debmon
/
openssl1.0
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 1.0.2s

This commit is contained in:
Mario Fetka 2019-08-09 10:00:55 +02:00
commit 33f8b6874c
2289 changed files with 737190 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ACKNOWLEDGMENTS Normal file
View File

@ -0,0 +1,2 @@
Please https://www.openssl.org/community/thanks.html for the current
acknowledgements.

11683
CHANGES Normal file
View File

File diff suppressed because it is too large Load Diff

968
CHANGES.SSLeay Normal file
View File

@ -0,0 +1,968 @@
This file contains the changes for the SSLeay library up to version
0.9.0b. For later changes, see the file "CHANGES".
SSLeay CHANGES
______________
Changes between 0.8.x and 0.9.0b
10-Apr-1998
I said the next version would go out at easter, and so it shall.
I expect a 0.9.1 will follow with portability fixes in the next few weeks.
This is a quick, meet the deadline. Look to ssl-users for comments on what
is new etc.
eric (about to go bushwalking for the 4 day easter break :-)
16-Mar-98
- Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
- Lots and lots of changes
29-Jan-98
- ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
Goetz Babin-Ebell <babinebell@trustcenter.de>.
- SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
TLS1_VERSION.
7-Jan-98
- Finally reworked the cipher string to ciphers again, so it
works correctly
- All the app_data stuff is now ex_data with funcion calls to access.
The index is supplied by a function and 'methods' can be setup
for the types that are called on XXX_new/XXX_free. This lets
applications get notified on creation and destruction. Some of
the RSA methods could be implemented this way and I may do so.
- Oh yes, SSL under perl5 is working at the basic level.
15-Dec-97
- Warning - the gethostbyname cache is not fully thread safe,
but it should work well enough.
- Major internal reworking of the app_data stuff. More functions
but if you were accessing ->app_data directly, things will
stop working.
- The perlv5 stuff is working. Currently on message digests,
ciphers and the bignum library.
9-Dec-97
- Modified re-negotiation so that server initated re-neg
will cause a SSL_read() to return -1 should retry.
The danger otherwise was that the server and the
client could end up both trying to read when using non-blocking
sockets.
4-Dec-97
- Lots of small changes
- Fix for binaray mode in Windows for the FILE BIO, thanks to
Bob Denny <rdenny@dc3.com>
17-Nov-97
- Quite a few internal cleanups, (removal of errno, and using macros
defined in e_os.h).
- A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
the automactic naming out output files was being stuffed up.
29-Oct-97
- The Cast5 cipher has been added. MD5 and SHA-1 are now in assember
for x86.
21-Oct-97
- Fixed a bug in the BIO_gethostbyname() cache.
15-Oct-97
- cbc mode for blowfish/des/3des is now in assember. Blowfish asm
has also been improved. At this point in time, on the pentium,
md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
is %62 faster.
12-Oct-97
- MEM_BUF_grow() has been fixed so that it always sets the buf->length
to the value we are 'growing' to. Think of MEM_BUF_grow() as the
way to set the length value correctly.
10-Oct-97
- I now hash for certificate lookup on the raw DER encoded RDN (md5).
This breaks things again :-(. This is efficent since I cache
the DER encoding of the RDN.
- The text DN now puts in the numeric OID instead of UNKNOWN.
- req can now process arbitary OIDs in the config file.
- I've been implementing md5 in x86 asm, much faster :-).
- Started sha1 in x86 asm, needs more work.
- Quite a few speedups in the BN stuff. RSA public operation
has been made faster by caching the BN_MONT_CTX structure.
The calulating of the Ai where A*Ai === 1 mod m was rather
expensive. Basically a 40-50% speedup on public operations.
The RSA speedup is now 15% on pentiums and %20 on pentium
pro.
30-Sep-97
- After doing some profiling, I added x86 adm for bn_add_words(),
which just adds 2 arrays of longs together. A %10 speedup
for 512 and 1024 bit RSA on the pentium pro.
29-Sep-97
- Converted the x86 bignum assembler to us the perl scripts
for generation.
23-Sep-97
- If SSL_set_session() is passed a NULL session, it now clears the
current session-id.
22-Sep-97
- Added a '-ss_cert file' to apps/ca.c. This will sign selfsigned
certificates.
- Bug in crypto/evp/encode.c where by decoding of 65 base64
encoded lines, one line at a time (via a memory BIO) would report
EOF after the first line was decoded.
- Fix in X509_find_by_issuer_and_serial() from
Dr Stephen Henson <shenson@bigfoot.com>
19-Sep-97
- NO_FP_API and NO_STDIO added.
- Put in sh config command. It auto runs Configure with the correct
parameters.
18-Sep-97
- Fix x509.c so if a DSA cert has different parameters to its parent,
they are left in place. Not tested yet.
16-Sep-97
- ssl_create_cipher_list() had some bugs, fixes from
Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
- Fixed a bug in the Base64 BIO, where it would return 1 instead
of -1 when end of input was encountered but should retry.
Basically a Base64/Memory BIO interaction problem.
- Added a HMAC set of functions in preporarion for TLS work.
15-Sep-97
- Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
- Prime generation spead up %25 (512 bit prime, pentium pro linux)
by using montgomery multiplication in the prime number test.
11-Sep-97
- Ugly bug in ssl3_write_bytes(). Basically if application land
does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
did not check the size and tried to copy the entire buffer.
This would tend to cause memory overwrites since SSLv3 has
a maximum packet size of 16k. If your program uses
buffers <= 16k, you would probably never see this problem.
- Fixed a few errors that were cause by malloc() not returning
0 initialised memory..
- SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
since this flags stops SSLeay being able to handle client
cert requests correctly.
08-Sep-97
- SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched
on, the SSL server routines will not use a SSL_SESSION that is
held in it's cache. This in intended to be used with the session-id
callbacks so that while the session-ids are still stored in the
cache, the decision to use them and how to look them up can be
done by the callbacks. The are the 'new', 'get' and 'remove'
callbacks. This can be used to determine the session-id
to use depending on information like which port/host the connection
is coming from. Since the are also SSL_SESSION_set_app_data() and
SSL_SESSION_get_app_data() functions, the application can hold
information against the session-id as well.
03-Sep-97
- Added lookup of CRLs to the by_dir method,
X509_load_crl_file() also added. Basically it means you can
lookup CRLs via the same system used to lookup certificates.
- Changed things so that the X509_NAME structure can contain
ASN.1 BIT_STRINGS which is required for the unique
identifier OID.
- Fixed some problems with the auto flushing of the session-id
cache. It was not occuring on the server side.
02-Sep-97
- Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
which is the maximum number of entries allowed in the
session-id cache. This is enforced with a simple FIFO list.
The default size is 20*1024 entries which is rather large :-).
The Timeout code is still always operating.
01-Sep-97
- Added an argument to all the 'generate private key/prime`
callbacks. It is the last parameter so this should not
break existing code but it is needed for C++.
- Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
BIO. This lets the BIO read and write base64 encoded data
without inserting or looking for '\n' characters. The '-A'
flag turns this on when using apps/enc.c.
- RSA_NO_PADDING added to help BSAFE functionality. This is a
very dangerous thing to use, since RSA private key
operations without random padding bytes (as PKCS#1 adds) can
be attacked such that the private key can be revealed.
- ASN.1 bug and rc2-40-cbc and rc4-40 added by
Dr Stephen Henson <shenson@bigfoot.com>
31-Aug-97 (stuff added while I was away)
- Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
- RSA_flags() added allowing bypass of pub/priv match check
in ssl/ssl_rsa.c - Tim Hudson.
- A few minor bugs.
SSLeay 0.8.1 released.
19-Jul-97
- Server side initated dynamic renegotiation is broken. I will fix
it when I get back from holidays.
15-Jul-97
- Quite a few small changes.
- INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
09-Jul-97
- Added 2 new values to the SSL info callback.
SSL_CB_START which is passed when the SSL protocol is started
and SSL_CB_DONE when it has finished sucsessfully.
08-Jul-97
- Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
that related to DSA public/private keys.
- Added all the relevent PEM and normal IO functions to support
reading and writing RSAPublic keys.
- Changed makefiles to use ${AR} instead of 'ar r'
07-Jul-97
- Error in ERR_remove_state() that would leave a dangling reference
to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
- s_client now prints the X509_NAMEs passed from the server
when requesting a client cert.
- Added a ssl->type, which is one of SSL_ST_CONNECT or
SSL_ST_ACCEPT. I had to add it so I could tell if I was
a connect or an accept after the handshake had finished.
- SSL_get_client_CA_list(SSL *s) now returns the CA names
passed by the server if called by a client side SSL.
05-Jul-97
- Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com).
04-Jul-97
- Fixed some things in X509_NAME_add_entry(), thanks to
Matthew Donald <matthew@world.net>.
- I had a look at the cipher section and though that it was a
bit confused, so I've changed it.
- I was not setting up the RC4-64-MD5 cipher correctly. It is
a MS special that appears in exported MS Money.
- Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3
spec. I was missing the two byte length header for the
ClientDiffieHellmanPublic value. This is a packet sent from
the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
option will enable SSLeay server side SSLv3 accept either
the correct or my 080 packet format.
- Fixed a few typos in crypto/pem.org.
02-Jul-97
- Alias mapping for EVP_get_(digest|cipher)byname is now
performed before a lookup for actual cipher. This means
that an alias can be used to 're-direct' a cipher or a
digest.
- ASN1_read_bio() had a bug that only showed up when using a
memory BIO. When EOF is reached in the memory BIO, it is
reported as a -1 with BIO_should_retry() set to true.
01-Jul-97
- Fixed an error in X509_verify_cert() caused by my
miss-understanding how 'do { contine } while(0);' works.
Thanks to Emil Sit <sit@mit.edu> for educating me :-)
30-Jun-97
- Base64 decoding error. If the last data line did not end with
a '=', sometimes extra data would be returned.
- Another 'cut and paste' bug in x509.c related to setting up the
STDout BIO.
27-Jun-97
- apps/ciphers.c was not printing due to an editing error.
- Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
a library build error in util/mk1mf.pl
26-Jun-97
- Still did not have the auto 'experimental' code removal
script correct.
- A few header tweaks for Watcom 11.0 under Win32 from
Rolf Lindemann <Lindemann@maz-hh.de>
- 0 length OCTET_STRING bug in asn1_parse
- A minor fix with an non-existent function in the MS .def files.
- A few changes to the PKCS7 stuff.
25-Jun-97
SSLeay 0.8.0 finally it gets released.
24-Jun-97
Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
use a temporary RSA key. This is experimental and needs some more work.
Fixed a few Win16 build problems.
23-Jun-97
SSLv3 bug. I was not doing the 'lookup' of the CERT structure
correctly. I was taking the SSL->ctx->default_cert when I should
have been using SSL->cert. The bug was in ssl/s3_srvr.c
20-Jun-97
X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
rest of the library. Even though I had the code required to do
it correctly, apps/req.c was doing the wrong thing. I have fixed
and tested everything.
Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
19-Jun-97
Fixed a bug in the SSLv2 server side first packet handling. When
using the non-blocking test BIO, the ssl->s2->first_packet flag
was being reset when a would-block failure occurred when reading
the first 5 bytes of the first packet. This caused the checking
logic to run at the wrong time and cause an error.
Fixed a problem with specifying cipher. If RC4-MD5 were used,
only the SSLv3 version would be picked up. Now this will pick
up both SSLv2 and SSLv3 versions. This required changing the
SSL_CIPHER->mask values so that they only mask the ciphers,
digests, authentication, export type and key-exchange algorithms.
I found that when a SSLv23 session is established, a reused
session, of type SSLv3 was attempting to write the SSLv2
ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char
method has been modified so it will only write out cipher which
that method knows about.
Changes between 0.8.0 and 0.8.1
*) Mostly bug fixes.
There is an Ephemeral DH cipher problem which is fixed.
SSLeay 0.8.0
This version of SSLeay has quite a lot of things different from the
previous version.
Basically check all callback parameters, I will be producing documentation
about how to use things in th future. Currently I'm just getting 080 out
the door. Please not that there are several ways to do everything, and
most of the applications in the apps directory are hybrids, some using old
methods and some using new methods.
Have a look in demos/bio for some very simple programs and
apps/s_client.c and apps/s_server.c for some more advanced versions.
Notes are definitly needed but they are a week or so away.
Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
---
Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
get those people that want to move to using the new code base off to
a quick start.
Note that Eric has tidied up a lot of the areas of the API that were
less than desirable and renamed quite a few things (as he had to break
the API in lots of places anyrate). There are a whole pile of additional
functions for making dealing with (and creating) certificates a lot
cleaner.
01-Jul-97
Tim Hudson
tjh@cryptsoft.com
---8<---
To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
use something like the following (assuming you #include "crypto.h" which
is something that you really should be doing).
#if SSLEAY_VERSION_NUMBER >= 0x0800
#define SSLEAY8
#endif
buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
too if you are working with BIO internal stuff (as distinct
from simply using the interface in an opaque manner)
#include "bio.h" - required along with "buffer.h" if you write
your own BIO routines as the buffer and bio
stuff that was intermixed has been separated
out
envelope.h -> evp.h (which should have been done ages ago)
Initialisation ... don't forget these or you end up with code that
is missing the bits required to do useful things (like ciphers):
SSLeay_add_ssl_algorithms()
(probably also want SSL_load_error_strings() too but you should have
already had that call in place)
SSL_CTX_new() - requires an extra method parameter
SSL_CTX_new(SSLv23_method())
SSL_CTX_new(SSLv2_method())
SSL_CTX_new(SSLv3_method())
OR to only have the server or the client code
SSL_CTX_new(SSLv23_server_method())
SSL_CTX_new(SSLv2_server_method())
SSL_CTX_new(SSLv3_server_method())
or
SSL_CTX_new(SSLv23_client_method())
SSL_CTX_new(SSLv2_client_method())
SSL_CTX_new(SSLv3_client_method())
SSL_set_default_verify_paths() ... renamed to the more appropriate
SSL_CTX_set_default_verify_paths()
If you want to use client certificates then you have to add in a bit
of extra stuff in that a SSLv3 server sends a list of those CAs that
it will accept certificates from ... so you have to provide a list to
SSLeay otherwise certain browsers will not send client certs.
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
X509_NAME_oneline(X) -> X509_NAME_oneline(X,NULL,0)
or provide a buffer and size to copy the
result into
X509_add_cert -> X509_STORE_add_cert (and you might want to read the
notes on X509_NAME structure changes too)
VERIFICATION CODE
=================
The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
more accurately reflect things.
The verification callback args are now packaged differently so that
extra fields for verification can be added easily in future without
having to break things by adding extra parameters each release :-)
X509_cert_verify_error_string -> X509_verify_cert_error_string
BIO INTERNALS
=============
Eric has fixed things so that extra flags can be introduced in
the BIO layer in future without having to play with all the BIO
modules by adding in some macros.
The ugly stuff using
b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
becomes
BIO_clear_retry_flags(b)
b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
becomes
BIO_set_retry_read(b)
Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
OTHER THINGS
============
X509_NAME has been altered so that it isn't just a STACK ... the STACK
is now in the "entries" field ... and there are a pile of nice functions
for getting at the details in a much cleaner manner.
SSL_CTX has been altered ... "cert" is no longer a direct member of this
structure ... things are now down under "cert_store" (see x509_vfy.h) and
things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
If your code "knows" about this level of detail then it will need some
surgery.
If you depending on the incorrect spelling of a number of the error codes
then you will have to change your code as these have been fixed.
ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
has been all along so this makes things clearer.
ify_cert_error_string(ctx->error));
SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
Changes between 0.7.x and 0.8.0
*) There have been lots of changes, mostly the addition of SSLv3.
There have been many additions from people and amongst
others, C2Net has assisted greatly.
Changes between 0.7.x and 0.7.x
*) Internal development version only
SSLeay 0.6.6 13-Jan-1997
The main additions are
- assember for x86 DES improvments.
From 191,000 per second on a pentium 100, I now get 281,000. The inner
loop and the IP/FP modifications are from
Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>. Many thanks for his
contribution.
- The 'DES macros' introduced in 0.6.5 now have 3 types.
DES_PTR1, DES_PTR2 and 'normal'. As per before, des_opts reports which
is best and there is a summery of mine in crypto/des/options.txt
- A few bug fixes.
- Added blowfish. It is not used by SSL but all the other stuff that
deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
There are 3 options for optimising Blowfish. BF_PTR, BF_PTR2 and 'normal'.
BF_PTR2 is pentium/x86 specific. The correct option is setup in
the 'Configure' script.
- There is now a 'get client certificate' callback which can be
'non-blocking'. If more details are required, let me know. It will
documented more in SSLv3 when I finish it.
- Bug fixes from 0.6.5 including the infamous 'ca' bug. The 'make test'
now tests the ca program.
- Lots of little things modified and tweaked.
SSLeay 0.6.5
After quite some time (3 months), the new release. I have been very busy
for the last few months and so this is mostly bug fixes and improvments.
The main additions are
- assember for x86 DES. For all those gcc based systems, this is a big
improvement. From 117,000 DES operation a second on a pentium 100,
I now get 191,000. I have also reworked the C version so it
now gives 148,000 DESs per second.
- As mentioned above, the inner DES macros now have some more variant that
sometimes help, sometimes hinder performance. There are now 3 options
DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
and DES_RISC (a more register intensive version of the inner macro).
The crypto/des/des_opts.c program, when compiled and run, will give
an indication of the correct options to use.
- The BIO stuff has been improved. Read doc/bio.doc. There are now
modules for encryption and base64 encoding and a BIO_printf() function.
- The CA program will accept simple one line X509v3 extensions in the
ssleay.cnf file. Have a look at the example. Currently this just
puts the text into the certificate as an OCTET_STRING so currently
the more advanced X509v3 data types are not handled but this is enough
for the netscape extensions.
- There is the start of a nicer higher level interface to the X509
strucutre.
- Quite a lot of bug fixes.
- CRYPTO_malloc_init() (or CRYPTO_set_mem_functions()) can be used
to define the malloc(), free() and realloc() routines to use
(look in crypto/crypto.h). This is mostly needed for Windows NT/95 when
using DLLs and mixing CRT libraries.
In general, read the 'VERSION' file for changes and be aware that some of
the new stuff may not have been tested quite enough yet, so don't just plonk
in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
SSLeay 0.6.4 30/08/96 eay
I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
The main changes in this release
- Thread safe. have a read of doc/threads.doc and play in the mt directory.
For anyone using 0.6.3 with threads, I found 2 major errors so consider
moving to 0.6.4. I have a test program that builds under NT and
solaris.
- The get session-id callback has changed. Have a read of doc/callback.doc.
- The X509_cert_verify callback (the SSL_verify callback) now
has another argument. Have a read of doc/callback.doc
- 'ca -preserve', sign without re-ordering the DN. Not tested much.
- VMS support.
- Compile time memory leak detection can now be built into SSLeay.
Read doc/memory.doc
- CONF routines now understand '\', '\n', '\r' etc. What this means is that
the SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
- RC2 key setup is now compatable with Netscape.
- Modifed server side of SSL implementation, big performance difference when
using session-id reuse.
0.6.3
Bug fixes and the addition of some nice stuff to the 'ca' program.
Have a read of doc/ns-ca.doc for how hit has been modified so
it can be driven from a CGI script. The CGI script is not provided,
but that is just being left as an excersize for the reader :-).
0.6.2
This is most bug fixes and functionality improvements.
Additions are
- More thread debugging patches, the thread stuff is still being
tested, but for those keep to play with stuff, have a look in
crypto/cryptlib.c. The application needs to define 1 (or optionaly
a second) callback that is used to implement locking. Compiling
with LOCK_DEBUG spits out lots of locking crud :-).
This is what I'm currently working on.
- SSL_CTX_set_default_passwd_cb() can be used to define the callback
function used in the SSL*_file() functions used to load keys. I was
always of the opinion that people should call
PEM_read_RSAPrivateKey() and pass the callback they want to use, but
it appears they just want to use the SSL_*_file() function() :-(.
- 'enc' now has a -kfile so a key can be read from a file. This is
mostly used so that the passwd does not appear when using 'ps',
which appears imposible to stop under solaris.
- X509v3 certificates now work correctly. I even have more examples
in my tests :-). There is now a X509_EXTENSION type that is used in
X509v3 certificates and CRLv2.
- Fixed that signature type error :-(
- Fixed quite a few potential memory leaks and problems when reusing
X509, CRL and REQ structures.
- EVP_set_pw_prompt() now sets the library wide default password
prompt.
- The 'pkcs7' command will now, given the -print_certs flag, output in
pem format, all certificates and CRL contained within. This is more
of a pre-emtive thing for the new verisign distribution method. I
should also note, that this also gives and example in code, of how
to do this :-), or for that matter, what is involved in going the
other way (list of certs and crl -> pkcs7).
- Added RSA's DESX to the DES library. It is also available via the
EVP_desx_cbc() method and via 'enc desx'.
SSLeay 0.6.1
The main functional changes since 0.6.0 are as follows
- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
that from now on, I'll keep the .def numbers the same so they will be.
- RSA private key operations are about 2 times faster that 0.6.0
- The SSL_CTX now has more fields so default values can be put against
it. When an SSL structure is created, these default values are used
but can be overwritten. There are defaults for cipher, certificate,
private key, verify mode and callback. This means SSL session
creation can now be
ssl=SSL_new()
SSL_set_fd(ssl,sock);
SSL_accept(ssl)
....
All the other uglyness with having to keep a global copy of the
private key and certificate/verify mode in the server is now gone.
- ssl/ssltest.c - one process talking SSL to its self for testing.
- Storage of Session-id's can be controled via a session_cache_mode
flag. There is also now an automatic default flushing of
old session-id's.
- The X509_cert_verify() function now has another parameter, this
should not effect most people but it now means that the reason for
the failure to verify is now available via SSL_get_verify_result(ssl).
You don't have to use a global variable.
- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
application data against the SSL structure. It is upto the application
to free the data. I don't use it, but it is available.
- SSL_CTX_set_cert_verify_callback() can be used to specify a
verify callback function that completly replaces my certificate
verification code. Xcert should be able to use this :-).
The callback is of the form int app_verify_callback(arg,ssl,cert).
This needs to be documented more.
- I have started playing with shared library builds, have a look in
the shlib directory. It is very simple. If you need a numbered
list of functions, have a look at misc/crypto.num and misc/ssl.num.
- There is some stuff to do locking to make the library thread safe.
I have only started this stuff and have not finished. If anyone is
keen to do so, please send me the patches when finished.
So I have finally made most of the additions to the SSL interface that
I thought were needed.
There will probably be a pause before I make any non-bug/documentation
related changes to SSLeay since I'm feeling like a bit of a break.
eric - 12 Jul 1996
I saw recently a comment by some-one that we now seem to be entering
the age of perpetual Beta software.
Pioneered by packages like linux but refined to an art form by
netscape.
I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
There are quite a large number of sections that are 'works in
progress' in this package. I will also list the major changes and
what files you should read.
BIO - this is the new IO structure being used everywhere in SSLeay. I
started out developing this because of microsoft, I wanted a mechanism
to callback to the application for all IO, so Windows 3.1 DLL
perversion could be hidden from me and the 15 different ways to write
to a file under NT would also not be dictated by me at library build
time. What the 'package' is is an API for a data structure containing
functions. IO interfaces can be written to conform to the
specification. This in not intended to hide the underlying data type
from the application, but to hide it from SSLeay :-).
I have only really finished testing the FILE * and socket/fd modules.
There are also 'filter' BIO's. Currently I have only implemented
message digests, and it is in use in the dgst application. This
functionality will allow base64/encrypto/buffering modules to be
'push' into a BIO without it affecting the semantics. I'm also
working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
from an event loop which uses the interface.
It is also possible to 'attach' callbacks to a BIO so they get called
before and after each operation, alowing extensive debug output
to be generated (try running dgst with -d).
Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
functions that used to take FILE *, now take BIO *.
The wrappers are easy to write
function_fp(fp,x)
FILE *fp;
{
BIO *b;
int ret;
if ((b=BIO_new(BIO_s_file())) == NULL) error.....
BIO_set_fp(b,fp,BIO_NOCLOSE);
ret=function_bio(b,x);
BIO_free(b);
return(ret);
}
Remember, there are no functions that take FILE * in SSLeay when
compiled for Windows 3.1 DLL's.
--
I have added a general EVP_PKEY type that can hold a public/private
key. This is now what is used by the EVP_ functions and is passed
around internally. I still have not done the PKCS#8 stuff, but
X509_PKEY is defined and waiting :-)
--
For a full function name listings, have a look at ms/crypt32.def and
ms/ssl32.def. These are auto-generated but are complete.
Things like ASN1_INTEGER_get() have been added and are in here if you
look. I have renamed a few things, again, have a look through the
function list and you will probably find what you are after. I intend
to at least put a one line descrition for each one.....
--
Microsoft - thats what this release is about, read the MICROSOFT file.
--
Multi-threading support. I have started hunting through the code and
flaging where things need to be done. In a state of work but high on
the list.
--
For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
be be you random data device, otherwise 'RFILE' in e_os.h
will be used, in your home directory. It will be updated
periodically. The environment variable RANDFILE will override this
choice and read/write to that file instead. DEVRANDOM is used in
conjunction to the RFILE/RANDFILE. If you wish to 'seed' the random
number generator, pick on one of these files.
--
The list of things to read and do
dgst -d
s_client -state (this uses a callback placed in the SSL state loop and
will be used else-where to help debug/monitor what
is happening.)
doc/why.doc
doc/bio.doc <- hmmm, needs lots of work.
doc/bss_file.doc <- one that is working :-)
doc/session.doc <- it has changed
doc/speed.doc
also play with ssleay version -a. I have now added a SSLeay()
function that returns a version number, eg 0600 for this release
which is primarily to be used to check DLL version against the
application.
util/* Quite a few will not interest people, but some may, like
mk1mf.pl, mkdef.pl,
util/do_ms.sh
try
cc -Iinclude -Icrypto -c crypto/crypto.c
cc -Iinclude -Issl -c ssl/ssl.c
You have just built the SSLeay libraries as 2 object files :-)
Have a general rummage around in the bin stall directory and look at
what is in there, like CA.sh and c_rehash
There are lots more things but it is 12:30am on a Friday night and I'm
heading home :-).
eric 22-Jun-1996
This version has quite a few major bug fixes and improvements. It DOES NOT
do SSLv3 yet.
The main things changed
- A Few days ago I added the s_mult application to ssleay which is
a demo of an SSL server running in an event loop type thing.
It supports non-blocking IO, I have finally gotten it right, SSL_accept()
can operate in non-blocking IO mode, look at the code to see how :-).
Have a read of doc/s_mult as well. This program leaks memory and
file descriptors everywhere but I have not cleaned it up yet.
This is a demo of how to do non-blocking IO.
- The SSL session management has been 'worked over' and there is now
quite an expansive set of functions to manipulate them. Have a read of
doc/session.doc for some-things I quickly whipped up about how it now works.
This assume you know the SSLv2 protocol :-)
- I can now read/write the netscape certificate format, use the
-inform/-outform 'net' options to the x509 command. I have not put support
for this type in the other demo programs, but it would be easy to add.
- asn1parse and 'enc' have been modified so that when reading base64
encoded files (pem format), they do not require '-----BEGIN' header lines.
The 'enc' program had a buffering bug fixed, it can be used as a general
base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
respecivly. Leaving out the '-a' flag in this case makes the 'enc' command
into a form of 'cat'.
- The 'x509' and 'req' programs have been fixed and modified a little so
that they generate self-signed certificates correctly. The test
script actually generates a 'CA' certificate and then 'signs' a
'user' certificate. Have a look at this shell script (test/sstest)
to see how things work, it tests most possible combinations of what can
be done.
- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
of SSL_set_cipher_list() is now the correct API (stops confusion :-).
If this function is used in the client, only the specified ciphers can
be used, with preference given to the order the ciphers were listed.
For the server, if this is used, only the specified ciphers will be used
to accept connections. If this 'option' is not used, a default set of
ciphers will be used. The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
list for all ciphers started against the SSL_CTX. So the order is
SSL cipher_list, if not present, SSL_CTX cipher list, if not
present, then the library default.
What this means is that normally ciphers like
NULL-MD5 will never be used. The only way this cipher can be used
for both ends to specify to use it.
To enable or disable ciphers in the library at build time, modify the
first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
This file also contains the 'pref_cipher' list which is the default
cipher preference order.
- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
options work. They should, and they enable loading and writing the
netscape rsa private key format. I will be re-working this section of
SSLeay for the next version. What is currently in place is a quick and
dirty hack.
- I've re-written parts of the bignum library. This gives speedups
for all platforms. I now provide assembler for use under Windows NT.
I have not tested the Windows 3.1 assembler but it is quite simple code.
This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
Basically the times available under linux/solaris x86 can be achieve under
Windows NT. I still don't know how these times compare to RSA's BSAFE
library but I have been emailing with people and with their help, I should
be able to get my library's quite a bit faster still (more algorithm changes).
The object file crypto/bn/asm/x86-32.obj should be used when linking
under NT.
- 'make makefile.one' in the top directory will generate a single makefile
called 'makefile.one' This makefile contains no perl references and
will build the SSLeay library into the 'tmp' and 'out' directories.
util/mk1mf.pl >makefile.one is how this makefile is
generated. The mk1mf.pl command take several option to generate the
makefile for use with cc, gcc, Visual C++ and Borland C++. This is
still under development. I have only build .lib's for NT and MSDOS
I will be working on this more. I still need to play with the
correct compiler setups for these compilers and add some more stuff but
basically if you just want to compile the library
on a 'non-unix' platform, this is a very very good file to start with :-).
Have a look in the 'microsoft' directory for my current makefiles.
I have not yet modified things to link with sockets under Windows NT.
You guys should be able to do this since this is actually outside of the
SSLeay scope :-). I will be doing it for myself soon.
util/mk1mf.pl takes quite a few options including no-rc, rsaref and no-sock
to build without RC2/RC4, to require RSAref for linking, and to
build with no socket code.
- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
that was posted to sci.crypt has been added to the library and SSL.
I take the view that if RC2 is going to be included in a standard,
I'll include the cipher to make my package complete.
There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
at compile time. I have not tested this recently but it should all work
and if you are in the USA and don't want RSA threatening to sue you,
you could probably remove the RC4/RC2 code inside these sections.
I may in the future include a perl script that does this code
removal automatically for those in the USA :-).
- I have removed all references to sed in the makefiles. So basically,
the development environment requires perl and sh. The build environment
does not (use the makefile.one makefile).
The Configure script still requires perl, this will probably stay that way
since I have perl for Windows NT :-).
eric (03-May-1996)
PS Have a look in the VERSION file for more details on the changes and
bug fixes.
I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
things up. This version will be quite stable, mostly because I'm on
holidays until 10-March-1996. For any problems in the interum, send email
to Tim Hudson <tjh@mincom.oz.au>.
SSLeay 0.5.0
12-12-95
This is going out before it should really be released.
I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
this for 11 weeks or get things out. It is still going to change a
lot in the next week so if you do grab this version, please test and
give me feed back ASAP, inculuding questions on how to do things with
the library. This will prompt me to write documentation so I don't
have to answer the same question again :-).
This 'pre' release version is for people who are interested in the
library. The applications will have to be changed to use
the new version of the SSL interface. I intend to finish more
documentation before I leave but until then, look at the programs in
the apps directory. As far as code goes, it is much much nicer than
the old version.
The current library works, has no memory leaks (as far as I can tell)
and is far more bug free that 0.4.5d. There are no global variable of
consequence (I believe) and I will produce some documentation that
tell where to look for those people that do want to do multi-threaded
stuff.
There should be more documentation. Have a look in the
doc directory. I'll be adding more before I leave, it is a start
by mostly documents the crypto library. Tim Hudson will update
the web page ASAP. The spelling and grammar are crap but
it is better than nothing :-)
Reasons to start playing with version 0.5.0
- All the programs in the apps directory build into one ssleay binary.
- There is a new version of the 'req' program that generates certificate
requests, there is even documentation for this one :-)
- There is a demo certification authorithy program. Currently it will
look at the simple database and update it. It will generate CRL from
the data base. You need to edit the database by hand to revoke a
certificate, it is my aim to use perl5/Tk but I don't have time to do
this right now. It will generate the certificates but the management
scripts still need to be written. This is not a hard task.
- Things have been cleaned up alot.
- Have a look at the enc and dgst programs in the apps directory.
- It supports v3 of x509 certiticates.
Major things missing.
- I have been working on (and thinging about) the distributed x509
hierachy problem. I have not had time to put my solution in place.
It will have to wait until I come back.
- I have not put in CRL checking in the certificate verification but
it would not be hard to do. I was waiting until I could generate my
own CRL (which has only been in the last week) and I don't have time
to put it in correctly.
- Montgomery multiplication need to be implemented. I know the
algorithm, just ran out of time.
- PKCS#7. I can load and write the DER version. I need to re-work
things to support BER (if that means nothing, read the ASN1 spec :-).
- Testing of the higher level digital envelope routines. I have not
played with the *_seal() and *_open() type functions. They are
written but need testing. The *_sign() and *_verify() functions are
rock solid.
- PEM. Doing this and PKCS#7 have been dependant on the distributed
x509 heirachy problem. I started implementing my ideas, got
distracted writing a CA program and then ran out of time. I provide
the functionality of RSAref at least.
- Re work the asm. code for the x86. I've changed by low level bignum
interface again, so I really need to tweak the x86 stuff. gcc is
good enough for the other boxes.

54
CONTRIBUTING Normal file
View File

@ -0,0 +1,54 @@
HOW TO CONTRIBUTE TO OpenSSL
----------------------------
(Please visit https://www.openssl.org/community/getting-started.html for
other ideas about how to contribute.)
Development is done on GitHub, https://github.com/openssl/openssl.
To request new features or report bugs, please open an issue on GitHub
To submit a patch, please open a pull request on GitHub. If you are thinking
of making a large contribution, open an issue for it before starting work,
to get comments from the community. Someone may be already working on
the same thing or there may be reasons why that feature isn't implemented.
To make it easier to review and accept your pull request, please follow these
guidelines:
1. Anything other than a trivial contribution requires a Contributor
License Agreement (CLA), giving us permission to use your code. See
https://www.openssl.org/policies/cla.html for details. If your
contribution is too small to require a CLA, put "CLA: trivial" on a
line by itself in your commit message body.
2. All source files should start with the following text (with
appropriate comment characters at the start of each line and the
year(s) updated):
Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
https://www.openssl.org/source/license.html
3. Patches should be as current as possible; expect to have to rebase
often. We do not accept merge commits, you will have to remove them
(usually by rebasing) before it will be acceptable.
4. Patches should follow our coding style (see
https://www.openssl.org/policies/codingstyle.html) and compile
without warnings. Where gcc or clang is available you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features. Clean builds
via Travis and AppVeyor are required, and they are started automatically
whenever a PR is created or updated.
5. When at all possible, patches should include tests. These can
either be added to an existing test, or completely new. Please see
test/README for information on the test framework.
6. New features or changed functionality must include
documentation. Please look at the "pod" files in doc for
examples of our style.

2327
Configure Executable file
View File

File diff suppressed because it is too large Load Diff

2
FAQ Normal file
View File

@ -0,0 +1,2 @@
The FAQ is now maintained on the web:
https://www.openssl.org/docs/faq.html

8
GitConfigure Executable file
View File

@ -0,0 +1,8 @@
#!/bin/sh
BRANCH=`git rev-parse --abbrev-ref HEAD`
./Configure $@ no-symlinks
make files
util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
make -f makefile.$BRANCH init

5
GitMake Executable file
View File

@ -0,0 +1,5 @@
#!/bin/sh
BRANCH=`git rev-parse --abbrev-ref HEAD`
make -f makefile.$BRANCH $@

365
INSTALL Normal file
View File

@ -0,0 +1,365 @@
INSTALLATION ON THE UNIX PLATFORM
---------------------------------
[Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
INSTALL.MacOS and INSTALL.NW.
This document describes installation on operating systems in the Unix
family.]
To install OpenSSL, you will need:
* make
* Perl 5
* an ANSI C compiler
* a development environment in form of development libraries and C
header files
* a supported Unix operating system
Quick Start
-----------
If you want to just get on with it, do:
$ ./config
$ make
$ make test
$ make install
[If any of these steps fails, see section Installation in Detail below.]
This will build and install OpenSSL in the default location, which is (for
historical reasons) /usr/local/ssl. If you want to install it anywhere else,
run config like this:
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
Configuration Options
---------------------
There are several options to ./config (or ./Configure) to customize
the build:
--prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl.
Configuration files used by OpenSSL will be in DIR/ssl
or the directory specified by --openssldir.
--openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
the library files and binaries are also installed there.
no-threads Don't try to build with support for multi-threaded
applications.
threads Build with support for multi-threaded applications.
This will usually require additional system-dependent options!
See "Note on multi-threading" below.
no-zlib Don't try to build with support for zlib compression and
decompression.
zlib Build with support for zlib compression/decompression.
zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically
when needed. This is only supported on systems where loading
of shared libraries is supported. This is the default choice.
no-shared Don't try to create shared libraries.
shared In addition to the usual static libraries, create shared
libraries on platforms where it's supported. See "Note on
shared libraries" below.
no-asm Do not use assembler code.
386 In 32-bit x86 builds, when generating assembly modules,
use the 80386 instruction set only (the default x86 code
is more efficient, but requires at least a 486). Note:
This doesn't affect code generated by compiler, you're
likely to complement configuration command line with
suitable compiler-specific option.
no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules.
Normally SSE2 extension is detected at run-time, but the
decision whether or not the machine code will be executed
is taken solely on CPU capability vector. This means that
if you happen to run OS kernel which does not support SSE2
extension on Intel P4 processor, then your application
might be exposed to "illegal instruction" exception.
There might be a way to enable support in kernel, e.g.
FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
there is a way to disengage SSE2 code paths upon application
start-up, but if you aim for wider "audience" running
such kernel, consider no-sse2. Both the 386 and
no-asm options imply no-sse2.
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
The crypto/<cipher> directory can be removed after running
"make depend".
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
be passed through to the compiler to allow you to
define preprocessor symbols, specify additional libraries,
library directories or other compiler options. It might be
worth noting that some compilers generate code specifically
for processor the compiler currently executes on. This is
not necessarily what you might have in mind, since it might
be unsuitable for execution on other, typically older,
processor. Consult your compiler documentation.
-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
BSD. Useful if you are running ocf-linux or something
similar. Once enabled you can also enable the use of
cryptodev digests, which is usually slower unless you have
large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force
it.
Installation in Detail
----------------------
1a. Configure OpenSSL for your operation system automatically:
$ ./config [options]
This guesses at your operating system (and compiler, if necessary) and
configures OpenSSL based on this guess. Run ./config -t to see
if it guessed correctly. If you want to use a different compiler, you
are cross-compiling for another platform, or the ./config guess was
wrong for other reasons, go to step 1b. Otherwise go to step 2.
On some systems, you can include debugging information as follows:
$ ./config -d [options]
1b. Configure OpenSSL for your operating system manually
OpenSSL knows about a range of different operating system, hardware and
compiler combinations. To see the ones it knows about, run
$ ./Configure
Pick a suitable name from the list that matches your system. For most
operating systems there is a choice between using "cc" or "gcc". When
you have identified your system (and if necessary compiler) use this name
as the argument to ./Configure. For example, a "linux-elf" user would
run:
$ ./Configure linux-elf [options]
If your system is not available, you will have to edit the Configure
program and add the correct configuration for your system. The
generic configurations "cc" or "gcc" should usually work on 32 bit
systems.
Configure creates the file Makefile.ssl from Makefile.org and
defines various macros in crypto/opensslconf.h (generated from
crypto/opensslconf.h.in).
2. Build OpenSSL by running:
$ make
This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
OpenSSL binary ("openssl"). The libraries will be built in the top-level
directory, and the binary will be in the "apps" directory.
If the build fails, look at the output. There may be reasons
for the failure that aren't problems in OpenSSL itself (like
missing standard headers). If you are having problems you can
get help by sending an email to the openssl-users email list (see
https://www.openssl.org/community/mailinglists.html for details). If
it is a bug with OpenSSL itself, please open an issue on GitHub, at
https://github.com/openssl/openssl/issues. Please review the existing
ones first; maybe the bug was already reported or has already been
fixed.
(If you encounter assembler error messages, try the "no-asm"
configuration option as an immediate fix.)
Compiling parts of OpenSSL with gcc and others with the system
compiler will result in unresolved symbols on some systems.
3. After a successful build, the libraries should be tested. Run:
$ make test
If a test fails, look at the output. There may be reasons for
the failure that isn't a problem in OpenSSL itself (like a missing
or malfunctioning bc). If it is a problem with OpenSSL itself,
try removing any compiler optimization flags from the CFLAG line
in Makefile.ssl and run "make clean; make". To report a bug please open an
issue on GitHub, at https://github.com/openssl/openssl/issues.
4. If everything tests ok, install OpenSSL with
$ make install
This will create the installation directory (if it does not exist) and
then the following subdirectories:
certs Initially empty, this is the default location
for certificate files.
man/man1 Manual pages for the 'openssl' command line tool
man/man3 Manual pages for the libraries (very incomplete)
misc Various scripts.
private Initially empty, this is the default location
for private key files.
If you didn't choose a different installation prefix, the
following additional subdirectories will be created:
bin Contains the openssl binary and a few other
utility programs.
include/openssl Contains the header files needed if you want to
compile programs with libcrypto or libssl.
lib Contains the OpenSSL library files themselves.
Use "make install_sw" to install the software without documentation,
and "install_docs_html" to install HTML renditions of the manual
pages.
Package builders who want to configure the library for standard
locations, but have the package installed somewhere else so that
it can easily be packaged, can use
$ make INSTALL_PREFIX=/tmp/package-root install
(or specify "--install_prefix=/tmp/package-root" as a configure
option). The specified prefix will be prepended to all
installation target filenames.
NOTE: The header files used to reside directly in the include
directory, but have now been moved to include/openssl so that
OpenSSL can co-exist with other libraries which use some of the
same filenames. This means that applications that use OpenSSL
should now use C preprocessor directives of the form
#include <openssl/ssl.h>
instead of "#include <ssl.h>", which was used with library versions
up to OpenSSL 0.9.2b.
If you install a new version of OpenSSL over an old library version,
you should delete the old header files in the include directory.
Compatibility issues:
* COMPILING existing applications
To compile an application that uses old filenames -- e.g.
"#include <ssl.h>" --, it will usually be enough to find
the CFLAGS definition in the application's Makefile and
add a C option such as
-I/usr/local/ssl/include/openssl
to it.
But don't delete the existing -I option that points to
the ..../include directory! Otherwise, OpenSSL header files
could not #include each other.
* WRITING applications
To write an application that is able to handle both the new
and the old directory layout, so that it can still be compiled
with library versions up to OpenSSL 0.9.2b without bothering
the user, you can proceed as follows:
- Always use the new filename of OpenSSL header files,
e.g. #include <openssl/ssl.h>.
- Create a directory "incl" that contains only a symbolic
link named "openssl", which points to the "include" directory
of OpenSSL.
For example, your application's Makefile might contain the
following rule, if OPENSSLDIR is a pathname (absolute or
relative) of the directory where OpenSSL resides:
incl/openssl:
-mkdir incl
cd $(OPENSSLDIR) # Check whether the directory really exists
-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
You will have to add "incl/openssl" to the dependencies
of those C files that include some OpenSSL header file.
- Add "-Iincl" to your CFLAGS.
With these additions, the OpenSSL header files will be available
under both name variants if an old library version is used:
Your application can reach them under names like <openssl/foo.h>,
while the header files still are able to #include each other
with names of the form <foo.h>.
Note on multi-threading
-----------------------
For some systems, the OpenSSL Configure script knows what compiler options
are needed to generate a library that is suitable for multi-threaded
applications. On these systems, support for multi-threading is enabled
by default; use the "no-threads" option to disable (this should never be
necessary).
On other systems, to enable support for multi-threading, you will have
to specify at least two options: "threads", and a system-dependent option.
(The latter is "-D_REENTRANT" on various systems.) The default in this
case, obviously, is not to include support for multi-threading (but
you can still use "no-threads" to suppress an annoying warning message
from the Configure script.)
Note on shared libraries
------------------------
Shared libraries have certain caveats. Binary backward compatibility
can't be guaranteed before OpenSSL version 1.0. The only reason to
use them would be to conserve memory on systems where several programs
are using OpenSSL.
For some systems, the OpenSSL Configure script knows what is needed to
build shared libraries for libcrypto and libssl. On these systems,
the shared libraries are currently not created by default, but giving
the option "shared" will get them created. This method supports Makefile
targets for shared library creation, like linux-shared. Those targets
can currently be used on their own just as well, but this is expected
to change in future versions of OpenSSL.
Note on random number generation
--------------------------------
Availability of cryptographically secure random numbers is required for
secret key generation. OpenSSL provides several options to seed the
internal PRNG. If not properly seeded, the internal PRNG will refuse
to deliver random bytes and a "PRNG not seeded error" will occur.
On systems without /dev/urandom (or similar) device, it may be necessary
to install additional support software to obtain random seed.
Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
and the FAQ for more information.
Note on support for multiple builds
-----------------------------------
OpenSSL is usually built in its source tree. Unfortunately, this doesn't
support building for multiple platforms from the same source tree very well.
It is however possible to build in a separate tree through the use of lots
of symbolic links, which should be prepared like this:
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
cd objtree/"`uname -s`-`uname -r`-`uname -m`"
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
mkdir -p `dirname $F`
rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
echo $F '->' $OPENSSL_SOURCE/$F
done
make -f Makefile.org clean
OPENSSL_SOURCE is an environment variable that contains the absolute (this
is important!) path to the OpenSSL source tree.
Also, operations like 'make update' should still be made in the source tree.

47
INSTALL.DJGPP Normal file
View File

@ -0,0 +1,47 @@
INSTALLATION ON THE DOS PLATFORM WITH DJGPP
-------------------------------------------
OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time
environment for 16-bit DOS, but only with long filename support.
If you wish to compile on native DOS with 8+3 filenames, you will
have to tweak the installation yourself, including renaming files
with illegal or duplicate names.
You should have a full DJGPP environment installed, including the
latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
requires that PERL and BC also be installed.
All of these can be obtained from the usual DJGPP mirror sites or
directly at "http://www.delorie.com/pub/djgpp". For help on which
files to download, see the DJGPP "ZIP PICKER" page at
"http://www.delorie.com/djgpp/zip-picker.html". You also need to have
the WATT-32 networking package installed before you try to compile
OpenSSL. This can be obtained from "http://www.bgnett.no/~giva/".
The Makefile assumes that the WATT-32 code is in the directory
specified by the environment variable WATT_ROOT. If you have watt-32
in directory "watt32" under your main DJGPP directory, specify
WATT_ROOT="/dev/env/DJDIR/watt32".
To compile OpenSSL, start your BASH shell, then configure for DJGPP by
running "./Configure" with appropriate arguments:
./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
And finally fire up "make". You may run out of DPMI selectors when
running in a DOS box under Windows. If so, just close the BASH
shell, go back to Windows, and restart BASH. Then run "make" again.
RUN-TIME CAVEAT LECTOR
--------------
Quoting FAQ:
"Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness
device" (/dev/urandom or /dev/random) that serves this purpose."
As of version 0.9.7f DJGPP port checks upon /dev/urandom$ for a 3rd
party "randomness" DOS driver. One such driver, NOISE.SYS, can be
obtained from "http://www.rahul.net/dkaufman/index.html".

