From 9f0928c6593f937a17b7974b04051c57e3874b20 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Thu, 12 Feb 2015 22:22:25 +0100 Subject: Update OpenSSL to AOSP -master --- main/openssl/apps/ca.c | 2 +- main/openssl/apps/dgst.c | 2 + main/openssl/apps/ocsp.c | 98 ++++++++++++++++++++------------------------ main/openssl/apps/openssl.c | 5 ++- main/openssl/apps/s_client.c | 22 ++++++++-- main/openssl/apps/s_server.c | 22 ++++++++-- main/openssl/apps/s_time.c | 6 --- main/openssl/apps/speed.c | 23 +---------- 8 files changed, 89 insertions(+), 91 deletions(-) (limited to 'main/openssl/apps') diff --git a/main/openssl/apps/ca.c b/main/openssl/apps/ca.c index 9c25026a..613f5bee 100644 --- a/main/openssl/apps/ca.c +++ b/main/openssl/apps/ca.c @@ -703,7 +703,7 @@ bad: ERR_clear_error(); #ifdef RL_DEBUG if (!p) - BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n"); #endif #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", diff --git a/main/openssl/apps/dgst.c b/main/openssl/apps/dgst.c index f4aec779..e31a6b18 100644 --- a/main/openssl/apps/dgst.c +++ b/main/openssl/apps/dgst.c @@ -273,6 +273,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-d to output debug info\n"); BIO_printf(bio_err,"-hex output as hex dump\n"); BIO_printf(bio_err,"-binary output in binary form\n"); + BIO_printf(bio_err,"-hmac arg set the HMAC key to arg\n"); + BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n"); BIO_printf(bio_err,"-sign file sign digest using private key in file\n"); BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); diff --git a/main/openssl/apps/ocsp.c b/main/openssl/apps/ocsp.c index 04263ffd..8883afc9 100644 --- a/main/openssl/apps/ocsp.c +++ b/main/openssl/apps/ocsp.c @@ -583,51 +583,52 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "OCSP utility\n"); BIO_printf (bio_err, "Usage ocsp [options]\n"); BIO_printf (bio_err, "where options are\n"); - BIO_printf (bio_err, "-out file output filename\n"); - BIO_printf (bio_err, "-issuer file issuer certificate\n"); - BIO_printf (bio_err, "-cert file certificate to check\n"); - BIO_printf (bio_err, "-serial n serial number to check\n"); - BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); - BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); - BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); - BIO_printf (bio_err, "-req_text print text form of request\n"); - BIO_printf (bio_err, "-resp_text print text form of response\n"); - BIO_printf (bio_err, "-text print text form of request and response\n"); - BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); - BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); - BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); - BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); - BIO_printf (bio_err, "-nonce add OCSP nonce to request\n"); - BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n"); - BIO_printf (bio_err, "-url URL OCSP responder URL\n"); - BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n"); - BIO_printf (bio_err, "-path path to use in OCSP request\n"); - BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); - BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf (bio_err, "-VAfile file validator certificates file\n"); - BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); - BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); - BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); - BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); - BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); + BIO_printf (bio_err, "-out file output filename\n"); + BIO_printf (bio_err, "-issuer file issuer certificate\n"); + BIO_printf (bio_err, "-cert file certificate to check\n"); + BIO_printf (bio_err, "-serial n serial number to check\n"); + BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); + BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); + BIO_printf (bio_err, "-req_text print text form of request\n"); + BIO_printf (bio_err, "-resp_text print text form of response\n"); + BIO_printf (bio_err, "-text print text form of request and response\n"); + BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); + BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); + BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); + BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); + BIO_printf (bio_err, "-nonce add OCSP nonce to request\n"); + BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n"); + BIO_printf (bio_err, "-url URL OCSP responder URL\n"); + BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n"); + BIO_printf (bio_err, "-path path to use in OCSP request\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-VAfile file validator certificates file\n"); + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); + BIO_printf (bio_err, "-noverify don't verify response at all\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); + BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); - BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); - BIO_printf (bio_err, "-no_chain don't chain verify response\n"); - BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); - BIO_printf (bio_err, "-port num port to run responder on\n"); - BIO_printf (bio_err, "-index file certificate status index file\n"); - BIO_printf (bio_err, "-CA file CA certificate\n"); - BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n"); - BIO_printf (bio_err, "-rkey file responder key to sign responses with\n"); - BIO_printf (bio_err, "-rother file other certificates to include in response\n"); - BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n"); - BIO_printf (bio_err, "-nmin n number of minutes before next update\n"); - BIO_printf (bio_err, "-ndays n number of days before