigned int expected_len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; - int ilen; + unsigned int ilen; + unsigned char *data; /* Check for logic errors */ OPENSSL_assert(!expected_len || s->s3->previous_client_finished_len); OPENSSL_assert(!expected_len || s->s3->previous_server_finished_len); /* Parse the length byte */ - if (len < 1) { + if (!PACKET_get_1(pkt, &ilen)) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } - ilen = *d; - d++; /* Consistency check */ - if (ilen + 1 != len) { + if (PACKET_remaining(pkt) != ilen) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_ENCODING_ERR); *al = SSL_AD_ILLEGAL_PARAMETER; @@ -257,17 +255,18 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, unsigned char *d, int len, return 0; } - if (memcmp(d, s->s3->previous_client_finished, - s->s3->previous_client_finished_len)) { + if (!PACKET_get_bytes(pkt, &data, s->s3->previous_client_finished_len) + || memcmp(data, s->s3->previous_client_finished, + s->s3->previous_client_finished_len) != 0) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } - d += s->s3->previous_client_finished_len; - if (memcmp(d, s->s3->previous_server_finished, - s->s3->previous_server_finished_len)) { + if (!PACKET_get_bytes(pkt, &data, s->s3->previous_server_finished_len) + || memcmp(data, s->s3->previous_server_finished, + s->s3->previous_server_finished_len) != 0) { SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT, SSL_R_RENEGOTIATION_MISMATCH); *al = SSL_AD_ILLEGAL_PARAMETER; From matt at openssl.org Mon Sep 7 09:54:16 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 07 Sep 2015 09:54:16 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441619656.784320.14559.nullmailer@dev.openssl.org> The branch master has been updated via 8098fc566351cb76a2c5ad4f465df51f5e7e8c12 (commit) from 50932c4af2fdd1da01203e9fabe176f9c106882b (commit) - Log ----------------------------------------------------------------- commit 8098fc566351cb76a2c5ad4f465df51f5e7e8c12 Author: Matt Caswell Date: Tue Aug 4 21:22:31 2015 +0100 PACKETise ServerKeyExchange Process the ServerKeyExchange message using the PACKET API Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: ssl/s3_clnt.c | 212 ++++++++++++++++++++++++---------------------------------- 1 file changed, 88 insertions(+), 124 deletions(-) diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index b27cba2..0195d09 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1444,9 +1444,9 @@ int ssl3_get_key_exchange(SSL *s) unsigned char *q, md_buf[EVP_MAX_MD_SIZE * 2]; #endif EVP_MD_CTX md_ctx; - unsigned char *param, *p; - int al, j, ok; - long i, param_len, n, alg_k, alg_a; + int al, j, verify_ret, ok; + unsigned int i; + long n, alg_k, alg_a; EVP_PKEY *pkey = NULL; const EVP_MD *md = NULL; #ifndef OPENSSL_NO_RSA @@ -1460,8 +1460,11 @@ int ssl3_get_key_exchange(SSL *s) BN_CTX *bn_ctx = NULL; EC_POINT *srvr_ecpoint = NULL; int curve_nid = 0; - int encoded_pt_len = 0; + unsigned int encoded_pt_len = 0; #endif + PACKET pkt; + unsigned char *data, *param; + size_t startparam, endparam; EVP_MD_CTX_init(&md_ctx); @@ -1493,7 +1496,12 @@ int ssl3_get_key_exchange(SSL *s) return (1); } - param = p = (unsigned char *)s->init_msg; + if (!PACKET_buf_init(&pkt, s->init_msg, n) + || !PACKET_get_bookmark(&pkt, &startparam)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } #ifndef OPENSSL_NO_RSA RSA_free(s->s3->peer_rsa_tmp); @@ -1508,9 +1516,6 @@ int ssl3_get_key_exchange(SSL *s) s->s3->peer_ecdh_tmp = NULL; #endif - /* Total length of the parameters including the length prefix */ - param_len = 0; - alg_a = s->s3->tmp.new_cipher->algorithm_auth; al = SSL_AD_DECODE_ERROR; @@ -1519,12 +1524,10 @@ int ssl3_get_key_exchange(SSL *s) /* PSK ciphersuites are preceded by an identity hint */ if (alg_k & SSL_PSK) { - param_len = 2; - if (param_len > n) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - n2s(p, i); /* * Store PSK identity hint for later use, hint is used in @@ -1537,16 +1540,21 @@ int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); goto f_err; } - if (i > n - param_len) { + if (PACKET_remaining(&pkt) < i) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); goto f_err; } - param_len += i; OPENSSL_free(s->session->psk_identity_hint); if (i != 0) { - s->session->psk_identity_hint = BUF_strndup((char *)p, i); + unsigned char *hint = NULL; + + if (!PACKET_get_bytes(&pkt, &hint, i)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + s->session->psk_identity_hint = BUF_strndup((char *)hint, i); if (s->session->psk_identity_hint == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); @@ -1555,9 +1563,6 @@ int ssl3_get_key_exchange(SSL *s) } else { s->session->psk_identity_hint = NULL; } - - p += i; - n -= param_len; } /* Nothing else to do for plain PSK or RSAPSK */ @@ -1566,86 +1571,65 @@ int ssl3_get_key_exchange(SSL *s) #endif /* !OPENSSL_NO_PSK */ #ifndef OPENSSL_NO_SRP if (alg_k & SSL_kSRP) { - param_len = 2; - if (param_len > n) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_N_LENGTH); goto f_err; } - param_len += i; - if ((s->srp_ctx.N = BN_bin2bn(p, i, NULL)) == NULL) { + if ((s->srp_ctx.N = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - if (2 > n - param_len) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 2; - - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_G_LENGTH); goto f_err; } - param_len += i; - if ((s->srp_ctx.g = BN_bin2bn(p, i, NULL)) == NULL) { + if ((s->srp_ctx.g = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - if (1 > n - param_len) { + if (!PACKET_get_1(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 1; - i = (unsigned int)(p[0]); - p++; - - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_S_LENGTH); goto f_err; } - param_len += i; - if ((s->srp_ctx.s = BN_bin2bn(p, i, NULL)) == NULL) { + if ((s->srp_ctx.s = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - if (2 > n - param_len) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 2; - - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_B_LENGTH); goto f_err; } - param_len += i; - if ((s->srp_ctx.B = BN_bin2bn(p, i, NULL)) == NULL) { + if ((s->srp_ctx.B = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - n -= param_len; if (!srp_verify_server_param(s, &al)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SRP_PARAMETERS); @@ -1670,45 +1654,35 @@ int ssl3_get_key_exchange(SSL *s) goto err; } - param_len = 2; - if (param_len > n) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_MODULUS_LENGTH); goto f_err; } - param_len += i; - if ((rsa->n = BN_bin2bn(p, i, rsa->n)) == NULL) { + if ((rsa->n = BN_bin2bn(data, i, rsa->n)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - if (2 > n - param_len) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 2; - - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_E_LENGTH); goto f_err; } - param_len += i; - if ((rsa->e = BN_bin2bn(p, i, rsa->e)) == NULL) { + if ((rsa->e = BN_bin2bn(data, i, rsa->e)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - n -= param_len; /* this should be because we are using an export cipher */ if (alg_a & SSL_aRSA) @@ -1737,76 +1711,60 @@ int ssl3_get_key_exchange(SSL *s) goto err; } - param_len = 2; - if (param_len > n) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_LENGTH); goto f_err; } - param_len += i; - if ((dh->p = BN_bin2bn(p, i, NULL)) == NULL) { + if ((dh->p = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; if (BN_is_zero(dh->p)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE); goto f_err; } - - if (2 > n - param_len) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 2; - - n2s(p, i); - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_LENGTH); goto f_err; } - param_len += i; - if ((dh->g = BN_bin2bn(p, i, NULL)) == NULL) { + if ((dh->g = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; if (BN_is_zero(dh->g)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); goto f_err; } - if (2 > n - param_len) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - param_len += 2; - n2s(p, i); - - if (i > n - param_len) { + if (!PACKET_get_bytes(&pkt, &data, i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_LENGTH); goto f_err; } - param_len += i; - if ((dh->pub_key = BN_bin2bn(p, i, NULL)) == NULL) { + if ((dh->pub_key = BN_bin2bn(data, i, NULL)) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); goto err; } - p += i; - n -= param_len; if (BN_is_zero(dh->pub_key)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE); @@ -1845,11 +1803,9 @@ int ssl3_get_key_exchange(SSL *s) /* * XXX: For now we only support named (not generic) curves and the - * ECParameters in this case is just three bytes. We also need one - * byte for the length of the encoded point + * ECParameters in this case is just three bytes. */ - param_len = 4; - if (param_len > n) { + if (!PACKET_get_bytes(&pkt, &data, 3)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } @@ -1857,12 +1813,12 @@ int ssl3_get_key_exchange(SSL *s) * Check curve is one of our preferences, if not server has sent an * invalid curve. ECParameters is 3 bytes. */ - if (!tls1_check_curve(s, p, 3)) { + if (!tls1_check_curve(s, data, 3)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_CURVE); goto f_err; } - if ((curve_nid = tls1_ec_curve_id2nid(*(p + 2))) == 0) { + if ((curve_nid = tls1_ec_curve_id2nid(*(data + 2))) == 0) { al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS); @@ -1890,8 +1846,6 @@ int ssl3_get_key_exchange(SSL *s) goto f_err; } - p += 3; - /* Next, get the encoded ECPoint */ if (((srvr_ecpoint = EC_POINT_new(group)) == NULL) || ((bn_ctx = BN_CTX_new()) == NULL)) { @@ -1899,19 +1853,17 @@ int ssl3_get_key_exchange(SSL *s) goto err; } - encoded_pt_len = *p; /* length of encoded point */ - p += 1; + if (!PACKET_get_1(&pkt, &encoded_pt_len)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } - if ((encoded_pt_len > n - param_len) || + if (!PACKET_get_bytes(&pkt, &data, encoded_pt_len) || (EC_POINT_oct2point(group, srvr_ecpoint, - p, encoded_pt_len, bn_ctx) == 0)) { + data, encoded_pt_len, bn_ctx) == 0)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_ECPOINT); goto f_err; } - param_len += encoded_pt_len; - - n -= param_len; - p += encoded_pt_len; /* * The ECC/TLS specification does not mention the use of DSA to sign @@ -1942,17 +1894,20 @@ int ssl3_get_key_exchange(SSL *s) } #endif /* !OPENSSL_NO_EC */ - /* p points to the next byte, there are 'n' bytes left */ + if (!PACKET_get_bookmark(&pkt, &endparam)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } /* if it was signed, check the signature */ if (pkey != NULL) { if (SSL_USE_SIGALGS(s)) { int rv; - if (2 > n) { + if (!PACKET_get_bytes(&pkt, &data, 2)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - rv = tls12_check_peer_sigalg(&md, s, p, pkey); + rv = tls12_check_peer_sigalg(&md, s, data, pkey); if (rv == -1) goto err; else if (rv == 0) { @@ -1961,27 +1916,35 @@ int ssl3_get_key_exchange(SSL *s) #ifdef SSL_DEBUG fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); #endif - p += 2; - n -= 2; } else md = EVP_sha1(); - if (2 > n) { + if (!PACKET_get_net_2(&pkt, &i)) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; } - n2s(p, i); - n -= 2; j = EVP_PKEY_size(pkey); + if (j < 0) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } /* - * Check signature length. If n is 0 then signature is empty + * Check signature length */ - if ((i != n) || (n > j) || (n <= 0)) { + if (i > (unsigned int)j + || !PACKET_get_bytes(&pkt, &data, i) + || PACKET_remaining(&pkt) != 0) { /* wrong packet length */ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_WRONG_SIGNATURE_LENGTH); goto f_err; } + if (!PACKET_goto_bookmark(&pkt, startparam) + || !PACKET_get_bytes(&pkt, ¶m, endparam - startparam)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } #ifndef OPENSSL_NO_RSA if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { int num; @@ -1997,18 +1960,19 @@ int ssl3_get_key_exchange(SSL *s) SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, param, param_len); + EVP_DigestUpdate(&md_ctx, param, endparam - startparam); EVP_DigestFinal_ex(&md_ctx, q, &size); q += size; j += size; } - i = RSA_verify(NID_md5_sha1, md_buf, j, p, n, pkey->pkey.rsa); - if (i < 0) { + verify_ret = + RSA_verify(NID_md5_sha1, md_buf, j, data, i, pkey->pkey.rsa); + if (verify_ret < 0) { al = SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_RSA_DECRYPT); goto f_err; } - if (i == 0) { + if (verify_ret == 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); @@ -2022,8 +1986,8 @@ int ssl3_get_key_exchange(SSL *s) SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx, param, param_len); - if (EVP_VerifyFinal(&md_ctx, p, (int)n, pkey) <= 0) { + EVP_VerifyUpdate(&md_ctx, param, endparam - startparam); + if (EVP_VerifyFinal(&md_ctx, data, (int)i, pkey) <= 0) { /* bad signature */ al = SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_SIGNATURE); @@ -2040,7 +2004,7 @@ int ssl3_get_key_exchange(SSL *s) goto err; } /* still data left over */ - if (n != 0) { + if (PACKET_remaining(&pkt) != 0) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_EXTRA_DATA_IN_MESSAGE); goto f_err; } From levitte at openssl.org Mon Sep 7 14:11:49 2015 From: levitte at openssl.org (Richard Levitte) Date: Mon, 07 Sep 2015 14:11:49 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441635109.899856.28679.nullmailer@dev.openssl.org> The branch master has been updated via a351805733a2c0511c61e7fef06fe645e31a4796 (commit) via eb8cd5dec28313d03025c160f81207ac6137f44a (commit) via 1c73c3bcf02731b4ce693b6e3ece9543cef4f2a0 (commit) via ca5d7dff72b10cb030437a03d779c4fcf8ab832b (commit) via 49b147f85b96482be3931abda306afdf84d75d17 (commit) via e3ff089249a31765c23faaf9d8019b7889dd0c58 (commit) via 5beb63c41e8bc140cd8096af8195b0b95bef1ff5 (commit) via 5ab4f893ce6d10e9286fd746acebe382c36cd32d (commit) via 24d794de25ae419f925b9ccc1e5dbab1b372cce8 (commit) via 50f0a9b3dd41c37875def805c2c48f8b2ed3ef24 (commit) via c27a4049475428b902004a47104c17e1eaaadd20 (commit) via 25be5f44b81e1c45e15e689ba55713e455dfe624 (commit) via 53520ebe8757fea7d2e9ffe3d0c610dd6b9b9cc6 (commit) via 2511c12bf2d5f07f329d1e90cde8791817e4357e (commit) via 8de4f3d3a63f5eb5afa4bd92043953b501d0d7eb (commit) via 2a74b62e3ae1b6916190ff19276ed49a9b728b8f (commit) via ca904707b6df0f5077f9eff94f29bd8035d042a7 (commit) via 8368d46bcadf13dd2c675da8113fcc9400ae12fc (commit) via f5098edb14ce7da8db814dd392358d53c2b81496 (commit) via fd99c6b599a8ed87b726caaa6d88c6915a60e0f4 (commit) via caadc54381af04dd49d9812737d40fea320c8674 (commit) via fb921436f3dc03daf4a7ac1fec9f1e458772e17b (commit) via d6c5b66c1c9457a7f8c8f69c1ad3b4557dcd3fa2 (commit) via 204e41ed504b6deb370bdbf85fd988c03eff363b (commit) via 71a4f2832c3fe02d026af8241767ee80f440e876 (commit) via fd9ad2300b280c0f71d24456bfbf04579331bc94 (commit) via 93de4f58ef8be2cb764343cb3102d41c81f11593 (commit) via d11b43fdd30f084c19136359d0e3e4a06631abf9 (commit) via 7dc11227a385fd7e248e1292653761ec9ce9c105 (commit) via 127d25903fc705756ac211ea373104d8e8858ae1 (commit) via 88b8a5279f452027c193c2de7909dd9f7c9736c6 (commit) via 4fb35f8fcba5b49bdf8223e1964ef4cf640ea0ca (commit) via 4650de3e431d123e988821215f6473e93c3d4b17 (commit) via 0c85cc506916039bba86e8335aa71e0e44f038b0 (commit) via 904ae3342600fe1dae3e0835a784c73b7c237106 (commit) via 13350a0c0eb8937c299c394a88d6cb51d3356d1f (commit) via 894025c6428e7a78fb251e7a16522c3b7351f357 (commit) via f3356b7f49823ddf31683667dfd376312b0a92a3 (commit) via aec27d4d5210234560deab85c97bd453535f66ae (commit) from 8098fc566351cb76a2c5ad4f465df51f5e7e8c12 (commit) - Log ----------------------------------------------------------------- commit a351805733a2c0511c61e7fef06fe645e31a4796 Author: Richard Levitte Date: Mon Sep 7 01:09:23 2015 +0200 Make sure that 80-test_ca.t finds all the config files This recipe counted too much on being called with test/ as its current working directory. That's a mistake on, for example, Windows. Reviewed-by: Rich Salz commit eb8cd5dec28313d03025c160f81207ac6137f44a Author: Richard Levitte Date: Sun Sep 6 16:04:15 2015 +0200 Add a recipe for the new null pointer test Reviewed-by: Rich Salz commit 1c73c3bcf02731b4ce693b6e3ece9543cef4f2a0 Author: Richard Levitte Date: Sun Sep 6 16:03:30 2015 +0200 Change the 80-test_tsa recipe as per changes in testtsa Reviewed-by: Rich Salz commit ca5d7dff72b10cb030437a03d779c4fcf8ab832b Author: Richard Levitte Date: Thu Sep 3 21:17:31 2015 +0200 Add a recipe for the new pbelu test Reviewed-by: Rich Salz commit 49b147f85b96482be3931abda306afdf84d75d17 Author: Richard Levitte Date: Thu Sep 3 20:54:01 2015 +0200 Remake the testsslproxy tests The testsslproxy tests turned out to be useless as they were. They were really just for show and the results were ignore. Now they are changed into a more veerifiable test Reviewed-by: Rich Salz commit e3ff089249a31765c23faaf9d8019b7889dd0c58 Author: Richard Levitte Date: Thu Sep 3 19:41:40 2015 +0200 Small fix in OpenSSL::Test Be careful when shifting in a function argument, you end up changing the caller's value. Instead, when it is an array, make a shallow copy and shift in that instead. Reviewed-by: Rich Salz commit 5beb63c41e8bc140cd8096af8195b0b95bef1ff5 Author: Richard Levitte Date: Thu Sep 3 19:39:58 2015 +0200 Incorporate recent changes that were originally made in test/testssl Reviewed-by: Rich Salz commit 5ab4f893ce6d10e9286fd746acebe382c36cd32d Author: Richard Levitte Date: Thu Sep 3 12:00:28 2015 +0200 Add documentation for the new testing framework Reviewed-by: Rich Salz commit 24d794de25ae419f925b9ccc1e5dbab1b372cce8 Author: Richard Levitte Date: Thu Sep 3 09:24:01 2015 +0200 Add a recipe for the new gmdiff test Reviewed-by: Rich Salz commit 50f0a9b3dd41c37875def805c2c48f8b2ed3ef24 Author: Richard Levitte Date: Thu Sep 3 09:23:32 2015 +0200 Correct test name Some tests were copied from test_jpake, but the title wasn't changed accordingly. This might seem like a small thing, but it does affect the log file name... Reviewed-by: Rich Salz commit c27a4049475428b902004a47104c17e1eaaadd20 Author: Richard Levitte Date: Fri Aug 28 03:07:24 2015 +0200 Remake test/sslsessionticktest.pl into a recipe Reviewed-by: Rich Salz commit 25be5f44b81e1c45e15e689ba55713e455dfe624 Author: Richard Levitte Date: Thu Aug 13 19:38:59 2015 +0200 Adapt the libssl test harness testing scripts to new testing framework This involves adding $TOP/util as perl library in test/run_tests.pl. Reviewed-by: Rich Salz commit 53520ebe8757fea7d2e9ffe3d0c610dd6b9b9cc6 Author: Richard Levitte Date: Sun Aug 9 06:52:50 2015 +0200 Check the validity of MINFO MINFO may be an old file lying around, which might have 00-check_testexes.t produce incorrect results. To make sure this doesn't happen, check the variable VERSION in it against the same variable in the top Makefile. Reviewed-by: Rich Salz commit 2511c12bf2d5f07f329d1e90cde8791817e4357e Author: Richard Levitte Date: Sun Aug 9 05:35:57 2015 +0200 Better method of skipping all the tests in 00-check_testexes.t Before trying to read MINFO, we have no idea how many to test for, and because skip expects to get an exact number somehow, it's better to use 'plan skip_all'. Reviewed-by: Rich Salz commit 8de4f3d3a63f5eb5afa4bd92043953b501d0d7eb Author: Richard Levitte Date: Sat Aug 8 11:45:54 2015 +0200 Remove special x509 test conversions Following the commit from July 2 that removed netscape formated certs, it is no longer necessary to have conversion tests for it. Reviewed-by: Rich Salz commit 2a74b62e3ae1b6916190ff19276ed49a9b728b8f Author: Richard Levitte Date: Sat Aug 8 11:33:10 2015 +0200 Add a few missing tests test_clienthello test_packet test_verify_extra test_secmem Reviewed-by: Rich Salz commit ca904707b6df0f5077f9eff94f29bd8035d042a7 Author: Richard Levitte Date: Thu Apr 30 19:52:36 2015 +0200 Push the line buffer filter on the out BIO on VMS VMS files are normally record oriented rather than stream oriented. This means that every write() will create a new record, which is seen as a line of its own, regardless of if there was a \n in there or not. bntest uses BN_print, which prints out number with more than one write(), thereby dividing up the numbers in several lines, which greatly disturbs the post-bntest checks that expect to find a full formula to calculate on one line. So, for VMS, we need to push the linebuffer filter on the out BIO. Reviewed-by: Rich Salz commit 8368d46bcadf13dd2c675da8113fcc9400ae12fc Author: Richard Levitte Date: Thu Apr 30 19:38:47 2015 +0200 Rework 00-test_checkexes.t for VMS Unfortunately, a file spec with character range globs interfere with paths on VMS, and are therefore disabled. Rework this test to collect a list of expected tests and a list of all recipes and compare the two using grep. Reviewed-by: Rich Salz commit f5098edb14ce7da8db814dd392358d53c2b81496 Author: Richard Levitte Date: Thu Apr 30 14:30:15 2015 +0200 Document OpenSSL::Test and OpenSSL::Test::Simple For OpenSSL::Test, it meant rearranging the code to better suite the structure of the documentation. Reviewed-by: Rich Salz commit fd99c6b599a8ed87b726caaa6d88c6915a60e0f4 Author: Richard Levitte Date: Thu Apr 30 08:51:24 2015 +0200 Change OpenSSL::Test to be an extension of Test::More It became tedious as well as error prone to have all recipes use Test::More as well as OpenSSL::Test. The easier way is to make OpenSSL::Test an extension of Test::More, thereby having all version checks as well as future checks firmly there. Additionally, that allows us to extend existing Test::More functions if the need would arise. Reviewed-by: Rich Salz commit caadc54381af04dd49d9812737d40fea320c8674 Author: Richard Levitte Date: Wed Apr 29 21:51:25 2015 +0200 New feature: STOPTEST When the environment variable STOPTEST is defined (with any value other than the empty string), the test machinery in OpenSSL::Test goes into a different mode that will stop all testing at the end of a failing recipe. Reviewed-by: Rich Salz commit fb921436f3dc03daf4a7ac1fec9f1e458772e17b Author: Richard Levitte Date: Tue Apr 28 20:39:09 2015 +0200 Add version numbers on some modules we use. Reviewed-by: Rich Salz commit d6c5b66c1c9457a7f8c8f69c1ad3b4557dcd3fa2 Author: Richard Levitte Date: Tue Apr 28 17:59:06 2015 +0200 Have 'make clean' clean away the log files. Reviewed-by: Rich Salz commit 204e41ed504b6deb370bdbf85fd988c03eff363b Author: Richard Levitte Date: Thu Apr 23 11:11:14 2015 +0200 Tone down the requirements of a test that will go away. 00-check_testexes.t was a way for me to check that I didn't forget a compiled test app. The way it worked was to require MINFO to be present. Considering the need for this test has diminished considerably at this point, I might as well tone down the requirement, and have it skip the test (and not fail it) if MINFO isn't present. Reviewed-by: Rich Salz commit 71a4f2832c3fe02d026af8241767ee80f440e876 Author: Richard Levitte Date: Tue Apr 21 21:10:01 2015 +0200 Remove old testing scripts out of the way. For now, I'm moving them into Attic/. They will be removed later. Reviewed-by: Rich Salz commit fd9ad2300b280c0f71d24456bfbf04579331bc94 Author: Richard Levitte Date: Tue Apr 21 20:09:36 2015 +0200 Adapt mk1mf.pl and helpers to the new testing framework. With the new testing framework, building a test target with mk1mf.pl becomes a very simple thing. And especially, no more need to do the amount of hackery in unix.pl we did. Also, some tests need a working apps/CA.pl as well as rehashed certs in certs/demo. So, move the code creating those files so it gets done regardless, not just in non-mk1mf environments. Reviewed-by: Rich Salz commit 93de4f58ef8be2cb764343cb3102d41c81f11593 Author: Richard Levitte Date: Tue Apr 21 19:29:01 2015 +0200 Simplify very simple test recipes further. Very simple test recipes easily become tedious, so they might benefit from being made as simple as possible. Therefore, OpenSSL::Test::Simple is born. It currently provides but one function, simple_test(), which takes a minimum of two parameters (test name and program to run), with the optional third, being the algorithm to be checked for before running the test itself. All recipes with that simple thing to do have been rewritten to be as minimal as possible. Reviewed-by: Rich Salz commit d11b43fdd30f084c19136359d0e3e4a06631abf9 Author: Richard Levitte Date: Sun Apr 19 23:49:30 2015 +0200 Remove test targets from Makefile, have it use run_tests.pl Also remove recipes/00-check_testalltests.t, since it will lack the information from the now gone alltests target. Reviewed-by: Rich Salz commit 7dc11227a385fd7e248e1292653761ec9ce9c105 Author: Richard Levitte Date: Sun Apr 19 22:29:46 2015 +0200 Ignore the log files The new test framework produces a lot of log files (one for each test). Git doesn't need to know. Reviewed-by: Rich Salz commit 127d25903fc705756ac211ea373104d8e8858ae1 Author: Richard Levitte Date: Sun Apr 19 22:26:12 2015 +0200 Add recipes for misc other things we want to test Note that this required a change in constant_time_test.c, as it says "ok", which interferes with what Test::Harness expects to see. I had constant_time_test.c say "success" instead. Reviewed-by: Rich Salz commit 88b8a5279f452027c193c2de7909dd9f7c9736c6 Author: Richard Levitte Date: Sun Apr 19 22:24:17 2015 +0200 Add recipes for the larger protocols This covers the certificate authority commands, the cms and smime commands, OCSP, SSL and TSA. Reviewed-by: Rich Salz commit 4fb35f8fcba5b49bdf8223e1964ef4cf640ea0ca Author: Richard Levitte Date: Fri Apr 17 20:16:13 2015 +0200 Add engine and evp test recipes. Reviewed-by: Rich Salz commit 4650de3e431d123e988821215f6473e93c3d4b17 Author: Richard Levitte Date: Fri Apr 17 20:15:22 2015 +0200 Add recipes for tests related to certificates Some of them make use of recipes/tconversion.pl. Reviewed-by: Rich Salz commit 0c85cc506916039bba86e8335aa71e0e44f038b0 Author: Richard Levitte Date: Fri Apr 17 20:13:58 2015 +0200 Add asymetric cipher test recipes Some of them make use of recipes/tconversion.pl. Reviewed-by: Rich Salz commit 904ae3342600fe1dae3e0835a784c73b7c237106 Author: Richard Levitte Date: Fri Apr 17 20:10:24 2015 +0200 Add a helper script for key file format conversion tests As tests are done until now, there are a few scripts that look almost, but not quite the same. tkey, tx509, tcrl, tpkcs7, treq, tsid and probably a few more. recipes/tconversions.pl is a helper script that generalises the function of each of those, and can then be used in a general manner from test recipes. Reviewed-by: Rich Salz commit 13350a0c0eb8937c299c394a88d6cb51d3356d1f Author: Richard Levitte Date: Fri Apr 17 20:07:13 2015 +0200 Add the encryption test recipe This tests all available openssl cipher commands. Reviewed-by: Rich Salz commit 894025c6428e7a78fb251e7a16522c3b7351f357 Author: Richard Levitte Date: Fri Apr 17 20:04:19 2015 +0200 Add recipes for individual block ciphers, stream ciphers and digests These recipes all correspond to a compiled test program. Reviewed-by: Rich Salz commit f3356b7f49823ddf31683667dfd376312b0a92a3 Author: Richard Levitte Date: Fri Apr 17 19:57:55 2015 +0200 Add math tests recipes The math recipes are among the heavier, but also quite important. For the BN test, we have previously relied on bc to verify the numbers. Unfortunately, bc doesn't exist everywhere, making tests on some platforms rather painful. With the new recipe (recipes/10-test_bn.t), we rely on perl's Math::BigInt and a homegrown simple calculator (recipes/bc.pl) that can do enough to cover for bc. Reviewed-by: Rich Salz commit aec27d4d5210234560deab85c97bd453535f66ae Author: Richard Levitte Date: Fri Apr 17 19:44:48 2015 +0200 Groundwork for a perl based testing framework The idea with this perl based testing framework is to make use of what's delivered with perl and exists on all sorts of platforms. The choice came to using Test::More and Test::Harness, as that seems to be the most widely spread foundation, even if perl is aged. The main runner of the show is run_tests.pl. As it currently stands, it's designed to run from inside Makefile, but it's absolutely possible to run it from the command line as well, like so: cd test OPENSSL_SRCDIR=.. perl run_tests.pl The tester scripts themselves are stored in the subdirectory recipes/, and initially, we have two such scripts, recipes/00-check_testalltests.t and recipes/00-check_testexes.t. recipes/00-check_testalltests.t will pick out the dependencies of "alltests" in test/Makefile, and check if it can find recipes with corresponding names. recipes/00-check_testexes.t does something similar, but bases it on existing compiled test binaries. They make it easy to figure out what's to be added, and will be removed when this effort is finished. Individual recipes can be run as well, of course, as they are perl scripts in themselves. For example, you can run only recipes/00-check_testexes.t like so: cd test OPENSSL_SRCDIR=.. perl recipes/00-check_testexes.t To make coding easier, there's a routine library OpenSSL::Test, which is reachable in a perl script like so: use lib 'testlib'; use OpenSSL::Test; Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: .gitignore | 1 + CHANGES | 15 + Configure | 18 +- test/{ => Attic}/VMSca-response.1 | 0 test/{ => Attic}/VMSca-response.2 | 0 test/{ => Attic}/bctest | 0 test/{ => Attic}/bctest.com | 0 test/{ => Attic}/bntest.com | 0 test/{ => Attic}/cms-test.pl | 0 test/{ => Attic}/tcrl | 0 test/{ => Attic}/tcrl.com | 0 test/{ => Attic}/testca | 0 test/{ => Attic}/testca.com | 0 test/{ => Attic}/testenc | 0 test/{ => Attic}/testenc.com | 0 test/{ => Attic}/testgen | 0 test/{ => Attic}/testgen.com | 0 test/{ => Attic}/testss | 0 test/{ => Attic}/testss.com | 0 test/{ => Attic}/testssl | 0 test/{ => Attic}/testssl.com | 0 test/{ => Attic}/testsslproxy | 0 test/{ => Attic}/testtsa | 0 test/{ => Attic}/testtsa.com | 0 test/{ => Attic}/tkey | 0 test/{ => Attic}/tocsp | 0 test/{ => Attic}/tocsp.com | 0 test/{ => Attic}/tpkcs7 | 0 test/{ => Attic}/tpkcs7.com | 0 test/{ => Attic}/tpkcs7d | 0 test/{ => Attic}/tpkcs7d.com | 0 test/{ => Attic}/treq | 0 test/{ => Attic}/treq.com | 0 test/{ => Attic}/trsa.com | 0 test/{ => Attic}/tsid | 0 test/{ => Attic}/tsid.com | 0 test/{ => Attic}/tverify.com | 0 test/{ => Attic}/tx509 | 0 test/{ => Attic}/tx509.com | 0 test/Makefile | 321 +-------- test/README | 107 +++ test/bntest.c | 6 + test/constant_time_test.c | 2 +- test/recipes/00-check_testexes.t | 59 ++ test/recipes/05-test_bf.t | 5 + test/recipes/05-test_cast.t | 5 + test/recipes/05-test_des.t | 5 + test/recipes/05-test_hmac.t | 5 + test/recipes/05-test_idea.t | 5 + test/recipes/05-test_md2.t | 5 + test/recipes/05-test_md4.t | 5 + test/recipes/05-test_md5.t | 5 + test/recipes/05-test_mdc2.t | 5 + test/recipes/05-test_rand.t | 5 + test/recipes/05-test_rc2.t | 5 + test/recipes/05-test_rc4.t | 5 + test/recipes/05-test_rc5.t | 5 + test/recipes/05-test_rmd.t | 5 + test/recipes/05-test_sha1.t | 5 + test/recipes/05-test_sha256.t | 5 + test/recipes/05-test_sha512.t | 5 + test/recipes/05-test_wp.t | 5 + test/recipes/10-test_bn.t | 75 +++ test/recipes/10-test_exp.t | 5 + test/recipes/15-test_dh.t | 5 + test/recipes/15-test_dsa.t | 32 + test/recipes/15-test_ec.t | 30 + test/recipes/15-test_ecdh.t | 5 + test/recipes/15-test_ecdsa.t | 5 + test/recipes/15-test_rsa.t | 31 + test/recipes/20-test_enc.t | 64 ++ test/recipes/25-test_crl.t | 17 + test/recipes/25-test_gen.t | 43 ++ test/recipes/25-test_pkcs7.t | 20 + test/recipes/25-test_req.t | 43 ++ test/recipes/25-test_sid.t | 17 + test/recipes/25-test_verify.t | 15 + test/recipes/25-test_x509.t | 23 + test/recipes/30-test_engine.t | 11 + test/recipes/30-test_evp.t | 12 + test/recipes/30-test_evp_extra.t | 11 + test/recipes/30-test_pbelu.t | 5 + test/recipes/70-test_clienthello.t | 5 + test/recipes/70-test_packet.t | 5 + .../70-test_sslextension.t} | 20 +- .../70-test_sslsessiontick.t} | 91 +-- .../70-test_sslskewith0p.t} | 20 +- .../70-test_sslvertol.t} | 22 +- test/recipes/70-test_verify_extra.t | 5 + test/recipes/80-test_ca.t | 54 ++ test/recipes/80-test_cms.t | 476 +++++++++++++ test/recipes/80-test_ocsp.t | 193 ++++++ test/recipes/80-test_ssl.t | 627 +++++++++++++++++ test/recipes/80-test_tsa.t | 192 ++++++ test/recipes/90-test_constant_time.t | 5 + test/recipes/90-test_gmdiff.t | 5 + test/recipes/90-test_gost2814789.t | 13 + test/recipes/90-test_heartbeat.t | 5 + test/recipes/90-test_ige.t | 5 + test/recipes/90-test_jpake.t | 5 + test/recipes/90-test_np.t | 5 + test/recipes/90-test_p5_crpt2.t | 5 + test/recipes/90-test_secmem.t | 5 + test/recipes/90-test_srp.t | 5 + test/recipes/90-test_v3name.t | 5 + test/recipes/bc.pl | 97 +++ test/recipes/tconversion.pl | 88 +++ test/run_tests.pl | 45 ++ test/testlib/OpenSSL/Test.pm | 741 +++++++++++++++++++++ test/testlib/OpenSSL/Test/Simple.pm | 78 +++ util/mk1mf.pl | 17 +- util/pl/BC-32.pl | 23 + util/pl/VC-32.pl | 23 + util/pl/unix.pl | 279 +------- 114 files changed, 3606 insertions(+), 646 deletions(-) rename test/{ => Attic}/VMSca-response.1 (100%) rename test/{ => Attic}/VMSca-response.2 (100%) rename test/{ => Attic}/bctest (100%) rename test/{ => Attic}/bctest.com (100%) rename test/{ => Attic}/bntest.com (100%) rename test/{ => Attic}/cms-test.pl (100%) rename test/{ => Attic}/tcrl (100%) rename test/{ => Attic}/tcrl.com (100%) rename test/{ => Attic}/testca (100%) rename test/{ => Attic}/testca.com (100%) rename test/{ => Attic}/testenc (100%) rename test/{ => Attic}/testenc.com (100%) rename test/{ => Attic}/testgen (100%) rename test/{ => Attic}/testgen.com (100%) rename test/{ => Attic}/testss (100%) rename test/{ => Attic}/testss.com (100%) rename test/{ => Attic}/testssl (100%) rename test/{ => Attic}/testssl.com (100%) rename test/{ => Attic}/testsslproxy (100%) rename test/{ => Attic}/testtsa (100%) rename test/{ => Attic}/testtsa.com (100%) rename test/{ => Attic}/tkey (100%) rename test/{ => Attic}/tocsp (100%) rename test/{ => Attic}/tocsp.com (100%) rename test/{ => Attic}/tpkcs7 (100%) rename test/{ => Attic}/tpkcs7.com (100%) rename test/{ => Attic}/tpkcs7d (100%) rename test/{ => Attic}/tpkcs7d.com (100%) rename test/{ => Attic}/treq (100%) rename test/{ => Attic}/treq.com (100%) rename test/{ => Attic}/trsa.com (100%) rename test/{ => Attic}/tsid (100%) rename test/{ => Attic}/tsid.com (100%) rename test/{ => Attic}/tverify.com (100%) rename test/{ => Attic}/tx509 (100%) rename test/{ => Attic}/tx509.com (100%) create mode 100644 test/README create mode 100644 test/recipes/00-check_testexes.t create mode 100644 test/recipes/05-test_bf.t create mode 100644 test/recipes/05-test_cast.t create mode 100644 test/recipes/05-test_des.t create mode 100644 test/recipes/05-test_hmac.t create mode 100644 test/recipes/05-test_idea.t create mode 100644 test/recipes/05-test_md2.t create mode 100644 test/recipes/05-test_md4.t create mode 100644 test/recipes/05-test_md5.t create mode 100644 test/recipes/05-test_mdc2.t create mode 100644 test/recipes/05-test_rand.t create mode 100644 test/recipes/05-test_rc2.t create mode 100644 test/recipes/05-test_rc4.t create mode 100644 test/recipes/05-test_rc5.t create mode 100644 test/recipes/05-test_rmd.t create mode 100644 test/recipes/05-test_sha1.t create mode 100644 test/recipes/05-test_sha256.t create mode 100644 test/recipes/05-test_sha512.t create mode 100644 test/recipes/05-test_wp.t create mode 100644 test/recipes/10-test_bn.t create mode 100644 test/recipes/10-test_exp.t create mode 100644 test/recipes/15-test_dh.t create mode 100644 test/recipes/15-test_dsa.t create mode 100644 test/recipes/15-test_ec.t create mode 100644 test/recipes/15-test_ecdh.t create mode 100644 test/recipes/15-test_ecdsa.t create mode 100644 test/recipes/15-test_rsa.t create mode 100644 test/recipes/20-test_enc.t create mode 100644 test/recipes/25-test_crl.t create mode 100644 test/recipes/25-test_gen.t create mode 100644 test/recipes/25-test_pkcs7.t create mode 100644 test/recipes/25-test_req.t create mode 100644 test/recipes/25-test_sid.t create mode 100644 test/recipes/25-test_verify.t create mode 100644 test/recipes/25-test_x509.t create mode 100644 test/recipes/30-test_engine.t create mode 100644 test/recipes/30-test_evp.t create mode 100644 test/recipes/30-test_evp_extra.t create mode 100644 test/recipes/30-test_pbelu.t create mode 100644 test/recipes/70-test_clienthello.t create mode 100644 test/recipes/70-test_packet.t rename test/{sslextensiontest.pl => recipes/70-test_sslextension.t} (85%) rename test/{sslsessionticktest.pl => recipes/70-test_sslsessiontick.t} (75%) rename test/{sslskewith0ptest.pl => recipes/70-test_sslskewith0p.t} (85%) rename test/{sslvertoltest.pl => recipes/70-test_sslvertol.t} (84%) create mode 100644 test/recipes/70-test_verify_extra.t create mode 100644 test/recipes/80-test_ca.t create mode 100644 test/recipes/80-test_cms.t create mode 100644 test/recipes/80-test_ocsp.t create mode 100644 test/recipes/80-test_ssl.t create mode 100644 test/recipes/80-test_tsa.t create mode 100644 test/recipes/90-test_constant_time.t create mode 100644 test/recipes/90-test_gmdiff.t create mode 100644 test/recipes/90-test_gost2814789.t create mode 100644 test/recipes/90-test_heartbeat.t create mode 100644 test/recipes/90-test_ige.t create mode 100644 test/recipes/90-test_jpake.t create mode 100644 test/recipes/90-test_np.t create mode 100644 test/recipes/90-test_p5_crpt2.t create mode 100644 test/recipes/90-test_secmem.t create mode 100644 test/recipes/90-test_srp.t create mode 100644 test/recipes/90-test_v3name.t create mode 100644 test/recipes/bc.pl create mode 100644 test/recipes/tconversion.pl create mode 100644 test/run_tests.pl create mode 100644 test/testlib/OpenSSL/Test.pm create mode 100644 test/testlib/OpenSSL/Test/Simple.pm diff --git a/.gitignore b/.gitignore index 3292837..92f17c6 100644 --- a/.gitignore +++ b/.gitignore @@ -27,6 +27,7 @@ /test/.rnd /test/test*.pem /test/newkey.pem +/test/*.log # Certificate symbolic links *.0 diff --git a/CHANGES b/CHANGES index 384abf8..a7dab6c 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,21 @@ Changes between 1.0.2 and 1.1.0 [xx XXX xxxx] + *) New testing framework + The testing framework has been largely rewritten and is now using + perl and the perl modules Test::Harness and an extended variant of + Test::More called OpenSSL::Test to do its work. All test scripts in + test/ have been rewritten into test recipes, and all direct calls to + executables in test/Makefile have become individual recipes using the + simplified testing OpenSSL::Test::Simple. + + For documentation on our testing modules, do: + + perldoc test/testlib/OpenSSL/Test/Simple.pm + perldoc test/testlib/OpenSSL/Test.pm + + [Richard Levitte] + *) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen ] diff --git a/Configure b/Configure index f6007c1..2fc1e59 100755 --- a/Configure +++ b/Configure @@ -1983,6 +1983,16 @@ print "RC2 uses u$type[$rc2_int]\n" if $rc2_int != $def_int; print "BF_PTR used\n" if $bf_ptr == 1; print "BF_PTR2 used\n" if $bf_ptr == 2; +{ + my $perlguess = $perl =~ m@^/@ ? $perl : '/usr/local/bin/perl'; + + &dofile("tools/c_rehash",$perlguess, + '^#!/' => '#!%s', + '^my \$dir;$' => 'my $dir = "' . $openssldir . '";', + '^my \$prefix;$' => 'my $prefix = "' . $prefix . '";'); + &dofile("apps/CA.pl",$perl, + '^#!/' => '#!%s'); +} if($IsMK1MF) { open (OUT,">crypto/buildinf.h") || die "Can't open buildinf.h"; printf OUT <tmp.bntest - @echo quit >>tmp.bntest - @echo $(START) $@ -- running bc - @) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0\r?$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' - @echo $(START) $@ -- $(EXPTEST) - ../util/shlib_wrap.sh ./$(EXPTEST) - -test_ec: $(ECTEST)$(EXE_EXT) tkey testec-p256.pem testecpub-p256.pem - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(ECTEST) - @echo $(START) $@ -- private - @sh ./tkey testec-p256.pem ec private - @echo $(START) $@ -- public - @sh ./tkey testecpub-p256.pem ec public - -test_ecdsa: $(ECDSATEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(ECDSATEST) - -test_ecdh: $(ECDHTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(ECDHTEST) - -test_verify: ../apps/openssl$(EXE_EXT) - @echo $(START) $@ -- expect some failures and expired certificates - ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem - -test_dh: $(DHTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(DHTEST) - -test_dsa: $(DSATEST)$(EXE_EXT) tkey testdsa.pem testdsapub.pem - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(DSATEST) - @echo $(START) $@ -- app2_1 - ../util/shlib_wrap.sh ./$(DSATEST) -app2_1 - @echo $(START) $@ -- private - @sh ./tkey testdsa.pem dsa private - @echo $(START) $@ -- public - @sh ./tkey testdsapub.pem dsa public - -test_gen testreq.pem: ../apps/openssl$(EXE_EXT) testgen test.cnf - @echo $(START) test_gen - @sh ./testgen - -test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ - intP1.ss intP2.ss: testss CAss.cnf Uss.cnf P1ss.cnf P2ss.cnf \ - ../apps/openssl$(EXE_EXT) - @echo $(START) test_ss - @sh ./testss - @cat certCA.ss certU.ss > intP1.ss - @cat certCA.ss certU.ss certP1.ss > intP2.ss - -test_engine: $(ENGINETEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(ENGINETEST) - -test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \ - intP1.ss intP2.ss $(SSLTEST)$(EXE_EXT) testssl testsslproxy \ - ../apps/server2.pem serverinfo.pem - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(SSLTEST) -test_cipherlist - @echo $(START) $@ -- key U - @sh ./testssl keyU.ss certU.ss certCA.ss - @echo $(START) $@ -- key P1 - @sh ./testsslproxy keyP1.ss certP1.ss intP1.ss - @echo $(START) $@ -- key P2 - @sh ./testsslproxy keyP2.ss certP2.ss intP2.ss - -test_ca: ../apps/openssl$(EXE_EXT) testca CAss.cnf Uss.cnf - @if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ - echo SKIP $@ -- requires RSA; \ - else \ - echo $(START) $@; \ - sh ./testca $(PERL); \ - fi - -test_tsa: ../apps/openssl$(EXE_EXT) testtsa CAtsa.cnf ../util/shlib_wrap.sh - @if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \ - echo SKIP $@ -- requires RSA; \ - else \ - echo $(START) $@; \ - sh ./testtsa; \ - fi - -test_ige: $(IGETEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(IGETEST) - -test_jpake: $(JPAKETEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(JPAKETEST) - -test_cms: ../apps/openssl$(EXE_EXT) cms-test.pl smcont.txt - @echo $(START) $@ - $(PERL) cms-test.pl - -test_secmem: $(SECMEMTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./secmemtest - -test_srp: $(SRPTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./srptest - -test_v3name: $(V3NAMETEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(V3NAMETEST) - -test_ocsp: ../apps/openssl$(EXE_EXT) tocsp - @echo $(START) $@ - @sh ./tocsp - -test_heartbeat: $(HEARTBEATTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(HEARTBEATTEST) - -test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(CONSTTIMETEST) - -test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST) \ - certs/roots.pem certs/untrusted.pem certs/bad.pem - -test_clienthello: $(CLIENTHELLOTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(CLIENTHELLOTEST) - -test_packet: $(PACKETTEST)$(EXE_EXT) - @echo $(START) $@ - ../util/shlib_wrap.sh ./$(PACKETTEST) - -#OPENSSL_ia32cap=... in ssl tests below ensures AES-NI is switched off (AES-NI does not go through the testmode engine) -test_sslvertol: ../apps/openssl$(EXE_EXT) - @echo $(START) $@ - [ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLVERTOLTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem - @[ -n "$(SHARED_LIBS)" ] || echo test_sslvertol can only be performed with OpenSSL configured shared - -test_sslextension: ../apps/openssl$(EXE_EXT) - @echo $(START) $@ - [ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem - @[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared - -test_sslsessionticket: ../apps/openssl$(EXE_EXT) - @echo $(START) $@ - [ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSESSIONTICKTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem - @[ -n "$(SHARED_LIBS)" ] || echo test_sslsessionticket can only be performed with OpenSSL configured shared - -test_sslskewith0p: ../apps/openssl$(EXE_EXT) - @echo $(START) $@ - [ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem - @[ -n "$(SHARED_LIBS)" ] || echo test_sslskewith0p can only be performed with OpenSSL configured shared - update: local_depend @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi @@ -478,7 +171,7 @@ dclean: rm -f newkey.pem testkey.pem testreq.pem clean: - rm -f .rnd tmp.bntest tmp.bctest *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log dummytest + rm -f .rnd tmp.bntest tmp.bctest *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log *.log dummytest $(DLIBSSL): (cd ..; $(MAKE) build_libssl) diff --git a/test/README b/test/README new file mode 100644 index 0000000..8df35fe --- /dev/null +++ b/test/README @@ -0,0 +1,107 @@ +How to add recipes +================== + +For any test that you want to perform, you write a script located in +test/recipes/, named {nn}-test_{name}.t, where {nn} is a two digit number and +{name} is a unique name of your choice. + +Please note that if a test involves a new testing executable, you will need to +do some additions in test/Makefile. More on this later. + + +Naming convetions +================= + +A test executable is named test/{name}test.c + +A test recipe is named test/recipes/{nn}-test_{name}.t, where {nn} is a two +digit number and {name} is a unique name of your choice. + +The number {nn} is (somewhat loosely) grouped as follows: + +05 individual symmetric cipher algorithms +10 math (bignum) +15 individual asymmetric cipher algorithms +20 openssl enc +25 certificate forms, generation and verification +30 engine and evp +70 PACKET layer +80 "larger" protocols (CA, CMS, OCSP, SSL, TSA) +90 misc + + +A recipe that just runs a test executable +========================================= + +A script that just runs a program looks like this: + + #! /usr/bin/perl + + use OpenSSL::Test::Simple; + + simple_test("test_{name}", "{name}test", "{name}"); + +{name} is the unique name you have chosen for your test. + +The second argument to `simple_test' is the test executable, and `simple_test' +expects it to be located in test/ + +For documentation on OpenSSL::Test::Simple, do +`perldoc test/testlib/OpenSSL/Test/Simple.pm'. + + +A recipe that runs a more complex test +====================================== + +For more complex tests, you will need to read up on Test::More and +OpenSSL::Test. Test::More is normally preinstalled, do `man Test::More' for +documentation. For OpenSSL::Test, do `perldoc test/testlib/OpenSSL/Test.pm'. + +A script to start from could be this: + + #! /usr/bin/perl + + use strict; + use warnings; + use OpenSSL::Test; + + setup("test_{name}"); + + plan tests => 2; # The number of tests being performed + + ok(test1, "test1"); + ok(test2, "test1"); + + sub test1 + { + # test feature 1 + } + + sub test2 + { + # test feature 2 + } + + +Changes to test/Makefile +======================== + +Whenever a new test involves a new test executable you need to do the +following (at all times, replace {NAME} and {name} with the name of your +test): + +* among the variables for test executables at the beginning, add a line like + this: + + {NAME}TEST= {name}test + +* add `$({NAME}TEST)$(EXE_EXT)' to the assignment of EXE: + +* add `$({NAME}TEST).o' to the assignment of OBJ: + +* add `$({NAME}TEST).c' to the assignment of SRC: + +* add the following lines for building the executable: + + $({NAME}TEST)$(EXE_EXT): $({NAME}TEST).o $(DLIBCRYPTO) + @target=$({NAME}TEST); $(BUILD_CMD) diff --git a/test/bntest.c b/test/bntest.c index 675d0eb..be358c8 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -175,6 +175,12 @@ int main(int argc, char *argv[]) EXIT(1); } } +#ifdef OPENSSL_SYS_VMS + { + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); + out = BIO_push(tmpbio, out); + } +#endif if (!results) BIO_puts(out, "obase=16\nibase=16\n"); diff --git a/test/constant_time_test.c b/test/constant_time_test.c index ed3d7ea..1c04cb7 100644 --- a/test/constant_time_test.c +++ b/test/constant_time_test.c @@ -295,7 +295,7 @@ int main(int argc, char *argv[]) } if (!num_failed) { - fprintf(stdout, "ok (ran %d tests)\n", num_all); + fprintf(stdout, "success (ran %d tests)\n", num_all); return EXIT_SUCCESS; } else { fprintf(stdout, "%d of %d tests failed!