diff options
Diffstat (limited to 'openssl')
50 files changed, 1625 insertions, 253 deletions
diff --git a/openssl/CHANGES b/openssl/CHANGES index 4cbf61ddf..5d4c23436 100644 --- a/openssl/CHANGES +++ b/openssl/CHANGES @@ -2,6 +2,21 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2c and 1.0.2d [9 Jul 2015] + + *) Alternate chains certificate forgery + + During certificate verfification, OpenSSL will attempt to find an + alternative certificate chain if the first attempt to build such a chain + fails. An error in the implementation of this logic can mean that an + attacker could cause certain checks on untrusted certificates to be + bypassed, such as the CA flag, enabling them to use a valid leaf + certificate to act as a CA and "issue" an invalid certificate. + + This issue was reported to OpenSSL by Adam Langley/David Benjamin + (Google/BoringSSL). + [Matt Caswell] + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] *) Fix HMAC ABI incompatibility. The previous version introduced an ABI diff --git a/openssl/Makefile.bak b/openssl/Makefile.bak new file mode 100644 index 000000000..9a3e50df6 --- /dev/null +++ b/openssl/Makefile.bak @@ -0,0 +1,679 @@ +### Generated automatically from Makefile.org by Configure. + +## +## Makefile for OpenSSL +## + +VERSION=1.0.2d-dev +MAJOR=1 +MINOR=0.2 +SHLIB_VERSION_NUMBER=1.0.0 +SHLIB_VERSION_HISTORY= +SHLIB_MAJOR=1 +SHLIB_MINOR=0.0 +SHLIB_EXT= +PLATFORM=gcc +OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-store no-unit-test no-zlib no-zlib-dynamic static-engine +CONFIGURE_ARGS=gcc +SHLIB_TARGET= + +# HERE indicates where this Makefile lives. This can be used to indicate +# where sub-Makefiles are expected to be. Currently has very limited usage, +# and should probably not be bothered with at all. +HERE=. + +# INSTALL_PREFIX is for package builders so that they can configure +# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/. +# Normally it is left empty. +INSTALL_PREFIX= +INSTALLTOP=/usr/local/ssl + +# Do not edit this manually. Use Configure --openssldir=DIR do change this! +OPENSSLDIR=/usr/local/ssl + +# NO_IDEA - Define to build without the IDEA algorithm +# NO_RC4 - Define to build without the RC4 algorithm +# NO_RC2 - Define to build without the RC2 algorithm +# THREADS - Define when building with threads, you will probably also need any +# system defines as well, i.e. _REENTERANT for Solaris 2.[34] +# TERMIO - Define the termio terminal subsystem, needed if sgtty is missing. +# TERMIOS - Define the termios terminal subsystem, Silicon Graphics. +# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3). +# DEVRANDOM - Give this the value of the 'random device' if your OS supports +# one. 32 bytes will be read from this when the random +# number generator is initalised. +# SSL_FORBID_ENULL - define if you want the server to be not able to use the +# NULL encryption ciphers. +# +# LOCK_DEBUG - turns on lots of lock debug output :-) +# REF_CHECK - turn on some xyz_free() assertions. +# REF_PRINT - prints some stuff on structure free. +# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff +# MFUNC - Make all Malloc/Free/Realloc calls call +# CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to +# call application defined callbacks via CRYPTO_set_mem_functions() +# MD5_ASM needs to be defined to use the x86 assembler for MD5 +# SHA1_ASM needs to be defined to use the x86 assembler for SHA1 +# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160 +# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must +# equal 4. +# PKCS1_CHECK - pkcs1 tests. + +CC= gcc +CFLAG= -O3 +DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST +PEX_LIBS= +EX_LIBS= +EXE_EXT= +ARFLAGS= +AR= ar $(ARFLAGS) r +RANLIB= /usr/bin/ranlib +NM= nm +PERL= /usr/bin/perl +TAR= tar +TARFLAGS= --no-recursion +MAKEDEPPROG= gcc +LIBDIR=lib + +# We let the C compiler driver to take care of .s files. This is done in +# order to be excused from maintaining a separate set of architecture +# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC +# gcc, then the driver will automatically translate it to -xarch=v8plus +# and pass it down to assembler. +AS=$(CC) -c +ASFLAG=$(CFLAG) + +# For x86 assembler: Set PROCESSOR to 386 if you want to support +# the 80386. +PROCESSOR= + +# CPUID module collects small commonly used assembler snippets +CPUID_OBJ= mem_clr.o +BN_ASM= bn_asm.o +EC_ASM= +DES_ENC= des_enc.o fcrypt_b.o +AES_ENC= aes_core.o aes_cbc.o +BF_ENC= bf_enc.o +CAST_ENC= c_enc.o +RC4_ENC= rc4_enc.o rc4_skey.o +RC5_ENC= rc5_enc.o +MD5_ASM_OBJ= +SHA1_ASM_OBJ= +RMD160_ASM_OBJ= +WP_ASM_OBJ= wp_block.o +CMLL_ENC= camellia.o cmll_misc.o cmll_cbc.o +MODES_ASM_OBJ= +ENGINES_ASM_OBJ= +PERLASM_SCHEME= + +# KRB5 stuff +KRB5_INCLUDES= +LIBKRB5= + +# Zlib stuff +ZLIB_INCLUDE= +LIBZLIB= + +# TOP level FIPS install directory. +FIPSDIR=/usr/local/ssl/fips-2.0 + +# This is the location of fipscanister.o and friends. +# The FIPS module build will place it $(INSTALLTOP)/lib +# but since $(INSTALLTOP) can only take the default value +# when the module is built it will be in /usr/local/ssl/lib +# $(INSTALLTOP) for this build may be different so hard +# code the path. + +FIPSLIBDIR= + +# The location of the library which contains fipscanister.o +# normally it will be libcrypto unless fipsdso is set in which +# case it will be libfips. If not compiling in FIPS mode at all +# this is empty making it a useful test for a FIPS compile. + +FIPSCANLIB= + +# Shared library base address. Currently only used on Windows. +# + +BASEADDR=0xFB00000 + +DIRS= crypto ssl engines apps test tools +ENGDIRS= ccgost +SHLIBDIRS= crypto ssl + +# dirs in crypto to build +SDIRS= \ + objects \ + md4 md5 sha mdc2 hmac ripemd whrlpool \ + des aes rc2 rc4 idea bf cast camellia seed modes \ + bn ec rsa dsa ecdsa dh ecdh dso engine \ + buffer bio stack lhash rand err \ + evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \ + cms pqueue ts srp cmac +# keep in mind that the above list is adjusted by ./Configure +# according to no-xxx arguments... + +# tests to perform. "alltests" is a special word indicating that all tests +# should be performed. +TESTS = alltests + +MAKEFILE= Makefile + +MANDIR=$(OPENSSLDIR)/man +MAN1=1 +MAN3=3 +MANSUFFIX= +HTMLSUFFIX=html +HTMLDIR=$(OPENSSLDIR)/html +SHELL=/bin/sh + +TOP= . +ONEDIRS=out tmp +EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS +WDIRS= windows +LIBS= libcrypto.a libssl.a +SHARED_CRYPTO=libcrypto$(SHLIB_EXT) +SHARED_SSL=libssl$(SHLIB_EXT) +SHARED_LIBS= +SHARED_LIBS_LINK_EXTS= +SHARED_LDFLAGS= + +GENERAL= Makefile +BASENAME= openssl +NAME= $(BASENAME)-$(VERSION) +TARFILE= $(NAME).tar +WTARFILE= $(NAME)-win.tar +EXHEADER= e_os2.h +HEADER= e_os.h + +all: Makefile build_all + +# as we stick to -e, CLEARENV ensures that local variables in lower +# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn +# shell, which [annoyingly enough] terminates unset with error if VAR +# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh, +# which terminates unset with error if no variable was present:-( +CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \ + $${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES} \ + $${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC} \ + $${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL} \ + $${EXHEADER+EXHEADER} $${HEADER+HEADER} \ + $${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \ + $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ + $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ + $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ + $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} + +BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \ + CC='$(CC)' CFLAG='$(CFLAG)' \ + AS='$(CC)' ASFLAG='$(CFLAG) -c' \ + AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \ + CROSS_COMPILE='$(CROSS_COMPILE)' \ + PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \ + SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ + INSTALL_PREFIX='$(INSTALL_PREFIX)' \ + INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)' \ + LIBDIR='$(LIBDIR)' \ + MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \ + DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \ + MAKEDEPPROG='$(MAKEDEPPROG)' \ + SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \ + KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \ + ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \ + EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)' \ + SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)' \ + PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)' \ + CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)' \ + EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' \ + AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)' \ + BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)' \ + RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)' \ + SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \ + MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \ + RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \ + WP_ASM_OBJ='$(WP_ASM_OBJ)' \ + MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \ + ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \ + PERLASM_SCHEME='$(PERLASM_SCHEME)' \ + FIPSLIBDIR='${FIPSLIBDIR}' \ + FIPSDIR='${FIPSDIR}' \ + FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \ + THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES= +# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors, +# which in turn eliminates ambiguities in variable treatment with -e. + +# BUILD_CMD is a generic macro to build a given target in a given +# subdirectory. The target must be given through the shell variable +# `target' and the subdirectory to build in must be given through `dir'. +# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or +# BUILD_ONE_CMD instead. +# +# BUILD_ONE_CMD is a macro to build a given target in a given +# subdirectory if that subdirectory is part of $(DIRS). It requires +# exactly the same shell variables as BUILD_CMD. +# +# RECURSIVE_BUILD_CMD is a macro to build a given target in all +# subdirectories defined in $(DIRS). It requires that the target +# is given through the shell variable `target'. +BUILD_CMD= if [ -d "$$dir" ]; then \ + ( cd $$dir && echo "making $$target in $$dir..." && \ + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \ + ) || exit 1; \ + fi +RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done +BUILD_ONE_CMD=\ + if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \ + $(BUILD_CMD); \ + fi + +reflect: + @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) + +sub_all: build_all + +build_all: build_libs build_apps build_tests build_tools + +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc + +build_crypto: + @dir=crypto; target=all; $(BUILD_ONE_CMD) +build_ssl: build_crypto + @dir=ssl; target=all; $(BUILD_ONE_CMD) +build_engines: build_crypto + @dir=engines; target=all; $(BUILD_ONE_CMD) +build_apps: build_libs + @dir=apps; target=all; $(BUILD_ONE_CMD) +build_tests: build_libs + @dir=test; target=all; $(BUILD_ONE_CMD) +build_tools: build_libs + @dir=tools; target=all; $(BUILD_ONE_CMD) + +all_testapps: build_libs build_testapps +build_testapps: + @dir=crypto; target=testapps; $(BUILD_ONE_CMD) + +fips_premain_dso$(EXE_EXT): libcrypto.a + [ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \ + -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ \ + $(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \ + libcrypto.a $(EX_LIBS) + +libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) + @if [ "$(SHLIB_TARGET)" != "" ]; then \ + if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \ + FIPSLD_LIBCRYPTO=libcrypto.a ; \ + FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ + export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \ + fi; \ + $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ + (touch -c fips_premain_dso$(EXE_EXT) || :); \ + else \ + echo "There's no support for shared libraries on this platform" >&2; \ + exit 1; \ + fi + +libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a + @if [ "$(SHLIB_TARGET)" != "" ]; then \ + $(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \ + else \ + echo "There's no support for shared libraries on this platform" >&2; \ + exit 1; \ + fi + +clean-shared: + @set -e; for i in $(SHLIBDIRS); do \ + if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \ + tmp="$(SHARED_LIBS_LINK_EXTS)"; \ + for j in $${tmp:-x}; do \ + ( set -x; rm -f lib$$i$$j ); \ + done; \ + fi; \ + ( set -x; rm -f lib$$i$(SHLIB_EXT) ); \ + if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \ + ( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \ + fi; \ + done + +link-shared: + @ set -e; for i in $(SHLIBDIRS); do \ + $(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \ + LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ + LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ + symlink.