ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ag:openssl-1.1.1a
Branches Tags
ag:master ag:tcl ag:tk ag:sqlite ag:libffi ag:openssl-1.1.1 ag:bzip2 ag:openssl-1.0.2 ag:openssl ag:tk85 ag:tcl85 ag:zlib ag:bsddb ag:xz ag:tix
ag:tcl-core-8.6.12.0 ag:tk-8.6.12.0 ag:sqlite-3.36.0.0 ag:libffi-3.4.2 ag:openssl-1.1.1l ag:bzip2-1.0.8 ag:sqlite-3.35.5.0 ag:sqlite-3.35.0.0 ag:tk-8.6.11.1 ag:tk-8.6.11.0 ag:tcl-core-8.6.11.1 ag:tcl-core-8.6.11.0 ag:openssl-1.1.1k ag:sqlite-3.34.0.0 ag:openssl-1.1.1i ag:sqlite-3.33.0.0 ag:tk-8.6.10.0 ag:tk-8.6.10 ag:tcl-core-8.6.10.0 ag:sqlite-3.32.3.0 ag:openssl-1.1.1g ag:sqlite-3.32.2.0 ag:sqlite-3.32.1.0 ag:openssl-1.1.1f ag:sqlite-3.31.1.0 ag:sqlite-3.30.1.0 ag:libffi-3.3.0 ag:openssl-1.0.2t ag:openssl-1.1.0l ag:openssl-1.1.1d ag:sqlite-3.28.0.0 ag:openssl-1.0.2s ag:openssl-1.1.1c ag:openssl-1.1.1b ag:libffi-3.3.0-rc0-r1 ag:openssl-1.1.1a ag:tcl-core-8.6.9.0 ag:tk-8.6.9.0 ag:openssl-1.1.0j ag:openssl-1.0.2q ag:openssl-1.0.2p ag:openssl-1.1.0i ag:openssl-1.1.0h ag:openssl-1.0.2o ag:tcl-core-8.6.8.0 ag:tk-8.6.8.0 ag:tk-8.5.19.0 ag:tcl-8.5.19.0 ag:sqlite-3.21.0.0 ag:openssl-1.1.0f ag:zlib-1.2.11 ag:tk-8.5.15.0 ag:tcl-8.5.15.0 ag:bsddb-4.7.25.0 ag:xz-5.2.2 ag:tix-8.4.3.6 ag:tix-8.4.3.5 ag:sqlite-3.14.2.0 ag:tk-8.6.6.0 ag:tcl-core-8.6.6.0 ag:openssl-1.0.2k ag:bzip2-1.0.6
...
compare: ag:openssl-1.1.1k
Branches Tags
ag:tcl ag:tk ag:sqlite ag:master ag:libffi ag:openssl-1.1.1 ag:bzip2 ag:openssl-1.0.2 ag:openssl ag:tk85 ag:tcl85 ag:zlib ag:bsddb ag:xz ag:tix
ag:tcl-core-8.6.12.0 ag:tk-8.6.12.0 ag:sqlite-3.36.0.0 ag:libffi-3.4.2 ag:openssl-1.1.1l ag:bzip2-1.0.8 ag:sqlite-3.35.5.0 ag:sqlite-3.35.0.0 ag:tk-8.6.11.1 ag:tk-8.6.11.0 ag:tcl-core-8.6.11.1 ag:tcl-core-8.6.11.0 ag:openssl-1.1.1k ag:sqlite-3.34.0.0 ag:openssl-1.1.1i ag:sqlite-3.33.0.0 ag:tk-8.6.10.0 ag:tk-8.6.10 ag:tcl-core-8.6.10.0 ag:sqlite-3.32.3.0 ag:openssl-1.1.1g ag:sqlite-3.32.2.0 ag:sqlite-3.32.1.0 ag:openssl-1.1.1f ag:sqlite-3.31.1.0 ag:sqlite-3.30.1.0 ag:libffi-3.3.0 ag:openssl-1.0.2t ag:openssl-1.1.0l ag:openssl-1.1.1d ag:sqlite-3.28.0.0 ag:openssl-1.0.2s ag:openssl-1.1.1c ag:openssl-1.1.1b ag:libffi-3.3.0-rc0-r1 ag:openssl-1.1.1a ag:tcl-core-8.6.9.0 ag:tk-8.6.9.0 ag:openssl-1.1.0j ag:openssl-1.0.2q ag:openssl-1.0.2p ag:openssl-1.1.0i ag:openssl-1.1.0h ag:openssl-1.0.2o ag:tcl-core-8.6.8.0 ag:tk-8.6.8.0 ag:tk-8.5.19.0 ag:tcl-8.5.19.0 ag:sqlite-3.21.0.0 ag:openssl-1.1.0f ag:zlib-1.2.11 ag:tk-8.5.15.0 ag:tcl-8.5.15.0 ag:bsddb-4.7.25.0 ag:xz-5.2.2 ag:tix-8.4.3.6 ag:tix-8.4.3.5 ag:sqlite-3.14.2.0 ag:tk-8.6.6.0 ag:tcl-core-8.6.6.0 ag:openssl-1.0.2k ag:bzip2-1.0.6

8 Commits
openssl-1. ... openssl-1.

Author SHA1 Message Date
Steve Dower
b439f09b29 Import OpenSSL1.1.1k 2021-03-29 21:47:40 +01:00
Steve Dower
ae8aba4cbc Import OpenSSL 1.1.1i 2021-01-05 19:44:35 +00:00
Steve Dower
7f34c3085f Import OpenSSL 1.1.1g 2020-06-12 20:28:47 +01:00
Steve Dower
e531386a2f Import OpenSSL 1.1.1f 2020-04-03 21:53:21 +01:00
Steve Dower
6f2f71e7ea Imported OpenSSL 1.1.1d 2019-09-16 11:16:33 +01:00
Steve Dower
ea3c37b9ec Imported OpenSSL 1.1.1c 2019-06-17 08:35:38 -07:00
Paul Monson
cf34d7b72e Add WSAECONNRESET to conn_is_closed (#13) 2019-04-29 22:04:24 +00:00
Steve Dower
8f99635588 Imported OpenSSL 1.1.1b 2019-03-07 09:36:23 -08:00
1519 changed files with 82142 additions and 25777 deletions
Expand all files Collapse all files

3
.gitattributes vendored
View File

@@ -1,3 +0,0 @@
*.der binary
/fuzz/corpora/** binary
*.pfx binary

14
.github/PULL_REQUEST_TEMPLATE.md vendored
View File

@@ -1,14 +0,0 @@
<!--
Thank you for your pull request. Please review these requirements:
Contributors guide: https://github.com/openssl/openssl/blob/master/CONTRIBUTING
Other than that, provide a description above this comment if there isn't one already
If this fixes a github issue, make sure to have a line saying 'Fixes #XXXX' (without quotes) in the commit message.
-->
##### Checklist
<!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
- [ ] documentation is added or updated
- [ ] tests are added or updated

185
.gitignore vendored
View File

@@ -1,185 +0,0 @@
# Ignore editor artefacts
/.dir-locals.el
# Top level excludes
/Makefile.orig
/MINFO
/TABLE
/*.pc
/rehash.time
/inc.*
/makefile.*
/out.*
/tmp.*
/configdata.pm
# *all* Makefiles
Makefile
# ... except in demos
!/demos/*/Makefile
# Links under apps
/apps/CA.pl
/apps/tsget
/apps/tsget.pl
/apps/md4.c
# Auto generated headers
/crypto/buildinf.h
/apps/progs.h
/crypto/include/internal/*_conf.h
/openssl/include/opensslconf.h
/util/domd
# error code files
/crypto/err/openssl.txt.old
/engines/e_afalg.txt.old
/engines/e_capi.txt.old
/engines/e_dasync.txt.old
/engines/e_ossltest.txt.old
# Executables
/apps/openssl
/test/sha256t
/test/sha512t
/test/gost2814789t
/test/ssltest_old
/test/*test
/test/fips_aesavs
/test/fips_desmovs
/test/fips_dhvs
/test/fips_drbgvs
/test/fips_dssvs
/test/fips_ecdhvs
/test/fips_ecdsavs
/test/fips_rngvs
/test/fips_test_suite
/test/ssltest_old
/test/x509aux
/test/v3ext
/test/versions
/test/ossl_shim/ossl_shim
/test/rsa_complex
# Certain files that get created by tests on the fly
/test/test-runs
/test/buildtest_*
# Fuzz stuff.
# Anything without an extension is an executable on Unix, so we keep files
# with extensions. And we keep the corpora subddir versioned as well.
# Anything more generic with extensions that should be ignored will be taken
# care of by general ignores for those extensions (*.o, *.obj, *.exe, ...)
/fuzz/*
!/fuzz/README*
!/fuzz/corpora
!/fuzz/*.*
# Misc auto generated files
/include/openssl/opensslconf.h
/tools/c_rehash
/tools/c_rehash.pl
/util/shlib_wrap.sh
/tags
/TAGS
/libcrypto.map
/libssl.map
# Windows (legacy)
/tmp32
/tmp32.dbg
/tmp32dll
/tmp32dll.dbg
/out32
/out32.dbg
/out32dll
/out32dll.dbg
/inc32
/MINFO
/ms/.rnd
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak
/ms/ntdll.mak
/ms/ssleay32.def
/ms/version32.rc
# Files created on other branches that are not held in git, and are not
# needed on this branch
/include/openssl/asn1_mac.h
/include/openssl/des_old.h
/include/openssl/fips.h
/include/openssl/fips_rand.h
/include/openssl/krb5_asn.h
/include/openssl/kssl.h
/include/openssl/pq_compat.h
/include/openssl/ssl23.h
/include/openssl/tmdiff.h
/include/openssl/ui_compat.h
/test/fips_aesavs.c
/test/fips_desmovs.c
/test/fips_dsatest.c
/test/fips_dssvs.c
/test/fips_hmactest.c
/test/fips_randtest.c
/test/fips_rngvs.c
/test/fips_rsagtest.c
/test/fips_rsastest.c
/test/fips_rsavtest.c
/test/fips_shatest.c
/test/fips_test_suite.c
/test/shatest.c
##### Generic patterns
# Auto generated assembly language source files
*.s
!/crypto/*/asm/*.s
/crypto/arm*.S
/crypto/*/*.S
*.asm
!/crypto/*/asm/*.asm
# Object files
*.o
*.obj
# editor artefacts
*.swp
.#*
\#*#
*~
# Certificate symbolic links
*.0
# All kinds of libraries and executables
*.a
*.so
*.so.*
*.dylib
*.dylib.*
*.dll
*.dll.*
*.exe
*.pyc
*.exp
*.lib
*.pdb
*.ilk
*.def
*.rc
*.res
# Misc generated stuff
Makefile.save
/crypto/**/lib
/engines/**/lib
/ssl/**/lib
*.bak
cscope.*
*.d
pod2htmd.tmp
# Windows manifest files
*.manifest
doc-nits

11
.gitmodules vendored
View File

@@ -1,11 +0,0 @@
[submodule "boringssl"]
path = boringssl
url = https://boringssl.googlesource.com/boringssl
[submodule "pyca.cryptography"]
path = pyca-cryptography
url = https://github.com/pyca/cryptography.git
[submodule "krb5"]
path = krb5
url = https://github.com/krb5/krb5

15
.travis-apt-pin.preferences
View File

@@ -1,15 +0,0 @@
Package: clang-3.9
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libclang-common-3.9-dev
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libclang1-3.9
Pin: release o=Ubuntu
Pin-Priority: -1
Package: libllvm3.9v4
Pin: release o=Ubuntu
Pin-Priority: -1

11
.travis-create-release.sh
View File

@@ -1,11 +0,0 @@
#! /bin/sh
# $1 is expected to be $TRAVIS_OS_NAME
./Configure dist
if [ "$1" == osx ]; then
make NAME='_srcdist' TARFILE='_srcdist.tar' \
TAR_COMMAND='$(TAR) $(TARFLAGS) -cf -' tar
else
make TARFILE='_srcdist.tar' NAME='_srcdist' dist
fi

254
.travis.yml
View File

@@ -1,254 +0,0 @@
dist: trusty
sudo: required
osx_image: xcode9.3
language: c
cache: ccache
git:
submodules: false
quiet: true
before_install:
- if [ -n "$COVERALLS" ]; then
pip install --user cpp-coveralls;
fi;
- if expr "$CONFIG_OPTS" ":" ".*enable-external-tests" > /dev/null; then
git submodule update --init --recursive;
fi;
os:
- linux
- osx
compiler:
- clang
- gcc
env:
- CONFIG_OPTS="" DESTDIR="_install"
- CONFIG_OPTS="no-asm -Werror --debug no-afalgeng no-shared enable-crypto-mdebug enable-rc5 enable-md2"
- CONFIG_OPTS="no-asm no-makedepend --strict-warnings -std=c89 -D_DEFAULT_SOURCE" BUILDONLY="yes" CHECKDOCS="yes" GENERATE="yes"
matrix:
include:
- os: linux-ppc64le
sudo: false
compiler: clang
env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES"
- os: linux
addons:
apt:
packages:
- gcc-5
- g++-5
sources:
- ubuntu-toolchain-r-test
compiler: gcc-5
env: CONFIG_OPTS="--strict-warnings" COMMENT="Move to the BORINGTEST build when interoperable"
- os: linux
compiler: clang
env: CONFIG_OPTS="--strict-warnings -D__NO_STRING_INLINES no-deprecated" BUILDONLY="yes"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: i686-w64-mingw32-gcc
env: CONFIG_OPTS="no-stdio" BUILDONLY="yes"
# Uncomment if there is reason to believe that PPC-specific problem
# can be diagnosed with this possibly >30 mins sanitizer build...
#- os: linux-ppc64le
# sudo: false
# compiler: gcc
# env: EXTENDED_TEST="yes" CONFIG_OPTS="no-asm enable-asan enable-ubsan no-shared -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -D__NO_STRING_INLINES"
- os: linux
addons:
apt:
packages:
- gcc-5
- g++-5
- golang-1.6
sources:
- ubuntu-toolchain-r-test
compiler: gcc-5
env: EXTENDED_TEST="yes" CONFIG_OPTS="--debug --coverage no-asm enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-ssl3 enable-ssl3-method enable-nextprotoneg enable-weak-ssl-ciphers no-shared -DPEDANTIC -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION" COVERALLS="yes" BORINGSSL_TESTS="yes" CXX="g++-5"
- os: linux
addons:
apt:
packages:
- gcc-5
- g++-5
- golang-1.6
sources:
- ubuntu-toolchain-r-test
compiler: gcc-5
env: EXTENDED_TEST="yes" CONFIG_OPTS="--debug enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-external-tests" BORINGSSL_TESTS="yes" CXX="g++-5" TESTS=95
- os: linux
compiler: clang
env: EXTENDED_TEST="yes" CONFIG_OPTS="enable-msan -D__NO_STRING_INLINES -Wno-unused-command-line-argument"
- os: linux
compiler: clang
env: EXTENDED_TEST="yes" CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg no-shared -fno-sanitize=alignment -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -D__NO_STRING_INLINES -Wno-unused-command-line-argument"
- os: linux
compiler: clang
env: EXTENDED_TEST="yes" CONFIG_OPTS="no-asm enable-asan enable-rc5 enable-md2 no-shared -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -D__NO_STRING_INLINES -Wno-unused-command-line-argument"
- os: linux
addons:
apt:
packages:
- gcc-5
- g++-5
sources:
- ubuntu-toolchain-r-test
compiler: gcc-5
env: UBUNTU_GCC_HACK="yes" EXTENDED_TEST="yes" CONFIG_OPTS="--debug no-asm enable-ubsan enable-rc5 enable-md2 -DPEDANTIC" OPENSSL_TEST_RAND_ORDER=0
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: i686-w64-mingw32-gcc
env: EXTENDED_TEST="yes" CONFIG_OPTS="no-pic"
- os: linux
addons:
apt:
packages:
- binutils-mingw-w64
- gcc-mingw-w64
compiler: x86_64-w64-mingw32-gcc
env: EXTENDED_TEST="yes" CONFIG_OPTS="no-pic"
exclude:
- os: linux
compiler: clang
- os: osx
compiler: gcc
before_script:
- env
- if [ "$TRAVIS_PULL_REQUEST" != "false" -a -n "$EXTENDED_TEST" ]; then
(git log -1 $TRAVIS_COMMIT_RANGE | grep '\[extended tests\]' > /dev/null) || exit 0;
fi
- if [ -n "$DESTDIR" ]; then
sh .travis-create-release.sh $TRAVIS_OS_NAME;
tar -xzf _srcdist.tar.gz;
mkdir _build;
cd _build;
srcdir=../_srcdist;
top=..;
else
srcdir=.;
top=.;
fi
- if [ -n "$UBUNTU_GCC_HACK" ]; then
$CC -dumpspecs | sed "s/--push-state//g; s/--pop-state/--as-needed/g" > gcc-specs.txt;
CC="$CC -specs=gcc-specs.txt";
fi
- if [ "$CC" = i686-w64-mingw32-gcc ]; then
export CROSS_COMPILE=${CC%%gcc}; unset CC;
$srcdir/Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
elif [ "$CC" = x86_64-w64-mingw32-gcc ]; then
export CROSS_COMPILE=${CC%%gcc}; unset CC;
$srcdir/Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
else
if [ "$CC" = clang-3.9 ]; then
sudo cp .travis-apt-pin.preferences /etc/apt/preferences.d/no-ubuntu-clang;
curl -sSL "http://apt.llvm.org/llvm-snapshot.gpg.key" | sudo -E apt-key add -;
echo "deb http://apt.llvm.org/trusty/ llvm-toolchain-trusty-3.9 main" | sudo tee -a /etc/apt/sources.list > /dev/null;
sudo -E apt-add-repository -y "ppa:ubuntu-toolchain-r/test";
sudo -E apt-get -yq update;
sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install clang-3.9;
elif which ccache >/dev/null; then
CC="ccache $CC";
fi;
$srcdir/config -v $CONFIG_OPTS;
fi
- ./configdata.pm --dump
- cd $top
script:
- if [ -z "$BUILDONLY" ]; then
make="make -s";
else
make="make";
fi
- if [ -n "$GENERATE" ]; then
make2="$make PERL=no-perl";
else
make2="$make";
fi
- top=${PWD}
- if [ -n "$DESTDIR" ]; then
cd _build;
fi
- if $make update; then
echo -e '+\057 MAKE UPDATE OK';
else
echo -e '+\057 MAKE UPDATE FAILED'; false;
fi
- git diff --exit-code
- if [ -n "$CHECKDOCS" ]; then
if $make doc-nits; then
echo -e '+\057\057 MAKE DOC-NITS OK';
else
echo -e '+\057\057 MAKE DOC-NITS FAILED'; false;
fi;
fi
- if [ -n "$GENERATE" ]; then
if $make build_all_generated; then
echo -e '+\057\057\057 MAKE BUILD_ALL_GENERATED OK';
else
echo -e '+\057\057\057 MAKE BUILD_ALL_GENERATED FAILED'; false;
fi;
fi
- if $make2; then
echo -e '+\057\057\057\057 MAKE OK';
else
echo -e '+\057\057\057\057 MAKE FAILED'; false;
fi;
- if [ -z "$BUILDONLY" ]; then
if [ -n "$CROSS_COMPILE" ]; then
sudo dpkg --add-architecture i386;
sudo apt-get update;
sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install wine;
export EXE_SHELL="wine" WINEPREFIX=`pwd`;
fi;
if [ -e krb5/src ]; then
sudo apt-get -yq install bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev python-cjson python-paste python-pyrad slapd tcl-dev tcsh;
fi;
if HARNESS_VERBOSE=yes BORING_RUNNER_DIR=$top/boringssl/ssl/test/runner make test; then
echo -e '+\057\057\057\057\057 MAKE TEST OK';
else
echo -e '+\057\057\057\057\057 MAKE TEST FAILED'; false;
fi;
else
if $make build_tests >~/build.log 2>&1; then
echo -e '+\057\057\057\057\057\057 MAKE BUILD_TESTS OK';
else
echo -e '+\057\057\057\057\057\057 MAKE BUILD_TESTS FAILED';
cat ~/build.log
false;
fi;
fi
- if [ -n "$DESTDIR" ]; then
mkdir "$top/$DESTDIR";
if $make install DESTDIR="$top/$DESTDIR" >~/install.log 2>&1 ; then
echo -e '+\057\057\057\057\057\057\057 MAKE INSTALL OK';
else
echo -e '+\057\057\057\057\057\057\057 MAKE INSTALL FAILED';
cat ~/install.log;
false;
fi;
fi
- cd $top
after_success:
- if [ -n "$COVERALLS" ]; then
coveralls -b . --gcov gcov-5 --gcov-options '\-lpbc';
fi;
notifications:
email:
secure: "xeGNgWO7aoaDgRvcZubposqMsj36aU8c6F0oHfw+rUqltCQ14IgYCUwzocmR2O+Pa7B3Cx5VjMfBFHbQaajZsfod8vu7g+aGq/zkjwbhsr/SR4dljJjFJXLGZjIalm9KgP6KInmVDuINfCqP+MHIY5lZkNI7DMcyHDhVc5nSKvCXV7xTDNgmstvh8rB/z51WfHDqGqfBtiuK5FDNxmvYK8OFJ5W94Lu9LDlizcxwK3GAj7arOui7Z5w8bQ6p4seUE3IvJL1Zbj0pZHxvNb6Zeb2Pn8QF1qLlN8YmBktD4aiw0ce4wYRiL87uLgcOxZY7SVXtv2XYFIYWapU/FKjCqa6vK93V/H9eZWEIYNMKnN3wXm2beqVdnKek3OeGJ8v0y7MbSfuLfRtBqbTSNYnpU1Zuo4MQAvHvEPuwCAYkYQajOSRplMH5sULFKptuVqNtOMfjL8jHb8AEoL1acYIk43ydxeYrzzas4fqgCDJ52573/u0RNdF1lkQBLkuM365OB8VRqtpnoxcdEIY/qBc/8TzZ24fxyrs5qdHFcxGSgpN2EP6cJMqpvkemnCNSdhxUqfzm22N7a3O8+4LFSBGOnHto/PwdsvF/01yGYL0LoZTnoO1i6x7AMJPBh+eyDU0ZjGhj/msjmqeb9C8vRqQ+1WjHrIS1iqCD0Czib8tUPD4="

7
AUTHORS
View File

@@ -13,6 +13,8 @@ Ben Kaduk
Bernd Edlinger
Bodo Möller
David Benjamin
David von Oheimb
Dmitry Belyavskiy (Дмитрий Белявский)
Emilia Käsper
Eric Young
Geoff Thorpe
@@ -22,14 +24,19 @@ Lutz Jänicke
Mark J. Cox
Matt Caswell
Matthias St. Pierre
Nicola Tuveri
Nils Larsch
Patrick Steuer
Paul Dale
Paul C. Sutton
Paul Yang
Ralf S. Engelschall
Rich Salz
Richard Levitte
Shane Lontis
Stephen Henson
Steve Marquess
Tim Hudson
Tomáš Mráz
Ulf Möller
Viktor Dukhovni

