From fdcc9b48069aefd58aaefa631450a28e12a201af Mon Sep 17 00:00:00 2001 From: Marc Kleine-Budde Date: Fri, 3 Jul 2009 21:43:18 +0200 Subject: [PATCH 1/2] debian patches Signed-off-by: Marc Kleine-Budde --- Configure | 52 +++++++++++++++++++++++++++++++++++++-- Makefile.org | 22 ++++++++++------- Makefile.shared | 4 +- apps/CA.pl | 2 + apps/CA.pl.in | 2 + apps/CA.sh | 1 + apps/s_time.c | 1 + config | 4 +- crypto/Makefile | 4 +- crypto/aes/Makefile | 2 +- crypto/aes/asm/aes-586.pl | 13 +++++++-- crypto/aes/asm/aes-x86_64.pl | 4 +++ crypto/des/asm/desboth.pl | 17 ++++++++++-- crypto/md5/Makefile | 3 +- crypto/perlasm/cbc.pl | 24 +++++++++++++++--- crypto/perlasm/x86_64-xlate.pl | 4 +- crypto/perlasm/x86unix.pl | 33 +++++++++++++++++++++++++ crypto/pkcs7/pk7_mime.c | 2 +- crypto/pqueue/pqueue.c | 14 ++++++++++ crypto/pqueue/pqueue.h | 1 + crypto/rand/md_rand.c | 2 + crypto/rc4/Makefile | 2 +- crypto/rc4/asm/rc4-x86_64.pl | 8 ++++++ crypto/sha/sha.h | 1 + crypto/x86_64cpuid.pl | 4 +++ engines/Makefile | 6 ++-- ssl/d1_both.c | 45 +++++++++++++++++++++------------- ssl/d1_pkt.c | 4 +++ ssl/t1_lib.c | 8 ++++++ tools/c_rehash | 14 +++++++--- tools/c_rehash.in | 12 +++++++-- 31 files changed, 254 insertions(+), 61 deletions(-) diff --git a/Configure b/Configure index c6dbfae..0fe11a5 100755 --- a/Configure +++ b/Configure @@ -128,6 +128,9 @@ my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o MAYBE-MO86-cof.o:dx86-cof my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o MAYBE-MO86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o rc4_skey.o:rm86-out.o:r586-out.o"; my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o::"; +# rc4 asm is disabled on amd64 because we configured it with RC4_CHAR while +# the assembler only works with int +my $x86_64_asm_linux="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o::aes-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::::"; my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o::"; my $no_asm="::::::::::"; @@ -320,6 +323,48 @@ my %table=( "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so", "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so", +# Debian GNU/* (various architectures) +"debian-alpha","gcc:-DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-alpha-ev4","gcc:-DTERMIO -O3 -Wa,--noexecstack -mcpu=ev4 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-alpha-ev5","gcc:-DTERMIO -O3 -Wa,--noexecstack -mcpu=ev5 -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-arm","gcc:-DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-armeb","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-armel","gcc:-DL_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-amd64","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm_linux}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-avr32", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-freebsd-alpha","gcc:-DTERMIOS -O -Wa,--noexecstack -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-kfreebsd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-hppa","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-hurd-i386","gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ia64","gcc:-DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC", +"debian-i386","gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i486","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i486 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i586","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i586 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-i386-i686/cmov","gcc:-DL_ENDIAN -DTERMIO -O3 -march=i686 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-m68k","gcc:-DB_ENDIAN -DTERMIO -O2 