$(SHLIB_TARGET); \ + libs="$$libs -l$$i"; \ + done + +build-shared: do_$(SHLIB_TARGET) link-shared + +do_$(SHLIB_TARGET): + @ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \ + if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + $(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \ + LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \ + LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \ + LIBDEPS="$$libs $(EX_LIBS)" \ + link_a.$(SHLIB_TARGET); \ + libs="-l$$i $$libs"; \ + done + +libcrypto.pc: Makefile + @ ( echo 'prefix=$(INSTALLTOP)'; \ + echo 'exec_prefix=$${prefix}'; \ + echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ + echo 'includedir=$${prefix}/include'; \ + echo ''; \ + echo 'Name: OpenSSL-libcrypto'; \ + echo 'Description: OpenSSL cryptography library'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: '; \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc + +libssl.pc: Makefile + @ ( echo 'prefix=$(INSTALLTOP)'; \ + echo 'exec_prefix=$${prefix}'; \ + echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ + echo 'includedir=$${prefix}/include'; \ + echo ''; \ + echo 'Name: OpenSSL-libssl'; \ + echo 'Description: Secure Sockets Layer and cryptography libraries'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires.private: libcrypto'; \ + echo 'Libs: -L$${libdir} -lssl'; \ + echo 'Libs.private: $(EX_LIBS)'; \ + echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc + +openssl.pc: Makefile + @ ( echo 'prefix=$(INSTALLTOP)'; \ + echo 'exec_prefix=$${prefix}'; \ + echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ + echo 'includedir=$${prefix}/include'; \ + echo ''; \ + echo 'Name: OpenSSL'; \ + echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ + echo 'Version: '$(VERSION); \ + echo 'Requires: libssl libcrypto' ) > openssl.pc + +Makefile: Makefile.org Configure config + @echo "Makefile is older than Makefile.org, Configure or config." + @echo "Reconfigure the source tree (via './config' or 'perl Configure'), please." + @false + +libclean: + rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib + +clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c + @set -e; target=clean; $(RECURSIVE_BUILD_CMD) + rm -f $(LIBS) + rm -f openssl.pc libssl.pc libcrypto.pc + rm -f speed.* .pure + rm -f $(TARFILE) + @set -e; for i in $(ONEDIRS) ;\ + do \ + rm -fr $$i/*; \ + done + +makefile.one: files + $(PERL) util/mk1mf.pl >makefile.one; \ + sh util/do_ms.sh + +files: + $(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO + @set -e; target=files; $(RECURSIVE_BUILD_CMD) + +links: + @$(PERL) $(TOP)/util/mkdir-p.pl include/openssl + @$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER) + @set -e; target=links; $(RECURSIVE_BUILD_CMD) + +gentests: + @(cd test && echo "generating dummy tests (if needed)..." && \ + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate ); + +dclean: + rm -rf *.bak include/openssl certs/.0 + @set -e; target=dclean; $(RECURSIVE_BUILD_CMD) + +rehash: rehash.time +rehash.time: certs apps + @if [ -z "$(CROSS_COMPILE)" ]; then \ + (OPENSSL="`pwd`/util/opensslwrap.sh"; \ + [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ + OPENSSL_DEBUG_MEMORY=on; \ + export OPENSSL OPENSSL_DEBUG_MEMORY; \ + $(PERL) tools/c_rehash certs/demo) && \ + touch rehash.time; \ + else :; fi + +test: tests + +tests: rehash + @(cd test && echo "testing..." && \ + $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests ); + OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a + +report: + @$(PERL) util/selftest.pl + +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + +depend: + @set -e; target=depend; $(RECURSIVE_BUILD_CMD) + +lint: + @set -e; target=lint; $(RECURSIVE_BUILD_CMD) + +tags: + rm -f TAGS + find . -name '[^.]*.[ch]' | xargs etags -a + +errors: + $(PERL) util/ck_errf.pl -strict */*.c */*/*.c + $(PERL) util/mkerr.pl -recurse -write + (cd engines; $(MAKE) PERL=$(PERL) errors) + +stacks: + $(PERL) util/mkstack.pl -write + +util/libeay.num:: + $(PERL) util/mkdef.pl crypto update + +util/ssleay.num:: + $(PERL) util/mkdef.pl ssl update + +TABLE: Configure + (echo 'Output of `Configure TABLE'"':"; \ + $(PERL) Configure TABLE) > TABLE + +# Build distribution tar-file. As the list of files returned by "find" is +# pretty long, on several platforms a "too many arguments" error or similar +# would occur. Therefore the list of files is temporarily stored into a file +# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal +# tar does not support the --files-from option. +tar: + find . -type d -print | xargs chmod 755 + find . -type f -print | xargs chmod a+r + find . -type f -perm -0100 -print | xargs chmod a+x + find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \ + $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \ + tardy --user_number=0 --user_name=openssl \ + --group_number=0 --group_name=openssl \ + --prefix=openssl-$(VERSION) - |\ + gzip --best >../$(TARFILE).gz; \ + rm -f ../$(TARFILE).list; \ + ls -l ../$(TARFILE).gz + +tar-snap: + @$(TAR) $(TARFLAGS) -cvf - \ + `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\ + tardy --user_number=0 --user_name=openssl \ + --group_number=0 --group_name=openssl \ + --prefix=openssl-$(VERSION) - > ../$(TARFILE);\ + ls -l ../$(TARFILE) + +dist: + $(PERL) Configure dist + @$(MAKE) dist_pem_h + @$(MAKE) SDIRS='$(SDIRS)' clean + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar + +dist_pem_h: + (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + +install: all install_docs install_sw + +install_sw: + @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \ + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \ + $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \ + $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ + $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ + $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ + $(INSTALL_PREFIX)$(OPENSSLDIR)/private + @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ + do \ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; + @set -e; target=install; $(RECURSIVE_BUILD_CMD) + @set -e; liblist="$(LIBS)"; for i in $$liblist ;\ + do \ + if [ -f "$$i" ]; then \ + ( echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \ + fi; \ + done; + @set -e; if [ -n "$(SHARED_LIBS)" ]; then \ + tmp="$(SHARED_LIBS)"; \ + for i in $${tmp:-x}; \ + do \ + if [ -f "$$i" -o -f "$$i.a" ]; then \ + ( echo installing $$i; \ + if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \ + c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \ + cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \ + else \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \ + fi ); \ + if expr $(PLATFORM) : 'mingw' > /dev/null; then \ + ( case $$i in \ + *crypto*) i=libeay32.dll;; \ + *ssl*) i=ssleay32.dll;; \ + esac; \ + echo installing $$i; \ + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \ + fi; \ + fi; \ + done; \ + ( here="`pwd`"; \ + cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \ + $(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \ + if [ "$(INSTALLTOP)" != "/usr" ]; then \ + echo 'OpenSSL shared libraries have been installed in:'; \ + echo ' $(INSTALLTOP)'; \ + echo ''; \ + sed -e '1,/^$$/d' doc/openssl-shared.txt; \ + fi; \ + fi + cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc + cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc + cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc + +install_html_docs: + here="`pwd`"; \ + filecase=; \ + case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \ + filecase=-i; \ + esac; \ + for subdir in apps crypto ssl; do \ + mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \ + for i in doc/$$subdir/*.pod; do \ + fn=`basename $$i .pod`; \ + echo "installing html/$$fn.$(HTMLSUFFIX)"; \ + cat $$i \ + | sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \ + | pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \ + | sed -r 's/<!DOCTYPE.*//g' \ + > $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \ + $(PERL) util/extract-names.pl < $$i | \ + grep -v $$filecase "^$$fn\$$" | \ + (cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \ + while read n; do \ + PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \ + done); \ + done; \ + done + +install_docs: + @$(PERL) $(TOP)/util/mkdir-p.pl \ + $(INSTALL_PREFIX)$(MANDIR)/man1 \ + $(INSTALL_PREFIX)$(MANDIR)/man3 \ + $(INSTALL_PREFIX)$(MANDIR)/man5 \ + $(INSTALL_PREFIX)$(MANDIR)/man7 + @pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ + here="`pwd`"; \ + filecase=; \ + case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \ + filecase=-i; \ + esac; \ + set -e; for i in doc/apps/*.pod; do \ + fn=`basename $$i .pod`; \ + sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ + $(PERL) util/extract-names.pl < $$i | \ + (grep -v $$filecase "^$$fn\$$"; true) | \ + (grep -v "[ ]"; true) | \ + (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ + while read n; do \ + PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ + done); \ + done; \ + set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \ + fn=`basename $$i .pod`; \ + sec=`$(PERL) util/extract-section.pl 3 < $$i`; \ + echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + (cd `$(PERL) util/dirname.pl $$i`; \ + sh -c "$$pod2man \ + --section=$$sec --center=OpenSSL \ + --release=$(VERSION) `basename $$i`") \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ + $(PERL) util/extract-names.pl < $$i | \ + (grep -v $$filecase "^$$fn\$$"; true) | \ + (grep -v "[ ]"; true) | \ + (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ + while read n; do \ + PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ + done); \ + done + +# DO NOT DELETE THIS LINE -- make depend depends on it. diff --git a/openssl/Makefile.org b/openssl/Makefile.org index 9f4faae2d..d77e26495 100644 --- a/openssl/Makefile.org +++ b/openssl/Makefile.org @@ -269,6 +269,7 @@ reflect: @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV) sub_all: build_all + build_all: build_libs build_apps build_tests build_tools build_libs: build_libcrypto build_libssl openssl.pc @@ -278,15 +279,15 @@ build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) -build_ssl: +build_ssl: build_crypto @dir=ssl; target=all; $(BUILD_ONE_CMD) -build_engines: +build_engines: build_crypto @dir=engines; target=all; $(BUILD_ONE_CMD) -build_apps: +build_apps: build_libs @dir=apps; target=all; $(BUILD_ONE_CMD) -build_tests: +build_tests: build_libs @dir=test; target=all; $(BUILD_ONE_CMD) -build_tools: +build_tools: build_libs @dir=tools; target=all; $(BUILD_ONE_CMD) all_testapps: build_libs build_testapps diff --git a/openssl/NEWS b/openssl/NEWS index f3574cf4c..29e48053e 100644 --- a/openssl/NEWS +++ b/openssl/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] + + o Alternate chains certificate forgery (CVE-2015-1793) + Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] o Fix HMAC ABI incompatibility diff --git a/openssl/README b/openssl/README index ae0443199..493141b69 100644 --- a/openssl/README +++ b/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2c 12 Jun 2015 + OpenSSL 1.0.2d 9 Jul 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/openssl/apps/ocsp.c b/openssl/apps/ocsp.c index b858b8d3e..926083dd1 100644 --- a/openssl/apps/ocsp.c +++ b/openssl/apps/ocsp.c @@ -209,6 +209,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(tport); if (tpath) OPENSSL_free(tpath); + thost = tport = tpath = NULL; if (args[1]) { args++; if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) { diff --git a/openssl/crypto/bio/bio.h b/openssl/crypto/bio/bio.h index 7878fb198..f78796b06 100644 --- a/openssl/crypto/bio/bio.h +++ b/openssl/crypto/bio/bio.h @@ -291,7 +291,7 @@ void BIO_clear_flags(BIO *b, int flags); * BIO_CB_RETURN flag indicates if it is after the call */ # define BIO_CB_RETURN 0x80 -# define BIO_CB_return(a) ((a)|BIO_CB_RETURN)) +# define BIO_CB_return(a) ((a)|BIO_CB_RETURN) # define BIO_cb_pre(a) (!