72
INSTALL.MacOS Normal file
View File

@ -0,0 +1,72 @@
OpenSSL - Port To The Macintosh OS 9 or Earlier
===============================================
Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
X) is now provided. "Initial" means that unlike other platforms where you
get an SDK and a "swiss army" openssl application, on Macintosh you only
get one sample application which fetches a page over HTTPS(*) and dumps it
in a window. We don't even build the test applications so that we can't
guarantee that all algorithms are operational.
Required software:
- StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
- Scriptable Finder;
- CodeWarrior Pro 5;
Installation procedure:
- fetch the source at ftp://ftp.openssl.org/ (well, you probably already
did, huh?)
- unpack the .tar.gz file:
- if you have StuffIt Expander then just drag it over it;
- otherwise uncompress it with MacGzip and then unpack with SUNtar;
- locate MacOS folder in OpenSSL source tree and open it;
- unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
"in-place", i.e. unpacked files should end-up in the very same folder;
- execute mklinks.as;
- open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
- that's it for now;
(*) URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
to 42, change appropriately.
(**) If you use SUNtar, then it might have already unbinhexed the files
in question.
(***) The project file was saved with CW Pro 5.3. If you have an earlier
version and it refuses to open it, then download
http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
overwriting the original OpenSSL.mcp.
(****) Other targets are works in progress. If you feel like giving 'em a
shot, then you should know that OpenSSL* and Lib* targets are
supposed to be built with the GUSI, MacOS library which mimics
BSD sockets and some other POSIX APIs. The GUSI distribution is
expected to be found in the same directory as the openssl source tree,
i.e., in the parent directory to the one where this very file,
namely INSTALL.MacOS, resides. For more information about GUSI, see
http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
Finally some essential comments from our generous contributor:-)
"I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
hack, but it works for what I'm doing. If you don't like the way I've done
it, then feel free to change what I've done. I freely admit that I've done
some less-than-ideal things in my port, and if you don't like the way I've
done something, then feel free to change it-- I won't be offended!
... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
library I wrote. My MacSocket library is a wrapper around OpenTransport,
handling stuff like endpoint creation, reading, writing, etc. It is not
designed as a high-performance package such as you'd use in a webserver,
but is fine for lots of other applications. MacSocket also uses some other
code libraries I've written to deal with string manipulations and error
handling. Feel free to use these things in your own code, but give me
credit and/or send me free stuff in appreciation! :-)
...
If you have any questions, feel free to email me as the following:
roy@centricsystems.ca
-Roy Wood"

454
INSTALL.NW Normal file
View File

@ -0,0 +1,454 @@
INSTALLATION ON THE NETWARE PLATFORM
------------------------------------
Notes about building OpenSSL for NetWare.
BUILD PLATFORM:
---------------
The build scripts (batch files, perl scripts, etc) have been developed and
tested on W2K. The scripts should run fine on other Windows platforms
(NT, Win9x, WinXP) but they have not been tested. They may require some
modifications.
Supported NetWare Platforms - NetWare 5.x, NetWare 6.x:
-------------------------------------------------------
OpenSSL can either use the WinSock interfaces introduced in NetWare 5,
or the BSD socket interface. Previous versions of NetWare, 4.x and 3.x,
are only supported if OpenSSL is build for CLIB and BSD sockets;
WinSock builds only support NetWare 5 and up.
On NetWare there are two c-runtime libraries. There is the legacy CLIB
interfaces and the newer LIBC interfaces. Being ANSI-C libraries, the
functionality in CLIB and LIBC is similar but the LIBC interfaces are built
using Novell Kernal Services (NKS) which is designed to leverage
multi-processor environments.
The NetWare port of OpenSSL can be configured to build using CLIB or LIBC.
The CLIB build was developed and tested using NetWare 5.0 sp6.0a. The LIBC
build was developed and tested using the NetWare 6.0 FCS.
The necessary LIBC functionality ships with NetWare 6. However, earlier
NetWare 5.x versions will require updates in order to run the OpenSSL LIBC
build (NetWare 5.1 SP8 is known to work).
As of June 2005, the LIBC build can be configured to use BSD sockets instead
of WinSock sockets. Call Configure (usually through netware\build.bat) using
a target of "netware-libc-bsdsock" instead of "netware-libc".
As of June 2007, support for CLIB and BSD sockets is also now available
using a target of "netware-clib-bsdsock" instead of "netware-clib";
also gcc builds are now supported on both Linux and Win32 (post 0.9.8e).
REQUIRED TOOLS:
---------------
Based upon the configuration and build options used, some or all of the
following tools may be required:
* Perl for Win32 - required (http://www.activestate.com/ActivePerl)
Used to run the various perl scripts on the build platform.
* Perl 5.8.0 for NetWare v3.20 (or later) - required
(http://developer.novell.com) Used to run the test script on NetWare
after building.
* Compiler / Linker - required:
Metrowerks CodeWarrior PDK 2.1 (or later) for NetWare (commercial):
Provides command line tools used for building.
Tools:
mwccnlm.exe - C/C++ Compiler for NetWare
mwldnlm.exe - Linker for NetWare
mwasmnlm.exe - x86 assembler for NetWare (if using assembly option)
gcc / nlmconv Cross-Compiler, available from Novell Forge (free):
http://forge.novell.com/modules/xfmod/project/?aunixnw
* Assemblers - optional:
If you intend to build using the assembly options you will need an
assembler. Work has been completed to support two assemblers, Metrowerks
and NASM. However, during development, a bug was found in the Metrowerks
assembler which generates incorrect code. Until this problem is fixed,
the Metrowerks assembler cannot be used.
mwasmnlm.exe - Metrowerks x86 assembler - part of CodeWarrior tools.
(version 2.2 Built Aug 23, 1999 - not useable due to code
generation bug)
nasmw.exe - Netwide Assembler NASM
version 0.98 was used in development and testing
* Make Tool - required:
In order to build you will need a make tool. Two make tools are
supported, GNU make (gmake.exe) or Microsoft nmake.exe.
make.exe - GNU make for Windows (version 3.75 used for development)
http://gnuwin32.sourceforge.net/packages/make.htm
nmake.exe - Microsoft make (Version 6.00.8168.0 used for development)
http://support.microsoft.com/kb/132084/EN-US/
* Novell Developer Kit (NDK) - required: (http://developer.novell.com)
CLIB - BUILDS:
WinSock2 Developer Components for NetWare:
For initial development, the October 27, 2000 version was used.
However, future versions should also work.
NOTE: The WinSock2 components include headers & import files for
NetWare, but you will also need the winsock2.h and supporting
headers (pshpack4.h, poppack.h, qos.h) delivered in the
Microsoft SDK. Note: The winsock2.h support headers may change
with various versions of winsock2.h. Check the dependencies
section on the NDK WinSock2 download page for the latest
information on dependencies. These components are unsupported by
Novell. They are provided as a courtesy, but it is strongly
suggested that all development be done using LIBC, not CLIB.
As of June 2005, the WinSock2 components are available at:
http://forgeftp.novell.com//ws2comp/
NLM and NetWare libraries for C (including CLIB and XPlat):
If you are going to build a CLIB version of OpenSSL, you will
need the CLIB headers and imports. The March, 2001 NDK release or
later is recommended.
Earlier versions should work but haven't been tested. In recent
versions the import files have been consolidated and function
names moved. This means you may run into link problems
(undefined symbols) when using earlier versions. The functions
are available in earlier versions, but you will have to modifiy
the make files to include additional import files (see
openssl\util\pl\netware.pl).
LIBC - BUILDS:
Libraries for C (LIBC) - LIBC headers and import files
If you are going to build a LIBC version of OpenSSL, you will
need the LIBC headers and imports. The March 14, 2002 NDK release or
later is required.
NOTE: The LIBC SDK includes the necessary WinSock2 support.
It is not necessary to download the WinSock2 NDK when building for
LIBC. The LIBC SDK also includes the appropriate BSD socket support
if configuring to use BSD sockets.
BUILDING:
---------
Before building, you will need to set a few environment variables. You can
set them manually or you can modify the "netware\set_env.bat" file.
The set_env.bat file is a template you can use to set up the path
and environment variables you will need to build. Modify the
various lines to point to YOUR tools and run set_env.bat.
netware\set_env.bat <target> [compiler]
target - "netware-clib" - CLIB NetWare build
- "netware-libc" - LIBC NetWare build
compiler - "gnuc" - GNU GCC Compiler
- "codewarrior" - MetroWerks CodeWarrior (default)
If you don't use set_env.bat, you will need to set up the following
environment variables:
PATH - Set PATH to point to the tools you will use.
INCLUDE - The location of the NDK include files.
CLIB ex: set INCLUDE=c:\ndk\nwsdk\include\nlm
LIBC ex: set INCLUDE=c:\ndk\libc\include
PRELUDE - The absolute path of the prelude object to link with. For
a CLIB build it is recommended you use the "clibpre.o" files shipped
with the Metrowerks PDK for NetWare. For a LIBC build you should
use the "libcpre.o" file delivered with the LIBC NDK components.
CLIB ex: set PRELUDE=c:\ndk\nwsdk\imports\clibpre.o
LIBC ex: set PRELUDE=c:\ndk\libc\imports\libcpre.o
IMPORTS - The locaton of the NDK import files.
CLIB ex: set IMPORTS=c:\ndk\nwsdk\imports
LIBC ex: set IMPORTS=c:\ndk\libc\imports
In order to build, you need to run the Perl scripts to configure the build
process and generate a make file. There is a batch file,
"netware\build.bat", to automate the process.
Build.bat runs the build configuration scripts and generates a make file.
If an assembly option is specified, it also runs the scripts to generate
the assembly code. Always run build.bat from the "openssl" directory.
netware\build [target] [debug opts] [assembly opts] [configure opts]
target - "netware-clib" - CLIB NetWare build (WinSock Sockets)
- "netware-clib-bsdsock" - CLIB NetWare build (BSD Sockets)
- "netware-libc" - LIBC NetWare build (WinSock Sockets)
- "netware-libc-bsdsock" - LIBC NetWare build (BSD Sockets)
debug opts - "debug" - build debug
assembly opts - "nw-mwasm" - use Metrowerks assembler
"nw-nasm" - use NASM assembler
"no-asm" - don't use assembly
configure opts- all unrecognized arguments are passed to the
perl 'configure' script. See that script for
internal documentation regarding options that
are available.
examples:
CLIB build, debug, without assembly:
netware\build.bat netware-clib debug no-asm
LIBC build, non-debug, using NASM assembly, add mdc2 support:
netware\build.bat netware-libc nw-nasm enable-mdc2
LIBC build, BSD sockets, non-debug, without assembly:
netware\build.bat netware-libc-bsdsock no-asm
Running build.bat generates a make file to be processed by your make
tool (gmake or nmake):
CLIB ex: gmake -f netware\nlm_clib_dbg.mak
LIBC ex: gmake -f netware\nlm_libc.mak
LIBC ex: gmake -f netware\nlm_libc_bsdsock.mak
You can also run the build scripts manually if you do not want to use the
build.bat file. Run the following scripts in the "\openssl"
subdirectory (in the order listed below):
perl configure no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock]
configures no assembly build for specified netware environment
(CLIB or LIBC).
perl util\mkfiles.pl >MINFO
generates a listing of source files (used by mk1mf)
perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock >netware\nlm.mak
generates the makefile for NetWare
gmake -f netware\nlm.mak
build with the make tool (nmake.exe also works)
NOTE: If you are building using the assembly option, you must also run the
various Perl scripts to generate the assembly files. See build.bat
for an example of running the various assembly scripts. You must use the
"no-asm" option to build without assembly. The configure and mk1mf scripts
also have various other options. See the scripts for more information.
The output from the build is placed in the following directories:
CLIB Debug build:
out_nw_clib.dbg - static libs & test nlm(s)
tmp_nw_clib.dbg - temporary build files
outinc_nw_clib - necessary include files
CLIB Non-debug build:
out_nw_clib - static libs & test nlm(s)
tmp_nw_clib - temporary build files
outinc_nw_clib - necesary include files
LIBC Debug build:
out_nw_libc.dbg - static libs & test nlm(s)
tmp_nw_libc.dbg - temporary build files
outinc_nw_libc - necessary include files
LIBC Non-debug build:
out_nw_libc - static libs & test nlm(s)
tmp_nw_libc - temporary build files
outinc_nw_libc - necesary include files
TESTING:
--------
The build process creates the OpenSSL static libs ( crypto.lib, ssl.lib,
rsaglue.lib ) and several test programs. You should copy the test programs
to your NetWare server and run the tests.
The batch file "netware\cpy_tests.bat" will copy all the necessary files
to your server for testing. In order to run the batch file, you need a
drive mapped to your target server. It will create an "OpenSSL" directory
on the drive and copy the test files to it. CAUTION: If a directory with the
name of "OpenSSL" already exists, it will be deleted.
To run cpy_tests.bat:
netware\cpy_tests [output directory] [NetWare drive]
output directory - "out_nw_clib.dbg", "out_nw_libc", etc.
NetWare drive - drive letter of mapped drive
CLIB ex: netware\cpy_tests out_nw_clib m:
LIBC ex: netware\cpy_tests out_nw_libc m:
The Perl script, "do_tests.pl", in the "OpenSSL" directory on the server
should be used to execute the tests. Before running the script, make sure
your SEARCH PATH includes the "OpenSSL" directory. For example, if you
copied the files to the "sys:" volume you use the command:
SEARCH ADD SYS:\OPENSSL
To run do_tests.pl type (at the console prompt):
perl \openssl\do_tests.pl [options]
options:
-p - pause after executing each test
The do_tests.pl script generates a log file "\openssl\test_out\tests.log"
which should be reviewed for errors. Any errors will be denoted by the word
"ERROR" in the log.
DEVELOPING WITH THE OPENSSL SDK:
--------------------------------
Now that everything is built and tested, you are ready to use the OpenSSL
libraries in your development.
There is no real installation procedure, just copy the static libs and
headers to your build location. The libs (crypto.lib & ssl.lib) are
located in the appropriate "out_nw_XXXX" directory
(out_nw_clib, out_nw_libc, etc).
The headers are located in the appropriate "outinc_nw_XXX" directory
(outinc_nw_clib, outinc_nw_libc).
One suggestion is to create the following directory
structure for the OpenSSL SDK:
\openssl
|- bin
| |- openssl.nlm
| |- (other tests you want)
|
|- lib
| | - crypto.lib
| | - ssl.lib
|
|- include
| | - openssl
| | | - (all the headers in "outinc_nw\openssl")
The program "openssl.nlm" can be very useful. It has dozens of
options and you may want to keep it handy for debugging, testing, etc.
When building your apps using OpenSSL, define "NETWARE". It is needed by
some of the OpenSSL headers. One way to do this is with a compile option,
for example "-DNETWARE".
NOTES:
------
Resource leaks in Tests
------------------------
Some OpenSSL tests do not clean up resources and NetWare reports
the resource leaks when the tests unload. If this really bugs you,
you can stop the messages by setting the developer option off at the console
prompt (set developer option = off). Or better yet, fix the tests to
clean up the resources!
Multi-threaded Development
---------------------------
The NetWare version of OpenSSL is thread-safe, however multi-threaded
applications must provide the necessary locking function callbacks. This
is described in doc\threads.doc. The file "openssl-x.x.x\crypto\threads\mttest.c"
is a multi-threaded test program and demonstrates the locking functions.
What is openssl2.nlm?
---------------------
The openssl program has numerous options and can be used for many different
things. Many of the options operate in an interactive mode requiring the
user to enter data. Because of this, a default screen is created for the
program. However, when running the test script it is not desirable to
have a seperate screen. Therefore, the build also creates openssl2.nlm.
Openssl2.nlm is functionally identical but uses the console screen.
Openssl2 can be used when a non-interactive mode is desired.
NOTE: There are may other possibilities (command line options, etc)
which could have been used to address the screen issue. The openssl2.nlm
option was chosen because it impacted only the build not the code.
Why only static libraries?
--------------------------
Globals, globals, and more globals. The OpenSSL code uses many global
variables that are allocated and initialized when used for the first time.
On NetWare, most applications (at least historically) run in the kernel.
When running in the kernel, there is one instance of global variables.
For regular application type NLM(s) this isn't a problem because they are
the only ones using the globals. However, for a library NLM (an NLM which
exposes functions and has no threads of execution), the globals cause
problems. Applications could inadvertently step on each other if they
change some globals. Even worse, the first application that triggers a
global to be allocated and initialized has the allocated memory charged to
itself. Now when that application unloads, NetWare will clean up all the
applicaton's memory. The global pointer variables inside OpenSSL now
point to freed memory. An abend waiting to happen!
To work correctly in the kernel, library NLM(s) that use globals need to
provide a set of globals (instance data) for each application. Another
option is to require the library only be loaded in a protected address
space along with the application using it.
Modifying the OpenSSL code to provide a set of globals (instance data) for
each application isn't technically difficult, but due to the large number
globals it would require substantial code changes and it wasn't done. Hence,
the build currently only builds static libraries which are then linked
into each application.
NOTE: If you are building a library NLM that uses the OpenSSL static
libraries, you will still have to deal with the global variable issue.
This is because when you link in the OpenSSL code you bring in all the
globals. One possible solution for the global pointer variables is to
register memory functions with OpenSSL which allocate memory and charge it
to your library NLM (see the function CRYPTO_set_mem_functions). However,
be aware that now all memory allocated by OpenSSL is charged to your NLM.
CodeWarrior Tools and W2K
---------------------------
There have been problems reported with the CodeWarrior Linker
(mwldnlm.exe) in the PDK 2.1 for NetWare when running on Windows 2000. The
problems cause the link step to fail. The only work around is to obtain an
updated linker from Metrowerks. It is expected Metrowerks will release
PDK 3.0 (in beta testing at this time - May, 2001) in the near future which
will fix these problems.
Makefile "vclean"
------------------
The generated makefile has a "vclean" target which cleans up the build
directories. If you have been building successfully and suddenly
experience problems, use "vclean" (gmake -f netware\nlm_xxxx.mak vclean) and retry.
"Undefined Symbol" Linker errors
--------------------------------
There have been linker errors reported when doing a CLIB build. The problems
occur because some versions of the CLIB SDK import files inadvertently
left out some symbols. One symbol in particular is "_lrotl". The missing
functions are actually delivered in the binaries, but they were left out of
the import files. The issues should be fixed in the September 2001 release
of the NDK. If you experience the problems you can temporarily
work around it by manually adding the missing symbols to your version of
"clib.imp".

31
INSTALL.OS2 Normal file
View File

@ -0,0 +1,31 @@
Installation on OS/2
--------------------
You need to have the following tools installed:
* EMX GCC
* PERL
* GNU make
To build the makefile, run
> os2\os2-emx
This will configure OpenSSL and create OS2-EMX.mak which you then use to
build the OpenSSL libraries & programs by running
> make -f os2-emx.mak
If that finishes successfully you will find the libraries and programs in the
"out" directory.
Alternatively, you can make a dynamic build that puts the library code into
crypto.dll and ssl.dll by running
> make -f os2-emx-dll.mak
This will build the above mentioned dlls and a matching pair of import
libraries in the "out_dll" directory along with the set of test programs
and the openssl application.

293
INSTALL.VMS Normal file
View File

@ -0,0 +1,293 @@
VMS Installation instructions
written by Richard Levitte
<richard@levitte.org>
Intro:
======
This file is divided in the following parts:
Requirements - Mandatory reading.
Checking the distribution - Mandatory reading.
Compilation - Mandatory reading.
Logical names - Mandatory reading.
Test - Mandatory reading.
Installation - Mandatory reading.
Backward portability - Read if it's an issue.
Possible bugs or quirks - A few warnings on things that
may go wrong or may surprise you.
TODO - Things that are to come.
Requirements:
=============
To build and install OpenSSL, you will need:
* DEC C or some other ANSI C compiler. VAX C is *not* supported.
[Note: OpenSSL has only been tested with DEC C. Compiling with
a different ANSI C compiler may require some work]
Checking the distribution:
==========================
There have been reports of places where the distribution didn't quite get
through, for example if you've copied the tree from a NFS-mounted Unix
mount point.
The easiest way to check if everything got through as it should is to check
for one of the following files:
[.CRYPTO]OPENSSLCONF.H_IN
[.CRYPTO]OPENSSLCONF_H.IN
They should never exist both at once, but one of them should (preferably
the first variant). If you can't find any of those two, something went
wrong.
The best way to get a correct distribution is to download the gzipped tar
file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress it and
use VMSTAR to unpack the resulting tar file.
GUNZIP is available in many places on the net. One of the distribution
points is the WKU software archive, ftp://ftp.wku.edu/vms/fileserv/ .
VMSTAR is also available in many places on the net. The recommended place
to find information about it is http://www.free.lp.se/vmstar/ .
Compilation:
============
I've used the very good command procedures written by Robert Byer
<byer@mail.all-net.net>, and just slightly modified them, making
them slightly more general and easier to maintain.
You can actually compile in almost any directory separately. Look
for a command procedure name xxx-LIB.COM (in the library directories)
or MAKExxx.COM (in the program directories) and read the comments at
the top to understand how to use them. However, if you want to
compile all you can get, the simplest is to use MAKEVMS.COM in the top
directory. The syntax is the following:
@MAKEVMS <option> <bits> <debug-p> [<compiler>]
<option> must be one of the following:
ALL Just build "everything".
CONFIG Just build the "[.CRYPTO]OPENSSLCONF.H" file.
BUILDINF Just build the "[.INCLUDE]BUILDINF.H" file.
SOFTLINKS Just copies some files, to simulate Unix soft links.
BUILDALL Same as ALL, except CONFIG, BUILDINF and SOFTLINKS aren't done.
RSAREF Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
CRYPTO Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
SSL Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
SSL_TASK Just build the "[.xxx.EXE.SSL]SSL_TASK.EXE" program.
TEST Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
APPS Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
<bits> must be one of the following:
"" compile using default pointer size
32 compile using 32 bit pointer size
64 compile using 64 bit pointer size
<debug-p> must be one of the following:
DEBUG compile with debugging info (will not optimize)
NODEBUG compile without debugging info (will optimize)
<compiler> must be one of the following:
DECC For DEC C.
GNUC For GNU C.
You will find the crypto library in [.xxx.EXE.CRYPTO] (where xxx is VAX,
ALPHA or IA64), called SSL_LIBCRYPTO32.OLB or SSL_LIBCRYPTO.OLB depending
on how it was built. You will find the SSL library in [.xxx.EXE.SSL],
named SSL_LIBSSL32.OLB or SSL_LIBSSL.OLB, and you will find a bunch of
useful programs in [.xxx.EXE.APPS]. However, these shouldn't be used
right off unless it's just to test them. For production use, make sure
you install first, see Installation below.
Note 1: Some programs in this package require a TCP/IP library.
Note 2: if you want to compile the crypto library only, please make sure
you have at least done a @MAKEVMS CONFIG, a @MAKEVMS BUILDINF and
a @MAKEVMS SOFTLINKS. A lot of things will break if you don't.
Logical names:
==============
There are a few things that can't currently be given through the command
line. Instead, logical names are used.
Currently, the logical names supported are:
OPENSSL_NO_ASM with value YES, the assembler parts of OpenSSL will
not be used. Instead, plain C implementations are
used. This is good to try if something doesn't work.
OPENSSL_NO_'alg' with value YES, the corresponding crypto algorithm
will not be implemented. Supported algorithms to
do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
SSL2. So, for example, having the logical name
OPENSSL_NO_RSA with the value YES means that the
LIBCRYPTO.OLB library will not contain an RSA
implementation.
Test:
=====
Testing is very simple, just do the following:
@[.TEST]TESTS
If a test fails, try with defining the logical name OPENSSL_NO_ASM (yes,
it's an ugly hack!) and rebuild. Please send a bug report to
<openssl-bugs@openssl.org>, including the output of "openssl version -a"
and of the failed test.
Installation:
=============
Installation is easy, just do the following:
@INSTALL <root> <bits>
<root> is the directory in which everything will be installed,
subdirectories, libraries, header files, programs and startup command
procedures.
<bits> works the same way as for MAKEVMS.COM
N.B.: INSTALL.COM builds a new directory structure, different from
the directory tree where you have now build OpenSSL.
In the [.VMS] subdirectory of the installation, you will find the
following command procedures:
OPENSSL_STARTUP.COM
defines all needed logical names. Takes one argument that
tells it in what logical name table to insert the logical
names. If you insert if it SYS$MANAGER:SYSTARTUP_VMS.COM, the
call should look like this:
@openssldev:[openssldir.VMS]OPENSSL_STARTUP "/SYSTEM"
OPENSSL_UTILS.COM
sets up the symbols to the applications. Should be called
from for example SYS$MANAGER:SYLOGIN.COM
OPENSSL_UNDO.COM
deassigns the logical names created with OPENSSL_STARTUP.COM.
The logical names that are set up are the following:
SSLROOT a dotted concealed logical name pointing at the
root directory.
SSLCERTS Initially an empty directory, this is the default
location for certificate files.
SSLPRIVATE Initially an empty directory, this is the default
location for private key files.
SSLEXE Contains the openssl binary and a few other utility
programs.
SSLINCLUDE Contains the header files needed if you want to
compile programs with libcrypto or libssl.
SSLLIB Contains the OpenSSL library files themselves:
- SSL_LIBCRYPTO32.OLB and SSL_LIBSSL32.OLB or
- SSL_LIBCRYPTO.OLB and SSL_LIBSSL.OLB
OPENSSL Same as SSLINCLUDE. This is because the standard
way to include OpenSSL header files from version
0.9.3 and on is:
#include <openssl/header.h>
For more info on this issue, see the INSTALL. file
(the NOTE in section 4 of "Installation in Detail").
You don't need to "deleting old header files"!!!
Backward portability:
=====================
One great problem when you build a library is making sure it will work
on as many versions of VMS as possible. Especially, code compiled on
OpenVMS version 7.x and above tend to be unusable in version 6.x or
lower, because some C library routines have changed names internally
(the C programmer won't usually see it, because the old name is
maintained through C macros). One obvious solution is to make sure
you have a development machine with an old enough version of OpenVMS.
However, if you are stuck with a bunch of Alphas running OpenVMS version
7.1, you seem to be out of luck. Fortunately, the DEC C header files
are cluttered with conditionals that make some declarations and definitions
dependent on the OpenVMS version or the C library version, *and* you
can use those macros to simulate older OpenVMS or C library versions,
by defining the macros _VMS_V6_SOURCE, __VMS_VER and __CTRL_VER with
correct values. In the compilation scripts, I've provided the possibility
for the user to influence the creation of such macros, through a bunch of
symbols, all having names starting with USER_. Here's the list of them:
USER_CCFLAGS - Used to give additional qualifiers to the
compiler. It can't be used to define macros
since the scripts will do such things as well.
To do such things, use USER_CCDEFS.
USER_CCDEFS - Used to define macros on the command line. The
value of this symbol will be inserted inside a
/DEFINE=(...).
USER_CCDISABLEWARNINGS - Used to disable some warnings. The value is
inserted inside a /DISABLE=WARNING=(...).
So, to maintain backward compatibility with older VMS versions, do the
following before you start compiling:
$ USER_CCDEFS := _VMS_V6_SOURCE=1,__VMS_VER=60000000,__CRTL_VER=60000000
$ USER_CCDISABLEWARNINGS := PREOPTW
The USER_CCDISABLEWARNINGS is there because otherwise, DEC C will complain
that those macros have been changed.
Note: Currently, this is only useful for library compilation. The
programs will still be linked with the current version of the
C library shareable image, and will thus complain if they are
faced with an older version of the same C library shareable image.
This will probably be fixed in a future revision of OpenSSL.
Possible bugs or quirks:
========================
I'm not perfectly sure all the programs will use the SSLCERTS:
directory by default, it may very well be that you have to give them
extra arguments. Please experiment.
TODO:
=====
There are a few things that need to be worked out in the VMS version of
OpenSSL, still:
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
There may be other things that I have missed and that may be desirable.
Please send mail to <openssl-users@openssl.org> or to me directly if you
have any ideas.
--
Richard Levitte <richard@levitte.org>
2000-02-27, 2011-03-18

325
INSTALL.W32 Normal file
View File

@ -0,0 +1,325 @@
INSTALLATION ON THE WIN32 PLATFORM
----------------------------------
[Instructions for building for Windows CE can be found in INSTALL.WCE]
[Instructions for building for Win64 can be found in INSTALL.W64]
Here are a few comments about building OpenSSL for Win32 environments,
such as Windows NT and Windows 9x. It should be noted though that
Windows 9x are not ordinarily tested. Its mention merely means that we
attempt to maintain certain programming discipline and pay attention
to backward compatibility issues, in other words it's kind of expected
to work on Windows 9x, but no regression tests are actually performed.
On additional note newer OpenSSL versions are compiled and linked with
Winsock 2. This means that minimum OS requirement was elevated to NT 4
and Windows 98 [there is Winsock 2 update for Windows 95 though].
- you need Perl for Win32. Unless you will build on Cygwin, you will need
ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- one of the following C compilers:
* Visual C++
* Borland C
* GNU C (Cygwin or MinGW)
- Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/
is required if you intend to utilize assembler modules. Note that NASM
is now the only supported assembler.
If you are compiling from a tarball or a Git snapshot then the Win32 files
may well be not up to date. This may mean that some "tweaking" is required to
get it all to work. See the trouble shooting section later on for if (when?)
it goes wrong.
Visual C++
----------
If you want to compile in the assembly language routines with Visual
C++, then you will need already mentioned Netwide Assembler binary,
nasmw.exe or nasm.exe, to be available on your %PATH%.
Firstly you should run Configure with platform VC-WIN32:
> perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
Where the prefix argument specifies where OpenSSL will be installed to.
Next you need to build the Makefiles and optionally the assembly
language files:
- If you are using NASM then run:
> ms\do_nasm
- If you don't want to use the assembly language files at all then run:
> perl Configure VC-WIN32 no-asm --prefix=c:/some/openssl/dir
> ms\do_ms
If you get errors about things not having numbers assigned then check the
troubleshooting section: you probably won't be able to compile it as it
stands.
Then from the VC++ environment at a prompt do:
> nmake -f ms\ntdll.mak
If all is well it should compile and you will have some DLLs and
executables in out32dll. If you want to try the tests then do:
> nmake -f ms\ntdll.mak test
To install OpenSSL to the specified location do:
> nmake -f ms\ntdll.mak install
Tweaks:
There are various changes you can make to the Win32 compile
environment. By default the library is not compiled with debugging
symbols. If you use the platform debug-VC-WIN32 instead of VC-WIN32
then debugging symbols will be compiled in.
By default in 1.0.0 OpenSSL will compile builtin ENGINES into the
separate shared librariesy. If you specify the "enable-static-engine"
option on the command line to Configure the shared library build
(ms\ntdll.mak) will compile the engines into libeay32.dll instead.
The default Win32 environment is to leave out any Windows NT specific
features.
If you want to enable the NT specific features of OpenSSL (currently
only the logging BIO) follow the instructions above but call the batch
file do_nt.bat instead of do_ms.bat.
You can also build a static version of the library using the Makefile
ms\nt.mak
Borland C++ builder 5
---------------------
* Configure for building with Borland Builder:
> perl Configure BC-32
* Create the appropriate makefile
> ms\do_nasm
* Build
> make -f ms\bcb.mak
Borland C++ builder 3 and 4
---------------------------
* Setup PATH. First must be GNU make then bcb4/bin
* Run ms\bcb4.bat
* Run make:
> make -f bcb.mak
GNU C (Cygwin)
--------------
Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of
Win32 subsystem and provides a bash shell and GNU tools environment.
Consequently, a make of OpenSSL with Cygwin is virtually identical to
Unix procedure. It is also possible to create Win32 binaries that only
use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
MinGW. MinGW can be used in the Cygwin development environment or in a
standalone setup as described in the following section.
To build OpenSSL using Cygwin:
* Install Cygwin (see http://cygwin.com/)
* Install Perl and ensure it is in the path. Both Cygwin perl
(5.6.1-2 or newer) and ActivePerl work.
* Run the Cygwin bash shell
* $ tar zxvf openssl-x.x.x.tar.gz
$ cd openssl-x.x.x
To build the Cygwin version of OpenSSL:
$ ./config
[...]
$ make
[...]
$ make test
$ make install
This will create a default install in /usr/local/ssl.
To build the MinGW version (native Windows) in Cygwin:
$ ./Configure mingw
[...]
$ make
[...]
$ make test
$ make install
Cygwin Notes:
"make test" and normal file operations may fail in directories
mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
stripping of carriage returns. To avoid this ensure that a binary
mount is used, e.g. mount -b c:\somewhere /home.
"bc" is not provided in older Cygwin distribution. This causes a
non-fatal error in "make test" but is otherwise harmless. If
desired and needed, GNU bc can be built with Cygwin without change.
GNU C (MinGW/MSYS)
-------------
* Compiler and shell environment installation:
MinGW and MSYS are available from http://www.mingw.org/, both are
required. Run the installers and do whatever magic they say it takes
to start MSYS bash shell with GNU tools on its PATH.
N.B. Since source tar-ball can contain symbolic links, it's essential
that you use accompanying MSYS tar to unpack the source. It will
either handle them in one way or another or fail to extract them,
which does the trick too. Latter means that you may safely ignore all
"cannot create symlink" messages, as they will be "re-created" at
configure stage by copying corresponding files. Alternative programs
were observed to create empty files instead, which results in build
failure.
* Compile OpenSSL:
$ ./config
[...]
$ make
[...]
$ make test
This will create the library and binaries in root source directory
and openssl.exe application in apps directory.
It is also possible to cross-compile it on Linux by configuring
with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'.
'make test' is naturally not applicable then.
libcrypto.a and libssl.a are the static libraries. To use the DLLs,
link with libeay32.a and libssl32.a instead.
See troubleshooting if you get error messages about functions not
having a number assigned.
Installation
------------
If you used the Cygwin procedure above, you have already installed and
can skip this section. For all other procedures, there's currently no real
installation procedure for Win32. There are, however, some suggestions:
- do nothing. The include files are found in the inc32/ subdirectory,
all binaries are found in out32dll/ or out32/ depending if you built
dynamic or static libraries.
- do as is written in INSTALL.Win32 that comes with modssl:
$ md c:\openssl
$ md c:\openssl\bin
$ md c:\openssl\lib
$ md c:\openssl\include
$ md c:\openssl\include\openssl
$ copy /b inc32\openssl\* c:\openssl\include\openssl
$ copy /b out32dll\ssleay32.lib c:\openssl\lib
$ copy /b out32dll\libeay32.lib c:\openssl\lib
$ copy /b out32dll\ssleay32.dll c:\openssl\bin
$ copy /b out32dll\libeay32.dll c:\openssl\bin
$ copy /b out32dll\openssl.exe c:\openssl\bin
Of course, you can choose another device than c:. C: is used here
because that's usually the first (and often only) harddisk device.
Note: in the modssl INSTALL.Win32, p: is used rather than c:.
Troubleshooting
---------------
Since the Win32 build is only occasionally tested it may not always compile
cleanly. If you get an error about functions not having numbers assigned
when you run ms\do_ms then this means the Win32 ordinal files are not up to
date. You can do:
> perl util\mkdef.pl crypto ssl update
then ms\do_XXX should not give a warning any more. However the numbers that
get assigned by this technique may not match those that eventually get
assigned in the Git tree: so anything linked against this version of the
library may need to be recompiled.
If you get errors about unresolved symbols there are several possible
causes.
If this happens when the DLL is being linked and you have disabled some
ciphers then it is possible the DEF file generator hasn't removed all
the disabled symbols: the easiest solution is to edit the DEF files manually
to delete them. The DEF files are ms\libeay32.def ms\ssleay32.def.
Another cause is if you missed or ignored the errors about missing numbers
mentioned above.
If you get warnings in the code then the compilation will halt.
The default Makefile for Win32 halts whenever any warnings occur. Since VC++
has its own ideas about warnings which don't always match up to other
environments this can happen. The best fix is to edit the file with the
warning in and fix it. Alternatively you can turn off the halt on warnings by
editing the CFLAG line in the Makefile and deleting the /WX option.
You might get compilation errors. Again you will have to fix these or report
them.
One final comment about compiling applications linked to the OpenSSL library.
If you don't use the multithreaded DLL runtime library (/MD option) your
program will almost certainly crash because malloc gets confused -- the
OpenSSL DLLs are statically linked to one version, the application must
not use a different one. You might be able to work around such problems
by adding CRYPTO_malloc_init() to your program before any calls to the
OpenSSL libraries: This tells the OpenSSL libraries to use the same
malloc(), free() and realloc() as the application. However there are many
standard library functions used by OpenSSL that call malloc() internally
(e.g. fopen()), and OpenSSL cannot change these; so in general you cannot
rely on CRYPTO_malloc_init() solving your problem, and you should
consistently use the multithreaded library.
Linking your application
------------------------
If you link with static OpenSSL libraries [those built with ms/nt.mak],
then you're expected to additionally link your application with
WS2_32.LIB, GDI32.LIB, ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those
developing non-interactive service applications might feel concerned about
linking with GDI32.LIB and USER32.LIB, as they are justly associated with
interactive desktop, which is not available to service processes. The toolkit
is designed to detect in which context it's currently executed, GUI, console
app or service, and act accordingly, namely whether or not to actually make
GUI calls. Additionally those who wish to /DELAYLOAD:GDI32.DLL and
/DELAYLOAD:USER32.DLL and actually keep them off service process should
consider implementing and exporting from .exe image in question own
_OPENSSL_isservice not relying on USER32.DLL. E.g., on Windows Vista and
later you could:
__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
{ DWORD sess;
if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
return sess==0;
return FALSE;
}
If you link with OpenSSL .DLLs, then you're expected to include into
your application code small "shim" snippet, which provides glue between
OpenSSL BIO layer and your compiler run-time. Look up OPENSSL_Applink
reference page for further details.

66
INSTALL.W64 Normal file
View File

@ -0,0 +1,66 @@
INSTALLATION ON THE WIN64 PLATFORM
----------------------------------
Caveat lector
-------------
As of moment of this writing Win64 support is classified "initial"
for the following reasons.
- No assembler modules are engaged upon initial 0.9.8 release.
- API might change within 0.9.8 life-span, *but* in a manner which
doesn't break backward binary compatibility. Or in other words,
application programs compiled with initial 0.9.8 headers will
be expected to work with future minor release .DLL without need
to re-compile, even if future minor release features modified API.
- Above mentioned API modifications have everything to do with
elimination of a number of limitations, which are normally
considered inherent to 32-bit platforms. Which in turn is why they
are treated as limitations on 64-bit platform such as Win64:-)
The current list comprises [but not necessarily limited to]:
- null-terminated strings may not be longer than 2G-1 bytes,
longer strings are treated as zero-length;
- dynamically and *internally* allocated chunks can't be larger
than 2G-1 bytes;
- inability to encrypt/decrypt chunks of data larger than 4GB
[it's possibly to *hash* chunks of arbitrary size through];
Neither of these is actually big deal and hardly encountered
in real-life applications.
Compiling procedure
-------------------
You will need Perl. You can run under Cygwin or you can download
ActiveState Perl from http://www.activestate.com/ActivePerl.
You will need Microsoft Platform SDK, available for download at
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per
April 2005 Platform SDK is equipped with Win64 compilers, as well
as assemblers, but it might change in the future.
To build for Win64/x64:
> perl Configure VC-WIN64A
> ms\do_win64a
> nmake -f ms\ntdll.mak
> cd out32dll
> ..\ms\test
To build for Win64/IA64:
> perl Configure VC-WIN64I
> ms\do_win64i
> nmake -f ms\ntdll.mak
> cd out32dll
> ..\ms\test
Naturally test-suite itself has to be executed on the target platform.
Installation
------------
TBD, for now see INSTALL.W32.

95
INSTALL.WCE Normal file
View File

@ -0,0 +1,95 @@
INSTALLATION FOR THE WINDOWS CE PLATFORM
----------------------------------------
Building OpenSSL for Windows CE requires the following external tools:
* Microsoft eMbedded Visual C++ 3.0 or later
* Appropriate SDK might be required
* Perl for Win32 [commonly recommended ActiveState Perl is available
from http://www.activestate.com/Products/ActivePerl/]
* wcecompat compatibility library available at
http://www.essemer.com.au/windowsce/
* Optionally ceutils for running automated tests (same location)
_or_
* PocketConsole driver and PortSDK available at
http://www.symbolictools.de/public/pocketconsole/
* CMD command interpreter (same location)
As Windows CE support in OpenSSL relies on 3rd party compatibility
library, it's appropriate to check corresponding URL for updates. For
example if you choose wcecompat, note that as for the moment of this
writing version 1.2 is available and actually required for WCE 4.2
and newer platforms. All wcecompat issues should be directed to
www.essemer.com.au.
Why compatibility library at all? The C Runtime Library implementation
for Windows CE that is included with Microsoft eMbedded Visual C++ is
incomplete and in some places incorrect. Compatibility library plugs
the holes and tries to bring the Windows CE CRT to [more] usable level.
Most gaping hole in CRT is support for stdin/stdout/stderr IO, which
proposed compatibility libraries solve in two different ways: wcecompat
redirects IO to active sync link, while PortSDK - to NT-like console
driver on the handheld itself.
Building
--------
Setup the eMbedded Visual C++ environment. There are batch files for doing
this installed with eVC++. For an ARM processor, for example, execute:
> "C:\Program Files\Microsoft eMbedded Tools\EVC\WCE300\BIN\WCEARM.BAT"
Next pick compatibility library according to your preferences.
1. To choose wcecompat set up WCECOMPAT environment variable pointing
at the location of wcecompat tree "root":
> set WCECOMPAT=C:\wcecompat
> set PORTSDK_LIBPATH=
2. To choose PortSDK set up PORTSDK_LIBPATH to point at hardware-
specific location where your portlib.lib is installed:
> set PORTSDK_LIBPATH=C:\PortSDK\lib\ARM
> set WCECOMPAT=
Note that you may not set both variables.
Next you should run Configure:
> perl Configure VC-CE
Next you need to build the Makefiles:
> ms\do_ms
If you get errors about things not having numbers assigned then check the
troubleshooting section in INSTALL.W32: you probably won't be able to compile
it as it stands.
Then from the VC++ environment at a prompt do:
> nmake -f ms\cedll.mak
[note that static builds are not supported under CE]
If all is well it should compile and you will have some DLLs and executables
in out32dll*.
<<< everyting below needs revision in respect to wcecompat vs. PortSDK >>>
If you want
to try the tests then make sure the ceutils are in the path and do:
> cd out32
> ..\ms\testce
This will copy each of the test programs to the Windows CE device and execute
them, displaying the output of the tests on this computer. The output should
look similar to the output produced by running the tests for a regular Windows
build.

127
LICENSE Normal file
View File

@ -0,0 +1,127 @@
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a double license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.
OpenSSL License
---------------
/* ====================================================================
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

62
MacOS/GUSI_Init.cpp Normal file
View File

@ -0,0 +1,62 @@
/**************** BEGIN GUSI CONFIGURATION ****************************
*
* GUSI Configuration section generated by GUSI Configurator
* last modified: Wed Jan 5 20:33:51 2000
*
* This section will be overwritten by the next run of Configurator.
*/
#define GUSI_SOURCE
#include <GUSIConfig.h>
#include <sys/cdefs.h>
/* Declarations of Socket Factories */
__BEGIN_DECLS
void GUSIwithInetSockets();
void GUSIwithLocalSockets();
void GUSIwithMTInetSockets();
void GUSIwithMTTcpSockets();
void GUSIwithMTUdpSockets();
void GUSIwithOTInetSockets();
void GUSIwithOTTcpSockets();
void GUSIwithOTUdpSockets();
void GUSIwithPPCSockets();
void GUSISetupFactories();
__END_DECLS
/* Configure Socket Factories */
void GUSISetupFactories()
{
#ifdef GUSISetupFactories_BeginHook
GUSISetupFactories_BeginHook
#endif
GUSIwithInetSockets();
#ifdef GUSISetupFactories_EndHook
GUSISetupFactories_EndHook
#endif
}
/* Declarations of File Devices */
__BEGIN_DECLS
void GUSIwithDConSockets();
void GUSIwithNullSockets();
void GUSISetupDevices();
__END_DECLS
/* Configure File Devices */
void GUSISetupDevices()
{
#ifdef GUSISetupDevices_BeginHook
GUSISetupDevices_BeginHook
#endif
GUSIwithNullSockets();
#ifdef GUSISetupDevices_EndHook
GUSISetupDevices_EndHook
#endif
}
/**************** END GUSI CONFIGURATION *************************/

2753
MacOS/GetHTTPS.src/CPStringUtils.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

104
MacOS/GetHTTPS.src/CPStringUtils.hpp Normal file
View File

@ -0,0 +1,104 @@
#pragma once
#ifdef __cplusplus
extern "C" {
#endif
void CopyPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
void CopyPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
void CopyCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxDstStrLength);
void CopyCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
void ConcatPStrToCStr(const unsigned char *thePStr,char *theCStr,const int maxCStrLength);
void ConcatPStrToPStr(const unsigned char *theSrcPStr,unsigned char *theDstPStr,const int maxDstStrLength);
void ConcatCStrToPStr(const char *theSrcCStr,unsigned char *theDstPStr,const int maxDstStrLength);
void ConcatCStrToCStr(const char *theSrcCStr,char *theDstCStr,const int maxCStrLength);
void ConcatCharToCStr(const char theChar,char *theDstCStr,const int maxCStrLength);
void ConcatCharToPStr(const char theChar,unsigned char *theDstPStr,const int maxPStrLength);
int ComparePStrs(const unsigned char *theFirstPStr,const unsigned char *theSecondPStr,const Boolean ignoreCase = true);
int CompareCStrs(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
int CompareCStrToPStr(const char *theCStr,const unsigned char *thePStr,const Boolean ignoreCase = true);
Boolean CStrsAreEqual(const char *theFirstCStr,const char *theSecondCStr,const Boolean ignoreCase = true);
Boolean PStrsAreEqual(const unsigned char *theFirstCStr,const unsigned char *theSecondCStr,const Boolean ignoreCase = true);
void CopyLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
void CopyUnsignedLongIntToCStr(const unsigned long theNum,char *theCStr,const int maxCStrLength);
void ConcatLongIntToCStr(const long theNum,char *theCStr,const int maxCStrLength,const int numDigits = -1);
void CopyCStrAndConcatLongIntToCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
void CopyLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
void ConcatLongIntToPStr(const long theNum,unsigned char *thePStr,const int maxPStrLength,const int numDigits = -1);
long CStrLength(const char *theCString);
long PStrLength(const unsigned char *thePString);
OSErr CopyCStrToExistingHandle(const char *theCString,Handle theHandle);
OSErr CopyLongIntToExistingHandle(const long inTheLongInt,Handle theHandle);
OSErr CopyCStrToNewHandle(const char *theCString,Handle *theHandle);
OSErr CopyPStrToNewHandle(const unsigned char *thePString,Handle *theHandle);
OSErr CopyLongIntToNewHandle(const long inTheLongInt,Handle *theHandle);
OSErr AppendCStrToHandle(const char *theCString,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
OSErr AppendCharsToHandle(const char *theChars,const int numChars,Handle theHandle,long *currentLength = nil,long *maxLength = nil);
OSErr AppendPStrToHandle(const unsigned char *thePString,Handle theHandle,long *currentLength = nil);
OSErr AppendLongIntToHandle(const long inTheLongInt,Handle theHandle,long *currentLength = nil);
void ZeroMem(void *theMemPtr,const unsigned long numBytes);
char *FindCharInCStr(const char theChar,const char *theCString);
long FindCharOffsetInCStr(const char theChar,const char *theCString,const Boolean inIgnoreCase = false);
long FindCStrOffsetInCStr(const char *theCSubstring,const char *theCString,const Boolean inIgnoreCase = false);
void CopyCSubstrToCStr(const char *theSrcCStr,const int maxCharsToCopy,char *theDstCStr,const int maxDstStrLength);
void CopyCSubstrToPStr(const char *theSrcCStr,const int maxCharsToCopy,unsigned char *theDstPStr,const int maxDstStrLength);
void InsertCStrIntoCStr(const char *theSrcCStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
void InsertPStrIntoCStr(const unsigned char *theSrcPStr,const int theInsertionOffset,char *theDstCStr,const int maxDstStrLength);
OSErr InsertCStrIntoHandle(const char *theCString,Handle theHandle,const long inInsertOffset);
void CopyCStrAndInsertCStrIntoCStr(const char *theSrcCStr,const char *theInsertCStr,char *theDstCStr,const int maxDstStrLength);
void CopyCStrAndInsertCStrsLongIntsIntoCStr(const char *theSrcCStr,const char **theInsertCStrs,const long *theLongInts,char *theDstCStr,const int maxDstStrLength);
void CopyCStrAndInsert1LongIntIntoCStr(const char *theSrcCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
void CopyCStrAndInsert2LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,char *theDstCStr,const int maxDstStrLength);
void CopyCStrAndInsert3LongIntsIntoCStr(const char *theSrcCStr,const long long1,const long long2,const long long3,char *theDstCStr,const int maxDstStrLength);
void CopyCStrAndInsertCStrLongIntIntoCStr(const char *theSrcCStr,const char *theInsertCStr,const long theNum,char *theDstCStr,const int maxDstStrLength);
OSErr CopyCStrAndInsertCStrLongIntIntoHandle(const char *theSrcCStr,const char *theInsertCStr,const long theNum,Handle *theHandle);
OSErr CopyIndexedWordToCStr(char *theSrcCStr,int whichWord,char *theDstCStr,int maxDstCStrLength);
OSErr CopyIndexedWordToNewHandle(char *theSrcCStr,int whichWord,Handle *outTheHandle);
OSErr CopyIndexedLineToCStr(const char *theSrcCStr,int inWhichLine,int *lineEndIndex,Boolean *gotLastLine,char *theDstCStr,const int maxDstCStrLength);
OSErr CopyIndexedLineToNewHandle(const char *theSrcCStr,int inWhichLine,Handle *outNewHandle);
OSErr ExtractIntFromCStr(const char *theSrcCStr,int *outInt,Boolean skipLeadingSpaces = true);
OSErr ExtractIntFromPStr(const unsigned char *theSrcPStr,int *outInt,Boolean skipLeadingSpaces = true);
void ConvertCStrToUpperCase(char *theSrcCStr);
int CountOccurencesOfCharInCStr(const char inChar,const char *inSrcCStr);
int CountWordsInCStr(const char *inSrcCStr);
OSErr CountDigits(const char *inCStr,int *outNumIntegerDigits,int *outNumFractDigits);
void ExtractCStrItemFromCStr(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,char *outDstCharPtr,const int inDstCharPtrMaxLength,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
OSErr ExtractCStrItemFromCStrIntoNewHandle(const char *inSrcCStr,const char inItemDelimiter,const int inItemNumber,Boolean *foundItem,Handle *outNewHandle,const Boolean inTreatMultipleDelimsAsSingleDelim = false);
OSErr ExtractFloatFromCStr(const char *inCString,extended80 *outFloat);
OSErr CopyFloatToCStr(const extended80 *theFloat,char *theCStr,const int maxCStrLength,const int inMaxNumIntDigits = -1,const int inMaxNumFractDigits = -1);
void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL = false);
#ifdef __cplusplus
}
#endif

170
MacOS/GetHTTPS.src/ErrorHandling.cpp Normal file
View File

@ -0,0 +1,170 @@
/* ====================================================================
* Copyright (c) 1998-1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include "ErrorHandling.hpp"
#include "CPStringUtils.hpp"
#ifdef __EXCEPTIONS_ENABLED__
#include "CMyException.hpp"
#endif
static char gErrorMessageBuffer[512];
char *gErrorMessage = gErrorMessageBuffer;
int gErrorMessageMaxLength = sizeof(gErrorMessageBuffer);
void SetErrorMessage(const char *theErrorMessage)
{
if (theErrorMessage != nil)
{
CopyCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
}
}
void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt)
{
if (theErrorMessage != nil)
{
CopyCStrAndConcatLongIntToCStr(theErrorMessage,theLongInt,gErrorMessage,gErrorMessageMaxLength);
}
}
void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt)
{
if (theErrorMessage != nil)
{
CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,theLongInt,gErrorMessage,gErrorMessageMaxLength);
}
}
void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr)
{
if (theErrorMessage != nil)
{
CopyCStrAndInsertCStrLongIntIntoCStr(theErrorMessage,theCStr,-1,gErrorMessage,gErrorMessageMaxLength);
}
}
void AppendCStrToErrorMessage(const char *theErrorMessage)
{
if (theErrorMessage != nil)
{
ConcatCStrToCStr(theErrorMessage,gErrorMessage,gErrorMessageMaxLength);
}
}
void AppendLongIntToErrorMessage(const long theLongInt)
{
ConcatLongIntToCStr(theLongInt,gErrorMessage,gErrorMessageMaxLength);
}
char *GetErrorMessage(void)
{
return gErrorMessage;
}
OSErr GetErrorMessageInNewHandle(Handle *inoutHandle)
{
OSErr errCode;
errCode = CopyCStrToNewHandle(gErrorMessage,inoutHandle);
return(errCode);
}
OSErr GetErrorMessageInExistingHandle(Handle inoutHandle)
{
OSErr errCode;
errCode = CopyCStrToExistingHandle(gErrorMessage,inoutHandle);
return(errCode);
}
OSErr AppendErrorMessageToHandle(Handle inoutHandle)
{
OSErr errCode;
errCode = AppendCStrToHandle(gErrorMessage,inoutHandle,nil);
return(errCode);
}
#ifdef __EXCEPTIONS_ENABLED__
void ThrowErrorMessageException(void)
{
ThrowDescriptiveException(gErrorMessage);
}
#endif

147
MacOS/GetHTTPS.src/ErrorHandling.hpp Normal file
View File

@ -0,0 +1,147 @@
#ifdef __cplusplus
extern "C" {
#endif
#ifndef kGenericError
#define kGenericError -1
#endif
extern char *gErrorMessage;
void SetErrorMessage(const char *theErrorMessage);
void SetErrorMessageAndAppendLongInt(const char *theErrorMessage,const long theLongInt);
void SetErrorMessageAndCStrAndLongInt(const char *theErrorMessage,const char * theCStr,const long theLongInt);
void SetErrorMessageAndCStr(const char *theErrorMessage,const char * theCStr);
void AppendCStrToErrorMessage(const char *theErrorMessage);
void AppendLongIntToErrorMessage(const long theLongInt);
char *GetErrorMessage(void);
OSErr GetErrorMessageInNewHandle(Handle *inoutHandle);
OSErr GetErrorMessageInExistingHandle(Handle inoutHandle);
OSErr AppendErrorMessageToHandle(Handle inoutHandle);
#ifdef __EXCEPTIONS_ENABLED__
void ThrowErrorMessageException(void);
#endif
// A bunch of evil macros that would be unnecessary if I were always using C++ !
#define SetErrorMessageAndBailIfNil(theArg,theMessage) \
{ \
if (theArg == nil) \
{ \
SetErrorMessage(theMessage); \
errCode = kGenericError; \
goto EXITPOINT; \
} \
}
#define SetErrorMessageAndBail(theMessage) \
{ \
SetErrorMessage(theMessage); \
errCode = kGenericError; \
goto EXITPOINT; \
}
#define SetErrorMessageAndLongIntAndBail(theMessage,theLongInt) \
{ \
SetErrorMessageAndAppendLongInt(theMessage,theLongInt); \
errCode = kGenericError; \
goto EXITPOINT; \
}
#define SetErrorMessageAndLongIntAndBailIfError(theErrCode,theMessage,theLongInt) \
{ \
if (theErrCode != noErr) \
{ \
SetErrorMessageAndAppendLongInt(theMessage,theLongInt); \
errCode = theErrCode; \
goto EXITPOINT; \
} \
}
#define SetErrorMessageCStrLongIntAndBailIfError(theErrCode,theMessage,theCStr,theLongInt) \
{ \
if (theErrCode != noErr) \
{ \
SetErrorMessageAndCStrAndLongInt(theMessage,theCStr,theLongInt); \
errCode = theErrCode; \
goto EXITPOINT; \
} \
}
#define SetErrorMessageAndCStrAndBail(theMessage,theCStr) \
{ \
SetErrorMessageAndCStr(theMessage,theCStr); \
errCode = kGenericError; \
goto EXITPOINT; \
}
#define SetErrorMessageAndBailIfError(theErrCode,theMessage) \
{ \
if (theErrCode != noErr) \
{ \
SetErrorMessage(theMessage); \
errCode = theErrCode; \
goto EXITPOINT; \
} \
}
#define SetErrorMessageAndLongIntAndBailIfNil(theArg,theMessage,theLongInt) \
{ \
if (theArg == nil) \
{ \
SetErrorMessageAndAppendLongInt(theMessage,theLongInt); \
errCode = kGenericError; \
goto EXITPOINT; \
} \
}
#define BailIfError(theErrCode) \
{ \
if ((theErrCode) != noErr) \
{ \
goto EXITPOINT; \
} \
}
#define SetErrCodeAndBail(theErrCode) \
{ \
errCode = theErrCode; \
\
goto EXITPOINT; \
}
#define SetErrorCodeAndMessageAndBail(theErrCode,theMessage) \
{ \
SetErrorMessage(theMessage); \
errCode = theErrCode; \
goto EXITPOINT; \
}
#define BailNow() \
{ \
errCode = kGenericError; \
goto EXITPOINT; \
}
#ifdef __cplusplus
}
#endif

209
MacOS/GetHTTPS.src/GetHTTPS.cpp Normal file
View File

@ -0,0 +1,209 @@
/*
* An demo illustrating how to retrieve a URI from a secure HTTP server.
*
* Author: Roy Wood
* Date: September 7, 1999
* Comments: This relies heavily on my MacSockets library.
* This project is also set up so that it expects the OpenSSL source folder (0.9.4 as I write this)
* to live in a folder called "OpenSSL-0.9.4" in this project's parent folder. For example:
*
* Macintosh HD:
* Development:
* OpenSSL-0.9.4:
* (OpenSSL sources here)
* OpenSSL Example:
* (OpenSSL example junk here)
*
*
* Also-- before attempting to compile this, make sure the aliases in "OpenSSL-0.9.4:include:openssl"
* are installed! Use the AppleScript applet in the "openssl-0.9.4" folder to do this!
*/
/* modified to seed the PRNG */
/* modified to use CRandomizer for seeding */
// Include some funky libs I've developed over time
#include "CPStringUtils.hpp"
#include "ErrorHandling.hpp"
#include "MacSocket.h"
#include "Randomizer.h"
// We use the OpenSSL implementation of SSL....
// This was a lot of work to finally get going, though you wouldn't know it by the results!
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <timer.h>
// Let's try grabbing some data from here:
#define kHTTPS_DNS "www.apache-ssl.org"
#define kHTTPS_Port 443
#define kHTTPS_URI "/"
// Forward-declare this
OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr);
// My idle-wait callback. Doesn't do much, does it? Silly cooperative multitasking.
OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
{
#pragma unused(inUserRefPtr)
EventRecord theEvent;
::EventAvail(everyEvent,&theEvent);
CRandomizer *randomizer = (CRandomizer*)inUserRefPtr;
if (randomizer)
randomizer->PeriodicAction();
return(noErr);
}
// Finally!
void main(void)
{
OSErr errCode;
int theSocket = -1;
int theTimeout = 30;
SSL_CTX *ssl_ctx = nil;
SSL *ssl = nil;
char tempString[256];
UnsignedWide microTickCount;
CRandomizer randomizer;
printf("OpenSSL Demo by Roy Wood, roy@centricsystems.ca\n\n");
BailIfError(errCode = MacSocket_Startup());
// Create a socket-like object
BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,&randomizer));
// Set up the connect string and try to connect
CopyCStrAndInsertCStrLongIntIntoCStr("%s:%ld",kHTTPS_DNS,kHTTPS_Port,tempString,sizeof(tempString));
printf("Connecting to %s....\n",tempString);
BailIfError(errCode = MacSocket_connect(theSocket,tempString));
// Init SSL stuff
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
// Pick the SSL method
// ssl_ctx = SSL_CTX_new(SSLv2_client_method());
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
// ssl_ctx = SSL_CTX_new(SSLv3_client_method());
// Create an SSL thingey and try to negotiate the connection
ssl = SSL_new(ssl_ctx);
SSL_set_fd(ssl,theSocket);
errCode = SSL_connect(ssl);
if (errCode < 0)
{
SetErrorMessageAndLongIntAndBail("OpenSSL: Can't initiate SSL connection, SSL_connect() = ",errCode);
}
// Request the URI from the host
CopyCStrToCStr("GET ",tempString,sizeof(tempString));
ConcatCStrToCStr(kHTTPS_URI,tempString,sizeof(tempString));
ConcatCStrToCStr(" HTTP/1.0\r\n\r\n",tempString,sizeof(tempString));
errCode = SSL_write(ssl,tempString,CStrLength(tempString));
if (errCode < 0)
{
SetErrorMessageAndLongIntAndBail("OpenSSL: Error writing data via ssl, SSL_write() = ",errCode);
}
for (;;)
{
char tempString[256];
int bytesRead;
// Read some bytes and dump them to the console
bytesRead = SSL_read(ssl,tempString,sizeof(tempString) - 1);
if (bytesRead == 0 && MacSocket_RemoteEndIsClosing(theSocket))
{
break;
}
else if (bytesRead < 0)
{
SetErrorMessageAndLongIntAndBail("OpenSSL: Error reading data via ssl, SSL_read() = ",bytesRead);
}
tempString[bytesRead] = '\0';
printf("%s", tempString);
}
printf("\n\n\n");
// All done!
errCode = noErr;
EXITPOINT:
// Clean up and go home
if (theSocket >= 0)
{
MacSocket_close(theSocket);
}
if (ssl != nil)
{
SSL_free(ssl);
}
if (ssl_ctx != nil)
{
SSL_CTX_free(ssl_ctx);
}
if (errCode != noErr)
{
printf("An error occurred:\n");
printf("%s",GetErrorMessage());
}
MacSocket_Shutdown();
}