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-mips", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-mipsel", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-m68k", "gcc:-DB_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-netbsd-sparc", "gcc:-DB_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -mv8 -Wall::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-alpha","gcc:-DTERMIOS -O3 -Wa,--noexecstack -g::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wa,--noexecstack -g -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-openbsd-mips","gcc:-O2 -Wa,--noexecstack -g -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG DES_UNROLL DES_RISC2 DES_PTR MD2_CHAR RC4_INDEX::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sh4eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-m32r","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + #### #### Variety of LINUX:-) #### @@ -488,7 +533,7 @@ my %table=( # Cygwin "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32", "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_coff_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", -"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", +-"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a", # NetWare from David Ward (dsward@novell.com) # requires either MetroWerks NLM development tools, or gcc / nlmconv @@ -1523,7 +1568,8 @@ while () elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; - s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; +# s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/; + s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/; } elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/) { @@ -1645,7 +1691,7 @@ while () if (/^#define\s+OPENSSLDIR/) { print OUT "#define OPENSSLDIR \"$openssldir\"\n"; } elsif (/^#define\s+ENGINESDIR/) - { print OUT "#define ENGINESDIR \"$prefix/lib/engines\"\n"; } + { print OUT "#define ENGINESDIR \"$prefix/lib/ssl/engines\"\n"; } elsif (/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/) { printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n" if $export_var_as_fn; diff --git a/Makefile.org b/Makefile.org index d1b56b2..f84a876 100644 --- a/Makefile.org +++ b/Makefile.org @@ -131,7 +131,7 @@ FIPSCANLIB= BASEADDR= -DIRS= crypto fips ssl engines apps test tools +DIRS= crypto fips ssl engines apps tools SHLIBDIRS= crypto ssl fips # dirs in crypto to build @@ -152,10 +152,11 @@ TESTS = alltests MAKEFILE= Makefile -MANDIR=$(OPENSSLDIR)/man +MANDIR=/usr/share/man MAN1=1 MAN3=3 -MANSUFFIX= +MANSUFFIX=ssl +MANSECTION=SSL SHELL=/bin/sh TOP= . @@ -443,7 +444,8 @@ libcrypto.pc: Makefile echo 'Description: OpenSSL cryptography library'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc libssl.pc: Makefile @@ -456,7 +458,8 @@ libssl.pc: Makefile echo 'Description: Secure Sockets Layer and cryptography libraries'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl'; \ + echo 'Libs.private: -lcrypto $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc openssl.pc: Makefile @@ -469,7 +472,8 @@ openssl.pc: Makefile echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \ echo 'Version: '$(VERSION); \ echo 'Requires: '; \ - echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \ + echo 'Libs: -L$${libdir} -lssl -lcrypto'; \ + echo 'Libs.private: $(EX_LIBS)'; \ echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc Makefile: Makefile.org Configure config @@ -616,7 +620,7 @@ install: all install_docs install_sw install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ + $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ @@ -694,7 +698,7 @@ install_docs: echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ + --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ @@ -711,7 +715,7 @@ install_docs: echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ - --section=$$sec --center=OpenSSL \ + --section=$${sec}$(MANSECTION) --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ diff --git a/Makefile.shared b/Makefile.shared index 3183436..48e2710 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -149,9 +149,9 @@ DO_GNU_SO=$(CALC_VERSIONS); \ SHLIB_SUFFIX=; \ ALLSYMSFLAGS='-Wl,--whole-archive'; \ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" + SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" -DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" +DO_GNU_APP=LDFLAGS="$(CFLAGS)" #This is rather special. It's a special target with which one can link #applications without bothering with any features that have anything to diff --git a/apps/CA.pl b/apps/CA.pl index a3965ec..afd5c7c 100644 --- a/apps/CA.pl +++ b/apps/CA.pl @@ -65,6 +65,7 @@ $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -165,6 +166,7 @@ foreach (@ARGV) { } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 1; } } diff --git a/apps/CA.pl.in b/apps/CA.pl.in index c783a6e..fa665b7 100644 --- a/apps/CA.pl.in +++ b/apps/CA.pl.in @@ -65,6 +65,7 @@ $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -165,6 +166,7 @@ foreach (@ARGV) { } else { print STDERR "Unknown arg $_\n"; print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n"; exit 1; } } diff --git a/apps/CA.sh b/apps/CA.sh index a0b20d8..670d2dd 100644 --- a/apps/CA.sh +++ b/apps/CA.sh @@ -91,6 +91,7 @@ case $i in -out ${CATOP}/$CAREQ $CA -out ${CATOP}/$CACERT $CADAYS -batch \ -keyfile ${CATOP}/private/$CAKEY -selfsign \ + -extensions v3_ca \ -infiles ${CATOP}/$CAREQ RET=$? fi diff --git a/apps/s_time.c b/apps/s_time.c index 904945e..6fbb822 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -117,6 +117,7 @@ /* The following if from times(3) man page. It may need to be changed */ +#undef HZ #ifndef HZ # ifdef _SC_CLK_TCK # define HZ ((double)sysconf(_SC_CLK_TCK)) diff --git a/config b/config index 68e7ea1..980c6a9 100755 --- a/config +++ b/config @@ -162,8 +162,8 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in echo "${MACHINE}-whatever-linux1"; exit 0 ;; - GNU*) - echo "hurd-x86"; exit 0; + GNU:*|GNU/*:*) + echo "${MACHINE}-gnuish"; exit 0; ;; LynxOS:*) diff --git a/crypto/Makefile b/crypto/Makefile index 6557f2b..71ac792 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -57,7 +57,7 @@ buildinf.h: ../Makefile echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ echo '#endif' ) >buildinf.h -x86cpuid-elf.s: x86cpuid.pl perlasm/x86asm.pl +x86cpuid-elf.S: x86cpuid.pl perlasm/x86asm.pl $(PERL) x86cpuid.pl elf $(CFLAGS) $(PROCESSOR) > $@ x86cpuid-cof.s: x86cpuid.pl perlasm/x86asm.pl $(PERL) x86cpuid.pl coff $(CFLAGS) $(PROCESSOR) > $@ @@ -70,7 +70,7 @@ uplink.o: ../ms/uplink.c uplink-cof.s: ../ms/uplink.pl $(PERL) ../ms/uplink.pl coff > $@ -x86_64cpuid.s: x86_64cpuid.pl +x86_64cpuid.S: x86_64cpuid.pl $(PERL) x86_64cpuid.pl $@ ia64cpuid.s: ia64cpuid.S $(CC) $(CFLAGS) -E ia64cpuid.S > $@ diff --git a/crypto/aes/Makefile b/crypto/aes/Makefile index 9d174f4..69ad2f8 100644 --- a/crypto/aes/Makefile +++ b/crypto/aes/Makefile @@ -57,7 +57,7 @@ ax86-cof.s: asm/aes-586.pl ../perlasm/x86asm.pl ax86-out.s: asm/aes-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) aes-586.pl a.out $(CFLAGS) $(PROCESSOR) > ../$@) -aes-x86_64.s: asm/aes-x86_64.pl +aes-x86_64.S: asm/aes-x86_64.pl $(PERL) asm/aes-x86_64.pl $@ files: diff --git a/crypto/aes/asm/aes-586.pl b/crypto/aes/asm/aes-586.pl index 3bc46a9..52f863c 100755 --- a/crypto/aes/asm/aes-586.pl +++ b/crypto/aes/asm/aes-586.pl @@ -250,7 +250,7 @@ sub enclast() sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } } &public_label("AES_Te"); -&function_begin_B("_x86_AES_encrypt"); +&function_begin_B_static("_x86_AES_encrypt"); if ($vertical_spin) { # I need high parts of volatile registers to be accessible... &exch ($s1="edi",$key="ebx"); @@ -539,7 +539,7 @@ sub declast() } &public_label("AES_Td"); -&function_begin_B("_x86_AES_decrypt"); +&function_begin_B_static("_x86_AES_decrypt"); # note