((a)&BIO_CB_RETURN)) # define BIO_cb_post(a) ((a)&BIO_CB_RETURN) diff --git a/openssl/crypto/bn/Makefile b/openssl/crypto/bn/Makefile index 61dce05ad..215855eca 100644 --- a/openssl/crypto/bn/Makefile +++ b/openssl/crypto/bn/Makefile @@ -253,6 +253,7 @@ bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_exp.c bn_lcl.h +bn_exp.o: rsaz_exp.h bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h diff --git a/openssl/crypto/bn/bn_exp.c b/openssl/crypto/bn/bn_exp.c index 8c46e50bd..24afdd60a 100644 --- a/openssl/crypto/bn/bn_exp.c +++ b/openssl/crypto/bn/bn_exp.c @@ -126,13 +126,7 @@ # include <alloca.h> #endif -#undef RSAZ_ENABLED -#if defined(OPENSSL_BN_ASM_MONT) && \ - (defined(__x86_64) || defined(__x86_64__) || \ - defined(_M_AMD64) || defined(_M_X64)) -# include "rsaz_exp.h" -# define RSAZ_ENABLED -#endif +#include "rsaz_exp.h" #undef SPARC_T4_MONT #if defined(OPENSSL_BN_ASM_MONT) && (defined(__sparc__) || defined(__sparc)) diff --git a/openssl/crypto/bn/bntest.c b/openssl/crypto/bn/bntest.c index 06662c58b..470d5dabf 100644 --- a/openssl/crypto/bn/bntest.c +++ b/openssl/crypto/bn/bntest.c @@ -1042,7 +1042,6 @@ int test_mod_exp_mont_consttime(BIO *bp, BN_CTX *ctx) int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) { BIGNUM *a, *p, *m, *d, *e; - BN_MONT_CTX *mont; a = BN_new(); @@ -1050,7 +1049,6 @@ int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) m = BN_new(); d = BN_new(); e = BN_new(); - mont = BN_MONT_CTX_new(); BN_bntest_rand(m, 1024, 0, 1); /* must be odd for montgomery */ @@ -1099,6 +1097,7 @@ int test_mod_exp_mont5(BIO *bp, BN_CTX *ctx) fprintf(stderr, "Modular exponentiation test failed!\n"); return 0; } + BN_MONT_CTX_free(mont); BN_free(a); BN_free(p); BN_free(m); diff --git a/openssl/crypto/bn/rsaz_exp.c b/openssl/crypto/bn/rsaz_exp.c index a486b154c..c54c6feb5 100755 --- a/openssl/crypto/bn/rsaz_exp.c +++ b/openssl/crypto/bn/rsaz_exp.c @@ -42,6 +42,8 @@ #include "rsaz_exp.h" +#ifdef RSAZ_ENABLED + /* * See crypto/bn/asm/rsaz-avx2.pl for further details. */ @@ -334,3 +336,11 @@ void RSAZ_512_mod_exp(BN_ULONG result[8], OPENSSL_cleanse(storage, sizeof(storage)); } + +#else + +# if defined(PEDANTIC) || defined(__DECC) || defined(__clang__) +static void *dummy = &dummy; +# endif + +#endif diff --git a/openssl/crypto/bn/rsaz_exp.h b/openssl/crypto/bn/rsaz_exp.h index bb71fb1e1..33361de99 100755 --- a/openssl/crypto/bn/rsaz_exp.h +++ b/openssl/crypto/bn/rsaz_exp.h @@ -31,7 +31,13 @@ #ifndef RSAZ_EXP_H # define RSAZ_EXP_H -# include <openssl/bn.h> +# undef RSAZ_ENABLED +# if defined(OPENSSL_BN_ASM_MONT) && \ + (defined(__x86_64) || defined(__x86_64__) || \ + defined(_M_AMD64) || defined(_M_X64)) +# define RSAZ_ENABLED + +# include <openssl/bn.h> void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], @@ -44,4 +50,7 @@ void RSAZ_512_mod_exp(BN_ULONG result[8], const BN_ULONG base_norm[8], const BN_ULONG exponent[8], const BN_ULONG m_norm[8], BN_ULONG k0, const BN_ULONG RR[8]); + +# endif + #endif diff --git a/openssl/crypto/cms/cms_smime.c b/openssl/crypto/cms/cms_smime.c index b39ed4899..5522a376a 100644 --- a/openssl/crypto/cms/cms_smime.c +++ b/openssl/crypto/cms/cms_smime.c @@ -374,7 +374,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, tmpin = BIO_new_mem_buf(ptr, len); if (tmpin == NULL) { CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE); - return 0; + goto err2; } } else tmpin = dcont; @@ -405,6 +405,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, else BIO_free_all(cmsbio); + err2: if (cms_certs) sk_X509_pop_free(cms_certs, X509_free); if (crls) diff --git a/openssl/crypto/evp/e_aes.c b/openssl/crypto/evp/e_aes.c index 33cbed87f..1734a823c 100644 --- a/openssl/crypto/evp/e_aes.c +++ b/openssl/crypto/evp/e_aes.c @@ -1771,7 +1771,7 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_CCM_SET_TAG: if ((arg & 1) || arg < 4 || arg > 16) return 0; - if ((c->encrypt && ptr) || (!c->encrypt && !ptr)) + if (c->encrypt && ptr) return 0; if (ptr) { cctx->tag_set = 1; diff --git a/openssl/crypto/hmac/hmactest.c b/openssl/crypto/hmac/hmactest.c index 271d0ebf2..5a573950a 100644 --- a/openssl/crypto/hmac/hmactest.c +++ b/openssl/crypto/hmac/hmactest.c @@ -195,6 +195,7 @@ int main(int argc, char *argv[]) } printf("test 4 ok\n"); test5: + HMAC_CTX_cleanup(&ctx); HMAC_CTX_init(&ctx); if (HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { printf("Should fail to initialise HMAC with empty MD (test 5)\n"); @@ -284,6 +285,7 @@ test5: printf("test 5 ok\n"); } test6: + HMAC_CTX_cleanup(&ctx); HMAC_CTX_init(&ctx); if (!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { printf("Failed to initialise HMAC (test 6)\n"); @@ -314,6 +316,7 @@ test6: printf("test 6 ok\n"); } end: + HMAC_CTX_cleanup(&ctx); EXIT(err); return (0); } diff --git a/openssl/crypto/opensslconf.h.in b/openssl/crypto/opensslconf.h.in index 97e374556..814309bec 100644 --- a/openssl/crypto/opensslconf.h.in +++ b/openssl/crypto/opensslconf.h.in @@ -101,7 +101,7 @@ #endif #if defined(DES_RISC1) && defined(DES_RISC2) -YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! #endif /* Unroll the inner loop, this sometimes helps, sometimes hinders. diff --git a/openssl/crypto/opensslv.h b/openssl/crypto/opensslv.h index 7cc19dc51..c06b13ac6 100644 --- a/openssl/crypto/opensslv.h +++ b/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000203fL +# define OPENSSL_VERSION_NUMBER 0x1000204fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c-fips 12 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2d-fips 9 Jul 2015" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2c 12 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2d 9 Jul 2015" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl/crypto/pkcs12/p12_kiss.c b/openssl/crypto/pkcs12/p12_kiss.c index ee476c38f..9aa3c90c4 100644 --- a/openssl/crypto/pkcs12/p12_kiss.c +++ b/openssl/crypto/pkcs12/p12_kiss.c @@ -135,10 +135,12 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, while ((x = sk_X509_pop(ocerts))) { if (pkey && *pkey && cert && !*cert) { + ERR_set_mark(); if (X509_check_private_key(x, *pkey)) { *cert = x; x = NULL; } + ERR_pop_to_mark(); } if (ca && x) { diff --git a/openssl/crypto/srp/srptest.c b/openssl/crypto/srp/srptest.c index 451c70e40..00e001bd6 100644 --- a/openssl/crypto/srp/srptest.c +++ b/openssl/crypto/srp/srptest.c @@ -148,6 +148,7 @@ int main(int argc, char **argv) ERR_remove_thread_state(NULL); ERR_free_strings(); CRYPTO_mem_leaks(bio_err); + BIO_free(bio_err); return 0; } diff --git a/openssl/crypto/threads/mttest.c b/openssl/crypto/threads/mttest.c index 8f67db6ee..dbff4a69f 100644 --- a/openssl/crypto/threads/mttest.c +++ b/openssl/crypto/threads/mttest.c @@ -56,7 +56,6 @@ * [including the GNU Public Licence.] */ -#include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> @@ -86,17 +85,11 @@ #include <openssl/lhash.h> #include <openssl/crypto.h> #include <openssl/buffer.h> -#include "../../e_os.h" #include <openssl/x509.h> #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> -#ifdef OPENSSL_NO_FP_API -# define APPS_WIN16 -# include "../buffer/bss_file.c" -#endif - #ifdef OPENSSL_SYS_NETWARE # define TEST_SERVER_CERT "/openssl/apps/server.pem" # define TEST_CLIENT_CERT "/openssl/apps/client.pem" @@ -107,23 +100,23 @@ #define MAX_THREAD_NUMBER 100 -int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs); +int verify_callback(int ok, X509_STORE_CTX *xs); void thread_setup(void); void thread_cleanup(void); void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx); -void irix_locking_callback(int mode, int type, char *file, int line); -void solaris_locking_callback(int mode, int type, char *file, int line); -void win32_locking_callback(int mode, int type, char *file, int line); -void pthreads_locking_callback(int mode, int type, char *file, int line); -void netware_locking_callback(int mode, int type, char *file, int line); +void irix_locking_callback(int mode, int type, const char *file, int line); +void solaris_locking_callback(int mode, int type, const char *file, int line); +void win32_locking_callback(int mode, int type, const char *file, int line); +void pthreads_locking_callback(int mode, int type, const char *file, int line); +void netware_locking_callback(int mode, int type, const char *file, int line); void beos_locking_callback(int mode, int type, const char *file, int line); -unsigned long irix_thread_id(void); -unsigned long solaris_thread_id(void); -unsigned long pthreads_thread_id(void); -unsigned long netware_thread_id(void); -unsigned long beos_thread_id(void); +void irix_thread_id(CRYPTO_THREADID *tid); +void solaris_thread_id(CRYPTO_THREADID *tid); +void pthreads_thread_id(CRYPTO_THREADID *tid); +void netware_thread_id(CRYPTO_THREADID *tid); +void beos_thread_id(CRYPTO_THREADID *tid); #if defined(OPENSSL_SYS_NETWARE) static MPKMutex *lock_cs; @@ -149,39 +142,39 @@ static const char rnd_seed[] = "string to make the random number generator think it has entropy"; int doit(char *ctx[4]); -static void print_stats(FILE *fp, SSL_CTX *ctx) +static void print_stats(BIO *bio, SSL_CTX *ctx) { - fprintf(fp, "%4ld items in the session cache\n", - SSL_CTX_sess_number(ctx)); - fprintf(fp, "%4d client connects (SSL_connect())\n", - SSL_CTX_sess_connect(ctx)); - fprintf(fp, "%4d client connects that finished\n", - SSL_CTX_sess_connect_good(ctx)); - fprintf(fp, "%4d server connects (SSL_accept())\n", - SSL_CTX_sess_accept(ctx)); - fprintf(fp, "%4d server connects that finished\n", - SSL_CTX_sess_accept_good(ctx)); - fprintf(fp, "%4d session cache hits\n", SSL_CTX_sess_hits(ctx)); - fprintf(fp, "%4d session cache misses\n", SSL_CTX_sess_misses(ctx)); - fprintf(fp, "%4d session cache timeouts\n", SSL_CTX_sess_timeouts(ctx)); + BIO_printf(bio, "%4ld items in the session cache\n", + SSL_CTX_sess_number(ctx)); + BIO_printf(bio, "%4d client connects (SSL_connect())\n", + SSL_CTX_sess_connect(ctx)); + BIO_printf(bio, "%4d client connects that finished\n", + SSL_CTX_sess_connect_good(ctx)); + BIO_printf(bio, "%4d server connects (SSL_accept())\n", + SSL_CTX_sess_accept(ctx)); + BIO_printf(bio, "%4d server connects that finished\n", + SSL_CTX_sess_accept_good(ctx)); + BIO_printf(bio, "%4d session cache hits\n", SSL_CTX_sess_hits(ctx)); + BIO_printf(bio, "%4d session cache misses\n", SSL_CTX_sess_misses(ctx)); + BIO_printf(bio, "%4d session cache timeouts\n", SSL_CTX_sess_timeouts(ctx)); } static void sv_usage(void) { - fprintf(stderr, "usage: ssltest [args ...]\n"); - fprintf(stderr, "\n"); - fprintf(stderr, " -server_auth - check server certificate\n"); - fprintf(stderr, " -client_auth - do client authentication\n"); - fprintf(stderr, " -v - more output\n"); - fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); - fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); - fprintf(stderr, " -threads arg - number of threads\n"); - fprintf(stderr, " -loops arg - number of 'connections', per thread\n"); - fprintf(stderr, " -reconnect - reuse session-id's\n"); - fprintf(stderr, " -stats - server session-id cache stats\n"); - fprintf(stderr, " -cert arg - server certificate/key\n"); - fprintf(stderr, " -ccert arg - client certificate/key\n"); - fprintf(stderr, " -ssl3 - just SSLv3n\n"); + BIO_printf(bio_err, "usage: ssltest [args ...]