1607
MacOS/GetHTTPS.src/MacSocket.cpp Normal file
View File

File diff suppressed because it is too large Load Diff

104
MacOS/GetHTTPS.src/MacSocket.h Normal file
View File

@ -0,0 +1,104 @@
#pragma once
#ifdef __cplusplus
extern "C" {
#endif
enum {
kMacSocket_TimeoutErr = -2
};
// Since MacSocket does busy waiting, I do a callback while waiting
typedef OSErr(*MacSocket_IdleWaitCallback) (void *);
// Call this before anything else!
OSErr MacSocket_Startup(void);
// Call this to cleanup before quitting
OSErr MacSocket_Shutdown(void);
// Call this to allocate a "socket" (reference number is returned in
// outSocketNum)
// Note that inDoThreadSwitching is pretty much irrelevant right now, since I
// ignore it
// The inTimeoutTicks parameter is applied during reads/writes of data
// The inIdleWaitCallback parameter specifies a callback which is called
// during busy-waiting periods
// The inUserRefPtr parameter is passed back to the idle-wait callback
OSErr MacSocket_socket(int *outSocketNum, const Boolean inDoThreadSwitching,
const long inTimeoutTicks,
MacSocket_IdleWaitCallback inIdleWaitCallback,
void *inUserRefPtr);
// Call this to connect to an IP/DNS address
// Note that inTargetAddressAndPort is in "IP:port" format-- e.g.
// 10.1.1.1:123
OSErr MacSocket_connect(const int inSocketNum, char *inTargetAddressAndPort);
// Call this to listen on a port
// Since this a low-performance implementation, I allow a maximum of 1 (one!)
// incoming request when I listen
OSErr MacSocket_listen(const int inSocketNum, const int inPortNum);
// Call this to close a socket
OSErr MacSocket_close(const int inSocketNum);
// Call this to receive data on a socket
// Most parameters' purpose are obvious-- except maybe "inBlock" which
// controls whether I wait for data or return immediately
int MacSocket_recv(const int inSocketNum, void *outBuff, int outBuffLength,
const Boolean inBlock);
// Call this to send data on a socket
int MacSocket_send(const int inSocketNum, const void *inBuff,
int inBuffLength);
// If zero bytes were read in a call to MacSocket_recv(), it may be that the
// remote end has done a half-close
// This function will let you check whether that's true or not
Boolean MacSocket_RemoteEndIsClosing(const int inSocketNum);
// Call this to see if the listen has completed after a call to
// MacSocket_listen()
Boolean MacSocket_ListenCompleted(const int inSocketNum);
// These really aren't very useful anymore
Boolean MacSocket_LocalEndIsOpen(const int inSocketNum);
Boolean MacSocket_RemoteEndIsOpen(const int inSocketNum);
// You may wish to change the userRefPtr for a socket callback-- use this to
// do it
void MacSocket_SetUserRefPtr(const int inSocketNum, void *inNewRefPtr);
// Call these to get the socket's IP:port descriptor
void MacSocket_GetLocalIPAndPort(const int inSocketNum, char *outIPAndPort,
const int inIPAndPortLength);
void MacSocket_GetRemoteIPAndPort(const int inSocketNum, char *outIPAndPort,
const int inIPAndPortLength);
// Call this to get error info from a socket
void MacSocket_GetSocketErrorInfo(const int inSocketNum,
int *outSocketErrCode,
char *outSocketErrString,
const int inSocketErrStringMaxLength);
#ifdef __cplusplus
}
#endif

4940
MacOS/OpenSSL.mcp.hqx Normal file
View File

File diff suppressed because it is too large Load Diff

476
MacOS/Randomizer.cpp Normal file
View File

@ -0,0 +1,476 @@
/*
------- Strong random data generation on a Macintosh (pre - OS X) ------
-- GENERAL: We aim to generate unpredictable bits without explicit
user interaction. A general review of the problem may be found
in RFC 1750, "Randomness Recommendations for Security", and some
more discussion, of general and Mac-specific issues has appeared
in "Using and Creating Cryptographic- Quality Random Numbers" by
Jon Callas (www.merrymeet.com/jon/usingrandom.html).
The data and entropy estimates provided below are based on my
limited experimentation and estimates, rather than by any
rigorous study, and the entropy estimates tend to be optimistic.
They should not be considered absolute.
Some of the information being collected may be correlated in
subtle ways. That includes mouse positions, timings, and disk
size measurements. Some obvious correlations will be eliminated
by the programmer, but other, weaker ones may remain. The
reliability of the code depends on such correlations being
poorly understood, both by us and by potential interceptors.
This package has been planned to be used with OpenSSL, v. 0.9.5.
It requires the OpenSSL function RAND_add.
-- OTHER WORK: Some source code and other details have been
published elsewhere, but I haven't found any to be satisfactory
for the Mac per se:
* The Linux random number generator (by Theodore Ts'o, in
drivers/char/random.c), is a carefully designed open-source
crypto random number package. It collects data from a variety
of sources, including mouse, keyboard and other interrupts.
One nice feature is that it explicitly estimates the entropy
of the data it collects. Some of its features (e.g. interrupt
timing) cannot be reliably exported to the Mac without using
undocumented APIs.
* Truerand by Don P. Mitchell and Matt Blaze uses variations
between different timing mechanisms on the same system. This
has not been tested on the Mac, but requires preemptive
multitasking, and is hardware-dependent, and can't be relied
on to work well if only one oscillator is present.
* Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann),
gathers a lot of information about the machine and system
environment. Unfortunately, much of it is constant from one
startup to the next. In other words, the random seed could be
the same from one day to the next. Some of the APIs are
hardware-dependent, and not all are compatible with Carbon (OS
X). Incidentally, the EGD library is based on the UNIX entropy
gathering methods in cryptlib, and isn't suitable for MacOS
either.
* Mozilla (and perhaps earlier versions of Netscape) uses the
time of day (in seconds) and an uninitialized local variable
to seed the random number generator. The time of day is known
to an outside interceptor (to within the accuracy of the
system clock). The uninitialized variable could easily be
identical between subsequent launches of an application, if it
is reached through the same path.
* OpenSSL provides the function RAND_screen(), by G. van
Oosten, which hashes the contents of the screen to generate a
seed. This is not useful for an extension or for an
application which launches at startup time, since the screen
is likely to look identical from one launch to the next. This
method is also rather slow.
* Using variations in disk drive seek times has been proposed
(Davis, Ihaka and Fenstermacher, world.std.com/~dtd/;
Jakobsson, Shriver, Hillyer and Juels,
www.bell-labs.com/user/shriver/random.html). These variations
appear to be due to air turbulence inside the disk drive
mechanism, and are very strongly unpredictable. Unfortunately
this technique is slow, and some implementations of it may be
patented (see Shriver's page above.) It of course cannot be
used with a RAM disk.
-- TIMING: On the 601 PowerPC the time base register is guaranteed
to change at least once every 10 addi instructions, i.e. 10
cycles. On a 60 MHz machine (slowest PowerPC) this translates to
a resolution of 1/6 usec. Newer machines seem to be using a 10
cycle resolution as well.
For 68K Macs, the Microseconds() call may be used. See Develop
issue 29 on the Apple developer site
(developer.apple.com/dev/techsupport/develop/issue29/minow.html)
for information on its accuracy and resolution. The code below
has been tested only on PowerPC based machines.
The time from machine startup to the launch of an application in
the startup folder has a variance of about 1.6 msec on a new G4
machine with a defragmented and optimized disk, most extensions
off and no icons on the desktop. This can be reasonably taken as
a lower bound on the variance. Most of this variation is likely
due to disk seek time variability. The distribution of startup
times is probably not entirely even or uncorrelated. This needs
to be investigated, but I am guessing that it not a majpor
problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz
machine, ~16 bits for a 450 MHz machine.
User-launched application startup times will have a variance of
a second or more relative to machine startup time. Entropy >~22
bits.
Machine startup time is available with a 1-second resolution. It
is predictable to no better a minute or two, in the case of
people who show up punctually to work at the same time and
immediately start their computer. Using the scheduled startup
feature (when available) will cause the machine to start up at
the same time every day, making the value predictable. Entropy
>~7 bits, or 0 bits with scheduled startup.
The time of day is of course known to an outsider and thus has 0
entropy if the system clock is regularly calibrated.
-- KEY TIMING: A very fast typist (120 wpm) will have a typical
inter-key timing interval of 100 msec. We can assume a variance
of no less than 2 msec -- maybe. Do good typists have a constant
rhythm, like drummers? Since what we measure is not the
key-generated interrupt but the time at which the key event was
taken off the event queue, our resolution is roughly the time
between process switches, at best 1 tick (17 msec). I therefore
consider this technique questionable and not very useful for
obtaining high entropy data on the Mac.
-- MOUSE POSITION AND TIMING: The high bits of the mouse position
are far from arbitrary, since the mouse tends to stay in a few
limited areas of the screen. I am guessing that the position of
the mouse is arbitrary within a 6 pixel square. Since the mouse
stays still for long periods of time, it should be sampled only
after it was moved, to avoid correlated data. This gives an
entropy of log2(6*6) ~= 5 bits per measurement.
The time during which the mouse stays still can vary from zero
to, say, 5 seconds (occasionally longer). If the still time is
measured by sampling the mouse during null events, and null
events are received once per tick, its resolution is 1/60th of a
second, giving an entropy of log2 (60*5) ~= 8 bits per
measurement. Since the distribution of still times is uneven,
this estimate is on the high side.
For simplicity and compatibility across system versions, the
mouse is to be sampled explicitly (e.g. in the event loop),
rather than in a time manager task.
-- STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k
from one startup to the next, with 'minimal' computer use. Won't
vary at all if machine is started again immediately after
startup (unless virtual memory is on), but any application which
uses the web and caches information to disk is likely to cause
this much variation or more. The variation is probably not
random, but I don't know in what way. File sizes tend to be
divisible by 4 bytes since file format fields are often
long-aligned. Entropy > log2 (20000/4) ~= 12 bits.
-- STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume
gets fragmented this could be anywhere in principle. In a
perfectly unfragmented volume this will be strongly correlated
with the total file size on the disk. With more fragmentation
comes less certainty. I took the variation in this value to be
1/8 of the total file size on the volume.
-- SYSTEM REQUIREMENTS: The code here requires System 7.0 and above
(for Gestalt and Microseconds calls). All the calls used are
Carbon-compatible.
*/
/*------------------------------ Includes ----------------------------*/
#include "Randomizer.h"
// Mac OS API
#include <Files.h>
#include <Folders.h>
#include <Events.h>
#include <Processes.h>
#include <Gestalt.h>
#include <Resources.h>
#include <LowMem.h>
// Standard C library
#include <stdlib.h>
#include <math.h>
/*---------------------- Function declarations -----------------------*/
// declared in OpenSSL/crypto/rand/rand.h
extern "C" void RAND_add (const void *buf, int num, double entropy);
unsigned long GetPPCTimer (bool is601); // Make it global if needed
// elsewhere
/*---------------------------- Constants -----------------------------*/
#define kMouseResolution 6 // Mouse position has to differ
// from the last one by this
// much to be entered
#define kMousePositionEntropy 5.16 // log2 (kMouseResolution**2)
#define kTypicalMouseIdleTicks 300.0 // I am guessing that a typical
// amount of time between mouse
// moves is 5 seconds
#define kVolumeBytesEntropy 12.0 // about log2 (20000/4),
// assuming a variation of 20K
// in total file size and
// long-aligned file formats.
#define kApplicationUpTimeEntropy 6.0 // Variance > 1 second, uptime
// in ticks
#define kSysStartupEntropy 7.0 // Entropy for machine startup
// time
/*------------------------ Function definitions ----------------------*/
CRandomizer::CRandomizer (void)
{
long result;
mSupportsLargeVolumes =
(Gestalt(gestaltFSAttr, &result) == noErr) &&
((result & (1L << gestaltFSSupports2TBVols)) != 0);
if (Gestalt (gestaltNativeCPUtype, &result) != noErr)
{
mIsPowerPC = false;
mIs601 = false;
}
else
{
mIs601 = (result == gestaltCPU601);
mIsPowerPC = (result >= gestaltCPU601);
}
mLastMouse.h = mLastMouse.v = -10; // First mouse will
// always be recorded
mLastPeriodicTicks = TickCount();
GetTimeBaseResolution ();
// Add initial entropy
AddTimeSinceMachineStartup ();
AddAbsoluteSystemStartupTime ();
AddStartupVolumeInfo ();
AddFiller ();
}
void CRandomizer::PeriodicAction (void)
{
AddCurrentMouse ();
AddNow (0.0); // Should have a better entropy estimate here
mLastPeriodicTicks = TickCount();
}
/*------------------------- Private Methods --------------------------*/
void CRandomizer::AddCurrentMouse (void)
{
Point mouseLoc;
unsigned long lastCheck; // Ticks since mouse was last
// sampled
#if TARGET_API_MAC_CARBON
GetGlobalMouse (&mouseLoc);
#else
mouseLoc = LMGetMouseLocation();
#endif
if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
AddBytes (&mouseLoc, sizeof(mouseLoc),
kMousePositionEntropy);
if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
mMouseStill ++;
else
{
double entropy;
// Mouse has moved. Add the number of measurements for
// which it's been still. If the resolution is too
// coarse, assume the entropy is 0.
lastCheck = TickCount() - mLastPeriodicTicks;
if (lastCheck <= 0)
lastCheck = 1;
entropy = log2l
(kTypicalMouseIdleTicks/(double)lastCheck);
if (entropy < 0.0)
entropy = 0.0;
AddBytes (&mMouseStill, sizeof(mMouseStill), entropy);
mMouseStill = 0;
}
mLastMouse = mouseLoc;
}
void CRandomizer::AddAbsoluteSystemStartupTime (void)
{
unsigned long now; // Time in seconds since
// 1/1/1904
GetDateTime (&now);
now -= TickCount() / 60; // Time in ticks since machine
// startup
AddBytes (&now, sizeof(now), kSysStartupEntropy);
}
void CRandomizer::AddTimeSinceMachineStartup (void)
{
AddNow (1.5); // Uncertainty in app startup
// time is > 1.5 msec (for
// automated app startup).
}
void CRandomizer::AddAppRunningTime (void)
{
ProcessSerialNumber PSN;
ProcessInfoRec ProcessInfo;
ProcessInfo.processInfoLength = sizeof(ProcessInfoRec);
ProcessInfo.processName = nil;
ProcessInfo.processAppSpec = nil;
GetCurrentProcess (&PSN);
GetProcessInformation (&PSN, &ProcessInfo);
// Now add the amount of time in ticks that the current process
// has been active
AddBytes (&ProcessInfo, sizeof(ProcessInfoRec),
kApplicationUpTimeEntropy);
}
void CRandomizer::AddStartupVolumeInfo (void)
{
short vRefNum;
long dirID;
XVolumeParam pb;
OSErr err;
if (!mSupportsLargeVolumes)
return;
FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder,
&vRefNum, &dirID);
pb.ioVRefNum = vRefNum;
pb.ioCompletion = 0;
pb.ioNamePtr = 0;
pb.ioVolIndex = 0;
err = PBXGetVolInfoSync (&pb);
if (err != noErr)
return;
// Base the entropy on the amount of space used on the disk and
// on the next available allocation block. A lot else might be
// unpredictable, so might as well toss the whole block in. See
// comments for entropy estimate justifications.
AddBytes (&pb, sizeof(pb),
kVolumeBytesEntropy +
log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
* 4294967296.0D +
(pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo))
/ pb.ioVAlBlkSiz - 3.0));
}
/*
On a typical startup CRandomizer will come up with about 60
bits of good, unpredictable data. Assuming no more input will
be available, we'll need some more lower-quality data to give
OpenSSL the 128 bits of entropy it desires. AddFiller adds some
relatively predictable data into the soup.
*/
void CRandomizer::AddFiller (void)
{
struct
{
ProcessSerialNumber psn; // Front process serial
// number
RGBColor hiliteRGBValue; // User-selected
// highlight color
long processCount; // Number of active
// processes
long cpuSpeed; // Processor speed
long totalMemory; // Total logical memory
// (incl. virtual one)
long systemVersion; // OS version
short resFile; // Current resource file
} data;
GetNextProcess ((ProcessSerialNumber*) kNoProcess);
while (GetNextProcess (&data.psn) == noErr)
data.processCount++;
GetFrontProcess (&data.psn);
LMGetHiliteRGB (&data.hiliteRGBValue);
Gestalt (gestaltProcClkSpeed, &data.cpuSpeed);
Gestalt (gestaltLogicalRAMSize, &data.totalMemory);
Gestalt (gestaltSystemVersion, &data.systemVersion);
data.resFile = CurResFile ();
// Here we pretend to feed the PRNG completely random data. This
// is of course false, as much of the above data is predictable
// by an outsider. At this point we don't have any more
// randomness to add, but with OpenSSL we must have a 128 bit
// seed before we can start. We just add what we can, without a
// real entropy estimate, and hope for the best.
AddBytes (&data, sizeof(data), 8.0 * sizeof(data));
AddCurrentMouse ();
AddNow (1.0);
}
//------------------- LOW LEVEL ---------------------
void CRandomizer::AddBytes (void *data, long size, double entropy)
{
RAND_add (data, size, entropy * 0.125); // Convert entropy bits
// to bytes
}
void CRandomizer::AddNow (double millisecondUncertainty)
{
long time = SysTimer();
AddBytes (&time, sizeof(time), log2l (millisecondUncertainty *
mTimebaseTicksPerMillisec));
}
//----------------- TIMING SUPPORT ------------------
void CRandomizer::GetTimeBaseResolution (void)
{
#ifdef __powerc
long speed;
// gestaltProcClkSpeed available on System 7.5.2 and above
if (Gestalt (gestaltProcClkSpeed, &speed) != noErr)
// Only PowerPCs running pre-7.5.2 are 60-80 MHz
// machines.
mTimebaseTicksPerMillisec = 6000.0D;
// Assume 10 cycles per clock update, as in 601 spec. Seems true
// for later chips as well.
mTimebaseTicksPerMillisec = speed / 1.0e4D;
#else
// 68K VIA-based machines (see Develop Magazine no. 29)
mTimebaseTicksPerMillisec = 783.360D;
#endif
}
unsigned long CRandomizer::SysTimer (void) // returns the lower 32
// bit of the chip timer
{
#ifdef __powerc
return GetPPCTimer (mIs601);
#else
UnsignedWide usec;
Microseconds (&usec);
return usec.lo;
#endif
}
#ifdef __powerc
// The timebase is available through mfspr on 601, mftb on later chips.
// Motorola recommends that an 601 implementation map mftb to mfspr
// through an exception, but I haven't tested to see if MacOS actually
// does this. We only sample the lower 32 bits of the timer (i.e. a
// few minutes of resolution)
asm unsigned long GetPPCTimer (register bool is601)
{
cmplwi is601, 0 // Check if 601
bne _601 // if non-zero goto _601
mftb r3 // Available on 603 and later.
blr // return with result in r3
_601:
mfspr r3, spr5 // Available on 601 only.
// blr inserted automatically
}
#endif

42
MacOS/Randomizer.h Normal file
View File

@ -0,0 +1,42 @@
// Gathers unpredictable system data to be used for generating
// random bits
#include <MacTypes.h>
class CRandomizer {
public:
CRandomizer(void);
void PeriodicAction(void);
private:
// Private calls
void AddTimeSinceMachineStartup(void);
void AddAbsoluteSystemStartupTime(void);
void AddAppRunningTime(void);
void AddStartupVolumeInfo(void);
void AddFiller(void);
void AddCurrentMouse(void);
void AddNow(double millisecondUncertainty);
void AddBytes(void *data, long size, double entropy);
void GetTimeBaseResolution(void);
unsigned long SysTimer(void);
// System Info
bool mSupportsLargeVolumes;
bool mIsPowerPC;
bool mIs601;
// Time info
double mTimebaseTicksPerMillisec;
unsigned long mLastPeriodicTicks;
// Mouse info
long mSamplePeriod;
Point mLastMouse;
long mMouseStill;
};

18
MacOS/TODO Normal file
View File

@ -0,0 +1,18 @@
-------------------------------------------------------------------
Verify server certificate
-------------------------------------------------------------------
Currently omitted from the project:
crypto/tmdiff.c
crypto/bio/bss_conn.c
crypto/bio/b_sock.c
crypto/bio/bss_acpt.c
crypto/bio/bss_log.h
-------------------------------------------------------------------
Build libraries to link with...
-------------------------------------------------------------------
Port openssl application.
-------------------------------------------------------------------
BN optimizations (currently PPC version is compiled with BN_LLONG)
-------------------------------------------------------------------

9
MacOS/_MWERKS_GUSI_prefix.h Normal file
View File

@ -0,0 +1,9 @@
#include <MacHeaders.h>
#define B_ENDIAN
#ifdef __POWERPC__
# pragma longlong on
#endif
#if 1
# define MAC_OS_GUSI_SOURCE
#endif
#define MONOLITH

9
MacOS/_MWERKS_prefix.h Normal file
View File

@ -0,0 +1,9 @@
#include <MacHeaders.h>
#define B_ENDIAN
#ifdef __POWERPC__
# pragma longlong on
#endif
#if 0
# define MAC_OS_GUSI_SOURCE
#endif
#define MONOLITH

5
MacOS/buildinf.h Normal file
View File

@ -0,0 +1,5 @@
#ifndef MK1MF_BUILD
# define CFLAGS "-DB_ENDIAN"
# define PLATFORM "macos"
# define DATE "Sun Feb 27 19:44:16 MET 2000"
#endif