that caller is expected to allocate stack frame for me! &mov (&DWP(12,"esp"),$key); # save key @@ -1461,15 +1461,22 @@ sub deckey() &public_label("AES_Td"); &public_label("AES_Te"); &function_begin_B("AES_set_decrypt_key"); + &push ("ebx"); &mov ("eax",&wparam(0)); &mov ("ecx",&wparam(1)); &mov ("edx",&wparam(2)); &sub ("esp",12); + + &call (&label("pic_point0")); + &set_label("pic_point0"); + &blindpop("ebx"); + &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); &mov (&DWP(0,"esp"),"eax"); &mov (&DWP(4,"esp"),"ecx"); &mov (&DWP(8,"esp"),"edx"); - &call ("AES_set_encrypt_key"); + &call ("AES_set_encrypt_key\@PLT"); &add ("esp",12); + &pop ("ebx"); &cmp ("eax",0); &je (&label("proceed")); &ret (); diff --git a/crypto/aes/asm/aes-x86_64.pl b/crypto/aes/asm/aes-x86_64.pl index f616f17..2be6dd1 100755 --- a/crypto/aes/asm/aes-x86_64.pl +++ b/crypto/aes/asm/aes-x86_64.pl @@ -974,7 +974,11 @@ $code.=<<___; .align 16 AES_set_decrypt_key: push %rdx +#ifdef OPENSSL_PIC + call AES_set_encrypt_key\@PLT +#else call AES_set_encrypt_key +#endif cmp \$0,%eax je .Lproceed lea 24(%rsp),%rsp diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl index eec0088..ab6f524 100644 --- a/crypto/des/asm/desboth.pl +++ b/crypto/des/asm/desboth.pl @@ -16,6 +16,11 @@ sub DES_encrypt3 &push("edi"); + &call (&label("pic_point0")); + &set_label("pic_point0"); + &blindpop("ebp"); + &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); + &comment(""); &comment("Load the data words"); &mov($L,&DWP(0,"ebx","",0)); @@ -47,15 +52,21 @@ sub DES_encrypt3 &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); &mov(&swtmp(1), "eax"); &mov(&swtmp(0), "ebx"); - &call("DES_encrypt2"); + &exch("ebx", "ebp"); + &call("DES_encrypt2\@PLT"); + &exch("ebx", "ebp"); &mov(&swtmp(2), (DWC(($enc)?"0":"1"))); &mov(&swtmp(1), "edi"); &mov(&swtmp(0), "ebx"); - &call("DES_encrypt2"); + &exch("ebx", "ebp"); + &call("DES_encrypt2\@PLT"); + &exch("ebx", "ebp"); &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); &mov(&swtmp(1), "esi"); &mov(&swtmp(0), "ebx"); - &call("DES_encrypt2"); + &exch("ebx", "ebp"); + &call("DES_encrypt2\@PLT"); + &exch("ebx", "ebp"); &stack_pop(3); &mov($L,&DWP(0,"ebx","",0)); diff --git a/crypto/md5/Makefile b/crypto/md5/Makefile index 3c450fc..bb67106 100644 --- a/crypto/md5/Makefile +++ b/crypto/md5/Makefile @@ -52,7 +52,8 @@ mx86-cof.s: asm/md5-586.pl ../perlasm/x86asm.pl mx86-out.s: asm/md5-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) md5-586.pl a.out $(CFLAGS) > ../$@) -md5-x86_64.s: asm/md5-x86_64.pl; $(PERL) asm/md5-x86_64.pl $@ +md5-x86_64.s: asm/md5-x86_64.pl + $(PERL) asm/md5-x86_64.pl $@ files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl index e43dc9a..688d38b 100644 --- a/crypto/perlasm/cbc.pl +++ b/crypto/perlasm/cbc.pl @@ -122,7 +122,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - &call($enc_func); + &call (&label("pic_point0")); + &set_label("pic_point0"); + &blindpop("ebx"); + &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); + &call("$enc_func\@PLT"); &mov("eax", &DWP($data_off,"esp","",0)); &mov("ebx", &DWP($data_off+4,"esp","",0)); @@ -187,7 +191,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - &call($enc_func); + &call (&label("pic_point1")); + &set_label("pic_point1"); + &blindpop("ebx"); + &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]"); + &call("$enc_func\@PLT"); &mov("eax", &DWP($data_off,"esp","",0)); &mov("ebx", &DWP($data_off+4,"esp","",0)); @@ -220,7 +228,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put back &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - &call($dec_func); + &call (&label("pic_point2")); + &set_label("pic_point2"); + &blindpop("ebx"); + &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]"); + &call("$dec_func\@PLT"); &mov("eax", &DWP($data_off,"esp","",0)); # get