\n", num_failed, num_all); diff --git a/test/recipes/00-check_testexes.t b/test/recipes/00-check_testexes.t new file mode 100644 index 0000000..3ab38c7 --- /dev/null +++ b/test/recipes/00-check_testexes.t @@ -0,0 +1,59 @@ +#! /usr/bin/perl + +use strict; + +use File::Spec::Functions; +use File::Basename; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("check_testexes"); + +my $OpenSSL_ver = ""; +my $Makefile = top_file("Makefile"); +if (open(FH, $Makefile)) { + $OpenSSL_ver = + (map { chomp; s/^VERSION=([^\s]*)\s*$//; $1 } grep { /^VERSION=/ } )[0]; + close FH; +} + +my $MINFO = top_file("MINFO"); + +plan skip_all => "because MINFO not found. If you want this test to run, please do 'perl util/mkfiles.pl > MINFO'" + unless open(FH,$MINFO); + +my $MINFO_ver = ""; + +while() { + chomp; + if (/^VERSION=([^\s]*)\s*$/) { + $MINFO_ver = $1; + } + last if /^RELATIVE_DIRECTORY=test$/; +} +while() { + chomp; + last if /^EXE=/; +} +close FH; + +plan skip_all => "because MINFO is not from this OpenSSL version. If you want this test to run, please do 'perl util/mkfiles.pl > MINFO'" + unless $OpenSSL_ver eq $MINFO_ver; + +s/^EXE=\s*//; +s/\s*$//; +my @expected_tests = + map { s/\..*$//; # Remove extension + s/_?test$//; # Remove 'test', possibly prefixed with '_' + s/(sha\d+)t/$1/; # sha comes with no t at the end + $_; } split(/\s+/, $_); + +plan tests => scalar @expected_tests; + +my @found_tests = + map { basename($_) } glob(top_file("test", "recipes", "*.t")); + +foreach my $test (sort @expected_tests) { + ok(scalar(grep(/^[0-9][0-9]-test_$test\.t$/, @found_tests)), + "check that a test for $test exists") + || diag("Expected to find something matching '[0-9][0-9]-test_$test.t'"); +} diff --git a/test/recipes/05-test_bf.t b/test/recipes/05-test_bf.t new file mode 100644 index 0000000..4794bf0 --- /dev/null +++ b/test/recipes/05-test_bf.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_bf", "bftest", "bf"); diff --git a/test/recipes/05-test_cast.t b/test/recipes/05-test_cast.t new file mode 100644 index 0000000..621e1ae --- /dev/null +++ b/test/recipes/05-test_cast.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_cast", "casttest", "cast"); diff --git a/test/recipes/05-test_des.t b/test/recipes/05-test_des.t new file mode 100644 index 0000000..71de4b4 --- /dev/null +++ b/test/recipes/05-test_des.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_des", "destest", "des"); diff --git a/test/recipes/05-test_hmac.t b/test/recipes/05-test_hmac.t new file mode 100644 index 0000000..469d43f --- /dev/null +++ b/test/recipes/05-test_hmac.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_hmac", "hmactest", "hmac"); diff --git a/test/recipes/05-test_idea.t b/test/recipes/05-test_idea.t new file mode 100644 index 0000000..c43ba5c --- /dev/null +++ b/test/recipes/05-test_idea.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_idea", "ideatest", "idea"); diff --git a/test/recipes/05-test_md2.t b/test/recipes/05-test_md2.t new file mode 100644 index 0000000..2175c5f --- /dev/null +++ b/test/recipes/05-test_md2.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_md2", "md2test", "md2"); diff --git a/test/recipes/05-test_md4.t b/test/recipes/05-test_md4.t new file mode 100644 index 0000000..2337223 --- /dev/null +++ b/test/recipes/05-test_md4.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_md4", "md4test", "md4"); diff --git a/test/recipes/05-test_md5.t b/test/recipes/05-test_md5.t new file mode 100644 index 0000000..e9331e2 --- /dev/null +++ b/test/recipes/05-test_md5.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_md5", "md5test", "md5"); diff --git a/test/recipes/05-test_mdc2.t b/test/recipes/05-test_mdc2.t new file mode 100644 index 0000000..23e904c --- /dev/null +++ b/test/recipes/05-test_mdc2.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_mdc2", "mdc2test", "mdc2"); diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t new file mode 100644 index 0000000..afa66a6 --- /dev/null +++ b/test/recipes/05-test_rand.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_rand", "randtest", "rand"); diff --git a/test/recipes/05-test_rc2.t b/test/recipes/05-test_rc2.t new file mode 100644 index 0000000..423b3b7 --- /dev/null +++ b/test/recipes/05-test_rc2.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_rc2", "rc2test", "rc2"); diff --git a/test/recipes/05-test_rc4.t b/test/recipes/05-test_rc4.t new file mode 100644 index 0000000..a16455f --- /dev/null +++ b/test/recipes/05-test_rc4.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_rc4", "rc4test", "rc4"); diff --git a/test/recipes/05-test_rc5.t b/test/recipes/05-test_rc5.t new file mode 100644 index 0000000..4c5390a --- /dev/null +++ b/test/recipes/05-test_rc5.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_rc5", "rc5test", "rc5"); diff --git a/test/recipes/05-test_rmd.t b/test/recipes/05-test_rmd.t new file mode 100644 index 0000000..7ad91c4 --- /dev/null +++ b/test/recipes/05-test_rmd.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_rmd", "rmdtest", "rmd"); diff --git a/test/recipes/05-test_sha1.t b/test/recipes/05-test_sha1.t new file mode 100644 index 0000000..9f8a570 --- /dev/null +++ b/test/recipes/05-test_sha1.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_sha1", "sha1test", "sha1"); diff --git a/test/recipes/05-test_sha256.t b/test/recipes/05-test_sha256.t new file mode 100644 index 0000000..cb63aa8 --- /dev/null +++ b/test/recipes/05-test_sha256.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_sha256", "sha256t", "sha256"); diff --git a/test/recipes/05-test_sha512.t b/test/recipes/05-test_sha512.t new file mode 100644 index 0000000..f353ac1 --- /dev/null +++ b/test/recipes/05-test_sha512.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_sha512", "sha512t", "sha512"); diff --git a/test/recipes/05-test_wp.t b/test/recipes/05-test_wp.t new file mode 100644 index 0000000..c05be9c --- /dev/null +++ b/test/recipes/05-test_wp.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_wp", "wptest", "wp"); diff --git a/test/recipes/10-test_bn.t b/test/recipes/10-test_bn.t new file mode 100644 index 0000000..29b449f --- /dev/null +++ b/test/recipes/10-test_bn.t @@ -0,0 +1,75 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use Math::BigInt; + +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_bn"); + +plan tests => 3; + +require_ok(top_file("test","recipes","bc.pl")); + +my $testresults = "tmp.bntest"; +my $init = ok(run(test(["bntest"], stdout => $testresults)), 'initialize'); + + SKIP: { + skip "Initializing failed, skipping", 1 if !$init; + + subtest 'Checking the bn results' => sub { + my @lines = (); + if (open DATA, $testresults) { + @lines = ; + close DATA; + } + chomp(@lines); + + plan tests => scalar grep(/^print /, @lines); + + my $l = ""; + + while (scalar @lines) { + $l = shift @lines; + + last if $l =~ /^print /; + } + + while (1) { + $l =~ s/^print "//; + $l =~ s/\\n"//; + my $t = $l; + my @operations = (); + + $l = undef; + while (scalar @lines) { + $l = shift @lines; + + last if $l =~ /^print /; + push @operations, $l; + $l = undef; + } + + ok(check_operations(@operations), "verify $t"); + + last unless $l; + } + }; +} + +sub check_operations { + my $failcount = 0; + + foreach my $line (@_) { + my $result = calc(split /\s+/, $line); + + if ($result ne "0" && $result ne "0x0") { + $failcount++; + print STDERR "Failed! $line => $result\n"; + } + } + + return $failcount == 0; +} diff --git a/test/recipes/10-test_exp.t b/test/recipes/10-test_exp.t new file mode 100644 index 0000000..b8083e7 --- /dev/null +++ b/test/recipes/10-test_exp.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_exp", "exptest"); diff --git a/test/recipes/15-test_dh.t b/test/recipes/15-test_dh.t new file mode 100644 index 0000000..35e9564 --- /dev/null +++ b/test/recipes/15-test_dh.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_dh", "dhtest", "dh"); diff --git a/test/recipes/15-test_dsa.t b/test/recipes/15-test_dsa.t new file mode 100644 index 0000000..e338b0b --- /dev/null +++ b/test/recipes/15-test_dsa.t @@ -0,0 +1,32 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_dsa"); + +plan tests => 6; + +require_ok(top_file('test','recipes','tconversion.pl')); + +ok(run(test(["dsatest"])), "running dsatest"); +ok(run(test(["dsatest", "-app2_1"])), "running dsatest -app2_1"); + + SKIP: { + skip "Skipping dsa conversion test", 3 + if run(app(["openssl","no-dsa"], stdout => undef)); + + subtest 'dsa conversions -- private key' => sub { + tconversion("dsa", top_file("test","testdsa.pem")); + }; + subtest 'dsa conversions -- private key PKCS#8' => sub { + tconversion("dsa", top_file("test","testdsa.pem"), "pkey"); + }; + subtest 'dsa conversions -- public key' => sub { + tconversion("dsa", top_file("test","testdsapub.pem"), "dsa", + "-pubin", "-pubout"); + }; +} diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t new file mode 100644 index 0000000..bbda19a --- /dev/null +++ b/test/recipes/15-test_ec.t @@ -0,0 +1,30 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_ec"); + +plan tests => 5; + +require_ok(top_file('test','recipes','tconversion.pl')); + +ok(run(test(["ectest"])), "running ectest"); + + SKIP: { + skip "Skipping ec conversion test", 3 + if run(app(["openssl","no-ec"], stdout => undef)); + + subtest 'ec conversions -- private key' => sub { + tconversion("ec", top_file("test","testec-p256.pem")); + }; + subtest 'ec conversions -- private key PKCS#8' => sub { + tconversion("ec", top_file("test","testec-p256.pem"), "pkey"); + }; + subtest 'ec conversions -- public key' => sub { + tconversion("ec", top_file("test","testecpub-p256.pem"), "ec", "-pubin", "-pubout"); + }; +} diff --git a/test/recipes/15-test_ecdh.t b/test/recipes/15-test_ecdh.t new file mode 100644 index 0000000..7cdfea6 --- /dev/null +++ b/test/recipes/15-test_ecdh.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_ecdh", "ecdhtest", "ecdh"); diff --git a/test/recipes/15-test_ecdsa.t b/test/recipes/15-test_ecdsa.t new file mode 100644 index 0000000..aa4622f --- /dev/null +++ b/test/recipes/15-test_ecdsa.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_ecdsa", "ecdsatest", "ecdsa"); diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t new file mode 100644 index 0000000..2eaeb0d --- /dev/null +++ b/test/recipes/15-test_rsa.t @@ -0,0 +1,31 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_rsa"); + +plan tests => 5; + +require_ok(top_file('test','recipes','tconversion.pl')); + +ok(run(test(["rsa_test"])), "running rsatest"); + + SKIP: { + skip "Skipping rsa conversion test", 3 + if run(app(["openssl","no-rsa"], stdout => undef)); + + subtest 'rsa conversions -- private key' => sub { + tconversion("rsa", top_file("test","testrsa.pem")); + }; + subtest 'rsa conversions -- private key PKCS#8' => sub { + tconversion("rsa", top_file("test","testrsa.pem"), "pkey"); + }; + subtest 'rsa conversions -- public key' => sub { + tconversion("rsa", top_file("test","testrsapub.pem"), "rsa", + "-pubin", "-pubout"); + }; +} diff --git a/test/recipes/20-test_enc.t b/test/recipes/20-test_enc.t new file mode 100644 index 0000000..bd5a436 --- /dev/null +++ b/test/recipes/20-test_enc.t @@ -0,0 +1,64 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec::Functions qw/catfile/; +use File::Copy; +use File::Compare qw/compare_text/; +use File::Basename; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_enc"); + +# We do it this way, because setup() may have moved us around, +# so the directory portion of $0 might not be correct any more. +# However, the name hasn't changed. +my $testsrc = top_file("test","recipes",basename($0)); + +my $test = catfile(".", "p"); + +my $cmd = "openssl"; + +my @ciphers = + map { chomp; s/^\s+//; s/\s+$//; split /\s+/ } + run(app([$cmd, "list", "-cipher-commands"]), capture => 1); + +plan tests => 1 + (scalar @ciphers)*2; + +my $init = ok(copy($testsrc,$test)); + +if (!$init) { + diag("Trying to copy $testsrc to $test : $!"); +} + + SKIP: { + skip "Not initialized, skipping...", 11 unless $init; + + foreach my $c (@ciphers) { + my %variant = ("$c" => [], + "$c base64" => [ "-a" ]); + + foreach my $t (sort keys %variant) { + my $cipherfile = "$test.$c.cipher"; + my $clearfile = "$test.$c.clear"; + my @e = ( "$c", "-bufsize", "113", @{$variant{$t}}, "-e", "-k", "test" ); + my @d = ( "$c", "-bufsize", "157", @{$variant{$t}}, "-d", "-k", "test" ); + if ($c eq "cat") { + $cipherfile = "$test.cipher"; + $clearfile = "$test.clear"; + @e = ( "enc", @{$variant{$t}}, "-e" ); + @d = ( "enc", @{$variant{$t}}, "-d" ); + } + + ok(run(app([$cmd, @e], + stdin => $test, stdout => $cipherfile)) + && run(app([$cmd, @d], + stdin => $cipherfile, stdout => $clearfile)) + && compare_text($test,$clearfile) == 0, $t); + unlink $cipherfile, $clearfile; + } + } +} + +unlink $test; diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t new file mode 100644 index 0000000..6779a0b --- /dev/null +++ b/test/recipes/25-test_crl.t @@ -0,0 +1,17 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_crl"); + +plan tests => 2; + +require_ok(top_file('test','recipes','tconversion.pl')); + +subtest 'crl conversions' => sub { + tconversion("crl", top_file("test","testcrl.pem")); +}; diff --git a/test/recipes/25-test_gen.t b/test/recipes/25-test_gen.t new file mode 100644 index 0000000..9427bde --- /dev/null +++ b/test/recipes/25-test_gen.t @@ -0,0 +1,43 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_gen"); + +plan tests => 1; + +my $T = "testcert"; +my $KEY = 512; +my $CA = top_file("certs", "testca.pem"); + +unlink "$T.1", "$T.2", "$T.key"; +open RND, ">>", ".rnd"; +print RND "string to make the random number generator think it has entropy"; +close RND; + +subtest "generating certificate requests" => sub { + my @req_new; + if (run(app(["openssl", "no-rsa"], stdout => undef))) { + @req_new = ("-newkey", "dsa:".top_file("apps", "dsa512.pem")); + } else { + @req_new = ("-new"); + note("There should be a 2 sequences of .'s and some +'s."); + note("There should not be more that at most 80 per line"); + } + + unlink "testkey.pem", "testreq.pem"; + + plan tests => 2; + + ok(run(app(["openssl", "req", "-config", top_file("test", "test.cnf"), + @req_new, "-out", "testreq.pem"])), + "Generating request"); + + ok(run(app(["openssl", "req", "-config", top_file("test", "test.cnf"), + "-verify", "-in", "testreq.pem", "-noout"])), + "Verifying signature on request"); +}; diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t new file mode 100644 index 0000000..3a4dbb4 --- /dev/null +++ b/test/recipes/25-test_pkcs7.t @@ -0,0 +1,20 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_pkcs7"); + +plan tests => 3; + +require_ok(top_file('test','recipes','tconversion.pl')); + +subtest 'pkcs7 conversions -- pkcs7' => sub { + tconversion("p7", top_file("test", "testp7.pem"), "pkcs7"); +}; +subtest 'pkcs7 conversions -- pkcs7d' => sub { + tconversion("p7d", top_file("test", "pkcs7-1.pem"), "pkcs7"); +}; diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t new file mode 100644 index 0000000..4f9de77 --- /dev/null +++ b/test/recipes/25-test_req.t @@ -0,0 +1,43 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_req"); + +plan tests => 3; + +require_ok(top_file('test','recipes','tconversion.pl')); + +my @openssl_args = ("req", "-config", "../apps/openssl.cnf"); + +run_conversion('req conversions', + "testreq.pem"); +run_conversion('req conversions -- testreq2', + "testreq2.pem"); + +sub run_conversion { + my $title = shift; + my $reqfile = shift; + + subtest $title => sub { + run(app(["openssl", @openssl_args, + "-in", $reqfile, "-inform", "p", + "-noout", "-text"], + stderr => "req-check.err", stdout => undef)); + open DATA, "req-check.err"; + SKIP: { + plan skip_all => "skipping req conversion test for $reqfile" + if grep /Unknown Public Key/, map { chomp } ; + + tconversion("req", "testreq.pem", @openssl_args); + } + close DATA; + unlink "req-check.err"; + + done_testing(); + }; +} diff --git a/test/recipes/25-test_sid.t b/test/recipes/25-test_sid.t new file mode 100644 index 0000000..b223c0d --- /dev/null +++ b/test/recipes/25-test_sid.t @@ -0,0 +1,17 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_sid"); + +plan tests => 2; + +require_ok(top_file('test','recipes','tconversion.pl')); + +subtest 'sid conversions' => sub { + tconversion("sid", top_file("test","testsid.pem"), "sess_id"); +}; diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t new file mode 100644 index 0000000..10897a1 --- /dev/null +++ b/test/recipes/25-test_verify.t @@ -0,0 +1,15 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec::Functions qw/canonpath/; +use OpenSSL::Test qw/:DEFAULT top_dir top_file/; + +setup("test_verify"); + +plan tests => 1; + +note("Expect some failures and expired certificate"); +ok(run(app(["openssl", "verify", "-CApath", top_dir("certs", "demo"), + glob(top_file("certs", "demo", "*.pem"))])), "verying demo certs"); diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t new file mode 100644 index 0000000..e2d795a --- /dev/null +++ b/test/recipes/25-test_x509.t @@ -0,0 +1,23 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_x509"); + +plan tests => 4; + +require_ok(top_file('test','recipes','tconversion.pl')); + +subtest 'x509 -- x.509 v1 certificate' => sub { + tconversion("x509", top_file("test","testx509.pem")); +}; +subtest 'x509 -- first x.509 v3 certificate' => sub { + tconversion("x509", top_file("test","v3-cert1.pem")); +}; +subtest 'x509 -- second x.509 v3 certificate' => sub { + tconversion("x509", top_file("test","v3-cert2.pem")); +}; diff --git a/test/recipes/30-test_engine.t b/test/recipes/30-test_engine.t new file mode 100644 index 0000000..c097b6f --- /dev/null +++ b/test/recipes/30-test_engine.t @@ -0,0 +1,11 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use OpenSSL::Test; + +setup("test_engine"); + +plan tests => 1; +ok(run(test(["enginetest"])), "running enginetest"); diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t new file mode 100644 index 0000000..9d5ce6f --- /dev/null +++ b/test/recipes/30-test_evp.t @@ -0,0 +1,12 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_evp"); + +plan tests => 1; +ok(run(test(["evp_test", top_file("test", "evptests.txt")])), + "running evp_test evptests.txt"); diff --git a/test/recipes/30-test_evp_extra.t b/test/recipes/30-test_evp_extra.t new file mode 100644 index 0000000..0f90b21 --- /dev/null +++ b/test/recipes/30-test_evp_extra.t @@ -0,0 +1,11 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use OpenSSL::Test; + +setup("test_evp_extra"); + +plan tests => 1; +ok(run(test(["evp_extra_test"])), "running evp_extra_test"); diff --git a/test/recipes/30-test_pbelu.t b/test/recipes/30-test_pbelu.t new file mode 100644 index 0000000..635fb69 --- /dev/null +++ b/test/recipes/30-test_pbelu.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_pbelu", "pbelutest"); diff --git a/test/recipes/70-test_clienthello.t b/test/recipes/70-test_clienthello.t new file mode 100644 index 0000000..73b83f2 --- /dev/null +++ b/test/recipes/70-test_clienthello.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_clienthello", "clienthellotest"); diff --git a/test/recipes/70-test_packet.t b/test/recipes/70-test_packet.t new file mode 100644 index 0000000..b1609d5 --- /dev/null +++ b/test/recipes/70-test_packet.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_packet", "packettest"); diff --git a/test/sslextensiontest.pl b/test/recipes/70-test_sslextension.t similarity index 85% rename from test/sslextensiontest.pl rename to test/recipes/70-test_sslextension.t index 802bac1..4aa3f61 100755 --- a/test/sslextensiontest.pl +++ b/test/recipes/70-test_sslextension.t @@ -53,18 +53,30 @@ # Hudson (tjh at cryptsoft.com). use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/; use TLSProxy::Proxy; +my $test_name = "test_sslextension"; +setup($test_name); + +plan skip_all => "$test_name can only be performed with OpenSSL configured shared" + unless (map { chomp; s/^SHARED_LIBS=\s*//; $_ } + grep { /^SHARED_LIBS=/ } + do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne ""; + +$ENV{OPENSSL_ENGINES} = top_dir("engines"); +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&extension_filter, - @ARGV + cmdstr(app(["openssl"])), + top_file("apps", "server.pem") ); +plan tests => 1; + #Test 1: Sending a zero length extension block should pass $proxy->start(); -TLSProxy::Message->success or die "FAILED: Zero extension length test\n"; - -print "SUCCESS: Extension test\n"; +ok(TLSProxy::Message->success, "Zero extension length test"); sub extension_filter { diff --git a/test/sslsessionticktest.pl b/test/recipes/70-test_sslsessiontick.t similarity index 75% rename from test/sslsessionticktest.pl rename to test/recipes/70-test_sslsessiontick.t index 922a359..7f90bea 100755 --- a/test/sslsessionticktest.pl +++ b/test/recipes/70-test_sslsessiontick.t @@ -53,9 +53,24 @@ # Hudson (tjh at cryptsoft.com). use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/; use TLSProxy::Proxy; use File::Temp qw(tempfile); +my $test_name = "test_sslsessiontick"; +setup($test_name); + +plan skip_all => "$test_name can only be performed with OpenSSL configured shared" + unless (map { chomp; s/^SHARED_LIBS=\s*//; $_ } + grep { /^SHARED_LIBS=/ } + do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne ""; + +$ENV{OPENSSL_ENGINES} = top_dir("engines"); +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; + +sub checkmessages($$$$$$); +sub clearall(); + my $chellotickext = 0; my $shellotickext = 0; my $fullhand = 0; @@ -63,9 +78,12 @@ my $ticketseen = 0; my $proxy = TLSProxy::Proxy->new( undef, - @ARGV + cmdstr(app(["openssl"])), + top_file("apps", "server.pem") ); +plan tests => 5; + #Test 1: By default with no existing session we should get a session ticket #Expected result: ClientHello extension seen; ServerHello extension seen # NewSessionTicket message seen; Full handshake @@ -107,7 +125,7 @@ checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0); #Expected result: ClientHello extension seen; ServerHello extension seen # NewSessionTicket message seen; Abbreviated handshake clearall(); -(my $fh, my $session) = tempfile(); +($fh, $session) = tempfile(); $proxy->serverconnects(2); $proxy->clientflags("-sess_out ".$session." -no_ticket"); $proxy->start(); @@ -117,50 +135,45 @@ $proxy->clientstart(); checkmessages(5, "Session resumption with ticket capable client without a " ."ticket", 1, 1, 1, 0); -sub checkmessages() +sub checkmessages($$$$$$) { my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_; - foreach my $message (@{$proxy->message_list}) { - if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO + subtest $testname => sub { + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { - #Get the extensions data - my %extensions = %{$message->extension_data}; - if (defined + #Get the extensions data + my %extensions = %{$message->extension_data}; + if (defined $extensions{TLSProxy::ClientHello::EXT_SESSION_TICKET}) { - if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { - $chellotickext = 1; - } else { - $shellotickext = 1; - } - } - } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { - #Must be doing a full handshake - $fullhand = 1; - } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { - $ticketseen = 1; - } - } + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + $chellotickext = 1; + } else { + $shellotickext = 1; + } + } + } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { + #Must be doing a full handshake + $fullhand = 1; + } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { + $ticketseen = 1; + } + } - TLSProxy::Message->success or die "FAILED: $testname: Hanshake failed " - ."(Test $testno)\n"; - if (($testch && !$chellotickext) || (!$testch && $chellotickext)) { - die "FAILED: $testname: ClientHello extension Session Ticket check " - ."failed (Test $testno)\n"; - } - if (($testsh && !$shellotickext) || (!$testsh && $shellotickext)) { - die "FAILED: $testname: ServerHello extension Session Ticket check " - ."failed (Test $testno)\n"; - } - if (($testtickseen && !$ticketseen) || (!$testtickseen && $ticketseen)) { - die "FAILED: $testname: Session Ticket message presence check failed " - ."(Test $testno)\n"; - } - if (($testhand && !$fullhand) || (!$testhand && $fullhand)) { - die "FAILED: $testname: Session Ticket full handshake check failed " - ."(Test $testno)\n"; + plan tests => 5; + + ok(TLSProxy::Message->success, "Hanshake"); + ok(($testch && $chellotickext) || (!$testch && !$chellotickext), + "ClientHello extension Session Ticket check"); + ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext), + "ServerHello extension Session Ticket check"); + ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen), + "Session Ticket message presence check"); + ok(($testhand && $fullhand) || (!$testhand && !$fullhand), + "Session Ticket full handshake check"); } - print "SUCCESS: $testname (Test#$testno)\n"; } sub clearall() diff --git a/test/sslskewith0ptest.pl b/test/recipes/70-test_sslskewith0p.t similarity index 85% rename from test/sslskewith0ptest.pl rename to test/recipes/70-test_sslskewith0p.t index 63f8398..d8d74b3 100755 --- a/test/sslskewith0ptest.pl +++ b/test/recipes/70-test_sslskewith0p.t @@ -53,21 +53,33 @@ # Hudson (tjh at cryptsoft.com). use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/; use TLSProxy::Proxy; +my $test_name = "test_sslskewith0p"; +setup($test_name); + +plan skip_all => "$test_name can only be performed with OpenSSL configured shared" + unless (map { chomp; s/^SHARED_LIBS=\s*//; $_ } + grep { /^SHARED_LIBS=/ } + do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne ""; + +$ENV{OPENSSL_ENGINES} = top_dir("engines"); +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&ske_0_p_filter, - @ARGV + cmdstr(app(["openssl"])), + top_file("apps", "server.pem") ); +plan tests => 1; + #We must use an anon DHE cipher for this test $proxy->cipherc('ADH-AES128-SHA:@SECLEVEL=0'); $proxy->ciphers('ADH-AES128-SHA:@SECLEVEL=0'); $proxy->start(); -TLSProxy::Message->fail or die "FAILED: ServerKeyExchange with 0 p\n"; - -print "SUCCESS: ServerKeyExchange with 0 p\n"; +ok(TLSProxy::Message->fail, "ServerKeyExchange with 0 p"); sub ske_0_p_filter { diff --git a/test/sslvertoltest.pl b/test/recipes/70-test_sslvertol.t similarity index 84% rename from test/sslvertoltest.pl rename to test/recipes/70-test_sslvertol.t index 1828a7d..9717f80 100755 --- a/test/sslvertoltest.pl +++ b/test/recipes/70-test_sslvertol.t @@ -53,24 +53,36 @@ # Hudson (tjh at cryptsoft.com). use strict; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file top_dir/; use TLSProxy::Proxy; +my $test_name = "test_sslextension"; +setup($test_name); + +plan skip_all => "$test_name can only be performed with OpenSSL configured shared" + unless (map { chomp; s/^SHARED_LIBS=\s*//; $_ } + grep { /^SHARED_LIBS=/ } + do { local @ARGV = ( top_file("Makefile") ); <> })[0] ne ""; + +$ENV{OPENSSL_ENGINES} = top_dir("engines"); +$ENV{OPENSSL_ia32cap} = '~0x200000200000000'; my $proxy = TLSProxy::Proxy->new( \&vers_tolerance_filter, - @ARGV + cmdstr(app(["openssl"])), + top_file("apps", "server.pem") ); +plan tests => 2; + #Test 1: Asking for TLS1.3 should pass my $client_version = TLSProxy::Record::VERS_TLS_1_3; $proxy->start(); -TLSProxy::Message->success or die "FAILED: Version tolerance test\n"; +ok(TLSProxy::Message->success(), "Version tolerance test, TLS 1.3"); #Test 2: Testing something below SSLv3 should fail $client_version = TLSProxy::Record::VERS_SSL_3_0 - 1; $proxy->restart(); -TLSProxy::Message->success and die "FAILED: Version tolerance test\n"; - -print "SUCCESS: Version tolerance test\n"; +ok(TLSProxy::Message->fail(), "Version tolerance test, SSL < 3.0"); sub vers_tolerance_filter { diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t new file mode 100644 index 0000000..3ef4a27 --- /dev/null +++ b/test/recipes/70-test_verify_extra.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_verify_extra", "verify_extra_test"); diff --git a/test/recipes/80-test_ca.t b/test/recipes/80-test_ca.t new file mode 100644 index 0000000..f57fb3c --- /dev/null +++ b/test/recipes/80-test_ca.t @@ -0,0 +1,54 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use POSIX; +use File::Spec::Functions qw/splitdir curdir catfile devnull/; +use File::Path 2.00 qw/remove_tree/; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file quotify/; + +setup("test_ca"); + +my $perl = $^X; +$ENV{OPENSSL} = cmdstr(app(["openssl"])); +my $CA_pl = top_file("apps", "CA.pl"); +my $std_openssl_cnf = top_file("apps", "openssl.cnf"); + +($perl) = quotify($perl) unless $^O eq "VMS"; # never quotify a command on VMS. Ever! + +remove_tree("demoCA", { safe => 0 }); + +plan tests => 4; + SKIP: { + $ENV{SSLEAY_CONFIG} = "-config ".top_file("test", "CAss.cnf"); + skip "failed creating CA structure", 3 + if !is(system("$perl ".$CA_pl." -newca < ".devnull()." 2>&1"), 0, + 'creating CA structure'); + + $ENV{SSLEAY_CONFIG} = "-config ".top_file("test", "Uss.cnf"); + skip "failed creating new certificate request", 2 + if !is(system("$perl ".$CA_pl." -newreq 2>&1"), 0, + 'creating new certificate request'); + + $ENV{SSLEAY_CONFIG} = "-config ".$std_openssl_cnf; + skip "failed to sign certificate request", 1 + if !is(yes("$perl ".$CA_pl." -sign 2>&1"), 0, + 'signing certificate request'); + + is(system("$perl ".$CA_pl." -verify newcert.pem 2>&1"), 0, + 'verifying new certificate'); +} + + +remove_tree("demoCA", { safe => 0 }); +unlink "newcert.pem", "newreq.pem"; + + +sub yes { + open(PIPE, "|-", join(" ", at _)); + local $SIG{PIPE} = "IGNORE"; + 1 while print PIPE "y\n"; + close PIPE; + return 0; +} diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t new file mode 100644 index 0000000..cc2786f --- /dev/null +++ b/test/recipes/80-test_cms.t @@ -0,0 +1,476 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use POSIX; +use File::Spec::Functions qw/catfile/; +use File::Compare qw/compare_text/; +use OpenSSL::Test qw/:DEFAULT top_dir top_file/; + +setup("test_cms"); + +my $smdir = top_dir("test", "smime-certs"); +my $smcont = top_file("test", "smcont.txt"); +my $no_ec = run(app(["openssl", "no-ec"], stdout => undef)); +my $no_ec2m = run(app(["openssl", "no-ec2m"], stdout => undef)); +my $no_ecdh = run(app(["openssl", "no-ecdh"], stdout => undef)); + +plan tests => 4; + +my @smime_pkcs7_tests = ( + + [ "signed content DER format, RSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed detached content DER format, RSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed content test streaming BER format, RSA", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-stream", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content DER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed detached content DER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed detached content DER format, add RSA signer", + [ "-resign", "-inform", "DER", "-in", "test.cms", "-outform", "DER", + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test2.cms" ], + [ "-verify", "-in", "test2.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt", + "-content", $smcont ] + ], + + [ "signed content test streaming BER format, DSA key", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", + [ "-sign", "-in", $smcont, "-outform", "DER", "-noattr", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, 3 recipients", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, 3 recipients, 3rd used", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa3.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, 3 recipients, key only used", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-inkey", catfile($smdir, "smrsa3.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", + [ "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "test.cms", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + +); + +my @smime_cms_tests = ( + + [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", + [ "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-keyid", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), + "-signer", catfile($smdir, "smrsa2.pem"), + "-signer", catfile($smdir, "smdsa1.pem"), + "-signer", catfile($smdir, "smdsa2.pem"), + "-stream", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content MIME format, RSA key, signed receipt request", + [ "-sign", "-in", $smcont, "-signer", catfile($smdir, "smrsa1.pem"), "-nodetach", + "-receipt_request_to", "test\@openssl.org", "-receipt_request_all", + "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed receipt MIME format, RSA key", + [ "-sign_receipt", "-in", "test.cms", + "-signer", catfile($smdir, "smrsa2.pem"), + "-out", "test2.cms" ], + [ "-verify_receipt", "test2.cms", "-in", "test.cms", + "-CAfile", catfile($smdir, "smroot.pem") ] + ], + + [ "enveloped content test streaming S/MIME format, 3 recipients, keyid", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", "-keyid", + catfile($smdir, "smrsa1.pem"), + catfile($smdir, "smrsa2.pem"), + catfile($smdir, "smrsa3.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming PEM format, KEK", + [ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", + "-stream", "-out", "test.cms", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ], + [ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ] + ], + + [ "enveloped content test streaming PEM format, KEK, key only", + [ "-encrypt", "-in", $smcont, "-outform", "PEM", "-aes128", + "-stream", "-out", "test.cms", + "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-secretkeyid", "C0FEE0" ], + [ "-decrypt", "-in", "test.cms", "-out", "smtst.txt", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F" ] + ], + + [ "data content test streaming PEM format", + [ "-data_create", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-stream", "-out", "test.cms" ], + [ "-data_out", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 128 bit RC2 key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-rc2", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 40 bit RC2 key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-rc2", "-secretkey", "0001020304", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "0001020304", "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, triple DES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-out", "smtst.txt" ] + ], + + [ "encrypted content test streaming PEM format, 128 bit AES key", + [ "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-aes128", "-secretkey", "000102030405060708090A0B0C0D0E0F", + "-stream", "-out", "test.cms" ], + [ "-EncryptedData_decrypt", "-in", "test.cms", "-inform", "PEM", + "-secretkey", "000102030405060708090A0B0C0D0E0F", "-out", "smtst.txt" ] + ], + +); + +my @smime_cms_comp_tests = ( + + [ "compressed content test streaming PEM format", + [ "-compress", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-stream", "-out", "test.cms" ], + [ "-uncompress", "-in", "test.cms", "-inform", "PEM", "-out", "smtst.txt" ] + ] + +); + +my @smime_cms_param_tests = ( + [ "signed content test streaming PEM format, RSA keys, PSS signature", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, RSA keys, PSS signature, no attributes", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", "-noattr", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1", + [ "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:pss", + "-keyopt", "rsa_mgf1_md:sha384", "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "PEM", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, OAEP default parameters", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep" ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, OAEP SHA256", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smrsa1.pem"), "-keyopt", "rsa_padding_mode:oaep", + "-keyopt", "rsa_oaep_md:sha256" ], + [ "-decrypt", "-recip", catfile($smdir, "smrsa1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, key identifier", + [ "-encrypt", "-keyid", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem") ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec1.pem"), "-aes128", "-keyopt", "ecdh_kdf_md:sha256" ], + [ "-decrypt", "-recip", catfile($smdir, "smec1.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smec2.pem"), "-aes128", + "-keyopt", "ecdh_kdf_md:sha256", "-keyopt", "ecdh_cofactor_mode:1" ], + [ "-decrypt", "-recip", catfile($smdir, "smec2.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", + [ "-encrypt", "-in", $smcont, + "-stream", "-out", "test.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], + [ "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "test.cms", "-out", "smtst.txt" ] + ] + ); + +subtest "CMS => PKCS#7 compatibility tests\n" => sub { + plan tests => scalar @smime_pkcs7_tests; + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "smime", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; +subtest "CMS <= PKCS#7 compatibility tests\n" => sub { + plan tests => scalar @smime_pkcs7_tests; + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "smime", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; + +subtest "CMS <=> CMS consistency tests\n" => sub { + plan tests => (scalar @smime_pkcs7_tests) + (scalar @smime_cms_tests); + + foreach (@smime_pkcs7_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + foreach (@smime_cms_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } +}; + +subtest "CMS <=> CMS consistency tests, modified key parameters\n" => sub { + plan tests => + (scalar @smime_cms_param_tests) + (scalar @smime_cms_comp_tests); + + foreach (@smime_cms_param_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + + SKIP: { + skip("Zlib not supported: compression tests skipped", + scalar @smime_cms_comp_tests) + unless grep /ZLIB/, run(app(["openssl", "version", "-f"]), + capture => 1); + + foreach (@smime_cms_param_tests) { + SKIP: { + my $skip_reason = check_availability($$_[0]); + skip $skip_reason, 1 if $skip_reason; + + ok(run(app(["openssl", "cms", @{$$_[1]}])) + && run(app(["openssl", "cms", @{$$_[2]}])) + && compare_text($smcont, "smtst.txt") == 0, + $$_[0]); + } + } + } +}; + +unlink "test.cms"; +unlink "test2.cms"; +unlink "smtst.txt"; + +sub check_availability { + my $tnam = shift; + + return "$tnam: skipped, EC disabled\n" + if ($no_ec && $tnam =~ /ECDH/); + return "$tnam: skipped, ECDH disabled\n" + if ($no_ecdh && $tnam =~ /ECDH/); + return "$tnam: skipped, EC2M disabled\n" + if ($no_ec2m && $tnam =~ /K-283/); + return ""; +} diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t new file mode 100644 index 0000000..7d7c96e --- /dev/null +++ b/test/recipes/80-test_ocsp.t @@ -0,0 +1,193 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use POSIX; +use File::Spec::Functions qw/devnull catfile/; +use File::Copy; +use OpenSSL::Test qw/:DEFAULT with pipe top_dir/; + +setup("test_ocsp"); + +my $ocspdir=top_dir("test", "ocsp-tests"); +# 17 December 2012 so we don't get certificate expiry errors. +my @check_time=("-attime", "1355875200"); + +sub test_ocsp { + my $title = shift; + my $inputfile = shift; + my $CAfile = shift; + my $expected_exit = shift; + + with({ exit_checker => sub { return shift == $expected_exit; } }, + sub { ok(run(pipe(app(["openssl", "base64", "-d", + "-in", catfile($ocspdir,$inputfile)]), + app(["openssl", "ocsp", "-respin", "-", + "-partial_chain", @check_time, + "-CAfile", catfile($ocspdir, $CAfile), + "-verify_other", catfile($ocspdir, $CAfile), + "-CApath", devnull()]))), + $title); }); +} + +plan tests => 10; + +subtest "=== VALID OCSP RESPONSES ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "ND1.ors", "ND1_Issuer_ICA.pem", 0); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "ND2.ors", "ND2_Issuer_Root.pem", 0); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "ND3.ors", "ND3_Issuer_Root.pem", 0); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "D1.ors", "D1_Issuer_ICA.pem", 0); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "D2.ors", "D2_Issuer_Root.pem", 0); + test_ocsp("DELEGATED; Root CA -> EE", + "D3.ors", "D3_Issuer_Root.pem", 0); +}; + +subtest "=== INVALID SIGNATURE on the OCSP RESPONSE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "ISOP_ND1.ors", "ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "ISOP_ND2.ors", "ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "ISOP_ND3.ors", "ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "ISOP_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "ISOP_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "ISOP_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG RESPONDERID in the OCSP RESPONSE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "WRID_ND1.ors", "ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "WRID_ND2.ors", "ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "WRID_ND3.ors", "ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "WRID_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "WRID_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "WRID_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG ISSUERNAMEHASH in the OCSP RESPONSE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "WINH_ND1.ors", "ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "WINH_ND2.ors", "ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "WINH_ND3.ors", "ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "WINH_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "WINH_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "WINH_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG ISSUERKEYHASH in the OCSP RESPONSE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "WIKH_ND1.ors", "ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "WIKH_ND2.ors", "ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "WIKH_ND3.ors", "ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "WIKH_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "WIKH_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "WIKH_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG KEY in the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { + plan tests => 3; + + test_ocsp("DELEGATED; Intermediate CA -> EE", + "WKDOSC_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "WKDOSC_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "WKDOSC_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== INVALID SIGNATURE on the DELEGATED OCSP SIGNING CERTIFICATE ===" => sub { + plan tests => 3; + + test_ocsp("DELEGATED; Intermediate CA -> EE", + "ISDOSC_D1.ors", "D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "ISDOSC_D2.ors", "D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "ISDOSC_D3.ors", "D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG SUBJECT NAME in the ISSUER CERTIFICATE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "ND1.ors", "WSNIC_ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "ND2.ors", "WSNIC_ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "ND3.ors", "WSNIC_ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "D1.ors", "WSNIC_D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "D2.ors", "WSNIC_D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "D3.ors", "WSNIC_D3_Issuer_Root.pem", 1); +}; + +subtest "=== WRONG KEY in the ISSUER CERTIFICATE ===" => sub { + plan tests => 6; + + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "ND1.ors", "WKIC_ND1_Issuer_ICA.