820
MacOS/mklinks.as.hqx Normal file
View File

@ -0,0 +1,820 @@
(This file must be converted with BinHex 4.0)
:#QeVE'PZDh-ZBA-!39"36'&`E(3J!!!!!!!!!*LiI6m!!!!!!3!!!*G#!!#@3J!
!!AChFQPd!!!!K3)"!3m(Fh9`F'pbG!!!!)B#!3%$"(0eFQ8!!!#(!J-%"!3("3C
cGfPdBfJ!!!#)!J%"#39cH@jMD!!!!)N#"J%$!`-&"3-'FhPcG'9Y!!!!LJ)&"3)
%!J8("!-#!`4dB@*X!!!!L`))!3-$!`-$!`-$"(4PE'`!!!#-!J)"#38$G'KP!!!
!M3))(J)@!Ki#!J))!K)#!`)B!Kd%G'KPE3!!!)i#!J%&#`4dD'9j!!!!M`)#!J)
#$3TdD(*[G@GSEh9d!!!!N!!#!3%&"(4TCQB!!!#4!J%"!`4dD@eP!!!!NJ)"!JS
#!h4T!!!!'N!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!H!!!!!!!#!!!!!!
!!!!!!!!!!!!!rrrrr`!!!$3!!!!N!!!!!#"[!!5JAb"[!!5K++!M6R9$9'mJFR9
Z)(4SDA-JFf0bDA"d)'&`F'aTBf&dD@pZ,#"jEh8JEA9cG#"QDA*cG#"TER0dB@a
X)%&`F'aP8f0bDA"d,J!!!)C8D'Pc)(0MFQP`G#"MFQ9KG'9c)#iZ,fPZBfaeC'8
[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@aTBA0PFbi0$8P
d)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9KFf8JBQ8JF'&
dD@9ZG$SY+3!!!#S!!J!!!!!!$3!+!"!!!!!-!!!!!!!!!!!!63!0!!S!%!%!!!`
!!!!!!!!!!!!B!!!!+!!!!!!!!!!)!!!!)!#N2c`!!DR`!!!!l!!!!!&19[ri,`0
f!#m$-$bKVDG'*KmY52ri,`-`2+LITdBQ(b!ZrrLa`'FJ,`-J2'0`ER4"l[rm)NL
KV5+)*Kp+3'B)5Ulrr'F#GJ%3!bBZrr41ANje6PB!!#m-@Bm[2%j29%Nr2!#!U"m
SAb!-CJK`!cm!UFKJ+#m-UC)J9#!)d+J!'#&!!"JJ9#!)d+J!(#&!!"a9Mbm8)&q
JAMk!9%mSE[rm6Pj1G8j@!!![$%kkre4+!'FU@Bm[2'&`E(3[2(0MF(4`)DJU+&m
J$'F5@Bm[$#mm!!!!!A!!U#UTp&K26VVrG#KZrra1ANje!!!!('&`E(3!!!!"4P*
&4J!!!!!!J%P$6L-!!!!!!*B!!!!"!!!!!!G"8&"-!!!!!!!"!!!"!!!!!S!!!!4
!!!"i)!!!K"!!!3))!!)#"!!%"!)!#!J"!"!8!)!J)J"!3%%!)2#!J"#*!%!)KJ!
J")3!)!*!!"!")!!3!K!!%!3)!"!)"!!J%!)!3#!"!)"!!S%!J!5#!3!)4!)!#%J
%!!KB#!!%C"!!!m)J!!!"3!!!!)!!!!%!!!!$J!!!"m!!!(rJ!!$rm!!"rrJ!!rr
m!!IrrJ!2rrm!(rrrJ$rrrm"rrrrJrrrrm2rrrrMrrrrmrrrrrRrrrrmrrrrq(rr
rr!rrrrJ(rrr`!rrri!(rrm!$rrq!"rrr!!rrrJ!2rr`!$rri!!IRm!!$`q!!!!(
!!!!!J!!!!!)!!!!!!!!!!!m!!!!!!!!!!!!!!!!!!!$`m!!!!!!!!!!!!!!!!!!
2!!m!!!!!!!!!!!!!!!rrm!!!m!!!!!!!!!!!!!$`c0m!!!m!!!!!!!!!!!!2!!c
-m!!!m!!!!!!!!!!!m!$-cI!!!!m!!!!!!!!!$`!-c0m!!!!!m!!!!!!!!2!!c-h
`!!!!!!m!!!!!!!m!$-cIh`!!!!!!m!!!!!$`!-c0rGh`!!!!!!m!!!!2!!c-hph
-h`!!!!!!m!!!rrr-cIhF`-h`!!!!!!m!!2lFr0rGc!`-h`!!!!!!m!$pc-rph-$
!`-h`!!!!!!m!r-`2cF`-$!!-r3!!!!!!m!m!`-c!`-!!$0m!!!!!$-m!m!`-$!`
!!-cI!!!!!-c`!!m!`-$!!!`-h`!!!!c2!!!!m!`-!!$!c0m!!!$-m!!!!!m!`!!
-$-hm!!!-c`!!!!!!m!!!`-cIc!!!c2!!!!!!!!m!$!c0r-`!$-m!!!!!!!$pm-$
-hmc!!-c`!!!!!!!2hI`-cIc-!!c2!!!!!!!!rGc2c0r-`!$-m!!!!!!!!2h-cmh
mc!!-c`!!!!!!!!$mc!rIr-!!c2!!!!!!!!!!$m$2m!r-$-m!!!!!!!!!!!$rr`!
!r-c`!!!!!!!!!!!!!!!!!!r2!!!!!!!!!!!!!!!!!!!!m!!!!!!!!!!!!!"!!B!
13"%J)4"##18%Q)+3!%&!)5!L%%3BL#83*L!G3!#!!B!2`"rJ2r"rq2rmrrlrrhr
r2riIr"ri2r!ri"h!!)!!!!#!!!!!$r!!!!!!!2r`$`!!!!!2$!m!m!!!!2$!c`!
2!!!2$!c`!!$`!2r`cpm!!!m!rGrpc2!!!2$p$p`-c`!!$`m!`-$0m!$2!2!-$-h
`$2!!$`$-hm$2!!!2m-hm$2!!!2h2hm$2!!!!r-rm$2!!!!!2r`r2!!!!!!!!!2!
!!!!!!!#D8f0bDA"d)%&`F'aTBf&dD@pZ$3e8D'Pc)(0MFQP`G#"MFQ9KG'9c)#i
Z,fPZBfaeC'8[Eh"PER0cE#"KEQ3JCQPXE(-JDA3JGfPdD#"ZC@0PFh0KFRNJB@a
TBA0PFbi0$8Pd)'eTCfKd)(4KDf8JB5"hD'PXC5"dEb"MEfe`E'9dC5"cEb"`E'9
KFf8JBQ8JF'&dD@9ZG$SY+3!!!")!!J!!!!!!!!!!!!%!"J!'%iN!!!!+@1!!!b!
!!!-J!!!!!"3!+`!(!Cm#@!!V!!F"f!*B!!!!!3!!M`C'BA0N98&6)$%Z-6!a,M%
`$J!!!!32rrm!!3!#!!-"rrm!!!d!!3!"D`!!!!!!!!!%!J!%!!)!"3!'$3!&!!*
X!!)!!!U`!!IrrJd!"`!#6`!!!!!+X!!)!!N0!!J!!@X!!!!%#Um!#J)!#J!#!!X
!$!d!#`!#E!!#!!3!"2rprr`"rrd!!!(rr!!!!J!-!!)!$3!1$3!0!!*X!!%!"!!
%rrX!$`(rq`!!$!!2!&N!8b"(CA3JF'&dD#"dEb"dD'Pc)%&`F'aP8f0bDA"d)'&
`F'aPG$XJGA0P)'Pd)(4[)'C[FQdJG'KP)("KG'JJG'mJG'KP)'PZBfaeC'8JCQp
XC'9b!!)!!!)!$J!#!"!!%3d!%!!#E!!"!!3!"2rk!")"rrS!!!`!%J!Q!#!JB@j
N)(4SC5"[G'KPFL"bC@aPGQ&ZG#"QEfaNCA*c,J!#!!!#!"%!!J!6!"30!"-!!R-
!!!!%!"%!&3!@$3!9!!*M!!!!"!!1!"F!'!d!&`!#E!!&!!3!$!!CrrN0!"N!!Qi
!!!!%!!`!'J!E$3!D!!)d!!!!"3!-rrJ!(!Vrq!!%#Q0[BQS0!"`!!Q`!"3!'!!X
!(Irh$3!G!!0*!!)!"J!,rrB!([re#[rf!"JZC@&bFfCQC(*KE'Pc!!!!!!!!)!"
KCQ4b$3!H!!"Q!!!!"J!(![re!!!"rrF!!!d!'`!"E3!!!!3!"3!I$`!I!6J)ER9
XE!!!!!!!!Gq!rrm!!!!A"NCTEQ4PFJ!!(`*[Me!!ASfm!Qq,i!"HA[!!I&M!!!!
!!!!!'mi!!JN#!Qq-1!!!Kb%#Ei`J!!!!!%C14&*038e"3e-!!"%!B@aTF`!!!!!
!fJ!#!!!-6@&MD@jdEh0S)%K%!!!!!!!!!!!!!!!!!!!!XSA5h%*%!!!!!!!A"NC
TEQ4PFJ!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!3rLc#@a!4Nj%8Ne"3e2rrrrr!!!!!!!!!!!!!!!!!!!
!!!!!!!e6HA0dC@dJ4QpXC'9b!!!"!!3!!!!A!!)!)8eKBfPZG'pcD#")4$T6HA0
dC@dJ4QpXC'9b1NCTEQ4PFJ$rr`!!!Irj!!!0!"J!!@d!!!!-!!hrp!Vrp!!%#Q0
dH(30!"B!!@m!!!!!!!$rm`[rm`!5-!!(G'KPF'&dD!!(G'KP8'&dD!)!&!!#!#!
!)3d!)!!#E!!#!")!%[rbrr%"rr)!!!(rm3!!!J!K!!)!)J!M$3!L!!*b!!!!%J!
A!#3!*3d!*!!#EJ!$!")!&3!Q!#F0!#B!!6%!!!!6!"Arm!Vrm!!%#R4iC'`0!#F
!!6%!!!!5!"2rl`Vrl`!%#Q&cBh)0!#8!!@m!!!!!!!$rlJ[rlJ!F-!!-G'KPEfa
NC'9XD@ec!!adD'92E'4%C@aTEA-#!#-!!J!S!#N0!#J!!R)!!!!B!"d!+J!V$3!
U!!&Y!!!!'!!C!#`-!#`!"`!"1J!#!!!0!#X!!Qi!!`!!!!!!,3!Z$3!Y!!%a!!!
!'J!Frqd+rqd!"!TdH'4X$3!Z!!%a!!!!'3!Drq`+rq`!"!TKFf0b!J!T!!)!,`!
`$3![!!*X!!)!(J!Hrq[rkJ(rk`!!!IrU!!!#!$!!!J!a!$)0!$%!!R)!!!!H!#X
!-`!d$3!c!!*X!!8!(J!T!$Ark3d!03!#EJ!!!"i!+3!f!$F0!$B!!cF"!!!I!#R
rk!!i!$N+rqJ!"!TMDA4Y$3!i!!&Y!!!!)`!PrqF$rqF!!3d!13!"E3!!!#B!+2r
Q!rrQrrd0!$F!!@m!!!!H!"rrj3[rj3!5-!!(G'KPF'&dD!!(G'KP8'&dD!(rk3!
!$3!d!!&[!!!!!!!!rq3,rq3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0
d8'&dD!)!-J!#!$S!1`d!1J!#FJ!!!#`!1`!m!$d0!$`!!Q-!!!!X!$N!2J!r$3!
q!!*X!!8!,!!h!%$ri`d!3!!#EJ!!!#`!0`""!%)0!%%!!cF"!!!Y!$IriJ"$!%3
+rq)!"!TMDA4Y$3"$!!&Y!!!!-3!crq%$rq%!!3d!4!!"E3!!!$3!0[rJ!rrJrri
0!%)!!@m!!!!X!#hrh`[rh`!5-!!(G'KPF'&dD!!(G'KP8'&dD!(ri`!!$3!r!!&
Y!!!!0`!irpi+rpi!"!T849K8$3!p!!&[!!!!!!!!rpd,rpd!&M!!#A4SC@ePF'&
dD!!*G'KP6@93BA4S!J!l!!)!43"'$3"&!!*X!!)!2!!mrpcrf`(rh!!!!IrE!!!
#!%B!!J"(!%J0!%F!!R)!!!!m!%8!53"+$3"*!!*M!!!!2!""!%X!6!d!5`!#BJ!
!!$`!2`"0!%i0!%d!!@m!!!!m!$hrfJ[rfJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4
SC9"bEfTPBh43BA4S$3"1!!&Y!!!!23!q!%m-!%m!$3!(D@jME(9NC3!#!!!0!%`
!!@d!!!!r!%$rf3Vrf3!%#P4&@&30!%S!!@m!!!!!!!$rf![rf!!Q-!!4D@jME(9
NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S!J")!!)!8!"4$3"3!!*b!!!
!4J"9!&)!8`d!8J!#B`!!!%B!83"8!&80!&3!!Q)!!!"'!%m!9J"A$3"@!!*L!!!
!4J",!&J!@3d!@!!"E`!!!%B!4rrA#rrA!#!`!!jdD'9`FQpUC@0dF'&dD!!1G'K
P8(*[DQ9MG&"KG'J0!&N!!@d!!!"(!%S!@J`!@J!0!!GTEQ0XG@4P!!)!!!d!9`!
"E3!!!%X!6J"E$!"E!!d!"fp`C@jcFf`!!J!!$3"9!!&Y!!!!6`"3rpB+rpB!"!T
849K8$3"6!!&[!!!!!!!!rp8,rp8!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S!J"4!!)!A!"G$3"F!!*b!!!!9J"
K!&i!A`d!AJ!#B`!!!&B!A3"J!'%0!'!!!Q)!!!"@!&X!BJ"M$3"L!!&[!!!!9J"
Arp3,rp3!)$!!$R4SCA"bEfTPBh4`BA4S!!jdD'93FQpUC@0d8'&dD!d!B`!"E3!
!!&F!@J"N$!"N!!`!"Q0bHA"dE`!#!!!0!'%!!@d!!!"E!&crd`Vrd`!%#P4&@&3
0!&m!!@m!!!!!!!$rdJ[rdJ!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
XC'9b8'&dD!)!A3!#!'8!CJd!C3!#FJ!!!')!E3"R!'J0!'F!!Q-!!!"L!'N!D3"
U$3"T!!*L!!!!BJ"R!'X!E!d!D`!"E`!!!')!Brr4#rr4!#!`!!jdD'9`FQpUC@0
dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!'`!!@d!!!"M!'B!E3`!E3!*!!0cFf`!!J!
!$3"U!!&Y!!!!C`"Srp!+rp!!"!T849K8$3"S!!&[!!!!!!!!rmm,rmm!(M!!$A0
cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J#!'B!!J"Z!'m0!'i!!R)!!!"Z!(8
!F!"a$3"`!!*M!!!!EJ"a!()!F`d!FJ!"E`!!!'i!Err1#rr1!#!`!!jdD'9`FQp
UC@0dF'&dD!!1G'KP8(*[DQ9MG&"KG'J0!(-!!@d!!!"[!($rc3Vrc3!%#P4&@&3
0!(%!!@m!!!!!!!$rc![rc!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p`C@jcFfa
'EfaNCA*3BA4S!J"[!!)!G!"e$3"d!!*X!!)!GJ"frm[rbJ(rb`!!!Ir+!!!#!(8
!!J"f!(F0!(B!!R)!!!"f!(X!H!"j$3"i!!&[!!!!GJ"hrmN,rmN!($!!$(4SC@p
XC'4PE'PYF`!-G'KP6faN4'9XD@ec$3"j!!*Z!!-!!!!!!(S!H`d!HJ!"-3!!!(J
!H[r)#[r)!!3+G(KNE!d!H`!"-3!!!(F!H2r(#[r(!!3+BA0MFJ)!G`!#!(`!I3d
!I!!#E!!#!(`!I2r'rm8"rmB!!!(ra3!!!J"p!!)!IJ"r$3"q!!*X!!%!I!"mrm3
!J!(ra!!!$!#!!%!!1L"NC@aPG'8JEfaN)'PZBfaeC'8kEh"PER0cE#"QEfaNCA)
JB@jN)(*PBh*PBA4P)'Pd)'0XC@&ZE(N!!J!!!J"r!!)!J3##$3#"!!*X!!)!I!"
mrm2r`J(r``!!!Ir#!!!#!))!!J#$!)30!)-!!e%!!!"m!+8!K3#'!)F0!)8!!@X
!!!"r!*`!L!)!L!!#!)N!LJd!L3!$53!#!(m!N[r"!)[r`!Vr`3!B,QeTFf0cE'0
d+LSU+J!!!!!!!*!!!#SU+LS0!)X!!Qi!!!"r!)i!M!#0$3#-!!)d!!!!K`#1rlm
!MJVr[`!%#Q0QEf`0!)i!!@d!!!#+!)d!M``!M`!0!!G[F'9ZFh0X!!)!!!d!M3!
#0!!!!(m!Krqq!*!!#[qq!!3+BfC[E!d!N!!!!@m!!!#$!)Er[3[r[3!Q-!!4D@j
ME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S![r!!!!#!)S!!J#4rl`
0!*%!!dN!!J#6!*crZ`#5rlS+rlX!'#jMEh*PC'9XEbSU+LS!!!!!!!#3!!!U+LS
U$3#5!!%a!!!!N`#BrlN+rlN!"!TcC@aP![qk!!!#rl`!!!d!KJ!$8J!!!!!!!2q
irlIrYJVrZ!!B,Q&cBh*PFR)J+LSU+J!!!!!!!*!!!#SU+LS"rlF!!!,rYJ!!$3#
(!!*X!!%!T!#Nrl8!N`(rY3!!$!#6!"-!$5"TCfj[FQ8JCA*bEh)!!J!!!J#%!!)
!P!#9$3#8!!*X!!)!TJ#Qrl6rX`(rY!!!!Iqc!!!#!*8!!J#@!*F0!*B!!dN!!J#
Q!,lrX[qa!*J+rl)!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Iqa!!!'!*J
!!rq`!*N!QJVrX!!%#QY[Bf`0!*N!!@d!!!#U!+hrV`VrV`!%#Q0QEf`'!*S!!rq
Z!*[rV3VrVJ!%#QPZFfJ0!*X!!M3!!!#`!,MrV!#F#[qX!!3+BfC[E!d!R!!"E`!
!!,3!YrqV#rqV!#B`!"&TEQ0XG@4PCQpXC'9bF'&dD!!4D@jME(9NC8C[E'4PFP"
KG'J'rkd!!!)!P`!#!*d!RJd!R3!#FJ!!!,m!aJ#I!+!0!*m!!Q`"!!#r!-)!SIq
U$3#K!!%a!!!![`$#rkN+rkN!"!TbFfad!IqU!!!0!+!!!@m!!!!!!!$rU![rU!!
Z-!!9G'KPEQ9hCQpXC'9bFQ9QCA*PEQ0P!"9dD'91CAG'EfaNCA*5C@CPFQ9ZBf8
#!*i!!J#L!+-0!+)!!dN!!J$(!-lrT`#NrkB+rkF!'#jYDA0MFfaMG#SU+LS!!!!
!!!#3!!!U+LSU$3#N!!&[!!!!a`$+rk8,rk8!,M!!&A4SC@jPGfC[E'4PFR*PCQ9
bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P![qQ!!!#!+-!!J#P!+B0!+8!!R)
!!!$2!0`!T`#S$3#R!!&Y!!!!c`$5!+N-!+N!$3!(Eh"PER0cE!!#!!!0!+J!!Qi
!!!!!!!!!UJ#V$3#U!!%a!!!!e`$Erk3+rk3!"!T`EQ&Y$3#V!!%a!!!!dJ$Ark-
+rk-!"!TcC@aP!J#Q!!)!V!#Y$3#X!!*X!!)!h3$Grk,rS3(rSJ!!!IqK!!!#!+d
!!J#Z!+m0!+i!!Q`!!3$G!0hrS!#`!IqJ!!!-!,!!(`!C)&0dBA*d)'eKDfPZCb"
dD'8JB@aTBA0PF`!#!!!#!+m!!J#a!,)0!,%!!dN!!J$G!3ArRrqH!,-+rjm!'#j
MEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!IqH!!!'!,-!!rqG!,3!Y3VrR3!%#QY
[Bf`0!,3!!@d!!!$K!16rR!VrR!!%#Q&XD@%'!,8!!rqE!,B!Y`VrQ`!%#QPZFfJ
0!,B!!M3!!!$R!1rrQJ#i#[qD!!3+BfC[E!d!Z!!"E`!!!1X!l[qC#rqC!$3`!"K
[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
dD!B!Y`!$rjJ!ZIqA#[qB!!3+G'mJ)!d!Z3!#EJ!!!2)!r`#k!,X0!,S!!M3!!!$
i!2rrPJ#m#[q@!!3+CQPXC3d![!!"E3!!!2X!rJ#p$!#p!"-!$@p`C@jcFfaMEfj
Q,QJ!!J!!$3#l!!)d!!!!mJ$irj8![JVrP3!%#Q0QEf`0!,i!!@m!!!$f!2IrP![
rP!!@-!!*G'KPE@9`BA4S!!PdD'90C9"KG'J'rjF!!!)!XJ!#!,m!`!d![`!#E!!
#!3B""[q6rj)"rj-!!!(rNJ!!!J$!!!)!`3$#$3$"!!*b!!!""J%4!--!a!d!``!
#BJ!!!3B"$3$&!-B0!-8!!@m!!!%'!3RrN3[rN3!N-!!3Bh*jF(4[CQpXC'9bF'&
dD!!3Bh*jF(4[4QpXC'9b8'&dD!d!aJ!"E3!!!3N"$!$($!$(!!X!"6TKFfia!!)
!!!d!a!!"E`!!!!!!!2q3!![rN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!`J!
#!-J!b3d!b!!$53!#!4)"22q2rii!bJVrM`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!
!!'jeE'`"rii!!!B!bJ!$rid!b`$-#[q0!!3+DfpME!d!b`!"E3!!!4B"'Iq-#[q
-!!3+B@aTB3B!c!!$riX!c3$1#[q,!!3+D@jcD!d!c3!#0!!!!4`"*2q+!-m+riS
!"!TMCQpX$3$2!!&[!!!")!%MriN,riN!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9
bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J$1!!2rL!$3riF+riJ!"!T
dEb!J$3$3!!*Z!!!"*`%f!0%!dJd!d3!#0!!!!5m"0[q'!0-+riB!"!TQD@aP$3$
6!!&Y!!!"-J%e!03-!03!$!!'BA0Z-5jS!!)!!!d!dJ!#0!!!!5F",rq&!08+ri8
!"!TMCQpX$3$9!!&[!!!"+`%Zri3,ri3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!E
rK`!!!J$*!!)!eJ$A$3$@!!0*!!)"23&Rri2rJJ$B#[q$!"JZBfpbC@0bC@`U+LS
U!!!!!!!!N!!!ER9XE!(rJJ!!"J$B!!2rJ3$C!0S+ri%!"!TVEf0X$3$C!!&Y!!!
"33&%ri!+ri!!"!TKE'PK"J$D!!2rI`$E!0`+rhm!"!TTER0S$3$E!!)d!!!"4`&
2rhi!h3VrIJ!%#Q0QEf`0!0d!!@m!!!&,!8lrI3[rI3!d-!!BEh"PER0cE'PZBfa
eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!0`!!rpm!0l
rH`VrI!!%#R4[)#!0!0i!!Qi!!!&5!@%!h`$J$3$I!!)d!!!"@J&KrhS!i3VrHJ!
%#QCTE'80!1%!!@d!!!&G!@!!iJ`!iJ!3!!TKFfiaAfeKBbjS!!)!!!d!i!!#0!!
!!9)"@[pj!1-+rhN!"!TMCQpX$3$M!!&[!!!"9J&CrhJ,rhJ!&$!!#(4PEA"`BA4
S!!KdC@e`8'&dD!ErH`!!!J$A!!)!j!$P$3$N!!*X!!)"D!&SrhIrGJ(rG`!!!Ip
f!!!#!18!!J$Q!1F0!1B!!R)!!!&S!A-!k!$T$3$S!!*L!!!"D!&[!1S!k`d!kJ!
"E`!!!@J"Drpe#rpe!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*
3BA4S$3$V!!&Y!!!"D`&Z!1`-!1`!#J!%1Q*TE`!#!!!0!1N!!@m!!!!!!!$rG![
rG!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J$R!!)!l3$Z$3$Y!!0*!!)"G!'Hrh2
rFJ$[#[pc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(rFJ!!"J$[!!2rF3$
`!2%+rh%!"!TVEf0X$3$`!!&Y!!!"H!&lrh!+rh!!"!TKE'PK"J$a!!2rE`$b!2-
+rfm!"!TTER0S$3$b!!)d!!!"IJ''rfi!p!VrEJ!%#Q0QEf`0!23!!@m!!!'#!BA
rE3[rE3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
NC8C[E'4PFP"KG'J'!2-!!rpX!2ArD`VrE!!%#R4[)#!0!28!!Qi!!!'*!CJ!pJ$
h$3$f!!)d!!!"N3'BrfS!q!VrDJ!%#QCTE'80!2J!!@d!!!'8!CF!q3`!q3!,!!9
LD@mZD!!#!!!0!2F!!M3!!!'*!C(rD3$k#[pT!!3+BfC[E!d!qJ!"E`!!!Bd"N!$
rD![rD!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[pV!!!#!1i!!J$l!2`0!2X!!Q`
!!J'I!CrrCrpQ!IpR!!!"rfB!!!)!r!!#!2d!rJd!r3!#FJ!!!Cm"UJ$r!3!0!2m
!!Q)!!!'I!DB"!3%#$3%"!!&[!!!"R`'Lrf8,rf8!*$!!%'0bHA"dEfC[E'4PFR"
KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!3)!!@d!!!'L!D8"!``"!`!*!!-kBQB!!J!
!$3%!!!&[!!!!!!!!rf3,rf3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)!rJ!#!33
""3d""!!$53!#!DX"eIpMrf)""JVrB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
eE'`"rf)!!!B""J!$rf%""`%)#[pK!!3+DfpME!d""`!"E3!!!Dm"X[pJ#[pJ!!3
+B@aTB3B"#!!$rem"#3%+#[pI!!3+D@jcD!d"#3!#0!!!!E8"[IpH!3X+rei!"!T
MCQpX$3%,!!&[!!!"Z3'mred,red!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J%+!!2rA!%-reX+re`!"!TdEb!
J$3%-!!*Z!!!"`!(2!3d"$Jd"$3!#0!!!!FJ"crpD!3m+reS!"!TQD@aP$3%2!!&
Y!!!"b`(1!4!-!4!!%!!+BQa[GfCTFfJZD!!#!!!0!3i!!M3!!!(!!FMr@3%4#[p
C!!3+BfC[E!d"%3!"E`!!!F3"arpB#rpB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J
'reX!!!)""3!#!4)"%`d"%J!#E!!#!GB"e[pAreB"reF!!!(r9J!!!J%6!!)"&!%
9$3%8!!*b!!!"eJ(K!4B"&`d"&J!#BJ!!!GB"h3%B!4N0!4J!!@m!!!(@!GRr93[
r93!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"'3!"E3!
!!GN"h!%D$!%D!!N!!cTLEJ!#!!!0!4F!!@m!!!!!!!$r9![r9!!8-!!)G'9YF("
KG'J!#(4PEA"3BA4S!J%9!!)"'`%F$3%E!!0*!!)"iJ)-re2r8J%G#[p6!"JZBfp
bC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r8J!!"J%G!!2r83%H!4m+re%!"!TVEf0
X$3%H!!&Y!!!"jJ(Tre!+re!!"!TKE'PK"J%I!!2r6`%J!5%+rdm!"!TTER0S$3%
J!!)d!!!"l!(drdi")JVr6J!%#Q0QEf`0!5)!!@m!!!(`!I2r63[r63!d-!!BEh"
PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J
'!5%!!rp-!52r5`Vr6!!%#R4[)#!0!5-!!Qi!!!(h!JB"*!%P$3%N!!)d!!!"r`)
'rdS"*JVr5J!%#QCTE'80!5B!!@d!!!)#!J8"*``"*`!+!!4LELjS!!)!!!d"*3!
#0!!!!IF"rrp*!5J+rdN!"!TMCQpX$3%S!!&[!!!"q`(qrdJ,rdJ!&$!!#(4PEA"
`BA4S!!KdC@e`8'&dD!Er5`!!!J%F!!)"+3%U$3%T!!*X!!)#$3)0rdIr4J(r4`!
!!Ip'!!!#!5S!!J%V!5`0!5X!!R)!!!)0!KJ",3%Z$3%Y!!*L!!!#$3)8!5m"-!d
",`!"E`!!!Jd#%2p&#rp&!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
NCA*3BA4S$3%`!!&Y!!!#%!)6!6%-!6%!$3!(1Q*eCQCPFJ!#!!!0!5i!!@m!!!!
!!!$r4![r4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J%X!!)"-J%c$3%b!!0*!!)
#'3*$rd2r3J%d#[p$!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(r3J!!"J%
d!!2r33%e!6B+rd%!"!TVEf0X$3%e!!&Y!!!#(3)Jrd!+rd!!"!TKE'PK"J%f!!2
r2`%h!6J+rcm!"!TTER0S$3%h!!)d!!!#)`)Vrci"13Vr2J!%#Q0QEf`0!6N!!@m
!!!)R!LVr23[r23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
-5@jME(9NC8C[E'4PFP"KG'J'!6J!!rmm!6Vr1`Vr2!!%#R4[)#!0!6S!!Qi!!!)
Z!Md"1`%m$3%l!!)d!!!#0J)prcS"23Vr1J!%#QCTE'80!6d!!@d!!!)j!M`"2J`
"2J!1!!KLG@CQCA)ZD!!#!!!0!6`!!M3!!!)Z!MEr13%r#[mj!!3+BfC[E!d"2`!
"E`!!!M)#0Imi#rmi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rcX!!!)"-`!#!8!
"33d"3!!#E!!#!N3#42mhrcB"rcF!!!(r0J!!!J&"!!)"3J&$$3&#!!*b!!!#4!*
2!83"43d"4!!#BJ!!!N3#5`&'!8F0!8B!!@m!!!*%!NIr03[r03!N-!!3Bh*jF(4
[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"4`!"E3!!!NF#5J&)$!&)!!X
!"6TMBA0d!!)!!!d"43!"E`!!!!!!!2md#rmd!"3`!!KdC@e`F'&dD!!)G'9YF&"
KG'J#!8-!!J&*!8S0!8N!!dN!!J*3!RVr-rmb!8X+rc-!'#jMEh*PBh*PE#SU+LS
!!!!!!!#3!!"ZG@aX!Imb!!!'!8X!!rma!8`"63Vr-3!%#QY[Bf`0!8`!!@d!!!*
8!PIr-!Vr-!!%#Q&XD@%'!8d!!rm[!8i"6`Vr,`!%#QPZFfJ0!8i!!M3!!!*D!Q,
r,J&3#[mZ!!3+BfC[E!d"8!!"E`!!!Pi#BImY#rmY!$3`!"K[F'9ZFh0XD@jME(9
NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"6`!$rb`"8Im
V#[mX!!3+G'mJ)!d"83!#EJ!!!Q8#G!&5!9-0!9)!!M3!!!*Y!R6r+J&8#[mU!!3
+CQPXC3d"9!!"E3!!!R!#F`&9$!&9!!`!"Q0KFh3ZD!!#!!!0!9-!!M3!!!*P!Qh
r+3&@#[mT!!3+BfC[E!d"9J!"E`!!!QN#E2mS#rmS!"3`!!KdC@e`F'&dD!!)G'9
YF&"KG'J'rbX!!!)"5J!#!9F"@!d"9`!#E!!#!RX#HrmRrbB"rbF!!!(r*J!!!J&
B!!)"@3&D$3&C!!*b!!!#H`+'!9X"A!d"@`!#BJ!!!RX#JJ&G!9i0!9d!!@m!!!*
l!Rlr*3[r*3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
"AJ!"E3!!!Ri#J3&I$!&I!!X!"6TMEfe`!!)!!!d"A!!"E`!!!!!!!2mN#rmN!"3
`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!9S!!J&J!@%0!@!!!dN!!J+(!V(r)rmL!@)
+rb-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!ImL!!!'!@)!!rmK!@-"C!V
r)3!%#QY[Bf`0!@-!!@d!!!+,!Slr)!Vr)!!%#Q&XD@%'!@3!!rmI!@8"CJVr(`!
%#QPZFfJ0!@8!!M3!!!+4!TRr(J&R#[mH!!3+BfC[E!d"C`!"E`!!!T8#Q2mG#rm
G!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4Qp
XC'9b8'&dD!B"CJ!$ra`"D2mE#[mF!!3+G'mJ)!d"D!!#EJ!!!T`#U`&T!@S0!@N
!!M3!!!+N!U[r'J&V#[mD!!3+CQPXC3d"D`!"E3!!!UF#UJ&X$!&X!!`!"Q0[EA!
ZD!!#!!!0!@S!!M3!!!+F!U6r'3&Y#[mC!!3+BfC[E!d"E3!"E`!!!U!#SrmB#rm
B!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'raX!!!)"B3!#!@i"E`d"EJ!#E!!#!V)
#X[mAraB"raF!!!(r&J!!!J&[!!)"F!&a$3&`!!*b!!!#XJ+p!A)"F`d"FJ!#BJ!
!!V)#Z3&d!A80!A3!!@m!!!+b!VAr&3[r&3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!
3Bh*jF(4[4QpXC'9b8'&dD!d"G3!"E3!!!V8#Z!&f$!&f!!X!"6TMEfjQ!!)!!!d
"F`!"E`!!!!!!!2m8#rm8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!A%!!J&h!AJ
0!AF!!dN!!J+q!ZMr%rm5!AN+ra-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@a
X!Im5!!!'!AN!!rm4!AS"H`Vr%3!%#QY[Bf`0!AS!!@d!!!,#!XAr%!Vr%!!%#Q&
XD@%'!AX!!rm2!A`"I3Vr$`!%#QPZFfJ0!A`!!M3!!!,)!Y$r$J&q#[m1!!3+BfC
[E!d"IJ!"E`!!!X`#crm0#rm0!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J
!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B"I3!$r``"Irm,#[m-!!3+G'mJ)!d
"I`!#EJ!!!Y-#iJ'!!B%0!B!!!M3!!!,E!Z,r#J'##[m+!!3+CQPXC3d"JJ!"E3!
!!Yi#i3'$$!'$!!`!"Q0[EQBZD!!#!!!0!B%!!M3!!!,6!Y[r#3'%#[m*!!3+BfC
[E!d"K!!"E`!!!YF#f[m)#rm)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r`X!!!)
"H!!#!B8"KJd"K3!#E!!#!ZN#kIm(r`B"r`F!!!(r"J!!!J''!!)"K`')$3'(!!*
b!!!#k3,d!BN"LJd"L3!#BJ!!!ZN#m!',!B`0!BX!!@m!!!,T!Zcr"3[r"3!N-!!
3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"M!!"E3!!!Z`#l`'
0$!'0!!S!"$TNCA-!!J!!$3'+!!&[!!!!!!!!r`3,r`3!&$!!#(4PEA"`BA4S!!K
dC@e`8'&dD!)"L!!#!Bi"M`d"MJ!$53!#![8$(rm$r`)"N!!+r`-!'#jMEh*PBh*
PE#SU+LS!!!!!!!#3!!"ZG@aX!Im#!!!'!C!!!!2r!3'4!C)+r`%!"!TVEf0X$3'
4!!&Y!!!#q3,mr`!+r`!!"!TKE'PK"J'5!!2qr`'6!C3+r[m!"!TTER0S$3'6!!)
d!!!#r`-(r[i"P3VqrJ!%#Q0QEf`0!C8!!@m!!!-$!`Eqr3[qr3!d-!!BEh"PER0
cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!C3
!!rlm!CEqq`Vqr!!%#R4[)#!0!CB!!Qi!!!-+!aN"P`'B$3'A!!)d!!!$%J-Cr[S
"Q3VqqJ!%#QCTE'80!CN!!@d!!!-9!aJ"QJ`"QJ!,!!9NCA-ZD!!#!!!0!CJ!!M3
!!!-+!a,qq3'E#[lj!!3+BfC[E!d"Q`!"E`!!!`i$%Ili#rli!"3`!!KdC@e`F'&
dD!!)G'9YF&"KG'J'r[X!!!)"M`!#!C`"R3d"R!!#E!!#!b!$)2lhr[B"r[F!!!(
qpJ!!!J'G!!)"RJ'I$3'H!!*b!!!$)!-V!D!"S3d"S!!#BJ!!!b!$*`'L!D-0!D)
!!@m!!!-J!b2qp3[qp3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9
b8'&dD!d"S`!"E3!!!b-$*J'N$!'N!!N!!cTND!!#!!!0!D%!!@m!!!!!!!$qp![
qp!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'I!!)"T3'Q$3'P!!0*!!)$,!0@r[2
qmJ'R#[lc!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(qmJ!!"J'R!!2qm3'
S!DN+r[%!"!TVEf0X$3'S!!&Y!!!$-!-cr[!+r[!!"!TKE'PK"J'T!!2ql`'U!DX
+rZm!"!TTER0S$3'U!!)d!!!$0J-qrZi"V!VqlJ!%#Q0QEf`0!D`!!@m!!!-k!ch
ql3[ql3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
NC8C[E'4PFP"KG'J'!DX!!rlX!Dhqk`Vql!!%#R4[)#!0!Dd!!Qi!!!0"!e!"VJ'
[$3'Z!!)d!!!$5303rZS"X!VqkJ!%#QCTE'80!E!!!@d!!!0-!dm"X3`"X3!+!!4
ND#jS!!)!!!d"V`!#0!!!!d%$5IlT!E)+rZN!"!TMCQpX$3'b!!&[!!!$430)rZJ
,rZJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eqk`!!!J'Q!!)"X`'d$3'c!!*X!!)
$9`0ArZIqjJ(qj`!!!IlQ!!!#!E3!!J'e!EB0!E8!!R)!!!0A!f)"Y`'i$3'h!!*
L!!!$9`0H!EN"ZJd"Z3!"E`!!!eF$@[lP#rlP!#3`!""MFRP`G'pQEfaNCA*`BA4
S!""MFRP`G'p'EfaNCA*3BA4S$3'k!!&Y!!!$@J0G!EX-!EX!#J!%1Q4cB3!#!!!
0!EJ!!@m!!!!!!!$qj![qj!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J'f!!)"[!'
p$3'm!!0*!!)$B`10rZ2qiJ'q#[lM!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
XE!(qiJ!!"J'q!!2qi3'r!F!+rZ%!"!TVEf0X$3'r!!&Y!!!$C`0UrZ!+rZ!!"!T
KE'PK"J(!!!2qh`("!F)+rYm!"!TTER0S$3("!!)d!!!$E30erYi"``VqhJ!%#Q0
QEf`0!F-!!@m!!!0a!h6qh3[qh3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!F)!!rlF!F6qf`Vqh!!%#R4[)#!
0!F3!!Qi!!!0i!iF"a3('$3(&!!)d!!!$J!1(rYS"a`VqfJ!%#QCTE'80!FF!!@d
!!!1$!iB"b!`"b!!,!!9NFf%ZD!!#!!!0!FB!!M3!!!0i!i$qf3(*#[lC!!3+BfC
[E!d"b3!"E`!!!h`$IrlB#rlB!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rYX!!!)
"[3!#!FS"b`d"bJ!#E!!#!ii$M[lArYB"rYF!!!(qeJ!!!J(,!!)"c!(0$3(-!!*
b!!!$MJ1C!Fi"c`d"cJ!#BJ!!!ii$P3(3!G%0!G!!!@m!!!11!j(qe3[qe3!N-!!
3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d"d3!"E3!!!j%$P!(
5$!(5!!S!"$TPFR)!!J!!$3(2!!&[!!!!!!!!rY3,rY3!&$!!#(4PEA"`BA4S!!K
dC@e`8'&dD!)"c3!#!G-"e!d"d`!$53!#!jS$a2l6rY)"e3Vqd`!B,Q0[FQ9MFQ9
X+LSU+J!!!!!!!*!!!'jeE'`"rY)!!!B"e3!$rY%"eJ(A#[l4!!3+DfpME!d"eJ!
"E3!!!ji$SIl3#[l3!!3+B@aTB3B"e`!$rXm"f!(C#[l2!!3+D@jcD!d"f!!#0!!
!!k3$V2l1!GS+rXi!"!TMCQpX$3(D!!&[!!!$U!1VrXd,rXd!0$!!''p`C@jcFfa
TEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J(C!!2
qc!(ErXX+rX`!"!TdEb!J$3(E!!*Z!!!$V`1q!G`"h3d"h!!#0!!!!lF$[[l+!Gi
+rXS!"!TQD@aP$3(H!!&Y!!!$ZJ1p!Gm-!Gm!#`!&CA*b,QJ!!J!!$3(G!!)d!!!
$V`1hrXN"i!Vqb3!%#Q0QEf`0!H!!!@m!!!1c!lEqb![qb!!8-!!)G'9YF("KG'J
!#(4PEA"3BA4S"[l,!!!#!G3!!J(K!H)0!H%!!Q`!!J2&!mAqarl'!Il(!!!"rXB
!!!)"iJ!#!H-"j!d"i`!#FJ!!!m8$d!(P!HB0!H8!!Q)!!!2&!m`"j`(S$3(R!!&
[!!!$a32)rX8,rX8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"
KG'J0!HJ!!@d!!!2)!mX"k3`"k3!+!!3kCAC`!!)!!!d"jJ!"E`!!!!!!!2l%#rl
%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!H3!!J(U!HX0!HS!!dN!!J24!r[q`rl
#!H`+rX-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Il#!!!'!H`!!rl"!Hd
"lJVq`3!%#QY[Bf`0!Hd!!@d!!!29!pMq`!Vq`!!%#Q&XD@%'!Hi!!rkr!Hm"m!V
q[`!%#QPZFfJ0!Hm!!M3!!!2E!q2q[J(a#[kq!!3+BfC[E!d"m3!"E`!!!pm$i[k
p#rkp!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4
P4QpXC'9b8'&dD!B"m!!$rV`"m[kl#[km!!3+G'mJ)!d"mJ!#EJ!!!qB$p3(c!I3
0!I-!!M3!!!2Z!rAqZJ(e#[kk!!3+CQPXC3d"p3!"E3!!!r%$p!(f$!(f!!X!"@9
fF#jS!!)!!!d"p!!#0!!!!qB$l[kj!IF+rVN!"!TMCQpX$3(h!!&[!!!$kJ2YrVJ
,rVJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqZ`!!!J(V!!)"q!(j$3(i!!*X!!)
$r!2mrVIqYJ(qY`!!!Ikf!!!#!IN!!J(k!IX0!IS!!R)!!!2m"!F"r!(p$3(m!!*
L!!!$r!3$!Ii"r`d"rJ!"E`!!!r`$rrke#rke!#3`!""MFRP`G'pQEfaNCA*`BA4
S!""MFRP`G'p'EfaNCA*3BA4S$3(r!!&Y!!!$r`3#!J!-!J!!#`!&1QKYB@-!!J!
!$3(p!!&[!!!!!!!!rV3,rV3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)"q`!#!J%
#!Jd#!3!$53!#"!J%-[kcrV)#!`VqX`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'j
eE'`"rV)!!!B#!`!$rV%#"!)&#[ka!!3+DfpME!d#"!!"E3!!"!`%$rk`#[k`!!3
+B@aTB3B#"3!$rUm#"J)(#[k[!!3+D@jcD!d#"J!#0!!!"")%'[kZ!JJ+rUi!"!T
MCQpX$3))!!&[!!!%&J3CrUd,rUd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&
dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)(!!2qV!)*rUX+rU`!"!TdEb!
J$3)*!!*Z!!!%(33X!JS##`d##J!#0!!!"#8%,2kU!J`+rUS!"!TQD@aP$3)-!!&
Y!!!%+!3V!Jd-!Jd!$!!'D'eKBbjS!!)!!!d##`!#0!!!""d%*IkT!Ji+rUN!"!T
MCQpX$3)1!!&[!!!%)33NrUJ,rUJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EqU`!
!!J)#!!)#$`)3$3)2!!*X!!)%-`3crUIqTJ(qT`!!!IkQ!!!#!K!!!J)4!K)0!K%
!!R)!!!3c"$i#%`)8$3)6!!*L!!!%-`3k!K8#&Jd#&3!"E`!!"$-%0[kP#rkP!#3
`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3)@!!&Y!!!%0J3
j!KF-!KF!#`!&1QPNC@%!!J!!$3)8!!&[!!!!!!!!rU3,rU3!&$!!#(4PEA"`BA4
S!!KdC@e`8'&dD!)#%J!#!KJ#'3d#'!!$53!#"$m%DIkMrU)#'JVqS`!B,Q0[FQ9
MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rU)!!!B#'J!$rU%#'`)F#[kK!!3+DfpME!d
#'`!"E3!!"%-%4[kJ#[kJ!!3+B@aTB3B#(!!$rTm#(3)H#[kI!!3+D@jcD!d#(3!
#0!!!"%N%8IkH!Km+rTi!"!TMCQpX$3)I!!&[!!!%6343rTd,rTd!0$!!''p`C@j
cFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J)
H!!2qR!)JrTX+rT`!"!TdEb!J$3)J!!*Z!!!%9!4M!L%#)Jd#)3!#0!!!"&`%Brk
D!L-+rTS!"!TQD@aP$3)M!!&Y!!!%A`4L!L3-!L3!$!!'D@4PB5jS!!)!!!d#)J!
#0!!!"&3%A2kC!L8+rTN!"!TMCQpX$3)P!!&[!!!%@!4ErTJ,rTJ!&$!!#(4PEA"
`BA4S!!KdC@e`8'&dD!EqQ`!!!J)C!!)#*J)R$3)Q!!*X!!)%DJ4UrTIqPJ(qP`!
!!Ik@!!!#!LF!!J)S!LN0!LJ!!R)!!!4U"(8#+J)V$3)U!!*L!!!%DJ4a!L`#,3d
#,!!"E`!!"'S%EIk9#rk9!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'Efa
NCA*3BA4S$3)Y!!&Y!!!%E34`!Li-!Li!$!!'1QaSBA0S!!)!!!d#+`!"E`!!!!!
!!2k8#rk8!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!LN!!J)[!M!0!Lm!!dN!!J4
f"+$qNrk5!M%+rT-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ik5!!!'!M%
!!rk4!M)#-`VqN3!%#QY[Bf`0!M)!!@d!!!4k"(hqN!!+rT!!!!3+B@aTB3B#-`!
$rSm#0!)e#[k2!!3+D@jcD!d#0!!#0!!!")!%L2k1!MB+rSi!"!TMCQpX$3)f!!&
[!!!%K!5(rSd,rSd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP0
66%PZBfaeC'9'EfaNCA*3BA4S"J)e!!2qM!)hrSX+rS`!"!TdEb!J$3)h!!*Z!!!
%L`5D!MJ#13d#1!!#0!!!"*-%Q[k+!MS+rSS!"!TQD@aP$3)k!!&Y!!!%PJ5C!MX
-!MX!$3!(E'KKFfJZD!!#!!!0!MN!!M3!!!5,"*2qL3)m#[k*!!3+BfC[E!d#2!!
"E`!!")m%N[k)#rk)!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rSX!!!)#-!!#!Md
#2Jd#23!#E!!#"+%%SIk(rSB"rSF!!!(qKJ!!!J)q!!)#2`*!$3)r!!*b!!!%S35
X!N%#3Jd#33!#BJ!!"+%%U!*$!N30!N-!!@m!!!5K"+6qK3[qK3!N-!!3Bh*jF(4
[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d#4!!"E3!!"+3%T`*&$!*&!!S
!"$TYC$)!!J!!$3*#!!&[!!!!!!!!rS3,rS3!&$!!#(4PEA"`BA4S!!KdC@e`8'&
dD!)#3!!#!NB#4`d#4J!$53!#"+d%erk$rS)#5!VqJ`!B,Q0[FQ9MFQ9X+LSU+J!
!!!!!!*!!!'jeE'`"rS)!!!B#5!!$rS%#53*+#[k"!!3+DfpME!d#53!"E3!!",%
%Y2k!#[k!!!3+B@aTB3B#5J!$rRm#5`*-#[jr!!3+D@jcD!d#5`!#0!!!",F%[rj
q!Nd+rRi!"!TMCQpX$3*0!!&[!!!%Z`5qrRd,rRd!0$!!''p`C@jcFfaTEQ0XG@4
PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*-!!2qI!*1rRX
+rR`!"!TdEb!J$3*1!!*Z!!!%`J64!Nm#8!d#6`!#0!!!"-S%dIjk!P%+rRS!"!T
QD@aP$3*4!!&Y!!!%c363!P)-!P)!#`!&E@3b,QJ!!J!!$3*3!!)d!!!%`J6+rRN
#8`VqH3!%#Q0QEf`0!P-!!@m!!!6'"-RqH![qH!!8-!!)G'9YF("KG'J!#(4PEA"
3BA4S"[jl!!!#!NF!!J*8!P80!P3!!Q`!!J6B"0MqGrjf!Ijh!!!"rRB!!!)#93!
#!PB#9`d#9J!#FJ!!"0J%i`*B!PN0!PJ!!Q)!!!6B"0m#@J*E$3*D!!&[!!!%f!6
ErR8,rR8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!PX
!!@d!!!6E"0i#A!`#A!!+!!3kE@3e!!)!!!d#@3!"E`!!!!!!!2jd#rjd!"3`!!K
dC@e`F'&dD!!)G'9YF&"KG'J#!PF!!J*G!Pi0!Pd!!dN!!J6N"3lqFrjb!Pm+rR-
!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ijb!!!'!Pm!!rja!Q!#B3VqF3!
%#QY[Bf`0!Q!!!@d!!!6S"1[qF!VqF!!%#Q&XD@%'!Q%!!rj[!Q)#B`VqE`!%#QP
ZFfJ0!Q)!!M3!!!6Z"2EqEJ*N#[jZ!!3+BfC[E!d#C!!"E`!!"2)%pIjY#rjY!$3
`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9
b8'&dD!B#B`!$rQ`#CIjV#[jX!!3+G'mJ)!d#C3!#EJ!!"2N&#!*Q!QF0!QB!!M3
!!!8""3MqDJ*S#[jU!!3+CQPXC3d#D!!"E3!!"33&"`*T$!*T!!X!"@eN05jS!!)
!!!d#C`!#0!!!"2N&!IjT!QS+rQN!"!TMCQpX$3*U!!&[!!!%r38!rQJ,rQJ!&$!
!#(4PEA"`BA4S!!KdC@e`8'&dD!EqD`!!!J*H!!)#D`*X$3*V!!*X!!)&$`82rQI
qCJ(qC`!!!IjQ!!!#!Q`!!J*Y!Qi0!Qd!!R)!!!82"4S#E`*`$3*[!!*L!!!&$`8
@!R%#FJd#F3!"E`!!"3m&%[jP#rjP!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP
`G'p'EfaNCA*3BA4S$3*b!!&Y!!!&%J89!R--!R-!#`!&1QeNBc)!!J!!$3*`!!&
[!!!!!!!!rQ3,rQ3!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)#EJ!#!R3#G3d#G!!
$53!#"4X&4IjMrQ)#GJVqB`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rQ)
!!!B#GJ!$rQ%#G`*i#[jK!!3+DfpME!d#G`!"E3!!"4m&)[jJ#[jJ!!3+B@aTB3B
#H!!$rPm#H3*k#[jI!!3+D@jcD!d#H3!#0!!!"58&,IjH!RX+rPi!"!TMCQpX$3*
l!!&[!!!&+38XrPd,rPd!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"
PEP066%PZBfaeC'9'EfaNCA*3BA4S"J*k!!2qA!*mrPX+rP`!"!TdEb!J$3*m!!*
Z!!!&-!8r!Rd#IJd#I3!#0!!!"6J&2rjD!Rm+rPS!"!TQD@aP$3*r!!&Y!!!&1`8
q!S!-!S!!$!!'E@4M-LjS!!)!!!d#IJ!#0!!!"6!&12jC!S%+rPN!"!TMCQpX$3+
"!!&[!!!&0!8hrPJ,rPJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq@`!!!J*e!!)
#JJ+$$3+#!!*X!!)&4J9'rPIq9J(q9`!!!Ij@!!!#!S-!!J+%!S80!S3!!R)!!!9
'"9%#KJ+($3+'!!*L!!!&4J90!SJ#L3d#L!!"E`!!"8B&5Ij9#rj9!#3`!""MFRP
`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3+*!!&Y!!!&539-!SS-!SS
!$J!)1QpLDQ9MG(-!!J!!$3+(!!&[!!!!!!!!rP3,rP3!&$!!#(4PEA"`BA4S!!K
dC@e`8'&dD!)#K3!#!SX#M!d#L`!$53!#"9)&I2j6rP)#M3Vq8`!B,Q0[FQ9MFQ9
X+LSU+J!!!!!!!*!!!'jeE'`"rP)!!!B#M3!$rP%#MJ+2#[j4!!3+DfpME!d#MJ!
"E3!!"9B&@Ij3#[j3!!3+B@aTB3B#M`!$rNm#N!!#N3Vq6`!%#QPZFfJ0!T!!!!)
d!!!&A!9NrNi#NJVq6J!%#Q0QEf`0!T)!!@m!!!9J"@2q63[q63!d-!!BEh"PER0
cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!T%
!!rj-!T2q5`Vq6!!%#R4[)#!0!T-!!Qi!!!9R"AB#P!+9$3+8!!)d!!!&E`9frNS
#PJVq5J!%#QCTE'80!TB!!@d!!!9b"A8#P``#P`!2!!P[BQTPBh4c,QJ!!J!!$3+
9!!)d!!!&C`9[rNN#Q!Vq53!%#Q0QEf`0!TJ!!@m!!!9V"@lq5![q5!!8-!!)G'9
YF("KG'J!#(4PEA"3BA4S"[j,!!!#!S`!!J+C!TS0!TN!!Q`!!J9p"Ahq4rj'!Ij
(!!!"rNB!!!)#QJ!#!TX#R!d#Q`!#FJ!!"Ad&L!+G!Ti0!Td!!Q)!!!9p"B3#R`+
J$3+I!!&[!!!&I3@!rN8,rN8!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC
[E'4PFP"KG'J0!U!!!@d!!!@!"B-#S3`#S3!+!!3kF'9Y!!)!!!d#RJ!"E`!!!!!
!!2j%#rj%!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!T`!!J+L!U-0!U)!!dN!!J@
*"E2q3rj#!U3+rN-!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ij#!!!'!U3
!!rj"!U8#TJVq33!%#QY[Bf`0!U8!!@d!!!@0"C!!rN!+rN!!"!TKE'PK"J+Q!!2
q2`+R!UJ+rMm!"!TTER0S$3+R!!)d!!!&N`@ErMi#U3Vq2J!%#Q0QEf`0!UN!!@m
!!!@A"CVq23[q23!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
-5@jME(9NC8C[E'4PFP"KG'J'!UJ!!rim!UVq1`Vq2!!%#R4[)#!0!US!!Qi!!!@
H"Dd#U`+X$3+V!!)d!!!&TJ@YrMS#V3Vq1J!%#QCTE'80!Ud!!@d!!!@T"D`#VJ`
#VJ!,!!9`C@dZD!!#!!!0!U`!!M3!!!@H"DEq13+[#[ij!!3+BfC[E!d#V`!"E`!
!"D)&TIii#rii!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'rMX!!!)#S`!#!V!#X3d
#X!!$53!#"E3&h[ihrMB#XJVq0`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`
"rMB!!!B#XJ!$rM8#X`+d#[ie!!3+DfpME!d#X`!"E3!!"EJ&Zrid#[id!!3+B@a
TB3B#Y!!$rM-#Y3+f#[ic!!3+D@jcD!d#Y3!#0!!!"Ei&a[ib!VF+rM)!"!TMCQp
X$3+h!!&[!!!&`JA&rM%,rM%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!
BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J+f!!2q-!+irLm+rM!!"!TdEb!J$3+
i!!*Z!!!&b3AB!VN#ZJd#Z3!#0!!!"G%&f2iZ!VX+rLi!"!TQD@aP$3+l!!&Y!!!
&e!AA!V`-!V`!$!!'F'9Y-LjS!!)!!!d#ZJ!#0!!!"FN&dIiY!Vd+rLd!"!TMCQp
X$3+p!!&[!!!&c3A3rL`,rL`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq,`!!!J+
a!!)#[J+r$3+q!!*X!!)&h`AIrL[q+J(q+`!!!IiU!!!#!Vm!!J,!!X%0!X!!!R)
!!!AI"HS#`J,$$3,#!!*L!!!&h`AQ!X3#a3d#a!!"E`!!"Gm&i[iT#riT!#3`!""
MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,&!!&Y!!!&iJAP!XB
-!XB!$3!(1R"VBh-a-J!#!!!0!X-!!@m!!!!!!!$q+![q+!!8-!!)G'9YF("KG'J
!#(4PEA"3BA4S!J,"!!)#a`,)$3,(!!0*!!)&k`B9rLIq*J,*#[iR!"JZBfpbC@0
bC@`U+LSU!!!!!!!!N!!!ER9XE!(q*J!!"J,*!!2q*3,+!XX+rL8!"!TVEf0X$3,
+!!&Y!!!&l`AbrL3+rL3!"!TKE'PK"J,,!!2q)`,-!Xd+rL-!"!TTER0S$3,-!!)
d!!!&p3AprL)#cJVq)J!%#Q0QEf`0!Xi!!@m!!!Aj"Icq)3[q)3!d-!!BEh"PER0
cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!Xd
!!riJ!Xrq(`Vq)!!%#R4[)#!0!Xm!!Qi!!!B!"Jm#d!,4$3,3!!)d!!!'#!B2rKi
#dJVq(J!%#QCTE'80!Y)!!@d!!!B,"Ji#d``#d`!1!!K`Df0c-6)ZD!!#!!!0!Y%
!!M3!!!B!"JMq(3,8#[iG!!3+BfC[E!d#e!!"E`!!"J3'"riF#riF!"3`!!KdC@e
`F'&dD!!)G'9YF&"KG'J'rKm!!!)#b!!#!Y8#eJd#e3!#E!!#"KB'&[iErKS"rKX
!!!(q'J!!!J,@!!)#e`,B$3,A!!*b!!!'&JBK!YN#fJd#f3!#BJ!!"KB'(3,E!Y`
0!YX!!@m!!!B@"KRq'3[q'3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4Qp
XC'9b8'&dD!d#h!!"E3!!"KN'(!,G$!,G!!`!"MT`Df0c0`!#!!!0!YS!!@m!!!!
!!!$q'![q'!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J,B!!)#hJ,I$3,H!!0*!!)
')JC-rKIq&J,J#[iA!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!(q&J!!"J,
J!!2q&3,K!Z)+rK8!"!TVEf0X$3,K!!&Y!!!'*JBTrK3+rK3!"!TKE'PK"J,L!!2
q%`,M!Z3+rK-!"!TTER0S$3,M!!)d!!!',!BdrK)#j3Vq%J!%#Q0QEf`0!Z8!!@m
!!!B`"M2q%3[q%3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0
-5@jME(9NC8C[E'4PFP"KG'J'!Z3!!ri3!ZEq$`Vq%!!%#R4[)#!0!ZB!!Qi!!!B
h"NB#j`,S$3,R!!)d!!!'2`C'rJi#k3Vq$J!%#QCTE'80!ZN!!@d!!!C#"N8#kJ`
#kJ!0!!G`Df0c0bjS!!)!!!d#k!!#0!!!"MF'2ri0!ZX+rJd!"!TMCQpX$3,V!!&
[!!!'1`BqrJ`,rJ`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eq$`!!!J,I!!)#l!,
Y$3,X!!*X!!)'63C0rJ[q#J(q#`!!!Ii+!!!#!Zd!!J,Z!Zm0!Zi!!R)!!!C0"PJ
#m!,a$3,`!!*L!!!'63C8![)#m`d#mJ!"E`!!"Nd'82i*#ri*!#3`!""MFRP`G'p
QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3,c!!&Y!!!'8!C6![3-![3!#`!
&1R*KEQ3!!J!!$3,a!!&[!!!!!!!!rJJ,rJJ!&$!!#(4PEA"`BA4S!!KdC@e`8'&
dD!)#l`!#![8#pJd#p3!$53!#"PN'Jri(rJB#p`Vq"`!B,Q0[FQ9MFQ9X+LSU+J!
!!!!!!*!!!'jeE'`"rJB!!!B#p`!$rJ8#q!,j#[i&!!3+DfpME!d#q!!"E3!!"Pd
'B2i%#[i%!!3+B@aTB3B#q3!$rJ-#qJ,l#[i$!!3+D@jcD!d#qJ!#0!!!"Q-'Dri
#![`+rJ)!"!TMCQpX$3,m!!&[!!!'C`CUrJ%,rJ%!0$!!''p`C@jcFfaTEQ0XG@4
PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J,l!!2q!!,prIm
+rJ!!"!TdEb!J$3,p!!*Z!!!'EJCp![i#r`d#rJ!#0!!!"RB'IIhq!`!+rIi!"!T
QD@aP$3-!!!&Y!!!'H3Cm!`%-!`%!$!!'FQ&ZC#jS!!)!!!d#r`!#0!!!"Qi'G[h
p!`)+rId!"!TMCQpX$3-#!!&[!!!'FJCerI`,rI`!&$!!#(4PEA"`BA4S!!KdC@e
`8'&dD!Epr`!!!J,f!!)$!`-%$3-$!!*X!!)'K!D%rI[pqJ(pq`!!!Ihk!!!#!`3
!!J-&!`B0!`8!!R)!!!D%"Sm$"`-)$3-(!!*L!!!'K!D,!`N$#Jd$#3!"E`!!"S3
'Krhj#rhj!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-
+!!&Y!!!'K`D+!`X-!`X!#J!%1R*M-J!#!!!0!`J!!@m!!!!!!!$pq![pq!!8-!!
)G'9YF("KG'J!#(4PEA"3BA4S!J-'!!)$$!-0$3--!!0*!!)'N!!'Z[hhrIB$$JV
pp`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rIB!!!B$$J!$rI8$$`-3#[h
e!!3+DfpME!d$$`!"E3!!"T3'Prhd#[hd!!3+B@aTB3B$%!!$rI-$%3-5#[hc!!3
+D@jcD!d$%3!#0!!!"TS'S[hb!a-+rI)!"!TMCQpX$3-6!!&[!!!'RJDKrI%,rI%
!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
NCA*3BA4S"J-5!!2pm!-8rHm+rI!!"!TdEb!J$3-8!!*Z!!!'T3Dd!a8$&Jd$&3!
#0!!!"Ud'Y2hZ!aF+rHi!"!TQD@aP$3-A!!&Y!!!'X!Dc!aJ-!aJ!#`!&FQ-b,QJ
!!J!!$3-@!!)d!!!'T3DYrHd$'3Vpl3!%#Q0QEf`0!aN!!@m!!!DT"Ucpl![pl!!
8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[h[!!!#!`d!!J-D!aX0!aS!!Q`!!JDl"V[
pkrhU!IhV!!!"rHS!!!)$'`!#!a`$(3d$(!!#FJ!!"VX'aJ-H!am0!ai!!Q)!!!D
l"X)$)!-K$3-J!!&[!!!'Z`DqrHN,rHN!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0
bHA"dEdC[E'4PFP"KG'J0!b%!!@d!!!Dq"X%$)J`$)J!+!!3kFQ-d!!)!!!d$(`!
"E`!!!!!!!2hS#rhS!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!ad!!J-M!b30!b-
!!dN!!JE("[(pjrhQ!b8+rHF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"ZG@aX!Ih
Q!!!'!b8!!rhP!bB$*`Vpj3!%#QY[Bf`0!bB!!@d!!!E,"Xlpj!Vpj!!%#Q&XD@%
'!bF!!rhM!bJ$+3Vpi`!%#QPZFfJ0!bJ!!M3!!!E4"YRpiJ-U#[hL!!3+BfC[E!d
$+J!"E`!!"Y8'f2hK#rhK!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p
`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$+3!$rH!$+rhI#[hJ!!3+G'mJ)!d$+`!
#EJ!!"Y`'k`-X!bd0!b`!!M3!!!EN"Z[phJ-Z#[hH!!3+CQPXC3d$,J!"E3!!"ZF
'kJ-[$!-[!!X!"A*M0#jS!!)!!!d$,3!#0!!!"Y`'j2hG!c!+rGd!"!TMCQpX$3-
`!!&[!!!'i!EMrG`,rG`!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!Eph`!!!J-N!!)
$-3-b$3-a!!*X!!)'mJEbrG[pfJ(pf`!!!IhD!!!#!c)!!J-c!c30!c-!!R)!!!E
b"[d$03-f$3-e!!*L!!!'mJEj!cF$1!d$0`!"E`!!"[)'pIhC#rhC!#3`!""MFRP
`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$3-i!!&Y!!!'p3Ei!cN-!cN
!#J!%1R*M03!#!!!0!cB!!@m!!!!!!!$pf![pf!!8-!!)G'9YF("KG'J!#(4PEA"
3BA4S!J-d!!)$1J-l$3-k!!0*!!)'rJFSrGIpeJ-m#[hA!"JZBfpbC@0bC@`U+LS
U!!!!!!!!N!!!ER9XE!(peJ!!"J-m!!2pe3-p!ci+rG8!"!TVEf0X$3-p!!&Y!!!
(!JF&rG3+rG3!"!TKE'PK"J-q!!2pd`-r!d!+rG-!"!TTER0S$3-r!!)d!!!(#!F
3rG)$33VpdJ!%#Q0QEf`0!d%!!@m!!!F-"`rpd3[pd3!d-!!BEh"PER0cE'PZBfa
eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!d!!!rh3!d,
pc`Vpd!!%#R4[)#!0!d)!!Qi!!!F6"b)$3`0%$30$!!)d!!!('`FLrFi$43VpcJ!
%#QCTE'80!d8!!@d!!!FH"b%$4J`$4J!,!!9bBc8ZD!!#!!!0!d3!!M3!!!F6"a[
pc30(#[h0!!3+BfC[E!d$4`!"E`!!"aF('[h-#rh-!"3`!!KdC@e`F'&dD!!)G'9
YF&"KG'J'rFm!!!)$1`!#!dJ$53d$5!!#E!!#"bN(+Ih,rFS"rFX!!!(pbJ!!!J0
*!!)$5J0,$30+!!*b!!!(+3Fd!d`$63d$6!!#BJ!!"bN(-!01!dm0!di!!@m!!!F
T"bcpb3[pb3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d
$6`!"E3!!"b`(,`03$!03!!d!"cTbDA"PE@3!!J!!$300!!&[!!!!!!!!rFJ,rFJ
!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$5`!#!e%$8Jd$83!$53!#"c8(Arh(rFB
$8`Vpa`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rFB!!!B$8`!$rF8$9!0
9#[h&!!3+DfpME!d$9!!"E3!!"cN(22h%#[h%!!3+B@aTB3B$93!$rF-$9J0A#[h
$!!3+D@jcD!d$9J!#0!!!"cm(4rh#!eJ+rF)!"!TMCQpX$30B!!&[!!!(3`G'rF%
,rF%!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
'EfaNCA*3BA4S"J0A!!2p`!0CrEm+rF!!"!TdEb!J$30C!!*Z!!!(5JGC!eS$@`d
$@J!#0!!!"e)(@Ifq!e`+rEi!"!TQD@aP$30F!!&Y!!!(93GB!ed-!ed!$J!)FQP
`C@eN,QJ!!J!!$30E!!)d!!!(5JG5rEd$AJVp[3!%#Q0QEf`0!ei!!@m!!!G1"e(
p[![p[!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[fr!!!#!e)!!J0I!f!0!em!!Q`
!!JGJ"f$pZrfk!Ifl!!!"rES!!!)$B!!#!f%$BJd$B3!#FJ!!"f!(D`0M!f30!f-
!!Q)!!!GJ"fF$C30Q$30P!!&[!!!(B!GMrEN,rEN!*$!!%'0bHA"dEfC[E'4PFR"
KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!fB!!@d!!!GM"fB$C``$C`!+!!3kFR0K!!)
!!!d$C!!"E`!!!!!!!2fi#rfi!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J#!f)!!J0
S!fN0!fJ!!dN!!JGX"jEpYrff!fS+rEF!'#jMEh*PBh*PE#SU+LS!!!!!!!#3!!"
ZG@aX!Iff!!!'!fS!!rfe!fX$E!VpY3!%#QY[Bf`0!fX!!@d!!!G`"h2pY!VpY!!
%#Q&XD@%'!f`!!rfc!fd$EJVpX`!%#QPZFfJ0!fd!!M3!!!Gf"hlpXJ0[#[fb!!3
+BfC[E!d$E`!"E`!!"hS(IIfa#rfa!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4PFR"
KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B$EJ!$rE!$F2f[#[f`!!3+G'm
J)!d$F!!#EJ!!"i%(N!!$F30b$30a!!)d!!!(L3H3!2fZ!h-+rDi!"!TQD@aP$30
c!!&Y!!!(M!H2!h3-!h3!#`!&FR0K,QJ!!J!!$30b!!)d!!!(J3H*rDd$G3VpV3!
%#Q0QEf`0!h8!!@m!!!H&"iMpV![pV!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[f
[!!!#!fN!!J0f!hF0!hB!!Q`!!JHA"jIpUrfU!IfV!!!"rDS!!!)$G`!#!hJ$H3d
$H!!#FJ!!"jF(SJ0k!hX0!hS!!Q)!!!HA"ji$I!0p$30m!!&[!!!(P`HDrDN,rDN
!*$!!%'0bHA"dEfC[E'4PFR"KG'J!%'0bHA"dEdC[E'4PFP"KG'J0!hd!!@d!!!H
D"jd$IJ`$IJ!-!!BkFh4KBfX!!J!!$30l!!&[!!!!!!!!rDJ,rDJ!&$!!#(4PEA"
`BA4S!!KdC@e`8'&dD!)$H3!#!hm$J!d$I`!$53!#"k-(cIfRrDB$J3VpT`!B,Q0
[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rDB!!!B$J3!$rD8$JJ1$#[fP!!3+Dfp
ME!d$JJ!"E3!!"kF(U[fN#[fN!!3+B@aTB3B$J`!$rD-$K!1&#[fM!!3+D@jcD!d
$K!!#0!!!"kd(YIfL!iB+rD)!"!TMCQpX$31'!!&[!!!(X3HdrD%,rD%!0$!!''p
`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4
S"J1&!!2pS!1(rCm+rD!!"!TdEb!J$31(!!*Z!!!(Z!I(!iJ$L3d$L!!#0!!!"m!
(arfH!iS+rCi!"!TQD@aP$31+!!&Y!!!(``I'!iX-!iX!$3!(Fh4KBfXZD!!#!!!
0!iN!!M3!!!Hi"m$pR31-#[fG!!3+BfC[E!d$M!!"E`!!"l`([rfF#rfF!"3`!!K
dC@e`F'&dD!!)G'9YF&"KG'J'rCm!!!)$J!!#!id$MJd$M3!$53!#"mi(q2fErCS
$M`VpQ`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rCS!!!B$M`!$rCN$N!!
$N3VpQ3!%#QY[Bf`0!j!!!!&Y!!!(dJI9rCJ+rCJ!"!TKE'PK"J14!!2pP`15!j-
+rCF!"!TTER0S$315!!)d!!!(f!IJrCB$P!VpPJ!%#Q0QEf`0!j3!!@m!!!IF"pr
pP3[pP3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
NC8C[E'4PFP"KG'J'!j-!!rf8!jApN`VpP!!%#R4[)#!0!j8!!Qi!!!IM"r)$PJ1
A$31@!!)d!!!(k`IbrC)$Q!VpNJ!%#QCTE'80!jJ!!@d!!!IZ"r%$Q3`$Q3!4!!Y
cB@CPFh4KBfXZD!!#!!!0!jF!!M3!!!IM"q[pN31D#[f4!!3+BfC[E!d$QJ!"E`!
!"qF(k[f3!![pN!!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!EpN`!!!J11!!)$Q`1
F$31E!!*X!!)(q3IjrBrpMJ(pM`!!!If1!!!#!j`!!J1G!ji0!jd!!R)!!!Ij#!3
$R`1J$31I!!*L!!!(q3J!!k%$SJd$S3!"E`!!"rN(r2f0#rf0!#3`!""MFRP`G'p
QEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S$31L!!&Y!!!(r!Ir!k--!k-!#J!
%1R0SB3!#!!!0!k!!!@m!!!!!!!$pM![pM!!8-!!)G'9YF("KG'J!#(4PEA"3BA4
S!J1H!!)$T!1P$31N!!0*!!))"3J[rB[pLJ1Q#[f,!"JZBfpbC@0bC@`U+LSU!!!
!!!!!N!!!ER9XE!(pLJ!!"J1Q!!2pL31R!kJ+rBN!"!TVEf0X$31R!!&Y!!!)#3J
-rBJ+rBJ!"!TKE'PK"J1S!!2pK`1T!kS+rBF!"!TTER0S$31T!!)d!!!)$`JArBB
$U`VpKJ!%#Q0QEf`0!kX!!@m!!!J6#"EpK3[pK3!d-!!BEh"PER0cE'PZBfaeC'9
QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!kS!!rf%!kcpJ`V
pK!!%#R4[)#!0!k`!!Qi!!!JD##N$V31Z$31Y!!)d!!!))JJTrB)$V`VpJJ!%#QC
TE'80!km!!@d!!!JP##J$X!`$X!!,!!9cD'%ZD!!#!!!0!ki!!M3!!!JD##,pJ31
a#[f"!!3+BfC[E!d$X3!"E`!!#"i))If!#rf!!"3`!!KdC@e`F'&dD!!)G'9YF&"
KG'J'rB-!!!)$T3!#!l)$X`d$XJ!#E!!##$!)-2errAi"rAm!!!(pIJ!!!J1c!!)
$Y!1e$31d!!*b!!!)-!Jl!lB$Y`d$YJ!#BJ!!#$!)0`1i!lN0!lJ!!@m!!!J`#$2
pI3[pI3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD!d$Z3!
"E3!!#$-)0J1k$!1k!!d!"cTdH(4IC')!!J!!$31h!!&[!!!!!!!!rA`,rA`!&$!
!#(4PEA"`BA4S!!KdC@e`8'&dD!)$Y3!#!lX$[!d$Z`!$53!##$`)C[elrAS$[3V
pH`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"rAS!!!B$[3!$rAN$[J1r#[e
j!!3+DfpME!d$[J!"E3!!#%!)3rei#[ei!!3+B@aTB3B$[`!$rAF$`!2"#[eh!!3
+D@jcD!d$`!!#0!!!#%B)6[ef!m)+rAB!"!TMCQpX$32#!!&[!!!)5JK0rA8,rA8
!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'Efa
NCA*3BA4S"J2"!!2pG!2$rA-+rA3!"!TdEb!J$32$!!*Z!!!)83KJ!m3$a3d$a!!
#0!!!#&N)B2eb!mB+rA)!"!TQD@aP$32'!!&Y!!!)A!KI!mF-!mF!$J!)G(KdAf4
L,QJ!!J!!$32&!!)d!!!)83KCrA%$b!VpF3!%#Q0QEf`0!mJ!!@m!!!K9#&MpF![
pF!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[ec!!!#!l`!!J2*!mS0!mN!!Q`!!JK
R#'IpEreZ!Ie[!!!"r@i!!!)$bJ!#!mX$c!d$b`!#FJ!!#'F)FJ20!mi0!md!!Q)
!!!KR#'i$c`23$322!!&[!!!)C`KUr@d,r@d!*$!!%'0bHA"dEfC[E'4PFR"KG'J
!%'0bHA"dEdC[E'4PFP"KG'J0!p!!!@d!!!KU#'d$d3`$d3!,!!8kH$8`13!#!!!
0!mi!!@m!!!!!!!$pE![pE!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!J2-!!)$dJ2
6$325!!0*!!))F`LGr@[pDJ28#[eV!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
XE!(pDJ!!"J28!!2pD329!pB+r@N!"!TVEf0X$329!!&Y!!!)G`Kkr@J+r@J!"!T
KE'PK"J2@!!2pC`2A!pJ+r@F!"!TTER0S$32A!!)d!!!)I3L&r@B$f3VpCJ!%#Q0
QEf`0!pN!!@m!!!L"#)6pC3[pC3!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'!pJ!!reN!pVpB`VpC!!%#R4[)#!
0!pS!!Qi!!!L)#*F$f`2F$32E!!)d!!!)N!!)PreL!pd+r@)!"!TQD@aP$32G!!&
Y!!!)N`L@!pi-!pi!$!!'H$8`15jS!!)!!!d$h!!#0!!!#)J)N!$pB32I#[eK!!3
+BfC[E!d$h`!"E`!!#)`)MreJ#reJ!"3`!!KdC@e`F'&dD!!)G'9YF&"KG'J'r@-
!!!)$d`!#!q!$i3d$i!!$53!##*i)b2eIr9i$iJVpA`!B,Q0[FQ9MFQ9X+LSU+J!
!!!!!!*!!!'jeE'`"r9i!!!B$iJ!$r9d$i`2N#[eG!!3+DfpME!d$i`!"E3!!#+)
)TIeF#[eF!!3+B@aTB3B$j!!$r9X$j32Q#[eE!!3+D@jcD!d$j3!#0!!!#+J)X2e
D!qF+r9S!"!TMCQpX$32R!!&[!!!)V!L[r9N,r9N!0$!!''p`C@jcFfaTEQ0XG@4
PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J2Q!!2p@!2Sr9F
+r9J!"!TdEb!J$32S!!*Z!!!)X`M#!qN$kJd$k3!#0!!!#,X)`[e@!qX+r9B!"!T
QD@aP$32V!!&Y!!!)[JM"!q`-!q`!%!!+H$8`19pfCRNZD!!#!!!0!qS!!M3!!!L
c#,[p932Y#[e9!!3+BfC[E!d$l3!"E`!!#,F)Z[e8#re8!"3`!!KdC@e`F'&dD!!
)G'9YF&"KG'J'r9F!!!)$i3!#!qi$l`d$lJ!#E!!##-N)bIe6r9)"r9-!!!(p8J!
!!J2[!!)$m!2a$32`!!*b!!!)b3M8!r)$m`d$mJ!#BJ!!#-N)d!2d!r80!r3!!@m
!!!M*#-cp83[p83!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&
dD!d$p3!"E3!!#-`)c`2f$!2f!!d!"cTi06!jGM-!!J!!$32c!!&[!!!!!!!!r9!
,r9!!&$!!#(4PEA"`BA4S!!KdC@e`8'&dD!)$m3!#!rF$q!d$p`!$53!##08)rre
2r8i$q3Vp6`!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8i!!!B$q3!$r8d
$qJ2l#[e0!!3+DfpME!d$qJ!"E3!!#0N)h2e-#[e-!!3+B@aTB3B$q`!$r8X$r!2
p#[e,!!3+D@jcD!d$r!!#0!!!#0m)jre+!ri+r8S!"!TMCQpX$32q!!&[!!!)i`M
Qr8N,r8N!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfa
eC'9'EfaNCA*3BA4S"J2p!!2p5!2rr8F+r8J!"!TdEb!J$32r!!*Z!!!)kJMj"!!
%!3d%!!!#0!!!#2))qIe'"!)+r8B!"!TQD@aP$33#!!&Y!!!)p3Mi"!--"!-!$J!
)H$8`1ABc,QJ!!J!!$33"!!)d!!!)kJMbr88%"!Vp43!%#Q0QEf`0"!3!!@m!!!M
Z#2(p4![p4!!8-!!)G'9YF("KG'J!#(4PEA"3BA4S"[e(!!!#!rJ!!J3&"!B0"!8
!!Q`!!JN!#3$p3re#!Ie$!!!"r8)!!!)%"J!#"!F%#!d%"`!$53!##3!*+[e"r8!
%#3Vp33!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r8!!!!B%#3!$r6m%#J3
,#[dr!!3+DfpME!d%#J!"E3!!#33*"rdq#[dq!!3+B@aTB3B%#`!$r6d%$!30#[d
p!!3+D@jcD!d%$!!#0!!!#3S*%[dm"!i+r6`!"!TMCQpX$331!!&[!!!*$JN4r6X
,r6X!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9
'EfaNCA*3BA4S"J30!!2p1J32r6N+r6S!"!TdEb!J$332!!*Z!!!*&3NN""!%%3d
%%!!#0!!!#4d**2di"")+r6J!"!TQD@aP$335!!&Y!!!*)!NM""--""-!#`!&Fh0
X,QJ!!J!!$334!!)d!!!*&3NGr6F%&!Vp0`!%#Q0QEf`0""3!!@m!!!NC#4cp0J[
p0J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD!Ep13!!!J3)!!)%&33
@$339!!0*!!)*+`P9r6Ap0!3A#[de!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9
XE!(p0!!!"J3A!!2p-`3B""N+r6-!"!TVEf0X$33B!!&Y!!!*,`Nbr6)+r6)!"!T
KE'PK"J3C!!2p-33D""X+r6%!"!TTER0S$33D!!)d!!!*03Npr6!%(!Vp-!!%#Q0
QEf`0""`!!@m!!!Nj#6cp,`[p,`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4
S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'""X!!rdZ""hp,3Vp,J!%#R4[)#!
0""d!!Qi!!!P!#8m%(J3I$33H!!)d!!!*5!P2r5`%)!Vp,!!%#QCTE'80"#!!!@d
!!!P,#8i%)3`%)3!-!!CcFf`b,QJ!!J!!$33I!!)d!!!*3!P)r5X%)JVp+`!%#Q0
QEf`0"#)!!@m!!!P%#8Ip+J[p+J!H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9
b8'&dD!Ep,3!!!J3@!!)%)`3N$33M!!0*!!)*9JQ!r5Rp+!3P#[dT!"JZBfpbC@0
bC@`U+LSU!!!!!!!!N!!!ER9XE!(p+!!!"J3P!!2p*`3Q"#F+r5F!"!TVEf0X$33
Q!!&Y!!!*@JPGr5B+r5B!"!TKE'PK"J3R!!2p*33S"#N+r58!"!TTER0S$33S!!)
d!!!*B!PSr53%+JVp*!!%#Q0QEf`0"#S!!@m!!!PN#@Ip)`[p)`!d-!!BEh"PER0
cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"#N
!!rdL"#[p)3Vp)J!%#R4[)#!0"#X!!Qi!!!PV#AS%,!3Y$33X!!)d!!!*F`Pkr5!
%,JVp)!!%#QCTE'80"#i!!@d!!!Pf#AN%,``%,`!0!!GcFf`b-bjS!!)!!!d%,3!
#0!!!#@X*FrdI"$!+r4m!"!TMCQpX$33`!!&[!!!*E`Pbr4i,r4i!(M!!$A0cE'C
[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r5%!!!)%*!!#"$%%-Jd%-3!$53!##B%
*UrdGr4`%-`Vp(3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r4`!!!B%-`!
$r4X%0!3e#[dE!!3+DfpME!d%0!!"E3!!#B8*L2dD#[dD!!3+B@aTB3B%03!$r4N
%0J3h#[dC!!3+D@jcD!d%0J!#0!!!#BX*NrdB"$J+r4J!"!TMCQpX$33i!!&[!!!
*M`Q5r4F,r4F!0$!!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%P
ZBfaeC'9'EfaNCA*3BA4S"J3h!!2p&J3jr48+r4B!"!TdEb!J$33j!!*Z!!!*PJQ
P"$S%1`d%1J!#0!!!#Ci*TId8"$`+r43!"!TQD@aP$33m!!&Y!!!*S3QN"$d-"$d
!$!!'Fh0X-bjS!!)!!!d%1`!#0!!!#CB*R[d6"$i+r4-!"!TMCQpX$33q!!&[!!!
*QJQGr4),r4)!(M!!$A0cE'C[E'4PFR"KG'J!$A0cE%C[E'4PFP"KG'J'r48!!!)
%-J!#"$m%3!d%2`!$53!##D`*e[d4r4!%33Vp%3!B,Q0[FQ9MFQ9X+LSU+J!!!!!
!!*!!!'jeE'`"r4!!!!B%33!$r3m%3J4$#[d2!!3+DfpME!d%3J!"E3!!#E!*Xrd
1#[d1!!3+B@aTB3B%3`!$r3d%4!4&#[d0!!3+D@jcD!d%4!!#0!!!#EB*[[d-"%B
+r3`!"!TMCQpX$34'!!&[!!!*ZJQpr3X,r3X!0$!!''p`C@jcFfaTEQ0XG@4PCQp
XC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*3BA4S"J4&!!2p#J4(r3N+r3S
!"!TdEb!J$34(!!*Z!!!*`3R3"%J%53d%5!!#0!!!#FN*d2d)"%S+r3J!"!TQD@a
P$34+!!&Y!!!*c!R2"%X-"%X!$!!'G'ac-5jS!!)!!!d%53!#0!!!#F%*bId("%`
+r3F!"!TMCQpX$34-!!&[!!!*a3R)r3B,r3B!(M!!$A0cE'C[E'4PFR"KG'J!$A0
cE%C[E'4PFP"KG'J'r3N!!!)%3!!#"%d%6Jd%63!#E!!##GF*erd&r33"r38!!!(
p"!!!!J41!!)%6`43$342!!0*!!)*e`S"r32p!J44#[d$!"JZBfpbC@0bC@`U+LS
U!!!!!!!!N!!!ER9XE!(p!J!!"J44!!2p!345"&-+r3%!"!TVEf0X$345!!&Y!!!
*f`RHr3!+r3!!"!TKE'PK"J46!!2mr`48"&8+r2m!"!TTER0S$348!!)d!!!*i3R
Tr2i%9JVmrJ!%#Q0QEf`0"&B!!@m!!!RP#HMmr3[mr3!d-!!BEh"PER0cE'PZBfa
eC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9NC8C[E'4PFP"KG'J'"&8!!rcm"&I
mq`Vmr!!%#R4[)#!0"&F!!Qi!!!RX#IX%@!4C$34B!!)d!!!*p!Rlr2S%@JVmqJ!
%#QCTE'80"&S!!@d!!!Rh#IS%@``%@`!1!!KMFRP`G'mZD!!#!!!0"&N!!M3!!!R
X#I6mq34F#[cj!!3+BfC[E!d%A!!"E`!!#I!*mrci#rci!#3`!""MFRP`G'pQEfa
NCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cl!!!#"&!!!J4G"&i0"&d!!Q`!!JS
##J,mprcf!Ich!!!"r2B!!!)%AJ!#"&m%B!d%A`!$53!##J)+,2cer23%B3Vmp3!
B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r23!!!B%B3!$r2-%BJ4M#[cc!!3
+DfpME!d%BJ!"E3!!#JB+#Icb#[cb!!3+B@aTB3B%B`!$r2%%C!4P#[ca!!3+D@j
cD!d%C!!#0!!!#J`+&2c`"'B+r2!!"!TMCQpX$34Q!!&[!!!+%!S6r1m,r1m!0$!
!''p`C@jcFfaTEQ0XG@4PCQpXC'9bF'&dD!!BEh"PEP066%PZBfaeC'9'EfaNCA*
3BA4S"J4P!!2mlJ4Rr1d+r1i!"!TdEb!J$34R!!*Z!!!+&`SQ"'J%D3d%D!!#0!!
!#Km+*[cX"'S+r1`!"!TQD@aP$34U!!&Y!!!+)JSP"'X-"'X!%!!+Eh"PER0cE(B
ZD!!#!!!0"'N!!M3!!!SA#Krmk`4X#[cV!!3+BfC[E!d%E!!"E`!!#KX+([cU#rc
U!#3`!""MFRP`G'pQEfaNCA*`BA4S!""MFRP`G'p'EfaNCA*3BA4S"[cY!!!#"'!
!!J4Y"'i0"'d!!dN!!JSY#PImkIcS"'m+r1N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
3!!"ZG@aX!IcS!!!'"'m!!rcR"(!%F3Vmj`!%#QY[Bf`0"(!!!@d!!!Sa#M6mjJV
mjJ!%#Q&XD@%'"(%!!rcP"()%F`Vmj3!%#QPZFfJ0"()!!M3!!!Sh#Mrmj!4d#[c
N!!3+BfC[E!d%G!!"E`!!#MX+2[cM#rcM!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%F`!$r1)%GIcK#[cL!!3
+G'mJ)!d%G3!#EJ!!#N)+834f"(F0"(B!!M3!!!T+#P(mi!4i#[cJ!!3+CQPXC3d
%H!!"E3!!#Nd+8!4j$!4j!!i!#(4YC'PQCLjS!!)!!!d%G`!#0!!!#N)+5[cI"(S
+r0m!"!TMCQpX$34k!!&[!!!+4JT*r0i,r0i!*$!!%'0bHA"dEfC[E'4PFR"KG'J
!%'0bHA"dEdC[E'4PFP"KG'J'r1%!!!)%EJ!#"(X%I!d%H`!#E!!##PJ+@2cGr0`
"r0d!!!(mh!!!!J4m!!)%I34q$34p!!*X!!)+@!TBr0[mfJ(mf`!!!IcD!!!#"(i
!!J4r")!0"(m!!dN!!JTB#S,mfIcB")%+r0N!'#jMEh*PBh*PE#SU+LS!!!!!!!#
3!!"ZG@aX!IcB!!!'")%!!rcA"))%J`Vme`!%#QY[Bf`0"))!!@d!!!TF#PrmeJV
meJ!%#Q&XD@%'")-!!rc9")3%K3Vme3!%#QPZFfJ0")3!!M3!!!TL#QVme!5'#[c
8!!3+BfC[E!d%KJ!"E`!!#QB+DIc6#rc6!$3`!"K[F'9ZFh0XD@jME(9NC@C[E'4
PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD!B%K3!$r0)%Krc4#[c5!!3
+G'mJ)!d%K`!#EJ!!#Qd+I!5)")N0")J!!M3!!!Te#Rcmd!5+#[c3!!3+CQPXC3d
%LJ!"E3!!#RJ+H`5,$!5,!!`!"Q9IEh-ZD!!#!!!0")N!!M3!!!TY#RAmc`5-#[c
2!!3+BfC[E!d%M!!"E`!!#R%+G2c1#rc1!#B`!"&[F'9ZFh0XCQpXC'9bF'&dD!!
4Eh"PER0cE%C[E'4PFP"KG'J'r0%!!!)%J!!#")d%MJd%M3!$53!##S-+VIc0r-`
%M`Vmc3!B,Q0[FQ9MFQ9X+LSU+J!!!!!!!*!!!'jeE'`"r-`!!!B%M`!$r-X%N!!
%N3Vmb`!%#QY[Bf`0"*!!!!&Y!!!+K`U+r-S+r-S!"!TKE'PK"J54!!2mb355"*-
+r-N!"!TTER0S$355!!)d!!!+M3U9r-J%P!Vmb!!%#Q0QEf`0"*3!!@m!!!U4#T6
ma`[ma`!d-!!BEh"PER0cE'PZBfaeC'9QEfaNCA*`BA4S!"K[F'9Z8e0-5@jME(9
NC8C[E'4PFP"KG'J'"*-!!rc'"*Ama3VmaJ!%#R4[)#!0"*8!!Qi!!!UB#UF%PJ5
A$35@!!)d!!!+S!URr-3%Q!Vma!!%#QCTE'80"*J!!@d!!!UM#UB%Q3`%Q3!0!!G
PAfpc-LjS!!)!!!d%P`!#0!!!#TJ+S2c$"*S+r--!"!TMCQpX$35D!!&[!!!+R!U
Ir-),r-)!*M!!%@p`C@jcFfaQEfaNCA*`BA4S!"&[F'9ZFh0X4QpXC'9b8'&dD!E
ma3!!!J51!!)%Qrc"$35E!!*X!!)+VJUZr-$m[`(m`!!!!Ibr!!!#r-%!!!d!#3!
"E3!!!!!!!3!I!Irq!!!#!!B!!J5F"*d0"*`!!Q`!!J!!!!$m[[bp!Ibq!!!"r,d
!!!)%R3!#"*i%R`d%RJ!#E!!##V%+b!5Jr,`0"+!!!dN!!JUa#XMmZ`5K"+)+r,X
!'#jcHA0[C'a[Cf&cDh)!!!!!!!!!!&4&@&30"+%!!@d!!!Ua#V3%S``%S`!'!!!
!!J!!"J5L!!2mZJ5N"+8+r,S!"!TLG'jc$35N!!&+!!!+Y`Um"+B#"+B!!J5Rr,N
0"+F!!@d!!!Uh#VS%U!`%U!!+!!4%EfjP!!)!!!,mZ3!!"J5P!!2mZ!5Tr,F+r,J
!"!TRDACe$35T!!&Y!!!+[`V#r,B$r,B!"3EmY`!!!Ibm!!!#"*m!!J5Ur,80"+S
!!Q`!!J!!!!$mY2bc!Ibd!!!"r,-!!!,mY3!!$J!#!!!2%!!$!",mXJ5V"+`%V35
Z"+m%X!5a",)%X`5d",8%YJ5hr,(mX2b[r+i"r,)!!"!%U`!3r+hmV2bVr+VmUIb
Sr+ImT[bPr+6mSrbLr+(mS2bIr*i+r+d!'#jKCACdEf&`F'jeE'`!!)!!!!#3!!!
U+LSU#rbX!")`!!GdD'9`BA4S!!GdD'93BA4S#rbV!"``!!adD'9[E'4NC@aTEA-
!$(4SC8pXC%4PE'PYF`[mUJ!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh4
3BA4S#rbT!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mU!!Q-!!4D@jME(9NC@C
[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rbR!$3`!"K[F'9ZFh0XD@jME(9
NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&dD![mTJ!N-!!3Bh*
jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mT3!H-!!0Fh0XCQpXC'9
bF'&dD!!0Fh0X4QpXC'9b8'&dD![mT!!Q-!!4Eh"PER0cE'C[E'4PFR"KG'J!%@p
`C@jcFfa'EfaNCA*3BA4S#rbM!#i`!"9dD'9ZCAGQEfaNCA*bC@CPFQ9ZBf8!&A4
SC8jPGdC[E'4PFP*PCQ9bC@jMC3[mSJ!8-!!)G'9YF("KG'J!#(4PEA"3BA4S!Ib
K!!!"r+!!!!(mR`!!!IbH!!!1"+`!"a$mR35ir*cmQ`5j",VmQJVmR3!B,Q&PGR4
[BA"`ER9XE!!!J!!!!*!!!#SU+LS0",J!!@X!!!!!#XJ%Z`)%Z`!#!!8%[!)%[!!
#"*lmQ3,mQ3!!!IbF!!!#r*X!!"!%Z3!!%!5k!)B!(rbBr*ImP[b9r*6mNrb5!#c
mNIb3!2b2r)lmMIb-!%rmL`"D!&[mLJ"Nr)N!EIb)r)ImKJ#2r)AmK2b$r),mJIb
!r(rmI[apr(cmH`#Tr(VmHIair(F![Iaf!-ImG3$8!1)!l!$j!3-"%!%D!5F"-3%
q!8J"93&I!@`"GJ'$!Bd"QJ'N!E%"Z`()!G)"h`(T!IB#!!)0!KF#*!)Z!MX#43*
5!P`#D3*c!S!#LJ+A!U%#VJ+m!XB#d`,G!ZS#p!-"!`X$'!-L!bm$130'!e!$A30
R!h3$IJ1,!jN$S`1`!lS$a`24!pi$l!2f"!-%%`3K"#m%234,"&X%D`4j")X%Q35
Mr(3%U2acr(,mF3VmQ!!%#Q0[BQS+r*F!'#jPBA*cCQCNFQ&XDA-!!!!!!!!J!'&
QC()+r*B!"!TMG(Kd#rb9!")`!!GdD'9`BA4S!!GdD'93BA4S#[b8!!3+BA0MFJV
mN`!%#R4iC'`,r*)!($!!$(4SC@pXC'4PE'PYF`!-G'KP6faN4'9XD@ec#[b4!!3
+BfPdE32mN!$rr3[mM`!J-!!1G'KPF(*[DQ9MG("KG'J!$R4SC9"bEfTPBh43BA4
S!rb1rri+r)d!"!T849K8#rb-!"B`!!PdD'9YCA"KG'J!#A4SC8eP8'&dD![mL`!
Q-!!4D@jME(9NC@C[E'4PFR"KG'J!%@PZBfaeC'9'EfaNCA*3BA4S#rb+!$3`!"K
[F'9ZFh0XD@jME(9NC@C[E'4PFR"KG'J!''p`C@j68da*EQ0XG@4P4QpXC'9b8'&
dD![mL3!N-!!3Bh*jF(4[CQpXC'9bF'&dD!!3Bh*jF(4[4QpXC'9b8'&dD![mL!!
H-!!0Fh0XCQpXC'9bF'&dD!!0Fh0X4QpXC'9b8'&dD![mK`!Q-!!4Eh"PER0cE'C
[E'4PFR"KG'J!%@p`C@jcFfa'EfaNCA*3BA4S#[b'!!3+BfC[E!VmK3!B,QeTFf0
cE'0d+LSU+J!!!!!!!*!!!#SU+LS+r)3!"!TcC@aP#[b$!"JZBfpbC@4PE'mU+LS
U!!!!!!!!N!!!+LSU+J(mJJ!!![b"!!!+r)!!"!TVEf0X#[ar!!3+D@jcD!2mIJ!
%#[ap!"JZBfpbC@0bC@`U+LSU!!!!!!!!N!!!ER9XE!VmI!!%#R*cE(3,r(X!,M!
!&A4SC@jPGfC[E'4PFR*PCQ9bC@jMC3!9G'KP6Q9h4QpXC'9b8Q9QCA*PEQ0P#[a
k!!3+F'jKE3VmH3!%#Q&XD@%+r(J!"!TdEb!J#[ah!!3+CQPXC32mGJ!'#rae!"3
`!!KdC@e`F'&dD!!)G'9YF&"KG'J+r(3!"!TLG'jc#[ac!!3+CfPfG32mFJ!&#[a
a!"JZFhPcEf4XEfGKFfYb!!!!!!!!!!"849K8%IbD#XRJ%JUYi1%TDJ`!!LrM*N9
4e%r&jLa&edrSaHBX4Nr%@qPF@eTVA&VU-NAE6m4Ek9aE@QYF@Z`bl5C&hNr,lbA
Y*N9J!""2bf%!%59K!")Pl5C&B!!66mYK!"3Pl5C&B!!96mYK!"BPl5C&B!!A6m[
Y*N9J!"K2amAQ,%C2&!!L+Q%!'9m!%#pK!"PK!"S[DJ`!'dmUB3!F,'S-!"eA!!K
B!"i!(fK2+Q%!)'%!'@%!)5TK!"PI!"![B3!L$!!M6em!*%9J!#92A`!PDJ`!'dp
K!#BUB3!F,'%!*ba'6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"R1,f%!+Q%!+bp
K!#`-!#02A`!9B3!Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
K!#TK!#m[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!
`,f%!,!`!)dpI!"9K!$%P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!
Z,f%!+Q%!-LpK!#`-!#02A`!9B3!c*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!
T+Q%!'9m!,LpK!#TK!$3[B3!X$!!M6em!&@%!059&B!!Z6bTK!#"K!#KK!#%UB3!
CA`!6,f%!+5TK!"PI!#i[B3!UB3!f,f%!,!`!)dpI!"9K!$FP4@!!,NmUB3!JB3!
SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!1#pK!#`-!#02A`!9B3!j*89J!#j
2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!$S[B3!X$!!M6em!&@%
!1b9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3!m,f%!,!`
!)dpI!"9K!$dP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
!2LpK!#`-!#02A`!9B3!r*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
!,LpK!#TK!%![B3!X$!!M6em!&@%!359&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
!+5TK!"PI!#i[B3!UB3"#,f%!,!`!)dpI!"9K!%-P4@!!,NmUB3!JB3!SB3!K+Q%
!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!4#pK!#`-!#02A`!9B3"&*89J!#j2+Q%!)'%
!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!%B[B3!X$!!M6em!&@%!4b9&B!!
Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"),f%!,!`!)dpI!"9
K!%NP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!5LpK!#`
-!#02A`!9B3",*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#T
K!%`[B3!X$!!M6em!&@%!659&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
I!#i[B3!UB3"1,f%!,!`!)dpI!"9K!%mP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bp
K!#NUB3!CA`!Z,f%!+Q%!8#pK!#`-!#02A`!9B3"4*89J!#j2+Q%!)'%!+'%!)5T
K!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&)[B3!X$!!M6em!&@%!8b9&B!!Z6bTK!#"
K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"8,f%!,!`!)dpI!"9K!&8P4@!
!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!9LpK!#`-!#02A`!
9B3"A*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!&J[B3!
X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"C,f%!,!`!)dp
I!"9K!&SP4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!@bp
K!#`-!#02A`!9B3"F*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,Lp
K!#TK!&d[B3!X$!!M6em!&@%!AL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5T
K!"PI!#i[B3!UB3"I,f%!,!`!)dpI!"9K!'!P4@!!,NmUB3!JB3!SB3!K+Q%!'9m
!%bpK!#NUB3!CA`!Z,f%!+Q%!B5pK!#`-!#02A`!9B3"L*89J!#j2+Q%!)'%!+'%
!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'-[B3!X$!!M6em!&@%!C#9&B!!Z6bT
K!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"P,f%!,!`!)dpI!"9K!'B
P4@!!,NmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!CbpK!#`-!#0
2A`!9B3"S*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!,LpK!#TK!'N
[B3!X$!!M6em!&@%!DL9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!#i
[B3!UB3"V,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%
!E#pK!#`-!#02A`!9B3"Y*89J!#j2+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m
!,LpK!#TK!'i[B3!X$!!M6em!&@%!Eb9&B!!Z6bTK!#"K!#KK!#%UB3!CA`!6,f%
!+5TK!"PI!#i[B3!UB3"`,f%!,!`!)dpI!"9K!(%P4@!!,NmUB3!JB3!SB3!K+Q%
!'9m!%bpK!#NUB3!CA`!Z,f%!+Q%!FLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-
[B3!T+Q%!'9m!,LpK!#TK!(-[B3!X$!!M6em!&@%!G#9&B!!Z6bTK!#"K!#KK!#%
UB3!CA`!6,f%!+5TK!"PI!#i[B3!UB3"e,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m
!%bpK!#NUB3!CA`!A,f%!+Q%!GLpK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!
T+Q%!'9m!&bpK!#TK!(F[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"P
I!"F[B3!UB3"i,f%!,!`!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!A,f%
!+Q%!H5pK!#`-!#02+Q%!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&bpK!#TK!(S
[B3!X$!!M6bTK!#"K!#KK!#%UB3!CA`!6,f%!+5TK!"PI!"8[B3!UB3"l,f%!,!`
!)dmUB3!JB3!SB3!K+Q%!'9m!%bpK!#NUB3!CA`!9,f%!+Q%!I#pK!#`-!#02+Q%
!)'%!+'%!)5TK!"PI!"-[B3!T+Q%!'9m!&5pK!#TK!(d[B3!X$!!M6bTK!#"K!#K
K!#%UB3!CA`!6,f%!+5TK!"PI!"J[B3!UB3"q,f%!,!`!)dmUB3!JB3!SB3!K+Q%
!'9m!%bpK!#NUB3!CA`!B,f%!+Q%!IbpK!#`-!#028&92B3#!B3#"B3##DhCK!)0
K!)4K!#)-!)82$!5Y!&%!5deKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0
[E@PZCcT[F'9ZFh0X,90139!Y-6Nj16%b-6%k6@&M6e-kE@YXD@jVFbjKF`!#!!!
1"+i!!J6mF!5p!ra`!!%1",d!!3!%[J`%[J!'!!!!!J!!$J5[!!)%r'm%[`2mE`!
%$J5r!!3!"-!%`36#"---"-!!%J!-6@&MD@jdEh0S)%K%!!)!!!`%`3!8!!j%CA0
VG'p`)%C[E'4PFJ!#!!!-"-)!$J!)5@jMEfeTEQF!!J!!$!6$!"X!&@p`C@jcFf`
Y8dj"8#da16Nj-6)a-3!#!!!-",!!4J"!6@&MD@jdEh0S)%K%1N4PFfYdEh!J4Qp
XC'9b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6T0B@028`!#!!!-",%
!5!"#6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9b1NPZBfpYD@jR1Qp`C@jcFf`
Y8dj"8#da16Nj-6)a-6TTEQ0XG@4P!!)!!!`%XJ"3!%T0B@0TER4[FfJJ5%3k4'9
cDh4[F#"'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a1QPZBfa
eC'8kEh"PER0cE!!#!!!-",-!4`""6@&MD@jdEh0S)%K%1N4PFfYdEh!J4QpXC'9
b1NPZBfpYD@jR1Qp`C@jcFf`Y8dj"8#da16Nj-6)a-6TMFRP`G'm!!J!!$!5d!%3
!2NeKBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90
139!Y-6Nj16%b-6%kFh0X!!)!!!`%Y3"!!$T0B@0TER4[FfJJ5%3k4'9cDh4[F#"
'EfaNCA)k5@jMEfeTEQFkEh"PER0cE#e66N&3,6%j16Na-M%a!!)!!!i%YJ!"&!6
%$J6%!!-B"-AmEJ6'$J6&!!-B"-ImE36)$J6(!!-B"-RmE!6+$J6*!!-B!"rmD`6
,#[aV!!3+BfC[E!`%b`!1!!K*EQ0[E@PZC`!#!!!+r'`!"!TMCQpX$!6+!"X!&@p
`C@jcFf`Y8dj"8#da16Nj-6)a-3!#!!!+r'd!"!TMCQpX$!6)!!d!"fPZBfaeC'8
!!J!!#[aZ!!3+BfC[E!`%aJ!9!!peER4TG'aPC#"QEfaNCA)!!J!!$!5h!%i!5%e
KBfPZG'pcD#")4$T%CA0VG'p`)%C[E'4PFMT*EQ0[E@PZCcT[F'9ZFh0X,90139!
Y-6Nj16%b-6%kBh*jF(4[1RJe-$Pf-`!#!!!"r,%!!!(mX!!!!Ib[!!!"r+i!!'&
cBh)!!3!-qYlHV3!!!3!!!*G#!!#@3J!!!AB!!$-8-0J!!!!F!AB!$h0MFhS!!!#
#6Np853!!!)jcBh"d!!!!QP4&@&3!!3#QFh4jE!!!!,j$6d4&!!%!bN*14%`!!!$
LBA"XG!!!!1j'8N9'!!!!qNP$6L-!!!%'D@0X0!!!!4*TBh-M!!!"(QPMFc3!!!%
UD'CNFJ!!!6C659T&!!!"3PG3Eh-!!!&1!!$rr`!!!!!!!!!!!)$rre!!!"i!!!!
!!)$rr`!!"cJ#DH#m"'Mrr`!!!*S!!!!!%iRrr`!!"Pi!!!!!"'Mrr`!!!53!!!!
!!!$rrb!!!9)!!!!!!!(rra3!!@i#DG`%!)$rr`!!!Pi#DH"X!!$rr`!!!Ri!!!!
!!)$rr`!!!S-#DH"d!*Err`!!!Si!!!!!!*Err`!!!j)!!!!!!*Err`!!"CB#DH%
i!*Err`!!"GS#DH%dkF$rr`!!"[`!!!!!rrrrr`!!"a)!!!!!!)$rr`!!"b!!!!!
!*4S:

126
MacOS/opensslconf.h Normal file
View File

@ -0,0 +1,126 @@
/* MacOS/opensslconf.h */
#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */
# if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
# define OPENSSLDIR "/usr/local/ssl"
# endif
#endif
#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
# define IDEA_INT unsigned int
#endif
#if defined(HEADER_MD2_H) && !defined(MD2_INT)
# define MD2_INT unsigned int
#endif
#if defined(HEADER_RC2_H) && !defined(RC2_INT)
/* I need to put in a mod for the alpha - eay */
# define RC2_INT unsigned int
#endif
#if defined(HEADER_RC4_H)
# if !defined(RC4_INT)
/*
* using int types make the structure larger but make the code faster on most
* boxes I have tested - up to %20 faster.
*/
/*-
* I don't know what does "most" mean, but declaring "int" is a must on:
* - Intel P6 because partial register stalls are very expensive;
* - elder Alpha because it lacks byte load/store instructions;
*/
# define RC4_INT unsigned char
# endif
# if !defined(RC4_CHUNK)
/*
* This enables code handling data aligned at natural CPU word
* boundary. See crypto/rc4/rc4_enc.c for further details.
*/
# define RC4_CHUNK unsigned long
# endif
#endif
#if defined(HEADER_DES_H) && !defined(DES_LONG)
/*
* If this is set to 'unsigned int' on a DEC Alpha, this gives about a %20
* speed up (longs are 8 bytes, int's are 4).
*/
# ifndef DES_LONG
# define DES_LONG unsigned long
# endif
#endif
#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
# define CONFIG_HEADER_BN_H
# if __option(longlong)
# define BN_LLONG
# else
# undef BN_LLONG
# endif
/* Should we define BN_DIV2W here? */
/* Only one for the following should be defined */
/*
* The prime number generation stuff may not work when EIGHT_BIT but I don't
* care since I've only used this mode for debuging the bignum libraries
*/
# undef SIXTY_FOUR_BIT_LONG
# undef SIXTY_FOUR_BIT
# define THIRTY_TWO_BIT
# undef SIXTEEN_BIT
# undef EIGHT_BIT
#endif
#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
# define CONFIG_HEADER_RC4_LOCL_H
/*
* if this is defined data[i] is used instead of *data, this is a %20 speedup
* on x86
*/
# undef RC4_INDEX
#endif
#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
# define CONFIG_HEADER_BF_LOCL_H
# define BF_PTR
#endif /* HEADER_BF_LOCL_H */
#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
# define CONFIG_HEADER_DES_LOCL_H
/*
* the following is tweaked from a config script, that is why it is a
* protected undef/define
*/
# ifndef DES_PTR
# define DES_PTR
# endif
/*
* This helps C compiler generate the correct code for multiple functional
* units. It reduces register dependancies at the expense of 2 more
* registers
*/
# ifndef DES_RISC1
# define DES_RISC1
# endif
# ifndef DES_RISC2
# undef DES_RISC2
# endif
# if defined(DES_RISC1) && defined(DES_RISC2)
YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED ! !!!!
# endif
/*
* Unroll the inner loop, this sometimes helps, sometimes hinders. Very mucy
* CPU dependant
*/
# ifndef DES_UNROLL
# define DES_UNROLL
# endif
#endif /* HEADER_DES_LOCL_H */
#ifndef __POWERPC__
# define MD32_XARRAY
#endif

692
Makefile Normal file
View File

@ -0,0 +1,692 @@
### Generated automatically from Makefile.org by Configure.
##
## Makefile for OpenSSL
##
VERSION=1.0.2s
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=1
SHLIB_MINOR=0.0
SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
PLATFORM=linux-x86_64
OPTIONS=-Wa,--noexecstack no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-libunbound no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl-trace no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
CONFIGURE_ARGS=linux-x86_64 -Wa,--noexecstack
SHLIB_TARGET=linux-shared
# HERE indicates where this Makefile lives. This can be used to indicate
# where sub-Makefiles are expected to be. Currently has very limited usage,
# and should probably not be bothered with at all.
HERE=.
# INSTALL_PREFIX is for package builders so that they can configure
# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
INSTALL_PREFIX=
INSTALLTOP=/usr/local/ssl
# Do not edit this manually. Use Configure --openssldir=DIR do change this!
OPENSSLDIR=/usr/local/ssl
# NO_IDEA - Define to build without the IDEA algorithm
# NO_RC4 - Define to build without the RC4 algorithm
# NO_RC2 - Define to build without the RC2 algorithm
# THREADS - Define when building with threads, you will probably also need any
# system defines as well, i.e. _REENTERANT for Solaris 2.[34]
# TERMIO - Define the termio terminal subsystem, needed if sgtty is missing.
# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
# DEVRANDOM - Give this the value of the 'random device' if your OS supports
# one. 32 bytes will be read from this when the random
# number generator is initalised.
# SSL_FORBID_ENULL - define if you want the server to be not able to use the
# NULL encryption ciphers.
#
# LOCK_DEBUG - turns on lots of lock debug output :-)
# REF_CHECK - turn on some xyz_free() assertions.
# REF_PRINT - prints some stuff on structure free.
# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
# MFUNC - Make all Malloc/Free/Realloc calls call
# CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
# call application defined callbacks via CRYPTO_set_mem_functions()
# MD5_ASM needs to be defined to use the x86 assembler for MD5
# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must
# equal 4.
# PKCS1_CHECK - pkcs1 tests.
CC= gcc
CFLAG= -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
PEX_LIBS=
EX_LIBS= -ldl
EXE_EXT=
ARFLAGS=
AR= ar $(ARFLAGS) r
RANLIB= /usr/bin/ranlib
RC= windres
NM= nm
PERL= /usr/local/bin/perl
TAR= tar
TARFLAGS= --no-recursion
MAKEDEPPROG= gcc
LIBDIR=lib
# We let the C compiler driver to take care of .s files. This is done in
# order to be excused from maintaining a separate set of architecture
# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
# gcc, then the driver will automatically translate it to -xarch=v8plus
# and pass it down to assembler.
AS=$(CC) -c
ASFLAG=$(CFLAG)
# For x86 assembler: Set PROCESSOR to 386 if you want to support
# the 80386.
PROCESSOR=
# CPUID module collects small commonly used assembler snippets
CPUID_OBJ= x86_64cpuid.o
BN_ASM= x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
EC_ASM= ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC= des_enc.o fcrypt_b.o
AES_ENC= aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
BF_ENC= bf_enc.o
CAST_ENC= c_enc.o
RC4_ENC= rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC= rc5_enc.o
MD5_ASM_OBJ= md5-x86_64.o
SHA1_ASM_OBJ= sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_ASM_OBJ=
WP_ASM_OBJ= wp-x86_64.o
CMLL_ENC= cmll-x86_64.o cmll_misc.o
MODES_ASM_OBJ= ghash-x86_64.o aesni-gcm-x86_64.o
ENGINES_ASM_OBJ=
PERLASM_SCHEME= elf
# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=
# Zlib stuff
ZLIB_INCLUDE=
LIBZLIB=
# TOP level FIPS install directory.
FIPSDIR=/usr/local/ssl/fips-2.0
# This is the location of fipscanister.o and friends.
# The FIPS module build will place it $(INSTALLTOP)/lib
# but since $(INSTALLTOP) can only take the default value
# when the module is built it will be in /usr/local/ssl/lib
# $(INSTALLTOP) for this build may be different so hard
# code the path.
FIPSLIBDIR=
# The location of the library which contains fipscanister.o
# normally it will be libcrypto unless fipsdso is set in which
# case it will be libfips. If not compiling in FIPS mode at all
# this is empty making it a useful test for a FIPS compile.
FIPSCANLIB=
# Shared library base address. Currently only used on Windows.
#
BASEADDR=0xFB00000
DIRS= crypto ssl engines apps test tools
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
# dirs in crypto to build
SDIRS= \
objects \
md4 md5 sha mdc2 hmac ripemd whrlpool \
des aes rc2 rc4 idea bf cast camellia seed modes \
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
cms pqueue ts srp cmac
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
TESTS = alltests
MAKEFILE= Makefile
MANDIR=$(OPENSSLDIR)/man
MAN1=1
MAN3=3
MANSUFFIX=
HTMLSUFFIX=html
HTMLDIR=$(OPENSSLDIR)/html
SHELL=/bin/sh
TOP= .
ONEDIRS=out tmp
EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_LIBS=
SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
SHARED_LDFLAGS=-m64
GENERAL= Makefile
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
all: Makefile build_all
# as we stick to -e, CLEARENV ensures that local variables in lower
# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
# shell, which [annoyingly enough] terminates unset with error if VAR
# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
# which terminates unset with error if no variable was present:-(
CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES} \
$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC} \
$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL} \
$${EXHEADER+EXHEADER} $${HEADER+HEADER} \
$${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
$${APPS+APPS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
CC='$(CC)' CFLAG='$(CFLAG)' \
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
RC='$(RC)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \
INSTALL_PREFIX='$(INSTALL_PREFIX)' \
INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)' \
LIBDIR='$(LIBDIR)' \
MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \
MAKEDEPPROG='$(MAKEDEPPROG)' \
SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \
KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \
ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \
EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)' \
SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)' \
PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)' \
CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)' \
EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' \
AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)' \
BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)' \
RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)' \
SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \
MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \
RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \
WP_ASM_OBJ='$(WP_ASM_OBJ)' \
MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \
PERLASM_SCHEME='$(PERLASM_SCHEME)' \
FIPSLIBDIR='${FIPSLIBDIR}' \
FIPSDIR='${FIPSDIR}' \
FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
# BUILD_CMD is a generic macro to build a given target in a given
# subdirectory. The target must be given through the shell variable
# `target' and the subdirectory to build in must be given through `dir'.
# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
# BUILD_ONE_CMD instead.
#
# BUILD_ONE_CMD is a macro to build a given target in a given
# subdirectory if that subdirectory is part of $(DIRS). It requires
# exactly the same shell variables as BUILD_CMD.
#
# RECURSIVE_BUILD_CMD is a macro to build a given target in all
# subdirectories defined in $(DIRS). It requires that the target
# is given through the shell variable `target'.
BUILD_CMD= if [ -d "$$dir" ]; then \
( cd $$dir && echo "making $$target in $$dir..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
) || exit 1; \
fi
RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
BUILD_ONE_CMD=\
if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
$(BUILD_CMD); \
fi
reflect:
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
sub_all: build_all
build_all: build_libs build_apps build_tests build_tools
build_libs: build_libcrypto build_libssl openssl.pc
build_libcrypto: build_crypto build_engines libcrypto.pc
build_libssl: build_ssl libssl.pc
build_crypto:
@dir=crypto; target=all; $(BUILD_ONE_CMD)
build_ssl: build_crypto
@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines: build_crypto
@dir=engines; target=all; $(BUILD_ONE_CMD)
build_apps: build_libs
@dir=apps; target=all; $(BUILD_ONE_CMD)
build_tests: build_libs
@dir=test; target=all; $(BUILD_ONE_CMD)
build_tools: build_libs
@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
fips_premain_dso$(EXE_EXT): libcrypto.a
[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ \
$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
libcrypto.a $(EX_LIBS)
libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
@if [ "$(SHLIB_TARGET)" != "" ]; then \
if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
FIPSLD_LIBCRYPTO=libcrypto.a ; \
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \
(touch -c fips_premain_dso$(EXE_EXT) || :); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@if [ "$(SHLIB_TARGET)" != "" ]; then \
$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
clean-shared:
@set -e; for i in $(SHLIBDIRS); do \
if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
tmp="$(SHARED_LIBS_LINK_EXTS)"; \
for j in $${tmp:-x}; do \
( set -x; rm -f lib$$i$$j ); \
done; \
fi; \
( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
fi; \
done
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
symlink.$(SHLIB_TARGET); \
libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
do_$(SHLIB_TARGET):
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \
libs="-l$$i $$libs"; \
done
libcrypto.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo 'enginesdir=$${libdir}/engines'; \
echo ''; \
echo 'Name: OpenSSL-libcrypto'; \
echo 'Description: OpenSSL cryptography library'; \
echo 'Version: '$(VERSION); \
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo ''; \
echo 'Name: OpenSSL-libssl'; \
echo 'Description: Secure Sockets Layer and cryptography libraries'; \
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo ''; \
echo 'Name: OpenSSL'; \
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
echo 'Version: '$(VERSION); \
echo 'Requires: libssl libcrypto' ) > openssl.pc
Makefile: Makefile.org Configure config
@echo "Makefile is older than Makefile.org, Configure or config."
@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@false
libclean:
rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
clean: libclean
rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
rm -f $(LIBS)
rm -f openssl.pc libssl.pc libcrypto.pc
rm -f speed.* .pure
rm -f $(TARFILE)
@set -e; for i in $(ONEDIRS) ;\
do \
rm -fr $$i/*; \
done
distclean: clean
-$(RM) `find . -name .git -prune -o -type l -print`
$(RM) apps/CA.pl
$(RM) test/evptests.txt test/newkey.pem test/testkey.pem test/testreq.pem
$(RM) tools/c_rehash
$(RM) crypto/opensslconf.h
$(RM) Makefile Makefile.bak
makefile.one: files
$(PERL) util/mk1mf.pl >makefile.one; \
sh util/do_ms.sh
files:
$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
@set -e; target=files; $(RECURSIVE_BUILD_CMD)
links:
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
@set -e; target=links; $(RECURSIVE_BUILD_CMD)
gentests:
@(cd test && echo "generating dummy tests (if needed)..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
dclean:
rm -rf *.bak include/openssl certs/.0
@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
rehash: rehash.time
rehash.time: certs apps
@if [ -z "$(CROSS_COMPILE)" ]; then \
(OPENSSL="`pwd`/util/opensslwrap.sh"; \
[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
OPENSSL_DEBUG_MEMORY=on; \
export OPENSSL OPENSSL_DEBUG_MEMORY; \
$(PERL) tools/c_rehash certs/demo) && \
touch rehash.time; \
else :; fi
test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
report:
@$(PERL) util/selftest.pl
update: errors stacks util/libeay.num util/ssleay.num TABLE
@set -e; target=update; $(RECURSIVE_BUILD_CMD)
depend:
@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
lint:
@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
tags:
rm -f TAGS
find . -name '[^.]*.[ch]' | xargs etags -a
errors:
$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
$(PERL) util/mkerr.pl -recurse -write
(cd engines; $(MAKE) PERL=$(PERL) errors)
stacks:
$(PERL) util/mkstack.pl -write
util/libeay.num::
$(PERL) util/mkdef.pl crypto update
util/ssleay.num::
$(PERL) util/mkdef.pl ssl update
TABLE: Configure
(echo 'Output of `Configure TABLE'"':"; \
$(PERL) Configure TABLE) > TABLE
# Build distribution tar-file. As the list of files returned by "find" is
# pretty long, on several platforms a "too many arguments" error or similar
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
--owner 0 --group 0 \
--transform 's|^|$(NAME)/|' \
-cvf -
$(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
\( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
\! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
| sort > $(TARFILE).list
tar: $(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
rm -f $(TARFILE).list
ls -l $(TARFILE).gz
tar-snap: $(TARFILE).list
$(TAR_COMMAND) > $(TARFILE)
rm -f $(TARFILE).list
ls -l $(TARFILE)
dist:
$(PERL) Configure dist
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
install: all install_docs install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
$(INSTALL_PREFIX)$(OPENSSLDIR)/private
@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
@set -e; target=install; $(RECURSIVE_BUILD_CMD)
@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
fi; \
done;
@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
tmp="$(SHARED_LIBS)"; \
for i in $${tmp:-x}; \
do \
if [ -f "$$i" -o -f "$$i.a" ]; then \
( echo installing $$i; \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
else \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
fi ); \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
( case $$i in \
*crypto*) i=libeay32.dll;; \
*ssl*) i=ssleay32.dll;; \
esac; \
echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
fi; \
fi; \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
if [ "$(INSTALLTOP)" != "/usr" ]; then \
echo 'OpenSSL shared libraries have been installed in:'; \
echo ' $(INSTALLTOP)'; \
echo ''; \
sed -e '1,/^$$/d' doc/openssl-shared.txt; \
fi; \
fi
cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
install_html_docs:
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
filecase=-i; \
esac; \
for subdir in apps crypto ssl; do \
mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
for i in doc/$$subdir/*.pod; do \
fn=`basename $$i .pod`; \
echo "installing html/$$fn.$(HTMLSUFFIX)"; \
cat $$i \
| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
| sed -r 's/<!DOCTYPE.*//g' \
> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
done); \
done; \
done
install_docs:
@$(PERL) $(TOP)/util/mkdir-p.pl \
$(INSTALL_PREFIX)$(MANDIR)/man1 \
$(INSTALL_PREFIX)$(MANDIR)/man3 \
$(INSTALL_PREFIX)$(MANDIR)/man5 \
$(INSTALL_PREFIX)$(MANDIR)/man7
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
filecase=-i; \
esac; \
set -e; for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
(grep -v $$filecase "^$$fn\$$"; true) | \
(grep -v "[ ]"; true) | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done; \
set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
(grep -v $$filecase "^$$fn\$$"; true) | \
(grep -v "[ ]"; true) | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done
# DO NOT DELETE THIS LINE -- make depend depends on it.

690
Makefile.org Normal file
View File

@ -0,0 +1,690 @@
##
## Makefile for OpenSSL
##
VERSION=
MAJOR=
MINOR=
SHLIB_VERSION_NUMBER=
SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
SHLIB_EXT=
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
SHLIB_TARGET=
# HERE indicates where this Makefile lives. This can be used to indicate
# where sub-Makefiles are expected to be. Currently has very limited usage,
# and should probably not be bothered with at all.
HERE=.
# INSTALL_PREFIX is for package builders so that they can configure
# for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
INSTALL_PREFIX=
INSTALLTOP=/usr/local/ssl
# Do not edit this manually. Use Configure --openssldir=DIR do change this!
OPENSSLDIR=/usr/local/ssl
# NO_IDEA - Define to build without the IDEA algorithm
# NO_RC4 - Define to build without the RC4 algorithm
# NO_RC2 - Define to build without the RC2 algorithm
# THREADS - Define when building with threads, you will probably also need any
# system defines as well, i.e. _REENTERANT for Solaris 2.[34]
# TERMIO - Define the termio terminal subsystem, needed if sgtty is missing.
# TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
# LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
# DEVRANDOM - Give this the value of the 'random device' if your OS supports
# one. 32 bytes will be read from this when the random
# number generator is initalised.
# SSL_FORBID_ENULL - define if you want the server to be not able to use the
# NULL encryption ciphers.
#
# LOCK_DEBUG - turns on lots of lock debug output :-)
# REF_CHECK - turn on some xyz_free() assertions.
# REF_PRINT - prints some stuff on structure free.
# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
# MFUNC - Make all Malloc/Free/Realloc calls call
# CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
# call application defined callbacks via CRYPTO_set_mem_functions()
# MD5_ASM needs to be defined to use the x86 assembler for MD5
# SHA1_ASM needs to be defined to use the x86 assembler for SHA1
# RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
# Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8. It must
# equal 4.
# PKCS1_CHECK - pkcs1 tests.
CC= cc
CFLAG= -O
DEPFLAG=
PEX_LIBS=
EX_LIBS=
EXE_EXT=
ARFLAGS=
AR=ar $(ARFLAGS) r
RANLIB= ranlib
RC= windres
NM= nm
PERL= perl
TAR= tar
TARFLAGS= --no-recursion
MAKEDEPPROG=makedepend
LIBDIR=lib
# We let the C compiler driver to take care of .s files. This is done in
# order to be excused from maintaining a separate set of architecture
# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
# gcc, then the driver will automatically translate it to -xarch=v8plus
# and pass it down to assembler.
AS=$(CC) -c
ASFLAG=$(CFLAG)
# For x86 assembler: Set PROCESSOR to 386 if you want to support
# the 80386.
PROCESSOR=
# CPUID module collects small commonly used assembler snippets
CPUID_OBJ=
BN_ASM= bn_asm.o
EC_ASM=
DES_ENC= des_enc.o fcrypt_b.o
AES_ENC= aes_core.o aes_cbc.o
BF_ENC= bf_enc.o
CAST_ENC= c_enc.o
RC4_ENC= rc4_enc.o
RC5_ENC= rc5_enc.o
MD5_ASM_OBJ=
SHA1_ASM_OBJ=
RMD160_ASM_OBJ=
WP_ASM_OBJ=
CMLL_ENC=
MODES_ASM_OBJ=
ENGINES_ASM_OBJ=
PERLASM_SCHEME=
# KRB5 stuff
KRB5_INCLUDES=
LIBKRB5=
# Zlib stuff
ZLIB_INCLUDE=
LIBZLIB=
# TOP level FIPS install directory.
FIPSDIR=
# This is the location of fipscanister.o and friends.
# The FIPS module build will place it $(INSTALLTOP)/lib
# but since $(INSTALLTOP) can only take the default value
# when the module is built it will be in /usr/local/ssl/lib
# $(INSTALLTOP) for this build may be different so hard
# code the path.
FIPSLIBDIR=
# The location of the library which contains fipscanister.o
# normally it will be libcrypto unless fipsdso is set in which
# case it will be libfips. If not compiling in FIPS mode at all
# this is empty making it a useful test for a FIPS compile.
FIPSCANLIB=
# Shared library base address. Currently only used on Windows.
#
BASEADDR=
DIRS= crypto ssl engines apps test tools
ENGDIRS= ccgost
SHLIBDIRS= crypto ssl
# dirs in crypto to build
SDIRS= \
objects \
md2 md4 md5 sha mdc2 hmac ripemd whrlpool \
des aes rc2 rc4 rc5 idea bf cast camellia seed modes \
bn ec rsa dsa ecdsa dh ecdh dso engine \
buffer bio stack lhash rand err \
evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
cms pqueue ts jpake srp store cmac
# keep in mind that the above list is adjusted by ./Configure
# according to no-xxx arguments...
# tests to perform. "alltests" is a special word indicating that all tests
# should be performed.
TESTS = alltests
MAKEFILE= Makefile
MANDIR=$(OPENSSLDIR)/man
MAN1=1
MAN3=3
MANSUFFIX=
HTMLSUFFIX=html
HTMLDIR=$(OPENSSLDIR)/html
SHELL=/bin/sh
TOP= .
ONEDIRS=out tmp
EDIRS= times doc bugs util include certs ms shlib mt demos perl sf dep VMS
WDIRS= windows
LIBS= libcrypto.a libssl.a
SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_LIBS=
SHARED_LIBS_LINK_EXTS=
SHARED_LDFLAGS=
GENERAL= Makefile
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
all: Makefile build_all
# as we stick to -e, CLEARENV ensures that local variables in lower
# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
# shell, which [annoyingly enough] terminates unset with error if VAR
# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
# which terminates unset with error if no variable was present:-(
CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES} \
$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC} \
$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL} \
$${EXHEADER+EXHEADER} $${HEADER+HEADER} \
$${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
$${APPS+APPS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
CC='$(CC)' CFLAG='$(CFLAG)' \
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
RC='$(RC)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \
INSTALL_PREFIX='$(INSTALL_PREFIX)' \
INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)' \
LIBDIR='$(LIBDIR)' \
MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \
MAKEDEPPROG='$(MAKEDEPPROG)' \
SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \
KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \
ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \
EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)' \
SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)' \
PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)' \
CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)' \
EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' \
AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)' \
BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)' \
RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)' \
SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)' \
MD5_ASM_OBJ='$(MD5_ASM_OBJ)' \
RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)' \
WP_ASM_OBJ='$(WP_ASM_OBJ)' \
MODES_ASM_OBJ='$(MODES_ASM_OBJ)' \
ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)' \
PERLASM_SCHEME='$(PERLASM_SCHEME)' \
FIPSLIBDIR='${FIPSLIBDIR}' \
FIPSDIR='${FIPSDIR}' \
FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}" \
THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
# which in turn eliminates ambiguities in variable treatment with -e.
# BUILD_CMD is a generic macro to build a given target in a given
# subdirectory. The target must be given through the shell variable
# `target' and the subdirectory to build in must be given through `dir'.
# This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
# BUILD_ONE_CMD instead.
#
# BUILD_ONE_CMD is a macro to build a given target in a given
# subdirectory if that subdirectory is part of $(DIRS). It requires
# exactly the same shell variables as BUILD_CMD.
#
# RECURSIVE_BUILD_CMD is a macro to build a given target in all
# subdirectories defined in $(DIRS). It requires that the target
# is given through the shell variable `target'.
BUILD_CMD= if [ -d "$$dir" ]; then \
( cd $$dir && echo "making $$target in $$dir..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
) || exit 1; \
fi
RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
BUILD_ONE_CMD=\
if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
$(BUILD_CMD); \
fi
reflect:
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
sub_all: build_all
build_all: build_libs build_apps build_tests build_tools
build_libs: build_libcrypto build_libssl openssl.pc
build_libcrypto: build_crypto build_engines libcrypto.pc
build_libssl: build_ssl libssl.pc
build_crypto:
@dir=crypto; target=all; $(BUILD_ONE_CMD)
build_ssl: build_crypto
@dir=ssl; target=all; $(BUILD_ONE_CMD)
build_engines: build_crypto
@dir=engines; target=all; $(BUILD_ONE_CMD)
build_apps: build_libs
@dir=apps; target=all; $(BUILD_ONE_CMD)
build_tests: build_libs
@dir=test; target=all; $(BUILD_ONE_CMD)
build_tools: build_libs
@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
build_testapps:
@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
fips_premain_dso$(EXE_EXT): libcrypto.a
[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ \
$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
libcrypto.a $(EX_LIBS)
libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
@if [ "$(SHLIB_TARGET)" != "" ]; then \
if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
FIPSLD_LIBCRYPTO=libcrypto.a ; \
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \
(touch -c fips_premain_dso$(EXE_EXT) || :); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
@if [ "$(SHLIB_TARGET)" != "" ]; then \
$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \
fi
clean-shared:
@set -e; for i in $(SHLIBDIRS); do \
if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
tmp="$(SHARED_LIBS_LINK_EXTS)"; \
for j in $${tmp:-x}; do \
( set -x; rm -f lib$$i$$j ); \
done; \
fi; \
( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
fi; \
done
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
symlink.$(SHLIB_TARGET); \
libs="$$libs -l$$i"; \
done
build-shared: do_$(SHLIB_TARGET) link-shared
do_$(SHLIB_TARGET):
@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
LIBDEPS="$$libs $(EX_LIBS)" \
link_a.$(SHLIB_TARGET); \
libs="-l$$i $$libs"; \
done
libcrypto.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo 'enginesdir=$${libdir}/engines'; \
echo ''; \
echo 'Name: OpenSSL-libcrypto'; \
echo 'Description: OpenSSL cryptography library'; \
echo 'Version: '$(VERSION); \
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo ''; \
echo 'Name: OpenSSL-libssl'; \
echo 'Description: Secure Sockets Layer and cryptography libraries'; \
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo ''; \
echo 'Name: OpenSSL'; \
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
echo 'Version: '$(VERSION); \
echo 'Requires: libssl libcrypto' ) > openssl.pc
Makefile: Makefile.org Configure config
@echo "Makefile is older than Makefile.org, Configure or config."
@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@false
libclean:
rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
clean: libclean
rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
rm -f $(LIBS)
rm -f openssl.pc libssl.pc libcrypto.pc
rm -f speed.* .pure
rm -f $(TARFILE)
@set -e; for i in $(ONEDIRS) ;\
do \
rm -fr $$i/*; \
done
distclean: clean
-$(RM) `find . -name .git -prune -o -type l -print`
$(RM) apps/CA.pl
$(RM) test/evptests.txt test/newkey.pem test/testkey.pem test/testreq.pem
$(RM) tools/c_rehash
$(RM) crypto/opensslconf.h
$(RM) Makefile Makefile.bak
makefile.one: files
$(PERL) util/mk1mf.pl >makefile.one; \
sh util/do_ms.sh
files:
$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
@set -e; target=files; $(RECURSIVE_BUILD_CMD)
links:
@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
@set -e; target=links; $(RECURSIVE_BUILD_CMD)
gentests:
@(cd test && echo "generating dummy tests (if needed)..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
dclean:
rm -rf *.bak include/openssl certs/.0
@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
rehash: rehash.time
rehash.time: certs apps
@if [ -z "$(CROSS_COMPILE)" ]; then \
(OPENSSL="`pwd`/util/opensslwrap.sh"; \
[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
OPENSSL_DEBUG_MEMORY=on; \
export OPENSSL OPENSSL_DEBUG_MEMORY; \
$(PERL) tools/c_rehash certs/demo) && \
touch rehash.time; \
else :; fi
test: tests
tests: rehash
@(cd test && echo "testing..." && \
$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
report:
@$(PERL) util/selftest.pl
update: errors stacks util/libeay.num util/ssleay.num TABLE
@set -e; target=update; $(RECURSIVE_BUILD_CMD)
depend:
@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
lint:
@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
tags:
rm -f TAGS
find . -name '[^.]*.[ch]' | xargs etags -a
errors:
$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
$(PERL) util/mkerr.pl -recurse -write
(cd engines; $(MAKE) PERL=$(PERL) errors)
stacks:
$(PERL) util/mkstack.pl -write
util/libeay.num::
$(PERL) util/mkdef.pl crypto update
util/ssleay.num::
$(PERL) util/mkdef.pl ssl update
TABLE: Configure
(echo 'Output of `Configure TABLE'"':"; \
$(PERL) Configure TABLE) > TABLE
# Build distribution tar-file. As the list of files returned by "find" is
# pretty long, on several platforms a "too many arguments" error or similar
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
--owner 0 --group 0 \
--transform 's|^|$(NAME)/|' \
-cvf -
$(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
\( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
\! -name '.#*' \! -name '*.bak' \! -name '*~' \! -type l \
| sort > $(TARFILE).list
tar: $(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
rm -f $(TARFILE).list
ls -l $(TARFILE).gz
tar-snap: $(TARFILE).list
$(TAR_COMMAND) > $(TARFILE)
rm -f $(TARFILE).list
ls -l $(TARFILE)
dist:
$(PERL) Configure dist
@$(MAKE) SDIRS='$(SDIRS)' clean
@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
install: all install_docs install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
$(INSTALL_PREFIX)$(OPENSSLDIR)/private
@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
@set -e; target=install; $(RECURSIVE_BUILD_CMD)
@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
do \
if [ -f "$$i" ]; then \
( echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
fi; \
done;
@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
tmp="$(SHARED_LIBS)"; \
for i in $${tmp:-x}; \
do \
if [ -f "$$i" -o -f "$$i.a" ]; then \
( echo installing $$i; \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
else \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
fi ); \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
( case $$i in \
*crypto*) i=libeay32.dll;; \
*ssl*) i=ssleay32.dll;; \
esac; \
echo installing $$i; \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
fi; \
fi; \
done; \
( here="`pwd`"; \
cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
if [ "$(INSTALLTOP)" != "/usr" ]; then \
echo 'OpenSSL shared libraries have been installed in:'; \
echo ' $(INSTALLTOP)'; \
echo ''; \
sed -e '1,/^$$/d' doc/openssl-shared.txt; \
fi; \
fi
cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
install_html_docs:
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
filecase=-i; \
esac; \
for subdir in apps crypto ssl; do \
mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
for i in doc/$$subdir/*.pod; do \
fn=`basename $$i .pod`; \
echo "installing html/$$fn.$(HTMLSUFFIX)"; \
cat $$i \
| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
| sed -r 's/<!DOCTYPE.*//g' \
> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
grep -v $$filecase "^$$fn\$$" | \
(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
done); \
done; \
done
install_docs:
@$(PERL) $(TOP)/util/mkdir-p.pl \
$(INSTALL_PREFIX)$(MANDIR)/man1 \
$(INSTALL_PREFIX)$(MANDIR)/man3 \
$(INSTALL_PREFIX)$(MANDIR)/man5 \
$(INSTALL_PREFIX)$(MANDIR)/man7
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
filecase=-i; \
esac; \
set -e; for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
(grep -v $$filecase "^$$fn\$$"; true) | \
(grep -v "[ ]"; true) | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done; \
set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
--section=$$sec --center=OpenSSL \
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
(grep -v $$filecase "^$$fn\$$"; true) | \
(grep -v "[ ]"; true) | \
(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
while read n; do \
PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
done); \
done
# DO NOT DELETE THIS LINE -- make depend depends on it.