\n"); + BIO_printf(bio_err, "\n"); + BIO_printf(bio_err, " -server_auth - check server certificate\n"); + BIO_printf(bio_err, " -client_auth - do client authentication\n"); + BIO_printf(bio_err, " -v - more output\n"); + BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err, " -threads arg - number of threads\n"); + BIO_printf(bio_err, " -loops arg - number of 'connections', per thread\n"); + BIO_printf(bio_err, " -reconnect - reuse session-id's\n"); + BIO_printf(bio_err, " -stats - server session-id cache stats\n"); + BIO_printf(bio_err, " -cert arg - server certificate/key\n"); + BIO_printf(bio_err, " -ccert arg - client certificate/key\n"); + BIO_printf(bio_err, " -ssl3 - just SSLv3n\n"); } int main(int argc, char *argv[]) @@ -195,14 +188,14 @@ int main(int argc, char *argv[]) SSL_CTX *c_ctx = NULL; char *scert = TEST_SERVER_CERT; char *ccert = TEST_CLIENT_CERT; - SSL_METHOD *ssl_method = SSLv23_method(); + const SSL_METHOD *ssl_method = SSLv23_method(); RAND_seed(rnd_seed, sizeof rnd_seed); if (bio_err == NULL) - bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); + bio_err = BIO_new_fd(2, BIO_NOCLOSE); if (bio_stdout == NULL) - bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE); + bio_stdout = BIO_new_fd(1, BIO_NOCLOSE); argc--; argv++; @@ -250,7 +243,7 @@ int main(int argc, char *argv[]) if (number_of_loops == 0) number_of_loops = 1; } else { - fprintf(stderr, "unknown option %s\n", *argv); + BIO_printf(bio_err, "unknown option %s\n", *argv); badop = 1; break; } @@ -284,9 +277,12 @@ int main(int argc, char *argv[]) SSL_SESS_CACHE_SERVER); if (!SSL_CTX_use_certificate_file(s_ctx, scert, SSL_FILETYPE_PEM)) { + BIO_printf(bio_err, "SSL_CTX_use_certificate_file (%s)\n", scert); ERR_print_errors(bio_err); + goto end; } else if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) { + BIO_printf(bio_err, "SSL_CTX_use_RSAPrivateKey_file (%s)\n", scert); ERR_print_errors(bio_err); goto end; } @@ -300,19 +296,19 @@ int main(int argc, char *argv[]) (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { - fprintf(stderr, "SSL_load_verify_locations\n"); + BIO_printf(bio_err, "SSL_load_verify_locations\n"); ERR_print_errors(bio_err); goto end; } if (client_auth) { - fprintf(stderr, "client authentication\n"); + BIO_printf(bio_err, "client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); } if (server_auth) { - fprintf(stderr, "server authentication\n"); + BIO_printf(bio_err, "server authentication\n"); SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback); } @@ -322,24 +318,24 @@ int main(int argc, char *argv[]) end: if (c_ctx != NULL) { - fprintf(stderr, "Client SSL_CTX stats then free it\n"); - print_stats(stderr, c_ctx); + BIO_printf(bio_err, "Client SSL_CTX stats then free it\n"); + print_stats(bio_err, c_ctx); SSL_CTX_free(c_ctx); } if (s_ctx != NULL) { - fprintf(stderr, "Server SSL_CTX stats then free it\n"); - print_stats(stderr, s_ctx); + BIO_printf(bio_err, "Server SSL_CTX stats then free it\n"); + print_stats(bio_err, s_ctx); if (cache_stats) { - fprintf(stderr, "-----\n"); - lh_stats(SSL_CTX_sessions(s_ctx), stderr); - fprintf(stderr, "-----\n"); - /*- lh_node_stats(SSL_CTX_sessions(s_ctx),stderr); - fprintf(stderr,"-----\n"); */ - lh_node_usage_stats(SSL_CTX_sessions(s_ctx), stderr); - fprintf(stderr, "-----\n"); + BIO_printf(bio_err, "-----\n"); + lh_SSL_SESSION_stats_bio(SSL_CTX_sessions(s_ctx), bio_err); + BIO_printf(bio_err, "-----\n"); + /*- lh_SSL_SESSION_node_stats_bio(SSL_CTX_sessions(s_ctx),bio_err); + BIO_printf(bio_err,"-----\n"); */ + lh_SSL_SESSION_node_usage_stats_bio(SSL_CTX_sessions(s_ctx), bio_err); + BIO_printf(bio_err, "-----\n"); } SSL_CTX_free(s_ctx); - fprintf(stderr, "done free\n"); + BIO_printf(bio_err, "done free\n"); } exit(ret); return (0); @@ -355,6 +351,7 @@ int ndoit(SSL_CTX *ssl_ctx[2]) int i; int ret; char *ctx[4]; + CRYPTO_THREADID thread_id; ctx[0] = (char *)ssl_ctx[0]; ctx[1] = (char *)ssl_ctx[1]; @@ -367,22 +364,24 @@ int ndoit(SSL_CTX *ssl_ctx[2]) ctx[3] = NULL; } - fprintf(stdout, "started thread %lu\n", CRYPTO_thread_id()); + CRYPTO_THREADID_current(&thread_id); + BIO_printf(bio_stdout, "started thread %lu\n", + CRYPTO_THREADID_hash(&thread_id)); for (i = 0; i < number_of_loops; i++) { -/*- fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n", - CRYPTO_thread_id(),i, - ssl_ctx[0]->references, - ssl_ctx[1]->references); */ +/*- BIO_printf(bio_err,"%4d %2d ctx->ref (%3d,%3d)\n", + CRYPTO_THREADID_hash(&thread_id),i, + ssl_ctx[0]->references, + ssl_ctx[1]->references); */ /* pthread_delay_np(&tm); */ ret = doit(ctx); if (ret != 0) { - fprintf(stdout, "error[%d] %lu - %d\n", - i, CRYPTO_thread_id(), ret); + BIO_printf(bio_stdout, "error[%d] %lu - %d\n", + i, CRYPTO_THREADID_hash(&thread_id), ret); return (ret); } } - fprintf(stdout, "DONE %lu\n", CRYPTO_thread_id()); + BIO_printf(bio_stdout, "DONE %lu\n", CRYPTO_THREADID_hash(&thread_id)); if (reconnect) { SSL_free((SSL *)ctx[2]); SSL_free((SSL *)ctx[3]); @@ -467,26 +466,26 @@ int doit(char *ctx[4]) if (do_server && verbose) { if (SSL_in_init(s_ssl)) - printf("server waiting in SSL_accept - %s\n", - SSL_state_string_long(s_ssl)); + BIO_printf(bio_stdout, "server waiting in SSL_accept - %s\n", + SSL_state_string_long(s_ssl)); else if (s_write) - printf("server:SSL_write()\n"); + BIO_printf(bio_stdout, "server:SSL_write()\n"); else - printf("server:SSL_read()\n"); + BIO_printf(bio_stdout, "server:SSL_read()\n"); } if (do_client && verbose) { if (SSL_in_init(c_ssl)) - printf("client waiting in SSL_connect - %s\n", - SSL_state_string_long(c_ssl)); + BIO_printf(bio_stdout, "client waiting in SSL_connect - %s\n", + SSL_state_string_long(c_ssl)); else if (c_write) - printf("client:SSL_write()\n"); + BIO_printf(bio_stdout, "client:SSL_write()\n"); else - printf("client:SSL_read()\n"); + BIO_printf(bio_stdout, "client:SSL_read()\n"); } if (!do_client && !do_server) { - fprintf(stdout, "ERROR IN STARTUP\n"); + BIO_printf(bio_stdout, "ERROR IN STARTUP\n"); break; } if (do_client && !(done & C_DONE)) { @@ -501,12 +500,12 @@ int doit(char *ctx[4]) if (BIO_should_write(c_bio)) c_w = 1; } else { - fprintf(stderr, "ERROR in CLIENT\n"); + BIO_printf(bio_err, "ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); + BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n"); return (1); } else { /* ok */ @@ -523,19 +522,19 @@ int doit(char *ctx[4]) if (BIO_should_write(c_bio)) c_w = 1; } else { - fprintf(stderr, "ERROR in CLIENT\n"); + BIO_printf(bio_err, "ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { - fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); + BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n"); return (1); } else { done |= C_DONE; #ifdef undef - fprintf(stdout, "CLIENT:from server:"); - fwrite(cbuf, 1, i, stdout); - fflush(stdout); + BIO_printf(bio_stdout, "CLIENT:from server:"); + BIO_write(bio_stdout, cbuf, i); + BIO_flush(bio_stdout); #endif } } @@ -553,20 +552,20 @@ int doit(char *ctx[4]) if (BIO_should_write(s_bio)) s_w = 1; } else { - fprintf(stderr, "ERROR in SERVER\n"); + BIO_printf(bio_err, "ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { - fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); + BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n"); return (1); } else { s_write = 1; s_w = 1; #ifdef undef - fprintf(stdout, "SERVER:from client:"); - fwrite(sbuf, 1, i, stdout); - fflush(stdout); + BIO_printf(bio_stdout, "SERVER:from client:"); + BIO_write(bio_stdout, sbuf, i); + BIO_flush(bio_stdout); #endif } } else { @@ -580,12 +579,12 @@ int doit(char *ctx[4]) if (BIO_should_write(s_bio)) s_w = 1; } else { - fprintf(stderr, "ERROR in SERVER\n"); + BIO_printf(bio_err, "ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { - fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); + BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n"); return (1); } else { s_write = 0; @@ -606,7 +605,7 @@ int doit(char *ctx[4]) SSL_set_shutdown(s_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); #ifdef undef - fprintf(stdout, "DONE\n"); + BIO_printf(bio_stdout, "DONE\n"); #endif err: /* @@ -640,7 +639,7 @@ int doit(char *ctx[4]) return (0); } -int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) +int verify_callback(int ok, X509_STORE_CTX *ctx) { char *s, buf[256]; @@ -649,9 +648,9 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) buf, 256); if (s != NULL) { if (ok) - fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf); + BIO_printf(bio_err, "depth=%d %s\n", ctx->error_depth, buf); else - fprintf(stderr, "depth=%d error=%d %s\n", + BIO_printf(bio_err, "depth=%d error=%d %s\n", ctx->error_depth, ctx->error, buf); } } @@ -688,7 +687,7 @@ void thread_cleanup(void) OPENSSL_free(lock_cs); } -void win32_locking_callback(int mode, int type, char *file, int line) +void win32_locking_callback(int mode, int type, const char *file, int line) { if (mode & CRYPTO_LOCK) { WaitForSingleObject(lock_cs[type], INFINITE); @@ -717,7 +716,7 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) (void *)ssl_ctx, 0L, &(thread_id[i])); } - printf("reaping\n"); + BIO_printf(bio_stdout, "reaping\n"); for (i = 0; i < thread_number; i += 50) { int j; @@ -727,7 +726,7 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) (CONST HANDLE *) & (thread_handle[i]), TRUE, INFINITE) == WAIT_FAILED) { - fprintf(stderr, "WaitForMultipleObjects failed:%d\n", + BIO_printf(bio_err, "WaitForMultipleObjects failed:%d\n", GetLastError()); exit(1); } @@ -743,7 +742,7 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) ret = (ret + end.wSecond - start.wSecond); ret += (end.wMilliseconds - start.wMilliseconds) / 1000.0; - printf("win32 threads done - %.3f seconds\n", ret); + BIO_printf(bio_stdout, "win32 threads done - %.3f seconds\n", ret); } #endif /* OPENSSL_SYS_WIN32 */ @@ -768,8 +767,8 @@ void thread_setup(void) mutex_init(&(lock_cs[i]), USYNC_THREAD, NULL); } - CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id); - CRYPTO_set_locking_callback((void (*)())solaris_locking_callback); + CRYPTO_set_id_callback(solaris_thread_id); + CRYPTO_set_locking_callback(solaris_locking_callback); } void thread_cleanup(void) @@ -778,34 +777,34 @@ void thread_cleanup(void) CRYPTO_set_locking_callback(NULL); - fprintf(stderr, "cleanup\n"); + BIO_printf(bio_err, "cleanup\n"); for (i = 0; i < CRYPTO_num_locks(); i++) { /* rwlock_destroy(&(lock_cs[i])); */ mutex_destroy(&(lock_cs[i])); - fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); + BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); } OPENSSL_free(lock_cs); OPENSSL_free(lock_count); - fprintf(stderr, "done cleanup\n"); + BIO_printf(bio_err, "done cleanup\n"); } -void solaris_locking_callback(int mode, int type, char *file, int line) +void solaris_locking_callback(int mode, int type, const char *file, int line) { # ifdef undef - fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n", - CRYPTO_thread_id(), - (mode & CRYPTO_LOCK) ? "l" : "u", - (type & CRYPTO_READ) ? "r" : "w", file, line); + BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n", + CRYPTO_thread_id(), + (mode & CRYPTO_LOCK) ? "l" : "u", + (type & CRYPTO_READ) ? "r" : "w", file, line); # endif /*- if (CRYPTO_LOCK_SSL_CERT == type) - fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", - CRYPTO_thread_id(), - mode,file,line); + BIO_printf(bio_err,"(t,m,f,l) %ld %d %s %d\n", + CRYPTO_thread_id(), + mode,file,line); */ if (mode & CRYPTO_LOCK) { /*- @@ -837,21 +836,22 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) (void *(*)())ndoit, (void *)ssl_ctx, 0L, &(thread_ctx[i])); } - printf("reaping\n"); + BIO_printf(bio_stdout, "reaping\n"); for (i = 0; i < thread_number; i++) { thr_join(thread_ctx[i], NULL, NULL); } - printf("solaris threads done (%d,%d)\n", - s_ctx->references, c_ctx->references); +#if 0 /* We can't currently find out the reference amount */ + BIO_printf(bio_stdout, "solaris threads done (%d,%d)\n", + s_ctx->references, c_ctx->references); +#else + BIO_printf(bio_stdout, "solaris threads done\n"); +#endif } -unsigned long solaris_thread_id(void) +void solaris_thread_id(CRYPTO_THREADID *tid) { - unsigned long ret; - - ret = (unsigned long)thr_self(); - return (ret); + CRYPTO_THREADID_set_numeric((unsigned long)thr_self()); } #endif /* SOLARIS */ @@ -880,8 +880,8 @@ void thread_setup(void) lock_cs[i] = usnewsema(arena, 1); } - CRYPTO_set_id_callback((unsigned long (*)())irix_thread_id); - CRYPTO_set_locking_callback((void (*)())irix_locking_callback); + CRYPTO_set_id_callback(irix_thread_id); + CRYPTO_set_locking_callback(irix_locking_callback); } void thread_cleanup(void) @@ -899,13 +899,13 @@ void thread_cleanup(void) OPENSSL_free(lock_cs); } -void irix_locking_callback(int mode, int type, char *file, int line) +void irix_locking_callback(int mode, int type, const char *file, int line) { if (mode & CRYPTO_LOCK) { - printf("lock %d\n", type); + BIO_printf(bio_stdout, "lock %d\n", type); uspsema(lock_cs[type]); } else { - printf("unlock %d\n", type); + BIO_printf(bio_stdout, "unlock %d\n", type); usvsema(lock_cs[type]); } } @@ -924,21 +924,22 