488
CHANGES
View File

@@ -7,6 +7,470 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.1j and 1.1.1k [25 Mar 2021]
*) Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks
of the certificates present in a certificate chain. It is not set by
default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.
In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
(CVE-2021-3450)
[Tomáš Mráz]
*) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client. If a TLSv1.2
renegotiation ClientHello omits the signature_algorithms extension (where
it was present in the initial ClientHello), but includes a
signature_algorithms_cert extension then a NULL pointer dereference will
result, leading to a crash and a denial of service attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled
(which is the default configuration). OpenSSL TLS clients are not impacted
by this issue.
(CVE-2021-3449)
[Peter Kästle and Samuel Sapalski]
Changes between 1.1.1i and 1.1.1j [16 Feb 2021]
*) Fixed the X509_issuer_and_serial_hash() function. It attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to correctly
handle any errors that may occur while parsing the issuer field (which might
occur if the issuer field is maliciously constructed). This may subsequently
result in a NULL pointer deref and a crash leading to a potential denial of
service attack.
(CVE-2021-23841)
[Matt Caswell]
*) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
padding mode to correctly check for rollback attacks. This is considered a
bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is
CVE-2021-23839.
[Matt Caswell]
*) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate
functions. Previously they could overflow the output length argument in some
cases where the input length is close to the maximum permissable length for
an integer on the platform. In such cases the return value from the function
call would be 1 (indicating success), but the output length value would be
negative. This could cause applications to behave incorrectly or crash.
(CVE-2021-23840)
[Matt Caswell]
*) Fixed SRP_Calc_client_key so that it runs in constant time. The previous
implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This
could be exploited in a side channel attack to recover the password. Since
the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.
[Matt Caswell]
Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
*) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
If an attacker can control both items being compared then this could lead
to a possible denial of service attack. OpenSSL itself uses the
GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a
CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the
timestamp authority name (exposed via the API functions
TS_RESP_verify_response and TS_RESP_verify_token)
(CVE-2020-1971)
[Matt Caswell]
*) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
[Stuart Carnie]
*) The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
[Matt Caswell]
*) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path. This check is restored in 1.1.1i.
[David von Oheimb]
Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
*) Certificates with explicit curve parameters are now disallowed in
verification chains if the X509_V_FLAG_X509_STRICT flag is used.
[Tomas Mraz]
*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
TLS-based contexts. The commands can be repeated to set bounds of both
types. The same applies with the corresponding "min_protocol" and
"max_protocol" command-line switches, in case some application uses both TLS
and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
[Viktor Dukhovni]
*) Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
[Tomas Mraz]
*) Accidentally, an expired trusted (root) certificate is not anymore rejected
when validating a certificate path.
[David von Oheimb]
*) The Oracle Developer Studio compiler will start reporting deprecated APIs
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]
*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]
Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
regressions in applications depending on the current way of reporting
the EOF. As the existing method is not fully accurate the change to
reporting the EOF via SSL_ERROR_SSL is kept on the current development
branch and will be present in the 3.0 release.
[Tomas Mraz]
*) Revised BN_generate_prime_ex to not avoid factors 3..17863 in p-1
when primes for RSA keys are computed.
Since we previously always generated primes == 2 (mod 3) for RSA keys,
the 2-prime and 3-prime RSA modules were easy to distinguish, since
N = p*q = 1 (mod 3), but N = p*q*r = 2 (mod 3). Therefore fingerprinting
2-prime vs. 3-prime RSA keys was possible by computing N mod 3.
This avoids possible fingerprinting of newly generated RSA modules.
[Bernd Edlinger]
Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]
*) Check that ed25519 and ed448 are allowed by the security level. Previously
signature algorithms not using an MD were not being checked that they were
allowed by the security level.
[Kurt Roeckx]
*) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
was not quite right. The behaviour was not consistent between resumption
and normal handshakes, and also not quite consistent with historical
behaviour. The behaviour in various scenarios has been clarified and
it has been updated to make it match historical behaviour as closely as
possible.
[Matt Caswell]
*) [VMS only] The header files that the VMS compilers include automatically,
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
the C++ compiler doesn't understand. This is a shortcoming in the
compiler, but can be worked around with __cplusplus guards.
C++ applications that use OpenSSL libraries must be compiled using the
qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
functions. Otherwise, only functions with symbols of less than 31
characters can be used, as the linker will not be able to successfully
resolve symbols with longer names.
[Richard Levitte]
*) Corrected the documentation of the return values from the EVP_DigestSign*
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
was removed.
Code that followed the documentation and thereby check with something
like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
[Richard Levitte]
*) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
(CVE-2019-1551)
[Andy Polyakov]
*) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
The presence of this system service is determined at run-time.
[Richard Levitte]
*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
checksum programs. This aims to preserve backward compatibility.
[Matt Eaton, Richard Levitte, and Paul Dale]
*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
[Jon Spillett]
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
number generator (RNG). This was intended to include protection in the
event of a fork() system call in order to ensure that the parent and child
processes did not share the same RNG state. However this protection was not
being used in the default case.
A partial mitigation for this issue is that the output from a high
precision timer is mixed into the RNG state so the likelihood of a parent
and child process sharing state is significantly reduced.
If an application already calls OPENSSL_init_crypto() explicitly using
OPENSSL_INIT_ATFORK then this problem does not occur at all.
(CVE-2019-1549)
[Matthias St. Pierre]
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters, when loading a serialized key
or calling `EC_GROUP_new_from_ecpkparameters()`/
`EC_GROUP_new_from_ecparameters()`.
This prevents bypass of security hardening and performance gains,
especially for curves with specialized EC_METHODs.
By default, if a key encoded with explicit parameters is loaded and later
serialized, the output is still encoded with explicit parameters, even if
internally a "named" EC_GROUP is used for computation.
[Nicola Tuveri]
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
this change, EC_GROUP_set_generator would accept order and/or cofactor as
NULL. After this change, only the cofactor parameter can be NULL. It also
does some minimal sanity checks on the passed order.
(CVE-2019-1547)
[Billy Bob Brumley]
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
An attack is simple, if the first CMS_recipientInfo is valid but the
second CMS_recipientInfo is chosen ciphertext. If the second
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
encryption key will be replaced by garbage, and the message cannot be
decoded, but if the RSA decryption fails, the correct encryption key is
used and the recipient will not notice the attack.
As a work around for this potential attack the length of the decrypted
key must be equal to the cipher default key length, in case the
certifiate is not given and all recipientInfo are tried out.
The old behaviour can be re-enabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag.
(CVE-2019-1563)
[Bernd Edlinger]
*) Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems. The RAND subsystem will wait for
/dev/random to be producing output before seeding from /dev/urandom.
The seeded state is stored for future library initialisations using
a system global shared memory segment. The shared memory identifier
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
the desired value. The default identifier is 114.
[Paul Dale]
*) Correct the extended master secret constant on EBCDIC systems. Without this
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
negotiate EMS will fail. Unfortunately this also means that TLS connections
between EBCDIC systems with this fix, and EBCDIC systems without this
fix will fail if they negotiate EMS.
[Matt Caswell]
*) Use Windows installation paths in the mingw builds
Mingw isn't a POSIX environment per se, which means that Windows
paths should be used for installation.
(CVE-2019-1552)
[Richard Levitte]
*) Changed DH_check to accept parameters with order q and 2q subgroups.
With order 2q subgroups the bit 0 of the private key is not secret
but DH_generate_key works around that by clearing bit 0 of the
private key for those. This avoids leaking bit 0 of the private key.
[Bernd Edlinger]
*) Significantly reduce secure memory usage by the randomness pools.
[Paul Dale]
*) Revert the DEVRANDOM_WAIT feature for Linux systems
The DEVRANDOM_WAIT feature added a select() call to wait for the
/dev/random device to become readable before reading from the
/dev/urandom device.
It turned out that this change had negative side effects on
performance which were not acceptable. After some discussion it
was decided to revert this feature and leave it up to the OS
resp. the platform maintainer to ensure a proper initialization
during early boot time.
[Matthias St. Pierre]
Changes between 1.1.1b and 1.1.1c [28 May 2019]
*) Add build tests for C++. These are generated files that only do one
thing, to include one public OpenSSL head file each. This tests that
the public header files can be usefully included in a C++ application.
This test isn't enabled by default. It can be enabled with the option
'enable-buildtest-c++'.
[Richard Levitte]
*) Enable SHA3 pre-hashing for ECDSA and DSA.
[Patrick Steuer]
*) Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
This changes the size when using the genpkey app when no size is given. It
fixes an omission in earlier changes that changed all RSA, DSA and DH
generation apps to use 2048 bits by default.
[Kurt Roeckx]
*) Reorganize the manual pages to consistently have RETURN VALUES,
EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
util/fix-doc-nits accordingly.
[Paul Yang, Joshua Lock]
*) Add the missing accessor EVP_PKEY_get0_engine()
[Matt Caswell]
*) Have apps like 's_client' and 's_server' output the signature scheme
along with other cipher suite parameters when debugging.
[Lorinczy Zsigmond]
*) Make OPENSSL_config() error agnostic again.
[Richard Levitte]
*) Do the error handling in RSA decryption constant time.
[Bernd Edlinger]
*) Prevent over long nonces in ChaCha20-Poly1305.
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
for every encryption operation. RFC 7539 specifies that the nonce value
(IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
and front pads the nonce with 0 bytes if it is less than 12
bytes. However it also incorrectly allows a nonce to be set of up to 16
bytes. In this case only the last 12 bytes are significant and any
additional leading bytes are ignored.
It is a requirement of using this cipher that nonce values are
unique. Messages encrypted using a reused nonce value are susceptible to
serious confidentiality and integrity attacks. If an application changes
the default nonce length to be longer than 12 bytes and then makes a
change to the leading bytes of the nonce expecting the new value to be a
new unique nonce then such an application could inadvertently encrypt
messages with a reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected. Any OpenSSL internal use of this cipher, including in SSL/TLS,
is safe because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
This issue was reported to OpenSSL on 16th of March 2019 by Joran Dirk
Greef of Ronomon.
(CVE-2019-1543)
[Matt Caswell]
*) Add DEVRANDOM_WAIT feature for Linux systems
On older Linux systems where the getrandom() system call is not available,
OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
Contrary to getrandom(), the /dev/urandom device will not block during
early boot when the kernel CSPRNG has not been seeded yet.
To mitigate this known weakness, use select() to wait for /dev/random to
become readable before reading from /dev/urandom.
*) Ensure that SM2 only uses SM3 as digest algorithm
[Paul Yang]
Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
*) Added SCA hardening for modular field inversion in EC_GROUP through
a new dedicated field_inv() pointer in EC_METHOD.
This also addresses a leakage affecting conversions from projective
to affine coordinates.
[Billy Bob Brumley, Nicola Tuveri]
*) Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
confused by this and assume that a TLSv1.2 renegotiation has started. This
can break KeyUpdate handling. Instead we no longer signal the start and end
of a post handshake message exchange (although the messages themselves are
still signalled). This could break some applications that were expecting
the old signals. However without this KeyUpdate is not usable for many
applications.
[Matt Caswell]
*) Fix a bug in the computation of the endpoint-pair shared secret used
by DTLS over SCTP. This breaks interoperability with older versions
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
interoperability with such broken implementations. However, enabling
this switch breaks interoperability with correct implementations.
*) Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
re-used X509_PUBKEY object if the second PUBKEY is malformed.
[Bernd Edlinger]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
*) Remove the 'dist' target and add a tarball building script. The
'dist' target has fallen out of use, and it shouldn't be
necessary to configure just to create a source distribution.
[Richard Levitte]
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
*) Timing vulnerability in DSA signature generation
@@ -213,7 +677,7 @@
SSL_set_ciphersuites()
[Matt Caswell]
*) Memory allocation failures consistenly add an error to the error
*) Memory allocation failures consistently add an error to the error
stack.
[Rich Salz]
@@ -419,9 +883,9 @@
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
prohibts this altogether and other libraries (BoringSSL, NSS) do not
prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
record layer, and its removal is unlikely to cause inter-operability
record layer, and its removal is unlikely to cause interoperability
issues.
[Matt Caswell]
@@ -3438,7 +3902,7 @@
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
*) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
@@ -6751,7 +7215,7 @@
reason texts, thereby removing some of the footprint that may not
be interesting if those errors aren't displayed anyway.
NOTE: it's still possible for any application or module to have it's
NOTE: it's still possible for any application or module to have its
own set of error texts inserted. The routines are there, just not
used by default when no-err is given.
[Richard Levitte]
@@ -8159,7 +8623,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
parsed, outputed or printed in text form. Not complete yet:
parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]
@@ -8717,7 +9181,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from it's contents. This is done with a counter that will
memory from its contents. This is done with a counter that will
place alternating values in each byte. This can be used to solve
two issues: 1) the removal of calls to memset() by highly optimizing
compilers, and 2) cleansing with other values than 0, since those can
@@ -9154,7 +9618,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Andy Polyakov]
*) Modified SSL library such that the verify_callback that has been set
specificly for an SSL object with SSL_set_verify() is actually being
specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
@@ -10271,10 +10735,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
as other interfaces in OpenSSL, like the BIO interface.
NCONF_dump_* dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
arguments as the old CONF_* functions wth the exception of the
arguments as the old CONF_* functions with the exception of the
first that must be a `CONF *' instead of a `LHASH *'.
To make it easer to use the new classes with the old CONF_* functions,
To make it easier to use the new classes with the old CONF_* functions,
the function CONF_set_default_method is provided.
[Richard Levitte]
@@ -12117,7 +12581,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
translating function codes into names. The old 'ASN1 error code imbedded
translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
@@ -12418,7 +12882,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
Configure script everytime: One now can use ``perl Configure
Configure script every time: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value

8
CONTRIBUTING
View File

@@ -41,8 +41,8 @@ guidelines:
https://www.openssl.org/policies/codingstyle.html) and compile
without warnings. Where gcc or clang is available you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features. Clean builds
via Travis and AppVeyor are required, and they are started automatically
platforms: try to ensure you only use portable features. Clean builds via
GitHub Actions and AppVeyor are required, and they are started automatically
whenever a PR is created or updated.
5. When at all possible, patches should include tests. These can
@@ -57,8 +57,8 @@ guidelines:
7. For user visible changes (API changes, behaviour changes, ...),
consider adding a note in CHANGES. This could be a summarising
description of the change, and could explain the grander details.
Have a look through existing entries for inspiration.
Please note that this is NOT simply a copy of git-log oneliners.
Have a look through existing entries for inspiration.
Please note that this is NOT simply a copy of git-log one-liners.
Also note that security fixes get an entry in CHANGES.
This file helps users get more in depth information of what comes
with a specific release without having to sift through the higher

6
Configurations/00-base-templates.conf
View File

@@ -198,7 +198,7 @@ my %targets=(
bn_asm_src => "bn-586.s co-586.s x86-mont.s x86-gf2m.s",
ec_asm_src => "ecp_nistz256.c ecp_nistz256-x86.s",
des_asm_src => "des-586.s crypt586.s",
aes_asm_src => "aes-586.s vpaes-x86.s aesni-x86.s",
aes_asm_src => "aes_core.c aes_cbc.c vpaes-x86.s aesni-x86.s",
bf_asm_src => "bf-586.s",
md5_asm_src => "md5-586.s",
cast_asm_src => "cast-586.s",
@@ -223,7 +223,7 @@ my %targets=(
cpuid_asm_src => "x86_64cpuid.s",
bn_asm_src => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s",
ec_asm_src => "ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s",
aes_asm_src => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
aes_asm_src => "aes_core.c aes_cbc.c vpaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
md5_asm_src => "md5-x86_64.s",
sha1_asm_src => "sha1-x86_64.s sha256-x86_64.s sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",
rc4_asm_src => "rc4-x86_64.s rc4-md5-x86_64.s",
@@ -306,7 +306,7 @@ my %targets=(
sha1_asm_src => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S",
modes_asm_src => "ghash-armv4.S ghashv8-armx.S",
chacha_asm_src => "chacha-armv4.S",
poly1305_asm_src=> "poly1305-armv4.S",
poly1305_asm_src=> "poly1305-armv4.S",
keccak1600_asm_src => "keccak1600-armv4.S",
perlasm_scheme => "void"
},

49
Configurations/10-main.conf
View File

@@ -263,7 +263,7 @@ my %targets = (
# primarily because vendor assembler can't assemble our modules
# with -KPIC flag. As result it, assembly support, was not even
# available as option. But its lack means lack of side-channel
# resistant code, which is incompatible with security by todays
# resistant code, which is incompatible with security by today's
# standards. Fortunately gcc is readily available prepackaged
# option, which we can firmly point at...
#
@@ -360,7 +360,7 @@ my %targets = (
inherit_from => [ "BASE_unix" ],
template => 1,
cppflags => threads("-D_SGI_MP_SOURCE"),
lib_cppflags => "-DB_ENDIAN -DBN_DIV3W",
lib_cppflags => "-DB_ENDIAN",
ex_libs => add(threads("-lpthread")),
thread_scheme => "pthreads",
dso_scheme => "dlfcn",
@@ -434,7 +434,7 @@ my %targets = (
# 32-bit message digests. (For the moment of this writing) HP C
# doesn't seem to "digest" too many local variables (they make "him"
# chew forever:-). For more details look-up MD32_XARRAY comment in
# crypto/sha/sha_lcl.h.
# crypto/sha/sha_local.h.
# - originally there were 32-bit hpux-parisc2-* targets. They were
# scrapped, because a) they were not interchangeable with other 32-bit
# targets; b) performance-critical 32-bit assembly modules implement
@@ -651,7 +651,7 @@ my %targets = (
dso_scheme => "dlfcn",
shared_target => "linux-shared",
shared_cflag => "-fPIC",
shared_ldflag => "-Wl,-znodelete",
shared_ldflag => sub { $disabled{pinshared} ? () : "-Wl,-znodelete" },
shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
enable => [ "afalgeng" ],
},
@@ -663,6 +663,7 @@ my %targets = (
"linux-ppc" => {
inherit_from => [ "linux-generic32", asm("ppc32_asm") ],
perlasm_scheme => "linux32",
lib_cppflags => add("-DB_ENDIAN"),
},
"linux-ppc64" => {
inherit_from => [ "linux-generic64", asm("ppc64_asm") ],
@@ -733,7 +734,6 @@ my %targets = (
inherit_from => [ "linux-generic32", asm("mips32_asm") ],
cflags => add("-mabi=32"),
cxxflags => add("-mabi=32"),
lib_cppflags => add("-DBN_DIV3W"),
perlasm_scheme => "o32",
},
# mips32 and mips64 below refer to contemporary MIPS Architecture
@@ -742,8 +742,7 @@ my %targets = (
inherit_from => [ "linux-generic32", asm("mips64_asm") ],
cflags => add("-mabi=n32"),
cxxflags => add("-mabi=n32"),
lib_cppflags => add("-DBN_DIV3W"),
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
bn_ops => "RC4_CHAR",
perlasm_scheme => "n32",
multilib => "32",
},
@@ -751,7 +750,6 @@ my %targets = (
inherit_from => [ "linux-generic64", asm("mips64_asm") ],
cflags => add("-mabi=64"),
cxxflags => add("-mabi=64"),
lib_cppflags => add("-DBN_DIV3W"),
perlasm_scheme => "64",
multilib => "64",
},
@@ -1114,8 +1112,8 @@ my %targets = (
thread_scheme => "pthreads",
dso_scheme => "dlfcn",
shared_target => "self",
module_ldflags => "-Wl,-G,-bsymbolic,-bexpall",
shared_ldflag => "-Wl,-G,-bsymbolic",
module_ldflags => "-Wl,-G,-bsymbolic,-bnoentry",
shared_ldflag => "-Wl,-G,-bsymbolic,-bnoentry",
shared_defflag => "-Wl,-bE:",
shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
dso_extension => ".so",
@@ -1128,7 +1126,7 @@ my %targets = (
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => add(threads("-pthread")),
ex_libs => threads("-pthread"),
ex_libs => add(threads("-pthread")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_ldflag => add_before("-shared -static-libgcc"),
@@ -1141,7 +1139,7 @@ my %targets = (
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-maix64", threads("-pthread")),
ex_libs => threads("-pthread"),
ex_libs => add(threads("-pthread")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
shared_ldflag => add_before("-shared -static-libgcc"),
@@ -1157,7 +1155,7 @@ my %targets = (
cflags => combine("-q32 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
ex_libs => threads("-lpthreads"),
ex_libs => add(threads("-lpthreads")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_cflag => "-qpic",
@@ -1172,7 +1170,7 @@ my %targets = (
cflags => combine("-q64 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
ex_libs => threads("-lpthreads"),
ex_libs => add(threads("-lpthreads")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
dso_scheme => "dlfcn",
@@ -1316,7 +1314,6 @@ my %targets = (
"VC-WIN32" => {
inherit_from => [ "VC-noCE-common", asm("x86_asm"),
sub { $disabled{shared} ? () : "uplink_common" } ],
CFLAGS => add("/WX"),
AS => sub { vc_win32_info()->{AS} },
ASFLAGS => sub { vc_win32_info()->{ASFLAGS} },
asoutflag => sub { vc_win32_info()->{asoutflag} },
@@ -1369,9 +1366,9 @@ my %targets = (
}
push @ex_libs, '$(PORTSDK_LIBPATH)/portlib.lib'
if (defined(env('PORTSDK_LIBPATH')));
push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib'
if (env('TARGETCPU') eq "X86");
return @ex_libs;
push @ex_libs, '/nodefaultlib coredll.lib corelibc.lib'
if (env('TARGETCPU') =~ /^X86|^ARMV4[IT]/);
return join(" ", @ex_libs);
}),
},
@@ -1400,6 +1397,10 @@ my %targets = (
shared_extension => ".dll",
multilib => "",
apps_aux_src => add("win32_init.c"),
# "WOW" stands for "Windows on Windows", and that word engages
# some installation path heuristics in unix-Makefile.tmpl...
build_scheme => add("WOW", { separator => undef }),
},
"mingw64" => {
# As for OPENSSL_USE_APPLINK. Applink makes it possible to use
@@ -1557,6 +1558,14 @@ my %targets = (
bn_ops => "SIXTY_FOUR_BIT_LONG",
perlasm_scheme => "macosx",
},
"darwin64-arm64-cc" => {
inherit_from => [ "darwin-common", asm("aarch64_asm") ],
CFLAGS => add("-Wall"),
cflags => add("-arch arm64"),
lib_cppflags => add("-DL_ENDIAN"),
bn_ops => "SIXTY_FOUR_BIT_LONG",
perlasm_scheme => "ios64",
},
##### GNU Hurd
"hurd-x86" => {
@@ -1747,6 +1756,8 @@ my %targets = (
asflags => sub { vms_info()->{asflags} },
perlasm_scheme => sub { vms_info()->{perlasm_scheme} },
disable => add('pinshared'),
apps_aux_src => "vms_term_sock.c",
apps_init_src => "vms_decc_init.c",
},
@@ -1782,7 +1793,7 @@ my %targets = (
},
"vms-ia64" => {
inherit_from => [ "vms-generic",
sub { vms_info()->{as}
sub { vms_info()->{AS}
? asm("ia64_asm")->() : () } ],
bn_ops => "SIXTY_FOUR_BIT RC4_INT",
pointer_size => "",

22
Configurations/15-android.conf
View File

@@ -22,13 +22,19 @@
return $android_ndk = { bn_ops => "BN_AUTO" };
}
my $ndk = $ENV{ANDROID_NDK};
die "\$ANDROID_NDK is not defined" if (!$ndk);
my $ndk_var;
my $ndk;
foreach (qw(ANDROID_NDK_HOME ANDROID_NDK)) {
$ndk_var = $_;
$ndk = $ENV{$ndk_var};
last if defined $ndk;
}
die "\$ANDROID_NDK_HOME is not defined" if (!$ndk);
if (!-d "$ndk/platforms" && !-f "$ndk/AndroidVersion.txt") {
# $ndk/platforms is traditional "all-inclusive" NDK, while
# $ndk/AndroidVersion.txt is so-called standalone toolchain
# tailored for specific target down to API level.
die "\$ANDROID_NDK=$ndk is invalid";
die "\$ANDROID_NDK_HOME=$ndk is invalid";
}
$ndk = canonpath($ndk);
@@ -90,7 +96,7 @@
(my $tridefault = $triarch) =~ s/^arm-/$arm-/;
(my $tritools = $triarch) =~ s/(?:x|i6)86(_64)?-.*/x86$1/;
$cflags .= " -target $tridefault "
. "-gcc-toolchain \$(ANDROID_NDK)/toolchains"
. "-gcc-toolchain \$($ndk_var)/toolchains"
. "/$tritools-4.9/prebuilt/$host";
$user{CC} = "clang" if ($user{CC} !~ m|clang|);
$user{CROSS_COMPILE} = undef;
@@ -127,13 +133,13 @@
die "no $incroot/$triarch" if (!-d "$incroot/$triarch");
$incroot =~ s|^$ndk/||;
$cppflags = "-D__ANDROID_API__=$api";
$cppflags .= " -isystem \$(ANDROID_NDK)/$incroot/$triarch";
$cppflags .= " -isystem \$(ANDROID_NDK)/$incroot";
$cppflags .= " -isystem \$($ndk_var)/$incroot/$triarch";
$cppflags .= " -isystem \$($ndk_var)/$incroot";
}
$sysroot =~ s|^$ndk/||;
$android_ndk = {
cflags => "$cflags --sysroot=\$(ANDROID_NDK)/$sysroot",
cflags => "$cflags --sysroot=\$($ndk_var)/$sysroot",
cppflags => $cppflags,
bn_ops => $arch =~ m/64$/ ? "SIXTY_FOUR_BIT_LONG"
: "BN_LLONG",
@@ -235,7 +241,7 @@ my %targets = (
},
####################################################################
# Backward compatible targets, (might) requre $CROSS_SYSROOT
# Backward compatible targets, (might) require $CROSS_SYSROOT
#
"android-armeabi" => {
inherit_from => [ "android-arm" ],

2
Configurations/15-ios.conf
View File

@@ -1,6 +1,6 @@
#### iPhoneOS/iOS
#
# It takes recent enough XCode to use following two targets. It shouldn't
# It takes recent enough Xcode to use following two targets. It shouldn't
# be a problem by now, but if they don't work, original targets below
# that depend on manual definition of environment variables should still
# work...

4
Configurations/50-win-onecore.conf
View File

@@ -1,10 +1,10 @@
# Windows OneCore targets.
#
# OneCore is new API stability "contract" that transends Desktop, IoT and
# OneCore is new API stability "contract" that transcends Desktop, IoT and
# Mobile[?] Windows editions. It's a set up "umbrella" libraries that
# export subset of Win32 API that are common to all Windows 10 devices.
#
# OneCore Configuration temporarly dedicated for console applications
# OneCore Configuration temporarily dedicated for console applications
# due to disabled event logging, which is incompatible with one core.
# Error messages are provided via standard error only.
# TODO: extend error handling to use ETW based eventing

4
Configurations/README
View File

@@ -118,7 +118,7 @@ In each table entry, the following keys are significant:
'<unistd.h>'. This is very rarely needed.
shared_extension => File name extension used for shared
libraries.
libraries.
obj_extension => File name extension used for object files.
On unix, this defaults to ".o" (NOTE: this
is here for future use, it's not
@@ -518,7 +518,7 @@ clash with those generated by Configure, it's possible to tell it
not to generate them with the use of OVERRIDES, for example:
SOURCE[libfoo]=foo.c bar.c
OVERRIDES=bar.o
BEGINRAW[Makefile(unix)]
bar.o: bar.c

8
Configurations/README.design
View File

@@ -86,7 +86,7 @@ depends on the library 'libssl' to function properly.
LIBS=../libcrypto
SOURCE[../libcrypto]=aes.c evp.c cversion.c
DEPEND[cversion.o]=buildinf.h
GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
DEPEND[buildinf.h]=../Makefile
DEPEND[../util/mkbuildinf.pl]=../util/Foo.pm
@@ -101,7 +101,7 @@ show that duplicate information isn't an issue.
This build.info file informs us that 'libcrypto' is built from a few
source files, 'crypto/aes.c', 'crypto/evp.c' and 'crypto/cversion.c'.
It also shows us that building the object file inferred from
'crypto/cversion.c' depends on 'crypto/buildinf.h'. Finally, it
'crypto/cversion.c' depends on 'crypto/buildinf.h'. Finally, it
also shows the possibility to declare how some files are generated
using some script, in this case a perl script, and how such scripts
can be declared to depend on other files, in this case a perl module.
@@ -152,7 +152,7 @@ information comes down to this:
SOURCE[libssl]=ssl/tls.c
INCLUDE[libssl]=include
DEPEND[libssl]=libcrypto
PROGRAMS=apps/openssl
SOURCE[apps/openssl]=apps/openssl.c
INCLUDE[apps/openssl]=. include
@@ -167,7 +167,7 @@ information comes down to this:
SOURCE[engines/ossltest]=engines/e_ossltest.c
DEPEND[engines/ossltest]=libcrypto.a
INCLUDE[engines/ossltest]=include
GENERATE[crypto/buildinf.h]=util/mkbuildinf.pl "$(CC) $(CFLAGS)" "$(PLATFORM)"
DEPEND[crypto/buildinf.h]=Makefile
DEPEND[util/mkbuildinf.pl]=util/Foo.pm

2
Configurations/common0.tmpl
View File

@@ -22,7 +22,7 @@
our @generated =
sort ( ( grep { defined $unified_info{generate}->{$_} }
sort keys %generatables ),
# Scripts are assumed to be generated, so add thhem too
# Scripts are assumed to be generated, so add them too
( grep { defined $unified_info{sources}->{$_} }
@{$unified_info{scripts}} ) );