655
Makefile.shared Normal file
View File

@ -0,0 +1,655 @@
#
# Helper makefile to link shared libraries in a portable way.
# This is much simpler than libtool, and hopefully not too error-prone.
#
# The following variables need to be set on the command line to build
# properly
# CC contains the current compiler. This one MUST be defined
CC=cc
CFLAGS=$(CFLAG)
# LDFLAGS contains flags to be used when temporary object files (when building
# shared libraries) are created, or when an application is linked.
# SHARED_LDFLAGS contains flags to be used when the shared library is created.
LDFLAGS=
SHARED_LDFLAGS=
NM=nm
# LIBNAME contains just the name of the library, without prefix ("lib"
# on Unix, "cyg" for certain forms under Cygwin...) or suffix (.a, .so,
# .dll, ...). This one MUST have a value when using this makefile to
# build shared libraries.
# For example, to build libfoo.so, you need to do the following:
#LIBNAME=foo
LIBNAME=
# APPNAME contains just the name of the application, without suffix (""
# on Unix, ".exe" on Windows, ...). This one MUST have a value when using
# this makefile to build applications.
# For example, to build foo, you need to do the following:
#APPNAME=foo
APPNAME=
# OBJECTS contains all the object files to link together into the application.
# This must contain at least one object file.
#OBJECTS=foo.o
OBJECTS=
# LIBEXTRAS contains extra modules to link together with the library.
# For example, if a second library, say libbar.a needs to be linked into
# libfoo.so, you need to do the following:
#LIBEXTRAS=libbar.a
# Note that this MUST be used when using the link_o targets, to hold the
# names of all object files that go into the target library.
LIBEXTRAS=
# LIBVERSION contains the current version of the library.
# For example, to build libfoo.so.1.2, you need to do the following:
#LIBVERSION=1.2
LIBVERSION=
# LIBCOMPATVERSIONS contains the compatibility versions (a list) of
# the library. They MUST be in decreasing order.
# For example, if libfoo.so.1.2.1 is backward compatible with libfoo.so.1.2
# and libfoo.so.1, you need to do the following:
#LIBCOMPATVERSIONS=1.2 1
# Note that on systems that use sonames, the last number will appear as
# part of it.
# It's also possible, for systems that support it (Tru64, for example),
# to add extra compatibility info with more precision, by adding a second
# list of versions, separated from the first with a semicolon, like this:
#LIBCOMPATVERSIONS=1.2 1;1.2.0 1.1.2 1.1.1 1.1.0 1.0.0
LIBCOMPATVERSIONS=
# LIBDEPS contains all the flags necessary to cover all necessary
# dependencies to other libraries.
LIBDEPS=
#------------------------------------------------------------------------------
# The rest is private to this makefile.
SET_X=:
#SET_X=set -x
top:
echo "Trying to use this makefile interactively? Don't."
CALC_VERSIONS= \
SHLIB_COMPAT=; SHLIB_SOVER=; \
if [ -n "$(LIBVERSION)$(LIBCOMPATVERSIONS)" ]; then \
prev=""; \
for v in `echo "$(LIBVERSION) $(LIBCOMPATVERSIONS)" | cut -d';' -f1`; do \
SHLIB_SOVER_NODOT=$$v; \
SHLIB_SOVER=.$$v; \
if [ -n "$$prev" ]; then \
SHLIB_COMPAT="$$SHLIB_COMPAT .$$prev"; \
fi; \
prev=$$v; \
done; \
fi
LINK_APP= \
( $(SET_X); \
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
LINK_SO= \
( $(SET_X); \
LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
) && $(SYMLINK_SO)
SYMLINK_SO= \
if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
prev=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
if [ -n "$$SHLIB_COMPAT" ]; then \
for x in $$SHLIB_COMPAT; do \
( $(SET_X); rm -f $$SHLIB$$x$$SHLIB_SUFFIX; \
ln -s $$prev $$SHLIB$$x$$SHLIB_SUFFIX ); \
prev=$$SHLIB$$x$$SHLIB_SUFFIX; \
done; \
fi; \
if [ -n "$$SHLIB_SOVER" ]; then \
( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
fi; \
fi
LINK_SO_A= SHOBJECTS="lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
LINK_SO_O= SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
LINK_SO_A_VIA_O= \
SHOBJECTS=lib$(LIBNAME).o; \
ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
( $(SET_X); \
ld $(LDFLAGS) -r -o lib$(LIBNAME).o $$ALL lib$(LIBNAME).a $(LIBEXTRAS) ); \
$(LINK_SO) && rm -f lib$(LIBNAME).o
LINK_SO_A_UNPACKED= \
UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
(cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) && \
([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
SHOBJECTS=$$UNPACKDIR/*.o; \
$(LINK_SO) && rm -rf $$UNPACKDIR
DETECT_GNU_LD=($(CC) -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
DO_GNU_SO=$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to
#do with shared libraries, for example when linking against static
#libraries. It's mostly here to avoid a lot of conditionals everywhere
#else...
link_app.:
$(LINK_APP)
link_o.gnu:
@ $(DO_GNU_SO); $(LINK_SO_O)
link_a.gnu:
@ $(DO_GNU_SO); $(LINK_SO_A)
link_app.gnu:
@ $(DO_GNU_APP); $(LINK_APP)
DO_BEOS_SO= SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SUFFIX"
link_o.beos:
@ $(DO_BEOS_SO); $(LINK_SO_O)
link_a.beos:
@ $(DO_BEOS_SO); $(LINK_SO_A)
link_o.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
LIBDEPS=" "; \
ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
NOALLSYMSFLAGS=; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
fi; $(LINK_SO_O)
link_a.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
LIBDEPS=" "; \
ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
NOALLSYMSFLAGS=; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
fi; $(LINK_SO_A)
link_app.bsd:
@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBPATH)"; \
fi; $(LINK_APP)
# For Darwin AKA Mac OS/X (dyld)
# Originally link_o.darwin produced .so, because it was hard-coded
# in dso_dlfcn module. At later point dso_dlfcn switched to .dylib
# extension in order to allow for run-time linking with vendor-
# supplied shared libraries such as libz, so that link_o.darwin had
# to be harmonized with it. This caused minor controversy, because
# it was believed that dlopen can't be used to dynamically load
# .dylib-s, only so called bundle modules (ones linked with -bundle
# flag). The belief seems to be originating from pre-10.4 release,
# where dlfcn functionality was emulated by dlcompat add-on. In
# 10.4 dlopen was rewritten as native part of dyld and is documented
# to be capable of loading both dynamic libraries and bundles. In
# order to provide compatibility with pre-10.4 dlopen, modules are
# linked with -bundle flag, which makes .dylib extension misleading.
# It works, because dlopen is [and always was] extension-agnostic.
# Alternative to this heuristic approach is to develop specific
# MacOS X dso module relying on whichever "native" dyld interface.
link_o.darwin:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME); \
SHLIB_SUFFIX=.dylib; \
ALLSYMSFLAGS='-all_load'; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) `echo $(SHARED_LDFLAGS) | sed s/dynamiclib/bundle/`"; \
if [ -n "$(LIBVERSION)" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
fi; \
if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
fi; \
$(LINK_SO_O)
link_a.darwin:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME); \
SHLIB_SUFFIX=.dylib; \
ALLSYMSFLAGS='-all_load'; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
if [ -n "$(LIBVERSION)" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
fi; \
if [ -n "$$SHLIB_SOVER_NODOT" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
fi; \
SHAREDFLAGS="$$SHAREDFLAGS -install_name $(INSTALLTOP)/$(LIBDIR)/$$SHLIB$(SHLIB_EXT)"; \
$(LINK_SO_A)
link_app.darwin: # is there run-path on darwin?
$(LINK_APP)
link_o.cygwin:
@ $(CALC_VERSIONS); \
INHIBIT_SYMLINKS=yes; \
SHLIB=cyg$(LIBNAME); \
base=-Wl,--enable-auto-image-base; \
deffile=; \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
SHLIB=$(LIBNAME)eay32; base=; \
if test -f $(LIBNAME)eay32.def; then \
deffile=$(LIBNAME)eay32.def; \
fi; \
fi; \
SHLIB_SUFFIX=.dll; \
LIBVERSION="$(LIBVERSION)"; \
SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
$(LINK_SO_O)
#for mingw target if def-file is in use dll-name should match library-name
link_a.cygwin:
@ $(CALC_VERSIONS); \
INHIBIT_SYMLINKS=yes; \
SHLIB=cyg$(LIBNAME); SHLIB_SOVER=-$(LIBVERSION); SHLIB_SUFFIX=.dll; \
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; extras=; \
base=-Wl,--enable-auto-image-base; \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
case $(LIBNAME) in \
crypto) SHLIB=libeay;; \
ssl) SHLIB=ssleay;; \
esac; \
SHLIB_SOVER=32; \
extras="$(LIBNAME).def"; \
$(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
fi; \
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
$(PERL) util/mkrc.pl $$dll_name | \
$(RC) -o rc.o; \
extras="$$extras rc.o"; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
[ -f apps/$$dll_name ] && rm apps/$$dll_name; \
[ -f test/$$dll_name ] && rm test/$$dll_name; \
$(LINK_SO_A) || exit 1; \
rm $$extras; \
cp -p $$dll_name apps/; \
cp -p $$dll_name test/
link_app.cygwin:
@if expr "$(CFLAGS)" : '.*OPENSSL_USE_APPLINK' > /dev/null; then \
LIBDEPS="$(TOP)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
export LIBDEPS; \
fi; \
$(LINK_APP)
link_o.alpha-osf1:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
if [ -n "$$SHLIB_HIST" ]; then \
SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
else \
SHLIB_HIST="$(LIBVERSION)"; \
fi; \
SHLIB_SOVER=; \
ALLSYMSFLAGS='-all'; \
NOALLSYMSFLAGS='-none'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
if [ -n "$$SHLIB_HIST" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
fi; \
fi; \
$(LINK_SO_O)
link_a.alpha-osf1:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
if [ -n "$$SHLIB_HIST" ]; then \
SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
else \
SHLIB_HIST="$(LIBVERSION)"; \
fi; \
SHLIB_SOVER=; \
ALLSYMSFLAGS='-all'; \
NOALLSYMSFLAGS='-none'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-B,symbolic"; \
if [ -n "$$SHLIB_HIST" ]; then \
SHAREDFLAGS="$$SHAREDFLAGS -set_version $$SHLIB_HIST"; \
fi; \
fi; \
$(LINK_SO_A)
link_app.alpha-osf1:
@if $(DETECT_GNU_LD); then \
$(DO_GNU_APP); \
else \
LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
fi; \
$(LINK_APP)
link_o.solaris:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
MINUSZ='-z '; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS="$${MINUSZ}allextract"; \
NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
fi; \
$(LINK_SO_O)
link_a.solaris:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
MINUSZ='-z '; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=;\
ALLSYMSFLAGS="$${MINUSZ}allextract"; \
NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
fi; \
$(LINK_SO_A)
link_app.solaris:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_APP); \
else \
LDFLAGS="$(CFLAGS) -R $(LIBRPATH)"; \
fi; \
$(LINK_APP)
# OpenServer 5 native compilers used
link_o.svr3:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
fi; \
$(LINK_SO_O)
link_a.svr3:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
fi; \
$(LINK_SO_A_UNPACKED)
link_app.svr3:
@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
$(LINK_APP)
# UnixWare 7 and OpenUNIX 8 native compilers used
link_o.svr5:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHARE_FLAG='-G'; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
fi; \
$(LINK_SO_O)
link_a.svr5:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHARE_FLAG='-G'; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
fi; \
$(LINK_SO_A_UNPACKED)
link_app.svr5:
@$(DETECT_GNU_LD) && $(DO_GNU_APP); \
$(LINK_APP)
link_o.irix:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
MINUSWL=""; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \
NOALLSYMSFLAGS="$${MINUSWL}-none"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
fi; \
$(LINK_SO_O)
link_a.irix:
@ if $(DETECT_GNU_LD); then \
$(DO_GNU_SO); \
else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
MINUSWL=""; \
($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
ALLSYMSFLAGS="$${MINUSWL}-all"; \
NOALLSYMSFLAGS="$${MINUSWL}-none"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,-B,symbolic"; \
fi; \
$(LINK_SO_A)
link_app.irix:
@LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
$(LINK_APP)
# 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
# we compensate for it with +cdp ../: and +cdp ./:. Yes, these rewrite
# rules imply that we can only link one level down in catalog structure,
# but that's what takes place for the moment of this writing. +cdp option
# was introduced in HP-UX 11.x and applies in 32-bit PA-RISC link
# editor context only [it's simply ignored in other cases, which are all
# ELFs by the way].
#
link_o.hpux:
@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).sl; \
expr "$(CFLAGS)" : '.*DSO_DLFCN' > /dev/null && SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,-Fl'; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
fi; \
rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
link_a.hpux:
@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
$(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).sl; \
expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,-Fl'; \
NOALLSYMSFLAGS=''; \
expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+cdp,../:,+cdp,./:"; \
fi; \
rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
link_app.hpux:
@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
LDFLAGS="$(CFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
fi; \
$(LINK_APP)
link_o.aix:
@ $(CALC_VERSIONS); \
OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || :; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=''; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
$(LINK_SO_O);
link_a.aix:
@ $(CALC_VERSIONS); \
OBJECT_MODE=`expr "x$(SHARED_LDFLAGS)" : 'x\-[a-z]*\(64\)'` || : ; \
OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-bnogc'; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
$(LINK_SO_A_VIA_O)
link_app.aix:
LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
$(LINK_APP)
link_o.reliantunix:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) -G'; \
$(LINK_SO_O)
link_a.reliantunix:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS=; \
NOALLSYMSFLAGS=''; \
SHAREDFLAGS='$(CFLAGS) -G'; \
$(LINK_SO_A_UNPACKED)
link_app.reliantunix:
$(LINK_APP)
# Targets to build symbolic links when needed
symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
symlink.aix symlink.reliantunix:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).so; \
$(SYMLINK_SO)
symlink.darwin:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME); \
SHLIB_SUFFIX=.dylib; \
$(SYMLINK_SO)
symlink.hpux:
@ $(CALC_VERSIONS); \
SHLIB=lib$(LIBNAME).sl; \
expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
$(SYMLINK_SO)
# The following lines means those specific architectures do no symlinks
symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath symlink.beos:
# Compatibility targets
link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu
link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
link_o.bsd-shared: link_o.bsd
link_a.bsd-shared: link_a.bsd
link_app.bsd-shared: link_app.bsd
link_o.darwin-shared: link_o.darwin
link_a.darwin-shared: link_a.darwin
link_app.darwin-shared: link_app.darwin
symlink.darwin-shared: symlink.darwin
link_o.cygwin-shared: link_o.cygwin
link_a.cygwin-shared: link_a.cygwin
link_app.cygwin-shared: link_app.cygwin
symlink.cygwin-shared: symlink.cygwin
link_o.alpha-osf1-shared: link_o.alpha-osf1
link_a.alpha-osf1-shared: link_a.alpha-osf1
link_app.alpha-osf1-shared: link_app.alpha-osf1
symlink.alpha-osf1-shared: symlink.alpha-osf1
link_o.tru64-shared: link_o.tru64
link_a.tru64-shared: link_a.tru64
link_app.tru64-shared: link_app.tru64
symlink.tru64-shared: symlink.tru64
link_o.tru64-shared-rpath: link_o.tru64-rpath
link_a.tru64-shared-rpath: link_a.tru64-rpath
link_app.tru64-shared-rpath: link_app.tru64-rpath
symlink.tru64-shared-rpath: symlink.tru64-rpath
link_o.solaris-shared: link_o.solaris
link_a.solaris-shared: link_a.solaris
link_app.solaris-shared: link_app.solaris
symlink.solaris-shared: symlink.solaris
link_o.svr3-shared: link_o.svr3
link_a.svr3-shared: link_a.svr3
link_app.svr3-shared: link_app.svr3
symlink.svr3-shared: symlink.svr3
link_o.svr5-shared: link_o.svr5
link_a.svr5-shared: link_a.svr5
link_app.svr5-shared: link_app.svr5
symlink.svr5-shared: symlink.svr5
link_o.irix-shared: link_o.irix
link_a.irix-shared: link_a.irix
link_app.irix-shared: link_app.irix
symlink.irix-shared: symlink.irix
link_o.hpux-shared: link_o.hpux
link_a.hpux-shared: link_a.hpux
link_app.hpux-shared: link_app.hpux
symlink.hpux-shared: symlink.hpux
link_o.aix-shared: link_o.aix
link_a.aix-shared: link_a.aix
link_app.aix-shared: link_app.aix
symlink.aix-shared: symlink.aix
link_o.reliantunix-shared: link_o.reliantunix
link_a.reliantunix-shared: link_a.reliantunix
link_app.reliantunix-shared: link_app.reliantunix
symlink.reliantunix-shared: symlink.reliantunix
link_o.beos-shared: link_o.beos
link_a.beos-shared: link_a.beos
link_app.beos-shared: link_app.gnu
symlink.beos-shared: symlink.beos

832
NEWS Normal file
View File

@ -0,0 +1,832 @@
NEWS
====
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
o 0-byte record padding oracle (CVE-2019-1559)
Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
o Client DoS due to large DH parameter (CVE-2018-0732)
o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
o Constructed ASN.1 types with a recursive definition could exceed the
stack (CVE-2018-0739)
Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
o Read/write after SSL object in error state (CVE-2017-3737)
o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]
o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]
o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
o Truncated packet could crash via OOB read (CVE-2017-3731)
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
o Missing CRL sanity check (CVE-2016-7052)
Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
o SWEET32 Mitigation (CVE-2016-2183)
o OOB write in MDC2_Update() (CVE-2016-6303)
o Malformed SHA512 ticket DoS (CVE-2016-6302)
o OOB write in BN_bn2dec() (CVE-2016-2182)
o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
o Pointer arithmetic undefined behaviour (CVE-2016-2177)
o Constant time flag not preserved in DSA signing (CVE-2016-2178)
o DTLS buffered message DoS (CVE-2016-2179)
o DTLS replay protection DoS (CVE-2016-2181)
o Certificate message OOB reads (CVE-2016-6306)
Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
o EBCDIC overread (CVE-2016-2176)
o Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
o Remove LOW from the DEFAULT cipher list. This removes singles DES from
the default.
o Only remove the SSLv2 methods with the no-ssl2-method option.
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
o Disable SSLv2 default build, default negotiation and weak ciphers
(CVE-2016-0800)
o Fix a double-free in DSA code (CVE-2016-0705)
o Disable SRP fake user seed to address a server memory leak
(CVE-2016-0798)
o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
o X509_ATTRIBUTE memory leak (CVE-2015-3195)
o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
o In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
o Alternate chains certificate forgery (CVE-2015-1793)
o Race condition handling PSK identify hint (CVE-2015-3196)
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
o Fix HMAC ABI incompatibility
Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
o Race condition handling NewSessionTicket (CVE-2015-1791)
Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
o Multiblock corrupted pointer fix (CVE-2015-0290)
o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
o Empty CKE with client auth and DHE fix (CVE-2015-1787)
o Handshake with unseeded PRNG fix (CVE-2015-0285)
o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
o Removed the export ciphers from the DEFAULT ciphers
Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
o Suite B support for TLS 1.2 and DTLS 1.2
o Support for DTLS 1.2
o TLS automatic EC curve selection.
o API to set TLS supported signature algorithms and curves
o SSL_CONF configuration API.
o TLS Brainpool support.
o ALPN support.
o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
o Build fixes for the Windows and OpenVMS platforms
Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
o Fix for CVE-2014-3571
o Fix for CVE-2015-0206
o Fix for CVE-2014-3569
o Fix for CVE-2014-3572
o Fix for CVE-2015-0204
o Fix for CVE-2015-0205
o Fix for CVE-2014-8275
o Fix for CVE-2014-3570
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568
Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
o Fix for CVE-2014-3512
o Fix for CVE-2014-3511
o Fix for CVE-2014-3510
o Fix for CVE-2014-3507
o Fix for CVE-2014-3506
o Fix for CVE-2014-3505
o Fix for CVE-2014-3509
o Fix for CVE-2014-5139
o Fix for CVE-2014-3508
Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
o Fix for CVE-2014-0224
o Fix for CVE-2014-0221
o Fix for CVE-2014-0198
o Fix for CVE-2014-0195
o Fix for CVE-2014-3470
o Fix for CVE-2010-5298
Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
o Fix for CVE-2014-0160
o Add TLS padding extension workaround for broken servers.
o Fix for CVE-2014-0076
Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
o Don't include gmt_unix_time in TLS server and client random values
o Fix for TLS record tampering bug CVE-2013-4353
o Fix for TLS version checking bug CVE-2013-6449
o Fix for DTLS retransmission bug CVE-2013-6450
Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
o Corrected fix for CVE-2013-0169
Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
o Include the fips configuration module.
o Fix OCSP bad key DoS attack CVE-2013-0166
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
o Fix for TLS AESNI record handling flaw CVE-2012-2686
Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
o Fix TLS/DTLS record length checking bug CVE-2012-2333
o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
o Fix compilation error on non-x86 platforms.
o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
o Fix for ASN1 overflow bug CVE-2012-2110
o Workarounds for some servers that hang on long client hellos.
o Fix SEGV in AES code.
Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
o TLS/DTLS heartbeat support.
o SCTP support.
o RFC 5705 TLS key material exporter.
o RFC 5764 DTLS-SRTP negotiation.
o Next Protocol Negotiation.
o PSS signatures in certificates, requests and CRLs.
o Support for password based recipient info for CMS.
o Support TLS v1.2 and TLS v1.1.
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
o SRP support.
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
o Corrected fix for CVE-2011-4619
o Various DTLS fixes.
Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
o Fix for DTLS DoS issue CVE-2012-0050
Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
o Fix for DTLS plaintext recovery attack CVE-2011-4108
o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
o Check for malformed RFC3779 data CVE-2011-4577
Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
o Fix for CRL vulnerability issue CVE-2011-3207
o Fix for ECDH crashes CVE-2011-3210
o Protection against EC timing attacks.
o Support ECDH ciphersuites for certificates using SHA2 algorithms.
o Various DTLS fixes.
Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
o Fix for security issue CVE-2011-0014
Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
o Fix for security issue CVE-2010-4180
o Fix for CVE-2010-4252
o Fix mishandling of absent EC point format extension.
o Fix various platform compilation issues.
o Corrected fix for security issue CVE-2010-3864.
Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
o Fix for security issue CVE-2010-3864.
o Fix for CVE-2010-2939
o Fix WIN32 build system for GOST ENGINE.
Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
o Fix for security issue CVE-2010-1633.
o GOST MAC and CFB fixes.
Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
o RFC3280 path validation: sufficient to process PKITS tests.
o Integrated support for PVK files and keyblobs.
o Change default private key format to PKCS#8.
o CMS support: able to process all examples in RFC4134
o Streaming ASN1 encode support for PKCS#7 and CMS.
o Multiple signer and signer add support for PKCS#7 and CMS.
o ASN1 printing support.
o Whirlpool hash algorithm added.
o RFC3161 time stamp support.
o New generalised public key API supporting ENGINE based algorithms.
o New generalised public key API utilities.
o New ENGINE supporting GOST algorithms.
o SSL/TLS GOST ciphersuite support.
o PKCS#7 and CMS GOST support.
o RFC4279 PSK ciphersuite support.
o Supported points format extension for ECC ciphersuites.
o ecdsa-with-SHA224/256/384/512 signature types.
o dsa-with-SHA224 and dsa-with-SHA256 signature types.
o Opaque PRF Input TLS extension support.
o Updated time routines to avoid OS limitations.
Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
o CFB cipher definition fixes.
o Fix security issues CVE-2010-0740 and CVE-2010-0433.
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
o Cipher definition fixes.
o Workaround for slow RAND_poll() on some WIN32 versions.
o Remove MD2 from algorithm tables.
o SPKAC handling fixes.
o Support for RFC5746 TLS renegotiation extension.
o Compression memory leak fixed.
o Compression session resumption fixed.
o Ticket and SNI coexistence fixes.
o Many fixes to DTLS handling.
Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
o Temporary work around for CVE-2009-3555: disable renegotiation.
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
o Fix various build issues.
o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
o Fix security issue (CVE-2008-5077)
o Merge FIPS 140-2 branch code.
Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
o CryptoAPI ENGINE support.
o Various precautionary measures.
o Fix for bugs affecting certificate request creation.
o Support for local machine keyset attribute in PKCS#12 files.
Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
o Backport of CMS functionality to 0.9.8.
o Fixes for bugs introduced with 0.9.8f.
Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
o Add gcc 4.2 support.
o Add support for AES and SSE2 assembly lanugauge optimization
for VC++ build.
o Support for RFC4507bis and server name extensions if explicitly
selected at compile time.
o DTLS improvements.
o RFC4507bis support.
o TLS Extensions support.
Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
o Various ciphersuite selection fixes.
o RFC3779 support.
Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
o Changes to ciphersuite selection algorithm
Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
o New cipher Camellia
Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
o Cipher string fixes.
o Fixes for VC++ 2005.
o Updated ECC cipher suite support.
o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
o Zlib compression usage fixes.
o Built in dynamic engine compilation support on Win32.
o Fixes auto dynamic engine loading in Win32.
Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
o Fix potential SSL 2.0 rollback, CVE-2005-2969
o Extended Windows CE support
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
o Major work on the BIGNUM library for higher efficiency and to
make operations more streamlined and less contradictory. This
is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST
curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including
the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL
configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking
programs with shared or static libraries, through a separate
Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules
automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the ZLIB compression method to be stateful.
o Changed the key-generation and primality testing "progress"
mechanism to take a structure that contains the ticker
function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLOck ACE extension in VIA C3
Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions.
See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy
constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL
configuration file.
o Added support for multiple certificates with the same subject
in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using
'openssl ca -selfsign'.
o Make it possible to generate a serial number file with
'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all
sorts of data repositories. Supports storage of public and
private keys, certificates, CRLs, numbers and arbitrary blobs.
This library is unfortunately unfinished and unused withing
OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME
processing.
o Added the possibility to compile without old deprecated
functionality with the OPENSSL_NO_DEPRECATED macro or the
'no-deprecated' argument to the config and Configure scripts.
o Constification of all ASN.1 conversion functions, and other
affected functions.
o Improved platform support for PowerPC.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation
of X.509 path validation.
o Major overhaul of RC4 performance on Intel P4, IA-64 and
AMD64.
o Changed the Configure script to have some algorithms disabled
by default. Those can be explicitely enabled with the new
argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to
SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for BSD sockets on NetWare.
o Added support for files larger than 2GB.
o Added initial support for Win64.
o Added alternate pkg-config files.
Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
o FIPS 1.1.1 module linking.
o Various ciphersuite selection fixes.
Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
o Visual C++ 2005 fixes.
o Update Windows build system for FIPS.
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
o Fix SSL 2.0 Rollback, CVE-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
o Several compilation issues fixed.
o Many memory allocation failure checks added.
o Improved comparison of X509 Name type.
o Mandatory basic checks on certificates.
o Performance improvements.
Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
o Fix race condition in CRL checking code.
o Fixes to PKCS#7 (S/MIME) code.
Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
o Security: Fix null-pointer assignment in do_change_cipher_spec()
o Allow multiple active certificates with same subject in CA index
o Multiple X509 verification fixes
o Speed up HMAC and other operations
Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
o Security: fix various ASN1 parsing bugs.
o New -ignore_err option to OCSP utility.
o Various interop and bug fixes in S/MIME code.
o SSL/TLS protocol fix for unrequested client certificates.
Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
o Security: counter the Klima-Pokorny-Rosa extension of
Bleichbacher's attack
o Security: make RSA blinding default.
o Configuration: Irix fixes, AIX fixes, better mingw support.
o Support for new platforms: linux-ia64-ecc.
o Build: shared library support fixes.
o ASN.1: treat domainComponent correctly.
o Documentation: fixes and additions.
Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
o Security: Important security related bugfixes.
o Enhanced compatibility with MIT Kerberos.
o Can be built without the ENGINE framework.
o IA32 assembler enhancements.
o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
o Configuration: the no-err option now works properly.
o SSL/TLS: now handles manual certificate chain building.
o SSL/TLS: certain session ID malfunctions corrected.
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
o New library section OCSP.
o Complete rewrite of ASN1 code.
o CRL checking in verify code and openssl utility.
o Extension copying in 'ca' utility.
o Flexible display options in 'ca' utility.
o Provisional support for international characters with UTF8.
o Support for external crypto devices ('engine') is no longer
a separate distribution.
o New elliptic curve library section.
o New AES (Rijndael) library section.
o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
Linux x86_64, Linux 64-bit on Sparc v9
o Extended support for some platforms: VxWorks
o Enhanced support for shared libraries.
o Now only builds PIC code when shared library support is requested.
o Support for pkg-config.
o Lots of new manuals.
o Makes symbolic links to or copies of manuals to cover all described
functions.
o Change DES API to clean up the namespace (some applications link also
against libdes providing similar functions having the same name).
Provide macros for backward compatibility (will be removed in the
future).
o Unify handling of cryptographic algorithms (software and engine)
to be available via EVP routines for asymmetric and symmetric ciphers.
o NCONF: new configuration handling routines.
o Change API to use more 'const' modifiers to improve error checking
and help optimizers.
o Finally remove references to RSAref.
o Reworked parts of the BIGNUM code.
o Support for new engines: Broadcom ubsec, Accelerated Encryption
Processing, IBM 4758.
o A few new engines added in the demos area.
o Extended and corrected OID (object identifier) table.
o PRNG: query at more locations for a random device, automatic query for
EGD style random sources at several locations.
o SSL/TLS: allow optional cipher choice according to server's preference.
o SSL/TLS: allow server to explicitly set new session ids.
o SSL/TLS: support Kerberos cipher suites (RFC2712).
Only supports MIT Kerberos for now.
o SSL/TLS: allow more precise control of renegotiations and sessions.
o SSL/TLS: add callback to retrieve SSL/TLS messages.
o SSL/TLS: support AES cipher suites (RFC3268).
Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
o Security: fix various ASN1 parsing bugs.
o SSL/TLS protocol fix for unrequested client certificates.
Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
o Security: counter the Klima-Pokorny-Rosa extension of
Bleichbacher's attack
o Security: make RSA blinding default.
o Build: shared library support fixes.
Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
o Important security related bugfixes.
Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
o New configuration targets for Tandem OSS and A/UX.
o New OIDs for Microsoft attributes.
o Better handling of SSL session caching.
o Better comparison of distinguished names.
o Better handling of shared libraries in a mixed GNU/non-GNU environment.
o Support assembler code with Borland C.
o Fixes for length problems.
o Fixes for uninitialised variables.
o Fixes for memory leaks, some unusual crashes and some race conditions.
o Fixes for smaller building problems.
o Updates of manuals, FAQ and other instructive documents.
Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
o Important building fixes on Unix.
Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
o Various important bugfixes.
Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
o Important security related bugfixes.
o Various SSL/TLS library bugfixes.
Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
o Various SSL/TLS library bugfixes.
o Fix DH parameter generation for 'non-standard' generators.
Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
o Various SSL/TLS library bugfixes.
o BIGNUM library fixes.
o RSA OAEP and random number generation fixes.
o Object identifiers corrected and added.
o Add assembler BN routines for IA64.
o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
MIPS Linux; shared library support for Irix, HP-UX.
o Add crypto accelerator support for AEP, Baltimore SureWare,
Broadcom and Cryptographic Appliance's keyserver
[in 0.9.6c-engine release].
Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
o Security fix: PRNG improvements.
o Security fix: RSA OAEP check.
o Security fix: Reinsert and fix countermeasure to Bleichbacher's
attack.
o MIPS bug fix in BIGNUM.
o Bug fix in "openssl enc".
o Bug fix in X.509 printing routine.
o Bug fix in DSA verification routine and DSA S/MIME verification.
o Bug fix to make PRNG thread-safe.
o Bug fix in RAND_file_name().
o Bug fix in compatibility mode trust settings.
o Bug fix in blowfish EVP.
o Increase default size for BIO buffering filter.
o Compatibility fixes in some scripts.
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
o Security fix: change behavior of OpenSSL to avoid using
environment variables when running as root.
o Security fix: check the result of RSA-CRT to reduce the
possibility of deducing the private key from an incorrectly
calculated signature.
o Security fix: prevent Bleichenbacher's DSA attack.
o Security fix: Zero the premaster secret after deriving the
master secret in DH ciphersuites.
o Reimplement SSL_peek(), which had various problems.
o Compatibility fix: the function des_encrypt() renamed to
des_encrypt1() to avoid clashes with some Unixen libc.
o Bug fixes for Win32, HP/UX and Irix.
o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
memory checking routines.
o Bug fixes for RSA operations in threaded environments.
o Bug fixes in misc. openssl applications.
o Remove a few potential memory leaks.
o Add tighter checks of BIGNUM routines.
o Shared library support has been reworked for generality.
o More documentation.
o New function BN_rand_range().
o Add "-rand" option to openssl s_client and s_server.
Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
o Some documentation for BIO and SSL libraries.
o Enhanced chain verification using key identifiers.
o New sign and verify options to 'dgst' application.
o Support for DER and PEM encoded messages in 'smime' application.
o New 'rsautl' application, low level RSA utility.
o MD4 now included.
o Bugfix for SSL rollback padding check.
o Support for external crypto devices [1].
o Enhanced EVP interface.
[1] The support for external crypto devices is currently a separate
distribution. See the file README.ENGINE.
Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
o Shared library support for HPUX and Solaris-gcc
o Support of Linux/IA64
o Assembler support for Mingw32
o New 'rand' application
o New way to check for existence of algorithms from scripts
Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
o S/MIME support in new 'smime' command
o Documentation for the OpenSSL command line application
o Automation of 'req' application
o Fixes to make s_client, s_server work under Windows
o Support for multiple fieldnames in SPKACs
o New SPKAC command line utilty and associated library functions
o Options to allow passwords to be obtained from various sources
o New public key PEM format and options to handle it
o Many other fixes and enhancements to command line utilities
o Usable certificate chain verification
o Certificate purpose checking
o Certificate trust settings
o Support of authority information access extension
o Extensions in certificate requests
o Simplified X509 name and attribute routines
o Initial (incomplete) support for international character sets
o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
o Read only memory BIOs and simplified creation function
o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
record; allow fragmentation and interleaving of handshake and other
data
o TLS/SSL code now "tolerates" MS SGC
o Work around for Netscape client certificate hang bug
o RSA_NULL option that removes RSA patent code but keeps other
RSA functionality
o Memory leak detection now allows applications to add extra information
via a per-thread stack
o PRNG robustness improved
o EGD support
o BIGNUM library bug fixes
o Faster DSA parameter generation
o Enhanced support for Alpha Linux
o Experimental MacOS support
Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
o Transparent support for PKCS#8 format private keys: these are used
by several software packages and are more secure than the standard
form
o PKCS#5 v2.0 implementation
o Password callbacks have a new void * argument for application data
o Avoid various memory leaks
o New pipe-like BIO that allows using the SSL library when actual I/O
must be handled by the application (BIO pair)
Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
o Lots of enhancements and cleanups to the Configuration mechanism
o RSA OEAP related fixes
o Added `openssl ca -revoke' option for revoking a certificate
o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
o Source tree cleanups: removed lots of obsolete files
o Thawte SXNet, certificate policies and CRL distribution points
extension support
o Preliminary (experimental) S/MIME support
o Support for ASN.1 UTF8String and VisibleString
o Full integration of PKCS#12 code
o Sparc assembler bignum implementation, optimized hash functions
o Option to disable selected ciphers
Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
o Fixed a security hole related to session resumption
o Fixed RSA encryption routines for the p < q case
o "ALL" in cipher lists now means "everything except NULL ciphers"
o Support for Triple-DES CBCM cipher
o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
o First support for new TLSv1 ciphers
o Added a few new BIOs (syslog BIO, reliable BIO)
o Extended support for DSA certificate/keys.
o Extended support for Certificate Signing Requests (CSR)
o Initial support for X.509v3 extensions
o Extended support for compression inside the SSL record layer
o Overhauled Win32 builds
o Cleanups and fixes to the Big Number (BN) library
o Support for ASN.1 GeneralizedTime
o Splitted ASN.1 SETs from SEQUENCEs
o ASN1 and PEM support for Netscape Certificate Sequences
o Overhauled Perl interface
o Lots of source tree cleanups.
o Lots of memory leak fixes.
o Lots of bug fixes.
Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
o Integration of the popular NO_RSA/NO_DSA patches
o Initial support for compression inside the SSL record layer
o Added BIO proxy and filtering functionality
o Extended Big Number (BN) library
o Added RIPE MD160 message digest
o Addeed support for RC2/64bit cipher
o Extended ASN.1 parser routines
o Adjustations of the source tree for CVS
o Support for various new platforms

235
Netware/build.bat Normal file
View File

@ -0,0 +1,235 @@
@echo off
rem ========================================================================
rem Batch file to automate building OpenSSL for NetWare.
rem
rem usage:
rem build [target] [debug opts] [assembly opts] [configure opts]
rem
rem target - "netware-clib" - CLib NetWare build (WinSock Sockets)
rem - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
rem - "netware-libc" - LibC NetWare build (WinSock Sockets)
rem - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
rem
rem debug opts - "debug" - build debug
rem
rem assembly opts - "nw-mwasm" - use Metrowerks assembler
rem - "nw-nasm" - use NASM assembler
rem - "no-asm" - don't use assembly
rem
rem configure opts- all unrecognized arguments are passed to the
rem perl configure script
rem
rem If no arguments are specified the default is to build non-debug with
rem no assembly. NOTE: there is no default BLD_TARGET.
rem
rem No assembly is the default - Uncomment section below to change
rem the assembler default
set ASM_MODE=
set ASSEMBLER=
set NO_ASM=no-asm
rem Uncomment to default to the Metrowerks assembler
rem set ASM_MODE=nw-mwasm
rem set ASSEMBLER=Metrowerks
rem set NO_ASM=
rem Uncomment to default to the NASM assembler
rem set ASM_MODE=nw-nasm
rem set ASSEMBLER=NASM
rem set NO_ASM=
rem No default Bld target
set BLD_TARGET=no_target
rem set BLD_TARGET=netware-clib
rem set BLD_TARGET=netware-libc
rem Default to build non-debug
set DEBUG=
rem Uncomment to default to debug build
rem set DEBUG=debug
set CONFIG_OPTS=
set ARG_PROCESSED=NO
rem Process command line args
:opts
if "a%1" == "a" goto endopt
if "%1" == "no-asm" set NO_ASM=no-asm
if "%1" == "no-asm" set ARG_PROCESSED=YES
if "%1" == "debug" set DEBUG=debug
if "%1" == "debug" set ARG_PROCESSED=YES
if "%1" == "nw-nasm" set ASM_MODE=nw-nasm
if "%1" == "nw-nasm" set ASSEMBLER=NASM
if "%1" == "nw-nasm" set NO_ASM=
if "%1" == "nw-nasm" set ARG_PROCESSED=YES
if "%1" == "nw-mwasm" set ASM_MODE=nw-mwasm
if "%1" == "nw-mwasm" set ASSEMBLER=Metrowerks
if "%1" == "nw-mwasm" set NO_ASM=
if "%1" == "nw-mwasm" set ARG_PROCESSED=YES
if "%1" == "netware-clib" set BLD_TARGET=netware-clib
if "%1" == "netware-clib" set ARG_PROCESSED=YES
if "%1" == "netware-clib-bsdsock" set BLD_TARGET=netware-clib-bsdsock
if "%1" == "netware-clib-bsdsock" set ARG_PROCESSED=YES
if "%1" == "netware-libc" set BLD_TARGET=netware-libc
if "%1" == "netware-libc" set ARG_PROCESSED=YES
if "%1" == "netware-libc-bsdsock" set BLD_TARGET=netware-libc-bsdsock
if "%1" == "netware-libc-bsdsock" set ARG_PROCESSED=YES
rem If we didn't recognize the argument, consider it an option for config
if "%ARG_PROCESSED%" == "NO" set CONFIG_OPTS=%CONFIG_OPTS% %1
if "%ARG_PROCESSED%" == "YES" set ARG_PROCESSED=NO
shift
goto opts
:endopt
rem make sure a valid BLD_TARGET was specified
if "%BLD_TARGET%" == "no_target" goto no_target
rem build the nlm make file name which includes target and debug info
set NLM_MAKE=
if "%BLD_TARGET%" == "netware-clib" set NLM_MAKE=netware\nlm_clib
if "%BLD_TARGET%" == "netware-clib-bsdsock" set NLM_MAKE=netware\nlm_clib_bsdsock
if "%BLD_TARGET%" == "netware-libc" set NLM_MAKE=netware\nlm_libc
if "%BLD_TARGET%" == "netware-libc-bsdsock" set NLM_MAKE=netware\nlm_libc_bsdsock
if "%DEBUG%" == "" set NLM_MAKE=%NLM_MAKE%.mak
if "%DEBUG%" == "debug" set NLM_MAKE=%NLM_MAKE%_dbg.mak
if "%NO_ASM%" == "no-asm" set ASM_MODE=
if "%NO_ASM%" == "no-asm" set ASSEMBLER=
if "%NO_ASM%" == "no-asm" set CONFIG_OPTS=%CONFIG_OPTS% no-asm
if "%NO_ASM%" == "no-asm" goto do_config
rem ==================================================
echo Generating x86 for %ASSEMBLER% assembler
echo Bignum
cd crypto\bn\asm
rem perl x86.pl %ASM_MODE% > bn-nw.asm
perl bn-586.pl %ASM_MODE% > bn-nw.asm
perl co-586.pl %ASM_MODE% > co-nw.asm
cd ..\..\..
echo AES
cd crypto\aes\asm
perl aes-586.pl %ASM_MODE% > a-nw.asm
cd ..\..\..
echo DES
cd crypto\des\asm
perl des-586.pl %ASM_MODE% > d-nw.asm
cd ..\..\..
echo "crypt(3)"
cd crypto\des\asm
perl crypt586.pl %ASM_MODE% > y-nw.asm
cd ..\..\..
echo Blowfish
cd crypto\bf\asm
perl bf-586.pl %ASM_MODE% > b-nw.asm
cd ..\..\..
echo CAST5
cd crypto\cast\asm
perl cast-586.pl %ASM_MODE% > c-nw.asm
cd ..\..\..
echo RC4
cd crypto\rc4\asm
perl rc4-586.pl %ASM_MODE% > r4-nw.asm
cd ..\..\..
echo MD5
cd crypto\md5\asm
perl md5-586.pl %ASM_MODE% > m5-nw.asm
cd ..\..\..
echo SHA1
cd crypto\sha\asm
perl sha1-586.pl %ASM_MODE% > s1-nw.asm
perl sha256-586.pl %ASM_MODE% > sha256-nw.asm
perl sha512-586.pl %ASM_MODE% > sha512-nw.asm
cd ..\..\..
echo RIPEMD160
cd crypto\ripemd\asm
perl rmd-586.pl %ASM_MODE% > rm-nw.asm
cd ..\..\..
echo RC5\32
cd crypto\rc5\asm
perl rc5-586.pl %ASM_MODE% > r5-nw.asm
cd ..\..\..
echo WHIRLPOOL
cd crypto\whrlpool\asm
perl wp-mmx.pl %ASM_MODE% > wp-nw.asm
cd ..\..\..
echo CPUID
cd crypto
perl x86cpuid.pl %ASM_MODE% > x86cpuid-nw.asm
cd ..\
rem ===============================================================
rem
:do_config
echo .
echo configure options: %CONFIG_OPTS% %BLD_TARGET%
echo .
perl configure %CONFIG_OPTS% %BLD_TARGET%
perl util\mkfiles.pl >MINFO
echo .
echo mk1mf.pl options: %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET%
echo .
perl util\mk1mf.pl %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET% >%NLM_MAKE%
make -f %NLM_MAKE% vclean
echo .
echo The makefile "%NLM_MAKE%" has been created use your maketool to
echo build (ex: make -f %NLM_MAKE%)
goto end
rem ===============================================================
rem
:no_target
echo .
echo . No build target specified!!!
echo .
echo . usage: build [target] [debug opts] [assembly opts] [configure opts]
echo .
echo . target - "netware-clib" - CLib NetWare build (WinSock Sockets)
echo . - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
echo . - "netware-libc" - LibC NetWare build (WinSock Sockets)
echo . - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
echo .
echo . debug opts - "debug" - build debug
echo .
echo . assembly opts - "nw-mwasm" - use Metrowerks assembler
echo . "nw-nasm" - use NASM assembler
echo . "no-asm" - don't use assembly
echo .
echo . configure opts- all unrecognized arguments are passed to the
echo . perl configure script
echo .
echo . If no debug or assembly opts are specified the default is to build
echo . non-debug without assembly
echo .
:end

113
Netware/cpy_tests.bat Normal file
View File

@ -0,0 +1,113 @@
@echo off
rem Batch file to copy OpenSSL stuff to a NetWare server for testing
rem This batch file will create an "opensssl" directory at the root of the
rem specified NetWare drive and copy the required files to run the tests.
rem It should be run from inside the "openssl\netware" subdirectory.
rem Usage:
rem cpy_tests.bat <test subdirectory> <NetWare drive>
rem <test subdirectory> - out_nw.dbg | out_nw
rem <NetWare drive> - any mapped drive letter
rem
rem example ( copy from debug build to m: dirve ):
rem cpy_tests.bat out_nw.dbg m:
rem
rem CAUTION: If a directory named OpenSSL exists on the target drive
rem it will be deleted first.
if "%1" == "" goto usage
if "%2" == "" goto usage
rem Assume running in \openssl directory unless cpy_tests.bat exists then
rem it must be the \openssl\netware directory
set loc=.
if exist cpy_tests.bat set loc=..
rem make sure the local build subdirectory specified is valid
if not exist %loc%\%1\NUL goto invalid_dir
rem make sure target drive is valid
if not exist %2\NUL goto invalid_drive
rem If an OpenSSL directory exists on the target drive, remove it
if exist %2\openssl\NUL goto remove_openssl
goto do_copy
:remove_openssl
echo .
echo OpenSSL directory exists on %2 - it will be removed!
pause
rmdir %2\openssl /s /q
:do_copy
rem make an "openssl" directory and others at the root of the NetWare drive
mkdir %2\openssl
mkdir %2\openssl\test_out
mkdir %2\openssl\apps
mkdir %2\openssl\certs
mkdir %2\openssl\test
rem copy the test nlms
copy %loc%\%1\*.nlm %2\openssl\
rem copy the test perl script
copy %loc%\netware\do_tests.pl %2\openssl\
rem copy the certs directory stuff
xcopy %loc%\certs\*.* %2\openssl\certs\ /s
rem copy the test directory stuff
copy %loc%\test\CAss.cnf %2\openssl\test\
copy %loc%\test\Uss.cnf %2\openssl\test\
copy %loc%\test\pkcs7.pem %2\openssl\test\
copy %loc%\test\pkcs7-1.pem %2\openssl\test\
copy %loc%\test\testcrl.pem %2\openssl\test\
copy %loc%\test\testp7.pem %2\openssl\test\
copy %loc%\test\testreq2.pem %2\openssl\test\
copy %loc%\test\testrsa.pem %2\openssl\test\
copy %loc%\test\testsid.pem %2\openssl\test\
copy %loc%\test\testx509.pem %2\openssl\test\
copy %loc%\test\v3-cert1.pem %2\openssl\test\
copy %loc%\test\v3-cert2.pem %2\openssl\test\
copy %loc%\crypto\evp\evptests.txt %2\openssl\test\
rem copy the apps directory stuff
copy %loc%\apps\client.pem %2\openssl\apps\
copy %loc%\apps\server.pem %2\openssl\apps\
copy %loc%\apps\openssl.cnf %2\openssl\apps\
echo .
echo Tests copied
echo Run the test script at the console by typing:
echo "Perl \openssl\do_tests.pl"
echo .
echo Make sure the Search path includes the OpenSSL subdirectory
goto end
:invalid_dir
echo.
echo Invalid build directory specified: %1
echo.
goto usage
:invalid_drive
echo.
echo Invalid drive: %2
echo.
goto usage
:usage
echo.
echo usage: cpy_tests.bat [test subdirectory] [NetWare drive]
echo [test subdirectory] - out_nw_clib.dbg, out_nw_libc.dbg, etc.
echo [NetWare drive] - any mapped drive letter
echo.
echo example: cpy_test out_nw_clib.dbg M:
echo (copy from clib debug build area to M: drive)
:end