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) PR_SADDR | PR_SFDS, (void *)ssl_ctx); } - printf("reaping\n"); + BIO_printf(bio_stdout, "reaping\n"); for (i = 0; i < thread_number; i++) { wait(NULL); } - printf("irix threads done (%d,%d)\n", - s_ctx->references, c_ctx->references); +#if 0 /* We can't currently find out the reference amount */ + BIO_printf(bio_stdout, "irix threads done (%d,%d)\n", + s_ctx->references, c_ctx->references); +#else + BIO_printf(bio_stdout, "irix threads done\n"); +#endif } unsigned long irix_thread_id(void) { - unsigned long ret; - - ret = (unsigned long)getpid(); - return (ret); + CRYPTO_THREADID_set_numeric((unsigned long)getpid()); } #endif /* IRIX */ @@ -958,8 +959,8 @@ void thread_setup(void) pthread_mutex_init(&(lock_cs[i]), NULL); } - CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id); - CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback); + CRYPTO_THREADID_set_callback(pthreads_thread_id); + CRYPTO_set_locking_callback(pthreads_locking_callback); } void thread_cleanup(void) @@ -967,30 +968,30 @@ void thread_cleanup(void) int i; CRYPTO_set_locking_callback(NULL); - fprintf(stderr, "cleanup\n"); + BIO_printf(bio_err, "cleanup\n"); for (i = 0; i < CRYPTO_num_locks(); i++) { pthread_mutex_destroy(&(lock_cs[i])); - fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); + BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); } OPENSSL_free(lock_cs); OPENSSL_free(lock_count); - fprintf(stderr, "done cleanup\n"); + BIO_printf(bio_err, "done cleanup\n"); } -void pthreads_locking_callback(int mode, int type, char *file, int line) +void pthreads_locking_callback(int mode, int type, const char *file, int line) { # ifdef undef - fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n", - CRYPTO_thread_id(), - (mode & CRYPTO_LOCK) ? "l" : "u", - (type & CRYPTO_READ) ? "r" : "w", file, line); + BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n", + CRYPTO_thread_id(), + (mode & CRYPTO_LOCK) ? "l" : "u", + (type & CRYPTO_READ) ? "r" : "w", file, line); # endif /*- if (CRYPTO_LOCK_SSL_CERT == type) - fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n", - CRYPTO_thread_id(), - mode,file,line); + BIO_printf(bio_err,"(t,m,f,l) %ld %d %s %d\n", + CRYPTO_thread_id(), + mode,file,line); */ if (mode & CRYPTO_LOCK) { pthread_mutex_lock(&(lock_cs[type])); @@ -1017,21 +1018,22 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) (void *(*)())ndoit, (void *)ssl_ctx); } - printf("reaping\n"); + BIO_printf(bio_stdout, "reaping\n"); for (i = 0; i < thread_number; i++) { pthread_join(thread_ctx[i], NULL); } - printf("pthreads threads done (%d,%d)\n", - s_ctx->references, c_ctx->references); +#if 0 /* We can't currently find out the reference amount */ + BIO_printf(bio_stdout, "pthreads threads done (%d,%d)\n", + s_ctx->references, c_ctx->references); +#else + BIO_printf(bio_stdout, "pthreads threads done\n"); +#endif } -unsigned long pthreads_thread_id(void) +void pthreads_thread_id(CRYPTO_THREADID *tid) { - unsigned long ret; - - ret = (unsigned long)pthread_self(); - return (ret); + CRYPTO_THREADID_set_numeric(tid, (unsigned long)pthread_self()); } #endif /* PTHREADS */ @@ -1051,8 +1053,8 @@ void thread_setup(void) ThreadSem = MPKSemaphoreAlloc("OpenSSL mttest semaphore", 0); - CRYPTO_set_id_callback((unsigned long (*)())netware_thread_id); - CRYPTO_set_locking_callback((void (*)())netware_locking_callback); + CRYPTO_set_id_callback(netware_thread_id); + CRYPTO_set_locking_callback(netware_locking_callback); } void thread_cleanup(void) @@ -1061,21 +1063,21 @@ void thread_cleanup(void) CRYPTO_set_locking_callback(NULL); - fprintf(stdout, "thread_cleanup\n"); + BIO_printf(bio_stdout, "thread_cleanup\n"); for (i = 0; i < CRYPTO_num_locks(); i++) { MPKMutexFree(lock_cs[i]); - fprintf(stdout, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); + BIO_printf(bio_stdout, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); } OPENSSL_free(lock_cs); OPENSSL_free(lock_count); MPKSemaphoreFree(ThreadSem); - fprintf(stdout, "done cleanup\n"); + BIO_printf(bio_stdout, "done cleanup\n"); } -void netware_locking_callback(int mode, int type, char *file, int line) +void netware_locking_callback(int mode, int type, const char *file, int line) { if (mode & CRYPTO_LOCK) { MPKMutexLock(lock_cs[type]); @@ -1097,22 +1099,23 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) ThreadSwitchWithDelay(); } - printf("reaping\n"); + BIO_printf(bio_stdout, "reaping\n"); /* loop until all threads have signaled the semaphore */ for (i = 0; i < thread_number; i++) { MPKSemaphoreWait(ThreadSem); } - printf("netware threads done (%d,%d)\n", - s_ctx->references, c_ctx->references); +#if 0 /* We can't currently find out the reference amount */ + BIO_printf(bio_stdout, "netware threads done (%d,%d)\n", + s_ctx->references, c_ctx->references); +#else + BIO_printf(bio_stdout, "netware threads done\n"); +#endif } unsigned long netware_thread_id(void) { - unsigned long ret; - - ret = (unsigned long)GetThreadID(); - return (ret); + CRYPTO_THREADID_set_numeric((unsigned long)GetThreadID()); } #endif /* NETWARE */ @@ -1144,24 +1147,24 @@ void thread_cleanup(void) int i; CRYPTO_set_locking_callback(NULL); - fprintf(stderr, "cleanup\n"); + BIO_printf(bio_err, "cleanup\n"); for (i = 0; i < CRYPTO_num_locks(); i++) { delete lock_cs[i]; - fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); + BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i)); } OPENSSL_free(lock_cs); OPENSSL_free(lock_count); - fprintf(stderr, "done cleanup\n"); + BIO_printf(bio_err, "done cleanup\n"); } void beos_locking_callback(int mode, int type, const char *file, int line) { # if 0 - fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n", - CRYPTO_thread_id(), - (mode & CRYPTO_LOCK) ? "l" : "u", - (type & CRYPTO_READ) ? "r" : "w", file, line); + BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n", + CRYPTO_thread_id(), + (mode & CRYPTO_LOCK) ? "l" : "u", + (type & CRYPTO_READ) ? "r" : "w", file, line); # endif if (mode & CRYPTO_LOCK) { lock_cs[type]->Lock(); @@ -1187,14 +1190,14 @@ void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx) resume_thread(thread_ctx[i]); } - printf("waiting...\n"); + BIO_printf(bio_stdout, "waiting...\n"); for (i = 0; i < thread_number; i++) { status_t result; wait_for_thread(thread_ctx[i], &result); } - printf("beos threads done (%d,%d)\n", - s_ctx->references, c_ctx->references); + BIO_printf(bio_stdout, "beos threads done (%d,%d)\n", + s_ctx->references, c_ctx->references); } unsigned long beos_thread_id(void) diff --git a/openssl/crypto/threads/pthread2.sh b/openssl/crypto/threads/pthread2.sh index 41264c6a5..ec945c451 100644 --- a/openssl/crypto/threads/pthread2.sh +++ b/openssl/crypto/threads/pthread2.sh @@ -3,5 +3,4 @@ # build using pthreads where it's already built into the system # /bin/rm -f mttest -gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread - +gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread -ldl diff --git a/openssl/crypto/x509/Makefile b/openssl/crypto/x509/Makefile index 01aa3bf38..bf197a1d9 100644 --- a/openssl/crypto/x509/Makefile +++ b/openssl/crypto/x509/Makefile @@ -13,7 +13,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile README -TEST= +TEST=verify_extra_test.c APPS= LIB=$(TOP)/libcrypto.a diff --git a/openssl/crypto/x509/verify_extra_test.c b/openssl/crypto/x509/verify_extra_test.c new file mode 100644 index 000000000..08509f013 --- /dev/null +++ b/openssl/crypto/x509/verify_extra_test.c @@ -0,0 +1,208 @@ +/* + * Written by Matt Caswell for the OpenSSL project. + */ +/* ==================================================================== + * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include <stdio.h> +#include <openssl/crypto.h> +#include <openssl/bio.h> +#include <openssl/x509.h> +#include <openssl/pem.h> +#include <openssl/err.h> + +static STACK_OF(X509) *load_certs_from_file(const char *filename) +{ + STACK_OF(X509) *certs; + BIO *bio; + X509 *x; + + bio = BIO_new_file(filename, "r"); + + if (bio == NULL) { + return NULL; + } + + certs = sk_X509_new_null(); + if (certs == NULL) { + BIO_free(bio); + return NULL; + } + + ERR_set_mark(); + do { + x = PEM_read_bio_X509(bio, NULL, 0, NULL); + if (x != NULL && !sk_X509_push(certs, x)) { + sk_X509_pop_free(certs, X509_free); + BIO_free(bio); + return NULL; + } else if (x == NULL) { + /* + * We probably just ran out of certs, so ignore any errors + * generated + */ + ERR_pop_to_mark(); + } + } while (x != NULL); + + BIO_free(bio); + + return certs; +} + +/* + * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) + * + * Chain is as follows: + * + * rootCA (self-signed) + * | + * interCA + * | + * subinterCA subinterCA (self-signed) + * | | + * leaf ------------------ + * | + * bad + * + * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE + * leaf and bad have CA=FALSE + * + * subinterCA and subinterCA (ss) have the same subject name and keys + * + * interCA (but not rootCA) and subinterCA (ss) are in the trusted store + * (roots.pem) + * leaf and subinterCA are in the untrusted list (untrusted.pem) + * bad is the certificate being verified (bad.pem) + * + * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has + * CA=FALSE, and will therefore incorrectly verify bad + * + */ +static int test_alt_chains_cert_forgery(void) +{ + int ret = 0; + int i; + X509 *x = NULL; + STACK_OF(X509) *untrusted = NULL; + BIO *bio = NULL; + X509_STORE_CTX *sctx = NULL; + X509_STORE *store = NULL; + X509_LOOKUP *lookup = NULL; + + store = X509_STORE_new(); + if (store == NULL) + goto err; + + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto err; + if(!X509_LOOKUP_load_file(lookup, "certs/roots.pem", X509_FILETYPE_PEM)) + goto err; + + untrusted = load_certs_from_file("certs/untrusted.pem"); + + if ((bio = BIO_new_file("certs/bad.pem", "r")) == NULL) + goto err; + + if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) + goto err; + + sctx = X509_STORE_CTX_new(); + if (sctx == NULL) + goto err; + + if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) + goto err; + + i = X509_verify_cert(sctx); + + if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { + /* This is the result we were expecting: Test passed */ + ret = 1; + } + err: + X509_STORE_CTX_free(sctx); + X509_free(x); + BIO_free(bio); + sk_X509_pop_free(untrusted, X509_free); + X509_STORE_free(store); + if (ret != 1) + ERR_print_errors_fp(stderr); + return ret; +} + +int main(void) +{ + CRYPTO_malloc_debug_init(); + CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + ERR_load_crypto_strings(); + OpenSSL_add_all_digests(); + + if (!test_alt_chains_cert_forgery()) { + fprintf(stderr, "Test alt chains cert forgery failed\n"); + return 1; + } + + EVP_cleanup(); + CRYPTO_cleanup_all_ex_data(); + ERR_remove_thread_state(NULL); + ERR_free_strings(); + CRYPTO_mem_leaks_fp(stderr); + + printf("PASS\n"); + return 0; +} diff --git a/openssl/crypto/x509/x509_vfy.c b/openssl/crypto/x509/x509_vfy.c index 8ce41f9c9..a2f1dbefe 100644 --- a/openssl/crypto/x509/x509_vfy.c +++ b/openssl/crypto/x509/x509_vfy.c @@ -198,6 +198,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); return -1; } + if (ctx->chain != NULL) { + /* + * This X509_STORE_CTX has already been used to verify a cert. We + * cannot do another one. + */ + X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } cb = ctx->verify_cb; @@ -205,15 +213,13 @@ int X509_verify_cert(X509_STORE_CTX *ctx) * first we make sure the chain we are going to build is present and that * the first entry is in place */ - if (ctx->chain == NULL) { - if (((ctx->chain = sk_X509_new_null()) == NULL) || - (!sk_X509_push(ctx->chain, ctx->cert))) { - X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - goto end; - } - CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); - ctx->last_untrusted = 1; + if (((ctx->chain = sk_X509_new_null()) == NULL) || + (!sk_X509_push(ctx->chain, ctx->cert))) { + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + goto end; } + CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509); + ctx->last_untrusted = 1; /* We use a temporary STACK so we can chop and hack at it */ if (ctx->untrusted != NULL @@ -389,8 +395,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) xtmp = sk_X509_pop(ctx->chain); X509_free(xtmp); num--; - ctx->last_untrusted--; } + ctx->last_untrusted = sk_X509_num(ctx->chain); retry = 1; break; } diff --git a/openssl/doc/apps/verify.pod b/openssl/doc/apps/verify.pod index df1b86dfe..bffa6c0ec 100644 --- a/openssl/doc/apps/verify.pod +++ b/openssl/doc/apps/verify.pod @@ -15,6 +15,7 @@ B<openssl> B<verify> [B<-attime timestamp>] [B<-check_ss_sig>] [B<-crlfile file>] +[B<-crl_download>] [B<-crl_check>] [B<-crl_check_all>] [B<-policy_check>] @@ -29,6 +30,7 @@ B<openssl> B<verify> [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] +[B<-trusted file>] [B<-verbose>] [B<->] [certificates] @@ -69,6 +71,10 @@ because it doesn't add any security. File containing one or more CRL's (in PEM format) to load. +=item B<-crl_download> + +Attempt to download CRL information for this certificate. + =item B<-crl_check> Checks end entity certificate validity by attempting to look up a valid CRL. @@ -133,6 +139,11 @@ be found that is trusted. With this option that behaviour is suppressed so that only the first chain found is ever used. Using this option will force the behaviour to match that of previous OpenSSL versions. +=item B<-trusted file> + +A file of additional trusted certificates. The file should contain multiple +certificates in PEM format concatenated together. + =item B<-policy_print> Print out diagnostics related to policy processing. diff --git a/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod b/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod index c8a812879..109f56132 100644 --- a/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod +++ b/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod @@ -29,6 +29,7 @@ and issuer names. X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos> should initially be set to -1. If there are no more entries -1 is returned. +If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned. X509_NAME_entry_count() returns the total number of entries in B<name>. @@ -63,6 +64,10 @@ The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in the source code header files E<lt>openssl/obj_mac.hE<gt> and/or E<lt>openssl/objects.hE<gt>. +Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID() +should check for the return value of -2. Alternatively the NID validity +can be determined first by checking OBJ_nid2obj(nid) is not NULL. + =head1 EXAMPLES Process all entries: @@ -95,6 +100,8 @@ Process all commonName entries: X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() return the index of the next matching entry or -1 if not found. +X509_NAME_get_index_by_NID() can also return -2 if the supplied +NID is invalid. X509_NAME_entry_count() returns the total number of entries. diff --git a/openssl/doc/crypto/X509_STORE_CTX_new.pod b/openssl/doc/crypto/X509_STORE_CTX_new.pod index b17888f14..eb38b0a10 100644 --- a/openssl/doc/crypto/X509_STORE_CTX_new.pod +++ b/openssl/doc/crypto/X509_STORE_CTX_new.pod @@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx> is no longer valid. X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation. -The trusted certificate store is set to B<store>, the end entity certificate -to be verified is set to B<x509> and a set of additional certificates (which -will be untrusted but may be used to build the chain) in B<chain>. Any or -all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>. +It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only +good for one call to X509_verify_cert(); if you want to verify a second +certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup() +and then X509_STORE_CTX_init() again before the second call to +X509_verify_cert(). The trusted certificate store is set to B<store>, the end +entity certificate to be verified is set to B<x509> and a set of additional +certificates (which will be untrusted but may be used to build the chain) in +B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be +B<NULL>. X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx> to B<sk>. This is an alternative way of specifying trusted certificates diff --git a/openssl/doc/crypto/X509_verify_cert.pod b/openssl/doc/crypto/X509_verify_cert.pod index 5253bdcd7..a22e44118 100644 --- a/openssl/doc/crypto/X509_verify_cert.pod +++ b/openssl/doc/crypto/X509_verify_cert.pod @@ -32,7 +32,8 @@ OpenSSL internally for certificate validation, in both the S/MIME and SSL/TLS code. The negative return value from X509_verify_cert() can only occur if no -certificate is set in B<ctx> (due to a programming error) or if a retry +certificate is set in B<ctx> (due to a programming error); if X509_verify_cert() +twice without reinitialising B<ctx> in between; or if a retry operation is requested during internal lookups (which never happens with standard lookup methods). It is however recommended that application check for <= 0 return value on error. diff --git a/openssl/doc/ssl/SSL_CTX_get0_param.pod b/openssl/doc/ssl/SSL_CTX_get0_param.pod new file mode 100644 index 000000000..332f18118 --- /dev/null +++ b/openssl/doc/ssl/SSL_CTX_get0_param.pod @@ -0,0 +1,55 @@ +=pod + +=head1 NAME + +SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param - +get and set verification parameters + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) + X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) + int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm) + int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm) + +=head1 DESCRIPTION + +SSL_CTX_get0_param() and SSL_get0_param() retrieve an internal pointer to +the verification parameters for B<ctx> or B<ssl> respectively. The returned +pointer must not be freed by the calling application. + +SSL_CTX_set1_param() and SSL_set1_param() set the verification parameters +to B<vpm> for B<ctx> or B<ssl>. + +=head1 NOTES + +Typically parameters are retrieved from an B<SSL_CTX> or B<SSL> structure +using SSL_CTX_get0_param() or SSL_get0_param() and an application modifies +them to suit its needs: for example to add a hostname check. + +=head1 EXAMPLE + +Check hostname matches "www.foo.com" in peer certificate: + + X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl); + X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com"); + +=head1 RETURN VALUES + +SSL_CTX_get0_param() and SSL_get0_param() return a pointer to an +B<X509_VERIFY_PARAM> structure. + +SSL_CTX_set1_param() and SSL_set1_param() return 1 for success and 0 +for failure. + +=head1 SEE ALSO + +L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)> + +=head1 HISTORY + +These functions were first added to OpenSSL 1.0.2. + +=cut diff --git a/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod b/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod index da7935c83..318e052e2 100755 --- a/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod +++ b/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod @@ -2,7 +2,7 @@ =head1 NAME -SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file +SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - use serverinfo extension =head1 SYNOPSIS diff --git a/openssl/openssl.spec b/openssl/openssl.spec index e6c758433..b721d6572 100644 --- a/openssl/openssl.spec +++ b/openssl/openssl.spec @@ -6,7 +6,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2c +Version: 1.0.2d Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c index 2346ce50c..6af145a8b 100644 --- a/openssl/ssl/s3_clnt.c +++ b/openssl/ssl/s3_clnt.c @@ -1456,8 +1456,6 @@ int ssl3_get_key_exchange(SSL *s) #ifndef OPENSSL_NO_PSK if (alg_k & SSL_kPSK) { - char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1]; - param_len = 2; if (param_len > n) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); @@ -1483,17 +1481,8 @@ int ssl3_get_key_exchange(SSL *s) } param_len += i; - /* - * If received PSK identity hint contains NULL characters, the hint - * is truncated from the first NULL. p may not be ending with NULL, - * so create a NULL-terminated string. - */ - memcpy(tmp_id_hint, p, i); - memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i); - if (s->ctx->psk_identity_hint != NULL) - OPENSSL_free(s->ctx->psk_identity_hint); - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); - if (s->ctx->psk_identity_hint == NULL) { + s->session->psk_identity_hint = BUF_strndup((char *)p, i); + if (s->session->psk_identity_hint == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto f_err; @@ -3077,7 +3066,7 @@ int ssl3_send_client_key_exchange(SSL *s) } memset(identity, 0, sizeof(identity)); - psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, + psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, identity, sizeof(identity) - 1, psk_or_pre_ms, sizeof(psk_or_pre_ms)); diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c index 5db349a23..ad9eeb6fd 100644 --- a/openssl/ssl/s3_lib.c +++ b/openssl/ssl/s3_lib.c @@ -3084,7 +3084,7 @@ void ssl3_clear(SSL *s) } #if !defined(OPENSSL_NO_TLSEXT) if (s->s3->alpn_selected) { - free(s->s3->alpn_selected); + OPENSSL_free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; } #endif diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c index 8885694c0..acd3b9e96 100644 --- a/openssl/ssl/s3_srvr.c +++ b/openssl/ssl/s3_srvr.c @@ -2780,7 +2780,7 @@ int ssl3_get_client_key_exchange(SSL *s) if (s->session->psk_identity != NULL) OPENSSL_free(s->session->psk_identity); - s->session->psk_identity = BUF_strdup((char *)p); + s->session->psk_identity = BUF_strndup((char *)p, i); if (s->session->psk_identity == NULL) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto psk_err; diff --git a/openssl/test/Makefile b/openssl/test/Makefile index a570fadf9..e695073fd 100644 --- a/openssl/test/Makefile +++ b/openssl/test/Makefile @@ -68,6 +68,7 @@ V3NAMETEST= v3nametest ASN1TEST= asn1test HEARTBEATTEST= heartbeat_test CONSTTIMETEST= constant_time_test +VERIFYEXTRATEST= verify_extra_test TESTS= alltests @@ -80,7 +81,7 @@ EXE= $(BNTEST)$(EXE_EXT) $(ECTEST)$(EXE_EXT) $(ECDSATEST)$(EXE_EXT) $(ECDHTEST) $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \ $(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \ $(ASN1TEST)$(EXE_EXT) $(V3NAMETEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) \ - $(CONSTTIMETEST)$(EXE_EXT) + $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) # $(METHTEST)$(EXE_EXT) @@ -93,7 +94,7 @@ OBJ= $(BNTEST).o $(ECTEST).o $(ECDSATEST).o $(ECDHTEST).o $(IDEATEST).o \ $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ $(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(V3NAMETEST).o \ - $(HEARTBEATTEST).o $(CONSTTIMETEST).o + $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ @@ -103,7 +104,7 @@ SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ $(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ - $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c + $(V3NAMETEST).c $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c EXHEADER= HEADER= testutil.h $(EXHEADER) @@ -147,7 +148,7 @@ alltests: \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \ test_jpake test_srp test_cms test_ocsp test_v3name test_heartbeat \ - test_constant_time + test_constant_time test_verify_extra test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt @@ -348,6 +349,10 @@ test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) @echo "Test constant time utilites" ../util/shlib_wrap.sh ./$(CONSTTIMETEST) +test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT) + @echo $(START) $@ + ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST) + lint: lint -DLINT $(INCLUDES) $(SRC)>fluff @@ -519,6 +524,9 @@ $(HEARTBEATTEST)$(EXE_EXT): $(HEARTBEATTEST).o $(DLIBCRYPTO) $(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o @target=$(CONSTTIMETEST) $(BUILD_CMD) +$(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o + @target=$(VERIFYEXTRATEST) $(BUILD_CMD) + #$(AESTEST).o: $(AESTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c @@ -822,6 +830,21 @@ v3nametest.o: ../include/openssl/sha.h ../include/openssl/stack.h v3nametest.o: ../include/openssl/symhacks.h ../include/openssl/x509.h v3nametest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h v3nametest.o: v3nametest.c +verify_extra_test.o: ../include/openssl/asn1.h ../include/openssl/bio.h +verify_extra_test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h +verify_extra_test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +verify_extra_test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +verify_extra_test.o: ../include/openssl/err.h ../include/openssl/evp.h +verify_extra_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +verify_extra_test.o: ../include/openssl/objects.h +verify_extra_test.o: ../include/openssl/opensslconf.h +verify_extra_test.o: ../include/openssl/opensslv.h +verify_extra_test.