96
Configurations/descrip.mms.tmpl
View File

@@ -343,6 +343,7 @@ CPPFLAGS_Q={- (my $c = $lib_cppflags.$cppflags2.$cppflags1) =~ s|"|""|g;
#
# #include <openssl/foo.h>
# #include "internal/bar.h"
# #include "crypto/something.h"
#
# will use the logical names to find the files. Expecting
# DECompHP C to find files in subdirectories of whatever was
@@ -351,11 +352,13 @@ NODEBUG=@
.FIRST :
$(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
$(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) internal_inc1 = F$PARSE("[.crypto.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) internal_inc1 = F$PARSE("[.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) internal_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) internal_inc3 = F$PARSE("{- catdir($config{sourcedir},"[.crypto.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) crypto_inc1 = F$PARSE("[.include.crypto]","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) crypto_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.crypto]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
$(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
$(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2','internal_inc3'
$(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2'
$(NODEBUG) DEFINE crypto 'crypto_inc1','crypto_inc2'
$(NODEBUG) staging_dir = "$(DESTDIR)"
$(NODEBUG) staging_instdir = ""
$(NODEBUG) staging_datadir = ""
@@ -374,8 +377,13 @@ NODEBUG=@
$(NODEBUG) !
$(NODEBUG) ! Installation logical names
$(NODEBUG) !
$(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
$(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
$(NODEBUG) ! This also creates a few DCL variables that are used for
$(NODEBUG) ! the "install_msg" target.
$(NODEBUG) !
$(NODEBUG) installroot = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
$(NODEBUG) installtop = installroot + ".]"
$(NODEBUG) dataroot = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;"
$(NODEBUG) datatop = dataroot + ".]"
$(NODEBUG) DEFINE ossl_installroot 'installtop'
$(NODEBUG) DEFINE ossl_dataroot 'datatop'
$(NODEBUG) !
@@ -392,6 +400,7 @@ NODEBUG=@
$(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } @shlibs) || "!" -}
$(NODEBUG) DEASSIGN ossl_dataroot
$(NODEBUG) DEASSIGN ossl_installroot
$(NODEBUG) DEASSIGN crypto
$(NODEBUG) DEASSIGN internal
$(NODEBUG) DEASSIGN openssl
.DEFAULT :
@@ -451,30 +460,19 @@ list-tests :
@ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
@ ! {- output_on() if !$disabled{tests}; "" -}
install : install_sw install_ssldirs install_docs
install : install_sw install_ssldirs install_docs install_msg
@ !
install_msg :
@ WRITE SYS$OUTPUT ""
@ WRITE SYS$OUTPUT "######################################################################"
@ WRITE SYS$OUTPUT ""
@ IF "$(DESTDIR)" .EQS. "" THEN -
PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
WRITE SYS$OUTPUT "" ; -
WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
WRITE SYS$OUTPUT "" )
@{- sourcefile("VMS", "msg_install.com") -} "$(SYSTARTUP)" "{- $osslver -}"
@ IF "$(DESTDIR)" .NES. "" THEN -
PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
WRITE SYS$OUTPUT "" ; -
WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
WRITE SYS$OUTPUT staging_instdir ; -
WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
WRITE SYS$OUTPUT staging_datadir ; -
WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
WRITE SYS$OUTPUT "" ; -
WRITE SYS$OUTPUT "When in its final destination," ; -
WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup{- $osslver -} to set up logical names" ; -
WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils{- $osslver -} to define commands" ; -
WRITE SYS$OUTPUT "" )
@{- sourcefile("VMS", "msg_staging.com") -} -
"''installroot']" "''dataroot']" "$(INSTALLTOP)" "$(OPENSSLDIR)" -
"$(SYSTARTUP)" "{- $osslver -}"
check_install :
spawn/nolog @ossl_installroot:[SYSTEST]openssl_ivp{- $osslver -}.com
@@ -795,10 +793,10 @@ $target : $args{generator}->[0] $deps
$generator \$\@-S
\@ $incs_on
PIPE \$(CPP) $cppflags \$\@-S | -
\$(PERL) -ne "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" > \$\@-i
\$(PERL) -ne "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" > \$\@-i
\@ $incs_off
RENAME \$\@-i \$\@
DELETE \$\@-S
DELETE \$\@-S;
EOF
}
# Otherwise....
@@ -840,19 +838,6 @@ EOF
my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
if ($srcs[0] =~ /\.asm$/) {
my $asflags = { lib => ' $(LIB_ASFLAGS)',
dso => ' $(DSO_ASFLAGS)',
bin => ' $(BIN_ASFLAGS)' } -> {$args{intent}};
return <<"EOF";
$obj.OBJ : $deps
${before}
SET DEFAULT $forward
\$(AS) $asflags \$(ASOUTFLAG)${objd}${objn}.OBJ $srcs
SET DEFAULT $backward
EOF
}
my $cflags;
if ($args{installed}) {
$cflags = { lib => '$(LIB_CFLAGS)',
@@ -866,6 +851,9 @@ EOF
$cflags .= { lib => '$(LIB_CPPFLAGS)',
dso => '$(DSO_CPPFLAGS)',
bin => '$(BIN_CPPFLAGS)' } -> {$args{intent}};
my $asflags = { lib => ' $(LIB_ASFLAGS)',
dso => ' $(DSO_ASFLAGS)',
bin => ' $(BIN_ASFLAGS)' } -> {$args{intent}};
my @incs_cmds = includes({ lib => '$(LIB_INCLUDES)',
dso => '$(DSO_INCLUDES)',
@@ -877,6 +865,34 @@ EOF
} @{$args{incs}});
my $incs_on = join("\n\t\@ ", @{$incs_cmds[0]}) || '!';
my $incs_off = join("\n\t\@ ", @{$incs_cmds[1]}) || '!';
if ($srcs[0] =~ /\.asm$/) {
return <<"EOF";
$obj.OBJ : $deps
${before}
SET DEFAULT $forward
\$(AS) $asflags \$(ASOUTFLAG)${objd}${objn}.OBJ $srcs
SET DEFAULT $backward
${after}
- PURGE $obj.OBJ
EOF
} elsif ($srcs[0] =~ /.S$/) {
return <<"EOF";
$obj.OBJ : $deps
${before}
SET DEFAULT $forward
\@ $incs_on
PIPE \$(CPP) ${cflags} $srcs | -
\$(PERL) -ne "/^#(\\s*line)?\\s*[0-9]+\\s+""/ or print" -
> ${objd}${objn}.asm
\@ $incs_off
SET DEFAULT $backward
${after}
\$(AS) $asflags \$(ASOUTFLAG)$obj.OBJ $obj.asm
- PURGE $obj.OBJ
EOF
}
my $depbuild = $disabled{makedepend} ? ""
: " /MMS=(FILE=${objd}${objn}.D,TARGET=$obj.OBJ)";
@@ -1028,7 +1044,7 @@ EOF
push @lines, "\@ WRITE OPT_FILE \"$x/SHARE\"";
} elsif ($x =~ m|\.OLB$|) {
(my $l = $x) =~ s/\W/_/g;
push @lines,
push @lines,
"\@ IF nomain THEN WRITE OPT_FILE \"$x/LIB\$(INCLUDE_MAIN_$l)\"",
"\@ IF .NOT. nomain THEN WRITE OPT_FILE \"$x/LIB\""
}

12
Configurations/dist.conf
View File

@@ -1,12 +0,0 @@
## -*- mode: perl; -*-
## Build configuration targets for openssl-team members
# This is to support 'make dist'
my %targets = (
"dist" => {
inherit_from => [ 'BASE_unix' ],
CC => "cc",
CFLAGS => "-O",
thread_scheme => "(unknown)",
},
);

348
Configurations/unix-Makefile.tmpl
View File

@@ -14,6 +14,26 @@
our $dsoext = $target{dso_extension} || ".so";
our $makedepprog = $disabled{makedepend} ? undef : $config{makedepprog};
# $mingw_installroot and $mingw_commonroot is relevant for mingw only.
my $build_scheme = $target{build_scheme};
my $install_flavour = $build_scheme->[$#$build_scheme]; # last element
my $mingw_installenv = $install_flavour eq "WOW" ? "ProgramFiles(x86)"
: "ProgramW6432";
my $mingw_commonenv = $install_flavour eq "WOW" ? "CommonProgramFiles(x86)"
: "CommonProgramW6432";
our $mingw_installroot =
defined($ENV{$mingw_installenv}) ? $mingw_installenv : 'ProgramFiles';
our $mingw_commonroot =
defined($ENV{$mingw_commonenv}) ? $mingw_commonenv : 'CommonProgramFiles';
my $mingw_installdflt =
$install_flavour eq "WOW" ? "C:/Program Files (x86)"
: "C:/Program Files";
my $mingw_commondflt = "$mingw_installdflt/Common Files";
# expand variables early
$mingw_installroot = $ENV{$mingw_installroot} // $mingw_installdflt;
$mingw_commonroot = $ENV{$mingw_commonroot} // $mingw_commondflt;
sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
# Shared AIX support is special. We put libcrypto[64].so.ver into
@@ -132,6 +152,7 @@ APPS_OPENSSL={- use File::Spec::Functions;
# Normally it is left empty.
DESTDIR=
{- output_off() if $config{target} =~ /^mingw/; "" -}
# Do not edit these manually. Use Configure with --prefix or --openssldir
# to change this! Short explanation in the top comment in Configure
INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
@@ -175,6 +196,83 @@ ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}
# Convenience variable for those who want to set the rpath in shared
# libraries and applications
LIBRPATH=$(libdir)
{- output_on() if $config{target} =~ /^mingw/;
output_off() if $config{target} !~ /^mingw/;
"" -}
# Do not edit these manually. Use Configure with --prefix or --openssldir
# to change this! Short explanation in the top comment in Configure
INSTALLTOP_dev={- # $prefix is used in the OPENSSLDIR perl snippet
#
use File::Spec::Win32;
my $prefix_default = "$mingw_installroot/OpenSSL";
our $prefix =
File::Spec::Win32->canonpath($config{prefix}
|| $prefix_default);
our ($prefix_dev, $prefix_dir, $prefix_file) =
File::Spec::Win32->splitpath($prefix, 1);
$prefix =~ s|\\|/|g;
$prefix_dir =~ s|\\|/|g;
$prefix_dev -}
INSTALLTOP_dir={- my $x = File::Spec::Win32->canonpath($prefix_dir);
$x =~ s|\\|/|g;
$x -}
OPENSSLDIR_dev={- #
# The logic here is that if no --openssldir was given,
# OPENSSLDIR will get the value "$mingw_commonroot/SSL".
# If --openssldir was given and the value is an absolute
# path, OPENSSLDIR will get its value without change.
# If the value from --openssldir is a relative path,
# OPENSSLDIR will get $prefix with the --openssldir
# value appended as a subdirectory.
#
use File::Spec::Win32;
our $openssldir =
$config{openssldir} ?
(File::Spec::Win32->file_name_is_absolute($config{openssldir}) ?
File::Spec::Win32->canonpath($config{openssldir})
: File::Spec::Win32->catdir($prefix, $config{openssldir}))
: File::Spec::Win32->canonpath("$mingw_commonroot/SSL");
our ($openssldir_dev, $openssldir_dir, $openssldir_file) =
File::Spec::Win32->splitpath($openssldir, 1);
$openssldir =~ s|\\|/|g;
$openssldir_dir =~ s|\\|/|g;
$openssldir_dev -}
OPENSSLDIR_dir={- my $x = File::Spec::Win32->canonpath($openssldir_dir);
$x =~ s|\\|/|g;
$x -}
LIBDIR={- our $libdir = $config{libdir} || "lib";
File::Spec::Win32->file_name_is_absolute($libdir) ? "" : $libdir -}
ENGINESDIR_dev={- use File::Spec::Win32;
our $enginesdir =
File::Spec::Win32->catdir($prefix,$libdir,
"engines-$sover_dirname");
our ($enginesdir_dev, $enginesdir_dir, $enginesdir_file) =
File::Spec::Win32->splitpath($enginesdir, 1);
$enginesdir =~ s|\\|/|g;
$enginesdir_dir =~ s|\\|/|g;
$enginesdir_dev -}
ENGINESDIR_dir={- my $x = File::Spec::Win32->canonpath($enginesdir_dir);
$x =~ s|\\|/|g;
$x -}
# In a Windows environment, $(DESTDIR) is harder to contatenate with other
# directory variables, because both may contain devices. What we do here is
# to adapt INSTALLTOP, OPENSSLDIR and ENGINESDIR depending on if $(DESTDIR)
# has a value or not, to ensure that concatenation will always work further
# down.
ifneq "$(DESTDIR)" ""
INSTALLTOP=$(INSTALLTOP_dir)
OPENSSLDIR=$(OPENSSLDIR_dir)
ENGINESDIR=$(ENGINESDIR_dir)
else
INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)
endif
# $(libdir) is chosen to be compatible with the GNU coding standards
libdir={- File::Spec::Win32->file_name_is_absolute($libdir)
? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
{- output_on() if $config{target} !~ /^mingw/; "" -}
MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
@@ -227,6 +325,7 @@ TARFLAGS= {- $target{TARFLAGS} -}
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
# Relative to $(SRCDIR)
TARFILE= ../$(NAME).tar
##### Project flags ##################################################
@@ -259,8 +358,8 @@ LIB_CPPFLAGS={- our $lib_cppflags =
join(' ', $target{lib_cppflags} || (),
$target{shared_cppflag} || (),
(map { '-D'.$_ }
@{$config{lib_defines}},
@{$config{shared_defines}}),
@{$config{lib_defines} || ()},
@{$config{shared_defines} || ()}),
@{$config{lib_cppflags}},
@{$config{shared_cppflag}});
join(' ', $lib_cppflags,
@@ -284,6 +383,9 @@ LIB_LDFLAGS={- join(' ', $target{shared_ldflag} || (),
LIB_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
DSO_CPPFLAGS={- join(' ', $target{dso_cppflags} || (),
$target{module_cppflags} || (),
(map { '-D'.$_ }
@{$config{dso_defines} || ()},
@{$config{module_defines} || ()}),
@{$config{dso_cppflags}},
@{$config{module_cppflags}},
'$(CNF_CPPFLAGS)', '$(CPPFLAGS)') -}
@@ -304,6 +406,7 @@ DSO_LDFLAGS={- join(' ', $target{dso_ldflags} || (),
'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
DSO_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
BIN_CPPFLAGS={- join(' ', $target{bin_cppflags} || (),
(map { '-D'.$_ } @{$config{bin_defines} || ()}),
@{$config{bin_cppflags}},
'$(CNF_CPPFLAGS)', '$(CPPFLAGS)') -}
BIN_CFLAGS={- join(' ', $target{bin_cflags} || (),
@@ -413,13 +516,13 @@ libclean:
clean: libclean
$(RM) $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
$(RM) $(GENERATED_MANDATORY) $(GENERATED)
-$(RM) `find . -name .git -prune -o -name '*{- $depext -}' -print`
-$(RM) `find . -name .git -prune -o -name '*{- $objext -}' -print`
-$(RM) `find . -name '*{- $depext -}' \! -name '.*' \! -type d -print`
-$(RM) `find . -name '*{- $objext -}' \! -name '.*' \! -type d -print`
$(RM) core
$(RM) tags TAGS doc-nits
$(RM) -r test/test-runs
$(RM) openssl.pc libcrypto.pc libssl.pc
-$(RM) `find . -name .git -prune -o -type l -print`
-$(RM) `find . -type l \! -name '.*' -print`
$(RM) $(TARFILE)
distclean: clean
@@ -444,78 +547,78 @@ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
install_docs: install_man_docs install_html_docs
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r -v $(DESTDIR)$(DOCDIR)
$(RM) -r "$(DESTDIR)$(DOCDIR)"
install_ssldirs:
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/certs"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/private"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)/misc"
@set -e; for x in dummy $(MISC_SCRIPTS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
x1=`echo "$$x" | cut -f1 -d:`; \
x2=`echo "$$x" | cut -f2 -d:`; \
fn=`basename $$x1`; \
$(ECHO) "install $$x1 -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
cp $$x1 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \
$(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
cp $$x1 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
chmod 755 "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new"; \
mv -f "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new" \
"$(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
if [ "$$x1" != "$$x2" ]; then \
ln=`basename "$$x2"`; \
: {- output_off() unless windowsdll(); "" -}; \
$(ECHO) "copy $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
cp $(DESTDIR)$(OPENSSLDIR)/misc/$$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
cp "$(DESTDIR)$(OPENSSLDIR)/misc/$$fn" "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
: {- output_on() unless windowsdll();
output_off() if windowsdll(); "" -}; \
$(ECHO) "link $(DESTDIR)$(OPENSSLDIR)/misc/$$ln -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
ln -sf $$fn $(DESTDIR)$(OPENSSLDIR)/misc/$$ln; \
ln -sf $$fn "$(DESTDIR)$(OPENSSLDIR)/misc/$$ln"; \
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
@$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
@mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
@cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
@chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
@mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
@chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
@mv -f $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist
@cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
@chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
@mv -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf" ]; then \
$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
chmod 644 $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf; \
cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
chmod 644 "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf"; \
fi
install_dev: install_runtime_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing development files"
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/include/openssl"
@ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "install $(SRCDIR)/ms/applink.c -> $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@cp $(SRCDIR)/ms/applink.c $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@cp $(SRCDIR)/ms/applink.c "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
$(ECHO) "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
cp $$i "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
chmod 644 "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
done
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
@set -e; for l in $(INSTALL_LIBS); do \
fn=`basename $$l`; \
$(ECHO) "install $$l -> $(DESTDIR)$(libdir)/$$fn"; \
cp $$l $(DESTDIR)$(libdir)/$$fn.new; \
$(RANLIB) $(DESTDIR)$(libdir)/$$fn.new; \
chmod 644 $(DESTDIR)$(libdir)/$$fn.new; \
mv -f $(DESTDIR)$(libdir)/$$fn.new \
$(DESTDIR)$(libdir)/$$fn; \
cp $$l "$(DESTDIR)$(libdir)/$$fn.new"; \
$(RANLIB) "$(DESTDIR)$(libdir)/$$fn.new"; \
chmod 644 "$(DESTDIR)$(libdir)/$$fn.new"; \
mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
"$(DESTDIR)$(libdir)/$$fn"; \
done
@ : {- output_off() if $disabled{shared}; "" -}
@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -526,61 +629,61 @@ install_dev: install_runtime_libs
: {- output_off(); output_on() unless windowsdll() or sharedaix(); "" -}; \
if [ "$$fn1" != "$$fn2" ]; then \
$(ECHO) "link $(DESTDIR)$(libdir)/$$fn2 -> $(DESTDIR)$(libdir)/$$fn1"; \
ln -sf $$fn1 $(DESTDIR)$(libdir)/$$fn2; \
ln -sf $$fn1 "$(DESTDIR)$(libdir)/$$fn2"; \
fi; \
: {- output_off() unless windowsdll() or sharedaix(); output_on() if windowsdll(); "" -}; \
$(ECHO) "install $$s2 -> $(DESTDIR)$(libdir)/$$fn2"; \
cp $$s2 $(DESTDIR)$(libdir)/$$fn2.new; \
chmod 755 $(DESTDIR)$(libdir)/$$fn2.new; \
mv -f $(DESTDIR)$(libdir)/$$fn2.new \
$(DESTDIR)$(libdir)/$$fn2; \
cp $$s2 "$(DESTDIR)$(libdir)/$$fn2.new"; \
chmod 755 "$(DESTDIR)$(libdir)/$$fn2.new"; \
mv -f "$(DESTDIR)$(libdir)/$$fn2.new" \
"$(DESTDIR)$(libdir)/$$fn2"; \
: {- output_off() if windowsdll(); output_on() if sharedaix(); "" -}; \
a=$(DESTDIR)$(libdir)/$$fn2; \
a="$(DESTDIR)$(libdir)/$$fn2"; \
$(ECHO) "install $$s1 -> $$a"; \
if [ -f $$a ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \
if [ -f "$$a" ]; then ( trap "rm -rf /tmp/ar.$$$$" INT 0; \
mkdir /tmp/ar.$$$$; ( cd /tmp/ar.$$$$; \
cp -f $$a $$a.new; \
for so in `$(AR) t $$a`; do \
$(AR) x $$a $$so; \
chmod u+w $$so; \
strip -X32_64 -e $$so; \
$(AR) r $$a.new $$so; \
cp -f "$$a" "$$a.new"; \
for so in `$(AR) t "$$a"`; do \
$(AR) x "$$a" "$$so"; \
chmod u+w "$$so"; \
strip -X32_64 -e "$$so"; \
$(AR) r "$$a.new" "$$so"; \
done; \
)); fi; \
$(AR) r $$a.new $$s1; \
mv -f $$a.new $$a; \
$(AR) r "$$a.new" "$$s1"; \
mv -f "$$a.new" "$$a"; \
: {- output_off() if sharedaix(); output_on(); "" -}; \
done
@ : {- output_on() if $disabled{shared}; "" -}
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)/pkgconfig
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)/pkgconfig"
@$(ECHO) "install libcrypto.pc -> $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
@cp libcrypto.pc $(DESTDIR)$(libdir)/pkgconfig
@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
@cp libcrypto.pc "$(DESTDIR)$(libdir)/pkgconfig"
@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
@$(ECHO) "install libssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
@cp libssl.pc $(DESTDIR)$(libdir)/pkgconfig
@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
@cp libssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
@$(ECHO) "install openssl.pc -> $(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
@cp openssl.pc $(DESTDIR)$(libdir)/pkgconfig
@chmod 644 $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
@cp openssl.pc "$(DESTDIR)$(libdir)/pkgconfig"
@chmod 644 "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
uninstall_dev: uninstall_runtime_libs
@$(ECHO) "*** Uninstalling development files"
@ : {- output_off() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c
@$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/applink.c"
@ : {- output_on() unless grep { $_ eq "OPENSSL_USE_APPLINK" } (@{$target{defines}}, @{$config{defines}}); "" -}
@set -e; for i in $(SRCDIR)/include/openssl/*.h \
$(BLDDIR)/include/openssl/*.h; do \
fn=`basename $$i`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
$(RM) "$(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
done
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include/openssl
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/include
-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include/openssl"
-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/include"
@set -e; for l in $(INSTALL_LIBS); do \
fn=`basename $$l`; \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn"; \
$(RM) $(DESTDIR)$(libdir)/$$fn; \
$(RM) "$(DESTDIR)$(libdir)/$$fn"; \
done
@ : {- output_off() if $disabled{shared}; "" -}
@set -e; for s in $(INSTALL_SHLIB_INFO); do \
@@ -590,35 +693,35 @@ uninstall_dev: uninstall_runtime_libs
fn2=`basename $$s2`; \
: {- output_off() if windowsdll(); "" -}; \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \
$(RM) $(DESTDIR)$(libdir)/$$fn2; \
$(RM) "$(DESTDIR)$(libdir)/$$fn2"; \
if [ "$$fn1" != "$$fn2" -a -f "$(DESTDIR)$(libdir)/$$fn1" ]; then \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn1"; \
$(RM) $(DESTDIR)$(libdir)/$$fn1; \
$(RM) "$(DESTDIR)$(libdir)/$$fn1"; \
fi; \
: {- output_on() if windowsdll(); "" -}{- output_off() unless windowsdll(); "" -}; \
$(ECHO) "$(RM) $(DESTDIR)$(libdir)/$$fn2"; \
$(RM) $(DESTDIR)$(libdir)/$$fn2; \
$(RM) "$(DESTDIR)$(libdir)/$$fn2"; \
: {- output_on() unless windowsdll(); "" -}; \
done
@ : {- output_on() if $disabled{shared}; "" -}
$(RM) $(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc
$(RM) $(DESTDIR)$(libdir)/pkgconfig/libssl.pc
$(RM) $(DESTDIR)$(libdir)/pkgconfig/openssl.pc
-$(RMDIR) $(DESTDIR)$(libdir)/pkgconfig
-$(RMDIR) $(DESTDIR)$(libdir)
$(RM) "$(DESTDIR)$(libdir)/pkgconfig/libcrypto.pc"
$(RM) "$(DESTDIR)$(libdir)/pkgconfig/libssl.pc"
$(RM) "$(DESTDIR)$(libdir)/pkgconfig/openssl.pc"
-$(RMDIR) "$(DESTDIR)$(libdir)/pkgconfig"
-$(RMDIR) "$(DESTDIR)$(libdir)"
install_engines: install_runtime_libs build_engines
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(ENGINESDIR)/
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)/"
@$(ECHO) "*** Installing engines"
@set -e; for e in dummy $(INSTALL_ENGINES); do \
if [ "$$e" = "dummy" ]; then continue; fi; \
fn=`basename $$e`; \
$(ECHO) "install $$e -> $(DESTDIR)$(ENGINESDIR)/$$fn"; \
cp $$e $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
chmod 755 $(DESTDIR)$(ENGINESDIR)/$$fn.new; \
mv -f $(DESTDIR)$(ENGINESDIR)/$$fn.new \
$(DESTDIR)$(ENGINESDIR)/$$fn; \
cp $$e "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
chmod 755 "$(DESTDIR)$(ENGINESDIR)/$$fn.new"; \
mv -f "$(DESTDIR)$(ENGINESDIR)/$$fn.new" \
"$(DESTDIR)$(ENGINESDIR)/$$fn"; \
done
uninstall_engines:
@@ -630,18 +733,18 @@ uninstall_engines:
continue; \
fi; \
$(ECHO) "$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn"; \
$(RM) $(DESTDIR)$(ENGINESDIR)/$$fn; \
$(RM) "$(DESTDIR)$(ENGINESDIR)/$$fn"; \
done
-$(RMDIR) $(DESTDIR)$(ENGINESDIR)
-$(RMDIR) "$(DESTDIR)$(ENGINESDIR)"
install_runtime: install_programs
install_runtime_libs: build_libs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@ : {- output_off() if windowsdll(); "" -}
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(libdir)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(libdir)"
@ : {- output_on() if windowsdll(); output_off() unless windowsdll(); "" -}
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
@ : {- output_on() unless windowsdll(); "" -}
@$(ECHO) "*** Installing runtime libraries"
@set -e; for s in dummy $(INSTALL_SHLIBS); do \
@@ -649,40 +752,40 @@ install_runtime_libs: build_libs
fn=`basename $$s`; \
: {- output_off() unless windowsdll(); "" -}; \
$(ECHO) "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
chmod 644 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
$(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
cp $$s "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
"$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
: {- output_on() unless windowsdll(); "" -}{- output_off() if windowsdll(); "" -}; \
$(ECHO) "install $$s -> $(DESTDIR)$(libdir)/$$fn"; \
cp $$s $(DESTDIR)$(libdir)/$$fn.new; \
chmod 755 $(DESTDIR)$(libdir)/$$fn.new; \
mv -f $(DESTDIR)$(libdir)/$$fn.new \
$(DESTDIR)$(libdir)/$$fn; \
cp $$s "$(DESTDIR)$(libdir)/$$fn.new"; \
chmod 755 "$(DESTDIR)$(libdir)/$$fn.new"; \
mv -f "$(DESTDIR)$(libdir)/$$fn.new" \
"$(DESTDIR)$(libdir)/$$fn"; \
: {- output_on() if windowsdll(); "" -}; \
done
install_programs: install_runtime_libs build_programs
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
@$(PERL) $(SRCDIR)/util/mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)/bin"
@$(ECHO) "*** Installing runtime programs"
@set -e; for x in dummy $(INSTALL_PROGRAMS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
$(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
"$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
@set -e; for x in dummy $(BIN_SCRIPTS); do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
$(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
cp $$x "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
chmod 755 "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new"; \
mv -f "$(DESTDIR)$(INSTALLTOP)/bin/$$fn.new" \
"$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
uninstall_runtime: uninstall_programs uninstall_runtime_libs
@@ -694,16 +797,16 @@ uninstall_programs:
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done;
@set -e; for x in dummy $(BIN_SCRIPTS); \
do \
if [ "$$x" = "dummy" ]; then continue; fi; \
fn=`basename $$x`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
-$(RMDIR) $(DESTDIR)$(INSTALLTOP)/bin
-$(RMDIR) "$(DESTDIR)$(INSTALLTOP)/bin"
uninstall_runtime_libs:
@$(ECHO) "*** Uninstalling runtime libraries"
@@ -712,7 +815,7 @@ uninstall_runtime_libs:
if [ "$$s" = "dummy" ]; then continue; fi; \
fn=`basename $$s`; \
$(ECHO) "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
$(RM) "$(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
done
@ : {- output_on() unless windowsdll(); "" -}
@@ -721,24 +824,24 @@ install_man_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing manpages"
$(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
uninstall_man_docs:
@$(ECHO) "*** Uninstalling manpages"
$(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) \
"--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) \
--remove
install_html_docs:
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
@$(ECHO) "*** Installing HTML manpages"
$(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
uninstall_html_docs:
@$(ECHO) "*** Uninstalling manpages"
$(PERL) $(SRCDIR)/util/process_docs.pl \
--destdir=$(DESTDIR)$(HTMLDIR) --type=html --remove
"--destdir=$(DESTDIR)$(HTMLDIR)" --type=html --remove
# Developer targets (note: these are only available on Unix) #########
@@ -814,8 +917,8 @@ errors:
done )
ordinals:
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
$(PERL) $(SRCDIR)/util/mkdef.pl crypto update
$(PERL) $(SRCDIR)/util/mkdef.pl ssl update
test_ordinals:
( cd test; \
@@ -830,37 +933,8 @@ tags TAGS: FORCE
# Release targets (note: only available on Unix) #####################
# If your tar command doesn't support --owner and --group, make sure to
# use one that does, for example GNU tar
TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cf -
PREPARE_CMD=:
tar:
set -e; \
TMPDIR=/var/tmp/openssl-copy.$$$$; \
DISTDIR=$(NAME); \
mkdir -p $$TMPDIR/$$DISTDIR; \
(cd $(SRCDIR); \
excl_re=`git submodule status | sed -e 's/^.//' | cut -d' ' -f2`; \
excl_re="^(fuzz/corpora|Configurations/.*\.norelease\.conf|`echo $$excl_re | sed -e 's/ /$$|/g'`\$$)"; \
echo "$$excl_re"; \
git ls-tree -r --name-only --full-tree HEAD \
| egrep -v "$$excl_re" \
| while read F; do \
mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
cp $$F $$TMPDIR/$$DISTDIR/$$F; \
done); \
(cd $$TMPDIR/$$DISTDIR; \
$(PREPARE_CMD); \
find . -type d -print | xargs chmod 755; \
find . -type f -print | xargs chmod a+r; \
find . -type f -perm -0100 -print | xargs chmod a+x); \
(cd $$TMPDIR; $(TAR_COMMAND) $$DISTDIR) \
| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
rm -rf $$TMPDIR
cd $(SRCDIR); ls -l $(TARFILE).gz
dist:
@$(MAKE) PREPARE_CMD='$(PERL) ./Configure dist' TARFILE="$(TARFILE)" NAME="$(NAME)" tar
(cd $(SRCDIR); ./util/mktar.sh --name='$(NAME)' --tarfile='$(TARFILE)')
# Helper targets #####################################################