624
Netware/do_tests.pl Normal file
View File

@ -0,0 +1,624 @@
# perl script to run OpenSSL tests
my $base_path = "\\openssl";
my $output_path = "$base_path\\test_out";
my $cert_path = "$base_path\\certs";
my $test_path = "$base_path\\test";
my $app_path = "$base_path\\apps";
my $tmp_cert = "$output_path\\cert.tmp";
my $OpenSSL_config = "$app_path\\openssl.cnf";
my $log_file = "$output_path\\tests.log";
my $pause = 0;
# process the command line args to see if they wanted us to pause
# between executing each command
foreach $i (@ARGV)
{
if ($i =~ /^-p$/)
{ $pause=1; }
}
main();
############################################################################
sub main()
{
# delete all the output files in the output directory
unlink <$output_path\\*.*>;
# open the main log file
open(OUT, ">$log_file") || die "unable to open $log_file\n";
print( OUT "========================================================\n");
my $outFile = "$output_path\\version.out";
system("openssl2 version (CLIB_OPT)/>$outFile");
log_output("CHECKING FOR OPENSSL VERSION:", $outFile);
algorithm_tests();
encryption_tests();
evp_tests();
pem_tests();
verify_tests();
ca_tests();
ssl_tests();
close(OUT);
print("\nCompleted running tests.\n\n");
print("Check log file for errors: $log_file\n");
}
############################################################################
sub algorithm_tests
{
my $i;
my $outFile;
my @tests = ( rsa_test, destest, ideatest, bftest, bntest, shatest, sha1test,
sha256t, sha512t, dsatest, md2test, md4test, md5test, mdc2test,
rc2test, rc4test, rc5test, randtest, rmdtest, dhtest, ecdhtest,
ecdsatest, ectest, exptest, casttest, hmactest );
print( "\nRUNNING CRYPTO ALGORITHM TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "CRYPTO ALGORITHM TESTS:\n\n");
foreach $i (@tests)
{
if (-e "$base_path\\$i.nlm")
{
$outFile = "$output_path\\$i.out";
system("$i (CLIB_OPT)/>$outFile");
log_desc("Test: $i\.nlm:");
log_output("", $outFile );
}
else
{
log_desc("Test: $i\.nlm: file not found");
}
}
}
############################################################################
sub encryption_tests
{
my $i;
my $outFile;
my @enc_tests = ( "enc", "rc4", "des-cfb", "des-ede-cfb", "des-ede3-cfb",
"des-ofb", "des-ede-ofb", "des-ede3-ofb",
"des-ecb", "des-ede", "des-ede3", "des-cbc",
"des-ede-cbc", "des-ede3-cbc", "idea-ecb", "idea-cfb",
"idea-ofb", "idea-cbc", "rc2-ecb", "rc2-cfb",
"rc2-ofb", "rc2-cbc", "bf-ecb", "bf-cfb",
"bf-ofb", "bf-cbc" );
my $input = "$base_path\\do_tests.pl";
my $cipher = "$output_path\\cipher.out";
my $clear = "$output_path\\clear.out";
print( "\nRUNNING ENCRYPTION & DECRYPTION TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "FILE ENCRYPTION & DECRYPTION TESTS:\n\n");
foreach $i (@enc_tests)
{
log_desc("Testing: $i");
# do encryption
$outFile = "$output_path\\enc.out";
system("openssl2 $i -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile" );
log_output("Encrypting: $input --> $cipher", $outFile);
# do decryption
$outFile = "$output_path\\dec.out";
system("openssl2 $i -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
log_output("Decrypting: $cipher --> $clear", $outFile);
# compare files
$x = compare_files( $input, $clear, 1);
if ( $x == 0 )
{
print( "\rSUCCESS - files match: $input, $clear\n");
print( OUT "SUCCESS - files match: $input, $clear\n");
}
else
{
print( "\rERROR: files don't match\n");
print( OUT "ERROR: files don't match\n");
}
do_wait();
# Now do the same encryption but use Base64
# do encryption B64
$outFile = "$output_path\\B64enc.out";
system("openssl2 $i -a -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile");
log_output("Encrypting(B64): $cipher --> $clear", $outFile);
# do decryption B64
$outFile = "$output_path\\B64dec.out";
system("openssl2 $i -a -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
log_output("Decrypting(B64): $cipher --> $clear", $outFile);
# compare files
$x = compare_files( $input, $clear, 1);
if ( $x == 0 )
{
print( "\rSUCCESS - files match: $input, $clear\n");
print( OUT "SUCCESS - files match: $input, $clear\n");
}
else
{
print( "\rERROR: files don't match\n");
print( OUT "ERROR: files don't match\n");
}
do_wait();
} # end foreach
# delete the temporary files
unlink($cipher);
unlink($clear);
}
############################################################################
sub pem_tests
{
my $i;
my $tmp_out;
my $outFile = "$output_path\\pem.out";
my %pem_tests = (
"crl" => "testcrl.pem",
"pkcs7" => "testp7.pem",
"req" => "testreq2.pem",
"rsa" => "testrsa.pem",
"x509" => "testx509.pem",
"x509" => "v3-cert1.pem",
"sess_id" => "testsid.pem" );
print( "\nRUNNING PEM TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "PEM TESTS:\n\n");
foreach $i (keys(%pem_tests))
{
log_desc( "Testing: $i");
my $input = "$test_path\\$pem_tests{$i}";
$tmp_out = "$output_path\\$pem_tests{$i}";
if ($i ne "req" )
{
system("openssl2 $i -in $input -out $tmp_out (CLIB_OPT)/>$outFile");
log_output( "openssl2 $i -in $input -out $tmp_out", $outFile);
}
else
{
system("openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config (CLIB_OPT)/>$outFile");
log_output( "openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config", $outFile );
}
$x = compare_files( $input, $tmp_out);
if ( $x == 0 )
{
print( "\rSUCCESS - files match: $input, $tmp_out\n");
print( OUT "SUCCESS - files match: $input, $tmp_out\n");
}
else
{
print( "\rERROR: files don't match\n");
print( OUT "ERROR: files don't match\n");
}
do_wait();
} # end foreach
}
############################################################################
sub verify_tests
{
my $i;
my $outFile = "$output_path\\verify.out";
$cert_path =~ s/\\/\//g;
my @cert_files = <$cert_path/*.pem>;
print( "\nRUNNING VERIFY TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "VERIFY TESTS:\n\n");
make_tmp_cert_file();
foreach $i (@cert_files)
{
system("openssl2 verify -CAfile $tmp_cert $i (CLIB_OPT)/>$outFile");
log_desc("Verifying cert: $i");
log_output("openssl2 verify -CAfile $tmp_cert $i", $outFile);
}
}
############################################################################
sub ssl_tests
{
my $outFile = "$output_path\\ssl_tst.out";
my($CAcert) = "$output_path\\certCA.ss";
my($Ukey) = "$output_path\\keyU.ss";
my($Ucert) = "$output_path\\certU.ss";
my($ssltest)= "ssltest -key $Ukey -cert $Ucert -c_key $Ukey -c_cert $Ucert -CAfile $CAcert";
print( "\nRUNNING SSL TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "SSL TESTS:\n\n");
system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2:");
log_output("ssltest -ssl2", $outFile);
system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with server authentication:");
log_output("$ssltest -ssl2 -server_auth", $outFile);
system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with client authentication:");
log_output("$ssltest -ssl2 -client_auth", $outFile);
system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with both client and server authentication:");
log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3:");
log_output("ssltest -ssl3", $outFile);
system("$ssltest -ssl3 -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with server authentication:");
log_output("$ssltest -ssl3 -server_auth", $outFile);
system("$ssltest -ssl3 -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with client authentication:");
log_output("$ssltest -ssl3 -client_auth", $outFile);
system("$ssltest -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with both client and server authentication:");
log_output("$ssltest -ssl3 -server_auth -client_auth", $outFile);
system("ssltest (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3:");
log_output("ssltest", $outFile);
system("$ssltest -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with server authentication:");
log_output("$ssltest -server_auth", $outFile);
system("$ssltest -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with client authentication:");
log_output("$ssltest -client_auth ", $outFile);
system("$ssltest -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with both client and server authentication:");
log_output("$ssltest -server_auth -client_auth", $outFile);
system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 via BIO pair:");
log_output("ssltest -bio_pair -ssl2", $outFile);
system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with server authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with client authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 via BIO pair:");
log_output("ssltest -bio_pair -ssl3", $outFile);
system("$ssltest -bio_pair -ssl3 -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with server authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl3 -server_auth", $outFile);
system("$ssltest -bio_pair -ssl3 -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with client authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl3 -client_auth", $outFile);
system("$ssltest -bio_pair -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv3 with both client and server authentication via BIO pair:");
log_output("$ssltest -bio_pair -ssl3 -server_auth -client_auth", $outFile);
system("ssltest -bio_pair (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 via BIO pair:");
log_output("ssltest -bio_pair", $outFile);
system("$ssltest -bio_pair -server_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with server authentication via BIO pair:");
log_output("$ssltest -bio_pair -server_auth", $outFile);
system("$ssltest -bio_pair -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with client authentication via BIO pair:");
log_output("$ssltest -bio_pair -client_auth", $outFile);
system("$ssltest -bio_pair -server_auth -client_auth (CLIB_OPT)/>$outFile");
log_desc("Testing sslv2/sslv3 with both client and server authentication via BIO pair:");
log_output("$ssltest -bio_pair -server_auth -client_auth", $outFile);
}
############################################################################
sub ca_tests
{
my $outFile = "$output_path\\ca_tst.out";
my($CAkey) = "$output_path\\keyCA.ss";
my($CAcert) = "$output_path\\certCA.ss";
my($CAserial) = "$output_path\\certCA.srl";
my($CAreq) = "$output_path\\reqCA.ss";
my($CAreq2) = "$output_path\\req2CA.ss";
my($CAconf) = "$test_path\\CAss.cnf";
my($Uconf) = "$test_path\\Uss.cnf";
my($Ukey) = "$output_path\\keyU.ss";
my($Ureq) = "$output_path\\reqU.ss";
my($Ucert) = "$output_path\\certU.ss";
print( "\nRUNNING CA TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "CA TESTS:\n");
system("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new (CLIB_OPT)/>$outFile");
log_desc("Make a certificate request using req:");
log_output("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new", $outFile);
system("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey (CLIB_OPT)/>$outFile");
log_desc("Convert the certificate request into a self signed certificate using x509:");
log_output("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey", $outFile);
system("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 (CLIB_OPT)/>$outFile");
log_desc("Convert a certificate into a certificate request using 'x509':");
log_output("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2", $outFile);
system("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout (CLIB_OPT)/>$outFile");
log_output("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout", $outFile);
system("openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout (CLIB_OPT)/>$outFile");
log_output( "openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout", $outFile);
system("openssl2 verify -CAfile $CAcert $CAcert (CLIB_OPT)/>$outFile");
log_output("openssl2 verify -CAfile $CAcert $CAcert", $outFile);
system("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new (CLIB_OPT)/>$outFile");
log_desc("Make another certificate request using req:");
log_output("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new", $outFile);
system("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial (CLIB_OPT)/>$outFile");
log_desc("Sign certificate request with the just created CA via x509:");
log_output("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial", $outFile);
system("openssl2 verify -CAfile $CAcert $Ucert (CLIB_OPT)/>$outFile");
log_output("openssl2 verify -CAfile $CAcert $Ucert", $outFile);
system("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert (CLIB_OPT)/>$outFile");
log_desc("Certificate details");
log_output("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert", $outFile);
print(OUT "--\n");
print(OUT "The generated CA certificate is $CAcert\n");
print(OUT "The generated CA private key is $CAkey\n");
print(OUT "The current CA signing serial number is in $CAserial\n");
print(OUT "The generated user certificate is $Ucert\n");
print(OUT "The generated user private key is $Ukey\n");
print(OUT "--\n");
}
############################################################################
sub evp_tests
{
my $i = 'evp_test';
print( "\nRUNNING EVP TESTS:\n\n");
print( OUT "\n========================================================\n");
print( OUT "EVP TESTS:\n\n");
if (-e "$base_path\\$i.nlm")
{
my $outFile = "$output_path\\$i.out";
system("$i $test_path\\evptests.txt (CLIB_OPT)/>$outFile");
log_desc("Test: $i\.nlm:");
log_output("", $outFile );
}
else
{
log_desc("Test: $i\.nlm: file not found");
}
}
############################################################################
sub log_output( $ $ )
{
my( $desc, $file ) = @_;
my($error) = 0;
my($key);
my($msg);
if ($desc)
{
print("\r$desc\n");
print(OUT "$desc\n");
}
# loop waiting for test program to complete
while ( stat($file) == 0)
{ print(". "); sleep(1); }
# copy test output to log file
open(IN, "<$file");
while (<IN>)
{
print(OUT $_);
if ( $_ =~ /ERROR/ )
{
$error = 1;
}
}
# close and delete the temporary test output file
close(IN);
unlink($file);
if ( $error == 0 )
{
$msg = "Test Succeeded";
}
else
{
$msg = "Test Failed";
}
print(OUT "$msg\n");
if ($pause)
{
print("$msg - press ENTER to continue...");
$key = getc;
print("\n");
}
# Several of the testing scripts run a loop loading the
# same NLM with different options.
# On slow NetWare machines there appears to be some delay in the
# OS actually unloading the test nlms and the OS complains about.
# the NLM already being loaded. This additional pause is to
# to help provide a little more time for unloading before trying to
# load again.
sleep(1);
}
############################################################################
sub log_desc( $ )
{
my( $desc ) = @_;
print("\n");
print("$desc\n");
print(OUT "\n");
print(OUT "$desc\n");
print(OUT "======================================\n");
}
############################################################################
sub compare_files( $ $ $ )
{
my( $file1, $file2, $binary ) = @_;
my( $n1, $n2, $b1, $b2 );
my($ret) = 1;
open(IN0, $file1) || die "\nunable to open $file1\n";
open(IN1, $file2) || die "\nunable to open $file2\n";
if ($binary)
{
binmode IN0;
binmode IN1;
}
for (;;)
{
$n1 = read(IN0, $b1, 512);
$n2 = read(IN1, $b2, 512);
if ($n1 != $n2) {last;}
if ($b1 != $b2) {last;}
if ($n1 == 0)
{
$ret = 0;
last;
}
}
close(IN0);
close(IN1);
return($ret);
}
############################################################################
sub do_wait()
{
my($key);
if ($pause)
{
print("Press ENTER to continue...");
$key = getc;
print("\n");
}
}
############################################################################
sub make_tmp_cert_file()
{
my @cert_files = <$cert_path/*.pem>;
# delete the file if it already exists
unlink($tmp_cert);
open( TMP_CERT, ">$tmp_cert") || die "\nunable to open $tmp_cert\n";
print("building temporary cert file\n");
# create a temporary cert file that contains all the certs
foreach $i (@cert_files)
{
open( IN_CERT, $i ) || die "\nunable to open $i\n";
for(;;)
{
$n = sysread(IN_CERT, $data, 1024);
if ($n == 0)
{
close(IN_CERT);
last;
};
syswrite(TMP_CERT, $data, $n);
}
}
close( TMP_CERT );
}

254
Netware/globals.txt Normal file
View File

@ -0,0 +1,254 @@
An initial review of the OpenSSL code was done to determine how many
global variables where present. The idea was to determine the amount of
work required to pull the globals into an instance data structure in
order to build a Library NLM for NetWare. This file contains the results
of the review. Each file is listed along with the globals in the file.
The initial review was done very quickly so this list is probably
not a comprehensive list.
cryptlib.c
===========================================
static STACK *app_locks=NULL;
static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
static void (MS_FAR *locking_callback)(int mode,int type,
const char *file,int line)=NULL;
static int (MS_FAR *add_lock_callback)(int *pointer,int amount,
int type,const char *file,int line)=NULL;
static unsigned long (MS_FAR *id_callback)(void)=NULL;
static struct CRYPTO_dynlock_value *(MS_FAR *dynlock_create_callback)
(const char *file,int line)=NULL;
static void (MS_FAR *dynlock_lock_callback)(int mode,
struct CRYPTO_dynlock_value *l, const char *file,int line)=NULL;
static void (MS_FAR *dynlock_destroy_callback)(struct CRYPTO_dynlock_value *l,
const char *file,int line)=NULL;
mem.c
===========================================
static int allow_customize = 1; /* we provide flexible functions for */
static int allow_customize_debug = 1;/* exchanging memory-related functions at
/* may be changed as long as `allow_customize' is set */
static void *(*malloc_locked_func)(size_t) = malloc;
static void (*free_locked_func)(void *) = free;
static void *(*malloc_func)(size_t) = malloc;
static void *(*realloc_func)(void *, size_t)= realloc;
static void (*free_func)(void *) = free;
/* use default functions from mem_dbg.c */
static void (*malloc_debug_func)(void *,int,const char *,int,int)
= CRYPTO_dbg_malloc;
static void (*realloc_debug_func)(void *,void *,int,const char *,int,int)
= CRYPTO_dbg_realloc;
static void (*free_debug_func)(void *,int) = CRYPTO_dbg_free;
static void (*set_debug_options_func)(long) = CRYPTO_dbg_set_options;
static long (*get_debug_options_func)(void) = CRYPTO_dbg_get_options;
mem_dbg.c
===========================================
static int mh_mode=CRYPTO_MEM_CHECK_OFF;
static unsigned long order = 0; /* number of memory requests */
static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's */
static long options = /* extra information to be recorded */
static unsigned long disabling_thread = 0;
err.c
===========================================
static LHASH *error_hash=NULL;
static LHASH *thread_hash=NULL;
several files have routines with static "init" to track if error strings
have been loaded ( may not want seperate error strings for each process )
The "init" variable can't be left "global" because the error has is a ptr
that is malloc'ed. The malloc'ed error has is dependant on the "init"
vars.
files:
pem_err.c
cpt_err.c
pk12err.c
asn1_err.c
bio_err.c
bn_err.c
buf_err.c
comp_err.c
conf_err.c
cpt_err.c
dh_err.c
dsa_err.c
dso_err.c
evp_err.c
obj_err.c
pkcs7err.c
rand_err.c
rsa_err.c
rsar_err.c
ssl_err.c
x509_err.c
v3err.c
err.c
These file have similar "init" globals but they are for other stuff not
error strings:
bn_lib.c
ecc_enc.c
s23_clnt.c
s23_meth.c
s23_srvr.c
s2_clnt.c
s2_lib.c
s2_meth.c
s2_srvr.c
s3_clnt.c
s3_lib.c
s3_srvr.c
t1_clnt.c
t1_meth.c
t1_srvr.c
rand_lib.c
===========================================
static RAND_METHOD *rand_meth= &rand_ssleay_meth;
md_rand.c
===========================================
static int state_num=0,state_index=0;
static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
static unsigned char md[MD_DIGEST_LENGTH];
static long md_count[2]={0,0};
static double entropy=0;
static int initialized=0;
/* This should be set to 1 only when ssleay_rand_add() is called inside
an already locked state, so it doesn't try to lock and thereby cause
a hang. And it should always be reset back to 0 before unlocking. */
static int add_do_not_lock=0;
obj_dat.c
============================================
static int new_nid=NUM_NID;
static LHASH *added=NULL;
b_sock.c
===========================================
static unsigned long BIO_ghbn_hits=0L;
static unsigned long BIO_ghbn_miss=0L;
static struct ghbn_cache_st
{
char name[129];
struct hostent *ent;
unsigned long order;
} ghbn_cache[GHBN_NUM];
static int wsa_init_done=0;
bio_lib.c
===========================================
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
static int bio_meth_num=0;
bn_lib.c
========================================
static int bn_limit_bits=0;
static int bn_limit_num=8; /* (1<<bn_limit_bits) */
static int bn_limit_bits_low=0;
static int bn_limit_num_low=8; /* (1<<bn_limit_bits_low) */
static int bn_limit_bits_high=0;
static int bn_limit_num_high=8; /* (1<<bn_limit_bits_high) */
static int bn_limit_bits_mont=0;
static int bn_limit_num_mont=8; /* (1<<bn_limit_bits_mont) */
conf_lib.c
========================================
static CONF_METHOD *default_CONF_method=NULL;
dh_lib.c
========================================
static DH_METHOD *default_DH_method;
static int dh_meth_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
dsa_lib.c
========================================
static DSA_METHOD *default_DSA_method;
static int dsa_meth_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
dso_lib.c
========================================
static DSO_METHOD *default_DSO_meth = NULL;
rsa_lib.c
========================================
static RSA_METHOD *default_RSA_meth=NULL;
static int rsa_meth_num=0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
x509_trs.c
=======================================
static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
static STACK_OF(X509_TRUST) *trtable = NULL;
x509_req.c
=======================================
static int *ext_nids = ext_nid_list;
o_names.c
======================================
static LHASH *names_lh=NULL;
static STACK_OF(NAME_FUNCS) *name_funcs_stack;
static int free_type;
static int names_type_num=OBJ_NAME_TYPE_NUM;
th-lock.c - NEED to add support for locking for NetWare
==============================================
static long *lock_count;
(other platform specific globals)
x_x509.c
==============================================
static int x509_meth_num = 0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
evp_pbe.c
============================================
static STACK *pbe_algs;
evp_key.c
============================================
static char prompt_string[80];
ssl_ciph.c
============================================
static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
ssl_lib.c
=============================================
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
static int ssl_meth_num=0;
static int ssl_ctx_meth_num=0;
ssl_sess.c
=============================================
static int ssl_session_num=0;
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
x509_vfy.c
============================================
static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
static int x509_store_ctx_num=0;

19
Netware/readme.txt Normal file
View File

@ -0,0 +1,19 @@
Contents of the openssl\netware directory
==========================================
Regular files:
readme.txt - this file
do_tests.pl - perl script used to run the OpenSSL tests on NetWare
cpy_tests.bat - batch to to copy test stuff to NetWare server
build.bat - batch file to help with builds
set_env.bat - batch file to help setup build environments
globals.txt - results of initial code review to identify OpenSSL global variables
The following files are generated by the various scripts. They are
recreated each time and it is okay to delete them.
*.def - command files used by Metrowerks linker
*.mak - make files generated by mk1mf.pl

112
Netware/set_env.bat Normal file
View File

@ -0,0 +1,112 @@
@echo off
rem ========================================================================
rem Batch file to assist in setting up the necessary enviroment for
rem building OpenSSL for NetWare.
rem
rem usage:
rem set_env [target]
rem
rem target - "netware-clib" - Clib build
rem - "netware-libc" - LibC build
rem
rem
if "a%1" == "a" goto usage
set LIBC_BUILD=
set CLIB_BUILD=
set GNUC=
if "%1" == "netware-clib" set CLIB_BUILD=Y
if "%1" == "netware-clib" set LIBC_BUILD=
if "%1" == "netware-libc" set LIBC_BUILD=Y
if "%1" == "netware-libc" set CLIB_BUILD=
if "%2" == "gnuc" set GNUC=Y
if "%2" == "codewarrior" set GNUC=
rem Location of tools (compiler, linker, etc)
if "%NDKBASE%" == "" set NDKBASE=c:\Novell
rem If Perl for Win32 is not already in your path, add it here
set PERL_PATH=
rem Define path to the Metrowerks command line tools
rem or GNU Crosscompiler gcc / nlmconv
rem ( compiler, assembler, linker)
if "%GNUC%" == "Y" set COMPILER_PATH=c:\usr\i586-netware\bin;c:\usr\bin
if "%GNUC%" == "" set COMPILER_PATH=c:\prg\cwcmdl40
rem If using gnu make define path to utility
rem set GNU_MAKE_PATH=%NDKBASE%\gnu
set GNU_MAKE_PATH=c:\prg\tools
rem If using ms nmake define path to nmake
rem set MS_NMAKE_PATH=%NDKBASE%\msvc\600\bin
rem If using NASM assembler define path
rem set NASM_PATH=%NDKBASE%\nasm
set NASM_PATH=c:\prg\tools
rem Update path to include tool paths
set path=%path%;%COMPILER_PATH%
if not "%GNU_MAKE_PATH%" == "" set path=%path%;%GNU_MAKE_PATH%
if not "%MS_NMAKE_PATH%" == "" set path=%path%;%MS_NMAKE_PATH%
if not "%NASM_PATH%" == "" set path=%path%;%NASM_PATH%
if not "%PERL_PATH%" == "" set path=%path%;%PERL_PATH%
rem Set INCLUDES to location of Novell NDK includes
if "%LIBC_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\libc\include;%NDKBASE%\ndk\libc\include\winsock
if "%CLIB_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\nwsdk\include\nlm;%NDKBASE%\ws295sdk\include
rem Set Imports to location of Novell NDK import files
if "%LIBC_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\libc\imports
if "%CLIB_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\nwsdk\imports
rem Set PRELUDE to the absolute path of the prelude object to link with in
rem the Metrowerks NetWare PDK - NOTE: for Clib builds "clibpre.o" is
rem recommended, for LibC NKS builds libcpre.o must be used
if "%GNUC%" == "Y" goto gnuc
if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.o
rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.o
if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.o
echo using MetroWerks CodeWarrior
goto info
:gnuc
if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.gcc.o
rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.gcc.o
if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.gcc.o
echo using GNU GCC Compiler
:info
echo.
if "%LIBC_BUILD%" == "Y" echo Enviroment configured for LibC build
if "%LIBC_BUILD%" == "Y" echo use "netware\build.bat netware-libc ..."
if "%CLIB_BUILD%" == "Y" echo Enviroment configured for CLib build
if "%CLIB_BUILD%" == "Y" echo use "netware\build.bat netware-clib ..."
goto end
:usage
rem ===============================================================
echo.
echo No target build specified!
echo.
echo usage: set_env [target] [compiler]
echo.
echo target - "netware-clib" - Clib build
echo - "netware-libc" - LibC build
echo.
echo compiler - "gnuc" - GNU GCC Compiler
echo - "codewarrior" - MetroWerks CodeWarrior (default)
echo.
:end
echo.

213
PROBLEMS Normal file
View File

@ -0,0 +1,213 @@
* System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
NOTE: The problem described here only applies when OpenSSL isn't built
with shared library support (i.e. without the "shared" configuration
option). If you build with shared library support, you will have no
problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
This is really a misfeature in ld, which seems to look for .dylib libraries
along the whole library path before it bothers looking for .a libraries. This
means that -L switches won't matter unless OpenSSL is built with shared
library support.
The workaround may be to change the following lines in apps/Makefile and
test/Makefile:
LIBCRYPTO=-L.. -lcrypto
LIBSSL=-L.. -lssl
to:
LIBCRYPTO=../libcrypto.a
LIBSSL=../libssl.a
It's possible that something similar is needed for shared library support
as well. That hasn't been well tested yet.
Another solution that many seem to recommend is to move the libraries
/usr/lib/libcrypto.0.9.dylib, /usr/lib/libssl.0.9.dylib to a different
directory, build and install OpenSSL and anything that depends on your
build, then move libcrypto.0.9.dylib and libssl.0.9.dylib back to their
original places. Note that the version numbers on those two libraries
may differ on your machine.
As long as Apple doesn't fix the problem with ld, this problem building
OpenSSL will remain as is. Well, the problem was addressed in 0.9.8f by
passing -Wl,-search_paths_first, but it's unknown if the flag was
supported from the initial MacOS X release.
* Parallell make leads to errors
While running tests, running a parallell make is a bad idea. Many test
scripts use the same name for output and input files, which means different
will interfere with each other and lead to test failure.
The solution is simple for now: don't run parallell make when testing.
* Bugs in gcc triggered
- According to a problem report, there are bugs in gcc 3.0 that are
triggered by some of the code in OpenSSL, more specifically in
PEM_get_EVP_CIPHER_INFO(). The triggering code is the following:
header+=11;
if (*header != '4') return(0); header++;
if (*header != ',') return(0); header++;
What happens is that gcc might optimize a little too agressively, and
you end up with an extra incrementation when *header != '4'.
We recommend that you upgrade gcc to as high a 3.x version as you can.
- According to multiple problem reports, some of our message digest
implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64
and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while
latter - SHA one.
The recomendation is to upgrade your compiler. This naturally applies to
other similar cases.
- There is a subtle Solaris x86-specific gcc run-time environment bug, which
"falls between" OpenSSL [0.9.8 and later], Solaris ld and GCC. The bug
manifests itself as Segmentation Fault upon early application start-up.
The problem can be worked around by patching the environment according to
http://www.openssl.org/~appro/values.c.
* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
As subject suggests SHA-1 might perform poorly (4 times slower)
if compiled with WorkShop 6 compiler and -xarch=v9. The cause for
this seems to be the fact that compiler emits multiplication to
perform shift operations:-( To work the problem around configure
with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'.
* Problems with hp-parisc2-cc target when used with "no-asm" flag
When using the hp-parisc2-cc target, wrong bignum code is generated.
This is due to the SIXTY_FOUR_BIT build being compiled with the +O3
aggressive optimization.
The problem manifests itself by the BN_kronecker test hanging in an
endless loop. Reason: the BN_kronecker test calls BN_generate_prime()
which itself hangs. The reason could be tracked down to the bn_mul_comba8()
function in bn_asm.c. At some occasions the higher 32bit value of r[7]
is off by 1 (meaning: calculated=shouldbe+1). Further analysis failed,
as no debugger support possible at +O3 and additional fprintf()'s
introduced fixed the bug, therefore it is most likely a bug in the
optimizer.
The bug was found in the BN_kronecker test but may also lead to
failures in other parts of the code.
(See Ticket #426.)
Workaround: modify the target to +O2 when building with no-asm.
* Problems building shared libraries on SCO OpenServer Release 5.0.6
with gcc 2.95.3
The symptoms appear when running the test suite, more specifically
test/ectest, with the following result:
OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest
ectest.c:186: ABORT
The cause of the problem seems to be that isxdigit(), called from
BN_hex2bn(), returns 0 on a perfectly legitimate hex digit. Further
investigation shows that any of the isxxx() macros return 0 on any
input. A direct look in the information array that the isxxx() use,
called __ctype, shows that it contains all zeroes...
Taking a look at the newly created libcrypto.so with nm, one can see
that the variable __ctype is defined in libcrypto's .bss (which
explains why it is filled with zeroes):
$ nm -Pg libcrypto.so | grep __ctype
__ctype B 0011659c
__ctype2 U
Curiously, __ctype2 is undefined, in spite of being declared in
/usr/include/ctype.h in exactly the same way as __ctype.
Any information helping to solve this issue would be deeply
appreciated.
NOTE: building non-shared doesn't come with this problem.
* ULTRIX build fails with shell errors, such as "bad substitution"
and "test: argument expected"
The problem is caused by ULTRIX /bin/sh supporting only original
Bourne shell syntax/semantics, and the trouble is that the vast
majority is so accustomed to more modern syntax, that very few
people [if any] would recognize the ancient syntax even as valid.
This inevitably results in non-trivial scripts breaking on ULTRIX,
and OpenSSL isn't an exclusion. Fortunately there is workaround,
hire /bin/ksh to do the job /bin/sh fails to do.
1. Trick make(1) to use /bin/ksh by setting up following environ-
ment variables *prior* you execute ./Configure and make:
PROG_ENV=POSIX
MAKESHELL=/bin/ksh
export PROG_ENV MAKESHELL
or if your shell is csh-compatible:
setenv PROG_ENV POSIX
setenv MAKESHELL /bin/ksh
2. Trick /bin/sh to use alternative expression evaluator. Create
following 'test' script for example in /tmp:
#!/bin/ksh
${0##*/} "$@"
Then 'chmod a+x /tmp/test; ln /tmp/test /tmp/[' and *prepend*
your $PATH with chosen location, e.g. PATH=/tmp:$PATH. Alter-
natively just replace system /bin/test and /bin/[ with the
above script.
* hpux64-ia64-cc fails blowfish test.
Compiler bug, presumably at particular patch level. It should be noted
that same compiler generates correct 32-bit code, a.k.a. hpux-ia64-cc
target. Drop optimization level to +O2 when compiling 64-bit bf_skey.o.
* no-engines generates errors.
Unfortunately, the 'no-engines' configuration option currently doesn't
work properly. Use 'no-hw' and you'll will at least get no hardware
support. We'll see how we fix that on OpenSSL versions past 0.9.8.
* 'make test' fails in BN_sqr [commonly with "error 139" denoting SIGSEGV]
if elder GNU binutils were deployed to link shared libcrypto.so.
As subject suggests the failure is caused by a bug in elder binutils,
either as or ld, and was observed on FreeBSD and Linux. There are two
options. First is naturally to upgrade binutils, the second one - to
reconfigure with additional no-sse2 [or 386] option passed to ./config.
* If configured with ./config no-dso, toolkit still gets linked with -ldl,
which most notably poses a problem when linking with dietlibc.
We don't have framework to associate -ldl with no-dso, therefore the only
way is to edit Makefile right after ./config no-dso and remove -ldl from
EX_LIBS line.
* hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
Compiler bug, presumably at particular patch level. Remaining
hpux*-parisc*-cc configurations can be affected too. Drop optimization
level to +O2 when compiling bn_nist.o.
* solaris64-sparcv9-cc link failure
Solaris 8 ar can fail to maintain symbol table in .a, which results in
link failures. Apply 109147-09 or later or modify Makefile generated
by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
RANLIB= /usr/ccs/bin/ar rs

101
README Normal file
View File

@ -0,0 +1,101 @@
OpenSSL 1.0.2s 28 May 2019
Copyright (c) 1998-2019 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
DESCRIPTION
-----------
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
well as a full-strength general purpose cryptograpic library. The project is
managed by a worldwide community of volunteers that use the Internet to
communicate, plan, and develop the OpenSSL toolkit and its related
documentation.
OpenSSL is descended from the SSLeay library developed by Eric A. Young
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
OpenSSL license plus the SSLeay license), which means that you are free to
get and use it for commercial and non-commercial purposes as long as you
fulfill the conditions of both licenses.
OVERVIEW
--------
The OpenSSL toolkit includes:
libssl.a:
Provides the client and server-side implementations for SSLv3 and TLS.
libcrypto.a:
Provides general cryptographic and X.509 support needed by SSL/TLS but
not logically part of it.
openssl:
A command line tool that can be used for:
Creation of key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of message digests
Encryption and decryption
SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
And more...
INSTALLATION
------------
See the appropriate file:
INSTALL Linux, Unix, etc.
INSTALL.DJGPP DOS platform with DJGPP
INSTALL.NW Netware
INSTALL.OS2 OS/2
INSTALL.VMS VMS
INSTALL.W32 Windows (32bit)
INSTALL.W64 Windows (64bit)
INSTALL.WCE Windows CE
SUPPORT
-------
See the OpenSSL website www.openssl.org for details on how to obtain
commercial technical support.
If you have any problems with OpenSSL then please take the following steps
first:
- Download the latest version from the repository
to see if the problem has already been addressed
- Configure with no-asm
- Remove compiler optimisation flags
If you wish to report a bug then please include the following information
and create an issue on GitHub:
- On Unix systems:
Self-test report generated by 'make report'
- On other systems:
OpenSSL version: output of 'openssl version -a'
OS Name, Version, Hardware platform
Compiler Details (name, version)
- Application Details (name, version)
- Problem Description (steps that will reproduce the problem, if known)
- Stack Traceback (if the application dumps core)
Just because something doesn't work the way you expect does not mean it
is necessarily a bug in OpenSSL.
HOW TO CONTRIBUTE TO OpenSSL
----------------------------
See CONTRIBUTING
LEGALITIES
----------
A number of nations restrict the use or export of cryptography. If you
are potentially subject to such restrictions you should seek competent
professional legal advice before attempting to develop or distribute
cryptographic code.

187
README.ASN1 Normal file
View File

@ -0,0 +1,187 @@
OpenSSL ASN1 Revision
=====================
This document describes some of the issues relating to the new ASN1 code.
Previous OpenSSL ASN1 problems
=============================
OK why did the OpenSSL ASN1 code need revising in the first place? Well
there are lots of reasons some of which are included below...
1. The code is difficult to read and write. For every single ASN1 structure
(e.g. SEQUENCE) four functions need to be written for new, free, encode and
decode operations. This is a very painful and error prone operation. Very few
people have ever written any OpenSSL ASN1 and those that have usually wish
they hadn't.
2. Partly because of 1. the code is bloated and takes up a disproportionate
amount of space. The SEQUENCE encoder is particularly bad: it essentially
contains two copies of the same operation, one to compute the SEQUENCE length
and the other to encode it.
3. The code is memory based: that is it expects to be able to read the whole
structure from memory. This is fine for small structures but if you have a
(say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
changing the tag to the expected one, attempting to read it, then changing it
back again. This means that decode buffers have to be writable even though they
are ultimately unchanged. This gets in the way of constification.
5. The handling of EXPLICIT isn't much better. It adds a chunk of code into
the decoder and encoder for every EXPLICIT tag.
6. APPLICATION and PRIVATE tags aren't even supported at all.
7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
types that are not OPTIONAL.
8. Much of the code assumes that a tag will fit in a single octet. This is
only true if the tag is 30 or less (mercifully tags over 30 are rare).
9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
macros that properly support it.
10. Encoders have no concept of OPTIONAL and have no error checking. If the
passed structure contains a NULL in a mandatory field it will not be encoded,
resulting in an invalid structure.
11. It is tricky to add ASN1 encoders and decoders to external applications.
Template model
==============
One of the major problems with revision is the sheer volume of the ASN1 code.
Attempts to change (for example) the IMPLICIT behaviour would result in a
modification of *every* single decode function.
I decided to adopt a template based approach. I'm using the term 'template'
in a manner similar to SNACC templates: it has nothing to do with C++
templates.
A template is a description of an ASN1 module as several constant C structures.
It describes in a machine readable way exactly how the ASN1 structure should
behave. If this template contains enough detail then it is possible to write
versions of new, free, encode, decode (and possibly others operations) that
operate on templates.
Instead of having to write code to handle each operation only a single
template needs to be written. If new operations are needed (such as a 'print'
operation) only a single new template based function needs to be written
which will then automatically handle all existing templates.
Plans for revision
==================
The revision will consist of the following steps. Other than the first two
these can be handled in any order.
o Design and write template new, free, encode and decode operations, initially
memory based. *DONE*
o Convert existing ASN1 code to template form. *IN PROGRESS*
o Convert an existing ASN1 compiler (probably SNACC) to output templates
in OpenSSL form.
o Add support for BIO based ASN1 encoders and decoders to handle large
structures, initially blocking I/O.
o Add support for non blocking I/O: this is quite a bit harder than blocking
I/O.
o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
certificates etc etc.
Description of major changes
============================
The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
absent. The meaning of absent depends on the context. If for example the
boolean type is DEFAULT FALSE (as in the case of the critical flag for
certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
Usually the value will only ever be read via an API which will hide this from
an application.
There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
old code would omit the structure if the STACK was NULL (which is fine) or if
it had zero elements (which is NOT OK). This causes problems because an empty
SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
it is encoded it will be omitted resulting in different encodings. The new code
only omits the encoding if the STACK is NULL, if it contains zero elements it
is encoded and empty. There is an additional problem though: because an empty
STACK was omitted, sometimes the corresponding *_new() function would
initialize the STACK to empty so an application could immediately use it, if
this is done with the new code (i.e. a NULL) it wont work. Therefore a new
STACK should be allocated first. One instance of this is the X509_CRL list of
revoked certificates: a helper function X509_CRL_add0_revoked() has been added
for this purpose.
The X509_ATTRIBUTE structure used to have an element called 'set' which took
the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
to the behaviour of CHOICE in the new code this has been changed to a field
called 'single' which is 0 for a SET OF and 1 for single. The old field has
been deleted to deliberately break source compatibility. Since this structure
is normally accessed via higher level functions this shouldn't break too much.
The X509_REQ_INFO certificate request info structure no longer has a field
called 'req_kludge'. This used to be set to 1 if the attributes field was
(incorrectly) omitted. You can check to see if the field is omitted now by
checking if the attributes field is NULL. Similarly if you need to omit
the field then free attributes and set it to NULL.
The top level 'detached' field in the PKCS7 structure is no longer set when
a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
The behaviour of PKCS7_get_detached() is unaffected.
The values of 'type' in the GENERAL_NAME structure have changed. This is
because the old code use the ASN1 initial octet as the selector. The new
code uses the index in the ASN1_CHOICE template.
The DIST_POINT_NAME structure has changed to be a true CHOICE type.
typedef struct DIST_POINT_NAME_st {
int type;
union {
STACK_OF(GENERAL_NAME) *fullname;
STACK_OF(X509_NAME_ENTRY) *relativename;
} name;
} DIST_POINT_NAME;
This means that name.fullname or name.relativename should be set
and type reflects the option. That is if name.fullname is set then
type is 0 and if name.relativename is set type is 1.
With the old code using the i2d functions would typically involve:
unsigned char *buf, *p;
int len;
/* Find length of encoding */
len = i2d_SOMETHING(x, NULL);
/* Allocate buffer */
buf = OPENSSL_malloc(len);
if(buf == NULL) {
/* Malloc error */
}
/* Use temp variable because &p gets updated to point to end of
* encoding.
*/
p = buf;
i2d_SOMETHING(x, &p);
Using the new i2d you can also do:
unsigned char *buf = NULL;
int len;
len = i2d_SOMETHING(x, &buf);
if(len < 0) {
/* Malloc error */
}
and it will automatically allocate and populate a buffer with the
encoding. After this call 'buf' will point to the start of the
encoding which is len bytes long.

289
README.ENGINE Normal file
View File

@ -0,0 +1,289 @@
ENGINE
======
With OpenSSL 0.9.6, a new component was added to support alternative
cryptography implementations, most commonly for interfacing with external
crypto devices (eg. accelerator cards). This component is called ENGINE,
and its presence in OpenSSL 0.9.6 (and subsequent bug-fix releases)
caused a little confusion as 0.9.6** releases were rolled in two
versions, a "standard" and an "engine" version. In development for 0.9.7,
the ENGINE code has been merged into the main branch and will be present
in the standard releases from 0.9.7 forwards.
There are currently built-in ENGINE implementations for the following
crypto devices:
o CryptoSwift
o Compaq Atalla
o nCipher CHIL
o Nuron
o Broadcom uBSec
In addition, dynamic binding to external ENGINE implementations is now
provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
section below for details.
At this stage, a number of things are still needed and are being worked on:
1 Integration of EVP support.
2 Configuration support.
3 Documentation!
1 With respect to EVP, this relates to support for ciphers and digests in
the ENGINE model so that alternative implementations of existing
algorithms/modes (or previously unimplemented ones) can be provided by
ENGINE implementations.
2 Configuration support currently exists in the ENGINE API itself, in the
form of "control commands". These allow an application to expose to the
user/admin the set of commands and parameter types a given ENGINE
implementation supports, and for an application to directly feed string
based input to those ENGINEs, in the form of name-value pairs. This is an
extensible way for ENGINEs to define their own "configuration" mechanisms
that are specific to a given ENGINE (eg. for a particular hardware
device) but that should be consistent across *all* OpenSSL-based
applications when they use that ENGINE. Work is in progress (or at least
in planning) for supporting these control commands from the CONF (or
NCONF) code so that applications using OpenSSL's existing configuration
file format can have ENGINE settings specified in much the same way.
Presently however, applications must use the ENGINE API itself to provide
such functionality. To see first hand the types of commands available
with the various compiled-in ENGINEs (see further down for dynamic
ENGINEs), use the "engine" openssl utility with full verbosity, ie;
openssl engine -vvvv
3 Documentation? Volunteers welcome! The source code is reasonably well
self-documenting, but some summaries and usage instructions are needed -
moreover, they are needed in the same POD format the existing OpenSSL
documentation is provided in. Any complete or incomplete contributions
would help make this happen.
STABILITY & BUG-REPORTS
=======================
What already exists is fairly stable as far as it has been tested, but
the test base has been a bit small most of the time. For the most part,
the vendors of the devices these ENGINEs support have contributed to the
development and/or testing of the implementations, and *usually* (with no
guarantees) have experience in using the ENGINE support to drive their
devices from common OpenSSL-based applications. Bugs and/or inexplicable
behaviour in using a specific ENGINE implementation should be sent to the
author of that implementation (if it is mentioned in the corresponding C
file), and in the case of implementations for commercial hardware
devices, also through whatever vendor support channels are available. If
none of this is possible, or the problem seems to be something about the
ENGINE API itself (ie. not necessarily specific to a particular ENGINE
implementation) then you should mail complete details to the relevant
OpenSSL mailing list. For a definition of "complete details", refer to
the OpenSSL "README" file. As for which list to send it to;
openssl-users: if you are *using* the ENGINE abstraction, either in an
pre-compiled application or in your own application code.
openssl-dev: if you are discussing problems with OpenSSL source code.
USAGE
=====
The default "openssl" ENGINE is always chosen when performing crypto
operations unless you specify otherwise. You must actively tell the
openssl utility commands to use anything else through a new command line
switch called "-engine". Also, if you want to use the ENGINE support in
your own code to do something similar, you must likewise explicitly
select the ENGINE implementation you want.
Depending on the type of hardware, system, and configuration, "settings"
may need to be applied to an ENGINE for it to function as expected/hoped.
The recommended way of doing this is for the application to support
ENGINE "control commands" so that each ENGINE implementation can provide
whatever configuration primitives it might require and the application
can allow the user/admin (and thus the hardware vendor's support desk
also) to provide any such input directly to the ENGINE implementation.
This way, applications do not need to know anything specific to any
device, they only need to provide the means to carry such user/admin
input through to the ENGINE in question. Ie. this connects *you* (and
your helpdesk) to the specific ENGINE implementation (and device), and
allows application authors to not get buried in hassle supporting
arbitrary devices they know (and care) nothing about.
A new "openssl" utility, "openssl engine", has been added in that allows
for testing and examination of ENGINE implementations. Basic usage
instructions are available by specifying the "-?" command line switch.
DYNAMIC ENGINES
===============
The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
implementations that aren't pre-compiled and linked into OpenSSL-based
applications. This could be because existing compiled-in implementations
have known problems and you wish to use a newer version with an existing
application. It could equally be because the application (or OpenSSL
library) you are using simply doesn't have support for the ENGINE you
wish to use, and the ENGINE provider (eg. hardware vendor) is providing
you with a self-contained implementation in the form of a shared-library.
The other use-case for "dynamic" is with applications that wish to
maintain the smallest foot-print possible and so do not link in various
ENGINE implementations from OpenSSL, but instead leaves you to provide
them, if you want them, in the form of "dynamic"-loadable
shared-libraries. It should be possible for hardware vendors to provide
their own shared-libraries to support arbitrary hardware to work with
applications based on OpenSSL 0.9.7 or later. If you're using an
application based on 0.9.7 (or later) and the support you desire is only
announced for versions later than the one you need, ask the vendor to
backport their ENGINE to the version you need.
How does "dynamic" work?
------------------------
The dynamic ENGINE has a special flag in its implementation such that
every time application code asks for the 'dynamic' ENGINE, it in fact
gets its own copy of it. As such, multi-threaded code (or code that
multiplexes multiple uses of 'dynamic' in a single application in any
way at all) does not get confused by 'dynamic' being used to do many
independent things. Other ENGINEs typically don't do this so there is
only ever 1 ENGINE structure of its type (and reference counts are used
to keep order). The dynamic ENGINE itself provides absolutely no
cryptographic functionality, and any attempt to "initialise" the ENGINE
automatically fails. All it does provide are a few "control commands"
that can be used to control how it will load an external ENGINE
implementation from a shared-library. To see these control commands,
use the command-line;
openssl engine -vvvv dynamic
The "SO_PATH" control command should be used to identify the
shared-library that contains the ENGINE implementation, and "NO_VCHECK"
might possibly be useful if there is a minor version conflict and you
(or a vendor helpdesk) is convinced you can safely ignore it.
"ID" is probably only needed if a shared-library implements
multiple ENGINEs, but if you know the engine id you expect to be using,
it doesn't hurt to specify it (and this provides a sanity check if
nothing else). "LIST_ADD" is only required if you actually wish the
loaded ENGINE to be discoverable by application code later on using the
ENGINE's "id". For most applications, this isn't necessary - but some
application authors may have nifty reasons for using it. The "LOAD"
command is the only one that takes no parameters and is the command
that uses the settings from any previous commands to actually *load*
the shared-library ENGINE implementation. If this command succeeds, the
(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
that has been loaded from the shared-library. As such, any control
commands supported by the loaded ENGINE could then be executed as per
normal. Eg. if ENGINE "foo" is implemented in the shared-library
"libfoo.so" and it supports some special control command "CMD_FOO", the
following code would load and use it (NB: obviously this code has no
error checking);
ENGINE *e = ENGINE_by_id("dynamic");
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
For testing, the "openssl engine" utility can be useful for this sort
of thing. For example the above code excerpt would achieve much the
same result as;
openssl engine dynamic \
-pre SO_PATH:/lib/libfoo.so \
-pre ID:foo \
-pre LOAD \
-pre "CMD_FOO:some input data"
Or to simply see the list of commands supported by the "foo" ENGINE;
openssl engine -vvvv dynamic \
-pre SO_PATH:/lib/libfoo.so \
-pre ID:foo \
-pre LOAD
Applications that support the ENGINE API and more specifically, the
"control commands" mechanism, will provide some way for you to pass
such commands through to ENGINEs. As such, you would select "dynamic"
as the ENGINE to use, and the parameters/commands you pass would
control the *actual* ENGINE used. Each command is actually a name-value
pair and the value can sometimes be omitted (eg. the "LOAD" command).
Whilst the syntax demonstrated in "openssl engine" uses a colon to
separate the command name from the value, applications may provide
their own syntax for making that separation (eg. a win32 registry
key-value pair may be used by some applications). The reason for the
"-pre" syntax in the "openssl engine" utility is that some commands
might be issued to an ENGINE *after* it has been initialised for use.
Eg. if an ENGINE implementation requires a smart-card to be inserted
during initialisation (or a PIN to be typed, or whatever), there may be
a control command you can issue afterwards to "forget" the smart-card
so that additional initialisation is no longer possible. In
applications such as web-servers, where potentially volatile code may
run on the same host system, this may provide some arguable security
value. In such a case, the command would be passed to the ENGINE after
it has been initialised for use, and so the "-post" switch would be
used instead. Applications may provide a different syntax for
supporting this distinction, and some may simply not provide it at all
("-pre" is almost always what you're after, in reality).
How do I build a "dynamic" ENGINE?
----------------------------------
This question is trickier - currently OpenSSL bundles various ENGINE
implementations that are statically built in, and any application that
calls the "ENGINE_load_builtin_engines()" function will automatically
have all such ENGINEs available (and occupying memory). Applications
that don't call that function have no ENGINEs available like that and
would have to use "dynamic" to load any such ENGINE - but on the other
hand such applications would only have the memory footprint of any
ENGINEs explicitly loaded using user/admin provided control commands.
The main advantage of not statically linking ENGINEs and only using
"dynamic" for hardware support is that any installation using no
"external" ENGINE suffers no unnecessary memory footprint from unused
ENGINEs. Likewise, installations that do require an ENGINE incur the
overheads from only *that* ENGINE once it has been loaded.
Sounds good? Maybe, but currently building an ENGINE implementation as
a shared-library that can be loaded by "dynamic" isn't automated in
OpenSSL's build process. It can be done manually quite easily however.
Such a shared-library can either be built with any OpenSSL code it
needs statically linked in, or it can link dynamically against OpenSSL
if OpenSSL itself is built as a shared library. The instructions are
the same in each case, but in the former (statically linked any
dependencies on OpenSSL) you must ensure OpenSSL is built with
position-independent code ("PIC"). The default OpenSSL compilation may
already specify the relevant flags to do this, but you should consult
with your compiler documentation if you are in any doubt.
This example will show building the "atalla" ENGINE in the
crypto/engine/ directory as a shared-library for use via the "dynamic"
ENGINE.
1) "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
source tree.
2) Recompile at least one source file so you can see all the compiler
flags (and syntax) being used to build normally. Eg;
touch hw_atalla.c ; make
will rebuild "hw_atalla.o" using all such flags.
3) Manually enter the same compilation line to compile the
"hw_atalla.c" file but with the following two changes;
(a) add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
(b) change the output file from "hw_atalla.o" to something new,
eg. "tmp_atalla.o"
4) Link "tmp_atalla.o" into a shared-library using the top-level
OpenSSL libraries to resolve any dependencies. The syntax for doing
this depends heavily on your system/compiler and is a nightmare
known well to anyone who has worked with shared-library portability
before. 'gcc' on Linux, for example, would use the following syntax;
gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
5) Test your shared library using "openssl engine" as explained in the
previous section. Eg. from the top-level directory, you might try;
apps/openssl engine -vvvv dynamic \
-pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
If the shared-library loads successfully, you will see both "-pre"
commands marked as "SUCCESS" and the list of control commands
displayed (because of "-vvvv") will be the control commands for the
*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
the "-t" switch to the utility if you want it to try and initialise
the atalla ENGINE for use to test any possible hardware/driver
issues.
PROBLEMS
========
It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
A quick test done right before the release showed that trying "openssl speed
-engine cswift" generated errors. If the DSO gets enabled, an attempt is made
to write at memory address 0x00000002.

18
VMS/TODO Normal file
View File

@ -0,0 +1,18 @@
TODO:
=====
There are a few things that need to be worked out in the VMS version of
OpenSSL, still:
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
There may be other things that I have missed and that may be desirable.
Please send mail to <openssl-users@openssl.org> or to me directly if you
have any ideas.
--
Richard Levitte <richard@levitte.org>
1999-05-24

34
VMS/VMSify-conf.pl Normal file
View File

@ -0,0 +1,34 @@
#! /usr/bin/perl
use strict;
use warnings;
my @directory_vars = ( "dir", "certs", "crl_dir", "new_certs_dir" );
my @file_vars = ( "database", "certificate", "serial", "crlnumber",
"crl", "private_key", "RANDFILE" );
while(<STDIN>) {
chomp;
foreach my $d (@directory_vars) {
if (/^(\s*\#?\s*${d}\s*=\s*)\.\/([^\s\#]*)([\s\#].*)$/) {
$_ = "$1sys\\\$disk:\[.$2$3";
} elsif (/^(\s*\#?\s*${d}\s*=\s*)(\w[^\s\#]*)([\s\#].*)$/) {
$_ = "$1sys\\\$disk:\[.$2$3";
}
s/^(\s*\#?\s*${d}\s*=\s*\$\w+)\/([^\s\#]*)([\s\#].*)$/$1.$2\]$3/;
while(/^(\s*\#?\s*${d}\s*=\s*(\$\w+\.|sys\\\$disk:\[\.)[\w\.]+)\/([^\]]*)\](.*)$/) {
$_ = "$1.$3]$4";
}
}
foreach my $f (@file_vars) {
s/^(\s*\#?\s*${f}\s*=\s*)\.\/(.*)$/$1sys\\\$disk:\[\/$2/;
while(/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+\/[^\s\#]*)([\s\#].*)$/) {
$_ = "$1.$3$4";
}
if (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+)([\s\#].*)$/) {
$_ = "$1]$3.$4";
} elsif (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/([^\s\#]*)([\s\#].*)$/) {
$_ = "$1]$3$4";
}
}
print $_,"\n";
}

4
VMS/WISHLIST.TXT Normal file
View File

@ -0,0 +1,4 @@
* Have the building procedure contain a LINK-only possibility.
Wished by Mark Daniel <mark.daniel@dsto.defence.gov.au>
One way to enable that is also to go over to DESCRIP.MMS files.

67
VMS/install-vms.com Executable file
View File

@ -0,0 +1,67 @@
$! install-vms.com -- Installs the files in a given directory tree
$!
$! Author: Richard Levitte <richard@levitte.org>
$! Time of creation: 23-MAY-1998 19:22
$!
$! P1 root of the directory tree
$!
$!
$! Announce/identify.
$!
$ proc = f$environment( "procedure")
$ write sys$output "@@@ "+ -
f$parse( proc, , , "name")+ f$parse( proc, , , "type")
$!
$ on error then goto tidy
$ on control_c then goto tidy
$!
$ if p1 .eqs. ""
$ then
$ write sys$output "First argument missing."
$ write sys$output -
"Should be the directory where you want things installed."
$ exit
$ endif
$
$ if (f$getsyi( "cpu") .lt. 128)
$ then
$ arch = "VAX"
$ else
$ arch = f$edit( f$getsyi( "arch_name"), "upcase")
$ if (arch .eqs. "") then arch = "UNK"
$ endif
$
$ root = f$parse( P1, "[]A.;0", , , "SYNTAX_ONLY, NO_CONCEAL")- "A.;0"
$ root_dev = f$parse( root, , , "device", "syntax_only")
$ root_dir = f$parse( root, , , "directory", "syntax_only") - -
"[000000." - "][" - "[" - "]"
$ root = root_dev + "[" + root_dir
$
$ define /nolog wrk_sslroot 'root'.] /translation_attributes = concealed
$ define /nolog wrk_sslinclude wrk_sslroot:[include]
$
$ if f$parse( "wrk_sslroot:[000000]") .eqs. "" then -
create /directory /log wrk_sslroot:[000000]
$ if f$parse( "wrk_sslinclude:") .eqs. "" then -
create /directory /log wrk_sslinclude:
$ if f$parse( "wrk_sslroot:[vms]") .eqs. "" then -
create /directory /log wrk_sslroot:[vms]
$!
$ copy /log /protection = world:re openssl_startup.com wrk_sslroot:[vms]
$ copy /log /protection = world:re openssl_undo.com wrk_sslroot:[vms]
$ copy /log /protection = world:re openssl_utils.com wrk_sslroot:[vms]
$!
$ tidy:
$!
$ call deass wrk_sslroot
$ call deass wrk_sslinclude
$!
$ exit
$!
$ deass: subroutine
$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
$ then
$ deassign /process 'p1'
$ endif
$ endsubroutine
$!