return &mov("ebx", &DWP($data_off+4,"esp","",0)); # @@ -263,7 +275,11 @@ sub cbc &mov(&DWP($data_off,"esp","",0), "eax"); # put back &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - &call($dec_func); + &call (&label("pic_point3")); + &set_label("pic_point3"); + &blindpop("ebx"); + &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]"); + &call("$dec_func\@PLT"); &mov("eax", &DWP($data_off,"esp","",0)); # get return &mov("ebx", &DWP($data_off+4,"esp","",0)); # diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl index a4af769..998aeeb 100755 --- a/crypto/perlasm/x86_64-xlate.pl +++ b/crypto/perlasm/x86_64-xlate.pl @@ -62,7 +62,7 @@ my $output = shift; my ($outdev,$outino,@junk)=stat($output); open STDOUT,">$output" || die "can't open $output: $!" - if ($stddev!=$outdev || $stdino!=$outino); +# if ($stddev!=$outdev || $stdino!=$outino); } my $masmref=8 + 50727*2**-32; # 8.00.50727 shipped with VS2005 @@ -433,7 +433,7 @@ while($line=<>) { chomp($line); - $line =~ s|[#!].*$||; # get rid of asm-style comments... +# $line =~ s|[#!].*$||; # get rid of asm-style comments... $line =~ s|/\*.*\*/||; # ... and C-style comments... $line =~ s|^\s+||; # ... and skip white spaces in beginning diff --git a/crypto/perlasm/x86unix.pl b/crypto/perlasm/x86unix.pl index a4c9471..9cc089d 100644 --- a/crypto/perlasm/x86unix.pl +++ b/crypto/perlasm/x86unix.pl @@ -400,6 +400,29 @@ EOF $stack=4; } +sub main'function_begin_B_static + { + local($func,$extra)=@_; + + &main'external_label($func); + $func=$under.$func; + + local($tmp)=<<"EOF"; +.text +EOF + push(@out,$tmp); + if ($main'cpp) + { push(@out,"TYPE($func,\@function)\n"); } + elsif ($main'coff) + { $tmp=push(@out,".def\t$func;\t.scl\t2;\t.type\t32;\t.endef\n"); } + elsif ($main'aout and !$main'pic) + { } + else { push(@out,".type $func,\@function\n"); } + push(@out,".align\t$align\n"); + push(@out,"$func:\n"); + $stack=4; + } + sub main'function_end { local($func)=@_; @@ -694,7 +717,17 @@ sub main'initseg { $tmp=<<___; .section .init +#ifdef OPENSSL_PIC + pushl %ebx + call .pic_point0 +.pic_point0: + popl %ebx + addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx + call $under$f\@PLT + popl %ebx +#else call $under$f +#endif jmp .Linitalign .align $align .Linitalign: diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index bf19036..07c9c89 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -335,9 +335,9 @@ PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont) if(strcmp(hdr->value, "application/x-pkcs7-signature") && strcmp(hdr->value, "application/pkcs7-signature")) { - sk_MIME_HEADER_pop_free(headers, mime_hdr_free); PKCS7err(PKCS7_F_SMIME_READ_PKCS7,PKCS7_R_SIG_INVALID_MIME_TYPE); ERR_add_error_data(2, "type: ", hdr->value); + sk_MIME_HEADER_pop_free(headers, mime_hdr_free); sk_BIO_pop_free(parts, BIO_vfree); return NULL; } diff --git a/crypto/pqueue/pqueue.c b/crypto/pqueue/pqueue.c index 5cc1852..6c89f06 100644 --- a/crypto/pqueue/pqueue.c +++ b/crypto/pqueue/pqueue.c @@ -234,3 +234,17 @@ pqueue_next(pitem **item) return ret; } + +int +pqueue_size(pqueue_s *pq) +{ + pitem *item = pq->items; + int count = 0; + + while(item != NULL) + { + count++; + item = item->next; + } + return count; +} diff --git a/crypto/pqueue/pqueue.h b/crypto/pqueue/pqueue.h index 02386d1..16c4072 100644 --- a/crypto/pqueue/pqueue.h +++ b/crypto/pqueue/pqueue.h @@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq); pitem *pqueue_next(piterator *iter); void pqueue_print(pqueue pq); +int pqueue_size(pqueue pq); #endif /* ! HEADER_PQUEUE_H */ diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index 0f8dd3e..90e3462 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -477,8 +477,10 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) MD_Update(&m,local_md,MD_DIGEST_LENGTH); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY +#if 0 /* Don't add uninitialised data. */ MD_Update(&m,buf,j); /* purify complains */ #endif +#endif k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; if (k > 0) { diff --git a/crypto/rc4/Makefile b/crypto/rc4/Makefile index f0bd767..0d476a3 100644 --- a/crypto/rc4/Makefile +++ b/crypto/rc4/Makefile @@ -51,7 +51,7 @@ rx86-cof.s: asm/rc4-586.pl ../perlasm/x86asm.pl rx86-out.s: asm/rc4-586.pl ../perlasm/x86asm.pl (cd asm; $(PERL) rc4-586.pl a.out $(CFLAGS) > ../$@) -rc4-x86_64.s: asm/rc4-x86_64.pl; $(PERL) asm/rc4-x86_64.pl $@ +rc4-x86_64.S: asm/rc4-x86_64.pl; $(PERL) asm/rc4-x86_64.pl $@ rc4-ia64.s: asm/rc4-ia64.S @case `awk '/^#define RC4_INT/{print$$NF}' $(TOP)/include/openssl/opensslconf.h` in \ diff --git a/crypto/rc4/asm/rc4-x86_64.pl b/crypto/rc4/asm/rc4-x86_64.pl index 00c6fa2..cd05f12 100755 --- a/crypto/rc4/asm/rc4-x86_64.pl +++ b/crypto/rc4/asm/rc4-x86_64.pl @@ -270,7 +270,11 @@ RC4_set_key: xor %r10,%r10 xor %r11,%r11 +#ifdef OPENSSL_PIC + mov OPENSSL_ia32cap_P\@GOTPCREL(%rip),$idx#d +#else mov OPENSSL_ia32cap_P(%rip),$idx#d +#endif bt \$20,$idx#d jnc .Lw1stloop bt \$30,$idx#d @@ -338,7 +342,11 @@ RC4_set_key: RC4_options: .picmeup %rax lea .Lopts-.(%rax),%rax +#ifdef OPENSSL_PIC + mov OPENSSL_ia32cap_P\@GOTPCREL(%rip),%edx +#else mov OPENSSL_ia32cap_P(%rip),%edx +#endif bt \$20,%edx jnc .Ldone add \$12,%rax diff --git a/crypto/sha/sha.h b/crypto/sha/sha.h index 47a2c29..dc5f0fe 100644 --- a/crypto/sha/sha.h +++ b/crypto/sha/sha.h @@ -59,6 +59,7 @@ #ifndef HEADER_SHA_H #define HEADER_SHA_H +#include #include #include diff --git a/crypto/x86_64cpuid.pl b/crypto/x86_64cpuid.pl index 2616a03..c274275 100644 --- a/crypto/x86_64cpuid.pl +++ b/crypto/x86_64cpuid.pl @@ -95,7 +95,11 @@ OPENSSL_wipe_cpu: .size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu .section .init +#ifdef OPENSSL_PIC + call OPENSSL_cpuid_setup\@PLT +#else call OPENSSL_cpuid_setup +#endif ___ diff --git a/engines/Makefile b/engines/Makefile index 002d40c..4513346 100644 --- a/engines/Makefile +++ b/engines/Makefile @@ -100,13 +100,13 @@ install: *DSO_DL*) sfx="sl";; \ *) sfx="bad";; \ esac; \ - cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ + cp lib$$l.$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \ else \ sfx="so"; \ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ fi; \ - chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new; \ - mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines/lib$$l.$$sfx ); \ + chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new; \ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/ssl/engines/lib$$l.$$sfx ); \ done; \ fi diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 15a201a..7b97664 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -530,13 +530,14 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) frag->fragment,frag->msg_header.frag_len); } + unsigned long frag_len = frag->msg_header.frag_len; dtls1_hm_fragment_free(frag); pitem_free(item); if (al==0) { *ok = 1; - return frag->msg_header.frag_len; + return frag_len; } ssl3_send_alert(s,SSL3_AL_FATAL,al); @@ -561,7 +562,16 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) goto err; - if (msg_hdr->seq <= s->d1->handshake_read_seq) + /* Try to find item in queue, to prevent duplicate entries */ + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); + item = pqueue_find(s->d1->buffered_messages, seq64); + pq_64bit_free(&seq64); + + /* Discard the message if sequence number was already there, is + * too far in the future or the fragment is already in the queue */ + if (msg_hdr->seq <= s->d1->handshake_read_seq || + msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) { unsigned char devnull [256]; @@ -575,30 +585,31 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) } } - frag = dtls1_hm_fragment_new(frag_len); - if ( frag == NULL) - goto err; + if (frag_len) + { + frag = dtls1_hm_fragment_new(frag_len); + if ( frag == NULL) + goto err; - memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - if (frag_len) - { - /* read the body of the fragment (header has already been read */ + /* read the body of the fragment (header has already been read) */ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, frag->fragment,frag_len,0); if (i<=0 || (unsigned long)i!