7
Configurations/windows-makefile.tmpl
View File

@@ -187,6 +187,7 @@ AS={- $config{AS} -}
ASFLAGS={- join(' ', @{$config{ASFLAGS}}) -}
RC={- $config{RC} -}
RCFLAGS={- join(' ', @{$config{RCFLAGS}}) -}
ECHO="$(PERL)" "$(SRCDIR)\util\echo.pl"
@@ -210,8 +211,8 @@ CNF_CPPFLAGS={- our $cppfags2 =
join(' ', $target{cppflags} || (),
(map { '-D'.quotify1($_) } @{$target{defines}},
@{$config{defines}}),
(map { '-I'.quotify1($_) } @{$target{includes}},
@{$config{includes}}),
(map { '-I'.'"'.$_.'"' } @{$target{includes}},
@{$config{includes}}),
@{$config{cppflags}}) -}
CNF_CFLAGS={- join(' ', $target{cflags} || (),
@{$config{cflags}}) -}
@@ -586,7 +587,7 @@ EOF
if ($srcs[0] =~ /\.rc$/) {
return <<"EOF";
$args{obj}: $deps
\$(RC) \$(RCOUTFLAG)\$\@ $srcs
\$(RC) \$(RCFLAGS) \$(RCOUTFLAG)\$\@ $srcs
EOF
}
(my $obj = $args{obj}) =~ s|\.o$||;

1632
Configure
View File

File diff suppressed because it is too large Load Diff

118
INSTALL
View File

@@ -98,16 +98,26 @@
$ nmake test
$ nmake install
Note that in order to perform the install step above you need to have
appropriate permissions to write to the installation directory.
If any of these steps fails, see section Installation in Detail below.
This will build and install OpenSSL in the default location, which is:
Unix: normal installation directories under /usr/local
OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
OpenSSL version number with underscores instead of periods.
OpenVMS: SYS$COMMON:[OPENSSL]
Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
If you want to install it anywhere else, run config like this:
The installation directory should be appropriately protected to ensure
unprivileged users cannot make changes to OpenSSL binaries or files, or install
engines. If you already have a pre-installed version of OpenSSL as part of
your Operating System it is recommended that you do not overwrite the system
version and instead install to somewhere else.
If you want to install it anywhere else, run config like this (the options
--prefix and --openssldir are explained further down, and the values shown
here are mere examples):
On Unix:
@@ -135,7 +145,10 @@
Don't build with support for deprecated APIs below the
specified version number. For example "--api=1.1.0" will
remove support for all APIS that were deprecated in OpenSSL
version 1.1.0 or below.
version 1.1.0 or below. This is a rather specialized option
for developers. If you just intend to remove all deprecated
APIs entirely (up to the current version), it is easier
to add the 'no-deprecated' option instead (see below).
--cross-compile-prefix=PREFIX
The PREFIX to include in front of commands for your
@@ -186,7 +199,7 @@
Unix: /usr/local
Windows: C:\Program Files\OpenSSL
or C:\Program Files (x86)\OpenSSL
OpenVMS: SYS$COMMON:[OPENSSL-'version']
OpenVMS: SYS$COMMON:[OPENSSL]
--release
Build OpenSSL without debugging symbols. This is the default.
@@ -229,7 +242,7 @@
source exists.
getrandom: Use the L<getrandom(2)> or equivalent system
call.
devrandom: Use the the first device from the DEVRANDOM list
devrandom: Use the first device from the DEVRANDOM list
which can be opened to read random bytes. The
DEVRANDOM preprocessor constant expands to
"/dev/urandom","/dev/random","/dev/srandom" on
@@ -287,6 +300,19 @@
Typically OpenSSL will automatically load a system config
file which configures default ssl options.
enable-buildtest-c++
While testing, generate C++ buildtest files that
simply check that the public OpenSSL header files
are usable standalone with C++.
Enabling this option demands extra care. For any
compiler flag given directly as configuration
option, you must ensure that it's valid for both
the C and the C++ compiler. If not, the C++ build
test will most likely break. As an alternative,
you can use the language specific variables, CFLAGS
and CXXFLAGS.
no-capieng
Don't build the CAPI engine. This option will be forced if
on a platform that does not support CAPI.
@@ -329,6 +355,11 @@
no-dso
Don't build support for loading Dynamic Shared Objects.
enable-devcryptoeng
Build the /dev/crypto engine. It is automatically selected
on BSD implementations, in which case it can be disabled with
no-devcryptoeng.
no-dynamic-engine
Don't build the dynamically loaded engines. This only has an
effect in a "shared" build
@@ -402,6 +433,24 @@
no-pic
Don't build with support for Position Independent Code.
no-pinshared By default OpenSSL will attempt to stay in memory until the
process exits. This is so that libcrypto and libssl can be
properly cleaned up automatically via an "atexit()" handler.
The handler is registered by libcrypto and cleans up both
libraries. On some platforms the atexit() handler will run on
unload of libcrypto (if it has been dynamically loaded)
rather than at process exit. This option can be used to stop
OpenSSL from attempting to stay in memory until the process
exits. This could lead to crashes if either libcrypto or
libssl have already been unloaded at the point
that the atexit handler is invoked, e.g. on a platform which
calls atexit() on unload of the library, and libssl is
unloaded before libcrypto then a crash is likely to happen.
Applications can suppress running of the atexit() handler at
run time by using the OPENSSL_INIT_NO_ATEXIT option to
OPENSSL_init_crypto(). See the man page for it for further
details.
no-posix-io
Don't use POSIX IO capabilities.
@@ -487,9 +536,9 @@
conjunction with the "-DPEDANTIC" option (or the
--strict-warnings option).
no-ui
Don't build with the "UI" capability (i.e. the set of
features enabling text based prompts).
no-ui-console
Don't build with the "UI" console method (i.e. the "UI"
method that enables text based console prompts).
enable-unit-test
Enable additional unit test APIs. This should not typically
@@ -560,10 +609,19 @@
Take note of the VAR=value documentation below and how
these flags interact with those variables.
-xxx, +xxx
-xxx, +xxx, /xxx
Additional options that are not otherwise recognised are
passed through as they are to the compiler as well. Again,
consult your compiler documentation.
passed through as they are to the compiler as well.
Unix-style options beginning with a '-' or '+' and
Windows-style options beginning with a '/' are recognized.
Again, consult your compiler documentation.
If the option contains arguments separated by spaces,
then the URL-style notation %20 can be used for the space
character in order to avoid having to quote the option.
For example, -opt%20arg gets expanded to -opt arg.
In fact, any ASCII character can be encoded as %xx using its
hexadecimal encoding.
Take note of the VAR=value documentation below and how
these flags interact with those variables.
@@ -642,6 +700,11 @@
CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- \
./config -DCOOKIE
If CC is set, it is advisable to also set CXX to ensure
both C and C++ compilers are in the same "family". This
becomes relevant with 'enable-external-tests' and
'enable-buildtest-c++'.
reconf
reconfigure
Reconfigure from earlier data. This fetches the previous
@@ -870,8 +933,11 @@
$ mms install ! OpenVMS
$ nmake install # Windows
This will install all the software components in this directory
tree under PREFIX (the directory given with --prefix or its
Note that in order to perform the install step above you need to have
appropriate permissions to write to the installation directory.
The above commands will install all the software components in this
directory tree under PREFIX (the directory given with --prefix or its
default):
Unix:
@@ -896,9 +962,9 @@
share/doc/openssl/html/man7
Contains the HTML rendition of the man-pages.
OpenVMS ('arch' is replaced with the architecture name, "Alpha"
or "ia64", 'sover' is replaced with the shared library version
(0101 for 1.1), and 'pz' is replaced with the pointer size
OpenVMS ('arch' is replaced with the architecture name, "ALPHA"
or "IA64", 'sover' is replaced with the shared library version
(0101 for 1.1.x), and 'pz' is replaced with the pointer size
OpenSSL was built with):
[.EXE.'arch'] Contains the openssl binary.
@@ -927,6 +993,12 @@
for private key files.
misc Various scripts.
The installation directory should be appropriately protected to ensure
unprivileged users cannot make changes to OpenSSL binaries or files, or
install engines. If you already have a pre-installed version of OpenSSL as
part of your Operating System it is recommended that you do not overwrite
the system version and instead install to somewhere else.
Package builders who want to configure the library for standard
locations, but have the package installed somewhere else so that
it can easily be packaged, can use
@@ -941,10 +1013,10 @@
* COMPILING existing applications
OpenSSL 1.1.0 hides a number of structures that were previously
open. This includes all internal libssl structures and a number
of EVP types. Accessor functions have been added to allow
controlled access to the structures' data.
Starting with version 1.1.0, OpenSSL hides a number of structures
that were previously open. This includes all internal libssl
structures and a number of EVP types. Accessor functions have
been added to allow controlled access to the structures' data.
This means that some software needs to be rewritten to adapt to
the new ways of doing things. This often amounts to allocating
@@ -1012,7 +1084,7 @@
HASHBANGPERL
The command string for the Perl executable to insert in the
#! line of perl scripts that will be publically installed.
#! line of perl scripts that will be publicly installed.
Default: /usr/bin/env perl
Note: the value of this variable is added to the same scripts
on all platforms, but it's only relevant on Unix-like platforms.
@@ -1047,7 +1119,7 @@
depend
Rebuild the dependencies in the Makefiles. This is a legacy
option that no longer needs to be used in OpenSSL 1.1.0.
option that no longer needs to be used since OpenSSL 1.1.0.
install
Install all OpenSSL components.

16
LICENSE
View File

@@ -10,14 +10,14 @@
---------------
/* ====================================================================
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -72,21 +72,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -101,10 +101,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -116,7 +116,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence

75
NEWS
View File

@@ -5,6 +5,79 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1j and OpenSSL 1.1.1k [25 Mar 2021]
o Fixed a problem with verifying a certificate chain when using the
X509_V_FLAG_X509_STRICT flag (CVE-2021-3450)
o Fixed an issue where an OpenSSL TLS server may crash if sent a
maliciously crafted renegotiation ClientHello message from a client
(CVE-2021-3449)
Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021]
o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash()
function (CVE-2021-23841)
o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING
padding mode to correctly check for rollback attacks
o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate functions (CVE-2021-23840)
o Fixed SRP_Calc_client_key so that it runs in constant time
Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
o Disallow explicit curve parameters in verifications chains when
X509_V_FLAG_X509_STRICT is used
o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
contexts
o Oracle Developer Studio will start reporting deprecation warnings
Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]
o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli (CVE-2019-1551)
o Properly detect unexpected EOF while reading in libssl and report
it via SSL_ERROR_SSL
Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]
o Fixed a fork protection issue (CVE-2019-1549)
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
(CVE-2019-1563)
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
used even when parsing explicit parameters
o Compute ECC cofactors if not provided during EC_GROUP construction
(CVE-2019-1547)
o Early start up entropy quality from the DEVRANDOM seed source has been
improved for older Linux systems
o Correct the extended master secret constant on EBCDIC systems
o Use Windows installation paths in the mingw builds (CVE-2019-1552)
o Changed DH_check to accept parameters with order q and 2q subgroups
o Significantly reduce secure memory usage by the randomness pools
o Revert the DEVRANDOM_WAIT feature for Linux systems
Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [28 May 2019]
o Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
o Change the info callback signals for the start and end of a post-handshake
message exchange in TLSv1.3.
o Fix a bug in DTLS over SCTP. This breaks interoperability with older versions
of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2.
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
@@ -590,7 +663,7 @@
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
o Give EVP_MAX_MD_SIZE its old value, except for a FIPS build.
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:

55
NOTES.ANDROID
View File

@@ -6,8 +6,8 @@
-------------------
Beside basic tools like perl and make you'll need to download the Android
NDK. It's available for Linux, Mac OS X and Windows, but only Linux
version was actually tested. There is no reason to believe that Mac OS X
NDK. It's available for Linux, macOS and Windows, but only Linux
version was actually tested. There is no reason to believe that macOS
wouldn't work. And as for Windows, it's unclear which "shell" would be
suitable, MSYS2 might have best chances. NDK version should play lesser
role, the goal is to support a range of most recent versions.
@@ -15,30 +15,41 @@
Configuration
-------------
Android is naturally cross-compiled target and you can't use ./config.
Android is a naturally cross-compiled target and you can't use ./config.
You have to use ./Configure and name your target explicitly; there are
android-arm, android-arm64, android-mips, android-mip64, android-x86
and android-x86_64. Do not pass --cross-compile-prefix (as you might
be tempted), as it will be "calculated" automatically based on chosen
platform. Though you still need to know the prefix to extend your PATH,
in order to invoke $(CROSS_COMPILE)gcc and company. (Configure will fail
and give you a hint if you get it wrong.) Apart from PATH adjustment
you need to set ANDROID_NDK environment to point at NDK directory
as /some/where/android-ndk-<ver>. Both variables are significant at both
configuration and compilation times. NDK customarily supports multiple
Android API levels, e.g. android-14, android-21, etc. By default latest
one available is chosen. If you need to target older platform, pass
additional -D__ANDROID_API__=N to Configure. N is numeric value of the
target platform version. For example, to compile for ICS on ARM with
NDK 10d:
and android-x86_64 (*MIPS targets are no longer supported with NDK R20+).
Do not pass --cross-compile-prefix (as you might be tempted), as it will
be "calculated" automatically based on chosen platform. Though you still
need to know the prefix to extend your PATH, in order to invoke
$(CROSS_COMPILE)clang [*gcc on NDK 19 and lower] and company. (Configure
will fail and give you a hint if you get it wrong.) Apart from PATH
adjustment you need to set ANDROID_NDK_HOME environment to point at the
NDK directory. If you're using a side-by-side NDK the path will look
something like /some/where/android-sdk/ndk/<ver>, and for a standalone
NDK the path will be something like /some/where/android-ndk-<ver>.
Both variables are significant at both configuration and compilation times.
The NDK customarily supports multiple Android API levels, e.g. android-14,
android-21, etc. By default latest API level is chosen. If you need to
target an older platform pass the argument -D__ANDROID_API__=N to Configure,
with N being the numerical value of the target platform version. For example,
to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570
export ANDROID_NDK=/some/where/android-ndk-10d
PATH=$ANDROID_NDK/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH
export ANDROID_NDK_HOME=/home/whoever/Android/android-sdk/ndk/20.0.5594570
PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH
./Configure android-arm64 -D__ANDROID_API__=29
make
Older versions of the NDK have GCC under their common prebuilt tools directory, so the bin path
will be slightly different. EG: to compile for ICS on ARM with NDK 10d:
export ANDROID_NDK_HOME=/some/where/android-ndk-10d
PATH=$ANDROID_NDK_HOME/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH
./Configure android-arm -D__ANDROID_API__=14
make
Caveat lector! Earlier OpenSSL versions relied on additional CROSS_SYSROOT
variable set to $ANDROID_NDK/platforms/android-<api>/arch-<arch> to
variable set to $ANDROID_NDK_HOME/platforms/android-<api>/arch-<arch> to
appoint headers-n-libraries' location. It's still recognized in order
to facilitate migration from older projects. However, since API level
appears in CROSS_SYSROOT value, passing -D__ANDROID_API__=N can be in
@@ -53,9 +64,9 @@
Another option is to create so called "standalone toolchain" tailored
for single specific platform including Android API level, and assign its
location to ANDROID_NDK. In such case you have to pass matching target
name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjusment
becomes simpler, $ANDROID_NDK/bin:$PATH suffices.
location to ANDROID_NDK_HOME. In such case you have to pass matching
target name to Configure and shouldn't use -D__ANDROID_API__=N. PATH
adjustment becomes simpler, $ANDROID_NDK_HOME/bin:$PATH suffices.
Running tests (on Linux)
------------------------

4
NOTES.DJGPP
View File

@@ -1,5 +1,5 @@
INSTALLATION ON THE DOS PLATFORM WITH DJGPP
-------------------------------------------
@@ -29,7 +29,7 @@
running "./Configure" with appropriate arguments:
./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
And finally fire up "make". You may run out of DPMI selectors when
running in a DOS box under Windows. If so, just close the BASH
shell, go back to Windows, and restart BASH. Then run "make" again.

4
NOTES.PERL
View File

@@ -78,7 +78,7 @@
---------------------------------
There are a number of ways to install a perl module. In all
descriptions below, Text::Template will server as an example.
descriptions below, Text::Template will serve as an example.
1. for Linux users, the easiest is to install with the use of your
favorite package manager. Usually, all you need to do is search
@@ -109,7 +109,7 @@
$ cpan -f -i Text::Template
Note: on VMS, you must quote any argument that contains upper case
Note: on VMS, you must quote any argument that contains uppercase
characters, so the lines above would be:
$ cpan -i "Text::Template"

16
NOTES.VMS
View File

@@ -18,7 +18,7 @@
An ANSI C compiled is needed among other things. This means that
VAX C is not and will not be supported.
We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
We have only tested with DEC C (aka HP VMS C / VSI C) and require
version 7.1 or later. Compiling with a different ANSI C compiler may
require some work.
@@ -42,7 +42,7 @@
for now is to rename the OpenSSL source directory, as follows (please
adjust for the actual source directory name you have):
$ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR
$ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR
About MMS and DCL
@@ -90,9 +90,9 @@
Unix mount point.
The easiest way to check if everything got through as it should is to
check for one of the following files:
check that this file exists:
[.crypto]opensslconf^.h.in
[.include.openssl]opensslconf^.h.in
The best way to get a correct distribution is to download the gzipped
tar file from ftp://ftp.openssl.org/source/, use GZIP -d to uncompress
@@ -105,3 +105,11 @@
Should you need it, you can find UnZip for VMS here:
http://www.info-zip.org/UnZip.html
How the value of 'arch' is determined
-------------------------------------
'arch' is mentioned in INSTALL. It's value is determined like this:
arch = f$edit( f$getsyi( "arch_name"), "upcase")

29
NOTES.WIN
View File

@@ -12,11 +12,11 @@
and require --cross-compile-prefix option. While on MSYS[2] it's solved
rather by placing gcc that produces "MinGW binary" code 1st on $PATH.
This is customarily source of confusion. "Hosted" applications "live" in
emulated file system name space with POSIX-y root, mount points, /dev
emulated filesystem name space with POSIX-y root, mount points, /dev
and even /proc. Confusion is intensified by the fact that MSYS2 shell
(or rather emulated execve(2) call) examines the binary it's about to
start, and if it's found *not* to be linked with MSYS2 POSIX-y thing,
command line arguments that look like file names get translated from
command line arguments that look like filenames get translated from
emulated name space to "native". For example '/c/some/where' becomes
'c:\some\where', '/dev/null' - 'nul'. This creates an illusion that
there is no difference between MSYS2 shell and "MinGW binary", but
@@ -26,7 +26,7 @@
it's referred to in quotes here, as "MinGW binary", it's just as
"native" as it can get.)
Visual C++ builds, a.k.a. VC-*
Visual C++ builds, aka VC-*
==============================
Requirement details
@@ -47,7 +47,7 @@
the other hand oldest one is known not to work. Everything between
falls into best-effort category.
- Netwide Assembler, a.k.a. NASM, available from https://www.nasm.us,
- Netwide Assembler, aka NASM, available from https://www.nasm.us,
is required. Note that NASM is the only supported assembler. Even
though Microsoft provided assembler is NOT supported, contemporary
64-bit version is exercised through continuous integration of
@@ -62,8 +62,8 @@
For VC-WIN32, the following defaults are use:
PREFIX: %ProgramFiles(86)%\OpenSSL
OPENSSLDIR: %CommonProgramFiles(86)%\SSL
PREFIX: %ProgramFiles(x86)%\OpenSSL
OPENSSLDIR: %CommonProgramFiles(x86)%\SSL
For VC-WIN64, the following defaults are use:
@@ -109,6 +109,21 @@
This naturally implies that you've installed corresponding add-on
packages.
Independently of the method chosen to build for mingw, the installation
paths are similar to those used when building with VC-* targets, except
that in case the fallbacks mentioned there aren't possible (typically
when cross compiling on Linux), the paths will be the following:
For mingw:
PREFIX: C:/Program Files (x86)/OpenSSL
OPENSSLDIR C:/Program Files (x86)/Common Files/SSL
For mingw64:
PREFIX: C:/Program Files/OpenSSL
OPENSSLDIR C:/Program Files/Common Files/SSL
Linking your application
========================
@@ -117,7 +132,7 @@
If you link with static OpenSSL libraries then you're expected to
additionally link your application with WS2_32.LIB, GDI32.LIB,
ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing
non-interactive service applications might feel concerned about
noninteractive service applications might feel concerned about
linking with GDI32.LIB and USER32.LIB, as they are justly associated
with interactive desktop, which is not available to service
processes. The toolkit is designed to detect in which context it's

4
README
View File

@@ -1,7 +1,7 @@
OpenSSL 1.1.1a 20 Nov 2018
OpenSSL 1.1.1k 25 Mar 2021
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1998-2021 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

2
README.md Normal file
View File

@@ -0,0 +1,2 @@
# cpython-source-deps
Source for packages that the cpython build process depends on

66
README.rst
View File

@@ -1,66 +0,0 @@
cpython-source-deps
===================
Source for packages that the CPython build process depends on.
It is currently expected that this will only be useful on Windows,
and in any case you should never need to clone this repository
unless you are updating its contents.
.. contents::
Updating Source Dependencies
----------------------------
The procedure for updating the different source dependencies are similar. Below
is an example for updating SQLite::
1. Fork and clone this repository.
2. Checkout a new branch off the ``sqlite`` branch. Assuming this repo is set
as your ``upstream``::
git checkout -b <branch-name>-sqlite upstream/sqlite
3. Download SQLite source from `sqlite.org <https://www.sqlite.org>`_.
4. Unzip it to the branch checked out in step 2.
5. Commit and push the changes.
6. Create the PR, with ``sqlite`` as the base branch.
Once the PR has been merged, tag the commit as ``sqlite-<full version to be used in CPython's PCbuild/get_externals.bat>``.
For updating ``sqlite``, ``bzip2``, ``xz``, and ``zlib``, follow the above
instructions.
For ``tcl`` and ``tk``, after step 5, `cpython-bin-deps
<https://github.com/python/cpython-bin-deps/>`_
needs to be updated. Note though that ``tcl85`` and ``tk85`` are specific
to 2.7 and don't require anything extra.
For ``openssl``, step 5 will be more complicated :)
Download links
--------------
- ``sqlite``: https://www.sqlite.org/download.html
- ``bzip2``: http://www.bzip.org/downloads.html
- ``xz``: https://tukaani.org/xz/
- ``zlib``: https://zlib.net/
- ``tcl``/``tk``: https://tcl.tk/software/tcltk/download.html
- ``openssl``: https://www.openssl.org/source/
Tagging the commit
------------------
Using the ``sqlite`` branch as an example::
git checkout -b sqlite-tag upstream/sqlite
git tag sqlite-3.21.0.0 # replace 3.21.0.0 with the correct version.
git push --tags upstream

19
VMS/msg_install.com Normal file
View File

@@ -0,0 +1,19 @@
$ ! Used by the main descrip.mms to print the installation complete
$ ! message.
$ ! Arguments:
$ ! P1 startup / setup / shutdown scripts directory
$ ! P2 distinguishing version number ("major version")
$
$ systartup = p1
$ osslver = p2
$
$ WRITE SYS$OUTPUT "Installation complete"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "The following commands need to be executed to enable you to use OpenSSL:"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:"
$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "- to define the OpenSSL command"
$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'"
$ WRITE SYS$OUTPUT ""

37
VMS/msg_staging.com Normal file
View File

@@ -0,0 +1,37 @@
$ ! Used by the main descrip.mms to print the statging installation
$ ! complete
$ ! message.
$ ! Arguments:
$ ! P1 staging software installation directory
$ ! P2 staging data installation directory
$ ! P3 final software installation directory
$ ! P4 final data installation directory
$ ! P5 startup / setup / shutdown scripts directory
$ ! P6 distinguishing version number ("major version")
$
$ staging_instdir = p1
$ staging_datadir = p2
$ final_instdir = p3
$ final_datadir = p4
$ systartup = p5
$ osslver = p6
$
$ WRITE SYS$OUTPUT "Staging installation complete"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the following directory"
$ WRITE SYS$OUTPUT "trees end up being copied:"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "- from ", staging_instdir
$ WRITE SYS$OUTPUT " to ", final_instdir
$ WRITE SYS$OUTPUT "- from ", staging_datadir
$ WRITE SYS$OUTPUT " to ", final_datadir
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "When in its final destination, the following commands need to be executed"
$ WRITE SYS$OUTPUT "to use OpenSSL:"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "- to set up OpenSSL logical names:"
$ WRITE SYS$OUTPUT " @''systartup'openssl_startup''osslver'"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "- to define the OpenSSL command"
$ WRITE SYS$OUTPUT " @''systartup'openssl_utils''osslver'"
$ WRITE SYS$OUTPUT ""