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "ND2.ors", "WKIC_ND2_Issuer_Root.pem", 1); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "ND3.ors", "WKIC_ND3_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "D1.ors", "WKIC_D1_Issuer_ICA.pem", 1); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "D2.ors", "WKIC_D2_Issuer_Root.pem", 1); + test_ocsp("DELEGATED; Root CA -> EE", + "D3.ors", "WKIC_D3_Issuer_Root.pem", 1); +}; + +subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub { + plan tests => 6; + + # Expect success, because we're explicitly trusting the issuer certificate. + test_ocsp("NON-DELEGATED; Intermediate CA -> EE", + "ND1.ors", "ISIC_ND1_Issuer_ICA.pem", 0); + test_ocsp("NON-DELEGATED; Root CA -> Intermediate CA", + "ND2.ors", "ISIC_ND2_Issuer_Root.pem", 0); + test_ocsp("NON-DELEGATED; Root CA -> EE", + "ND3.ors", "ISIC_ND3_Issuer_Root.pem", 0); + test_ocsp("DELEGATED; Intermediate CA -> EE", + "D1.ors", "ISIC_D1_Issuer_ICA.pem", 0); + test_ocsp("DELEGATED; Root CA -> Intermediate CA", + "D2.ors", "ISIC_D2_Issuer_Root.pem", 0); + test_ocsp("DELEGATED; Root CA -> EE", + "D3.ors", "ISIC_D3_Issuer_Root.pem", 0); +}; diff --git a/test/recipes/80-test_ssl.t b/test/recipes/80-test_ssl.t new file mode 100644 index 0000000..409e68f --- /dev/null +++ b/test/recipes/80-test_ssl.t @@ -0,0 +1,627 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use POSIX; +use File::Spec; +use File::Copy; +use OpenSSL::Test qw/:DEFAULT with top_file cmdstr/; + +setup("test_ssl"); + +my $digest = "-sha1"; +my @reqcmd = ("openssl", "req"); +my @x509cmd = ("openssl", "x509", $digest); +my @verifycmd = ("openssl", "verify"); +my $dummycnf = top_file("apps", "openssl.cnf"); + +my $CAkey = "keyCA.ss"; +my $CAcert="certCA.ss"; +my $CAserial="certCA.srl"; +my $CAreq="reqCA.ss"; +my $CAconf=top_file("test","CAss.cnf"); +my $CAreq2="req2CA.ss"; # temp + +my $Uconf=top_file("test","Uss.cnf"); +my $Ukey="keyU.ss"; +my $Ureq="reqU.ss"; +my $Ucert="certU.ss"; + +my $Dkey="keyD.ss"; +my $Dreq="reqD.ss"; +my $Dcert="certD.ss"; + +my $Ekey="keyE.ss"; +my $Ereq="reqE.ss"; +my $Ecert="certE.ss"; + +my $P1conf=top_file("test","P1ss.cnf"); +my $P1key="keyP1.ss"; +my $P1req="reqP1.ss"; +my $P1cert="certP1.ss"; +my $P1intermediate="tmp_intP1.ss"; + +my $P2conf=top_file("test","P2ss.cnf"); +my $P2key="keyP2.ss"; +my $P2req="reqP2.ss"; +my $P2cert="certP2.ss"; +my $P2intermediate="tmp_intP2.ss"; + +plan tests => + 1 # For testss + + 1 # For ssltest -test_cipherlist + + 8 # For the first testssl + + 16 # For the first testsslproxy + + 16 # For the second testsslproxy + ; + +subtest 'test_ss' => sub { + if (testss()) { + open OUT, ">", "intP1.ss"; + copy($CAcert, \*OUT); copy($Ucert, \*OUT); + close OUT; + + open OUT, ">", "intP2.ss"; + copy($CAcert, \*OUT); copy($Ucert, \*OUT); copy($P1cert, \*OUT); + close OUT; + } +}; + +my $check = ok(run(test(["ssltest","-test_cipherlist"])), "running ssltest"); + + SKIP: { + skip "ssltest ended with error, skipping the rest", 3 + if !$check; + + note('test_ssl -- key U'); + testssl("keyU.ss", $Ucert, $CAcert); + + note('test_ssl -- key P1'); + testsslproxy("keyP1.ss", "certP1.ss", "intP1.ss", "AB"); + + note('test_ssl -- key P2'); + testsslproxy("keyP2.ss", "certP2.ss", "intP2.ss", "BC"); + } + +# ----------- +# subtest functions +sub testss { + open RND, ">>", ".rnd"; + print RND "string to make the random number generator think it has entropy"; + close RND; + + my @req_dsa = ("-newkey", + "dsa:".File::Spec->catfile("..", "apps", "dsa1024.pem"));; + my @req_new; + if (run(app(["openssl", "no-rsa"], stdout => undef))) { + @req_new = @req_dsa; + } else { + @req_new = ("-new"); + } + + plan tests => 17; + + SKIP: { + skip 'failure', 16 unless + ok(run(app([@reqcmd, "-config", $CAconf, + "-out", $CAreq, "-keyout", $CAkey, + @req_new])), + 'make cert request'); + + skip 'failure', 15 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $CAreq, "-days", "30", + "-req", "-out", $CAcert, "-signkey", $CAkey, + "-extfile", $CAconf, "-extensions", "v3_ca"], + stdout => "err.ss")), + 'convert request into self-signed cert'); + + skip 'failure', 14 unless + ok(run(app([@x509cmd, "-in", $CAcert, + "-x509toreq", "-signkey", $CAkey, "-out", $CAreq2], + stdout => "err.ss")), + 'convert cert into a cert request'); + + skip 'failure', 13 unless + ok(run(app([@reqcmd, "-config", $dummycnf, + "-verify", "-in", $CAreq, "-noout"])), + 'verify request 1'); + + + skip 'failure', 12 unless + ok(run(app([@reqcmd, "-config", $dummycnf, + "-verify", "-in", $CAreq2, "-noout"])), + 'verify request 2'); + + skip 'failure', 11 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $CAcert])), + 'verify signature'); + + skip 'failure', 10 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Ureq, "-keyout", $Ukey, @req_new], + stdout => "err.ss")), + 'make a user cert request'); + + skip 'failure', 9 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $Ureq, "-days", "30", + "-req", "-out", $Ucert, + "-CA", $CAcert, "-CAkey", $CAkey, "-CAserial", $CAserial, + "-extfile", $Uconf, "-extensions", "v3_ee"], + stdout => "err.ss")) + && run(app([@verifycmd, "-CAfile", $CAcert, $Ucert])), + 'sign user cert request'); + + skip 'failure', 8 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $Ucert])), + 'Certificate details'); + + skip 'failure', 7 unless + subtest 'DSA certificate creation' => sub { + plan skip_all => "skipping DSA certificate creation" + if run(app(["openssl", "no-dsa"], stdout => undef)); + + plan tests => 4; + + SKIP: { + $ENV{CN2} = "DSA Certificate"; + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Dreq, "-keyout", $Dkey, + @req_dsa], + stdout => "err.ss")), + "make a DSA user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Dreq, + "-days", "30", + "-req", + "-out", $Dcert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_dsa"], + stdout => "err.ss")), + "sign DSA user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Dcert])), + "verify DSA user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Dcert])), + "DSA Certificate details"); + } + }; + + skip 'failure', 6 unless + subtest 'ECDSA/ECDH certificate creation' => sub { + plan skip_all => "skipping ECDSA/ECDH certificate creation" + if run(app(["openssl", "no-ec"], stdout => undef)); + + plan tests => 5; + + SKIP: { + $ENV{CN2} = "ECDSA Certificate"; + skip 'failure', 4 unless + ok(run(app(["openssl", "ecparam", "-name", "P-256", + "-out", "ecp.ss"])), + "make EC parameters"); + skip 'failure', 3 unless + ok(run(app([@reqcmd, "-config", $Uconf, + "-out", $Ereq, "-keyout", $Ekey, + "-newkey", "ec:ecp.ss"], + stdout => "err.ss")), + "make a ECDSA/ECDH user cert request"); + skip 'failure', 2 unless + ok(run(app([@x509cmd, "-CAcreateserial", + "-in", $Ereq, + "-days", "30", + "-req", + "-out", $Ecert, + "-CA", $CAcert, "-CAkey", $CAkey, + "-CAserial", $CAserial, + "-extfile", $Uconf, + "-extensions", "v3_ee_ec"], + stdout => "err.ss")), + "sign ECDSA/ECDH user cert request"); + skip 'failure', 1 unless + ok(run(app([@verifycmd, "-CAfile", $CAcert, $Ecert])), + "verify ECDSA/ECDH user cert"); + skip 'failure', 0 unless + ok(run(app([@x509cmd, + "-subject", "-issuer", + "-startdate", "-enddate", "-noout", + "-in", $Ecert])), + "ECDSA Certificate details"); + } + }; + + skip 'failure', 5 unless + ok(run(app([@reqcmd, "-config", $P1conf, + "-out", $P1req, "-keyout", $P1key, @req_new], + stdout => "err.ss")), + 'make a proxy cert request'); + + + skip 'failure', 4 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P1req, "-days", "30", + "-req", "-out", $P1cert, + "-CA", $Ucert, "-CAkey", $Ukey, + "-extfile", $P1conf, "-extensions", "v3_proxy"], + stdout => "err.ss")), + 'sign proxy with user cert'); + + copy($Ucert, $P1intermediate); + run(app([@verifycmd, "-CAfile", $CAcert, + "-untrusted", $P1intermediate, $P1cert])); + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $P1cert])), + 'Certificate details'); + + skip 'failure', 2 unless + ok(run(app([@reqcmd, "-config", $P2conf, + "-out", $P2req, "-keyout", $P2key, + @req_new], + stdout => "err.ss")), + 'make another proxy cert request'); + + + skip 'failure', 1 unless + ok(run(app([@x509cmd, "-CAcreateserial", "-in", $P2req, "-days", "30", + "-req", "-out", $P2cert, + "-CA", $P1cert, "-CAkey", $P1key, + "-extfile", $P2conf, "-extensions", "v3_proxy"], + stdout => "err.ss")), + 'sign second proxy cert request with the first proxy cert'); + + + open OUT, ">", $P2intermediate; + copy($Ucert, \*OUT); copy($P1cert, \*OUT); + close OUT; + run(app([@verifycmd, "-CAfile", $CAcert, + "-untrusted", $P2intermediate, $P2cert])); + ok(run(app([@x509cmd, + "-subject", "-issuer", "-startdate", "-enddate", + "-noout", "-in", $P2cert])), + 'Certificate details'); + } +} + +sub testssl { + my $key = shift || top_file("apps","server.pem"); + my $cert = shift || top_file("apps","server.pem"); + my $CAtmp = shift; + my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs")); + my @extra = @_; + + my @ssltest = ("ssltest", + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert); + + my $serverinfo = top_file("test","serverinfo.pem"); + + my $dsa_cert = 0; + if (grep /DSA Public Key/, run(app(["openssl", "x509", "-in", $cert, + "-text", "-noout"]), capture => 1)) { + $dsa_cert = 1; + } + + + # plan tests => 7; + + subtest 'standard SSL tests' => sub { + ###################################################################### + plan tests => 27; + + ok(run(test([@ssltest, "-ssl3", @extra])), + 'test sslv3'); + ok(run(test([@ssltest, "-ssl3", "-server_auth", @CA, @extra])), + 'test sslv3 with server authentication'); + ok(run(test([@ssltest, "-ssl3", "-client_auth", @CA, @extra])), + 'test sslv3 with client authentication'); + ok(run(test([@ssltest, "-ssl3", "-server_auth", "-client_auth", @CA, @extra])), + 'test sslv3 with both server and client authentication'); + ok(run(test([@ssltest, @extra])), + 'test sslv2/sslv3'); + ok(run(test([@ssltest, "-server_auth", @CA, @extra])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-client_auth", @CA, @extra])), + 'test sslv2/sslv3 with client authentication'); + ok(run(test([@ssltest, "-server_auth", "-client_auth", @CA, @extra])), + 'test sslv2/sslv3 with both server and client authentication'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", @extra])), + 'test sslv3 via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", @CA, @extra])), + 'test sslv3 with server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-client_auth", @CA, @extra])), + 'test sslv3 with client authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-ssl3", "-server_auth", "-client_auth", @CA, @extra])), + 'test sslv3 with both server and client authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", @extra])), + 'test sslv2/sslv3 via BIO pair'); + ok(run(test([@ssltest, "-dtls1", @extra])), + 'test dtlsv1'); + ok(run(test([@ssltest, "-dtls1", "-server_auth", @CA, @extra])), + 'test dtlsv1 with server authentication'); + ok(run(test([@ssltest, "-dtls1", "-client_auth", @CA, @extra])), + 'test dtlsv1 with client authentication'); + ok(run(test([@ssltest, "-dtls1", "-server_auth", "-client_auth", @CA, @extra])), + 'test dtlsv1 with both server and client authentication'); + ok(run(test([@ssltest, "-dtls12", @extra])), + 'test dtlsv1.2'); + ok(run(test([@ssltest, "-dtls12", "-server_auth", @CA, @extra])), + 'test dtlsv1.2 with server authentication'); + ok(run(test([@ssltest, "-dtls12", "-client_auth", @CA, @extra])), + 'test dtlsv1.2 with client authentication'); + ok(run(test([@ssltest, "-dtls12", "-server_auth", "-client_auth", @CA, @extra])), + 'test dtlsv1.2 with both server and client authentication'); + { + SKIP: { + skip "skipping test of sslv2/sslv3 w/o (EC)DHE test", 1 if $dsa_cert; + + ok(run(test([@ssltest, "-bio_pair", "-no_dhe", "-no_ecdhe", @extra])), + 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'); + } + } + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v", @extra])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA, @extra])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA, @extra])), + 'test sslv2/sslv3 with client authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", @CA, @extra])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA, @extra])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); + }; + + subtest "Testing ciphersuites" => sub { + + my @exkeys = (); + my $ciphers = "-EXP:-PSK:-SRP:-kDH:-kECDHe"; + + if (run(app(["openssl", "no-dhparam"], stdout => undef))) { + note "skipping DHE tests\n"; + $ciphers .= ":-kDHE"; + } + if (run(app(["openssl", "no-dsa"], stdout => undef))) { + note "skipping DSA tests\n"; + $ciphers .= ":-aDSA"; + } else { + push @exkeys, "-s_cert", "certD.ss", "-s_key", "keyD.ss"; + } + + if (run(app(["openssl", "no-ec"], stdout => undef))) { + note "skipping EC tests\n"; + $ciphers .= ":!aECDSA:!kECDH"; + } else { + push @exkeys, "-s_cert", "certE.ss", "-s_key", "keyE.ss"; + } + + my @protocols = ("TLSv1.2", "SSLv3"); + my $protocolciphersuitcount = 0; + my %ciphersuites = + map { my @c = + map { split(/:/, $_) } + run(app(["openssl", "ciphers", "${_}:$ciphers"]), + capture => 1); + chomp @c; + $protocolciphersuitcount += scalar @c; + $_ => [ @c ] } @protocols; + + # The count of protocols is because in addition to the ciphersuits + # we got above, we're running a weak DH test for each protocol + plan tests => $protocolciphersuitcount + scalar(@protocols); + + foreach my $protocol (@protocols) { + note "Testing ciphersuites for $protocol"; + foreach my $cipher (@{$ciphersuites{$protocol}}) { + ok(run(test([@ssltest, @exkeys, "-cipher", $cipher, + $protocol eq "SSLv3" ? ("-ssl3") : ()])), + "Testing $cipher"); + } + is(run(test([@ssltest, + "-s_cipher", "EDH", + "-c_cipher", 'EDH:@SECLEVEL=1', + "-dhe512", + $protocol eq "SSLv3" ? ("-ssl3") : ()])), 0, + "testing connection with weak DH, expecting failure"); + } + }; + + subtest 'RSA/(EC)DHE/PSK tests' => sub { + ###################################################################### + + plan tests => 5; + + { + SKIP: { + skip "skipping anonymous DH tests", 1 + if (run(app(["openssl", "no-dhparam"], stdout => undef))); + + ok(run(test([@ssltest, "-v", "-bio_pair", "-tls1", "-cipher", "ADH", "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + 'test tlsv1 with 1024bit anonymous DH, multiple handshakes'); + } + } + + { + SKIP: { + skip "skipping RSA tests", 2 + if (run(app(["openssl", "no-rsa"], stdout => undef))); + + ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-no_dhe", "-no_ecdhe", "-num", "10", "-f", "-time", @extra])), + 'test tlsv1 with 1024bit RSA, no (EC)DHE, multiple handshakes'); + + skip "skipping RSA+DHE tests", 1 + if (run(app(["openssl", "no-dhparam"], stdout => undef))); + + ok(run(test(["ssltest", "-v", "-bio_pair", "-tls1", "-s_cert", top_file("apps","server2.pem"), "-dhe1024dsa", "-num", "10", "-f", "-time", @extra])), + 'test tlsv1 with 1024bit RSA, 1024bit DHE, multiple handshakes'); + } + } + ok(run(test([@ssltest, "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + 'test tls1 with PSK'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "PSK", "-psk", "abc123", @extra])), + 'test tls1 with PSK via BIO pair'); + }; + + subtest 'Next Protocol Negotiation Tests' => sub { + ###################################################################### + + plan tests => 7; + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_server_reject"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server_reject"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-npn_client", "-npn_server", "-num", "2", "-reuse"]))); + }; + + subtest 'Custom Extension tests' => sub { + ###################################################################### + + plan tests => 1; + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext"])), + 'test tls1 with custom extensions'); + }; + + subtest 'Serverinfo tests' => sub { + ###################################################################### + + plan tests => 5; + + note('echo test tls1 with serverinfo'); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_tack"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"]))); + }; + + subtest 'ALPN tests' => sub { + ###################################################################### + + plan tests => 12; + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "bar"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo", "-alpn_server", "foo", "-alpn_expected", "foo"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "foo", "-alpn_expected", "foo"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo", "-alpn_expected", "foo"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "foo,bar", "-alpn_expected", "foo"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "bar,foo", "-alpn_server", "bar,foo", "-alpn_expected", "bar"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "foo,bar", "-alpn_server", "bar,foo", "-alpn_expected", "bar"]))); + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-alpn_client", "baz", "-alpn_server", "bar,foo"]))); + + { + SKIP: { + skip "skipping SRP tests", 4 + if run(app(["openssl", "no-srp"], stdout => undef)); + + ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP via BIO pair'); + + ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP auth'); + + ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])), + 'test tls1 with SRP auth via BIO pair'); + } + } + }; + + subtest 'Multi-buffer tests' => sub { + ###################################################################### + + plan tests => 2; + + { + SKIP: { + skip "skipping multi-buffer tests", 2 + if @extra || (POSIX::uname())[4] ne "x86_64"; + ok(run(test([@ssltest, "-cipher", "AES128-SHA", "-bytes", "8m"]))); + ok(run(test([@ssltest, "-cipher", "AES128-SHA256", "-bytes", "8m"]))); + } + } + }; +} + +sub testsslproxy { + my $key = shift || top_file("apps","server.pem"); + my $cert = shift || top_file("apps","server.pem"); + my $CAtmp = shift; + my @CA = $CAtmp ? ("-CAfile", $CAtmp) : ("-CApath", top_dir("certs")); + my @extra = @_; + + my @ssltest = ("ssltest", + "-s_key", $key, "-s_cert", $cert, + "-c_key", $key, "-c_cert", $cert); + + # plan tests => 16; + + note('Testing a lot of proxy conditions.'); + + # We happen to know that certP1.ss has policy letters "AB" and + # certP2.ss has policy letters "BC". However, because certP2.ss + # has certP1.ss as issuer, when it's used, both their policy + # letters get combined into just "B". + # The policy letter(s) then get filtered with the given auth letter + # in the table below, and the result gets tested with the given + # condition. For details, read ssltest.c + # + # certfilename => [ [ auth, cond, expected result ] ... ] + my %expected = ( "certP1.ss" => [ [ [ 'A', 'A' ], 1 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 1 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ], + "certP2.ss" => [ [ [ 'A', 'A' ], 0 ], + [ [ 'A', 'B' ], 0 ], + [ [ 'A', 'C' ], 0 ], + [ [ 'A', 'A|B&!C' ], 0 ], + [ [ 'B', 'A' ], 0 ], + [ [ 'B', 'B' ], 1 ], + [ [ 'B', 'C' ], 0 ], + [ [ 'B', 'A|B&!C' ], 1 ], + [ [ 'C', 'A' ], 0 ], + [ [ 'C', 'B' ], 0 ], + [ [ 'C', 'C' ], 0 ], + [ [ 'C', 'A|B&!C' ], 0 ], + [ [ 'BC', 'A' ], 0 ], + [ [ 'BC', 'B' ], 1 ], + [ [ 'BC', 'C' ], 0 ], + [ [ 'BC', 'A|B&!C' ], 1 ] ] ); + + foreach (@{$expected{$cert}}) { + my $auth = $_->[0]->[0]; + my $cond = $_->[0]->[1]; + my $res = $_->[1]; + is(run(test([@ssltest, "-ssl3", "-server_auth", @CA, + "-proxy", "-proxy_auth", $auth, + "-proxy_cond", $cond])), $res, + "test tlsv1, server auth, proxy auth $auth and cond $cond (expect " + .($res ? "success" : "failure").")"); + } +} diff --git a/test/recipes/80-test_tsa.t b/test/recipes/80-test_tsa.t new file mode 100644 index 0000000..171592a --- /dev/null +++ b/test/recipes/80-test_tsa.t @@ -0,0 +1,192 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use POSIX; +use File::Spec::Functions qw/splitdir curdir catfile/; +use File::Compare; +use OpenSSL::Test qw/:DEFAULT cmdstr top_file/; + +setup("test_tsa"); + +# All these are modified inside indir further down. They need to exist +# here, however, to be available in all subroutines. +my $testtsa; +my $CAtsa; +my @RUN = ("openssl", "ts"); + +sub create_tsa_cert { + my $INDEX = shift; + my $EXT = shift; + my $r = 1; + $ENV{TSDNSECT} = "ts_cert_dn"; + + ok(run(app(["openssl", "req", "-new", + "-out", "tsa_req${INDEX}.pem", + "-keyout", "tsa_key${INDEX}.pem"]))); + note "using extension $EXT"; + ok(run(app(["openssl", "x509", "-req", + "-in", "tsa_req${INDEX}.pem", + "-out", "tsa_cert${INDEX}.pem", + "-CA", "tsaca.pem", "-CAkey", "tsacakey.pem", + "-CAcreateserial", + "-extfile", $ENV{OPENSSL_CONF}, "-extensions", $EXT]))); +} + +sub create_time_stamp_response { + my $queryfile = shift; + my $outputfile = shift; + my $datafile = shift; + + ok(run(app([@RUN, "-reply", "-section", "$datafile", + "-queryfile", "$queryfile", "-out", "$outputfile"]))); +} + +sub verify_time_stamp_response { + my $queryfile = shift; + my $inputfile = shift; + my $datafile = shift; + + ok(run(app([@RUN, "-verify", "-queryfile", "$queryfile", + "-in", "$inputfile", "-CAfile", "tsaca.pem", + "-untrusted", "tsa_cert1.pem"]))); + ok(run(app([@RUN, "-verify", "-data", "$datafile", + "-in", "$inputfile", "-CAfile", "tsaca.pem", + "-untrusted", "tsa_cert1.pem"]))); +} + +sub verify_time_stamp_response_fail { + my $queryfile = shift; + my $inputfile = shift; + + ok(!run(app([@RUN, "-verify", "-queryfile", "$queryfile", + "-in", "$inputfile", "-CAfile", "tsaca.pem", + "-untrusted", "tsa_cert1.pem"]))); +} + +# main functions + +plan tests => 20; + +note "setting up TSA test directory"; +indir "tsa" => sub +{ + $ENV{OPENSSL_CONF} = top_file("test", "CAtsa.cnf"); + # Because that's what ../apps/CA.pl really looks at + $ENV{SSLEAY_CONFIG} = "-config ".$ENV{OPENSSL_CONF}; + $ENV{OPENSSL} = cmdstr(app(["openssl"])); + $testtsa = top_file("test", "recipes", "80-test_tsa.t"); + $CAtsa = top_file("test", "CAtsa.cnf"); + + SKIP: { + $ENV{TSDNSECT} = "ts_ca_dn"; + skip "failed", 19 + unless ok(run(app(["openssl", "req", "-new", "-x509", "-nodes", + "-out", "tsaca.pem", "-keyout", "tsacakey.pem"])), + 'creating a new CA for the TSA tests'); + + skip "failed", 18 + unless subtest 'creating tsa_cert1.pem TSA server cert' => sub { + create_tsa_cert("1", "tsa_cert") + }; + + skip "failed", 17 + unless subtest 'creating tsa_cert2.pem non-TSA server cert' => sub { + create_tsa_cert("2", "non_tsa_cert") + }; + + skip "failed", 16 + unless ok(run(app([@RUN, "-query", "-data", $testtsa, + "-policy", "tsa_policy1", "-cert", + "-out", "req1.tsq"])), + 'creating req1.req time stamp request for file testtsa'); + + ok(run(app([@RUN, "-query", "-in", "req1.tsq", "-text"])), + 'printing req1.req'); + + subtest 'generating valid response for req1.req' => sub { + create_time_stamp_response("req1.tsq", "resp1.tsr", "tsa_config1") + }; + + ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", "-text"])), + 'printing response'); + + subtest 'verifying valid response' => sub { + verify_time_stamp_response("req1.tsq", "resp1.tsr", $testtsa) + }; + + skip "failed", 11 + unless subtest 'verifying valid token' => sub { + ok(run(app([@RUN, "-reply", "-in", "resp1.tsr", + "-out", "resp1.tsr.token", "-token_out"]))); + ok(run(app([@RUN, "-verify", "-queryfile", "req1.tsq", + "-in", "resp1.tsr.token", "-token_in", + "-CAfile", "tsaca.pem", + "-untrusted", "tsa_cert1.pem"]))); + ok(run(app([@RUN, "-verify", "-data", $testtsa, + "-in", "resp1.tsr.token", "-token_in", + "-CAfile", "tsaca.pem", + "-untrusted", "tsa_cert1.pem"]))); + }; + + skip "failed", 10 + unless ok(run(app([@RUN, "-query", "-data", $testtsa, + "-policy", "tsa_policy2", "-no_nonce", + "-out", "req2.tsq"])), + 'creating req2.req time stamp request for file testtsa'); + + ok(run(app([@RUN, "-query", "-in", "req2.tsq", "-text"])), + 'printing req2.req'); + + skip "failed", 8 + unless subtest 'generating valid response for req2.req' => sub { + create_time_stamp_response("req2.tsq", "resp2.tsr", "tsa_config1") + }; + + skip "failed", 7 + unless subtest 'checking -token_in and -token_out options with -reply' => sub { + my $RESPONSE2="resp2.tsr.copy.tsr"; + my $TOKEN_DER="resp2.tsr.token.der"; + + ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", + "-out", "$TOKEN_DER", "-token_out"]))); + ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", + "-token_in", "-out", "$RESPONSE2"]))); + is(compare($RESPONSE2, "resp2.tsr"), 0); + ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", + "-text", "-token_out"]))); + ok(run(app([@RUN, "-reply", "-in", "$TOKEN_DER", + "-token_in", "-text", "-token_out"]))); + ok(run(app([@RUN, "-reply", "-queryfile", "req2.tsq", + "-text", "-token_out"]))); + }; + + ok(run(app([@RUN, "-reply", "-in", "resp2.tsr", "-text"])), + 'printing response'); + + subtest 'verifying valid response' => sub { + verify_time_stamp_response("req2.tsq", "resp2.tsr", $testtsa) + }; + + subtest 'verifying response against wrong request, it should fail' => sub { + verify_time_stamp_response_fail("req1.tsq", "resp2.tsr") + }; + + subtest 'verifying response against wrong request, it should fail' => sub { + verify_time_stamp_response_fail("req2.tsq", "resp1.tsr") + }; + + skip "failure", 2 + unless ok(run(app([@RUN, "-query", "-data", $CAtsa, + "-no_nonce", "-out", "req3.tsq"])), + "creating req3.req time stamp request for file CAtsa.cnf"); + + ok(run(app([@RUN, "-query", "-in", "req3.tsq", "-text"])), + 'printing req3.req'); + + subtest 'verifying response against wrong request, it should fail' => sub { + verify_time_stamp_response_fail("req3.tsq", "resp1.tsr") + }; + } +}, create => 1, cleanup => 1 diff --git a/test/recipes/90-test_constant_time.t b/test/recipes/90-test_constant_time.t new file mode 100644 index 0000000..cfdb578 --- /dev/null +++ b/test/recipes/90-test_constant_time.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_constant_time", "constant_time_test"); diff --git a/test/recipes/90-test_gmdiff.t b/test/recipes/90-test_gmdiff.t new file mode 100644 index 0000000..115445e --- /dev/null +++ b/test/recipes/90-test_gmdiff.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_gmdiff", "gmdifftest"); diff --git a/test/recipes/90-test_gost2814789.t b/test/recipes/90-test_gost2814789.t new file mode 100644 index 0000000..e97128f --- /dev/null +++ b/test/recipes/90-test_gost2814789.t @@ -0,0 +1,13 @@ +#! /usr/bin/perl + +use strict; +use warnings; +use OpenSSL::Test qw/:DEFAULT top_dir/; + +setup("test_gost2814789"); + +$ENV{OPENSSL_ENGINES} = + $ENV{BIN_D} ? top_dir($ENV{BIN_D}) : top_dir("engines", "ccgost"); + +plan tests => 1; +ok(run(test(["gost2814789test"])), 'running gost2814789test'); diff --git a/test/recipes/90-test_heartbeat.t b/test/recipes/90-test_heartbeat.t new file mode 100644 index 0000000..660f630 --- /dev/null +++ b/test/recipes/90-test_heartbeat.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_heartbeat", "heartbeat_test"); diff --git a/test/recipes/90-test_ige.t b/test/recipes/90-test_ige.t new file mode 100644 index 0000000..f008350 --- /dev/null +++ b/test/recipes/90-test_ige.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_ige", "igetest"); diff --git a/test/recipes/90-test_jpake.t b/test/recipes/90-test_jpake.t new file mode 100644 index 0000000..fa1292a --- /dev/null +++ b/test/recipes/90-test_jpake.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_jpake", "jpaketest"); diff --git a/test/recipes/90-test_np.t b/test/recipes/90-test_np.t new file mode 100644 index 0000000..a0d8b4b --- /dev/null +++ b/test/recipes/90-test_np.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_np", "nptest"); diff --git a/test/recipes/90-test_p5_crpt2.t b/test/recipes/90-test_p5_crpt2.t new file mode 100644 index 0000000..838e0d7 --- /dev/null +++ b/test/recipes/90-test_p5_crpt2.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_p5_crpt2", "p5_crpt2_test"); diff --git a/test/recipes/90-test_secmem.t b/test/recipes/90-test_secmem.t new file mode 100644 index 0000000..59f3bdd --- /dev/null +++ b/test/recipes/90-test_secmem.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_secmem", "secmemtest"); diff --git a/test/recipes/90-test_srp.t b/test/recipes/90-test_srp.t new file mode 100644 index 0000000..6be2c39 --- /dev/null +++ b/test/recipes/90-test_srp.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_srp", "srptest"); diff --git a/test/recipes/90-test_v3name.t b/test/recipes/90-test_v3name.t new file mode 100644 index 0000000..2a8a472 --- /dev/null +++ b/test/recipes/90-test_v3name.t @@ -0,0 +1,5 @@ +#! /usr/bin/perl + +use OpenSSL::Test::Simple; + +simple_test("test_v3name", "v3nametest"); diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl new file mode 100644 index 0000000..29a4a8a --- /dev/null +++ b/test/recipes/bc.pl @@ -0,0 +1,97 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use Math::BigInt; + +sub calc { + @_ = __adder(@_); + if (scalar @_ != 1) { return "NaN"; } + return shift; +} + +sub __canonhex { + my ($sign, $hex) = (shift =~ /^([+\-]?)(.*)$/); + $hex = "0x".$hex if $hex !~ /^0x/; + return $sign.$hex; +} + +sub __adder { + @_ = __multiplier(@_); + while (scalar @_ > 1 && $_[1] =~ /^[\+\-]$/) { + my $operand1 = Math::BigInt->from_hex(__canonhex(shift)); + my $operator = shift; + @_ = __multiplier(@_); + my $operand2 = Math::BigInt->from_hex(__canonhex(shift)); + if ($operator eq "+") { + $operand1->badd($operand2); + } elsif ($operator eq "-") { + $operand1->bsub($operand2); + } else { + die "SOMETHING WENT AWFULLY WRONG"; + } + unshift @_, $operand1->as_hex(); + } + return @_; +} + +sub __multiplier { + @_ = __power(@_); + while (scalar @_ > 1 && $_[1] =~ /^[\*\/%]$/) { + my $operand1 = Math::BigInt->from_hex(__canonhex(shift)); + my $operator = shift; + @_ = __power(@_); + my $operand2 = Math::BigInt->from_hex(__canonhex(shift)); + if ($operator eq "*") { + $operand1->bmul($operand2); + } elsif ($operator eq "/") { + $operand1->bdiv($operand2); + } elsif ($operator eq "%") { + # Here's a bit of a quirk... + # With OpenSSL's BN, as well as bc, the result of -10 % 3 is -1 + # while Math::BigInt, the result is 2. + # The latter is mathematically more correct, but... + my $o1isneg = $operand1->is_neg(); + $operand1->babs(); + # Math::BigInt does something different with a negative modulus, + # while OpenSSL's BN and bc treat it like a positive number... + $operand2->babs(); + $operand1->bmod($operand2); + if ($o1isneg) { $operand1->bneg(); } + } else { + die "SOMETHING WENT AWFULLY WRONG"; + } + unshift @_, $operand1->as_hex(); + } + return @_; +} + +sub __power { + @_ = __paren(@_); + while (scalar @_ > 1 && $_[1] eq "^") { + my $operand1 = Math::BigInt->from_hex(__canonhex(shift)); + shift; + @_ = __paren(@_); + my $operand2 = Math::BigInt->from_hex(__canonhex(shift)); + $operand1->bpow($operand2); + unshift @_, $operand1->as_hex(); + } + return @_; +} + +# returns array ( $result, @remaining ) +sub __paren { + if (scalar @_ > 0 && $_[0] eq "(") { + shift; + my @result = __adder(@_); + if (scalar @_ == 0 || $_[0] ne ")") { + return ("NaN"); + } + shift; + return @result; + } + return @_; +} + +1; diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl new file mode 100644 index 0000000..011dcbf --- /dev/null +++ b/test/recipes/tconversion.pl @@ -0,0 +1,88 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Compare qw/compare_text/; +use File::Copy; +use lib 'testlib'; +use OpenSSL::Test qw/:DEFAULT top_file/; + +my %conversionforms = ( + # Default conversion forms. Other series may be added with + # specific test types as key. + "*" => [ "d", "p" ], + ); +sub tconversion { + my $testtype = shift; + my $t = shift; + my @conversionforms = + defined($conversionforms{$testtype}) ? + @{$conversionforms{$testtype}} : + @{$conversionforms{"*"}}; + my @openssl_args = @_; + if (!@openssl_args) { @openssl_args = ($testtype); } + + my $n = scalar @conversionforms; + my $totaltests = + 1 # for initializing + + $n # initial conversions from p to all forms (A) + + $n*$n # conversion from result of A to all forms (B) + + 1 # comparing original test file to p form of A + + $n*($n-1); # comparing first conversion to each fom in A with B + $totaltests-- if ($testtype eq "p7d"); # no comparison of original test file + plan tests => $totaltests; + + my @cmd = ("openssl", @openssl_args); + + my $init; + if (scalar @openssl_args > 0 && $openssl_args[0] eq "pkey") { + $init = ok(run(app([@cmd, "-in", $t, "-out", "$testtype-fff.p"])), + 'initializing'); + } else { + $init = ok(copy($t, "$testtype-fff.p"), 'initializing'); + } + if (!$init) { + diag("Trying to copy $t to $testtype-fff.p : $!"); + } + + SKIP: { + skip "Not initialized, skipping...", 22 unless $init; + + foreach my $to (@conversionforms) { + ok(run(app([@cmd, + "-in", "$testtype-fff.p", + "-inform", "p", + "-outform", $to], + stdout => "$testtype-f.$to")), "p -> $to"); + } + + foreach my $to (@conversionforms) { + foreach my $from (@conversionforms) { + ok(run(app([@cmd, + "-in", "$testtype-f.$from", + "-inform", $from, + "-outform", $to], + stdout => "$testtype-ff.$from$to")), "$from -> $to"); + } + } + + if ($testtype ne "p7d") { + is(compare_text("$testtype-fff.p", "$testtype-f.p"), 0, + 'comparing orig to p'); + } + + foreach my $to (@conversionforms) { + next if $to eq "d"; + foreach my $from (@conversionforms) { + is(compare_text("$testtype-f.$to", "$testtype-ff.$from$to"), 0, + "comparing $to to $from$to"); + } + } + } + unlink glob "$testtype-f.*"; + unlink glob "$testtype-ff.*"; + unlink glob "$testtype-fff.*"; +} + +1; diff --git a/test/run_tests.pl b/test/run_tests.pl new file mode 100644 index 0000000..7e61282 --- /dev/null +++ b/test/run_tests.pl @@ -0,0 +1,45 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec::Functions qw/catdir catfile curdir abs2rel rel2abs/; +use File::Basename; +use Test::Harness qw/runtests $switches/; + +my $top = $ENV{TOP}; +my $recipesdir = catdir($top, "test", "recipes"); +my $testlib = catdir($top, "test", "testlib"); +my $utillib = catdir($top, "util"); + +# It seems that $switches is getting interpretted with 'eval' or something +# like that, and that we need to take care of backslashes or they will +# disappear along the way. +$testlib =~ s|\\|\\\\|g if $^O eq "MSWin32"; +$utillib =~ s|\\|\\\\|g if $^O eq "MSWin32"; + +# Test::Harness provides the variable $switches to give it +# switches to be used when it calls our recipes. +$switches = "-w \"-I$testlib\" \"-I$utillib\""; + +my @tests = ( "alltests" ); +if (@ARGV) { + @tests = @ARGV; +} +if (grep /^alltests$/, @tests) { + @tests = grep { + basename($_) =~ /^[0-9][0-9]-[^\.]*\.t$/ + } glob(catfile($recipesdir,"*.t")); +} else { + my @t = (); + foreach (@tests) { + push @t, grep { + basename($_) =~ /^[0-9][0-9]-[^\.]*\.t$/ + } glob(catfile($recipesdir,"*-$_.t")); + } + @tests = @t; +} + + at tests = map { abs2rel($_, rel2abs(curdir())); } @tests; + +runtests(sort @tests); diff --git a/test/testlib/OpenSSL/Test.pm b/test/testlib/OpenSSL/Test.pm new file mode 100644 index 0000000..f378351 --- /dev/null +++ b/test/testlib/OpenSSL/Test.pm @@ -0,0 +1,741 @@ +package OpenSSL::Test; + +use strict; +use warnings; + +use Test::More 0.96; + +use Exporter; +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); +$VERSION = "0.7"; + at ISA = qw(Exporter); + at EXPORT = (@Test::More::EXPORT, qw(setup indir app test run)); + at EXPORT_OK = (@Test::More::EXPORT_OK, qw(top_dir top_file pipe with cmdstr + quotify)); + +=head1 NAME + +OpenSSL::Test - a private extension of Test::More + +=head1 SYNOPSIS + + use OpenSSL::Test; + + setup("my_test_name"); + + ok(run(app(["openssl", "version"])), "check for openssl presence"); + + indir "subdir" => sub { + ok(run(test(["sometest", "arg1"], stdout => "foo.txt")), + "run sometest with output to foo.txt"); + }; + +=head1 DESCRIPTION + +This module is a private extension of L for testing OpenSSL. +In addition to the Test::More functions, it also provides functions that +easily find the diverse programs within a OpenSSL build tree, as well as +some other useful functions. + +This module I on the environment variable C<$TOP>. Without it, +it refuses to work. See L below. + +=cut + +use File::Copy; +use File::Spec::Functions qw/file_name_is_absolute curdir canonpath splitdir + catdir catfile splitpath catpath devnull abs2rel + rel2abs/; +use File::Path 2.00 qw/remove_tree mkpath/; + + +# The name of the test. This is set by setup() and is used in the other +# functions to verify that setup() has been used. +my $test_name = undef; + +# Directories we want to keep track of TOP, APPS, TEST and RESULTS are the +# ones we're interested in, corresponding to the environment variables TOP +# (mandatory), BIN_D, TEST_D and RESULT_D. +my %directories = (); + +# A bool saying if we shall stop all testing if the current recipe has failing +# tests or not. This is set by setup() if the environment variable STOPTEST +# is defined with a non-empty value. +my $end_with_bailout = 0; + +# A set of hooks that is affected by with() and may be used in diverse places. +# All hooks are expected to be CODE references. +my %hooks = ( + + # exit_checker is used by run() directly after completion of a command. + # it receives the exit code from that command and is expected to return + # 1 (for success) or 0 (for failure). This is the value that will be + # returned by run(). + # NOTE: When run() gets the option 'capture => 1', this hook is ignored. + exit_checker => sub { return shift == 0 ? 1 : 0 }, + + ); + +# Declare some utility functions that are defined at the end +sub top_file; +sub top_dir; +sub quotify; + +# Declare some private functions that are defined at the end +sub __env; +sub __cwd; +sub __apps_file; +sub __results_file; +sub __test_log; +sub __cwd; +sub __fixup_cmd; +sub __build_cmd; + +=head2 Main functions + +The following functions are exported by default when using C. + +=cut + +=over 4 + +=item B + +C is used for initial setup, and it is mandatory that it's used. +If it's not used in a OpenSSL test recipe, the rest of the recipe will +most likely refuse to run. + +C checks for environment variables (see L below), +check that C<$TOP/Configure> exists, C into the results directory +(defined by the C<$RESULT_D> environment variable if defined, otherwise +C<$TEST_D> if defined, otherwise C<$TOP/test>). + +=back + +=cut + +sub setup { + $test_name = shift; + + BAIL_OUT("setup() must receive a name") unless $test_name; + BAIL_OUT("setup() needs \$TOP to be defined") unless $ENV{TOP}; + + __env(); + + BAIL_OUT("setup() expects the file Configure in the \$TOP directory") + unless -f top_file("Configure"); + + __cwd($directories{RESULTS}); + + # Loop in case we're on a platform with more than one file generation + 1 while unlink(__test_log()); +} + +=over 4 + +=item B sub BLOCK, OPTS> + +C is used to run a part of the recipe in a different directory than +the one C moved into, usually a subdirectory, given by SUBDIR. +The part of the recipe that's run there is given by the codeblock BLOCK. + +C takes some additional options OPTS that affect the subdirectory: + +=over 4 + +=item B 0|1> + +When set to 1 (or any value that perl preceives as true), the subdirectory +will be created if it doesn't already exist. This happens before BLOCK +is executed. + +=item B 0|1> + +When set to 1 (or any value that perl preceives as true), the subdirectory +will be cleaned out and removed. This happens both before and after BLOCK +is executed. + +=back + +An example: + + indir "foo" => sub { + ok(run(app(["openssl", "version"]), stdout => "foo.txt")); + if (ok(open(RESULT, "foo.txt"), "reading foo.txt")) { + my $line = ; + close RESULT; + is($line, qr/^OpenSSL 1\./, + "check that we're using OpenSSL 1.x.x"); + } + }, create => 1, cleanup => 1; + +=back + +=cut + +sub indir { + my $subdir = shift; + my $codeblock = shift; + my %opts = @_; + + my $reverse = __cwd($subdir,%opts); + BAIL_OUT("FAILURE: indir, \"$subdir\" wasn't possible to move into") + unless $reverse; + + $codeblock->(); + + __cwd($reverse); + + if ($opts{cleanup}) { + remove_tree($subdir, { safe => 0 }); + } +} + +=over 4 + +=item B + +=item B + +Both of these functions take a reference to a list that is a command and +its arguments, and some additional options (described further on). + +C expects to find the given command (the first item in the given list +reference) as an executable in C<$BIN_D> (if defined, otherwise C<$TOP/apps>). + +C expects to find the given command (the first item in the given list +reference) as an executable in C<$TEST_D> (if defined, otherwise C<$TOP/test>). + +Both return a CODEREF to be used by C, C or C. + +The options that both C and C can take are in the form of hash +values: + +=over 4 + +=item B PATH> + +=item B PATH> + +=item B PATH> + +In all three cases, the corresponding standard input, output or error is +redirected from (for stdin) or to (for the others) a file given by the +string PATH, I, if the value is C, C or similar. + +=back + +=back + +=cut + +sub app { + my $cmd = shift; + my %opts = @_; + return sub { my $num = shift; + return __build_cmd($num, \&__apps_file, $cmd, %opts); } +} + +sub test { + my $cmd = shift; + my %opts = @_; + return sub { my $num = shift; + return __build_cmd($num, \&__test_file, $cmd, %opts); } +} + +=over 4 + +=item B + +This CODEREF is expected to be the value return by C or C, +anything else will most likely cause an error unless you know what you're +doing. + +C executes the command returned by CODEREF and return either the +resulting output (if the option C is set true) or a boolean indicating +if the command succeeded or not. + +The options that C can take are in the form of hash values: + +=over 4 + +=item B 0|1> + +If true, the command will be executed with a perl backtick, and C will +return the resulting output as an array of lines. If false or not given, +the command will be executed with C, and C will return 1 if +the command was successful or 0 if it wasn't. + +=back + +For further discussion on what is considered a successful command or not, see +the function C further down. + +=back + +=cut + +sub run { + my ($cmd, $display_cmd, %errlogs) = shift->(0); + my %opts = @_; + + return () if !