Import OpenSSL-0.9.8m.
authorPeter Avalos <pavalos@dragonflybsd.org>
Sun, 28 Feb 2010 00:07:00 +0000 (00:07 +0000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sun, 28 Feb 2010 00:07:00 +0000 (00:07 +0000)
This new OpenSSL version is a security and bugfix release which
implements RFC5746 to address renegotiation vulnerabilities mentioned in
CVE-2009-3555. For a complete list of changes, please see the CHANGES
file.

146 files changed:
crypto/openssl/CHANGES
crypto/openssl/FAQ
crypto/openssl/NEWS
crypto/openssl/README
crypto/openssl/README.DELETED
crypto/openssl/apps/CA.pl
crypto/openssl/apps/CA.sh
crypto/openssl/apps/apps.c
crypto/openssl/apps/ca.c
crypto/openssl/apps/dsa.c
crypto/openssl/apps/dsaparam.c
crypto/openssl/apps/enc.c
crypto/openssl/apps/gendsa.c
crypto/openssl/apps/genrsa.c
crypto/openssl/apps/openssl.c
crypto/openssl/apps/pkcs12.c
crypto/openssl/apps/req.c
crypto/openssl/apps/s_apps.h
crypto/openssl/apps/s_cb.c
crypto/openssl/apps/s_client.c
crypto/openssl/apps/s_server.c
crypto/openssl/apps/s_socket.c
crypto/openssl/apps/speed.c
crypto/openssl/apps/x509.c
crypto/openssl/crypto/aes/aes_cfb.c
crypto/openssl/crypto/asn1/a_mbstr.c
crypto/openssl/crypto/asn1/a_object.c
crypto/openssl/crypto/asn1/asn1.h
crypto/openssl/crypto/asn1/asn1_err.c
crypto/openssl/crypto/asn1/asn1_gen.c
crypto/openssl/crypto/asn1/asn1_par.c
crypto/openssl/crypto/asn1/t_x509.c
crypto/openssl/crypto/bio/bio.h
crypto/openssl/crypto/bio/bss_dgram.c
crypto/openssl/crypto/bio/bss_file.c
crypto/openssl/crypto/bn/bn_div.c
crypto/openssl/crypto/bn/bn_exp.c
crypto/openssl/crypto/bn/bn_gf2m.c
crypto/openssl/crypto/bn/bn_mul.c
crypto/openssl/crypto/cast/c_cfb64.c
crypto/openssl/crypto/cast/c_ecb.c
crypto/openssl/crypto/cast/c_enc.c
crypto/openssl/crypto/cast/c_ofb64.c
crypto/openssl/crypto/cast/cast.h
crypto/openssl/crypto/cms/cms_ess.c
crypto/openssl/crypto/cms/cms_lib.c
crypto/openssl/crypto/comp/c_zlib.c
crypto/openssl/crypto/cryptlib.c
crypto/openssl/crypto/dsa/dsa_asn1.c
crypto/openssl/crypto/dsa/dsa_lib.c
crypto/openssl/crypto/dso/dso_dlfcn.c
crypto/openssl/crypto/ec/ec2_smpl.c
crypto/openssl/crypto/ecdsa/ecs_ossl.c
crypto/openssl/crypto/ecdsa/ecs_sign.c
crypto/openssl/crypto/engine/eng_cnf.c
crypto/openssl/crypto/engine/eng_cryptodev.c
crypto/openssl/crypto/engine/eng_ctrl.c
crypto/openssl/crypto/engine/eng_err.c
crypto/openssl/crypto/engine/eng_table.c
crypto/openssl/crypto/engine/engine.h
crypto/openssl/crypto/err/err_all.c
crypto/openssl/crypto/evp/c_allc.c
crypto/openssl/crypto/evp/c_alld.c
crypto/openssl/crypto/evp/digest.c
crypto/openssl/crypto/evp/evp_lib.c
crypto/openssl/crypto/evp/evp_locl.h
crypto/openssl/crypto/lhash/lhash.c
crypto/openssl/crypto/o_init.c
crypto/openssl/crypto/objects/obj_dat.c
crypto/openssl/crypto/objects/obj_dat.h
crypto/openssl/crypto/objects/obj_mac.h
crypto/openssl/crypto/ocsp/ocsp_prn.c
crypto/openssl/crypto/opensslv.h
crypto/openssl/crypto/pem/pem_seal.c
crypto/openssl/crypto/pkcs12/p12_attr.c
crypto/openssl/crypto/pkcs12/p12_key.c
crypto/openssl/crypto/pkcs12/p12_utl.c
crypto/openssl/crypto/pkcs12/pkcs12.h
crypto/openssl/crypto/pkcs7/pk7_mime.c
crypto/openssl/crypto/pqueue/pqueue.c
crypto/openssl/crypto/pqueue/pqueue.h
crypto/openssl/crypto/rand/randfile.c
crypto/openssl/crypto/rsa/rsa_eng.c
crypto/openssl/crypto/rsa/rsa_oaep.c
crypto/openssl/crypto/rsa/rsa_pss.c
crypto/openssl/crypto/rsa/rsa_sign.c
crypto/openssl/crypto/sha/sha512.c
crypto/openssl/crypto/stack/safestack.h
crypto/openssl/crypto/symhacks.h
crypto/openssl/crypto/ui/ui_openssl.c
crypto/openssl/crypto/x509/by_dir.c
crypto/openssl/crypto/x509/x509.h
crypto/openssl/crypto/x509/x509_lu.c
crypto/openssl/crypto/x509/x509_vfy.c
crypto/openssl/crypto/x509/x509_vfy.h
crypto/openssl/crypto/x509/x509_vpm.c
crypto/openssl/crypto/x509v3/pcy_tree.c
crypto/openssl/crypto/x509v3/v3_alt.c
crypto/openssl/crypto/x509v3/v3_ocsp.c
crypto/openssl/doc/apps/enc.pod
crypto/openssl/doc/apps/verify.pod
crypto/openssl/doc/crypto/ASN1_generate_nconf.pod
crypto/openssl/doc/crypto/EVP_DigestInit.pod
crypto/openssl/doc/crypto/PKCS12_parse.pod
crypto/openssl/doc/crypto/bn_internal.pod
crypto/openssl/doc/crypto/d2i_X509.pod
crypto/openssl/doc/crypto/d2i_X509_CRL.pod
crypto/openssl/doc/crypto/d2i_X509_REQ.pod
crypto/openssl/doc/crypto/hmac.pod
crypto/openssl/doc/crypto/pem.pod
crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod
crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
crypto/openssl/engines/e_ubsec.c
crypto/openssl/ssl/d1_both.c
crypto/openssl/ssl/d1_clnt.c
crypto/openssl/ssl/d1_enc.c
crypto/openssl/ssl/d1_lib.c
crypto/openssl/ssl/d1_pkt.c
crypto/openssl/ssl/d1_srvr.c
crypto/openssl/ssl/dtls1.h
crypto/openssl/ssl/kssl.c
crypto/openssl/ssl/s23_clnt.c
crypto/openssl/ssl/s23_srvr.c
crypto/openssl/ssl/s2_srvr.c
crypto/openssl/ssl/s3_both.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_lib.c
crypto/openssl/ssl/s3_pkt.c
crypto/openssl/ssl/s3_srvr.c
crypto/openssl/ssl/ssl.h
crypto/openssl/ssl/ssl3.h
crypto/openssl/ssl/ssl_algs.c
crypto/openssl/ssl/ssl_asn1.c
crypto/openssl/ssl/ssl_cert.c
crypto/openssl/ssl/ssl_ciph.c
crypto/openssl/ssl/ssl_err.c
crypto/openssl/ssl/ssl_lib.c
crypto/openssl/ssl/ssl_locl.h
crypto/openssl/ssl/ssl_rsa.c
crypto/openssl/ssl/ssl_sess.c
crypto/openssl/ssl/ssl_stat.c
crypto/openssl/ssl/ssl_txt.c
crypto/openssl/ssl/t1_enc.c
crypto/openssl/ssl/t1_lib.c
crypto/openssl/ssl/t1_reneg.c [copied from crypto/openssl/ssl/d1_enc.c with 52% similarity]
crypto/openssl/ssl/tls1.h

index 3c9f51c..97b3810 100644 (file)
@@ -2,6 +2,166 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
+
+  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
+     [Martin Olsson, Neel Mehta]
+
+  *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
+     accommodate for stack sorting, always a write lock!).
+     [Bodo Moeller]
+
+  *) On some versions of WIN32 Heap32Next is very slow. This can cause
+     excessive delays in the RAND_poll(): over a minute. As a workaround
+     include a time check in the inner Heap32Next loop too.
+     [Steve Henson]
+
+  *) The code that handled flushing of data in SSL/TLS originally used the
+     BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
+     the problem outlined in PR#1949. The fix suggested there however can
+     trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
+     of Apache). So instead simplify the code to flush unconditionally.
+     This should be fine since flushing with no data to flush is a no op.
+     [Steve Henson]
+
+  *) Handle TLS versions 2.0 and later properly and correctly use the
+     highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
+     off ancient servers have a habit of sticking around for a while...
+     [Steve Henson]
+
+  *) Modify compression code so it frees up structures without using the
+     ex_data callbacks. This works around a problem where some applications
+     call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
+     restarting) then use compression (e.g. SSL with compression) later.
+     This results in significant per-connection memory leaks and
+     has caused some security issues including CVE-2008-1678 and
+     CVE-2009-4355.
+     [Steve Henson]
+
+  *) Constify crypto/cast (i.e., <openssl/cast.h>): a CAST_KEY doesn't
+     change when encrypting or decrypting.
+     [Bodo Moeller]
+
+  *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
+     connect and renegotiate with servers which do not support RI.
+     Until RI is more widely deployed this option is enabled by default.
+     [Steve Henson]
+
+  *) Add "missing" ssl ctrls to clear options and mode.
+     [Steve Henson]
+
+  *) If client attempts to renegotiate and doesn't support RI respond with
+     a no_renegotiation alert as required by RFC5746.  Some renegotiating
+     TLS clients will continue a connection gracefully when they receive
+     the alert. Unfortunately OpenSSL mishandled this alert and would hang
+     waiting for a server hello which it will never receive. Now we treat a
+     received no_renegotiation alert as a fatal error. This is because
+     applications requesting a renegotiation might well expect it to succeed
+     and would have no code in place to handle the server denying it so the
+     only safe thing to do is to terminate the connection.
+     [Steve Henson]
+
+  *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
+     peer supports secure renegotiation and 0 otherwise. Print out peer
+     renegotiation support in s_client/s_server.
+     [Steve Henson]
+
+  *) Replace the highly broken and deprecated SPKAC certification method with
+     the updated NID creation version. This should correctly handle UTF8.
+     [Steve Henson]
+
+  *) Implement RFC5746. Re-enable renegotiation but require the extension
+     as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     turns out to be a bad idea. It has been replaced by
+     SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
+     SSL_CTX_set_options(). This is really not recommended unless you
+     know what you are doing.
+     [Eric Rescorla <ekr@networkresonance.com>, Ben Laurie, Steve Henson]
+
+  *) Fixes to stateless session resumption handling. Use initial_ctx when
+     issuing and attempting to decrypt tickets in case it has changed during
+     servername handling. Use a non-zero length session ID when attempting
+     stateless session resumption: this makes it possible to determine if
+     a resumption has occurred immediately after receiving server hello
+     (several places in OpenSSL subtly assume this) instead of later in
+     the handshake.
+     [Steve Henson]
+
+  *) The functions ENGINE_ctrl(), OPENSSL_isservice(),
+     CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error
+     fixes for a few places where the return code is not checked
+     correctly.
+     [Julia Lawall <julia@diku.dk>]
+
+  *) Add --strict-warnings option to Configure script to include devteam
+     warnings in other configurations.
+     [Steve Henson]
+
+  *) Add support for --libdir option and LIBDIR variable in makefiles. This
+     makes it possible to install openssl libraries in locations which
+     have names other than "lib", for example "/usr/lib64" which some
+     systems need.
+     [Steve Henson, based on patch from Jeremy Utley]
+
+  *) Don't allow the use of leading 0x80 in OIDs. This is a violation of
+     X690 8.9.12 and can produce some misleading textual output of OIDs.
+     [Steve Henson, reported by Dan Kaminsky]
+
+  *) Delete MD2 from algorithm tables. This follows the recommendation in
+     several standards that it is not used in new applications due to
+     several cryptographic weaknesses. For binary compatibility reasons
+     the MD2 API is still compiled in by default.
+     [Steve Henson]
+
+  *) Add compression id to {d2i,i2d}_SSL_SESSION so it is correctly saved
+     and restored.
+     [Steve Henson]
+
+  *) Rename uni2asc and asc2uni functions to OPENSSL_uni2asc and
+     OPENSSL_asc2uni conditionally on Netware platforms to avoid a name
+     clash.
+     [Guenter <lists@gknw.net>]
+
+  *) Fix the server certificate chain building code to use X509_verify_cert(),
+     it used to have an ad-hoc builder which was unable to cope with anything
+     other than a simple chain.
+     [David Woodhouse <dwmw2@infradead.org>, Steve Henson]
+
+  *) Don't check self signed certificate signatures in X509_verify_cert()
+     by default (a flag can override this): it just wastes time without
+     adding any security. As a useful side effect self signed root CAs
+     with non-FIPS digests are now usable in FIPS mode.
+     [Steve Henson]
+
+  *) In dtls1_process_out_of_seq_message() the check if the current message
+     is already buffered was missing. For every new message was memory
+     allocated, allowing an attacker to perform an denial of service attack
+     with sending out of seq handshake messages until there is no memory
+     left. Additionally every future messege was buffered, even if the
+     sequence number made no sense and would be part of another handshake.
+     So only messages with sequence numbers less than 10 in advance will be
+     buffered.  (CVE-2009-1378)
+     [Robin Seggelmann, discovered by Daniel Mentz]    
+
+  *) Records are buffered if they arrive with a future epoch to be
+     processed after finishing the corresponding handshake. There is
+     currently no limitation to this buffer allowing an attacker to perform
+     a DOS attack with sending records with future epochs until there is no
+     memory left. This patch adds the pqueue_size() function to detemine
+     the size of a buffer and limits the record buffer to 100 entries.
+     (CVE-2009-1377)
+     [Robin Seggelmann, discovered by Daniel Mentz]    
+
+  *) Keep a copy of frag->msg_header.frag_len so it can be used after the
+     parent structure is freed.  (CVE-2009-1379)
+     [Daniel Mentz]    
+
+  *) Handle non-blocking I/O properly in SSL_shutdown() call.
+     [Darryl Miles <darryl-mailinglists@netbauds.net>]
+
+  *) Add 2.5.4.* OIDs
+     [Ilya O. <vrghost@gmail.com>]
+
  Changes between 0.9.8k and 0.9.8l  [5 Nov 2009]
 
   *) Disable renegotiation completely - this fixes a severe security
 
  Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
 
+  *) Fix NULL pointer dereference if a DTLS server received
+     ChangeCipherSpec as first record (CVE-2009-1386).
+     [PR #1679]
+
   *) Fix a state transitition in s3_srvr.c and d1_srvr.c
      (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
      [Nagendra Modadugu]
      differing sizes.
      [Richard Levitte]
 
- Changes between 0.9.7m and 0.9.7n  [xx XXX xxxx]
-
-  *) In the SSL/TLS server implementation, be strict about session ID
-     context matching (which matters if an application uses a single
-     external cache for different purposes).  Previously,
-     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
-     set.  This did ensure strict client verification, but meant that,
-     with applications using a single external cache for quite
-     different requirements, clients could circumvent ciphersuite
-     restrictions for a given session ID context by starting a session
-     in a different context.
-     [Bodo Moeller]
-
  Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
 
   *) Cleanse PEM buffers before freeing them since they may contain 
index 93613bb..8041479 100644 (file)
@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8l was released on Nov 5th, 2009.
+OpenSSL 0.9.8m was released on Feb 25th, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
index 87ed364..7bff959 100644 (file)
@@ -5,9 +5,21 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+
+      o Cipher definition fixes.
+      o Workaround for slow RAND_poll() on some WIN32 versions.
+      o Remove MD2 from algorithm tables.
+      o SPKAC handling fixes.
+      o Support for RFC5746 TLS renegotiation extension.
+      o Compression memory leak fixed.
+      o Compression session resumption fixed.
+      o Ticket and SNI coexistence fixes.
+      o Many fixes to DTLS handling. 
+
   Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
 
-      o Ban renegotiation.
+      o Temporary work around for CVE-2009-3555: disable renegotiation.
 
   Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
 
index b976e2b..0cfba9c 100644 (file)
@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.8l
+ OpenSSL 0.9.8m
 
- Copyright (c) 1998-2008 The OpenSSL Project
+ Copyright (c) 1998-2009 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
  should be contacted if that algorithm is to be used; their web page is
  http://www.ascom.ch/.
 
- The MDC2 algorithm is patented by IBM.
-
  NTT and Mitsubishi have patents and pending patents on the Camellia
  algorithm, but allow use at no charge without requiring an explicit
  licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
  SUPPORT
  -------
 
+ See the OpenSSL website www.openssl.org for details of how to obtain
+ commercial technical support.
+
  If you have any problems with OpenSSL then please take the following steps
  first:
 
 
     openssl-bugs@openssl.org
 
+ Note that the request tracker should NOT be used for general assistance
+ or support queries. Just because something doesn't work the way you expect
+ does not mean it is necessarily a bug in OpenSSL.
+
  Note that mail to openssl-bugs@openssl.org is recorded in the publicly
  readable request tracker database and is forwarded to a public
  mailing list. Confidential mail may be sent to openssl-security@openssl.org
 
  Development is coordinated on the openssl-dev mailing list (see
  http://www.openssl.org for information on subscribing). If you
- would like to submit a patch, send it to openssl-dev@openssl.org with
+ would like to submit a patch, send it to openssl-bugs@openssl.org with
  the string "[PATCH]" in the subject. Please be sure to include a
  textual explanation of what your patch does.
 
+ If you are unsure as to whether a feature will be useful for the general
+ OpenSSL community please discuss it on the openssl-dev mailing list first.
+ Someone may be already working on the same thing or there may be a good
+ reason as to why that feature isn't implemented.
+
+ Patches should be as up to date as possible, preferably relative to the
+ current CVS or the last snapshot. They should follow the coding style of
+ OpenSSL and compile without warnings. Some of the core team developer targets
+ can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
+ compiles on many varied platforms: try to ensure you only use portable
+ features.
+
  Note: For legal reasons, contributions from the US can be accepted only
  if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
  (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
index 59d6a27..abb4904 100644 (file)
@@ -33,7 +33,6 @@ apps/dsa-pca.pem
 apps/dsa1024.pem
 apps/dsa512.pem
 apps/dsap.pem
-apps/genpkey.c
 apps/install.com
 apps/makeapps.com
 apps/md4.c
@@ -42,9 +41,6 @@ apps/openssl-vms.cnf
 apps/pca-cert.srl
 apps/pca-key.pem
 apps/pca-req.pem
-apps/pkey.c
-apps/pkeyparam.c
-apps/pkeyutl.c
 apps/privkey.pem
 apps/progs.pl
 apps/req.pem
@@ -58,8 +54,6 @@ apps/server.srl
 apps/server2.pem
 apps/set/
 apps/testCA.pem
-apps/ts.c
-apps/tsget
 apps/winrand.c
 bugs/
 certs/
@@ -71,17 +65,11 @@ crypto/LPdir_win32.c
 crypto/LPdir_wince.c
 crypto/Makefile
 crypto/aes/Makefile
-crypto/aes/aes_x86core.c
 crypto/aes/asm/
 crypto/asn1/Makefile
-crypto/asn1/ameth_lib.c
-crypto/asn1/asn1_locl.h
-crypto/asn1/bio_asn1.c
-crypto/asn1/bio_ndef.c
 crypto/asn1/charmap.pl
 crypto/asn1/p8_key.c
 crypto/asn1/tasn_prn.c
-crypto/asn1/x_nx509.c
 crypto/bf/INSTALL
 crypto/bf/Makefile
 crypto/bf/asm/
@@ -105,7 +93,6 @@ crypto/bn/exptest.c
 crypto/bn/vms-helper.c
 crypto/buffer/Makefile
 crypto/camellia/Makefile
-crypto/camellia/asm/
 crypto/cast/Makefile
 crypto/cast/asm/
 crypto/cast/cast_spd.c
@@ -233,7 +220,6 @@ crypto/pkcs7/server.pem
 crypto/pkcs7/sign.c
 crypto/pkcs7/t/
 crypto/pkcs7/verify.c
-crypto/ppccpuid.pl
 crypto/pqueue/Makefile
 crypto/rand/Makefile
 crypto/rand/rand_os2.c
@@ -263,7 +249,6 @@ crypto/ripemd/rmd160.c
 crypto/ripemd/rmdtest.c
 crypto/rsa/Makefile
 crypto/rsa/rsa_test.c
-crypto/s390xcpuid.S
 crypto/seed/
 crypto/sha/Makefile
 crypto/sha/asm/
@@ -275,7 +260,6 @@ crypto/sha/sha256t.c
 crypto/sha/sha512t.c
 crypto/sha/shatest.c
 crypto/sparccpuid.S
-crypto/sparcv9cap.c
 crypto/stack/Makefile
 crypto/store/Makefile
 crypto/threads/mttest.c
@@ -309,7 +293,7 @@ doc/openssl_button.html
 doc/ssleay.txt
 doc/standards.txt
 engines/Makefile
-engines/axp.opt
+engines/alpha.opt
 engines/e_4758cca.ec
 engines/e_aep.ec
 engines/e_atalla.ec
@@ -324,6 +308,7 @@ engines/e_nuron.ec
 engines/e_sureware.ec
 engines/e_ubsec.ec
 engines/engine_vector.mar
+engines/ia64.opt
 engines/makeengines.com
 engines/vax.opt
 fips/
index 05f11dd..a3965ec 100644 (file)
@@ -1,4 +1,4 @@
-#!/usr/bin/perl5
+#!/usr/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
index a0b20d8..7ad6b8c 100644 (file)
@@ -5,10 +5,10 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
-# CA -sign ... will sign the generated request and output 
+# CA -newreq ... will generate a certificate request
+# CA -sign ... will sign the generated request and output
 #
-# At the end of that grab newreq.pem and newcert.pem (one has the key 
+# At the end of that grab newreq.pem and newcert.pem (one has the key
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
@@ -16,8 +16,8 @@
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-#                 environment variable so this can be driven from
-#                 a script.
+#                  environment variable so this can be driven from
+#                  a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
 
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
+cp_pem() {
+    infile=$1
+    outfile=$2
+    bound=$3
+    flag=0
+    exec <$infile;
+    while read line; do
+       if [ $flag -eq 1 ]; then
+               echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
+               if [ $? -eq 0 ] ; then
+                       echo $line >>$outfile
+                       break
+               else
+                       echo $line >>$outfile
+               fi
+       fi
+
+       echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
+       if [ $? -eq 0 ]; then
+               echo $line >$outfile
+               flag=1
+       fi
+    done
+}
+
+usage() {
+ echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
+}
 
 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
 
-DAYS="-days 365"       # 1 year
+if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
 CADAYS="-days 1095"    # 3 years
 REQ="$OPENSSL req $SSLEAY_CONFIG"
 CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
 X509="$OPENSSL x509"
+PKCS12="openssl pkcs12"
 
-CATOP=./demoCA
+if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
 
-for i
-do
-case $i in
+RET=0
+
+while [ "$1" != "" ] ; do
+case $1 in
 -\?|-h|-help)
-    echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" >&2
+    usage
     exit 0
     ;;
--newcert) 
+-newcert)
     # create a certificate
     $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
     RET=$?
     echo "Certificate is in newcert.pem, private key is in newkey.pem"
     ;;
--newreq) 
+-newreq)
     # create a certificate request
     $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
     RET=$?
     echo "Request is in newreq.pem, private key is in newkey.pem"
     ;;
--newca)     
+-newreq-nodes) 
+    # create a certificate request
+    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
+    RET=$?
+    echo "Request (and private key) is in newreq.pem"
+    ;;
+-newca)
     # if explicitly asked for or it doesn't exist then setup the directory
-    # structure that Eric likes to manage things 
+    # structure that Eric likes to manage things
     NEW="1"
     if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
        # create the directory hierarchy
-       mkdir ${CATOP} 
-       mkdir ${CATOP}/certs 
-       mkdir ${CATOP}/crl 
-       mkdir ${CATOP}/newcerts
-       mkdir ${CATOP}/private
-       echo "00" > ${CATOP}/serial
+       mkdir -p ${CATOP}
+       mkdir -p ${CATOP}/certs
+       mkdir -p ${CATOP}/crl
+       mkdir -p ${CATOP}/newcerts
+       mkdir -p ${CATOP}/private
        touch ${CATOP}/index.txt
     fi
     if [ ! -f ${CATOP}/private/$CAKEY ]; then
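Review bot: `exec <$infile` in cp_pem re-points the whole script's standard input at the PEM file and never restores it, so any later step in the same run that prompts on stdin would read from that file instead of the terminal. Scoping the redirection to the loop avoids this: `while read -r line; do ... done <"$infile"`, with `"$line"` and `"$outfile"` quoted in the echo lines so paths with spaces or glob characters are not split. The extracted CA private key is also created by `>$outfile` with whatever umask the caller has; a `umask 077` before the write would keep it from being readable by other users. Separately, `PKCS12="openssl pkcs12"` bypasses the `$OPENSSL` override that REQ, CA, VERIFY and X509 use on the neighbouring lines; `PKCS12="$OPENSSL pkcs12"` keeps every step on the same binary.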
@@ -83,37 +118,60 @@ case $i in
 
        # ask user for existing CA certificate
        if [ "$FILE" ]; then
-           cp $FILE ${CATOP}/private/$CAKEY
+           cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
+           cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
            RET=$?
+           if [ ! -f "${CATOP}/serial" ]; then
+               $X509 -in ${CATOP}/$CACERT -noout -next_serial \
+                     -out ${CATOP}/serial
+           fi
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout ${CATOP}/private/$CAKEY \
                           -out ${CATOP}/$CAREQ
-           $CA -out ${CATOP}/$CACERT $CADAYS -batch \
+           $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
                           -keyfile ${CATOP}/private/$CAKEY -selfsign \
-                          -infiles ${CATOP}/$CAREQ 
+                          -extensions v3_ca \
+                          -infiles ${CATOP}/$CAREQ
            RET=$?
        fi
     fi
     ;;
 -xsign)
-    $CA -policy policy_anything -infiles newreq.pem 
+    $CA -policy policy_anything -infiles newreq.pem
     RET=$?
     ;;
--sign|-signreq) 
+-pkcs12)
+    if [ -z "$2" ] ; then
+       CNAME="My Certificate"
+    else
+       CNAME="$2"
+    fi
+    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
+           -out newcert.p12 -export -name "$CNAME"
+    RET=$?
+    exit $RET
+    ;;
+-sign|-signreq)
     $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
     RET=$?
     cat newcert.pem
     echo "Signed certificate is in newcert.pem"
     ;;
--signcert) 
+-signCA)
+    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
+    RET=$?
+    echo "Signed CA certificate is in newcert.pem"
+    ;;
+-signcert)
     echo "Cert passphrase will be requested twice - bug?"
     $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
     $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
+    RET=$?
     cat newcert.pem
     echo "Signed certificate is in newcert.pem"
     ;;
--verify) 
+-verify)
     shift
     if [ -z "$1" ]; then
            $VERIFY -CAfile $CATOP/$CACERT newcert.pem
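Review bot: In the `-newca` import branch, `RET=$?` records only the second `cp_pem` call, and cp_pem returns its loop's status rather than whether a matching BEGIN/END block was found. A file without a PRIVATE KEY block therefore leaves `${CATOP}/private/$CAKEY` missing while the script carries on. A check after each call, for example `[ -s ${CATOP}/private/$CAKEY ] || { echo "no private key found in $FILE" >&2; exit 1; }`, would make a failed CA key import visible; `$FILE` should also be quoted where it is passed. The new `-pkcs12` branch reads the key with `-inkey newreq.pem`, but `-newreq` earlier in this file writes it to newkey.pem, so only `-newreq-nodes` output works with it. The enclosing `case` statement starts before this hunk.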
@@ -127,13 +185,14 @@ case $i in
            fi
        done
     fi
-    exit 0
+    exit $RET
     ;;
 *)
-    echo "Unknown arg $i";
+    echo "Unknown arg $i" >&2
+    usage
     exit 1
     ;;
 esac
+shift
 done
 exit $RET
-
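Review bot: The fallback branch still prints `$i`, but this commit replaced `for i` with `while [ "$1" != "" ]` and `case $1`. Unless something outside the visible hunks assigns `i`, the message comes out as "Unknown arg " with no argument named. It should read `echo "Unknown arg $1" >&2`. The loop and the case statement begin outside this hunk.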
index 498722a..35b62b8 100644 (file)
@@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_X509_STRICT;
        else if (!strcmp(arg, "-policy_print"))
                flags |= X509_V_FLAG_NOTIFY_POLICY;
+       else if (!strcmp(arg, "-check_ss_sig"))
+               flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
        else
                return 0;
 
index 68516ee..651c5a6 100644 (file)
@@ -216,7 +216,6 @@ static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                         char *startdate, char *enddate, long days, char *ext_sect,
                         CONF *conf, int verbose, unsigned long certopt, 
                         unsigned long nameopt, int default_op, int ext_copy);
-static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
@@ -227,7 +226,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, CA_DB *db);
 static int do_updatedb(CA_DB *db);
-static int check_time_format(char *str);
+static int check_time_format(const char *str);
 char *make_revocation_str(int rev_type, char *rev_arg);
 int make_revoked(X509_REVOKED *rev, const char *str);
 int old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str);
@@ -858,8 +857,8 @@ bad:
                        perror(outdir);
                        goto err;
                        }
-#ifdef S_IFDIR
-               if (!(sb.st_mode & S_IFDIR))
+#ifdef S_ISDIR
+               if (!S_ISDIR(sb.st_mode))
                        {
                        BIO_printf(bio_err,"%s need to be a directory\n",outdir);
                        perror(outdir);
@@ -895,7 +894,7 @@ bad:
                        BIO_printf(bio_err," in entry %d\n", i+1);
                        goto err;
                        }
-               if (!check_time_format((char *)pp[DB_exp_date]))
+               if (!check_time_format(pp[DB_exp_date]))
                        {
                        BIO_printf(bio_err,"entry %d: invalid expiry date\n",i+1);
                        goto err;
@@ -1249,7 +1248,12 @@ bad:
                                BIO_printf(bio_err,"\n%d out of %d certificate requests certified, commit? [y/n]",total_done,total);
                                (void)BIO_flush(bio_err);
                                buf[0][0]='\0';
-                               fgets(buf[0],10,stdin);
+                               if (!fgets(buf[0],10,stdin))
+                                       {
+                                       BIO_printf(bio_err,"CERTIFICATION CANCELED: I/O error\n"); 
+                                       ret=0;
+                                       goto err;
+                                       }
                                if ((buf[0][0] != 'y') && (buf[0][0] != 'Y'))
                                        {
                                        BIO_printf(bio_err,"CERTIFICATION CANCELED\n"); 
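Review bot: The new `fgets` failure branch sets `ret=0` before `goto err`. If `ret` becomes the exit status (the cleanup code is outside this hunk), a closed or failing stdin during a signing run is reported to the caller as success, and a script driving the command cannot tell it apart from a committed run. Consider leaving `ret` at its failure value in this branch, or document the choice with a comment such as `/* treated like an operator "no": nothing is committed */`. The message also says "I/O error" for a plain end-of-file; checking `feof(stdin)` would let the two cases be reported separately.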
@@ -2091,7 +2095,7 @@ again2:
                }
 
        BIO_printf(bio_err,"Certificate is to be certified until ");
-       ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ret));
+       ASN1_TIME_print(bio_err,X509_get_notAfter(ret));
        if (days) BIO_printf(bio_err," (%ld days)",days);
        BIO_printf(bio_err, "\n");
 
@@ -2101,7 +2105,12 @@ again2:
                BIO_printf(bio_err,"Sign the certificate? [y/n]:");
                (void)BIO_flush(bio_err);
                buf[0]='\0';
-               fgets(buf,sizeof(buf)-1,stdin);
+               if (!fgets(buf,sizeof(buf)-1,stdin))
+                       {
+                       BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n");
+                       ok=0;
+                       goto err;
+                       }
                if (!((buf[0] == 'y') || (buf[0] == 'Y')))
                        {
                        BIO_printf(bio_err,"CERTIFICATE WILL NOT BE CERTIFIED\n");
@@ -2317,25 +2326,9 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
                        continue;
                        }
 
-               /*
-               if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
-                       continue;
-               */
-               
-               j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
-               if (fix_data(nid, &j) == 0)
-                       {
-                       BIO_printf(bio_err,
-                               "invalid characters in string %s\n",buf);
-                       goto err;
-                       }
-
-               if ((ne=X509_NAME_ENTRY_create_by_NID(&ne,nid,j,
-                       (unsigned char *)buf,
-                       strlen(buf))) == NULL)
+               if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
+                               (unsigned char *)buf, -1, -1, 0))
                        goto err;
-
-               if (!X509_NAME_add_entry(n,ne,-1, 0)) goto err;
                }
        if (spki == NULL)
                {
@@ -2378,29 +2371,17 @@ err:
        return(ok);
        }
 
-static int fix_data(int nid, int *type)
-       {
-       if (nid == NID_pkcs9_emailAddress)
-               *type=V_ASN1_IA5STRING;
-       if ((nid == NID_commonName) && (*type == V_ASN1_IA5STRING))
-               *type=V_ASN1_T61STRING;
-       if ((nid == NID_pkcs9_challengePassword) && (*type == V_ASN1_IA5STRING))
-               *type=V_ASN1_T61STRING;
-       if ((nid == NID_pkcs9_unstructuredName) && (*type == V_ASN1_T61STRING))
-               return(0);
-       if (nid == NID_pkcs9_unstructuredName)
-               *type=V_ASN1_IA5STRING;
-       return(1);
-       }
-
-static int check_time_format(char *str)
+static int check_time_format(const char *str)
        {
-       ASN1_UTCTIME tm;
+       ASN1_TIME tm;
 
        tm.data=(unsigned char *)str;
        tm.length=strlen(str);
        tm.type=V_ASN1_UTCTIME;
-       return(ASN1_UTCTIME_check(&tm));
+       if (ASN1_TIME_check(&tm))
+               return 1;
+       tm.type=V_ASN1_GENERALIZEDTIME;
+       return ASN1_TIME_check(&tm);
        }
 
 static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
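Review bot: check_time_format now accepts GeneralizedTime as well as UTCTime, but no comment says so, and it builds a stack ASN1_TIME that points at the caller's string by casting away `const`. A short header comment would cover both, e.g. `/* Returns non-zero if str is a valid UTCTime or GeneralizedTime; tm only borrows str. */`. Only `data`, `length` and `type` are assigned, so the function relies on ASN1_TIME_check not reading any other field of the structure, which should be confirmed against the library.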
index cbc1fe3..5e68a56 100644 (file)
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/dsa.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/dsa.h>
 
 #undef PROG
 #define PROG   dsa_main
index c301e81..4305a73 100644 (file)
@@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 #endif
        return 1;
        }
+#else /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
index f4f9a4c..8f5e5b8 100644 (file)
@@ -226,7 +226,12 @@ int MAIN(int argc, char **argv)
                                goto bad;
                                }
                        buf[0]='\0';
-                       fgets(buf,sizeof buf,infile);
+                       if (!fgets(buf,sizeof buf,infile))
+                               {
+                               BIO_printf(bio_err,"unable to read key from '%s'\n",
+                                       file);
+                               goto bad;
+                               }
                        fclose(infile);
                        i=strlen(buf);
                        if ((i > 0) &&
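Review bot: On the new error path `goto bad;` is taken before the `fclose(infile);` that follows the block, so the key file is left open when fgets fails. Close it inside the branch, i.e. add `fclose(infile);` just before `goto bad;`. MAIN begins and ends outside this hunk, so what `bad:` cleans up is not visible here.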
index 8a296c6..22c3962 100644 (file)
@@ -279,4 +279,10 @@ end:
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
+#else /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
index fdc0d4a..5759acb 100644 (file)
@@ -106,9 +106,9 @@ int MAIN(int argc, char **argv)
        char *inrand=NULL;
        BIO *out=NULL;
        BIGNUM *bn = BN_new();
-       RSA *rsa = RSA_new();
+       RSA *rsa = NULL;
 
-       if(!bn || !rsa) goto err;
+       if(!bn) goto err;
 
        apps_startup();
        BN_GENCB_set(&cb, genrsa_cb, bio_err);
@@ -269,6 +269,10 @@ bad:
        BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
                num);
 
+       rsa = RSA_new();
+       if (!rsa)
+               goto err;
+
        if (use_x931)
                {
                BIGNUM *pubexp;
index 7d2b476..480fef9 100644 (file)
@@ -235,16 +235,19 @@ int main(int Argc, char *Argv[])
 
        in_FIPS_mode = 0;
 
-#ifdef OPENSSL_FIPS
        if(getenv("OPENSSL_FIPS")) {
+#ifdef OPENSSL_FIPS
                if (!FIPS_mode_set(1)) {
                        ERR_load_crypto_strings();
                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
                        EXIT(1);
                }
                in_FIPS_mode = 1;
-               }
+#else
+               fprintf(stderr, "FIPS mode not supported.\n");
+               EXIT(1);
 #endif
+               }
 
        if (bio_err == NULL)
                if ((bio_err=BIO_new(BIO_s_file())) != NULL)
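Review bot: `getenv("OPENSSL_FIPS")` tests only for presence, so `OPENSSL_FIPS=0` or an empty value also requests FIPS mode, and with the new `#else` branch a build without FIPS support exits on it. Refusing to run rather than silently continuing in non-FIPS mode is the safer choice, but the behaviour should be written down above the `if`, e.g. `/* Any value of OPENSSL_FIPS, even "0" or empty, requests FIPS mode; builds without FIPS support refuse to start. */`. main continues outside the hunk.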
@@ -333,7 +336,8 @@ int main(int Argc, char *Argv[])
                        else    prompt="OpenSSL> ";
                        fputs(prompt,stdout);
                        fflush(stdout);
-                       fgets(p,n,stdin);
+                       if (!fgets(p,n,stdin))
+                               goto end;
                        if (p[0] == '\0') goto end;
                        i=strlen(p);
                        if (i <= 1) break;
index 248bc11..0db0b79 100644 (file)
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 
+#ifdef OPENSSL_SYS_NETWARE
+/* Rename these functions to avoid name clashes on NetWare OS */
+#define uni2asc OPENSSL_uni2asc
+#define asc2uni OPENSSL_asc2uni
+#endif
+
 #define PROG pkcs12_main
 
 const EVP_CIPHER *enc;
index 5ed0896..314197d 100644 (file)
@@ -1538,7 +1538,8 @@ start:
                buf[0]='\0';
                if (!batch)
                        {
-                       fgets(buf,sizeof buf,stdin);
+                       if (!fgets(buf,sizeof buf,stdin))
+                               return 0;
                        }
                else
                        {
@@ -1596,7 +1597,8 @@ start:
                buf[0]='\0';
                if (!batch)
                        {
-                       fgets(buf,sizeof buf,stdin);
+                       if (!fgets(buf,sizeof buf,stdin))
+                               return 0;
                        }
                else
                        {
index 08fbbc2..f5a39ba 100644 (file)
@@ -171,3 +171,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
                                        unsigned char *data, int len,
                                        void *arg);
 #endif
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
index a512589..97caffc 100644 (file)
 #undef NON_MAIN
 #undef USE_SOCKETS
 #include <openssl/err.h>
+#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include "s_apps.h"
 
+#define        COOKIE_SECRET_LENGTH    16
+
 int verify_depth=0;
 int verify_error=X509_V_OK;
+unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
+int cookie_initialized=0;
 
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        {
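Review bot: `cookie_secret` and `cookie_initialized` are defined with external linkage, although in the visible diff only the two cookie callbacks in this file use them. Declaring them `static` keeps the HMAC key out of the program's global namespace: `static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];` and `static int cookie_initialized=0;`. A one-line comment that the secret is generated once, on the first call to generate_cookie_callback, would also help.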
@@ -338,6 +343,12 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
                break;
        default:
                str_version = "???";
+       case DTLS1_VERSION:
+               str_version = "DTLS 1.0 ";
+               break;
+       case DTLS1_BAD_VER:
+               str_version = "DTLS 1.0 (bad) ";
+               break;
                }
 
        if (version == SSL2_VERSION)
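Review bot: The new `case DTLS1_VERSION:` label is placed directly after `default: str_version = "???";`, which has no `break`, so an unrecognised version falls through and is reported as "DTLS 1.0 ". Add `break;` after the `"???"` assignment, or move the two DTLS cases above `default:`. msg_cb starts outside this hunk.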
@@ -401,7 +412,10 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
                        }
                }
 
-       if (version == SSL3_VERSION || version == TLS1_VERSION)
+       if (version == SSL3_VERSION ||
+           version == TLS1_VERSION ||
+           version == DTLS1_VERSION ||
+           version == DTLS1_BAD_VER)
                {
                switch (content_type)
                        {
@@ -540,6 +554,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
                                case 15:
                                        str_details1 = ", CertificateVerify";
                                        break;
+                               case 3:
+                                       str_details1 = ", HelloVerifyRequest";
+                                       break;
                                case 16:
                                        str_details1 = ", ClientKeyExchange";
                                        break;
@@ -621,6 +638,9 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
                extname = "server ticket";
                break;
 
+               case TLSEXT_TYPE_renegotiate:
+               extname = "renegotiate";
+               break;
 
                default:
                extname = "unknown";
@@ -634,3 +654,86 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
        BIO_dump(bio, (char *)data, len);
        (void)BIO_flush(bio);
        }
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
+       {
+       unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+       unsigned int length, resultlength;
+       struct sockaddr_in peer;
+       
+       /* Initialize a random secret */
+       if (!cookie_initialized)
+               {
+               if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
+                       {
+                       BIO_printf(bio_err,"error setting random cookie secret\n");
+                       return 0;
+                       }
+               cookie_initialized = 1;
+               }
+
+       /* Read peer information */
+       (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+       /* Create buffer with peer's address and port */
+       length = sizeof(peer.sin_addr);
+       length += sizeof(peer.sin_port);
+       buffer = OPENSSL_malloc(length);
+
+       if (buffer == NULL)
+               {
+               BIO_printf(bio_err,"out of memory\n");
+               return 0;
+               }
+       
+       memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr));
+       memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port));
+
+       /* Calculate HMAC of buffer using the secret */
+       HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+            buffer, length, result, &resultlength);
+       OPENSSL_free(buffer);
+
+       memcpy(cookie, result, resultlength);
+       *cookie_len = resultlength;
+
+       return 1;
+       }
+
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
+       {
+       unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+       unsigned int length, resultlength;
+       struct sockaddr_in peer;
+       
+       /* If secret isn't initialized yet, the cookie can't be valid */
+       if (!cookie_initialized)
+               return 0;
+
+       /* Read peer information */
+       (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+       /* Create buffer with peer's address and port */
+       length = sizeof(peer.sin_addr);
+       length += sizeof(peer.sin_port);
+       buffer = (unsigned char*) OPENSSL_malloc(length);
+       
+       if (buffer == NULL)
+               {
+               BIO_printf(bio_err,"out of memory\n");
+               return 0;
+               }
+       
+       memcpy(buffer, &peer.sin_addr, sizeof(peer.sin_addr));
+       memcpy(buffer + sizeof(peer.sin_addr), &peer.sin_port, sizeof(peer.sin_port));
+
+       /* Calculate HMAC of buffer using the secret */
+       HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+            buffer, length, result, &resultlength);
+       OPENSSL_free(buffer);
+       
+       if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0)
+               return 1;
+
+       return 0;
+       }
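Review bot: In both generate_cookie_callback and verify_cookie_callback the result of BIO_dgram_get_peer is discarded with `(void)`, so if the call fails the HMAC is computed over an uninitialised `struct sockaddr_in peer`. Zero the struct first and bail out on failure, e.g. `memset(&peer, 0, sizeof(peer));` followed by `if (BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer) <= 0) return 0;`. The callbacks also assume an IPv4 peer, and verify_cookie_callback compares the MAC with `memcmp`, which is not constant-time; a comment stating both limitations would help anyone reusing this sample in a real server. The address-and-port MAC computation is duplicated between the two functions and could live in one static helper.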
index 4974f5f..2f743f0 100644 (file)
@@ -226,7 +226,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
-       BIO_printf(bio_err," -mtu          - set the MTU\n");
+       BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
        BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
        BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
        BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
@@ -249,6 +249,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
 #endif
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
        }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -286,7 +287,7 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-       int off=0;
+       int off=0, clr = 0;
        SSL *con=NULL,*con2=NULL;
        X509_STORE *store = NULL;
        int s,k,width,state=0;
@@ -318,6 +319,7 @@ int MAIN(int argc, char **argv)
        BIO *sbio;
        char *inrand=NULL;
        int mbuf_len=0;
+       struct timeval timeout, *timeoutp;
 #ifndef OPENSSL_NO_ENGINE
        char *engine_id=NULL;
        char *ssl_client_engine_id=NULL;
@@ -338,7 +340,7 @@ int MAIN(int argc, char **argv)
        struct sockaddr peer;
        int peerlen = sizeof(peer);
        int enable_timeouts = 0 ;
-       long mtu = 0;
+       long socket_mtu = 0;
 #ifndef OPENSSL_NO_JPAKE
        char *jpake_secret = NULL;
 #endif
@@ -489,7 +491,7 @@ int MAIN(int argc, char **argv)
                else if (strcmp(*argv,"-mtu") == 0)
                        {
                        if (--argc < 1) goto bad;
-                       mtu = atol(*(++argv));
+                       socket_mtu = atol(*(++argv));
                        }
 #endif
                else if (strcmp(*argv,"-bugs") == 0)
@@ -535,6 +537,12 @@ int MAIN(int argc, char **argv)
 #endif
                else if (strcmp(*argv,"-serverpref") == 0)
                        off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
+               else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+                       off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+               else if (strcmp(*argv,"-legacy_server_connect") == 0)
+                       { off|=SSL_OP_LEGACY_SERVER_CONNECT; }
+               else if (strcmp(*argv,"-no_legacy_server_connect") == 0)
+                       { clr|=SSL_OP_LEGACY_SERVER_CONNECT; }
                else if (strcmp(*argv,"-cipher") == 0)
                        {
                        if (--argc < 1) goto bad;
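Review bot: `-legacy_server_connect` and `-no_legacy_server_connect` are parsed here, but sc_usage gained a line only for `-legacy_renegotiation` in this commit, so these two options never appear in the help output. Add matching usage lines, e.g. `BIO_printf(bio_err," -legacy_server_connect - allow connecting to servers without secure renegotiation support\n");` and the corresponding `-no_legacy_server_connect` line. The new branches also mix braced and unbraced single statements; picking one form would match the neighbouring `-serverpref` branch. MAIN starts and ends outside the hunk.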
@@ -709,6 +717,9 @@ bad:
                SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
        else
                SSL_CTX_set_options(ctx,off);
+
+       if (clr)
+               SSL_CTX_clear_options(ctx, clr);
        /* DTLS: partial reads end up discarding unread UDP bytes :-( 
         * Setting read ahead solves this problem.
         */
@@ -819,7 +830,6 @@ re_start:
 
        if ( SSL_version(con) == DTLS1_VERSION)
                {
-               struct timeval timeout;
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
                if (getsockname(s, &peer, (void *)&peerlen) < 0)
@@ -843,10 +853,10 @@ re_start:
                        BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
                        }
 
-               if ( mtu > 0)
+               if (socket_mtu > 28)
                        {
                        SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-                       SSL_set_mtu(con, mtu);
+                       SSL_set_mtu(con, socket_mtu - 28);
                        }
                else
                        /* want to do MTU discovery */
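Review bot: The literal 28 in `socket_mtu > 28` and `socket_mtu - 28` is unexplained; it presumably stands for a 20-byte IPv4 header plus an 8-byte UDP header, which would not hold for an IPv6 socket. Give it a name with a comment, e.g. `#define IP_UDP_OVERHEAD 28 /* IPv4 header + UDP header */` (name constructed for this note). A `-mtu` value of 28 or less, or a non-numeric one since the option is read with `atol`, silently falls back to MTU discovery instead of being reported. The same pattern appears in the sv_body hunk of s_server.c.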
@@ -1036,6 +1046,12 @@ SSL_set_tlsext_status_ids(con, ids);
                FD_ZERO(&readfds);
                FD_ZERO(&writefds);
 
+               if ((SSL_version(con) == DTLS1_VERSION) &&
+                       DTLSv1_get_timeout(con, &timeout))
+                       timeoutp = &timeout;
+               else
+                       timeoutp = NULL;
+
                if (SSL_in_init(con) && !SSL_total_renegotiations(con))
                        {
                        in_init=1;
@@ -1132,7 +1148,7 @@ SSL_set_tlsext_status_ids(con, ids);
                                        if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 #endif
                                } else  i=select(width,(void *)&readfds,(void *)&writefds,
-                                        NULL,NULL);
+                                        NULL,timeoutp);
                        }
 #elif defined(OPENSSL_SYS_NETWARE)
                        if(!write_tty) {
@@ -1142,11 +1158,11 @@ SSL_set_tlsext_status_ids(con, ids);
                                        i=select(width,(void *)&readfds,(void *)&writefds,
                                                NULL,&tv);
                                } else  i=select(width,(void *)&readfds,(void *)&writefds,
-                                       NULL,NULL);
+                                       NULL,timeoutp);
                        }
 #else
                        i=select(width,(void *)&readfds,(void *)&writefds,
-                                NULL,NULL);
+                                NULL,timeoutp);
 #endif
                        if ( i < 0)
                                {
@@ -1157,6 +1173,11 @@ SSL_set_tlsext_status_ids(con, ids);
                                }
                        }
 
+               if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
+                       {
+                       BIO_printf(bio_err,"TIMEOUT occured\n");
+                       }
+
                if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
                        {
                        k=SSL_write(con,&(cbuf[cbuf_off]),
@@ -1511,6 +1532,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                                                         EVP_PKEY_bits(pktmp));
                EVP_PKEY_free(pktmp);
        }
+       BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
+                       SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
 #ifndef OPENSSL_NO_COMP
        comp=SSL_get_current_compression(s);
        expansion=SSL_get_current_expansion(s);
index 84b1b28..88b308c 100644 (file)
@@ -283,11 +283,10 @@ static char *engine_id=NULL;
 static const char *session_id_prefix=NULL;
 
 static int enable_timeouts = 0;
-#ifdef mtu
-#undef mtu
-#endif
-static long mtu;
+static long socket_mtu;
+#ifndef OPENSSL_NO_DTLS1
 static int cert_chain = 0;
+#endif
 
 
 #ifdef MONOLITH
@@ -375,7 +374,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
-       BIO_printf(bio_err," -mtu          - Set MTU\n");
+       BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
        BIO_printf(bio_err," -chain        - Read a certificate chain\n");
        BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
        BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
@@ -405,6 +404,7 @@ static void sv_usage(void)
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 #endif
        }
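Review bot: The `-legacy_renegotiation` usage line is added just before the `#endif` that follows the `-tlsextdebug` and `-no_ticket` lines, so it appears to sit inside the TLS-extension conditional. The option itself is parsed next to `-serverpref` with no such guard visible, and in s_client.c the same usage line is placed after the `#endif`. Moving the line below the `#endif` would keep the help text accurate on builds without TLS extensions. The `-no_cache` option added later in this file has no usage line at all.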
 
@@ -772,6 +772,7 @@ int MAIN(int argc, char *argv[])
        int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
        X509 *s_cert = NULL, *s_dcert = NULL;
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+       int no_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
@@ -911,6 +912,8 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        CApath= *(++argv);
                        }
+               else if (strcmp(*argv,"-no_cache") == 0)
+                       no_cache = 1;
                else if (strcmp(*argv,"-crl_check") == 0)
                        {
                        vflags |= X509_V_FLAG_CRL_CHECK;
@@ -921,6 +924,8 @@ int MAIN(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-serverpref") == 0)
                        { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
+               else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+                       off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
                else if (strcmp(*argv,"-cipher") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1032,7 +1037,7 @@ int MAIN(int argc, char *argv[])
                else if (strcmp(*argv,"-mtu") == 0)
                        {
                        if (--argc < 1) goto bad;
-                       mtu = atol(*(++argv));
+                       socket_mtu = atol(*(++argv));
                        }
                else if (strcmp(*argv, "-chain") == 0)
                        cert_chain = 1;
@@ -1253,8 +1258,10 @@ bad:
        if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
 
        if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
-
-       SSL_CTX_sess_set_cache_size(ctx,128);
+       if (no_cache)
+               SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+       else
+               SSL_CTX_sess_set_cache_size(ctx,128);
 
 #if 0
        if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -1321,7 +1328,10 @@ bad:
 
                if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
 
-               SSL_CTX_sess_set_cache_size(ctx2,128);
+               if (no_cache)
+                       SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
+               else
+                       SSL_CTX_sess_set_cache_size(ctx2,128);
 
                if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
                        (!SSL_CTX_set_default_verify_paths(ctx2)))
@@ -1498,6 +1508,10 @@ bad:
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);
 
+       /* Set DTLS cookie generation and verification callbacks */
+       SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
+       SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
+
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2)
                {
@@ -1591,8 +1605,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
        unsigned long l;
        SSL *con=NULL;
        BIO *sbio;
+       struct timeval timeout;
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
        struct timeval tv;
+#else
+       struct timeval *timeoutp;
 #endif
 
        if ((buf=OPENSSL_malloc(bufsize)) == NULL)
@@ -1644,7 +1661,6 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 
        if (SSL_version(con) == DTLS1_VERSION)
                {
-               struct timeval timeout;
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
 
@@ -1660,10 +1676,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                        }
 
                
-               if ( mtu > 0)
+               if (socket_mtu > 28)
                        {
                        SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-                       SSL_set_mtu(con, mtu);
+                       SSL_set_mtu(con, socket_mtu - 28);
                        }
                else
                        /* want to do MTU discovery */
@@ -1745,7 +1761,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                        if(_kbhit())
                                read_from_terminal = 1;
 #else
-                       i=select(width,(void *)&readfds,NULL,NULL,NULL);
+                       if ((SSL_version(con) == DTLS1_VERSION) &&
+                               DTLSv1_get_timeout(con, &timeout))
+                               timeoutp = &timeout;
+                       else
+                               timeoutp = NULL;
+
+                       i=select(width,(void *)&readfds,NULL,NULL,timeoutp);
+
+                       if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
+                               {
+                               BIO_printf(bio_err,"TIMEOUT occured\n");
+                               }
+
                        if (i <= 0) continue;
                        if (FD_ISSET(fileno(stdin),&readfds))
                                read_from_terminal = 1;
@@ -2002,6 +2030,8 @@ static int init_ssl_connection(SSL *con)
                        con->kssl_ctx->client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */
+       BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+                     SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
        return(1);
        }
 
index 4a922e1..cf82358 100644 (file)
 #include <errno.h>
 #include <signal.h>
 
+#ifdef FLAT_INC
+#include "e_os2.h"
+#else
+#include "../e_os2.h"
+#endif
+
 /* With IPv6, it looks like Digital has mixed up the proper order of
    recursive header file inclusion, resulting in the compiler complaining
    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
index af077b5..07f0ae0 100644 (file)
 # endif
 #endif
 
-#if !defined(OPENSSL_SYS_VMS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MACINTOSH_CLASSIC) && !defined(OPENSSL_SYS_OS2) && !defined(OPENSSL_SYS_NETWARE)
-# define HAVE_FORK 1
+#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+# define NO_FORK 1
+#elif HAVE_FORK
+# undef NO_FORK
+#else
+# define NO_FORK 1
 #endif
 
 #undef BUFSIZE
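Review bot: `#elif HAVE_FORK` relies on an undefined macro evaluating to 0, so fork support and the `-multi` option are now off unless the build defines HAVE_FORK to a non-zero value. Before this change they were on for every platform not in the exclusion list. If that is intended it deserves a comment above the block, e.g. `/* -multi needs fork(): build with -DHAVE_FORK=1 to enable it */`, since the option otherwise disappears from the usage text without explanation.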
@@ -271,7 +275,7 @@ static void print_message(const char *s,long num,int length);
 static void pkey_print_message(const char *str, const char *str2,
        long num, int bits, int sec);
 static void print_result(int alg,int run_no,int count,double time_used);
-#ifdef HAVE_FORK
+#ifndef NO_FORK
 static int do_multi(int multi);
 #endif
 
@@ -293,8 +297,12 @@ static const char *names[ALGOR_NUM]={
   "aes-128 ige","aes-192 ige","aes-256 ige"};
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
+#ifndef OPENSSL_NO_RSA
 static double rsa_results[RSA_NUM][2];
+#endif
+#ifndef OPENSSL_NO_DSA
 static double dsa_results[DSA_NUM][2];
+#endif
 #ifndef OPENSSL_NO_ECDSA
 static double ecdsa_results[EC_NUM][2];
 #endif
@@ -749,7 +757,7 @@ int MAIN(int argc, char **argv)
        const EVP_CIPHER *evp_cipher=NULL;
        const EVP_MD *evp_md=NULL;
        int decrypt=0;
-#ifdef HAVE_FORK
+#ifndef NO_FORK
        int multi=0;
 #endif
 
@@ -877,7 +885,7 @@ int MAIN(int argc, char **argv)
                        j--;
                        }
 #endif
-#ifdef HAVE_FORK
+#ifndef NO_FORK
                else if ((argc > 0) && (strcmp(*argv,"-multi") == 0))
                        {
                        argc--;
@@ -1257,7 +1265,7 @@ int MAIN(int argc, char **argv)
                        BIO_printf(bio_err,"-evp e          use EVP e.\n");
                        BIO_printf(bio_err,"-decrypt        time decryption instead of encryption (only EVP).\n");
                        BIO_printf(bio_err,"-mr             produce machine readable output.\n");
-#ifdef HAVE_FORK
+#ifndef NO_FORK
                        BIO_printf(bio_err,"-multi n        run n benchmarks in parallel.\n");
 #endif
                        goto end;
@@ -1267,7 +1275,7 @@ int MAIN(int argc, char **argv)
                j++;
                }
 
-#ifdef HAVE_FORK
+#ifndef NO_FORK
        if(multi && do_multi(multi))
                goto show_res;
 #endif
@@ -2462,7 +2470,7 @@ int MAIN(int argc, char **argv)
                }
        if (rnd_fake) RAND_cleanup();
 #endif
-#ifdef HAVE_FORK
+#ifndef NO_FORK
 show_res:
 #endif
        if(!mr)
@@ -2717,7 +2725,7 @@ static void print_result(int alg,int run_no,int count,double time_used)
        results[alg][run_no]=((double)count)/time_used*lengths[run_no];
        }
 
-#ifdef HAVE_FORK
+#ifndef NO_FORK
 static char *sstrsep(char **string, const char *delim)
     {
     char isdelim[256];
index 6debce4..b25508a 100644 (file)
@@ -1151,6 +1151,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
        /* NOTE: this certificate can/should be self signed, unless it was
         * a certificate request in which case it is not. */
        X509_STORE_CTX_set_cert(&xsc,x);
+       X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
        if (!reqfile && X509_verify_cert(&xsc) <= 0)
                goto end;
 
index 49f0411..9384ba6 100644 (file)
@@ -201,7 +201,6 @@ void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
     assert(in && out && key && ivec && num);
     assert(*num == 0);
 
-    memset(out,0,(length+7)/8);
     for(n=0 ; n < length ; ++n)
        {
        c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
index 1bcd046..1538e0a 100644 (file)
@@ -93,7 +93,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
        int str_type;
        int ret;
        char free_out;
-       int outform, outlen;
+       int outform, outlen = 0;
        ASN1_STRING *dest;
        unsigned char *p;
        int nchar;
index dc98042..d169f8c 100644 (file)
@@ -291,6 +291,17 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
        ASN1_OBJECT *ret=NULL;
        const unsigned char *p;
        int i;
+       /* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
+        * X.690 8.19.2
+        */
+       for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
+               {
+               if (*p == 0x80)
+                       {
+                       ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
+                       return NULL;
+                       }
+               }
 
        /* only the ASN1_OBJECTs from the 'table' will have values
         * for ->sn or ->ln */
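Review bot: The added loop rejects every 0x80 octet after the first, but X.690 8.19.2 forbids 0x80 only as the leading octet of a subidentifier. A continuation octet of 0x80 inside a longer subidentifier (for example 0x81 0x80 0x00) is valid and would now fail with ASN1_R_INVALID_OBJECT_ENCODING. The loop also starts at `*pp + 1`, so a leading 0x80 in the very first octet is not caught. Testing the previous octet's continuation bit covers both cases: `for (i = 0, p = *pp; i < len; i++, p++)` with `if (*p == 0x80 && (!i || !(p[-1] & 0x80)))`. The rest of c2i_ASN1_OBJECT is outside the hunk.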
index b57aac0..1958298 100644 (file)
@@ -344,6 +344,8 @@ typedef struct ASN1_VALUE_st ASN1_VALUE;
     ((void*) (1 ? p : (type*)0))
 #define CHECKED_PPTR_OF(type, p) \
     ((void**) (1 ? p : (type**)0))
+#define CHECKED_PTR_OF_TO_CHAR(type, p) \
+    ((char*) (1 ? p : (type*)0))
 
 #define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **,const unsigned char **,long)
 #define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(type *,unsigned char **)
@@ -933,12 +935,12 @@ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x);
 #define ASN1_dup_of(type,i2d,d2i,x) \
     ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \
                     CHECKED_D2I_OF(type, d2i), \
-                    CHECKED_PTR_OF(type, x)))
+                    CHECKED_PTR_OF_TO_CHAR(type, x)))
 
 #define ASN1_dup_of_const(type,i2d,d2i,x) \
     ((type*)ASN1_dup(CHECKED_I2D_OF(const type, i2d), \
                     CHECKED_D2I_OF(type, d2i), \
-                    CHECKED_PTR_OF(const type, x)))
+                    CHECKED_PTR_OF_TO_CHAR(const type, x)))
 
 void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
 
@@ -1158,7 +1160,6 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_VERIFY                              137
 #define ASN1_F_B64_READ_ASN1                            208
 #define ASN1_F_B64_WRITE_ASN1                           209
-#define ASN1_F_BIO_NEW_NDEF                             212
 #define ASN1_F_BITSTR_CB                                180
 #define ASN1_F_BN_TO_ASN1_ENUMERATED                    138
 #define ASN1_F_BN_TO_ASN1_INTEGER                       139
@@ -1264,6 +1265,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_INVALID_MIME_TYPE                        200
 #define ASN1_R_INVALID_MODIFIER                                 186
 #define ASN1_R_INVALID_NUMBER                           187
+#define ASN1_R_INVALID_OBJECT_ENCODING                  212
 #define ASN1_R_INVALID_SEPARATOR                        131
 #define ASN1_R_INVALID_TIME_FORMAT                      132
 #define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH           133
index 1cf41e5..ba88eb3 100644 (file)
@@ -132,7 +132,6 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"},
 {ERR_FUNC(ASN1_F_B64_READ_ASN1),       "B64_READ_ASN1"},
 {ERR_FUNC(ASN1_F_B64_WRITE_ASN1),      "B64_WRITE_ASN1"},
-{ERR_FUNC(ASN1_F_BIO_NEW_NDEF),        "BIO_NEW_NDEF"},
 {ERR_FUNC(ASN1_F_BITSTR_CB),   "BITSTR_CB"},
 {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),       "BN_to_ASN1_ENUMERATED"},
 {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),  "BN_to_ASN1_INTEGER"},
@@ -241,6 +240,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},
 {ERR_REASON(ASN1_R_INVALID_MODIFIER)     ,"invalid modifier"},
 {ERR_REASON(ASN1_R_INVALID_NUMBER)       ,"invalid number"},
+{ERR_REASON(ASN1_R_INVALID_OBJECT_ENCODING),"invalid object encoding"},
 {ERR_REASON(ASN1_R_INVALID_SEPARATOR)    ,"invalid separator"},
 {ERR_REASON(ASN1_R_INVALID_TIME_FORMAT)  ,"invalid time format"},
 {ERR_REASON(ASN1_R_INVALID_UNIVERSALSTRING_LENGTH),"invalid universalstring length"},
index 2da3829..213a8e9 100644 (file)
@@ -227,6 +227,8 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf)
        /* Allocate buffer for new encoding */
 
        new_der = OPENSSL_malloc(len);
+       if (!new_der)
+               goto err;
 
        /* Generate tagged encoding */
 
@@ -446,6 +448,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
        int derlen;
        int i, is_set;
        sk = sk_ASN1_TYPE_new_null();
+       if (!sk)
+               goto bad;
        if (section)
                {
                if (!cnf)
@@ -458,7 +462,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
                        typ = ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf);
                        if (!typ)
                                goto bad;
-                       sk_ASN1_TYPE_push(sk, typ);
+                       if (!sk_ASN1_TYPE_push(sk, typ))
+                               goto bad;
                        typ = NULL;
                        }
                }
@@ -474,6 +479,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf)
        derlen = i2d_ASN1_SET_OF_ASN1_TYPE(sk, NULL, i2d_ASN1_TYPE, utype,
                                           V_ASN1_UNIVERSAL, is_set);
        der = OPENSSL_malloc(derlen);
+       if (!der)
+               goto bad;
        p = der;
        i2d_ASN1_SET_OF_ASN1_TYPE(sk, &p, i2d_ASN1_TYPE, utype,
                                  V_ASN1_UNIVERSAL, is_set);
index 8657f73..cb08e15 100644 (file)
@@ -246,7 +246,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse
                                ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
                                if (ii < 0)
                                        {
-                                       if (BIO_write(bp,"Bad boolean\n",12))
+                                       if (BIO_write(bp,"Bad boolean\n",12) <= 0)
                                                goto end;
                                        }
                                BIO_printf(bp,":%d",ii);
index 8f746f9..6f295b4 100644 (file)
@@ -379,6 +379,8 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
        int gmt=0;
        int i;
        int y=0,M=0,d=0,h=0,m=0,s=0;
+       char *f = NULL;
+       int f_len = 0;
 
        i=tm->length;
        v=(char *)tm->data;
@@ -396,10 +398,21 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
        if (tm->length >= 14 &&
            (v[12] >= '0') && (v[12] <= '9') &&
            (v[13] >= '0') && (v[13] <= '9'))
+               {
                s=  (v[12]-'0')*10+(v[13]-'0');
+               /* Check for fractions of seconds. */
+               if (tm->length >= 15 && v[14] == '.')
+                       {
+                       int l = tm->length;
+                       f = &v[14];     /* The decimal point. */
+                       f_len = 1;
+                       while (14 + f_len < l && f[f_len] >= '0' && f[f_len] <= '9')
+                               ++f_len;
+                       }
+               }
 
-       if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
-               mon[M-1],d,h,m,s,y,(gmt)?" GMT":"") <= 0)
+       if (BIO_printf(bp,"%s %2d %02d:%02d:%02d%.*s %d%s",
+               mon[M-1],d,h,m,s,f_len,f,y,(gmt)?" GMT":"") <= 0)
                return(0);
        else
                return(1);
index cecb6a7..ebb4278 100644 (file)
@@ -156,8 +156,11 @@ extern "C" {
                                              * previous write
                                              * operation */
 
+#define BIO_CTRL_DGRAM_GET_PEER           46
 #define BIO_CTRL_DGRAM_SET_PEER           44 /* Destination for the data */
 
+#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT   45 /* Next DTLS handshake timeout to
+                                                                                         * adjust socket timeouts */
 
 /* modifiers */
 #define BIO_FP_READ            0x02
@@ -405,7 +408,7 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 #define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 #define BIO_get_conn_ip(b)              BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-#define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3)
+#define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
 
 
 #define BIO_set_nbio(b,n)      BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)
@@ -414,7 +417,7 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
 #define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
 /* #define BIO_set_nbio(b,n)   BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
-#define BIO_set_nbio_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,1,(n)?"a":NULL)
+#define BIO_set_nbio_accept(b,n) BIO_ctrl(b,BIO_C_SET_ACCEPT,1,(n)?(void *)"a":NULL)
 #define BIO_set_accept_bios(b,bio) BIO_ctrl(b,BIO_C_SET_ACCEPT,2,(char *)bio)
 
 #define BIO_BIND_NORMAL                        0
@@ -541,6 +544,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP, 0, NULL)
 #define BIO_dgram_send_timedout(b) \
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP, 0, NULL)
+#define BIO_dgram_get_peer(b,peer) \
+         (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
 #define BIO_dgram_set_peer(b,peer) \
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
 
index c3da6dc..14ca854 100644 (file)
 
 #include <openssl/bio.h>
 
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS)
+#include <sys/timeb.h>
+#endif
+
+#ifdef OPENSSL_SYS_LINUX
 #define IP_MTU      14 /* linux is lame */
+#endif
 
 #ifdef WATT32
 #define sock_write SockWrite  /* Watt-32 uses same names */
@@ -84,6 +90,8 @@ static int dgram_clear(BIO *bio);
 
 static int BIO_dgram_should_retry(int s);
 
+static void get_current_time(struct timeval *t);
+
 static BIO_METHOD methods_dgramp=
        {
        BIO_TYPE_DGRAM,
@@ -104,6 +112,8 @@ typedef struct bio_dgram_data_st
        unsigned int connected;
        unsigned int _errno;
        unsigned int mtu;
+       struct timeval next_timeout;
+       struct timeval socket_timeout;
        } bio_dgram_data;
 
 BIO_METHOD *BIO_s_datagram(void)
@@ -165,7 +175,100 @@ static int dgram_clear(BIO *a)
                }
        return(1);
        }
-       
+
+static void dgram_adjust_rcv_timeout(BIO *b)
+       {
+#if defined(SO_RCVTIMEO)
+       bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+       int sz = sizeof(int);
+
+       /* Is a timer active? */
+       if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0)
+               {
+               struct timeval timenow, timeleft;
+
+               /* Read current socket timeout */
+#ifdef OPENSSL_SYS_WINDOWS
+               int timeout;
+               if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                                          (void*)&timeout, &sz) < 0)
+                       { perror("getsockopt"); }
+               else
+                       {
+                       data->socket_timeout.tv_sec = timeout / 1000;
+                       data->socket_timeout.tv_usec = (timeout % 1000) * 1000;
+                       }
+#else
+               if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
+                                               &(data->socket_timeout), (void *)&sz) < 0)
+                       { perror("getsockopt"); }
+#endif
+
+               /* Get current time */
+               get_current_time(&timenow);
+
+               /* Calculate time left until timer expires */
+               memcpy(&timeleft, &(data->next_timeout), sizeof(struct timeval));
+               timeleft.tv_sec -= timenow.tv_sec;
+               timeleft.tv_usec -= timenow.tv_usec;
+               if (timeleft.tv_usec < 0)
+                       {
+                       timeleft.tv_sec--;
+                       timeleft.tv_usec += 1000000;
+                       }
+
+               if (timeleft.tv_sec < 0)
+                       {
+                       timeleft.tv_sec = 0;
+                       timeleft.tv_usec = 1;
+                       }
+
+               /* Adjust socket timeout if next handhake message timer
+                * will expire earlier.
+                */
+               if ((data->socket_timeout.tv_sec == 0 && data->socket_timeout.tv_usec == 0) ||
+                       (data->socket_timeout.tv_sec > timeleft.tv_sec) ||
+                       (data->socket_timeout.tv_sec == timeleft.tv_sec &&
+                        data->socket_timeout.tv_usec >= timeleft.tv_usec))
+                       {
+#ifdef OPENSSL_SYS_WINDOWS
+                       timeout = timeleft.tv_sec * 1000 + timeleft.tv_usec / 1000;
+                       if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                                                  (void*)&timeout, sizeof(timeout)) < 0)
+                               { perror("setsockopt"); }
+#else
+                       if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, &timeleft,
+                                                       sizeof(struct timeval)) < 0)
+                               { perror("setsockopt"); }
+#endif
+                       }
+               }
+#endif
+       }
+
+static void dgram_reset_rcv_timeout(BIO *b)
+       {
+#if defined(SO_RCVTIMEO)
+       bio_dgram_data *data = (bio_dgram_data *)b->ptr;
+
+       /* Is a timer active? */
+       if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0)
+               {
+#ifdef OPENSSL_SYS_WINDOWS
+               int timeout = data->socket_timeout.tv_sec * 1000 +
+                                         data->socket_timeout.tv_usec / 1000;
+               if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                                          (void*)&timeout, sizeof(timeout)) < 0)
+                       { perror("setsockopt"); }
+#else
+               if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, &(data->socket_timeout),
+                                               sizeof(struct timeval)) < 0)
+                       { perror("setsockopt"); }
+#endif
+               }
+#endif
+       }
+
 static int dgram_read(BIO *b, char *out, int outl)
        {
        int ret=0;
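Review bot: In the non-Windows branch of dgram_adjust_rcv_timeout, getsockopt() receives `sz`, initialised to `sizeof(int)`, as the length of `data->socket_timeout`, which is a struct timeval. The kernel may then fill only part of the structure, and dgram_reset_rcv_timeout later writes that partly stale value back with setsockopt(). Setting `sz = sizeof(data->socket_timeout);` before that call fixes the length. Both helpers also only perror() and carry on when a socket call fails, so an unread or stale timeout is restored as if it were valid; returning early on failure, without writing to stderr from library code, would be safer.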
@@ -183,13 +286,15 @@ static int dgram_read(BIO *b, char *out, int outl)
                 * but this is not universal. Cast to (void *) to avoid
                 * compiler warnings.
                 */
+               dgram_adjust_rcv_timeout(b);
                ret=recvfrom(b->num,out,outl,0,&peer,(void *)&peerlen);
+               dgram_reset_rcv_timeout(b);
 
-               if ( ! data->connected  && ret > 0)
-                       BIO_ctrl(b, BIO_CTRL_DGRAM_CONNECT, 0, &peer);
+               if ( ! data->connected  && ret >= 0)
+                       BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
 
                BIO_clear_retry_flags(b);
-               if (ret <= 0)
+               if (ret < 0)
                        {
                        if (BIO_dgram_should_retry(ret))
                                {
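Review bot: `dgram_reset_rcv_timeout(b);` runs between recvfrom() and the `if (ret < 0)` block, so its setsockopt() call, and perror() if that fails, can overwrite the socket error before `BIO_dgram_should_retry(ret)` examines it. A timed-out or interrupted read could then be classified as fatal, or the reverse. Moving the reset call to after the error-handling block preserves the recvfrom() error. The rest of that block lies outside this hunk, so the exact insertion point should be checked against the full function.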
@@ -219,7 +324,7 @@ static int dgram_write(BIO *b, const char *in, int inl)
        BIO_clear_retry_flags(b);
        if (ret <= 0)
                {
-               if (BIO_sock_should_retry(ret))
+               if (BIO_dgram_should_retry(ret))
                        {
                        BIO_set_retry_write(b);  
                        data->_errno = get_last_socket_error();
@@ -240,8 +345,14 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
        int *ip;
        struct sockaddr *to = NULL;
        bio_dgram_data *data = NULL;
+#if defined(IP_MTU_DISCOVER) || defined(IP_MTU)
        long sockopt_val = 0;
        unsigned int sockopt_len = 0;
+#endif
+#ifdef OPENSSL_SYS_LINUX
+       socklen_t addr_len;
+       struct sockaddr_storage addr;
+#endif
 
        data = (bio_dgram_data *)b->ptr;
 
@@ -300,24 +411,87 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 #endif
                break;
                /* (Linux)kernel sets DF bit on outgoing IP packets */
-#ifdef IP_MTU_DISCOVER
        case BIO_CTRL_DGRAM_MTU_DISCOVER:
-               sockopt_val = IP_PMTUDISC_DO;
-               if ((ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER,
-                       &sockopt_val, sizeof(sockopt_val))) < 0)
-                       perror("setsockopt");
+#ifdef OPENSSL_SYS_LINUX
+               addr_len = (socklen_t)sizeof(struct sockaddr_storage);
+               memset((void *)&addr, 0, sizeof(struct sockaddr_storage));
+               if (getsockname(b->num, (void *)&addr, &addr_len) < 0)
+                       {
+                       ret = 0;
+                       break;
+                       }
+               sockopt_len = sizeof(sockopt_val);
+               switch (addr.ss_family)
+                       {
+               case AF_INET:
+                       sockopt_val = IP_PMTUDISC_DO;
+                       if ((ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER,
+                               &sockopt_val, sizeof(sockopt_val))) < 0)
+                               perror("setsockopt");
+                       break;
+               case AF_INET6:
+                       sockopt_val = IPV6_PMTUDISC_DO;
+                       if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+                               &sockopt_val, sizeof(sockopt_val))) < 0)
+                               perror("setsockopt");
+                       break;
+               default:
+                       ret = -1;
+                       break;
+                       }
+               ret = -1;
+#else
                break;
 #endif
        case BIO_CTRL_DGRAM_QUERY_MTU:
-         sockopt_len = sizeof(sockopt_val);
-               if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void *)&sockopt_val,
-                       &sockopt_len)) < 0 || sockopt_val < 0)
-                       { ret = 0; }
-               else
+#ifdef OPENSSL_SYS_LINUX
+               addr_len = (socklen_t)sizeof(struct sockaddr_storage);
+               memset((void *)&addr, 0, sizeof(struct sockaddr_storage));
+               if (getsockname(b->num, (void *)&addr, &addr_len) < 0)
                        {
-                       data->mtu = sockopt_val;
-                       ret = data->mtu;
+                       ret = 0;
+                       break;
                        }
+               sockopt_len = sizeof(sockopt_val);
+               switch (addr.ss_family)
+                       {
+               case AF_INET:
+                       if ((ret = getsockopt(b->num, IPPROTO_IP, IP_MTU, (void *)&sockopt_val,
+                               &sockopt_len)) < 0 || sockopt_val < 0)
+                               {
+                               ret = 0;
+                               }
+                       else
+                               {
+                               /* we assume that the transport protocol is UDP and no
+                                * IP options are used.
+                                */
+                               data->mtu = sockopt_val - 8 - 20;
+                               ret = data->mtu;
+                               }
+                       break;
+               case AF_INET6:
+                       if ((ret = getsockopt(b->num, IPPROTO_IPV6, IPV6_MTU, (void *)&sockopt_val,
+                               &sockopt_len)) < 0 || sockopt_val < 0)
+                               {
+                               ret = 0;
+                               }
+                       else
+                               {
+                               /* we assume that the transport protocol is UDP and no
+                                * IPV6 options are used.
+                                */
+                               data->mtu = sockopt_val - 8 - 40;
+                               ret = data->mtu;
+                               }
+                       break;
+               default:
+                       ret = 0;
+                       break;
+                       }
+#else
+               ret = 0;
+#endif
                break;
        case BIO_CTRL_DGRAM_GET_MTU:
                return data->mtu;
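Review bot: In the OPENSSL_SYS_LINUX branch of `BIO_CTRL_DGRAM_MTU_DISCOVER`, the trailing `ret = -1;` discards whatever setsockopt() returned. The only `break;` sits in the `#else` arm, so on Linux control also falls through into `case BIO_CTRL_DGRAM_QUERY_MTU:`. If that is not intended, the trailing `ret = -1;` should become `break;`. In the query case, `data->mtu = sockopt_val - 8 - 20` and `- 8 - 40` are guarded only by `sockopt_val < 0`; `mtu` is an unsigned int, so a reported value smaller than the header overhead wraps to a very large MTU, and the guards should read `sockopt_val < 28` and `sockopt_val < 48`. dgram_ctrl begins and ends outside this hunk.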
@@ -340,11 +514,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
                        memset(&(data->peer), 0x00, sizeof(struct sockaddr));
                        }
                break;
+    case BIO_CTRL_DGRAM_GET_PEER:
+        to = (struct sockaddr *) ptr;
+
+        memcpy(to, &(data->peer), sizeof(struct sockaddr));
+               ret = sizeof(struct sockaddr);
+        break;
     case BIO_CTRL_DGRAM_SET_PEER:
         to = (struct sockaddr *) ptr;
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+       case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
+               memcpy(&(data->next_timeout), ptr, sizeof(struct timeval));             
+               break;
 #if defined(SO_RCVTIMEO)
        case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
 #ifdef OPENSSL_SYS_WINDOWS
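Review bot: `BIO_CTRL_DGRAM_GET_PEER` writes a fixed `sizeof(struct sockaddr)` bytes into the caller's `ptr`, and `BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT` reads `sizeof(struct timeval)` bytes from it, with no NULL check and no stated size contract. A guard such as `if (ptr == NULL) { ret = 0; break; }` in both cases would help, together with a comment like `/* ptr must point to at least sizeof(struct sockaddr) writable bytes */`. This commit adds AF_INET6 handling elsewhere in dgram_ctrl, and `sizeof(struct sockaddr)` is smaller than an IPv6 socket address, so an IPv6 peer would be stored and returned truncated. That assumes `data->peer` is a plain struct sockaddr, whose declaration is outside this hunk.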
@@ -507,10 +690,6 @@ int BIO_dgram_non_fatal_error(int err)
 # endif
 #endif
 
-#if defined(ENOTCONN)
-       case ENOTCONN:
-#endif
-
 #ifdef EINTR
        case EINTR:
 #endif
@@ -533,11 +712,6 @@ int BIO_dgram_non_fatal_error(int err)
        case EALREADY:
 #endif
 
-/* DF bit set, and packet larger than MTU */
-#ifdef EMSGSIZE
-       case EMSGSIZE:
-#endif
-
                return(1);
                /* break; */
        default:
@@ -546,3 +720,20 @@ int BIO_dgram_non_fatal_error(int err)
        return(0);
        }
 #endif
+
+static void get_current_time(struct timeval *t)
+       {
+#ifdef OPENSSL_SYS_WIN32
+       struct _timeb tb;
+       _ftime(&tb);
+       t->tv_sec = (long)tb.time;
+       t->tv_usec = (long)tb.millitm * 1000;
+#elif defined(OPENSSL_SYS_VMS)
+       struct timeb tb;
+       ftime(&tb);
+       t->tv_sec = (long)tb.time;
+       t->tv_usec = (long)tb.millitm * 1000;
+#else
+       gettimeofday(t, NULL);
+#endif
+       }
index 9ad46fa..62c1073 100644 (file)
@@ -404,11 +404,18 @@ static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
 
        buf[0]='\0';
        if (bp->flags&BIO_FLAGS_UPLINK)
-               UP_fgets(buf,size,bp->ptr);
+               {
+               if (!UP_fgets(buf,size,bp->ptr))
+                       goto err;
+               }
        else
-               fgets(buf,size,(FILE *)bp->ptr);
+               {
+               if (!fgets(buf,size,(FILE *)bp->ptr))
+                       goto err;
+               }
        if (buf[0] != '\0')
                ret=strlen(buf);
+       err:
        return(ret);
        }
 
index 1e8e576..7c35545 100644 (file)
@@ -102,7 +102,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
        /* The next 2 are needed so we can do a dv->d[0]|=1 later
         * since BN_lshift1 will only work once there is a value :-) */
        BN_zero(dv);
-       bn_wexpand(dv,1);
+       if(bn_wexpand(dv,1) == NULL) goto end;
        dv->top=1;
 
        if (!BN_lshift(D,D,nm-nd)) goto end;
@@ -229,7 +229,8 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        if (dv == NULL)
                res=BN_CTX_get(ctx);
        else    res=dv;
-       if (sdiv == NULL || res == NULL) goto err;
+       if (sdiv == NULL || res == NULL || tmp == NULL || snum == NULL)
+               goto err;
 
        /* First we normalise the numbers */
        norm_shift=BN_BITS2-((BN_num_bits(divisor))%BN_BITS2);
index 70a33f0..d9b6c73 100644 (file)
@@ -134,7 +134,8 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                rr = BN_CTX_get(ctx);
        else
                rr = r;
-       if ((v = BN_CTX_get(ctx)) == NULL) goto err;
+       v = BN_CTX_get(ctx);
+       if (rr == NULL || v == NULL) goto err;
 
        if (BN_copy(v,a) == NULL) goto err;
        bits=BN_num_bits(p);
index 306f029..ae642cc 100644 (file)
@@ -294,7 +294,8 @@ int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
        if (a->top < b->top) { at = b; bt = a; }
        else { at = a; bt = b; }
 
-       bn_wexpand(r, at->top);
+       if(bn_wexpand(r, at->top) == NULL)
+               return 0;
 
        for (i = 0; i < bt->top; i++)
                {
index b848c8c..a0e9ec3 100644 (file)
@@ -1028,17 +1028,19 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                        assert(j <= al || j <= bl);
                        k = j+j;
                        t = BN_CTX_get(ctx);
+                       if (t == NULL)
+                               goto err;
                        if (al > j || bl > j)
                                {
-                               bn_wexpand(t,k*4);
-                               bn_wexpand(rr,k*4);
+                               if (bn_wexpand(t,k*4) == NULL) goto err;
+                               if (bn_wexpand(rr,k*4) == NULL) goto err;
                                bn_mul_part_recursive(rr->d,a->d,b->d,
                                        j,al-j,bl-j,t->d);
                                }
                        else    /* al <= j || bl <= j */
                                {
-                               bn_wexpand(t,k*2);
-                               bn_wexpand(rr,k*2);
+                               if (bn_wexpand(t,k*2) == NULL) goto err;
+                               if (bn_wexpand(rr,k*2) == NULL) goto err;
                                bn_mul_recursive(rr->d,a->d,b->d,
                                        j,al-j,bl-j,t->d);
                                }
index 514c005..dcec13a 100644 (file)
@@ -65,7 +65,7 @@
  */
 
 void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-                       long length, CAST_KEY *schedule, unsigned char *ivec,
+                       long length, const CAST_KEY *schedule, unsigned char *ivec,
                        int *num, int enc)
        {
        register CAST_LONG v0,v1,t;
@@ -119,4 +119,3 @@ void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
        v0=v1=ti[0]=ti[1]=t=c=cc=0;
        *num=n;
        }
-
index f2dc606..b6a3b1f 100644 (file)
@@ -63,7 +63,7 @@
 const char CAST_version[]="CAST" OPENSSL_VERSION_PTEXT;
 
 void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
-                     CAST_KEY *ks, int enc)
+                     const CAST_KEY *ks, int enc)
        {
        CAST_LONG l,d[2];
 
@@ -77,4 +77,3 @@ void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out,
        l=d[1]; l2n(l,out);
        l=d[0]=d[1]=0;
        }
-
index 0fe2cff..357c41e 100644 (file)
 #include <openssl/cast.h>
 #include "cast_lcl.h"
 
-void CAST_encrypt(CAST_LONG *data, CAST_KEY *key)
+void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key)
        {
-       register CAST_LONG l,r,*k,t;
+       register CAST_LONG l,r,t;
+       const register CAST_LONG *k;
 
        k= &(key->data[0]);
        l=data[0];
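Review bot: In CAST_encrypt, and on the same line in CAST_decrypt in the next hunk, `const register CAST_LONG *k;` places the storage-class specifier after a type qualifier. C99 marks that ordering as obsolescent and some compilers warn about it. Writing `register const CAST_LONG *k;` keeps the const-correctness this change introduces without the warning. CAST_encrypt's body continues outside this hunk.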
@@ -91,9 +92,10 @@ void CAST_encrypt(CAST_LONG *data, CAST_KEY *key)
        data[0]=r&0xffffffffL;
        }
 
-void CAST_decrypt(CAST_LONG *data, CAST_KEY *key)
+void CAST_decrypt(CAST_LONG *data, const CAST_KEY *key)
        {
-       register CAST_LONG l,r,*k,t;
+       register CAST_LONG l,r,t;
+       const register CAST_LONG *k;
 
        k= &(key->data[0]);
        l=data[0];
@@ -124,7 +126,7 @@ void CAST_decrypt(CAST_LONG *data, CAST_KEY *key)
        }
 
 void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-            CAST_KEY *ks, unsigned char *iv, int enc)
+            const CAST_KEY *ks, unsigned char *iv, int enc)
        {
        register CAST_LONG tin0,tin1;
        register CAST_LONG tout0,tout1,xor0,xor1;
@@ -204,4 +206,3 @@ void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
        tin0=tin1=tout0=tout1=xor0=xor1=0;
        tin[0]=tin[1]=0;
        }
-
index fd0469a..cb32224 100644 (file)
@@ -64,7 +64,7 @@
  * 64bit block we have used is contained in *num;
  */
 void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-                       long length, CAST_KEY *schedule, unsigned char *ivec,
+                       long length, const CAST_KEY *schedule, unsigned char *ivec,
                        int *num)
        {
        register CAST_LONG v0,v1,t;
@@ -108,4 +108,3 @@ void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out,
        t=v0=v1=ti[0]=ti[1]=0;
        *num=n;
        }
-
index 1faf580..6e0cd31 100644 (file)
@@ -87,17 +87,17 @@ typedef struct cast_key_st
 void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 #endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
-void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
+void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAST_KEY *key,
                      int enc);
-void CAST_encrypt(CAST_LONG *data,CAST_KEY *key);
-void CAST_decrypt(CAST_LONG *data,CAST_KEY *key);
+void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key);
+void CAST_decrypt(CAST_LONG *data, const CAST_KEY *key);
 void CAST_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-                     CAST_KEY *ks, unsigned char *iv, int enc);
+                     const CAST_KEY *ks, unsigned char *iv, int enc);
 void CAST_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-                       long length, CAST_KEY *schedule, unsigned char *ivec,
+                       long length, const CAST_KEY *schedule, unsigned char *ivec,
                        int *num, int enc);
 void CAST_ofb64_encrypt(const unsigned char *in, unsigned char *out, 
-                       long length, CAST_KEY *schedule, unsigned char *ivec,
+                       long length, const CAST_KEY *schedule, unsigned char *ivec,
                        int *num);
 
 #ifdef  __cplusplus
index ed34ff3..65613aa 100644 (file)
@@ -344,7 +344,7 @@ int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
 
        /* Get original receipt request details */
 
-       if (!CMS_get1_ReceiptRequest(osi, &rr))
+       if (CMS_get1_ReceiptRequest(osi, &rr) <= 0)
                {
                CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_RECEIPT_REQUEST);
                goto err;
@@ -385,7 +385,7 @@ ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si)
 
        /* Get original receipt request details */
 
-       if (!CMS_get1_ReceiptRequest(si, &rr))
+       if (CMS_get1_ReceiptRequest(si, &rr) <= 0)
                {
                CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_RECEIPT_REQUEST);
                goto err;
index 8e6c1d2..cc00526 100644 (file)
@@ -415,7 +415,11 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
                        return 0;
                        }
                BIO_get_md_ctx(chain, &mtmp);
-               if (EVP_MD_CTX_type(mtmp) == nid)
+               if (EVP_MD_CTX_type(mtmp) == nid
+               /* Workaround for broken implementations that use signature
+                * algorithm  OID instead of digest.
+                */
+                       || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
                        {
                        EVP_MD_CTX_copy_ex(mctx, mtmp);
                        return 1;
index eccfd09..8df7792 100644 (file)
@@ -136,15 +136,6 @@ struct zlib_state
 
 static int zlib_stateful_ex_idx = -1;
 
-static void zlib_stateful_free_ex_data(void *obj, void *item,
-       CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
-       {
-       struct zlib_state *state = (struct zlib_state *)item;
-       inflateEnd(&state->istream);
-       deflateEnd(&state->ostream);
-       OPENSSL_free(state);
-       }
-
 static int zlib_stateful_init(COMP_CTX *ctx)
        {
        int err;
@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX *ctx)
 
 static void zlib_stateful_finish(COMP_CTX *ctx)
        {
+       struct zlib_state *state =
+               (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
+                       zlib_stateful_ex_idx);
+       inflateEnd(&state->istream);
+       deflateEnd(&state->ostream);
+       OPENSSL_free(state);
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
        }
 
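Review bot: zlib_stateful_finish now dereferences the pointer returned by CRYPTO_get_ex_data() without checking it. If the context never had its state stored (for instance because zlib_stateful_init failed part-way, which is outside this hunk), `inflateEnd(&state->istream)` is a NULL dereference. Wrapping the three cleanup calls in `if (state != NULL)` avoids that and still reaches `CRYPTO_free_ex_data()`. The ex_data slot also still holds the freed pointer when `CRYPTO_free_ex_data()` runs; that is harmless only while the index is registered with no free callback, as the COMP_zlib hunk now does, so a comment saying so would stop a later change from reintroducing a double free.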
@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void)
                        if (zlib_stateful_ex_idx == -1)
                                zlib_stateful_ex_idx =
                                        CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
-                                               0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
+                                               0,NULL,NULL,NULL,NULL);
                        CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
                        if (zlib_stateful_ex_idx == -1)
                                goto err;
index 8f9e88e..497d003 100644 (file)
@@ -513,7 +513,7 @@ void OPENSSL_showfatal (const char *fmta,...)
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
     /* this -------------v--- guards NT-specific calls */
-    if (GetVersion() < 0x80000000 && OPENSSL_isservice())
+    if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
     {  HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
        const TCHAR *pmsg=buf;
        ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
index 0645fac..bc7d7a0 100644 (file)
@@ -62,6 +62,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
+#include <openssl/rand.h>
 #ifdef OPENSSL_FIPS
 #include <openssl/fips.h>
 #endif
@@ -155,6 +156,7 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
                return 0;
                }
 #endif
+       RAND_seed(dgst, dlen);
        s=DSA_do_sign(dgst,dlen,dsa);
        if (s == NULL)
                {
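Review bot: `RAND_seed(dgst, dlen);` mixes the message digest into the PRNG through the call that credits every input byte as entropy, although the digest is not secret and may be chosen by the party requesting the signature. `RAND_add(dgst, dlen, 0);` performs the same mixing without raising the entropy estimate. The line also needs a comment giving the reason; presumably it is meant to keep the per-signature random value from repeating if the PRNG state repeats, for example `/* mix in the digest so a repeated PRNG state does not yield a repeated nonce */`. The return value of the seeding call is not relevant here, and the rest of DSA_sign is outside this hunk.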
index 7ac9dc8..85556d1 100644 (file)
@@ -190,7 +190,7 @@ DSA *DSA_new_method(ENGINE *engine)
        ret->method_mont_p=NULL;
 
        ret->references=1;
-       ret->flags=ret->meth->flags;
+       ret->flags=ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                {
index 1fd1010..d91e821 100644 (file)
@@ -237,7 +237,10 @@ static void *dlfcn_bind_var(DSO *dso, const char *symname)
 static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
        {
        void *ptr;
-       DSO_FUNC_TYPE sym, *tsym = &sym;
+       union {
+               DSO_FUNC_TYPE sym;
+               void *dlret;
+       } u;
 
        if((dso == NULL) || (symname == NULL))
                {
@@ -255,14 +258,14 @@ static DSO_FUNC_TYPE dlfcn_bind_func(DSO *dso, const char *symname)
                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_NULL_HANDLE);
                return(NULL);
                }
-       *(void **)(tsym) = dlsym(ptr, symname);
-       if(sym == NULL)
+       u.dlret = dlsym(ptr, symname);
+       if(u.dlret == NULL)
                {
                DSOerr(DSO_F_DLFCN_BIND_FUNC,DSO_R_SYM_FAILURE);
                ERR_add_error_data(4, "symname(", symname, "): ", dlerror());
                return(NULL);
                }
-       return(sym);
+       return u.sym;
        }
 
 static char *dlfcn_merger(DSO *dso, const char *filespec1,
@@ -332,6 +335,15 @@ static char *dlfcn_merger(DSO *dso, const char *filespec1,
        return(merged);
        }
 
+#ifdef OPENSSL_SYS_MACOSX
+#define DSO_ext        ".dylib"
+#define DSO_extlen 6
+#else
+#define DSO_ext        ".so"
+#define DSO_extlen 3
+#endif
+
+
 static char *dlfcn_name_converter(DSO *dso, const char *filename)
        {
        char *translated;
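Review bot: `DSO_extlen` is a hand-written copy of the length of `DSO_ext`, and `dlfcn_name_converter()` adds it to `rsize`, which appears to size the buffer that the unbounded `sprintf(translated, "lib%s" DSO_ext, filename)` calls in the later hunk write into. If another platform extension is added and the two macros drift apart, the allocation comes up short and the `sprintf` writes past the end of the heap buffer. Deriving the length removes that risk: `#define DSO_extlen ((int)(sizeof(DSO_ext) - 1))`. The context comment `/* The length of ".so" */` in the next hunk is also stale now that the extension can be ".dylib".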
@@ -342,8 +354,8 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
        transform = (strstr(filename, "/") == NULL);
        if(transform)
                {
-               /* We will convert this to "%s.so" or "lib%s.so" */
-               rsize += 3;     /* The length of ".so" */
+               /* We will convert this to "%s.so" or "lib%s.so" etc */
+               rsize += DSO_extlen;    /* The length of ".so" */
                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
                        rsize += 3; /* The length of "lib" */
                }
@@ -357,9 +369,9 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
        if(transform)
                {
                if ((DSO_flags(dso) & DSO_FLAG_NAME_TRANSLATION_EXT_ONLY) == 0)
-                       sprintf(translated, "lib%s.so", filename);
+                       sprintf(translated, "lib%s" DSO_ext, filename);
                else
-                       sprintf(translated, "%s.so", filename);
+                       sprintf(translated, "%s" DSO_ext, filename);
                }
        else
                sprintf(translated, "%s", filename);
index 5cd1eac..522d036 100644 (file)
@@ -174,8 +174,10 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
        dest->poly[2] = src->poly[2];
        dest->poly[3] = src->poly[3];
        dest->poly[4] = src->poly[4];
-       bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
-       bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+               return 0;
+       if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+               return 0;
        for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
        for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
        return 1;
@@ -199,12 +201,12 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
 
        /* group->a */
        if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
-       bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
        for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
        
        /* group->b */
        if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
-       bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+       if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
        for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
                
        ret = 1;
index 3ead1af..551cf50 100644 (file)
@@ -212,7 +212,7 @@ err:
 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 
                const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
 {
-       int     ok = 0;
+       int     ok = 0, i;
        BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
        const BIGNUM *ckinv;
        BN_CTX     *ctx = NULL;
@@ -251,22 +251,19 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                goto err;
        }
-       if (8 * dgst_len > BN_num_bits(order))
+       i = BN_num_bits(order);
+       /* Need to truncate digest if it is too long: first truncate whole
+        * bytes.
+        */
+       if (8 * dgst_len > i)
+               dgst_len = (i + 7)/8;
+       if (!BN_bin2bn(dgst, dgst_len, m))
        {
-               /* XXX
-                * 
-                * Should provide for optional hash truncation:
-                * Keep the BN_num_bits(order) leftmost bits of dgst
-                * (see March 2006 FIPS 186-3 draft, which has a few
-                * confusing errors in this part though)
-                */
-
-               ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                       ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+               ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                goto err;
        }
-
-       if (!BN_bin2bn(dgst, dgst_len, m))
+       /* If still too long truncate remaining bits with a shift */
+       if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                goto err;
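Review bot: The digest-truncation sequence added here is repeated line for line in `ecdsa_do_verify()` (the hunk at `/* digest -> m */`), and signing and verification must truncate identically or valid signatures stop verifying. One static helper called from both keeps them in step and lets the bit count have a descriptive name instead of `i`. It also gives a single place to reject a negative `dgst_len` and to compare in bytes rather than computing `8 * dgst_len`, which overflows `int` for very large lengths; neither case is checked in the hunk. Both function bodies continue outside their hunks.

```c
/* Load dgst into m, keeping only the leftmost order_bits bits of it. */
static int ecdsa_digest_to_bn(BIGNUM *m, const unsigned char *dgst,
		int dgst_len, int order_bits)
{
	int excess_bits = 0;

	if (dgst_len < 0)
		return 0;
	/* Byte comparison: same test as 8 * dgst_len > order_bits, no overflow. */
	if (dgst_len > order_bits / 8)
	{
		/* First drop whole bytes, then note the bits still to shift out. */
		dgst_len = (order_bits + 7) / 8;
		excess_bits = (8 - (order_bits & 0x7)) & 0x7;
	}
	if (!BN_bin2bn(dgst, dgst_len, m))
		return 0;
	if (excess_bits && !BN_rshift(m, m, excess_bits))
		return 0;
	return 1;
}

	/* ... unchanged: order lookup in ecdsa_do_sign ... */
	if (!ecdsa_digest_to_bn(m, dgst, dgst_len, BN_num_bits(order)))
	{
		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
		goto err;
	}
```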
@@ -346,7 +343,7 @@ err:
 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey)
 {
-       int ret = -1;
+       int ret = -1, i;
        BN_CTX   *ctx;
        BIGNUM   *order, *u1, *u2, *m, *X;
        EC_POINT *point = NULL;
@@ -384,21 +381,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
-       if (8 * dgst_len > BN_num_bits(order))
-       {
-               /* XXX
-                * 
-                * Should provide for optional hash truncation:
-                * Keep the BN_num_bits(order) leftmost bits of dgst
-                * (see March 2006 FIPS 186-3 draft, which has a few
-                * confusing errors in this part though)
-                */
-
-               ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
-                       ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-               ret = 0;
-               goto err;
-       }
 
        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
@@ -415,11 +397,23 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                goto err;
        }
        /* digest -> m */
+       i = BN_num_bits(order);
+       /* Need to truncate digest if it is too long: first truncate whole
+        * bytes.
+        */
+       if (8 * dgst_len > i)
+               dgst_len = (i + 7)/8;
        if (!BN_bin2bn(dgst, dgst_len, m))
        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
+       /* If still too long truncate remaining bits with a shift */
+       if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
+       {
+               ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+               goto err;
+       }
        /* u1 = m * tmp mod order */
        if (!BN_mod_mul(u1, m, u2, order, ctx))
        {
index 74b1fe8..353d5af 100644 (file)
@@ -57,6 +57,7 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#include <openssl/rand.h>
 
 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey)
 {
@@ -83,6 +84,7 @@ int ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char
        EC_KEY *eckey)
 {
        ECDSA_SIG *s;
+       RAND_seed(dgst, dlen);
        s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey);
        if (s == NULL)
        {
index 08066ce..95c4070 100644 (file)
@@ -95,7 +95,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
        int ret = 0;
        long do_init = -1;
        STACK_OF(CONF_VALUE) *ecmds;
-       CONF_VALUE *ecmd;
+       CONF_VALUE *ecmd = NULL;
        char *ctrlname, *ctrlvalue;
        ENGINE *e = NULL;
        int soft = 0;
@@ -157,7 +157,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                                        return 1;
                                        }
                                if (!e)
-                                       return 0;
+                                       goto err;
                                }
                        /* Allow "EMPTY" to mean no value: this allows a valid
                         * "value" to be passed to ctrls of type NO_INPUT
@@ -186,16 +186,27 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                                }
                        else if (!ENGINE_ctrl_cmd_string(e,
                                        ctrlname, ctrlvalue, 0))
-                               return 0;
+                               goto err;
                        }
 
 
 
                }
        if (e && (do_init == -1) && !int_engine_init(e))
+               {
+               ecmd = NULL;
                goto err;
+               }
        ret = 1;
        err:
+       if (ret != 1)
+               {
+               ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_CONFIGURATION_ERROR);
+               if (ecmd)
+                       ERR_add_error_data(6, "section=", ecmd->section, 
+                                               ", name=", ecmd->name,
+                                               ", value=", ecmd->value);
+               }
        if (e)
                ENGINE_free(e);
        return ret;
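Review bot: The new error path appends `ecmd->value` to the error queue, and a control value taken from the engine section of the configuration can be a secret (a token PIN, for example, though which commands an engine accepts is not visible here). Applications commonly print or log error-queue strings, so I would report only where the failure occurred: `ERR_add_error_data(4, "section=", ecmd->section, ", name=", ecmd->name);`. The function starts outside this hunk.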
index ab38cd5..1a1e1c2 100644 (file)
 #include <openssl/engine.h>
 #include <openssl/evp.h>
 #include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/dh.h>
+#include <openssl/err.h>
 
 #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
-       (defined(OpenBSD) || defined(__FreeBSD_version))
+       (defined(OpenBSD) || defined(__FreeBSD__))
 #include <sys/param.h>
 # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
 #  define HAVE_CRYPTODEV
@@ -79,7 +83,7 @@ static int cryptodev_max_iv(int cipher);
 static int cryptodev_key_length_valid(int cipher, int len);
 static int cipher_nid_to_cryptodev(int nid);
 static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -100,7 +104,7 @@ static int cryptodev_asym(struct crypt_kop *kop, int rlen, BIGNUM *r,
 static int cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
 static int cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I,
-    RSA *rsa);
+    RSA *rsa, BN_CTX *ctx);
 static int cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);
 static int cryptodev_dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a,
     const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
@@ -139,6 +143,7 @@ static struct {
        { 0,                            NID_undef,              0,       0, },
 };
 
+#if 0
 static struct {
        int     id;
        int     nid;
@@ -151,6 +156,7 @@ static struct {
        { CRYPTO_SHA1,                  NID_undef,              },
        { 0,                            NID_undef,              },
 };
+#endif
 
 /*
  * Return a fd if /dev/crypto seems usable, 0 otherwise.
@@ -285,6 +291,7 @@ get_cryptodev_ciphers(const int **cnids)
        return (count);
 }
 
+#if 0  /* unused */
 /*
  * Find out what digests /dev/crypto will let us have a session for.
  * XXX note, that some of these openssl doesn't deal with yet!
@@ -321,6 +328,8 @@ get_cryptodev_digests(const int **cnids)
        return (count);
 }
 
+#endif
+
 /*
  * Find the useable ciphers|digests from dev/crypto - this is the first
  * thing called by the engine init crud which determines what it
@@ -374,7 +383,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        struct crypt_op cryp;
        struct dev_crypto_state *state = ctx->cipher_data;
        struct session_op *sess = &state->d_sess;
-       void *iiv;
+       const void *iiv;
        unsigned char save_iv[EVP_MAX_IV_LENGTH];
 
        if (state->d_fd < 0)
@@ -398,7 +407,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        if (ctx->cipher->iv_len) {
                cryp.iv = (caddr_t) ctx->iv;
                if (!ctx->encrypt) {
-                       iiv = (void *) in + inl - ctx->cipher->iv_len;
+                       iiv = in + inl - ctx->cipher->iv_len;
                        memcpy(save_iv, iiv, ctx->cipher->iv_len);
                }
        } else
@@ -413,7 +422,7 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 
        if (ctx->cipher->iv_len) {
                if (ctx->encrypt)
-                       iiv = (void *) out + inl - ctx->cipher->iv_len;
+                       iiv = out + inl - ctx->cipher->iv_len;
                else
                        iiv = save_iv;
                memcpy(ctx->iv, iiv, ctx->cipher->iv_len);
@@ -443,7 +452,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
        if ((state->d_fd = get_dev_crypto()) < 0)
                return (0);
 
-       sess->key = (unsigned char *)key;
+       sess->key = (char *)key;
        sess->keylen = ctx->key_len;
        sess->cipher = cipher;
 
@@ -625,7 +634,7 @@ static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
        int i, j, k;
-       ssize_t words, bytes, bits;
+       ssize_t bytes, bits;
        u_char *b;
 
        crp->crp_p = NULL;
@@ -638,7 +647,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp)
        if (b == NULL)
                return (1);
 
-       crp->crp_p = b;
+       crp->crp_p = (char *)b;
        crp->crp_nbits = bits;
 
        for (i = 0, j = 0; i < a->top; i++) {
@@ -756,14 +765,11 @@ err:
 }
 
 static int
-cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
+cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
 {
        int r;
-       BN_CTX *ctx;
 
-       ctx = BN_CTX_new();
        r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
-       BN_CTX_free(ctx);
        return (r);
 }
 
@@ -994,7 +1000,7 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
                goto err;
        kop.crk_iparams = 3;
 
-       kop.crk_param[3].crp_p = key;
+       kop.crk_param[3].crp_p = (char *)key;
        kop.crk_param[3].crp_nbits = keylen * 8;
        kop.crk_oparams = 1;
 
index 95b6b45..5ce25d9 100644 (file)
@@ -280,7 +280,7 @@ int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name,
                }
        /* Force the result of the control command to 0 or 1, for the reasons
         * mentioned before. */
-        if (ENGINE_ctrl(e, num, i, p, f))
+        if (ENGINE_ctrl(e, num, i, p, f) > 0)
                 return 1;
         return 0;
         }
@@ -345,7 +345,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
                 * usage of these commands is consistent across applications and
                 * that certain applications don't understand it one way, and
                 * others another. */
-               if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+               if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
                        return 1;
                return 0;
                }
@@ -360,7 +360,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
        if(flags & ENGINE_CMD_FLAG_STRING)
                {
                /* Same explanation as above */
-               if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL))
+               if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0)
                        return 1;
                return 0;
                }
@@ -383,7 +383,7 @@ int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg,
                }
        /* Force the result of the control command to 0 or 1, for the reasons
         * mentioned before. */
-       if(ENGINE_ctrl(e, num, l, NULL, NULL))
+       if(ENGINE_ctrl(e, num, l, NULL, NULL) > 0)
                return 1;
        return 0;
        }
index 574ffbb..ac74dd1 100644 (file)
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -124,6 +124,7 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
 {ERR_REASON(ENGINE_R_DSO_FAILURE)        ,"DSO failure"},
 {ERR_REASON(ENGINE_R_DSO_NOT_FOUND)      ,"dso not found"},
 {ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_CONFIGURATION_ERROR),"engine configuration error"},
 {ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
 {ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
 {ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},
index 8879a26..8fc47b3 100644 (file)
@@ -237,6 +237,7 @@ ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, in
 #endif
                return NULL;
                }
+       ERR_set_mark();
        CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
        /* Check again inside the lock otherwise we could race against cleanup
         * operations. But don't worry about a fprintf(stderr). */
@@ -310,6 +311,6 @@ end:
        CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
        /* Whatever happened, any failed init()s are not failures in this
         * context, so clear our error state. */
-       ERR_clear_error();
+       ERR_pop_to_mark();
        return ret;
        }
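Review bot: The context comment above the changed line still says "clear our error state", but `ERR_pop_to_mark()` discards only the entries queued since the `ERR_set_mark()` added in the previous hunk and keeps the caller's earlier errors. I would reword the comment's ending to `so drop only the errors queued since ERR_set_mark() above; the caller's earlier entries are kept.` It is also worth confirming that every path reaching `end:` has passed the `ERR_set_mark()` call, since the function body between the two hunks is not shown.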
index f503595..d4bc1ef 100644 (file)
@@ -339,9 +339,11 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
+#ifdef OPENSSL_SYS_WIN32
 #ifndef OPENSSL_NO_CAPIENG
 void ENGINE_load_capi(void);
 #endif
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
@@ -767,6 +769,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_DSO_FAILURE                            104
 #define ENGINE_R_DSO_NOT_FOUND                          132
 #define ENGINE_R_ENGINES_SECTION_ERROR                  148
+#define ENGINE_R_ENGINE_CONFIGURATION_ERROR             101
 #define ENGINE_R_ENGINE_IS_NOT_IN_LIST                  105
 #define ENGINE_R_ENGINE_SECTION_ERROR                   149
 #define ENGINE_R_FAILED_LOADING_PRIVATE_KEY             128
index f21a527..39796f7 100644 (file)
 #ifndef OPENSSL_NO_JPAKE
 #include <openssl/jpake.h>
 #endif
+#include <openssl/comp.h>
 
 void ERR_load_crypto_strings(void)
        {
@@ -157,5 +158,6 @@ void ERR_load_crypto_strings(void)
 #ifndef OPENSSL_NO_JPAKE
        ERR_load_JPAKE_strings();
 #endif
+       ERR_load_COMP_strings();
 #endif
        }
index 7054d81..e45cee8 100644 (file)
@@ -71,6 +71,8 @@ void OpenSSL_add_all_ciphers(void)
        EVP_add_cipher(EVP_des_cfb8());
        EVP_add_cipher(EVP_des_ede_cfb());
        EVP_add_cipher(EVP_des_ede3_cfb());
+       EVP_add_cipher(EVP_des_ede3_cfb1());
+       EVP_add_cipher(EVP_des_ede3_cfb8());
 
        EVP_add_cipher(EVP_des_ofb());
        EVP_add_cipher(EVP_des_ede_ofb());
index d270b0e..e0841d1 100644 (file)
@@ -64,9 +64,6 @@
 
 void OpenSSL_add_all_digests(void)
        {
-#ifndef OPENSSL_NO_MD2
-       EVP_add_digest(EVP_md2());
-#endif
 #ifndef OPENSSL_NO_MD4
        EVP_add_digest(EVP_md4());
 #endif
index 3bc2d12..6a8f39b 100644 (file)
@@ -127,7 +127,8 @@ EVP_MD_CTX *EVP_MD_CTX_create(void)
        {
        EVP_MD_CTX *ctx=OPENSSL_malloc(sizeof *ctx);
 
-       EVP_MD_CTX_init(ctx);
+       if (ctx)
+               EVP_MD_CTX_init(ctx);
 
        return ctx;
        }
@@ -299,7 +300,14 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                        OPENSSL_free(ctx->md_data);
                ctx->digest=type;
                if (type->ctx_size)
+                       {
                        ctx->md_data=OPENSSL_malloc(type->ctx_size);
+                       if (!ctx->md_data)
+                               {
+                               EVPerr(EVP_F_EVP_DIGESTINIT_EX, ERR_R_MALLOC_FAILURE);
+                               return 0;
+                               }
+                       }
                }
 #ifndef OPENSSL_NO_ENGINE
        skip_to_init:
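Review bot: On the new malloc-failure return, `ctx->digest` has already been set to `type` two lines earlier while `ctx->md_data` is now NULL, so the context is left naming a digest it has no state for. If the enclosing condition (outside this hunk) skips this allocation when the digest is unchanged, a retry with the same `type` would go on to use a NULL `md_data`. Resetting the field before returning avoids that: add `ctx->digest=NULL;` ahead of `return 0;`.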
@@ -380,8 +388,17 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
 
        if (out->digest->ctx_size)
                {
-               if (tmp_buf) out->md_data = tmp_buf;
-               else out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+               if (tmp_buf)
+                       out->md_data = tmp_buf;
+               else
+                       {
+                       out->md_data=OPENSSL_malloc(out->digest->ctx_size);
+                       if (!out->md_data)
+                               {
+                               EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_MALLOC_FAILURE);
+                               return 0;
+                               }
+                       }
                memcpy(out->md_data,in->md_data,out->digest->ctx_size);
                }
 
index 174cf6c..9c20061 100644 (file)
@@ -163,6 +163,12 @@ int EVP_CIPHER_type(const EVP_CIPHER *ctx)
 
                return NID_des_cfb64;
 
+               case NID_des_ede3_cfb64:
+               case NID_des_ede3_cfb8:
+               case NID_des_ede3_cfb1:
+
+               return NID_des_cfb64;
+
                default:
                /* Check it has an OID and it is valid */
                otmp = OBJ_nid2obj(nid);
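Review bot: The three added `NID_des_ede3_cfb*` cases return `NID_des_cfb64`, the single-DES identifier, which looks copied from the case group just above. If the intent is to fold the triple-DES CFB variants onto their own 64-bit form, the line should be `return NID_des_ede3_cfb64;`. As written, a triple-DES CFB cipher would be reported as single DES wherever this type value identifies the algorithm. If the mapping is deliberate, it needs a comment saying why.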
index eabcc96..72105b0 100644 (file)
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \
                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
-                 key_len, iv_len, flags, init_key, cleanup, set_asn1, \
-                 get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
+                       (cbits + 7)/8, key_len, iv_len, \
+               flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \
@@ -139,10 +139,10 @@ BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
                  get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
-                            iv_len, flags, init_key, cleanup, set_asn1, \
+                            flags, init_key, cleanup, set_asn1, \
                             get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
-                 iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+                 0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 #define BLOCK_CIPHER_defs(cname, kstruct, \
                          nid, block_size, key_len, iv_len, cbits, flags, \
@@ -153,7 +153,7 @@ BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
                     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
                     init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 
index 04ea802..0b41f87 100644 (file)
@@ -305,16 +305,40 @@ void lh_doall_arg(LHASH *lh, LHASH_DOALL_ARG_FN_TYPE func, void *arg)
 static void expand(LHASH *lh)
        {
        LHASH_NODE **n,**n1,**n2,*np;
-       unsigned int p,i,j;
+       unsigned int p,i,j,pmax;
        unsigned long hash,nni;
 
+       p=(int)lh->p++;
+       nni=lh->num_alloc_nodes;
+       pmax=lh->pmax;
+
+       if ((lh->p) >= lh->pmax)
+               {
+               j=(int)lh->num_alloc_nodes*2;
+               n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
+                       (int)sizeof(LHASH_NODE *)*j);
+               if (n == NULL)
+                       {
+/*                     fputs("realloc error in lhash",stderr); */
+                       lh->error++;
+                       lh->p=0;
+                       return;
+                       }
+               /* else */
+               for (i=(int)lh->num_alloc_nodes; i<j; i++)/* 26/02/92 eay */
+                       n[i]=NULL;                        /* 02/03/92 eay */
+               lh->pmax=lh->num_alloc_nodes;
+               lh->num_alloc_nodes=j;
+               lh->num_expand_reallocs++;
+               lh->p=0;
+               lh->b=n;
+               }
+
        lh->num_nodes++;
        lh->num_expands++;
-       p=(int)lh->p++;
        n1= &(lh->b[p]);
-       n2= &(lh->b[p+(int)lh->pmax]);
+       n2= &(lh->b[p+pmax]);
        *n2=NULL;        /* 27/07/92 - eay - undefined pointer bug */
-       nni=lh->num_alloc_nodes;
        
        for (np= *n1; np != NULL; )
                {
@@ -335,35 +359,14 @@ static void expand(LHASH *lh)
                np= *n1;
                }
 
-       if ((lh->p) >= lh->pmax)
-               {
-               j=(int)lh->num_alloc_nodes*2;
-               n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
-                       (int)(sizeof(LHASH_NODE *)*j));
-               if (n == NULL)
-                       {
-/*                     fputs("realloc error in lhash",stderr); */
-                       lh->error++;
-                       lh->p=0;
-                       return;
-                       }
-               /* else */
-               for (i=(int)lh->num_alloc_nodes; i<j; i++)/* 26/02/92 eay */
-                       n[i]=NULL;                        /* 02/03/92 eay */
-               lh->pmax=lh->num_alloc_nodes;
-               lh->num_alloc_nodes=j;
-               lh->num_expand_reallocs++;
-               lh->p=0;
-               lh->b=n;
-               }
        }
 
 static void contract(LHASH *lh)
        {
        LHASH_NODE **n,*n1,*np;
+       int idx = lh->p+lh->pmax-1;
 
-       np=lh->b[lh->p+lh->pmax-1];
-       lh->b[lh->p+lh->pmax-1]=NULL; /* 24/07-92 - eay - weird but :-( */
+       np=lh->b[idx];
        if (lh->p == 0)
                {
                n=(LHASH_NODE **)OPENSSL_realloc(lh->b,
@@ -383,6 +386,7 @@ static void contract(LHASH *lh)
        else
                lh->p--;
 
+       lh->b[idx] = NULL;
        lh->num_nodes--;
        lh->num_contracts++;
 
index 00ed65a..2a5f5aa 100644 (file)
 
 #include <e_os.h>
 #include <openssl/err.h>
+/* Internal only functions: only ever used here */
+extern void int_ERR_lib_init(void);
+extern void int_EVP_MD_init_engine_callbacks(void );
+extern void int_EVP_CIPHER_init_engine_callbacks(void );
+extern void int_RAND_init_engine_callbacks(void );
 
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks
@@ -73,7 +78,7 @@ void OPENSSL_init(void)
 #ifdef CRYPTO_MDEBUG
                CRYPTO_malloc_debug_init();
 #endif
-#ifdef OPENSSL_ENGINE
+#ifndef OPENSSL_NO_ENGINE
                int_EVP_MD_init_engine_callbacks();
                int_EVP_CIPHER_init_engine_callbacks();
                int_RAND_init_engine_callbacks();
index 7fd7433..760af16 100644 (file)
@@ -456,10 +456,13 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
                s=OBJ_nid2ln(nid);
                if (s == NULL)
                        s=OBJ_nid2sn(nid);
-               if (buf)
-                       BUF_strlcpy(buf,s,buf_len);
-               n=strlen(s);
-               return n;
+               if (s)
+                       {
+                       if (buf)
+                               BUF_strlcpy(buf,s,buf_len);
+                       n=strlen(s);
+                       return n;
+                       }
                }
 
 
index dccc15e..23bdb46 100644 (file)
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 859
-#define NUM_SN 852
-#define NUM_LN 852
-#define NUM_OBJ 806
+#define NUM_NID 893
+#define NUM_SN 886
+#define NUM_LN 886
+#define NUM_OBJ 840
 
-static unsigned char lvalues[5722]={
+static unsigned char lvalues[5824]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -707,7 +707,7 @@ static unsigned char lvalues[5722]={
 0x2B,                                        /* [4582] OBJ_identified_organization */
 0x2B,0x81,0x04,                              /* [4583] OBJ_certicom_arc */
 0x67,0x2B,                                   /* [4586] OBJ_wap */
-0x67,0x2B,0x0D,                              /* [4588] OBJ_wap_wsg */
+0x67,0x2B,0x01,                              /* [4588] OBJ_wap_wsg */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4591] OBJ_X9_62_id_characteristic_two_basis */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4599] OBJ_X9_62_onBasis */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4608] OBJ_X9_62_tpBasis */
@@ -763,17 +763,17 @@ static unsigned char lvalues[5722]={
 0x2B,0x81,0x04,0x00,0x25,                    /* [4926] OBJ_sect409r1 */
 0x2B,0x81,0x04,0x00,0x26,                    /* [4931] OBJ_sect571k1 */
 0x2B,0x81,0x04,0x00,0x27,                    /* [4936] OBJ_sect571r1 */
-0x67,0x2B,0x0D,0x04,0x01,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls1 */
-0x67,0x2B,0x0D,0x04,0x03,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls3 */
-0x67,0x2B,0x0D,0x04,0x04,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls4 */
-0x67,0x2B,0x0D,0x04,0x05,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls5 */
-0x67,0x2B,0x0D,0x04,0x06,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls6 */
-0x67,0x2B,0x0D,0x04,0x07,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls7 */
-0x67,0x2B,0x0D,0x04,0x08,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls8 */
-0x67,0x2B,0x0D,0x04,0x09,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls9 */
-0x67,0x2B,0x0D,0x04,0x0A,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls10 */
-0x67,0x2B,0x0D,0x04,0x0B,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls11 */
-0x67,0x2B,0x0D,0x04,0x0C,                    /* [4991] OBJ_wap_wsg_idm_ecid_wtls12 */
+0x67,0x2B,0x01,0x04,0x01,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls1 */
+0x67,0x2B,0x01,0x04,0x03,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls3 */
+0x67,0x2B,0x01,0x04,0x04,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls4 */
+0x67,0x2B,0x01,0x04,0x05,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls5 */
+0x67,0x2B,0x01,0x04,0x06,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls6 */
+0x67,0x2B,0x01,0x04,0x07,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls7 */
+0x67,0x2B,0x01,0x04,0x08,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls8 */
+0x67,0x2B,0x01,0x04,0x09,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls9 */
+0x67,0x2B,0x01,0x04,0x0A,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls10 */
+0x67,0x2B,0x01,0x04,0x0B,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls11 */
+0x67,0x2B,0x01,0x04,0x0C,                    /* [4991] OBJ_wap_wsg_idm_ecid_wtls12 */
 0x55,0x1D,0x20,0x00,                         /* [4996] OBJ_any_policy */
 0x55,0x1D,0x21,                              /* [5000] OBJ_policy_mappings */
 0x55,0x1D,0x36,                              /* [5003] OBJ_inhibit_any_policy */
@@ -874,6 +874,40 @@ static unsigned char lvalues[5722]={
 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5701] OBJ_LocalKeySet */
 0x55,0x1D,0x2E,                              /* [5710] OBJ_freshest_crl */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x03,     /* [5713] OBJ_id_on_permanentIdentifier */
+0x55,0x04,0x0E,                              /* [5721] OBJ_searchGuide */
+0x55,0x04,0x0F,                              /* [5724] OBJ_businessCategory */
+0x55,0x04,0x10,                              /* [5727] OBJ_postalAddress */
+0x55,0x04,0x12,                              /* [5730] OBJ_postOfficeBox */
+0x55,0x04,0x13,                              /* [5733] OBJ_physicalDeliveryOfficeName */
+0x55,0x04,0x14,                              /* [5736] OBJ_telephoneNumber */
+0x55,0x04,0x15,                              /* [5739] OBJ_telexNumber */
+0x55,0x04,0x16,                              /* [5742] OBJ_teletexTerminalIdentifier */
+0x55,0x04,0x17,                              /* [5745] OBJ_facsimileTelephoneNumber */
+0x55,0x04,0x18,                              /* [5748] OBJ_x121Address */
+0x55,0x04,0x19,                              /* [5751] OBJ_internationaliSDNNumber */
+0x55,0x04,0x1A,                              /* [5754] OBJ_registeredAddress */
+0x55,0x04,0x1B,                              /* [5757] OBJ_destinationIndicator */
+0x55,0x04,0x1C,                              /* [5760] OBJ_preferredDeliveryMethod */
+0x55,0x04,0x1D,                              /* [5763] OBJ_presentationAddress */
+0x55,0x04,0x1E,                              /* [5766] OBJ_supportedApplicationContext */
+0x55,0x04,0x1F,                              /* [5769] OBJ_member */
+0x55,0x04,0x20,                              /* [5772] OBJ_owner */
+0x55,0x04,0x21,                              /* [5775] OBJ_roleOccupant */
+0x55,0x04,0x22,                              /* [5778] OBJ_seeAlso */
+0x55,0x04,0x23,                              /* [5781] OBJ_userPassword */
+0x55,0x04,0x24,                              /* [5784] OBJ_userCertificate */
+0x55,0x04,0x25,                              /* [5787] OBJ_cACertificate */
+0x55,0x04,0x26,                              /* [5790] OBJ_authorityRevocationList */
+0x55,0x04,0x27,                              /* [5793] OBJ_certificateRevocationList */
+0x55,0x04,0x28,                              /* [5796] OBJ_crossCertificatePair */
+0x55,0x04,0x2F,                              /* [5799] OBJ_enhancedSearchGuide */
+0x55,0x04,0x30,                              /* [5802] OBJ_protocolInformation */
+0x55,0x04,0x31,                              /* [5805] OBJ_distinguishedName */
+0x55,0x04,0x32,                              /* [5808] OBJ_uniqueMember */
+0x55,0x04,0x33,                              /* [5811] OBJ_houseIdentifier */
+0x55,0x04,0x34,                              /* [5814] OBJ_supportedAlgorithms */
+0x55,0x04,0x35,                              /* [5817] OBJ_deltaRevocationList */
+0x55,0x04,0x36,                              /* [5820] OBJ_dmdName */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -1928,7 +1962,7 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL,0},
 {"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL,0},
 {"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL,0},
-{"streetAddress","streetAddress",NID_streetAddress,3,&(lvalues[4462]),0},
+{"street","streetAddress",NID_streetAddress,3,&(lvalues[4462]),0},
 {"postalCode","postalCode",NID_postalCode,3,&(lvalues[4465]),0},
 {"id-ppl","id-ppl",NID_id_ppl,7,&(lvalues[4468]),0},
 {"proxyCertInfo","Proxy Certificate Information",NID_proxyCertInfo,8,
@@ -2262,6 +2296,61 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
        &(lvalues[5710]),0},
 {"id-on-permanentIdentifier","Permanent Identifier",
        NID_id_on_permanentIdentifier,8,&(lvalues[5713]),0},
+{"searchGuide","searchGuide",NID_searchGuide,3,&(lvalues[5721]),0},
+{"businessCategory","businessCategory",NID_businessCategory,3,
+       &(lvalues[5724]),0},
+{"postalAddress","postalAddress",NID_postalAddress,3,&(lvalues[5727]),0},
+{"postOfficeBox","postOfficeBox",NID_postOfficeBox,3,&(lvalues[5730]),0},
+{"physicalDeliveryOfficeName","physicalDeliveryOfficeName",
+       NID_physicalDeliveryOfficeName,3,&(lvalues[5733]),0},
+{"telephoneNumber","telephoneNumber",NID_telephoneNumber,3,
+       &(lvalues[5736]),0},
+{"telexNumber","telexNumber",NID_telexNumber,3,&(lvalues[5739]),0},
+{"teletexTerminalIdentifier","teletexTerminalIdentifier",
+       NID_teletexTerminalIdentifier,3,&(lvalues[5742]),0},
+{"facsimileTelephoneNumber","facsimileTelephoneNumber",
+       NID_facsimileTelephoneNumber,3,&(lvalues[5745]),0},
+{"x121Address","x121Address",NID_x121Address,3,&(lvalues[5748]),0},
+{"internationaliSDNNumber","internationaliSDNNumber",
+       NID_internationaliSDNNumber,3,&(lvalues[5751]),0},
+{"registeredAddress","registeredAddress",NID_registeredAddress,3,
+       &(lvalues[5754]),0},
+{"destinationIndicator","destinationIndicator",
+       NID_destinationIndicator,3,&(lvalues[5757]),0},
+{"preferredDeliveryMethod","preferredDeliveryMethod",
+       NID_preferredDeliveryMethod,3,&(lvalues[5760]),0},
+{"presentationAddress","presentationAddress",NID_presentationAddress,
+       3,&(lvalues[5763]),0},
+{"supportedApplicationContext","supportedApplicationContext",
+       NID_supportedApplicationContext,3,&(lvalues[5766]),0},
+{"member","member",NID_member,3,&(lvalues[5769]),0},
+{"owner","owner",NID_owner,3,&(lvalues[5772]),0},
+{"roleOccupant","roleOccupant",NID_roleOccupant,3,&(lvalues[5775]),0},
+{"seeAlso","seeAlso",NID_seeAlso,3,&(lvalues[5778]),0},
+{"userPassword","userPassword",NID_userPassword,3,&(lvalues[5781]),0},
+{"userCertificate","userCertificate",NID_userCertificate,3,
+       &(lvalues[5784]),0},
+{"cACertificate","cACertificate",NID_cACertificate,3,&(lvalues[5787]),0},
+{"authorityRevocationList","authorityRevocationList",
+       NID_authorityRevocationList,3,&(lvalues[5790]),0},
+{"certificateRevocationList","certificateRevocationList",
+       NID_certificateRevocationList,3,&(lvalues[5793]),0},
+{"crossCertificatePair","crossCertificatePair",
+       NID_crossCertificatePair,3,&(lvalues[5796]),0},
+{"enhancedSearchGuide","enhancedSearchGuide",NID_enhancedSearchGuide,
+       3,&(lvalues[5799]),0},
+{"protocolInformation","protocolInformation",NID_protocolInformation,
+       3,&(lvalues[5802]),0},
+{"distinguishedName","distinguishedName",NID_distinguishedName,3,
+       &(lvalues[5805]),0},
+{"uniqueMember","uniqueMember",NID_uniqueMember,3,&(lvalues[5808]),0},
+{"houseIdentifier","houseIdentifier",NID_houseIdentifier,3,
+       &(lvalues[5811]),0},
+{"supportedAlgorithms","supportedAlgorithms",NID_supportedAlgorithms,
+       3,&(lvalues[5814]),0},
+{"deltaRevocationList","deltaRevocationList",NID_deltaRevocationList,
+       3,&(lvalues[5817]),0},
+{"dmdName","dmdName",NID_dmdName,3,&(lvalues[5820]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -2458,10 +2547,12 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[501]),/* "audio" */
 &(nid_objs[177]),/* "authorityInfoAccess" */
 &(nid_objs[90]),/* "authorityKeyIdentifier" */
+&(nid_objs[882]),/* "authorityRevocationList" */
 &(nid_objs[87]),/* "basicConstraints" */
 &(nid_objs[365]),/* "basicOCSPResponse" */
 &(nid_objs[285]),/* "biometricInfo" */
 &(nid_objs[494]),/* "buildingName" */
+&(nid_objs[860]),/* "businessCategory" */
 &(nid_objs[691]),/* "c2onb191v4" */
 &(nid_objs[692]),/* "c2onb191v5" */
 &(nid_objs[697]),/* "c2onb239v4" */
@@ -2482,6 +2573,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[696]),/* "c2tnb239v3" */
 &(nid_objs[701]),/* "c2tnb359v1" */
 &(nid_objs[703]),/* "c2tnb431r1" */
+&(nid_objs[881]),/* "cACertificate" */
 &(nid_objs[483]),/* "cNAMERecord" */
 &(nid_objs[179]),/* "caIssuers" */
 &(nid_objs[785]),/* "caRepository" */
@@ -2490,6 +2582,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[677]),/* "certicom-arc" */
 &(nid_objs[771]),/* "certificateIssuer" */
 &(nid_objs[89]),/* "certificatePolicies" */
+&(nid_objs[883]),/* "certificateRevocationList" */
 &(nid_objs[54]),/* "challengePassword" */
 &(nid_objs[407]),/* "characteristic-two-field" */
 &(nid_objs[395]),/* "clearance" */
@@ -2500,6 +2593,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[153]),/* "crlBag" */
 &(nid_objs[103]),/* "crlDistributionPoints" */
 &(nid_objs[88]),/* "crlNumber" */
+&(nid_objs[884]),/* "crossCertificatePair" */
 &(nid_objs[806]),/* "cryptocom" */
 &(nid_objs[805]),/* "cryptopro" */
 &(nid_objs[500]),/* "dITRedirect" */
@@ -2508,9 +2602,13 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[434]),/* "data" */
 &(nid_objs[390]),/* "dcobject" */
 &(nid_objs[140]),/* "deltaCRL" */
+&(nid_objs[891]),/* "deltaRevocationList" */
 &(nid_objs[107]),/* "description" */
+&(nid_objs[871]),/* "destinationIndicator" */
 &(nid_objs[28]),/* "dhKeyAgreement" */
 &(nid_objs[382]),/* "directory" */
+&(nid_objs[887]),/* "distinguishedName" */
+&(nid_objs[892]),/* "dmdName" */
 &(nid_objs[174]),/* "dnQualifier" */
 &(nid_objs[447]),/* "document" */
 &(nid_objs[471]),/* "documentAuthor" */
@@ -2533,12 +2631,14 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[792]),/* "ecdsa-with-Specified" */
 &(nid_objs[48]),/* "emailAddress" */
 &(nid_objs[132]),/* "emailProtection" */
+&(nid_objs[885]),/* "enhancedSearchGuide" */
 &(nid_objs[389]),/* "enterprises" */
 &(nid_objs[384]),/* "experimental" */
 &(nid_objs[172]),/* "extReq" */
 &(nid_objs[56]),/* "extendedCertificateAttributes" */
 &(nid_objs[126]),/* "extendedKeyUsage" */
 &(nid_objs[372]),/* "extendedStatus" */
+&(nid_objs[867]),/* "facsimileTelephoneNumber" */
 &(nid_objs[462]),/* "favouriteDrink" */
 &(nid_objs[857]),/* "freshestCRL" */
 &(nid_objs[453]),/* "friendlyCountry" */
@@ -2565,6 +2665,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[486]),/* "homePostalAddress" */
 &(nid_objs[473]),/* "homeTelephoneNumber" */
 &(nid_objs[466]),/* "host" */
+&(nid_objs[889]),/* "houseIdentifier" */
 &(nid_objs[442]),/* "iA5StringSyntax" */
 &(nid_objs[783]),/* "id-DHBasedMac" */
 &(nid_objs[824]),/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
@@ -2794,6 +2895,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[748]),/* "inhibitAnyPolicy" */
 &(nid_objs[101]),/* "initials" */
 &(nid_objs[647]),/* "international-organizations" */
+&(nid_objs[869]),/* "internationaliSDNNumber" */
 &(nid_objs[142]),/* "invalidityDate" */
 &(nid_objs[294]),/* "ipsecEndSystem" */
 &(nid_objs[295]),/* "ipsecTunnel" */
@@ -2811,6 +2913,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[493]),/* "mailPreferenceOption" */
 &(nid_objs[467]),/* "manager" */
 &(nid_objs[809]),/* "md_gost94" */
+&(nid_objs[875]),/* "member" */
 &(nid_objs[182]),/* "member-body" */
 &(nid_objs[51]),/* "messageDigest" */
 &(nid_objs[383]),/* "mgmt" */
@@ -2846,12 +2949,14 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[681]),/* "onBasis" */
 &(nid_objs[491]),/* "organizationalStatus" */
 &(nid_objs[475]),/* "otherMailbox" */
+&(nid_objs[876]),/* "owner" */
 &(nid_objs[489]),/* "pagerTelephoneNumber" */
 &(nid_objs[374]),/* "path" */
 &(nid_objs[112]),/* "pbeWithMD5AndCast5CBC" */
 &(nid_objs[499]),/* "personalSignature" */
 &(nid_objs[487]),/* "personalTitle" */
 &(nid_objs[464]),/* "photo" */
+&(nid_objs[863]),/* "physicalDeliveryOfficeName" */
 &(nid_objs[437]),/* "pilot" */
 &(nid_objs[439]),/* "pilotAttributeSyntax" */
 &(nid_objs[438]),/* "pilotAttributeType" */
@@ -2877,8 +2982,12 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[47]),/* "pkcs9" */
 &(nid_objs[401]),/* "policyConstraints" */
 &(nid_objs[747]),/* "policyMappings" */
+&(nid_objs[862]),/* "postOfficeBox" */
+&(nid_objs[861]),/* "postalAddress" */
 &(nid_objs[661]),/* "postalCode" */
 &(nid_objs[683]),/* "ppBasis" */
+&(nid_objs[872]),/* "preferredDeliveryMethod" */
+&(nid_objs[873]),/* "presentationAddress" */
 &(nid_objs[816]),/* "prf-gostr3411-94" */
 &(nid_objs[406]),/* "prime-field" */
 &(nid_objs[409]),/* "prime192v1" */
@@ -2890,13 +2999,16 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[415]),/* "prime256v1" */
 &(nid_objs[385]),/* "private" */
 &(nid_objs[84]),/* "privateKeyUsagePeriod" */
+&(nid_objs[886]),/* "protocolInformation" */
 &(nid_objs[663]),/* "proxyCertInfo" */
 &(nid_objs[510]),/* "pseudonym" */
 &(nid_objs[435]),/* "pss" */
 &(nid_objs[286]),/* "qcStatements" */
 &(nid_objs[457]),/* "qualityLabelledData" */
 &(nid_objs[450]),/* "rFC822localPart" */
+&(nid_objs[870]),/* "registeredAddress" */
 &(nid_objs[400]),/* "role" */
+&(nid_objs[877]),/* "roleOccupant" */
 &(nid_objs[448]),/* "room" */
 &(nid_objs[463]),/* "roomNumber" */
 &(nid_objs[ 6]),/* "rsaEncryption" */
@@ -2909,6 +3021,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[290]),/* "sbgp-ipAddrBlock" */
 &(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[859]),/* "searchGuide" */
 &(nid_objs[704]),/* "secp112r1" */
 &(nid_objs[705]),/* "secp112r2" */
 &(nid_objs[706]),/* "secp128r1" */
@@ -2943,6 +3056,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[733]),/* "sect571k1" */
 &(nid_objs[734]),/* "sect571r1" */
 &(nid_objs[386]),/* "security" */
+&(nid_objs[878]),/* "seeAlso" */
 &(nid_objs[394]),/* "selected-attribute-types" */
 &(nid_objs[105]),/* "serialNumber" */
 &(nid_objs[129]),/* "serverAuth" */
@@ -3081,14 +3195,19 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[454]),/* "simpleSecurityObject" */
 &(nid_objs[496]),/* "singleLevelQuality" */
 &(nid_objs[387]),/* "snmpv2" */
-&(nid_objs[660]),/* "streetAddress" */
+&(nid_objs[660]),/* "street" */
 &(nid_objs[85]),/* "subjectAltName" */
 &(nid_objs[769]),/* "subjectDirectoryAttributes" */
 &(nid_objs[398]),/* "subjectInfoAccess" */
 &(nid_objs[82]),/* "subjectKeyIdentifier" */
 &(nid_objs[498]),/* "subtreeMaximumQuality" */
 &(nid_objs[497]),/* "subtreeMinimumQuality" */
+&(nid_objs[890]),/* "supportedAlgorithms" */
+&(nid_objs[874]),/* "supportedApplicationContext" */
 &(nid_objs[402]),/* "targetInformation" */
+&(nid_objs[864]),/* "telephoneNumber" */
+&(nid_objs[866]),/* "teletexTerminalIdentifier" */
+&(nid_objs[865]),/* "telexNumber" */
 &(nid_objs[459]),/* "textEncodedORAddress" */
 &(nid_objs[293]),/* "textNotice" */
 &(nid_objs[133]),/* "timeStamping" */
@@ -3096,9 +3215,12 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[682]),/* "tpBasis" */
 &(nid_objs[375]),/* "trustRoot" */
 &(nid_objs[436]),/* "ucl" */
+&(nid_objs[888]),/* "uniqueMember" */
 &(nid_objs[55]),/* "unstructuredAddress" */
 &(nid_objs[49]),/* "unstructuredName" */
+&(nid_objs[880]),/* "userCertificate" */
 &(nid_objs[465]),/* "userClass" */
+&(nid_objs[879]),/* "userPassword" */
 &(nid_objs[373]),/* "valid" */
 &(nid_objs[678]),/* "wap" */
 &(nid_objs[679]),/* "wap-wsg" */
@@ -3114,6 +3236,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
 &(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
 &(nid_objs[804]),/* "whirlpool" */
+&(nid_objs[868]),/* "x121Address" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -3284,11 +3407,13 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[484]),/* "associatedDomain" */
 &(nid_objs[485]),/* "associatedName" */
 &(nid_objs[501]),/* "audio" */
+&(nid_objs[882]),/* "authorityRevocationList" */
 &(nid_objs[91]),/* "bf-cbc" */
 &(nid_objs[93]),/* "bf-cfb" */
 &(nid_objs[92]),/* "bf-ecb" */
 &(nid_objs[94]),/* "bf-ofb" */
 &(nid_objs[494]),/* "buildingName" */
+&(nid_objs[860]),/* "businessCategory" */
 &(nid_objs[691]),/* "c2onb191v4" */
 &(nid_objs[692]),/* "c2onb191v5" */
 &(nid_objs[697]),/* "c2onb239v4" */
@@ -3309,6 +3434,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[696]),/* "c2tnb239v3" */
 &(nid_objs[701]),/* "c2tnb359v1" */
 &(nid_objs[703]),/* "c2tnb431r1" */
+&(nid_objs[881]),/* "cACertificate" */
 &(nid_objs[483]),/* "cNAMERecord" */
 &(nid_objs[751]),/* "camellia-128-cbc" */
 &(nid_objs[757]),/* "camellia-128-cfb" */
@@ -3336,6 +3462,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[152]),/* "certBag" */
 &(nid_objs[677]),/* "certicom-arc" */
 &(nid_objs[517]),/* "certificate extensions" */
+&(nid_objs[883]),/* "certificateRevocationList" */
 &(nid_objs[54]),/* "challengePassword" */
 &(nid_objs[407]),/* "characteristic-two-field" */
 &(nid_objs[395]),/* "clearance" */
@@ -3346,6 +3473,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[53]),/* "countersignature" */
 &(nid_objs[14]),/* "countryName" */
 &(nid_objs[153]),/* "crlBag" */
+&(nid_objs[884]),/* "crossCertificatePair" */
 &(nid_objs[806]),/* "cryptocom" */
 &(nid_objs[805]),/* "cryptopro" */
 &(nid_objs[500]),/* "dITRedirect" */
@@ -3353,6 +3481,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[495]),/* "dSAQuality" */
 &(nid_objs[434]),/* "data" */
 &(nid_objs[390]),/* "dcObject" */
+&(nid_objs[891]),/* "deltaRevocationList" */
 &(nid_objs[31]),/* "des-cbc" */
 &(nid_objs[643]),/* "des-cdmf" */
 &(nid_objs[30]),/* "des-cfb" */
@@ -3371,10 +3500,13 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[63]),/* "des-ede3-ofb" */
 &(nid_objs[45]),/* "des-ofb" */
 &(nid_objs[107]),/* "description" */
+&(nid_objs[871]),/* "destinationIndicator" */
 &(nid_objs[80]),/* "desx-cbc" */
 &(nid_objs[28]),/* "dhKeyAgreement" */
 &(nid_objs[11]),/* "directory services (X.500)" */
 &(nid_objs[378]),/* "directory services - algorithms" */
+&(nid_objs[887]),/* "distinguishedName" */
+&(nid_objs[892]),/* "dmdName" */
 &(nid_objs[174]),/* "dnQualifier" */
 &(nid_objs[447]),/* "document" */
 &(nid_objs[471]),/* "documentAuthor" */
@@ -3404,7 +3536,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[792]),/* "ecdsa-with-Specified" */
 &(nid_objs[48]),/* "emailAddress" */
 &(nid_objs[632]),/* "encrypted track 2" */
+&(nid_objs[885]),/* "enhancedSearchGuide" */
 &(nid_objs[56]),/* "extendedCertificateAttributes" */
+&(nid_objs[867]),/* "facsimileTelephoneNumber" */
 &(nid_objs[462]),/* "favouriteDrink" */
 &(nid_objs[453]),/* "friendlyCountry" */
 &(nid_objs[490]),/* "friendlyCountryName" */
@@ -3426,6 +3560,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[486]),/* "homePostalAddress" */
 &(nid_objs[473]),/* "homeTelephoneNumber" */
 &(nid_objs[466]),/* "host" */
+&(nid_objs[889]),/* "houseIdentifier" */
 &(nid_objs[442]),/* "iA5StringSyntax" */
 &(nid_objs[381]),/* "iana" */
 &(nid_objs[824]),/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
@@ -3640,6 +3775,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[676]),/* "identified-organization" */
 &(nid_objs[461]),/* "info" */
 &(nid_objs[101]),/* "initials" */
+&(nid_objs[869]),/* "internationaliSDNNumber" */
 &(nid_objs[749]),/* "ipsec3" */
 &(nid_objs[750]),/* "ipsec4" */
 &(nid_objs[181]),/* "iso" */
@@ -3666,6 +3802,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[ 8]),/* "md5WithRSAEncryption" */
 &(nid_objs[95]),/* "mdc2" */
 &(nid_objs[96]),/* "mdc2WithRSA" */
+&(nid_objs[875]),/* "member" */
 &(nid_objs[602]),/* "merchant initiated auth" */
 &(nid_objs[514]),/* "message extensions" */
 &(nid_objs[51]),/* "messageDigest" */
@@ -3680,6 +3817,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[491]),/* "organizationalStatus" */
 &(nid_objs[18]),/* "organizationalUnitName" */
 &(nid_objs[475]),/* "otherMailbox" */
+&(nid_objs[876]),/* "owner" */
 &(nid_objs[489]),/* "pagerTelephoneNumber" */
 &(nid_objs[782]),/* "password based MAC" */
 &(nid_objs[374]),/* "path" */
@@ -3700,6 +3838,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[499]),/* "personalSignature" */
 &(nid_objs[487]),/* "personalTitle" */
 &(nid_objs[464]),/* "photo" */
+&(nid_objs[863]),/* "physicalDeliveryOfficeName" */
 &(nid_objs[437]),/* "pilot" */
 &(nid_objs[439]),/* "pilotAttributeSyntax" */
 &(nid_objs[438]),/* "pilotAttributeType" */
@@ -3722,8 +3861,12 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[22]),/* "pkcs7-signedData" */
 &(nid_objs[151]),/* "pkcs8ShroudedKeyBag" */
 &(nid_objs[47]),/* "pkcs9" */
+&(nid_objs[862]),/* "postOfficeBox" */
+&(nid_objs[861]),/* "postalAddress" */
 &(nid_objs[661]),/* "postalCode" */
 &(nid_objs[683]),/* "ppBasis" */
+&(nid_objs[872]),/* "preferredDeliveryMethod" */
+&(nid_objs[873]),/* "presentationAddress" */
 &(nid_objs[406]),/* "prime-field" */
 &(nid_objs[409]),/* "prime192v1" */
 &(nid_objs[410]),/* "prime192v2" */
@@ -3732,6 +3875,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[413]),/* "prime239v2" */
 &(nid_objs[414]),/* "prime239v3" */
 &(nid_objs[415]),/* "prime256v1" */
+&(nid_objs[886]),/* "protocolInformation" */
 &(nid_objs[510]),/* "pseudonym" */
 &(nid_objs[435]),/* "pss" */
 &(nid_objs[286]),/* "qcStatements" */
@@ -3749,10 +3893,12 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[122]),/* "rc5-cfb" */
 &(nid_objs[121]),/* "rc5-ecb" */
 &(nid_objs[123]),/* "rc5-ofb" */
+&(nid_objs[870]),/* "registeredAddress" */
 &(nid_objs[460]),/* "rfc822Mailbox" */
 &(nid_objs[117]),/* "ripemd160" */
 &(nid_objs[119]),/* "ripemd160WithRSA" */
 &(nid_objs[400]),/* "role" */
+&(nid_objs[877]),/* "roleOccupant" */
 &(nid_objs[448]),/* "room" */
 &(nid_objs[463]),/* "roomNumber" */
 &(nid_objs[19]),/* "rsa" */
@@ -3766,6 +3912,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[290]),/* "sbgp-ipAddrBlock" */
 &(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
+&(nid_objs[859]),/* "searchGuide" */
 &(nid_objs[704]),/* "secp112r1" */
 &(nid_objs[705]),/* "secp112r2" */
 &(nid_objs[706]),/* "secp128r1" */
@@ -3800,6 +3947,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[733]),/* "sect571k1" */
 &(nid_objs[734]),/* "sect571r1" */
 &(nid_objs[635]),/* "secure device signature" */
+&(nid_objs[878]),/* "seeAlso" */
 &(nid_objs[777]),/* "seed-cbc" */
 &(nid_objs[779]),/* "seed-cfb" */
 &(nid_objs[776]),/* "seed-ecb" */
@@ -3942,17 +4090,25 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[660]),/* "streetAddress" */
 &(nid_objs[498]),/* "subtreeMaximumQuality" */
 &(nid_objs[497]),/* "subtreeMinimumQuality" */
+&(nid_objs[890]),/* "supportedAlgorithms" */
+&(nid_objs[874]),/* "supportedApplicationContext" */
 &(nid_objs[100]),/* "surname" */
+&(nid_objs[864]),/* "telephoneNumber" */
+&(nid_objs[866]),/* "teletexTerminalIdentifier" */
+&(nid_objs[865]),/* "telexNumber" */
 &(nid_objs[459]),/* "textEncodedORAddress" */
 &(nid_objs[293]),/* "textNotice" */
 &(nid_objs[106]),/* "title" */
 &(nid_objs[682]),/* "tpBasis" */
 &(nid_objs[436]),/* "ucl" */
 &(nid_objs[ 0]),/* "undefined" */
+&(nid_objs[888]),/* "uniqueMember" */
 &(nid_objs[55]),/* "unstructuredAddress" */
 &(nid_objs[49]),/* "unstructuredName" */
+&(nid_objs[880]),/* "userCertificate" */
 &(nid_objs[465]),/* "userClass" */
 &(nid_objs[458]),/* "userId" */
+&(nid_objs[879]),/* "userPassword" */
 &(nid_objs[373]),/* "valid" */
 &(nid_objs[678]),/* "wap" */
 &(nid_objs[679]),/* "wap-wsg" */
@@ -3968,6 +4124,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
 &(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
 &(nid_objs[804]),/* "whirlpool" */
+&(nid_objs[868]),/* "x121Address" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -4009,13 +4166,47 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[18]),/* OBJ_organizationalUnitName       2 5 4 11 */
 &(nid_objs[106]),/* OBJ_title                        2 5 4 12 */
 &(nid_objs[107]),/* OBJ_description                  2 5 4 13 */
+&(nid_objs[859]),/* OBJ_searchGuide                  2 5 4 14 */
+&(nid_objs[860]),/* OBJ_businessCategory             2 5 4 15 */
+&(nid_objs[861]),/* OBJ_postalAddress                2 5 4 16 */
 &(nid_objs[661]),/* OBJ_postalCode                   2 5 4 17 */
+&(nid_objs[862]),/* OBJ_postOfficeBox                2 5 4 18 */
+&(nid_objs[863]),/* OBJ_physicalDeliveryOfficeName   2 5 4 19 */
+&(nid_objs[864]),/* OBJ_telephoneNumber              2 5 4 20 */
+&(nid_objs[865]),/* OBJ_telexNumber                  2 5 4 21 */
+&(nid_objs[866]),/* OBJ_teletexTerminalIdentifier    2 5 4 22 */
+&(nid_objs[867]),/* OBJ_facsimileTelephoneNumber     2 5 4 23 */
+&(nid_objs[868]),/* OBJ_x121Address                  2 5 4 24 */
+&(nid_objs[869]),/* OBJ_internationaliSDNNumber      2 5 4 25 */
+&(nid_objs[870]),/* OBJ_registeredAddress            2 5 4 26 */
+&(nid_objs[871]),/* OBJ_destinationIndicator         2 5 4 27 */
+&(nid_objs[872]),/* OBJ_preferredDeliveryMethod      2 5 4 28 */
+&(nid_objs[873]),/* OBJ_presentationAddress          2 5 4 29 */
+&(nid_objs[874]),/* OBJ_supportedApplicationContext  2 5 4 30 */
+&(nid_objs[875]),/* OBJ_member                       2 5 4 31 */
+&(nid_objs[876]),/* OBJ_owner                        2 5 4 32 */
+&(nid_objs[877]),/* OBJ_roleOccupant                 2 5 4 33 */
+&(nid_objs[878]),/* OBJ_seeAlso                      2 5 4 34 */
+&(nid_objs[879]),/* OBJ_userPassword                 2 5 4 35 */
+&(nid_objs[880]),/* OBJ_userCertificate              2 5 4 36 */
+&(nid_objs[881]),/* OBJ_cACertificate                2 5 4 37 */
+&(nid_objs[882]),/* OBJ_authorityRevocationList      2 5 4 38 */
+&(nid_objs[883]),/* OBJ_certificateRevocationList    2 5 4 39 */
+&(nid_objs[884]),/* OBJ_crossCertificatePair         2 5 4 40 */
 &(nid_objs[173]),/* OBJ_name                         2 5 4 41 */
 &(nid_objs[99]),/* OBJ_givenName                    2 5 4 42 */
 &(nid_objs[101]),/* OBJ_initials                     2 5 4 43 */
 &(nid_objs[509]),/* OBJ_generationQualifier          2 5 4 44 */
 &(nid_objs[503]),/* OBJ_x500UniqueIdentifier         2 5 4 45 */
 &(nid_objs[174]),/* OBJ_dnQualifier                  2 5 4 46 */
+&(nid_objs[885]),/* OBJ_enhancedSearchGuide          2 5 4 47 */
+&(nid_objs[886]),/* OBJ_protocolInformation          2 5 4 48 */
+&(nid_objs[887]),/* OBJ_distinguishedName            2 5 4 49 */
+&(nid_objs[888]),/* OBJ_uniqueMember                 2 5 4 50 */
+&(nid_objs[889]),/* OBJ_houseIdentifier              2 5 4 51 */
+&(nid_objs[890]),/* OBJ_supportedAlgorithms          2 5 4 52 */
+&(nid_objs[891]),/* OBJ_deltaRevocationList          2 5 4 53 */
+&(nid_objs[892]),/* OBJ_dmdName                      2 5 4 54 */
 &(nid_objs[510]),/* OBJ_pseudonym                    2 5 4 65 */
 &(nid_objs[400]),/* OBJ_role                         2 5 4 72 */
 &(nid_objs[769]),/* OBJ_subject_directory_attributes 2 5 29 9 */
@@ -4049,7 +4240,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[516]),/* OBJ_set_policy                   2 23 42 5 */
 &(nid_objs[517]),/* OBJ_set_certExt                  2 23 42 7 */
 &(nid_objs[518]),/* OBJ_set_brand                    2 23 42 8 */
-&(nid_objs[679]),/* OBJ_wap_wsg                      2 23 43 13 */
+&(nid_objs[679]),/* OBJ_wap_wsg                      2 23 43 1 */
 &(nid_objs[382]),/* OBJ_Directory                    1 3 6 1 1 */
 &(nid_objs[383]),/* OBJ_Management                   1 3 6 1 2 */
 &(nid_objs[384]),/* OBJ_Experimental                 1 3 6 1 3 */
@@ -4235,17 +4426,17 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[629]),/* OBJ_setAttr_IssCap_T2            2 23 42 3 3 4 */
 &(nid_objs[630]),/* OBJ_setAttr_IssCap_Sig           2 23 42 3 3 5 */
 &(nid_objs[642]),/* OBJ_set_brand_Novus              2 23 42 8 6011 */
-&(nid_objs[735]),/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 13 4 1 */
-&(nid_objs[736]),/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 13 4 3 */
-&(nid_objs[737]),/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 13 4 4 */
-&(nid_objs[738]),/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 13 4 5 */
-&(nid_objs[739]),/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 13 4 6 */
-&(nid_objs[740]),/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 13 4 7 */
-&(nid_objs[741]),/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 13 4 8 */
-&(nid_objs[742]),/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 13 4 9 */
-&(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 13 4 10 */
-&(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 13 4 11 */
-&(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 13 4 12 */
+&(nid_objs[735]),/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 1 4 1 */
+&(nid_objs[736]),/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 1 4 3 */
+&(nid_objs[737]),/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 1 4 4 */
+&(nid_objs[738]),/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 1 4 5 */
+&(nid_objs[739]),/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 1 4 6 */
+&(nid_objs[740]),/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 1 4 7 */
+&(nid_objs[741]),/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 1 4 8 */
+&(nid_objs[742]),/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 1 4 9 */
+&(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 1 4 10 */
+&(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 1 4 11 */
+&(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 1 4 12 */
 &(nid_objs[804]),/* OBJ_whirlpool                    1 0 10118 3 0 55 */
 &(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
 &(nid_objs[773]),/* OBJ_kisa                         1 2 410 200004 */
index ad5f7cf..282f11a 100644 (file)
 
 #define SN_wap_wsg             "wap-wsg"
 #define NID_wap_wsg            679
-#define OBJ_wap_wsg            OBJ_wap,13L
+#define OBJ_wap_wsg            OBJ_wap,1L
 
 #define SN_selected_attribute_types            "selected-attribute-types"
 #define LN_selected_attribute_types            "Selected Attribute Types"
 #define NID_stateOrProvinceName                16
 #define OBJ_stateOrProvinceName                OBJ_X509,8L
 
+#define SN_streetAddress               "street"
 #define LN_streetAddress               "streetAddress"
 #define NID_streetAddress              660
 #define OBJ_streetAddress              OBJ_X509,9L
 #define NID_organizationalUnitName             18
 #define OBJ_organizationalUnitName             OBJ_X509,11L
 
+#define SN_title               "title"
 #define LN_title               "title"
 #define NID_title              106
 #define OBJ_title              OBJ_X509,12L
 #define NID_description                107
 #define OBJ_description                OBJ_X509,13L
 
+#define LN_searchGuide         "searchGuide"
+#define NID_searchGuide                859
+#define OBJ_searchGuide                OBJ_X509,14L
+
+#define LN_businessCategory            "businessCategory"
+#define NID_businessCategory           860
+#define OBJ_businessCategory           OBJ_X509,15L
+
+#define LN_postalAddress               "postalAddress"
+#define NID_postalAddress              861
+#define OBJ_postalAddress              OBJ_X509,16L
+
 #define LN_postalCode          "postalCode"
 #define NID_postalCode         661
 #define OBJ_postalCode         OBJ_X509,17L
 
+#define LN_postOfficeBox               "postOfficeBox"
+#define NID_postOfficeBox              862
+#define OBJ_postOfficeBox              OBJ_X509,18L
+
+#define LN_physicalDeliveryOfficeName          "physicalDeliveryOfficeName"
+#define NID_physicalDeliveryOfficeName         863
+#define OBJ_physicalDeliveryOfficeName         OBJ_X509,19L
+
+#define LN_telephoneNumber             "telephoneNumber"
+#define NID_telephoneNumber            864
+#define OBJ_telephoneNumber            OBJ_X509,20L
+
+#define LN_telexNumber         "telexNumber"
+#define NID_telexNumber                865
+#define OBJ_telexNumber                OBJ_X509,21L
+
+#define LN_teletexTerminalIdentifier           "teletexTerminalIdentifier"
+#define NID_teletexTerminalIdentifier          866
+#define OBJ_teletexTerminalIdentifier          OBJ_X509,22L
+
+#define LN_facsimileTelephoneNumber            "facsimileTelephoneNumber"
+#define NID_facsimileTelephoneNumber           867
+#define OBJ_facsimileTelephoneNumber           OBJ_X509,23L
+
+#define LN_x121Address         "x121Address"
+#define NID_x121Address                868
+#define OBJ_x121Address                OBJ_X509,24L
+
+#define LN_internationaliSDNNumber             "internationaliSDNNumber"
+#define NID_internationaliSDNNumber            869
+#define OBJ_internationaliSDNNumber            OBJ_X509,25L
+
+#define LN_registeredAddress           "registeredAddress"
+#define NID_registeredAddress          870
+#define OBJ_registeredAddress          OBJ_X509,26L
+
+#define LN_destinationIndicator                "destinationIndicator"
+#define NID_destinationIndicator               871
+#define OBJ_destinationIndicator               OBJ_X509,27L
+
+#define LN_preferredDeliveryMethod             "preferredDeliveryMethod"
+#define NID_preferredDeliveryMethod            872
+#define OBJ_preferredDeliveryMethod            OBJ_X509,28L
+
+#define LN_presentationAddress         "presentationAddress"
+#define NID_presentationAddress                873
+#define OBJ_presentationAddress                OBJ_X509,29L
+
+#define LN_supportedApplicationContext         "supportedApplicationContext"
+#define NID_supportedApplicationContext                874
+#define OBJ_supportedApplicationContext                OBJ_X509,30L
+
+#define SN_member              "member"
+#define NID_member             875
+#define OBJ_member             OBJ_X509,31L
+
+#define SN_owner               "owner"
+#define NID_owner              876
+#define OBJ_owner              OBJ_X509,32L
+
+#define LN_roleOccupant                "roleOccupant"
+#define NID_roleOccupant               877
+#define OBJ_roleOccupant               OBJ_X509,33L
+
+#define SN_seeAlso             "seeAlso"
+#define NID_seeAlso            878
+#define OBJ_seeAlso            OBJ_X509,34L
+
+#define LN_userPassword                "userPassword"
+#define NID_userPassword               879
+#define OBJ_userPassword               OBJ_X509,35L
+
+#define LN_userCertificate             "userCertificate"
+#define NID_userCertificate            880
+#define OBJ_userCertificate            OBJ_X509,36L
+
+#define LN_cACertificate               "cACertificate"
+#define NID_cACertificate              881
+#define OBJ_cACertificate              OBJ_X509,37L
+
+#define LN_authorityRevocationList             "authorityRevocationList"
+#define NID_authorityRevocationList            882
+#define OBJ_authorityRevocationList            OBJ_X509,38L
+
+#define LN_certificateRevocationList           "certificateRevocationList"
+#define NID_certificateRevocationList          883
+#define OBJ_certificateRevocationList          OBJ_X509,39L
+
+#define LN_crossCertificatePair                "crossCertificatePair"
+#define NID_crossCertificatePair               884
+#define OBJ_crossCertificatePair               OBJ_X509,40L
+
 #define SN_name                "name"
 #define LN_name                "name"
 #define NID_name               173
 #define NID_givenName          99
 #define OBJ_givenName          OBJ_X509,42L
 
+#define SN_initials            "initials"
 #define LN_initials            "initials"
 #define NID_initials           101
 #define OBJ_initials           OBJ_X509,43L
 #define NID_dnQualifier                174
 #define OBJ_dnQualifier                OBJ_X509,46L
 
+#define LN_enhancedSearchGuide         "enhancedSearchGuide"
+#define NID_enhancedSearchGuide                885
+#define OBJ_enhancedSearchGuide                OBJ_X509,47L
+
+#define LN_protocolInformation         "protocolInformation"
+#define NID_protocolInformation                886
+#define OBJ_protocolInformation                OBJ_X509,48L
+
+#define LN_distinguishedName           "distinguishedName"
+#define NID_distinguishedName          887
+#define OBJ_distinguishedName          OBJ_X509,49L
+
+#define LN_uniqueMember                "uniqueMember"
+#define NID_uniqueMember               888
+#define OBJ_uniqueMember               OBJ_X509,50L
+
+#define LN_houseIdentifier             "houseIdentifier"
+#define NID_houseIdentifier            889
+#define OBJ_houseIdentifier            OBJ_X509,51L
+
+#define LN_supportedAlgorithms         "supportedAlgorithms"
+#define NID_supportedAlgorithms                890
+#define OBJ_supportedAlgorithms                OBJ_X509,52L
+
+#define LN_deltaRevocationList         "deltaRevocationList"
+#define NID_deltaRevocationList                891
+#define OBJ_deltaRevocationList                OBJ_X509,53L
+
+#define SN_dmdName             "dmdName"
+#define NID_dmdName            892
+#define OBJ_dmdName            OBJ_X509,54L
+
 #define LN_pseudonym           "pseudonym"
 #define NID_pseudonym          510
 #define OBJ_pseudonym          OBJ_X509,65L
index 3dfb51c..01f81e7 100644 (file)
@@ -266,12 +266,12 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
                        if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
                                goto err;
                        }
-               if (!BIO_write(bp,"\n",1)) goto err;
+               if (BIO_write(bp,"\n",1) <= 0) goto err;
                if (!X509V3_extensions_print(bp,
                                        "Response Single Extensions",
                                        single->singleExtensions, flags, 8))
                                                        goto err;
-               if (!BIO_write(bp,"\n",1)) goto err;
+               if (BIO_write(bp,"\n",1) <= 0) goto err;
                }
        if (!X509V3_extensions_print(bp, "Response Extensions",
                                        rd->responseExtensions, flags, 4))
index c41a38a..3d794d9 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x009080cfL
+#define OPENSSL_VERSION_NUMBER 0x009080dfL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8l-fips 5 Nov 2009"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8m-fips 25 Feb 2010"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8l 5 Nov 2009"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8m 25 Feb 2010"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index 4e554e5..59690b5 100644 (file)
@@ -100,7 +100,7 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
 
        EVP_CIPHER_CTX_init(&ctx->cipher);
        ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
-       if (!ret) goto err;
+       if (ret <= 0) goto err;
 
        /* base64 encode the keys */
        for (i=0; i<npubk; i++)
index 68d6c5a..856933d 100644 (file)
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
+#ifdef OPENSSL_SYS_NETWARE
+/* Rename these functions to avoid name clashes on NetWare OS */
+#define uni2asc OPENSSL_uni2asc
+#define asc2uni OPENSSL_asc2uni
+#endif
+
 /* Add a local keyid to a safebag */
 
 int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name,
index 9e57eee..5cfe727 100644 (file)
@@ -69,6 +69,12 @@ extern BIO *bio_err;
 void h__dump (unsigned char *p, int len);
 #endif
 
+#ifdef OPENSSL_SYS_NETWARE
+/* Rename these functions to avoid name clashes on NetWare OS */
+#define uni2asc OPENSSL_uni2asc
+#define asc2uni OPENSSL_asc2uni
+#endif
+
 /* PKCS12 compatible key/IV generation */
 #ifndef min
 #define min(a,b) ((a) < (b) ? (a) : (b))
index ca30ac4..2edbf90 100644 (file)
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
 
+#ifdef OPENSSL_SYS_NETWARE
+/* Rename these functions to avoid name clashes on NetWare OS */
+#define uni2asc OPENSSL_uni2asc
+#define asc2uni OPENSSL_asc2uni
+#endif
+
 /* Cheap and nasty Unicode stuff */
 
 unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen)
index 4bee605..78317fb 100644 (file)
@@ -232,9 +232,14 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
                   const EVP_MD *md_type);
 int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
                                         int saltlen, const EVP_MD *md_type);
+#if defined(NETWARE) || defined(OPENSSL_SYS_NETWARE)
+/* Rename these functions to avoid name clashes on NetWare OS */
+unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
+char *OPENSSL_uni2asc(unsigned char *uni, int unilen);
+#else
 unsigned char *asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen);
 char *uni2asc(unsigned char *uni, int unilen);
-
+#endif
 DECLARE_ASN1_FUNCTIONS(PKCS12)
 DECLARE_ASN1_FUNCTIONS(PKCS12_MAC_DATA)
 DECLARE_ASN1_FUNCTIONS(PKCS12_SAFEBAG)
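Review bot: The guard on the renamed prototypes here is `#if defined(NETWARE) || defined(OPENSSL_SYS_NETWARE)`, but the three source-file hunks above that add `#define uni2asc OPENSSL_uni2asc` and `#define asc2uni OPENSSL_asc2uni` test only `#ifdef OPENSSL_SYS_NETWARE`. If a build defines NETWARE without OPENSSL_SYS_NETWARE, this header would declare only the OPENSSL_-prefixed names while those sources still define and call the unprefixed ones, leaving the calls without a matching prototype. Using one condition in all four places would close that gap. If this is the header those sources include, the two `#define` lines could live here once under the same guard instead of being copied into each file.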
index bf19036..7762d64 100644 (file)
  * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
  *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
  */
 
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
 #include <openssl/x509.h>
+#include <openssl/asn1.h>
 
-/* MIME and related routines */
-
-/* MIME format structures
- * Note that all are translated to lower case apart from
- * parameter values. Quotes are stripped off
- */
-
-typedef struct {
-char *param_name;                      /* Param name e.g. "micalg" */
-char *param_value;                     /* Param value e.g. "sha1" */
-} MIME_PARAM;
-
-DECLARE_STACK_OF(MIME_PARAM)
-IMPLEMENT_STACK_OF(MIME_PARAM)
-
-typedef struct {
-char *name;                            /* Name of line e.g. "content-type" */
-char *value;                           /* Value of line e.g. "text/plain" */
-STACK_OF(MIME_PARAM) *params;          /* Zero or more parameters */
-} MIME_HEADER;
-
-DECLARE_STACK_OF(MIME_HEADER)
-IMPLEMENT_STACK_OF(MIME_HEADER)
-
-static int pkcs7_output_data(BIO *bio, BIO *data, PKCS7 *p7, int flags);
-static int B64_write_PKCS7(BIO *bio, PKCS7 *p7);
-static PKCS7 *B64_read_PKCS7(BIO *bio);
-static char * strip_ends(char *name);
-static char * strip_start(char *name);
-static char * strip_end(char *name);
-static MIME_HEADER *mime_hdr_new(char *name, char *value);
-static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value);
-static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio);
-static int mime_hdr_cmp(const MIME_HEADER * const *a,
-                       const MIME_HEADER * const *b);
-static int mime_param_cmp(const MIME_PARAM * const *a,
-                       const MIME_PARAM * const *b);
-static void mime_param_free(MIME_PARAM *param);
-static int mime_bound_check(char *line, int linelen, char *bound, int blen);
-static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
-static int strip_eol(char *linebuf, int *plen);
-static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
-static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name);
-static void mime_hdr_free(MIME_HEADER *hdr);
+/* PKCS#7 wrappers round generalised MIME routines */
 
-#define MAX_SMLEN 1024
-#define mime_debug(x) /* x */
-
-/* Base 64 read and write of PKCS#7 structure */
-
-static int B64_write_PKCS7(BIO *bio, PKCS7 *p7)
-{
-       BIO *b64;
-       if(!(b64 = BIO_new(BIO_f_base64()))) {
-               PKCS7err(PKCS7_F_B64_WRITE_PKCS7,ERR_R_MALLOC_FAILURE);
-               return 0;
-       }
-       bio = BIO_push(b64, bio);
-       i2d_PKCS7_bio(bio, p7);
-       (void)BIO_flush(bio);
-       bio = BIO_pop(bio);
-       BIO_free(b64);
-       return 1;
-}
-
-static PKCS7 *B64_read_PKCS7(BIO *bio)
-{
-       BIO *b64;
-       PKCS7 *p7;
-       if(!(b64 = BIO_new(BIO_f_base64()))) {
-               PKCS7err(PKCS7_F_B64_READ_PKCS7,ERR_R_MALLOC_FAILURE);
-               return 0;
-       }
-       bio = BIO_push(b64, bio);
-       if(!(p7 = d2i_PKCS7_bio(bio, NULL))) 
-               PKCS7err(PKCS7_F_B64_READ_PKCS7,PKCS7_R_DECODE_ERROR);
-       (void)BIO_flush(bio);
-       bio = BIO_pop(bio);
-       BIO_free(b64);
-       return p7;
-}
-
-/* SMIME sender */
-
-int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
-{
-       char bound[33], c;
-       int i;
-       char *mime_prefix, *mime_eol, *msg_type=NULL;
-       if (flags & PKCS7_NOOLDMIMETYPE)
-               mime_prefix = "application/pkcs7-";
-       else
-               mime_prefix = "application/x-pkcs7-";
-
-       if (flags & PKCS7_CRLFEOL)
-               mime_eol = "\r\n";
-       else
-               mime_eol = "\n";
-       if((flags & PKCS7_DETACHED) && data) {
-       /* We want multipart/signed */
-               /* Generate a random boundary */
-               RAND_pseudo_bytes((unsigned char *)bound, 32);
-               for(i = 0; i < 32; i++) {
-                       c = bound[i] & 0xf;
-                       if(c < 10) c += '0';
-                       else c += 'A' - 10;
-                       bound[i] = c;
-               }
-               bound[32] = 0;
-               BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
-               BIO_printf(bio, "Content-Type: multipart/signed;");
-               BIO_printf(bio, " protocol=\"%ssignature\";", mime_prefix);
-               BIO_printf(bio, " micalg=sha1; boundary=\"----%s\"%s%s",
-                                               bound, mime_eol, mime_eol);
-               BIO_printf(bio, "This is an S/MIME signed message%s%s",
-                                               mime_eol, mime_eol);
-               /* Now write out the first part */
-               BIO_printf(bio, "------%s%s", bound, mime_eol);
-               pkcs7_output_data(bio, data, p7, flags);
-               BIO_printf(bio, "%s------%s%s", mime_eol, bound, mime_eol);
-
-               /* Headers for signature */
-
-               BIO_printf(bio, "Content-Type: %ssignature;", mime_prefix); 
-               BIO_printf(bio, " name=\"smime.p7s\"%s", mime_eol);
-               BIO_printf(bio, "Content-Transfer-Encoding: base64%s",
-                                                               mime_eol);
-               BIO_printf(bio, "Content-Disposition: attachment;");
-               BIO_printf(bio, " filename=\"smime.p7s\"%s%s",
-                                                       mime_eol, mime_eol);
-               B64_write_PKCS7(bio, p7);
-               BIO_printf(bio,"%s------%s--%s%s", mime_eol, bound,
-                                                       mime_eol, mime_eol);
-               return 1;
+PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont)
+       {
+       return (PKCS7 *)SMIME_read_ASN1(bio, bcont, ASN1_ITEM_rptr(PKCS7));
        }
 
-       /* Determine smime-type header */
-
-       if (PKCS7_type_is_enveloped(p7))
-               msg_type = "enveloped-data";
-       else if (PKCS7_type_is_signed(p7))
-               {
-               /* If we have any signers it is signed-data othewise 
-                * certs-only.
-                */
-               STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
-               sinfos = PKCS7_get_signer_info(p7);
-               if (sk_PKCS7_SIGNER_INFO_num(sinfos) > 0)
-                       msg_type = "signed-data";
-               else
-                       msg_type = "certs-only";
-               }
-       /* MIME headers */
-       BIO_printf(bio, "MIME-Version: 1.0%s", mime_eol);
-       BIO_printf(bio, "Content-Disposition: attachment;");
-       BIO_printf(bio, " filename=\"smime.p7m\"%s", mime_eol);
-       BIO_printf(bio, "Content-Type: %smime;", mime_prefix);
-       if (msg_type)
-               BIO_printf(bio, " smime-type=%s;", msg_type);
-       BIO_printf(bio, " name=\"smime.p7m\"%s", mime_eol);
-       BIO_printf(bio, "Content-Transfer-Encoding: base64%s%s",
-                                               mime_eol, mime_eol);
-       B64_write_PKCS7(bio, p7);
-       BIO_printf(bio, "%s", mime_eol);
-       return 1;
-}
-
-/* Handle output of PKCS#7 data */
+/* Callback for int_smime_write_ASN1 */
 
-
-static int pkcs7_output_data(BIO *out, BIO *data, PKCS7 *p7, int flags)
+static int pk7_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
+                                       const ASN1_ITEM *it)
        {
+       PKCS7 *p7 = (PKCS7 *)val;
        BIO *tmpbio, *p7bio;
+       int r = 0;
 
-       if (!(flags & PKCS7_STREAM))
+       if (!(flags & SMIME_DETACHED))
                {
                SMIME_crlf_copy(data, out, flags);
                return 1;
                }
 
-       /* Partial sign operation */
+       /* Let PKCS7 code prepend any needed BIOs */
 
-       /* Initialize sign operation */
        p7bio = PKCS7_dataInit(p7, out);
 
-       /* Copy data across, computing digests etc */
+       if (!p7bio)
+               return 0;
+
+       /* Copy data across, passing through filter BIOs for processing */
        SMIME_crlf_copy(data, p7bio, flags);
 
-       /* Must be detached */
-       PKCS7_set_detached(p7, 1);
+       /* Finalize structure */
+       if (PKCS7_dataFinal(p7, p7bio) <= 0)
+               goto err;
+
+       r = 1;
 
-       /* Finalize signatures */
-       PKCS7_dataFinal(p7, p7bio);
+       err:
 
        /* Now remove any digests prepended to the BIO */
 
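Review bot: Both `SMIME_crlf_copy` calls in the new `pk7_output_data` discard their result, and the non-detached branch then returns 1 unconditionally, so a copy that failed part-way would be reported as success. In the streaming branch `PKCS7_dataFinal` would then finalize over whatever content actually reached `p7bio`, which for a signing operation means a structure computed over truncated data. Assuming SMIME_crlf_copy signals failure with a zero return (its declaration is not in this hunk), I would propagate it with `return SMIME_crlf_copy(data, out, flags);` in the first branch and `if (!SMIME_crlf_copy(data, p7bio, flags)) goto err;` before the finalize step. The cleanup after the `err:` label continues outside this hunk.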
@@ -269,454 +112,17 @@ static int pkcs7_output_data(BIO *out, BIO *data, PKCS7 *p7, int flags)
 
        }
 
-/* SMIME reader: handle multipart/signed and opaque signing.
- * in multipart case the content is placed in a memory BIO
- * pointed to by "bcont". In opaque this is set to NULL
- */
-
-PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont)
-{
-       BIO *p7in;
-       STACK_OF(MIME_HEADER) *headers = NULL;
-       STACK_OF(BIO) *parts = NULL;
-       MIME_HEADER *hdr;
-       MIME_PARAM *prm;
-       PKCS7 *p7;
-       int ret;
-
-       if(bcont) *bcont = NULL;
-
-       if (!(headers = mime_parse_hdr(bio))) {
-               PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_PARSE_ERROR);
-               return NULL;
-       }
-
-       if(!(hdr = mime_hdr_find(headers, "content-type")) || !hdr->value) {
-               sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-               PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_CONTENT_TYPE);
-               return NULL;
-       }
-
-       /* Handle multipart/signed */
-
-       if(!strcmp(hdr->value, "multipart/signed")) {
-               /* Split into two parts */
-               prm = mime_param_find(hdr, "boundary");
-               if(!prm || !prm->param_value) {
-                       sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BOUNDARY);
-                       return NULL;
-               }
-               ret = multi_split(bio, prm->param_value, &parts);
-               sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-               if(!ret || (sk_BIO_num(parts) != 2) ) {
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_MULTIPART_BODY_FAILURE);
-                       sk_BIO_pop_free(parts, BIO_vfree);
-                       return NULL;
-               }
-
-               /* Parse the signature piece */
-               p7in = sk_BIO_value(parts, 1);
-
-               if (!(headers = mime_parse_hdr(p7in))) {
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_MIME_SIG_PARSE_ERROR);
-                       sk_BIO_pop_free(parts, BIO_vfree);
-                       return NULL;
-               }
-
-               /* Get content type */
-
-               if(!(hdr = mime_hdr_find(headers, "content-type")) ||
-                                                                !hdr->value) {
-                       sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_NO_SIG_CONTENT_TYPE);
-                       return NULL;
-               }
-
-               if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
-                       strcmp(hdr->value, "application/pkcs7-signature")) {
-                       sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE);
-                       ERR_add_error_data(2, "type: ", hdr->value);
-                       sk_BIO_pop_free(parts, BIO_vfree);
-                       return NULL;
-               }
-               sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-               /* Read in PKCS#7 */
-               if(!(p7 = B64_read_PKCS7(p7in))) {
-                       PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_PKCS7_SIG_PARSE_ERROR);
-                       sk_BIO_pop_free(parts, BIO_vfree);
-                       return NULL;
-               }
-
-               if(bcont) {
-                       *bcont = sk_BIO_value(parts, 0);
-                       BIO_free(p7in);
-                       sk_BIO_free(parts);
-               } else sk_BIO_pop_free(parts, BIO_vfree);
-               return p7;
-       }
-               
-       /* OK, if not multipart/signed try opaque signature */
-
-       if (strcmp (hdr->value, "application/x-pkcs7-mime") &&
-           strcmp (hdr->value, "application/pkcs7-mime")) {
-               PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_INVALID_MIME_TYPE);
-               ERR_add_error_data(2, "type: ", hdr->value);
-               sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-               return NULL;
-       }
-
-       sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
-       
-       if(!(p7 = B64_read_PKCS7(bio))) {
-               PKCS7err(PKCS7_F_SMIME_READ_PKCS7, PKCS7_R_PKCS7_PARSE_ERROR);
-               return NULL;
-       }
-       return p7;
-
-}
-
-/* Split a multipart/XXX message body into component parts: result is
- * canonical parts in a STACK of bios
- */
-
-static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret)
-{
-       char linebuf[MAX_SMLEN];
-       int len, blen;
-       int eol = 0, next_eol = 0;
-       BIO *bpart = NULL;
-       STACK_OF(BIO) *parts;
-       char state, part, first;
-
-       blen = strlen(bound);
-       part = 0;
-       state = 0;
-       first = 1;
-       parts = sk_BIO_new_null();
-       *ret = parts;
-       while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
-               state = mime_bound_check(linebuf, len, bound, blen);
-               if(state == 1) {
-                       first = 1;
-                       part++;
-               } else if(state == 2) {
-                       sk_BIO_push(parts, bpart);
-                       return 1;
-               } else if(part) {
-                       /* Strip CR+LF from linebuf */
-                       next_eol = strip_eol(linebuf, &len);
-                       if(first) {
-                               first = 0;
-                               if(bpart) sk_BIO_push(parts, bpart);
-                               bpart = BIO_new(BIO_s_mem());
-                               BIO_set_mem_eof_return(bpart, 0);
-                       } else if (eol)
-                               BIO_write(bpart, "\r\n", 2);
-                       eol = next_eol;
-                       if (len)
-                               BIO_write(bpart, linebuf, len);
-               }
-       }
-       return 0;
-}
-
-/* This is the big one: parse MIME header lines up to message body */
-
-#define MIME_INVALID   0
-#define MIME_START     1
-#define MIME_TYPE      2
-#define MIME_NAME      3
-#define MIME_VALUE     4
-#define MIME_QUOTE     5
-#define MIME_COMMENT   6
-
-
-static STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio)
-{
-       char *p, *q, c;
-       char *ntmp;
-       char linebuf[MAX_SMLEN];
-       MIME_HEADER *mhdr = NULL;
-       STACK_OF(MIME_HEADER) *headers;
-       int len, state, save_state = 0;
-
-       headers = sk_MIME_HEADER_new(mime_hdr_cmp);
-       while ((len = BIO_gets(bio, linebuf, MAX_SMLEN)) > 0) {
-       /* If whitespace at line start then continuation line */
-       if(mhdr && isspace((unsigned char)linebuf[0])) state = MIME_NAME;
-       else state = MIME_START;
-       ntmp = NULL;
-       /* Go through all characters */
-       for(p = linebuf, q = linebuf; (c = *p) && (c!='\r') && (c!='\n'); p++) {
-
-       /* State machine to handle MIME headers
-        * if this looks horrible that's because it *is*
-         */
-
-               switch(state) {
-                       case MIME_START:
-                       if(c == ':') {
-                               state = MIME_TYPE;
-                               *p = 0;
-                               ntmp = strip_ends(q);
-                               q = p + 1;
-                       }
-                       break;
-
-                       case MIME_TYPE:
-                       if(c == ';') {
-                               mime_debug("Found End Value\n");
-                               *p = 0;
-                               mhdr = mime_hdr_new(ntmp, strip_ends(q));
-                               sk_MIME_HEADER_push(headers, mhdr);
-                               ntmp = NULL;
-                               q = p + 1;
-                               state = MIME_NAME;
-                       } else if(c == '(') {
-                               save_state = state;
-                               state = MIME_COMMENT;
-                       }
-                       break;
-
-                       case MIME_COMMENT:
-                       if(c == ')') {
-                               state = save_state;
-                       }
-                       break;
-
-                       case MIME_NAME:
-                       if(c == '=') {
-                               state = MIME_VALUE;
-                               *p = 0;
-                               ntmp = strip_ends(q);
-                               q = p + 1;
-                       }
-                       break ;
-
-                       case MIME_VALUE:
-                       if(c == ';') {
-                               state = MIME_NAME;
-                               *p = 0;
-                               mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
-                               ntmp = NULL;
-                               q = p + 1;
-                       } else if (c == '"') {
-                               mime_debug("Found Quote\n");
-                               state = MIME_QUOTE;
-                       } else if(c == '(') {
-                               save_state = state;
-                               state = MIME_COMMENT;
-                       }
-                       break;
-
-                       case MIME_QUOTE:
-                       if(c == '"') {
-                               mime_debug("Found Match Quote\n");
-                               state = MIME_VALUE;
-                       }
-                       break;
-               }
-       }
-
-       if(state == MIME_TYPE) {
-               mhdr = mime_hdr_new(ntmp, strip_ends(q));
-               sk_MIME_HEADER_push(headers, mhdr);
-       } else if(state == MIME_VALUE)
-                        mime_hdr_addparam(mhdr, ntmp, strip_ends(q));
-       if(p == linebuf) break; /* Blank line means end of headers */
-}
-
-return headers;
-
-}
-
-static char *strip_ends(char *name)
-{
-       return strip_end(strip_start(name));
-}
-
-/* Strip a parameter of whitespace from start of param */
-static char *strip_start(char *name)
-{
-       char *p, c;
-       /* Look for first non white space or quote */
-       for(p = name; (c = *p) ;p++) {
-               if(c == '"') {
-                       /* Next char is start of string if non null */
-                       if(p[1]) return p + 1;
-                       /* Else null string */
-                       return NULL;
-               }
-               if(!isspace((unsigned char)c)) return p;
-       }
-       return NULL;
-}
-
-/* As above but strip from end of string : maybe should handle brackets? */
-static char *strip_end(char *name)
-{
-       char *p, c;
-       if(!name) return NULL;
-       /* Look for first non white space or quote */
-       for(p = name + strlen(name) - 1; p >= name ;p--) {
-               c = *p;
-               if(c == '"') {
-                       if(p - 1 == name) return NULL;
-                       *p = 0;
-                       return name;
-               }
-               if(isspace((unsigned char)c)) *p = 0;   
-               else return name;
-       }
-       return NULL;
-}
-
-static MIME_HEADER *mime_hdr_new(char *name, char *value)
-{
-       MIME_HEADER *mhdr;
-       char *tmpname, *tmpval, *p;
-       int c;
-       if(name) {
-               if(!(tmpname = BUF_strdup(name))) return NULL;
-               for(p = tmpname ; *p; p++) {
-                       c = *p;
-                       if(isupper(c)) {
-                               c = tolower(c);
-                               *p = c;
-                       }
-               }
-       } else tmpname = NULL;
-       if(value) {
-               if(!(tmpval = BUF_strdup(value))) return NULL;
-               for(p = tmpval ; *p; p++) {
-                       c = *p;
-                       if(isupper(c)) {
-                               c = tolower(c);
-                               *p = c;
-                       }
-               }
-       } else tmpval = NULL;
-       mhdr = (MIME_HEADER *) OPENSSL_malloc(sizeof(MIME_HEADER));
-       if(!mhdr) return NULL;
-       mhdr->name = tmpname;
-       mhdr->value = tmpval;
-       if(!(mhdr->params = sk_MIME_PARAM_new(mime_param_cmp))) return NULL;
-       return mhdr;
-}
-               
-static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
-{
-       char *tmpname, *tmpval, *p;
-       int c;
-       MIME_PARAM *mparam;
-       if(name) {
-               tmpname = BUF_strdup(name);
-               if(!tmpname) return 0;
-               for(p = tmpname ; *p; p++) {
-                       c = *p;
-                       if(isupper(c)) {
-                               c = tolower(c);
-                               *p = c;
-                       }
-               }
-       } else tmpname = NULL;
-       if(value) {
-               tmpval = BUF_strdup(value);
-               if(!tmpval) return 0;
-       } else tmpval = NULL;
-       /* Parameter values are case sensitive so leave as is */
-       mparam = (MIME_PARAM *) OPENSSL_malloc(sizeof(MIME_PARAM));
-       if(!mparam) return 0;
-       mparam->param_name = tmpname;
-       mparam->param_value = tmpval;
-       sk_MIME_PARAM_push(mhdr->params, mparam);
-       return 1;
-}
-
-static int mime_hdr_cmp(const MIME_HEADER * const *a,
-                       const MIME_HEADER * const *b)
-{
-       return(strcmp((*a)->name, (*b)->name));
-}
-
-static int mime_param_cmp(const MIME_PARAM * const *a,
-                       const MIME_PARAM * const *b)
-{
-       return(strcmp((*a)->param_name, (*b)->param_name));
-}
-
-/* Find a header with a given name (if possible) */
-
-static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name)
-{
-       MIME_HEADER htmp;
-       int idx;
-       htmp.name = name;
-       idx = sk_MIME_HEADER_find(hdrs, &htmp);
-       if(idx < 0) return NULL;
-       return sk_MIME_HEADER_value(hdrs, idx);
-}
-
-static MIME_PARAM *mime_param_find(MIME_HEADER *hdr, char *name)
-{
-       MIME_PARAM param;
-       int idx;
-       param.param_name = name;
-       idx = sk_MIME_PARAM_find(hdr->params, &param);
-       if(idx < 0) return NULL;
-       return sk_MIME_PARAM_value(hdr->params, idx);
-}
-
-static void mime_hdr_free(MIME_HEADER *hdr)
-{
-       if(hdr->name) OPENSSL_free(hdr->name);
-       if(hdr->value) OPENSSL_free(hdr->value);
-       if(hdr->params) sk_MIME_PARAM_pop_free(hdr->params, mime_param_free);
-       OPENSSL_free(hdr);
-}
-
-static void mime_param_free(MIME_PARAM *param)
-{
-       if(param->param_name) OPENSSL_free(param->param_name);
-       if(param->param_value) OPENSSL_free(param->param_value);
-       OPENSSL_free(param);
-}
-
-/* Check for a multipart boundary. Returns:
- * 0 : no boundary
- * 1 : part boundary
- * 2 : final boundary
- */
-static int mime_bound_check(char *line, int linelen, char *bound, int blen)
-{
-       if(linelen == -1) linelen = strlen(line);
-       if(blen == -1) blen = strlen(bound);
-       /* Quickly eliminate if line length too short */
-       if(blen + 2 > linelen) return 0;
-       /* Check for part boundary */
-       if(!strncmp(line, "--", 2) && !strncmp(line + 2, bound, blen)) {
-               if(!strncmp(line + blen + 2, "--", 2)) return 2;
-               else return 1;
-       }
-       return 0;
-}
-
-static int strip_eol(char *linebuf, int *plen)
+int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
        {
-       int len = *plen;
-       char *p, c;
-       int is_eol = 0;
-       p = linebuf + len - 1;
-       for (p = linebuf + len - 1; len > 0; len--, p--)
-               {
-               c = *p;
-               if (c == '\n')
-                       is_eol = 1;
-               else if (c != '\r')
-                       break;
-               }
-       *plen = len;
-       return is_eol;
+       STACK_OF(X509_ALGOR) *mdalgs;
+       int ctype_nid = OBJ_obj2nid(p7->type);
+       if (ctype_nid == NID_pkcs7_signed)
+               mdalgs = p7->d.sign->md_algs;
+       else
+               mdalgs = NULL;
+
+       return int_smime_write_ASN1(bio, (ASN1_VALUE *)p7, data, flags,
+                                       ctype_nid, NID_undef, mdalgs,
+                                       pk7_output_data,
+                                       ASN1_ITEM_rptr(PKCS7)); 
        }
index 5cc1852..6c89f06 100644 (file)
@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
 
        return ret;
        }
+
+int
+pqueue_size(pqueue_s *pq)
+{
+       pitem *item = pq->items;
+       int count = 0;
+       
+       while(item != NULL)
+       {
+               count++;
+               item = item->next;
+       }
+       return count;
+}
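Review bot: pqueue_size dereferences `pq` without a NULL check and walks the whole list on every call, and neither property is documented. A header comment such as `/* Returns the number of items in pq; O(n) walk, pq must not be NULL. */` would make the contract explicit. The column-0 braces also differ from the indented-brace style of the context lines just above, so matching that style would keep the file consistent.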
index 02386d1..16c4072 100644 (file)
@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 void   pqueue_print(pqueue pq);
+int    pqueue_size(pqueue pq);
 
 #endif /* ! HEADER_PQUEUE_H */
index d108353..84276d7 100644 (file)
@@ -117,6 +117,15 @@ int RAND_load_file(const char *file, long bytes)
 
        if (file == NULL) return(0);
 
+#ifdef PURIFY
+       /* struct stat can have padding and unused fields that may not be
+        * initialized in the call to stat(). We need to clear the entire
+        * structure before calling RAND_add() to avoid complaints from
+        * applications such as Valgrind.
+        */
+       memset(&sb, 0, sizeof(sb));
+#endif
+
        if (stat(file,&sb) < 0) return(0);
        RAND_add(&sb,sizeof(sb),0.0);
        if (bytes == 0) return(ret);
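Review bot: The memset before stat() is compiled only under PURIFY, so default builds still hand whatever padding stat() left untouched to `RAND_add(&sb,sizeof(sb),0.0)`. That call credits 0.0 entropy, so clearing `sb` unconditionally (dropping the `#ifdef PURIFY` / `#endif` pair) would not change the entropy estimate and would remove the build-dependent behaviour. If the uninitialised bytes are meant as extra pool input, the comment should say so. RAND_load_file continues outside the hunk.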
@@ -127,8 +136,8 @@ int RAND_load_file(const char *file, long bytes)
        in=fopen(file,"rb");
 #endif
        if (in == NULL) goto err;
-#if defined(S_IFBLK) && defined(S_IFCHR)
-       if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
+#if defined(S_ISBLK) && defined(S_ISCHR)
+       if (S_ISBLK(sb.st_mode) || S_ISCHR(sb.st_mode)) {
          /* this file is a device. we don't want read an infinite number
           * of bytes from a random device, nor do we want to use buffered
           * I/O because we will waste system entropy. 
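Review bot: The device test uses `sb` from the earlier stat() by path, while the stream comes from a separate `fopen(file,"rb")`, so the object tested and the object read can differ if the path is replaced in between. Where the platform provides it, `fstat(fileno(in), &sb)` after the open would tie the S_ISBLK/S_ISCHR decision to the file actually being read. The check in RAND_write_file (next hunk) is fed by the same stat()-by-path pattern; its open is outside the visible lines. The comment's "we don't want read" should be `we don't want to read`.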
@@ -174,8 +183,8 @@ int RAND_write_file(const char *file)
        
        i=stat(file,&sb);
        if (i != -1) { 
-#if defined(S_IFBLK) && defined(S_IFCHR)
-         if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
+#if defined(S_ISBLK) && defined(S_ISCHR)
+         if (S_ISBLK(sb.st_mode) || S_ISCHR(sb.st_mode)) {
            /* this file is a device. we don't write back to it. 
             * we "succeed" on the assumption this is some sort 
             * of random device. Otherwise attempting to write to 
index 383a704..2f21ddb 100644 (file)
@@ -207,8 +207,17 @@ RSA *RSA_new_method(ENGINE *engine)
        ret->blinding=NULL;
        ret->mt_blinding=NULL;
        ret->bignum_data=NULL;
-       ret->flags=ret->meth->flags;
-       CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
+       ret->flags=ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
+       if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data))
+               {
+#ifndef OPENSSL_NO_ENGINE
+       if (ret->engine)
+               ENGINE_finish(ret->engine);
+#endif
+               OPENSSL_free(ret);
+               return(NULL);
+               }
+
        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
                {
 #ifndef OPENSSL_NO_ENGINE
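Review bot: In the new CRYPTO_new_ex_data failure path, `if (ret->engine)` and `ENGINE_finish(ret->engine);` are indented one level shallower than the `OPENSSL_free(ret);` that follows, so the block reads as if it sat outside the braces. Indenting them to the body level would fix that. The mask in `ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW` also has no comment; a line such as `/* never inherit NON_FIPS_ALLOW from the method; it must be set per key */` would record the intent, if that is indeed the reason.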
index 4d30c9d..546ae5f 100644 (file)
@@ -52,13 +52,6 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
                return 0;
                }
 
-       dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
-       if (dbmask == NULL)
-               {
-               RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
-               return 0;
-               }
-
        to[0] = 0;
        seed = to + 1;
        db = to + SHA_DIGEST_LENGTH + 1;
@@ -76,6 +69,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
           20);
 #endif
 
+       dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
+       if (dbmask == NULL)
+               {
+               RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
+
        MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH);
        for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
                db[i] ^= dbmask[i];
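Review bot: Nothing at the new allocation site says why `dbmask` is allocated this late, so a later cleanup could move it back up. The previous hunk removes the same allocation from before the seed setup. Presumably that stops an early return in the lines between (not visible here) from leaking the buffer. A one-line comment such as `/* allocate after the last early return so it cannot leak */` would record that once confirmed.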
index 9b993ac..2bda491 100644 (file)
@@ -217,7 +217,7 @@ int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
                                ERR_R_MALLOC_FAILURE);
                        goto err;
                        }
-               if (!RAND_bytes(salt, sLen))
+               if (RAND_bytes(salt, sLen) <= 0)
                        goto err;
                }
        maskedDBLen = emLen - hLen - 1;
index 5488c06..743dfd7 100644 (file)
@@ -137,7 +137,12 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                i2d_X509_SIG(&sig,&p);
                s=tmps;
        }
+#ifdef OPENSSL_FIPS
+       /* Bypass algorithm blocking: this is allowed if we get this far */
+       i=rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+#else
        i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+#endif
        if (i <= 0)
                ret=0;
        else
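Review bot: The FIPS branch calls `rsa->meth->rsa_priv_enc` directly, so whatever RSA_private_encrypt() checks before dispatching is skipped, and the comment "this is allowed if we get this far" does not name the earlier check that makes that safe. Naming that guard in the comment (presumably a FIPS-mode test earlier in RSA_sign, outside this hunk) would let a reader verify the bypass. It is also worth confirming that `rsa->meth->rsa_priv_enc` cannot be NULL for any method that reaches this line, since the direct call has no fallback. The same applies to the `rsa->meth->rsa_pub_dec` call added to RSA_verify in the next hunk.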
@@ -190,8 +195,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
                return 0;
                }
-#endif
+       /* Bypass algorithm blocking: this is allowed */
+       i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+#else
        i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+#endif
 
        if (i <= 0) goto err;
 
index f5ed468..9e91bca 100644 (file)
@@ -544,4 +544,13 @@ static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num
 
 #endif /* SHA512_ASM */
 
+#else /* OPENSSL_NO_SHA512 */
+
+/* Sensitive compilers ("Compaq C V6.4-005 on OpenVMS VAX V7.3", for
+ * example) dislike a statement-free file, complaining:
+ * "%CC-W-EMPTYFILE, Source file does not contain any declarations."
+ */
+
+int sha512_dummy();
+
 #endif /* OPENSSL_NO_SHA512 */
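Review bot: `int sha512_dummy();` declares a function with an unspecified parameter list; `int sha512_dummy(void);` is the prototype form and avoids old-style-declaration warnings under strict compiler settings. The declaration exists only to keep the translation unit non-empty, so the change has no effect on callers.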
index 5e482a2..78cc485 100644 (file)
@@ -678,28 +678,6 @@ STACK_OF(type) \
 #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
 
-#define sk_EVP_PKEY_ASN1_METHOD_new(st) SKM_sk_new(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_new_null() SKM_sk_new_null(EVP_PKEY_ASN1_METHOD)
-#define sk_EVP_PKEY_ASN1_METHOD_free(st) SKM_sk_free(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_num(st) SKM_sk_num(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_value(st, i) SKM_sk_value(EVP_PKEY_ASN1_METHOD, (st), (i))
-#define sk_EVP_PKEY_ASN1_METHOD_set(st, i, val) SKM_sk_set(EVP_PKEY_ASN1_METHOD, (st), (i), (val))
-#define sk_EVP_PKEY_ASN1_METHOD_zero(st) SKM_sk_zero(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_push(st, val) SKM_sk_push(EVP_PKEY_ASN1_METHOD, (st), (val))
-#define sk_EVP_PKEY_ASN1_METHOD_unshift(st, val) SKM_sk_unshift(EVP_PKEY_ASN1_METHOD, (st), (val))
-#define sk_EVP_PKEY_ASN1_METHOD_find(st, val) SKM_sk_find(EVP_PKEY_ASN1_METHOD, (st), (val))
-#define sk_EVP_PKEY_ASN1_METHOD_find_ex(st, val) SKM_sk_find_ex(EVP_PKEY_ASN1_METHOD, (st), (val))
-#define sk_EVP_PKEY_ASN1_METHOD_delete(st, i) SKM_sk_delete(EVP_PKEY_ASN1_METHOD, (st), (i))
-#define sk_EVP_PKEY_ASN1_METHOD_delete_ptr(st, ptr) SKM_sk_delete_ptr(EVP_PKEY_ASN1_METHOD, (st), (ptr))
-#define sk_EVP_PKEY_ASN1_METHOD_insert(st, val, i) SKM_sk_insert(EVP_PKEY_ASN1_METHOD, (st), (val), (i))
-#define sk_EVP_PKEY_ASN1_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PKEY_ASN1_METHOD, (st), (cmp))
-#define sk_EVP_PKEY_ASN1_METHOD_dup(st) SKM_sk_dup(EVP_PKEY_ASN1_METHOD, st)
-#define sk_EVP_PKEY_ASN1_METHOD_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY_ASN1_METHOD, (st), (free_func))
-#define sk_EVP_PKEY_ASN1_METHOD_shift(st) SKM_sk_shift(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_pop(st) SKM_sk_pop(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_sort(st) SKM_sk_sort(EVP_PKEY_ASN1_METHOD, (st))
-#define sk_EVP_PKEY_ASN1_METHOD_is_sorted(st) SKM_sk_is_sorted(EVP_PKEY_ASN1_METHOD, (st))
-
 #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
 #define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st))
@@ -1008,50 +986,6 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
 #define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 
-#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
-#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
-#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
-#define sk_MIME_HEADER_num(st) SKM_sk_num(MIME_HEADER, (st))
-#define sk_MIME_HEADER_value(st, i) SKM_sk_value(MIME_HEADER, (st), (i))
-#define sk_MIME_HEADER_set(st, i, val) SKM_sk_set(MIME_HEADER, (st), (i), (val))
-#define sk_MIME_HEADER_zero(st) SKM_sk_zero(MIME_HEADER, (st))
-#define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
-#define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
-#define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
-#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
-#define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
-#define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
-#define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
-#define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
-#define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
-#define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
-#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
-#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
-#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
-#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
-
-#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
-#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
-#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
-#define sk_MIME_PARAM_num(st) SKM_sk_num(MIME_PARAM, (st))
-#define sk_MIME_PARAM_value(st, i) SKM_sk_value(MIME_PARAM, (st), (i))
-#define sk_MIME_PARAM_set(st, i, val) SKM_sk_set(MIME_PARAM, (st), (i), (val))
-#define sk_MIME_PARAM_zero(st) SKM_sk_zero(MIME_PARAM, (st))
-#define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
-#define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
-#define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
-#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
-#define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
-#define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
-#define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
-#define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
-#define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
-#define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
-#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
-#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
-#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
-#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
-
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
 #define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
index 8728e61..0114093 100644 (file)
 /* Hacks to solve the problem with linkers incapable of handling very long
    symbol names.  In the case of VMS, the limit is 31 characters on VMS for
    VAX. */
+/* Note that this affects util/libeay.num and util/ssleay.num...  you may
+   change those manually, but that's not recommended, as those files are
+   controlled centrally and updated on Unix, and the central definition
+   may disagree with yours, which in turn may come with shareable library
+   incompatibilities. */
 #ifdef OPENSSL_SYS_VMS
 
 /* Hack a long name in crypto/cryptlib.c */
 #define X509_policy_node_get0_qualifiers       X509_pcy_node_get0_qualifiers
 #undef X509_STORE_CTX_get_explicit_policy
 #define X509_STORE_CTX_get_explicit_policy     X509_STORE_CTX_get_expl_policy
+#undef X509_STORE_CTX_get0_current_issuer
+#define X509_STORE_CTX_get0_current_issuer     X509_STORE_CTX_get0_cur_issuer
 
 /* Hack some long CRYPTO names */
 #undef CRYPTO_set_dynlock_destroy_callback
 #undef SSL_COMP_get_compression_methods
 #define SSL_COMP_get_compression_methods       SSL_COMP_get_compress_methods
 
+#undef ssl_add_clienthello_renegotiate_ext
+#define ssl_add_clienthello_renegotiate_ext    ssl_add_clienthello_reneg_ext
+#undef ssl_add_serverhello_renegotiate_ext
+#define ssl_add_serverhello_renegotiate_ext    ssl_add_serverhello_reneg_ext
+#undef ssl_parse_clienthello_renegotiate_ext
+#define ssl_parse_clienthello_renegotiate_ext  ssl_parse_clienthello_reneg_ext
+#undef ssl_parse_serverhello_renegotiate_ext
+#define ssl_parse_serverhello_renegotiate_ext  ssl_parse_serverhello_reneg_ext
+
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
 #define ENGINE_get_default_BN_mod_exp_crt      ENGINE_get_def_BN_mod_exp_crt
 #undef cms_SignerIdentifier_get0_signer_id
 #define cms_SignerIdentifier_get0_signer_id    cms_SignerId_get0_signer_id
 
+/* Hack some long DTLS1 names */
+#undef dtls1_retransmit_buffered_messages
+#define dtls1_retransmit_buffered_messages     dtls1_retransmit_buffered_msgs
+
 #endif /* defined OPENSSL_SYS_VMS */
 
 
index ef930bf..06270f0 100644 (file)
@@ -297,7 +297,7 @@ static int is_a_tty;
 
 /* Declare static functions */
 #if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
-static void read_till_nl(FILE *);
+static int read_till_nl(FILE *);
 static void recsig(int);
 static void pushsig(void);
 static void popsig(void);
@@ -390,14 +390,16 @@ static int read_string(UI *ui, UI_STRING *uis)
 
 #if !defined(OPENSSL_SYS_WIN16) && !defined(OPENSSL_SYS_WINCE)
 /* Internal functions to read a string without echoing */
-static void read_till_nl(FILE *in)
+static int read_till_nl(FILE *in)
        {
 #define SIZE 4
        char buf[SIZE+1];
 
        do      {
-               fgets(buf,SIZE,in);
+               if (!fgets(buf,SIZE,in))
+                       return 0;
                } while (strchr(buf,'\n') == NULL);
+       return 1;
        }
 
 static volatile sig_atomic_t intr_signal;
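Review bot: read_till_nl now returns a status but has no comment stating what 1 and 0 mean; `/* Returns 1 once a newline has been consumed, 0 if fgets() fails or reaches end of input first. */` above the definition would cover it. At the call site in the next hunk (read_string_inner), the new `if (!read_till_nl(tty_in))` hangs off a bare `else` and is followed by another `if` at the same depth, which is easy to misread. Bracing the `else` body would make the nesting explicit.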
@@ -445,7 +447,8 @@ static int read_string_inner(UI *ui, UI_STRING *uis, int echo, int strip_nl)
                        *p='\0';
                }
        else
-               read_till_nl(tty_in);
+               if (!read_till_nl(tty_in))
+                       goto error;
        if (UI_set_result(ui, uis, result) >= 0)
                ok=1;
 
index 341e0ba..b3acd80 100644 (file)
@@ -360,11 +360,11 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 
                /* we have added it to the cache so now pull
                 * it out again */
-               CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
                j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
                if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
                else tmp = NULL;
-               CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
                if (tmp != NULL)
                        {
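Review bot: The switch from `CRYPTO_r_lock` to `CRYPTO_w_lock` around `sk_X509_OBJECT_find` carries no comment explaining why a lookup needs the write lock. Presumably the find may sort the stack in place, which is a write to shared state; a comment such as `/* sk_find may sort the stack, so take the write lock */` would keep it from being reverted as over-strong. `tmp` is still used after the unlock, so the entry's lifetime relies on nothing removing it from the store concurrently. The write lock added around `X509_OBJECT_retrieve_by_subject` in X509_STORE_get_by_subject (x509_lu.c hunk below) has the same undocumented rationale.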
@@ -383,4 +383,3 @@ finish:
        if (b != NULL) BUF_MEM_free(b);
        return(ok);
        }
-
index e71b525..8958e34 100644 (file)
@@ -116,6 +116,7 @@ extern "C" {
 /* Under Win32 these are defined in wincrypt.h */
 #undef X509_NAME
 #undef X509_CERT_PAIR
+#undef X509_EXTENSIONS
 #endif
 
 #define X509_FILETYPE_PEM      1
index cd2cfb6..b486171 100644 (file)
@@ -198,7 +198,13 @@ X509_STORE *X509_STORE_new(void)
        ret->cert_crl = 0;
        ret->cleanup = 0;
 
-       CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
+       if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data))
+               {
+               sk_X509_OBJECT_free(ret->objs);
+               OPENSSL_free(ret);
+               return NULL;
+               }
+
        ret->references=1;
        return ret;
        }
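Review bot: The new failure path frees only `ret->objs` and `ret`, so any other member allocated earlier in X509_STORE_new, above the visible lines, would leak here. If such members exist, they should be released before `OPENSSL_free(ret);`, or this path should share whatever cleanup the function's other failure paths use. The start of the function is outside the hunk, so this needs checking against the full body.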
@@ -286,7 +292,9 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
        X509_OBJECT stmp,*tmp;
        int i,j;
 
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
        tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
        if (tmp == NULL)
                {
@@ -340,7 +348,6 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
 
        X509_OBJECT_up_ref_count(obj);
 
-
        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
                {
                X509_OBJECT_free_contents(obj);
@@ -446,15 +453,15 @@ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 
 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
             X509_NAME *name)
-{
+       {
        int idx;
        idx = X509_OBJECT_idx_by_subject(h, type, name);
        if (idx==-1) return NULL;
        return sk_X509_OBJECT_value(h, idx);
-}
+       }
 
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
-{
+       {
        int idx, i;
        X509_OBJECT *obj;
        idx = sk_X509_OBJECT_find(h, x);
@@ -469,13 +476,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
                        return obj;
                }
        return NULL;
-}
+       }
 
 
 /* Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all 
+ * matching certificates, so we can examine the cache for all
  * matches.
  *
  * Return values are:
@@ -483,13 +490,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
  *  0 certificate not found.
  * -1 some other error.
  */
-
-
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
-{
+       {
        X509_NAME *xn;
        X509_OBJECT obj, *pobj;
-       int i, ok, idx;
+       int i, ok, idx, ret;
        xn=X509_get_issuer_name(x);
        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
        if (ok != X509_LU_X509)
@@ -515,27 +520,34 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
                return 1;
                }
        X509_OBJECT_free_contents(&obj);
-       /* Else find index of first matching cert */
-       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
-       /* This shouldn't normally happen since we already have one match */
-       if (idx == -1) return 0;
 
-       /* Look through all matching certificates for a suitable issuer */
-       for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+       /* Else find index of first cert accepted by 'check_issued' */
+       ret = 0;
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+       if (idx != -1) /* should be true as we've had at least one match */
                {
-               pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
-               /* See if we've ran out of matches */
-               if (pobj->type != X509_LU_X509) return 0;
-               if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
-               if (ctx->check_issued(ctx, x, pobj->data.x509))
+               /* Look through all matching certs for suitable issuer */
+               for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
                        {
-                       *issuer = pobj->data.x509;
-                       X509_OBJECT_up_ref_count(pobj);
-                       return 1;
+                       pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+                       /* See if we've run past the matches */
+                       if (pobj->type != X509_LU_X509)
+                               break;
+                       if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
+                               break;
+                       if (ctx->check_issued(ctx, x, pobj->data.x509))
+                               {
+                               *issuer = pobj->data.x509;
+                               X509_OBJECT_up_ref_count(pobj);
+                               ret = 1;
+                               break;
+                               }
                        }
                }
-       return 0;
-}
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+       return ret;
+       }
 
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
        {
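Review bot: `ctx->check_issued(ctx, x, pobj->data.x509)` is now invoked while CRYPTO_LOCK_X509_STORE is held for writing. The callback is a function pointer on the context, and X509_STORE_get_by_subject now takes the same lock (earlier hunk in this file), so a check_issued implementation that looks anything up in the store would block on itself unless the application's locking callbacks are recursive. Either document the restriction above the loop, e.g. `/* check_issued runs with the store lock held: it must not call back into the store */`, or take a reference on each candidate under the lock and run check_issued after releasing it.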
index 336c40d..b85456e 100644 (file)
@@ -986,7 +986,12 @@ static int internal_verify(X509_STORE_CTX *ctx)
        while (n >= 0)
                {
                ctx->error_depth=n;
-               if (!xs->valid)
+
+               /* Skip signature check for self signed certificates unless
+                * explicitly asked for. It doesn't add any security and
+                * just wastes time.
+                */
+               if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
                        {
                        if ((pkey=X509_get_pubkey(xi)) == NULL)
                                {
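Review bot: The new comment says skipping the self-signature check "doesn't add any security" but leaves out the assumption behind that. Presumably the `xs == xi` certificate is trusted because of where it came from, not because of its own signature. Stating that, e.g. `/* a self-signed cert is trusted by configuration, not by its signature */`, would tell callers that inspect rather than trust certificates to set X509_V_FLAG_CHECK_SS_SIGNATURE. The condition line is also much wider than the surrounding code and could be split after `&&`. internal_verify starts and ends outside the hunk, including the code that sets `xs` and `xi`.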
@@ -996,13 +1001,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        else if (X509_verify(xs,pkey) <= 0)
-                               /* XXX  For the final trusted self-signed cert,
-                                * this is a waste of time.  That check should
-                                * optional so that e.g. 'openssl x509' can be
-                                * used to detect invalid self-signatures, but
-                                * we don't verify again and again in SSL
-                                * handshakes and the like once the cert has
-                                * been declared trusted. */
                                {
                                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
                                ctx->current_cert=xs;
index 76c76e1..86ae35f 100644 (file)
@@ -363,6 +363,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY              0x800
 
+/* Check selfsigned CA signature */
+#define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
+
 #define X509_VP_FLAG_DEFAULT                   0x1
 #define X509_VP_FLAG_OVERWRITE                 0x2
 #define X509_VP_FLAG_RESET_FLAGS               0x4
index 2b06718..01c5541 100644 (file)
@@ -198,8 +198,12 @@ int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,
 int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
                                                const X509_VERIFY_PARAM *from)
        {
+       unsigned long save_flags = to->inh_flags;
+       int ret;
        to->inh_flags |= X509_VP_FLAG_DEFAULT;
-       return X509_VERIFY_PARAM_inherit(to, from);
+       ret = X509_VERIFY_PARAM_inherit(to, from);
+       to->inh_flags = save_flags;
+       return ret;
        }
 
 int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name)
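Review bot: The save and restore of `to->inh_flags` around the inherit call is not explained, and `to` is dereferenced before any NULL check. A comment such as `/* X509_VP_FLAG_DEFAULT applies to this copy only; restore the caller's flags afterwards */` would record why the flag is set temporarily. If a NULL `to` is a possible input, the function's contract should state that it is not accepted.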
index 6c87a7f..89f84bf 100644 (file)
@@ -160,7 +160,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
        tree->auth_policies = NULL;
        tree->user_policies = NULL;
 
-       if (!tree)
+       if (!tree->levels)
                {
                OPENSSL_free(tree);
                return 0;
index 58b2952..69244e4 100644 (file)
@@ -360,6 +360,7 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
                 if (move_p)
                         {
                         X509_NAME_delete_entry(nm, i);
+                       X509_NAME_ENTRY_free(ne);
                         i--;
                         }
                if(!email || !(gen = GENERAL_NAME_new())) {
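Review bot: `ne` is freed inside the `move_p` branch and `email` is tested on the very next line, so by this point `email` must be an independent copy rather than a pointer into `ne`. The assignment of `email` is above the hunk. If it duplicates the entry's data, the free is correct; otherwise any later use of `email` reads freed memory. A short comment at the free, e.g. `/* email was duplicated above; ne is no longer referenced */`, would pin the ordering down once confirmed.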
@@ -577,6 +578,8 @@ static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx)
        if (!ret)
                X509_NAME_free(nm);
        gen->d.dirn = nm;
+
+       X509V3_section_free(ctx, sk);
                
        return ret;
        }
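Review bot: On the context lines just above the added call, a failed conversion frees `nm` and the next statement still stores it with `gen->d.dirn = nm;`, which leaves `gen` holding a dangling pointer that a later free of `gen` could release a second time. The commit adds the section free but leaves this as is; assigning only on success, e.g. `if (ret) gen->d.dirn = nm; else X509_NAME_free(nm);`, would avoid it. The added `X509V3_section_free(ctx, sk);` sits on this exit path only, so any earlier return after `sk` is obtained (outside the hunk) should be checked for the same leak.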
index e426ea9..5c19cf4 100644 (file)
@@ -153,21 +153,21 @@ static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
        OCSP_CRLID *a = in;
        if (a->crlUrl)
                {
-               if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+               if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0) goto err;
                if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
-               if (!BIO_write(bp, "\n", 1)) goto err;
+               if (BIO_write(bp, "\n", 1) <= 0) goto err;
                }
        if (a->crlNum)
                {
-               if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
-               if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
-               if (!BIO_write(bp, "\n", 1)) goto err;
+               if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0) goto err;
+               if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0) goto err;
+               if (BIO_write(bp, "\n", 1) <= 0) goto err;
                }
        if (a->crlTime)
                {
-               if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+               if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0) goto err;
                if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
-               if (!BIO_write(bp, "\n", 1)) goto err;
+               if (BIO_write(bp, "\n", 1) <= 0) goto err;
                }
        return 1;
        err:
@@ -176,7 +176,7 @@ static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
 
 static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
 {
-       if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+       if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
        if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
        return 1;
 }
@@ -184,8 +184,8 @@ static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, in
 
 static int i2r_object(X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
 {
-       if (!BIO_printf(bp, "%*s", ind, "")) return 0;
-       if(!i2a_ASN1_OBJECT(bp, oid)) return 0;
+       if (BIO_printf(bp, "%*s", ind, "") <= 0) return 0;
+       if(i2a_ASN1_OBJECT(bp, oid) <= 0) return 0;
        return 1;
 }
 
index 4391c93..d3049e8 100644 (file)
@@ -50,15 +50,13 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 
 =item B<-salt>
 
-use a salt in the key derivation routines. This option should B<ALWAYS>
-be used unless compatibility with previous versions of OpenSSL or SSLeay
-is required. This option is only present on OpenSSL versions 0.9.5 or
-above.
+use a salt in the key derivation routines. This is the default.
 
 =item B<-nosalt>
 
-don't use a salt in the key derivation routines. This is the default for
-compatibility with previous versions of OpenSSL and SSLeay.
+don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
+used except for test purposes or compatibility with ancient versions of OpenSSL
+and SSLeay.
 
 =item B<-e>
 
index ff2629d..3187577 100644 (file)
@@ -66,6 +66,11 @@ certificate was rejected. However the presence of rejection messages
 does not itself imply that anything is wrong: during the normal
 verify process several rejections may take place.
 
+=item B<-check_ss_sig>
+
+Verify the signature on the self-signed root CA. This is disabled by default
+because it doesn't add any security.
+
 =item B<->
 
 marks the last option. All arguments following this are assumed to be
@@ -166,8 +171,8 @@ the operation was successful.
 
 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
+the issuer certificate of a looked up certificate could not be found. This
+normally means the list of trusted certificates is not complete.
 
 =item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
 
@@ -244,8 +249,8 @@ be found locally.
 
 =item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
 
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
+the issuer certificate could not be found: this occurs if the issuer
+certificate of an untrusted certificate cannot be found.
 
 =item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
 
@@ -321,6 +326,10 @@ the certificates in the file will be recognised.
 Previous versions of OpenSSL assume certificates with matching subject name are identical and
 mishandled them.
 
+Previous versions of this documentation swapped the meaning of the
+B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
+B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
+
 =head1 SEE ALSO
 
 L<x509(1)|x509(1)>
index 1157cff..179132d 100644 (file)
@@ -175,7 +175,7 @@ An IA5String explicitly tagged using APPLICATION tagging:
 
 A BITSTRING with bits 1 and 5 set and all others zero:
 
- FORMAT=BITLIST,BITSTRING:1,5
+ FORMAT:BITLIST,BITSTRING:1,5
 
 A more complex example using a config file to produce a
 SEQUENCE consiting of a BOOL an OID and a UTF8String:
index 130cd7f..98b1368 100644 (file)
@@ -64,9 +64,9 @@ EVP digest routines
 
 The EVP digest routines are a high level interface to message digests.
 
-EVP_MD_CTX_init() initializes digest contet B<ctx>.
+EVP_MD_CTX_init() initializes digest context B<ctx>.
 
-EVP_MD_CTX_create() allocates, initializes and returns a digest contet.
+EVP_MD_CTX_create() allocates, initializes and returns a digest context.
 
 EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest
 B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this
@@ -102,7 +102,7 @@ the passed context B<ctx> does not have to be initialized, and it always
 uses the default digest implementation.
 
 EVP_DigestFinal() is similar to EVP_DigestFinal_ex() except the digest
-contet B<ctx> is automatically cleaned up.
+context B<ctx> is automatically cleaned up.
 
 EVP_MD_CTX_copy() is similar to EVP_MD_CTX_copy_ex() except the destination
 B<out> does not have to be initialized.
index 51344f8..c54cf2a 100644 (file)
@@ -20,24 +20,31 @@ certificate to B<*cert> and any additional certificates to B<*ca>.
 
 =head1 NOTES
 
-The parameters B<pkey> and B<cert> cannot be B<NULL>. B<ca> can be <NULL>
-in which case additional certificates will be discarded. B<*ca> can also
-be a valid STACK in which case additional certificates are appended to
-B<*ca>. If B<*ca> is B<NULL> a new STACK will be allocated.
+The parameters B<pkey> and B<cert> cannot be B<NULL>. B<ca> can be <NULL> in
+which case additional certificates will be discarded. B<*ca> can also be a
+valid STACK in which case additional certificates are appended to B<*ca>. If
+B<*ca> is B<NULL> a new STACK will be allocated.
 
-The B<friendlyName> and B<localKeyID> attributes (if present) on each certificate
-will be stored in the B<alias> and B<keyid> attributes of the B<X509> structure.
+The B<friendlyName> and B<localKeyID> attributes (if present) on each
+certificate will be stored in the B<alias> and B<keyid> attributes of the
+B<X509> structure.
+
+=head1 RETURN VALUES
+
+PKCS12_parse() returns 1 for success and zero if an error occurred.
+
+The error can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>
 
 =head1 BUGS
 
-Only a single private key and corresponding certificate is returned by this function.
-More complex PKCS#12 files with multiple private keys will only return the first
-match.
+Only a single private key and corresponding certificate is returned by this
+function. More complex PKCS#12 files with multiple private keys will only
+return the first match.
 
-Only B<friendlyName> and B<localKeyID> attributes are currently stored in certificates.
-Other attributes are discarded.
+Only B<friendlyName> and B<localKeyID> attributes are currently stored in
+certificates. Other attributes are discarded.
 
-Attributes currently cannot be store in the private key B<EVP_PKEY> structure.
+Attributes currently cannot be stored in the private key B<EVP_PKEY> structure.
 
 =head1 SEE ALSO
 
index 8919146..d39ce90 100644 (file)
@@ -70,24 +70,34 @@ applications.
 
 =head2 The BIGNUM structure
 
- typedef struct bignum_st
+ typedef struct bignum_st BIGNUM;
+
+ struct bignum_st
         {
-        int top;      /* number of words used in d */
-        BN_ULONG *d;  /* pointer to an array containing the integer value */
-        int max;      /* size of the d array */
-        int neg;      /* sign */
-        } BIGNUM;
+        BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
+        int top;        /* Index of last used d +1. */
+        /* The next are internal book keeping for bn_expand. */
+        int dmax;       /* Size of the d array. */
+        int neg;        /* one if the number is negative */
+        int flags;
+        };
+
 
 The integer value is stored in B<d>, a malloc()ed array of words (B<BN_ULONG>),
 least significant word first. A B<BN_ULONG> can be either 16, 32 or 64 bits
 in size, depending on the&