45
apps/apps.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -40,7 +40,6 @@
#endif
#include <openssl/bn.h>
#include <openssl/ssl.h>
#include "s_apps.h"
#include "apps.h"
#ifdef _WIN32
@@ -48,6 +47,14 @@ static int WIN32_rename(const char *from, const char *to);
# define rename(from,to) WIN32_rename((from),(to))
#endif
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
# include <conio.h>
#endif
#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
# define _kbhit kbhit
#endif
typedef struct {
const char *name;
unsigned long flag;
@@ -1561,7 +1568,7 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
#else
BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile);
#endif
dbattr_conf = app_load_config(buf);
dbattr_conf = app_load_config_quiet(buf);
retdb = app_malloc(sizeof(*retdb), "new DB");
retdb->db = tmpdb;
@@ -1955,26 +1962,46 @@ unsigned char *next_protos_parse(size_t *outlen, const char *in)
size_t len;
unsigned char *out;
size_t i, start = 0;
size_t skipped = 0;
len = strlen(in);
if (len >= 65535)
if (len == 0 || len >= 65535)
return NULL;
out = app_malloc(strlen(in) + 1, "NPN buffer");
out = app_malloc(len + 1, "NPN buffer");
for (i = 0; i <= len; ++i) {
if (i == len || in[i] == ',') {
/*
* Zero-length ALPN elements are invalid on the wire, we could be
* strict and reject the entire string, but just ignoring extra
* commas seems harmless and more friendly.
*
* Every comma we skip in this way puts the input buffer another
* byte ahead of the output buffer, so all stores into the output
* buffer need to be decremented by the number commas skipped.
*/
if (i == start) {
++start;
++skipped;
continue;
}
if (i - start > 255) {
OPENSSL_free(out);
return NULL;
}
out[start] = (unsigned char)(i - start);
out[start-skipped] = (unsigned char)(i - start);
start = i + 1;
} else {
out[i + 1] = in[i];
out[i + 1 - skipped] = in[i];
}
}
*outlen = len + 1;
if (len <= skipped) {
OPENSSL_free(out);
return NULL;
}
*outlen = len + 1 - skipped;
return out;
}
@@ -2196,7 +2223,7 @@ double app_tminterval(int stop, int usertime)
return ret;
}
#elif defined(OPENSSL_SYSTEM_VXWORKS)
#elif defined(OPENSSL_SYS_VXWORKS)
# include <time.h>
double app_tminterval(int stop, int usertime)

8
apps/apps.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_APPS_H
# define HEADER_APPS_H
#ifndef OSSL_APPS_H
# define OSSL_APPS_H
# include "e_os.h" /* struct timeval for DTLS */
# include "internal/nelem.h"
@@ -444,11 +444,9 @@ void destroy_ui_method(void);
const UI_METHOD *get_ui_method(void);
int chopup_args(ARGS *arg, char *buf);
# ifdef HEADER_X509_H
int dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, X509_NAME *nm,
unsigned long lflags);
# endif
void print_bignum_var(BIO *, const BIGNUM *, const char*,
int, unsigned char *);
void print_array(BIO *, const char *, int, const unsigned char *);

14
apps/asn1pars.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv)
if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
goto end;
if ((buf = BUF_MEM_new()) == NULL)
goto end;
if (strictpem) {
if (PEM_read_bio(in, &name, &header, &str, &num) !=
1) {
if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
BIO_printf(bio_err, "Error reading PEM file\n");
ERR_print_errors(bio_err);
goto end;
}
buf->data = (char *)str;
buf->length = buf->max = num;
} else {
if ((buf = BUF_MEM_new()) == NULL)
goto end;
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv)
BUF_MEM_free(buf);
OPENSSL_free(name);
OPENSSL_free(header);
if (strictpem)
OPENSSL_free(str);
ASN1_TYPE_free(at);
sk_OPENSSL_STRING_free(osk);
return ret;

61
apps/build.info
View File

@@ -1,16 +1,17 @@
{- our @apps_openssl_src =
qw(openssl.c
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
enc.c errstr.c
genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
verify.c version.c x509.c rehash.c storeutl.c);
our @apps_lib_src =
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
split(/\s+/, $target{apps_aux_src}) );
our @apps_init_src = split(/\s+/, $target{apps_init_src});
"" -}
IF[{- !$disabled{apps} -}]
LIBS_NO_INST=libapps.a
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
@@ -21,11 +22,51 @@ IF[{- !$disabled{apps} -}]
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
INCLUDE[openssl]=.. ../include
DEPEND[openssl]=libapps.a ../libssl
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
GENERATE[openssl.rc]=../util/mkrc.pl openssl
SOURCE[openssl]=openssl.rc
ENDIF
IF[{- !$disabled{'des'} -}]
SOURCE[openssl]=pkcs12.c
DEPEND[pkcs12.o]=progs.h
ENDIF
IF[{- !$disabled{'ec'} -}]
SOURCE[openssl]=ec.c ecparam.c
DEPEND[ec.o]=progs.h
DEPEND[ecparam.o]=progs.h
ENDIF
IF[{- !$disabled{'ocsp'} -}]
SOURCE[openssl]=ocsp.c
DEPEND[ocsp.o]=progs.h
ENDIF
IF[{- !$disabled{'srp'} -}]
SOURCE[openssl]=srp.c
DEPEND[srp.o]=progs.h
ENDIF
IF[{- !$disabled{'ts'} -}]
SOURCE[openssl]=ts.c
DEPEND[ts.o]=progs.h
ENDIF
IF[{- !$disabled{'dh'} -}]
SOURCE[openssl]=dhparam.c
DEPEND[dhparam.o]=progs.h
ENDIF
IF[{- !$disabled{'dsa'} -}]
SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
DEPEND[dsa.o]=progs.h
DEPEND[dsaparam.o]=progs.h
DEPEND[gendsa.o]=progs.h
ENDIF
IF[{- !$disabled{'engine'} -}]
SOURCE[openssl]=engine.c
DEPEND[engine.o]=progs.h
ENDIF
IF[{- !$disabled{'rsa'} -}]
SOURCE[openssl]=rsa.c rsautl.c genrsa.c
DEPEND[rsa.o]=progs.h
DEPEND[rsautl.o]=progs.h
DEPEND[genrsa.o]=progs.h
ENDIF
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
GENERATE[openssl.rc]=../util/mkrc.pl openssl
SOURCE[openssl]=openssl.rc
ENDIF
{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
@apps_openssl_src) -}

59
apps/ca.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -722,7 +722,7 @@ end_of_options:
/*****************************************************************/
if (req || gencrl) {
if (spkac_file != NULL) {
if (spkac_file != NULL && outfile != NULL) {
output_der = 1;
batch = 1;
}
@@ -1862,8 +1862,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
|| (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
@@ -2223,62 +2223,51 @@ static int get_certificate_status(const char *serial, CA_DB *db)
static int do_updatedb(CA_DB *db)
{
ASN1_UTCTIME *a_tm = NULL;
ASN1_TIME *a_tm = NULL;
int i, cnt = 0;
int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */
char **rrow, *a_tm_s;
char **rrow;
a_tm = ASN1_UTCTIME_new();
a_tm = ASN1_TIME_new();
if (a_tm == NULL)
return -1;
/* get actual time and make a string */
/* get actual time */
if (X509_gmtime_adj(a_tm, 0) == NULL) {
ASN1_UTCTIME_free(a_tm);
ASN1_TIME_free(a_tm);
return -1;
}
a_tm_s = app_malloc(a_tm->length + 1, "time string");
memcpy(a_tm_s, a_tm->data, a_tm->length);
a_tm_s[a_tm->length] = '\0';
if (strncmp(a_tm_s, "49", 2) <= 0)
a_y2k = 1;
else
a_y2k = 0;
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
if (rrow[DB_type][0] == DB_TYPE_VAL) {
/* ignore entries that are not valid */
if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
db_y2k = 1;
else
db_y2k = 0;
ASN1_TIME *exp_date = NULL;
if (db_y2k == a_y2k) {
/* all on the same y2k side */
if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
rrow[DB_type][0] = DB_TYPE_EXP;
rrow[DB_type][1] = '\0';
cnt++;
exp_date = ASN1_TIME_new();
if (exp_date == NULL) {
ASN1_TIME_free(a_tm);
return -1;
}
BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
}
} else if (db_y2k < a_y2k) {
if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) {
ASN1_TIME_free(a_tm);
ASN1_TIME_free(exp_date);
return -1;
}
if (ASN1_TIME_compare(exp_date, a_tm) <= 0) {
rrow[DB_type][0] = DB_TYPE_EXP;
rrow[DB_type][1] = '\0';
cnt++;
BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
}
ASN1_TIME_free(exp_date);
}
}
ASN1_UTCTIME_free(a_tm);
OPENSSL_free(a_tm_s);
ASN1_TIME_free(a_tm);
return cnt;
}

9
apps/cms.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -545,9 +545,11 @@ int cms_main(int argc, char **argv)
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = app_malloc(sizeof(*nparam), "key param buffer");
nparam->idx = keyidx;
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
OPENSSL_free(nparam);
goto end;
}
nparam->idx = keyidx;
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
@@ -636,6 +638,7 @@ int cms_main(int argc, char **argv)
goto opthelp;
}
} else if (!operation) {
BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n");
goto opthelp;
}

4
apps/ct_log_list.cnf
View File

@@ -2,8 +2,8 @@
# that are to be trusted.
# Google's list of logs can be found here:
# www.certificate-transparency.org/known-logs
# www.certificate-transparency.org/known-logs
# A Python program to convert the log list to OpenSSL's format can be
# found here:
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
# https://github.com/google/certificate-transparency/blob/master/python/utilities/log_list/print_log_list.py
# Use the "--openssl_output" flag.

2
apps/demoSRP/srp_verifier.txt
View File

@@ -3,4 +3,4 @@
# records starting with a I followed by the g and N values and the id.
# The exact values ... you have to dig this out from the source of srp.c
# or srp_vfy.c
# The last value of an I is used as the default group for new users.
# The last value of an I is used as the default group for new users.

130
apps/dgst.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -19,6 +19,7 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/hmac.h>
#include <ctype.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
@@ -27,9 +28,15 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
static void show_digests(const OBJ_NAME *name, void *bio_);
struct doall_dgst_digests {
BIO *bio;
int n;
};
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_LIST,
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
@@ -43,6 +50,7 @@ const OPTIONS dgst_options[] = {
{OPT_HELP_STR, 1, '-',
" file... files to digest (default is stdin)\n"},
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List digests"},
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
@@ -91,6 +99,7 @@ int dgst_main(int argc, char **argv)
int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
unsigned char *buf = NULL, *sigbuf = NULL;
int engine_impl = 0;
struct doall_dgst_digests dec;
prog = opt_progname(argv[0]);
buf = app_malloc(BUFSIZE, "I/O buffer");
@@ -108,6 +117,15 @@ int dgst_main(int argc, char **argv)
opt_help(dgst_options);
ret = 0;
goto end;
case OPT_LIST:
BIO_printf(bio_out, "Supported digests:\n");
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
show_digests, &dec);
BIO_printf(bio_out, "\n");
ret = 0;
goto end;
case OPT_C:
separator = 1;
break;
@@ -413,20 +431,86 @@ int dgst_main(int argc, char **argv)
return ret;
}
static void show_digests(const OBJ_NAME *name, void *arg)
{
struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
const EVP_MD *md = NULL;
/* Filter out signed digests (a.k.a signature algorithms) */
if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
return;
if (!islower((unsigned char)*name->name))
return;
/* Filter out message digests that we cannot use */
md = EVP_get_digestbyname(name->name);
if (md == NULL)
return;
BIO_printf(dec->bio, "-%-25s", name->name);
if (++dec->n == 3) {
BIO_printf(dec->bio, "\n");
dec->n = 0;
} else {
BIO_printf(dec->bio, " ");
}
}
/*
* The newline_escape_filename function performs newline escaping for any
* filename that contains a newline. This function also takes a pointer
* to backslash. The backslash pointer is a flag to indicating whether a newline
* is present in the filename. If a newline is present, the backslash flag is
* set and the output format will contain a backslash at the beginning of the
* digest output. This output format is to replicate the output format found
* in the '*sum' checksum programs. This aims to preserve backward
* compatibility.
*/
static const char *newline_escape_filename(const char *file, int * backslash)
{
size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0;
char *file_cpy = NULL;
for (i = 0; i < length; i++)
if (file[i] == '\n')
newline_count++;
mem_len = length + newline_count + 1;
file_cpy = app_malloc(mem_len, file);
i = 0;
while(e < length) {
const char c = file[e];
if (c == '\n') {
file_cpy[i++] = '\\';
file_cpy[i++] = 'n';
*backslash = 1;
} else {
file_cpy[i++] = c;
}
e++;
}
file_cpy[i] = '\0';
return (const char*)file_cpy;
}
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
{
size_t len;
int i;
size_t len = BUFSIZE;
int i, backslash = 0, ret = 1;
unsigned char *sigbuf = NULL;
for (;;) {
while (BIO_pending(bp) || !BIO_eof(bp)) {
i = BIO_read(bp, (char *)buf, BUFSIZE);
if (i < 0) {
BIO_printf(bio_err, "Read Error in %s\n", file);
ERR_print_errors(bio_err);
return 1;
goto end;
}
if (i == 0)
break;
@@ -439,37 +523,51 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
BIO_printf(out, "Verified OK\n");
} else if (i == 0) {
BIO_printf(out, "Verification Failure\n");
return 1;
goto end;
} else {
BIO_printf(bio_err, "Error Verifying Data\n");
ERR_print_errors(bio_err);
return 1;
goto end;
}
return 0;
ret = 0;
goto end;
}
if (key != NULL) {
EVP_MD_CTX *ctx;
int pkey_len;
BIO_get_md_ctx(bp, &ctx);
len = BUFSIZE;
pkey_len = EVP_PKEY_size(key);
if (pkey_len > BUFSIZE) {
len = pkey_len;
sigbuf = app_malloc(len, "Signature buffer");
buf = sigbuf;
}
if (!EVP_DigestSignFinal(ctx, buf, &len)) {
BIO_printf(bio_err, "Error Signing Data\n");
ERR_print_errors(bio_err);
return 1;
goto end;
}
} else {
len = BIO_gets(bp, (char *)buf, BUFSIZE);
if ((int)len < 0) {
ERR_print_errors(bio_err);
return 1;
goto end;
}
}
if (binout) {
BIO_write(out, buf, len);
} else if (sep == 2) {
file = newline_escape_filename(file, &backslash);
if (backslash == 1)
BIO_puts(out, "\\");
for (i = 0; i < (int)len; i++)
BIO_printf(out, "%02x", buf[i]);
BIO_printf(out, " *%s\n", file);
OPENSSL_free((char *)file);
} else {
if (sig_name != NULL) {
BIO_puts(out, sig_name);
@@ -488,5 +586,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
}
BIO_printf(out, "\n");
}
return 0;
ret = 0;
end:
if (sigbuf != NULL)
OPENSSL_clear_free(sigbuf, len);
return ret;
}

2
apps/dh1024.pem
View File

@@ -4,7 +4,7 @@ Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
-----END DH PARAMETERS-----
These are the 1024-bit DH parameters from "Internet Key Exchange
These are the 1024-bit DH parameters from "Internet Key Exchange
Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996
See https://tools.ietf.org/html/rfc2412 for how they were generated.

4
apps/dh2048.pem
View File

@@ -7,8 +7,8 @@ fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
-----END DH PARAMETERS-----
These are the 2048-bit DH parameters from "More Modular Exponential
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
These are the 2048-bit DH parameters from "More Modular Exponential
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
https://tools.ietf.org/html/rfc3526
See https://tools.ietf.org/html/rfc2412 for how they were generated.

4
apps/dh4096.pem
View File

@@ -12,8 +12,8 @@ ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
-----END DH PARAMETERS-----
These are the 4096-bit DH parameters from "More Modular Exponential
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
These are the 4096-bit DH parameters from "More Modular Exponential
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
https://tools.ietf.org/html/rfc3526
See https://tools.ietf.org/html/rfc2412 for how they were generated.

59
apps/dhparam.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,28 +8,24 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DH
NON_EMPTY_TRANSLATION_UNIT
#else
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dh.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#endif
# ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
# endif
# define DEFBITS 2048
#define DEFBITS 2048
static int dh_cb(int p, int n, BN_GENCB *cb);
@@ -56,13 +52,13 @@ const OPTIONS dhparam_options[] = {
{"C", OPT_C, '-', "Print C code"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
# endif
# ifndef OPENSSL_NO_ENGINE
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -146,13 +142,13 @@ int dhparam_main(int argc, char **argv)
if (g && !num)
num = DEFBITS;
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam && g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
goto end;
}
# endif
#endif
out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
@@ -173,7 +169,7 @@ int dhparam_main(int argc, char **argv)
BN_GENCB_set(cb, dh_cb, bio_err);
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa = DSA_new();
@@ -196,7 +192,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
# endif
#endif
{
dh = DH_new();
BIO_printf(bio_err,
@@ -217,7 +213,7 @@ int dhparam_main(int argc, char **argv)
if (in == NULL)
goto end;
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa;
@@ -239,7 +235,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
# endif
#endif
{
if (informat == FORMAT_ASN1) {
/*
@@ -376,4 +372,3 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
#endif

55
apps/dsa.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,23 +8,19 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DSA
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/dsa.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/bn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/dsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -49,14 +45,14 @@ const OPTIONS dsa_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_RC4
#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
# endif
# ifndef OPENSSL_NO_ENGINE
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -71,9 +67,9 @@ int dsa_main(int argc, char **argv)
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
# ifndef OPENSSL_NO_RC4
#ifndef OPENSSL_NO_RC4
int pvk_encr = 2;
# endif
#endif
int private = 0;
prog = opt_init(argc, argv, dsa_options);
@@ -214,7 +210,7 @@ int dsa_main(int argc, char **argv)
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
NULL, 0, NULL, passout);
}
# ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_RSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
@@ -229,13 +225,13 @@ int dsa_main(int argc, char **argv)
goto end;
}
assert(private);
# ifdef OPENSSL_NO_RC4
# ifdef OPENSSL_NO_RC4
BIO_printf(bio_err, "PVK format not supported\n");
EVP_PKEY_free(pk);
goto end;
# else
# else
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
# endif
# endif
} else if (pubin || pubout) {
i = i2b_PublicKey_bio(out, pk);
} else {
@@ -243,7 +239,7 @@ int dsa_main(int argc, char **argv)
i = i2b_PrivateKey_bio(out, pk);
}
EVP_PKEY_free(pk);
# endif
#endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
@@ -262,4 +258,3 @@ int dsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
#endif

35
apps/dsaparam.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,22 +8,18 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DSA
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dsa.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
static int dsa_cb(int p, int n, BN_GENCB *cb);
@@ -44,9 +40,9 @@ const OPTIONS dsaparam_options[] = {
{"noout", OPT_NOOUT, '-', "No output"},
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
OPT_R_OPTIONS,
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -255,4 +251,3 @@ static int dsa_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
#endif

29
apps/ec.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,19 +8,15 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_EC
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/evp.h>
# include <openssl/pem.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
static OPT_PAIR conv_forms[] = {
{"compressed", POINT_CONVERSION_COMPRESSED},
@@ -62,9 +58,9 @@ const OPTIONS ec_options[] = {
"Specifies the way the ec parameters are encoded"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -280,4 +276,3 @@ int ec_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
#endif

36
apps/ecparam.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -9,22 +9,18 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_EC
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/ec.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -55,9 +51,9 @@ const OPTIONS ecparam_options[] = {
"Specifies the way the ec parameters are encoded"},
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
OPT_R_OPTIONS,
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -446,5 +442,3 @@ int ecparam_main(int argc, char **argv)
BIO_free_all(out);
return ret;
}
#endif

9
apps/enc.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -50,7 +50,8 @@ typedef enum OPTION_choice {
const OPTIONS enc_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"ciphers", OPT_LIST, '-', "List ciphers"},
{"list", OPT_LIST, '-', "List ciphers"},
{"ciphers", OPT_LIST, '-', "Alias for -list"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{"pass", OPT_PASS, 's', "Passphrase source"},
@@ -500,7 +501,7 @@ int enc_main(int argc, char **argv)
if (hiv != NULL) {
int siz = EVP_CIPHER_iv_length(cipher);
if (siz == 0) {
BIO_printf(bio_err, "warning: iv not use by this cipher\n");
BIO_printf(bio_err, "warning: iv not used by this cipher\n");
} else if (!set_hex(hiv, iv, siz)) {
BIO_printf(bio_err, "invalid hex iv value\n");
goto end;
@@ -586,7 +587,7 @@ int enc_main(int argc, char **argv)
if (benc != NULL)
wbio = BIO_push(benc, wbio);
for (;;) {
while (BIO_pending(rbio) || !BIO_eof(rbio)) {
inl = BIO_read(rbio, (char *)buff, bsize);
if (inl <= 0)
break;

25
apps/engine.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,19 +8,15 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_ENGINE
NON_EMPTY_TRANSLATION_UNIT
#else
# include "apps.h"
# include "progs.h"
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <openssl/err.h>
# include <openssl/engine.h>
# include <openssl/ssl.h>
# include <openssl/store.h>
#include "apps.h"
#include "progs.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/engine.h>
#include <openssl/ssl.h>
#include <openssl/store.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -486,4 +482,3 @@ int engine_main(int argc, char **argv)
BIO_free_all(out);
return ret;
}
#endif

35
apps/gendsa.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,22 +8,18 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DSA
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <string.h>
# include <sys/types.h>
# include <sys/stat.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dsa.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/dsa.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -39,9 +35,9 @@ const OPTIONS gendsa_options[] = {
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -143,4 +139,3 @@ int gendsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
#endif

8
apps/genpkey.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -177,9 +177,12 @@ int genpkey_main(int argc, char **argv)
goto end;
}
ret = 0;
if (rv <= 0) {
BIO_puts(bio_err, "Error writing key\n");
ERR_print_errors(bio_err);
ret = 1;
}
if (text) {
@@ -191,11 +194,10 @@ int genpkey_main(int argc, char **argv)
if (rv <= 0) {
BIO_puts(bio_err, "Error printing key\n");
ERR_print_errors(bio_err);
ret = 1;
}
}
ret = 0;
end:
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(ctx);

43
apps/genrsa.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,27 +8,23 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_RSA
NON_EMPTY_TRANSLATION_UNIT
#else
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
# include <stdio.h>
# include <string.h>
# include <sys/types.h>
# include <sys/stat.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/rsa.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/rand.h>
# define DEFBITS 2048
# define DEFPRIMES 2
#define DEFBITS 2048
#define DEFPRIMES 2
static int genrsa_cb(int p, int n, BN_GENCB *cb);
@@ -48,9 +44,9 @@ const OPTIONS genrsa_options[] = {
OPT_R_OPTIONS,
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{NULL}
};
@@ -198,4 +194,3 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
#endif

200
apps/ocsp.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,52 +9,77 @@
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_OCSP
NON_EMPTY_TRANSLATION_UNIT
#else
# ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
#ifdef OPENSSL_SYS_VMS
# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
# endif
#endif
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <ctype.h>
/* Needs to be included before the openssl headers */
# include "apps.h"
# include "progs.h"
# include "internal/sockets.h"
# include <openssl/e_os2.h>
# include <openssl/crypto.h>
# include <openssl/err.h>
# include <openssl/ssl.h>
# include <openssl/evp.h>
# include <openssl/bn.h>
# include <openssl/x509v3.h>
# include <openssl/rand.h>
#include "apps.h"
#include "progs.h"
#include "internal/sockets.h"
#include <openssl/e_os2.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/x509v3.h>
#include <openssl/rand.h>
# if defined(OPENSSL_SYS_UNIX) && !defined(OPENSSL_NO_SOCK) \
#ifndef HAVE_FORK
#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
# define HAVE_FORK 0
#else
# define HAVE_FORK 1
#endif
#endif
#if HAVE_FORK
#undef NO_FORK
#else
#define NO_FORK
#endif
#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
# define OCSP_DAEMON
# include <sys/types.h>
# include <sys/wait.h>
# include <syslog.h>
# include <signal.h>
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
# else
# undef LOG_INFO
# undef LOG_WARNING
# undef LOG_ERR
# define LOG_INFO 0
# define LOG_WARNING 1
# define LOG_ERR 2
# endif
# define OCSP_DAEMON
# include <sys/types.h>
# include <sys/wait.h>
# include <syslog.h>
# include <signal.h>
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
#else
# undef LOG_INFO
# undef LOG_WARNING
# undef LOG_ERR
# define LOG_INFO 0
# define LOG_WARNING 1
# define LOG_ERR 2
#endif
#if defined(OPENSSL_SYS_VXWORKS)
/* not supported */
int setpgid(pid_t pid, pid_t pgid)
{
errno = ENOSYS;
return 0;
}
/* not supported */
pid_t fork(void)
{
errno = ENOSYS;
return (pid_t) -1;
}
#endif
/* Maximum leeway in validity period: default 5 minutes */
# define MAX_VALIDITY_PERIOD (5 * 60)
#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -81,20 +106,20 @@ static void log_message(int level, const char *fmt, ...);
static char *prog;
static int multi = 0;
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
static void sock_timeout(int signum);
# endif
static void socket_timeout(int signum);
#endif
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
# endif
#endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -132,9 +157,9 @@ const OPTIONS ocsp_options[] = {
"Don't include any certificates in response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
# endif
#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
@@ -483,9 +508,9 @@ int ocsp_main(int argc, char **argv)
trailing_md = 1;
break;
case OPT_MULTI:
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
multi = atoi(opt_arg());
# endif
#endif
break;
}
}
@@ -565,11 +590,11 @@ int ocsp_main(int argc, char **argv)
}
}
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
signal(SIGALRM, sock_timeout);
signal(SIGALRM, socket_timeout);
#endif
if (acbio != NULL)
@@ -578,7 +603,7 @@ int ocsp_main(int argc, char **argv)
redo_accept:
if (acbio != NULL) {
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL);
@@ -591,7 +616,7 @@ redo_accept:
ridx_filename);
}
}
# endif
#endif
req = NULL;
if (!do_responder(&req, &cbio, acbio, req_timeout))
@@ -613,8 +638,10 @@ redo_accept:
goto end;
}
if (req != NULL && add_nonce)
OCSP_request_add1_nonce(req, NULL, -1);
if (req != NULL && add_nonce) {
if (!OCSP_request_add1_nonce(req, NULL, -1))
goto end;
}
if (signfile != NULL) {
if (keyfile == NULL)
@@ -658,16 +685,16 @@ redo_accept:
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
# else
#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n");
goto end;
# endif
#endif
} else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL)
@@ -810,7 +837,7 @@ log_message(int level, const char *fmt, ...)
va_list ap;
va_start(ap, fmt);
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
if (multi) {
char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
@@ -819,7 +846,7 @@ log_message(int level, const char *fmt, ...)
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
# endif
#endif
if (!multi) {
BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap);
@@ -828,7 +855,7 @@ log_message(int level, const char *fmt, ...)
va_end(ap);
}
# ifdef OCSP_DAEMON
#ifdef OCSP_DAEMON
static int print_syslog(const char *str, size_t len, void *levPtr)
{
@@ -863,6 +890,7 @@ static void killall(int ret, pid_t *kidpids)
for (i = 0; i < multi; ++i)
if (kidpids[i] != 0)
(void)kill(kidpids[i], SIGTERM);
OPENSSL_free(kidpids);
sleep(1);
exit(ret);
}
@@ -977,11 +1005,10 @@ static void spawn_loop(void)
}
/* The loop above can only break on termsig */
OPENSSL_free(kidpids);
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
# endif
#endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -1217,7 +1244,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
goto end;
}
}
OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) {
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
goto end;
}
if (badsig) {
const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
@@ -1258,11 +1288,11 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
static BIO *init_responder(const char *port)
{
# ifdef OPENSSL_NO_SOCK
#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err,
"Error setting up accept BIO - sockets not supported.\n");
return NULL;
# else
#else
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@@ -1289,10 +1319,10 @@ static BIO *init_responder(const char *port)
BIO_free_all(acbio);
BIO_free(bufbio);
return NULL;
# endif
#endif
}
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
/*
* Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
*/
@@ -1316,22 +1346,22 @@ static int urldecode(char *p)
*out = '\0';
return (int)(out - save);
}
# endif
#endif
# ifdef OCSP_DAEMON
static void sock_timeout(int signum)
#ifdef OCSP_DAEMON
static void socket_timeout(int signum)
{
if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD);
}
# endif
#endif
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout)
{
# ifdef OPENSSL_NO_SOCK
#ifdef OPENSSL_NO_SOCK
return 0;
# else
#else
int len;
OCSP_REQUEST *req = NULL;
char inbuf[2048], reqbuf[2048];
@@ -1349,12 +1379,12 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*pcbio = cbio;
client = BIO_get_peer_name(cbio);
# ifdef OCSP_DAEMON
# ifdef OCSP_DAEMON
if (timeout > 0) {
(void) BIO_get_fd(cbio, &acfd);
alarm(timeout);
}
# endif
# endif
/* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@@ -1383,9 +1413,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*q = '\0';
/*
* Skip "GET / HTTP..." requests often used by load-balancers
* Skip "GET / HTTP..." requests often used by load-balancers. Note:
* 'p' was incremented above to point to the first byte *after* the
* leading slash, so with 'GET / ' it is now an empty string.
*/
if (p[1] == '\0')
if (p[0] == '\0')
goto out;
len = urldecode(p);
@@ -1415,11 +1447,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
break;
}
# ifdef OCSP_DAEMON
# ifdef OCSP_DAEMON
/* Clear alarm before we close the client socket */
alarm(0);
timeout = 0;
# endif
# endif
/* Try to read OCSP request */
if (getbio != NULL) {
@@ -1435,13 +1467,13 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*preq = req;
out:
# ifdef OCSP_DAEMON
# ifdef OCSP_DAEMON
if (timeout > 0)
alarm(0);
acfd = (int)INVALID_SOCKET;
# endif
return 1;
# endif
return 1;
#endif
}
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
@@ -1457,7 +1489,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
# ifndef OPENSSL_NO_SOCK
#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
@@ -1588,6 +1620,4 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
SSL_CTX_free(ctx);
return resp;
}
# endif
#endif

4
apps/openssl-vms.cnf
View File

@@ -18,7 +18,7 @@ oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -115,7 +115,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).