=frag_len) goto err; - } - pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, msg_hdr->seq); + pq_64bit_init(&seq64); + pq_64bit_assign_word(&seq64, msg_hdr->seq); - item = pitem_new(seq64, frag); - pq_64bit_free(&seq64); - if ( item == NULL) - goto err; + item = pitem_new(seq64, frag); + pq_64bit_free(&seq64); + if ( item == NULL) + goto err; + + pqueue_insert(s->d1->buffered_messages, item); + } - pqueue_insert(s->d1->buffered_messages, item); return DTLS1_HM_FRAGMENT_RETRY; err: diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index eb56cf9..4ae9be5 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, PQ_64BIT priority) DTLS1_RECORD_DATA *rdata; pitem *item; + /* Limit the size of the queue to prevent DOS attacks */ + if (pqueue_size(queue->q) >= 100) + return 0; + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 9ce7269..ded4b14 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -133,6 +133,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha int extdatalen=0; unsigned char *ret = p; + /* don't add extensions for SSLv3 */ + if (s->client_version == SSL3_VERSION) + return p; + ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ @@ -251,6 +255,10 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha int extdatalen=0; unsigned char *ret = p; + /* don't add extensions for SSLv3 */ + if (s->version == SSL3_VERSION) + return p; + ret+=2; if (ret>=limit) return NULL; /* this really never occurs, but ... */ diff --git a/tools/c_rehash b/tools/c_rehash index e614fb5..4bd6628 100644 --- a/tools/c_rehash +++ b/tools/c_rehash @@ -6,7 +6,7 @@ my $openssl; -my $dir = "/usr/local/ssl"; +my $dir = "/usr/lib/ssl"; if(defined $ENV{OPENSSL}) { $openssl = $ENV{OPENSSL}; @@ -59,12 +59,15 @@ sub hash_dir { } } closedir DIR; - FILE: foreach $fname (grep {/\.pem$/} @flist) { + FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); if(!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; + ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | "); + if(!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } } link_hash_cert($fname) if($cert); link_hash_crl($fname) if($crl); @@ -102,6 +105,9 @@ sub link_hash_cert { my $fname = $_[0]; $fname =~ s/'/'\\''/g; my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`; + if(!$hash || !fprint) { + ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname' -inform der`; + } chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; diff --git a/tools/c_rehash.in b/tools/c_rehash.in index 4497cbd..d76e693 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -59,12 +59,15 @@ sub hash_dir { } } closedir DIR; - FILE: foreach $fname (grep {/\.pem$/} @flist) { + FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); if(!$cert && !$crl) { - print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; - next; + ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | "); + if(!$cert && !$crl) { + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; + next; + } } link_hash_cert($fname) if($cert); link_hash_crl($fname) if($crl); @@ -102,6 +105,9 @@ sub link_hash_cert { my $fname = $_[0]; $fname =~ s/'/'\\''/g; my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`; + if(!$hash || !fprint) { + ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname' -inform der`; + } chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; -- 1.6.3.3