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h +verify_extra_test.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h +verify_extra_test.o: ../include/openssl/safestack.h ../include/openssl/sha.h +verify_extra_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +verify_extra_test.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +verify_extra_test.o: verify_extra_test.c wp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h wp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h wp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h diff --git a/openssl/test/certs/bad.key b/openssl/test/certs/bad.key new file mode 100644 index 000000000..470849520 --- /dev/null +++ b/openssl/test/certs/bad.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAwTqNko5vQiQ5BQohPJ3sySrjT6JedjsKtt1OZ8ndR2C1asUi +HgpVO8QDHKID88Qklx6UCieeKAwIY0VzqWzTyZWTwdqTU9t8arHHJu7IcFlmWsAL +fwTmARWJmpY+K8fGnQx1Kxfi6nQJ8Whq4bcAqJ2HXzG69Wjs3Ki70ScNbQ9RUwXJ +n/FeNrsphKAv5K22zBqjWAQdYMg6vtKZAXCET8jw6OkPVnUb/QvyoBEijWt0+HBh +7wLkSUvMj/7fc88+xtvGqZPyG2Py4DdWW1stpgiZ3TTohEk84t1u5L3qQaRQmVE6 +y5RMImyVY8hegC4zc6aGZDFRv8MR+gk6prcuUwIDAQABAoIBAEkz4YZwJ34rMt7R +452PRrE/ajY1EQxBeeGlHZr8QrRT0ubMIAy5ZWjq7TLfvhePaz1E/FiMgcIyLMtO ++G5rKCDqZbu/DqlqMUxKZWQ+efj2JWyj7LcGKAypGCRUXuE/IeNFYO4ecnzX0Rx/ +rl4scjdu1mYd9PIb+f/ufJjT7qYtykmwlb0MbEJ25yjTC4iHzacvFLJgdXrPp8b9 +ZGlVBKyuk9ZrZDC8/a4QrKt7Hp2SqqO4WqaTgM1G+cQFYuVBmj74bQhJHMmQ+Opr +5KXwBKEHMtJkq1GPVZ34W90V82d+8MJAxymuPomwRXKl1dKgnvny+0eobXkiBDcF +XCBCmIECgYEA8c/fE7Sa1vLZriw0Meq+TxU5hru4YM6OmQ+idc6diCp2U9lW+KJr +YrIRTZFcmhEGmRjAEZrdK0oFY7h5RhsZ+gTftmNZuL8WJCK9+y2DE9dB++md3oVC +PK0d4SmQKsivOTTeiK/VYFGoLc8t8Ud/anu2Q1kFdC+7cH/TrRseV4MCgYEAzJDw +MTil055rYlrAAH8ePEuONomu2MoZRRCX/tWuVvz+eIzA35mryW3OR45l5qNluQoZ +AdpVE68kBak2wIrF2oyWcF1s8VzSbAJCoqK42lKiSGVDVnr6jb69WUujCkYUZIwR +Q20QYBUUQu0JiFBU22tRgILIAK+rRah37EP4RPECgYBN3hKH1fDGpw1R+QoVyPHf +pYYQzQJiqiFhSJeYOCCiaIoSFjrbdfH+pjjMMbMQKctmIYI4KRZvijaSFiV3XeLP +kCI6KWQLCf2nRUjISa+cBAVLib88mMzrnROyHiA+psFGOrAuc/DSQ3lUxxKUT+HH ++G6I4XHQKE7Du2X+qGzs4QKBgBZyJNjRxWhF7rR5Dq4/RHsLM0yKqPPCoSkx2+ur +WJjU47sofpVKUE4mzUaOumGnNicqk3nfkgw54HL6kTZpQ7JqUKt9pNGLBM+zI8qi +njPec04MRmo7zjg1YKNmqDodXGl38QD7+5r/VRzO04fwgI8e5G98aiOhIuLezGHR +R3GRAoGAAyhwtKoC87fSGrpyZQ16UAYuqNy0fVAQtrDgRgP5Nu4esr9QxS/hWjcR +8s2P82wsR4gZna6l6vSz4awGVG4PGKnVjteAtZxok3nBHxPmRke5o7IpdObPjpQP +RJNZYbJ9G/PbYDhciEoTjVyig6Ol5BRe9stSbO7+JIxEYr7VSpA= +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/certs/bad.pem b/openssl/test/certs/bad.pem new file mode 100644 index 000000000..876923151 --- /dev/null +++ b/openssl/test/certs/bad.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIJAJgwOOciuxjSMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDTALBgNVBAMTBGxlYWYwHhcNMTUwNzAyMTMyMDQ2WhcN +MzUwNzAyMTMyMDQ2WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0 +ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNi +YWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBOo2Sjm9CJDkFCiE8 +nezJKuNPol52Owq23U5nyd1HYLVqxSIeClU7xAMcogPzxCSXHpQKJ54oDAhjRXOp +bNPJlZPB2pNT23xqsccm7shwWWZawAt/BOYBFYmalj4rx8adDHUrF+LqdAnxaGrh +twConYdfMbr1aOzcqLvRJw1tD1FTBcmf8V42uymEoC/krbbMGqNYBB1gyDq+0pkB +cIRPyPDo6Q9WdRv9C/KgESKNa3T4cGHvAuRJS8yP/t9zzz7G28apk/IbY/LgN1Zb +Wy2mCJndNOiESTzi3W7kvepBpFCZUTrLlEwibJVjyF6ALjNzpoZkMVG/wxH6CTqm +ty5TAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJoH29IULbskIG8BwYp4 +9yD+q7wbMB8GA1UdIwQYMBaAFBwdxP7xJUYhGU31hO4z2uXPtRl/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBl0tHkWMBHW6r3ywBlWWFdok04xlt2QD8eA4ywwz97t/8JgLht +OpuHO1bQtrZR6bxAgYT1+yHQnYBTfjKxFq+S9EP6nxBe94mEgizLmMv9pf7x5q+H +pfT8ejcY54E/oXlFXSbLDE1BDpfgkWll2/TIsTRJNoM2n8mytEdPqzRburwWnoFR +VchcfO968asdc9/8glSLJSNO+Wh9vQlbtcPzfbd4ZVE5E/P6drQzSwNjWvHQdswJ +ujkY1zkTP2rtVBGN4OyOfkE6enVKpt5lN6AqjEMhJ5i/yFM/jDndTrgd/JkAvyUJ +O2ELtifCd8DeSYNA9Qm8/MEUYq1xXQrGJHCE +-----END CERTIFICATE----- diff --git a/openssl/test/certs/interCA.key b/openssl/test/certs/interCA.key new file mode 100644 index 000000000..c32fe26bc --- /dev/null +++ b/openssl/test/certs/interCA.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAu7NHo76UDp738A/nuEfvVkKL7a7Kjk8PJIYkRKouSZZgBW6Q +xBWptfJ6UZLeoDnBjJ47hc7s+ohLkJnnsodAalgMKTIFjDLXhMyzgGqpBJf/ydvl +oEWwP/KZsB32z1v3fn926euBaA9YUAHpwc15i8VaIREPQQPsRA0ZC/3AN2PpPztQ +vTkYUkKyTbAfWhN8ymxR3fZjph+GjUrBfDp90qpUVTgkIp3uXOgAkndB1BI2MvWj +m6mOO8kjVC281auculTozLNFvthv16q3FZMc3/W1aslQa6wCa529+f8v4itM1oCQ +T/h14cK+ZjE7zbhIqwXlWLs/uoVHq1G7iYa9BQIDAQABAoIBABa8FldNBB3pP1rC +cmytud2W3eACJeKqzMi9vrLachTTs/m0dLBrd0zke9BZm8GIfVsM52TDtYx66bww +CBJls3WuCHsM5gMfPV+Gc8+AG8zEpGTMz7lj938nYVolpvliyE14Hu0ia2AxS58V +PD0PKEO3ubz7lf9n/DwZ4gjDyX5r1Cq+thwPlIf4PbEcGHk5SYxNm2DGR0DNL676 +X7CrRu3JBa2mY+moTV/pMrjvwAInmSxs4RBO7ggdYEief/4cBYyzMdiQ1v0UxvdO +674dBJJFG32akPrnPqza7U41ivoDPlgCpKWHDaZadI0Joozd2pw0Mq0a8cyig0BJ +Wa3d9xkCgYEA9T3j8F52u+QMaMzV1VENUAwo0Sqhk8xU0r/4l5PsvCjOuJ7NZkkW +EQnNOI++zaPCeBRV55X0A5E8Pi3uEdKt6m+wsncJzGEVNRwixfd0Ul7Itntq7u9L +/DHTlwpQ4t4PLNu8/uSBDN9A2slY2WsoXkJsdYPgjkrS2rYkt5bHFN8CgYEAw+8w +Qw/zTCBmerzYLJSsjz9rcD2hTtDw72UF1rvEg4QP/9v0I/OU7Lu0ds0KmKJcJfay +ZDMeBT8tW6LFztqdFi24tKISfodfYdET32lNd4QnMtWhoqXXXNiJY5gQC16YmSJm +R7Dgw9hBrr0323/lhhwDDysq1lgD9QbUVEacJpsCgYAoau/TIK5u3vHQn9mqE3af +N7HObzk785QTO8JLsPx2Mj+Hm9x8PBVf736cEMzAdXnKcoeJ6GPT5q7IDKfM1i0F +kyzK7OV3gpSNMTrl55eLL8XilUqVYGjkgo29udyE11Ym7XwjgiNmrLCynjZ/drKr +fkUDxR1QNjK0CwrYGwhqfwKBgQDAYGn3foK4nRthqWdrJjLjlzZLBwgJldbqhjsc +YlIJezImWnU0k2YGpioDd0DPKqLlV3pCLXptVmGXlpM3jags7YlsObGE8C+zoBAu +DHtWPLgsDltckg6Jh8YltlkSgLe9q2vXOhEF2aBsDDb62nGmonxSeWTe/Z4tB56U +fJu2vwKBgFnGbZIcH8sDR7Vwh0sjSKnFkZ1v0T4qsBKpDz9yCvZVIgIFXPkKnALT ++OEpQTuLVN/MZxVlc8qo8UFflJprDsK1/Rm3iPaw+lwErswgddNUKNLnLPjlxcEe +nTinsfyf4i48+IW55UFVU118nyufNeDdasoU6SSBH/MdeNq4hrTa +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/certs/interCA.pem b/openssl/test/certs/interCA.pem new file mode 100644 index 000000000..35568abe1 --- /dev/null +++ b/openssl/test/certs/interCA.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE3MDVa +Fw0zNTA3MDIxMzE3MDVaMFcxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 +YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMT +B2ludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7s0ejvpQO +nvfwD+e4R+9WQovtrsqOTw8khiREqi5JlmAFbpDEFam18npRkt6gOcGMnjuFzuz6 +iEuQmeeyh0BqWAwpMgWMMteEzLOAaqkEl//J2+WgRbA/8pmwHfbPW/d+f3bp64Fo +D1hQAenBzXmLxVohEQ9BA+xEDRkL/cA3Y+k/O1C9ORhSQrJNsB9aE3zKbFHd9mOm +H4aNSsF8On3SqlRVOCQine5c6ACSd0HUEjYy9aObqY47ySNULbzVq5y6VOjMs0W+ +2G/XqrcVkxzf9bVqyVBrrAJrnb35/y/iK0zWgJBP+HXhwr5mMTvNuEirBeVYuz+6 +hUerUbuJhr0FAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBj61iO5 +j11dE30+j6iRx9lhwBcuMB8GA1UdIwQYMBaAFIVWiTXinwAa4YYDC0uvdhJrM239 +MA0GCSqGSIb3DQEBCwUAA4IBAQDAU0MvL/yZpmibhxUsoSsa97UJbejn5IbxpPzZ +4WHw8lsoUGs12ZHzQJ9LxkZVeuccFXy9yFEHW56GTlkBmD2qrddlmQCfQ3m8jtZ9 +Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U +7pdYRpfeEY8dHSU6FHwVN/H8VaBB7vYYc2wXwtk8On7z2ocIVHn9RPkcLwmwJjb/ +e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU +wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb +-----END CERTIFICATE----- diff --git a/openssl/test/certs/leaf.key b/openssl/test/certs/leaf.key new file mode 100644 index 000000000..a1b172124 --- /dev/null +++ b/openssl/test/certs/leaf.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAv0Qo9WC/BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1 +sRNDFxSzdTJjU/8cIDEZvaTIwRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs +0Nz50yHk4rJhVxWjb8Ii/wRBViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttR +yY7qNkz2JpNx0guD8v4otQoYjA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2 +QVbUTow/oppjqIKCx2maNHCtLFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4F +auF9IV1CmoAJUC1vJxhagHIKfVtFjUWs8GPobQIDAQABAoIBAB1fCiskQDElqgnT +uesWcOb7u55lJstlrVb97Ab0fgtR8tvADTq0Colw1F4a7sXnVxpab+l/dJSzFFWX +aPAXc1ftH/5sxU4qm7lb8Qx6xr8TCRgxslwgkvypJ8zoN6p32DFBTr56mM3x1Vx4 +m41Y92hPa9USL8n8f9LpImT1R5Q9ShI/RUCowPyzhC6OGkFSBJu72nyA3WK0znXn +q5TNsTRdJLOug7eoJJvhOPfy3neNQV0f2jQ+2wDKCYvn6i4j9FSLgYC/vorqofEd +vFBHxl374117F6DXdBChyD4CD5vsplB0zcExRUCT5+iBqf5uc8CbLHeyNk6vSaf5 +BljHWsECgYEA93QnlKsVycgCQqHt2q8EIZ5p7ksGYRVfBEzgetsNdpxvSwrLyLQE +L5AKG3upndOofCeJnLuQF1j954FjCs5Y+8Sy2H1D1EPrHSBp4ig2F5aOxT3vYROd +v+/mF4ZUzlIlv3jNDz5IoLaxm9vhXTtLLUtQyTueGDmqwlht0Kr3/gcCgYEAxd86 +Q23jT4DmJqUl+g0lWdc2dgej0jwFfJ2BEw/Q55vHjqj96oAX5QQZFOUhZU8Otd/D +lLzlsFn0pOaSW/RB4l5Kv8ab+ZpxfAV6Gq47nlfzmEGGx4wcoL0xkHufiXg0sqaG +UtEMSKFhxPQZhWojUimK/+YIF69molxA6G9miOsCgYEA8mICSytxwh55qE74rtXz +1AJZfKJcc0f9tDahQ3XBsEb29Kh0h/lciEIsxFLTB9dFF6easb0/HL98pQElxHXu +z14SWOAKSqbka7lOPcppgZ1l52oNSiduw4z28mAQPbBVbUGkiqPVfCa3vhUYoLvt +nUZCsXoGF3CVBJydpGFzXI0CgYEAtt3Jg72PoM8YZEimI0R462F4xHXlEYtE6tjJ +C+vG/fU65P4Kw+ijrJQv9d6YEX+RscXdg51bjLJl5OvuAStopCLOZBPR3Ei+bobF +RNkW4gyYZHLSc6JqZqbSopuNYkeENEKvyuPFvW3f5FxPJbxkbi9UdZCKlBEXAh/O +IMGregcCgYBC8bS7zk6KNDy8q2uC/m/g6LRMxpb8G4jsrcLoyuJs3zDckBjQuLJQ +IOMXcQBWN1h+DKekF2ecr3fJAJyEv4pU4Ct2r/ZTYFMdJTyAbjw0mqOjUR4nsdOh +t/vCbt0QW3HXYTcVdCnFqBtelKnI12KoC0jAO9EAJGZ6kE/NwG6dQg== +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/certs/leaf.pem b/openssl/test/certs/leaf.pem new file mode 100644 index 000000000..bb94d126e --- /dev/null +++ b/openssl/test/certs/leaf.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMTCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMx +OTQ5WhcNMzUwNzAyMTMxOTQ5WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29t +ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYD +VQQDEwRsZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/ +BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTI +wRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRB +ViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoY +jA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCt +LFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIK +fVtFjUWs8GPobQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQcHcT+8SVG +IRlN9YTuM9rlz7UZfzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+HHAV3R8aTzAN +BgkqhkiG9w0BAQsFAAOCAQEAGjmSkF8is+v0/RLcnSRiCXENz+yNi4pFCAt6dOtT +6Gtpqa1tY5It9lVppfWb26JrygMIzOr/fB0r1Q7FtZ/7Ft3P6IXVdk3GDO0QsORD +2dRAejhYpc5c7joHxAw9oRfKrEqE+ihVPUTcfcIuBaalvuhkpQRmKP71ws5DVzOw +QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV +mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw +y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg== +-----END CERTIFICATE----- diff --git a/openssl/test/certs/rootCA.key b/openssl/test/certs/rootCA.key new file mode 100644 index 000000000..527f3ad75 --- /dev/null +++ b/openssl/test/certs/rootCA.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwPFrd4isNd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/ +m8TJEtHkC0WX5QbNZjrh4OIr36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyD +Xq5CknSlK+cAwanc1bFTBw9z946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7 +w6jBiLJ3/5zb/GpERET3hewILNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTM +uR4hoGzEq1mwQDm7+Yit/d+NtAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXV +ddTFezpANQafxIS0bJMMrzdar7ZBTSYjHLgCswIDAQABAoIBAC1EdwJEfqLlOgmE +qtSkXn3N919y76Wsfqf+eh5M8Tf4YajCSSIyuTpBJE/AtDJ3thkWF4i7h6+gcLNL +GfR0D+h6MMLBgx259iTZu3V+b9fEMbBHykqcd+IEm/wA5pyJTdaVE/XEGmEqiFEH +g6wT9XwQ4uRo49X0JfvVlZCNcumapYfPY+BwPQloydm/cLtgUtc1RKUCG7i27aHM +VaUm+NdYZIwwCQs0Aof/h7PkEWvHq0idaxY9qkLbbZHb1Np/IkmvqCo/PSS1whDj +/KIQGJDBGuXX/V+cZ+DYkCXAq1fCto9MjarEVmlLW5Hr5QojdbpvwsxSmrGfCqdH +bfc/9gECgYEA6y6EcYBuvCibmO4G2OA1sNSe5lJF911xUHuUl3CRORdeVFDi9Ch+ +LKzE+XEOlvA+qFSIA/KztevX3dvmvvBMwu0PUWDtBKJZ1mXt4Mgo63MHpYnKIzWz +YuDaMKpvbl3iTFJlKPUkPlv+/uDccd0QYYvk4gbBrWVQDghV3ya9LqMCgYEA0gW6 +Cu5yRWodehCh0z8VtFfOGDkhZEav6B5mZvyDCk5f+zVeRlsTJwY4BsgnoMUJ+SjQ +iQwQX3FbWrwcyYPOIA+ja6Hisgb9p/f+hxsQOOhN9nFsk2MNIHkwrMRcE8pj7pc1 +uBoYqpdX8blEs8wkJI+bTI3/SIZw6vjbogSqbLECgYEAhXuQho9byoXN0p3+2ude +8e+sBJPbzEuH/iM2MkIc2ueNjZOfTO8Sti6VWfK2UisnlQjtbjg5kd67Vdvy+pqP +Ju/ACvNVc5TmIo8V1cglmYVfaLBtP1DCcTOoA4ko196Hi8QUUIvat14lu+pKlIHh +Q0xQa41kLhNbvaszegWVyLsCgYEAxhuGySbw/U9CbNDhhL1eANZOXoUNXWRcK6z5 +VS3dgcw6N2C5A86G+2mfUa5dywXyCWgZhRyvGQh5btZApUlCFvYJZc63Ysy7WkTQ +f6rkm3ltiQimrURirn4CjwVOAZEIwJc7oeRj3g6Scz4acysd8KrRh93trwC55LtH +mcWi6JECgYAlqCQvaAnvaWpR0RX7m/UMpqWOVgIperGR7hrN3d04RaWG4yv1+66T +xANNBA8aDxhFwXjAKev4iOE/rp8SEjYXh3lbKmx+p9dk8REUdIFqoClX9tqctW9g +AkDF34S0mSE4T34zhs2+InfohJa6ojsuiNJSQMBPBxfr6wV2C+UWMQ== +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/certs/rootCA.pem b/openssl/test/certs/rootCA.pem new file mode 100644 index 000000000..ef73d001b --- /dev/null +++ b/openssl/test/certs/rootCA.