10
apps/openssl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,7 +22,6 @@
# include <openssl/engine.h>
#endif
#include <openssl/err.h>
#include "s_apps.h"
/* Needed to get the other O_xxx flags. */
#ifdef OPENSSL_SYS_VMS
# include <unixio.h>
@@ -165,6 +164,13 @@ int main(int argc, char *argv[])
}
prog = prog_init();
if (prog == NULL) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: prog_init() failed)\n");
ERR_print_errors(bio_err);
ret = 1;
goto end;
}
pname = opt_progname(argv[0]);
/* first check the program name */

4
apps/openssl.cnf
View File

@@ -18,7 +18,7 @@ oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
@@ -115,7 +115,7 @@ x509_extensions = v3_ca # The extensions to add to the self signed cert
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).

2
apps/passwd.c
View File

@@ -807,7 +807,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
(*salt_p)[i] = 0;
# ifdef CHARSET_EBCDIC
/* The password encryption funtion will convert back to ASCII */
/* The password encryption function will convert back to ASCII */
ascii2ebcdic(*salt_p, *salt_p, saltlen);
# endif
}

125
apps/pkcs12.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,25 +8,21 @@
*/
#include <openssl/opensslconf.h>
#if defined(OPENSSL_NO_DES)
NON_EMPTY_TRANSLATION_UNIT
#else
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/crypto.h>
# include <openssl/err.h>
# include <openssl/pem.h>
# include <openssl/pkcs12.h>
# define NOKEYS 0x1
# define NOCERTS 0x2
# define INFO 0x4
# define CLCERTS 0x8
# define CACERTS 0x10
#define NOKEYS 0x1
#define NOCERTS 0x2
#define INFO 0x4
#define CLCERTS 0x8
#define CACERTS 0x10
#define PASSWD_BUF_SIZE 2048
@@ -41,6 +37,7 @@ int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
void print_attribute(BIO *out, const ASN1_TYPE *av);
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
@@ -73,15 +70,15 @@ const OPTIONS pkcs12_options[] = {
{"chain", OPT_CHAIN, '-', "Add certificate chain"},
{"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
{"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
# ifndef OPENSSL_NO_RC2
#ifndef OPENSSL_NO_RC2
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default RC2-40)"},
{"certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default RC2-40)"},
# else
#else
{"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
{"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
# endif
#endif
{"export", OPT_EXPORT, '-', "Output PKCS12 file"},
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"maciter", OPT_MACITER, '-', "Use MAC iteration"},
@@ -112,9 +109,9 @@ const OPTIONS pkcs12_options[] = {
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -125,11 +122,11 @@ int pkcs12_main(int argc, char **argv)
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
# ifndef OPENSSL_NO_RC2
#ifndef OPENSSL_NO_RC2
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
# else
#else
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
#endif
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1, macver = 1, add_lmk = 0, private = 0;
int noprompt = 0;
@@ -311,6 +308,13 @@ int pkcs12_main(int argc, char **argv)
if (cpass != NULL) {
mpass = cpass;
noprompt = 1;
if (twopass) {
if (export_cert)
BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n");
else
BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n");
goto end;
}
} else {
cpass = pass;
mpass = macpass;
@@ -831,7 +835,7 @@ static int alg_print(const X509_ALGOR *alg)
goto done;
}
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
"Block size(r): %ld, Paralelizm(p): %ld",
"Block size(r): %ld, Parallelism(p): %ld",
ASN1_STRING_length(kdf->salt),
ASN1_INTEGER_get(kdf->costParameter),
ASN1_INTEGER_get(kdf->blockSize),
@@ -871,6 +875,38 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
return ret;
}
/* Generalised x509 attribute value print */
void print_attribute(BIO *out, const ASN1_TYPE *av)
{
char *value;
switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;
case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
BIO_printf(out, "\n");
break;
case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
BIO_printf(out, "\n");
break;
default:
BIO_printf(out, "<Unsupported tag %d>\n", av->type);
break;
}
}
/* Generalised attribute print: handle PKCS#8 and bag attributes */
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
@@ -878,8 +914,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
{
X509_ATTRIBUTE *attr;
ASN1_TYPE *av;
char *value;
int i, attr_nid;
int i, j, attr_nid;
if (!attrlst) {
BIO_printf(out, "%s: <No Attributes>\n", name);
return 1;
@@ -903,30 +938,10 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
}
if (X509_ATTRIBUTE_count(attr)) {
av = X509_ATTRIBUTE_get0_type(attr, 0);
switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;
case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
BIO_printf(out, "\n");
break;
case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
BIO_printf(out, "\n");
break;
default:
BIO_printf(out, "<Unsupported tag %d>\n", av->type);
break;
for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
{
av = X509_ATTRIBUTE_get0_type(attr, j);
print_attribute(out, av);
}
} else {
BIO_printf(out, "<No Values>\n");
@@ -957,5 +972,3 @@ static int set_pbe(int *ppbe, const char *str)
}
return 1;
}
#endif

5
apps/pkeyutl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -299,8 +299,7 @@ int pkeyutl_main(int argc, char **argv)
/* Sanity check the input */
if (buf_inlen > EVP_MAX_MD_SIZE
&& (pkey_op == EVP_PKEY_OP_SIGN
|| pkey_op == EVP_PKEY_OP_VERIFY
|| pkey_op == EVP_PKEY_OP_VERIFYRECOVER)) {
|| pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"Error: The input data looks too long to be a hash\n");
goto end;

34
apps/rehash.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -51,6 +51,26 @@
# endif
# define MAX_COLLISIONS 256
# if defined(OPENSSL_SYS_VXWORKS)
/*
* VxWorks has no symbolic links
*/
# define lstat(path, buf) stat(path, buf)
int symlink(const char *target, const char *linkpath)
{
errno = ENOSYS;
return -1;
}
ssize_t readlink(const char *pathname, char *buf, size_t bufsiz)
{
errno = ENOSYS;
return -1;
}
# endif
typedef struct hentry_st {
struct hentry_st *next;
char *filename;
@@ -254,11 +274,19 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
if (x->x509 != NULL) {
type = TYPE_CERT;
name = X509_get_subject_name(x->x509);
X509_digest(x->x509, evpmd, digest, NULL);
if (!X509_digest(x->x509, evpmd, digest, NULL)) {
BIO_printf(bio_err, "out of memory\n");
++errs;
goto end;
}
} else if (x->crl != NULL) {
type = TYPE_CRL;
name = X509_CRL_get_issuer(x->crl);
X509_CRL_digest(x->crl, evpmd, digest, NULL);
if (!X509_CRL_digest(x->crl, evpmd, digest, NULL)) {
BIO_printf(bio_err, "out of memory\n");
++errs;
goto end;
}
} else {
++errs;
goto end;

31
apps/req.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -200,9 +200,12 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
*p = '\0';
/* Finally have a clean "key"; see if it's there [by attempt to add it]. */
if ((p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv))
!= NULL || lh_OPENSSL_STRING_error(addexts)) {
OPENSSL_free(p != NULL ? p : kv);
p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv);
if (p != NULL) {
OPENSSL_free(p);
return 1;
} else if (lh_OPENSSL_STRING_error(addexts)) {
OPENSSL_free(kv);
return -1;
}
@@ -435,12 +438,14 @@ int req_main(int argc, char **argv)
if (verbose)
BIO_printf(bio_err, "Using configuration from %s\n", template);
req_conf = app_load_config(template);
if ((req_conf = app_load_config(template)) == NULL)
goto end;
if (addext_bio) {
if (verbose)
BIO_printf(bio_err,
"Using additional configuration from command line\n");
addext_conf = app_load_config_bio(addext_bio, NULL);
if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
goto end;
}
if (template != default_config_file && !app_load_modules(req_conf))
goto end;
@@ -881,9 +886,19 @@ int req_main(int argc, char **argv)
if (text) {
if (x509)
X509_print_ex(out, x509ss, get_nameopt(), reqflag);
ret = X509_print_ex(out, x509ss, get_nameopt(), reqflag);
else
X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
ret = X509_REQ_print_ex(out, req, get_nameopt(), reqflag);
if (ret == 0) {
if (x509)
BIO_printf(bio_err, "Error printing certificate\n");
else
BIO_printf(bio_err, "Error printing certificate request\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (subject) {

59
apps/rsa.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,23 +8,19 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_RSA
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/rsa.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/bn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -53,14 +49,14 @@ const OPTIONS rsa_options[] = {
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"check", OPT_CHECK, '-', "Verify key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
# endif
# ifndef OPENSSL_NO_ENGINE
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -75,9 +71,9 @@ int rsa_main(int argc, char **argv)
int i, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
int pvk_encr = 2;
# endif
#endif
OPTION_CHOICE o;
prog = opt_init(argc, argv, rsa_options);
@@ -130,9 +126,9 @@ int rsa_main(int argc, char **argv)
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
pvk_encr = (o - OPT_PVK_NONE);
# endif
#endif
break;
case OPT_NOOUT:
noout = 1;
@@ -265,7 +261,7 @@ int rsa_main(int argc, char **argv)
i = PEM_write_bio_RSAPrivateKey(out, rsa,
enc, NULL, 0, NULL, passout);
}
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
@@ -280,13 +276,13 @@ int rsa_main(int argc, char **argv)
goto end;
}
assert(private);
# ifdef OPENSSL_NO_RC4
# ifdef OPENSSL_NO_RC4
BIO_printf(bio_err, "PVK format not supported\n");
EVP_PKEY_free(pk);
goto end;
# else
# else
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
# endif
# endif
} else if (pubin || pubout) {
i = i2b_PublicKey_bio(out, pk);
} else {
@@ -294,7 +290,7 @@ int rsa_main(int argc, char **argv)
i = i2b_PrivateKey_bio(out, pk);
}
EVP_PKEY_free(pk);
# endif
#endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
@@ -313,4 +309,3 @@ int rsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
#endif

4
apps/rsa8192.pem
View File

@@ -1,5 +1,4 @@
-----BEGIN RSA PRIVATE KEY-----
MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
@@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
@@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
-----END RSA PRIVATE KEY-----

37
apps/rsautl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,25 +8,21 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_RSA
NON_EMPTY_TRANSLATION_UNIT
#else
#include "apps.h"
#include "progs.h"
#include <string.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
# include "apps.h"
# include "progs.h"
# include <string.h>
# include <openssl/err.h>
# include <openssl/pem.h>
# include <openssl/rsa.h>
#define RSA_SIGN 1
#define RSA_VERIFY 2
#define RSA_ENCRYPT 3
#define RSA_DECRYPT 4
# define RSA_SIGN 1
# define RSA_VERIFY 2
# define RSA_ENCRYPT 3
# define RSA_DECRYPT 4
# define KEY_PRIVKEY 1
# define KEY_PUBKEY 2
# define KEY_CERT 3
#define KEY_PRIVKEY 1
#define KEY_PUBKEY 2
#define KEY_CERT 3
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -60,9 +56,9 @@ const OPTIONS rsautl_options[] = {
{"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
OPT_R_OPTIONS,
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -279,4 +275,3 @@ int rsautl_main(int argc, char **argv)
OPENSSL_free(passin);
return ret;
}
#endif

20
apps/s_apps.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,13 +9,7 @@
#include <openssl/opensslconf.h>
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
# include <conio.h>
#endif
#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
# define _kbhit kbhit
#endif
#include <openssl/ssl.h>
#define PORT "4433"
#define PROTOCOL "tcp"
@@ -24,17 +18,15 @@ typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
int do_server(int *accept_sock, const char *host, const char *port,
int family, int type, int protocol, do_server_cb cb,
unsigned char *context, int naccept, BIO *bio_s_out);
#ifdef HEADER_X509_H
int verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
#ifdef HEADER_SSL_H
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_groups(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
const char *bindhost, const char *bindport,
@@ -44,13 +36,11 @@ int should_retry(int i);
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
int argi, long argl, long ret);
#ifdef HEADER_SSL_H
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
int len, void *arg);
#endif
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
@@ -75,7 +65,6 @@ int args_excert(int option, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc);
void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
@@ -86,4 +75,3 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
#endif

119
apps/s_cb.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -24,7 +24,7 @@
#define COOKIE_SECRET_LENGTH 16
VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
#ifndef OPENSSL_NO_SOCK
static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
if (verify_args.depth >= depth) {
if (verify_args.depth < 0 || verify_args.depth >= depth) {
if (!verify_args.return_error)
ok = 1;
verify_args.error = err;
@@ -188,6 +188,7 @@ static STRINT_PAIR cert_type_list[] = {
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
{"GOST12 Sign", TLS_CT_GOST12_SIGN},
{NULL}
};
@@ -683,6 +684,53 @@ static STRINT_PAIR tlsext_types[] = {
{NULL}
};
/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
static STRINT_PAIR signature_tls13_scheme_list[] = {
{"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
{"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
/* {"rsa_pkcs1_sha224", 0x0301 TLSEXT_SIGALG_rsa_pkcs1_sha224}, not in rfc8446 */
/* {"ecdsa_sha224", 0x0303 TLSEXT_SIGALG_ecdsa_sha224} not in rfc8446 */
{"rsa_pkcs1_sha256", 0x0401 /* TLSEXT_SIGALG_rsa_pkcs1_sha256 */},
{"ecdsa_secp256r1_sha256", 0x0403 /* TLSEXT_SIGALG_ecdsa_secp256r1_sha256 */},
{"rsa_pkcs1_sha384", 0x0501 /* TLSEXT_SIGALG_rsa_pkcs1_sha384 */},
{"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
{"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
{"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
{"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
{"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
{"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
{"ed25519", 0x0807 /* TLSEXT_SIGALG_ed25519 */},
{"ed448", 0x0808 /* TLSEXT_SIGALG_ed448 */},
{"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
{"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
{"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
{"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
{"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
{"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
{NULL}
};
/* from rfc5246 7.4.1.4.1. */
static STRINT_PAIR signature_tls12_alg_list[] = {
{"anonymous", TLSEXT_signature_anonymous /* 0 */},
{"RSA", TLSEXT_signature_rsa /* 1 */},
{"DSA", TLSEXT_signature_dsa /* 2 */},
{"ECDSA", TLSEXT_signature_ecdsa /* 3 */},
{NULL}
};
/* from rfc5246 7.4.1.4.1. */
static STRINT_PAIR signature_tls12_hash_list[] = {
{"none", TLSEXT_hash_none /* 0 */},
{"MD5", TLSEXT_hash_md5 /* 1 */},
{"SHA1", TLSEXT_hash_sha1 /* 2 */},
{"SHA224", TLSEXT_hash_sha224 /* 3 */},
{"SHA256", TLSEXT_hash_sha256 /* 4 */},
{"SHA384", TLSEXT_hash_sha384 /* 5 */},
{"SHA512", TLSEXT_hash_sha512 /* 6 */},
{NULL}
};
void tlsext_cb(SSL *s, int client_server, int type,
const unsigned char *data, int len, void *arg)
{
@@ -886,7 +934,8 @@ static int set_cert_cb(SSL *ssl, void *arg)
if (!SSL_build_cert_chain(ssl, 0))
return 0;
} else if (exc->chain != NULL) {
SSL_set1_chain(ssl, exc->chain);
if (!SSL_set1_chain(ssl, exc->chain))
return 0;
}
}
exc = exc->prev;
@@ -1282,9 +1331,9 @@ static STRINT_PAIR callback_types[] = {
{"Supported Curve", SSL_SECOP_CURVE_SUPPORTED},
{"Shared Curve", SSL_SECOP_CURVE_SHARED},
{"Check Curve", SSL_SECOP_CURVE_CHECK},
{"Supported Signature Algorithm digest", SSL_SECOP_SIGALG_SUPPORTED},
{"Shared Signature Algorithm digest", SSL_SECOP_SIGALG_SHARED},
{"Check Signature Algorithm digest", SSL_SECOP_SIGALG_CHECK},
{"Supported Signature Algorithm", SSL_SECOP_SIGALG_SUPPORTED},
{"Shared Signature Algorithm", SSL_SECOP_SIGALG_SHARED},
{"Check Signature Algorithm", SSL_SECOP_SIGALG_CHECK},
{"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK},
{"Certificate chain EE key", SSL_SECOP_EE_KEY},
{"Certificate chain CA key", SSL_SECOP_CA_KEY},
@@ -1304,29 +1353,37 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
security_debug_ex *sdb = ex;
int rv, show_bits = 1, cert_md = 0;
const char *nm;
int show_nm;
rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex);
if (rv == 1 && sdb->verbose < 2)
return 1;
BIO_puts(sdb->out, "Security callback: ");
nm = lookup(op, callback_types, NULL);
show_nm = nm != NULL;
switch (op) {
case SSL_SECOP_TICKET:
case SSL_SECOP_COMPRESSION:
show_bits = 0;
nm = NULL;
show_nm = 0;
break;
case SSL_SECOP_VERSION:
BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???"));
show_bits = 0;
nm = NULL;
show_nm = 0;
break;
case SSL_SECOP_CA_MD:
case SSL_SECOP_PEER_CA_MD:
cert_md = 1;
break;
case SSL_SECOP_SIGALG_SUPPORTED:
case SSL_SECOP_SIGALG_SHARED:
case SSL_SECOP_SIGALG_CHECK:
case SSL_SECOP_SIGALG_MASK:
show_nm = 0;
break;
}
if (nm != NULL)
if (show_nm)
BIO_printf(sdb->out, "%s=", nm);
switch (op & SSL_SECOP_OTHER_TYPE) {
@@ -1373,27 +1430,28 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
{
const unsigned char *salg = other;
const char *sname = NULL;
switch (salg[1]) {
case TLSEXT_signature_anonymous:
sname = "anonymous";
break;
case TLSEXT_signature_rsa:
sname = "RSA";
break;
case TLSEXT_signature_dsa:
sname = "DSA";
break;
case TLSEXT_signature_ecdsa:
sname = "ECDSA";
break;
}
int raw_sig_code = (salg[0] << 8) + salg[1]; /* always big endian (msb, lsb) */
/* raw_sig_code: signature_scheme from tls1.3, or signature_and_hash from tls1.2 */
BIO_puts(sdb->out, OBJ_nid2sn(nid));
if (sname)
BIO_printf(sdb->out, ", algorithm=%s", sname);
if (nm != NULL)
BIO_printf(sdb->out, "%s", nm);
else
BIO_printf(sdb->out, ", algid=%d", salg[1]);
break;
BIO_printf(sdb->out, "s_cb.c:security_callback_debug op=0x%x", op);
sname = lookup(raw_sig_code, signature_tls13_scheme_list, NULL);
if (sname != NULL) {
BIO_printf(sdb->out, " scheme=%s", sname);
} else {
int alg_code = salg[1];
int hash_code = salg[0];
const char *alg_str = lookup(alg_code, signature_tls12_alg_list, NULL);
const char *hash_str = lookup(hash_code, signature_tls12_hash_list, NULL);
if (alg_str != NULL && hash_str != NULL)
BIO_printf(sdb->out, " digest=%s, algorithm=%s", hash_str, alg_str);
else
BIO_printf(sdb->out, " scheme=unknown(0x%04x)", raw_sig_code);
}
}
}
@@ -1469,7 +1527,8 @@ void print_ca_names(BIO *bio, SSL *s)
int i;
if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
if (!SSL_is_server(s))
BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
return;
}

120
apps/s_client.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -74,6 +74,7 @@ static void print_stuff(BIO *berr, SSL *con, int full);
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
static int is_dNS_name(const char *host);
static int saved_errno;
@@ -596,6 +597,7 @@ typedef enum OPTION_choice {
#endif
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
OPT_ENABLE_PHA,
OPT_SCTP_LABEL_BUG,
OPT_R_ENUM
} OPTION_CHOICE;
@@ -750,6 +752,7 @@ const OPTIONS s_client_options[] = {
#endif
#ifndef OPENSSL_NO_SCTP
{"sctp", OPT_SCTP, '-', "Use SCTP"},
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
#ifndef OPENSSL_NO_SSL_TRACE
{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
@@ -976,6 +979,9 @@ int s_client_main(int argc, char **argv)
#endif
char *psksessf = NULL;
int enable_pha = 0;
#ifndef OPENSSL_NO_SCTP
int sctp_label_bug = 0;
#endif
FD_ZERO(&readfds);
FD_ZERO(&writefds);
@@ -1121,6 +1127,7 @@ int s_client_main(int argc, char **argv)
goto opthelp;
break;
case OPT_VERIFY_RET_ERROR:
verify = SSL_VERIFY_PEER;
verify_args.return_error = 1;
break;
case OPT_VERIFY_QUIET:
@@ -1276,22 +1283,42 @@ int s_client_main(int argc, char **argv)
case OPT_SSL3:
min_version = SSL3_VERSION;
max_version = SSL3_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_3:
min_version = TLS1_3_VERSION;
max_version = TLS1_3_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_2:
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1_1:
min_version = TLS1_1_VERSION;
max_version = TLS1_1_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_TLS1:
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
#endif
break;
case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS
@@ -1321,6 +1348,11 @@ int s_client_main(int argc, char **argv)
case OPT_SCTP:
#ifndef OPENSSL_NO_SCTP
protocol = IPPROTO_SCTP;
#endif
break;
case OPT_SCTP_LABEL_BUG:
#ifndef OPENSSL_NO_SCTP
sctp_label_bug = 1;
#endif
break;
case OPT_TIMEOUT:
@@ -1707,6 +1739,11 @@ int s_client_main(int argc, char **argv)
}
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
#endif
if (min_version != 0
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
@@ -1975,9 +2012,11 @@ int s_client_main(int argc, char **argv)
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {
if (servername == NULL)
servername = (host == NULL) ? "localhost" : host;
if (!SSL_set_tlsext_host_name(con, servername)) {
if (servername == NULL) {
if(host == NULL || is_dNS_name(host))
servername = (host == NULL) ? "localhost" : host;
}
if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {
BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
ERR_print_errors(bio_err);
goto end;
@@ -2234,7 +2273,7 @@ int s_client_main(int argc, char **argv)
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
while (mbuf_len > 3 && mbuf[3] == '-');
while (mbuf_len > 3 && (!isdigit(mbuf[0]) || !isdigit(mbuf[1]) || !isdigit(mbuf[2]) || mbuf[3] != ' '));
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
@@ -2326,7 +2365,7 @@ int s_client_main(int argc, char **argv)
(void)BIO_flush(fbio);
/*
* The first line is the HTTP response. According to RFC 7230,
* it's formated exactly like this:
* it's formatted exactly like this:
*
* HTTP/d.d ddd Reason text\r\n
*/
@@ -3031,9 +3070,7 @@ int s_client_main(int argc, char **argv)
BIO_printf(bio_err, "RENEGOTIATING\n");
SSL_renegotiate(con);
cbuf_len = 0;
}
if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
} else if (!c_ign_eof && (cbuf[0] == 'K' || cbuf[0] == 'k' )
&& cmdletters) {
BIO_printf(bio_err, "KEYUPDATE\n");
SSL_key_update(con,
@@ -3459,4 +3496,69 @@ static int ldap_ExtendedResponse_parse(const char *buf, long rem)
return ret;
}
/*
* Host dNS Name verifier: used for checking that the hostname is in dNS format
* before setting it as SNI
*/
static int is_dNS_name(const char *host)
{
const size_t MAX_LABEL_LENGTH = 63;
size_t i;
int isdnsname = 0;
size_t length = strlen(host);
size_t label_length = 0;
int all_numeric = 1;
/*
* Deviation from strict DNS name syntax, also check names with '_'
* Check DNS name syntax, any '-' or '.' must be internal,
* and on either side of each '.' we can't have a '-' or '.'.
*
* If the name has just one label, we don't consider it a DNS name.
*/
for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
char c = host[i];
if ((c >= 'a' && c <= 'z')
|| (c >= 'A' && c <= 'Z')
|| c == '_') {
label_length += 1;
all_numeric = 0;
continue;
}
if (c >= '0' && c <= '9') {
label_length += 1;
continue;
}
/* Dot and hyphen cannot be first or last. */
if (i > 0 && i < length - 1) {
if (c == '-') {
label_length += 1;
continue;
}
/*
* Next to a dot the preceding and following characters must not be
* another dot or a hyphen. Otherwise, record that the name is
* plausible, since it has two or more labels.
*/
if (c == '.'
&& host[i + 1] != '.'
&& host[i - 1] != '-'
&& host[i + 1] != '-') {
label_length = 0;
isdnsname = 1;
continue;
}
}
isdnsname = 0;
break;
}
/* dNS name must not be all numeric and labels must be shorter than 64 characters. */
isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
return isdnsname;
}
#endif /* OPENSSL_NO_SOCK */

