authorlevitte <levitte>2005-02-10 07:05:37 +0000
committerlevitte <levitte>2005-02-10 07:05:37 +0000
commit84660d124575769ebcb6eab235db1f27d88484b5 (patch)
tree29b7a0556cee0fd0323e83f6134366557c5a7782
parent03ecd84b7e83aafb01325353dbcedb971aceee3f (diff)
Recent changes from 0.9.7-stable.
-rwxr-xr-xConfigure8
-rw-r--r--Makefile.org49
-rw-r--r--TABLE6
-rw-r--r--apps/CA.pl.in18
-rw-r--r--apps/CA.sh14
-rw-r--r--apps/Makefile15
-rw-r--r--apps/dgst.c3
-rw-r--r--apps/enc.c42
-rw-r--r--apps/req.c9
-rw-r--r--apps/x509.c9
-rwxr-xr-xconfig4
-rw-r--r--crypto/asn1/a_verify.c13
-rw-r--r--crypto/evp/e_rc4.c1
-rw-r--r--crypto/evp/evp.h3
-rw-r--r--crypto/evp/evp_enc.c75
-rw-r--r--crypto/evp/evp_locl.h1
-rwxr-xr-xms/testss.bat2
-rw-r--r--ssl/s23_clnt.c16
-rw-r--r--ssl/s23_srvr.c9
-rw-r--r--ssl/s3_clnt.c8
-rw-r--r--ssl/s3_enc.c1
-rw-r--r--ssl/s3_srvr.c8
-rw-r--r--ssl/ssl.h1
-rw-r--r--ssl/ssl_cert.c8
-rw-r--r--ssl/ssl_err.c3
-rw-r--r--ssl/ssl_lib.c17
-rw-r--r--ssl/t1_enc.c18
-rw-r--r--test/Makefile116
-rw-r--r--test/tcrl2
-rw-r--r--test/testca3
-rw-r--r--test/testenc18
-rw-r--r--test/testfipsssl14
-rw-r--r--test/testgen6
-rw-r--r--test/testss10
-rw-r--r--test/testssl14
-rw-r--r--test/tpkcs72
-rw-r--r--test/tpkcs7d2
-rw-r--r--test/treq2
-rw-r--r--test/trsa4
-rw-r--r--test/tsid2
-rw-r--r--test/tx5092
-rwxr-xr-xutil/libeay.num8
-rwxr-xr-xutil/mkdef.pl2
-rwxr-xr-xutil/opensslwrap.sh22
-rwxr-xr-xutil/shlib_wrap.sh70
45 files changed, 409 insertions, 251 deletions
diff --git a/Configure b/Configure
index e89e43279..716cc0123 100755
--- a/Configure
+++ b/Configure
@@ -270,10 +270,10 @@ my %table=(
"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# IA-64 targets
-"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
# with debugging of the following config.
-"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o::::asm/sha1-ia64.o::asm/rc4-ia64.o:::dlfcn:hpux64-shared:+Z::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# More attempts at unified 10.X and 11.X targets for HP C compiler.
#
@@ -425,7 +425,9 @@ my %table=(
"qnx6", "cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
# Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# ARM comes in both little- and big-endian flavors. The following line is
+# endian neutral, but ./config is free to throw in -D[BL]_ENDIAN...
+"linux-elf-arm","gcc:-DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# SCO/Caldera targets.
#
diff --git a/Makefile.org b/Makefile.org
index dd7cfc636..afe3d43d1 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -505,13 +505,18 @@ do_hpux-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
+ if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+ shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ else \
+ shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ fi; \
+ [ -f $$shlib ] && rm -f $$shlib; \
( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
+vnocompatwarnings \
-b -z +s \
- -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
- +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ -o $$shlib +h $$shlib \
-Fl lib$$i.a -ldld -lc ) || exit 1; \
- chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ chmod a=rx $$shlib; \
done
# This assumes that GNU utilities are *not* used
@@ -528,12 +533,17 @@ do_hpux64-shared:
if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
+ if expr $(PLATFORM) : '.*ia64' > /dev/null; then \
+ shlib=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ else \
+ shlib=lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ fi; \
+ [ -f $$shlib ] && rm -f $$shlib; \
( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-b -z \
- -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
- +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ -o $$shlib +h $$shlib \
+forceload lib$$i.a -ldl -lc ) || exit 1; \
- chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
+ chmod a=rx $$shlib; \
done
# The following method is said to work on all platforms. Tests will
@@ -681,20 +691,9 @@ dclean:
rehash: rehash.time
rehash.time: certs
- @(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
+ @(OPENSSL="`pwd`/util/opensslwrap.sh"; \
+ OPENSSL_DEBUG_MEMORY=on; \
export OPENSSL OPENSSL_DEBUG_MEMORY; \
- if [ -n "$(SHARED_LIBS)" ]; then \
- LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
- LIBPATH="`pwd`:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then \
- PATH="`pwd`:$$PATH"; \
- fi; \
- LD_PRELOAD="`pwd`/libssl.so `pwd`/libcrypto.so"; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- export LD_PRELOAD; \
- fi; \
$(PERL) tools/c_rehash certs)
touch rehash.time
@@ -703,17 +702,7 @@ test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
- @if [ -n "$(SHARED_LIBS)" ]; then \
- LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
- LIBPATH="`pwd`:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
- LD_PRELOAD="`pwd`/libssl.so `pwd`/libcrypto.so"; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- export LD_PRELOAD; \
- fi; \
- apps/openssl version -a
+ util/shlib_wrap.sh apps/openssl version -a
report:
@$(PERL) util/selftest.pl
diff --git a/TABLE b/TABLE
index 29c47c5c3..d4e3fed70 100644
--- a/TABLE
+++ b/TABLE
@@ -2346,7 +2346,7 @@ $dso_scheme = dlfcn
$shared_target= hpux-shared
$shared_cflag = +Z
$shared_ldflag =
-$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
$ranlib =
$arflags =
@@ -2621,7 +2621,7 @@ $dso_scheme = dlfcn
$shared_target= hpux64-shared
$shared_cflag = +Z
$shared_ldflag =
-$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
$ranlib =
$arflags =
@@ -3052,7 +3052,7 @@ $arflags =
*** linux-elf-arm
$cc = gcc
-$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$cflags = -DTERMIO -O3 -fomit-frame-pointer -Wall
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index ae7d9c045..39f267d31 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -36,13 +36,21 @@
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
+my $openssl;
+if(defined $ENV{OPENSSL}) {
+ $openssl = $ENV{OPENSSL};
+} else {
+ $openssl = "openssl";
+ $ENV{OPENSSL} = $openssl;
+}
+
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 365";
-$REQ="openssl req $SSLEAY_CONFIG";
-$CA="openssl ca $SSLEAY_CONFIG";
-$VERIFY="openssl verify";
-$X509="openssl x509";
-$PKCS12="openssl pkcs12";
+$REQ="$openssl req $SSLEAY_CONFIG";
+$CA="$openssl ca $SSLEAY_CONFIG";
+$VERIFY="$openssl verify";
+$X509="$openssl x509";
+$PKCS12="$openssl pkcs12";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
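Review bot: The value of `$ENV{OPENSSL}` is interpolated verbatim into the `$REQ`, `$CA`, `$VERIFY`, `$X509` and `$PKCS12` command strings, so a path containing spaces or shell metacharacters would be split or interpreted if those strings are later handed to a shell; the calls that run them are outside this hunk, so that part is an assumption to confirm. Because this script drives CA key operations, the new block should carry a comment stating the trust requirement, e.g. `# OPENSSL must name a trusted openssl executable; it is used verbatim in every command below`. `my $openssl` is also the only lexical among the package globals set here, which is worth making consistent one way or the other. The matching hunk in apps/CA.sh defaults `OPENSSL` but, unlike this one, does not export it to child processes.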
diff --git a/apps/CA.sh b/apps/CA.sh
index 1942b985a..030a11fc2 100644
--- a/apps/CA.sh
+++ b/apps/CA.sh
@@ -27,14 +27,16 @@
# tjh@cryptsoft.com
#
-# default ssleay.cnf file has setup as per the following
+# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
+if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
+
DAYS="-days 365"
-REQ="ssleay req $SSLEAY_CONFIG"
-CA="ssleay ca $SSLEAY_CONFIG"
-VERIFY="ssleay verify"
-X509="ssleay x509"
+REQ="$OPENSSL req $SSLEAY_CONFIG"
+CA="$OPENSSL ca $SSLEAY_CONFIG"
+VERIFY="$OPENSSL verify"
+X509="$OPENSSL x509"
CATOP=./demoCA
CAKEY=./cakey.pem
@@ -60,7 +62,7 @@ case $i in
echo "Request (and private key) is in newreq.pem"
;;
-newca)
- # if explictly asked for or it doesn't exist then setup the directory
+ # if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
diff --git a/apps/Makefile b/apps/Makefile
index f734415bf..4ea4ba6f7 100644
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -152,20 +152,9 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
fi
+ @case "../*.dll" in *\**) ;; *) cp -p ../*.dll .;; esac
-(cd ..; \
- OPENSSL="`pwd`/apps/$(EXE)"; export OPENSSL; \
- if [ -n "$(SHARED_LIBS)" ]; then \
- LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
- LIBPATH="`pwd`:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then \
- PATH="`pwd`:$$PATH"; \
- fi; \
- LD_PRELOAD="`pwd`/libssl.so `pwd`/libcrypto.so"; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- export LD_PRELOAD; \
- fi; \
+ OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \
$(PERL) tools/c_rehash certs)
progs.h: progs.pl
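Review bot: The added `case "../*.dll" in *\**) ;; *) cp -p ../*.dll .;; esac` can never reach the `cp`, because the case word is quoted (and a case word is not pathname-expanded in any event), so it is always the literal `../*.dll`, which contains `*` and matches the first pattern. If the intent is to copy the DLLs only when some exist, expand the glob before testing it, for example `@set -- ../*.dll; if [ -f "$$1" ]; then cp -p "$$@" .; fi`. The recipe this line belongs to starts above the hunk.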
diff --git a/apps/dgst.c b/apps/dgst.c
index b30bf4e00..17fb87b77 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -355,7 +355,8 @@ int MAIN(int argc, char **argv)
/* we use md as a filter, reading from 'in' */
if (!BIO_set_md(bmd,md))
{
- BIO_printf(bio_err, "Error setting digest %s\n", pname);
+ BIO_printf(bio_err, "Error setting digest %s\n",
+ EVP_MD_name(md));
ERR_print_errors(bio_err);
goto end;
}
diff --git a/apps/enc.c b/apps/enc.c
index cf1d98cd6..6f3161395 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -118,6 +118,7 @@ int MAIN(int argc, char **argv)
int enc=1,printkey=0,i,base64=0;
int debug=0,olb64=0,nosalt=0;
const EVP_CIPHER *cipher=NULL,*c;
+ EVP_CIPHER_CTX *ctx = NULL;
char *inf=NULL,*outf=NULL;
BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
#define PROG_NAME_SIZE 39
@@ -126,6 +127,7 @@ int MAIN(int argc, char **argv)
char *engine = NULL;
#endif
const EVP_MD *dgst=NULL;
+ int non_fips_allow = 0;
apps_startup();
@@ -260,6 +262,8 @@ int MAIN(int argc, char **argv)
if (--argc < 1) goto bad;
md= *(++argv);
}
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow = 1;
else if ((argv[0][0] == '-') &&
((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
{
@@ -539,13 +543,43 @@ bad:
if ((benc=BIO_new(BIO_f_cipher())) == NULL)
goto end;
- BIO_set_cipher(benc,cipher,key,iv,enc);
- if (nopad)
+
+ /* Since we may be changing parameters work on the encryption
+ * context rather than calling BIO_set_cipher().
+ */
+
+ BIO_get_cipher_ctx(benc, &ctx);
+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
+ {
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (non_fips_allow)
+ EVP_CIPHER_CTX_set_flags(ctx,
+ EVP_CIPH_FLAG_NON_FIPS_ALLOW);
+
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
{
- EVP_CIPHER_CTX *ctx;
- BIO_get_cipher_ctx(benc, &ctx);
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (nopad)
EVP_CIPHER_CTX_set_padding(ctx, 0);
+
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+ {
+ BIO_printf(bio_err, "Error setting cipher %s\n",
+ EVP_CIPHER_name(cipher));
+ ERR_print_errors(bio_err);
+ goto end;
}
+
if (debug)
{
BIO_set_callback(benc,BIO_debug_callback);
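Review bot: `EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)` is now called twice with identical arguments, once before and once after the `nopad` handling, so the context is keyed twice and the first of the two looks like a merge leftover. Dropping it leaves the sequence cipher-only init, `EVP_CIPHER_CTX_set_flags`, `EVP_CIPHER_CTX_set_padding`, then a single key/IV init, which also agrees with the comment this commit adds in crypto/evp/evp_enc.c that no parameter changes are permissible once the key is set. All three failure branches print the same "Error setting cipher" text; the key/IV branch would be easier to diagnose with `"Error setting key/IV for cipher %s\n"`. MAIN starts and ends outside the hunk.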
diff --git a/apps/req.c b/apps/req.c
index d33cddc94..eebe71b15 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -175,7 +175,7 @@ int MAIN(int argc, char **argv)
char *passin = NULL, *passout = NULL;
char *p;
char *subj = NULL;
- const EVP_MD *md_alg=NULL,*digest=EVP_md5();
+ const EVP_MD *md_alg=NULL,*digest;
unsigned long chtype = MBSTRING_ASC;
#ifndef MONOLITH
char *to_free;
@@ -197,6 +197,13 @@ int MAIN(int argc, char **argv)
informat=FORMAT_PEM;
outformat=FORMAT_PEM;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ digest = EVP_sha1();
+ else
+#endif
+ digest = EVP_md5();
+
prog=argv[0];
argc--;
argv++;
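Review bot: Outside FIPS mode the default signing digest set here is still `EVP_md5()`, so requests (and, in the matching hunk of apps/x509.c, certificates) produced without an explicit digest option remain MD5-signed, and MD5's collision resistance is too weak for it to be the default for signatures. Setting `digest = EVP_sha1();` unconditionally, or a stronger digest if this tree provides one, would fix that and remove the `#ifdef` altogether. As written, the `else` inside `#ifdef OPENSSL_FIPS` binds to a statement that follows `#endif`, which breaks silently if a line is ever inserted between them; braces or a comment such as `/* else-branch continues after #endif */` would guard against that. MAIN continues outside the hunk.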
diff --git a/apps/x509.c b/apps/x509.c
index 7a998523c..e7115cac6 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -179,7 +179,7 @@ int MAIN(int argc, char **argv)
X509_REQ *rq=NULL;
int fingerprint=0;
char buf[256];
- const EVP_MD *md_alg,*digest=EVP_md5();
+ const EVP_MD *md_alg,*digest;
CONF *extconf = NULL;
char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
int need_rand = 0;
@@ -216,6 +216,13 @@ int MAIN(int argc, char **argv)
if (ctx == NULL) goto end;
X509_STORE_set_verify_cb_func(ctx,callb);
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ digest = EVP_sha1();
+ else
+#endif
+ digest = EVP_md5();
+
argc--;
argv++;
num=0;
diff --git a/config b/config
index b2f9dde10..d8d2ca5b6 100755
--- a/config
+++ b/config
@@ -598,7 +598,9 @@ EOF
options="$options -mschedule=$CPUSCHEDULE -march=$CPUARCH"
OUT="linux-parisc" ;;
- arm*-*-linux2) OUT="linux-elf-arm" ;;
+ arm*b-*-linux2) OUT="linux-elf-arm"; options="$options -DB_ENDIAN" ;;
+ arm*l-*-linux2) OUT="linux-elf-arm"; options="$options -DL_ENDIAN" ;;
+ arm*-*-linux2) OUT="linux-elf-arm" ;;
s390-*-linux2) OUT="linux-s390" ;;
s390x-*-linux?) OUT="linux-s390x" ;;
x86_64-*-linux?) OUT="linux-x86_64" ;;
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index b91678a9f..18ef0acf0 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -142,6 +142,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
goto err;
}
+ if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+ {
+ ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+ ret=0;
+ goto err;
+ }
+
inl = ASN1_item_i2d(asn, &buf_in, it);
if (buf_in == NULL)
@@ -150,12 +157,6 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
goto err;
}
- if (!EVP_VerifyInit_ex(&ctx,type, NULL))
- {
- ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
- ret=0;
- goto err;
- }
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
OPENSSL_cleanse(buf_in,(unsigned int)inl);
diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c
index d58f50783..8aa70585b 100644
--- a/crypto/evp/e_rc4.c
+++ b/crypto/evp/e_rc4.c
@@ -62,6 +62,7 @@
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/objects.h>
+#include "evp_locl.h"
#include <openssl/rc4.h>
/* FIXME: surely this is available elsewhere? */
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 8aab0a5cb..5cde88ae7 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -490,6 +490,9 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
#define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
#define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
#define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
+#define EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define EVP_CIPHER_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define EVP_CIPHER_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
#define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
#define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80)
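Review bot: The three new macros operate on `(ctx)->flags`, while the existing `EVP_CIPHER_CTX_flags(e)` on the line just above reads `(e)->cipher->flags`, so a flag set with `EVP_CIPHER_CTX_set_flags` is not visible through `EVP_CIPHER_CTX_flags`. That asymmetry is easy to get wrong for `EVP_CIPH_FLAG_NON_FIPS_ALLOW`, which this commit tests on the context; a comment above the additions would document it, e.g. `/* set/clear/test act on the context's own flags, not on the cipher flags returned by EVP_CIPHER_CTX_flags() */`.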
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index d8ff552d3..f549eeb43 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -82,6 +82,48 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
}
+#ifdef OPENSSL_FIPS
+
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+
+int bad_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc)
+ { FIPS_ERROR_IGNORED("Cipher init"); return 0;}
+
+int bad_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, unsigned int inl)
+ { FIPS_ERROR_IGNORED("Cipher update"); return 0;}
+
+/* NB: no cleanup because it is allowed after failed init */
+
+int bad_set_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+ { FIPS_ERROR_IGNORED("Cipher set_asn1"); return 0;}
+int bad_get_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *typ)
+ { FIPS_ERROR_IGNORED("Cipher get_asn1"); return 0;}
+int bad_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
+ { FIPS_ERROR_IGNORED("Cipher ctrl"); return 0;}
+
+static const EVP_CIPHER bad_cipher =
+ {
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ bad_init,
+ bad_do_cipher,
+ NULL,
+ 0,
+ bad_set_asn1,
+ bad_get_asn1,
+ bad_ctrl,
+ NULL
+ };
+
+#endif
+
int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
const unsigned char *key, const unsigned char *iv, int enc)
{
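Review bot: `bad_init`, `bad_do_cipher`, `bad_set_asn1`, `bad_get_asn1` and `bad_ctrl` are defined without `static`, so in FIPS builds they become external symbols of the library under very generic names, although the only visible user is the `static const EVP_CIPHER bad_cipher` table in this file. Declaring each one `static int bad_init(...)` and so on keeps them out of the link namespace. The positional initialiser of `bad_cipher` would also benefit from a short comment per slot, since the `NULL` after `bad_do_cipher` is presumably the cleanup entry that the "no cleanup" remark refers to.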
@@ -146,18 +188,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
else
ctx->engine = NULL;
#endif
-#ifdef OPENSSL_FIPS
- if (FIPS_mode())
- {
- if (!(cipher->flags & EVP_CIPH_FLAG_FIPS)
- & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
- {
- EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
- ERR_add_error_data(2, "cipher=", EVP_CIPHER_name(cipher));
- return 0;
- }
- }
-#endif
ctx->cipher=cipher;
if (ctx->cipher->ctx_size)
{
@@ -221,6 +251,24 @@ skip_to_init:
}
}
+#ifdef OPENSSL_FIPS
+ /* After 'key' is set no further parameters changes are permissible.
+ * So only check for non FIPS enabling at this point.
+ */
+ if (key && FIPS_mode())
+ {
+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW))
+ {
+ EVPerr(EVP_F_EVP_CIPHERINIT, EVP_R_DISABLED_FOR_FIPS);
+ ERR_add_error_data(2, "cipher=",
+ EVP_CIPHER_name(ctx->cipher));
+ ctx->cipher = &bad_cipher;
+ return 0;
+ }
+ }
+#endif
+
if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
}
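Review bot: The FIPS test joins two logical negations with bitwise `&`, `!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)`; it gives the right value only because both operands are 0 or 1, and `&&` is what a reader or a static checker expects here. The check now runs only when `key` is non-NULL, while the statement right after it still calls `ctx->cipher->init` for `EVP_CIPH_ALWAYS_CALL_INIT` ciphers with a NULL key, and this commit also removes the FIPS assertion from `EVP_EncryptUpdate`. It looks as though a context given a non-approved cipher but never a key keeps the real cipher pointer with no remaining check, which is worth confirming and, if intended, stating in the comment. EVP_CipherInit_ex begins above the hunk.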
@@ -282,9 +330,6 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
int i,j,bl;
OPENSSL_assert(inl > 0);
-#ifdef OPENSSL_FIPS
- OPENSSL_assert(!FIPS_mode() || ctx->cipher->flags & EVP_CIPH_FLAG_FIPS);
-#endif
if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
{
if(ctx->cipher->do_cipher(ctx,out,in,inl))
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 845f222ee..f8c534362 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -241,6 +241,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
#define CAST_set_key private_CAST_set_key
#define RC5_32_set_key private_RC5_32_set_key
#define BF_set_key private_BF_set_key
+#define idea_set_encrypt_key private_idea_set_encrypt_key
#define MD5_Init private_MD5_Init
#define MD4_Init private_MD4_Init
diff --git a/ms/testss.bat b/ms/testss.bat
index f7e58e275..b4aaf3c60 100755
--- a/ms/testss.bat
+++ b/ms/testss.bat
@@ -4,7 +4,7 @@ rem set ssleay=..\out\ssleay
set ssleay=%1
set reqcmd=%ssleay% req
-set x509cmd=%ssleay% x509
+set x509cmd=%ssleay% x509 -sha1
set verifycmd=%ssleay% verify
set CAkey=keyCA.ss
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index b1db0fb7b..779e94a35 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -249,6 +249,14 @@ static int ssl23_client_hello(SSL *s)
*(d++)=TLS1_VERSION_MINOR;
s->client_version=TLS1_VERSION;
}
+#ifdef OPENSSL_FIPS
+ else if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return -1;
+ }
+#endif
else if (!(s->options & SSL_OP_NO_SSLv3))
{
*(d++)=SSL3_VERSION_MAJOR;
@@ -429,6 +437,14 @@ static int ssl23_get_server_hello(SSL *s)
if ((p[2] == SSL3_VERSION_MINOR) &&
!(s->options & SSL_OP_NO_SSLv3))
{
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ {
+ SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
s->version=SSL3_VERSION;
s->method=SSLv3_client_method();
}
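Review bot: The new FIPS rejection is placed only inside the SSLv3 branch of `ssl23_get_server_hello`; the branches that accept other server hello formats are outside this hunk, so whether an SSLv2 reply is also refused in FIPS mode cannot be confirmed from here. ssl/s23_srvr.c in this commit uses a single test after the version has been chosen, `if (FIPS_mode() && (s->version < TLS1_VERSION))`, and the same shape on the client side would cover every branch at once instead of relying on each one carrying its own guard. The two client-side checks also leave differently (`return -1` in `ssl23_client_hello`, `goto err` here), which deserves a one-line comment if both are intentional.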
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index c5404ca0b..92f3391f6 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -407,6 +407,15 @@ int ssl23_get_client_hello(SSL *s)
}
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
+ SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ goto err;
+ }
+#endif
+
if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
{
/* we have SSLv3/TLSv1 in an SSLv2 header
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index a18be3e2f..a475033f0 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1169,16 +1169,8 @@ static int ssl3_get_key_exchange(SSL *s)
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,param,param_len);
-#ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION && num == 2)
- FIPS_allow_md5(1);
-#endif
EVP_DigestFinal_ex(&md_ctx,q,(unsigned int *)&i);
-#ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION && num == 2)
- FIPS_allow_md5(1);
-#endif
q+=i;
j+=i;
}
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index beb6c64b9..a012d3f2b 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -644,6 +644,7 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
unsigned int n;
EVP_MD_CTX_init(&ctx);
+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
for (i=0; i<3; i++)
{
EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
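Review bot: The added `EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)` has no comment saying why the SSLv3 master-secret derivation is exempted from FIPS digest enforcement, even though the same commit rejects SSLv3 in FIPS mode in ssl/s23_clnt.c, ssl/s23_srvr.c and `SSL_CTX_new`. A comment such as `/* derivation presumably needs a non-approved digest; confirm this path is still reachable in FIPS mode */` would record the intent until that is verified. The loop that follows ignores the return value of `EVP_DigestInit_ex`, so a refused digest would go unnoticed. The function body extends past the hunk.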
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index a7184891c..0a573c6a4 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1220,16 +1220,8 @@ static int ssl3_send_server_key_exchange(SSL *s)
EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-#ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION && num == 2)
- FIPS_allow_md5(1);
-#endif
EVP_DigestFinal_ex(&md_ctx,q,
(unsigned int *)&i);
-#ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION && num == 2)
- FIPS_allow_md5(0);
-#endif
q+=i;
j+=i;
}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index ad201f257..3ed6b9f6e 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1742,6 +1742,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_NULL_SSL_CTX 195
#define SSL_R_NULL_SSL_METHOD_PASSED 196
#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 197
+#define SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE 1115
#define SSL_R_PACKET_LENGTH_TOO_LONG 198
#define SSL_R_PATH_TOO_LONG 270
#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 199
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 0bef96080..6e98de890 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -493,15 +493,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk)
else
{
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
i=X509_verify_cert(&ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
#else
i=0;
ctx.error=X509_V_ERR_APPLICATION_VERIFICATION;
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d2cb18150..65eefee19 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -334,6 +334,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{SSL_R_NULL_SSL_CTX ,"null ssl ctx"},
{SSL_R_NULL_SSL_METHOD_PASSED ,"null ssl method passed"},
{SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED ,"old session cipher not returned"},
+{SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE ,"only tls allowed in fips mode"},
{SSL_R_PACKET_LENGTH_TOO_LONG ,"packet length too long"},
{SSL_R_PATH_TOO_LONG ,"path too long"},
{SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE ,"peer did not return a certificate"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index f5705af0f..1f625cb07 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1293,6 +1293,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
return(NULL);
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (meth->version < TLS1_VERSION))
+ {
+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+ return NULL;
+ }
+#endif
+
if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
{
SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
@@ -2158,16 +2166,7 @@ int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
int r;
-
-#ifdef OPENSSL_FIPS
- if(ctx->method->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-#endif
r=X509_STORE_load_locations(ctx->cert_store,CAfile,CApath);
-#ifdef OPENSSL_FIPS
- if(ctx->method->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-#endif
return r;
}
#endif
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3dec4099c..2c6246abf 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -180,13 +180,7 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
S2= &(sec[len]);
len+=(slen&1); /* add for odd, make longer */
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(1);
-#endif
tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(0);
-#endif
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
for (i=0; i<olen; i++)
@@ -664,13 +658,7 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
EVP_MD_CTX_init(&ctx);
EVP_MD_CTX_copy_ex(&ctx,in_ctx);
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(1);
-#endif
EVP_DigestFinal_ex(&ctx,out,&ret);
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(0);
-#endif
EVP_MD_CTX_cleanup(&ctx);
return((int)ret);
}
@@ -689,13 +677,7 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
EVP_MD_CTX_init(&ctx);
EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(1);
-#endif
EVP_DigestFinal_ex(&ctx,q,&i);
-#ifdef OPENSSL_FIPS
- FIPS_allow_md5(0);
-#endif
q+=i;
EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
EVP_DigestFinal_ex(&ctx,q,&i);
diff --git a/test/Makefile b/test/Makefile
index 8b649b285..cf127b1bd 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -124,21 +124,6 @@ tests: exe apps $(TESTS)
apps:
@(cd ..; $(MAKE) DIRS=apps all)
-SET_SO_PATHS=\
- if [ -n "$(SHARED_LIBS)" ]; then \
- OSSL_LIBPATH="`cd ..; pwd`"; \
- LD_LIBRARY_PATH="$$OSSL_LIBPATH:$$LD_LIBRARY_PATH"; \
- DYLD_LIBRARY_PATH="$$OSSL_LIBPATH:$$DYLD_LIBRARY_PATH"; \
- SHLIB_PATH="$$OSSL_LIBPATH:$$SHLIB_PATH"; \
- LIBPATH="$$OSSL_LIBPATH:$$LIBPATH"; \
- if [ "$(PLATFORM)" = "Cygwin" ]; then \
- PATH="$${LIBPATH}:$$PATH"; \
- fi; \
- LD_PRELOAD="$$OSSL_LIBPATH/libssl.so $$OSSL_LIBPATH/libcrypto.so"; \
- export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
- export LD_PRELOAD; \
- fi
-
alltests: \
test_des test_idea test_sha test_md4 test_md5 test_hmac \
test_md2 test_mdc2 \
@@ -152,151 +137,151 @@ alltests: \
fips_test_aes:
if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
mkdir -p fips_aes_data/rsp; \
- $(SET_SO_PATHS); ./$(FIPS_AESTEST) -d fips_aes_data/list; \
+ ../util/shlib_wrap.sh ./$(FIPS_AESTEST) -d fips_aes_data/list; \
fi
test_evp:
- $(SET_SO_PATHS); ./$(EVPTEST) evptests.txt
+ ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
test_des:
- $(SET_SO_PATHS); ./$(DESTEST)
+ ../util/shlib_wrap.sh ./$(DESTEST)
test_idea:
- $(SET_SO_PATHS); ./$(IDEATEST)
+ ../util/shlib_wrap.sh ./$(IDEATEST)
test_sha:
- $(SET_SO_PATHS); ./$(SHATEST)
- $(SET_SO_PATHS); ./$(SHA1TEST)
+ ../util/shlib_wrap.sh ./$(SHATEST)
+ ../util/shlib_wrap.sh ./$(SHA1TEST)
if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
- $(SET_SO_PATHS); ./$(FIPS_SHA1TEST) sha1vectors.txt | sed s/Strings/Hashes/ | cmp sha1hashes.txt - ; \
+ ../util/shlib_wrap.sh ./$(FIPS_SHA1TEST) sha1vectors.txt | sed s/Strings/Hashes/ | cmp sha1hashes.txt - ; \
fi
test_mdc2:
- $(SET_SO_PATHS); ./$(MDC2TEST)
+ ../util/shlib_wrap.sh ./$(MDC2TEST)
test_md5:
- $(SET_SO_PATHS); ./$(MD5TEST)
+ ../util/shlib_wrap.sh ./$(MD5TEST)
test_md4:
- $(SET_SO_PATHS); ./$(MD4TEST)
+ ../util/shlib_wrap.sh ./$(MD4TEST)
test_hmac:
- $(SET_SO_PATHS); ./$(HMACTEST)
+ ../util/shlib_wrap.sh ./$(HMACTEST)
test_md2:
- $(SET_SO_PATHS); ./$(MD2TEST)
+ ../util/shlib_wrap.sh ./$(MD2TEST)
test_rmd:
- $(SET_SO_PATHS); ./$(RMDTEST)
+ ../util/shlib_wrap.sh ./$(RMDTEST)
test_bf:
- $(SET_SO_PATHS); ./$(BFTEST)
+ ../util/shlib_wrap.sh ./$(BFTEST)
test_cast:
- $(SET_SO_PATHS); ./$(CASTTEST)
+ ../util/shlib_wrap.sh ./$(CASTTEST)
test_rc2:
- $(SET_SO_PATHS); ./$(RC2TEST)
+ ../util/shlib_wrap.sh ./$(RC2TEST)
test_rc4:
- $(SET_SO_PATHS); ./$(RC4TEST)
+ ../util/shlib_wrap.sh ./$(RC4TEST)
test_rc5:
- $(SET_SO_PATHS); ./$(RC5TEST)
+ ../util/shlib_wrap.sh ./$(RC5TEST)
test_rand:
- $(SET_SO_PATHS); ./$(RANDTEST)
+ ../util/shlib_wrap.sh ./$(RANDTEST)
if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
- $(SET_SO_PATHS); ./$(FIPS_RANDTEST); \
+ ../util/shlib_wrap.sh ./$(FIPS_RANDTEST); \
fi
test_enc:
- @$(SET_SO_PATHS); sh ./testenc
+ @sh ./testenc
test_x509:
echo test normal x509v1 certificate
- $(SET_SO_PATHS); sh ./tx509 2>/dev/null
+ sh ./tx509 2>/dev/null
echo test first x509v3 certificate
- $(SET_SO_PATHS); sh ./tx509 v3-cert1.pem 2>/dev/null
+ sh ./tx509 v3-cert1.pem 2>/dev/null
echo test second x509v3 certificate
- $(SET_SO_PATHS); sh ./tx509 v3-cert2.pem 2>/dev/null
+ sh ./tx509 v3-cert2.pem 2>/dev/null
test_rsa:
- @$(SET_SO_PATHS); sh ./trsa 2>/dev/null
- $(SET_SO_PATHS); ./$(RSATEST)
+ @sh ./trsa 2>/dev/null
+ ../util/shlib_wrap.sh ./$(RSATEST)
test_crl:
- @$(SET_SO_PATHS); sh ./tcrl 2>/dev/null
+ @sh ./tcrl 2>/dev/null
test_sid:
- @$(SET_SO_PATHS); sh ./tsid 2>/dev/null
+ @sh ./tsid 2>/dev/null
test_req:
- @$(SET_SO_PATHS); sh ./treq 2>/dev/null
- @$(SET_SO_PATHS); sh ./treq testreq2.pem 2>/dev/null
+ @sh ./treq 2>/dev/null
+ @sh ./treq testreq2.pem 2>/dev/null
test_pkcs7:
- @$(SET_SO_PATHS); sh ./tpkcs7 2>/dev/null
- @$(SET_SO_PATHS); sh ./tpkcs7d 2>/dev/null
+ @sh ./tpkcs7 2>/dev/null
+ @sh ./tpkcs7d 2>/dev/null
test_bn:
@echo starting big number library test, could take a while...
- @$(SET_SO_PATHS); ./$(BNTEST) >tmp.bntest
+ @../util/shlib_wrap.sh ./$(BNTEST) >tmp.bntest
@echo quit >>tmp.bntest
@echo "running bc"
@<tmp.bntest sh -c "`sh ./bctest ignore`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"'
@echo 'test a^b%c implementations'
- $(SET_SO_PATHS); ./$(EXPTEST)
+ ../util/shlib_wrap.sh ./$(EXPTEST)
test_ec:
@echo 'test elliptic curves'
- $(SET_SO_PATHS); ./$(ECTEST)
+ ../util/shlib_wrap.sh ./$(ECTEST)
test_verify:
@echo "The following command should have some OK's and some failures"
@echo "There are definitly a few expired certificates"
- -$(SET_SO_PATHS); ../apps/openssl verify -CApath ../certs ../certs/*.pem
+ -../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem
test_dh:
@echo "Generate a set of DH parameters"
- $(SET_SO_PATHS); ./$(DHTEST)
+ ../util/shlib_wrap.sh ./$(DHTEST)
test_dsa:
@echo "Generate a set of DSA parameters"
- $(SET_SO_PATHS); ./$(DSATEST)
- $(SET_SO_PATHS); ./$(DSATEST) -app2_1
+ ../util/shlib_wrap.sh ./$(DSATEST)
+ ../util/shlib_wrap.sh ./$(DSATEST) -app2_1
if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
- $(SET_SO_PATHS); ./$(FIPS_DSATEST); \
- $(SET_SO_PATHS); ./$(FIPS_DSATEST) -app2_1; \
+ ../util/shlib_wrap.sh ./$(FIPS_DSATEST); \
+ ../util/shlib_wrap.sh ./$(FIPS_DSATEST) -app2_1; \
fi
test_gen:
@echo "Generate and verify a certificate request"
- @$(SET_SO_PATHS); sh ./testgen
+ @sh ./testgen
test_ss keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
intP1.ss intP2.ss: testss
@echo "Generate and certify a test certificate"
- @$(SET_SO_PATHS); sh ./testss
+ @sh ./testss
@cat certCA.ss certU.ss > intP1.ss
@cat certCA.ss certU.ss certP1.ss > intP2.ss
test_engine:
@echo "Manipulate the ENGINE structures"
- $(SET_SO_PATHS); ./$(ENGINETEST)
+ ../util/shlib_wrap.sh ./$(ENGINETEST)
test_ssl: keyU.ss certU.ss certCA.ss certP1.ss keyP1.ss certP2.ss keyP2.ss \
intP1.ss intP2.ss
@echo "test SSL protocol"
@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
- $(SET_SO_PATHS); sh ./testfipsssl keyU.ss certU.ss certCA.ss; \
+ sh ./testfipsssl keyU.ss certU.ss certCA.ss; \
fi
- @$(SET_SO_PATHS); sh ./testssl keyU.ss certU.ss certCA.ss
- @$(SET_SO_PATHS); sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
- @$(SET_SO_PATHS); sh ./testsslproxy keyP2.ss certP2.ss intP2.ss
+ @sh ./testssl keyU.ss certU.ss certCA.ss
+ @sh ./testsslproxy keyP1.ss certP1.ss intP1.ss
+ @sh ./testsslproxy keyP2.ss certP2.ss intP2.ss
test_ca:
- @$(SET_SO_PATHS); if ../apps/openssl no-rsa; then \
+ @if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then \
echo "skipping CA.sh test -- requires RSA"; \
else \
echo "Generate and certify a test certificate via the 'ca' program"; \
@@ -305,7 +290,7 @@ test_ca:
test_aes: #$(AESTEST)
# @echo "test Rijndael"
-# $(SET_SO_PATHS); ./$(AESTEST)
+# ../util/shlib_wrap.sh ./$(AESTEST)
lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
@@ -606,6 +591,7 @@ dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
$(CC) -o dummytest$(EXE_EXT) $(CFLAGS) dummytest.o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) ; \
fi
+ @case "../*.dll" in *\**) ;; *) cp -p ../*.dll .;; esac
# DO NOT DELETE THIS LINE -- make depend depends on it.
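Review bot: The added recipe line `@case "../*.dll" in *\**) ;; *) cp -p ../*.dll .;; esac` can never reach the `cp`. The case word is a quoted string and a case word is not subject to pathname expansion, so it always contains a literal `*` and always matches the first pattern. If the intent is to copy freshly built DLLs next to the test binaries (as the SafeDllSearchMode comments in the new wrapper scripts suggest), a loop does that and still succeeds when no DLL exists: `@for f in ../*.dll; do if [ -f "$$f" ]; then cp -p "$$f" .; fi; done`. The recipe this line belongs to starts above the hunk.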
diff --git a/test/tcrl b/test/tcrl
index f71ef7a86..3ffed12a0 100644
--- a/test/tcrl
+++ b/test/tcrl
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/testca b/test/testca
index 8215ebb5d..5b2faa78f 100644
--- a/test/testca
+++ b/test/testca
@@ -11,6 +11,9 @@ export SH PATH
SSLEAY_CONFIG="-config CAss.cnf"
export SSLEAY_CONFIG
+OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
+export OPENSSL
+
/bin/rm -fr demoCA
$SH ../apps/CA.sh -newca <<EOF
EOF
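Review bot: The new `OPENSSL` value hands the wrapper the bare name `openssl`, so the `exec "$@"` in shlib_wrap.sh resolves it through PATH and the CA test may exercise an installed binary rather than the one just built. Whether PATH already starts with ../apps is decided above the hunk (only `export SH PATH` is visible), so this should be confirmed or made explicit by appending the absolute path of ../apps/openssl, built from the same pwd output, instead of the bare name. The value is also a single string that CA.sh presumably expands unquoted, so a build directory containing whitespace would be split into the wrong words; a one-line comment stating that assumption would help.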
diff --git a/test/testenc b/test/testenc
index 70505f022..4571ea287 100644
--- a/test/testenc
+++ b/test/testenc
@@ -2,13 +2,13 @@
testsrc=Makefile
test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
cat $testsrc >$test;
echo cat
-$cmd enc < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
+$cmd enc -non-fips-allow < $test > $test.cipher
+$cmd enc -non-fips-allow < $test.cipher >$test.clear
cmp $test $test.clear
if [ $? != 0 ]
then
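Review bot: `-non-fips-allow` is now passed to every `enc` and cipher invocation in this script (here and in the hunks at -17, -30 and -41) with no comment saying why. If the flag does what its name suggests, a FIPS build no longer learns from testenc whether `enc` refuses non-approved ciphers by default. I would add a comment above `cmd=`, for example `# -non-fips-allow: this round-trip test covers every cipher command, including ones a FIPS build refuses by default`. A separate negative check that a non-approved cipher fails without the flag would keep that coverage.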
@@ -17,8 +17,8 @@ else
/bin/rm $test.cipher $test.clear
fi
echo base64
-$cmd enc -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
+$cmd enc -non-fips-allow -a -e < $test > $test.cipher
+$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
cmp $test $test.clear
if [ $? != 0 ]
then
@@ -30,8 +30,8 @@ fi
for i in `$cmd list-cipher-commands`
do
echo $i
- $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
- $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+ $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
+ $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
cmp $test $test.$i.clear
if [ $? != 0 ]
then
@@ -41,8 +41,8 @@ do
fi
echo $i base64
- $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
- $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+ $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+ $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
cmp $test $test.$i.clear
if [ $? != 0 ]
then
diff --git a/test/testfipsssl b/test/testfipsssl
index da5e5987a..c4836edc2 100644
--- a/test/testfipsssl
+++ b/test/testfipsssl
@@ -13,9 +13,9 @@ fi
ciphers="DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA"
-ssltest="./ssltest -F -key $key -cert $cert -c_key $key -c_cert $cert -cipher $ciphers"
+ssltest="../util/shlib_wrap.sh ./ssltest -F -key $key -cert $cert -c_key $key -c_cert $cert -cipher $ciphers"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
else
dsa_cert=NO
@@ -89,24 +89,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
#############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping anonymous DH tests
else
echo test tls1 with 1024bit anonymous DH, multiple handshakes
$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping RSA tests
else
echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
- if ../apps/openssl no-dh; then
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi
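Review bot: The two rewritten direct invocations in the RSA branch call `../util/shlib_wrap.sh ./ssltest -v -bio_pair ...` without the `-F` that the `$ssltest` variable carries in the first hunk of this file. If `-F` is what puts ssltest into FIPS mode, these two cases in testfipsssl do not run in that mode. The omission predates this commit, but the lines are being touched anyway, so either add the flag (`../util/shlib_wrap.sh ./ssltest -F -v -bio_pair -tls1 -cert ../apps/server2.pem ...`) or add a comment saying that the non-FIPS run is deliberate.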
diff --git a/test/testgen b/test/testgen
index 3798543e0..524c0d134 100644
--- a/test/testgen
+++ b/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
req_new='-newkey dsa:../apps/dsa512.pem'
else
req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
rm -f testkey.pem testreq.pem
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
if [ $? != 0 ]; then
echo problems creating request
exit 1
fi
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
if [ $? != 0 ]; then
echo signature on req is wrong
exit 1
diff --git a/test/testss b/test/testss
index e71510bef..1a426857d 100644
--- a/test/testss
+++ b/test/testss
@@ -1,9 +1,9 @@
#!/bin/sh
-digest='-md5'
-reqcmd="../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+digest='-sha1'
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
dummycnf="../apps/openssl.cnf"
CAkey="keyCA.ss"
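Review bot: The change of `digest` from `-md5` to `-sha1` is a behavioural change to what the self-signed test certifies, and nothing in the script explains it. A one-line comment above the assignment would record the reason, for example `# sha1, not md5: md5 signatures are presumably rejected in a FIPS build` (to be confirmed by the author). The three command variables now repeat the `../util/shlib_wrap.sh ../apps/openssl` prefix; a single `openssl=` variable reused in each would keep them from drifting apart.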
@@ -34,7 +34,7 @@ echo "make a certificate request using 'req'"
echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
req_new='-newkey dsa:../apps/dsa512.pem'
else
req_new='-new'
diff --git a/test/testssl b/test/testssl
index ca8e71802..8ac90ae5e 100644
--- a/test/testssl
+++ b/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
else
cert="$2"
fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
else
dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
#############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping anonymous DH tests
else
echo test tls1 with 1024bit anonymous DH, multiple handshakes
$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping RSA tests
else
echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
- if ../apps/openssl no-dh; then
+ if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
- ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+ ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi
diff --git a/test/tpkcs7 b/test/tpkcs7
index cf3bd9fad..79bb6e0ed 100644
--- a/test/tpkcs7
+++ b/test/tpkcs7
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/tpkcs7d b/test/tpkcs7d
index 18f9311b0..20394b34c 100644
--- a/test/tpkcs7d
+++ b/test/tpkcs7d
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/treq b/test/treq
index 47a8273cd..7e020210a 100644
--- a/test/treq
+++ b/test/treq
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/trsa b/test/trsa
index 413e2ec0a..67b4a9884 100644
--- a/test/trsa
+++ b/test/trsa
@@ -7,12 +7,12 @@ else
fi
export PATH
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping rsa conversion test
exit 0
fi
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/tsid b/test/tsid
index 40a1dfa97..fb4a7213b 100644
--- a/test/tsid
+++ b/test/tsid
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/test/tx509 b/test/tx509
index d380963ab..1b9c8661f 100644
--- a/test/tx509
+++ b/test/tx509
@@ -7,7 +7,7 @@ else
fi
export PATH
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
if [ "$1"x != "x" ]; then
t=$1
diff --git a/util/libeay.num b/util/libeay.num
index 3fbe98671..56fb7446e 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -2845,15 +2845,15 @@ X509_check_ca 3286 EXIST::FUNCTION:
private_idea_set_encrypt_key 3287 EXIST:OPENSSL_FIPS:FUNCTION:IDEA
HMAC_CTX_set_flags 3288 EXIST::FUNCTION:HMAC
private_SHA_Init 3289 EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
-private_CAST_set_key 3290 EXIST::FUNCTION:CAST
+private_CAST_set_key 3290 EXIST:OPENSSL_FIPS:FUNCTION:CAST
private_RIPEMD160_Init 3291 EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
-private_RC5_32_set_key 3292 EXIST::FUNCTION:RC5
+private_RC5_32_set_key 3292 EXIST:OPENSSL_FIPS:FUNCTION:RC5
private_MD5_Init 3293 EXIST:OPENSSL_FIPS:FUNCTION:MD5
private_RC4_set_key 3294 EXIST:OPENSSL_FIPS:FUNCTION:RC4
private_MDC2_Init 3295 EXIST:OPENSSL_FIPS:FUNCTION:MDC2
-private_RC2_set_key 3296 EXIST::FUNCTION:RC2
+private_RC2_set_key 3296 EXIST:OPENSSL_FIPS:FUNCTION:RC2
private_MD4_Init 3297 EXIST:OPENSSL_FIPS:FUNCTION:MD4
-private_BF_set_key 3298 EXIST::FUNCTION:BF
+private_BF_set_key 3298 EXIST:OPENSSL_FIPS:FUNCTION:BF
private_MD2_Init 3299 EXIST:OPENSSL_FIPS:FUNCTION:MD2
d2i_PROXY_CERT_INFO_EXTENSION 3300 EXIST::FUNCTION:
PROXY_POLICY_it 3301 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 443d74d44..9918c3d54 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -472,7 +472,7 @@ sub do_defs
push(@tag,$1);
$tag{$1}=-1;
}
- } elsif (/^\#\s*ifdef\s+(.*)/) {
+ } elsif (/^\#\s*ifdef\s+(\S*)/) {
push(@tag,"-");
push(@tag,$1);
$tag{$1}=1;
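Review bot: `(\S*)` in the new `#ifdef` pattern still matches the empty string, so a line consisting of `#ifdef` followed only by whitespace pushes an empty tag and sets `$tag{""}=1`. Requiring at least one character avoids that: `} elsif (/^\#\s*ifdef\s+(\S+)/) {`. A short comment that the capture stops at the first whitespace, so that trailing text after the macro name is not taken as part of the tag, would explain why `.*` was narrowed. The enclosing `do_defs` and the sibling branch above start outside the hunk, so I could not check whether the other patterns need the same change.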
diff --git a/util/opensslwrap.sh b/util/opensslwrap.sh
new file mode 100755
index 000000000..91d29e2b8
--- /dev/null
+++ b/util/opensslwrap.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+HERE="`echo $0 | sed -e 's|[^/]*$||'`"
+OPENSSL="${HERE}../apps/openssl"
+
+if [ -x "${OPENSSL}.exe" ]; then
+ # The original reason for this script existence is to work around
+ # certain caveats in run-time linker behaviour. On Windows platforms
+ # adjusting $PATH used to be sufficient, but with introduction of
+ # SafeDllSearchMode in XP/2003 the only way to get it right in
+ # *all* possible situations is to copy newly built .DLLs to apps/
+ # and test/, which is now done elsewhere... The $PATH is adjusted
+ # for backward compatibility (and nostagical reasons:-).
+ if [ "$OSTYPE" != msdosdjgpp ]; then
+ PATH="${HERE}..:$PATH"; export PATH
+ fi
+ exec "${OPENSSL}.exe" "$@"
+elif [ -x "${OPENSSL}" -a -x "${HERE}shlib_wrap.sh" ]; then
+ exec "${HERE}shlib_wrap.sh" "${OPENSSL}" "$@"
+else
+ exec "${OPENSSL}" "$@" # hope for the best...
+fi
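Review bot: `HERE` is derived from an unquoted `$0` and is relative whenever `$0` is, and empty when `$0` contains no slash. In the `.exe` branch `PATH="${HERE}..:$PATH"` can therefore put a relative entry such as `..` at the front of PATH, which then resolves against whatever directory the caller is in. An unquoted `$0` also breaks on install paths containing whitespace. Resolving the directory once to an absolute path fixes both, for example `HERE="$(cd "$(dirname "$0")" && pwd)/"`, or the backtick equivalent if `$( )` is not available in the target shells. The final `else` branch execs `${OPENSSL}` even though the preceding `-x` test failed; a diagnostic on stderr there would make a missing build easier to spot than the bare exec failure.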
diff --git a/util/shlib_wrap.sh b/util/shlib_wrap.sh
new file mode 100755
index 000000000..dc5f5b1ce
--- /dev/null
+++ b/util/shlib_wrap.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+[ $# -ne 0 ] || set -x # debug mode without arguments:-)
+
+THERE="`echo $0 | sed -e 's|[^/]*$||' 2>/dev/null`.."
+[ -d "${THERE}" ] || exec "$@" # should never happen...
+
+# Alternative to this is to parse ${THERE}/Makefile...
+LIBCRYPTOSO="${THERE}/libcrypto.so"
+if [ -f "$LIBCRYPTOSO" ]; then
+ while [ -h "$LIBCRYPTOSO" ]; do
+ LIBCRYPTOSO="${THERE}/`ls -l "$LIBCRYPTOSO" | sed -e 's|.*\-> ||'`"
+ done
+ SOSUFFIX=`echo ${LIBCRYPTOSO} | sed -e 's|.*\.so||' 2>/dev/null`
+ LIBSSLSO="${THERE}/libssl.so${SOSUFFIX}"
+fi
+
+SYSNAME=`(uname -s) 2>/dev/null`;
+case "$SYSNAME" in
+SunOS|IRIX*)
+ # SunOS and IRIX run-time linkers evaluate alternative
+ # variables depending on target ABI...
+ rld_var=LD_LIBRARY_PATH
+ case "`(/usr/bin/file "$LIBCRYPTOSO") 2>/dev/null`" in
+ *ELF\ 64*SPARC*)
+ [ -n "$LD_LIBRARY_PATH_64" ] && rld_var=LD_LIBRARY_PATH_64
+ ;;
+ *ELF\ N32*MIPS*)
+ [ -n "$LD_LIBRARYN32_PATH" ] && rld_var=LD_LIBRARYN32_PATH
+ _RLDN32_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT"; export _RLDN32_LIST
+ ;;
+ *ELF\ 64*MIPS*)
+ [ -n "$LD_LIBRARY64_PATH" ] && rld_var=LD_LIBRARY64_PATH
+ _RLD64_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT"; export _RLD64_LIST
+ ;;
+ esac
+ eval $rld_var=\"${THERE}:'$'$rld_var\"; export $rld_var
+ unset rld_var
+ ;;
+*) LD_LIBRARY_PATH="${THERE}:$LD_LIBRARY_PATH" # Linux, ELF HP-UX
+ DYLD_LIBRARY_PATH="${THERE}:$DYLD_LIBRARY_PATH" # MacOS X
+ SHLIB_PATH="${THERE}:$SHLIB_PATH" # legacy HP-UX
+ LIBPATH="${THERE}:$LIBPATH" # AIX, OS/2
+ export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH
+ # Even though $PATH is adjusted [for Windows sake], it doesn't
+ # necessarily does the trick. Trouble is that with introduction
+ # of SafeDllSearchMode in XP/2003 it's more appropriate to copy
+ # .DLLs in vicinity of executable, which is done elsewhere...
+ if [ "$OSTYPE" != msdosdjgpp ]; then
+ PATH="${THERE}:$PATH"; export PATH
+ fi
+ ;;
+esac
+
+if [ -f "$LIBCRYPTOSO" ]; then
+ # Following three lines are major excuse for isolating them into
+ # this wrapper script. Original reason for setting LD_PRELOAD
+ # was to make it possible to pass 'make test' when user linked
+ # with -rpath pointing to previous version installation. Wrapping
+ # it into a script makes it possible to do so on multi-ABI
+ # platforms.
+ case "$SYSNAME" in
+ *BSD) LD_PRELOAD="$LIBCRYPTOSO:$LIBSSLSO" ;; # *BSD
+ *) LD_PRELOAD="$LIBCRYPTOSO $LIBSSLSO" ;; # SunOS, Linux, ELF HP-UX
+ esac
+ _RLD_LIST="$LIBCRYPTOSO:$LIBSSLSO:DEFAULT" # Tru64, o32 IRIX
+ export LD_PRELOAD _RLD_LIST
+fi
+
+exec "$@"
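Review bot: In the default `*)` branch each loader variable is built as `"${THERE}:$VAR"`, so when the variable was unset or empty the result ends in a colon. glibc's loader, for one, treats an empty LD_LIBRARY_PATH element as the current directory, so libraries could be picked up from wherever the caller happens to be; opensslwrap.sh execs this wrapper from arbitrary working directories, not only from test/. Appending the old value only when it is non-empty avoids that, as in the fence below. The `eval $rld_var=...` line in the SunOS/IRIX branch has the same shape and also expands `${THERE}`, taken from an unquoted `$0`, inside `eval`, so it needs the same guard plus quoting. The space-separated `LD_PRELOAD` value breaks if the build path contains whitespace, which deserves a comment.

```shell
*)	LD_LIBRARY_PATH="${THERE}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"	# Linux, ELF HP-UX
	DYLD_LIBRARY_PATH="${THERE}${DYLD_LIBRARY_PATH:+:$DYLD_LIBRARY_PATH}"	# MacOS X
	SHLIB_PATH="${THERE}${SHLIB_PATH:+:$SHLIB_PATH}"	# legacy HP-UX
	LIBPATH="${THERE}${LIBPATH:+:$LIBPATH}"	# AIX, OS/2
	# … unchanged: export of the four variables and the $PATH adjustment …
```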