$cmd; + + my $prefix = ""; + if ( $^O eq "VMS" ) { # VMS + $prefix = "pipe "; + } elsif ($^O eq "MSWin32") { # MSYS + $prefix = "cmd /c "; + } + + my @r = (); + my $r = 0; + my $e = 0; + if ($opts{capture}) { + @r = `$prefix$cmd`; + $e = $? >> 8; + } else { + system("$prefix$cmd"); + $e = $? >> 8; + $r = $hooks{exit_checker}->($e); + } + + # At this point, $? stops being interesting, and unfortunately, + # there are Test::More versions that get picky if we leave it + # non-zero. + $? = 0; + + open ERR, ">>", __test_log(); + { local $| = 1; print ERR "$display_cmd => $e\n"; } + foreach (keys %errlogs) { + copy($_,\*ERR); + copy($_,$errlogs{$_}) if defined($errlogs{$_}); + unlink($_); + } + close ERR; + + if ($opts{capture}) { + return @r; + } else { + return $r; + } +} + +END { + my $tb = Test::More->builder; + my $failure = scalar(grep { $_ == 0; } $tb->summary); + if ($failure && $end_with_bailout) { + BAIL_OUT("Stoptest!"); + } +} + +=head2 Utility functions + +The following functions are exported on request when using C. + + # To only get the top_file function. + use OpenSSL::Test qw/top_file/; + + # To only get the top_file function in addition to the default ones. + use OpenSSL::Test qw/:DEFAULT top_file/; + +=cut + +# Utility functions, exported on request + +=over 4 + +=item B + +LIST is a list of directories that make up a path from the top of the OpenSSL +source directory (as indicated by the environment variable C<$TOP>). +C returns the resulting directory as a string, adapted to the local +operating system. + +=back + +=cut + +sub top_dir { + return __top_file(@_, ""); # This caters for operating systems that have + # a very distinct syntax for directories. +} + +=over 4 + +=item B + +LIST is a list of directories that make up a path from the top of the OpenSSL +source directory (as indicated by the environment variable C<$TOP>) and +FILENAME is the name of a file located in that directory path. +C returns the resulting file path as a string, adapted to the local +operating system. + +=back + +=cut + +sub top_file { + return __top_file(@_); +} + +=over 4 + +=item B + +LIST is a list of CODEREFs returned by C or C, from which C +creates a new command composed of all the given commands put together in a +pipe. C returns a new CODEREF in the same manner as C or C, +to be passed to C for execution. + +=back + +=cut + +sub pipe { + my @cmds = @_; + return + sub { + my @cs = (); + my @dcs = (); + my @els = (); + my $counter = 0; + foreach (@cmds) { + my ($c, $dc, @el) = $_->(++$counter); + + return () if !$c; + + push @cs, $c; + push @dcs, $dc; + push @els, @el; + } + return ( + join(" | ", @cs), + join(" | ", @dcs), + @els + ); + }; +} + +=over 4 + +=item B + +C will temporarly install hooks given by the HASHREF and then execute +the given CODEREF. Hooks are usually expected to have a coderef as value. + +The currently available hoosk are: + +=over 4 + +=item B CODEREF> + +This hook is executed after C has performed its given command. The +CODEREF receives the exit code as only argument and is expected to return +1 (if the exit code indicated success) or 0 (if the exit code indicated +failure). + +=back + +=back + +=cut + +sub with { + my $opts = shift; + my %opts = %{$opts}; + my $codeblock = shift; + + my %saved_hooks = (); + + foreach (keys %opts) { + $saved_hooks{$_} = $hooks{$_} if exists($hooks{$_}); + $hooks{$_} = $opts{$_}; + } + + $codeblock->(); + + foreach (keys %saved_hooks) { + $hooks{$_} = $saved_hooks{$_}; + } +} + +=over 4 + +=item B + +C takes a CODEREF from C or C and simply returns the +command as a string. + +=back + +=cut + +sub cmdstr { + my ($cmd, $display_cmd, %errlogs) = shift->(0); + + return $display_cmd; +} + +=over 4 + +=item B + +LIST is a list of strings that are going to be used as arguments for a +command, and makes sure to inject quotes and escapes as necessary depending +on the content of each string. + +This can also be used to put quotes around the executable of a command. +I + +=back + +=cut + +sub quotify { + # Unix setup (default if nothing else is mentioned) + my $arg_formatter = + sub { $_ = shift; /\s|[\{\}\\\$\[\]\*\?\|\&:;<>]/ ? "'$_'" : $_ }; + + if ( $^O eq "VMS") { # VMS setup + $arg_formatter = sub { + $_ = shift; + if (/\s|["[:upper:]]/) { + s/"/""/g; + '"'.$_.'"'; + } else { + $_; + } + }; + } elsif ( $^O eq "MSWin32") { # MSWin setup + $arg_formatter = sub { + $_ = shift; + if (/\s|["\|\&\*\;<>]/) { + s/(["\\])/\\$1/g; + '"'.$_.'"'; + } else { + $_; + } + }; + } + + return map { $arg_formatter->($_) } @_; +} + +###################################################################### +# private functions. These are never exported. + +=head1 ENVIRONMENT + +OpenSSL::Test depends on some environment variables. + +=over 4 + +=item B + +This environment variable is mandatory. C will check that it's +defined and that it's a directory that contains the file C. +If this isn't so, C will C. + +=item B + +If defined, its value should be the directory where the openssl application +is located. Defaults to C<$TOP/apps> (adapted to the operating system). + +=item B + +If defined, its value should be the directory where the test applications +are located. Defaults to C<$TOP/test> (adapted to the operating system). + +=item B + +If defined, its value should be the directory where the log files are +located. Defaults to C<$TEST_D>. + +=item B + +If defined, it puts testing in a different mode, where a recipe with +failures will result in a C at the end of its run. + +=back + +=cut + +sub __env { + $directories{TOP} = $ENV{TOP}, + $directories{APPS} = $ENV{BIN_D} || catdir($directories{TOP},"apps"); + $directories{TEST} = $ENV{TEST_D} || catdir($directories{TOP},"test"); + $directories{RESULTS} = $ENV{RESULT_D} || $directories{TEST}; + + $end_with_bailout = $ENV{STOPTEST} ? 1 : 0; +}; + +sub __top_file { + BAIL_OUT("Must run setup() first") if (! $test_name); + + my $f = pop; + return catfile($directories{TOP}, at _,$f); +} + +sub __test_file { + BAIL_OUT("Must run setup() first") if (! $test_name); + + my $f = pop; + return catfile($directories{TEST}, at _,$f); +} + +sub __apps_file { + BAIL_OUT("Must run setup() first") if (! $test_name); + + my $f = pop; + return catfile($directories{APPS}, at _,$f); +} + +sub __results_file { + BAIL_OUT("Must run setup() first") if (! $test_name); + + my $f = pop; + return catfile($directories{RESULTS}, at _,$f); +} + +sub __test_log { + return __results_file("$test_name.log"); +} + +sub __cwd { + my $dir = shift; + my %opts = @_; + my $abscurdir = rel2abs(curdir()); + my $absdir = rel2abs($dir); + my $reverse = abs2rel($abscurdir, $absdir); + + # PARANOIA: if we're not moving anywhere, we do nothing more + if ($abscurdir eq $absdir) { + return $reverse; + } + + # Do not support a move to a different volume for now. Maybe later. + BAIL_OUT("FAILURE: \"$dir\" moves to a different volume, not supported") + if $reverse eq $abscurdir; + + # If someone happened to give a directory that leads back to the current, + # it's extremely silly to do anything more, so just simulate that we did + # move. + # In this case, we won't even clean it out, for safety's sake. + return "." if $reverse eq ""; + + $dir = canonpath($dir); + if ($opts{create}) { + mkpath($dir); + } + + # Should we just bail out here as well? I'm unsure. + return undef unless chdir($dir); + + if ($opts{cleanup}) { + remove_tree(".", { safe => 0, keep_root => 1 }); + } + + # For each of these directory variables, figure out where they are relative + # to the directory we want to move to if they aren't absolute (if they are, + # they don't change!) + my @dirtags = ("TOP", "TEST", "APPS", "RESULTS"); + foreach (@dirtags) { + if (!file_name_is_absolute($directories{$_})) { + my $newpath = abs2rel(rel2abs($directories{$_}), rel2abs($dir)); + $directories{$_} = $newpath; + } + } + + if (0) { + print STDERR "DEBUG: __cwd(), directories and files:\n"; + print STDERR " \$directories{TEST} = \"$directories{TEST}\"\n"; + print STDERR " \$directories{RESULTS} = \"$directories{RESULTS}\"\n"; + print STDERR " \$directories{APPS} = \"$directories{APPS}\"\n"; + print STDERR " \$directories{TOP} = \"$directories{TOP}\"\n"; + print STDERR " \$test_log = \"",__test_log(),"\"\n"; + print STDERR "\n"; + print STDERR " current directory is \"",curdir(),"\"\n"; + print STDERR " the way back is \"$reverse\"\n"; + } + + return $reverse; +} + +sub __fixup_cmd { + my $prog = shift; + + my $prefix = __top_file("util", "shlib_wrap.sh")." "; + my $ext = $ENV{"EXE_EXT"} || ""; + + if ( $^O eq "VMS" ) { # VMS + $prefix = "mcr "; + $ext = ".exe"; + } elsif ($^O eq "MSWin32") { # Windows + $prefix = ""; + $ext = ".exe"; + } + + # We test both with and without extension. The reason + # is that we might, for example, be passed a Perl script + # ending with .pl... + my $file = "$prog$ext"; + if ( -x $file ) { + return $prefix.$file; + } elsif ( -f $prog ) { + return $prog; + } + + print STDERR "$prog not found\n"; + return undef; +} + +sub __build_cmd { + BAIL_OUT("Must run setup() first") if (! $test_name); + + my $num = shift; + my $path_builder = shift; + # Make a copy to not destroy the caller's array + my @cmdarray = ( @{$_[0]} ); shift; + my $cmd = __fixup_cmd($path_builder->(shift @cmdarray)); + my @args = @cmdarray; + my %opts = @_; + + return () if !$cmd; + + my $arg_str = ""; + my $null = devnull(); + + + $arg_str = " ".join(" ", quotify @args) if @args; + + my $fileornull = sub { $_[0] ? $_[0] : $null; }; + my $stdin = ""; + my $stdout = ""; + my $stderr = ""; + my $saved_stderr = undef; + $stdin = " < ".$fileornull->($opts{stdin}) if exists($opts{stdin}); + $stdout= " > ".$fileornull->($opts{stdout}) if exists($opts{stdout}); + $stderr=" 2> ".$fileornull->($opts{stderr}) if exists($opts{stderr}); + + $saved_stderr = $opts{stderr} if defined($opts{stderr}); + + my $errlog = $num ? "$test_name.$num.tmp_err" : "$test_name.tmp_err"; + my $display_cmd = "$cmd$arg_str$stdin$stdout$stderr"; + $cmd .= "$arg_str$stdin$stdout 2> $errlog"; + + return ($cmd, $display_cmd, $errlog => $saved_stderr); +} + +=head1 SEE ALSO + +L, L + +=head1 AUTHORS + +Richard Levitte Elevitte at openssl.orgE with assitance and +inspiration from Andy Polyakov Eappro at openssl.org. + +=cut + +1; diff --git a/test/testlib/OpenSSL/Test/Simple.pm b/test/testlib/OpenSSL/Test/Simple.pm new file mode 100644 index 0000000..874a156 --- /dev/null +++ b/test/testlib/OpenSSL/Test/Simple.pm @@ -0,0 +1,78 @@ +package OpenSSL::Test::Simple; + +use strict; +use warnings; + +use Exporter; +use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS); +$VERSION = "0.2"; + at ISA = qw(Exporter); + at EXPORT = qw(simple_test); + +=head1 NAME + +OpenSSL::Test::Simple - a few very simple test functions + +=head1 SYNOPSIS + + use OpenSSL::Test::Simple; + + simple_test("my_test_name", "des", "destest"); + +=head1 DESCRIPTION + +Sometimes, the functions in L are quite tedious for some +repetitive tasks. This module provides functions to make life easier. +You could call them hacks if you wish. + +=cut + +use OpenSSL::Test; + +=over 4 + +=item B + +Runs a test named NAME, running the program PROGRAM with no arguments, +to test the algorithm ALGORITHM. + +A complete recipe looks like this: + + use OpenSSL::Test::Simple; + + simple_test("test_bf", "bftest", "bf"); + +=back + +=cut + +# args: +# name (used with setup()) +# algorithm (used to check if it's at all supported) +# name of binary (the program that does the actual test) +sub simple_test { + my ($name, $prgr, $algo, @rest) = @_; + + setup($name); + + plan tests => 1; + SKIP: { + skip "$algo is not supported by this OpenSSL build, skipping this test...", 1 + if $algo && run(app(["openssl", "no-$algo"])); + + ok(run(test([$prgr])), "running $prgr"); + } +} + +=head1 SEE ALSO + +L + +=head1 AUTHORS + +Richard Levitte Elevitte at openssl.orgE with inspiration +from Rich Salz Ersalz at openssl.org. + +=cut + +1; diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 6091a69..9d8a47d 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -752,7 +752,9 @@ headers: \$(HEADER) lib: \$(LIBS_DEP) \$(E_SHLIB) -exe: \$(T_EXE) \$(BIN_D)$o\$(E_EXE)$exep +exe: apps testapps +apps: \$(BIN_D)$o\$(E_EXE)$exep +testapps: \$(T_EXE) install: all \$(MKDIR) \"\$(INSTALLTOP)\" @@ -777,15 +779,8 @@ reallyclean: EOF -if ($orig_platform ne 'copy') - { - $rules .= <<"EOF"; -test: \$(T_EXE) - cd \$(BIN_D) - ..${o}ms${o}test - -EOF - } +$rules .= &do_rehash_rule("rehash", "certs apps"); +$rules .= &do_test_rule("test", "rehash", "run_tests.pl"); my $platform_cpp_symbol = "MK1MF_PLATFORM_$platform"; $platform_cpp_symbol =~ s/-/_/g; @@ -1004,8 +999,6 @@ if ($fips) $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)", ($fips && !$shlib) ? 2 : 0); -$rules .= get_tests('test/Makefile') if $orig_platform eq 'copy'; - print $defs; if ($platform eq "linux-elf") { diff --git a/util/pl/BC-32.pl b/util/pl/BC-32.pl index fd5c4b6..3b2b854 100644 --- a/util/pl/BC-32.pl +++ b/util/pl/BC-32.pl @@ -94,6 +94,29 @@ if ($shlib) $tmp_def="tmp32dll"; } +sub do_rehash_rule { + my ($target, $deps) = @_; + my $ret = <<"EOF"; +$target: $deps + set OPENSSL=\$(BIN_D)${o}openssl.exe + set OPENSSL_DEBUG_MEMORY=on + \$(PERL) tools/c_rehash certs/demo +EOF + return $ret +} +sub do_test_rule { + my ($target, $deps, $test_cmd) = @_; + my $ret = <<"EOF"; +$target: $deps force.$target + set TOP=. + set BIN_D=\$(BIN_D) + set TEST_D=\$(TEST_D) + set PERL=\$(PERL) + \$(PERL) test\\$test_cmd +force.$target: +EOF +} + sub do_lib_rule { local($objs,$target,$name,$shlib)=@_; diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl index bf6aebf..a2d35c6 100644 --- a/util/pl/VC-32.pl +++ b/util/pl/VC-32.pl @@ -300,6 +300,29 @@ elsif ($shlib && $FLAVOR =~ /CE/) $lib_cflag.=" -D_DLL" if (!$fipscanisterbuild); } +sub do_rehash_rule { + my ($target, $deps) = @_; + my $ret = <<"EOF"; +$target: $deps + set OPENSSL=\$(BIN_D)${o}openssl.exe + set OPENSSL_DEBUG_MEMORY=on + \$(PERL) tools/c_rehash certs/demo +EOF + return $ret +} +sub do_test_rule { + my ($target, $deps, $test_cmd) = @_; + my $ret = <<"EOF"; +$target: $deps force.$target + set TOP=. + set BIN_D=\$(BIN_D) + set TEST_D=\$(TEST_D) + set PERL=\$(PERL) + \$(PERL) test\\$test_cmd +force.$target: +EOF +} + sub do_lib_rule { my($objs,$target,$name,$shlib,$ign,$base_addr) = @_; diff --git a/util/pl/unix.pl b/util/pl/unix.pl index 40bbe0d..528d4d0 100644 --- a/util/pl/unix.pl +++ b/util/pl/unix.pl @@ -186,267 +186,28 @@ sub which } } -sub fixtests - { - my ($str, $tests) = @_; - - foreach my $t (keys %$tests) - { - $str =~ s/(\.\/)?\$\($t\)/\$(TEST_D)\/$tests->{$t}/g; - } - - return $str; - } - -sub fixdeps - { - my ($str, $fakes) = @_; - - my @t = split(/\s+/, $str); - $str = ''; - foreach my $t (@t) - { - $str .= ' ' if $str ne ''; - if (exists($fakes->{$t})) - { - $str .= $fakes->{$t}; - next; - } - if ($t =~ /^[^\/]+$/) - { - $str .= '$(TEST_D)/' . $t; - } - else - { - $str .= $t; - } - } - - return $str; - } - -sub fixrules - { - my ($str) = @_; - - # Compatible with -j... -# $str =~ s/^(\s+@?)/$1cd \$(TEST_D) && /; -# return $str; - - # Compatible with not -j. - my @t = split("\n", $str); - $str = ''; - my $prev; - foreach my $t (@t) - { - $t =~ s/^\s+//; - if (!$prev) - { - if ($t =~ /^@/) - { - $t =~ s/^@/\@cd \$(TEST_D) && /; - } - elsif ($t !~ /^\s*#/ && $t !~ /^echo/) - { - $t = 'cd $(TEST_D) && ' . $t; - } - } - $str .= "\t$t\n"; - $prev = $t =~/\\$/; - } - return $str; +sub do_rehash_rule { + my ($target, $deps) = @_; + my $ret = <<"EOF"; +$target: $deps + (OPENSSL="`pwd`/util/opensslwrap.sh"; \\ + OPENSSL_DEBUG_MEMORY=on; \\ + export OPENSSL OPENSSL_DEBUG_MEMORY; \\ + \$(PERL) tools/c_rehash certs/demo) +EOF + return $ret } +sub do_test_rule { + my ($target, $deps, $test_cmd) = @_; + my $ret = <<"EOF"; +$target: $deps force.$target + TOP=. BIN_D=\$(BIN_D) TEST_D=\$(TEST_D) \\ + PERL=\$(PERL) \$(PERL) test/$test_cmd +force.$target: -sub copy_scripts - { - my ($sed, $src, @targets) = @_; - - my $s = ''; - foreach my $t (@targets) - { - # Copy first so we get file modes... - $s .= "\$(TEST_D)/$t: \$(SRC_D)/$src/$t\n\tcp \$(SRC_D)/$src/$t \$(TEST_D)/$t\n"; - $s .= "\tsed -e 's/\\.\\.\\/apps/..\\/\$(OUT_D)/' -e 's/\\.\\.\\/util/..\\/\$(TEST_D)/' < \$(SRC_D)/$src/$t > \$(TEST_D)/$t\n" if $sed; - $s .= "\n"; - } - return $s; - } - -sub get_tests - { - my ($makefile) = @_; - - open(M, $makefile) || die "Can't open $makefile: $!"; - my %targets; - my %deps; - my %tests; - my %alltests; - my %fakes; - while (my $line = ) - { - chomp $line; - while ($line =~ /^(.*)\\$/) - { - $line = $1 . ; - } - - if ($line =~ /^alltests:(.*)$/) - { - my @t = split(/\s+/, $1); - foreach my $t (@t) - { - $targets{$t} = ''; - $alltests{$t} = undef; - } - } - - if (($line =~ /^(?\S+):(?.*)$/ && exists $targets{$1}) - || $line =~ /^(?test_(ss|gen) .*):(?.*)/) - { - my $t = $+{t}; - my $d = $+{d}; - # If there are multiple targets stupid FreeBSD make runs the - # rules once for each dependency that matches one of the - # targets. Running the same rule twice concurrently causes - # breakage, so replace with a fake target. - if ($t =~ /\s/) - { - ++$fake; - my @targets = split /\s+/, $t; - $t = "_fake$fake"; - foreach my $f (@targets) - { - $fakes{$f} = $t; - } - } - $deps{$t} = $d; - $deps{$t} =~ s/#.*$//; - for (;;) - { - $line = ; - chomp $line; - last if $line eq ''; - $targets{$t} .= "$line\n"; - } - next; - } - - if ($line =~ /^(\S+TEST)=\s*(\S+)$/) - { - $tests{$1} = $2; - next; - } - } - - delete $alltests{test_jpake} if $no_jpake; - delete $targets{test_ige} if $no_ige; - delete $alltests{test_md2} if $no_md2; - delete $alltests{test_rc5} if $no_rc5; - - my $tests; - foreach my $t (keys %tests) - { - $tests .= "$t = $tests{$t}\n"; - } - - my $each; - foreach my $t (keys %targets) - { - next if $t eq ''; - - my $d = $deps{$t}; - $d =~ s/\.\.\/apps/\$(BIN_D)/g; - $d =~ s/\.\.\/util/\$(TEST_D)/g; - $d = fixtests($d, \%tests); - $d = fixdeps($d, \%fakes); - - my $r = $targets{$t}; - $r =~ s/\.\.\/apps/..\/\$(BIN_D)/g; - $r =~ s/\.\.\/util/..\/\$(TEST_D)/g; - $r =~ s/\.\.\/(\S+)/\$(SRC_D)\/$1/g; - $r = fixrules($r); - - next if $r eq ''; - - $t =~ s/\s+/ \$(TEST_D)\//g; - - $each .= "$t: test_scripts $d\n\t\@echo '$t test started'\n$r\t\@echo '$t test done'\n\n"; - } - - # FIXME: Might be a clever way to figure out what needs copying - my @copies = ( 'bctest', - 'testgen', - 'cms-test.pl', - 'tx509', - 'test.cnf', - 'testenc', - 'tocsp', - 'testca', - 'CAss.cnf', - 'testtsa', - 'CAtsa.cnf', - 'Uss.cnf', - 'P1ss.cnf', - 'P2ss.cnf', - 'tcrl', - 'tsid', - 'treq', - 'tpkcs7', - 'tpkcs7d', - 'tkey', - 'testcrl.pem', - 'testx509.pem', - 'v3-cert1.pem', - 'v3-cert2.pem', - 'testreq2.pem', - 'testp7.pem', - 'pkcs7-1.pem', - 'trsa', - 'testdsa.pem', - 'testdsapub.pem', - 'testec-p256.pem', - 'testecpub-p256.pem', - 'testrsa.pem', - 'testrsapub.pem', - 'testsid.pem', - 'testss', - 'testssl', - 'testsslproxy', - 'serverinfo.pem', - ); - my $copies = copy_scripts(1, 'test', @copies); - $copies .= copy_scripts(0, 'test', ('smcont.txt', 'evptests.txt')); - - - my @utils = ( 'shlib_wrap.sh', - 'opensslwrap.sh', - ); - $copies .= copy_scripts(1, 'util', @utils); - - my @apps = ( 'CA.pl', - 'openssl.cnf', - 'server2.pem', - ); - $copies .= copy_scripts(1, 'apps', @apps); - - $scripts = "test_scripts: \$(TEST_D)/CA.pl \$(TEST_D)/opensslwrap.sh \$(TEST_D)/openssl.cnf \$(TEST_D)/shlib_wrap.sh ocsp smime\n"; - $scripts .= "\nocsp:\n\tcp -R test/ocsp-tests \$(TEST_D)\n"; - $scripts .= "\smime:\n\tcp -R test/smime-certs \$(TEST_D)\n"; - - my $all = 'test:'; - foreach my $t (keys %alltests) - { - if (exists($fakes{$t})) - { - $all .= " $fakes{$t}"; - } - else - { - $all .= " $t"; - } - } +EOF + return $ret; +} - return "$scripts\n$copies\n$tests\n$all\n\n$each"; - } 1; From rsalz at openssl.org Mon Sep 7 18:41:14 2015 From: rsalz at openssl.org (Rich Salz) Date: Mon, 07 Sep 2015 18:41:14 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441651274.887863.28252.nullmailer@dev.openssl.org> The branch master has been updated via ce249fac5770acf9d92f13a223d83f88a7ea56c1 (commit) from a351805733a2c0511c61e7fef06fe645e31a4796 (commit) - Log ----------------------------------------------------------------- commit ce249fac5770acf9d92f13a223d83f88a7ea56c1 Author: Rich Salz Date: Mon Sep 7 10:08:14 2015 -0400 GH391: Apple port Also make internal functions consistently return values, and add a comment documenting them. Reviewed-by: Ben Laurie ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 85 +++++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 57 insertions(+), 28 deletions(-) diff --git a/apps/rehash.c b/apps/rehash.c index 672a42a..04827f2 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -124,7 +124,10 @@ static int bit_isset(unsigned char *set, unsigned int bit) } -static void add_entry(enum Type type, unsigned int hash, const char *filename, +/* + * Process an entry; return number of errors. + */ +static int add_entry(enum Type type, unsigned int hash, const char *filename, const unsigned char *digest, int need_symlink, unsigned short old_id) { @@ -151,7 +154,7 @@ static void add_entry(enum Type type, unsigned int hash, const char *filename, BIO_printf(bio_err, "%s: skipping duplicate certificate in %s\n", opt_getprog(), filename); - return; + return 1; } if (strcmp(filename, ep->filename) == 0) { found = ep; @@ -161,8 +164,12 @@ static void add_entry(enum Type type, unsigned int hash, const char *filename, } ep = found; if (ep == NULL) { - if (bp->num_needed >= MAX_COLLISIONS) - return; + if (bp->num_needed >= MAX_COLLISIONS) { + BIO_printf(bio_err, + "%s: hash table overflow for %s\n", + opt_getprog(), filename); + return 1; + } ep = app_malloc(sizeof(*ep), "collision bucket"); *ep = nilhentry; ep->old_id = ~0; @@ -181,8 +188,13 @@ static void add_entry(enum Type type, unsigned int hash, const char *filename, bp->num_needed++; memcpy(ep->digest, digest, evpmdsize); } + return 0; } +/* + * Check if a symlink goes to the right spot; return 0 if okay. + * This can be -1 if bad filename, or an error count. + */ static int handle_symlink(const char *filename, const char *fullpath) { unsigned int hash = 0; @@ -214,41 +226,50 @@ static int handle_symlink(const char *filename, const char *fullpath) return -1; linktarget[n] = 0; - add_entry(type, hash, linktarget, NULL, 0, id); - return 0; + return add_entry(type, hash, linktarget, NULL, 0, id); } +/* + * process a file, return number of errors. + */ static int do_file(const char *filename, const char *fullpath, enum Hash h) { - STACK_OF (X509_INFO) *inf; + STACK_OF (X509_INFO) *inf = NULL; X509_INFO *x; X509_NAME *name = NULL; BIO *b; const char *ext; unsigned char digest[EVP_MAX_MD_SIZE]; - int i, type, ret = -1; + int i, type, errs = 0; + /* Does it end with a recognized extension? */ if ((ext = strrchr(filename, '.')) == NULL) - return 0; + goto end; for (i = 0; i < (int)OSSL_NELEM(extensions); i++) { if (strcasecmp(extensions[i], ext + 1) == 0) break; } if (i >= (int)OSSL_NELEM(extensions)) - return -1; + goto end; - if ((b = BIO_new_file(fullpath, "r")) == NULL) - return -1; + /* Does it have X.509 data in it? */ + if ((b = BIO_new_file(fullpath, "r")) == NULL) { + BIO_printf(bio_err, "%s: skipping %s, cannot open file\n", + opt_getprog(), filename); + errs++; + goto end; + } inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL); BIO_free(b); if (inf == NULL) - return -1; + goto end; if (sk_X509_INFO_num(inf) != 1) { BIO_printf(bio_err, "%s: skipping %s," "it does not contain exactly one certificate or CRL\n", opt_getprog(), filename); + /* This is not an error. */ goto end; } x = sk_X509_INFO_value(inf, 0); @@ -263,16 +284,19 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) } if (name) { if ((h == HASH_NEW) || (h == HASH_BOTH)) - add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); if ((h == HASH_OLD) || (h == HASH_BOTH)) - add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); } end: sk_X509_INFO_pop_free(inf, X509_INFO_free); - return ret; + return errs; } +/* + * Process a directory; return number of errors found. + */ static int do_dir(const char *dirname, enum Hash h) { BUCKET *bp, *nextbp; @@ -280,7 +304,7 @@ static int do_dir(const char *dirname, enum Hash h) OPENSSL_DIR_CTX *d = NULL; struct stat st; unsigned char idmask[MAX_COLLISIONS / 8]; - int i, n, nextid, buflen, ret = -1; + int i, n, nextid, buflen, errs = 0; const char *pathsep; const char *filename; char *buf; @@ -301,7 +325,7 @@ static int do_dir(const char *dirname, enum Hash h) continue; if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0) continue; - do_file(filename, buf, h); + errs += do_file(filename, buf, h); } OPENSSL_DIR_end(&d); @@ -334,15 +358,19 @@ static int do_dir(const char *dirname, enum Hash h) if (verbose) BIO_printf(bio_out, "link %s -> %s\n", ep->filename, &buf[n]); - if (unlink(buf) < 0 && errno != ENOENT) + if (unlink(buf) < 0 && errno != ENOENT) { BIO_printf(bio_err, "%s: Can't unlink %s, %s\n", opt_getprog(), buf, strerror(errno)); - if (symlink(ep->filename, buf) < 0) + errs++; + } + if (symlink(ep->filename, buf) < 0) { BIO_printf(bio_err, "%s: Can't symlink %s, %s\n", opt_getprog(), ep->filename, strerror(errno)); + errs++; + } } else if (remove_links) { /* Link to be deleted */ snprintf(buf, buflen, "%s%s%n%08x.%s%d", @@ -351,10 +379,12 @@ static int do_dir(const char *dirname, enum Hash h) if (verbose) BIO_printf(bio_out, "unlink %s\n", &buf[n]); - if (unlink(buf) < 0 && errno != ENOENT) + if (unlink(buf) < 0 && errno != ENOENT) { BIO_printf(bio_err, "%s: Can't unlink %s, %s\n", opt_getprog(), buf, strerror(errno)); + errs++; + } } OPENSSL_free(ep->filename); OPENSSL_free(ep); @@ -363,10 +393,9 @@ static int do_dir(const char *dirname, enum Hash h) } hash_table[i] = NULL; } - ret = 0; OPENSSL_free(buf); - return ret; + return errs; } typedef enum OPTION_choice { @@ -390,7 +419,7 @@ int rehash_main(int argc, char **argv) { const char *env, *prog; char *e, *m; - int ret = 0; + int errs = 0; OPTION_CHOICE o; enum Hash h = HASH_NEW; @@ -426,18 +455,18 @@ int rehash_main(int argc, char **argv) if (*argv) { while (*argv) - ret |= do_dir(*argv++, h); + errs += do_dir(*argv++, h); } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { m = BUF_strdup(env); for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) - ret |= do_dir(e, h); + errs += do_dir(e, h); OPENSSL_free(m); } else { - ret |= do_dir("/etc/ssl/certs", h); + errs += do_dir("/etc/ssl/certs", h); } end: - return ret ? 2 : 0; + return errs; } #else From levitte at openssl.org Mon Sep 7 22:55:01 2015 From: levitte at openssl.org (Richard Levitte) Date: Mon, 07 Sep 2015 22:55:01 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441666501.383594.440.nullmailer@dev.openssl.org> The branch master has been updated via 6b33d10686993191a99ad758cb59fb89c3d7abda (commit) from ce249fac5770acf9d92f13a223d83f88a7ea56c1 (commit) - Log ----------------------------------------------------------------- commit 6b33d10686993191a99ad758cb59fb89c3d7abda Author: Richard Levitte Date: Mon Sep 7 16:26:04 2015 +0200 Adjust the verify_extra test recipe to its executable The verify_extra_test was recently changed to take its parameters as arguments instead of having them hardcoded. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: test/recipes/70-test_verify_extra.t | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/test/recipes/70-test_verify_extra.t b/test/recipes/70-test_verify_extra.t index 3ef4a27..eec8904 100644 --- a/test/recipes/70-test_verify_extra.t +++ b/test/recipes/70-test_verify_extra.t @@ -1,5 +1,12 @@ #! /usr/bin/perl -use OpenSSL::Test::Simple; +use OpenSSL::Test qw/:DEFAULT top_file/; -simple_test("test_verify_extra", "verify_extra_test"); +setup("test_verify_extra"); + +plan tests => 1; + +ok(run(test(["verify_extra_test", + top_file("test", "certs", "roots.pem"), + top_file("test", "certs", "untrusted.pem"), + top_file("test", "certs", "bad.pem")]))); From levitte at openssl.org Tue Sep 8 00:46:39 2015 From: levitte at openssl.org (Richard Levitte) Date: Tue, 08 Sep 2015 00:46:39 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441673199.623864.16612.nullmailer@dev.openssl.org> The branch master has been updated via e51fb759a6f1d81eee422703dc424aaf1e63a80b (commit) from 6b33d10686993191a99ad758cb59fb89c3d7abda (commit) - Log ----------------------------------------------------------------- commit e51fb759a6f1d81eee422703dc424aaf1e63a80b Author: Richard Levitte Date: Tue Sep 8 00:59:50 2015 +0200 Adjust the general fill-column in doc/dir-locals.example.el Having a general fill-column of 78 may look nice at first sight, but if the edited text gets indented a bit afterward (such as with git comments in 'git log'), it suddenly turns not so nice on a classic 80 columns terminal. A fill-column of 70 will serve us better. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: doc/dir-locals.example.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/dir-locals.example.el b/doc/dir-locals.example.el index 79d0b01..dc0d554 100644 --- a/doc/dir-locals.example.el +++ b/doc/dir-locals.example.el @@ -9,7 +9,7 @@ ((nil (indent-tabs-mode . nil) - (fill-column . 78) + (fill-column . 70) ) (c-mode (c-file-style . "OpenSSL-II"))) From levitte at openssl.org Tue Sep 8 00:48:10 2015 From: levitte at openssl.org (Richard Levitte) Date: Tue, 08 Sep 2015 00:48:10 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441673290.242469.17586.nullmailer@dev.openssl.org> The branch master has been updated via 55b2258859da5e8156dc9091911ce182945291fe (commit) from e51fb759a6f1d81eee422703dc424aaf1e63a80b (commit) - Log ----------------------------------------------------------------- commit 55b2258859da5e8156dc9091911ce182945291fe Author: Richard Levitte Date: Tue Sep 8 01:23:49 2015 +0200 Fix a few tests that depended on the wrong algorithm check test_ecdh and test_ecdsa are made to depend on no-ec being false. test_hmac is made not to depend on algorithm at all. Based on a contribution by Alessandro Ghedini Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: test/recipes/05-test_hmac.t | 2 +- test/recipes/15-test_ecdh.t | 2 +- test/recipes/15-test_ecdsa.t | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/recipes/05-test_hmac.t b/test/recipes/05-test_hmac.t index 469d43f..ba7a92b 100644 --- a/test/recipes/05-test_hmac.t +++ b/test/recipes/05-test_hmac.t @@ -2,4 +2,4 @@ use OpenSSL::Test::Simple; -simple_test("test_hmac", "hmactest", "hmac"); +simple_test("test_hmac", "hmactest"); diff --git a/test/recipes/15-test_ecdh.t b/test/recipes/15-test_ecdh.t index 7cdfea6..acccea8 100644 --- a/test/recipes/15-test_ecdh.t +++ b/test/recipes/15-test_ecdh.t @@ -2,4 +2,4 @@ use OpenSSL::Test::Simple; -simple_test("test_ecdh", "ecdhtest", "ecdh"); +simple_test("test_ecdh", "ecdhtest", "ec"); diff --git a/test/recipes/15-test_ecdsa.t b/test/recipes/15-test_ecdsa.t index aa4622f..992bb96 100644 --- a/test/recipes/15-test_ecdsa.t +++ b/test/recipes/15-test_ecdsa.t @@ -2,4 +2,4 @@ use OpenSSL::Test::Simple; -simple_test("test_ecdsa", "ecdsatest", "ecdsa"); +simple_test("test_ecdsa", "ecdsatest", "ec"); From rsalz at openssl.org Tue Sep 8 01:58:12 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 08 Sep 2015 01:58:12 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441677492.874719.1477.nullmailer@dev.openssl.org> The branch master has been updated via 5278dec375c9a2d991db4c533b60e09c6c80e6e3 (commit) from 55b2258859da5e8156dc9091911ce182945291fe (commit) - Log ----------------------------------------------------------------- commit 5278dec375c9a2d991db4c533b60e09c6c80e6e3 Author: Rich Salz Date: Mon Sep 7 21:39:44 2015 -0400 add support for apple os/x Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apps/rehash.c b/apps/rehash.c index 04827f2..b235e1b 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -2,7 +2,6 @@ * C implementation based on the original Perl and shell versions * * Copyright (c) 2013-2014 Timo Ter?s - * All rights reserved. */ /* ==================================================================== * Copyright (c) 2015 The OpenSSL Project. All rights reserved. @@ -60,7 +59,7 @@ #include "apps.h" -#ifdef unix +#if defined(unix) || defined(__APPLE__) # include # include # include @@ -480,4 +479,4 @@ int rehash_main(int argc, char **argv) return (1); } -#endif +#endif /* defined(unix) || defined(__APPLE__) */ From ben at openssl.org Tue Sep 8 04:49:58 2015 From: ben at openssl.org (Ben Laurie) Date: Tue, 08 Sep 2015 04:49:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441687798.591657.28835.nullmailer@dev.openssl.org> The branch master has been updated via 8c82de991b73caa25f06a181d86550cfcf457858 (commit) from 5278dec375c9a2d991db4c533b60e09c6c80e6e3 (commit) - Log ----------------------------------------------------------------- commit 8c82de991b73caa25f06a181d86550cfcf457858 Author: Ben Laurie Date: Mon Sep 7 18:33:09 2015 +0100 Fix uninit warning. Remove unnecessary casts. Nothing to add is an error. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/apps/rehash.c b/apps/rehash.c index b235e1b..8417449 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -239,16 +239,17 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) BIO *b; const char *ext; unsigned char digest[EVP_MAX_MD_SIZE]; - int i, type, errs = 0; + int type, errs = 0; + size_t i; /* Does it end with a recognized extension? */ if ((ext = strrchr(filename, '.')) == NULL) goto end; - for (i = 0; i < (int)OSSL_NELEM(extensions); i++) { + for (i = 0; i < OSSL_NELEM(extensions); i++) { if (strcasecmp(extensions[i], ext + 1) == 0) break; } - if (i >= (int)OSSL_NELEM(extensions)) + if (i >= OSSL_NELEM(extensions)) goto end; /* Does it have X.509 data in it? */ @@ -280,6 +281,9 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h) type = TYPE_CRL; name = X509_CRL_get_issuer(x->crl); X509_CRL_digest(x->crl, evpmd, digest, NULL); + } else { + ++errs; + goto end; } if (name) { if ((h == HASH_NEW) || (h == HASH_BOTH)) @@ -303,7 +307,8 @@ static int do_dir(const char *dirname, enum Hash h) OPENSSL_DIR_CTX *d = NULL; struct stat st; unsigned char idmask[MAX_COLLISIONS / 8]; - int i, n, nextid, buflen, errs = 0; + int n, nextid, buflen, errs = 0; + size_t i; const char *pathsep; const char *filename; char *buf; @@ -328,7 +333,7 @@ static int do_dir(const char *dirname, enum Hash h) } OPENSSL_DIR_end(&d); - for (i = 0; i < (int)OSSL_NELEM(hash_table); i++) { + for (i = 0; i < OSSL_NELEM(hash_table); i++) { for (bp = hash_table[i]; bp; bp = nextbp) { nextbp = bp->next; nextid = 0; From rsalz at openssl.org Tue Sep 8 15:37:30 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 08 Sep 2015 15:37:30 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441726650.569613.24549.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 7b8a9992021c496df1826ca29f65c366b544689c (commit) from 2df619b06ca0026e40e8689020b0e54ed7165583 (commit) - Log ----------------------------------------------------------------- commit 7b8a9992021c496df1826ca29f65c366b544689c Author: Rich Salz Date: Tue Sep 8 11:37:05 2015 -0400 Remove bogus CHANGES entries Reviewed-by: Dr. Stephen Henson ----------------------------------------------------------------------- Summary of changes: CHANGES | 445 ---------------------------------------------------------------- 1 file changed, 445 deletions(-) diff --git a/CHANGES b/CHANGES index 343d847..c2898ab 100644 --- a/CHANGES +++ b/CHANGES @@ -8,451 +8,6 @@ return an error [Rich Salz and Ismo Puustinen ] - *) Rewrite PSK to support ECDHE_PSK, DHE_PSK and RSA_PSK. Add ciphersuites - from RFC4279, RFC4785, RFC5487, RFC5489. - - Thanks to Christian J. Dietrich and Giuseppe D'Angelo for the - original RSA_PSK patch. - [Steve Henson] - - *) Dropped support for the SSL3_FLAGS_DELAY_CLIENT_FINISHED flag. This SSLeay - era flag was never set throughout the codebase (only read). Also removed - SSL3_FLAGS_POP_BUFFER which was only used if - SSL3_FLAGS_DELAY_CLIENT_FINISHED was also set. - [Matt Caswell] - - *) Changed the default name options in the "ca", "crl", "req" and "x509" - to be "oneline" instead of "compat". - [Richard Levitte] - - *) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're - not aware of clients that still exhibit this bug, and the workaround - hasn't been working properly for a while. - [Emilia K?sper] - - *) The return type of BIO_number_read() and BIO_number_written() as well as - the corresponding num_read and num_write members in the BIO structure has - changed from unsigned long to uint64_t. On platforms where an unsigned - long is 32 bits (e.g. Windows) these counters could overflow if >4Gb is - transferred. - [Matt Caswell] - - *) Given the pervasive nature of TLS extensions it is inadvisable to run - OpenSSL without support for them. It also means that maintaining - the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably - not well tested). Therefore the OPENSSL_NO_TLSEXT option has been removed. - [Matt Caswell] - - *) Removed support for the two export grade static DH ciphersuites - EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites - were newly added (along with a number of other static DH ciphersuites) to - 1.0.2. However the two export ones have *never* worked since they were - introduced. It seems strange in any case to be adding new export - ciphersuites, and given "logjam" it also does not seem correct to fix them. - [Matt Caswell] - - *) Version negotiation has been rewritten. In particular SSLv23_method(), - SSLv23_client_method() and SSLv23_server_method() have been deprecated, - and turned into macros which simply call the new preferred function names - TLS_method(), TLS_client_method() and TLS_server_method(). All new code - should use the new names instead. Also as part of this change the ssl23.h - header file has been removed. - [Matt Caswell] - - *) Support for Kerberos ciphersuites in TLS (RFC2712) has been removed. This - code and the associated standard is no longer considered fit-for-purpose. - [Matt Caswell] - - *) RT2547 was closed. When generating a private key, try to make the - output file readable only by the owner. This behavior change might - be noticeable when interacting with other software. - - *) Added HTTP GET support to the ocsp command. - [Rich Salz] - - *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead. - [Matt Caswell] - - *) Added support for TLS extended master secret from - draft-ietf-tls-session-hash-03.txt. Thanks for Alfredo Pironti for an - initial patch which was a great help during development. - [Steve Henson] - - *) All libssl internal structures have been removed from the public header - files, and the OPENSSL_NO_SSL_INTERN option has been removed (since it is - now redundant). Users should not attempt to access internal structures - directly. Instead they should use the provided API functions. - [Matt Caswell] - - *) config has been changed so that by default OPENSSL_NO_DEPRECATED is used. - Access to deprecated functions can be re-enabled by running config with - "enable-deprecated". In addition applications wishing to use deprecated - functions must define OPENSSL_USE_DEPRECATED. Note that this new behaviour - will, by default, disable some transitive includes that previously existed - in the header files (e.g. ec.h will no longer, by default, include bn.h) - [Matt Caswell] - - *) Added support for OCB mode. OpenSSL has been granted a patent license - compatible with the OpenSSL license for use of OCB. Details are available - at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support - for OCB can be removed by calling config with no-ocb. - [Matt Caswell] - - *) SSLv2 support has been removed. It still supports receiving a SSLv2 - compatible client hello. - [Kurt Roeckx] - - *) Increased the minimal RSA keysize from 256 to 512 bits [Rich Salz], - done while fixing the error code for the key-too-small case. - [Annie Yousar ] - - *) CA.sh has been removmed; use CA.pl instead. - [Rich Salz] - - *) Removed old DES API. - [Rich Salz] - - *) Remove various unsupported platforms: - Sony NEWS4 - BEOS and BEOS_R5 - NeXT - SUNOS - MPE/iX - Sinix/ReliantUNIX RM400 - DGUX - NCR - Tandem - Cray - 16-bit platforms such as WIN16 - [Rich Salz] - - *) Clean up OPENSSL_NO_xxx #define's - Use setbuf() and remove OPENSSL_NO_SETVBUF_IONBF - Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx - OPENSSL_NO_EC{DH,DSA} merged into OPENSSL_NO_EC - OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 - OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO - Remove OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY - OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP - OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK - OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY - Remove MS_STATIC; it's a relic from platforms <32 bits. - [Rich Salz] - - *) Cleaned up dead code - Remove all but one '#ifdef undef' which is to be looked at. - [Rich Salz] - - *) Clean up calling of xxx_free routines. - Just like free(), fix most of the xxx_free routines to accept - NULL. Remove the non-null checks from callers. Save much code. - [Rich Salz] - - *) Add secure heap for storage of private keys (when possible). - Add BIO_s_secmem(), CBIGNUM, etc. - Contributed by Akamai Technologies under our Corporate CLA. - [Rich Salz] - - *) Experimental support for a new, fast, unbiased prime candidate generator, - bn_probable_prime_dh_coprime(). Not currently used by any prime generator. - [Felix Laurie von Massenbach ] - - *) New output format NSS in the sess_id command line tool. This allows - exporting the session id and the master key in NSS keylog format. - [Martin Kaiser ] - - *) Harmonize version and its documentation. -f flag is used to display - compilation flags. - [mancha ] - - *) Fix eckey_priv_encode so it immediately returns an error upon a failure - in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue. - [mancha ] - - *) Fix some double frees. These are not thought to be exploitable. - [mancha ] - - *) A missing bounds check in the handling of the TLS heartbeat extension - can be used to reveal up to 64k of memory to a connected client or - server. - - Thanks for Neel Mehta of Google Security for discovering this bug and to - Adam Langley and Bodo Moeller for - preparing the fix (CVE-2014-0160) - [Adam Langley, Bodo Moeller] - - *) Fix for the attack described in the paper "Recovering OpenSSL - ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" - by Yuval Yarom and Naomi Benger. Details can be obtained from: - http://eprint.iacr.org/2014/140 - - Thanks to Yuval Yarom and Naomi Benger for discovering this - flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) - [Yuval Yarom and Naomi Benger] - - *) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file(): - this fixes a limitation in previous versions of OpenSSL. - [Steve Henson] - - *) Experimental encrypt-then-mac support. - - Experimental support for encrypt then mac from - draft-gutmann-tls-encrypt-then-mac-02.txt - - To enable it set the appropriate extension number (0x42 for the test - server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x42 - - For non-compliant peers (i.e. just about everything) this should have no - effect. - - WARNING: EXPERIMENTAL, SUBJECT TO CHANGE. - - [Steve Henson] - - *) Add EVP support for key wrapping algorithms, to avoid problems with - existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in - the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap - algorithms and include tests cases. - [Steve Henson] - - *) Extend CMS code to support RSA-PSS signatures and RSA-OAEP for - enveloped data. - [Steve Henson] - - *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest, - MGF1 digest and OAEP label. - [Steve Henson] - - *) Make openssl verify return errors. - [Chris Palmer and Ben