42
apps/s_server.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -180,9 +180,6 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
}
#endif
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
size_t identity_len, SSL_SESSION **sess)
{
@@ -751,7 +748,7 @@ typedef enum OPTION_choice {
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
@@ -938,6 +935,7 @@ const OPTIONS s_server_options[] = {
#endif
#ifndef OPENSSL_NO_SCTP
{"sctp", OPT_SCTP, '-', "Use SCTP"},
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
@@ -1047,6 +1045,9 @@ int s_server_main(int argc, char *argv[])
const char *keylog_file = NULL;
int max_early_data = -1, recv_max_early_data = -1;
char *psksessf = NULL;
#ifndef OPENSSL_NO_SCTP
int sctp_label_bug = 0;
#endif
/* Init of few remaining global variables */
local_argc = argc;
@@ -1407,7 +1408,7 @@ int s_server_main(int argc, char *argv[])
for (p = psk_key = opt_arg(); *p; p++) {
if (isxdigit(_UC(*p)))
continue;
BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
goto end;
}
break;
@@ -1488,6 +1489,11 @@ int s_server_main(int argc, char *argv[])
case OPT_SCTP:
#ifndef OPENSSL_NO_SCTP
protocol = IPPROTO_SCTP;
#endif
break;
case OPT_SCTP_LABEL_BUG:
#ifndef OPENSSL_NO_SCTP
sctp_label_bug = 1;
#endif
break;
case OPT_TIMEOUT:
@@ -1792,6 +1798,12 @@ int s_server_main(int argc, char *argv[])
goto end;
}
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
#endif
if (min_version != 0
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
@@ -1892,7 +1904,7 @@ int s_server_main(int argc, char *argv[])
BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
ssl_ctx_security_debug(ctx2, sdebug);
if (session_id_prefix) {
if (strlen(session_id_prefix) >= 32)
@@ -2754,6 +2766,8 @@ static int init_ssl_connection(SSL *con)
BIO_ADDR_free(client);
return 0;
}
(void)BIO_ctrl_set_connected(wbio, client);
BIO_ADDR_free(client);
dtlslisten = 0;
} else {
@@ -3191,6 +3205,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (e[0] == ' ')
break;
if (e[0] == ':') {
/* Windows drive. We treat this the same way as ".." */
dot = -1;
break;
}
switch (dot) {
case 1:
dot = (e[0] == '.') ? 2 : 0;
@@ -3199,11 +3219,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
dot = (e[0] == '.') ? 3 : 0;
break;
case 3:
dot = (e[0] == '/') ? -1 : 0;
dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
break;
}
if (dot == 0)
dot = (e[0] == '/') ? 1 : 0;
dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
}
dot = (dot == 3) || (dot == -1); /* filename contains ".."
* component */
@@ -3217,11 +3237,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (dot) {
BIO_puts(io, text);
BIO_printf(io, "'%s' contains '..' reference\r\n", p);
BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
break;
}
if (*p == '/') {
if (*p == '/' || *p == '\\') {
BIO_puts(io, text);
BIO_printf(io, "'%s' is an invalid path\r\n", p);
break;

6
apps/s_time.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -62,6 +62,7 @@ const OPTIONS s_time_options[] = {
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
@@ -262,7 +263,8 @@ int s_time_main(int argc, char **argv)
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
nConn, (long)time(NULL) - finishtime + maxtime,
nConn > 0 ? bytes_read / nConn : 0l);
/*
* Now loop and time connections using the same session id over and over

95
apps/server.pem
View File

@@ -1,52 +1,47 @@
subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi
R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD
DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9
o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV
3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/
8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1
rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71
cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS
T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud
EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4
YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI
RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk
iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK
8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi
X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q
YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL
tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu
D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI
uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6
qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn
zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3
r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D
AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R
5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm
W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH
674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg
utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY
BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX
4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a
WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8
bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH
6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex
4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa
WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g
n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB
JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+
OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVXWBq3/xh7kiq
jBFIQ6VttlJdqphJsWGSNbH8OgQlDG15/7TVyelcHDvgq7O4faPebb3g3ddavxRH
EUJepoLQYcF/3RNG5gmFBw7y1PwaZNIKrSCrIGuW8K3MxBlTVdwBHaSz74q0SVNd
igUc8dzhRL/F1+J3GVdclwt17ohDcQ/KbMG0slCnd0ZsWA8Rv/F2JFquOUK3UWcp
4dBVMG8X5JHqrfgowkNvomSp+52YkmJIPusNT4JKiv8/cu6Wta6hwZi6732QdW3/
WlKeq/XAftCHQ9uFBwcPfTh6/dHT7mUd0+o5aoc37krT4A1u9XCswr3xbvOSlV6p
8KFllZONAgMBAAECggEADLTt7A+A2Vg2jamf0dztejY0e42QWjstI2b9PZc67fXq
gyx+WYkX07t+uWegYWliG/oPJ9guXiIpE/5sJHToL37S5kmFP2CtynVcJ4wVo4DD
nY0n9+kLX0bgIuS+2V6wpoRcbbbjXM9NHrH8kfe5ftT4UtEDlLI2qLX6IcDd7p4u
OYjILChR8GSGTw96yIy2Ws/1Uq9PMw64JoT4RcK5QqnkcPMDFRH1SeLOL+zXP2c4
nEl9yOy3HauZKxwl/Ry/XK1s3DdjopIAU29ut+hAuMiTb06kzZnumL9NoplKoZtU
otw/gVcCKhT+Ep+p6i8InLF0XEME8A0qUR0niWebgQKBgQD6vkxR49B8ZZQrzjw4
XKs1lI9cP7cgPiuWlDHMNjYou3WbOaGrMeScvbB1Ldh9A8pjAhxlw8AaV/xs4qcA
trmVmSISVMVyc1wSGlJXWi2nUzTNs9OE3vj22SyStihf8UUZtWwX2b5Y4JrYhA/V
+ThGGqHR03oLNLShNLtJc2c7YQKBgQDZ1nkibEyrepexw/fnwkw61IJKq9wRIh1G
PREakhbe9wU5ie0knuf9razt7awzQiwFmlixmWqsM7UEtLuXNnNPciwdrKhhbvrd
vD/rkbIEHEPllIhFlDtOzn3hRBWTzWmXFjpou/2LvHTSbVis4IYVZymTp2jb1ZLs
7VbiG9JTrQKBgQDc6n75g1szzpdehQT/r33U5j/syeJBUSU8NPMu9fB/sLHsgjlT
SNEf2+y1QSBE/Or6kmiMrIv7advn30W+Vj9qc5HWTsPrk4HiHTjA553jl2alebN5
lK4LZspjtIQcC8mS3goPdXPEgJdM/gWpwzr2YQ6DfOxBJT2j7n64NyoT4QKBgH7/
yx+GhCx1DHtXBPDZFhg2TL+78lEK0oZgk9gp06up2CHzh44SFq6O0oLkTcCUk5Ww
poTkLIy4mJBlzfgahp+KsK2cO46SZS9g0ONFzcMXt33hWpE2Gl2XhUwPpYTF/QlY
rDTjZK5S8Mi9dzVSsNlJi7PJphiEK2R1+nFYRwcBAoGBANWoIG85jpXAOnq/Kcgx
Rl3YivR0Ke6r1tFlP58rT7X3EkiboXyQl5vLIFCAwUte6RGrLl1dy3Qyh80B9ySL
Jx6vj42CK7vgv6A96TuVYhnXTnEI6ZvwAQ2VGaw4BizhjALs/kdSE/og9aSCs3ws
KQypwAFz0tbHxaNag/bSAN0J
-----END PRIVATE KEY-----

134
apps/speed.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -100,7 +100,7 @@
#include <openssl/modes.h>
#ifndef HAVE_FORK
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_VXWORKS)
# define HAVE_FORK 0
# else
# define HAVE_FORK 1
@@ -489,30 +489,35 @@ static const OPT_PAIR rsa_choices[] = {
static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */
#define R_EC_P160 0
#define R_EC_P192 1
#define R_EC_P224 2
#define R_EC_P256 3
#define R_EC_P384 4
#define R_EC_P521 5
#define R_EC_K163 6
#define R_EC_K233 7
#define R_EC_K283 8
#define R_EC_K409 9
#define R_EC_K571 10
#define R_EC_B163 11
#define R_EC_B233 12
#define R_EC_B283 13
#define R_EC_B409 14
#define R_EC_B571 15
#define R_EC_BRP256R1 16
#define R_EC_BRP256T1 17
#define R_EC_BRP384R1 18
#define R_EC_BRP384T1 19
#define R_EC_BRP512R1 20
#define R_EC_BRP512T1 21
#define R_EC_X25519 22
#define R_EC_X448 23
enum {
R_EC_P160,
R_EC_P192,
R_EC_P224,
R_EC_P256,
R_EC_P384,
R_EC_P521,
#ifndef OPENSSL_NO_EC2M
R_EC_K163,
R_EC_K233,
R_EC_K283,
R_EC_K409,
R_EC_K571,
R_EC_B163,
R_EC_B233,
R_EC_B283,
R_EC_B409,
R_EC_B571,
#endif
R_EC_BRP256R1,
R_EC_BRP256T1,
R_EC_BRP384R1,
R_EC_BRP384T1,
R_EC_BRP512R1,
R_EC_BRP512T1,
R_EC_X25519,
R_EC_X448
};
#ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = {
{"ecdsap160", R_EC_P160},
@@ -521,6 +526,7 @@ static OPT_PAIR ecdsa_choices[] = {
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
{"ecdsap521", R_EC_P521},
# ifndef OPENSSL_NO_EC2M
{"ecdsak163", R_EC_K163},
{"ecdsak233", R_EC_K233},
{"ecdsak283", R_EC_K283},
@@ -531,6 +537,7 @@ static OPT_PAIR ecdsa_choices[] = {
{"ecdsab283", R_EC_B283},
{"ecdsab409", R_EC_B409},
{"ecdsab571", R_EC_B571},
# endif
{"ecdsabrp256r1", R_EC_BRP256R1},
{"ecdsabrp256t1", R_EC_BRP256T1},
{"ecdsabrp384r1", R_EC_BRP384R1},
@@ -549,6 +556,7 @@ static const OPT_PAIR ecdh_choices[] = {
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
{"ecdhp521", R_EC_P521},
# ifndef OPENSSL_NO_EC2M
{"ecdhk163", R_EC_K163},
{"ecdhk233", R_EC_K233},
{"ecdhk283", R_EC_K283},
@@ -559,6 +567,7 @@ static const OPT_PAIR ecdh_choices[] = {
{"ecdhb283", R_EC_B283},
{"ecdhb409", R_EC_B409},
{"ecdhb571", R_EC_B571},
# endif
{"ecdhbrp256r1", R_EC_BRP256R1},
{"ecdhbrp256t1", R_EC_BRP256T1},
{"ecdhbrp384r1", R_EC_BRP384R1},
@@ -1233,8 +1242,6 @@ static int run_benchmark(int async_jobs,
OSSL_ASYNC_FD job_fd = 0;
size_t num_job_fds = 0;
run = 1;
if (async_jobs == 0) {
return loop_function((void *)&loopargs);
}
@@ -1499,11 +1506,12 @@ int speed_main(int argc, char **argv)
{"nistp192", NID_X9_62_prime192v1, 192},
{"nistp224", NID_secp224r1, 224},
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
# ifndef OPENSSL_NO_EC2M
/* Binary Curves */
{"nistk163", NID_sect163k1, 163},
{"nistk233", NID_sect233k1, 233},
{"nistk233", NID_sect233k1, 233},
{"nistk283", NID_sect283k1, 283},
{"nistk409", NID_sect409k1, 409},
{"nistk571", NID_sect571k1, 571},
@@ -1512,6 +1520,7 @@ int speed_main(int argc, char **argv)
{"nistb283", NID_sect283r1, 283},
{"nistb409", NID_sect409r1, 409},
{"nistb571", NID_sect571r1, 571},
# endif
{"brainpoolP256r1", NID_brainpoolP256r1, 256},
{"brainpoolP256t1", NID_brainpoolP256t1, 256},
{"brainpoolP384r1", NID_brainpoolP384r1, 384},
@@ -1779,7 +1788,7 @@ int speed_main(int argc, char **argv)
}
buflen = lengths[size_num - 1];
if (buflen < 36) /* size of random vector in RSA bencmark */
if (buflen < 36) /* size of random vector in RSA benchmark */
buflen = 36;
buflen += MAX_MISALIGNMENT + 1;
loopargs[i].buf_malloc = app_malloc(buflen, "input buffer");
@@ -2031,6 +2040,7 @@ int speed_main(int argc, char **argv)
}
}
}
# ifndef OPENSSL_NO_EC2M
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,6 +2069,7 @@ int speed_main(int argc, char **argv)
}
}
}
# endif
ecdh_c[R_EC_P160][0] = count / 1000;
for (i = R_EC_P192; i <= R_EC_P521; i++) {
@@ -2071,6 +2082,7 @@ int speed_main(int argc, char **argv)
}
}
}
# ifndef OPENSSL_NO_EC2M
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2093,6 +2105,7 @@ int speed_main(int argc, char **argv)
}
}
}
# endif
/* repeated code good to factorize */
ecdh_c[R_EC_BRP256R1][0] = count / 1000;
for (i = R_EC_BRP384R1; i <= R_EC_BRP512R1; i += 2) {
@@ -2397,7 +2410,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_128_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_128_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks1,
iv, CAMELLIA_ENCRYPT);
@@ -2419,7 +2432,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_192_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_192_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks2,
iv, CAMELLIA_ENCRYPT);
@@ -2437,7 +2450,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_256_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_256_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks3,
iv, CAMELLIA_ENCRYPT);
@@ -2457,7 +2470,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_IDEA][testnum]); count++)
for (count = 0; COND(c[D_CBC_IDEA][testnum]); count++)
IDEA_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &idea_ks,
iv, IDEA_ENCRYPT);
@@ -2477,7 +2490,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_SEED], c[D_CBC_SEED][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_SEED][testnum]); count++)
for (count = 0; COND(c[D_CBC_SEED][testnum]); count++)
SEED_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &seed_ks, iv, 1);
d = Time_F(STOP);
@@ -2500,7 +2513,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_RC2][testnum]); count++)
for (count = 0; COND(c[D_CBC_RC2][testnum]); count++)
RC2_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &rc2_ks,
iv, RC2_ENCRYPT);
@@ -2524,7 +2537,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_RC5][testnum]); count++)
for (count = 0; COND(c[D_CBC_RC5][testnum]); count++)
RC5_32_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &rc5_ks,
iv, RC5_ENCRYPT);
@@ -2544,7 +2557,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_BF], c[D_CBC_BF][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_BF][testnum]); count++)
for (count = 0; COND(c[D_CBC_BF][testnum]); count++)
BF_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &bf_ks,
iv, BF_ENCRYPT);
@@ -2564,7 +2577,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_CAST], c[D_CBC_CAST][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_CAST][testnum]); count++)
for (count = 0; COND(c[D_CBC_CAST][testnum]); count++)
CAST_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &cast_ks,
iv, CAST_ENCRYPT);
@@ -2614,16 +2627,28 @@ int speed_main(int argc, char **argv)
for (k = 0; k < loopargs_len; k++) {
loopargs[k].ctx = EVP_CIPHER_CTX_new();
EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL, NULL,
iv, decrypt ? 0 : 1);
if (loopargs[k].ctx == NULL) {
BIO_printf(bio_err, "\nEVP_CIPHER_CTX_new failure\n");
exit(1);
}
if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL,
NULL, iv, decrypt ? 0 : 1)) {
BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
ERR_print_errors(bio_err);
exit(1);
}
EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0);
keylen = EVP_CIPHER_CTX_key_length(loopargs[k].ctx);
loopargs[k].key = app_malloc(keylen, "evp_cipher key");
EVP_CIPHER_CTX_rand_key(loopargs[k].ctx, loopargs[k].key);
EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
loopargs[k].key, NULL, -1);
if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
loopargs[k].key, NULL, -1)) {
BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
ERR_print_errors(bio_err);
exit(1);
}
OPENSSL_clear_free(loopargs[k].key, keylen);
}
@@ -2979,7 +3004,7 @@ int speed_main(int argc, char **argv)
pctx = NULL;
}
if (kctx == NULL || /* keygen ctx is not null */
!EVP_PKEY_keygen_init(kctx) /* init keygen ctx */ ) {
EVP_PKEY_keygen_init(kctx) <= 0/* init keygen ctx */ ) {
ecdh_checks = 0;
BIO_printf(bio_err, "ECDH keygen failure.\n");
ERR_print_errors(bio_err);
@@ -2987,12 +3012,12 @@ int speed_main(int argc, char **argv)
break;
}
if (!EVP_PKEY_keygen(kctx, &key_A) || /* generate secret key A */
!EVP_PKEY_keygen(kctx, &key_B) || /* generate secret key B */
if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */
EVP_PKEY_keygen(kctx, &key_B) <= 0 || /* generate secret key B */
!(ctx = EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */
!EVP_PKEY_derive_init(ctx) || /* init derivation ctx */
!EVP_PKEY_derive_set_peer(ctx, key_B) || /* set peer pubkey in ctx */
!EVP_PKEY_derive(ctx, NULL, &outlen) || /* determine max length */
EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */
EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 || /* set peer pubkey in ctx */
EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */
outlen == 0 || /* ensure outlen is a valid size */
outlen > MAX_ECDH_SIZE /* avoid buffer overflow */ ) {
ecdh_checks = 0;
@@ -3079,8 +3104,8 @@ int speed_main(int argc, char **argv)
if ((ed_pctx = EVP_PKEY_CTX_new_id(test_ed_curves[testnum].nid, NULL))
== NULL
|| !EVP_PKEY_keygen_init(ed_pctx)
|| !EVP_PKEY_keygen(ed_pctx, &ed_pkey)) {
|| EVP_PKEY_keygen_init(ed_pctx) <= 0
|| EVP_PKEY_keygen(ed_pctx, &ed_pkey) <= 0) {
st = 0;
EVP_PKEY_CTX_free(ed_pctx);
break;
@@ -3368,6 +3393,7 @@ static void print_message(const char *s, long num, int length, int tm)
mr ? "+DT:%s:%d:%d\n"
: "Doing %s for %ds on %d size blocks: ", s, tm, length);
(void)BIO_flush(bio_err);
run = 1;
alarm(tm);
#else
BIO_printf(bio_err,
@@ -3385,6 +3411,7 @@ static void pkey_print_message(const char *str, const char *str2, long num,
mr ? "+DTP:%d:%s:%s:%d\n"
: "Doing %u bits %s %s's for %ds: ", bits, str, str2, tm);
(void)BIO_flush(bio_err);
run = 1;
alarm(tm);
#else
BIO_printf(bio_err,
@@ -3557,6 +3584,7 @@ static int do_multi(int multi, int size_num)
p = buf + 4;
k = atoi(sstrsep(&p, sep));
sstrsep(&p, sep);
sstrsep(&p, sep);
d = atof(sstrsep(&p, sep));
eddsa_results[k][0] += d;
@@ -3614,7 +3642,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
for (j = 0; j < num; j++) {
print_message(alg_name, 0, mblengths[j], seconds->sym);
Time_F(START);
for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
for (count = 0; run && count < 0x7fffffff; count++) {
unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
size_t len = mblengths[j];

41
apps/srp.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,28 +12,24 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_SRP
NON_EMPTY_TRANSLATION_UNIT
#else
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/conf.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/txt_db.h>
#include <openssl/buffer.h>
#include <openssl/srp.h>
#include "apps.h"
#include "progs.h"
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <openssl/conf.h>
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/txt_db.h>
# include <openssl/buffer.h>
# include <openssl/srp.h>
# include "apps.h"
# include "progs.h"
# define BASE_SECTION "srp"
# define CONFIG_FILE "openssl.cnf"
#define BASE_SECTION "srp"
#define CONFIG_FILE "openssl.cnf"
# define ENV_DATABASE "srpvfile"
# define ENV_DEFAULT_SRP "default_srp"
#define ENV_DATABASE "srpvfile"
#define ENV_DEFAULT_SRP "default_srp"
static int get_index(CA_DB *db, char *id, char type)
{
@@ -212,9 +208,9 @@ const OPTIONS srp_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{NULL}
};
@@ -610,4 +606,3 @@ int srp_main(int argc, char **argv)
release_engine(e);
return ret;
}
#endif

4
apps/storeutl.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -125,7 +125,7 @@ int storeutl_main(int argc, char *argv[])
}
/*
* If expected wasn't set at this point, it means the map
* isn't syncronised with the possible options leading here.
* isn't synchronised with the possible options leading here.
*/
OPENSSL_assert(expected != 0);
}

6
apps/timeouts.h
View File

@@ -7,11 +7,11 @@
* https://www.openssl.org/source/license.html
*/
#ifndef INCLUDED_TIMEOUTS_H
# define INCLUDED_TIMEOUTS_H
#ifndef OSSL_APPS_TIMEOUTS_H
# define OSSL_APPS_TIMEOUTS_H
/* numbers in us */
# define DGRAM_RCV_TIMEOUT 250000
# define DGRAM_SND_TIMEOUT 250000
#endif /* ! INCLUDED_TIMEOUTS_H */
#endif /* ! OSSL_APPS_TIMEOUTS_H */

51
apps/ts.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,29 +8,26 @@
*/
#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_TS
NON_EMPTY_TRANSLATION_UNIT
#else
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/pem.h>
# include <openssl/rand.h>
# include <openssl/ts.h>
# include <openssl/bn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/ts.h>
#include <openssl/bn.h>
/* Request nonce length, in bits (must be a multiple of 8). */
# define NONCE_LENGTH 64
#define NONCE_LENGTH 64
/* Name of config entry that defines the OID file. */
# define ENV_OID_FILE "oid_file"
#define ENV_OID_FILE "oid_file"
/* Is |EXACTLY_ONE| of three pointers set? */
# define EXACTLY_ONE(a, b, c) \
#define EXACTLY_ONE(a, b, c) \
(( a && !b && !c) || \
( b && !a && !c) || \
( c && !a && !b))
@@ -114,9 +111,9 @@ const OPTIONS ts_options[] = {
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
{"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
{"", OPT_MD, '-', "Any supported digest"},
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
# endif
#endif
{OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
OPT_V_OPTIONS,
{OPT_HELP_STR, 1, '-', "\n"},
@@ -137,11 +134,11 @@ static char* opt_helplist[] = {
" [-signer tsa_cert.pem] [-inkey private_key.pem]",
" [-chain certs_file.pem] [-tspolicy oid]",
" [-in file] [-token_in] [-out file] [-token_out]",
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
" [-text] [-engine id]",
# else
#else
" [-text]",
# endif
#endif
" or",
"ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
" [-data file] [-digest hexstring]",
@@ -282,7 +279,8 @@ int ts_main(int argc, char **argv)
goto end;
}
conf = load_config_file(configfile);
if ((conf = load_config_file(configfile)) == NULL)
goto end;
if (configfile != default_config_file && !app_load_modules(conf))
goto end;
@@ -681,10 +679,10 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
goto end;
if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
goto end;
# ifndef OPENSSL_NO_ENGINE
#ifndef OPENSSL_NO_ENGINE
if (!TS_CONF_set_crypto_device(conf, section, engine))
goto end;
# endif
#endif
if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
goto end;
if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
@@ -983,4 +981,3 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx)
{
return ok;
}
#endif /* ndef OPENSSL_NO_TS */

15
apps/verify.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -286,16 +286,19 @@ static int cb(int ok, X509_STORE_CTX *ctx)
cert_error,
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(cert_error));
/*
* Pretend that some errors are ok, so they don't stop further
* processing of the certificate chain. Setting ok = 1 does this.
* After X509_verify_cert() is done, we verify that there were
* no actual errors, even if the returned value was positive.
*/
switch (cert_error) {
case X509_V_ERR_NO_EXPLICIT_POLICY:
policies_print(ctx);
/* fall thru */
case X509_V_ERR_CERT_HAS_EXPIRED:
/*
* since we are just checking the certificates, it is ok if they
* are self signed. But we should still warn the user.
*/
/* Continue even if the leaf is a self signed cert */
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
/* Continue after extension errors too */
case X509_V_ERR_INVALID_CA:

4
apps/vms_term_sock.h
View File

@@ -8,8 +8,8 @@
* https://www.openssl.org/source/license.html
*/
#ifndef TERM_SOCK_H
# define TERM_SOCK_H
#ifndef OSSL_APPS_VMS_TERM_SOCK_H
# define OSSL_APPS_VMS_TERM_SOCK_H
/*
** Terminal Socket Function Codes

16
apps/x509.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,7 +72,7 @@ const OPTIONS x509_options[] = {
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (one of DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
{"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
@@ -107,7 +107,7 @@ const OPTIONS x509_options[] = {
{"checkend", OPT_CHECKEND, 'M',
"Check whether the cert expires in the next arg seconds"},
{OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
{"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
{"signkey", OPT_SIGNKEY, 's', "Self sign cert with arg"},
{"x509toreq", OPT_X509TOREQ, '-',
"Output a certification request object"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
@@ -130,7 +130,7 @@ const OPTIONS x509_options[] = {
{"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
{"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
{"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
@@ -140,9 +140,9 @@ const OPTIONS x509_options[] = {
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_MD5
{"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
"Print old-style (MD5) issuer hash value"},
{"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
{"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) issuer hash value"},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -217,7 +217,7 @@ int x509_main(int argc, char **argv)
goto opthelp;
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
@@ -225,7 +225,7 @@ int x509_main(int argc, char **argv)
goto opthelp;
break;
case OPT_CAKEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:

22
appveyor.yml
View File

@@ -1,3 +1,6 @@
image:
- Visual Studio 2017
platform:
- x64
- x86
@@ -5,17 +8,24 @@ platform:
environment:
fast_finish: true
matrix:
- VSVER: 14
- VSVER: 15
configuration:
- shared
- plain
- minimal
before_build:
- ps: >-
Install-Module VSSetup -Scope CurrentUser
- ps: >-
Get-VSSetupInstance -All
- ps: >-
gci env:* | sort-object name
- ps: >-
If ($env:Platform -Match "x86") {
$env:VCVARS_PLATFORM="x86"
$env:TARGET="VC-WIN32 no-asm"
$env:TARGET="VC-WIN32 no-asm --strict-warnings"
} Else {
$env:VCVARS_PLATFORM="amd64"
$env:TARGET="VC-WIN64A-masm"
@@ -23,11 +33,12 @@ before_build:
- ps: >-
If ($env:Configuration -Match "shared") {
$env:SHARED="no-makedepend"
} ElseIf ($env:Configuration -Match "minimal") {
$env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT"
} Else {
$env:SHARED="no-shared no-makedepend"
}
- ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
- call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
- call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
- mkdir _build
- cd _build
- perl ..\Configure %TARGET% %SHARED%
@@ -35,7 +46,8 @@ before_build:
- cd ..
- ps: >-
if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER`
-or (&git log -2 | Select-String "\[extended tests\]") ) {
-or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT |
Select-String "\[extended tests\]") ) {
$env:EXTENDED_TESTS="yes"
}