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa +Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 +YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM +BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf ++3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i +xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO +rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU +34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL +r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 +QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf +ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w +DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 +mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ +WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI +qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 +GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT +JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +-----END CERTIFICATE----- diff --git a/openssl/test/certs/roots.pem b/openssl/test/certs/roots.pem new file mode 100644 index 000000000..0bc69127d --- /dev/null +++ b/openssl/test/certs/roots.pem @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE3MDVa +Fw0zNTA3MDIxMzE3MDVaMFcxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 +YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMT +B2ludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7s0ejvpQO +nvfwD+e4R+9WQovtrsqOTw8khiREqi5JlmAFbpDEFam18npRkt6gOcGMnjuFzuz6 +iEuQmeeyh0BqWAwpMgWMMteEzLOAaqkEl//J2+WgRbA/8pmwHfbPW/d+f3bp64Fo +D1hQAenBzXmLxVohEQ9BA+xEDRkL/cA3Y+k/O1C9ORhSQrJNsB9aE3zKbFHd9mOm +H4aNSsF8On3SqlRVOCQine5c6ACSd0HUEjYy9aObqY47ySNULbzVq5y6VOjMs0W+ +2G/XqrcVkxzf9bVqyVBrrAJrnb35/y/iK0zWgJBP+HXhwr5mMTvNuEirBeVYuz+6 +hUerUbuJhr0FAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBj61iO5 +j11dE30+j6iRx9lhwBcuMB8GA1UdIwQYMBaAFIVWiTXinwAa4YYDC0uvdhJrM239 +MA0GCSqGSIb3DQEBCwUAA4IBAQDAU0MvL/yZpmibhxUsoSsa97UJbejn5IbxpPzZ +4WHw8lsoUGs12ZHzQJ9LxkZVeuccFXy9yFEHW56GTlkBmD2qrddlmQCfQ3m8jtZ9 +Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U +7pdYRpfeEY8dHSU6FHwVN/H8VaBB7vYYc2wXwtk8On7z2ocIVHn9RPkcLwmwJjb/ +e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU +wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIJAJTed6XmFiu/MA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMy +MTU4WhcNMzUwNzAyMTMyMTU4WjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD +VQQDDApzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04 +wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG +64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3G +Vc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn2 +90aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh +6VbJGb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQW +BBTpZ30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+ +HHAV3R8aTzANBgkqhkiG9w0BAQsFAAOCAQEAF8UAMtV1DClUWRw1h+THdAhjeo8S +9BOp6QphtlYuc9o+tQri5m+WqbyUZKIBEtumNhFb7QI1e4hO64y1kKbSs2AjWcJ2 +QxAyGiMM3wl2UfxPohDtgNhm0GFgQ1tUTeSnW3kAom9NqI7U/2lPpLh4rrFYTepR +wy0FV3NpRuHPtJE0VfqYnwWiTRdCJ7w1XzknKOUSHP/hRbyJVlwQp3VEQ9SIOYU6 +C+QEVGIgQiST6MRlCvoNP43guaRtrMuBZJaHKy/hLPvkdRpXHoUeKQFDuH77sZsF +sBv3EHNKoBvpSpSJndZN6UcH7Z1yn41Y6AnO4u492jiRAjQpP9+Nf/x1eg== +-----END CERTIFICATE----- diff --git a/openssl/test/certs/subinterCA-ss.pem b/openssl/test/certs/subinterCA-ss.pem new file mode 100644 index 000000000..a436b4b00 --- /dev/null +++ b/openssl/test/certs/subinterCA-ss.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIJAJTed6XmFiu/MA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMy +MTU4WhcNMzUwNzAyMTMyMTU4WjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD +VQQDDApzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04 +wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG +64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3G +Vc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn2 +90aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh +6VbJGb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQW +BBTpZ30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+ +HHAV3R8aTzANBgkqhkiG9w0BAQsFAAOCAQEAF8UAMtV1DClUWRw1h+THdAhjeo8S +9BOp6QphtlYuc9o+tQri5m+WqbyUZKIBEtumNhFb7QI1e4hO64y1kKbSs2AjWcJ2 +QxAyGiMM3wl2UfxPohDtgNhm0GFgQ1tUTeSnW3kAom9NqI7U/2lPpLh4rrFYTepR +wy0FV3NpRuHPtJE0VfqYnwWiTRdCJ7w1XzknKOUSHP/hRbyJVlwQp3VEQ9SIOYU6 +C+QEVGIgQiST6MRlCvoNP43guaRtrMuBZJaHKy/hLPvkdRpXHoUeKQFDuH77sZsF +sBv3EHNKoBvpSpSJndZN6UcH7Z1yn41Y6AnO4u492jiRAjQpP9+Nf/x1eg== +-----END CERTIFICATE----- diff --git a/openssl/test/certs/subinterCA.key b/openssl/test/certs/subinterCA.key new file mode 100644 index 000000000..c867af946 --- /dev/null +++ b/openssl/test/certs/subinterCA.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb +2ARVkYZP5e9gHb04wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1n +JeSv3na8gyOoCheG64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/C +pdCHE3DKAzAiri3GVc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMy +wtz4hhY/XZTvdEn290aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRF +HONWZG1T4mRY1Drh6VbJGb+0GNIldNLQqigkfwIDAQABAoIBAQDg14MWGu+F4gqg +nwI1OPt95UjmXaz7Sd0NmoNxTKJjgN/9v33emBL7n6YNIxU/nlK+ToLBGo0tPjfO +ZHoskA1H/aiiMfKowcpV4PHbUZvpE0oYM/rIu+7mxR3ZPDT0jz3jjmgLHrEKFCXd +SfTtwOSJVzYvGdCdDE1nUXiRMcGlrJYxPf+0k3sGK7G90rYJkgffz92yuJote/s5 +P5nsK1h30yjKaWEzvf3ABladplykFN3GkICRGaCq0Nj5YWiG7qX9H9smYrioG0VH +VqgIbV2sHnmUYZaOTmC0RnwDWSZR25xOHVbugZ7rGnf4NdoM2S/oTI/SAXcDsaDX +lDpiEEuBAoGBAP/TISpeDRtUWzfVQxH+wbMdSbABjawf5sT7op7IsWsurY7u+KVh +ubhaSdeR7YbTyVUqbAc4mg9TIZxDe6+/I2S8LibQAa8wnv5aR1iPj/tZJOKrtu+Z +uHUyXMDR+8pIjQS0N+ukFp0tw9nicPNUt23JpqDFMvpASF+kUlnHOWAvAoGBAP9g +5rDid235QnnAhNJGkxE1ZwICPSo66AD/kF8XsMnAVasR0EPJCQ1+Zmh7wsXGq6Im +S65F4m0tsw4jeD67D1o5yuAnk/LLcdOdHW1w7iHuIhYKuWf1fqsOIqJLy7gdzwj4 +hImECoE40cqlLTge7xByxeHJwKF9ssXcwHFBIJyxAoGBAI5SeyUC5e/KYmURdBrS +zBhFtvUAKD0WEmCMTdBgfrPOaCgYsqPvVk9Fi8cuHCLiOCP1UdxClRLpgM1ajbkc +cShduJ9HIWjBd/KxbvfKBqQi1+5y8Xci4gfxWMC9EYNcEXgIewPRafNPvqG85HG7 +M8EUamsOymmG0bzDwjzIJRdpAoGAOUoVtmy3ehZG0WVc5ocqitu+BfdWnViln0O1 +sX9xC3F4Rm4ymGJLA5ntg1bwNMoCytdodun6h5+O4YcXfIseQJFib7KxP/Bf0qcW +aOzCnx36y5MQUMAD8H+1SU9TnjQhs9N8eBUE/kQu3BT99e8KllgJCEPoUNIP/s8s +5LtFg6ECgYEAgLwJoJ3hBwr0LmUi3kpFYdbZ+tAKIvKQH3xYMnQulOqtlXJFy0bu +ZcIAwsigRUqdCC2JuyAUw52HCtVVlpQjNs4BnUzaKooLOCm3w3i6X27mnHE0200S +zqC0rcB0xNz/IltGc7IP+T8UK5xX38uhJ/vUW75OvAjqheJSBwR9h5c= +-----END RSA PRIVATE KEY----- diff --git a/openssl/test/certs/subinterCA.pem b/openssl/test/certs/subinterCA.pem new file mode 100644 index 000000000..2cdf48011 --- /dev/null +++ b/openssl/test/certs/subinterCA.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2ludGVyQ0EwHhcNMTUwNzAyMTMxODIz +WhcNMzUwNzAyMTMxODIzWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T +dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQD +EwpzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/zQj +vhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04wPVz +2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG64kW +VbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3GVc90 +OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn290aL +857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh6VbJ +Gb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTp +Z30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBQY+tYjuY9dXRN9Po+okcfZ +YcAXLjANBgkqhkiG9w0BAQsFAAOCAQEAgVUsOf9rdHlQDw4clP8GMY7QahfXbvd8 +8o++P18KeInQXH6+sCg0axZXzhOmKwn+Ina3EsOP7xk4aKIYwJ4A1xBuT7fKxquQ +pbJyjkEBsNRVLC9t4gOA0FC791v5bOCZjyff5uN+hy8r0828nVxha6CKLqwrPd+E +mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq +YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U +gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg== +-----END CERTIFICATE----- diff --git a/openssl/test/certs/untrusted.pem b/openssl/test/certs/untrusted.pem new file mode 100644 index 000000000..d93d312dd --- /dev/null +++ b/openssl/test/certs/untrusted.pem @@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2ludGVyQ0EwHhcNMTUwNzAyMTMxODIz +WhcNMzUwNzAyMTMxODIzWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T +dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQD +EwpzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/zQj +vhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04wPVz +2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG64kW +VbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3GVc90 +OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn290aL +857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh6VbJ +Gb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTp +Z30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBQY+tYjuY9dXRN9Po+okcfZ +YcAXLjANBgkqhkiG9w0BAQsFAAOCAQEAgVUsOf9rdHlQDw4clP8GMY7QahfXbvd8 +8o++P18KeInQXH6+sCg0axZXzhOmKwn+Ina3EsOP7xk4aKIYwJ4A1xBuT7fKxquQ +pbJyjkEBsNRVLC9t4gOA0FC791v5bOCZjyff5uN+hy8r0828nVxha6CKLqwrPd+E +mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq +YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U +gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMTCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMx +OTQ5WhcNMzUwNzAyMTMxOTQ5WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29t +ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYD +VQQDEwRsZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/ +BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTI +wRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRB +ViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoY +jA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCt +LFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIK +fVtFjUWs8GPobQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQcHcT+8SVG +IRlN9YTuM9rlz7UZfzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+HHAV3R8aTzAN +BgkqhkiG9w0BAQsFAAOCAQEAGjmSkF8is+v0/RLcnSRiCXENz+yNi4pFCAt6dOtT +6Gtpqa1tY5It9lVppfWb26JrygMIzOr/fB0r1Q7FtZ/7Ft3P6IXVdk3GDO0QsORD +2dRAejhYpc5c7joHxAw9oRfKrEqE+ihVPUTcfcIuBaalvuhkpQRmKP71ws5DVzOw +QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV +mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw +y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg== +-----END CERTIFICATE----- diff --git a/openssl/test/testssl b/openssl/test/testssl index ddebf0853..747e4ba38 100644 --- a/openssl/test/testssl +++ b/openssl/test/testssl @@ -146,16 +146,15 @@ echo test sslv2/sslv3 with both client and server authentication via BIO pair an $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 test_cipher() { - local cipher=$1 - local protocol=$2 - echo "Testing $cipher" + _cipher=$1 + echo "Testing $_cipher" prot="" - if [ $protocol = "SSLv3" ] ; then + if [ $2 = "SSLv3" ] ; then prot="-ssl3" fi - $ssltest -cipher $cipher $prot + $ssltest -cipher $_cipher $prot if [ $? -ne 0 ] ; then - echo "Failed $cipher" + echo "Failed $_cipher" exit 1 fi } @@ -254,16 +253,16 @@ if ../util/shlib_wrap.sh ../apps/openssl no-srp; then echo skipping SRP tests else echo test tls1 with SRP - $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 + $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1 echo test tls1 with SRP via BIO pair - $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 + $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1 echo test tls1 with SRP auth - $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 + $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1 echo test tls1 with SRP auth via BIO pair - $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 + $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1 fi ############################################################################# diff --git a/openssl/test/verify_extra_test.c b/openssl/test/verify_extra_test.c new file mode 120000 index 000000000..11d837c6f --- /dev/null +++ b/openssl/test/verify_extra_test.c @@ -0,0 +1 @@ +../crypto/x509/verify_extra_test.c
\ No newline at end of file |