Laurie] - - *) New function ASN1_TIME_diff to calculate the difference between two - ASN1_TIME structures or one structure and the current time. - [Steve Henson] - - *) Update fips_test_suite to support multiple command line options. New - test to induce all self test errors in sequence and check expected - failures. - [Steve Henson] - - *) Add FIPS_{rsa,dsa,ecdsa}_{sign,verify} functions which digest and - sign or verify all in one operation. - [Steve Henson] - - *) Add fips_algvs: a multicall fips utility incorporating all the algorithm - test programs and fips_test_suite. Includes functionality to parse - the minimal script output of fipsalgest.pl directly. - [Steve Henson] - - *) Add authorisation parameter to FIPS_module_mode_set(). - [Steve Henson] - - *) Add FIPS selftest for ECDH algorithm using P-224 and B-233 curves. - [Steve Henson] - - *) Use separate DRBG fields for internal and external flags. New function - FIPS_drbg_health_check() to perform on demand health checking. Add - generation tests to fips_test_suite with reduced health check interval to - demonstrate periodic health checking. Add "nodh" option to - fips_test_suite to skip very slow DH test. - [Steve Henson] - - *) New function FIPS_get_cipherbynid() to lookup FIPS supported ciphers - based on NID. - [Steve Henson] - - *) More extensive health check for DRBG checking many more failure modes. - New function FIPS_selftest_drbg_all() to handle every possible DRBG - combination: call this in fips_test_suite. - [Steve Henson] - - *) Add support for Dual EC DRBG from SP800-90. Update DRBG algorithm test - and POST to handle Dual EC cases. - [Steve Henson] - - *) Add support for canonical generation of DSA parameter 'g'. See - FIPS 186-3 A.2.3. - - *) Add support for HMAC DRBG from SP800-90. Update DRBG algorithm test and - POST to handle HMAC cases. - [Steve Henson] - - *) Add functions FIPS_module_version() and FIPS_module_version_text() - to return numerical and string versions of the FIPS module number. - [Steve Henson] - - *) Rename FIPS_mode_set and FIPS_mode to FIPS_module_mode_set and - FIPS_module_mode. FIPS_mode and FIPS_mode_set will be implemented - outside the validated module in the FIPS capable OpenSSL. - [Steve Henson] - - *) Minor change to DRBG entropy callback semantics. In some cases - there is no multiple of the block length between min_len and - max_len. Allow the callback to return more than max_len bytes - of entropy but discard any extra: it is the callback's responsibility - to ensure that the extra data discarded does not impact the - requested amount of entropy. - [Steve Henson] - - *) Add PRNG security strength checks to RSA, DSA and ECDSA using - information in FIPS186-3, SP800-57 and SP800-131A. - [Steve Henson] - - *) CCM support via EVP. Interface is very similar to GCM case except we - must supply all data in one chunk (i.e. no update, final) and the - message length must be supplied if AAD is used. Add algorithm test - support. - [Steve Henson] - - *) Initial version of POST overhaul. Add POST callback to allow the status - of POST to be monitored and/or failures induced. Modify fips_test_suite - to use callback. Always run all selftests even if one fails. - [Steve Henson] - - *) XTS support including algorithm test driver in the fips_gcmtest program. - Note: this does increase the maximum key length from 32 to 64 bytes but - there should be no binary compatibility issues as existing applications - will never use XTS mode. - [Steve Henson] - - *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies - to OpenSSL RAND code and replace with a tiny FIPS RAND API which also - performs algorithm blocking for unapproved PRNG types. Also do not - set PRNG type in FIPS_mode_set(): leave this to the application. - Add default OpenSSL DRBG handling: sets up FIPS PRNG and seeds with - the standard OpenSSL PRNG: set additional data to a date time vector. - [Steve Henson] - - *) Rename old X9.31 PRNG functions of the form FIPS_rand* to FIPS_x931*. - This shouldn't present any incompatibility problems because applications - shouldn't be using these directly and any that are will need to rethink - anyway as the X9.31 PRNG is now deprecated by FIPS 140-2 - [Steve Henson] - - *) Extensive self tests and health checking required by SP800-90 DRBG. - Remove strength parameter from FIPS_drbg_instantiate and always - instantiate at maximum supported strength. - [Steve Henson] - - *) Add ECDH code to fips module and fips_ecdhvs for primitives only testing. - [Steve Henson] - - *) New algorithm test program fips_dhvs to handle DH primitives only testing. - [Steve Henson] - - *) New function DH_compute_key_padded() to compute a DH key and pad with - leading zeroes if needed: this complies with SP800-56A et al. - [Steve Henson] - - *) Initial implementation of SP800-90 DRBGs for Hash and CTR. Not used by - anything, incomplete, subject to change and largely untested at present. - [Steve Henson] - - *) Modify fipscanisteronly build option to only build the necessary object - files by filtering FIPS_EX_OBJ through a perl script in crypto/Makefile. - [Steve Henson] - - *) Add experimental option FIPSSYMS to give all symbols in - fipscanister.o and FIPS or fips prefix. This will avoid - conflicts with future versions of OpenSSL. Add perl script - util/fipsas.pl to preprocess assembly language source files - and rename any affected symbols. - [Steve Henson] - - *) Add selftest checks and algorithm block of non-fips algorithms in - FIPS mode. Remove DES2 from selftests. - [Steve Henson] - - *) Add ECDSA code to fips module. Add tiny fips_ecdsa_check to just - return internal method without any ENGINE dependencies. Add new - tiny fips sign and verify functions. - [Steve Henson] - - *) New build option no-ec2m to disable characteristic 2 code. - [Steve Henson] - - *) New build option "fipscanisteronly". This only builds fipscanister.o - and (currently) associated fips utilities. Uses the file Makefile.fips - instead of Makefile.org as the prototype. - [Steve Henson] - - *) Add some FIPS mode restrictions to GCM. Add internal IV generator. - Update fips_gcmtest to use IV generator. - [Steve Henson] - - *) Initial, experimental EVP support for AES-GCM. AAD can be input by - setting output buffer to NULL. The *Final function must be - called although it will not retrieve any additional data. The tag - can be set or retrieved with a ctrl. The IV length is by default 12 - bytes (96 bits) but can be set to an alternative value. If the IV - length exceeds the maximum IV length (currently 16 bytes) it cannot be - set before the key. - [Steve Henson] - - *) New flag in ciphers: EVP_CIPH_FLAG_CUSTOM_CIPHER. This means the - underlying do_cipher function handles all cipher semantics itself - including padding and finalisation. This is useful if (for example) - an ENGINE cipher handles block padding itself. The behaviour of - do_cipher is subtly changed if this flag is set: the return value - is the number of characters written to the output buffer (zero is - no longer an error code) or a negative error code. Also if the - input buffer is NULL and length 0 finalisation should be performed. - [Steve Henson] - - *) If a candidate issuer certificate is already part of the constructed - path ignore it: new debug notification X509_V_ERR_PATH_LOOP for this case. - [Steve Henson] - - *) Improve forward-security support: add functions - - void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx, int (*cb)(SSL *ssl, int is_forward_secure)) - void SSL_set_not_resumable_session_callback(SSL *ssl, int (*cb)(SSL *ssl, int is_forward_secure)) - - for use by SSL/TLS servers; the callback function will be called whenever a - new session is created, and gets to decide whether the session may be - cached to make it resumable (return 0) or not (return 1). (As by the - SSL/TLS protocol specifications, the session_id sent by the server will be - empty to indicate that the session is not resumable; also, the server will - not generate RFC 4507 (RFC 5077) session tickets.) - - A simple reasonable callback implementation is to return is_forward_secure. - This parameter will be set to 1 or 0 depending on the ciphersuite selected - by the SSL/TLS server library, indicating whether it can provide forward - security. - [Emilia K?sper (Google)] - - *) New -verify_name option in command line utilities to set verification - parameters by name. - [Steve Henson] - - *) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE. - Add CMAC pkey methods. - [Steve Henson] - - *) Experimental renegotiation in s_server -www mode. If the client - browses /reneg connection is renegotiated. If /renegcert it is - renegotiated requesting a certificate. - [Steve Henson] - - *) Add an "external" session cache for debugging purposes to s_server. This - should help trace issues which normally are only apparent in deployed - multi-process servers. - [Steve Henson] - - *) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where - return value is ignored. NB. The functions RAND_add(), RAND_seed(), - BIO_set_cipher() and some obscure PEM functions were changed so they - can now return an error. The RAND changes required a change to the - RAND_METHOD structure. - [Steve Henson] - - *) New macro __owur for "OpenSSL Warn Unused Result". This makes use of - a gcc attribute to warn if the result of a function is ignored. This - is enable if DEBUG_UNUSED is set. Add to several functions in evp.h - whose return value is often ignored. - [Steve Henson] ->>>>>>> f00a10b... GH367: Fix dsa keygen for too-short seed - Changes between 1.0.2c and 1.0.2d [9 Jul 2015] *) Alternate chains certificate forgery From rsalz at openssl.org Tue Sep 8 19:14:12 2015 From: rsalz at openssl.org (Rich Salz) Date: Tue, 08 Sep 2015 19:14:12 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441739652.237098.29884.nullmailer@dev.openssl.org> The branch master has been updated via ff2f6bb0845ef859954f7c36b2b302c60088c4c7 (commit) from 8c82de991b73caa25f06a181d86550cfcf457858 (commit) - Log ----------------------------------------------------------------- commit ff2f6bb0845ef859954f7c36b2b302c60088c4c7 Author: Rich Salz Date: Mon Sep 7 22:21:38 2015 -0400 Fix rehash/c_rehash doc and behavior. Both now warn once if directory isn't writeable. Both now warn on file-write errors (multiple times). Update manpage to describe both program and script correctly. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 4 ++++ doc/apps/rehash.pod | 22 +++++++++++------- tools/c_rehash.in | 64 +++++++++++++++++++++++++++++++---------------------- 3 files changed, 55 insertions(+), 35 deletions(-) diff --git a/apps/rehash.c b/apps/rehash.c index 8417449..b0d6d9c 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -313,6 +313,10 @@ static int do_dir(const char *dirname, enum Hash h) const char *filename; char *buf; + if (app_access(dirname, W_OK) < 0) { + BIO_printf(bio_err, "Skipping %s, can't write\n", dirname); + return 0; + } buflen = strlen(dirname); pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/"; buflen += NAME_MAX + 2; diff --git a/doc/apps/rehash.pod b/doc/apps/rehash.pod index 00ab29b..6c8c607 100644 --- a/doc/apps/rehash.pod +++ b/doc/apps/rehash.pod @@ -23,7 +23,8 @@ I =head1 DESCRIPTION On some platforms, the OpenSSL B command is available as -an external script called B. They are functionally equivalent. +an external script called B. They are functionally equivalent, +except for minor differences noted below. B scans directories and calculates a hash value of each C<.pem>, C<.crt>, C<.cer>, or C<.crl> @@ -41,12 +42,13 @@ If that is not set then the default directory (installation-specific but often B) is processed. In order for a directory to be processed, the user must have write -permissions on that directory, otherwise it will be skipped. +permissions on that directory, otherwise an error will be generated. + The links created are of the form C, where each B is a hexadecimal character and B is a single decimal digit. When processing a directory, B will first remove all links -that have a name in that syntax. If you have links in that format -used for other purposes, they will be removed. +that have a name in that syntax, even if they are being used for some +other purpose. To skip the removal step, use the B<-n> flag. Hashes for CRL's look similar except the letter B appears after the period, like this: C. @@ -57,9 +59,13 @@ full SHA-1 fingerprint. A warning will be displayed if a duplicate is found. A warning will also be displayed if there are files that -cannot be parsed as either a certificate or a CRL. +cannot be parsed as either a certificate or a CRL or if +more than one such object appears in the file. + +=head2 Script Configuration -The program uses the B program to compute the hashes and +The B script +uses the B program to compute the hashes and fingerprints. If not found in the user's B, then set the B environment variable to the full pathname. Any program can be used, it will be invoked as follows for either @@ -79,8 +85,8 @@ optionally prefixed with some text and an equals sign. =item B<-old> Use old-style hashing (MD5, as opposed to SHA-1) for generating -links for releases before 1.0.0. Note that current versions will -not use the old style. +links to be used for releases before 1.0.0. +Note that current versions will not use the old style. =item B<-h> diff --git a/tools/c_rehash.in b/tools/c_rehash.in index b086ff9..6c2ff06 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -54,24 +54,24 @@ if (defined(&Cwd::getcwd)) { my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); -if(! -x $openssl) { +if (! -x $openssl) { my $found = 0; foreach (split /$path_delim/, $ENV{PATH}) { - if(-x "$_/$openssl") { + if (-x "$_/$openssl") { $found = 1; $openssl = "$_/$openssl"; last; } } - if($found == 0) { + if ($found == 0) { print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; exit 0; } } -if(@ARGV) { +if (@ARGV) { @dirlist = @ARGV; -} elsif($ENV{SSL_CERT_DIR}) { +} elsif ($ENV{SSL_CERT_DIR}) { @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; } else { $dirlist[0] = "$dir/certs"; @@ -84,8 +84,12 @@ if (-d $dirlist[0]) { } foreach (@dirlist) { - if(-d $_ and -w $_) { + if (-d $_ ) { + if ( -w $_) { hash_dir($_); + } else { + print "Skipping $_, can't write\n"; + } } } @@ -99,21 +103,21 @@ sub hash_dir { if ( $removelinks ) { # Delete any existing symbolic links foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { - if(-l $_) { - unlink $_; + if (-l $_) { print "unlink $_" if $verbose; + unlink $_ || warn "Can't unlink $_, $!\n"; } } } FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); - if(!$cert && !$crl) { + if (!$cert && !$crl) { print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; next; } - link_hash_cert($fname) if($cert); - link_hash_crl($fname) if($crl); + link_hash_cert($fname) if ($cert); + link_hash_crl($fname) if ($crl); } } @@ -122,14 +126,14 @@ sub check_file { my $fname = $_[0]; open IN, $fname; while() { - if(/^-----BEGIN (.*)-----/) { + if (/^-----BEGIN (.*)-----/) { my $hdr = $1; - if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { + if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { $is_cert = 1; - last if($is_crl); - } elsif($hdr eq "X509 CRL") { + last if ($is_crl); + } elsif ($hdr eq "X509 CRL") { $is_crl = 1; - last if($is_cert); + last if ($is_cert); } } } @@ -156,7 +160,7 @@ sub link_hash_cert { # Search for an unused hash filename while(exists $hashlist{"$hash.$suffix"}) { # Hash matches: if fingerprint matches its a duplicate cert - if($hashlist{"$hash.$suffix"} eq $fprint) { + if ($hashlist{"$hash.$suffix"} eq $fprint) { print STDERR "WARNING: Skipping duplicate certificate $fname\n"; return; } @@ -164,15 +168,21 @@ sub link_hash_cert { } $hash .= ".$suffix"; if ($symlink_exists) { - symlink $fname, $hash; print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; } else { - open IN,"<$fname" or die "can't open $fname for read"; - open OUT,">$hash" or die "can't open $hash for write"; - print OUT ; # does the job for small text files - close OUT; - close IN; print "copy $fname -> $hash\n" if $verbose; + if (open($in, "<", $fname)) { + if (open($out,">", $hash)) { + print $out $_ while (<$in>); + close $out; + } else { + warn "can't open $hash for write, $!"; + } + close $in; + } else { + warn "can't open $fname for read, $!"; + } } $hashlist{$hash} = $fprint; } @@ -191,7 +201,7 @@ sub link_hash_crl { # Search for an unused hash filename while(exists $hashlist{"$hash.r$suffix"}) { # Hash matches: if fingerprint matches its a duplicate cert - if($hashlist{"$hash.r$suffix"} eq $fprint) { + if ($hashlist{"$hash.r$suffix"} eq $fprint) { print STDERR "WARNING: Skipping duplicate CRL $fname\n"; return; } @@ -199,12 +209,12 @@ sub link_hash_crl { } $hash .= ".r$suffix"; if ($symlink_exists) { - symlink $fname, $hash; print "link $fname -> $hash\n" if $verbose; + symlink $fname, $hash || warn "Can't symlink, $!"; } else { - system ("cp", $fname, $hash); print "cp $fname -> $hash\n" if $verbose; + system ("cp", $fname, $hash); + warn "Can't copy, $!" if ($? >> 8) != 0; } $hashlist{$hash} = $fprint; } - From rsalz at openssl.org Wed Sep 9 03:18:46 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 09 Sep 2015 03:18:46 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441768726.113335.5844.nullmailer@dev.openssl.org> The branch master has been updated via 4d60c7e10f1d7ebe34842f96e13b64db7fc2dc1b (commit) from ff2f6bb0845ef859954f7c36b2b302c60088c4c7 (commit) - Log ----------------------------------------------------------------- commit 4d60c7e10f1d7ebe34842f96e13b64db7fc2dc1b Author: David Woodhouse Date: Tue Sep 8 22:51:17 2015 -0400 RT3969: Add OPENSSL_SYS_UEFI This provides support for building in the EDK II reference implementation of UEFI. Most UEFI firmware in existence uses OpenSSL for implementing the core cryptographic functionality needed for Secure Boot. This has always previously been handled with external patches to OpenSSL but we are now making a concerted effort to eliminate those. In this mode, we don't actually use the OpenSSL makefiles; we process the MINFO file generated by 'make files' and incorporate it into the EDK2 build system. Since EDK II builds for various targets with varying word size and we need to have a single prepackaged configuration, we deliberately don't hard-code the setting of SIXTY_FOUR_BIT vs. THIRTY_TWO_BIT in opensslconf.h. We bypass that for OPENSSL_SYS_UEFI and allow EDK II itself to set those, depending on the architecture. For x86_64, EDK II sets SIXTY_FOUR_BIT and thus uses 'long long' for the 64-bit type, even when building with GCC where 'long' is also 64-bit. We do this because the Microsoft toolchain has 32-bit 'long'. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: Configurations/10-main.conf | 7 +++++++ crypto/opensslconf.h.in | 2 +- crypto/rand/rand_egd.c | 2 +- e_os.h | 2 +- include/openssl/e_os2.h | 17 ++++++++++++++++- 5 files changed, 26 insertions(+), 4 deletions(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index 15af87e..3230d86 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1207,6 +1207,13 @@ shared_extension => ".dll.a", }, +#### UEFI + "UEFI" => { + cc => "cc", + cflags => "-DL_ENDIAN -O", + sys_id => "UEFI", + }, + #### UWIN "UWIN" => { cc => "cc", diff --git a/crypto/opensslconf.h.in b/crypto/opensslconf.h.in index 4429c91..c37dbba 100644 --- a/crypto/opensslconf.h.in +++ b/crypto/opensslconf.h.in @@ -73,7 +73,7 @@ #endif #endif -#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) && !defined(OPENSSL_SYS_UEFI) #define CONFIG_HEADER_BN_H #undef BN_LLONG diff --git a/crypto/rand/rand_egd.c b/crypto/rand/rand_egd.c index 44ed4bb..d062dd6 100644 --- a/crypto/rand/rand_egd.c +++ b/crypto/rand/rand_egd.c @@ -95,7 +95,7 @@ * RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255. */ -#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) +#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_VOS) || defined(OPENSSL_SYS_UEFI) int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes) { return (-1); diff --git a/e_os.h b/e_os.h index 4c1b4aa..b3a3338 100644 --- a/e_os.h +++ b/e_os.h @@ -112,7 +112,7 @@ extern "C" { # define MSDOS # endif -# if defined(MSDOS) && !defined(GETPID_IS_MEANINGLESS) +# if (defined(MSDOS) || defined(OPENSSL_SYS_UEFI)) && !defined(GETPID_IS_MEANINGLESS) # define GETPID_IS_MEANINGLESS # endif diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index 9f7dcf1..6ef1f39 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -90,7 +90,13 @@ extern "C" { * For 32 bit environment, there seems to be the CygWin environment and then * all the others that try to do the same thing Microsoft does... */ -# if defined(OPENSSL_SYS_UWIN) +/* + * UEFI lives here because it might be built with a Microsoft toolchain and + * we need to avoid the false positive match on Windows. + */ +# if defined(OPENSSL_SYS_UEFI) +# undef OPENSSL_SYS_UNIX +# elif defined(OPENSSL_SYS_UWIN) # undef OPENSSL_SYS_UNIX # define OPENSSL_SYS_WIN32_UWIN # else @@ -277,6 +283,15 @@ extern "C" { /* Standard integer types */ # if defined(__osf__) || defined(__sgi) || defined(__hpux) || defined(OPENSSL_SYS_VMS) # include +# elif defined(OPENSSL_SYS_UEFI) +typedef INT8 int8_t; +typedef UINT8 uint8_t; +typedef INT16 int16_t; +typedef UINT16 uint16_t; +typedef INT32 int32_t; +typedef UINT32 uint32_t; +typedef INT64 int64_t; +typedef UINT64 uint64_t; # elif defined(_MSC_VER) && _MSC_VER<=1500 /* * minimally required typdefs for systems not supporting inttypes.h or From rsalz at openssl.org Wed Sep 9 03:33:06 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 09 Sep 2015 03:33:06 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441769586.410373.8314.nullmailer@dev.openssl.org> The branch master has been updated via d728f0f5f28c9c5347ac371373e3cd4cb350760f (commit) from 4d60c7e10f1d7ebe34842f96e13b64db7fc2dc1b (commit) - Log ----------------------------------------------------------------- commit d728f0f5f28c9c5347ac371373e3cd4cb350760f Author: David Woodhouse Date: Tue Sep 8 23:24:36 2015 -0400 RT3993: Fix error found by VS2008 Cast and then negate, don't negate an unsigned. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/asn1/a_int.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 0d020e0..5d5e7f6 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -338,7 +338,7 @@ static int asn1_get_int64(int64_t *pr, const unsigned char *b, size_t blen, ASN1err(ASN1_F_ASN1_GET_INT64, ASN1_R_TOO_SMALL); return 0; } - *pr = (int64_t)-r; + *pr = -(int64_t)r; } else { if (r > INT64_MAX) { ASN1err(ASN1_F_ASN1_GET_INT64, ASN1_R_TOO_LARGE); From emilia at openssl.org Wed Sep 9 10:59:13 2015 From: emilia at openssl.org (Emilia Kasper) Date: Wed, 09 Sep 2015 10:59:13 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441796353.023450.26429.nullmailer@dev.openssl.org> The branch master has been updated via 6d41fc80e6152a6bf9d062b2a8e835a388ed0062 (commit) from d728f0f5f28c9c5347ac371373e3cd4cb350760f (commit) - Log ----------------------------------------------------------------- commit 6d41fc80e6152a6bf9d062b2a8e835a388ed0062 Author: Emilia Kasper Date: Tue Sep 1 18:19:14 2015 +0200 PACKET: add PACKET_memdup and PACKET_strndup Use each once in s3_srvr.c to show how they work. Also fix a bug introduced in c3fc7eeab884b6876a1b4006163f190d325aa047 and made apparent by this change: ssl3_get_next_proto wasn't updating next_proto_negotiated_len Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: ssl/packet_locl.h | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- ssl/s3_srvr.c | 41 +++++++++++++--------------------------- test/packettest.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 120 insertions(+), 30 deletions(-) diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h index 3f03fa7..3200c22 100644 --- a/ssl/packet_locl.h +++ b/ssl/packet_locl.h @@ -335,9 +335,12 @@ __owur static inline int PACKET_peek_copy_bytes(const PACKET *pkt, return 1; } -/* Read |len| bytes from |pkt| and copy them to |data| */ +/* + * Read |len| bytes from |pkt| and copy them to |data|. + * The caller is responsible for ensuring that |data| can hold |len| bytes. + */ __owur static inline int PACKET_copy_bytes(PACKET *pkt, unsigned char *data, - size_t len) + size_t len) { if (!PACKET_peek_copy_bytes(pkt, data, len)) return 0; @@ -347,6 +350,55 @@ __owur static inline int PACKET_copy_bytes(PACKET *pkt, unsigned char *data, return 1; } +/* + * Copy |pkt| bytes to a newly allocated buffer and store a pointer to the + * result in |*data|, and the length in |len|. + * If |*data| is not NULL, the old data is OPENSSL_free'd. + * If the packet is empty, or malloc fails, |*data| will be set to NULL. + * Returns 1 if the malloc succeeds and 0 otherwise. + * Does not forward PACKET position (because it is typically the last thing + * done with a given PACKET). + */ +__owur static inline int PACKET_memdup(const PACKET *pkt, unsigned char **data, + size_t *len) +{ + size_t length; + + OPENSSL_free(*data); + *data = NULL; + *len = 0; + + length = PACKET_remaining(pkt); + + if (length == 0) + return 1; + + *data = BUF_memdup(pkt->curr, length); + + if (*data == NULL) + return 0; + + *len = length; + return 1; +} + +/* + * Read a C string from |pkt| and copy to a newly allocated, NUL-terminated + * buffer. Store a pointer to the result in |*data|. + * If |*data| is not NULL, the old data is OPENSSL_free'd. + * If the data in |pkt| does not contain a NUL-byte, the entire data is + * copied and NUL-terminated. + * Returns 1 if the malloc succeeds and 0 otherwise. + * Does not forward PACKET position (because it is typically the last thing done + * with a given PACKET). + */ +__owur static inline int PACKET_strndup(const PACKET *pkt, char **data) +{ + OPENSSL_free(*data); + *data = BUF_strndup((const char*)pkt->curr, PACKET_remaining(pkt)); + return (*data != NULL); +} + /* Move the current reading position back |len| bytes */ __owur static inline int PACKET_back(PACKET *pkt, size_t len) { diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 74c3696..16f4db9 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2250,13 +2250,14 @@ int ssl3_get_client_key_exchange(SSL *s) if (alg_k & SSL_PSK) { unsigned char psk[PSK_MAX_PSK_LEN]; size_t psklen; + PACKET psk_identity; - if (!PACKET_get_net_2(&pkt, &i)) { + if (!PACKET_get_length_prefixed_2(&pkt, &psk_identity)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); goto f_err; } - if (i > PSK_MAX_IDENTITY_LEN) { + if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); @@ -2269,21 +2270,10 @@ int ssl3_get_client_key_exchange(SSL *s) goto f_err; } - OPENSSL_free(s->session->psk_identity); - s->session->psk_identity = OPENSSL_malloc(i + 1); - if (s->session->psk_identity == NULL) { + if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, - ERR_R_MALLOC_FAILURE); - goto f_err; - } - if (!PACKET_copy_bytes(&pkt, (unsigned char *)s->session->psk_identity, - i)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); goto f_err; } - s->session->psk_identity[i] = '\0'; psklen = s->psk_server_callback(s, s->session->psk_identity, psk, sizeof(psk)); @@ -3455,9 +3445,9 @@ int ssl3_send_cert_status(SSL *s) int ssl3_get_next_proto(SSL *s) { int ok; - unsigned int proto_len, padding_len; long n; - PACKET pkt; + PACKET pkt, next_proto, padding; + size_t next_proto_len; /* * Clients cannot send a NextProtocol message if we didn't see the @@ -3506,25 +3496,20 @@ int ssl3_get_next_proto(SSL *s) * uint8 padding_len; * uint8 padding[padding_len]; */ - if (!PACKET_get_1(&pkt, &proto_len)){ + if (!PACKET_get_length_prefixed_1(&pkt, &next_proto) + || !PACKET_get_length_prefixed_1(&pkt, &padding) + || PACKET_remaining(&pkt) > 0) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH); goto err; } - s->next_proto_negotiated = OPENSSL_malloc(proto_len); - if (s->next_proto_negotiated == NULL) { - SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); + if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, + &next_proto_len)) { + s->next_proto_negotiated_len = 0; goto err; } - if (!PACKET_copy_bytes(&pkt, s->next_proto_negotiated, proto_len) - || !PACKET_get_1(&pkt, &padding_len) - || PACKET_remaining(&pkt) != padding_len) { - OPENSSL_free(s->next_proto_negotiated); - s->next_proto_negotiated = NULL; - SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH); - goto err; - } + s->next_proto_negotiated_len = (unsigned char)next_proto_len; return 1; err: diff --git a/test/packettest.c b/test/packettest.c index b3f7bbb..23b6085 100644 --- a/test/packettest.c +++ b/test/packettest.c @@ -230,6 +230,57 @@ static int test_PACKET_copy_bytes(PACKET *pkt, size_t start) return 1; } +static int test_PACKET_memdup(PACKET *pkt, size_t start) +{ + unsigned char *data = NULL; + size_t len; + if ( !PACKET_goto_bookmark(pkt, start) + || !PACKET_memdup(pkt, &data, &len) + || len != BUF_LEN + || memcmp(data, PACKET_data(pkt), len) + || !PACKET_forward(pkt, 10) + || !PACKET_memdup(pkt, &data, &len) + || len != BUF_LEN - 10 + || memcmp(data, PACKET_data(pkt), len) + || !PACKET_back(pkt, 1) + || !PACKET_memdup(pkt, &data, &len) + || len != BUF_LEN - 9 + || memcmp(data, PACKET_data(pkt), len)) { + fprintf(stderr, "test_PACKET_memdup() failed\n"); + OPENSSL_free(data); + return 0; + } + + OPENSSL_free(data); + return 1; +} + +static int test_PACKET_strndup() +{ + char buf[10], buf2[10]; + memset(buf, 'x', 10); + memset(buf2, 'y', 10); + buf2[5] = '\0'; + char *data = NULL; + PACKET pkt; + + if ( !PACKET_buf_init(&pkt, (unsigned char*)buf, 10) + || !PACKET_strndup(&pkt, &data) + || strlen(data) != 10 + || strncmp(data, buf, 10) + || !PACKET_buf_init(&pkt, (unsigned char*)buf2, 10) + || !PACKET_strndup(&pkt, &data) + || strlen(data) != 5 + || strcmp(data, buf2)) { + fprintf(stderr, "test_PACKET_strndup failed\n"); + OPENSSL_free(data); + return 0; + } + + OPENSSL_free(data); + return 1; +} + static int test_PACKET_move_funcs(PACKET *pkt, size_t start) { unsigned char *byte; @@ -388,6 +439,8 @@ int main(int argc, char **argv) || !test_PACKET_get_sub_packet(&pkt, start) || !test_PACKET_get_bytes(&pkt, start) || !test_PACKET_copy_bytes(&pkt, start) + || !test_PACKET_memdup(&pkt, start) + || !test_PACKET_strndup() || !test_PACKET_move_funcs(&pkt, start) || !test_PACKET_get_length_prefixed_1() || !test_PACKET_get_length_prefixed_2() From steve at openssl.org Wed Sep 9 16:51:58 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Wed, 09 Sep 2015 16:51:58 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441817518.435833.22792.nullmailer@dev.openssl.org> The branch master has been updated via 2dcac136a8c4e37646b717b68eeccc191d074bf0 (commit) from 6d41fc80e6152a6bf9d062b2a8e835a388ed0062 (commit) - Log ----------------------------------------------------------------- commit 2dcac136a8c4e37646b717b68eeccc191d074bf0 Author: Dr. Stephen Henson Date: Wed Sep 9 17:28:17 2015 +0100 Fix warning about mixed declarations and code. Reviewed-by: Richard Levitte ----------------------------------------------------------------------- Summary of changes: test/packettest.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/packettest.c b/test/packettest.c index 23b6085..9844b20 100644 --- a/test/packettest.c +++ b/test/packettest.c @@ -258,11 +258,12 @@ static int test_PACKET_memdup(PACKET *pkt, size_t start) static int test_PACKET_strndup() { char buf[10], buf2[10]; + char *data = NULL; + PACKET pkt; + memset(buf, 'x', 10); memset(buf2, 'y', 10); buf2[5] = '\0'; - char *data = NULL; - PACKET pkt; if ( !PACKET_buf_init(&pkt, (unsigned char*)buf, 10) || !PACKET_strndup(&pkt, &data) From levitte at openssl.org Wed Sep 9 17:12:14 2015 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Sep 2015 17:12:14 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441818734.278202.28197.nullmailer@dev.openssl.org> The branch master has been updated via 84d90cf335209e6c1dcb5124d2ddf14ea617212f (commit) via ceffb33db28d067fde07531c3fd36a0ed4b95ded (commit) from 2dcac136a8c4e37646b717b68eeccc191d074bf0 (commit) - Log ----------------------------------------------------------------- commit 84d90cf335209e6c1dcb5124d2ddf14ea617212f Author: Richard Levitte Date: Wed Sep 9 17:36:21 2015 +0200 Add a simple test for the new rehash command Reviewed-by: Rich Salz commit ceffb33db28d067fde07531c3fd36a0ed4b95ded Author: Richard Levitte Date: Wed Sep 9 17:29:06 2015 +0200 Make sure the temporary error log resides in a well defined location If a test recipe does something like this: indir "foo.$$" => sub { chmod 0500, File::Spec->curdir(); ok(run(app(["something"]))); } we get a problem, because we were storing the temporary stderr file in the current directory at all times (so while inside the 'indir', we would attemp to store it in "foo.$$"). So, change our ways to always store that temporary file in the exact same location, defined by the environment variable RESULT_D, or failing that TEST_D, or failing that $TOP/test. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: test/recipes/40-test_rehash.t | 56 +++++++++++++++++++++++++++++++++++++++++++ test/testlib/OpenSSL/Test.pm | 3 ++- 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 test/recipes/40-test_rehash.t diff --git a/test/recipes/40-test_rehash.t b/test/recipes/40-test_rehash.t new file mode 100644 index 0000000..514d0d3 --- /dev/null +++ b/test/recipes/40-test_rehash.t @@ -0,0 +1,56 @@ +#! /usr/bin/perl + +use strict; +use warnings; + +use File::Spec::Functions; +use File::Copy; +use File::Basename; +use OpenSSL::Test qw/:DEFAULT top_file/; + +setup("test_rehash"); + +plan tests => 4; + +indir "rehash.$$" => sub { + prepare(); + ok(run(app(["openssl", "rehash", curdir()])), + 'Testing normal rehash operations'); +}, create => 1, cleanup => 1; + +indir "rehash.$$" => sub { + prepare(sub { chmod 400, $_ foreach (@_); }); + ok(run(app(["openssl", "rehash", curdir()])), + 'Testing rehash operations on readonly files'); +}, create => 1, cleanup => 1; + +indir "rehash.$$" => sub { + ok(run(app(["openssl", "rehash", curdir()])), + 'Testing rehash operations on empty directory'); +}, create => 1, cleanup => 1; + +indir "rehash.$$" => sub { + prepare(); + chmod 0500, curdir(); + isnt(run(app(["openssl", "rehash", curdir()])), 1, + 'Testing rehash operations on readonly directory'); + chmod 0700, curdir(); # make it writable again, so cleanup works +}, create => 1, cleanup => 1; + +sub prepare { + my @sourcefiles = + sort map { glob(top_file('certs', 'demo', "*.$_")) } ('pem', + 'crt', + 'cer', + 'crl'); + my @destfiles = (); + foreach (@sourcefiles) { + copy($_, curdir()); + push @destfiles, catfile(curdir(), basename($_)); + } + foreach (@_) { + die "Internal error, argument is not CODE" + unless (ref($_) eq 'CODE'); + $_->(@destfiles); + } +} diff --git a/test/testlib/OpenSSL/Test.pm b/test/testlib/OpenSSL/Test.pm index f378351..c64d68d 100644 --- a/test/testlib/OpenSSL/Test.pm +++ b/test/testlib/OpenSSL/Test.pm @@ -720,7 +720,8 @@ sub __build_cmd { $saved_stderr = $opts{stderr} if defined($opts{stderr}); - my $errlog = $num ? "$test_name.$num.tmp_err" : "$test_name.tmp_err"; + my $errlog = + __results_file($num ? "$test_name.$num.tmp_err" : "$test_name.tmp_err"); my $display_cmd = "$cmd$arg_str$stdin$stdout$stderr"; $cmd .= "$arg_str$stdin$stdout 2> $errlog"; From rsalz at openssl.org Wed Sep 9 22:28:31 2015 From: rsalz at openssl.org (Rich Salz) Date: Wed, 09 Sep 2015 22:28:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441837711.830221.26858.nullmailer@dev.openssl.org> The branch master has been updated via 05d7bf6c5b729b88992b5474c21a24aa542f6e75 (commit) from 84d90cf335209e6c1dcb5124d2ddf14ea617212f (commit) - Log ----------------------------------------------------------------- commit 05d7bf6c5b729b88992b5474c21a24aa542f6e75 Author: David Woodhouse Date: Wed Sep 9 15:29:44 2015 -0400 RT3992: Make SCT #ifdeffable. This code does open-coded division on 64-bit quantities and thus when building with GCC on 32-bit platforms will require functions such as __umoddi3 and __udivdi3 from libgcc. In constrained environments such as firmware, those functions may not be available. So make it possible to compile out SCT support, which in fact (in the case of UEFI) we don't need anyway. Signed-off-by: Rich Salz Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: crypto/x509v3/ext_dat.h | 2 ++ crypto/x509v3/v3_scts.c | 2 ++ makevms.com | 1 + util/mkdef.pl | 8 ++++++-- 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 9c3529b..76be621 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -127,8 +127,10 @@ static const X509V3_EXT_METHOD *standard_exts[] = { &v3_idp, &v3_alt[2], &v3_freshest_crl, +#ifndef OPENSSL_NO_SCT &v3_ct_scts[0], &v3_ct_scts[1], +#endif }; /* Number of standard extensions */ diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c index 61e5a83..0ffdfb8 100644 --- a/crypto/x509v3/v3_scts.c +++ b/crypto/x509v3/v3_scts.c @@ -61,6 +61,7 @@ #include #include +#ifndef OPENSSL_NO_SCT /* Signature and hash algorithms from RFC 5246 */ #define TLSEXT_hash_sha256 4 @@ -321,3 +322,4 @@ static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list, return 1; } +#endif diff --git a/makevms.com b/makevms.com index 4b9a3d7..2888ee2 100755 --- a/makevms.com +++ b/makevms.com @@ -295,6 +295,7 @@ $ CONFIG_LOGICALS := AES,- RFC3779,- RMD160,- RSA,- + SCT,- SCRYPT,- SCTP,- SEED,- diff --git a/util/mkdef.pl b/util/mkdef.pl index c07a3c6..d20bac6 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -80,7 +80,9 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", # External "algorithms" "FP_API", "STDIO", "SOCK", "DGRAM", # Engines - "STATIC_ENGINE", "ENGINE", "HW", "GMP", + "STATIC_ENGINE", "ENGINE", "HW", "GMP", + # X.509v3 Signed Certificate Timestamps + "SCT", # RFC3779 "RFC3779", # TLS @@ -127,7 +129,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_aes; my $no_scrypt; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; -my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng; +my $no_sct; my $no_rfc3779; my $no_psk; my $no_cms; my $no_capieng; my $no_jpake; my $no_srp; my $no_ec2m; my $no_nistp_gcc; my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace; my $no_unit_test; my $no_ssl3_method; my $no_ocb; @@ -217,6 +219,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } elsif (/^no-gmp$/) { $no_gmp=1; } + elsif (/^no-sct$/) { $no_sct=1; } elsif (/^no-rfc3779$/) { $no_rfc3779=1; } elsif (/^no-cms$/) { $no_cms=1; } elsif (/^no-ec2m$/) { $no_ec2m=1; } @@ -1203,6 +1206,7 @@ sub is_valid if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } + if ($keyword eq "SCT" && $no_sct) { return 0; } if ($keyword eq "RFC3779" && $no_rfc3779) { return 0; } if ($keyword eq "PSK" && $no_psk) { return 0; } if ($keyword eq "CMS" && $no_cms) { return 0; } From emilia at openssl.org Thu Sep 10 14:42:05 2015 From: emilia at openssl.org (Emilia Kasper) Date: Thu, 10 Sep 2015 14:42:05 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441896125.512519.11387.nullmailer@dev.openssl.org> The branch master has been updated via cdde7b49a4ded6ce25b348314a231b99ce884c06 (commit) from 05d7bf6c5b729b88992b5474c21a24aa542f6e75 (commit) - Log ----------------------------------------------------------------- commit cdde7b49a4ded6ce25b348314a231b99ce884c06 Author: Emilia Kasper Date: Thu Sep 10 14:47:04 2015 +0200 Restore SSLerr on PACKET_strndup failure. Reviewed-by: Dr Stephen Henson ----------------------------------------------------------------------- Summary of changes: ssl/s3_srvr.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 16f4db9..ec09840 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -2271,6 +2271,7 @@ int ssl3_get_client_key_exchange(SSL *s) } if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } From emilia at openssl.org Thu Sep 10 15:22:38 2015 From: emilia at openssl.org (Emilia Kasper) Date: Thu, 10 Sep 2015 15:22:38 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441898558.553819.18774.nullmailer@dev.openssl.org> The branch master has been updated via e34c66c6b07d69ec4df8e488976e28d851ad87e6 (commit) from cdde7b49a4ded6ce25b348314a231b99ce884c06 (commit) - Log ----------------------------------------------------------------- commit e34c66c6b07d69ec4df8e488976e28d851ad87e6 Author: Emilia Kasper Date: Tue Sep 1 16:31:55 2015 +0200 RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 2 +- crypto/evp/pmeth_gn.c | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index daa3d57..f07d7e5 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -261,7 +261,7 @@ int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { - if (!EVP_PKEY_set_type(pkey, type)) + if (pkey == NULL || !EVP_PKEY_set_type(pkey, type)) return 0; pkey->pkey.ptr = key; return (key != NULL); diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 705801f..9416e1a 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -96,12 +96,17 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) return -1; } - if (!ppkey) + if (ppkey == NULL) return -1; - if (!*ppkey) + if (*ppkey == NULL) *ppkey = EVP_PKEY_new(); + if (*ppkey == NULL) { + EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE); + return -1; + } + ret = ctx->pmeth->paramgen(ctx, *ppkey); if (ret <= 0) { EVP_PKEY_free(*ppkey); From emilia at openssl.org Thu Sep 10 15:24:09 2015 From: emilia at openssl.org (Emilia Kasper) Date: Thu, 10 Sep 2015 15:24:09 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1441898649.571630.20050.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 4dcdde120bac79979d1ce63cc652e7b53fab4f49 (commit) from 7b8a9992021c496df1826ca29f65c366b544689c (commit) - Log ----------------------------------------------------------------- commit 4dcdde120bac79979d1ce63cc652e7b53fab4f49 Author: Emilia Kasper Date: Tue Sep 1 16:31:55 2015 +0200 RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 2 +- crypto/evp/pmeth_gn.c | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 1171d30..c017124 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -253,7 +253,7 @@ int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { - if (!EVP_PKEY_set_type(pkey, type)) + if (pkey == NULL || !EVP_PKEY_set_type(pkey, type)) return 0; pkey->pkey.ptr = key; return (key != NULL); diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 59f8134..6435f1b 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -96,12 +96,17 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) return -1; } - if (!ppkey) + if (ppkey == NULL) return -1; - if (!*ppkey) + if (*ppkey == NULL) *ppkey = EVP_PKEY_new(); + if (*ppkey == NULL) { + EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE); + return -1; + } + ret = ctx->pmeth->paramgen(ctx, *ppkey); if (ret <= 0) { EVP_PKEY_free(*ppkey); From emilia at openssl.org Thu Sep 10 15:24:18 2015 From: emilia at openssl.org (Emilia Kasper) Date: Thu, 10 Sep 2015 15:24:18 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1441898658.988787.20284.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 4cb23e12a300b64dd997ca00cee75cde8925df05 (commit) from dd642deea83d0f5b4accee9855e36c36699653cc (commit) - Log ----------------------------------------------------------------- commit 4cb23e12a300b64dd997ca00cee75cde8925df05 Author: Emilia Kasper Date: Tue Sep 1 16:31:55 2015 +0200 RT3754: check for NULL pointer Fix both the caller to error out on malloc failure, as well as the eventual callee to handle a NULL gracefully. Reviewed-by: Viktor Dukhovni ----------------------------------------------------------------------- Summary of changes: crypto/evp/p_lib.c | 2 +- crypto/evp/pmeth_gn.c | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 2b84dc7..375f561 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -253,7 +253,7 @@ int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len) int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { - if (!EVP_PKEY_set_type(pkey, type)) + if (pkey == NULL || !EVP_PKEY_set_type(pkey, type)) return 0; pkey->pkey.ptr = key; return (key != NULL); diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 59f8134..6435f1b 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -96,12 +96,17 @@ int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey) return -1; } - if (!ppkey) + if (ppkey == NULL) return -1; - if (!