14
build.info
View File

@@ -9,20 +9,20 @@
"";
-}
LIBS=libcrypto libssl
INCLUDE[libcrypto]=. crypto/include include
INCLUDE[libcrypto]=. include
INCLUDE[libssl]=. include
DEPEND[libssl]=libcrypto
# Empty DEPEND "indices" means the dependencies are expected to be built
# unconditionally before anything else.
DEPEND[]=include/openssl/opensslconf.h crypto/include/internal/bn_conf.h \
crypto/include/internal/dso_conf.h
DEPEND[]=include/openssl/opensslconf.h include/crypto/bn_conf.h \
include/crypto/dso_conf.h
DEPEND[include/openssl/opensslconf.h]=configdata.pm
GENERATE[include/openssl/opensslconf.h]=include/openssl/opensslconf.h.in
DEPEND[crypto/include/internal/bn_conf.h]=configdata.pm
GENERATE[crypto/include/internal/bn_conf.h]=crypto/include/internal/bn_conf.h.in
DEPEND[crypto/include/internal/dso_conf.h]=configdata.pm
GENERATE[crypto/include/internal/dso_conf.h]=crypto/include/internal/dso_conf.h.in
DEPEND[include/crypto/bn_conf.h]=configdata.pm
GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
DEPEND[include/crypto/dso_conf.h]=configdata.pm
GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in
IF[{- defined $target{shared_defflag} -}]
IF[{- $config{target} =~ /^mingw/ -}]

52
config
View File

@@ -1,5 +1,5 @@
#!/bin/sh
# Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -19,7 +19,7 @@ THERE=`dirname $0`
# pick up any command line args to config
for i
do
case "$i" in
case "$i" in
-d*) options=$options" --debug";;
-t*) DRYRUN="true" VERBOSE="true";;
-v*) VERBOSE="true";;
@@ -59,7 +59,7 @@ __CNF_LDLIBS=
# Now test for ISC and SCO, since it is has a braindamaged uname.
#
# We need to work around FreeBSD 1.1.5.1
# We need to work around FreeBSD 1.1.5.1
(
XREL=`uname -X 2>/dev/null | grep "^Release" | awk '{print $3}'`
if [ "x$XREL" != "x" ]; then
@@ -253,11 +253,8 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
Power*)
echo "ppc-apple-darwin${VERSION}"
;;
x86_64)
echo "x86_64-apple-darwin${VERSION}"
;;
*)
echo "i686-apple-darwin${VERSION}"
echo "${MACHINE}-apple-darwin${VERSION}"
;;
esac
exit 0
@@ -363,7 +360,7 @@ esac
# At this point we gone through all the one's
# we know of: Punt
echo "${MACHINE}-whatever-${SYSTEM}"
echo "${MACHINE}-whatever-${SYSTEM}"
exit 0
) 2>/dev/null | (
@@ -433,7 +430,7 @@ fi
CCVER=${CCVER:-0}
# read the output of the embedded GuessOS
# read the output of the embedded GuessOS
read GUESSOS
echo Operating system: $GUESSOS
@@ -497,22 +494,22 @@ case "$GUESSOS" in
else
OUT="darwin64-x86_64-cc"
fi ;;
$MACHINE-apple-darwin*)
OUT="darwin64-$MACHINE-cc"
;;
armv6+7-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch%20armv6 -arch%20armv7"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch%20armv6 -arch%20armv7"
__CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7"
OUT="iphoneos-cross" ;;
*-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch%20${MACHINE}"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch%20${MACHINE}"
__CNF_CFLAGS="$__CNF_CFLAGS -arch ${MACHINE}"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch ${MACHINE}"
OUT="iphoneos-cross" ;;
arm64-*-iphoneos|*-*-ios64)
OUT="ios64-cross" ;;
alpha-*-linux2)
ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
case ${ISA:-generic} in
*[678]) OUT="linux-alpha+bwx-$CC" ;;
*) OUT="linux-alpha-$CC" ;;
esac
OUT="linux-alpha-$CC"
if [ "$CC" = "gcc" ]; then
case ${ISA:-generic} in
EV5|EV45) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
@@ -732,7 +729,7 @@ case "$GUESSOS" in
*-*-[Uu]nix[Ww]are7)
if [ "$CC" = "gcc" ]; then
OUT="unixware-7-gcc" ; options="$options no-sse2"
else
else
OUT="unixware-7" ; options="$options no-sse2"
__CNF_CPPFLAGS="$__CNF_CPPFLAGS -D__i386__"
fi
@@ -793,7 +790,7 @@ case "$GUESSOS" in
OUT="aix64-gcc"
fi
elif [ $OBJECT_MODE -eq 64 ]; then
echo 'Your $OBJECT_MODE was found to be set to 64'
echo 'Your $OBJECT_MODE was found to be set to 64'
OUT="aix64-cc"
else
OUT="aix-cc"
@@ -897,7 +894,7 @@ if [ ".$PERL" = . ] ; then
exit 1
fi
# run Configure to check to see if we need to specify the
# run Configure to check to see if we need to specify the
# compiler for the platform ... in which case we add it on
# the end ... otherwise we leave it off
@@ -908,8 +905,12 @@ fi
OUT="$OUT"
$PERL $THERE/Configure LIST | grep "$OUT" > /dev/null
if [ $? = "0" ]; then
if [ "$OUT" = "darwin64-x86_64-cc" ]; then
echo "WARNING! If you wish to build 32-bit libraries, then you have to"
echo " invoke 'KERNEL_BITS=32 $THERE/config $options'."
fi
if $PERL $THERE/Configure LIST | grep "$OUT" > /dev/null; then
if [ "$VERBOSE" = "true" ]; then
echo /usr/bin/env \
__CNF_CPPDEFINES="'$__CNF_CPPDEFINES'" \
@@ -920,7 +921,7 @@ if [ $? = "0" ]; then
__CNF_LDFLAGS="'$__CNF_LDFLAGS'" \
__CNF_LDLIBS="'$__CNF_LDLIBS'" \
$PERL $THERE/Configure $OUT $options
fi
fi
if [ "$DRYRUN" = "false" ]; then
# eval to make sure quoted options, possibly with spaces inside,
# are treated right
@@ -939,8 +940,5 @@ else
exit 1
fi
if [ "$OUT" = "darwin64-x86_64-cc" ]; then
echo "WARNING! If you wish to build 32-bit libraries, then you have to"
echo " invoke 'KERNEL_BITS=32 $THERE/config $options'."
fi
# Do not add anothing from here on, so we don't lose the Configure exit code
)

5
crypto/LPdir_unix.c
View File

@@ -131,9 +131,8 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
return 0;
}
strncpy((*ctx)->entry_name, direntry->d_name,
sizeof((*ctx)->entry_name) - 1);
(*ctx)->entry_name[sizeof((*ctx)->entry_name) - 1] = '\0';
OPENSSL_strlcpy((*ctx)->entry_name, direntry->d_name,
sizeof((*ctx)->entry_name));
#ifdef __VMS
if ((*ctx)->expect_file_generations) {
char *p = (*ctx)->entry_name + strlen((*ctx)->entry_name);

636
crypto/aes/aes_core.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -41,9 +41,639 @@
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"
#ifndef AES_ASM
#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM)
typedef union {
unsigned char b[8];
u32 w[2];
u64 d;
} uni;
/*
* Compute w := (w * x) mod (x^8 + x^4 + x^3 + x^1 + 1)
* Therefore the name "xtime".
*/
static void XtimeWord(u32 *w)
{
u32 a, b;
a = *w;
b = a & 0x80808080u;
a ^= b;
b -= b >> 7;
b &= 0x1B1B1B1Bu;
b ^= a << 1;
*w = b;
}
static void XtimeLong(u64 *w)
{
u64 a, b;
a = *w;
b = a & 0x8080808080808080uLL;
a ^= b;
b -= b >> 7;
b &= 0x1B1B1B1B1B1B1B1BuLL;
b ^= a << 1;
*w = b;
}
/*
* This computes w := S * w ^ -1 + c, where c = {01100011}.
* Instead of using GF(2^8) mod (x^8+x^4+x^3+x+1} we do the inversion
* in GF(GF(GF(2^2)^2)^2) mod (X^2+X+8)
* and GF(GF(2^2)^2) mod (X^2+X+2)
* and GF(2^2) mod (X^2+X+1)
* The first part of the algorithm below transfers the coordinates
* {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80} =>
* {1,Y,Y^2,Y^3,Y^4,Y^5,Y^6,Y^7} with Y=0x41:
* {0x01,0x41,0x66,0x6c,0x56,0x9a,0x58,0xc4}
* The last part undoes the coordinate transfer and the final affine
* transformation S:
* b[i] = b[i] + b[(i+4)%8] + b[(i+5)%8] + b[(i+6)%8] + b[(i+7)%8] + c[i]
* in one step.
* The multiplication in GF(2^2^2^2) is done in ordinary coords:
* A = (a0*1 + a1*x^4)
* B = (b0*1 + b1*x^4)
* AB = ((a0*b0 + 8*a1*b1)*1 + (a1*b0 + (a0+a1)*b1)*x^4)
* When A = (a0,a1) is given we want to solve AB = 1:
* (a) 1 = a0*b0 + 8*a1*b1
* (b) 0 = a1*b0 + (a0+a1)*b1
* => multiply (a) by a1 and (b) by a0
* (c) a1 = a1*a0*b0 + (8*a1*a1)*b1
* (d) 0 = a1*a0*b0 + (a0*a0+a1*a0)*b1
* => add (c) + (d)
* (e) a1 = (a0*a0 + a1*a0 + 8*a1*a1)*b1
* => therefore
* b1 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * a1
* => and adding (a1*b0) to (b) we get
* (f) a1*b0 = (a0+a1)*b1
* => therefore
* b0 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * (a0+a1)
* Note this formula also works for the case
* (a0+a1)*a0 + 8*a1*a1 = 0
* if the inverse element for 0^-1 is mapped to 0.
* Repeat the same for GF(2^2^2) and GF(2^2).
* We get the following algorithm:
* inv8(a0,a1):
* x0 = a0^a1
* [y0,y1] = mul4([x0,a1],[a0,a1]); (*)
* y1 = mul4(8,y1);
* t = inv4(y0^y1);
* [b0,b1] = mul4([x0,a1],[t,t]); (*)
* return [b0,b1];
* The non-linear multiplies (*) can be done in parallel at no extra cost.
*/
static void SubWord(u32 *w)
{
u32 x, y, a1, a2, a3, a4, a5, a6;
x = *w;
y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
x &= 0xDDDDDDDDu;
x ^= y & 0x57575757u;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x1C1C1C1Cu;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x4A4A4A4Au;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x42424242u;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x64646464u;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0xE0E0E0E0u;
a1 = x;
a1 ^= (x & 0xF0F0F0F0u) >> 4;
a2 = ((x & 0xCCCCCCCCu) >> 2) | ((x & 0x33333333u) << 2);
a3 = x & a1;
a3 ^= (a3 & 0xAAAAAAAAu) >> 1;
a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAu;
a4 = a2 & a1;
a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAu;
a5 = (a3 & 0xCCCCCCCCu) >> 2;
a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
a4 = a5 & 0x22222222u;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x22222222u;
a3 ^= a4;
a5 = a3 & 0xA0A0A0A0u;
a5 |= a5 >> 1;
a5 ^= (a3 << 1) & 0xA0A0A0A0u;
a4 = a5 & 0xC0C0C0C0u;
a6 = a4 >> 2;
a4 ^= (a5 << 2) & 0xC0C0C0C0u;
a5 = a6 & 0x20202020u;
a5 |= a5 >> 1;
a5 ^= (a6 << 1) & 0x20202020u;
a4 |= a5;
a3 ^= a4 >> 4;
a3 &= 0x0F0F0F0Fu;
a2 = a3;
a2 ^= (a3 & 0x0C0C0C0Cu) >> 2;
a4 = a3 & a2;
a4 ^= (a4 & 0x0A0A0A0A0Au) >> 1;
a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0Au;
a5 = a4 & 0x08080808u;
a5 |= a5 >> 1;
a5 ^= (a4 << 1) & 0x08080808u;
a4 ^= a5 >> 2;
a4 &= 0x03030303u;
a4 ^= (a4 & 0x02020202u) >> 1;
a4 |= a4 << 2;
a3 = a2 & a4;
a3 ^= (a3 & 0x0A0A0A0Au) >> 1;
a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0Au;
a3 |= a3 << 4;
a2 = ((a1 & 0xCCCCCCCCu) >> 2) | ((a1 & 0x33333333u) << 2);
x = a1 & a3;
x ^= (x & 0xAAAAAAAAu) >> 1;
x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAu;
a4 = a2 & a3;
a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAu;
a5 = (x & 0xCCCCCCCCu) >> 2;
x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
a4 = a5 & 0x22222222u;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x22222222u;
x ^= a4;
y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
x &= 0x39393939u;
x ^= y & 0x3F3F3F3Fu;
y = ((y & 0xFCFCFCFCu) >> 2) | ((y & 0x03030303u) << 6);
x ^= y & 0x97979797u;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x9B9B9B9Bu;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x3C3C3C3Cu;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0xDDDDDDDDu;
y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
x ^= y & 0x72727272u;
x ^= 0x63636363u;
*w = x;
}
static void SubLong(u64 *w)
{
u64 x, y, a1, a2, a3, a4, a5, a6;
x = *w;
y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
x &= 0xDDDDDDDDDDDDDDDDuLL;
x ^= y & 0x5757575757575757uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x1C1C1C1C1C1C1C1CuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x4A4A4A4A4A4A4A4AuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x4242424242424242uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x6464646464646464uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xE0E0E0E0E0E0E0E0uLL;
a1 = x;
a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4;
a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2);
a3 = x & a1;
a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL;
a4 = a2 & a1;
a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
a4 = a5 & 0x2222222222222222uLL;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x2222222222222222uLL;
a3 ^= a4;
a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL;
a5 |= a5 >> 1;
a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL;
a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL;
a6 = a4 >> 2;
a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL;
a5 = a6 & 0x2020202020202020uLL;
a5 |= a5 >> 1;
a5 ^= (a6 << 1) & 0x2020202020202020uLL;
a4 |= a5;
a3 ^= a4 >> 4;
a3 &= 0x0F0F0F0F0F0F0F0FuLL;
a2 = a3;
a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2;
a4 = a3 & a2;
a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL;
a5 = a4 & 0x0808080808080808uLL;
a5 |= a5 >> 1;
a5 ^= (a4 << 1) & 0x0808080808080808uLL;
a4 ^= a5 >> 2;
a4 &= 0x0303030303030303uLL;
a4 ^= (a4 & 0x0202020202020202uLL) >> 1;
a4 |= a4 << 2;
a3 = a2 & a4;
a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL;
a3 |= a3 << 4;
a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2);
x = a1 & a3;
x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL;
a4 = a2 & a3;
a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
a4 = a5 & 0x2222222222222222uLL;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x2222222222222222uLL;
x ^= a4;
y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
x &= 0x3939393939393939uLL;
x ^= y & 0x3F3F3F3F3F3F3F3FuLL;
y = ((y & 0xFCFCFCFCFCFCFCFCuLL) >> 2) | ((y & 0x0303030303030303uLL) << 6);
x ^= y & 0x9797979797979797uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x9B9B9B9B9B9B9B9BuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x3C3C3C3C3C3C3C3CuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xDDDDDDDDDDDDDDDDuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x7272727272727272uLL;
x ^= 0x6363636363636363uLL;
*w = x;
}
/*
* This computes w := (S^-1 * (w + c))^-1
*/
static void InvSubLong(u64 *w)
{
u64 x, y, a1, a2, a3, a4, a5, a6;
x = *w;
x ^= 0x6363636363636363uLL;
y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
x &= 0xFDFDFDFDFDFDFDFDuLL;
x ^= y & 0x5E5E5E5E5E5E5E5EuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xF3F3F3F3F3F3F3F3uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xF5F5F5F5F5F5F5F5uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x7878787878787878uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x7777777777777777uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x1515151515151515uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xA5A5A5A5A5A5A5A5uLL;
a1 = x;
a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4;
a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2);
a3 = x & a1;
a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL;
a4 = a2 & a1;
a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
a4 = a5 & 0x2222222222222222uLL;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x2222222222222222uLL;
a3 ^= a4;
a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL;
a5 |= a5 >> 1;
a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL;
a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL;
a6 = a4 >> 2;
a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL;
a5 = a6 & 0x2020202020202020uLL;
a5 |= a5 >> 1;
a5 ^= (a6 << 1) & 0x2020202020202020uLL;
a4 |= a5;
a3 ^= a4 >> 4;
a3 &= 0x0F0F0F0F0F0F0F0FuLL;
a2 = a3;
a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2;
a4 = a3 & a2;
a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL;
a5 = a4 & 0x0808080808080808uLL;
a5 |= a5 >> 1;
a5 ^= (a4 << 1) & 0x0808080808080808uLL;
a4 ^= a5 >> 2;
a4 &= 0x0303030303030303uLL;
a4 ^= (a4 & 0x0202020202020202uLL) >> 1;
a4 |= a4 << 2;
a3 = a2 & a4;
a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL;
a3 |= a3 << 4;
a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2);
x = a1 & a3;
x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL;
a4 = a2 & a3;
a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
a4 = a5 & 0x2222222222222222uLL;
a4 |= a4 >> 1;
a4 ^= (a5 << 1) & 0x2222222222222222uLL;
x ^= a4;
y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
x &= 0xB5B5B5B5B5B5B5B5uLL;
x ^= y & 0x4040404040404040uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x8080808080808080uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x1616161616161616uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xEBEBEBEBEBEBEBEBuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x9797979797979797uLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0xFBFBFBFBFBFBFBFBuLL;
y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
x ^= y & 0x7D7D7D7D7D7D7D7DuLL;
*w = x;
}
static void ShiftRows(u64 *state)
{
unsigned char s[4];
unsigned char *s0;
int r;
s0 = (unsigned char *)state;
for (r = 0; r < 4; r++) {
s[0] = s0[0*4 + r];
s[1] = s0[1*4 + r];
s[2] = s0[2*4 + r];
s[3] = s0[3*4 + r];
s0[0*4 + r] = s[(r+0) % 4];
s0[1*4 + r] = s[(r+1) % 4];
s0[2*4 + r] = s[(r+2) % 4];
s0[3*4 + r] = s[(r+3) % 4];
}
}
static void InvShiftRows(u64 *state)
{
unsigned char s[4];
unsigned char *s0;
int r;
s0 = (unsigned char *)state;
for (r = 0; r < 4; r++) {
s[0] = s0[0*4 + r];
s[1] = s0[1*4 + r];
s[2] = s0[2*4 + r];
s[3] = s0[3*4 + r];
s0[0*4 + r] = s[(4-r) % 4];
s0[1*4 + r] = s[(5-r) % 4];
s0[2*4 + r] = s[(6-r) % 4];
s0[3*4 + r] = s[(7-r) % 4];
}
}
static void MixColumns(u64 *state)
{
uni s1;
uni s;
int c;
for (c = 0; c < 2; c++) {
s1.d = state[c];
s.d = s1.d;
s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16)
| ((s.d & 0x0000FFFF0000FFFFuLL) << 16);
s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8)
| ((s.d & 0x00FF00FF00FF00FFuLL) << 8);
s.d ^= s1.d;
XtimeLong(&s1.d);
s.d ^= s1.d;
s.b[0] ^= s1.b[1];
s.b[1] ^= s1.b[2];
s.b[2] ^= s1.b[3];
s.b[3] ^= s1.b[0];
s.b[4] ^= s1.b[5];
s.b[5] ^= s1.b[6];
s.b[6] ^= s1.b[7];
s.b[7] ^= s1.b[4];
state[c] = s.d;
}
}
static void InvMixColumns(u64 *state)
{
uni s1;
uni s;
int c;
for (c = 0; c < 2; c++) {
s1.d = state[c];
s.d = s1.d;
s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16)
| ((s.d & 0x0000FFFF0000FFFFuLL) << 16);
s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8)
| ((s.d & 0x00FF00FF00FF00FFuLL) << 8);
s.d ^= s1.d;
XtimeLong(&s1.d);
s.d ^= s1.d;
s.b[0] ^= s1.b[1];
s.b[1] ^= s1.b[2];
s.b[2] ^= s1.b[3];
s.b[3] ^= s1.b[0];
s.b[4] ^= s1.b[5];
s.b[5] ^= s1.b[6];
s.b[6] ^= s1.b[7];
s.b[7] ^= s1.b[4];
XtimeLong(&s1.d);
s1.d ^= ((s1.d & 0xFFFF0000FFFF0000uLL) >> 16)
| ((s1.d & 0x0000FFFF0000FFFFuLL) << 16);
s.d ^= s1.d;
XtimeLong(&s1.d);
s1.d ^= ((s1.d & 0xFF00FF00FF00FF00uLL) >> 8)
| ((s1.d & 0x00FF00FF00FF00FFuLL) << 8);
s.d ^= s1.d;
state[c] = s.d;
}
}
static void AddRoundKey(u64 *state, const u64 *w)
{
state[0] ^= w[0];
state[1] ^= w[1];
}
static void Cipher(const unsigned char *in, unsigned char *out,
const u64 *w, int nr)
{
u64 state[2];
int i;
memcpy(state, in, 16);
AddRoundKey(state, w);
for (i = 1; i < nr; i++) {
SubLong(&state[0]);
SubLong(&state[1]);
ShiftRows(state);
MixColumns(state);
AddRoundKey(state, w + i*2);
}
SubLong(&state[0]);
SubLong(&state[1]);
ShiftRows(state);
AddRoundKey(state, w + nr*2);
memcpy(out, state, 16);
}
static void InvCipher(const unsigned char *in, unsigned char *out,
const u64 *w, int nr)
{
u64 state[2];
int i;
memcpy(state, in, 16);
AddRoundKey(state, w + nr*2);
for (i = nr - 1; i > 0; i--) {
InvShiftRows(state);
InvSubLong(&state[0]);
InvSubLong(&state[1]);
AddRoundKey(state, w + i*2);
InvMixColumns(state);
}
InvShiftRows(state);
InvSubLong(&state[0]);
InvSubLong(&state[1]);
AddRoundKey(state, w);
memcpy(out, state, 16);
}
static void RotWord(u32 *x)
{
unsigned char *w0;
unsigned char tmp;
w0 = (unsigned char *)x;
tmp = w0[0];
w0[0] = w0[1];
w0[1] = w0[2];
w0[2] = w0[3];
w0[3] = tmp;
}
static void KeyExpansion(const unsigned char *key, u64 *w,
int nr, int nk)
{
u32 rcon;
uni prev;
u32 temp;
int i, n;
memcpy(w, key, nk*4);
memcpy(&rcon, "\1\0\0\0", 4);
n = nk/2;
prev.d = w[n-1];
for (i = n; i < (nr+1)*2; i++) {
temp = prev.w[1];
if (i % n == 0) {
RotWord(&temp);
SubWord(&temp);
temp ^= rcon;
XtimeWord(&rcon);
} else if (nk > 6 && i % n == 2) {
SubWord(&temp);
}
prev.d = w[i-n];
prev.w[0] ^= temp;
prev.w[1] ^= prev.w[0];
w[i] = prev.d;
}
}
/**
* Expand the cipher key into the encryption key schedule.
*/
int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
AES_KEY *key)
{
u64 *rk;
if (!userKey || !key)
return -1;
if (bits != 128 && bits != 192 && bits != 256)
return -2;
rk = (u64*)key->rd_key;
if (bits == 128)
key->rounds = 10;
else if (bits == 192)
key->rounds = 12;
else
key->rounds = 14;
KeyExpansion(userKey, rk, key->rounds, bits/32);
return 0;
}
/**
* Expand the cipher key into the decryption key schedule.
*/
int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
AES_KEY *key)
{
return AES_set_encrypt_key(userKey, bits, key);
}
/*
* Encrypt a single block
* in and out can overlap
*/
void AES_encrypt(const unsigned char *in, unsigned char *out,
const AES_KEY *key)
{
const u64 *rk;
assert(in && out && key);
rk = (u64*)key->rd_key;
Cipher(in, out, rk, key->rounds);
}
/*
* Decrypt a single block
* in and out can overlap
*/
void AES_decrypt(const unsigned char *in, unsigned char *out,
const AES_KEY *key)
{
const u64 *rk;
assert(in && out && key);
rk = (u64*)key->rd_key;
InvCipher(in, out, rk, key->rounds);
}
#elif !defined(AES_ASM)
/*-
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];

2
crypto/aes/aes_ecb.c
View File

@@ -10,7 +10,7 @@
#include <assert.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"
void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
const AES_KEY *key, const int enc)

18
crypto/aes/aes_ige.c
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -10,12 +10,7 @@
#include "internal/cryptlib.h"
#include <openssl/aes.h>
#include "aes_locl.h"
#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
typedef struct {
unsigned long data[N_WORDS];
} aes_block_t;
#include "aes_local.h"
/* XXX: probably some better way to do this */
#if defined(__i386__) || defined(__x86_64__)
@@ -24,6 +19,15 @@ typedef struct {
# define UNALIGNED_MEMOPS_ARE_FAST 0
#endif
#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
typedef struct {
unsigned long data[N_WORDS];
#if defined(__GNUC__) && UNALIGNED_MEMOPS_ARE_FAST
} aes_block_t __attribute((__aligned__(1)));
#else
} aes_block_t;
#endif
#if UNALIGNED_MEMOPS_ARE_FAST
# define load_block(d, s) (d) = *(const aes_block_t *)(s)
# define store_block(d, s) *(aes_block_t *)(d) = (s)

9
crypto/aes/aes_locl.h → crypto/aes/aes_local.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_AES_LOCL_H
# define HEADER_AES_LOCL_H
#ifndef OSSL_CRYPTO_AES_LOCAL_H
# define OSSL_CRYPTO_AES_LOCAL_H
# include <openssl/e_os2.h>
# include <stdio.h>
@@ -24,6 +24,7 @@
# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); }
# endif
typedef unsigned long long u64;
# ifdef AES_LONG
typedef unsigned long u32;
# else
@@ -39,4 +40,4 @@ typedef unsigned char u8;
/* This controls loop-unrolling in aes_core.c */
# undef FULL_UNROLL
#endif /* !HEADER_AES_LOCL_H */
#endif /* !OSSL_CRYPTO_AES_LOCAL_H */

2
crypto/aes/aes_misc.c
View File

@@ -9,7 +9,7 @@
#include <openssl/opensslv.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"
const char *AES_options(void)
{

2
crypto/aes/aes_x86core.c
View File

@@ -46,7 +46,7 @@
#include <stdlib.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"
/*
* These two parameters control which table, 256-byte or 2KB, is

3000
crypto/aes/asm/aes-586.pl
View File

File diff suppressed because it is too large Load Diff

4
crypto/aes/asm/aes-armv4.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1242,4 +1242,4 @@ while(<SELF>) {
close SELF;
print $code;
close STDOUT; # enforce flush
close STDOUT or die "error closing STDOUT: $!"; # enforce flush

4
crypto/aes/asm/aes-c64xplus.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1379,4 +1379,4 @@ AES_Td4:
___
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

4
crypto/aes/asm/aes-mips.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2167,4 +2167,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

4
crypto/aes/asm/aes-parisc.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1035,4 +1035,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

4
crypto/aes/asm/aes-ppc.pl
View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1456,4 +1456,4 @@ ___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

Some files were not shown because too many files have changed in this diff Show More