next update\n"); - BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); - BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf (bio_err, "- use specified digest in the request\n"); + BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); + BIO_printf (bio_err, "-no_chain don't chain verify response\n"); + BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); + BIO_printf (bio_err, "-port num port to run responder on\n"); + BIO_printf (bio_err, "-index file certificate status index file\n"); + BIO_printf (bio_err, "-CA file CA certificate\n"); + BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n"); + BIO_printf (bio_err, "-rkey file responder key to sign responses with\n"); + BIO_printf (bio_err, "-rother file other certificates to include in response\n"); + BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n"); + BIO_printf (bio_err, "-nmin n number of minutes before next update\n"); + BIO_printf (bio_err, "-ndays n number of days before next update\n"); + BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); + BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); + BIO_printf (bio_err, "- use specified digest in the request\n"); + BIO_printf (bio_err, "-timeout n timeout connection to OCSP responder after n seconds\n"); goto end; } @@ -1398,16 +1399,7 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, if (use_ssl == 1) { BIO *sbio; -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv23_client_method()); -#elif !defined(OPENSSL_NO_SSL3) - ctx = SSL_CTX_new(SSLv3_client_method()); -#elif !defined(OPENSSL_NO_SSL2) - ctx = SSL_CTX_new(SSLv2_client_method()); -#else - BIO_printf(err, "SSL is disabled\n"); - goto end; -#endif if (ctx == NULL) { BIO_printf(err, "Error creating SSL context.\n"); diff --git a/main/openssl/apps/openssl.c b/main/openssl/apps/openssl.c index a9fa1e3f..bca79a23 100644 --- a/main/openssl/apps/openssl.c +++ b/main/openssl/apps/openssl.c @@ -437,9 +437,7 @@ end: if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); - apps_shutdown(); - CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) { BIO_free(bio_err); @@ -452,6 +450,9 @@ end: OPENSSL_free(Argv); } #endif + apps_shutdown(); + CRYPTO_mem_leaks(bio_err); + OPENSSL_EXIT(ret); } diff --git a/main/openssl/apps/s_client.c b/main/openssl/apps/s_client.c index dfe2de1f..afa4c2b9 100644 --- a/main/openssl/apps/s_client.c +++ b/main/openssl/apps/s_client.c @@ -329,10 +329,12 @@ static void sc_usage(void) BIO_printf(bio_err," -srppass arg - password for 'user'\n"); BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); - BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); + BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N); #endif BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); @@ -813,7 +815,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) meth=SSLv3_client_method(); #endif @@ -1359,10 +1361,22 @@ re_start: BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) + if (socket_mtu) { + if(socket_mtu < DTLS_get_link_min_mtu(con)) + { + BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + BIO_free(sbio); + goto shut; + } SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + if(!DTLS_set_link_mtu(con, socket_mtu)) + { + BIO_printf(bio_err, "Failed to set MTU\n"); + BIO_free(sbio); + goto shut; + } } else /* want to do MTU discovery */ diff --git a/main/openssl/apps/s_server.c b/main/openssl/apps/s_server.c index fe7ad882..f47328ab 100644 --- a/main/openssl/apps/s_server.c +++ b/main/openssl/apps/s_server.c @@ -515,7 +515,9 @@ static void sv_usage(void) BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); @@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-ssl2") == 0) { meth=SSLv2_server_method(); } #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) { meth=SSLv3_server_method(); } #endif @@ -2049,10 +2051,24 @@ static int sv_body(char *hostname, int s, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) + if (socket_mtu) { + if(socket_mtu < DTLS_get_link_min_mtu(con)) + { + BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + ret = -1; + BIO_free(sbio); + goto err; + } SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + if(!DTLS_set_link_mtu(con, socket_mtu)) + { + BIO_printf(bio_err, "Failed to set MTU\n"); + ret = -1; + BIO_free(sbio); + goto err; + } } else /* want to do MTU discovery */ diff --git a/main/openssl/apps/s_time.c b/main/openssl/apps/s_time.c index b823c33c..81dad532 100644 --- a/main/openssl/apps/s_time.c +++ b/main/openssl/apps/s_time.c @@ -349,13 +349,7 @@ int MAIN(int argc, char **argv) if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) s_time_meth=SSLv23_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - s_time_meth=SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - s_time_meth=SSLv2_client_method(); -#endif /* parse the command line arguments */ if( parseArgs( argc, argv ) < 0 ) diff --git a/main/openssl/apps/speed.c b/main/openssl/apps/speed.c index 9c251ebe..2e613968 100644 --- a/main/openssl/apps/speed.c +++ b/main/openssl/apps/speed.c @@ -225,7 +225,7 @@ #undef BUFSIZE #define BUFSIZE ((long)1024*8+1) -int run=0; +static volatile int run=0; static int mr=0; static int usertime=1; @@ -2729,27 +2729,6 @@ static int do_multi(int multi) k=atoi(sstrsep(&p,sep)); sstrsep(&p,sep); - d=atof(sstrsep(&p,sep)); - if(n) - rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d); - else - rsa_results[k][0]=d; - - d=atof(sstrsep(&p,sep)); - if(n) - rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d); - else - rsa_results[k][1]=d; - } - else if(!strncmp(buf,"+F2:",4)) - { - int k; - double d; - - p=buf+4; - k=atoi(sstrsep(&p,sep)); - sstrsep(&p,sep); - d=atof(sstrsep(&p,sep)); if(n) rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d); -- cgit v1.2.3