*ppkey) + if (*ppkey == NULL) *ppkey = EVP_PKEY_new(); + if (*ppkey == NULL) { + EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE); + return -1; + } + ret = ctx->pmeth->paramgen(ctx, *ppkey); if (ret <= 0) { EVP_PKEY_free(*ppkey); From steve at openssl.org Thu Sep 10 17:22:39 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Thu, 10 Sep 2015 17:22:39 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441905759.178798.14579.nullmailer@dev.openssl.org> The branch master has been updated via e7451ed137450e4bc6c4bec33bc9054bce443feb (commit) from e34c66c6b07d69ec4df8e488976e28d851ad87e6 (commit) - Log ----------------------------------------------------------------- commit e7451ed137450e4bc6c4bec33bc9054bce443feb Author: Dr. Stephen Henson Date: Mon Jul 20 22:05:10 2015 +0100 EVP_PKEY_METHOD accessor functions. Functions to retrieve the function pointer of an existing method: this can be used to create a method which intercepts or modifies the behaviour of an existing method while retaining most of the existing behaviour. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/evp/pmeth_lib.c | 167 +++++++++++++++++++++++++++++++++++++++++++++++++ include/openssl/evp.h | 92 +++++++++++++++++++++++++++ 2 files changed, 259 insertions(+) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index cff3dd2..ac0767c 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -578,3 +578,170 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, pmeth->ctrl = ctrl; pmeth->ctrl_str = ctrl_str; } + +void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, + int (**pinit) (EVP_PKEY_CTX *ctx)) +{ + *pinit = pmeth->init; +} + +void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, + int (**pcopy) (EVP_PKEY_CTX *dst, + EVP_PKEY_CTX *src)) +{ + *pcopy = pmeth->copy; +} + +void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, + void (**pcleanup) (EVP_PKEY_CTX *ctx)) +{ + *pcleanup = pmeth->cleanup; +} + +void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, + int (**pparamgen_init) (EVP_PKEY_CTX *ctx), + int (**pparamgen) (EVP_PKEY_CTX *ctx, + EVP_PKEY *pkey)) +{ + if (pparamgen_init) + *pparamgen_init = pmeth->paramgen_init; + if (pparamgen) + *pparamgen = pmeth->paramgen; +} + +void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, + int (**pkeygen_init) (EVP_PKEY_CTX *ctx), + int (**pkeygen) (EVP_PKEY_CTX *ctx, + EVP_PKEY *pkey)) +{ + if (pkeygen_init) + *pkeygen_init = pmeth->keygen_init; + if (pkeygen) + *pkeygen = pmeth->keygen; +} + +void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, + int (**psign_init) (EVP_PKEY_CTX *ctx), + int (**psign) (EVP_PKEY_CTX *ctx, + unsigned char *sig, size_t *siglen, + const unsigned char *tbs, + size_t tbslen)) +{ + if (psign_init) + *psign_init = pmeth->sign_init; + if (psign) + *psign = pmeth->sign; +} + +void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, + int (**pverify_init) (EVP_PKEY_CTX *ctx), + int (**pverify) (EVP_PKEY_CTX *ctx, + const unsigned char *sig, + size_t siglen, + const unsigned char *tbs, + size_t tbslen)) +{ + if (pverify_init) + *pverify_init = pmeth->verify_init; + if (pverify) + *pverify = pmeth->verify; +} + +void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, + int (**pverify_recover_init) (EVP_PKEY_CTX + *ctx), + int (**pverify_recover) (EVP_PKEY_CTX + *ctx, + unsigned char + *sig, + size_t *siglen, + const unsigned + char *tbs, + size_t tbslen)) +{ + if (pverify_recover_init) + *pverify_recover_init = pmeth->verify_recover_init; + if (pverify_recover) + *pverify_recover = pmeth->verify_recover; +} + +void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, + int (**psignctx_init) (EVP_PKEY_CTX *ctx, + EVP_MD_CTX *mctx), + int (**psignctx) (EVP_PKEY_CTX *ctx, + unsigned char *sig, + size_t *siglen, + EVP_MD_CTX *mctx)) +{ + if (psignctx_init) + *psignctx_init = pmeth->signctx_init; + if (psignctx) + *psignctx = pmeth->signctx; +} + +void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, + int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, + EVP_MD_CTX *mctx), + int (**pverifyctx) (EVP_PKEY_CTX *ctx, + const unsigned char *sig, + int siglen, + EVP_MD_CTX *mctx)) +{ + if (pverifyctx_init) + *pverifyctx_init = pmeth->verifyctx_init; + if (pverifyctx) + *pverifyctx = pmeth->verifyctx; +} + +void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, + int (**pencrypt_init) (EVP_PKEY_CTX *ctx), + int (**pencryptfn) (EVP_PKEY_CTX *ctx, + unsigned char *out, + size_t *outlen, + const unsigned char *in, + size_t inlen)) +{ + if (pencrypt_init) + *pencrypt_init = pmeth->encrypt_init; + if (pencryptfn) + *pencryptfn = pmeth->encrypt; +} + +void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, + int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), + int (**pdecrypt) (EVP_PKEY_CTX *ctx, + unsigned char *out, + size_t *outlen, + const unsigned char *in, + size_t inlen)) +{ + if (pdecrypt_init) + *pdecrypt_init = pmeth->decrypt_init; + if (pdecrypt) + *pdecrypt = pmeth->decrypt; +} + +void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, + int (**pderive_init) (EVP_PKEY_CTX *ctx), + int (**pderive) (EVP_PKEY_CTX *ctx, + unsigned char *key, + size_t *keylen)) +{ + if (pderive_init) + *pderive_init = pmeth->derive_init; + if (pderive) + *pderive = pmeth->derive; +} + +void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, + int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, + void *p2), + int (**pctrl_str) (EVP_PKEY_CTX *ctx, + const char *type, + const char *value)) +{ + if (pctrl) + *pctrl = pmeth->ctrl; + if (pctrl_str) + *pctrl_str = pmeth->ctrl_str; +} diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 374c926..f92f109 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1430,6 +1430,98 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, const char *type, const char *value)); +void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, + int (**pinit) (EVP_PKEY_CTX *ctx)); + +void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, + int (**pcopy) (EVP_PKEY_CTX *dst, + EVP_PKEY_CTX *src)); + +void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, + void (**pcleanup) (EVP_PKEY_CTX *ctx)); + +void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, + int (**pparamgen_init) (EVP_PKEY_CTX *ctx), + int (**pparamgen) (EVP_PKEY_CTX *ctx, + EVP_PKEY *pkey)); + +void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, + int (**pkeygen_init) (EVP_PKEY_CTX *ctx), + int (**pkeygen) (EVP_PKEY_CTX *ctx, + EVP_PKEY *pkey)); + +void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, + int (**psign_init) (EVP_PKEY_CTX *ctx), + int (**psign) (EVP_PKEY_CTX *ctx, + unsigned char *sig, size_t *siglen, + const unsigned char *tbs, + size_t tbslen)); + +void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, + int (**pverify_init) (EVP_PKEY_CTX *ctx), + int (**pverify) (EVP_PKEY_CTX *ctx, + const unsigned char *sig, + size_t siglen, + const unsigned char *tbs, + size_t tbslen)); + +void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, + int (**pverify_recover_init) (EVP_PKEY_CTX + *ctx), + int (**pverify_recover) (EVP_PKEY_CTX + *ctx, + unsigned char + *sig, + size_t *siglen, + const unsigned + char *tbs, + size_t tbslen)); + +void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, + int (**psignctx_init) (EVP_PKEY_CTX *ctx, + EVP_MD_CTX *mctx), + int (**psignctx) (EVP_PKEY_CTX *ctx, + unsigned char *sig, + size_t *siglen, + EVP_MD_CTX *mctx)); + +void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, + int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, + EVP_MD_CTX *mctx), + int (**pverifyctx) (EVP_PKEY_CTX *ctx, + const unsigned char *sig, + int siglen, + EVP_MD_CTX *mctx)); + +void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, + int (**pencrypt_init) (EVP_PKEY_CTX *ctx), + int (**pencryptfn) (EVP_PKEY_CTX *ctx, + unsigned char *out, + size_t *outlen, + const unsigned char *in, + size_t inlen)); + +void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, + int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), + int (**pdecrypt) (EVP_PKEY_CTX *ctx, + unsigned char *out, + size_t *outlen, + const unsigned char *in, + size_t inlen)); + +void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, + int (**pderive_init) (EVP_PKEY_CTX *ctx), + int (**pderive) (EVP_PKEY_CTX *ctx, + unsigned char *key, + size_t *keylen)); + +void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, + int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, + void *p2), + int (**pctrl_str) (EVP_PKEY_CTX *ctx, + const char *type, + const char *value)); + void EVP_add_alg_module(void); /* BEGIN ERROR CODES */ From rsalz at openssl.org Thu Sep 10 20:14:04 2015 From: rsalz at openssl.org (Rich Salz) Date: Thu, 10 Sep 2015 20:14:04 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441916044.330445.9790.nullmailer@dev.openssl.org> The branch master has been updated via 4c7103a5eee1dc472e256ac8818610c6e98a9a39 (commit) from e7451ed137450e4bc6c4bec33bc9054bce443feb (commit) - Log ----------------------------------------------------------------- commit 4c7103a5eee1dc472e256ac8818610c6e98a9a39 Author: Rich Salz Date: Thu Sep 10 11:46:13 2015 -0400 Unwriteable directories are errors Make the script and app match the documentation. Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/rehash.c | 2 +- tools/c_rehash.in | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apps/rehash.c b/apps/rehash.c index b0d6d9c..fdaba6a 100644 --- a/apps/rehash.c +++ b/apps/rehash.c @@ -315,7 +315,7 @@ static int do_dir(const char *dirname, enum Hash h) if (app_access(dirname, W_OK) < 0) { BIO_printf(bio_err, "Skipping %s, can't write\n", dirname); - return 0; + return 1; } buflen = strlen(dirname); pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/"; diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 6c2ff06..834de78 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -6,6 +6,7 @@ my $dir; my $prefix; +my $errorcount = 0; my $openssl = $ENV{OPENSSL} || "openssl"; my $pwd; my $x509hash = "-subject_hash"; @@ -89,9 +90,11 @@ foreach (@dirlist) { hash_dir($_); } else { print "Skipping $_, can't write\n"; + $errorcount++; } } } +exit($errorcount); sub hash_dir { my %hashlist; From ben at openssl.org Fri Sep 11 03:56:31 2015 From: ben at openssl.org (Ben Laurie) Date: Fri, 11 Sep 2015 03:56:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441943791.160260.25510.nullmailer@dev.openssl.org> The branch master has been updated via df2ee0e27d2db02660c1d15fe6a3e38be9df0a60 (commit) from 4c7103a5eee1dc472e256ac8818610c6e98a9a39 (commit) - Log ----------------------------------------------------------------- commit df2ee0e27d2db02660c1d15fe6a3e38be9df0a60 Author: Ben Laurie Date: Sat Sep 5 13:32:58 2015 +0100 Enable -Wmissing-variable-declarations and -Wincompatible-pointer-types-discards-qualifiers (the latter did not require any code changes). Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: Configure | 5 +- apps/apps.h | 6 + apps/cms.c | 2 +- apps/ecparam.c | 4 +- apps/openssl.c | 2 +- apps/progs.h | 5 +- apps/progs.pl | 6 +- apps/s_cb.c | 4 +- apps/s_client.c | 2 +- apps/s_server.c | 10 +- apps/speed.c | 2 +- crypto/asn1/ameth_lib.c | 8 -- crypto/asn1/evp_asn1.c | 2 +- crypto/asn1/n_pkey.c | 4 +- crypto/asn1/p5_scrypt.c | 2 +- crypto/asn1/tasn_prn.c | 2 +- crypto/bn/Makefile | 8 +- crypto/bn/bn_dh.c | 1 + crypto/bn/bn_srp.c | 2 + crypto/cms/cms_asn1.c | 28 ++--- crypto/cms/cms_dd.c | 2 - crypto/cms/cms_enc.c | 2 - crypto/cms/cms_env.c | 5 - crypto/cms/cms_ess.c | 3 - crypto/cms/cms_kari.c | 5 - crypto/cms/cms_lcl.h | 16 +++ crypto/cms/cms_lib.c | 2 - crypto/cms/cms_sd.c | 2 - crypto/dh/dh_ameth.c | 2 - crypto/dh/dh_asn1.c | 6 +- crypto/dh/dh_rfc5114.c | 9 -- crypto/dsa/dsa_asn1.c | 8 +- crypto/ec/ec_asn1.c | 14 +-- crypto/ecdsa/ecs_asn1.c | 2 +- crypto/engine/Makefile | 15 +-- crypto/engine/eng_cryptodev.c | 16 +-- crypto/evp/Makefile | 23 ++-- crypto/evp/pmeth_lib.c | 13 ++- crypto/include/internal/asn1_int.h | 8 ++ crypto/ocsp/Makefile | 2 +- crypto/ocsp/v3_ocsp.c | 1 + crypto/sec_mem.c | 2 +- crypto/ts/ts_asn1.c | 18 +-- crypto/x509/by_dir.c | 2 +- crypto/x509/by_file.c | 2 +- crypto/x509/x_name.c | 6 +- crypto/x509v3/Makefile | 42 +++---- crypto/x509v3/ext_dat.h | 24 ++-- crypto/x509v3/v3_addr.c | 3 +- crypto/x509v3/v3_akey.c | 1 + crypto/x509v3/v3_alt.c | 1 + crypto/x509v3/v3_asid.c | 1 + crypto/x509v3/v3_bcons.c | 1 + crypto/x509v3/v3_bitst.c | 1 + crypto/x509v3/v3_cpols.c | 1 + crypto/x509v3/v3_crld.c | 1 + crypto/x509v3/v3_enum.c | 1 + crypto/x509v3/v3_extku.c | 1 + crypto/x509v3/v3_ia5.c | 1 + crypto/x509v3/v3_info.c | 1 + crypto/x509v3/v3_int.c | 1 + crypto/x509v3/v3_ncons.c | 1 + crypto/x509v3/v3_pci.c | 1 + crypto/x509v3/v3_pcons.c | 1 + crypto/x509v3/v3_pku.c | 1 + crypto/x509v3/v3_pmaps.c | 1 + crypto/x509v3/v3_scts.c | 1 + crypto/x509v3/v3_skey.c | 1 + crypto/x509v3/v3_sxnet.c | 1 + include/openssl/asn1t.h | 71 +++++++++++- include/openssl/cmac.h | 2 + include/openssl/dh.h | 14 +++ include/openssl/dsa.h | 2 + include/openssl/ec.h | 2 + include/openssl/hmac.h | 2 + include/openssl/rsa.h | 2 + include/openssl/ssl.h | 2 + ssl/Makefile | 224 +++++++++++++++++++------------------ ssl/ssl_asn1.c | 2 +- ssl/ssl_lib.c | 2 +- test/Makefile | 6 +- test/bntest.c | 6 +- test/ecdsatest.c | 4 +- test/gost2814789test.c | 2 +- test/ideatest.c | 22 ++-- test/sha256t.c | 12 +- test/sha512t.c | 12 +- test/ssltest.c | 26 ++--- test/wp_test.c | 18 +-- 89 files changed, 467 insertions(+), 346 deletions(-) diff --git a/Configure b/Configure index 2fc1e59..d7b8190 100755 --- a/Configure +++ b/Configure @@ -103,11 +103,10 @@ my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare # TODO(openssl-team): fix problems and investigate if (at least) the # following warnings can also be enabled: # -Wswitch-enum, -Wunused-macros, -Wmissing-field-initializers, -# -Wmissing-variable-declarations, -# -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align, +# -Wcast-align, # -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token # -Wextended-offsetof -my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Qunused-arguments"; +my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Wconditional-uninitialized -Qunused-arguments -Wincompatible-pointer-types-discards-qualifiers -Wmissing-variable-declarations"; my $strict_warnings = 0; diff --git a/apps/apps.h b/apps/apps.h index 0901c7d..328f8fb 100644 --- a/apps/apps.h +++ b/apps/apps.h @@ -573,6 +573,12 @@ int raw_write_stdout(const void *, int); # define TM_STOP 1 double app_tminterval(int stop, int usertime); +/* this is an accident waiting to happen (-Wshadow is your friend) */ +extern int verify_depth; +extern int verify_quiet; +extern int verify_error; +extern int verify_return_error; + # include "progs.h" #endif diff --git a/apps/cms.c b/apps/cms.c index 2331ea2..ae47341 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -95,7 +95,7 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, # define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) # define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) -int verify_err = 0; +static int verify_err = 0; typedef struct cms_key_param_st cms_key_param; diff --git a/apps/ecparam.c b/apps/ecparam.c index 145f55c..5a98f45 100644 --- a/apps/ecparam.c +++ b/apps/ecparam.c @@ -116,14 +116,14 @@ OPTIONS ecparam_options[] = { {NULL} }; -OPT_PAIR forms[] = { +static OPT_PAIR forms[] = { {"compressed", POINT_CONVERSION_COMPRESSED}, {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, {"hybrid", POINT_CONVERSION_HYBRID}, {NULL} }; -OPT_PAIR encodings[] = { +static OPT_PAIR encodings[] = { {"named_curve", OPENSSL_EC_NAMED_CURVE}, {"explicit", 0}, {NULL} diff --git a/apps/openssl.c b/apps/openssl.c index 39ae64d..58a2d0f 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -160,7 +160,7 @@ static void list_pkey(void); static void list_type(FUNC_TYPE ft); char *default_config_file = NULL; -CONF *config = NULL; +static CONF *config = NULL; BIO *bio_in = NULL; BIO *bio_out = NULL; BIO *bio_err = NULL; diff --git a/apps/progs.h b/apps/progs.h index 4b9bcb4..4a59b64 100644 --- a/apps/progs.h +++ b/apps/progs.h @@ -65,7 +65,6 @@ extern int list_main(int argc, char *argv[]); extern int help_main(int argc, char *argv[]); extern int exit_main(int argc, char *argv[]); -#ifdef INCLUDE_FUNCTION_TABLE extern OPTIONS asn1parse_options[]; extern OPTIONS ca_options[]; extern OPTIONS ciphers_options[]; @@ -114,7 +113,9 @@ extern OPTIONS rehash_options[]; extern OPTIONS list_options[]; extern OPTIONS help_options[]; extern OPTIONS exit_options[]; -FUNCTION functions[] = { + +#ifdef INCLUDE_FUNCTION_TABLE +static FUNCTION functions[] = { { FT_general, "asn1parse", asn1parse_main, asn1parse_options }, { FT_general, "ca", ca_main, ca_options }, #if !defined(OPENSSL_NO_SOCK) diff --git a/apps/progs.pl b/apps/progs.pl index 38e091e..065d954 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -33,11 +33,13 @@ foreach (@ARGV) { printf "extern int %s_main(int argc, char *argv[]);\n", $_; } -printf "\n#ifdef INCLUDE_FUNCTION_TABLE\n"; +print "\n"; + foreach (@ARGV) { printf "extern OPTIONS %s_options[];\n", $_; } -printf "FUNCTION functions[] = {\n"; +print "\n#ifdef INCLUDE_FUNCTION_TABLE\n"; +print "static FUNCTION functions[] = {\n"; foreach (@ARGV) { $str=" { FT_general, \"$_\", ${_}_main, ${_}_options },\n"; if (/^s_/ || /^ciphers$/) { diff --git a/apps/s_cb.c b/apps/s_cb.c index a1305d3..0c1dfc5 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -131,8 +131,8 @@ int verify_depth = 0; int verify_quiet = 0; int verify_error = X509_V_OK; int verify_return_error = 0; -unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; -int cookie_initialized = 0; +static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +static int cookie_initialized = 0; static const char *lookup(int val, const STRINT_PAIR* list, const char* def) { diff --git a/apps/s_client.c b/apps/s_client.c index 3eb495a..65e3bb8 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -395,7 +395,7 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) #endif -char *srtp_profiles = NULL; +static char *srtp_profiles = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ diff --git a/apps/s_server.c b/apps/s_server.c index 8fe1ebe..9e4a186 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -232,7 +232,7 @@ static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; static int s_nbio = 0; #endif static int s_nbio_test = 0; -int s_crlf = 0; +static int s_crlf = 0; static SSL_CTX *ctx = NULL; static SSL_CTX *ctx2 = NULL; static int www = 0; @@ -2366,7 +2366,7 @@ static int init_ssl_connection(SSL *con) int i; const char *str; X509 *peer; - long verify_error; + long verify_err; char buf[BUFSIZ]; #if !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; @@ -2409,10 +2409,10 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_err, "ERROR\n"); - verify_error = SSL_get_verify_result(con); - if (verify_error != X509_V_OK) { + verify_err = SSL_get_verify_result(con); + if (verify_err != X509_V_OK) { BIO_printf(bio_err, "verify error:%s\n", - X509_verify_cert_error_string(verify_error)); + X509_verify_cert_error_string(verify_err)); } /* Always print any error messages */ ERR_print_errors(bio_err); diff --git a/apps/speed.c b/apps/speed.c index 297ea52..1508076 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -405,7 +405,7 @@ OPTIONS speed_options[] = { #define D_IGE_192_AES 27 #define D_IGE_256_AES 28 #define D_GHASH 29 -OPT_PAIR doit_choices[] = { +static OPT_PAIR doit_choices[] = { #ifndef OPENSSL_NO_MD2 {"md2", D_MD2}, #endif diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index feef015..2deb679 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -65,14 +65,6 @@ #endif #include "internal/asn1_int.h" -extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[]; -extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; -extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth; - /* Keep this sorted in type order !! */ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #ifndef OPENSSL_NO_RSA diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c index 4c3f3e0..b7e5620 100644 --- a/crypto/asn1/evp_asn1.c +++ b/crypto/asn1/evp_asn1.c @@ -103,7 +103,7 @@ typedef struct { ASN1_SEQUENCE(asn1_int_oct) = { ASN1_SIMPLE(asn1_int_oct, num, LONG), ASN1_SIMPLE(asn1_int_oct, oct, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(asn1_int_oct) +} static_ASN1_SEQUENCE_END(asn1_int_oct) DECLARE_ASN1_ITEM(asn1_int_oct) diff --git a/crypto/asn1/n_pkey.c b/crypto/asn1/n_pkey.c index 0c9c4c4..c42422c 100644 --- a/crypto/asn1/n_pkey.c +++ b/crypto/asn1/n_pkey.c @@ -86,7 +86,7 @@ typedef struct netscape_encrypted_pkey_st { ASN1_BROKEN_SEQUENCE(NETSCAPE_ENCRYPTED_PKEY) = { ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, os, ASN1_OCTET_STRING), ASN1_SIMPLE(NETSCAPE_ENCRYPTED_PKEY, enckey, X509_SIG) -} ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY) +} static_ASN1_BROKEN_SEQUENCE_END(NETSCAPE_ENCRYPTED_PKEY) DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY) DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_ENCRYPTED_PKEY,NETSCAPE_ENCRYPTED_PKEY) @@ -96,7 +96,7 @@ ASN1_SEQUENCE(NETSCAPE_PKEY) = { ASN1_SIMPLE(NETSCAPE_PKEY, version, LONG), ASN1_SIMPLE(NETSCAPE_PKEY, algor, X509_ALGOR), ASN1_SIMPLE(NETSCAPE_PKEY, private_key, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(NETSCAPE_PKEY) +} static_ASN1_SEQUENCE_END(NETSCAPE_PKEY) DECLARE_ASN1_FUNCTIONS_const(NETSCAPE_PKEY) DECLARE_ASN1_ENCODE_FUNCTIONS_const(NETSCAPE_PKEY,NETSCAPE_PKEY) diff --git a/crypto/asn1/p5_scrypt.c b/crypto/asn1/p5_scrypt.c index 35ff396..3667546 100644 --- a/crypto/asn1/p5_scrypt.c +++ b/crypto/asn1/p5_scrypt.c @@ -82,7 +82,7 @@ ASN1_SEQUENCE(SCRYPT_PARAMS) = { ASN1_SIMPLE(SCRYPT_PARAMS, blockSize, ASN1_INTEGER), ASN1_SIMPLE(SCRYPT_PARAMS, parallelizationParameter, ASN1_INTEGER), ASN1_OPT(SCRYPT_PARAMS, keyLength, ASN1_INTEGER), -} ASN1_SEQUENCE_END(SCRYPT_PARAMS) +} static_ASN1_SEQUENCE_END(SCRYPT_PARAMS) DECLARE_ASN1_ALLOC_FUNCTIONS(SCRYPT_PARAMS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(SCRYPT_PARAMS) diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 5314c61..329ef94 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -74,7 +74,7 @@ /* ASN1_PCTX routines */ -ASN1_PCTX default_pctx = { +static ASN1_PCTX default_pctx = { ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */ 0, /* nm_flags */ 0, /* cert_flags */ diff --git a/crypto/bn/Makefile b/crypto/bn/Makefile index 7d55778..5d05e1b 100644 --- a/crypto/bn/Makefile +++ b/crypto/bn/Makefile @@ -219,7 +219,8 @@ bn_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h bn_depr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h bn_depr.o: ../include/internal/bn_int.h ../include/internal/cryptlib.h bn_depr.o: bn_depr.c bn_lcl.h -bn_dh.o: ../../e_os.h ../../include/openssl/bn.h ../../include/openssl/crypto.h +bn_dh.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h +bn_dh.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h bn_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h bn_dh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_dh.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h @@ -399,8 +400,9 @@ bn_srp.o: ../../e_os.h ../../include/openssl/bn.h bn_srp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h bn_srp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h bn_srp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h -bn_srp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -bn_srp.o: ../include/internal/bn_int.h bn_lcl.h bn_srp.c +bn_srp.o: ../../include/openssl/srp.h ../../include/openssl/stack.h +bn_srp.o: ../../include/openssl/symhacks.h ../include/internal/bn_int.h +bn_srp.o: ../include/internal/bn_srp.h bn_lcl.h bn_srp.c bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c index cfd8c06..3a7282f 100644 --- a/crypto/bn/bn_dh.c +++ b/crypto/bn/bn_dh.c @@ -56,6 +56,7 @@ * */ +#include #include "bn_lcl.h" #include "e_os.h" diff --git a/crypto/bn/bn_srp.c b/crypto/bn/bn_srp.c index 5dd31fc..c575e6a 100644 --- a/crypto/bn/bn_srp.c +++ b/crypto/bn/bn_srp.c @@ -1,5 +1,7 @@ #include "bn_lcl.h" #include "e_os.h" +#include +#include #ifndef OPENSSL_NO_SRP diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 893ad46..2bd3954 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -67,7 +67,7 @@ ASN1_SEQUENCE(CMS_IssuerAndSerialNumber) = { ASN1_SEQUENCE(CMS_OtherCertificateFormat) = { ASN1_SIMPLE(CMS_OtherCertificateFormat, otherCertFormat, ASN1_OBJECT), ASN1_OPT(CMS_OtherCertificateFormat, otherCert, ASN1_ANY) -} ASN1_SEQUENCE_END(CMS_OtherCertificateFormat) +} static_ASN1_SEQUENCE_END(CMS_OtherCertificateFormat) ASN1_CHOICE(CMS_CertificateChoices) = { ASN1_SIMPLE(CMS_CertificateChoices, d.certificate, X509), @@ -80,12 +80,12 @@ ASN1_CHOICE(CMS_CertificateChoices) = { ASN1_CHOICE(CMS_SignerIdentifier) = { ASN1_SIMPLE(CMS_SignerIdentifier, d.issuerAndSerialNumber, CMS_IssuerAndSerialNumber), ASN1_IMP(CMS_SignerIdentifier, d.subjectKeyIdentifier, ASN1_OCTET_STRING, 0) -} ASN1_CHOICE_END(CMS_SignerIdentifier) +} static_ASN1_CHOICE_END(CMS_SignerIdentifier) ASN1_NDEF_SEQUENCE(CMS_EncapsulatedContentInfo) = { ASN1_SIMPLE(CMS_EncapsulatedContentInfo, eContentType, ASN1_OBJECT), ASN1_NDEF_EXP_OPT(CMS_EncapsulatedContentInfo, eContent, ASN1_OCTET_STRING_NDEF, 0) -} ASN1_NDEF_SEQUENCE_END(CMS_EncapsulatedContentInfo) +} static_ASN1_NDEF_SEQUENCE_END(CMS_EncapsulatedContentInfo) /* Minor tweak to operation: free up signer key, cert */ static int cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, @@ -114,7 +114,7 @@ ASN1_SEQUENCE_cb(CMS_SignerInfo, cms_si_cb) = { ASN1_SEQUENCE(CMS_OtherRevocationInfoFormat) = { ASN1_SIMPLE(CMS_OtherRevocationInfoFormat, otherRevInfoFormat, ASN1_OBJECT), ASN1_OPT(CMS_OtherRevocationInfoFormat, otherRevInfo, ASN1_ANY) -} ASN1_SEQUENCE_END(CMS_OtherRevocationInfoFormat) +} static_ASN1_SEQUENCE_END(CMS_OtherRevocationInfoFormat) ASN1_CHOICE(CMS_RevocationInfoChoice) = { ASN1_SIMPLE(CMS_RevocationInfoChoice, d.crl, X509_CRL), @@ -133,13 +133,13 @@ ASN1_NDEF_SEQUENCE(CMS_SignedData) = { ASN1_SEQUENCE(CMS_OriginatorInfo) = { ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, certificates, CMS_CertificateChoices, 0), ASN1_IMP_SET_OF_OPT(CMS_OriginatorInfo, crls, CMS_RevocationInfoChoice, 1) -} ASN1_SEQUENCE_END(CMS_OriginatorInfo) +} static_ASN1_SEQUENCE_END(CMS_OriginatorInfo) ASN1_NDEF_SEQUENCE(CMS_EncryptedContentInfo) = { ASN1_SIMPLE(CMS_EncryptedContentInfo, contentType, ASN1_OBJECT), ASN1_SIMPLE(CMS_EncryptedContentInfo, contentEncryptionAlgorithm, X509_ALGOR), ASN1_IMP_OPT(CMS_EncryptedContentInfo, encryptedContent, ASN1_OCTET_STRING_NDEF, 0) -} ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo) +} static_ASN1_NDEF_SEQUENCE_END(CMS_EncryptedContentInfo) ASN1_SEQUENCE(CMS_KeyTransRecipientInfo) = { ASN1_SIMPLE(CMS_KeyTransRecipientInfo, version, LONG), @@ -162,7 +162,7 @@ ASN1_SEQUENCE(CMS_RecipientKeyIdentifier) = { ASN1_CHOICE(CMS_KeyAgreeRecipientIdentifier) = { ASN1_SIMPLE(CMS_KeyAgreeRecipientIdentifier, d.issuerAndSerialNumber, CMS_IssuerAndSerialNumber), ASN1_IMP(CMS_KeyAgreeRecipientIdentifier, d.rKeyId, CMS_RecipientKeyIdentifier, 0) -} ASN1_CHOICE_END(CMS_KeyAgreeRecipientIdentifier) +} static_ASN1_CHOICE_END(CMS_KeyAgreeRecipientIdentifier) static int cms_rek_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -188,7 +188,7 @@ ASN1_CHOICE(CMS_OriginatorIdentifierOrKey) = { ASN1_SIMPLE(CMS_OriginatorIdentifierOrKey, d.issuerAndSerialNumber, CMS_IssuerAndSerialNumber), ASN1_IMP(CMS_OriginatorIdentifierOrKey, d.subjectKeyIdentifier, ASN1_OCTET_STRING, 0), ASN1_IMP(CMS_OriginatorIdentifierOrKey, d.originatorKey, CMS_OriginatorPublicKey, 1) -} ASN1_CHOICE_END(CMS_OriginatorIdentifierOrKey) +} static_ASN1_CHOICE_END(CMS_OriginatorIdentifierOrKey) static int cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) @@ -217,7 +217,7 @@ ASN1_SEQUENCE(CMS_KEKIdentifier) = { ASN1_SIMPLE(CMS_KEKIdentifier, keyIdentifier, ASN1_OCTET_STRING), ASN1_OPT(CMS_KEKIdentifier, date, ASN1_GENERALIZEDTIME), ASN1_OPT(CMS_KEKIdentifier, other, CMS_OtherKeyAttribute) -} ASN1_SEQUENCE_END(CMS_KEKIdentifier) +} static_ASN1_SEQUENCE_END(CMS_KEKIdentifier) ASN1_SEQUENCE(CMS_KEKRecipientInfo) = { ASN1_SIMPLE(CMS_KEKRecipientInfo, version, LONG), @@ -236,7 +236,7 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = { ASN1_SEQUENCE(CMS_OtherRecipientInfo) = { ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT), ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY) -} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo) +} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo) /* Free up RecipientInfo additional data */ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, @@ -299,13 +299,13 @@ ASN1_NDEF_SEQUENCE(CMS_AuthenticatedData) = { ASN1_IMP_SET_OF_OPT(CMS_AuthenticatedData, authAttrs, X509_ALGOR, 2), ASN1_SIMPLE(CMS_AuthenticatedData, mac, ASN1_OCTET_STRING), ASN1_IMP_SET_OF_OPT(CMS_AuthenticatedData, unauthAttrs, X509_ALGOR, 3) -} ASN1_NDEF_SEQUENCE_END(CMS_AuthenticatedData) +} static_ASN1_NDEF_SEQUENCE_END(CMS_AuthenticatedData) ASN1_NDEF_SEQUENCE(CMS_CompressedData) = { ASN1_SIMPLE(CMS_CompressedData, version, LONG), ASN1_SIMPLE(CMS_CompressedData, compressionAlgorithm, X509_ALGOR), ASN1_SIMPLE(CMS_CompressedData, encapContentInfo, CMS_EncapsulatedContentInfo), -} ASN1_NDEF_SEQUENCE_END(CMS_CompressedData) +} static_ASN1_NDEF_SEQUENCE_END(CMS_CompressedData) /* This is the ANY DEFINED BY table for the top level ContentInfo structure */ @@ -383,7 +383,7 @@ ASN1_ITEM_TEMPLATE_END(CMS_Attributes_Verify) ASN1_CHOICE(CMS_ReceiptsFrom) = { ASN1_IMP(CMS_ReceiptsFrom, d.allOrFirstTier, LONG, 0), ASN1_IMP_SEQUENCE_OF(CMS_ReceiptsFrom, d.receiptList, GENERAL_NAMES, 1) -} ASN1_CHOICE_END(CMS_ReceiptsFrom) +} static_ASN1_CHOICE_END(CMS_ReceiptsFrom) ASN1_SEQUENCE(CMS_ReceiptRequest) = { ASN1_SIMPLE(CMS_ReceiptRequest, signedContentIdentifier, ASN1_OCTET_STRING), @@ -413,7 +413,7 @@ ASN1_SEQUENCE(CMS_SharedInfo) = { ASN1_SIMPLE(CMS_SharedInfo, keyInfo, X509_ALGOR), ASN1_EXP_OPT(CMS_SharedInfo, entityUInfo, ASN1_OCTET_STRING, 0), ASN1_EXP_OPT(CMS_SharedInfo, suppPubInfo, ASN1_OCTET_STRING, 2), -} ASN1_SEQUENCE_END(CMS_SharedInfo) +} static_ASN1_SEQUENCE_END(CMS_SharedInfo) int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen) diff --git a/crypto/cms/cms_dd.c b/crypto/cms/cms_dd.c index d406785..7609b6f 100644 --- a/crypto/cms/cms_dd.c +++ b/crypto/cms/cms_dd.c @@ -60,8 +60,6 @@ #include #include "cms_lcl.h" -DECLARE_ASN1_ITEM(CMS_DigestedData) - /* CMS DigestedData Utilities */ CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md) diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index 16b4225..fc66f60 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c @@ -63,8 +63,6 @@ /* CMS EncryptedData Utilities */ -DECLARE_ASN1_ITEM(CMS_EncryptedData) - /* Return BIO based on EncryptedContentInfo and key */ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index f677a9b..e133bcc 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -65,11 +65,6 @@ /* CMS EnvelopedData Utilities */ -DECLARE_ASN1_ITEM(CMS_EnvelopedData) -DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo) -DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo) -DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute) - DECLARE_STACK_OF(CMS_RecipientInfo) CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms) diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index d75ea16..2149749 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -61,9 +61,6 @@ #include #include "cms_lcl.h" -DECLARE_ASN1_ITEM(CMS_ReceiptRequest) -DECLARE_ASN1_ITEM(CMS_Receipt) - IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest) /* ESS services: for now just Signed Receipt related */ diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c index d56dd9b..77181bc 100644 --- a/crypto/cms/cms_kari.c +++ b/crypto/cms/cms_kari.c @@ -63,11 +63,6 @@ #include "cms_lcl.h" #include "internal/asn1_int.h" -DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) -DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) -DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) -DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) - /* Key Agreement Recipient Info (KARI) routines */ int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h index 1f27b0c..5b0551c 100644 --- a/crypto/cms/cms_lcl.h +++ b/crypto/cms/cms_lcl.h @@ -464,6 +464,22 @@ int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, int en_de); +DECLARE_ASN1_ITEM(CMS_CertificateChoices) +DECLARE_ASN1_ITEM(CMS_DigestedData) +DECLARE_ASN1_ITEM(CMS_EncryptedData) +DECLARE_ASN1_ITEM(CMS_EnvelopedData) +DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo) +DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) +DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo) +DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) +DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute) +DECLARE_ASN1_ITEM(CMS_Receipt) +DECLARE_ASN1_ITEM(CMS_ReceiptRequest) +DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) +DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) +DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice) +DECLARE_ASN1_ITEM(CMS_SignedData) + #ifdef __cplusplus } #endif diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 0bfad69..ef18418 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -64,8 +64,6 @@ IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo) IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo) -DECLARE_ASN1_ITEM(CMS_CertificateChoices) -DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice) DECLARE_STACK_OF(CMS_CertificateChoices) DECLARE_STACK_OF(CMS_RevocationInfoChoice) diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 338e515..8fc407e 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -64,8 +64,6 @@ /* CMS SignedData Utilities */ -DECLARE_ASN1_ITEM(CMS_SignedData) - static CMS_SignedData *cms_get0_signed(CMS_ContentInfo *cms) { if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) { diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index efb3d80..f0fcd83 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -67,8 +67,6 @@ # include #endif -extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth; - /* * i2d/d2i like DH parameter functions which use the appropriate routine for * PKCS#3 DH or X9.42 DH. diff --git a/crypto/dh/dh_asn1.c b/crypto/dh/dh_asn1.c index 0c6a1de..cc307dc 100644 --- a/crypto/dh/dh_asn1.c +++ b/crypto/dh/dh_asn1.c @@ -85,7 +85,7 @@ ASN1_SEQUENCE_cb(DHparams, dh_cb) = { ASN1_SIMPLE(DH, p, BIGNUM), ASN1_SIMPLE(DH, g, BIGNUM), ASN1_OPT(DH, length, ZLONG), -} ASN1_SEQUENCE_END_cb(DH, DHparams) +} static_ASN1_SEQUENCE_END_cb(DH, DHparams) IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DH, DHparams, DHparams) @@ -110,7 +110,7 @@ typedef struct { ASN1_SEQUENCE(DHvparams) = { ASN1_SIMPLE(int_dhvparams, seed, ASN1_BIT_STRING), ASN1_SIMPLE(int_dhvparams, counter, BIGNUM) -} ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams) +} static_ASN1_SEQUENCE_END_name(int_dhvparams, DHvparams) ASN1_SEQUENCE(DHxparams) = { ASN1_SIMPLE(int_dhx942_dh, p, BIGNUM), @@ -118,7 +118,7 @@ ASN1_SEQUENCE(DHxparams) = { ASN1_SIMPLE(int_dhx942_dh, q, BIGNUM), ASN1_OPT(int_dhx942_dh, j, BIGNUM), ASN1_OPT(int_dhx942_dh, vparams, DHvparams), -} ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams) +} static_ASN1_SEQUENCE_END_name(int_dhx942_dh, DHxparams) int_dhx942_dh *d2i_int_dhx(int_dhx942_dh **a, const unsigned char **pp, long length); diff --git a/crypto/dh/dh_rfc5114.c b/crypto/dh/dh_rfc5114.c index 752bf2c..61cd9ad 100644 --- a/crypto/dh/dh_rfc5114.c +++ b/crypto/dh/dh_rfc5114.c @@ -61,11 +61,6 @@ #include #include -#define make_dh_bn(x) \ - const extern BIGNUM _bignum_dh##x##_p;\ - const extern BIGNUM _bignum_dh##x##_g;\ - const extern BIGNUM _bignum_dh##x##_q; - /* * Macro to make a DH structure from BIGNUM data. NB: although just copying * the BIGNUM static pointers would be more efficient we can't as they get @@ -90,10 +85,6 @@ DH * DH_get_##x(void) \ return dh; \ } -make_dh_bn(1024_160) -make_dh_bn(2048_224) -make_dh_bn(2048_256) - make_dh(1024_160) make_dh(2048_224) make_dh(2048_256) diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index 85db147..99bca3b 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -86,7 +86,7 @@ static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, ASN1_SEQUENCE_cb(DSA_SIG, sig_cb) = { ASN1_SIMPLE(DSA_SIG, r, CBIGNUM), ASN1_SIMPLE(DSA_SIG, s, CBIGNUM) -} ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG) +} static_ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG) IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG) @@ -114,7 +114,7 @@ ASN1_SEQUENCE_cb(DSAPrivateKey, dsa_cb) = { ASN1_SIMPLE(DSA, g, BIGNUM), ASN1_SIMPLE(DSA, pub_key, BIGNUM), ASN1_SIMPLE(DSA, priv_key, CBIGNUM) -} ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey) +} static_ASN1_SEQUENCE_END_cb(DSA, DSAPrivateKey) IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPrivateKey, DSAPrivateKey) @@ -122,7 +122,7 @@ ASN1_SEQUENCE_cb(DSAparams, dsa_cb) = { ASN1_SIMPLE(DSA, p, BIGNUM), ASN1_SIMPLE(DSA, q, BIGNUM), ASN1_SIMPLE(DSA, g, BIGNUM), -} ASN1_SEQUENCE_END_cb(DSA, DSAparams) +} static_ASN1_SEQUENCE_END_cb(DSA, DSAparams) IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAparams, DSAparams) @@ -137,7 +137,7 @@ ASN1_SEQUENCE(DSAPublicKey) = { ASN1_SIMPLE(DSA, p, BIGNUM), ASN1_SIMPLE(DSA, q, BIGNUM), ASN1_SIMPLE(DSA, g, BIGNUM) -} ASN1_SEQUENCE_END_name(DSA, DSAPublicKey) +} static_ASN1_SEQUENCE_END_name(DSA, DSAPublicKey) IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPublicKey, DSAPublicKey) diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 3f971aa..4e1566d 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -204,7 +204,7 @@ ASN1_SEQUENCE(X9_62_PENTANOMIAL) = { ASN1_SIMPLE(X9_62_PENTANOMIAL, k1, LONG), ASN1_SIMPLE(X9_62_PENTANOMIAL, k2, LONG), ASN1_SIMPLE(X9_62_PENTANOMIAL, k3, LONG) -} ASN1_SEQUENCE_END(X9_62_PENTANOMIAL) +} static_ASN1_SEQUENCE_END(X9_62_PENTANOMIAL) DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_PENTANOMIAL) @@ -221,7 +221,7 @@ ASN1_SEQUENCE(X9_62_CHARACTERISTIC_TWO) = { ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, m, LONG), ASN1_SIMPLE(X9_62_CHARACTERISTIC_TWO, type, ASN1_OBJECT), ASN1_ADB_OBJECT(X9_62_CHARACTERISTIC_TWO) -} ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO) +} static_ASN1_SEQUENCE_END(X9_62_CHARACTERISTIC_TWO) DECLARE_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X9_62_CHARACTERISTIC_TWO) @@ -236,13 +236,13 @@ ASN1_ADB(X9_62_FIELDID) = { ASN1_SEQUENCE(X9_62_FIELDID) = { ASN1_SIMPLE(X9_62_FIELDID, fieldType, ASN1_OBJECT), ASN1_ADB_OBJECT(X9_62_FIELDID) -} ASN1_SEQUENCE_END(X9_62_FIELDID) +} static_ASN1_SEQUENCE_END(X9_62_FIELDID) ASN1_SEQUENCE(X9_62_CURVE) = { ASN1_SIMPLE(X9_62_CURVE, a, ASN1_OCTET_STRING), ASN1_SIMPLE(X9_62_CURVE, b, ASN1_OCTET_STRING), ASN1_OPT(X9_62_CURVE, seed, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END(X9_62_CURVE) +} static_ASN1_SEQUENCE_END(X9_62_CURVE) ASN1_SEQUENCE(ECPARAMETERS) = { ASN1_SIMPLE(ECPARAMETERS, version, LONG), @@ -251,7 +251,7 @@ ASN1_SEQUENCE(ECPARAMETERS) = { ASN1_SIMPLE(ECPARAMETERS, base, ASN1_OCTET_STRING), ASN1_SIMPLE(ECPARAMETERS, order, ASN1_INTEGER), ASN1_OPT(ECPARAMETERS, cofactor, ASN1_INTEGER) -} ASN1_SEQUENCE_END(ECPARAMETERS) +} static_ASN1_SEQUENCE_END(ECPARAMETERS) DECLARE_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS) IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ECPARAMETERS) @@ -260,7 +260,7 @@ ASN1_CHOICE(ECPKPARAMETERS) = { ASN1_SIMPLE(ECPKPARAMETERS, value.named_curve, ASN1_OBJECT), ASN1_SIMPLE(ECPKPARAMETERS, value.parameters, ECPARAMETERS), ASN1_SIMPLE(ECPKPARAMETERS, value.implicitlyCA, ASN1_NULL) -} ASN1_CHOICE_END(ECPKPARAMETERS) +} static_ASN1_CHOICE_END(ECPKPARAMETERS) DECLARE_ASN1_FUNCTIONS_const(ECPKPARAMETERS) DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECPKPARAMETERS, ECPKPARAMETERS) @@ -271,7 +271,7 @@ ASN1_SEQUENCE(EC_PRIVATEKEY) = { ASN1_SIMPLE(EC_PRIVATEKEY, privateKey, ASN1_OCTET_STRING), ASN1_EXP_OPT(EC_PRIVATEKEY, parameters, ECPKPARAMETERS, 0), ASN1_EXP_OPT(EC_PRIVATEKEY, publicKey, ASN1_BIT_STRING, 1) -} ASN1_SEQUENCE_END(EC_PRIVATEKEY) +} static_ASN1_SEQUENCE_END(EC_PRIVATEKEY) DECLARE_ASN1_FUNCTIONS_const(EC_PRIVATEKEY) DECLARE_ASN1_ENCODE_FUNCTIONS_const(EC_PRIVATEKEY, EC_PRIVATEKEY) diff --git a/crypto/ecdsa/ecs_asn1.c b/crypto/ecdsa/ecs_asn1.c index 508b079..0767d3e 100644 --- a/crypto/ecdsa/ecs_asn1.c +++ b/crypto/ecdsa/ecs_asn1.c @@ -60,7 +60,7 @@ ASN1_SEQUENCE(ECDSA_SIG) = { ASN1_SIMPLE(ECDSA_SIG, r, CBIGNUM), ASN1_SIMPLE(ECDSA_SIG, s, CBIGNUM) -} ASN1_SEQUENCE_END(ECDSA_SIG) +} static_ASN1_SEQUENCE_END(ECDSA_SIG) DECLARE_ASN1_FUNCTIONS_const(ECDSA_SIG) DECLARE_ASN1_ENCODE_FUNCTIONS_const(ECDSA_SIG, ECDSA_SIG) diff --git a/crypto/engine/Makefile b/crypto/engine/Makefile index 532fadd..dae2926 100644 --- a/crypto/engine/Makefile +++ b/crypto/engine/Makefile @@ -100,19 +100,20 @@ eng_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h eng_cnf.o: ../include/internal/cryptlib.h eng_cnf.c eng_int.h eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h +eng_cryptodev.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h eng_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h eng_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -eng_cryptodev.o: ../../include/openssl/obj_mac.h +eng_cryptodev.o: ../../include/openssl/err.h ../../include/openssl/evp.h +eng_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h eng_cryptodev.o: ../../include/openssl/objects.h eng_cryptodev.o: ../../include/openssl/opensslconf.h eng_cryptodev.o: ../../include/openssl/opensslv.h eng_cryptodev.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -eng_cryptodev.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -eng_cryptodev.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -eng_cryptodev.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -eng_cryptodev.o: eng_cryptodev.c +eng_cryptodev.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +eng_cryptodev.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +eng_cryptodev.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h +eng_cryptodev.o: ../../include/openssl/x509_vfy.h eng_cryptodev.c eng_ctrl.o: ../../e_os.h ../../include/openssl/asn1.h eng_ctrl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h eng_ctrl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c index ca567dc..65fc29e 100644 --- a/crypto/engine/eng_cryptodev.c +++ b/crypto/engine/eng_cryptodev.c @@ -535,7 +535,7 @@ static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx) */ /* RC4 */ -const EVP_CIPHER cryptodev_rc4 = { +static const EVP_CIPHER cryptodev_rc4 = { NID_rc4, 1, 16, 0, EVP_CIPH_VARIABLE_LENGTH, @@ -549,7 +549,7 @@ const EVP_CIPHER cryptodev_rc4 = { }; /* DES CBC EVP */ -const EVP_CIPHER cryptodev_des_cbc = { +static const EVP_CIPHER cryptodev_des_cbc = { NID_des_cbc, 8, 8, 8, EVP_CIPH_CBC_MODE, @@ -563,7 +563,7 @@ const EVP_CIPHER cryptodev_des_cbc = { }; /* 3DES CBC EVP */ -const EVP_CIPHER cryptodev_3des_cbc = { +static const EVP_CIPHER cryptodev_3des_cbc = { NID_des_ede3_cbc, 8, 24, 8, EVP_CIPH_CBC_MODE, @@ -576,7 +576,7 @@ const EVP_CIPHER cryptodev_3des_cbc = { NULL }; -const EVP_CIPHER cryptodev_bf_cbc = { +static const EVP_CIPHER cryptodev_bf_cbc = { NID_bf_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, @@ -589,7 +589,7 @@ const EVP_CIPHER cryptodev_bf_cbc = { NULL }; -const EVP_CIPHER cryptodev_cast_cbc = { +static const EVP_CIPHER cryptodev_cast_cbc = { NID_cast5_cbc, 8, 16, 8, EVP_CIPH_CBC_MODE, @@ -602,7 +602,7 @@ const EVP_CIPHER cryptodev_cast_cbc = { NULL }; -const EVP_CIPHER cryptodev_aes_cbc = { +static const EVP_CIPHER cryptodev_aes_cbc = { NID_aes_128_cbc, 16, 16, 16, EVP_CIPH_CBC_MODE, @@ -615,7 +615,7 @@ const EVP_CIPHER cryptodev_aes_cbc = { NULL }; -const EVP_CIPHER cryptodev_aes_192_cbc = { +static const EVP_CIPHER cryptodev_aes_192_cbc = { NID_aes_192_cbc, 16, 24, 16, EVP_CIPH_CBC_MODE, @@ -628,7 +628,7 @@ const EVP_CIPHER cryptodev_aes_192_cbc = { NULL }; -const EVP_CIPHER cryptodev_aes_256_cbc = { +static const EVP_CIPHER cryptodev_aes_256_cbc = { NID_aes_256_cbc, 16, 32, 16, EVP_CIPH_CBC_MODE, diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile index 1a65b46..6164f84 100644 --- a/crypto/evp/Makefile +++ b/crypto/evp/Makefile @@ -290,7 +290,6 @@ e_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h e_null.