Import OpenSSL-0.9.8i.
authorPeter Avalos <pavalos@dragonflybsd.org>
Sat, 27 Sep 2008 20:51:29 +0000 (20:51 +0000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sat, 27 Sep 2008 20:51:29 +0000 (20:51 +0000)
68 files changed:
crypto/openssl-0.9/CHANGES
crypto/openssl-0.9/FAQ
crypto/openssl-0.9/NEWS
crypto/openssl-0.9/README
crypto/openssl-0.9/apps/dsa.c
crypto/openssl-0.9/apps/openssl.c
crypto/openssl-0.9/apps/pkcs12.c
crypto/openssl-0.9/apps/s_client.c
crypto/openssl-0.9/crypto/asn1/asn_mime.c
crypto/openssl-0.9/crypto/asn1/t_x509.c
crypto/openssl-0.9/crypto/bio/bss_dgram.c
crypto/openssl-0.9/crypto/bn/bn_div.c
crypto/openssl-0.9/crypto/bn/bn_gf2m.c
crypto/openssl-0.9/crypto/bn/bn_nist.c
crypto/openssl-0.9/crypto/cms/cms_smime.c
crypto/openssl-0.9/crypto/cryptlib.h
crypto/openssl-0.9/crypto/crypto.h
crypto/openssl-0.9/crypto/engine/eng_all.c
crypto/openssl-0.9/crypto/engine/eng_cnf.c
crypto/openssl-0.9/crypto/engine/eng_err.c
crypto/openssl-0.9/crypto/engine/eng_int.h
crypto/openssl-0.9/crypto/engine/eng_pkey.c
crypto/openssl-0.9/crypto/engine/engine.h
crypto/openssl-0.9/crypto/err/err.c
crypto/openssl-0.9/crypto/err/err.h
crypto/openssl-0.9/crypto/evp/evp.h
crypto/openssl-0.9/crypto/evp/evp_enc.c
crypto/openssl-0.9/crypto/hmac/hmac.c
crypto/openssl-0.9/crypto/hmac/hmac.h
crypto/openssl-0.9/crypto/md32_common.h
crypto/openssl-0.9/crypto/objects/obj_dat.h
crypto/openssl-0.9/crypto/objects/obj_mac.h
crypto/openssl-0.9/crypto/opensslv.h
crypto/openssl-0.9/crypto/ossl_typ.h
crypto/openssl-0.9/crypto/pkcs12/p12_crt.c
crypto/openssl-0.9/crypto/rsa/rsa.h
crypto/openssl-0.9/crypto/rsa/rsa_eay.c
crypto/openssl-0.9/crypto/rsa/rsa_ssl.c
crypto/openssl-0.9/crypto/stack/safestack.h
crypto/openssl-0.9/crypto/x509/x509_att.c
crypto/openssl-0.9/crypto/x509/x509_vfy.c
crypto/openssl-0.9/crypto/x509v3/pcy_data.c
crypto/openssl-0.9/crypto/x509v3/pcy_tree.c
crypto/openssl-0.9/crypto/x509v3/v3_addr.c
crypto/openssl-0.9/crypto/x509v3/v3_asid.c
crypto/openssl-0.9/crypto/x509v3/v3_purp.c
crypto/openssl-0.9/crypto/x509v3/x509v3.h
crypto/openssl-0.9/engines/e_gmp.c
crypto/openssl-0.9/ssl/d1_clnt.c
crypto/openssl-0.9/ssl/d1_pkt.c
crypto/openssl-0.9/ssl/d1_srvr.c
crypto/openssl-0.9/ssl/dtls1.h
crypto/openssl-0.9/ssl/s23_clnt.c
crypto/openssl-0.9/ssl/s23_srvr.c
crypto/openssl-0.9/ssl/s3_clnt.c
crypto/openssl-0.9/ssl/s3_enc.c
crypto/openssl-0.9/ssl/s3_lib.c
crypto/openssl-0.9/ssl/s3_pkt.c
crypto/openssl-0.9/ssl/s3_srvr.c
crypto/openssl-0.9/ssl/ssl.h
crypto/openssl-0.9/ssl/ssl_asn1.c
crypto/openssl-0.9/ssl/ssl_ciph.c
crypto/openssl-0.9/ssl/ssl_err.c
crypto/openssl-0.9/ssl/ssl_lib.c
crypto/openssl-0.9/ssl/ssl_locl.h
crypto/openssl-0.9/ssl/ssl_sess.c
crypto/openssl-0.9/ssl/t1_enc.c
crypto/openssl-0.9/ssl/t1_lib.c

index 217aa70..72cc168 100644 (file)
@@ -2,6 +2,60 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
+
+  *) Fix a state transitition in s3_srvr.c and d1_srvr.c
+     (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
+     [Nagendra Modadugu]
+
+  *) The fix in 0.9.8c that supposedly got rid of unsafe
+     double-checked locking was incomplete for RSA blinding,
+     addressing just one layer of what turns out to have been
+     doubly unsafe triple-checked locking.
+
+     So now fix this for real by retiring the MONT_HELPER macro
+     in crypto/rsa/rsa_eay.c.
+
+     [Bodo Moeller; problem pointed out by Marius Schilder]
+
+  *) Various precautionary measures:
+
+     - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
+
+     - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
+       (NB: This would require knowledge of the secret session ticket key
+       to exploit, in which case you'd be SOL either way.)
+
+     - Change bn_nist.c so that it will properly handle input BIGNUMs
+       outside the expected range.
+
+     - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
+       builds.
+
+     [Neel Mehta, Bodo Moeller]
+
+  *) Add support for Local Machine Keyset attribute in PKCS#12 files.
+     [Steve Henson]
+
+  *) Fix BN_GF2m_mod_arr() top-bit cleanup code.
+     [Huang Ying]
+
+  *) Expand ENGINE to support engine supplied SSL client certificate functions.
+
+     This work was sponsored by Logica.
+     [Steve Henson]
+
+  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
+     keystores. Support for SSL/TLS client authentication too.
+     Not compiled unless enable-capieng specified to Configure.
+
+     This work was sponsored by Logica.
+     [Steve Henson]
+
+  *) Allow engines to be "soft loaded" - i.e. optionally don't die if
+     the load fails. Useful for distros.
+     [Ben Laurie and the FreeBSD team]
+
  Changes between 0.9.8g and 0.9.8h  [28 May 2008]
 
   *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
index 09f700c..1b14ffe 100644 (file)
@@ -32,6 +32,7 @@ OpenSSL  -  Frequently Asked Questions
 * How do I install a CA certificate into a browser?
 * Why is OpenSSL x509 DN output not conformant to RFC2253?
 * What is a "128 bit certificate"? Can I create one with OpenSSL?
+* Why does OpenSSL set the authority key identifier extension incorrectly?
 * How can I set up a bundle of commercial root CA certificates?
 
 [BUILD] Questions about building and testing OpenSSL
@@ -68,6 +69,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 * I think I've detected a memory leak, is this a bug?
 * Why does Valgrind complain about the use of uninitialized data?
+* Why doesn't a memory BIO work when a file does?
 
 ===============================================================================
 
@@ -76,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8h was released on May 28th, 2008.
+OpenSSL 0.9.8i was released on Sep 15th, 2008.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -403,10 +405,10 @@ You can't generally create such a certificate using OpenSSL but there is no
 need to any more. Nowadays web browsers using unrestricted strong encryption
 are generally available.
 
-When there were tight export restrictions on the export of strong encryption
+When there were tight restrictions on the export of strong encryption
 software from the US only weak encryption algorithms could be freely exported
 (initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation the rules allowed the use of strong encryption but
+inadequate. A relaxation of the rules allowed the use of strong encryption but
 only to an authorised server.
 
 Two slighly different techniques were developed to support this, one used by
@@ -427,6 +429,25 @@ The export laws were later changed to allow almost unrestricted use of strong
 encryption so these certificates are now obsolete.
 
 
+* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
+
+It doesn't: this extension is often the cause of confusion.
+
+Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
+certificate C contains AKID.
+
+The purpose of this extension is to identify the authority certificate B. This
+can be done either by including the subject key identifier of B or its issuer
+name and serial number.
+
+In this latter case because it is identifying certifcate B it must contain the
+issuer name and serial number of B.
+
+It is often wrongly assumed that it should contain the subject name of B. If it
+did this would be redundant information because it would duplicate the issuer
+name of C.
+
+
 * How can I set up a bundle of commercial root CA certificates?
 
 The OpenSSL software is shipped without any root CA certificate as the
@@ -920,5 +941,25 @@ OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
 to get rid of these warnings.
 
 
-===============================================================================
+* Why doesn't a memory BIO work when a file does?
 
+This can occur in several cases for example reading an S/MIME email message.
+The reason is that a memory BIO can do one of two things when all the data
+has been read from it.
+
+The default behaviour is to indicate that no more data is available and that
+the call should be retried, this is to allow the application to fill up the BIO
+again if necessary.
+
+Alternatively it can indicate that no more data is available and that EOF has
+been reached.
+
+If a memory BIO is to behave in the same way as a file this second behaviour
+is needed. This must be done by calling:
+
+   BIO_set_mem_eof_return(bio, 0);
+
+See the manual pages for more details.
+
+
+===============================================================================
index 40ded1a..6488ffa 100644 (file)
@@ -5,8 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+
+      o CryptoAPI ENGINE support.
+      o Various precautionary measures.
+      o Fix for bugs affecting certificate request creation.
+      o Support for local machine keyset attribute in PKCS#12 files.
+
   Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
 
+      o Backport of CMS functionality to 0.9.8.
       o Fixes for bugs introduced with 0.9.8f.
 
   Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
index df02ae0..a2d87d4 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8h
+ OpenSSL 0.9.8i
 
  Copyright (c) 1998-2008 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index 9e10303..7518a2f 100644 (file)
@@ -240,37 +240,27 @@ bad:
                goto end;
        }
 
-       in=BIO_new(BIO_s_file());
        out=BIO_new(BIO_s_file());
-       if ((in == NULL) || (out == NULL))
+       if (out == NULL)
                {
                ERR_print_errors(bio_err);
                goto end;
                }
 
-       if (infile == NULL)
-               BIO_set_fp(in,stdin,BIO_NOCLOSE);
-       else
-               {
-               if (BIO_read_filename(in,infile) <= 0)
-                       {
-                       perror(infile);
-                       goto end;
-                       }
-               }
-
        BIO_printf(bio_err,"read DSA key\n");
-       if      (informat == FORMAT_ASN1) {
-               if(pubin) dsa=d2i_DSA_PUBKEY_bio(in,NULL);
-               else dsa=d2i_DSAPrivateKey_bio(in,NULL);
-       } else if (informat == FORMAT_PEM) {
-               if(pubin) dsa=PEM_read_bio_DSA_PUBKEY(in,NULL, NULL, NULL);
-               else dsa=PEM_read_bio_DSAPrivateKey(in,NULL,NULL,passin);
-       } else
-               {
-               BIO_printf(bio_err,"bad input format specified for key\n");
-               goto end;
-               }
+       {
+               EVP_PKEY        *pkey;
+               if (pubin)
+                       pkey = load_pubkey(bio_err, infile, informat, 1,
+                               passin, e, "Public Key");
+               else
+                       pkey = load_key(bio_err, infile, informat, 1,
+                               passin, e, "Private Key");
+
+               if (pkey != NULL)
+               dsa = pkey == NULL ? NULL : EVP_PKEY_get1_DSA(pkey);
+               EVP_PKEY_free(pkey);
+       }
        if (dsa == NULL)
                {
                BIO_printf(bio_err,"unable to load Key\n");
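Review bot: In the added block the `if (pkey != NULL)` guard and the `pkey == NULL ? NULL : ...` ternary on the next line test the same condition, and the unindented assignment hides that it is the body of the `if`. One of the two should go, for example `if (pkey != NULL) dsa = EVP_PKEY_get1_DSA(pkey);` with the statement indented. As written, a failed load leaves `dsa` at whatever it held before the block, so the `dsa == NULL` check below relies on an initialisation that is outside this hunk. The explicit "bad input format" diagnostic is removed, so format validation now depends entirely on `load_key`/`load_pubkey`.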
index 47aee5b..ec25f99 100644 (file)
@@ -273,9 +273,21 @@ int main(int Argc, char *Argv[])
        i=NCONF_load(config,p,&errline);
        if (i == 0)
                {
-               NCONF_free(config);
-               config = NULL;
-               ERR_clear_error();
+               if (ERR_GET_REASON(ERR_peek_last_error())
+                   == CONF_R_NO_SUCH_FILE)
+                       {
+                       BIO_printf(bio_err,
+                                  "WARNING: can't open config file: %s\n",p);
+                       ERR_clear_error();
+                       NCONF_free(config);
+                       config = NULL;
+                       }
+               else
+                       {
+                       ERR_print_errors(bio_err);
+                       NCONF_free(config);
+                       exit(1);
+                       }
                }
 
        prog=prog_init();
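Review bot: The new test `ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE` compares only the reason code, and reason codes are unique only within one library, so an unrelated error sharing that value could be downgraded to the missing-file warning. Checking the library as well, `ERR_GET_LIB(err) == ERR_LIB_CONF && ERR_GET_REASON(err) == CONF_R_NO_SUCH_FILE`, keeps the fail-closed branch for every other failure. The `exit(1)` path also skips whatever cleanup the rest of `main` performs, which lies outside this hunk; a comment saying that is intentional would help.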
index 7c71b1a..268390e 100644 (file)
@@ -100,6 +100,7 @@ int MAIN(int argc, char **argv)
     char **args;
     char *name = NULL;
     char *csp_name = NULL;
+    int add_lmk = 0;
     PKCS12 *p12 = NULL;
     char pass[50], macpass[50];
     int export_cert = 0;
@@ -224,7 +225,9 @@ int MAIN(int argc, char **argv)
                        args++; 
                        name = *args;
                    } else badarg = 1;
-               } else if (!strcmp (*args, "-CSP")) {
+               } else if (!strcmp (*args, "-LMK"))
+                       add_lmk = 1;
+               else if (!strcmp (*args, "-CSP")) {
                    if (args[1]) {
                        args++; 
                        csp_name = *args;
@@ -338,6 +341,8 @@ int MAIN(int argc, char **argv)
        BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
        BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
        BIO_printf(bio_err,  "              the random number generator\n");
+       BIO_printf(bio_err,  "-CSP name     Microsoft CSP name\n");
+       BIO_printf(bio_err,  "-LMK          Add local machine keyset attribute to private key\n");
        goto end;
     }
 
@@ -562,7 +567,9 @@ int MAIN(int argc, char **argv)
        if (csp_name && key)
                EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
                                MBSTRING_ASC, (unsigned char *)csp_name, -1);
-               
+
+       if (add_lmk && key)
+               EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
 
 #ifdef CRYPTO_MDEBUG
        CRYPTO_pop_info();
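Review bot: The return value of the added `EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1)` call is ignored, as it is for the CSP name just above. If the attribute cannot be added, the tool still writes a PKCS#12 file without the attribute the user requested with `-LMK`, and says nothing. Testing the result, `if (!EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1)) { ERR_print_errors(bio_err); ... }`, and leaving through the function's existing error exit (its label is outside this hunk) would make the failure visible.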
index a4983c1..60a8d13 100644 (file)
@@ -317,7 +317,8 @@ int MAIN(int argc, char **argv)
        int mbuf_len=0;
 #ifndef OPENSSL_NO_ENGINE
        char *engine_id=NULL;
-       ENGINE *e=NULL;
+       char *ssl_client_engine_id=NULL;
+       ENGINE *e=NULL, *ssl_client_engine=NULL;
 #endif
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
        struct timeval tv;
@@ -555,6 +556,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        engine_id = *(++argv);
                        }
+               else if (strcmp(*argv,"-ssl_client_engine") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       ssl_client_engine_id = *(++argv);
+                       }
 #endif
                else if (strcmp(*argv,"-rand") == 0)
                        {
@@ -590,6 +596,16 @@ bad:
 
 #ifndef OPENSSL_NO_ENGINE
         e = setup_engine(bio_err, engine_id, 1);
+       if (ssl_client_engine_id)
+               {
+               ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
+               if (!ssl_client_engine)
+                       {
+                       BIO_printf(bio_err,
+                                       "Error getting client auth engine\n");
+                       goto end;
+                       }
+               }
 #endif
        if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
                {
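Review bot: The reference obtained by `ENGINE_by_id(ssl_client_engine_id)` is released only in the later hunk that calls `SSL_CTX_set_client_cert_engine`. Every `goto end` taken in between, starting with the `app_passwd` failure directly below this block, therefore appears to leave it held unless the `end:` label, which is outside the hunk, frees it. Either free `ssl_client_engine` at `end:` and set it to NULL after the hand-off, or add a comment that the leak is accepted because the process is exiting. The failure branch here also prints only a fixed string; adding `ERR_print_errors(bio_err);`, as the later hunk does, would tell the user why the engine could not be loaded.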
@@ -657,6 +673,20 @@ bad:
                goto end;
                }
 
+#ifndef OPENSSL_NO_ENGINE
+       if (ssl_client_engine)
+               {
+               if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine))
+                       {
+                       BIO_puts(bio_err, "Error setting client auth engine\n");
+                       ERR_print_errors(bio_err);
+                       ENGINE_free(ssl_client_engine);
+                       goto end;
+                       }
+               ENGINE_free(ssl_client_engine);
+               }
+#endif
+
        if (bugs)
                SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
        else
index fe7c4ec..bc80b20 100644 (file)
@@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out)
        sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
        while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
                                                BIO_write(out, iobuf, len);
+       if (len < 0)
+               return 0;
        return 1;
 }
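Review bot: The copy loop still discards the result of `BIO_write(out, iobuf, len)`, so with the new `len < 0` check a read error is reported but a failed or short write still returns 1. Something like `if (BIO_write(out, iobuf, len) != len) return 0;` inside the loop would make both directions fail closed; an output BIO that can legitimately return short writes would need a retry loop instead. SMIME_text starts above the hunk, so whether its earlier exits need the same treatment cannot be seen here.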
 
index eb776b7..ae72b52 100644 (file)
@@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
        d= (v[6]-'0')*10+(v[7]-'0');
        h= (v[8]-'0')*10+(v[9]-'0');
        m=  (v[10]-'0')*10+(v[11]-'0');
-       if (    (v[12] >= '0') && (v[12] <= '9') &&
-               (v[13] >= '0') && (v[13] <= '9'))
+       if (i >= 14 &&
+           (v[12] >= '0') && (v[12] <= '9') &&
+           (v[13] >= '0') && (v[13] <= '9'))
                s=  (v[12]-'0')*10+(v[13]-'0');
 
        if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
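Review bot: The new `i >= 14` guard is what keeps the optional seconds field from being read past the end of a short string, but nothing at the site says so. A comment such as `/* seconds are optional: only look at v[12], v[13] when the value is at least 14 bytes long */` would stop a later cleanup from removing it. The same applies to the `i >=12` guard in the ASN1_UTCTIME_print hunk below, where the spacing should also match (`i >= 12`). Both guards assume `i` still holds the string length at this point; it is assigned above the hunks, so that is worth confirming.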
@@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
        d= (v[4]-'0')*10+(v[5]-'0');
        h= (v[6]-'0')*10+(v[7]-'0');
        m=  (v[8]-'0')*10+(v[9]-'0');
-       if (    (v[10] >= '0') && (v[10] <= '9') &&
-               (v[11] >= '0') && (v[11] <= '9'))
+       if (i >=12 &&
+           (v[10] >= '0') && (v[10] <= '9') &&
+           (v[11] >= '0') && (v[11] <= '9'))
                s=  (v[10]-'0')*10+(v[11]-'0');
 
        if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -501,4 +503,3 @@ err:
        OPENSSL_free(b);
        return(ret);
        }
-
index ea2c3ff..c3da6dc 100644 (file)
@@ -82,7 +82,7 @@ static int dgram_new(BIO *h);
 static int dgram_free(BIO *data);
 static int dgram_clear(BIO *bio);
 
-int BIO_dgram_should_retry(int s);
+static int BIO_dgram_should_retry(int s);
 
 static BIO_METHOD methods_dgramp=
        {
@@ -345,30 +345,90 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 
         memcpy(&(data->peer), to, sizeof(struct sockaddr));
         break;
+#if defined(SO_RCVTIMEO)
        case BIO_CTRL_DGRAM_SET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+               {
+               struct timeval *tv = (struct timeval *)ptr;
+               int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+               if (setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                       (void*)&timeout, sizeof(timeout)) < 0)
+                       { perror("setsockopt"); ret = -1; }
+               }
+#else
                if ( setsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, ptr,
                        sizeof(struct timeval)) < 0)
                        { perror("setsockopt"); ret = -1; }
+#endif
                break;
        case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+               {
+               int timeout, sz = sizeof(timeout);
+               struct timeval *tv = (struct timeval *)ptr;
+               if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
+                       (void*)&timeout, &sz) < 0)
+                       { perror("getsockopt"); ret = -1; }
+               else
+                       {
+                       tv->tv_sec = timeout / 1000;
+                       tv->tv_usec = (timeout % 1000) * 1000;
+                       ret = sizeof(*tv);
+                       }
+               }
+#else
                if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 
                        ptr, (void *)&ret) < 0)
                        { perror("getsockopt"); ret = -1; }
+#endif
                break;
+#endif
+#if defined(SO_SNDTIMEO)
        case BIO_CTRL_DGRAM_SET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+               {
+               struct timeval *tv = (struct timeval *)ptr;
+               int timeout = tv->tv_sec * 1000 + tv->tv_usec/1000;
+               if (setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                       (void*)&timeout, sizeof(timeout)) < 0)
+                       { perror("setsockopt"); ret = -1; }
+               }
+#else
                if ( setsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, ptr,
                        sizeof(struct timeval)) < 0)
                        { perror("setsockopt"); ret = -1; }
+#endif
                break;
        case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
+#ifdef OPENSSL_SYS_WINDOWS
+               {
+               int timeout, sz = sizeof(timeout);
+               struct timeval *tv = (struct timeval *)ptr;
+               if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
+                       (void*)&timeout, &sz) < 0)
+                       { perror("getsockopt"); ret = -1; }
+               else
+                       {
+                       tv->tv_sec = timeout / 1000;
+                       tv->tv_usec = (timeout % 1000) * 1000;
+                       ret = sizeof(*tv);
+                       }
+               }
+#else
                if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 
                        ptr, (void *)&ret) < 0)
                        { perror("getsockopt"); ret = -1; }
+#endif
                break;
+#endif
        case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
                /* fall-through */
        case BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP:
+#ifdef OPENSSL_SYS_WINDOWS
+               if ( data->_errno == WSAETIMEDOUT)
+#else
                if ( data->_errno == EAGAIN)
+#endif
                        {
                        ret = 1;
                        data->_errno = 0;
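Review bot: The non-Windows `BIO_CTRL_DGRAM_GET_RECV_TIMEOUT` and `BIO_CTRL_DGRAM_GET_SEND_TIMEOUT` branches kept by this hunk still pass `(void *)&ret` as the length argument of `getsockopt`, while the new Windows branches use a dedicated `sz` initialised to the buffer size. That argument is value-result, so it should be a correctly typed variable preset to `sizeof(struct timeval)`, with `ret` assigned from it afterwards. `ret` is declared outside the hunk, but as the function's `long` result it is unlikely to hold that size or have the width the call expects. In the new Windows SET branches, `tv->tv_sec * 1000 + tv->tv_usec/1000` is stored in an `int` with no range check and `ptr` is dereferenced without a NULL test, so a very large or missing timeout from the caller is not rejected.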
@@ -403,7 +463,7 @@ static int dgram_puts(BIO *bp, const char *str)
        return(ret);
        }
 
-int BIO_dgram_should_retry(int i)
+static int BIO_dgram_should_retry(int i)
        {
        int err;
 
index 8655eb1..1e8e576 100644 (file)
@@ -187,6 +187,17 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
        BN_ULONG d0,d1;
        int num_n,div_n;
 
+       /* Invalid zero-padding would have particularly bad consequences
+        * in the case of 'num', so don't just rely on bn_check_top() for this one
+        * (bn_check_top() works only for BN_DEBUG builds) */
+       if (num->top > 0 && num->d[num->top - 1] == 0)
+               {
+               BNerr(BN_F_BN_DIV,BN_R_NOT_INITIALIZED);
+               return 0;
+               }
+
+       bn_check_top(num);
+
        if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0))
                {
                return BN_div_no_branch(dv, rm, num, divisor, ctx);
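Review bot: The new runtime check reports invalid zero padding of `num` as `BN_R_NOT_INITIALIZED`, which does not describe the condition and will mislead whoever reads the error queue. If a dedicated reason code cannot be added on this branch, a comment beside the `BNerr` call should say the code is being reused for a malformed `num`. The check reads `num->d[num->top - 1]` before any `bn_check_top`, so it also assumes `num->top` does not exceed the allocated size, which is not verified here. BN_div continues past the end of the hunk.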
@@ -194,7 +205,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
 
        bn_check_top(dv);
        bn_check_top(rm);
-       bn_check_top(num);
+       /* bn_check_top(num); */ /* 'num' has been checked already */
        bn_check_top(divisor);
 
        if (BN_is_zero(divisor))
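Review bot: Leaving `/* bn_check_top(num); */` as commented-out code here and in the BN_div_no_branch hunk below is harder to read than a plain comment; `/* 'num' was validated on entry to BN_div() */` says the same without dead code. In BN_div_no_branch the remark is also the only record that the static helper depends on its caller for that validation. It belongs in the helper's header comment, where anyone adding a second caller would see it.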
@@ -419,7 +430,7 @@ static int BN_div_no_branch(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
 
        bn_check_top(dv);
        bn_check_top(rm);
-       bn_check_top(num);
+       /* bn_check_top(num); */ /* 'num' has been checked in BN_div() */
        bn_check_top(divisor);
 
        if (BN_is_zero(divisor))
index 6a79385..306f029 100644 (file)
@@ -384,7 +384,11 @@ int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[])
                if (zz == 0) break;
                d1 = BN_BITS2 - d0;
                
-               if (d0) z[dN] = (z[dN] << d1) >> d1; /* clear up the top d1 bits */
+               /* clear up the top d1 bits */
+               if (d0)
+                       z[dN] = (z[dN] << d1) >> d1;
+               else
+                       z[dN] = 0;
                z[0] ^= zz; /* reduction t^0 component */
 
                for (k = 1; p[k] != 0; k++)
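Review bot: The added `else z[dN] = 0;` branch has no explanation of why it is needed. When `d0` is 0, `d1` equals `BN_BITS2`, and shifting a word by its full width is undefined, which is presumably why the old one-liner skipped the cleanup and left the word uncleared. A comment such as `/* d0 == 0: d1 == BN_BITS2, a full-width shift is undefined, so clear the word directly */` would keep the two branches from being merged again. The loop this sits in starts above the hunk.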
index e14232f..1fc94f5 100644 (file)
@@ -59,6 +59,7 @@
 #include "bn_lcl.h"
 #include "cryptlib.h"
 
+
 #define BN_NIST_192_TOP        (192+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_224_TOP        (224+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_256_TOP        (256+BN_BITS2-1)/BN_BITS2
@@ -101,60 +102,98 @@ static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
        0xFFFFFFFF,0x000001FF};
 #endif
 
+
+static const BIGNUM _bignum_nist_p_192 =
+       {
+       (BN_ULONG *)_nist_p_192,
+       BN_NIST_192_TOP,
+       BN_NIST_192_TOP,
+       0,
+       BN_FLG_STATIC_DATA
+       };
+
+static const BIGNUM _bignum_nist_p_224 =
+       {
+       (BN_ULONG *)_nist_p_224,
+       BN_NIST_224_TOP,
+       BN_NIST_224_TOP,
+       0,
+       BN_FLG_STATIC_DATA
+       };
+
+static const BIGNUM _bignum_nist_p_256 =
+       {
+       (BN_ULONG *)_nist_p_256,
+       BN_NIST_256_TOP,
+       BN_NIST_256_TOP,
+       0,
+       BN_FLG_STATIC_DATA
+       };
+
+static const BIGNUM _bignum_nist_p_384 =
+       {
+       (BN_ULONG *)_nist_p_384,
+       BN_NIST_384_TOP,
+       BN_NIST_384_TOP,
+       0,
+       BN_FLG_STATIC_DATA
+       };
+
+static const BIGNUM _bignum_nist_p_521 =
+       {
+       (BN_ULONG *)_nist_p_521,
+       BN_NIST_521_TOP,
+       BN_NIST_521_TOP,
+       0,
+       BN_FLG_STATIC_DATA
+       };
+
+
 const BIGNUM *BN_get0_nist_prime_192(void)
        {
-       static BIGNUM const_nist_192 = { (BN_ULONG *)_nist_p_192,
-               BN_NIST_192_TOP, BN_NIST_192_TOP, 0, BN_FLG_STATIC_DATA };
-       return &const_nist_192;
+       return &_bignum_nist_p_192;
        }
 
 const BIGNUM *BN_get0_nist_prime_224(void)
        {
-       static BIGNUM const_nist_224 = { (BN_ULONG *)_nist_p_224,
-               BN_NIST_224_TOP, BN_NIST_224_TOP, 0, BN_FLG_STATIC_DATA };
-       return &const_nist_224;
+       return &_bignum_nist_p_224;
        }
 
 const BIGNUM *BN_get0_nist_prime_256(void)
        {
-       static BIGNUM const_nist_256 = { (BN_ULONG *)_nist_p_256,
-               BN_NIST_256_TOP, BN_NIST_256_TOP, 0, BN_FLG_STATIC_DATA };
-       return &const_nist_256;
+       return &_bignum_nist_p_256;
        }
 
 const BIGNUM *BN_get0_nist_prime_384(void)
        {
-       static BIGNUM const_nist_384 = { (BN_ULONG *)_nist_p_384,
-               BN_NIST_384_TOP, BN_NIST_384_TOP, 0, BN_FLG_STATIC_DATA };
-       return &const_nist_384;
+       return &_bignum_nist_p_384;
        }
 
 const BIGNUM *BN_get0_nist_prime_521(void)
        {
-       static BIGNUM const_nist_521 = { (BN_ULONG *)_nist_p_521,
-               BN_NIST_521_TOP, BN_NIST_521_TOP, 0, BN_FLG_STATIC_DATA };
-       return &const_nist_521;
+       return &_bignum_nist_p_521;
        }
 
-#define BN_NIST_ADD_ONE(a)     while (!(*(a)=(*(a)+1)&BN_MASK2)) ++(a);
 
 static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
-        {
+       {
        int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        for (i = (max) - (top); i != 0; i--)
-                *_tmp1++ = (BN_ULONG) 0;
-        }
+       BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+
+       OPENSSL_assert(top <= max);
+       for (i = (top); i != 0; i--)
+               *_tmp1++ = *_tmp2++;
+       for (i = (max) - (top); i != 0; i--)
+               *_tmp1++ = (BN_ULONG) 0;
+       }
 
 static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
-        
+       { 
        int i;
-        BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
-        for (i = (top); i != 0; i--)
-                *_tmp1++ = *_tmp2++;
-        }
+       BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
+       for (i = (top); i != 0; i--)
+               *_tmp1++ = *_tmp2++;
+       }
 
 #if BN_BITS2 == 64
 #define bn_cp_64(to, n, from, m)       (to)[n] = (m>=0)?((from)[m]):0;
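Review bot: `OPENSSL_assert(top <= max)` in nist_cp_bn_0 guards the zero-fill loop, whose `i != 0` condition would not terminate in bounds for a negative `max - top`, but the precondition is not written down, a negative `top` is not covered, and nist_cp_bn got no check at all. A short comment above the assert stating `0 <= top <= max`, with the same precondition noted on nist_cp_bn, would make the callers' obligations explicit. The new file-scope names `_bignum_nist_p_192` through `_bignum_nist_p_521` begin with an underscore, which C reserves at file scope; `bignum_nist_p_192` would avoid that. They are declared `const` while their data pointer is produced by casting away the `const` of the `_nist_p_*` tables, so correctness rests on `BN_FLG_STATIC_DATA` keeping every consumer from writing through it.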
@@ -199,6 +238,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                *res;
        size_t   mask;
 
+       field = &_bignum_nist_p_192; /* just to make sure */
+
+       if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
+               return BN_nnmod(r, field, a, ctx);
+
        i = BN_ucmp(field, a);
        if (i == 0)
                {
@@ -208,9 +252,6 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        else if (i > 0)
                return (r == a) ? 1 : (BN_copy(r ,a) != NULL);
 
-       if (top == BN_NIST_192_TOP)
-               return BN_usub(r, a, field);
-
        if (r != a)
                {
                if (!bn_wexpand(r, BN_NIST_192_TOP))
@@ -245,6 +286,11 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        r->top = BN_NIST_192_TOP;
        bn_correct_top(r);
 
+       if (BN_ucmp(field, r) <= 0)
+               {
+               if (!BN_usub(r, r, field)) return 0;
+               }
+
        return 1;
        }
 
@@ -272,6 +318,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                *res;
        size_t   mask;
 
+       field = &_bignum_nist_p_224; /* just to make sure */
+
+       if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
+               return BN_nnmod(r, field, a, ctx);
+
        i = BN_ucmp(field, a);
        if (i == 0)
                {
@@ -281,9 +332,6 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        else if (i > 0)
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-       if (top == BN_NIST_224_TOP)
-               return BN_usub(r, a, field);
-
        if (r != a)
                {
                if (!bn_wexpand(r, BN_NIST_224_TOP))
@@ -333,6 +381,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        r->top = BN_NIST_224_TOP;
        bn_correct_top(r);
 
+       if (BN_ucmp(field, r) <= 0)
+               {
+               if (!BN_usub(r, r, field)) return 0;
+               }
+
        return 1;
 #else  /* BN_BITS!=32 */
        return 0;
@@ -364,6 +417,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                *res;
        size_t   mask;
 
+       field = &_bignum_nist_p_256; /* just to make sure */
+
+       if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
+               return BN_nnmod(r, field, a, ctx);
+
        i = BN_ucmp(field, a);
        if (i == 0)
                {
@@ -373,9 +431,6 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        else if (i > 0)
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-       if (top == BN_NIST_256_TOP)
-               return BN_usub(r, a, field);
-
        if (r != a)
                {
                if (!bn_wexpand(r, BN_NIST_256_TOP))
@@ -470,6 +525,11 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        r->top = BN_NIST_256_TOP;
        bn_correct_top(r);
 
+       if (BN_ucmp(field, r) <= 0)
+               {
+               if (!BN_usub(r, r, field)) return 0;
+               }
+
        return 1;
 #else  /* BN_BITS!=32 */
        return 0;
@@ -505,6 +565,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                *res;
        size_t   mask;
 
+       field = &_bignum_nist_p_384; /* just to make sure */
+
+       if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
+               return BN_nnmod(r, field, a, ctx);
+
        i = BN_ucmp(field, a);
        if (i == 0)
                {
@@ -514,9 +579,6 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        else if (i > 0)
                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-       if (top == BN_NIST_384_TOP)
-               return BN_usub(r, a, field);
-
        if (r != a)
                {
                if (!bn_wexpand(r, BN_NIST_384_TOP))
@@ -631,6 +693,11 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
        r->top = BN_NIST_384_TOP;
        bn_correct_top(r);
 
+       if (BN_ucmp(field, r) <= 0)
+               {
+               if (!BN_usub(r, r, field)) return 0;
+               }
+
        return 1;
 #else  /* BN_BITS!=32 */
        return 0;
@@ -646,14 +713,35 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 #define BN_NIST_521_TOP_MASK   (BN_ULONG)0x1FF
 #endif
        int     top, ret = 0;
-       BN_ULONG *r_d;
        BIGNUM  *tmp;
 
+       field = &_bignum_nist_p_521; /* just to make sure */
+
+       if (BN_is_negative(a))
+               return BN_nnmod(r, field, a, ctx);
+
        /* check whether a reduction is necessary */
        top = a->top;
        if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
-           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
-               return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+           (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+               {
+               int i = BN_ucmp(field, a);
+               if (i == 0)
+                       {
+                       BN_zero(r);
+                       return 1;
+                       }
+               else
+                       {
+#ifdef BN_DEBUG
+                       OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
+#endif
+                       return (r == a)? 1 : (BN_copy(r ,a) != NULL);
+                       }
+               }
+
+       if (BN_num_bits(a) > 2*521)
+               return BN_nnmod(r, field, a, ctx);
 
        BN_CTX_start(ctx);
        tmp = BN_CTX_get(ctx);
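Review bot: `field = &_bignum_nist_p_521; /* just to make sure */` silently discards the caller's `field` argument. A caller that passes any other modulus gets a value reduced modulo P-521 and a success return. The comment does not say the parameter is ignored, and the `BN_nist_mod_384` hunk does the same. If the parameter is kept only for signature compatibility, say so: `/* 'field' is ignored; the modulus is always the built-in P-521 prime */`. The literal in `BN_num_bits(a) > 2*521` would also read better as a named constant, in line with the `2*BN_NIST_384_TOP` form used by the sibling functions.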
@@ -673,15 +761,11 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
 
        if (!BN_uadd(r, tmp, r))
                goto err;
-       top = r->top;
-       r_d = r->d;
-       if (top == BN_NIST_521_TOP  && 
-           (r_d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))
+
+       if (BN_ucmp(field, r) <= 0)
                {
-               BN_NIST_ADD_ONE(r_d)
-               r->d[BN_NIST_521_TOP-1] &= BN_NIST_521_TOP_MASK; 
+               if (!BN_usub(r, r, field)) goto err;
                }
-       bn_correct_top(r);
 
        ret = 1;
 err:
index f79c504..b35d28d 100644 (file)
@@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
                                if (!BIO_get_cipher_status(in))
                                        goto err;
                                }
+                       if (i < 0)
+                               goto err;
                        break;
                        }
                                
-               if (tmpout)
-                       BIO_write(tmpout, buf, i);
+               if (tmpout && (BIO_write(tmpout, buf, i) != i))
+                       goto err;
        }
 
        if(flags & CMS_TEXT)
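Review bot: The added `if (i < 0) goto err;` has no comment explaining why a negative read must not fall through to `break`. Without that check a failed read ends the loop like a normal end of input, so truncated content could be reported as a successful copy. I would add `/* read error, not end of content: fail rather than accept a truncated copy */` above it. Neither new `goto err` records a reason in the lines shown, so whether the caller sees an error code depends on the `err:` label, which is outside this hunk.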
index 5ceaa96..fc249c5 100644 (file)
@@ -103,7 +103,6 @@ extern unsigned long OPENSSL_ia32cap_P;
 void OPENSSL_showfatal(const char *,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
-int OPENSSL_isservice(void);
 
 #ifdef  __cplusplus
 }
index d2b5ffe..fe2c1d6 100644 (file)
@@ -521,6 +521,7 @@ void OpenSSLDie(const char *file,int line,const char *assertion);
 
 unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
+int OPENSSL_isservice(void);
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
index 8599046..d29cd57 100644 (file)
@@ -107,6 +107,9 @@ void ENGINE_load_builtin_engines(void)
 #if defined(__OpenBSD__) || defined(__FreeBSD__)
        ENGINE_load_cryptodev();
 #endif
+#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+       ENGINE_load_capi();
+#endif
 #endif
        }
 
index a97e01e..8417dda 100644 (file)
@@ -98,6 +98,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
        CONF_VALUE *ecmd;
        char *ctrlname, *ctrlvalue;
        ENGINE *e = NULL;
+        int soft = 0;
+
        name = skip_dot(name);
 #ifdef ENGINE_CONF_DEBUG
        fprintf(stderr, "Configuring engine %s\n", name);
@@ -125,6 +127,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                /* Override engine name to use */
                if (!strcmp(ctrlname, "engine_id"))
                        name = ctrlvalue;
+                else if (!strcmp(ctrlname, "soft_load"))
+                        soft = 1;
                /* Load a dynamic ENGINE */
                else if (!strcmp(ctrlname, "dynamic_path"))
                        {
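Review bot: The `soft_load` branch sets `soft = 1` without looking at `ctrlvalue`, so a configuration line that gives the option a value of 0 still turns soft loading on. Either test the value before setting the flag or document the behaviour next to the branch, e.g. `/* presence alone enables soft loading; the value is ignored */`. The two added lines are indented with spaces where the surrounding code uses tabs. `int_engine_configure` starts and ends outside this hunk.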
@@ -147,6 +151,11 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                        if (!e)
                                {
                                e = ENGINE_by_id(name);
+                                if (!e && soft)
+                                        {
+                                        ERR_clear_error();
+                                        return 1;
+                                        }
                                if (!e)
                                        return 0;
                                }
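Review bot: `ERR_clear_error()` in the `!e && soft` branch empties the whole error queue, not just the entry left by the failed `ENGINE_by_id(name)`, so any unrelated error queued earlier is lost as well. The branch also returns 1, which reports the section as configured even though no engine was loaded. A deployment that depends on the engine for key protection would then continue without it and without any diagnostic. A comment should state that consequence, e.g. `/* soft_load: a missing engine is not an error; the caller continues without it */`. Consider also marking the queue before the lookup and popping back to the mark instead of clearing everything.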
index 369f2e2..574ffbb 100644 (file)
@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -92,6 +92,7 @@ static ERR_STRING_DATA ENGINE_str_functs[]=
 {ERR_FUNC(ENGINE_F_ENGINE_LIST_REMOVE),        "ENGINE_LIST_REMOVE"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PRIVATE_KEY),   "ENGINE_load_private_key"},
 {ERR_FUNC(ENGINE_F_ENGINE_LOAD_PUBLIC_KEY),    "ENGINE_load_public_key"},
+{ERR_FUNC(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT),       "ENGINE_load_ssl_client_cert"},
 {ERR_FUNC(ENGINE_F_ENGINE_NEW),        "ENGINE_new"},
 {ERR_FUNC(ENGINE_F_ENGINE_REMOVE),     "ENGINE_remove"},
 {ERR_FUNC(ENGINE_F_ENGINE_SET_DEFAULT_STRING), "ENGINE_set_default_string"},
index a5b1ede..a66f107 100644 (file)
@@ -170,6 +170,8 @@ struct engine_st
        ENGINE_LOAD_KEY_PTR load_privkey;
        ENGINE_LOAD_KEY_PTR load_pubkey;
 
+       ENGINE_SSL_CLIENT_CERT_PTR load_ssl_client_cert;
+
        const ENGINE_CMD_DEFN *cmd_defns;
        int flags;
        /* reference count on the structure itself */
index bc8b21a..1dfa2e3 100644 (file)
@@ -69,6 +69,13 @@ int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f)
        return 1;
        }
 
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                               ENGINE_SSL_CLIENT_CERT_PTR loadssl_f)
+       {
+       e->load_ssl_client_cert = loadssl_f;
+       return 1;
+       }
+
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e)
        {
        return e->load_privkey;
@@ -79,6 +86,11 @@ ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e)
        return e->load_pubkey;
        }
 
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e)
+       {
+       return e->load_ssl_client_cert;
+       }
+
 /* API functions to load public/private keys */
 
 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
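Review bot: The new getter is named `ENGINE_get_ssl_client_cert_function`, but its setter is `ENGINE_set_load_ssl_client_cert_function` and the neighbouring getters are `ENGINE_get_load_privkey_function` and `ENGINE_get_load_pubkey_function`. The missing `load_` breaks the set/get pairing that the rest of this file follows. Since this is a new public symbol, it is cheapest to fix before release: `ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_load_ssl_client_cert_function(const ENGINE *e)`, with the prototype in the engine.h hunk renamed to match.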
@@ -152,3 +164,33 @@ EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
                }
        return pkey;
        }
+
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data)
+       {
+
+       if(e == NULL)
+               {
+               ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                       ERR_R_PASSED_NULL_PARAMETER);
+               return 0;
+               }
+       CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
+       if(e->funct_ref == 0)
+               {
+               CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+               ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                       ENGINE_R_NOT_INITIALISED);
+               return 0;
+               }
+       CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
+       if (!e->load_ssl_client_cert)
+               {
+               ENGINEerr(ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT,
+                       ENGINE_R_NO_LOAD_FUNCTION);
+               return 0;
+               }
+       return e->load_ssl_client_cert(e, s, ca_dn, pcert, ppkey, pother,
+                                       ui_method, callback_data);
+       }
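Review bot: The `e->funct_ref == 0` test in `ENGINE_load_ssl_client_cert` is made under `CRYPTO_LOCK_ENGINE`, but the lock is released before `e->load_ssl_client_cert` is read and called. The check therefore cannot keep the engine initialised for the duration of the callback; that depends on the caller already holding a functional reference. The function has no header comment stating this, nor who owns `*pcert`, `*ppkey` and `*pother` on return or what they hold on failure. A comment should say that the caller must hold a functional reference for the whole call, and should document the ownership of the three output pointers.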
index 3ec5933..f503595 100644 (file)
@@ -93,6 +93,8 @@
 #include <openssl/err.h>
 #endif
 
+#include <openssl/x509.h>
+
 #include <openssl/ossl_typ.h>
 #include <openssl/symhacks.h>
 
@@ -278,6 +280,9 @@ typedef int (*ENGINE_CTRL_FUNC_PTR)(ENGINE *, int, long, void *, void (*f)(void)
 /* Generic load_key function pointer */
 typedef EVP_PKEY * (*ENGINE_LOAD_KEY_PTR)(ENGINE *, const char *,
        UI_METHOD *ui_method, void *callback_data);
+typedef int (*ENGINE_SSL_CLIENT_CERT_PTR)(ENGINE *, SSL *ssl,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **pkey,
+       STACK_OF(X509) **pother, UI_METHOD *ui_method, void *callback_data);
 /* These callback types are for an ENGINE's handler for cipher and digest logic.
  * These handlers have these prototypes;
  *   int foo(ENGINE *e, const EVP_CIPHER **cipher, const int **nids, int nid);
@@ -334,6 +339,9 @@ void ENGINE_load_ubsec(void);
 void ENGINE_load_cryptodev(void);
 void ENGINE_load_padlock(void);
 void ENGINE_load_builtin_engines(void);
+#ifndef OPENSSL_NO_CAPIENG
+void ENGINE_load_capi(void);
+#endif
 
 /* Get and set global flags (ENGINE_TABLE_FLAG_***) for the implementation
  * "registry" handling. */
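Review bot: `ENGINE_load_capi` is declared under `#ifndef OPENSSL_NO_CAPIENG` alone, while its call in `ENGINE_load_builtin_engines` (the eng_all.c hunk) is guarded by `defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)`. On a non-Windows build that does not define `OPENSSL_NO_CAPIENG`, the prototype is visible but presumably has no definition behind it, so a caller would fail at link time rather than at compile time. Using the same condition in both places avoids that: `#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)`.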
@@ -459,6 +467,8 @@ int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f);
 int ENGINE_set_ctrl_function(ENGINE *e, ENGINE_CTRL_FUNC_PTR ctrl_f);
 int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f);
 int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f);
+int ENGINE_set_load_ssl_client_cert_function(ENGINE *e,
+                               ENGINE_SSL_CLIENT_CERT_PTR loadssl_f);
 int ENGINE_set_ciphers(ENGINE *e, ENGINE_CIPHERS_PTR f);
 int ENGINE_set_digests(ENGINE *e, ENGINE_DIGESTS_PTR f);
 int ENGINE_set_flags(ENGINE *e, int flags);
@@ -494,6 +504,7 @@ ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e);
 ENGINE_CTRL_FUNC_PTR ENGINE_get_ctrl_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_privkey_function(const ENGINE *e);
 ENGINE_LOAD_KEY_PTR ENGINE_get_load_pubkey_function(const ENGINE *e);
+ENGINE_SSL_CLIENT_CERT_PTR ENGINE_get_ssl_client_cert_function(const ENGINE *e);
 ENGINE_CIPHERS_PTR ENGINE_get_ciphers(const ENGINE *e);
 ENGINE_DIGESTS_PTR ENGINE_get_digests(const ENGINE *e);
 const EVP_CIPHER *ENGINE_get_cipher(ENGINE *e, int nid);
@@ -529,6 +540,10 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
        UI_METHOD *ui_method, void *callback_data);
 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id,
        UI_METHOD *ui_method, void *callback_data);
+int ENGINE_load_ssl_client_cert(ENGINE *e, SSL *s,
+       STACK_OF(X509_NAME) *ca_dn, X509 **pcert, EVP_PKEY **ppkey,
+       STACK_OF(X509) **pother,
+       UI_METHOD *ui_method, void *callback_data);
 
 /* This returns a pointer for the current ENGINE structure that
  * is (by default) performing any RSA operations. The value returned
@@ -723,6 +738,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_F_ENGINE_LIST_REMOVE                     121
 #define ENGINE_F_ENGINE_LOAD_PRIVATE_KEY                150
 #define ENGINE_F_ENGINE_LOAD_PUBLIC_KEY                         151
+#define ENGINE_F_ENGINE_LOAD_SSL_CLIENT_CERT            192
 #define ENGINE_F_ENGINE_NEW                             122
 #define ENGINE_F_ENGINE_REMOVE                          123
 #define ENGINE_F_ENGINE_SET_DEFAULT_STRING              189
index b6ff070..7952e70 100644 (file)
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)             ,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)          ,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)            ,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)            ,"FIPS routines"},
 {ERR_PACK(ERR_LIB_CMS,0,0)             ,"CMS routines"},
 {0,NULL},
        };
index bf28fce..8d9f0da 100644 (file)
@@ -140,7 +140,8 @@ typedef struct err_state_st
 #define ERR_LIB_ECDSA          42
 #define ERR_LIB_ECDH           43
 #define ERR_LIB_STORE           44
-#define ERR_LIB_CMS            45
+#define ERR_LIB_FIPS           45
+#define ERR_LIB_CMS            46
 
 #define ERR_LIB_USER           128
 
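Review bot: Renumbering `ERR_LIB_CMS` from 45 to 46 changes a constant in a public header. Objects compiled against the previous header still pack CMS errors with library number 45, which a library built from this header now resolves as FIPS. Error strings and any `ERR_GET_LIB()` comparisons then disagree between old and new objects until everything is rebuilt. If the FIPS value must be 45 for compatibility with another branch, record that next to the define, e.g. `/* 45 is reserved for FIPS; CMS moved to 46, so rebuild CMS users */`. Otherwise appending `ERR_LIB_FIPS` as 46 would leave the existing value stable.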
@@ -172,6 +173,7 @@ typedef struct err_state_st
 #define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),__FILE__,__LINE__)
 #define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),__FILE__,__LINE__)
 #define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
+#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
index bdd3b7e..09e621b 100644 (file)
@@ -303,6 +303,8 @@ struct env_md_ctx_st
                                                * cleaned */
 #define EVP_MD_CTX_FLAG_REUSE          0x0004 /* Don't free up ctx->md_data
                                                * in EVP_MD_CTX_cleanup */
+#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0x0008  /* Allow use of non FIPS digest
+                                                * in FIPS mode */
 
 struct evp_cipher_st
        {
index a190499..6e582c4 100644 (file)
@@ -279,7 +279,12 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
        {
        int i,j,bl;
 
-       OPENSSL_assert(inl > 0);
+       if (inl <= 0)
+               {
+               *outl = 0;
+               return inl == 0;
+               }
+
        if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                {
                if(ctx->cipher->do_cipher(ctx,out,in,inl))
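Review bot: The new `inl <= 0` guard returns 0 for a negative length without putting anything on the error queue, so the caller gets a failure with no reason attached. A caller that ignores the return value sees `*outl == 0` and carries on as if an empty update had succeeded. The `EVP_DecryptUpdate` hunk has the same shape. At minimum the contract should be stated at the guard, e.g. `/* inl == 0: nothing to do; inl < 0: caller error, fail with *outl = 0 */`. `EVP_EncryptUpdate` continues outside this hunk.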
@@ -381,10 +386,10 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
        int fix_len;
        unsigned int b;
 
-       if (inl == 0)
+       if (inl <= 0)
                {
-               *outl=0;
-               return 1;
+               *outl = 0;
+               return inl == 0;
                }
 
        if (ctx->flags & EVP_CIPH_NO_PADDING)
index c45e001..1d140f7 100644 (file)
@@ -171,3 +171,10 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
        return(md);
        }
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+       {
+       EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
+       EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+       EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
+       }
+
index 719fc40..fc38ffb 100644 (file)
@@ -100,6 +100,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
                    const unsigned char *d, size_t n, unsigned char *md,
                    unsigned int *md_len);
 
+void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);
 
 #ifdef  __cplusplus
 }
index 089c450..61bcd97 100644 (file)
@@ -301,7 +301,7 @@ int HASH_UPDATE (HASH_CTX *c, const void *data_, size_t len)
                {
                p=(unsigned char *)c->data;
 
-               if ((n+len) >= HASH_CBLOCK)
+               if (len >= HASH_CBLOCK || len+n >= HASH_CBLOCK)
                        {
                        memcpy (p+n,data,HASH_CBLOCK-n);
                        HASH_BLOCK_DATA_ORDER (c,p,1);
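Review bot: The added `len >= HASH_CBLOCK ||` looks redundant next to `len+n >= HASH_CBLOCK`, which makes it likely to be simplified away later. It presumably exists because `len` is a `size_t`, so for a very large `len` the sum can wrap to a small value and skip this branch. In that case the bytes would be treated as fitting into the partial block buffer. A comment should pin the reason: `/* test len on its own first: len+n can wrap for huge len */`. The declaration of `n` is outside this hunk, so its type is assumed here.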
index 99acf13..0ccc7c6 100644 (file)
  * [including the GNU Public Licence.]
  */
 
-#define NUM_NID 791
-#define NUM_SN 784
-#define NUM_LN 784
-#define NUM_OBJ 740
+#define NUM_NID 857
+#define NUM_SN 850
+#define NUM_LN 850
+#define NUM_OBJ 804
 
-static unsigned char lvalues[5258]={
+static unsigned char lvalues[5711]={
 0x00,                                        /* [  0] OBJ_undef */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,               /* [  1] OBJ_rsadsi */
 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,          /* [  7] OBJ_pkcs */
@@ -808,6 +808,70 @@ static unsigned char lvalues[5258]={
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x05,/* [5230] OBJ_id_aes128_wrap */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x19,/* [5239] OBJ_id_aes192_wrap */
 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2D,/* [5248] OBJ_id_aes256_wrap */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x02,          /* [5257] OBJ_ecdsa_with_Recommended */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,          /* [5264] OBJ_ecdsa_with_Specified */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x01,     /* [5271] OBJ_ecdsa_with_SHA224 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02,     /* [5279] OBJ_ecdsa_with_SHA256 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x03,     /* [5287] OBJ_ecdsa_with_SHA384 */
+0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x04,     /* [5295] OBJ_ecdsa_with_SHA512 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x06,     /* [5303] OBJ_hmacWithMD5 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x08,     /* [5311] OBJ_hmacWithSHA224 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x09,     /* [5319] OBJ_hmacWithSHA256 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0A,     /* [5327] OBJ_hmacWithSHA384 */
+0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0B,     /* [5335] OBJ_hmacWithSHA512 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x01,/* [5343] OBJ_dsa_with_SHA224 */
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x02,/* [5352] OBJ_dsa_with_SHA256 */
+0x28,0xCF,0x06,0x03,0x00,0x37,               /* [5361] OBJ_whirlpool */
+0x2A,0x85,0x03,0x02,0x02,                    /* [5367] OBJ_cryptopro */
+0x2A,0x85,0x03,0x02,0x09,                    /* [5372] OBJ_cryptocom */
+0x2A,0x85,0x03,0x02,0x02,0x03,               /* [5377] OBJ_id_GostR3411_94_with_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x04,               /* [5383] OBJ_id_GostR3411_94_with_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x09,               /* [5389] OBJ_id_GostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x0A,               /* [5395] OBJ_id_HMACGostR3411_94 */
+0x2A,0x85,0x03,0x02,0x02,0x13,               /* [5401] OBJ_id_GostR3410_2001 */
+0x2A,0x85,0x03,0x02,0x02,0x14,               /* [5407] OBJ_id_GostR3410_94 */
+0x2A,0x85,0x03,0x02,0x02,0x15,               /* [5413] OBJ_id_Gost28147_89 */
+0x2A,0x85,0x03,0x02,0x02,0x16,               /* [5419] OBJ_id_Gost28147_89_MAC */
+0x2A,0x85,0x03,0x02,0x02,0x17,               /* [5425] OBJ_id_GostR3411_94_prf */
+0x2A,0x85,0x03,0x02,0x02,0x62,               /* [5431] OBJ_id_GostR3410_2001DH */
+0x2A,0x85,0x03,0x02,0x02,0x63,               /* [5437] OBJ_id_GostR3410_94DH */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x01,          /* [5443] OBJ_id_Gost28147_89_CryptoPro_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x0E,0x00,          /* [5450] OBJ_id_Gost28147_89_None_KeyMeshing */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x00,          /* [5457] OBJ_id_GostR3411_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1E,0x01,          /* [5464] OBJ_id_GostR3411_94_CryptoProParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x00,          /* [5471] OBJ_id_Gost28147_89_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x01,          /* [5478] OBJ_id_Gost28147_89_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x02,          /* [5485] OBJ_id_Gost28147_89_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x03,          /* [5492] OBJ_id_Gost28147_89_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x04,          /* [5499] OBJ_id_Gost28147_89_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x05,          /* [5506] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x06,          /* [5513] OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x1F,0x07,          /* [5520] OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x00,          /* [5527] OBJ_id_GostR3410_94_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x02,          /* [5534] OBJ_id_GostR3410_94_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x03,          /* [5541] OBJ_id_GostR3410_94_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x04,          /* [5548] OBJ_id_GostR3410_94_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x20,0x05,          /* [5555] OBJ_id_GostR3410_94_CryptoPro_D_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x01,          /* [5562] OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x02,          /* [5569] OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x21,0x03,          /* [5576] OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x00,          /* [5583] OBJ_id_GostR3410_2001_TestParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x01,          /* [5590] OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x02,          /* [5597] OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x23,0x03,          /* [5604] OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x00,          /* [5611] OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x24,0x01,          /* [5618] OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x01,          /* [5625] OBJ_id_GostR3410_94_a */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x02,          /* [5632] OBJ_id_GostR3410_94_aBis */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x03,          /* [5639] OBJ_id_GostR3410_94_b */
+0x2A,0x85,0x03,0x02,0x02,0x14,0x04,          /* [5646] OBJ_id_GostR3410_94_bBis */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x06,0x01,     /* [5653] OBJ_id_Gost28147_89_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x03,     /* [5661] OBJ_id_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x05,0x04,     /* [5669] OBJ_id_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x03,     /* [5677] OBJ_id_GostR3411_94_with_GostR3410_94_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x03,0x04,     /* [5685] OBJ_id_GostR3411_94_with_GostR3410_2001_cc */
+0x2A,0x85,0x03,0x02,0x09,0x01,0x08,0x01,     /* [5693] OBJ_id_GostR3410_2001_ParamSet_cc */
+0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x11,0x02,/* [5701] OBJ_LocalKeySet */
 };
 
 static ASN1_OBJECT nid_objs[NUM_NID]={
@@ -2039,6 +2103,159 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
        &(lvalues[5239]),0},
 {"id-aes256-wrap","id-aes256-wrap",NID_id_aes256_wrap,9,
        &(lvalues[5248]),0},
+{"ecdsa-with-Recommended","ecdsa-with-Recommended",
+       NID_ecdsa_with_Recommended,7,&(lvalues[5257]),0},
+{"ecdsa-with-Specified","ecdsa-with-Specified",
+       NID_ecdsa_with_Specified,7,&(lvalues[5264]),0},
+{"ecdsa-with-SHA224","ecdsa-with-SHA224",NID_ecdsa_with_SHA224,8,
+       &(lvalues[5271]),0},
+{"ecdsa-with-SHA256","ecdsa-with-SHA256",NID_ecdsa_with_SHA256,8,
+       &(lvalues[5279]),0},
+{"ecdsa-with-SHA384","ecdsa-with-SHA384",NID_ecdsa_with_SHA384,8,
+       &(lvalues[5287]),0},
+{"ecdsa-with-SHA512","ecdsa-with-SHA512",NID_ecdsa_with_SHA512,8,
+       &(lvalues[5295]),0},
+{"hmacWithMD5","hmacWithMD5",NID_hmacWithMD5,8,&(lvalues[5303]),0},
+{"hmacWithSHA224","hmacWithSHA224",NID_hmacWithSHA224,8,
+       &(lvalues[5311]),0},
+{"hmacWithSHA256","hmacWithSHA256",NID_hmacWithSHA256,8,
+       &(lvalues[5319]),0},
+{"hmacWithSHA384","hmacWithSHA384",NID_hmacWithSHA384,8,
+       &(lvalues[5327]),0},
+{"hmacWithSHA512","hmacWithSHA512",NID_hmacWithSHA512,8,
+       &(lvalues[5335]),0},
+{"dsa_with_SHA224","dsa_with_SHA224",NID_dsa_with_SHA224,9,
+       &(lvalues[5343]),0},
+{"dsa_with_SHA256","dsa_with_SHA256",NID_dsa_with_SHA256,9,
+       &(lvalues[5352]),0},
+{"whirlpool","whirlpool",NID_whirlpool,6,&(lvalues[5361]),0},
+{"cryptopro","cryptopro",NID_cryptopro,5,&(lvalues[5367]),0},
+{"cryptocom","cryptocom",NID_cryptocom,5,&(lvalues[5372]),0},
+{"id-GostR3411-94-with-GostR3410-2001",
+       "GOST R 34.11-94 with GOST R 34.10-2001",
+       NID_id_GostR3411_94_with_GostR3410_2001,6,&(lvalues[5377]),0},
+{"id-GostR3411-94-with-GostR3410-94",
+       "GOST R 34.11-94 with GOST R 34.10-94",
+       NID_id_GostR3411_94_with_GostR3410_94,6,&(lvalues[5383]),0},
+{"md_gost94","GOST R 34.11-94",NID_id_GostR3411_94,6,&(lvalues[5389]),0},
+{"id-HMACGostR3411-94","HMAC GOST 34.11-94",NID_id_HMACGostR3411_94,6,
+       &(lvalues[5395]),0},
+{"gost2001","GOST R 34.10-2001",NID_id_GostR3410_2001,6,
+       &(lvalues[5401]),0},
+{"gost94","GOST R 34.10-94",NID_id_GostR3410_94,6,&(lvalues[5407]),0},
+{"gost89","GOST 28147-89",NID_id_Gost28147_89,6,&(lvalues[5413]),0},
+{"gost89-cnt","gost89-cnt",NID_gost89_cnt,0,NULL,0},
+{"gost-mac","GOST 28147-89 MAC",NID_id_Gost28147_89_MAC,6,
+       &(lvalues[5419]),0},
+{"prf-gostr3411-94","GOST R 34.11-94 PRF",NID_id_GostR3411_94_prf,6,
+       &(lvalues[5425]),0},
+{"id-GostR3410-2001DH","GOST R 34.10-2001 DH",NID_id_GostR3410_2001DH,
+       6,&(lvalues[5431]),0},
+{"id-GostR3410-94DH","GOST R 34.10-94 DH",NID_id_GostR3410_94DH,6,
+       &(lvalues[5437]),0},
+{"id-Gost28147-89-CryptoPro-KeyMeshing",
+       "id-Gost28147-89-CryptoPro-KeyMeshing",
+       NID_id_Gost28147_89_CryptoPro_KeyMeshing,7,&(lvalues[5443]),0},
+{"id-Gost28147-89-None-KeyMeshing","id-Gost28147-89-None-KeyMeshing",
+       NID_id_Gost28147_89_None_KeyMeshing,7,&(lvalues[5450]),0},
+{"id-GostR3411-94-TestParamSet","id-GostR3411-94-TestParamSet",
+       NID_id_GostR3411_94_TestParamSet,7,&(lvalues[5457]),0},
+{"id-GostR3411-94-CryptoProParamSet",
+       "id-GostR3411-94-CryptoProParamSet",
+       NID_id_GostR3411_94_CryptoProParamSet,7,&(lvalues[5464]),0},
+{"id-Gost28147-89-TestParamSet","id-Gost28147-89-TestParamSet",
+       NID_id_Gost28147_89_TestParamSet,7,&(lvalues[5471]),0},
+{"id-Gost28147-89-CryptoPro-A-ParamSet",
+       "id-Gost28147-89-CryptoPro-A-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_A_ParamSet,7,&(lvalues[5478]),0},
+{"id-Gost28147-89-CryptoPro-B-ParamSet",
+       "id-Gost28147-89-CryptoPro-B-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_B_ParamSet,7,&(lvalues[5485]),0},
+{"id-Gost28147-89-CryptoPro-C-ParamSet",
+       "id-Gost28147-89-CryptoPro-C-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_C_ParamSet,7,&(lvalues[5492]),0},
+{"id-Gost28147-89-CryptoPro-D-ParamSet",
+       "id-Gost28147-89-CryptoPro-D-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_D_ParamSet,7,&(lvalues[5499]),0},
+{"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
+       "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet,7,&(lvalues[5506]),
+       0},
+{"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
+       "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet,7,&(lvalues[5513]),
+       0},
+{"id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
+       "id-Gost28147-89-CryptoPro-RIC-1-ParamSet",
+       NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet,7,&(lvalues[5520]),0},
+{"id-GostR3410-94-TestParamSet","id-GostR3410-94-TestParamSet",
+       NID_id_GostR3410_94_TestParamSet,7,&(lvalues[5527]),0},
+{"id-GostR3410-94-CryptoPro-A-ParamSet",
+       "id-GostR3410-94-CryptoPro-A-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_A_ParamSet,7,&(lvalues[5534]),0},
+{"id-GostR3410-94-CryptoPro-B-ParamSet",
+       "id-GostR3410-94-CryptoPro-B-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_B_ParamSet,7,&(lvalues[5541]),0},
+{"id-GostR3410-94-CryptoPro-C-ParamSet",
+       "id-GostR3410-94-CryptoPro-C-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_C_ParamSet,7,&(lvalues[5548]),0},
+{"id-GostR3410-94-CryptoPro-D-ParamSet",
+       "id-GostR3410-94-CryptoPro-D-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_D_ParamSet,7,&(lvalues[5555]),0},
+{"id-GostR3410-94-CryptoPro-XchA-ParamSet",
+       "id-GostR3410-94-CryptoPro-XchA-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_XchA_ParamSet,7,&(lvalues[5562]),0},
+{"id-GostR3410-94-CryptoPro-XchB-ParamSet",
+       "id-GostR3410-94-CryptoPro-XchB-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_XchB_ParamSet,7,&(lvalues[5569]),0},
+{"id-GostR3410-94-CryptoPro-XchC-ParamSet",
+       "id-GostR3410-94-CryptoPro-XchC-ParamSet",
+       NID_id_GostR3410_94_CryptoPro_XchC_ParamSet,7,&(lvalues[5576]),0},
+{"id-GostR3410-2001-TestParamSet","id-GostR3410-2001-TestParamSet",
+       NID_id_GostR3410_2001_TestParamSet,7,&(lvalues[5583]),0},
+{"id-GostR3410-2001-CryptoPro-A-ParamSet",
+       "id-GostR3410-2001-CryptoPro-A-ParamSet",
+       NID_id_GostR3410_2001_CryptoPro_A_ParamSet,7,&(lvalues[5590]),0},
+{"id-GostR3410-2001-CryptoPro-B-ParamSet",
+       "id-GostR3410-2001-CryptoPro-B-ParamSet",
+       NID_id_GostR3410_2001_CryptoPro_B_ParamSet,7,&(lvalues[5597]),0},
+{"id-GostR3410-2001-CryptoPro-C-ParamSet",
+       "id-GostR3410-2001-CryptoPro-C-ParamSet",
+       NID_id_GostR3410_2001_CryptoPro_C_ParamSet,7,&(lvalues[5604]),0},
+{"id-GostR3410-2001-CryptoPro-XchA-ParamSet",
+       "id-GostR3410-2001-CryptoPro-XchA-ParamSet",
+       NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet,7,&(lvalues[5611]),0},
+       
+{"id-GostR3410-2001-CryptoPro-XchB-ParamSet",
+       "id-GostR3410-2001-CryptoPro-XchB-ParamSet",
+       NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet,7,&(lvalues[5618]),0},
+       
+{"id-GostR3410-94-a","id-GostR3410-94-a",NID_id_GostR3410_94_a,7,
+       &(lvalues[5625]),0},
+{"id-GostR3410-94-aBis","id-GostR3410-94-aBis",
+       NID_id_GostR3410_94_aBis,7,&(lvalues[5632]),0},
+{"id-GostR3410-94-b","id-GostR3410-94-b",NID_id_GostR3410_94_b,7,
+       &(lvalues[5639]),0},
+{"id-GostR3410-94-bBis","id-GostR3410-94-bBis",
+       NID_id_GostR3410_94_bBis,7,&(lvalues[5646]),0},
+{"id-Gost28147-89-cc","GOST 28147-89 Cryptocom ParamSet",
+       NID_id_Gost28147_89_cc,8,&(lvalues[5653]),0},
+{"gost94cc","GOST 34.10-94 Cryptocom",NID_id_GostR3410_94_cc,8,
+       &(lvalues[5661]),0},
+{"gost2001cc","GOST 34.10-2001 Cryptocom",NID_id_GostR3410_2001_cc,8,
+       &(lvalues[5669]),0},
+{"id-GostR3411-94-with-GostR3410-94-cc",
+       "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom",
+       NID_id_GostR3411_94_with_GostR3410_94_cc,8,&(lvalues[5677]),0},
+{"id-GostR3411-94-with-GostR3410-2001-cc",
+       "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom",
+       NID_id_GostR3411_94_with_GostR3410_2001_cc,8,&(lvalues[5685]),0},
+{"id-GostR3410-2001-ParamSet-cc",
+       "GOST R 3410-2001 Parameter Set Cryptocom",
+       NID_id_GostR3410_2001_ParamSet_cc,8,&(lvalues[5693]),0},
+{"HMAC","hmac",NID_hmac,0,NULL,0},
+{"LocalKeySet","Microsoft Local Key set",NID_LocalKeySet,9,
+       &(lvalues[5701]),0},
 };
 
 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -2119,6 +2336,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[67]),/* "DSA-old" */
 &(nid_objs[297]),/* "DVCS" */
 &(nid_objs[99]),/* "GN" */
+&(nid_objs[855]),/* "HMAC" */
 &(nid_objs[780]),/* "HMAC-MD5" */
 &(nid_objs[781]),/* "HMAC-SHA1" */
 &(nid_objs[381]),/* "IANA" */
@@ -2132,6 +2350,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[646]),/* "JOINT-ISO-ITU-T" */
 &(nid_objs[773]),/* "KISA" */
 &(nid_objs[15]),/* "L" */
+&(nid_objs[856]),/* "LocalKeySet" */
 &(nid_objs[ 3]),/* "MD2" */
 &(nid_objs[257]),/* "MD4" */
 &(nid_objs[ 4]),/* "MD5" */
@@ -2275,6 +2494,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[153]),/* "crlBag" */
 &(nid_objs[103]),/* "crlDistributionPoints" */
 &(nid_objs[88]),/* "crlNumber" */
+&(nid_objs[806]),/* "cryptocom" */
+&(nid_objs[805]),/* "cryptopro" */
 &(nid_objs[500]),/* "dITRedirect" */
 &(nid_objs[451]),/* "dNSDomain" */
 &(nid_objs[495]),/* "dSAQuality" */
@@ -2295,7 +2516,15 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[470]),/* "documentVersion" */
 &(nid_objs[392]),/* "domain" */
 &(nid_objs[452]),/* "domainRelatedObject" */
+&(nid_objs[802]),/* "dsa_with_SHA224" */
+&(nid_objs[803]),/* "dsa_with_SHA256" */
+&(nid_objs[791]),/* "ecdsa-with-Recommended" */
 &(nid_objs[416]),/* "ecdsa-with-SHA1" */
+&(nid_objs[793]),/* "ecdsa-with-SHA224" */
+&(nid_objs[794]),/* "ecdsa-with-SHA256" */
+&(nid_objs[795]),/* "ecdsa-with-SHA384" */
+&(nid_objs[796]),/* "ecdsa-with-SHA512" */
+&(nid_objs[792]),/* "ecdsa-with-Specified" */
 &(nid_objs[48]),/* "emailAddress" */
 &(nid_objs[132]),/* "emailProtection" */
 &(nid_objs[389]),/* "enterprises" */
@@ -2309,7 +2538,19 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[490]),/* "friendlyCountryName" */
 &(nid_objs[156]),/* "friendlyName" */
 &(nid_objs[509]),/* "generationQualifier" */
+&(nid_objs[815]),/* "gost-mac" */
+&(nid_objs[811]),/* "gost2001" */
+&(nid_objs[851]),/* "gost2001cc" */
+&(nid_objs[813]),/* "gost89" */
+&(nid_objs[814]),/* "gost89-cnt" */
+&(nid_objs[812]),/* "gost94" */
+&(nid_objs[850]),/* "gost94cc" */
+&(nid_objs[797]),/* "hmacWithMD5" */
 &(nid_objs[163]),/* "hmacWithSHA1" */
+&(nid_objs[798]),/* "hmacWithSHA224" */
+&(nid_objs[799]),/* "hmacWithSHA256" */
+&(nid_objs[800]),/* "hmacWithSHA384" */
+&(nid_objs[801]),/* "hmacWithSHA512" */
 &(nid_objs[432]),/* "holdInstructionCallIssuer" */
 &(nid_objs[430]),/* "holdInstructionCode" */
 &(nid_objs[431]),/* "holdInstructionNone" */
@@ -2319,6 +2560,45 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[466]),/* "host" */
 &(nid_objs[442]),/* "iA5StringSyntax" */
 &(nid_objs[783]),/* "id-DHBasedMac" */
+&(nid_objs[824]),/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
+&(nid_objs[825]),/* "id-Gost28147-89-CryptoPro-B-ParamSet" */
+&(nid_objs[826]),/* "id-Gost28147-89-CryptoPro-C-ParamSet" */
+&(nid_objs[827]),/* "id-Gost28147-89-CryptoPro-D-ParamSet" */
+&(nid_objs[819]),/* "id-Gost28147-89-CryptoPro-KeyMeshing" */
+&(nid_objs[829]),/* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
+&(nid_objs[828]),/* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
+&(nid_objs[830]),/* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
+&(nid_objs[820]),/* "id-Gost28147-89-None-KeyMeshing" */
+&(nid_objs[823]),/* "id-Gost28147-89-TestParamSet" */
+&(nid_objs[849]),/* "id-Gost28147-89-cc" */
+&(nid_objs[840]),/* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
+&(nid_objs[841]),/* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
+&(nid_objs[842]),/* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
+&(nid_objs[843]),/* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
+&(nid_objs[844]),/* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
+&(nid_objs[854]),/* "id-GostR3410-2001-ParamSet-cc" */
+&(nid_objs[839]),/* "id-GostR3410-2001-TestParamSet" */
+&(nid_objs[817]),/* "id-GostR3410-2001DH" */
+&(nid_objs[832]),/* "id-GostR3410-94-CryptoPro-A-ParamSet" */
+&(nid_objs[833]),/* "id-GostR3410-94-CryptoPro-B-ParamSet" */
+&(nid_objs[834]),/* "id-GostR3410-94-CryptoPro-C-ParamSet" */
+&(nid_objs[835]),/* "id-GostR3410-94-CryptoPro-D-ParamSet" */
+&(nid_objs[836]),/* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
+&(nid_objs[837]),/* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
+&(nid_objs[838]),/* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
+&(nid_objs[831]),/* "id-GostR3410-94-TestParamSet" */
+&(nid_objs[845]),/* "id-GostR3410-94-a" */
+&(nid_objs[846]),/* "id-GostR3410-94-aBis" */
+&(nid_objs[847]),/* "id-GostR3410-94-b" */
+&(nid_objs[848]),/* "id-GostR3410-94-bBis" */
+&(nid_objs[818]),/* "id-GostR3410-94DH" */
+&(nid_objs[822]),/* "id-GostR3411-94-CryptoProParamSet" */
+&(nid_objs[821]),/* "id-GostR3411-94-TestParamSet" */
+&(nid_objs[807]),/* "id-GostR3411-94-with-GostR3410-2001" */
+&(nid_objs[853]),/* "id-GostR3411-94-with-GostR3410-2001-cc" */
+&(nid_objs[808]),/* "id-GostR3411-94-with-GostR3410-94" */
+&(nid_objs[852]),/* "id-GostR3411-94-with-GostR3410-94-cc" */
+&(nid_objs[810]),/* "id-HMACGostR3411-94" */
 &(nid_objs[782]),/* "id-PasswordBasedMAC" */
 &(nid_objs[266]),/* "id-aca" */
 &(nid_objs[355]),/* "id-aca-accessIdentity" */
@@ -2522,6 +2802,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[460]),/* "mail" */
 &(nid_objs[493]),/* "mailPreferenceOption" */
 &(nid_objs[467]),/* "manager" */
+&(nid_objs[809]),/* "md_gost94" */
 &(nid_objs[182]),/* "member-body" */
 &(nid_objs[51]),/* "messageDigest" */
 &(nid_objs[383]),/* "mgmt" */
@@ -2590,6 +2871,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[747]),/* "policyMappings" */
 &(nid_objs[661]),/* "postalCode" */
 &(nid_objs[683]),/* "ppBasis" */
+&(nid_objs[816]),/* "prf-gostr3411-94" */
 &(nid_objs[406]),/* "prime-field" */
 &(nid_objs[409]),/* "prime192v1" */
 &(nid_objs[410]),/* "prime192v2" */
@@ -2823,6 +3105,7 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[740]),/* "wap-wsg-idm-ecid-wtls7" */
 &(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
 &(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
+&(nid_objs[804]),/* "whirlpool" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -2847,6 +3130,23 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[384]),/* "Experimental" */
 &(nid_objs[372]),/* "Extended OCSP Status" */
 &(nid_objs[172]),/* "Extension Request" */
+&(nid_objs[813]),/* "GOST 28147-89" */
+&(nid_objs[849]),/* "GOST 28147-89 Cryptocom ParamSet" */
+&(nid_objs[815]),/* "GOST 28147-89 MAC" */
+&(nid_objs[851]),/* "GOST 34.10-2001 Cryptocom" */
+&(nid_objs[850]),/* "GOST 34.10-94 Cryptocom" */
+&(nid_objs[811]),/* "GOST R 34.10-2001" */
+&(nid_objs[817]),/* "GOST R 34.10-2001 DH" */
+&(nid_objs[812]),/* "GOST R 34.10-94" */
+&(nid_objs[818]),/* "GOST R 34.10-94 DH" */
+&(nid_objs[809]),/* "GOST R 34.11-94" */
+&(nid_objs[816]),/* "GOST R 34.11-94 PRF" */
+&(nid_objs[807]),/* "GOST R 34.11-94 with GOST R 34.10-2001" */
+&(nid_objs[853]),/* "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom" */
+&(nid_objs[808]),/* "GOST R 34.11-94 with GOST R 34.10-94" */
+&(nid_objs[852]),/* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */
+&(nid_objs[854]),/* "GOST R 3410-2001 Parameter Set Cryptocom" */
+&(nid_objs[810]),/* "HMAC GOST 34.11-94" */
 &(nid_objs[432]),/* "Hold Instruction Call Issuer" */
 &(nid_objs[430]),/* "Hold Instruction Code" */
 &(nid_objs[431]),/* "Hold Instruction None" */
@@ -2869,6 +3169,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[138]),/* "Microsoft Encrypted File System" */
 &(nid_objs[171]),/* "Microsoft Extension Request" */
 &(nid_objs[134]),/* "Microsoft Individual Code Signing" */
+&(nid_objs[856]),/* "Microsoft Local Key set" */
 &(nid_objs[137]),/* "Microsoft Server Gated Crypto" */
 &(nid_objs[648]),/* "Microsoft Smartcardlogin" */
 &(nid_objs[136]),/* "Microsoft Trust List Signing" */
@@ -3035,6 +3336,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[53]),/* "countersignature" */
 &(nid_objs[14]),/* "countryName" */
 &(nid_objs[153]),/* "crlBag" */
+&(nid_objs[806]),/* "cryptocom" */
+&(nid_objs[805]),/* "cryptopro" */
 &(nid_objs[500]),/* "dITRedirect" */
 &(nid_objs[451]),/* "dNSDomain" */
 &(nid_objs[495]),/* "dSAQuality" */
@@ -3079,8 +3382,16 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[66]),/* "dsaWithSHA" */
 &(nid_objs[113]),/* "dsaWithSHA1" */
 &(nid_objs[70]),/* "dsaWithSHA1-old" */
+&(nid_objs[802]),/* "dsa_with_SHA224" */
+&(nid_objs[803]),/* "dsa_with_SHA256" */
 &(nid_objs[297]),/* "dvcs" */
+&(nid_objs[791]),/* "ecdsa-with-Recommended" */
 &(nid_objs[416]),/* "ecdsa-with-SHA1" */
+&(nid_objs[793]),/* "ecdsa-with-SHA224" */
+&(nid_objs[794]),/* "ecdsa-with-SHA256" */
+&(nid_objs[795]),/* "ecdsa-with-SHA384" */
+&(nid_objs[796]),/* "ecdsa-with-SHA512" */
+&(nid_objs[792]),/* "ecdsa-with-Specified" */
 &(nid_objs[48]),/* "emailAddress" */
 &(nid_objs[632]),/* "encrypted track 2" */
 &(nid_objs[56]),/* "extendedCertificateAttributes" */
@@ -3092,14 +3403,51 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[509]),/* "generationQualifier" */
 &(nid_objs[601]),/* "generic cryptogram" */
 &(nid_objs[99]),/* "givenName" */
+&(nid_objs[814]),/* "gost89-cnt" */
+&(nid_objs[855]),/* "hmac" */
 &(nid_objs[780]),/* "hmac-md5" */
 &(nid_objs[781]),/* "hmac-sha1" */
+&(nid_objs[797]),/* "hmacWithMD5" */
 &(nid_objs[163]),/* "hmacWithSHA1" */
+&(nid_objs[798]),/* "hmacWithSHA224" */
+&(nid_objs[799]),/* "hmacWithSHA256" */
+&(nid_objs[800]),/* "hmacWithSHA384" */
+&(nid_objs[801]),/* "hmacWithSHA512" */
 &(nid_objs[486]),/* "homePostalAddress" */
 &(nid_objs[473]),/* "homeTelephoneNumber" */
 &(nid_objs[466]),/* "host" */
 &(nid_objs[442]),/* "iA5StringSyntax" */
 &(nid_objs[381]),/* "iana" */
+&(nid_objs[824]),/* "id-Gost28147-89-CryptoPro-A-ParamSet" */
+&(nid_objs[825]),/* "id-Gost28147-89-CryptoPro-B-ParamSet" */
+&(nid_objs[826]),/* "id-Gost28147-89-CryptoPro-C-ParamSet" */
+&(nid_objs[827]),/* "id-Gost28147-89-CryptoPro-D-ParamSet" */
+&(nid_objs[819]),/* "id-Gost28147-89-CryptoPro-KeyMeshing" */
+&(nid_objs[829]),/* "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet" */
+&(nid_objs[828]),/* "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet" */
+&(nid_objs[830]),/* "id-Gost28147-89-CryptoPro-RIC-1-ParamSet" */
+&(nid_objs[820]),/* "id-Gost28147-89-None-KeyMeshing" */
+&(nid_objs[823]),/* "id-Gost28147-89-TestParamSet" */
+&(nid_objs[840]),/* "id-GostR3410-2001-CryptoPro-A-ParamSet" */
+&(nid_objs[841]),/* "id-GostR3410-2001-CryptoPro-B-ParamSet" */
+&(nid_objs[842]),/* "id-GostR3410-2001-CryptoPro-C-ParamSet" */
+&(nid_objs[843]),/* "id-GostR3410-2001-CryptoPro-XchA-ParamSet" */
+&(nid_objs[844]),/* "id-GostR3410-2001-CryptoPro-XchB-ParamSet" */
+&(nid_objs[839]),/* "id-GostR3410-2001-TestParamSet" */
+&(nid_objs[832]),/* "id-GostR3410-94-CryptoPro-A-ParamSet" */
+&(nid_objs[833]),/* "id-GostR3410-94-CryptoPro-B-ParamSet" */
+&(nid_objs[834]),/* "id-GostR3410-94-CryptoPro-C-ParamSet" */
+&(nid_objs[835]),/* "id-GostR3410-94-CryptoPro-D-ParamSet" */
+&(nid_objs[836]),/* "id-GostR3410-94-CryptoPro-XchA-ParamSet" */
+&(nid_objs[837]),/* "id-GostR3410-94-CryptoPro-XchB-ParamSet" */
+&(nid_objs[838]),/* "id-GostR3410-94-CryptoPro-XchC-ParamSet" */
+&(nid_objs[831]),/* "id-GostR3410-94-TestParamSet" */
+&(nid_objs[845]),/* "id-GostR3410-94-a" */
+&(nid_objs[846]),/* "id-GostR3410-94-aBis" */
+&(nid_objs[847]),/* "id-GostR3410-94-b" */
+&(nid_objs[848]),/* "id-GostR3410-94-bBis" */
+&(nid_objs[822]),/* "id-GostR3411-94-CryptoProParamSet" */
+&(nid_objs[821]),/* "id-GostR3411-94-TestParamSet" */
 &(nid_objs[266]),/* "id-aca" */
 &(nid_objs[355]),/* "id-aca-accessIdentity" */
 &(nid_objs[354]),/* "id-aca-authenticationInfo" */
@@ -3609,6 +3957,7 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[740]),/* "wap-wsg-idm-ecid-wtls7" */
 &(nid_objs[741]),/* "wap-wsg-idm-ecid-wtls8" */
 &(nid_objs[742]),/* "wap-wsg-idm-ecid-wtls9" */
+&(nid_objs[804]),/* "whirlpool" */
 &(nid_objs[503]),/* "x500UniqueIdentifier" */
 &(nid_objs[158]),/* "x509Certificate" */
 &(nid_objs[160]),/* "x509Crl" */
@@ -3814,6 +4163,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[637]),/* OBJ_set_brand_Diners             2 23 42 8 30 */
 &(nid_objs[638]),/* OBJ_set_brand_AmericanExpress    2 23 42 8 34 */
 &(nid_objs[639]),/* OBJ_set_brand_JCB                2 23 42 8 35 */
+&(nid_objs[805]),/* OBJ_cryptopro                    1 2 643 2 2 */
+&(nid_objs[806]),/* OBJ_cryptocom                    1 2 643 2 9 */
 &(nid_objs[184]),/* OBJ_X9_57                        1 2 840 10040 */
 &(nid_objs[405]),/* OBJ_ansi_X9_62                   1 2 840 10045 */
 &(nid_objs[389]),/* OBJ_Enterprises                  1 3 6 1 4 1 */
@@ -3884,8 +4235,20 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 13 4 10 */
 &(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 13 4 11 */
 &(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 13 4 12 */
+&(nid_objs[804]),/* OBJ_whirlpool                    1 0 10118 3 0 55 */
 &(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
 &(nid_objs[773]),/* OBJ_kisa                         1 2 410 200004 */
+&(nid_objs[807]),/* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */
+&(nid_objs[808]),/* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */
+&(nid_objs[809]),/* OBJ_id_GostR3411_94              1 2 643 2 2 9 */
+&(nid_objs[810]),/* OBJ_id_HMACGostR3411_94          1 2 643 2 2 10 */
+&(nid_objs[811]),/* OBJ_id_GostR3410_2001            1 2 643 2 2 19 */
+&(nid_objs[812]),/* OBJ_id_GostR3410_94              1 2 643 2 2 20 */
+&(nid_objs[813]),/* OBJ_id_Gost28147_89              1 2 643 2 2 21 */
+&(nid_objs[815]),/* OBJ_id_Gost28147_89_MAC          1 2 643 2 2 22 */
+&(nid_objs[816]),/* OBJ_id_GostR3411_94_prf          1 2 643 2 2 23 */
+&(nid_objs[817]),/* OBJ_id_GostR3410_2001DH          1 2 643 2 2 98 */
+&(nid_objs[818]),/* OBJ_id_GostR3410_94DH            1 2 643 2 2 99 */
 &(nid_objs[ 1]),/* OBJ_rsadsi                       1 2 840 113549 */
 &(nid_objs[185]),/* OBJ_X9cm                         1 2 840 10040 4 */
 &(nid_objs[127]),/* OBJ_id_pkix                      1 3 6 1 5 5 7 */
@@ -3898,6 +4261,36 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[634]),/* OBJ_setAttr_TokICCsig            2 23 42 3 3 5 1 */
 &(nid_objs[635]),/* OBJ_setAttr_SecDevSig            2 23 42 3 3 5 2 */
 &(nid_objs[436]),/* OBJ_ucl                          0 9 2342 19200300 */
+&(nid_objs[820]),/* OBJ_id_Gost28147_89_None_KeyMeshing 1 2 643 2 2 14 0 */
+&(nid_objs[819]),/* OBJ_id_Gost28147_89_CryptoPro_KeyMeshing 1 2 643 2 2 14 1 */
+&(nid_objs[845]),/* OBJ_id_GostR3410_94_a            1 2 643 2 2 20 1 */
+&(nid_objs[846]),/* OBJ_id_GostR3410_94_aBis         1 2 643 2 2 20 2 */
+&(nid_objs[847]),/* OBJ_id_GostR3410_94_b            1 2 643 2 2 20 3 */
+&(nid_objs[848]),/* OBJ_id_GostR3410_94_bBis         1 2 643 2 2 20 4 */
+&(nid_objs[821]),/* OBJ_id_GostR3411_94_TestParamSet 1 2 643 2 2 30 0 */
+&(nid_objs[822]),/* OBJ_id_GostR3411_94_CryptoProParamSet 1 2 643 2 2 30 1 */
+&(nid_objs[823]),/* OBJ_id_Gost28147_89_TestParamSet 1 2 643 2 2 31 0 */
+&(nid_objs[824]),/* OBJ_id_Gost28147_89_CryptoPro_A_ParamSet 1 2 643 2 2 31 1 */
+&(nid_objs[825]),/* OBJ_id_Gost28147_89_CryptoPro_B_ParamSet 1 2 643 2 2 31 2 */
+&(nid_objs[826]),/* OBJ_id_Gost28147_89_CryptoPro_C_ParamSet 1 2 643 2 2 31 3 */
+&(nid_objs[827]),/* OBJ_id_Gost28147_89_CryptoPro_D_ParamSet 1 2 643 2 2 31 4 */
+&(nid_objs[828]),/* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 1 2 643 2 2 31 5 */
+&(nid_objs[829]),/* OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 1 2 643 2 2 31 6 */
+&(nid_objs[830]),/* OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 1 2 643 2 2 31 7 */
+&(nid_objs[831]),/* OBJ_id_GostR3410_94_TestParamSet 1 2 643 2 2 32 0 */
+&(nid_objs[832]),/* OBJ_id_GostR3410_94_CryptoPro_A_ParamSet 1 2 643 2 2 32 2 */
+&(nid_objs[833]),/* OBJ_id_GostR3410_94_CryptoPro_B_ParamSet 1 2 643 2 2 32 3 */
+&(nid_objs[834]),/* OBJ_id_GostR3410_94_CryptoPro_C_ParamSet 1 2 643 2 2 32 4 */
+&(nid_objs[835]),/* OBJ_id_GostR3410_94_CryptoPro_D_ParamSet 1 2 643 2 2 32 5 */
+&(nid_objs[836]),/* OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet 1 2 643 2 2 33 1 */
+&(nid_objs[837]),/* OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet 1 2 643 2 2 33 2 */
+&(nid_objs[838]),/* OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet 1 2 643 2 2 33 3 */
+&(nid_objs[839]),/* OBJ_id_GostR3410_2001_TestParamSet 1 2 643 2 2 35 0 */
+&(nid_objs[840]),/* OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet 1 2 643 2 2 35 1 */
+&(nid_objs[841]),/* OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet 1 2 643 2 2 35 2 */
+&(nid_objs[842]),/* OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1 2 643 2 2 35 3 */
+&(nid_objs[843]),/* OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet 1 2 643 2 2 36 0 */
+&(nid_objs[844]),/* OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet 1 2 643 2 2 36 1 */
 &(nid_objs[ 2]),/* OBJ_pkcs                         1 2 840 113549 1 */
 &(nid_objs[431]),/* OBJ_hold_instruction_none        1 2 840 10040 2 1 */
 &(nid_objs[432]),/* OBJ_hold_instruction_call_issuer 1 2 840 10040 2 2 */
@@ -3908,6 +4301,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[407]),/* OBJ_X9_62_characteristic_two_field 1 2 840 10045 1 2 */
 &(nid_objs[408]),/* OBJ_X9_62_id_ecPublicKey         1 2 840 10045 2 1 */
 &(nid_objs[416]),/* OBJ_ecdsa_with_SHA1              1 2 840 10045 4 1 */
+&(nid_objs[791]),/* OBJ_ecdsa_with_Recommended       1 2 840 10045 4 2 */
+&(nid_objs[792]),/* OBJ_ecdsa_with_Specified         1 2 840 10045 4 3 */
 &(nid_objs[258]),/* OBJ_id_pkix_mod                  1 3 6 1 5 5 7 0 */
 &(nid_objs[175]),/* OBJ_id_pe                        1 3 6 1 5 5 7 1 */
 &(nid_objs[259]),/* OBJ_id_qt                        1 3 6 1 5 5 7 2 */
@@ -3940,6 +4335,12 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[777]),/* OBJ_seed_cbc                     1 2 410 200004 1 4 */
 &(nid_objs[779]),/* OBJ_seed_cfb128                  1 2 410 200004 1 5 */
 &(nid_objs[778]),/* OBJ_seed_ofb128                  1 2 410 200004 1 6 */
+&(nid_objs[852]),/* OBJ_id_GostR3411_94_with_GostR3410_94_cc 1 2 643 2 9 1 3 3 */
+&(nid_objs[853]),/* OBJ_id_GostR3411_94_with_GostR3410_2001_cc 1 2 643 2 9 1 3 4 */
+&(nid_objs[850]),/* OBJ_id_GostR3410_94_cc           1 2 643 2 9 1 5 3 */
+&(nid_objs[851]),/* OBJ_id_GostR3410_2001_cc         1 2 643 2 9 1 5 4 */
+&(nid_objs[849]),/* OBJ_id_Gost28147_89_cc           1 2 643 2 9 1 6 1 */
+&(nid_objs[854]),/* OBJ_id_GostR3410_2001_ParamSet_cc 1 2 643 2 9 1 8 1 */
 &(nid_objs[186]),/* OBJ_pkcs1                        1 2 840 113549 1 1 */
 &(nid_objs[27]),/* OBJ_pkcs3                        1 2 840 113549 1 3 */
 &(nid_objs[187]),/* OBJ_pkcs5                        1 2 840 113549 1 5 */
@@ -3948,7 +4349,12 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[ 3]),/* OBJ_md2                          1 2 840 113549 2 2 */
 &(nid_objs[257]),/* OBJ_md4                          1 2 840 113549 2 4 */
 &(nid_objs[ 4]),/* OBJ_md5                          1 2 840 113549 2 5 */
+&(nid_objs[797]),/* OBJ_hmacWithMD5                  1 2 840 113549 2 6 */
 &(nid_objs[163]),/* OBJ_hmacWithSHA1                 1 2 840 113549 2 7 */
+&(nid_objs[798]),/* OBJ_hmacWithSHA224               1 2 840 113549 2 8 */
+&(nid_objs[799]),/* OBJ_hmacWithSHA256               1 2 840 113549 2 9 */
+&(nid_objs[800]),/* OBJ_hmacWithSHA384               1 2 840 113549 2 10 */
+&(nid_objs[801]),/* OBJ_hmacWithSHA512               1 2 840 113549 2 11 */
 &(nid_objs[37]),/* OBJ_rc2_cbc                      1 2 840 113549 3 2 */
 &(nid_objs[ 5]),/* OBJ_rc4                          1 2 840 113549 3 4 */
 &(nid_objs[44]),/* OBJ_des_ede3_cbc                 1 2 840 113549 3 7 */
@@ -3982,6 +4388,10 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[413]),/* OBJ_X9_62_prime239v2             1 2 840 10045 3 1 5 */
 &(nid_objs[414]),/* OBJ_X9_62_prime239v3             1 2 840 10045 3 1 6 */
 &(nid_objs[415]),/* OBJ_X9_62_prime256v1             1 2 840 10045 3 1 7 */
+&(nid_objs[793]),/* OBJ_ecdsa_with_SHA224            1 2 840 10045 4 3 1 */
+&(nid_objs[794]),/* OBJ_ecdsa_with_SHA256            1 2 840 10045 4 3 2 */
+&(nid_objs[795]),/* OBJ_ecdsa_with_SHA384            1 2 840 10045 4 3 3 */
+&(nid_objs[796]),/* OBJ_ecdsa_with_SHA512            1 2 840 10045 4 3 4 */
 &(nid_objs[269]),/* OBJ_id_pkix1_explicit_88         1 3 6 1 5 5 7 0 1 */
 &(nid_objs[270]),/* OBJ_id_pkix1_implicit_88         1 3 6 1 5 5 7 0 2 */
 &(nid_objs[271]),/* OBJ_id_pkix1_explicit_93         1 3 6 1 5 5 7 0 3 */
@@ -4145,6 +4555,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[682]),/* OBJ_X9_62_tpBasis                1 2 840 10045 1 2 3 2 */
 &(nid_objs[683]),/* OBJ_X9_62_ppBasis                1 2 840 10045 1 2 3 3 */
 &(nid_objs[417]),/* OBJ_ms_csp_name                  1 3 6 1 4 1 311 17 1 */
+&(nid_objs[856]),/* OBJ_LocalKeySet                  1 3 6 1 4 1 311 17 2 */
 &(nid_objs[390]),/* OBJ_dcObject                     1 3 6 1 4 1 1466 344 */
 &(nid_objs[91]),/* OBJ_bf_cbc                       1 3 6 1 4 1 3029 1 2 */
 &(nid_objs[315]),/* OBJ_id_regCtrl_regToken          1 3 6 1 5 5 7 5 1 1 */
@@ -4185,6 +4596,8 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[673]),/* OBJ_sha384                       2 16 840 1 101 3 4 2 2 */
 &(nid_objs[674]),/* OBJ_sha512                       2 16 840 1 101 3 4 2 3 */
 &(nid_objs[675]),/* OBJ_sha224                       2 16 840 1 101 3 4 2 4 */
+&(nid_objs[802]),/* OBJ_dsa_with_SHA224              2 16 840 1 101 3 4 3 1 */
+&(nid_objs[803]),/* OBJ_dsa_with_SHA256              2 16 840 1 101 3 4 3 2 */
 &(nid_objs[71]),/* OBJ_netscape_cert_type           2 16 840 1 113730 1 1 */
 &(nid_objs[72]),/* OBJ_netscape_base_url            2 16 840 1 113730 1 2 */
 &(nid_objs[73]),/* OBJ_netscape_revocation_url      2 16 840 1 113730 1 3 */
index 76d5ec9..05fcbe7 100644 (file)
 #define NID_ecdsa_with_SHA1            416
 #define OBJ_ecdsa_with_SHA1            OBJ_X9_62_id_ecSigType,1L
 
+#define SN_ecdsa_with_Recommended              "ecdsa-with-Recommended"
+#define NID_ecdsa_with_Recommended             791
+#define OBJ_ecdsa_with_Recommended             OBJ_X9_62_id_ecSigType,2L
+
+#define SN_ecdsa_with_Specified                "ecdsa-with-Specified"
+#define NID_ecdsa_with_Specified               792
+#define OBJ_ecdsa_with_Specified               OBJ_X9_62_id_ecSigType,3L
+
+#define SN_ecdsa_with_SHA224           "ecdsa-with-SHA224"
+#define NID_ecdsa_with_SHA224          793
+#define OBJ_ecdsa_with_SHA224          OBJ_ecdsa_with_Specified,1L
+
+#define SN_ecdsa_with_SHA256           "ecdsa-with-SHA256"
+#define NID_ecdsa_with_SHA256          794
+#define OBJ_ecdsa_with_SHA256          OBJ_ecdsa_with_Specified,2L
+
+#define SN_ecdsa_with_SHA384           "ecdsa-with-SHA384"
+#define NID_ecdsa_with_SHA384          795
+#define OBJ_ecdsa_with_SHA384          OBJ_ecdsa_with_Specified,3L
+
+#define SN_ecdsa_with_SHA512           "ecdsa-with-SHA512"
+#define NID_ecdsa_with_SHA512          796
+#define OBJ_ecdsa_with_SHA512          OBJ_ecdsa_with_Specified,4L
+
 #define OBJ_secg_ellipticCurve         OBJ_certicom_arc,0L
 
 #define SN_secp112r1           "secp112r1"
 #define NID_ms_csp_name                417
 #define OBJ_ms_csp_name                1L,3L,6L,1L,4L,1L,311L,17L,1L
 
+#define SN_LocalKeySet         "LocalKeySet"
+#define LN_LocalKeySet         "Microsoft Local Key set"
+#define NID_LocalKeySet                856
+#define OBJ_LocalKeySet                1L,3L,6L,1L,4L,1L,311L,17L,2L
+
 #define OBJ_certTypes          OBJ_pkcs9,22L
 
 #define LN_x509Certificate             "x509Certificate"
 #define LN_md5_sha1            "md5-sha1"
 #define NID_md5_sha1           114
 
+#define LN_hmacWithMD5         "hmacWithMD5"
+#define NID_hmacWithMD5                797
+#define OBJ_hmacWithMD5                OBJ_rsadsi,2L,6L
+
 #define LN_hmacWithSHA1                "hmacWithSHA1"
 #define NID_hmacWithSHA1               163
 #define OBJ_hmacWithSHA1               OBJ_rsadsi,2L,7L
 
+#define LN_hmacWithSHA224              "hmacWithSHA224"
+#define NID_hmacWithSHA224             798
+#define OBJ_hmacWithSHA224             OBJ_rsadsi,2L,8L
+
+#define LN_hmacWithSHA256              "hmacWithSHA256"
+#define NID_hmacWithSHA256             799
+#define OBJ_hmacWithSHA256             OBJ_rsadsi,2L,9L
+
+#define LN_hmacWithSHA384              "hmacWithSHA384"
+#define NID_hmacWithSHA384             800
+#define OBJ_hmacWithSHA384             OBJ_rsadsi,2L,10L
+
+#define LN_hmacWithSHA512              "hmacWithSHA512"
+#define NID_hmacWithSHA512             801
+#define OBJ_hmacWithSHA512             OBJ_rsadsi,2L,11L
+
 #define SN_rc2_cbc             "RC2-CBC"
 #define LN_rc2_cbc             "rc2-cbc"
 #define NID_rc2_cbc            37
 #define NID_sha224             675
 #define OBJ_sha224             OBJ_nist_hashalgs,4L
 
+#define OBJ_dsa_with_sha2              OBJ_nistAlgorithms,3L
+
+#define SN_dsa_with_SHA224             "dsa_with_SHA224"
+#define NID_dsa_with_SHA224            802
+#define OBJ_dsa_with_SHA224            OBJ_dsa_with_sha2,1L
+
+#define SN_dsa_with_SHA256             "dsa_with_SHA256"
+#define NID_dsa_with_SHA256            803
+#define OBJ_dsa_with_SHA256            OBJ_dsa_with_sha2,2L
+
 #define SN_hold_instruction_code               "holdInstructionCode"
 #define LN_hold_instruction_code               "Hold Instruction Code"
 #define NID_hold_instruction_code              430
 #define LN_ipsec4              "ipsec4"
 #define NID_ipsec4             750
 
+#define SN_whirlpool           "whirlpool"
+#define NID_whirlpool          804
+#define OBJ_whirlpool          OBJ_iso,0L,10118L,3L,0L,55L
+
+#define SN_cryptopro           "cryptopro"
+#define NID_cryptopro          805
+#define OBJ_cryptopro          OBJ_member_body,643L,2L,2L
+
+#define SN_cryptocom           "cryptocom"
+#define NID_cryptocom          806
+#define OBJ_cryptocom          OBJ_member_body,643L,2L,9L
+
+#define SN_id_GostR3411_94_with_GostR3410_2001         "id-GostR3411-94-with-GostR3410-2001"
+#define LN_id_GostR3411_94_with_GostR3410_2001         "GOST R 34.11-94 with GOST R 34.10-2001"
+#define NID_id_GostR3411_94_with_GostR3410_2001                807
+#define OBJ_id_GostR3411_94_with_GostR3410_2001                OBJ_cryptopro,3L
+
+#define SN_id_GostR3411_94_with_GostR3410_94           "id-GostR3411-94-with-GostR3410-94"
+#define LN_id_GostR3411_94_with_GostR3410_94           "GOST R 34.11-94 with GOST R 34.10-94"
+#define NID_id_GostR3411_94_with_GostR3410_94          808
+#define OBJ_id_GostR3411_94_with_GostR3410_94          OBJ_cryptopro,4L
+
+#define SN_id_GostR3411_94             "md_gost94"
+#define LN_id_GostR3411_94             "GOST R 34.11-94"
+#define NID_id_GostR3411_94            809
+#define OBJ_id_GostR3411_94            OBJ_cryptopro,9L
+
+#define SN_id_HMACGostR3411_94         "id-HMACGostR3411-94"
+#define LN_id_HMACGostR3411_94         "HMAC GOST 34.11-94"
+#define NID_id_HMACGostR3411_94                810
+#define OBJ_id_HMACGostR3411_94                OBJ_cryptopro,10L
+
+#define SN_id_GostR3410_2001           "gost2001"
+#define LN_id_GostR3410_2001           "GOST R 34.10-2001"
+#define NID_id_GostR3410_2001          811
+#define OBJ_id_GostR3410_2001          OBJ_cryptopro,19L
+
+#define SN_id_GostR3410_94             "gost94"
+#define LN_id_GostR3410_94             "GOST R 34.10-94"
+#define NID_id_GostR3410_94            812
+#define OBJ_id_GostR3410_94            OBJ_cryptopro,20L
+
+#define SN_id_Gost28147_89             "gost89"
+#define LN_id_Gost28147_89             "GOST 28147-89"
+#define NID_id_Gost28147_89            813
+#define OBJ_id_Gost28147_89            OBJ_cryptopro,21L
+
+#define SN_gost89_cnt          "gost89-cnt"
+#define NID_gost89_cnt         814
+
+#define SN_id_Gost28147_89_MAC         "gost-mac"
+#define LN_id_Gost28147_89_MAC         "GOST 28147-89 MAC"
+#define NID_id_Gost28147_89_MAC                815
+#define OBJ_id_Gost28147_89_MAC                OBJ_cryptopro,22L
+
+#define SN_id_GostR3411_94_prf         "prf-gostr3411-94"
+#define LN_id_GostR3411_94_prf         "GOST R 34.11-94 PRF"
+#define NID_id_GostR3411_94_prf                816
+#define OBJ_id_GostR3411_94_prf                OBJ_cryptopro,23L
+
+#define SN_id_GostR3410_2001DH         "id-GostR3410-2001DH"
+#define LN_id_GostR3410_2001DH         "GOST R 34.10-2001 DH"
+#define NID_id_GostR3410_2001DH                817
+#define OBJ_id_GostR3410_2001DH                OBJ_cryptopro,98L
+
+#define SN_id_GostR3410_94DH           "id-GostR3410-94DH"
+#define LN_id_GostR3410_94DH           "GOST R 34.10-94 DH"
+#define NID_id_GostR3410_94DH          818
+#define OBJ_id_GostR3410_94DH          OBJ_cryptopro,99L
+
+#define SN_id_Gost28147_89_CryptoPro_KeyMeshing                "id-Gost28147-89-CryptoPro-KeyMeshing"
+#define NID_id_Gost28147_89_CryptoPro_KeyMeshing               819
+#define OBJ_id_Gost28147_89_CryptoPro_KeyMeshing               OBJ_cryptopro,14L,1L
+
+#define SN_id_Gost28147_89_None_KeyMeshing             "id-Gost28147-89-None-KeyMeshing"
+#define NID_id_Gost28147_89_None_KeyMeshing            820
+#define OBJ_id_Gost28147_89_None_KeyMeshing            OBJ_cryptopro,14L,0L
+
+#define SN_id_GostR3411_94_TestParamSet                "id-GostR3411-94-TestParamSet"
+#define NID_id_GostR3411_94_TestParamSet               821
+#define OBJ_id_GostR3411_94_TestParamSet               OBJ_cryptopro,30L,0L
+
+#define SN_id_GostR3411_94_CryptoProParamSet           "id-GostR3411-94-CryptoProParamSet"
+#define NID_id_GostR3411_94_CryptoProParamSet          822
+#define OBJ_id_GostR3411_94_CryptoProParamSet          OBJ_cryptopro,30L,1L
+
+#define SN_id_Gost28147_89_TestParamSet                "id-Gost28147-89-TestParamSet"
+#define NID_id_Gost28147_89_TestParamSet               823
+#define OBJ_id_Gost28147_89_TestParamSet               OBJ_cryptopro,31L,0L
+
+#define SN_id_Gost28147_89_CryptoPro_A_ParamSet                "id-Gost28147-89-CryptoPro-A-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_A_ParamSet               824
+#define OBJ_id_Gost28147_89_CryptoPro_A_ParamSet               OBJ_cryptopro,31L,1L
+
+#define SN_id_Gost28147_89_CryptoPro_B_ParamSet                "id-Gost28147-89-CryptoPro-B-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_B_ParamSet               825
+#define OBJ_id_Gost28147_89_CryptoPro_B_ParamSet               OBJ_cryptopro,31L,2L
+
+#define SN_id_Gost28147_89_CryptoPro_C_ParamSet                "id-Gost28147-89-CryptoPro-C-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_C_ParamSet               826
+#define OBJ_id_Gost28147_89_CryptoPro_C_ParamSet               OBJ_cryptopro,31L,3L
+
+#define SN_id_Gost28147_89_CryptoPro_D_ParamSet                "id-Gost28147-89-CryptoPro-D-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_D_ParamSet               827
+#define OBJ_id_Gost28147_89_CryptoPro_D_ParamSet               OBJ_cryptopro,31L,4L
+
+#define SN_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet                "id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet               828
+#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet               OBJ_cryptopro,31L,5L
+
+#define SN_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet                "id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet               829
+#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet               OBJ_cryptopro,31L,6L
+
+#define SN_id_Gost28147_89_CryptoPro_RIC_1_ParamSet            "id-Gost28147-89-CryptoPro-RIC-1-ParamSet"
+#define NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet           830
+#define OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet           OBJ_cryptopro,31L,7L
+
+#define SN_id_GostR3410_94_TestParamSet                "id-GostR3410-94-TestParamSet"
+#define NID_id_GostR3410_94_TestParamSet               831
+#define OBJ_id_GostR3410_94_TestParamSet               OBJ_cryptopro,32L,0L
+
+#define SN_id_GostR3410_94_CryptoPro_A_ParamSet                "id-GostR3410-94-CryptoPro-A-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_A_ParamSet               832
+#define OBJ_id_GostR3410_94_CryptoPro_A_ParamSet               OBJ_cryptopro,32L,2L
+
+#define SN_id_GostR3410_94_CryptoPro_B_ParamSet                "id-GostR3410-94-CryptoPro-B-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_B_ParamSet               833
+#define OBJ_id_GostR3410_94_CryptoPro_B_ParamSet               OBJ_cryptopro,32L,3L
+
+#define SN_id_GostR3410_94_CryptoPro_C_ParamSet                "id-GostR3410-94-CryptoPro-C-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_C_ParamSet               834
+#define OBJ_id_GostR3410_94_CryptoPro_C_ParamSet               OBJ_cryptopro,32L,4L
+
+#define SN_id_GostR3410_94_CryptoPro_D_ParamSet                "id-GostR3410-94-CryptoPro-D-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_D_ParamSet               835
+#define OBJ_id_GostR3410_94_CryptoPro_D_ParamSet               OBJ_cryptopro,32L,5L
+
+#define SN_id_GostR3410_94_CryptoPro_XchA_ParamSet             "id-GostR3410-94-CryptoPro-XchA-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_XchA_ParamSet            836
+#define OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet            OBJ_cryptopro,33L,1L
+
+#define SN_id_GostR3410_94_CryptoPro_XchB_ParamSet             "id-GostR3410-94-CryptoPro-XchB-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_XchB_ParamSet            837
+#define OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet            OBJ_cryptopro,33L,2L
+
+#define SN_id_GostR3410_94_CryptoPro_XchC_ParamSet             "id-GostR3410-94-CryptoPro-XchC-ParamSet"
+#define NID_id_GostR3410_94_CryptoPro_XchC_ParamSet            838
+#define OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet            OBJ_cryptopro,33L,3L
+
+#define SN_id_GostR3410_2001_TestParamSet              "id-GostR3410-2001-TestParamSet"
+#define NID_id_GostR3410_2001_TestParamSet             839
+#define OBJ_id_GostR3410_2001_TestParamSet             OBJ_cryptopro,35L,0L
+
+#define SN_id_GostR3410_2001_CryptoPro_A_ParamSet              "id-GostR3410-2001-CryptoPro-A-ParamSet"
+#define NID_id_GostR3410_2001_CryptoPro_A_ParamSet             840
+#define OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet             OBJ_cryptopro,35L,1L
+
+#define SN_id_GostR3410_2001_CryptoPro_B_ParamSet              "id-GostR3410-2001-CryptoPro-B-ParamSet"
+#define NID_id_GostR3410_2001_CryptoPro_B_ParamSet             841
+#define OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet             OBJ_cryptopro,35L,2L
+
+#define SN_id_GostR3410_2001_CryptoPro_C_ParamSet              "id-GostR3410-2001-CryptoPro-C-ParamSet"
+#define NID_id_GostR3410_2001_CryptoPro_C_ParamSet             842
+#define OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet             OBJ_cryptopro,35L,3L
+
+#define SN_id_GostR3410_2001_CryptoPro_XchA_ParamSet           "id-GostR3410-2001-CryptoPro-XchA-ParamSet"
+#define NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet          843
+#define OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet          OBJ_cryptopro,36L,0L
+
+#define SN_id_GostR3410_2001_CryptoPro_XchB_ParamSet           "id-GostR3410-2001-CryptoPro-XchB-ParamSet"
+#define NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet          844
+#define OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet          OBJ_cryptopro,36L,1L
+
+#define SN_id_GostR3410_94_a           "id-GostR3410-94-a"
+#define NID_id_GostR3410_94_a          845
+#define OBJ_id_GostR3410_94_a          OBJ_id_GostR3410_94,1L
+
+#define SN_id_GostR3410_94_aBis                "id-GostR3410-94-aBis"
+#define NID_id_GostR3410_94_aBis               846
+#define OBJ_id_GostR3410_94_aBis               OBJ_id_GostR3410_94,2L
+
+#define SN_id_GostR3410_94_b           "id-GostR3410-94-b"
+#define NID_id_GostR3410_94_b          847
+#define OBJ_id_GostR3410_94_b          OBJ_id_GostR3410_94,3L
+
+#define SN_id_GostR3410_94_bBis                "id-GostR3410-94-bBis"
+#define NID_id_GostR3410_94_bBis               848
+#define OBJ_id_GostR3410_94_bBis               OBJ_id_GostR3410_94,4L
+
+#define SN_id_Gost28147_89_cc          "id-Gost28147-89-cc"
+#define LN_id_Gost28147_89_cc          "GOST 28147-89 Cryptocom ParamSet"
+#define NID_id_Gost28147_89_cc         849
+#define OBJ_id_Gost28147_89_cc         OBJ_cryptocom,1L,6L,1L
+
+#define SN_id_GostR3410_94_cc          "gost94cc"
+#define LN_id_GostR3410_94_cc          "GOST 34.10-94 Cryptocom"
+#define NID_id_GostR3410_94_cc         850
+#define OBJ_id_GostR3410_94_cc         OBJ_cryptocom,1L,5L,3L
+
+#define SN_id_GostR3410_2001_cc                "gost2001cc"
+#define LN_id_GostR3410_2001_cc                "GOST 34.10-2001 Cryptocom"
+#define NID_id_GostR3410_2001_cc               851
+#define OBJ_id_GostR3410_2001_cc               OBJ_cryptocom,1L,5L,4L
+
+#define SN_id_GostR3411_94_with_GostR3410_94_cc                "id-GostR3411-94-with-GostR3410-94-cc"
+#define LN_id_GostR3411_94_with_GostR3410_94_cc                "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom"
+#define NID_id_GostR3411_94_with_GostR3410_94_cc               852
+#define OBJ_id_GostR3411_94_with_GostR3410_94_cc               OBJ_cryptocom,1L,3L,3L
+
+#define SN_id_GostR3411_94_with_GostR3410_2001_cc              "id-GostR3411-94-with-GostR3410-2001-cc"
+#define LN_id_GostR3411_94_with_GostR3410_2001_cc              "GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom"
+#define NID_id_GostR3411_94_with_GostR3410_2001_cc             853
+#define OBJ_id_GostR3411_94_with_GostR3410_2001_cc             OBJ_cryptocom,1L,3L,4L
+
+#define SN_id_GostR3410_2001_ParamSet_cc               "id-GostR3410-2001-ParamSet-cc"
+#define LN_id_GostR3410_2001_ParamSet_cc               "GOST R 3410-2001 Parameter Set Cryptocom"
+#define NID_id_GostR3410_2001_ParamSet_cc              854
+#define OBJ_id_GostR3410_2001_ParamSet_cc              OBJ_cryptocom,1L,8L,1L
+
 #define SN_camellia_128_cbc            "CAMELLIA-128-CBC"
 #define LN_camellia_128_cbc            "camellia-128-cbc"
 #define NID_camellia_128_cbc           751
 #define NID_seed_ofb128                778
 #define OBJ_seed_ofb128                OBJ_kisa,1L,6L
 
+#define SN_hmac                "HMAC"
+#define LN_hmac                "hmac"
+#define NID_hmac               855
+
index b308894..5bdd370 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x0090808fL
+#define OPENSSL_VERSION_NUMBER 0x0090809fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8h-fips 28 May 2008"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8i-fips 15 Sep 2008"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8h 28 May 2008"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8i 15 Sep 2008"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index 345fb1d..7342004 100644 (file)
@@ -140,6 +140,8 @@ typedef struct X509_crl_st X509_CRL;
 typedef struct X509_name_st X509_NAME;
 typedef struct x509_store_st X509_STORE;
 typedef struct x509_store_ctx_st X509_STORE_CTX;
+typedef struct ssl_st SSL;
+typedef struct ssl_ctx_st SSL_CTX;
 
 typedef struct v3_ext_ctx X509V3_CTX;
 typedef struct conf_st CONF;
index dbafda1..9748256 100644 (file)
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
 
+static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
+       {
+       int idx;
+       X509_ATTRIBUTE *attr;
+       idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
+       if (idx < 0)
+               return 1;
+       attr = EVP_PKEY_get_attr(pkey, idx);
+       if (!X509at_add1_attr(&bag->attrib, attr))
+               return 0;
+       return 1;
+       }
+
 PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
             STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter,
             int keytype)
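Review bot: copy_bag_attr() returns 1 both when the attribute was copied and when pkey carries no attribute with that NID, and nothing in the helper says so. A short header comment would make the contract explicit, e.g. `/* Copy attribute nid from pkey to bag if present; returns 1 on success or when absent, 0 on failure. */`. The result of EVP_PKEY_get_attr() is handed to X509at_add1_attr() unchecked; whether that call rejects a NULL attribute is not visible in this hunk. PKCS12_create()'s body continues outside the hunk.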
@@ -122,20 +135,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
        if (pkey)
                {
-               int cspidx;
                bag = PKCS12_add_key(&bags, pkey, keytype, iter, nid_key, pass);
 
                if (!bag)
                        goto err;
 
-               cspidx = EVP_PKEY_get_attr_by_NID(pkey, NID_ms_csp_name, -1);
-               if (cspidx >= 0)
-                       {
-                       X509_ATTRIBUTE *cspattr;
-                       cspattr = EVP_PKEY_get_attr(pkey, cspidx);
-                       if (!X509at_add1_attr(&bag->attrib, cspattr))
-                               goto err;
-                       }
+               if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
+                       goto err;
+               if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
+                       goto err;
 
                if(name && !PKCS12_add_friendlyname(bag, name, -1))
                        goto err;
index 6b5e4f8..3699afa 100644 (file)
@@ -281,6 +281,7 @@ int RSA_print_fp(FILE *fp, const RSA *r,int offset);
 int    RSA_print(BIO *bp, const RSA *r,int offset);
 #endif
 
+#ifndef OPENSSL_NO_RC4
 int i2d_RSA_NET(const RSA *a, unsigned char **pp,
                int (*cb)(char *buf, int len, const char *prompt, int verify),
                int sgckey);
@@ -294,6 +295,7 @@ int i2d_Netscape_RSA(const RSA *a, unsigned char **pp,
 RSA *d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length,
                      int (*cb)(char *buf, int len, const char *prompt,
                                int verify));
+#endif
 
 /* The following 2 functions sign and verify a X509_SIG ASN1 object
  * inside PKCS#1 padded RSA encryption */
index ffadaab..283ddd8 100644 (file)
@@ -150,16 +150,6 @@ const RSA_METHOD *RSA_PKCS1_SSLeay(void)
        return(&rsa_pkcs1_eay_meth);
        }
 
-/* Usage example;
- *    MONT_HELPER(rsa->_method_mod_p, bn_ctx, rsa->p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
- */
-#define MONT_HELPER(method_mod, ctx, m, pre_cond, err_instr) \
-       if ((pre_cond) && ((method_mod) == NULL) && \
-                       !BN_MONT_CTX_set_locked(&(method_mod), \
-                               CRYPTO_LOCK_RSA, \
-                               (m), (ctx))) \
-               err_instr
-
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
             unsigned char *to, RSA *rsa, int padding)
        {
@@ -233,7 +223,9 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+       if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+               if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                       goto err;
 
        if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                rsa->_method_mod_n)) goto err;
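Review bot: With the macro's `(method_mod) == NULL` pre-test gone, this call to BN_MONT_CTX_set_locked() runs on every operation when the cache flag is set. It therefore relies on that function to hand back an already-built context without rebuilding it; its body is not part of this diff, so that should be confirmed and recorded in a comment at the call. The same unbraced `if` nested in an unbraced `if` is repeated in RSA_eay_private_encrypt, RSA_eay_private_decrypt, RSA_eay_public_decrypt and RSA_eay_mod_exp. Joining the conditions, `if ((rsa->flags & RSA_FLAG_CACHE_PUBLIC) && !BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err;`, avoids the dangling-else trap. The enclosing function starts and ends outside the hunk.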
@@ -438,7 +430,9 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                else
                        d= rsa->d;
 
-               MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+               if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                       if(!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                               goto err;
 
                if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                rsa->_method_mod_n)) goto err;
@@ -559,7 +553,9 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                else
                        d = rsa->d;
 
-               MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+               if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                               goto err;
                if (!rsa->meth->bn_mod_exp(ret,f,d,rsa->n,ctx,
                                rsa->_method_mod_n))
                  goto err;
@@ -669,7 +665,9 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                goto err;
                }
 
-       MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+       if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+               if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                       goto err;
 
        if (!rsa->meth->bn_mod_exp(ret,f,rsa->e,rsa->n,ctx,
                rsa->_method_mod_n)) goto err;
@@ -747,11 +745,18 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
                        q = rsa->q;
                        }
 
-               MONT_HELPER(rsa->_method_mod_p, ctx, p, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
-               MONT_HELPER(rsa->_method_mod_q, ctx, q, rsa->flags & RSA_FLAG_CACHE_PRIVATE, goto err);
+               if (rsa->flags & RSA_FLAG_CACHE_PRIVATE)
+                       {
+                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_p, CRYPTO_LOCK_RSA, p, ctx))
+                               goto err;
+                       if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_q, CRYPTO_LOCK_RSA, q, ctx))
+                               goto err;
+                       }
        }
 
-       MONT_HELPER(rsa->_method_mod_n, ctx, rsa->n, rsa->flags & RSA_FLAG_CACHE_PUBLIC, goto err);
+       if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+               if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx))
+                       goto err;
 
        /* compute I mod q */
        if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME))
index ea72629..cfeff15 100644 (file)
@@ -130,7 +130,7 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
                return(-1);
                }
-       for (k= -8; k<0; k++)
+       for (k = -9; k<-1; k++)
                {
                if (p[k] !=  0x03) break;
                }
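Review bot: The loop bounds `-9` and `-1` are bare offsets from `p` with no comment saying which bytes they cover, and the loop now finishes with `k == -1` rather than `k == 0`. The test that follows the loop is outside this hunk and has to compare against `-1` for the check to fire, which is worth confirming. The reads at `p[-9]` through `p[-2]` are in bounds only if the rejected case above guarantees at least eight padding bytes before the zero separator, which the hunk shows only in part. A comment such as `/* p is one past the 0x00 separator: p[-1] is the separator, p[-9..-2] the last eight padding bytes */` would document this, assuming that is where the earlier scan leaves `p`.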
index 78cc485..40b1790 100644 (file)
@@ -986,6 +986,50 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
 #define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
 
+#define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
+#define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
+#define sk_MIME_HEADER_free(st) SKM_sk_free(MIME_HEADER, (st))
+#define sk_MIME_HEADER_num(st) SKM_sk_num(MIME_HEADER, (st))
+#define sk_MIME_HEADER_value(st, i) SKM_sk_value(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_set(st, i, val) SKM_sk_set(MIME_HEADER, (st), (i), (val))
+#define sk_MIME_HEADER_zero(st) SKM_sk_zero(MIME_HEADER, (st))
+#define sk_MIME_HEADER_push(st, val) SKM_sk_push(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_unshift(st, val) SKM_sk_unshift(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find(st, val) SKM_sk_find(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_find_ex(st, val) SKM_sk_find_ex(MIME_HEADER, (st), (val))
+#define sk_MIME_HEADER_delete(st, i) SKM_sk_delete(MIME_HEADER, (st), (i))
+#define sk_MIME_HEADER_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_HEADER, (st), (ptr))
+#define sk_MIME_HEADER_insert(st, val, i) SKM_sk_insert(MIME_HEADER, (st), (val), (i))
+#define sk_MIME_HEADER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_HEADER, (st), (cmp))
+#define sk_MIME_HEADER_dup(st) SKM_sk_dup(MIME_HEADER, st)
+#define sk_MIME_HEADER_pop_free(st, free_func) SKM_sk_pop_free(MIME_HEADER, (st), (free_func))
+#define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
+#define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
+#define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))
+
+#define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
+#define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
+#define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
+#define sk_MIME_PARAM_num(st) SKM_sk_num(MIME_PARAM, (st))
+#define sk_MIME_PARAM_value(st, i) SKM_sk_value(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_set(st, i, val) SKM_sk_set(MIME_PARAM, (st), (i), (val))
+#define sk_MIME_PARAM_zero(st) SKM_sk_zero(MIME_PARAM, (st))
+#define sk_MIME_PARAM_push(st, val) SKM_sk_push(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_unshift(st, val) SKM_sk_unshift(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find(st, val) SKM_sk_find(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_find_ex(st, val) SKM_sk_find_ex(MIME_PARAM, (st), (val))
+#define sk_MIME_PARAM_delete(st, i) SKM_sk_delete(MIME_PARAM, (st), (i))
+#define sk_MIME_PARAM_delete_ptr(st, ptr) SKM_sk_delete_ptr(MIME_PARAM, (st), (ptr))
+#define sk_MIME_PARAM_insert(st, val, i) SKM_sk_insert(MIME_PARAM, (st), (val), (i))
+#define sk_MIME_PARAM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(MIME_PARAM, (st), (cmp))
+#define sk_MIME_PARAM_dup(st) SKM_sk_dup(MIME_PARAM, st)
+#define sk_MIME_PARAM_pop_free(st, free_func) SKM_sk_pop_free(MIME_PARAM, (st), (free_func))
+#define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
+#define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
+#define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))
+
 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
 #define sk_MIME_PARAM_free(st) SKM_sk_free(MIME_PARAM, (st))
index 511b49d..98460e8 100644 (file)
@@ -245,7 +245,7 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
                goto err;
        if (!X509_ATTRIBUTE_set1_data(ret,atrtype,data,len))
                goto err;
-       
+
        if ((attr != NULL) && (*attr == NULL)) *attr=ret;
        return(ret);
 err:
@@ -302,8 +302,15 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
                atype = attrtype;
        }
        if(!(attr->value.set = sk_ASN1_TYPE_new_null())) goto err;
+       attr->single = 0;
+       /* This is a bit naughty because the attribute should really have
+        * at least one value but some types use and zero length SET and
+        * require this.
+        */
+       if (attrtype == 0)
+               return 1;
        if(!(ttmp = ASN1_TYPE_new())) goto err;
-       if (len == -1)
+       if ((len == -1) && !(attrtype & MBSTRING_FLAG))
                {
                if (!ASN1_TYPE_set1(ttmp, attrtype, data))
                        goto err;
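Review bot: The new early return for `attrtype == 0` leaves `attr->value.set` as an empty stack and silently ignores `data` and `len`. Any reader that takes element 0 of the value set without checking the count now has to tolerate an empty set; those readers are outside this hunk. The added comment has a typo ("use and zero length SET" should read `use a zero length SET`) and could also state that `data` and `len` are ignored in this case. The function begins and ends outside the hunk.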
@@ -311,7 +318,6 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *dat
        else
                ASN1_TYPE_set(ttmp, atype, stmp);
        if(!sk_ASN1_TYPE_push(attr->value.set, ttmp)) goto err;
-       attr->single = 0;
        return 1;
        err:
        X509err(X509_F_X509_ATTRIBUTE_SET1_DATA, ERR_R_MALLOC_FAILURE);
index 9a62ebc..336c40d 100644 (file)
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-       int i, ok=0, must_be_ca;
+       int i, ok=0, must_be_ca, plen = 0;
        X509 *x;
        int (*cb)(int xok,X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        }
-               /* Check pathlen */
-               if ((i > 1) && (x->ex_pathlen != -1)
-                          && (i > (x->ex_pathlen + proxy_path_length + 1)))
+               /* Check pathlen if not self issued */
+               if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                          && (x->ex_pathlen != -1)
+                          && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
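Review bot: `plen` is introduced without a comment, next to the similarly named `proxy_path_length`, and the path length test now mixes two counters: the guard still uses the chain index `i` while the comparison uses `plen`. A comment at the declaration would help, e.g. `/* plen: non-self-issued certificates counted before the current one */`. `ctx->error_depth` is still set to `i`, which looks intended since it names the chain position. The declaration is in the preceding hunk and the increment in the following one; the function body extends beyond all three.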
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+               /* Increment path length if not self issued */
+               if (!(x->ex_flags & EXFLAG_SI))
+                       plen++;
                /* If this certificate is a proxy certificate, the next
                   certificate must be another proxy certificate or a EE
                   certificate.  If not, the next certificate must be a
index 614d2b4..4711b1e 100644 (file)
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        X509_POLICY_DATA *ret;
        if (!policy && !id)
                return NULL;
+       if (id)
+               {
+               id = OBJ_dup(id);
+               if (!id)
+                       return NULL;
+               }
        ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
        if (!ret)
                return NULL;
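Review bot: The copy made by `OBJ_dup(id)` is leaked when the `OPENSSL_malloc()` that follows fails, because `if (!ret) return NULL;` returns without freeing it. The next hunk frees the copy on the `expected_policy_set` failure path but not on this one. Suggested change: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. The function continues outside the hunk, so how `ret` takes ownership of the copy on success is not visible here.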
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        if (!ret->expected_policy_set)
                {
                OPENSSL_free(ret);
+               if (id)
+                       ASN1_OBJECT_free(id);
                return NULL;
                }
 
index 4fda1d4..b1ce77b 100644 (file)
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        ret = 2;
                if (explicit_policy > 0)
                        {
-                       explicit_policy--;
-                       if (!(x->ex_flags & EXFLAG_SS)
-                               && (cache->explicit_skip != -1)
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               explicit_policy--;
+                       if ((cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
                                explicit_policy = cache->explicit_skip;
                        }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        /* Any matching allowed if certificate is self
                         * issued and not the last in the chain.
                         */
-                       if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                       if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                level->flags |= X509_V_FLAG_INHIBIT_ANY;
                        }
                else
                        {
-                       any_skip--;
-                       if ((cache->any_skip > 0)
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               any_skip--;
+                       if ((cache->any_skip >= 0)
                                && (cache->any_skip < any_skip))
                                any_skip = cache->any_skip;
                        }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                else
                        {
                        map_skip--;
-                       if ((cache->map_skip > 0)
+                       if ((cache->map_skip >= 0)
                                && (cache->map_skip < map_skip))
                                map_skip = cache->map_skip;
                        }
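Review bot: `map_skip--` is still unconditional here, while the earlier hunks in this function now decrement `explicit_policy` and `any_skip` only when the certificate is not self-issued. If the three counters are meant to follow the same rule, this should read `if (!(x->ex_flags & EXFLAG_SI)) map_skip--;`. The change from `> 0` to `>= 0` for the cached skip values is applied consistently to both `any_skip` and `map_skip`. tree_init() starts and ends outside the hunk.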
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                if (data == NULL)
                        return 0;
-               data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+               /* Curr may not have anyPolicy */
+               data->qualifier_set = cache->anyPolicy->qualifier_set;
                data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                if (!level_add_node(curr, data, node, tree))
                        {
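Review bot: `cache->anyPolicy` is dereferenced here with no NULL test in the hunk. The new comment says `curr` may lack an anyPolicy node, but nothing visible shows that the cache always has one when tree_link_any() reaches this line. If the caller does not guarantee it, a guard such as `if (cache->anyPolicy == NULL) return 0;` placed before `data` is allocated is needed; otherwise a comment naming the guarantee would do. The function body is only partly shown.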
index ed9847b..c6730ab 100644 (file)
@@ -594,10 +594,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
     return NULL;
   switch (afi) {
   case IANA_AFI_IPV4:
-    sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
     break;
   case IANA_AFI_IPV6:
-    sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+    (void)sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
     break;
   }
   f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -854,7 +854,7 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
       if (!make_addressRange(&merged, a_min, b_max, length))
        return 0;
       sk_IPAddressOrRange_set(aors, i, merged);
-      sk_IPAddressOrRange_delete(aors, i + 1);
+      (void)sk_IPAddressOrRange_delete(aors, i + 1);
       IPAddressOrRange_free(a);
       IPAddressOrRange_free(b);
       --i;
@@ -1122,7 +1122,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
     return 1;
   if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
     return 0;
-  sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
   for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
     IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
     int j = sk_IPAddressFamily_find(b, fa);
@@ -1183,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
   }
   if (!v3_addr_is_canonical(ext))
     validation_err(X509_V_ERR_INVALID_EXTENSION);
-  sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+  (void)sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
   if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
     X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
     ret = 0;
@@ -1209,7 +1209,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
       }
       continue;
     }
-    sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+    (void)sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
     for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
       IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
       int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
index 271930f..abd497e 100644 (file)
@@ -466,7 +466,7 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
        break;
       }
       ASIdOrRange_free(b);
-      sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
+      (void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
       i--;
       continue;
     }
index b2f5cdf..c54e788 100644 (file)
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_sbgp_ipAddrBlock,   /* 290 */
                NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-               NID_proxyCertInfo       /* 661 */
+               NID_policy_constraints, /* 401 */
+               NID_proxyCertInfo,      /* 661 */
+               NID_inhibit_any_policy  /* 748 */
        };
 
        int ex_nid;
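Review bot: Listing `NID_policy_constraints` and `NID_inhibit_any_policy` as supported means a certificate carrying them as critical extensions is no longer rejected for an unhandled critical extension. That is only sound if policy processing really runs for those chains; whether it runs on every verification or only on request is not visible in this diff and should be confirmed. The `/* 401 */`, `/* 661 */` and `/* 748 */` comments suggest the table is kept in ascending NID order. If the lookup below the hunk depends on that order, a comment like `/* must stay sorted by NID value */` above the array would protect future additions.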
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
        /* Does subject name match issuer ? */
        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                        x->ex_flags |= EXFLAG_SS;
+                        x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
index db2b048..5ba59f7 100644 (file)
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT          0x8
 
 #define EXFLAG_CA              0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI              0x20
 #define EXFLAG_SS              0x20
 #define EXFLAG_V1              0x40
 #define EXFLAG_INVALID         0x80
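Review bot: `EXFLAG_SI` and `EXFLAG_SS` now share the value `0x20`, and the new comment sits above `EXFLAG_SI` only. Code that tests `EXFLAG_SS` expecting a verified self-signature gets the same bit, which the v3_purp.c hunk in this commit sets from a subject/issuer name comparison. A comment on the old name would make that explicit, e.g. `/* compatibility alias for EXFLAG_SI: names match, signature not checked */`.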
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL                0x200
 #define EXFLAG_PROXY           0x400
 
-#define EXFLAG_INVALID_POLICY  0x400
+#define EXFLAG_INVALID_POLICY  0x800
 
 #define KU_DIGITAL_SIGNATURE   0x0080
 #define KU_NON_REPUDIATION     0x0040
index e62e6fc..a1a2d2b 100644 (file)
@@ -451,9 +451,13 @@ static int e_gmp_rsa_mod_exp(BIGNUM *r, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        }
 #endif
 
+#endif /* !OPENSSL_NO_GMP */
+
 /* This stuff is needed if this ENGINE is being compiled into a self-contained
  * shared-library. */     
-#ifndef ENGINE_NO_DYNAMIC_SUPPORT
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+IMPLEMENT_DYNAMIC_CHECK_FN()
+#ifndef OPENSSL_NO_GMP
 static int bind_fn(ENGINE *e, const char *id)
        {
        if(id && (strcmp(id, engine_e_gmp_id) != 0))
@@ -462,10 +466,11 @@ static int bind_fn(ENGINE *e, const char *id)
                return 0;
        return 1;
        }       
-IMPLEMENT_DYNAMIC_CHECK_FN()
 IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
-#endif /* ENGINE_DYNAMIC_SUPPORT */
+#else
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+#endif
+#endif /* OPENSSL_NO_DYNAMIC_ENGINE */
 
-#endif /* !OPENSSL_NO_GMP */
 #endif /* !OPENSSL_NO_HW */
-
index 5e59dc8..49c6760 100644 (file)
@@ -1095,8 +1095,7 @@ int dtls1_send_client_certificate(SSL *s)
                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                 * We then get retied later */
                i=0;
-               if (s->ctx->client_cert_cb != NULL)
-                       i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+               i = ssl_do_client_cert_cb(s, &x509, &pkey);
                if (i < 0)
                        {
                        s->rwstate=SSL_X509_LOOKUP;
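Review bot: The `i=0;` kept as context just above the new call is now a dead store, since `i` is assigned unconditionally on the next line. The removed code skipped the callback when `s->ctx->client_cert_cb` was NULL. The new code depends on ssl_do_client_cert_cb() handling that case and returning 0, and that helper is not shown in this hunk. Dropping the `i=0;` line and adding a comment such as `/* returns 0 when no client certificate callback is set */` would keep the intent readable, once confirmed against the helper.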
index 377696d..b2765ba 100644 (file)
@@ -811,6 +811,14 @@ start:
              *  may be fragmented--don't always expect dest_maxlen bytes */
                        if ( rr->length < dest_maxlen)
                                {
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                               /*
+                                * for normal alerts rr->length is 2, while
+                                * dest_maxlen is 7 if we were to handle this
+                                * non-existing alert...
+                                */
+                               FIX ME
+#endif
                                s->rstate=SSL_ST_READ_HEADER;
                                rr->length = 0;
                                goto start;
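Review bot: The bare `FIX ME` tokens inside `#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE` break the build with an unrelated syntax error if the macro is ever defined again. An explicit `#error "alert fragment length handling must be fixed before enabling DTLS1_AD_MISSING_HANDSHAKE_MESSAGE"` states the reason at the point of failure. The added comment contrasts an `rr->length` of 2 with a `dest_maxlen` of 7, while dtls1.h in this commit makes `DTLS1_AL_HEADER_LENGTH` 2 when the macro is off. It would help for the comment to say which constant `dest_maxlen` comes from, which this hunk does not show.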
@@ -1251,7 +1259,7 @@ int dtls1_write_bytes(SSL *s, int type, const void *buf_, int len)
        else 
                s->s3->wnum += i;
 
-       return tot + i;
+       return i;
        }
 
 int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len, int create_empty_fragment)
@@ -1576,7 +1584,7 @@ int dtls1_dispatch_alert(SSL *s)
        {
        int i,j;
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
-       unsigned char buf[2 + 2 + 3]; /* alert level + alert desc + message seq +frag_off */
+       unsigned char buf[DTLS1_AL_HEADER_LENGTH];
        unsigned char *ptr = &buf[0];
 
        s->s3->alert_dispatch=0;
@@ -1585,6 +1593,7 @@ int dtls1_dispatch_alert(SSL *s)
        *ptr++ = s->s3->send_alert[0];
        *ptr++ = s->s3->send_alert[1];
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                {       
                s2n(s->d1->handshake_read_seq, ptr);
@@ -1600,6 +1609,7 @@ int dtls1_dispatch_alert(SSL *s)
 #endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                }
+#endif
 
        i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
        if (i <= 0)
@@ -1609,8 +1619,11 @@ int dtls1_dispatch_alert(SSL *s)
                }
        else
                {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                  )
                        (void)BIO_flush(s->wbio);
 
                if (s->msg_callback)
index 927b01f..0bbf8ae 100644 (file)
@@ -732,7 +732,7 @@ int dtls1_send_server_hello(SSL *s)
 
                d = dtls1_set_message_header(s, d, SSL3_MT_SERVER_HELLO, l, 0, l);
 
-               s->state=SSL3_ST_CW_CLNT_HELLO_B;
+               s->state=SSL3_ST_SW_SRVR_HELLO_B;
                /* number of bytes to write */
                s->init_num=p-buf;
                s->init_off=0;
@@ -741,7 +741,7 @@ int dtls1_send_server_hello(SSL *s)
                dtls1_buffer_message(s, 0);
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_HELLO_B */
        return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
@@ -765,7 +765,7 @@ int dtls1_send_server_done(SSL *s)
                dtls1_buffer_message(s, 0);
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_DONE_B */
        return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
index a663cf8..f159d37 100644 (file)
@@ -70,7 +70,10 @@ extern "C" {
 #define DTLS1_VERSION                  0xFEFF
 #define DTLS1_BAD_VER                  0x0100
 
+#if 0
+/* this alert description is not specified anywhere... */
 #define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
+#endif
 
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     32
@@ -84,7 +87,11 @@ extern "C" {
 
 #define DTLS1_CCS_HEADER_LENGTH                  1
 
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
 #define DTLS1_AL_HEADER_LENGTH                   7
+#else
+#define DTLS1_AL_HEADER_LENGTH                   2
+#endif
 
 
 typedef struct dtls1_bitmap_st
index c45a8e0..bc91817 100644 (file)
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
                        }
+#ifdef OPENSSL_FIPS
+               else if(FIPS_mode())
+                       {
+                       SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                       return -1;
+                       }
+#endif
                else if (version == SSL3_VERSION)
                        {
                        version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                       if(FIPS_mode())
+                               {
+                               SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                               goto err;
+                               }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }
index 6637bb9..ba06e7a 100644 (file)
@@ -386,6 +386,15 @@ int ssl23_get_client_hello(SSL *s)
                        }
                }
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (s->version < TLS1_VERSION))
+               {
+               SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+                                       SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               goto err;
+               }
+#endif
+
        if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
                {
                /* we have SSLv3/TLSv1 in an SSLv2 header
index f6864cd..d583ebc 100644 (file)
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/md5.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -1415,6 +1422,8 @@ int ssl3_get_key_exchange(SSL *s)
                        q=md_buf;
                        for (num=2; num > 0; num--)
                                {
+                               EVP_MD_CTX_set_flags(&md_ctx,
+                                       EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                EVP_DigestInit_ex(&md_ctx,(num == 2)
                                        ?s->ctx->md5:s->ctx->sha1, NULL);
                                EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
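Review bot: The return value of `EVP_DigestInit_ex` is still ignored on the line after the added `EVP_MD_CTX_set_flags` call, so if the FIPS layer refuses the digest despite the flag, the loop carries on updating a context that was never initialised. The flag is also set on both passes although only the `num == 2` pass selects `s->ctx->md5`; a comment such as `/* MD5 is allowed here only because the protocol's signature hash is MD5 followed by SHA1 */` would make the scope of the exemption explicit (presumably that is the reason, it is not stated in the hunk). The same pattern is in the ssl3_send_server_key_exchange hunk, and tls1_P_hash sets the flag on both HMAC contexts for whatever `md` the caller passes. The loop and the function continue outside this hunk.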
@@ -2061,12 +2070,12 @@ int ssl3_send_client_key_exchange(SSL *s)
                        {
                        DH *dh_srvr,*dh_clnt;
 
-                        if (s->session->sess_cert == NULL) 
-                                {
-                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-                                goto err;
-                                }
+                       if (s->session->sess_cert == NULL) 
+                               {
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+                               goto err;
+                               }
 
                        if (s->session->sess_cert->peer_dh_tmp != NULL)
                                dh_srvr=s->session->sess_cert->peer_dh_tmp;
@@ -2448,8 +2457,7 @@ int ssl3_send_client_certificate(SSL *s)
                 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
                 * We then get retied later */
                i=0;
-               if (s->ctx->client_cert_cb != NULL)
-                       i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
+               i = ssl_do_client_cert_cb(s, &x509, &pkey);
                if (i < 0)
                        {
                        s->rwstate=SSL_X509_LOOKUP;
@@ -2716,3 +2724,21 @@ static int ssl3_check_finished(SSL *s)
        return 1;
        }
 #endif
+
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
+       {
+       int i = 0;
+#ifndef OPENSSL_NO_ENGINE
+       if (s->ctx->client_cert_engine)
+               {
+               i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
+                                               SSL_get_client_CA_list(s),
+                                               px509, ppkey, NULL, NULL, NULL);
+               if (i != 0)
+                       return i;
+               }
+#endif
+       if (s->ctx->client_cert_cb)
+               i = s->ctx->client_cert_cb(s,px509,ppkey);
+       return i;
+       }
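Review bot: ssl_do_client_cert_cb is added without a comment on its return contract, although the caller in ssl3_send_client_certificate treats a negative value as "look up again later" (`s->rwstate=SSL_X509_LOOKUP`). I would add a header comment saying that the engine is consulted first, that any non-zero engine result (including a negative one) is returned without ever calling `client_cert_cb`, and that 0 means no certificate was supplied. The three trailing `NULL` arguments to `ENGINE_load_ssl_client_cert` (extra certificates, UI method and callback data, as far as I recall the prototype) deserve a short inline comment as well, since passing no UI method means the engine cannot prompt through the application.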
index 2859351..06e5466 100644 (file)
@@ -146,6 +146,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 #endif
        k=0;
        EVP_MD_CTX_init(&m5);
+       EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_MD_CTX_init(&s1);
        for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
                {
@@ -518,6 +519,8 @@ int ssl3_enc(SSL *s, int send)
 
 void ssl3_init_finished_mac(SSL *s)
        {
+       EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
+               EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
        EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
        }
@@ -554,6 +557,7 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
        EVP_MD_CTX ctx;
 
        EVP_MD_CTX_init(&ctx);
+       EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        EVP_MD_CTX_copy_ex(&ctx,in_ctx);
 
        n=EVP_MD_CTX_size(&ctx);
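Review bot: The flag set on `ctx` is probably lost again on the very next line, because `EVP_MD_CTX_copy_ex(&ctx,in_ctx)` copies the source context over the destination, flags included. If that is right, the exemption that actually applies is whatever `in_ctx` carries (ssl3_init_finished_mac sets it on `finish_dgst1` only), and this call is either redundant or belongs after the copy: `EVP_MD_CTX_copy_ex(&ctx,in_ctx);` followed by `EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`. The result of the copy is also unchecked. The function body continues outside this hunk.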
index bdbcd44..8916a0b 100644 (file)
@@ -158,7 +158,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_NULL_SHA,
        SSL3_CK_RSA_NULL_SHA,
        SSL_kRSA|SSL_aRSA|SSL_eNULL |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_STRONG_NONE,
+       SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
        0,
        0,
        0,
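Review bot: `SSL_FIPS` is added here to `SSL3_TXT_RSA_NULL_SHA`, an `SSL_eNULL` suite, and in later hunks of this table to the anonymous `SSL_aNULL` suites (`SSL3_TXT_ADH_DES_192_CBC_SHA`, `TLS1_TXT_ADH_WITH_AES_128_SHA`, `TLS1_TXT_ADH_WITH_AES_256_SHA`). The flag therefore records algorithm approval only, and the new "FIPS" alias would presumably select suites with no encryption or no peer authentication unless a cipher string excludes them separately. A comment at the `SSL_FIPS` definition, for example `/* approved algorithms only; does not imply encryption or authentication (eNULL/aNULL may carry it) */`, would keep it from being read as a strength class next to `SSL_HIGH`. The table starts and ends outside this hunk.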
@@ -264,7 +264,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_RSA_DES_192_CBC3_SHA,
        SSL3_CK_RSA_DES_192_CBC3_SHA,
        SSL_kRSA|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -304,7 +304,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_DH_DSS_DES_192_CBC3_SHA,
        SSL_kDHd |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -343,7 +343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_DH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_DH_RSA_DES_192_CBC3_SHA,
        SSL_kDHr |SSL_aDH|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -384,7 +384,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA,
        SSL3_CK_EDH_DSS_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aDSS|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -423,7 +423,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA,
        SSL3_CK_EDH_RSA_DES_192_CBC3_SHA,
        SSL_kEDH|SSL_aRSA|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -488,7 +488,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_ADH_DES_192_CBC_SHA,
        SSL3_CK_ADH_DES_192_CBC_SHA,
        SSL_kEDH |SSL_aNULL|SSL_3DES |SSL_SHA1|SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -563,7 +563,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL3_TXT_KRB5_DES_192_CBC3_SHA,
        SSL3_CK_KRB5_DES_192_CBC3_SHA,
        SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        168,
        168,
@@ -747,7 +747,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_RSA_WITH_AES_128_SHA,
        TLS1_CK_RSA_WITH_AES_128_SHA,
        SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -760,7 +760,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
        TLS1_CK_DH_DSS_WITH_AES_128_SHA,
        SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -773,7 +773,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
        TLS1_CK_DH_RSA_WITH_AES_128_SHA,
        SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -786,7 +786,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
        TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
        SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -799,7 +799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
        TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
        SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -812,7 +812,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_ADH_WITH_AES_128_SHA,
        TLS1_CK_ADH_WITH_AES_128_SHA,
        SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        128,
        128,
@@ -826,7 +826,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_RSA_WITH_AES_256_SHA,
        TLS1_CK_RSA_WITH_AES_256_SHA,
        SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
@@ -839,7 +839,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DH_DSS_WITH_AES_256_SHA,
        TLS1_CK_DH_DSS_WITH_AES_256_SHA,
        SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
@@ -852,7 +852,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DH_RSA_WITH_AES_256_SHA,
        TLS1_CK_DH_RSA_WITH_AES_256_SHA,
        SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
@@ -865,7 +865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DHE_DSS_WITH_AES_256_SHA,
        TLS1_CK_DHE_DSS_WITH_AES_256_SHA,
        SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
@@ -878,7 +878,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_DHE_RSA_WITH_AES_256_SHA,
        TLS1_CK_DHE_RSA_WITH_AES_256_SHA,
        SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
@@ -891,7 +891,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        TLS1_TXT_ADH_WITH_AES_256_SHA,
        TLS1_CK_ADH_WITH_AES_256_SHA,
        SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-       SSL_NOT_EXP|SSL_HIGH,
+       SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        0,
        256,
        256,
index 44c7c14..72853a2 100644 (file)
@@ -1225,6 +1225,13 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
        if (s->s3->tmp.key_block == NULL)
                {
+               if (s->session == NULL) 
+                       {
+                       /* might happen if dtls1_read_bytes() calls this */
+                       SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
+                       return (0);
+                       }
+
                s->session->cipher=s->s3->tmp.new_cipher;
                if (!s->method->ssl3_enc->setup_key_block(s)) return(0);
                }
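Review bot: The new guard covers a NULL `s->session`, but `s->s3->tmp.new_cipher` is copied into the session on the following line without any check. If the DTLS read path named in the comment can reach this function before a cipher has been negotiated, `s->session->cipher` ends up NULL and the failure surfaces later inside `setup_key_block` with an unrelated error. Whether callers already exclude that case is not visible in this hunk; if they do not, the condition could be `if (s->session == NULL || s->s3->tmp.new_cipher == NULL)`. The function continues outside the hunk.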
index 903522a..398ce46 100644 (file)
@@ -1172,13 +1172,13 @@ int ssl3_send_server_hello(SSL *s)
                *(d++)=SSL3_MT_SERVER_HELLO;
                l2n3(l,d);
 
-               s->state=SSL3_ST_CW_CLNT_HELLO_B;
+               s->state=SSL3_ST_SW_SRVR_HELLO_B;
                /* number of bytes to write */
                s->init_num=p-buf;
                s->init_off=0;
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_HELLO_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
@@ -1202,7 +1202,7 @@ int ssl3_send_server_done(SSL *s)
                s->init_off=0;
                }
 
-       /* SSL3_ST_CW_CLNT_HELLO_B */
+       /* SSL3_ST_SW_SRVR_DONE_B */
        return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
        }
 
@@ -1540,6 +1540,8 @@ int ssl3_send_server_key_exchange(SSL *s)
                                j=0;
                                for (num=2; num > 0; num--)
                                        {
+                                       EVP_MD_CTX_set_flags(&md_ctx,
+                                               EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
                                        EVP_DigestInit_ex(&md_ctx,(num == 2)
                                                ?s->ctx->md5:s->ctx->sha1, NULL);
                                        EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
index 6df921f..ff8a128 100644 (file)
@@ -252,6 +252,7 @@ extern "C" {
 #define SSL_TXT_LOW            "LOW"
 #define SSL_TXT_MEDIUM         "MEDIUM"
 #define SSL_TXT_HIGH           "HIGH"
+#define SSL_TXT_FIPS           "FIPS"
 #define SSL_TXT_kFZA           "kFZA"
 #define        SSL_TXT_aFZA            "aFZA"
 #define SSL_TXT_eFZA           "eFZA"
@@ -361,9 +362,6 @@ typedef struct ssl_cipher_st
 
 DECLARE_STACK_OF(SSL_CIPHER)
 
-typedef struct ssl_st SSL;
-typedef struct ssl_ctx_st SSL_CTX;
-
 /* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
 typedef struct ssl_method_st
        {
@@ -760,6 +758,12 @@ struct ssl_ctx_st
 
        int quiet_shutdown;
 
+#ifndef OPENSSL_ENGINE
+       /* Engine to pass requests for client certs to
+        */
+       ENGINE *client_cert_engine;
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extensions servername callback */
        int (*tlsext_servername_callback)(SSL*, int *, void *);
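Review bot: The new member is guarded by `#ifndef OPENSSL_ENGINE`, whereas every other engine-related addition in this commit (the `SSL_CTX_set_client_cert_engine` prototype, the initialisation in SSL_CTX_new, the release in SSL_CTX_free) tests `OPENSSL_NO_ENGINE`. As written the guard is presumably always true, so the field is declared even in builds configured without engine support. The line should read `#ifndef OPENSSL_NO_ENGINE`. struct ssl_ctx_st begins and ends outside this hunk.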
@@ -829,6 +833,9 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
+#endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
 void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
 
@@ -1702,6 +1709,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CONNECT                              132
 #define SSL_F_SSL3_CTRL                                         213
 #define SSL_F_SSL3_CTX_CTRL                             133
+#define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                279
 #define SSL_F_SSL3_ENC                                  134
 #define SSL_F_SSL3_GENERATE_KEY_BLOCK                   238
 #define SSL_F_SSL3_GET_CERTIFICATE_REQUEST              135
@@ -1755,6 +1763,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                         168
 #define SSL_F_SSL_CTX_NEW                               169
 #define SSL_F_SSL_CTX_SET_CIPHER_LIST                   269
+#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE            278
 #define SSL_F_SSL_CTX_SET_PURPOSE                       226
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT            219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION                   170
@@ -1935,6 +1944,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_NO_CIPHERS_SPECIFIED                      183
 #define SSL_R_NO_CIPHER_LIST                            184
 #define SSL_R_NO_CIPHER_MATCH                           185
+#define SSL_R_NO_CLIENT_CERT_METHOD                     317
 #define SSL_R_NO_CLIENT_CERT_RECEIVED                   186
 #define SSL_R_NO_COMPRESSION_SPECIFIED                  187
 #define SSL_R_NO_METHOD_SPECIFIED                       188
index 6e14f4d..0f9a348 100644 (file)
@@ -353,7 +353,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
        memcpy(ret->session_id,os.data,os.length);
 
        M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-       if (ret->master_key_length > SSL_MAX_MASTER_KEY_LENGTH)
+       if (os.length > SSL_MAX_MASTER_KEY_LENGTH)
                ret->master_key_length=SSL_MAX_MASTER_KEY_LENGTH;
        else
                ret->master_key_length=os.length;
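Review bot: With the corrected comparison an over-long master key in the encoded session is now silently truncated to `SSL_MAX_MASTER_KEY_LENGTH` rather than rejected. A serialized session whose key does not fit is malformed, and accepting a shortened key hides that from the caller; treating `os.length > SSL_MAX_MASTER_KEY_LENGTH` as a decode error through the function's existing error path would be safer. If truncation is kept for compatibility, say so in a comment such as `/* over-long master key is truncated, not rejected */`. The copy that uses `master_key_length` lies outside this hunk.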
index 725f7f3..1a40012 100644 (file)
@@ -222,6 +222,7 @@ static const SSL_CIPHER cipher_aliases[]={
        {0,SSL_TXT_LOW,   0, 0,   SSL_LOW, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_MEDIUM,0, 0,SSL_MEDIUM, 0,0,0,0,SSL_STRONG_MASK},
        {0,SSL_TXT_HIGH,  0, 0,  SSL_HIGH, 0,0,0,0,SSL_STRONG_MASK},
+       {0,SSL_TXT_FIPS,  0, 0,  SSL_FIPS, 0,0,0,0,SSL_FIPS|SSL_STRONG_NONE},
        };
 
 void ssl_load_ciphers(void)
@@ -515,7 +516,12 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
                c = ssl_method->get_cipher(i);
 #define IS_MASKED(c) ((c)->algorithms & (((c)->alg_bits == 256) ? m256 : mask))
                /* drop those that use any of that is not available */
+#ifdef OPENSSL_FIPS
+               if ((c != NULL) && c->valid && !IS_MASKED(c)
+                       && (!FIPS_mode() || (c->algo_strength & SSL_FIPS)))
+#else
                if ((c != NULL) && c->valid && !IS_MASKED(c))
+#endif
                        {
                        co_list[co_list_num].cipher = c;
                        co_list[co_list_num].next = NULL;
@@ -1054,7 +1060,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
         */
        for (curr = head; curr != NULL; curr = curr->next)
                {
+#ifdef OPENSSL_FIPS
+               if (curr->active && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS))
+#else
                if (curr->active)
+#endif
                        {
                        sk_SSL_CIPHER_push(cipherstack, curr->cipher);
 #ifdef CIPHER_DEBUG
index 50779c1..24a994f 100644 (file)
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -138,6 +138,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL),    "SSL3_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CTX_CTRL),        "SSL3_CTX_CTRL"},
+{ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC),   "SSL3_DO_CHANGE_CIPHER_SPEC"},
 {ERR_FUNC(SSL_F_SSL3_ENC),     "SSL3_ENC"},
 {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK),      "SSL3_GENERATE_KEY_BLOCK"},
 {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"},
@@ -191,6 +192,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY),    "SSL_CTX_check_private_key"},
 {ERR_FUNC(SSL_F_SSL_CTX_NEW),  "SSL_CTX_new"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST),      "SSL_CTX_set_cipher_list"},
+{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE),       "SSL_CTX_set_client_cert_engine"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE),  "SSL_CTX_set_purpose"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),       "SSL_CTX_set_session_id_context"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),      "SSL_CTX_set_ssl_version"},
@@ -374,6 +376,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED)  ,"no ciphers specified"},
 {ERR_REASON(SSL_R_NO_CIPHER_LIST)        ,"no cipher list"},
 {ERR_REASON(SSL_R_NO_CIPHER_MATCH)       ,"no cipher match"},
+{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
 {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
 {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
 {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED)   ,"no method specified"},
index 065411a..68eee77 100644 (file)
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 
 const char *SSL_version_str=OPENSSL_VERSION_TEXT;
 
@@ -1393,6 +1396,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
                return(NULL);
                }
 
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode() && (meth->version < TLS1_VERSION))      
+               {
+               SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+               return NULL;
+               }
+#endif
+
        if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
                {
                SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
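Review bot: `meth->version < TLS1_VERSION` is a plain numeric comparison and needs a comment on how the DTLS methods fall out of it. With the values shown in the dtls1.h hunk, `DTLS1_VERSION` (0xFEFF) passes and `DTLS1_BAD_VER` (0x0100) is refused, which is easy to miss when reading the check as "TLS only". Suggested comment: `/* numeric compare: SSLv2, SSLv3 and DTLS1_BAD_VER are refused, DTLS1_VERSION (0xFEFF) passes */`. The ssl23_get_client_hello hunk uses the same comparison on `s->version`; SSL_CTX_new continues outside this hunk.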
@@ -1511,6 +1522,27 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
        ret->tlsext_status_cb = 0;
        ret->tlsext_status_arg = NULL;
 
+#endif
+
+#ifndef OPENSSL_NO_ENGINE
+       ret->client_cert_engine = NULL;
+#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
+#define eng_strx(x)    #x
+#define eng_str(x)     eng_strx(x)
+       /* Use specific client engine automatically... ignore errors */
+       {
+       ENGINE *eng;
+       eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+       if (!eng)
+               {
+               ERR_clear_error();
+               ENGINE_load_builtin_engines();
+               eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
+               }
+       if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
+               ERR_clear_error();
+       }
+#endif
 #endif
 
        return(ret);
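Review bot: The structural reference returned by `ENGINE_by_id` is never released in the OPENSSL_SSL_CLIENT_ENGINE_AUTO block. `SSL_CTX_set_client_cert_engine` takes its own functional reference through `ENGINE_init`, so `eng` appears to leak on both the success and the failure path; `if (eng) ENGINE_free(eng);` after the final `ERR_clear_error()` branch would balance it. Separately, because every failure is cleared silently, such a build gives no indication that the engine was not attached and that client-certificate selection fell back to `client_cert_cb`. The existing "ignore errors" comment should state that this fallback is intended.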
@@ -1582,6 +1614,10 @@ void SSL_CTX_free(SSL_CTX *a)
                sk_SSL_COMP_pop_free(a->comp_methods,SSL_COMP_free);
 #else
        a->comp_methods = NULL;
+#endif
+#ifndef OPENSSL_NO_ENGINE
+       if (a->client_cert_engine)
+               ENGINE_finish(a->client_cert_engine);
 #endif
        OPENSSL_free(a);
        }
index de94c0d..735db39 100644 (file)
 #define SSL_LOW                        0x00000020L
 #define SSL_MEDIUM             0x00000040L
 #define SSL_HIGH               0x00000080L
+#define SSL_FIPS               0x00000100L
 
-/* we have used 000000ff - 24 bits left to go */
+/* we have used 000001ff - 23 bits left to go */
 
 /*
  * Macros to check the export status and cipher strength for export ciphers.
@@ -874,6 +875,7 @@ int ssl3_get_new_session_ticket(SSL *s);
 int ssl3_get_cert_status(SSL *s);
 int ssl3_get_server_done(SSL *s);
 int ssl3_send_client_verify(SSL *s);
+int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
 int ssl3_send_client_certificate(SSL *s);
 int ssl3_send_client_key_exchange(SSL *s);
 int ssl3_get_key_exchange(SSL *s);
index ee88be2..8391d62 100644 (file)
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_ENGINE
+#include <openssl/engine.h>
+#endif
 #include "ssl_locl.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -870,6 +873,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
        return ctx->client_cert_cb;
        }
 
+#ifndef OPENSSL_NO_ENGINE
+int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
+       {
+       if (!ENGINE_init(e))
+               {
+               SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
+               return 0;
+               }
+       if(!ENGINE_get_ssl_client_cert_function(e))
+               {
+               SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
+               ENGINE_finish(e);
+               return 0;
+               }
+       ctx->client_cert_engine = e;
+       return 1;
+       }
+#endif
+
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
        int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
        {
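Review bot: `ctx->client_cert_engine = e;` overwrites any engine installed earlier without calling `ENGINE_finish` on it, so a second call on the same SSL_CTX leaks the functional reference taken by the first `ENGINE_init`. Release the previous engine before storing the new one: `if (ctx->client_cert_engine) ENGINE_finish(ctx->client_cert_engine);`. A one-line comment that the context owns this functional reference until SSL_CTX_free, and that the caller's own reference to `e` is left untouched, would document the ownership rule.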
index ed5a4a7..3c4dec7 100644 (file)
@@ -131,6 +131,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
        HMAC_CTX_init(&ctx);
        HMAC_CTX_init(&ctx_tmp);
+       HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+       HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
        HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
        HMAC_Update(&ctx,seed,seed_len);
@@ -852,8 +854,10 @@ int tls1_alert_code(int code)
        case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
        case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
        case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
                                          (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
+#endif
        default:                        return(-1);
                }
        }
index 35f04af..9ce7269 100644 (file)
@@ -734,6 +734,13 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
        /* Point after session ID in client hello */
        const unsigned char *p = session_id + len;
        unsigned short i;
+
+       /* If tickets disabled behave as if no ticket present
+        * to permit stateful resumption.
+        */
+       if (SSL_get_options(s) & SSL_OP_NO_TICKET)
+               return 1;
+
        if ((s->version <= SSL3_VERSION) || !limit)
                return 1;
        if (p >= limit)
@@ -761,12 +768,7 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
                        return 1;
                if (type == TLSEXT_TYPE_session_ticket)
                        {
-                       /* If tickets disabled indicate cache miss which will
-                        * trigger a full handshake
-                        */
-                       if (SSL_get_options(s) & SSL_OP_NO_TICKET)
-                               return 0;
-                       /* If zero length not client will accept a ticket
+                       /* If zero length note client will accept a ticket
                         * and indicate cache miss to trigger full handshake
                         */
                        if (size == 0)