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h e_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_null.o: ../include/internal/cryptlib.h e_null.c -e_old.o: e_old.c e_rc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_rc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h e_rc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h @@ -756,20 +755,22 @@ pmeth_gn.o: ../include/internal/cryptlib.h ../include/internal/evp_int.h pmeth_gn.o: pmeth_gn.c pmeth_lib.o: ../../e_os.h ../../include/openssl/asn1.h pmeth_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -pmeth_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -pmeth_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -pmeth_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -pmeth_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h +pmeth_lib.o: ../../include/openssl/cmac.h ../../include/openssl/crypto.h +pmeth_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +pmeth_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +pmeth_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +pmeth_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h +pmeth_lib.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h pmeth_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h pmeth_lib.o: ../../include/openssl/objects.h pmeth_lib.o: ../../include/openssl/opensslconf.h pmeth_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -pmeth_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h -pmeth_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -pmeth_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -pmeth_lib.o: ../../include/openssl/x509_vfy.h ../include/internal/asn1_int.h -pmeth_lib.o: ../include/internal/cryptlib.h ../include/internal/evp_int.h -pmeth_lib.o: pmeth_lib.c +pmeth_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +pmeth_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +pmeth_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +pmeth_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +pmeth_lib.o: ../include/internal/asn1_int.h ../include/internal/cryptlib.h +pmeth_lib.o: ../include/internal/evp_int.h pmeth_lib.c scrypt.o: ../../include/internal/numbers.h ../../include/openssl/asn1.h scrypt.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h scrypt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index ac0767c..72a8c1a 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -60,8 +60,13 @@ #include #include #include "internal/cryptlib.h" -#include +#include +#include +#include #include +#include +#include +#include #ifndef OPENSSL_NO_ENGINE # include #endif @@ -71,11 +76,7 @@ typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); DECLARE_STACK_OF(EVP_PKEY_METHOD) -STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; - -extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; -extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; -extern const EVP_PKEY_METHOD dhx_pkey_meth; +static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; static const EVP_PKEY_METHOD *standard_methods[] = { #ifndef OPENSSL_NO_RSA diff --git a/crypto/include/internal/asn1_int.h b/crypto/include/internal/asn1_int.h index 9e74f47..966f3aa 100644 --- a/crypto/include/internal/asn1_int.h +++ b/crypto/include/internal/asn1_int.h @@ -104,6 +104,14 @@ struct evp_pkey_asn1_method_st { ASN1_BIT_STRING *sig); } /* EVP_PKEY_ASN1_METHOD */ ; +extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; +extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[]; + /* * These are used internally in the ASN1_OBJECT to keep track of whether the * names and data need to be free()ed diff --git a/crypto/ocsp/Makefile b/crypto/ocsp/Makefile index ea5f728..20437cc 100644 --- a/crypto/ocsp/Makefile +++ b/crypto/ocsp/Makefile @@ -214,4 +214,4 @@ v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_ocsp.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_ocsp.o: ocsp_lcl.h v3_ocsp.c +v3_ocsp.o: ../x509v3/ext_dat.h ocsp_lcl.h v3_ocsp.c diff --git a/crypto/ocsp/v3_ocsp.c b/crypto/ocsp/v3_ocsp.c index 30ed7d5..ab8c437 100644 --- a/crypto/ocsp/v3_ocsp.c +++ b/crypto/ocsp/v3_ocsp.c @@ -64,6 +64,7 @@ # include # include "ocsp_lcl.h" # include +# include "../x509v3/ext_dat.h" /* * OCSP extensions and a couple of CRL entry extensions diff --git a/crypto/sec_mem.c b/crypto/sec_mem.c index fbed8b4..b7a9d3b 100644 --- a/crypto/sec_mem.c +++ b/crypto/sec_mem.c @@ -31,7 +31,7 @@ #endif #ifdef IMPLEMENTED -size_t secure_mem_used; +static size_t secure_mem_used; static int secure_mem_initialized; static int too_late; diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index f4884a2..59cc8b2 100644 --- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -64,7 +64,7 @@ ASN1_SEQUENCE(TS_MSG_IMPRINT) = { ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR), ASN1_SIMPLE(TS_MSG_IMPRINT, hashed_msg, ASN1_OCTET_STRING) -} ASN1_SEQUENCE_END(TS_MSG_IMPRINT) +} static_ASN1_SEQUENCE_END(TS_MSG_IMPRINT) IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT) IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT) @@ -98,7 +98,7 @@ ASN1_SEQUENCE(TS_REQ) = { ASN1_OPT(TS_REQ, nonce, ASN1_INTEGER), ASN1_OPT(TS_REQ, cert_req, ASN1_FBOOLEAN), ASN1_IMP_SEQUENCE_OF_OPT(TS_REQ, extensions, X509_EXTENSION, 0) -} ASN1_SEQUENCE_END(TS_REQ) +} static_ASN1_SEQUENCE_END(TS_REQ) IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ) IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ) @@ -127,7 +127,7 @@ ASN1_SEQUENCE(TS_ACCURACY) = { ASN1_OPT(TS_ACCURACY, seconds, ASN1_INTEGER), ASN1_IMP_OPT(TS_ACCURACY, millis, ASN1_INTEGER, 0), ASN1_IMP_OPT(TS_ACCURACY, micros, ASN1_INTEGER, 1) -} ASN1_SEQUENCE_END(TS_ACCURACY) +} static_ASN1_SEQUENCE_END(TS_ACCURACY) IMPLEMENT_ASN1_FUNCTIONS_const(TS_ACCURACY) IMPLEMENT_ASN1_DUP_FUNCTION(TS_ACCURACY) @@ -143,7 +143,7 @@ ASN1_SEQUENCE(TS_TST_INFO) = { ASN1_OPT(TS_TST_INFO, nonce, ASN1_INTEGER), ASN1_EXP_OPT(TS_TST_INFO, tsa, GENERAL_NAME, 0), ASN1_IMP_SEQUENCE_OF_OPT(TS_TST_INFO, extensions, X509_EXTENSION, 1) -} ASN1_SEQUENCE_END(TS_TST_INFO) +} static_ASN1_SEQUENCE_END(TS_TST_INFO) IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO) IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO) @@ -174,7 +174,7 @@ ASN1_SEQUENCE(TS_STATUS_INFO) = { ASN1_SIMPLE(TS_STATUS_INFO, status, ASN1_INTEGER), ASN1_SEQUENCE_OF_OPT(TS_STATUS_INFO, text, ASN1_UTF8STRING), ASN1_OPT(TS_STATUS_INFO, failure_info, ASN1_BIT_STRING) -} ASN1_SEQUENCE_END(TS_STATUS_INFO) +} static_ASN1_SEQUENCE_END(TS_STATUS_INFO) IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO) IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO) @@ -223,7 +223,7 @@ static int ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, ASN1_SEQUENCE_cb(TS_RESP, ts_resp_cb) = { ASN1_SIMPLE(TS_RESP, status_info, TS_STATUS_INFO), ASN1_OPT(TS_RESP, token, PKCS7), -} ASN1_SEQUENCE_END_cb(TS_RESP, TS_RESP) +} static_ASN1_SEQUENCE_END_cb(TS_RESP, TS_RESP) IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP) @@ -253,7 +253,7 @@ int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a) ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME), ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER) -} ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL) +} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) @@ -261,7 +261,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) ASN1_SEQUENCE(ESS_CERT_ID) = { ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING), ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL) -} ASN1_SEQUENCE_END(ESS_CERT_ID) +} static_ASN1_SEQUENCE_END(ESS_CERT_ID) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID) @@ -269,7 +269,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID) ASN1_SEQUENCE(ESS_SIGNING_CERT) = { ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID), ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO) -} ASN1_SEQUENCE_END(ESS_SIGNING_CERT) +} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index bd6c3c8..f55e235 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -99,7 +99,7 @@ static void free_dir(X509_LOOKUP *lu); static int add_cert_dir(BY_DIR *ctx, const char *dir, int type); static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, X509_OBJECT *ret); -X509_LOOKUP_METHOD x509_dir_lookup = { +static X509_LOOKUP_METHOD x509_dir_lookup = { "Load certs from files in a directory", new_dir, /* new */ free_dir, /* free */ diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 9b06b34..6fbffe1 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -70,7 +70,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); -X509_LOOKUP_METHOD x509_file_lookup = { +static X509_LOOKUP_METHOD x509_file_lookup = { "Load file into cache", NULL, /* new */ NULL, /* free */ diff --git a/crypto/x509/x_name.c b/crypto/x509/x_name.c index 9bf1523..4c8d57b 100644 --- a/crypto/x509/x_name.c +++ b/crypto/x509/x_name.c @@ -102,11 +102,11 @@ IMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME_ENTRY) ASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0, RDNS, X509_NAME_ENTRY) -ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES) +static_ASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES) ASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES) -ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) +static_ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) /* * Normally that's where it would end: we'd have two nested STACK structures @@ -115,7 +115,7 @@ ASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL) * convert to the external form. */ -const ASN1_EXTERN_FUNCS x509_name_ff = { +static const ASN1_EXTERN_FUNCS x509_name_ff = { NULL, x509_name_ex_new, x509_name_ex_free, diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index 5c47467..a80ec98 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile @@ -168,7 +168,7 @@ v3_addr.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_addr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_addr.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_addr.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_addr.o: v3_addr.c +v3_addr.o: ext_dat.h v3_addr.c v3_akey.o: ../../e_os.h ../../include/openssl/asn1.h v3_akey.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_akey.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -183,7 +183,7 @@ v3_akey.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_akey.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_akey.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_akey.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_akey.o: v3_akey.c +v3_akey.o: ext_dat.h v3_akey.c v3_akeya.o: ../../e_os.h ../../include/openssl/asn1.h v3_akeya.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_akeya.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -212,7 +212,7 @@ v3_alt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_alt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_alt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_alt.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_alt.o: v3_alt.c +v3_alt.o: ext_dat.h v3_alt.c v3_asid.o: ../../e_os.h ../../include/openssl/asn1.h v3_asid.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_asid.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h @@ -227,7 +227,7 @@ v3_asid.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_asid.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_asid.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_asid.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_asid.o: ../include/internal/cryptlib.h v3_asid.c +v3_asid.o: ../include/internal/cryptlib.h ext_dat.h v3_asid.c v3_bcons.o: ../../e_os.h ../../include/openssl/asn1.h v3_bcons.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_bcons.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -242,7 +242,7 @@ v3_bcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_bcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_bcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_bcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_bcons.o: ../include/internal/cryptlib.h v3_bcons.c +v3_bcons.o: ../include/internal/cryptlib.h ext_dat.h v3_bcons.c v3_bitst.o: ../../e_os.h ../../include/openssl/asn1.h v3_bitst.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_bitst.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -256,7 +256,7 @@ v3_bitst.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_bitst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_bitst.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_bitst.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_bitst.o: ../include/internal/cryptlib.h v3_bitst.c +v3_bitst.o: ../include/internal/cryptlib.h ext_dat.h v3_bitst.c v3_conf.o: ../../e_os.h ../../include/openssl/asn1.h v3_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -286,7 +286,7 @@ v3_cpols.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_cpols.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_cpols.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_cpols.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_cpols.o: ../include/internal/cryptlib.h pcy_int.h v3_cpols.c +v3_cpols.o: ../include/internal/cryptlib.h ext_dat.h pcy_int.h v3_cpols.c v3_crld.o: ../../e_os.h ../../include/openssl/asn1.h v3_crld.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_crld.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -301,7 +301,7 @@ v3_crld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_crld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_crld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_crld.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_crld.o: ../include/internal/x509_int.h v3_crld.c +v3_crld.o: ../include/internal/x509_int.h ext_dat.h v3_crld.c v3_enum.o: ../../e_os.h ../../include/openssl/asn1.h v3_enum.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_enum.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -315,7 +315,7 @@ v3_enum.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_enum.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_enum.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_enum.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_enum.o: ../include/internal/cryptlib.h v3_enum.c +v3_enum.o: ../include/internal/cryptlib.h ext_dat.h v3_enum.c v3_extku.o: ../../e_os.h ../../include/openssl/asn1.h v3_extku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_extku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -330,7 +330,7 @@ v3_extku.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_extku.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_extku.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_extku.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_extku.o: ../include/internal/cryptlib.h v3_extku.c +v3_extku.o: ../include/internal/cryptlib.h ext_dat.h v3_extku.c v3_genn.o: ../../e_os.h ../../include/openssl/asn1.h v3_genn.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_genn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -359,7 +359,7 @@ v3_ia5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_ia5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_ia5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_ia5.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_ia5.o: v3_ia5.c +v3_ia5.o: ext_dat.h v3_ia5.c v3_info.o: ../../e_os.h ../../include/openssl/asn1.h v3_info.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_info.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -374,7 +374,7 @@ v3_info.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_info.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_info.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_info.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_info.o: v3_info.c +v3_info.o: ext_dat.h v3_info.c v3_int.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_int.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h v3_int.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -388,7 +388,7 @@ v3_int.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_int.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_int.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_int.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_int.o: v3_int.c +v3_int.o: ext_dat.h v3_int.c v3_lib.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_lib.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h v3_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -418,7 +418,7 @@ v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_ncons.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h -v3_ncons.o: v3_ncons.c +v3_ncons.o: ext_dat.h v3_ncons.c v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -432,7 +432,7 @@ v3_pci.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_pci.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_pci.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_pci.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_pci.o: v3_pci.c +v3_pci.o: ext_dat.h v3_pci.c v3_pcia.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h v3_pcia.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_pcia.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -460,7 +460,7 @@ v3_pcons.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_pcons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_pcons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_pcons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_pcons.o: ../include/internal/cryptlib.h v3_pcons.c +v3_pcons.o: ../include/internal/cryptlib.h ext_dat.h v3_pcons.c v3_pku.o: ../../e_os.h ../../include/openssl/asn1.h v3_pku.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pku.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -475,7 +475,7 @@ v3_pku.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h v3_pku.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h v3_pku.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h v3_pku.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -v3_pku.o: v3_pku.c +v3_pku.o: ext_dat.h v3_pku.c v3_pmaps.o: ../../e_os.h ../../include/openssl/asn1.h v3_pmaps.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_pmaps.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -490,7 +490,7 @@ v3_pmaps.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_pmaps.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_pmaps.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_pmaps.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_pmaps.o: ../include/internal/cryptlib.h v3_pmaps.c +v3_pmaps.o: ../include/internal/cryptlib.h ext_dat.h v3_pmaps.c v3_prn.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h v3_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -533,7 +533,7 @@ v3_scts.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_scts.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_scts.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_scts.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_scts.o: ../include/internal/cryptlib.h v3_scts.c +v3_scts.o: ../include/internal/cryptlib.h ext_dat.h v3_scts.c v3_skey.o: ../../e_os.h ../../include/openssl/asn1.h v3_skey.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h v3_skey.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -548,7 +548,7 @@ v3_skey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_skey.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_skey.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_skey.o: ../include/internal/cryptlib.h ../include/internal/x509_int.h -v3_skey.o: v3_skey.c +v3_skey.o: ext_dat.h v3_skey.c v3_sxnet.o: ../../e_os.h ../../include/openssl/asn1.h v3_sxnet.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h v3_sxnet.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -563,7 +563,7 @@ v3_sxnet.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h v3_sxnet.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_sxnet.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_sxnet.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -v3_sxnet.o: ../include/internal/cryptlib.h v3_sxnet.c +v3_sxnet.o: ../include/internal/cryptlib.h ext_dat.h v3_sxnet.c v3_utl.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_utl.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h v3_utl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 76be621..0e93d82 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -58,18 +58,18 @@ */ /* This file contains a table of "standard" extensions */ -extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; -extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; -extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; -extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; -extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; -extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; -extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern X509V3_EXT_METHOD v3_addr, v3_asid; -extern X509V3_EXT_METHOD v3_ct_scts[]; +extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; +extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; +extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; +extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; +extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; +extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; +extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; +extern const X509V3_EXT_METHOD v3_crl_hold, v3_pci; +extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; +extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; +extern const X509V3_EXT_METHOD v3_addr, v3_asid; +extern const X509V3_EXT_METHOD v3_ct_scts[]; /* * This table will be searched using OBJ_bsearch so it *must* kept in order diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c index c1c38a0..ff6fb32 100644 --- a/crypto/x509v3/v3_addr.c +++ b/crypto/x509v3/v3_addr.c @@ -68,6 +68,7 @@ #include #include #include +#include "ext_dat.h" #ifndef OPENSSL_NO_RFC3779 @@ -98,7 +99,7 @@ ASN1_SEQUENCE(IPAddressFamily) = { ASN1_ITEM_TEMPLATE(IPAddrBlocks) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, IPAddrBlocks, IPAddressFamily) -ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) +static_ASN1_ITEM_TEMPLATE_END(IPAddrBlocks) IMPLEMENT_ASN1_FUNCTIONS(IPAddressRange) IMPLEMENT_ASN1_FUNCTIONS(IPAddressOrRange) diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509v3/v3_akey.c index abad217..1aa6268 100644 --- a/crypto/x509v3/v3_akey.c +++ b/crypto/x509v3/v3_akey.c @@ -63,6 +63,7 @@ #include #include #include +#include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509v3/v3_alt.c index b3c3644..08614ea 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509v3/v3_alt.c @@ -61,6 +61,7 @@ #include "internal/cryptlib.h" #include #include +#include "ext_dat.h" static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c index d40279a..e1cde64 100644 --- a/crypto/x509v3/v3_asid.c +++ b/crypto/x509v3/v3_asid.c @@ -68,6 +68,7 @@ #include #include #include +#include "ext_dat.h" #ifndef OPENSSL_NO_RFC3779 diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509v3/v3_bcons.c index d49a010..53a8565 100644 --- a/crypto/x509v3/v3_bcons.c +++ b/crypto/x509v3/v3_bcons.c @@ -63,6 +63,7 @@ #include #include #include +#include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509v3/v3_bitst.c index b2f6392..e0787fd 100644 --- a/crypto/x509v3/v3_bitst.c +++ b/crypto/x509v3/v3_bitst.c @@ -61,6 +61,7 @@ #include "internal/cryptlib.h" #include #include +#include "ext_dat.h" static BIT_STRING_BITNAME ns_cert_type_table[] = { {0, "SSL Client", "client"}, diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c index a326876..9331a49 100644 --- a/crypto/x509v3/v3_cpols.c +++ b/crypto/x509v3/v3_cpols.c @@ -65,6 +65,7 @@ #include #include "pcy_int.h" +#include "ext_dat.h" /* Certificate policies extension support: this one is a bit complex... */ diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509v3/v3_crld.c index 9b0d21f..49d282e 100644 --- a/crypto/x509v3/v3_crld.c +++ b/crypto/x509v3/v3_crld.c @@ -65,6 +65,7 @@ #include #include "internal/x509_int.h" +#include "ext_dat.h" static void *v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509v3/v3_enum.c index 774eb34..d2f895d 100644 --- a/crypto/x509v3/v3_enum.c +++ b/crypto/x509v3/v3_enum.c @@ -60,6 +60,7 @@ #include #include "internal/cryptlib.h" #include +#include "ext_dat.h" static ENUMERATED_NAMES crl_reasons[] = { {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"}, diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509v3/v3_extku.c index d5da551..fddcdff 100644 --- a/crypto/x509v3/v3_extku.c +++ b/crypto/x509v3/v3_extku.c @@ -62,6 +62,7 @@ #include #include #include +#include "ext_dat.h" static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509v3/v3_ia5.c index ca15447..ed94a3e 100644 --- a/crypto/x509v3/v3_ia5.c +++ b/crypto/x509v3/v3_ia5.c @@ -62,6 +62,7 @@ #include #include #include +#include "ext_dat.h" const X509V3_EXT_METHOD v3_ns_ia5_list[] = { EXT_IA5STRING(NID_netscape_base_url), diff --git a/crypto/x509v3/v3_info.c b/crypto/x509v3/v3_info.c index 277609e..d1a2455 100644 --- a/crypto/x509v3/v3_info.c +++ b/crypto/x509v3/v3_info.c @@ -63,6 +63,7 @@ #include #include #include +#include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS diff --git a/crypto/x509v3/v3_int.c b/crypto/x509v3/v3_int.c index 9895ac5..2cab28c 100644 --- a/crypto/x509v3/v3_int.c +++ b/crypto/x509v3/v3_int.c @@ -60,6 +60,7 @@ #include #include "internal/cryptlib.h" #include +#include "ext_dat.h" const X509V3_EXT_METHOD v3_crl_num = { NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER), diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c index 315bd3c..3fe20cc 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509v3/v3_ncons.c @@ -64,6 +64,7 @@ #include #include "internal/x509_int.h" +#include "ext_dat.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509v3/v3_pci.c index ef105dc..ad49724 100644 --- a/crypto/x509v3/v3_pci.c +++ b/crypto/x509v3/v3_pci.c @@ -39,6 +39,7 @@ #include "internal/cryptlib.h" #include #include +#include "ext_dat.h" static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, BIO *out, int indent); diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509v3/v3_pcons.c index e170b80..18de9e8 100644 --- a/crypto/x509v3/v3_pcons.c +++ b/crypto/x509v3/v3_pcons.c @@ -63,6 +63,7 @@ #include #include #include +#include "ext_dat.h" static STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons, STACK_OF(CONF_VALUE) diff --git a/crypto/x509v3/v3_pku.c b/crypto/x509v3/v3_pku.c index 5056fb3..5b048a3 100644 --- a/crypto/x509v3/v3_pku.c +++ b/crypto/x509v3/v3_pku.c @@ -62,6 +62,7 @@ #include #include #include +#include "ext_dat.h" static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509v3/v3_pmaps.c index b862e3e..bd80a12 100644 --- a/crypto/x509v3/v3_pmaps.c +++ b/crypto/x509v3/v3_pmaps.c @@ -62,6 +62,7 @@ #include #include #include +#include "ext_dat.h" static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); diff --git a/crypto/x509v3/v3_scts.c b/crypto/x509v3/v3_scts.c index 0ffdfb8..f93fdfc 100644 --- a/crypto/x509v3/v3_scts.c +++ b/crypto/x509v3/v3_scts.c @@ -60,6 +60,7 @@ #include "internal/cryptlib.h" #include #include +#include "ext_dat.h" #ifndef OPENSSL_NO_SCT /* Signature and hash algorithms from RFC 5246 */ diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509v3/v3_skey.c index a1167cc..4b55fd8 100644 --- a/crypto/x509v3/v3_skey.c +++ b/crypto/x509v3/v3_skey.c @@ -61,6 +61,7 @@ #include "internal/cryptlib.h" #include #include "internal/x509_int.h" +#include "ext_dat.h" static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509v3/v3_sxnet.c index 13d7286..941566b 100644 --- a/crypto/x509v3/v3_sxnet.c +++ b/crypto/x509v3/v3_sxnet.c @@ -63,6 +63,7 @@ #include #include #include +#include "ext_dat.h" /* Support for Thawte strong extranet extension */ diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h index dfd9dac..6467e4a 100644 --- a/include/openssl/asn1t.h +++ b/include/openssl/asn1t.h @@ -84,7 +84,10 @@ extern "C" { # define ASN1_ITEM_start(itname) \ OPENSSL_GLOBAL const ASN1_ITEM itname##_it = { -# define ASN1_ITEM_end(itname) \ +# define static_ASN1_ITEM_start(itname) \ + static const ASN1_ITEM itname##_it = { + +# define ASN1_ITEM_end(itname) \ }; # else @@ -122,6 +125,17 @@ extern "C" { 0,\ #tname \ ASN1_ITEM_end(tname) +# define static_ASN1_ITEM_TEMPLATE_END(tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_PRIMITIVE,\ + -1,\ + &tname##_item_tt,\ + 0,\ + NULL,\ + 0,\ + #tname \ + ASN1_ITEM_end(tname) /* This is a ASN1 type which just embeds a template */ @@ -151,6 +165,8 @@ extern "C" { # define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname) +# define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname) + # define ASN1_SEQUENCE_END_name(stname, tname) \ ;\ ASN1_ITEM_start(tname) \ @@ -163,6 +179,18 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +# define static_ASN1_SEQUENCE_END_name(stname, tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) + # define ASN1_NDEF_SEQUENCE(tname) \ ASN1_SEQUENCE(tname) @@ -196,12 +224,26 @@ extern "C" { sizeof(tname),\ #tname \ ASN1_ITEM_end(tname) +# define static_ASN1_NDEF_SEQUENCE_END(tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(tname),\ + #tname \ + ASN1_ITEM_end(tname) # define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname) +# define static_ASN1_BROKEN_SEQUENCE_END(stname) \ + static_ASN1_SEQUENCE_END_ref(stname, stname) # define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) # define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) +# define static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname) # define ASN1_SEQUENCE_END_ref(stname, tname) \ ;\ @@ -214,6 +256,17 @@ extern "C" { sizeof(stname),\ #stname \ ASN1_ITEM_end(tname) +# define static_ASN1_SEQUENCE_END_ref(stname, tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + &tname##_aux,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) # define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \ ;\ @@ -259,8 +312,12 @@ extern "C" { # define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) +# define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname) + # define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type) +# define static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type) + # define ASN1_CHOICE_END_selector(stname, tname, selname) \ ;\ ASN1_ITEM_start(tname) \ @@ -273,6 +330,18 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +# define static_ASN1_CHOICE_END_selector(stname, tname, selname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_CHOICE,\ + offsetof(stname,selname) ,\ + tname##_ch_tt,\ + sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) + # define ASN1_CHOICE_END_cb(stname, tname, selname) \ ;\ ASN1_ITEM_start(tname) \ diff --git a/include/openssl/cmac.h b/include/openssl/cmac.h index 175be83..cc729c4 100644 --- a/include/openssl/cmac.h +++ b/include/openssl/cmac.h @@ -76,6 +76,8 @@ int CMAC_Update(CMAC_CTX *ctx, const void *data, size_t dlen); int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen); int CMAC_resume(CMAC_CTX *ctx); +extern const EVP_PKEY_METHOD cmac_pkey_meth; + #ifdef __cplusplus } #endif diff --git a/include/openssl/dh.h b/include/openssl/dh.h index f5b03d3..6e928ed 100644 --- a/include/openssl/dh.h +++ b/include/openssl/dh.h @@ -342,6 +342,20 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, # define EVP_PKEY_DH_KDF_X9_42 2 # endif +extern const EVP_PKEY_METHOD dh_pkey_meth; +extern const EVP_PKEY_METHOD dhx_pkey_meth; + +#define declare_dh_bn(x) \ + const extern BIGNUM _bignum_dh##x##_p;\ + const extern BIGNUM _bignum_dh##x##_g;\ + const extern BIGNUM _bignum_dh##x##_q; + +declare_dh_bn(1024_160) +declare_dh_bn(2048_224) +declare_dh_bn(2048_256) + +#undef declare_dh_bn + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 8fd5596..589216e 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h @@ -276,6 +276,8 @@ DH *DSA_dup_DH(const DSA *r); # define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2) # define EVP_PKEY_CTRL_DSA_PARAMGEN_MD (EVP_PKEY_ALG_CTRL + 3) +extern const EVP_PKEY_METHOD dsa_pkey_meth; + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 6ea4e41..c3cd8ed 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -1067,6 +1067,8 @@ int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); # define EVP_PKEY_ECDH_KDF_NONE 1 # define EVP_PKEY_ECDH_KDF_X9_62 2 +extern const EVP_PKEY_METHOD ec_pkey_meth; + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/include/openssl/hmac.h b/include/openssl/hmac.h index 81aa49d..d7ecf54 100644 --- a/include/openssl/hmac.h +++ b/include/openssl/hmac.h @@ -104,6 +104,8 @@ __owur int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); +extern const EVP_PKEY_METHOD hmac_pkey_meth; + #ifdef __cplusplus } #endif diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 9abb2a1..536a78e 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -508,6 +508,8 @@ RSA *RSAPrivateKey_dup(RSA *rsa); */ # define RSA_FLAG_CHECKED 0x0800 +extern const EVP_PKEY_METHOD rsa_pkey_meth; + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 10f8041..1334eb6 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1884,6 +1884,8 @@ __owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx); __owur const struct openssl_ssl_test_functions *SSL_test_functions(void); # endif +extern const char SSL_version_str[]; + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/ssl/Makefile b/ssl/Makefile index b8ae9c3..760ceae 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -256,71 +256,121 @@ d1_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h d1_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h d1_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h d1_srvr.c d1_srvr.o: packet_locl.h record/record.h ssl_locl.h -dtls1_bitmap.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -dtls1_bitmap.o: ../include/openssl/bn.h ../include/openssl/buffer.h -dtls1_bitmap.o: ../include/openssl/comp.h ../include/openssl/crypto.h -dtls1_bitmap.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -dtls1_bitmap.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -dtls1_bitmap.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -dtls1_bitmap.o: ../include/openssl/err.h ../include/openssl/evp.h -dtls1_bitmap.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -dtls1_bitmap.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -dtls1_bitmap.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -dtls1_bitmap.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -dtls1_bitmap.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -dtls1_bitmap.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -dtls1_bitmap.o: ../include/openssl/safestack.h ../include/openssl/sha.h -dtls1_bitmap.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -dtls1_bitmap.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h -dtls1_bitmap.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -dtls1_bitmap.o: ../include/openssl/tls1.h ../include/openssl/x509.h -dtls1_bitmap.o: ../include/openssl/x509_vfy.h dtls1_bitmap.c -dtls1_bitmap.o: record/../packet_locl.h record/../record/record.h -dtls1_bitmap.o: record/../ssl_locl.h record/dtls1_bitmap.c record/record_locl.h -rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -rec_layer_d1.o: ../include/openssl/bn.h ../include/openssl/buffer.h -rec_layer_d1.o: ../include/openssl/comp.h ../include/openssl/crypto.h -rec_layer_d1.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -rec_layer_d1.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -rec_layer_d1.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -rec_layer_d1.o: ../include/openssl/err.h ../include/openssl/evp.h -rec_layer_d1.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -rec_layer_d1.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -rec_layer_d1.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -rec_layer_d1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -rec_layer_d1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -rec_layer_d1.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -rec_layer_d1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rec_layer_d1.o: ../include/openssl/sha.h ../include/openssl/srtp.h -rec_layer_d1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -rec_layer_d1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -rec_layer_d1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -rec_layer_d1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rec_layer_d1.o: rec_layer_d1.c record/../packet_locl.h -rec_layer_d1.o: record/../record/record.h record/../ssl_locl.h -rec_layer_d1.o: record/rec_layer_d1.c record/record_locl.h -rec_layer_s3.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -rec_layer_s3.o: ../include/openssl/bn.h ../include/openssl/buffer.h -rec_layer_s3.o: ../include/openssl/comp.h ../include/openssl/crypto.h -rec_layer_s3.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -rec_layer_s3.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -rec_layer_s3.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -rec_layer_s3.o: ../include/openssl/err.h ../include/openssl/evp.h -rec_layer_s3.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -rec_layer_s3.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -rec_layer_s3.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -rec_layer_s3.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -rec_layer_s3.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -rec_layer_s3.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -rec_layer_s3.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -rec_layer_s3.o: ../include/openssl/sha.h ../include/openssl/srtp.h -rec_layer_s3.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -rec_layer_s3.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -rec_layer_s3.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -rec_layer_s3.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -rec_layer_s3.o: rec_layer_s3.c record/../packet_locl.h -rec_layer_s3.o: record/../record/record.h record/../ssl_locl.h -rec_layer_s3.o: record/rec_layer_s3.c record/record_locl.h +record/dtls1_bitmap.o: ../e_os.h ../include/openssl/asn1.h +record/dtls1_bitmap.o: ../include/openssl/bio.h ../include/openssl/bn.h +record/dtls1_bitmap.o: ../include/openssl/buffer.h ../include/openssl/comp.h +record/dtls1_bitmap.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +record/dtls1_bitmap.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +record/dtls1_bitmap.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +record/dtls1_bitmap.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +record/dtls1_bitmap.o: ../include/openssl/evp.h ../include/openssl/hmac.h +record/dtls1_bitmap.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +record/dtls1_bitmap.o: ../include/openssl/objects.h +record/dtls1_bitmap.o: ../include/openssl/opensslconf.h +record/dtls1_bitmap.o: ../include/openssl/opensslv.h +record/dtls1_bitmap.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +record/dtls1_bitmap.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +record/dtls1_bitmap.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +record/dtls1_bitmap.o: ../include/openssl/safestack.h ../include/openssl/sha.h +record/dtls1_bitmap.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +record/dtls1_bitmap.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h +record/dtls1_bitmap.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +record/dtls1_bitmap.o: ../include/openssl/tls1.h ../include/openssl/x509.h +record/dtls1_bitmap.o: ../include/openssl/x509_vfy.h packet_locl.h +record/dtls1_bitmap.o: record/dtls1_bitmap.c record/record.h +record/dtls1_bitmap.o: record/record_locl.h ssl_locl.h +record/rec_layer_d1.o: ../e_os.h ../include/openssl/asn1.h +record/rec_layer_d1.o: ../include/openssl/bio.h ../include/openssl/bn.h +record/rec_layer_d1.o: ../include/openssl/buffer.h ../include/openssl/comp.h +record/rec_layer_d1.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +record/rec_layer_d1.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +record/rec_layer_d1.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +record/rec_layer_d1.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +record/rec_layer_d1.o: ../include/openssl/evp.h ../include/openssl/hmac.h +record/rec_layer_d1.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +record/rec_layer_d1.o: ../include/openssl/objects.h +record/rec_layer_d1.o: ../include/openssl/opensslconf.h +record/rec_layer_d1.o: ../include/openssl/opensslv.h +record/rec_layer_d1.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +record/rec_layer_d1.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +record/rec_layer_d1.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +record/rec_layer_d1.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +record/rec_layer_d1.o: ../include/openssl/sha.h ../include/openssl/srtp.h +record/rec_layer_d1.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +record/rec_layer_d1.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +record/rec_layer_d1.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +record/rec_layer_d1.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +record/rec_layer_d1.o: packet_locl.h record/rec_layer_d1.c record/record.h +record/rec_layer_d1.o: record/record_locl.h ssl_locl.h +record/rec_layer_s3.o: ../e_os.h ../include/openssl/asn1.h +record/rec_layer_s3.o: ../include/openssl/bio.h ../include/openssl/bn.h +record/rec_layer_s3.o: ../include/openssl/buffer.h ../include/openssl/comp.h +record/rec_layer_s3.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +record/rec_layer_s3.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +record/rec_layer_s3.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +record/rec_layer_s3.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +record/rec_layer_s3.o: ../include/openssl/evp.h ../include/openssl/hmac.h +record/rec_layer_s3.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +record/rec_layer_s3.o: ../include/openssl/objects.h +record/rec_layer_s3.o: ../include/openssl/opensslconf.h +record/rec_layer_s3.o: ../include/openssl/opensslv.h +record/rec_layer_s3.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +record/rec_layer_s3.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +record/rec_layer_s3.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +record/rec_layer_s3.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +record/rec_layer_s3.o: ../include/openssl/sha.h ../include/openssl/srtp.h +record/rec_layer_s3.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +record/rec_layer_s3.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +record/rec_layer_s3.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +record/rec_layer_s3.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +record/rec_layer_s3.o: packet_locl.h record/rec_layer_s3.c record/record.h +record/rec_layer_s3.o: record/record_locl.h ssl_locl.h +record/ssl3_buffer.o: ../e_os.h ../include/openssl/asn1.h +record/ssl3_buffer.o: ../include/openssl/bio.h ../include/openssl/bn.h +record/ssl3_buffer.o: ../include/openssl/buffer.h ../include/openssl/comp.h +record/ssl3_buffer.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +record/ssl3_buffer.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +record/ssl3_buffer.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +record/ssl3_buffer.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +record/ssl3_buffer.o: ../include/openssl/evp.h ../include/openssl/hmac.h +record/ssl3_buffer.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +record/ssl3_buffer.o: ../include/openssl/objects.h +record/ssl3_buffer.o: ../include/openssl/opensslconf.h +record/ssl3_buffer.o: ../include/openssl/opensslv.h +record/ssl3_buffer.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +record/ssl3_buffer.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +record/ssl3_buffer.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h +record/ssl3_buffer.o: ../include/openssl/safestack.h ../include/openssl/sha.h +record/ssl3_buffer.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +record/ssl3_buffer.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h +record/ssl3_buffer.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +record/ssl3_buffer.o: ../include/openssl/tls1.h ../include/openssl/x509.h +record/ssl3_buffer.o: ../include/openssl/x509_vfy.h packet_locl.h +record/ssl3_buffer.o: record/record.h record/record_locl.h record/ssl3_buffer.c +record/ssl3_buffer.o: ssl_locl.h +record/ssl3_record.o: ../e_os.h ../include/internal/constant_time_locl.h +record/ssl3_record.o: ../include/openssl/asn1.h ../include/openssl/bio.h +record/ssl3_record.o: ../include/openssl/bn.h ../include/openssl/buffer.h +record/ssl3_record.o: ../include/openssl/comp.h ../include/openssl/crypto.h +record/ssl3_record.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +record/ssl3_record.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +record/ssl3_record.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +record/ssl3_record.o: ../include/openssl/err.h ../include/openssl/evp.h +record/ssl3_record.o: ../include/openssl/hmac.h ../include/openssl/lhash.h +record/ssl3_record.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +record/ssl3_record.o: ../include/openssl/opensslconf.h +record/ssl3_record.o: ../include/openssl/opensslv.h +record/ssl3_record.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +record/ssl3_record.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +record/ssl3_record.o: ../include/openssl/pqueue.h ../include/openssl/rand.h +record/ssl3_record.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +record/ssl3_record.o: ../include/openssl/sha.h ../include/openssl/srtp.h +record/ssl3_record.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +record/ssl3_record.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +record/ssl3_record.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +record/ssl3_record.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +record/ssl3_record.o: packet_locl.h record/record.h record/record_locl.h +record/ssl3_record.o: record/ssl3_record.c ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_both.o: ../include/openssl/comp.h ../include/openssl/crypto.h @@ -467,50 +517,6 @@ s3_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s3_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s3_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s3_srvr.o: packet_locl.h record/record.h s3_srvr.c ssl_locl.h -ssl3_buffer.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -ssl3_buffer.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl3_buffer.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl3_buffer.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -ssl3_buffer.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ssl3_buffer.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ssl3_buffer.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl3_buffer.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -ssl3_buffer.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl3_buffer.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl3_buffer.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl3_buffer.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl3_buffer.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h -ssl3_buffer.o: ../include/openssl/safestack.h ../include/openssl/sha.h -ssl3_buffer.o: ../include/openssl/srtp.h ../include/openssl/ssl.h -ssl3_buffer.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h -ssl3_buffer.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -ssl3_buffer.o: ../include/openssl/tls1.h ../include/openssl/x509.h -ssl3_buffer.o: ../include/openssl/x509_vfy.h record/../packet_locl.h -ssl3_buffer.o: record/../record/record.h record/../ssl_locl.h -ssl3_buffer.o: record/record_locl.h record/ssl3_buffer.c ssl3_buffer.c -ssl3_record.o: ../e_os.h ../include/internal/constant_time_locl.h -ssl3_record.o: ../include/openssl/asn1.h ../include/openssl/bio.h -ssl3_record.o: ../include/openssl/bn.h ../include/openssl/buffer.h -ssl3_record.o: ../include/openssl/comp.h ../include/openssl/crypto.h -ssl3_record.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h -ssl3_record.o: ../include/openssl/e_os2.h ../include/openssl/ec.h -ssl3_record.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -ssl3_record.o: ../include/openssl/err.h ../include/openssl/evp.h -ssl3_record.o: ../include/openssl/hmac.h ../include/openssl/lhash.h -ssl3_record.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -ssl3_record.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -ssl3_record.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -ssl3_record.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -ssl3_record.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -ssl3_record.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -ssl3_record.o: ../include/openssl/sha.h ../include/openssl/srtp.h -ssl3_record.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -ssl3_record.o: ../include/openssl/ssl3.h ../include/openssl/stack.h -ssl3_record.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h -ssl3_record.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h -ssl3_record.o: record/../packet_locl.h record/../record/record.h -ssl3_record.o: record/../ssl_locl.h record/record_locl.h record/ssl3_record.c -ssl3_record.o: ssl3_record.c ssl_algs.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h ssl_algs.o: ../include/openssl/bn.h ../include/openssl/buffer.h ssl_algs.o: ../include/openssl/comp.h ../include/openssl/crypto.h diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 7b58518..1d11b21 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -138,7 +138,7 @@ ASN1_SEQUENCE(SSL_SESSION_ASN1) = { ASN1_EXP_OPT(SSL_SESSION_ASN1, srp_username, ASN1_OCTET_STRING, 12), #endif ASN1_EXP_OPT(SSL_SESSION_ASN1, flags, ZLONG, 13) -} ASN1_SEQUENCE_END(SSL_SESSION_ASN1) +} static_ASN1_SEQUENCE_END(SSL_SESSION_ASN1) IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(SSL_SESSION_ASN1) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c84ea15..c5d4a8e 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -159,7 +159,7 @@ # include #endif -const char *SSL_version_str = OPENSSL_VERSION_TEXT; +const char SSL_version_str[] = OPENSSL_VERSION_TEXT; SSL3_ENC_METHOD ssl3_undef_enc_method = { /* diff --git a/test/Makefile b/test/Makefile index 9ead38e..779d23a 100644 --- a/test/Makefile +++ b/test/Makefile @@ -414,8 +414,7 @@ clienthellotest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h clienthellotest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h clienthellotest.o: clienthellotest.c constant_time_test.o: ../e_os.h ../include/internal/constant_time_locl.h -constant_time_test.o: ../include/openssl/e_os2.h -constant_time_test.o: ../include/openssl/opensslconf.h constant_time_test.c +constant_time_test.o: constant_time_test.c destest.o: ../include/openssl/des.h ../include/openssl/e_os2.h destest.o: ../include/openssl/opensslconf.h destest.c dhtest.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/bn.h @@ -680,8 +679,7 @@ ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssltest.o: ../include/openssl/x509v3.h ../ssl/packet_locl.h ssltest.o: ../ssl/record/record.h ../ssl/ssl_locl.h ssltest.c -testutil.o: ../e_os.h ../include/openssl/e_os2.h -testutil.o: ../include/openssl/opensslconf.h testutil.c testutil.h +testutil.o: ../e_os.h testutil.c testutil.h v3nametest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h v3nametest.o: ../include/openssl/buffer.h ../include/openssl/conf.h v3nametest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h diff --git a/test/bntest.c b/test/bntest.c index be358c8..9caa2c9 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -83,9 +83,9 @@ #include "../crypto/bn/bn_lcl.h" -const int num0 = 100; /* number of tests */ -const int num1 = 50; /* additional tests for some functions */ -const int num2 = 5; /* number of tests for slow functions */ +static const int num0 = 100; /* number of tests */ +static const int num1 = 50; /* additional tests for some functions */ +static const int num2 = 5; /* number of tests for slow functions */ int test_add(BIO *bp); int test_sub(BIO *bp); diff --git a/test/ecdsatest.c b/test/ecdsatest.c index 2cf1725..9754869 100644 --- a/test/ecdsatest.c +++ b/test/ecdsatest.c @@ -107,8 +107,8 @@ int change_rand(void); int restore_rand(void); int fbytes(unsigned char *buf, int num); -RAND_METHOD fake_rand; -const RAND_METHOD *old_rand; +static RAND_METHOD fake_rand; +static const RAND_METHOD *old_rand; int change_rand(void) { diff --git a/test/gost2814789test.c b/test/gost2814789test.c index 953e1e1..56a8ae3 100644 --- a/test/gost2814789test.c +++ b/test/gost2814789test.c @@ -79,7 +79,7 @@ typedef struct g89_tc_ { */ } g89_tc; -const g89_tc tcs[] = { +static const g89_tc tcs[] = { /* * GOST R 34.11-94 Test cases */ diff --git a/test/ideatest.c b/test/ideatest.c index dd5d9ff..b522013 100644 --- a/test/ideatest.c +++ b/test/ideatest.c @@ -71,34 +71,34 @@ int main(int argc, char *argv[]) #else # include -unsigned char k[16] = { +static const unsigned char k[16] = { 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04, 0x00, 0x05, 0x00, 0x06, 0x00, 0x07, 0x00, 0x08 }; -unsigned char in[8] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03 }; -unsigned char c[8] = { 0x11, 0xFB, 0xED, 0x2B, 0x01, 0x98, 0x6D, 0xE5 }; +static const unsigned char in[8] = { 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03 }; +static const unsigned char c[8] = { 0x11, 0xFB, 0xED, 0x2B, 0x01, 0x98, 0x6D, 0xE5 }; -unsigned char out[80]; +static unsigned char out[80]; -char *text = "Hello to all people out there"; +static const char text[] = "Hello to all people out there"; -static unsigned char cfb_key[16] = { +static const unsigned char cfb_key[16] = { 0xe1, 0xf0, 0xc3, 0xd2, 0xa5, 0xb4, 0x87, 0x96, 0x69, 0x78, 0x4b, 0x5a, 0x2d, 0x3c, 0x0f, 0x1e, }; -static unsigned char cfb_iv[80] = +static const unsigned char cfb_iv[80] = { 0x34, 0x12, 0x78, 0x56, 0xab, 0x90, 0xef, 0xcd }; static unsigned char cfb_buf1[40], cfb_buf2[40], cfb_tmp[8]; # define CFB_TEST_SIZE 24 -static unsigned char plain[CFB_TEST_SIZE] = { +static const unsigned char plain[CFB_TEST_SIZE] = { 0x4e, 0x6f, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x61, 0x6c, 0x6c, 0x20 }; -static unsigned char cfb_cipher64[CFB_TEST_SIZE] = { +static const unsigned char cfb_cipher64[CFB_TEST_SIZE] = { 0x59, 0xD8, 0xE2, 0x65, 0x00, 0x58, 0x6C, 0x3F, 0x2C, 0x17, 0x25, 0xD0, 0x1A, 0x38, 0xB7, 0x2A, 0x39, 0x61, 0x37, 0xDC, 0x79, 0xFB, 0x9F, 0x45 @@ -107,7 +107,7 @@ static unsigned char cfb_cipher64[CFB_TEST_SIZE] = { 0x3D,0x1E,0xAE,0x47,0xFC,0xCF,0x29,0x0B,*/ }; -static int cfb64_test(unsigned char *cfb_cipher); +static int cfb64_test(const unsigned char *cfb_cipher); static char *pt(unsigned char *p); int main(int argc, char *argv[]) { @@ -175,7 +175,7 @@ int main(int argc, char *argv[]) EXIT(err); } -static int cfb64_test(unsigned char *cfb_cipher) +static int cfb64_test(const unsigned char *cfb_cipher) { IDEA_KEY_SCHEDULE eks, dks; int err = 0, i, n; diff --git a/test/sha256t.c b/test/sha256t.c index 0872f34..11f3684 100644 --- a/test/sha256t.c +++ b/test/sha256t.c @@ -10,42 +10,42 @@ #include #include -unsigned char app_b1[SHA256_DIGEST_LENGTH] = { +static const unsigned char app_b1[SHA256_DIGEST_LENGTH] = { 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad }; -unsigned char app_b2[SHA256_DIGEST_LENGTH] = { +static const unsigned char app_b2[SHA256_DIGEST_LENGTH] = { 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1 }; -unsigned char app_b3[SHA256_DIGEST_LENGTH] = { +static const unsigned char app_b3[SHA256_DIGEST_LENGTH] = { 0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0 }; -unsigned char addenum_1[SHA224_DIGEST_LENGTH] = { +static const unsigned char addenum_1[SHA224_DIGEST_LENGTH] = { 0x23, 0x09, 0x7d, 0x22, 0x34, 0x05, 0xd8, 0x22, 0x86, 0x42, 0xa4, 0x77, 0xbd, 0xa2, 0x55, 0xb3, 0x2a, 0xad, 0xbc, 0xe4, 0xbd, 0xa0, 0xb3, 0xf7, 0xe3, 0x6c, 0x9d, 0xa7 }; -unsigned char addenum_2[SHA224_DIGEST_LENGTH] = { +static const unsigned char addenum_2[SHA224_DIGEST_LENGTH] = { 0x75, 0x38, 0x8b, 0x16, 0x51, 0x27, 0x76, 0xcc, 0x5d, 0xba, 0x5d, 0xa1, 0xfd, 0x89, 0x01, 0x50, 0xb0, 0xc6, 0x45, 0x5c, 0xb4, 0xf5, 0x8b, 0x19, 0x52, 0x52, 0x25, 0x25 }; -unsigned char addenum_3[SHA224_DIGEST_LENGTH] = { +static const unsigned char addenum_3[SHA224_DIGEST_LENGTH] = { 0x20, 0x79, 0x46, 0x55, 0x98, 0x0c, 0x91, 0xd8, 0xbb, 0xb4, 0xc1, 0xea, 0x97, 0x61, 0x8a, 0x4b, 0xf0, 0x3f, 0x42, 0x58, 0x19, 0x48, 0xb2, 0xee, diff --git a/test/sha512t.c b/test/sha512t.c index a4d4b5e..f60d319 100644 --- a/test/sha512t.c +++ b/test/sha512t.c @@ -11,7 +11,7 @@ #include #include -unsigned char app_c1[SHA512_DIGEST_LENGTH] = { +static const unsigned char app_c1[SHA512_DIGEST_LENGTH] = { 0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, 0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31, 0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2, @@ -22,7 +22,7 @@ unsigned char app_c1[SHA512_DIGEST_LENGTH] = { 0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f }; -unsigned char app_c2[SHA512_DIGEST_LENGTH] = { +static const unsigned char app_c2[SHA512_DIGEST_LENGTH] = { 0x8e, 0x95, 0x9b, 0x75, 0xda, 0xe3, 0x13, 0xda, 0x8c, 0xf4, 0xf7, 0x28, 0x14, 0xfc, 0x14, 0x3f, 0x8f, 0x77, 0x79, 0xc6, 0xeb, 0x9f, 0x7f, 0xa1, @@ -33,7 +33,7 @@ unsigned char app_c2[SHA512_DIGEST_LENGTH] = { 0x5e, 0x96, 0xe5, 0x5b, 0x87, 0x4b, 0xe9, 0x09 }; -unsigned char app_c3[SHA512_DIGEST_LENGTH] = { +static const unsigned char app_c3[SHA512_DIGEST_LENGTH] = { 0xe7, 0x18, 0x48, 0x3d, 0x0c, 0xe7, 0x69, 0x64, 0x4e, 0x2e, 0x42, 0xc7, 0xbc, 0x15, 0xb4, 0x63, 0x8e, 0x1f, 0x98, 0xb1, 0x3b, 0x20, 0x44, 0x28, @@ -44,7 +44,7 @@ unsigned char app_c3[SHA512_DIGEST_LENGTH] = { 0x4e, 0xad, 0xb2, 0x17, 0xad, 0x8c, 0xc0, 0x9b }; -unsigned char app_d1[SHA384_DIGEST_LENGTH] = { +static const unsigned char app_d1[SHA384_DIGEST_LENGTH] = { 0xcb, 0x00, 0x75, 0x3f, 0x45, 0xa3, 0x5e, 0x8b, 0xb5, 0xa0, 0x3d, 0x69, 0x9a, 0xc6, 0x50, 0x07, 0x27, 0x2c, 0x32, 0xab, 0x0e, 0xde, 0xd1, 0x63, @@ -53,7 +53,7 @@ unsigned char app_d1[SHA384_DIGEST_LENGTH] = { 0x58, 0xba, 0xec, 0xa1, 0x34, 0xc8, 0x25, 0xa7 }; -unsigned char app_d2[SHA384_DIGEST_LENGTH] = { +static const unsigned char app_d2[SHA384_DIGEST_LENGTH] = { 0x09, 0x33, 0x0c, 0x33, 0xf7, 0x11, 0x47, 0xe8, 0x3d, 0x19, 0x2f, 0xc7, 0x82, 0xcd, 0x1b, 0x47, 0x53, 0x11, 0x1b, 0x17, 0x3b, 0x3b, 0x05, 0xd2, @@ -62,7 +62,7 @@ unsigned char app_d2[SHA384_DIGEST_LENGTH] = { 0x66, 0xc3, 0xe9, 0xfa, 0x91, 0x74, 0x60, 0x39 }; -unsigned char app_d3[SHA384_DIGEST_LENGTH] = { +static const unsigned char app_d3[SHA384_DIGEST_LENGTH] = { 0x9d, 0x0e, 0x18, 0x09, 0x71, 0x64, 0x74, 0xcb, 0x08, 0x6e, 0x83, 0x4e, 0x31, 0x0a, 0x4a, 0x1c, 0xed, 0x14, 0x9e, 0x9c, 0x00, 0xf2, 0x48, 0x52, diff --git a/test/ssltest.c b/test/ssltest.c index 4959aed..e951788 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -288,9 +288,9 @@ static BIO *bio_stdout = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG /* Note that this code assumes that this is only a one element list: */ static const char NEXT_PROTO_STRING[] = "\x09testproto"; -int npn_client = 0; -int npn_server = 0; -int npn_server_reject = 0; +static int npn_client = 0; +static int npn_server = 0; +static int npn_server_reject = 0; static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, @@ -500,24 +500,24 @@ static int verify_alpn(SSL *client, SSL *server) #define CUSTOM_EXT_TYPE_2 1002 #define CUSTOM_EXT_TYPE_3 1003 -const char custom_ext_cli_string[] = "abc"; -const char custom_ext_srv_string[] = "defg"; +static const char custom_ext_cli_string[] = "abc"; +static const char custom_ext_srv_string[] = "defg"; /* These set from cmdline */ -char *serverinfo_file = NULL; -int serverinfo_sct = 0; -int serverinfo_tack = 0; +static char *serverinfo_file = NULL; +static int serverinfo_sct = 0; +static int serverinfo_tack = 0; /* These set based on extension callbacks */ -int serverinfo_sct_seen = 0; -int serverinfo_tack_seen = 0; -int serverinfo_other_seen = 0; +static int serverinfo_sct_seen = 0; +static int serverinfo_tack_seen = 0; +static int serverinfo_other_seen = 0; /* This set from cmdline */ -int custom_ext = 0; +static int custom_ext = 0; /* This set based on extension callbacks */ -int custom_ext_error = 0; +static int custom_ext_error = 0; static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, diff --git a/test/wp_test.c b/test/wp_test.c index 2ea6251..de7aa3d 100644 --- a/test/wp_test.c +++ b/test/wp_test.c @@ -18,7 +18,7 @@ int main(int argc, char *argv[]) #else /* ISO/IEC 10118-3 test vector set */ -unsigned char iso_test_1[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_1[WHIRLPOOL_DIGEST_LENGTH] = { 0x19, 0xFA, 0x61, 0xD7, 0x55, 0x22, 0xA4, 0x66, 0x9B, 0x44, 0xE3, 0x9C, 0x1D, 0x2E, 0x17, 0x26, 0xC5, 0x30, 0x23, 0x21, 0x30, 0xD4, 0x07, 0xF8, @@ -29,7 +29,7 @@ unsigned char iso_test_1[WHIRLPOOL_DIGEST_LENGTH] = { 0x08, 0xB1, 0x38, 0xCC, 0x42, 0xA6, 0x6E, 0xB3 }; -unsigned char iso_test_2[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_2[WHIRLPOOL_DIGEST_LENGTH] = { 0x8A, 0xCA, 0x26, 0x02, 0x79, 0x2A, 0xEC, 0x6F, 0x11, 0xA6, 0x72, 0x06, 0x53, 0x1F, 0xB7, 0xD7, 0xF0, 0xDF, 0xF5, 0x94, 0x13, 0x14, 0x5E, 0x69, @@ -40,7 +40,7 @@ unsigned char iso_test_2[WHIRLPOOL_DIGEST_LENGTH] = { 0x3B, 0x47, 0x85, 0x84, 0xFD, 0xAE, 0x23, 0x1A }; -unsigned char iso_test_3[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_3[WHIRLPOOL_DIGEST_LENGTH] = { 0x4E, 0x24, 0x48, 0xA4, 0xC6, 0xF4, 0x86, 0xBB, 0x16, 0xB6, 0x56, 0x2C, 0x73, 0xB4, 0x02, 0x0B, 0xF3, 0x04, 0x3E, 0x3A, 0x73, 0x1B, 0xCE, 0x72, @@ -51,7 +51,7 @@ unsigned char iso_test_3[WHIRLPOOL_DIGEST_LENGTH] = { 0xD2, 0x25, 0x29, 0x20, 0x76, 0xD4, 0xEE, 0xF5 }; -unsigned char iso_test_4[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_4[WHIRLPOOL_DIGEST_LENGTH] = { 0x37, 0x8C, 0x84, 0xA4, 0x12, 0x6E, 0x2D, 0xC6, 0xE5, 0x6D, 0xCC, 0x74, 0x58, 0x37, 0x7A, 0xAC, 0x83, 0x8D, 0x00, 0x03, 0x22, 0x30, 0xF5, 0x3C, @@ -62,7 +62,7 @@ unsigned char iso_test_4[WHIRLPOOL_DIGEST_LENGTH] = { 0x62, 0xE8, 0x6D, 0xBD, 0x37, 0xA8, 0x90, 0x3E }; -unsigned char iso_test_5[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_5[WHIRLPOOL_DIGEST_LENGTH] = { 0xF1, 0xD7, 0x54, 0x66, 0x26, 0x36, 0xFF, 0xE9, 0x2C, 0x82, 0xEB, 0xB9, 0x21, 0x2A, 0x48, 0x4A, 0x8D, 0x38, 0x63, 0x1E, 0xAD, 0x42, 0x38, 0xF5, @@ -73,7 +73,7 @@ unsigned char iso_test_5[WHIRLPOOL_DIGEST_LENGTH] = { 0x5D, 0x98, 0x19, 0xA3, 0xDB, 0xA4, 0xEB, 0x3B }; -unsigned char iso_test_6[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_6[WHIRLPOOL_DIGEST_LENGTH] = { 0xDC, 0x37, 0xE0, 0x08, 0xCF, 0x9E, 0xE6, 0x9B, 0xF1, 0x1F, 0x00, 0xED, 0x9A, 0xBA, 0x26, 0x90, 0x1D, 0xD7, 0xC2, 0x8C, 0xDE, 0xC0, 0x66, 0xCC, @@ -84,7 +84,7 @@ unsigned char iso_test_6[WHIRLPOOL_DIGEST_LENGTH] = { 0x42, 0xC6, 0x5F, 0x5A, 0x7A, 0xF0, 0x14, 0x67 }; -unsigned char iso_test_7[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_7[WHIRLPOOL_DIGEST_LENGTH] = { 0x46, 0x6E, 0xF1, 0x8B, 0xAB, 0xB0, 0x15, 0x4D, 0x25, 0xB9, 0xD3, 0x8A, 0x64, 0x14, 0xF5, 0xC0, 0x87, 0x84, 0x37, 0x2B, 0xCC, 0xB2, 0x04, 0xD6, @@ -95,7 +95,7 @@ unsigned char iso_test_7[WHIRLPOOL_DIGEST_LENGTH] = { 0x2C, 0x2A, 0x80, 0xCF, 0x3A, 0x9A, 0x08, 0x3B }; -unsigned char iso_test_8[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_8[WHIRLPOOL_DIGEST_LENGTH] = { 0x2A, 0x98, 0x7E, 0xA4, 0x0F, 0x91, 0x70, 0x61, 0xF5, 0xD6, 0xF0, 0xA0, 0xE4, 0x64, 0x4F, 0x48, 0x8A, 0x7A, 0x5A, 0x52, 0xDE, 0xEE, 0x65, 0x62, @@ -106,7 +106,7 @@ unsigned char iso_test_8[WHIRLPOOL_DIGEST_LENGTH] = { 0x74, 0x5B, 0x7B, 0x18, 0x1C, 0x3B, 0xE3, 0xFD }; -unsigned char iso_test_9[WHIRLPOOL_DIGEST_LENGTH] = { +static const unsigned char iso_test_9[WHIRLPOOL_DIGEST_LENGTH] = { 0x0C, 0x99, 0x00, 0x5B, 0xEB, 0x57, 0xEF, 0xF5, 0x0A, 0x7C, 0xF0, 0x05, 0x56, 0x0D, 0xDF, 0x5D, 0x29, 0x05, 0x7F, 0xD8, 0x6B, 0x20, 0xBF, 0xD6, From steve at openssl.org Fri Sep 11 17:50:56 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 17:50:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1441993856.981066.27601.nullmailer@dev.openssl.org> The branch master has been updated via 8cf2782399c449ecf91f2d292f483e7999a40f6d (commit) from df2ee0e27d2db02660c1d15fe6a3e38be9df0a60 (commit) - Log ----------------------------------------------------------------- commit 8cf2782399c449ecf91f2d292f483e7999a40f6d Author: Dr. Stephen Henson Date: Fri Sep 11 18:16:23 2015 +0100 Fix "defined but not used" warnings. Reviewed-by: Matt Caswell ----------------------------------------------------------------------- Summary of changes: crypto/include/internal/bn_srp.h | 12 -------- crypto/srp/srp_lib.c | 12 ++++++++ crypto/x509v3/ext_dat.h | 66 ---------------------------------------- crypto/x509v3/v3_lib.c | 66 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 78 insertions(+), 78 deletions(-) diff --git a/crypto/include/internal/bn_srp.h b/crypto/include/internal/bn_srp.h index 61befd3..153c8cd 100644 --- a/crypto/include/internal/bn_srp.h +++ b/crypto/include/internal/bn_srp.h @@ -21,16 +21,4 @@ extern const BIGNUM bn_generator_5; extern const BIGNUM bn_generator_2; -static SRP_gN knowngN[] = { - {"8192", (BIGNUM *)&bn_generator_19, (BIGNUM *)&bn_group_8192}, - {"6144", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_6144}, - {"4096", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_4096}, - {"3072", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_3072}, - {"2048", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_2048}, - {"1536", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_1536}, - {"1024", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_1024}, -}; - -# define KNOWN_GN_NUMBER sizeof(knowngN) / sizeof(SRP_gN) - #endif diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c index 8930473..850ec2c 100644 --- a/crypto/srp/srp_lib.c +++ b/crypto/srp/srp_lib.c @@ -306,6 +306,18 @@ int SRP_Verify_A_mod_N(BIGNUM *A, BIGNUM *N) return SRP_Verify_B_mod_N(A, N); } +static SRP_gN knowngN[] = { + {"8192", (BIGNUM *)&bn_generator_19, (BIGNUM *)&bn_group_8192}, + {"6144", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_6144}, + {"4096", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_4096}, + {"3072", (BIGNUM *)&bn_generator_5, (BIGNUM *)&bn_group_3072}, + {"2048", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_2048}, + {"1536", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_1536}, + {"1024", (BIGNUM *)&bn_generator_2, (BIGNUM *)&bn_group_1024}, +}; + +# define KNOWN_GN_NUMBER sizeof(knowngN) / sizeof(SRP_gN) + /* * Check if G and N are kwown parameters. The values have been generated * from the ietf-tls-srp draft version 8 diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509v3/ext_dat.h index 0e93d82..c1ddedb 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509v3/ext_dat.h @@ -70,69 +70,3 @@ extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; extern const X509V3_EXT_METHOD v3_addr, v3_asid; extern const X509V3_EXT_METHOD v3_ct_scts[]; - -/* - * This table will be searched using OBJ_bsearch so it *must* kept in order - * of the ext_nid values. - */ - -static const X509V3_EXT_METHOD *standard_exts[] = { - &v3_nscert, - &v3_ns_ia5_list[0], - &v3_ns_ia5_list[1], - &v3_ns_ia5_list[2], - &v3_ns_ia5_list[3], - &v3_ns_ia5_list[4], - &v3_ns_ia5_list[5], - &v3_ns_ia5_list[6], - &v3_skey_id, - &v3_key_usage, - &v3_pkey_usage_period, - &v3_alt[0], - &v3_alt[1], - &v3_bcons, - &v3_crl_num, - &v3_cpols, - &v3_akey_id, - &v3_crld, - &v3_ext_ku, - &v3_delta_crl, - &v3_crl_reason, -#ifndef OPENSSL_NO_OCSP - &v3_crl_invdate, -#endif - &v3_sxnet, - &v3_info, -#ifndef OPENSSL_NO_RFC3779 - &v3_addr, - &v3_asid, -#endif -#ifndef OPENSSL_NO_OCSP - &v3_ocsp_nonce, - &v3_ocsp_crlid, - &v3_ocsp_accresp, - &v3_ocsp_nocheck, - &v3_ocsp_acutoff, - &v3_ocsp_serviceloc, -#endif - &v3_sinfo, - &v3_policy_constraints, -#ifndef OPENSSL_NO_OCSP - &v3_crl_hold, -#endif - &v3_pci, - &v3_name_constraints, - &v3_policy_mappings, - &v3_inhibit_anyp, - &v3_idp, - &v3_alt[2], - &v3_freshest_crl, -#ifndef OPENSSL_NO_SCT - &v3_ct_scts[0], - &v3_ct_scts[1], -#endif -}; - -/* Number of standard extensions */ - -#define STANDARD_EXTENSION_COUNT OSSL_NELEM(standard_exts) diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509v3/v3_lib.c index 93af571..5073575 100644 --- a/crypto/x509v3/v3_lib.c +++ b/crypto/x509v3/v3_lib.c @@ -96,6 +96,72 @@ DECLARE_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, IMPLEMENT_OBJ_BSEARCH_CMP_FN(const X509V3_EXT_METHOD *, const X509V3_EXT_METHOD *, ext); +/* + * This table will be searched using OBJ_bsearch so it *must* kept in order + * of the ext_nid values. + */ + +static const X509V3_EXT_METHOD *standard_exts[] = { + &v3_nscert, + &v3_ns_ia5_list[0], + &v3_ns_ia5_list[1], + &v3_ns_ia5_list[2], + &v3_ns_ia5_list[3], + &v3_ns_ia5_list[4], + &v3_ns_ia5_list[5], + &v3_ns_ia5_list[6], + &v3_skey_id, + &v3_key_usage, + &v3_pkey_usage_period, + &v3_alt[0], + &v3_alt[1], + &v3_bcons, + &v3_crl_num, + &v3_cpols, + &v3_akey_id, + &v3_crld, + &v3_ext_ku, + &v3_delta_crl, + &v3_crl_reason, +#ifndef OPENSSL_NO_OCSP + &v3_crl_invdate, +#endif + &v3_sxnet, + &v3_info, +#ifndef OPENSSL_NO_RFC3779 + &v3_addr, + &v3_asid, +#endif +#ifndef OPENSSL_NO_OCSP + &v3_ocsp_nonce, + &v3_ocsp_crlid, + &v3_ocsp_accresp, + &v3_ocsp_nocheck, + &v3_ocsp_acutoff, + &v3_ocsp_serviceloc, +#endif + &v3_sinfo, + &v3_policy_constraints, +#ifndef OPENSSL_NO_OCSP + &v3_crl_hold, +#endif + &v3_pci, + &v3_name_constraints, + &v3_policy_mappings, + &v3_inhibit_anyp, + &v3_idp, + &v3_alt[2], + &v3_freshest_crl, +#ifndef OPENSSL_NO_SCT + &v3_ct_scts[0], + &v3_ct_scts[1], +#endif +}; + +/* Number of standard extensions */ + +#define STANDARD_EXTENSION_COUNT OSSL_NELEM(standard_exts) + const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) { X509V3_EXT_METHOD tmp; From steve at openssl.org Fri Sep 11 19:51:56 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 19:51:56 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1442001116.161747.19334.nullmailer@dev.openssl.org> The branch master has been updated via 03706afa30aeb4407287171a9d6f9a765395d0a2 (commit) from 8cf2782399c449ecf91f2d292f483e7999a40f6d (commit) - Log ----------------------------------------------------------------- commit 03706afa30aeb4407287171a9d6f9a765395d0a2 Author: Dr. Stephen Henson Date: Fri Sep 11 16:13:52 2015 +0100 Use default field separator. If the field separator isn't specified through -nameopt then use XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error. PR#2397 Reviewed-by: Tim Hudson ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 +++++- doc/apps/x509.pod | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 5c36a37..5b6a605 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1074,7 +1074,11 @@ int set_name_ex(unsigned long *flags, const char *arg) {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, {NULL, 0, 0} }; - return set_multi_opts(flags, arg, ex_tbl); + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if ((*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; } int set_ext_copy(int *copy_type, const char *arg) diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index a06393d..d479060 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -542,7 +542,8 @@ very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The B uses a linefeed character for the RDN separator and a spaced B<+> for the AVA separator. It also -indents the fields by four characters. +indents the fields by four characters. If no field separator is specified +then B is used by default. =item B From steve at openssl.org Fri Sep 11 19:56:56 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 19:56:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_0-stable update Message-ID: <1442001416.545785.20980.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_0-stable has been updated via 01d8ae61f236d24a5a04992866d94ec10f7d69a2 (commit) from 6ee4fc4853bda4b9163e18dadc797a870daa4519 (commit) - Log ----------------------------------------------------------------- commit 01d8ae61f236d24a5a04992866d94ec10f7d69a2 Author: Dr. Stephen Henson Date: Fri Sep 11 16:13:52 2015 +0100 Use default field separator. If the field separator isn't specified through -nameopt then use XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error. PR#2397 Reviewed-by: Tim Hudson (cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2) ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 +++++- doc/apps/x509.pod | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 5b32c65..9d20710 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1236,7 +1236,11 @@ int set_name_ex(unsigned long *flags, const char *arg) {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, {NULL, 0, 0} }; - return set_multi_opts(flags, arg, ex_tbl); + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if ((*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; } int set_ext_copy(int *copy_type, const char *arg) diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index a24b466..844da61 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -524,7 +524,8 @@ very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The B uses a linefeed character for the RDN separator and a spaced B<+> for the AVA separator. It also -indents the fields by four characters. +indents the fields by four characters. If no field separator is specified +then B is used by default. =item B From steve at openssl.org Fri Sep 11 19:56:56 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 19:56:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1442001416.713674.21024.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via ce5ae63ab2f3a85795462cf91e8be3f1be013992 (commit) from 4dcdde120bac79979d1ce63cc652e7b53fab4f49 (commit) - Log ----------------------------------------------------------------- commit ce5ae63ab2f3a85795462cf91e8be3f1be013992 Author: Dr. Stephen Henson Date: Fri Sep 11 16:13:52 2015 +0100 Use default field separator. If the field separator isn't specified through -nameopt then use XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error. PR#2397 Reviewed-by: Tim Hudson (cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2) ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 +++++- doc/apps/x509.pod | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 7478fc3..68287b1 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1352,7 +1352,11 @@ int set_name_ex(unsigned long *flags, const char *arg) {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, {NULL, 0, 0} }; - return set_multi_opts(flags, arg, ex_tbl); + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if ((*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; } int set_ext_copy(int *copy_type, const char *arg) diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index a1326ed..26f71c8 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -539,7 +539,8 @@ very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The B uses a linefeed character for the RDN separator and a spaced B<+> for the AVA separator. It also -indents the fields by four characters. +indents the fields by four characters. If no field separator is specified +then B is used by default. =item B From steve at openssl.org Fri Sep 11 19:56:56 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 19:56:56 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1442001416.613961.21002.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 8b5ac90e5eb3343ddf768f64a2cf975a14d21387 (commit) from 4cb23e12a300b64dd997ca00cee75cde8925df05 (commit) - Log ----------------------------------------------------------------- commit 8b5ac90e5eb3343ddf768f64a2cf975a14d21387 Author: Dr. Stephen Henson Date: Fri Sep 11 16:13:52 2015 +0100 Use default field separator. If the field separator isn't specified through -nameopt then use XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error. PR#2397 Reviewed-by: Tim Hudson (cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2) ----------------------------------------------------------------------- Summary of changes: apps/apps.c | 6 +++++- doc/apps/x509.pod | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/apps.c b/apps/apps.c index 6801238..1e48307 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1247,7 +1247,11 @@ int set_name_ex(unsigned long *flags, const char *arg) {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, {NULL, 0, 0} }; - return set_multi_opts(flags, arg, ex_tbl); + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if ((*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; } int set_ext_copy(int *copy_type, const char *arg) diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 6109389..1bb0550 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -529,7 +529,8 @@ very rare and their use is discouraged). The options ending in "space" additionally place a space after the separator to make it more readable. The B uses a linefeed character for the RDN separator and a spaced B<+> for the AVA separator. It also -indents the fields by four characters. +indents the fields by four characters. If no field separator is specified +then B is used by default. =item B From steve at openssl.org Fri Sep 11 22:41:49 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 22:41:49 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1442011309.579893.18335.nullmailer@dev.openssl.org> The branch master has been updated via bc2a15cdfb5a5a91b9166371b41b7e0c71e547c6 (commit) from 03706afa30aeb4407287171a9d6f9a765395d0a2 (commit) - Log ----------------------------------------------------------------- commit bc2a15cdfb5a5a91b9166371b41b7e0c71e547c6 Author: Dr. Stephen Henson Date: Fri Sep 11 23:10:29 2015 +0100 Fix zlib CMS compilation. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/cms/cms_asn1.c | 2 +- crypto/cms/cms_cd.c | 2 -- crypto/cms/cms_lcl.h | 1 + 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 2bd3954..e044cf5 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -305,7 +305,7 @@ ASN1_NDEF_SEQUENCE(CMS_CompressedData) = { ASN1_SIMPLE(CMS_CompressedData, version, LONG), ASN1_SIMPLE(CMS_CompressedData, compressionAlgorithm, X509_ALGOR), ASN1_SIMPLE(CMS_CompressedData, encapContentInfo, CMS_EncapsulatedContentInfo), -} static_ASN1_NDEF_SEQUENCE_END(CMS_CompressedData) +} ASN1_NDEF_SEQUENCE_END(CMS_CompressedData) /* This is the ANY DEFINED BY table for the top level ContentInfo structure */ diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c index 889133e..81cc6c5 100644 --- a/crypto/cms/cms_cd.c +++ b/crypto/cms/cms_cd.c @@ -64,8 +64,6 @@ #endif #include "cms_lcl.h" -DECLARE_ASN1_ITEM(CMS_CompressedData) - #ifdef ZLIB /* CMS CompressedData Utilities */ diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h index 5b0551c..227356b 100644 --- a/crypto/cms/cms_lcl.h +++ b/crypto/cms/cms_lcl.h @@ -479,6 +479,7 @@ DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice) DECLARE_ASN1_ITEM(CMS_SignedData) +DECLARE_ASN1_ITEM(CMS_CompressedData) #ifdef __cplusplus } From steve at openssl.org Fri Sep 11 23:51:39 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 11 Sep 2015 23:51:39 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1442015499.887166.4428.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via eac2b837d63fbac8acb3a9d1f65a2d8379edfc93 (commit) from ce5ae63ab2f3a85795462cf91e8be3f1be013992 (commit) - Log ----------------------------------------------------------------- commit eac2b837d63fbac8acb3a9d1f65a2d8379edfc93 Author: John Foley Date: Sat Sep 12 00:11:23 2015 +0100 Use memmove instead of memcpy. PR#4036 Reviewed-by: Tim Hudson Reviewed-by: Stephen Henson ----------------------------------------------------------------------- Summary of changes: crypto/modes/wrap128.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c index 4dcaf03..3849783 100644 --- a/crypto/modes/wrap128.c +++ b/crypto/modes/wrap128.c @@ -76,7 +76,7 @@ size_t CRYPTO_128_wrap(void *key, const unsigned char *iv, return 0; A = B; t = 1; - memcpy(out + 8, in, inlen); + memmove(out + 8, in, inlen); if (!iv) iv = default_iv; @@ -113,7 +113,7 @@ size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv, A = B; t = 6 * (inlen >> 3); memcpy(A, in, 8); - memcpy(out, in + 8, inlen); + memmove(out, in + 8, inlen); for (j = 0; j < 6; j++) { R = out + inlen - 8; for (i = 0; i < inlen; i += 8, t--, R -= 8) { From steve at openssl.org Sat Sep 12 01:42:59 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 12 Sep 2015 01:42:59 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1442022179.637824.26337.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 2aa5a2c76656f3873fecd0f0bcc628c1861c27a9 (commit) from eac2b837d63fbac8acb3a9d1f65a2d8379edfc93 (commit) - Log ----------------------------------------------------------------- commit 2aa5a2c76656f3873fecd0f0bcc628c1861c27a9 Author: Dr. Stephen Henson Date: Sat Sep 12 00:44:07 2015 +0100 Check for FIPS mode after loading config. PR#3958 Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: apps/pkcs12.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 4ff6449..e41b445 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -134,13 +134,6 @@ int MAIN(int argc, char **argv) apps_startup(); -# ifdef OPENSSL_FIPS - if (FIPS_mode()) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -# endif - cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; - enc = EVP_des_ede3_cbc(); if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -148,6 +141,13 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +# endif + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + args = argv + 1; while (*args) { From steve at openssl.org Sat Sep 12 01:44:09 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 12 Sep 2015 01:44:09 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_1-stable update Message-ID: <1442022249.155749.26812.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_1-stable has been updated via 421baf1862e5325c1de36dcb171a8a33d44f121f (commit) from 8b5ac90e5eb3343ddf768f64a2cf975a14d21387 (commit) - Log ----------------------------------------------------------------- commit 421baf1862e5325c1de36dcb171a8a33d44f121f Author: Dr. Stephen Henson Date: Sat Sep 12 00:44:07 2015 +0100 Check for FIPS mode after loading config. PR#3958 Reviewed-by: Rich Salz (cherry picked from commit 2aa5a2c76656f3873fecd0f0bcc628c1861c27a9) ----------------------------------------------------------------------- Summary of changes: apps/pkcs12.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 4ff6449..e41b445 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -134,13 +134,6 @@ int MAIN(int argc, char **argv) apps_startup(); -# ifdef OPENSSL_FIPS - if (FIPS_mode()) - cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - else -# endif - cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; - enc = EVP_des_ede3_cbc(); if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -148,6 +141,13 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; +# ifdef OPENSSL_FIPS + if (FIPS_mode()) + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + else +# endif + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; + args = argv + 1; while (*args) { From steve at openssl.org Sat Sep 12 01:47:31 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 12 Sep 2015 01:47:31 +0000 Subject: [openssl-commits] [openssl] master update Message-ID: <1442022451.440070.27389.nullmailer@dev.openssl.org> The branch master has been updated via aabd49232025807babe995006a46c4c7815ce868 (commit) from bc2a15cdfb5a5a91b9166371b41b7e0c71e547c6 (commit) - Log ----------------------------------------------------------------- commit aabd49232025807babe995006a46c4c7815ce868 Author: Dr. Stephen Henson Date: Sat Sep 12 01:53:52 2015 +0100 Constify ECDSA_METHOD_new. PR#3920. Reviewed-by: Rich Salz ----------------------------------------------------------------------- Summary of changes: crypto/ecdsa/ecs_lib.c | 2 +- include/openssl/ecdsa.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index f3007e5..4e1c63a 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -247,7 +247,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx) return (CRYPTO_get_ex_data(&ecdsa->ex_data, idx)); } -ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_meth) +ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_meth) { ECDSA_METHOD *ret; diff --git a/include/openssl/ecdsa.h b/include/openssl/ecdsa.h index f60c229..4a02a01 100644 --- a/include/openssl/ecdsa.h +++ b/include/openssl/ecdsa.h @@ -233,7 +233,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx); * \return pointer to a ECDSA_METHOD structure or NULL if an error occurred */ -ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method); +ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_method); /** frees a ECDSA_METHOD structure * \param ecdsa_method pointer to the ECDSA_METHOD structure From steve at openssl.org Sat Sep 12 01:48:17 2015 From: steve at openssl.org (Dr. Stephen Henson) Date: Sat, 12 Sep 2015 01:48:17 +0000 Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update Message-ID: <1442022497.118145.28245.nullmailer@dev.openssl.org> The branch OpenSSL_1_0_2-stable has been updated via 5116aeeacbac3f22792cfa9a370069f00adc2a49 (commit) from 2aa5a2c76656f3873fecd0f0bcc628c1861c27a9 (commit) - Log ----------------------------------------------------------------- commit 5116aeeacbac3f22792cfa9a370069f00adc2a49 Author: Dr. Stephen Henson Date: Sat Sep 12 01:53:52 2015 +0100 Constify ECDSA_METHOD_new. PR#3920. Reviewed-by: Rich Salz (cherry picked from commit aabd49232025807babe995006a46c4c7815ce868) ----------------------------------------------------------------------- Summary of changes: crypto/ecdsa/ecdsa.h | 2 +- crypto/ecdsa/ecs_lib.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index c4016ac..a6f0930 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -233,7 +233,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx); * \return pointer to a ECDSA_METHOD structure or NULL if an error occurred */ -ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method); +ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_method); /** frees a ECDSA_METHOD structure * \param ecdsa_method pointer to the ECDSA_METHOD structure diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index 1c02310..8dc1dda 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -276,7 +276,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx) return (CRYPTO_get_ex_data(&ecdsa->ex_data, idx)); } -ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_meth) +ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_meth) { ECDSA_METHOD *ret; From matt at openssl.org Mon Sep 14 08:18:08 2015 From: matt at openssl.org (Matt Caswell) Date: Mon, 14 Sep 2015 08:18:08 +0000 Subject: [openssl-commits] [web] master update Message-ID: <1442218688.490818.25015.nullmailer@dev.openssl.org> The branch master has been updated via 2375c6c39fc86635a432868a98b8caf695df0736 (commit) from c02b0710e44fb8449df2c8ed43e476ae94d6b76d (commit) - Log ----------------------------------------------------------------- commit 2375c6c39fc86635a432868a98b8caf695df0736 Author: Matt Caswell Date: Fri Sep 4 09:16:20 2015 +0100 Updated release strategy for 1.1.0 release timetable. ----------------------------------------------------------------------- Summary of changes: policies/releasestrat.html | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-) diff --git a/policies/releasestrat.html b/policies/releasestrat.html index 1041334..f27df47 100644 --- a/policies/releasestrat.html +++ b/policies/releasestrat.html @@ -13,7 +13,7 @@

Release Strategy

First issued 23rd December 2014
- Last modified 9th August 2015 + Last modified 14th September 2015
@@ -80,12 +80,33 @@

At this time, we are not planning a 1.0.3 release.

Version 1.1.0 will (moderately) break source compatibility - (for example we will make most structures opaque etc). We - expect a preview version to be available mid 2015, with an - expected release by the end of 2015. Preview means that we - are not planning or expecting major API changes between the - preview release and the final release (but are not categorically - precluding that possibility).

+ (for example we will make most structures opaque etc). Our current plans + for the release timetable are:

+ +
    +
  • 10th December 2015, alpha release 1
    • +
  • 7th January 2016, alpha release 2
    • +
  • 4th February 2016, alpha release 3
    • +
  • 3rd March 2016, 1.1.0 beta 1 release
    • +
  • 31st March 2016, 1.1.0 beta 2 release
    • +
  • 28th April 2016, 1.1.0 public release
    • +
+ +

An alpha release means:

+ +
    +
  • Not (necessarily) feature complete
    • +
  • Not necessarily all new APIs in place yet
    • +
  • Opaque work complete
    • +
+ +

A beta release means:

+ +
    +
  • Feature complete/Feature freeze
    • +
  • Bug fixes only
    • +
+