476
VMS/mkshared.com Normal file
View File

@ -0,0 +1,476 @@
$! MKSHARED.COM -- Create shareable images.
$!
$! P1: "64" for 64-bit pointers.
$!
$! P2: Zlib object library path (optional).
$!
$! Input: [.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
$! [.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
$! [.CRYPTO.xxx]OPENSSLCONF.H
$! Output: [.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
$! [.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
$!
$! So far, tests have only been made on VMS for Alpha. VAX will come in time.
$! ===========================================================================
$!
$! Announce/identify.
$!
$ proc = f$environment( "procedure")
$ write sys$output "@@@ "+ -
f$parse( proc, , , "name")+ f$parse( proc, , , "type")
$!
$! Save the original default device:[directory].
$!
$ def_orig = f$environment( "default")
$ on error then goto tidy
$ on control_c then goto tidy
$!
$! SET DEFAULT to the main kit directory.
$!
$ proc = f$environment("procedure")
$ proc = f$parse( "A.;", proc)- "A.;"
$ set default 'proc'
$ set default [-]
$!
$! ----- Prepare info for processing: version number and file info
$ gosub read_version_info
$ if libver .eqs. ""
$ then
$ write sys$error "ERROR: Couldn't find any library version info..."
$ go to tidy:
$ endif
$
$ if (f$getsyi("cpu") .lt. 128)
$ then
$ arch_vax = 1
$ arch = "VAX"
$ else
$ arch_vax = 0
$ arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
$ if (arch .eqs. "") then arch = "UNK"
$ endif
$!
$ archd = arch
$ lib32 = "32"
$ shr = "SHR32"
$!
$ if (p1 .nes. "")
$ then
$ if (p1 .eqs. "64")
$ then
$ archd = arch+ "_64"
$ lib32 = ""
$ shr = "SHR"
$ else
$ if (p1 .nes. "32")
$ then
$ write sys$output "Second argument invalid."
$ write sys$output "It should be "32", "64", or nothing."
$ exit
$ endif
$ endif
$ endif
$!
$! ----- Prepare info for processing: disabled algorithms info
$ gosub read_disabled_algorithms_info
$!
$ ZLIB = p2
$ zlib_lib = ""
$ if (ZLIB .nes. "")
$ then
$ file2 = f$parse( ZLIB, "libz.olb", , , "syntax_only")
$ if (f$search( file2) .eqs. "")
$ then
$ write sys$output ""
$ write sys$output "The Option ", ZLIB, " Is Invalid."
$ write sys$output " Can't find library: ''file2'"
$ write sys$output ""
$ goto tidy
$ endif
$ zlib_lib = ", ''file2' /library"
$ endif
$!
$ if (arch_vax)
$ then
$ libtit = "CRYPTO_TRANSFER_VECTOR"
$ libid = "Crypto"
$ libnum = "[.UTIL]LIBEAY.NUM"
$ libdir = "[.''ARCHD'.EXE.CRYPTO]"
$ libmar = "''libdir'SSL_LIBCRYPTO_''shr'.MAR"
$ libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
$ libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
$ libobj = "''libdir'SSL_LIBCRYPTO_''shr'.OBJ"
$ libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
$ libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
$ libref = ""
$ libvec = "LIBCRYPTO"
$ if f$search( libolb) .nes. "" then gosub create_vax_shr
$ libtit = "SSL_TRANSFER_VECTOR"
$ libid = "SSL"
$ libnum = "[.UTIL]SSLEAY.NUM"
$ libdir = "[.''ARCHD'.EXE.SSL]"
$ libmar = "''libdir'SSL_LIBSSL_''shr'.MAR"
$ libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
$ libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
$ libobj = "''libdir'SSL_LIBSSL_''shr'.OBJ"
$ libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
$ libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
$ libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
$ libvec = "LIBSSL"
$ if f$search( libolb) .nes. "" then gosub create_vax_shr
$ else
$ libid = "Crypto"
$ libnum = "[.UTIL]LIBEAY.NUM"
$ libdir = "[.''ARCHD'.EXE.CRYPTO]"
$ libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
$ libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
$ libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
$ libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
$ libref = ""
$ if f$search( libolb) .nes. "" then gosub create_nonvax_shr
$ libid = "SSL"
$ libnum = "[.UTIL]SSLEAY.NUM"
$ libdir = "[.''ARCHD'.EXE.SSL]"
$ libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
$ libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
$ libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
$ libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
$ libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
$ if f$search( libolb) .nes. "" then gosub create_nonvax_shr
$ endif
$!
$ tidy:
$!
$! Close any open files.
$!
$ if (f$trnlnm( "libnum", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
close libnum
$!
$ if (f$trnlnm( "mar", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
close mar
$!
$ if (f$trnlnm( "opt", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
close opt
$!
$ if (f$trnlnm( "vf", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
close vf
$!
$! Restore the original default device:[directory].
$!
$ set default 'def_orig'
$ exit
$
$! ----- Subroutines to build the shareable libraries
$! For each supported architecture, there's a main shareable library
$! creator, which is called from the main code above.
$! The creator will define a number of variables to tell the next levels of
$! subroutines what routines to use to write to the option files, call the
$! main processor, read_func_num, and when that is done, it will write version
$! data at the end of the .opt file, close it, and link the library.
$!
$! read_func_num reads through a .num file and calls the writer routine for
$! each line. It's also responsible for checking that order is properly kept
$! in the .num file, check that each line applies to VMS and the architecture,
$! and to fill in "holes" with dummy entries.
$!
$! The creator routines depend on the following variables:
$! libnum The name of the .num file to use as input
$! libolb The name of the object library to build from
$! libid The identification string of the shareable library
$! libopt The name of the .opt file to write
$! libtit The title of the assembler transfer vector file (VAX only)
$! libmar The name of the assembler transfer vector file (VAX only)
$! libmap The name of the map file to write
$! libgoal The name of the shareable library to write
$! libref The name of a shareable library to link in
$!
$! read_func_num depends on the following variables from the creator:
$! libwriter The name of the writer routine to call for each .num file line
$! -----
$
$! ----- Subroutines for non-VAX
$! -----
$! The creator routine
$ create_nonvax_shr:
$ open /write opt 'libopt'
$ write opt "identification=""",libid," ",libverstr,""""
$ write opt libolb, " /library"
$ if libref .nes. "" then write opt libref,"/SHARE"
$ write opt "SYMBOL_VECTOR=(-"
$ libfirstentry := true
$ libwrch := opt
$ libwriter := write_nonvax_transfer_entry
$ textcount = 0
$ gosub read_func_num
$ write opt ")"
$ write opt "GSMATCH=",libvmatch,",",libver
$ close opt
$ link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
'zlib_lib'
$ return
$
$! The record writer routine
$ write_nonvax_transfer_entry:
$ if libentry .eqs. ".dummy" then return
$ if info_kind .eqs. "VARIABLE"
$ then
$ pr:=DATA
$ else
$ pr:=PROCEDURE
$ endif
$ textcount_this = f$length(pr) + f$length(libentry) + 5
$ if textcount + textcount_this .gt. 1024
$ then
$ write opt ")"
$ write opt "SYMBOL_VECTOR=(-"
$ textcount = 16
$ libfirstentry := true
$ endif
$ if libfirstentry
$ then
$ write 'libwrch' " ",libentry,"=",pr," -"
$ else
$ write 'libwrch' " ,",libentry,"=",pr," -"
$ endif
$ libfirstentry := false
$ textcount = textcount + textcount_this
$ return
$
$! ----- Subroutines for VAX
$! -----
$! The creator routine
$ create_vax_shr:
$ open /write mar 'libmar'
$ type sys$input:/out=mar:
;
; Transfer vector for VAX shareable image
;
$ write mar " .TITLE ",libtit
$ write mar " .IDENT /",libid,"/"
$ type sys$input:/out=mar:
;
; Define macro to assist in building transfer vector entries. Each entry
; should take no more than 8 bytes.
;
.MACRO FTRANSFER_ENTRY routine
.ALIGN QUAD
.TRANSFER routine
.MASK routine
JMP routine+2
.ENDM FTRANSFER_ENTRY
;
; Place entries in own program section.
;
$ write mar " .PSECT $$",libvec,",QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT"
$ write mar libvec,"_xfer:"
$ libwrch := mar
$ libwriter := write_vax_ftransfer_entry
$ gosub read_func_num
$ type sys$input:/out=mar:
;
; Allocate extra storage at end of vector to allow for expansion.
;
$ write mar " .BLKB 32768-<.-",libvec,"_xfer> ; 64 pages total."
$! libwriter := write_vax_vtransfer_entry
$! gosub read_func_num
$ write mar " .END"
$ close mar
$ open /write opt 'libopt'
$ write opt "identification=""",libid," ",libverstr,""""
$ write opt libobj
$ write opt libolb, " /library"
$ if libref .nes. "" then write opt libref,"/SHARE"
$ type sys$input:/out=opt:
!
! Ensure transfer vector is at beginning of image
!
CLUSTER=FIRST
$ write opt "COLLECT=FIRST,$$",libvec
$ write opt "GSMATCH=",libvmatch,",",libver
$ type sys$input:/out=opt:
!
! make psects nonshareable so image can be installed.
!
PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
$ libwrch := opt
$ libwriter := write_vax_psect_attr
$ gosub read_func_num
$ close opt
$ macro/obj='libobj' 'libmar'
$ link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
'zlib_lib'
$ return
$
$! The record writer routine for VAX functions
$ write_vax_ftransfer_entry:
$ if info_kind .nes. "FUNCTION" then return
$ if libentry .eqs ".dummy"
$ then
$ write 'libwrch' " .BLKB 8" ! Dummy is zeroes...
$ else
$ write 'libwrch' " FTRANSFER_ENTRY ",libentry
$ endif
$ return
$! The record writer routine for VAX variables (should never happen!)
$ write_vax_psect_attr:
$ if info_kind .nes. "VARIABLE" then return
$ if libentry .eqs ".dummy" then return
$ write 'libwrch' "PSECT_ATTR=",libentry,",NOSHR"
$ return
$
$! ----- Common subroutines
$! -----
$! The .num file reader. This one has great responsibility.
$ read_func_num:
$ open /read libnum 'libnum'
$ goto read_nums
$
$ read_nums:
$ libentrynum=0
$ liblastentry:=false
$ entrycount=0
$ loop:
$ read /end=loop_end /err=loop_end libnum line
$ lin = f$edit( line, "COMPRESS,TRIM")
$! Skip a "#" comment line.
$ if (f$extract( 0, 1, lin) .eqs. "#") then goto loop
$ entrynum = f$int(f$element( 1, " ", lin))
$ entryinfo = f$element( 2, " ", lin)
$ curentry = f$element( 0, " ", lin)
$ info_exist = f$element( 0, ":", entryinfo)
$ info_platforms = ","+ f$element(1, ":", entryinfo)+ ","
$ info_kind = f$element( 2, ":", entryinfo)
$ info_algorithms = ","+ f$element( 3, ":", entryinfo)+ ","
$ if info_exist .eqs. "NOEXIST" then goto loop
$ truesum = 0
$ falsesum = 0
$ negatives = 1
$ plat_i = 0
$ loop1:
$ plat_entry = f$element( plat_i, ",", info_platforms)
$ plat_i = plat_i + 1
$ if plat_entry .eqs. "" then goto loop1
$ if plat_entry .nes. ","
$ then
$ if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
$ if (arch_vax)
$ then
$ if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
$ truesum = truesum + 1
$ if plat_entry .eqs. "!EXPORT_VAR_AS_FUNCTION" then -
$ falsesum = falsesum + 1
$ endif
$!
$ if ((plat_entry .eqs. "VMS") .or. -
((plat_entry .eqs. "ZLIB") .and. (ZLIB .nes. "")) .or. -
(arch_vax .and. (plat_entry .eqs. "VMSVAX"))) then -
truesum = truesum + 1
$!
$ if ((plat_entry .eqs. "!VMS") .or. -
(arch_vax .and. (plat_entry .eqs. "!VMSVAX"))) then -
falsesum = falsesum + 1
$!
$ goto loop1
$ endif
$ endloop1:
$!DEBUG!$ if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
$!DEBUG!$ then
$!DEBUG!$ write sys$output line
$!DEBUG!$ write sys$output " truesum = ",truesum,-
$!DEBUG! ", negatives = ",negatives,", falsesum = ",falsesum
$!DEBUG!$ endif
$ if falsesum .ne. 0 then goto loop
$ if truesum+negatives .eq. 0 then goto loop
$ alg_i = 0
$ loop2:
$ alg_entry = f$element(alg_i,",",info_algorithms)
$ alg_i = alg_i + 1
$ if alg_entry .eqs. "" then goto loop2
$ if alg_entry .nes. ","
$ then
$ if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
$ if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
$ goto loop2
$ endif
$ endloop2:
$ if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
$ then
$!DEBUG!$ write sys$output curentry," ; ",entrynum," ; ",entryinfo
$ endif
$ redo:
$ next:=loop
$ tolibentry=curentry
$ if libentrynum .ne. entrynum
$ then
$ entrycount=entrycount+1
$ if entrycount .lt. entrynum
$ then
$!DEBUG!$ write sys$output "Info: entrycount: ''entrycount', entrynum: ''entrynum' => 0"
$ tolibentry=".dummy"
$ next:=redo
$ endif
$ if entrycount .gt. entrynum
$ then
$ write sys$error "Decreasing library entry numbers! Can't continue"
$ write sys$error """",line,""""
$ close libnum
$ return
$ endif
$ libentry=tolibentry
$!DEBUG!$ write sys$output entrycount," ",libentry," ",entryinfo
$ if libentry .nes. "" .and. libwriter .nes. "" then gosub 'libwriter'
$ else
$ write sys$error "Info: ""''curentry'"" is an alias for ""''libentry'"". Overriding..."
$ endif
$ libentrynum=entrycount
$ goto 'next'
$ loop_end:
$ close libnum
$ return
$
$! The version number reader
$ read_version_info:
$ libver = ""
$ open /read vf [.CRYPTO]OPENSSLV.H
$ loop_rvi:
$ read/err=endloop_rvi/end=endloop_rvi vf rvi_line
$ if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
goto loop_rvi
$ libverstr = f$element(1,"""",rvi_line)
$ libvmajor = f$element(0,".",libverstr)
$ libvminor = f$element(1,".",libverstr)
$ libvedit = f$element(2,".",libverstr)
$ libvpatch = f$cvui(0,8,f$extract(1,1,libvedit)+"@")-f$cvui(0,8,"@")
$ libvedit = f$extract(0,1,libvedit)
$ libver = f$string(f$int(libvmajor)*100)+","+-
f$string(f$int(libvminor)*100+f$int(libvedit)*10+f$int(libvpatch))
$ if libvmajor .eqs. "0"
$ then
$ libvmatch = "EQUAL"
$ else
$ ! Starting with the 1.0 release, backward compatibility should be
$ ! kept, so switch over to the following
$ libvmatch = "LEQUAL"
$ endif
$ endloop_rvi:
$ close vf
$ return
$
$! The disabled algorithms reader
$ read_disabled_algorithms_info:
$ disabled_algorithms = ","
$ open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
$ loop_rci:
$ read/err=endloop_rci/end=endloop_rci cf rci_line
$ rci_line = f$edit(rci_line,"TRIM,COMPRESS")
$ rci_ei = 0
$ if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
$ if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
$ if rci_ei .eq. 0 then goto loop_rci
$ rci_e = f$element(rci_ei," ",rci_line)
$ if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
$ disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
$ goto loop_rci
$ endloop_rci:
$ close cf
$ return

1
VMS/multinet_shr.opt Normal file
View File

@ -0,0 +1 @@
multinet:multinet_socket_library.exe/share

108
VMS/openssl_startup.com Executable file
View File

@ -0,0 +1,108 @@
$!
$! Startup file for OpenSSL 1.x.
$!
$! 2011-03-05 SMS.
$!
$! This procedure must reside in the OpenSSL installation directory.
$! It will fail if it is copied to a different location.
$!
$! P1 qualifier(s) for DEFINE. For example, "/SYSTEM" to get the
$! logical names defined in the system logical name table.
$!
$! P2 "64", to use executables which were built with 64-bit pointers.
$!
$! Good (default) and bad status values.
$!
$ status = %x00010001 ! RMS$_NORMAL, normal successful completion.
$ rms_e_fnf = %x00018292 ! RMS$_FNF, file not found.
$!
$! Prepare for problems.
$!
$ orig_dev_dir = f$environment( "DEFAULT")
$ on control_y then goto clean_up
$ on error then goto clean_up
$!
$! Determine hardware architecture.
$!
$ if (f$getsyi( "cpu") .lt. 128)
$ then
$ arch_name = "VAX"
$ else
$ arch_name = f$edit( f$getsyi( "arch_name"), "upcase")
$ if (arch_name .eqs. "") then arch_name = "UNK"
$ endif
$!
$ if (p2 .eqs. "64")
$ then
$ arch_name_exe = arch_name+ "_64"
$ else
$ arch_name_exe = arch_name
$ endif
$!
$! Derive the OpenSSL installation device:[directory] from the location
$! of this command procedure.
$!
$ proc = f$environment( "procedure")
$ proc_dev_dir = f$parse( "A.;", proc, , , "no_conceal") - "A.;"
$ proc_dev = f$parse( proc_dev_dir, , , "device", "syntax_only")
$ proc_dir = f$parse( proc_dev_dir, , , "directory", "syntax_only") - -
".][000000"- "[000000."- "]["- "["- "]"
$ proc_dev_dir = proc_dev+ "["+ proc_dir+ "]"
$ set default 'proc_dev_dir'
$ set default [-]
$ ossl_dev_dir = f$environment( "default")
$!
$! Check existence of expected directories (to see if this procedure has
$! been moved away from its proper place).
$!
$ if ((f$search( "certs.dir;1") .eqs. "") .or. -
(f$search( "include.dir;1") .eqs. "") .or. -
(f$search( "private.dir;1") .eqs. "") .or. -
(f$search( "vms.dir;1") .eqs. ""))
$ then
$ write sys$output -
" Can't find expected common OpenSSL directories in:"
$ write sys$output " ''ossl_dev_dir'"
$ status = rms_e_fnf
$ goto clean_up
$ endif
$!
$ if ((f$search( "''arch_name_exe'_exe.dir;1") .eqs. "") .or. -
(f$search( "''arch_name'_lib.dir;1") .eqs. ""))
$ then
$ write sys$output -
" Can't find expected architecture-specific OpenSSL directories in:"
$ write sys$output " ''ossl_dev_dir'"
$ status = rms_e_fnf
$ goto clean_up
$ endif
$!
$! All seems well (enough). Define the OpenSSL logical names.
$!
$ ossl_root = ossl_dev_dir- "]"+ ".]"
$ define /translation_attributes = concealed /nolog'p1 SSLROOT 'ossl_root'
$ define /nolog 'p1' SSLCERTS sslroot:[certs]
$ define /nolog 'p1' SSLINCLUDE sslroot:[include]
$ define /nolog 'p1' SSLPRIVATE sslroot:[private]
$ define /nolog 'p1' SSLEXE sslroot:['arch_name_exe'_exe]
$ define /nolog 'p1' SSLLIB sslroot:['arch_name'_lib]
$!
$! Defining OPENSSL lets a C program use "#include <openssl/{foo}.h>":
$ define /nolog 'p1' OPENSSL SSLINCLUDE:
$!
$! Run a site-specific procedure, if it exists.
$!
$ if f$search( "sslroot:[vms]openssl_systartup.com") .nes."" then -
@ sslroot:[vms]openssl_systartup.com
$!
$! Restore the original default dev:[dir] (if known).
$!
$ clean_up:
$!
$ if (f$type( orig_dev_dir) .nes. "")
$ then
$ set default 'orig_dev_dir'
$ endif
$!
$ EXIT 'status'
$!

20
VMS/openssl_undo.com Executable file
View File

@ -0,0 +1,20 @@
$!
$! Deassign OpenSSL logical names.
$!
$ call deass "OPENSSL" "''p1'"
$ call deass "SSLCERTS" "''p1'"
$ call deass "SSLEXE" "''p1'"
$ call deass "SSLINCLUDE" "''p1'"
$ call deass "SSLLIB" "''p1'"
$ call deass "SSLPRIVATE" "''p1'"
$ call deass "SSLROOT" "''p1'"
$!
$ exit
$!
$deass: subroutine
$ if (f$trnlnm( p1) .nes. "")
$ then
$ deassign 'p2' 'p1'
$ endif
$ endsubroutine
$!

46
VMS/openssl_utils.com Normal file
View File

@ -0,0 +1,46 @@
$!
$! APPS.COM
$! Written By: Robert Byer
$! Vice-President
$! A-Com Computing, Inc.
$! byer@mail.all-net.net
$!
$!
$! Slightly modified by Richard Levitte <richard@levitte.org>
$!
$!
$! Always define OPENSSL. Others are optional (non-null P1).
$!
$ OPENSSL :== $SSLEXE:OPENSSL
$
$ IF (P1 .NES. "")
$ THEN
$ VERIFY :== $SSLEXE:OPENSSL VERIFY
$ ASN1PARSE:== $SSLEXE:OPENSSL ASN1PARS
$! REQ could conflict with REQUEST.
$ OREQ :== $SSLEXE:OPENSSL REQ
$ DGST :== $SSLEXE:OPENSSL DGST
$ DH :== $SSLEXE:OPENSSL DH
$ ENC :== $SSLEXE:OPENSSL ENC
$ GENDH :== $SSLEXE:OPENSSL GENDH
$ ERRSTR :== $SSLEXE:OPENSSL ERRSTR
$ CA :== $SSLEXE:OPENSSL CA
$ CRL :== $SSLEXE:OPENSSL CRL
$ RSA :== $SSLEXE:OPENSSL RSA
$ DSA :== $SSLEXE:OPENSSL DSA
$ DSAPARAM :== $SSLEXE:OPENSSL DSAPARAM
$ X509 :== $SSLEXE:OPENSSL X509
$ GENRSA :== $SSLEXE:OPENSSL GENRSA
$ GENDSA :== $SSLEXE:OPENSSL GENDSA
$ S_SERVER :== $SSLEXE:OPENSSL S_SERVER
$ S_CLIENT :== $SSLEXE:OPENSSL S_CLIENT
$ SPEED :== $SSLEXE:OPENSSL SPEED
$ S_TIME :== $SSLEXE:OPENSSL S_TIME
$ VERSION :== $SSLEXE:OPENSSL VERSION
$ PKCS7 :== $SSLEXE:OPENSSL PKCS7
$ CRL2PKCS7:== $SSLEXE:OPENSSL CRL2P7
$ SESS_ID :== $SSLEXE:OPENSSL SESS_ID
$ CIPHERS :== $SSLEXE:OPENSSL CIPHERS
$ NSEQ :== $SSLEXE:OPENSSL NSEQ
$ PKCS12 :== $SSLEXE:OPENSSL PKCS12
$ ENDIF

1
VMS/socketshr_shr.opt Normal file
View File

@ -0,0 +1 @@
socketshr/share

1
VMS/tcpip_shr_decc.opt Normal file
View File

@ -0,0 +1 @@
sys$share:tcpip$ipc_shr.exe/share

28
VMS/test-includes.com Normal file
View File

@ -0,0 +1,28 @@
$! Quick script to check how well including individual header files works
$! on VMS, even when the VMS macro isn't defined.
$
$ sav_def = f$env("DEFAULT")
$ here = f$parse("A.;0",f$ENV("PROCEDURE")) - "A.;0"
$ set default 'here'
$ set default [-.include.openssl]
$ define openssl 'f$env("DEFAULT")'
$ set default [--]
$
$ loop:
$ f = f$search("openssl:*.h")
$ if f .eqs. "" then goto loop_end
$ write sys$output "Checking ",f
$ open/write foo foo.c
$ write foo "#undef VMS"
$ write foo "#include <stdio.h>"
$ write foo "#include <openssl/",f$parse(f,,,"NAME"),".h>"
$ write foo "main()"
$ write foo "{printf(""foo\n"");}"
$ close foo
$ cc/STANDARD=ANSI89/NOLIST/PREFIX=ALL foo.c
$ delete foo.c;
$ goto loop
$ loop_end:
$ set default 'save_def'
$ exit

1
VMS/ucx_shr_decc.opt Normal file
View File

@ -0,0 +1 @@
sys$share:ucx$ipc_shr.exe/share

1
VMS/ucx_shr_decc_log.opt Normal file
View File

@ -0,0 +1 @@
ucx$ipc_shr/share

1
VMS/ucx_shr_vaxc.opt Normal file
View File

@ -0,0 +1 @@
sys$library:ucx$ipc.olb/library

236
apps/CA.com Normal file
View File

@ -0,0 +1,236 @@
$! CA - wrapper around ca to make it easier to use ... basically ca requires
$! some setup stuff to be done before you can use it and this makes
$! things easier between now and when Eric is convinced to fix it :-)
$!
$! CA -newca ... will setup the right stuff
$! CA -newreq ... will generate a certificate request
$! CA -sign ... will sign the generated request and output
$!
$! At the end of that grab newreq.pem and newcert.pem (one has the key
$! and the other the certificate) and cat them together and that is what
$! you want/need ... I'll make even this a little cleaner later.
$!
$!
$! 12-Jan-96 tjh Added more things ... including CA -signcert which
$! converts a certificate to a request and then signs it.
$! 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
$! environment variable so this can be driven from
$! a script.
$! 25-Jul-96 eay Cleaned up filenames some more.
$! 11-Jun-96 eay Fixed a few filename missmatches.
$! 03-May-96 eay Modified to use 'openssl cmd' instead of 'cmd'.
$! 18-Apr-96 tjh Original hacking
$!
$! Tim Hudson
$! tjh@cryptsoft.com
$!
$!
$! default ssleay.cnf file has setup as per the following
$! demoCA ... where everything is stored
$
$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
$
$ DAYS = "-days 365"
$ REQ = openssl + " req " + SSLEAY_CONFIG
$ CA = openssl + " ca " + SSLEAY_CONFIG
$ VERIFY = openssl + " verify"
$ X509 = openssl + " x509"
$ PKCS12 = openssl + " pkcs12"
$ echo = "write sys$Output"
$ RET = 1
$!
$! 2010-12-20 SMS.
$! Use a concealed logical name to reduce command line lengths, to
$! avoid DCL errors on VAX:
$! %DCL-W-TKNOVF, command element is too long - shorten
$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
$! quickly.)
$!
$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
$ define /translation_attributes = concealed CATOP 'CATOP'
$!
$ on error then goto clean_up
$ on control_y then goto clean_up
$!
$ CAKEY = "CATOP:[private]cakey.pem"
$ CACERT = "CATOP:[000000]cacert.pem"
$
$ __INPUT := SYS$COMMAND
$!
$ i = 1
$opt_loop:
$ if i .gt. 8 then goto opt_loop_end
$
$ prog_opt = F$EDIT(P'i',"lowercase")
$
$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help")
$ THEN
$ echo "usage: CA -newcert|-newreq|-newca|-sign|-verify"
$ goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-input")
$ THEN
$ ! Get input from somewhere other than SYS$COMMAND
$ i = i + 1
$ __INPUT = P'i'
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newcert")
$ THEN
$ ! Create a certificate.
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
$ RET=$STATUS
$ echo "Certificate (and private key) is in newreq.pem"
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newreq")
$ THEN
$ ! Create a certificate request
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
$ RET=$STATUS
$ echo "Request (and private key) is in newreq.pem"
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-newca")
$ THEN
$ ! If explicitly asked for or it doesn't exist then setup the directory
$ ! structure that Eric likes to manage things.
$ IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
$ THEN
$ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
$ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
$ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
$ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
$ CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
$
$ OPEN /WRITE ser_file CATOP:[000000]serial.
$ WRITE ser_file "01"
$ CLOSE ser_file
$ APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
$
$ ! The following is to make sure access() doesn't get confused. It
$ ! really needs one file in the directory to give correct answers...
$ COPY NLA0: CATOP:[certs].;
$ COPY NLA0: CATOP:[crl].;
$ COPY NLA0: CATOP:[newcerts].;
$ COPY NLA0: CATOP:[private].;
$ ENDIF
$!
$ IF F$SEARCH( CAKEY) .EQS. ""
$ THEN
$ READ '__INPUT' FILE -
/PROMPT="CA certificate filename (or enter to create): "
$ IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
$ THEN
$ COPY 'FILE' 'CAKEY'
$ RET=$STATUS
$ ELSE
$ echo "Making CA certificate ..."
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
$ RET=$STATUS
$ ENDIF
$ ENDIF
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-pkcs12")
$ THEN
$ i = i + 1
$ cname = P'i'
$ IF cname .EQS. "" THEN cname = "My certificate"
$ PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
-out newcert.p12 -export -name "''cname'"
$ RET=$STATUS
$ goto clean_up
$ ENDIF
$!
$ IF (prog_opt .EQS. "-xsign")
$ THEN
$!
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ CA -policy policy_anything -infiles newreq.pem
$ RET=$STATUS
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
$ THEN
$!
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ CA -policy policy_anything -out newcert.pem -infiles newreq.pem
$ RET=$STATUS
$ type newcert.pem
$ echo "Signed certificate is in newcert.pem"
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-signcert")
$ THEN
$!
$ echo "Cert passphrase will be requested twice - bug?"
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ CA -policy policy_anything -out newcert.pem -infiles tmp.pem
y
y
$ type newcert.pem
$ echo "Signed certificate is in newcert.pem"
$ GOTO opt_loop_continue
$ ENDIF
$!
$ IF (prog_opt .EQS. "-verify")
$ THEN
$!
$ i = i + 1
$ IF (p'i' .EQS. "")
$ THEN
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ VERIFY "-CAfile" 'CACERT' newcert.pem
$ ELSE
$ j = i
$ verify_opt_loop:
$ IF j .GT. 8 THEN GOTO verify_opt_loop_end
$ IF p'j' .NES. ""
$ THEN
$ DEFINE /USER_MODE SYS$INPUT '__INPUT'
$ __tmp = p'j'
$ VERIFY "-CAfile" 'CACERT' '__tmp'
$ tmp=$STATUS
$ IF tmp .NE. 0 THEN RET=tmp
$ ENDIF
$ j = j + 1
$ GOTO verify_opt_loop
$ verify_opt_loop_end:
$ ENDIF
$
$ GOTO opt_loop_end
$ ENDIF
$!
$ IF (prog_opt .NES. "")
$ THEN
$!
$ echo "Unknown argument ''prog_opt'"
$ RET = 3
$ goto clean_up
$ ENDIF
$
$opt_loop_continue:
$ i = i + 1
$ GOTO opt_loop
$
$opt_loop_end:
$!
$clean_up:
$!
$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
deassign /process CATOP
$!
$ EXIT 'RET'

188
apps/CA.pl Normal file
View File

@ -0,0 +1,188 @@
#!/usr/local/bin/perl
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq[-nodes] ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# 27-Apr-98 snh Translation into perl, fix existing CA bug.
#
#
# Steve Henson
# shenson@bigfoot.com
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
my $openssl;
if(defined $ENV{OPENSSL}) {
$openssl = $ENV{OPENSSL};
} else {
$openssl = "openssl";
$ENV{OPENSSL} = $openssl;
}
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 365"; # 1 year
$CADAYS="-days 1095"; # 3 years
$REQ="$openssl req $SSLEAY_CONFIG";
$CA="$openssl ca $SSLEAY_CONFIG";
$VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
$DIRMODE = 0777;
$RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
$RET=$?;
print "Certificate is in newcert.pem, private key is in newkey.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newreq-nodes$/) {
# create a certificate request
system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newca$/) {
# if explicitly asked for or it doesn't exist then setup the
# directory structure that Eric likes to manage things
$NEW="1";
if ( "$NEW" || ! -f "${CATOP}/serial" ) {
# create the directory hierarchy
mkdir $CATOP, $DIRMODE;
mkdir "${CATOP}/certs", $DIRMODE;
mkdir "${CATOP}/crl", $DIRMODE ;
mkdir "${CATOP}/newcerts", $DIRMODE;
mkdir "${CATOP}/private", $DIRMODE;
open OUT, ">${CATOP}/index.txt";
close OUT;
open OUT, ">${CATOP}/crlnumber";
print OUT "01\n";
close OUT;
}
if ( ! -f "${CATOP}/private/$CAKEY" ) {
print "CA certificate filename (or enter to create)\n";
$FILE = <STDIN>;
chop $FILE;
# ask user for existing CA certificate
if ($FILE) {
cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
$RET=$?;
} else {
print "Making CA certificate ...\n";
system ("$REQ -new -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
system ("$CA -create_serial " .
"-out ${CATOP}/$CACERT $CADAYS -batch " .
"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
"-extensions v3_ca " .
"-infiles ${CATOP}/$CAREQ ");
$RET=$?;
}
}
} elsif (/^-pkcs12$/) {
my $cname = $ARGV[1];
$cname = "My Certificate" unless defined $cname;
system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
"-export -name \"$cname\"");
$RET=$?;
print "PKCS #12 file is in newcert.p12\n";
exit $RET;
} elsif (/^-xsign$/) {
system ("$CA -policy policy_anything -infiles newreq.pem");
$RET=$?;
} elsif (/^(-sign|-signreq)$/) {
system ("$CA -policy policy_anything -out newcert.pem " .
"-infiles newreq.pem");
$RET=$?;
print "Signed certificate is in newcert.pem\n";
} elsif (/^(-signCA)$/) {
system ("$CA -policy policy_anything -out newcert.pem " .
"-extensions v3_ca -infiles newreq.pem");
$RET=$?;
print "Signed CA certificate is in newcert.pem\n";
} elsif (/^-signcert$/) {
system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
"-out tmp.pem");
system ("$CA -policy policy_anything -out newcert.pem " .
"-infiles tmp.pem");
$RET = $?;
print "Signed certificate is in newcert.pem\n";
} elsif (/^-verify$/) {
if (shift) {
foreach $j (@ARGV) {
system ("$VERIFY -CAfile $CATOP/$CACERT $j");
$RET=$? if ($? != 0);
}
exit $RET;
} else {
system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
$RET=$?;
exit 0;
}
} else {
print STDERR "Unknown arg $_\n";
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
exit 1;
}
}
exit $RET;
sub cp_pem {
my ($infile, $outfile, $bound) = @_;
open IN, $infile;
open OUT, ">$outfile";
my $flag = 0;
while (<IN>) {
$flag = 1 if (/^-----BEGIN.*$bound/) ;
print OUT $_ if ($flag);
if (/^-----END.*$bound/) {
close IN;
close OUT;
return;
}
}
}

188
apps/CA.pl.in Normal file
View File

@ -0,0 +1,188 @@
#!/usr/local/bin/perl
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq[-nodes] ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# 27-Apr-98 snh Translation into perl, fix existing CA bug.
#
#
# Steve Henson
# shenson@bigfoot.com
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
my $openssl;
if(defined $ENV{OPENSSL}) {
$openssl = $ENV{OPENSSL};
} else {
$openssl = "openssl";
$ENV{OPENSSL} = $openssl;
}
$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
$DAYS="-days 365"; # 1 year
$CADAYS="-days 1095"; # 3 years
$REQ="$openssl req $SSLEAY_CONFIG";
$CA="$openssl ca $SSLEAY_CONFIG";
$VERIFY="$openssl verify";
$X509="$openssl x509";
$PKCS12="$openssl pkcs12";
$CATOP="./demoCA";
$CAKEY="cakey.pem";
$CAREQ="careq.pem";
$CACERT="cacert.pem";
$DIRMODE = 0777;
$RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
$RET=$?;
print "Certificate is in newcert.pem, private key is in newkey.pem\n"
} elsif (/^-newreq$/) {
# create a certificate request
system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newreq-nodes$/) {
# create a certificate request
system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
$RET=$?;
print "Request is in newreq.pem, private key is in newkey.pem\n";
} elsif (/^-newca$/) {
# if explicitly asked for or it doesn't exist then setup the
# directory structure that Eric likes to manage things
$NEW="1";
if ( "$NEW" || ! -f "${CATOP}/serial" ) {
# create the directory hierarchy
mkdir $CATOP, $DIRMODE;
mkdir "${CATOP}/certs", $DIRMODE;
mkdir "${CATOP}/crl", $DIRMODE ;
mkdir "${CATOP}/newcerts", $DIRMODE;
mkdir "${CATOP}/private", $DIRMODE;
open OUT, ">${CATOP}/index.txt";
close OUT;
open OUT, ">${CATOP}/crlnumber";
print OUT "01\n";
close OUT;
}
if ( ! -f "${CATOP}/private/$CAKEY" ) {
print "CA certificate filename (or enter to create)\n";
$FILE = <STDIN>;
chop $FILE;
# ask user for existing CA certificate
if ($FILE) {
cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
$RET=$?;
} else {
print "Making CA certificate ...\n";
system ("$REQ -new -keyout " .
"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
system ("$CA -create_serial " .
"-out ${CATOP}/$CACERT $CADAYS -batch " .
"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
"-extensions v3_ca " .
"-infiles ${CATOP}/$CAREQ ");
$RET=$?;
}
}
} elsif (/^-pkcs12$/) {
my $cname = $ARGV[1];
$cname = "My Certificate" unless defined $cname;
system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
"-export -name \"$cname\"");
$RET=$?;
print "PKCS #12 file is in newcert.p12\n";
exit $RET;
} elsif (/^-xsign$/) {
system ("$CA -policy policy_anything -infiles newreq.pem");
$RET=$?;
} elsif (/^(-sign|-signreq)$/) {
system ("$CA -policy policy_anything -out newcert.pem " .
"-infiles newreq.pem");
$RET=$?;
print "Signed certificate is in newcert.pem\n";
} elsif (/^(-signCA)$/) {
system ("$CA -policy policy_anything -out newcert.pem " .
"-extensions v3_ca -infiles newreq.pem");
$RET=$?;
print "Signed CA certificate is in newcert.pem\n";
} elsif (/^-signcert$/) {
system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
"-out tmp.pem");
system ("$CA -policy policy_anything -out newcert.pem " .
"-infiles tmp.pem");
$RET = $?;
print "Signed certificate is in newcert.pem\n";
} elsif (/^-verify$/) {
if (shift) {
foreach $j (@ARGV) {
system ("$VERIFY -CAfile $CATOP/$CACERT $j");
$RET=$? if ($? != 0);
}
exit $RET;
} else {
system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
$RET=$?;
exit 0;
}
} else {
print STDERR "Unknown arg $_\n";
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
exit 1;
}
}
exit $RET;
sub cp_pem {
my ($infile, $outfile, $bound) = @_;
open IN, $infile;
open OUT, ">$outfile";
my $flag = 0;
while (<IN>) {
$flag = 1 if (/^-----BEGIN.*$bound/) ;
print OUT $_ if ($flag);
if (/^-----END.*$bound/) {
close IN;
close OUT;
return;
}
}
}

198
apps/CA.sh Normal file
View File

@ -0,0 +1,198 @@
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
# some setup stuff to be done before you can use it and this makes
# things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh Added more things ... including CA -signcert which
# converts a certificate to a request and then signs it.
# 10-Jan-96 eay Fixed a few more bugs and added the SSLEAY_CONFIG
# environment variable so this can be driven from
# a script.
# 25-Jul-96 eay Cleaned up filenames some more.
# 11-Jun-96 eay Fixed a few filename missmatches.
# 03-May-96 eay Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#
# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
cp_pem() {
infile=$1
outfile=$2
bound=$3
flag=0
exec <$infile;
while read line; do
if [ $flag -eq 1 ]; then
echo $line|grep "^-----END.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ] ; then
echo $line >>$outfile
break
else
echo $line >>$outfile
fi
fi
echo $line|grep "^-----BEGIN.*$bound" 2>/dev/null 1>/dev/null
if [ $? -eq 0 ]; then
echo $line >$outfile
flag=1
fi
done
}
usage() {
echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
}
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi # 1 year
CADAYS="-days 1095" # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
PKCS12="openssl pkcs12"
if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem
RET=0
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
usage
exit 0
;;
-newcert)
# create a certificate
$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
RET=$?
echo "Certificate is in newcert.pem, private key is in newkey.pem"
;;
-newreq)
# create a certificate request
$REQ -new -keyout newkey.pem -out newreq.pem $DAYS
RET=$?
echo "Request is in newreq.pem, private key is in newkey.pem"
;;
-newreq-nodes)
# create a certificate request
$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
RET=$?
echo "Request (and private key) is in newreq.pem"
;;
-newca)
# if explicitly asked for or it doesn't exist then setup the directory
# structure that Eric likes to manage things
NEW="1"
if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
# create the directory hierarchy
mkdir -p ${CATOP}
mkdir -p ${CATOP}/certs
mkdir -p ${CATOP}/crl
mkdir -p ${CATOP}/newcerts
mkdir -p ${CATOP}/private
touch ${CATOP}/index.txt
fi
if [ ! -f ${CATOP}/private/$CAKEY ]; then
echo "CA certificate filename (or enter to create)"
read FILE
# ask user for existing CA certificate
if [ "$FILE" ]; then
cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
RET=$?
if [ ! -f "${CATOP}/serial" ]; then
$X509 -in ${CATOP}/$CACERT -noout -next_serial \
-out ${CATOP}/serial
fi
else
echo "Making CA certificate ..."
$REQ -new -keyout ${CATOP}/private/$CAKEY \
-out ${CATOP}/$CAREQ
$CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-keyfile ${CATOP}/private/$CAKEY -selfsign \
-extensions v3_ca \
-infiles ${CATOP}/$CAREQ
RET=$?
fi
fi
;;
-xsign)
$CA -policy policy_anything -infiles newreq.pem
RET=$?
;;
-pkcs12)
if [ -z "$2" ] ; then
CNAME="My Certificate"
else
CNAME="$2"
fi
$PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-out newcert.p12 -export -name "$CNAME"
RET=$?
exit $RET
;;
-sign|-signreq)
$CA -policy policy_anything -out newcert.pem -infiles newreq.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-signCA)
$CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
RET=$?
echo "Signed CA certificate is in newcert.pem"
;;
-signcert)
echo "Cert passphrase will be requested twice - bug?"
$X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
$CA -policy policy_anything -out newcert.pem -infiles tmp.pem
RET=$?
cat newcert.pem
echo "Signed certificate is in newcert.pem"
;;
-verify)
shift
if [ -z "$1" ]; then
$VERIFY -CAfile $CATOP/$CACERT newcert.pem
RET=$?
else
for j
do
$VERIFY -CAfile $CATOP/$CACERT $j
if [ $? != 0 ]; then
RET=$?
fi
done
fi
exit $RET
;;
*)
echo "Unknown arg $i" >&2
usage
exit 1
;;
esac
shift
done
exit $RET

1059
apps/Makefile Normal file
View File

File diff suppressed because it is too large Load Diff

217
apps/app_rand.c Normal file
View File

@ -0,0 +1,217 @@
/* apps/app_rand.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#define NON_MAIN
#include "apps.h"
#undef NON_MAIN
#include <openssl/bio.h>
#include <openssl/rand.h>
static int seeded = 0;
static int egdsocket = 0;
int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
{
int consider_randfile = (file == NULL);
char buffer[200];
#ifdef OPENSSL_SYS_WINDOWS
RAND_screen();
#endif
if (file == NULL)
file = RAND_file_name(buffer, sizeof(buffer));
else if (RAND_egd(file) > 0) {
/*
* we try if the given filename is an EGD socket. if it is, we don't
* write anything back to the file.
*/
egdsocket = 1;
return 1;
}
if (file == NULL || !RAND_load_file(file, -1)) {
if (RAND_status() == 0) {
if (!dont_warn) {
BIO_printf(bio_e, "unable to load 'random state'\n");
BIO_printf(bio_e,
"This means that the random number generator has not been seeded\n");
BIO_printf(bio_e, "with much random data.\n");
if (consider_randfile) { /* explanation does not apply when a
* file is explicitly named */
BIO_printf(bio_e,
"Consider setting the RANDFILE environment variable to point at a file that\n");
BIO_printf(bio_e,
"'random' data can be kept in (the file will be overwritten).\n");
}
}
return 0;
}
}
seeded = 1;
return 1;
}
long app_RAND_load_files(char *name)
{
char *p, *n;
int last;
long tot = 0;
int egd;
for (;;) {
last = 0;
for (p = name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++) ;
if (*p == '\0')
last = 1;
*p = '\0';
n = name;
name = p + 1;
if (*n == '\0')
break;
egd = RAND_egd(n);
if (egd > 0)
tot += egd;
else
tot += RAND_load_file(n, -1);
if (last)
break;
}
if (tot > 512)
app_RAND_allow_write_file();
return (tot);
}
int app_RAND_write_file(const char *file, BIO *bio_e)
{
char buffer[200];
if (egdsocket || !seeded)
/*
* If we did not manage to read the seed file, we should not write a
* low-entropy seed file back -- it would suppress a crucial warning
* the next time we want to use it.
*/
return 0;
if (file == NULL)
file = RAND_file_name(buffer, sizeof(buffer));
if (file == NULL || !RAND_write_file(file)) {
BIO_printf(bio_e, "unable to write 'random state'\n");
return 0;
}
return 1;
}
void app_RAND_allow_write_file(void)
{
seeded = 1;
}

3284
apps/apps.c Normal file
View File

File diff suppressed because it is too large Load Diff

389
apps/apps.h Normal file
View File

@ -0,0 +1,389 @@
/* apps/apps.h */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_APPS_H
# define HEADER_APPS_H
# include "e_os.h"
# include <openssl/bio.h>
# include <openssl/x509.h>
# include <openssl/lhash.h>
# include <openssl/conf.h>
# include <openssl/txt_db.h>
# ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
# endif
# ifndef OPENSSL_NO_OCSP
# include <openssl/ocsp.h>
# endif
# include <openssl/ossl_typ.h>
int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
int app_RAND_write_file(const char *file, BIO *bio_e);
/*
* When `file' is NULL, use defaults. `bio_e' is for error messages.
*/
void app_RAND_allow_write_file(void);
long app_RAND_load_files(char *file); /* `file' is a list of files to read,
* separated by LIST_SEPARATOR_CHAR
* (see e_os.h). The string is
* destroyed! */
# ifndef MONOLITH
# define MAIN(a,v) main(a,v)
# ifndef NON_MAIN
CONF *config = NULL;
BIO *bio_err = NULL;
# else
extern CONF *config;
extern BIO *bio_err;
# endif
# else
# define MAIN(a,v) PROG(a,v)
extern CONF *config;
extern char *default_config_file;
extern BIO *bio_err;
# endif
# ifndef OPENSSL_SYS_NETWARE
# include <signal.h>
# endif
# ifdef SIGPIPE
# define do_pipe_sig() signal(SIGPIPE,SIG_IGN)
# else
# define do_pipe_sig()
# endif
# ifdef OPENSSL_NO_COMP
# define zlib_cleanup()
# else
# define zlib_cleanup() COMP_zlib_cleanup()
# endif
# if defined(MONOLITH) && !defined(OPENSSL_C)
# define apps_startup() \
do_pipe_sig()
# define apps_shutdown()
# else
# ifndef OPENSSL_NO_ENGINE
# define apps_startup() \
do { do_pipe_sig(); CRYPTO_malloc_init(); \
ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
# define apps_shutdown() \
do { CONF_modules_unload(1); destroy_ui_method(); \
OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
RAND_cleanup(); \
ERR_free_strings(); zlib_cleanup();} while(0)
# else
# define apps_startup() \
do { do_pipe_sig(); CRYPTO_malloc_init(); \
ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
setup_ui_method(); } while(0)
# define apps_shutdown() \
do { CONF_modules_unload(1); destroy_ui_method(); \
OBJ_cleanup(); EVP_cleanup(); \
CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
RAND_cleanup(); \
ERR_free_strings(); zlib_cleanup(); } while(0)
# endif
# endif
# if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
# else
# define openssl_fdset(a,b) FD_SET(a, b)
# endif
typedef struct args_st {
char **data;
int count;
} ARGS;
# define PW_MIN_LENGTH 4
typedef struct pw_cb_data {
const void *password;
const char *prompt_info;
} PW_CB_DATA;
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
int setup_ui_method(void);
void destroy_ui_method(void);
int should_retry(int i);
int args_from_file(char *file, int *argc, char **argv[]);
int str2fmt(char *s);
void program_name(char *in, char *out, int size);
int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]);
# ifdef HEADER_X509_H
int dump_cert_text(BIO *out, X509 *x);
void print_name(BIO *out, const char *title, X509_NAME *nm,
unsigned long lflags);
# endif
int set_cert_ex(unsigned long *flags, const char *arg);
int set_name_ex(unsigned long *flags, const char *arg);
int set_ext_copy(int *copy_type, const char *arg);
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
int add_oid_section(BIO *err, CONF *conf);
X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip);
X509_CRL *load_crl(const char *infile, int format);
int load_cert_crl_http(const char *url, BIO *err,
X509 **pcert, X509_CRL **pcrl);
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip);
EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip);
STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
const char *pass, ENGINE *e,
const char *cert_descrip);
STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
const char *pass, ENGINE *e,
const char *cert_descrip);
X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
ENGINE *setup_engine(BIO *err, const char *engine, int debug);
void release_engine(ENGINE *e);
# ifndef OPENSSL_NO_OCSP
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
const char *host, const char *path,
const char *port, int use_ssl,
const STACK_OF(CONF_VALUE) *headers,
int req_timeout);
# endif
int load_config(BIO *err, CONF *cnf);
char *make_config_name(void);
/* Functions defined in ca.c and also used in ocsp.c */
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
# define DB_type 0
# define DB_exp_date 1
# define DB_rev_date 2
# define DB_serial 3 /* index - unique */
# define DB_file 4
# define DB_name 5 /* index - unique when active and not
* disabled */
# define DB_NUMBER 6
# define DB_TYPE_REV 'R'
# define DB_TYPE_EXP 'E'
# define DB_TYPE_VAL 'V'
typedef struct db_attr_st {
int unique_subject;
} DB_ATTR;
typedef struct ca_db_st {
DB_ATTR attributes;
TXT_DB *db;
} CA_DB;
BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
ASN1_INTEGER **retai);
int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
int index_index(CA_DB *db);
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
int rotate_index(const char *dbfile, const char *new_suffix,
const char *old_suffix);
void free_index(CA_DB *db);
# define index_name_cmp_noconst(a, b) \
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
int parse_yesno(const char *str, int def);
X509_NAME *parse_name(char *str, long chtype, int multirdn);
int args_verify(char ***pargs, int *pargc,
int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
void policies_print(BIO *out, X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param);
int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts);
# ifndef OPENSSL_NO_PSK
extern char *psk_key;
# endif
# ifndef OPENSSL_NO_JPAKE
void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
# endif
# ifndef OPENSSL_NO_TLSEXT
unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
# endif /* ndef OPENSSL_NO_TLSEXT */
void print_cert_checks(BIO *bio, X509 *x,
const char *checkhost,
const char *checkemail, const char *checkip);
void store_setup_crl_download(X509_STORE *st);
# define FORMAT_UNDEF 0
# define FORMAT_ASN1 1
# define FORMAT_TEXT 2
# define FORMAT_PEM 3
# define FORMAT_NETSCAPE 4
# define FORMAT_PKCS12 5
# define FORMAT_SMIME 6
# define FORMAT_ENGINE 7
# define FORMAT_IISSGC 8 /* XXX this stupid macro helps us to avoid
* adding yet another param to load_*key() */
# define FORMAT_PEMRSA 9 /* PEM RSAPubicKey format */
# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
# define FORMAT_MSBLOB 11 /* MS Key blob format */
# define FORMAT_PVK 12 /* MS PVK file format */
# define FORMAT_HTTP 13 /* Download using HTTP */
# define EXT_COPY_NONE 0
# define EXT_COPY_ADD 1
# define EXT_COPY_ALL 2
# define NETSCAPE_CERT_HDR "certificate"
# define APP_PASS_LEN 1024
# define SERIAL_RAND_BITS 64
int app_isdir(const char *);
int fileno_stdin(void);
int fileno_stdout(void);
int raw_read_stdin(void *, int);
int raw_write_stdout(const void *, int);
# define TM_START 0
# define TM_STOP 1
double app_tminterval(int stop, int usertime);
# define OPENSSL_NO_SSL_INTERN
#endif

430
apps/asn1pars.c Normal file
View File

@ -0,0 +1,430 @@
/* apps/asn1pars.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/*
* A nice addition from Dr Stephen Henson <steve@openssl.org> to add the
* -strparse option which parses nested binary structures
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
/*-
* -inform arg - input format - default PEM (DER or PEM)
* -in arg - input file - default stdin
* -i - indent the details by depth
* -offset - where in the file to start
* -length - how many bytes to use
* -oid file - extra oid description file
*/
#undef PROG
#define PROG asn1parse_main
int MAIN(int, char **);
static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
int MAIN(int argc, char **argv)
{
int i, badops = 0, offset = 0, ret = 1, j;
unsigned int length = 0;
long num, tmplen;
BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
int informat, indent = 0, noout = 0, dump = 0;
char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile = NULL;
char *genstr = NULL, *genconf = NULL;
unsigned char *tmpbuf;
const unsigned char *ctmpbuf;
BUF_MEM *buf = NULL;
STACK_OF(OPENSSL_STRING) *osk = NULL;
ASN1_TYPE *at = NULL;
informat = FORMAT_PEM;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
prog = argv[0];
argc--;
argv++;
if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
derfile = *(++argv);
} else if (strcmp(*argv, "-i") == 0) {
indent = 1;
} else if (strcmp(*argv, "-noout") == 0)
noout = 1;
else if (strcmp(*argv, "-oid") == 0) {
if (--argc < 1)
goto bad;
oidfile = *(++argv);
} else if (strcmp(*argv, "-offset") == 0) {
if (--argc < 1)
goto bad;
offset = atoi(*(++argv));
} else if (strcmp(*argv, "-length") == 0) {
if (--argc < 1)
goto bad;
length = atoi(*(++argv));
if (length == 0)
goto bad;
} else if (strcmp(*argv, "-dump") == 0) {
dump = -1;
} else if (strcmp(*argv, "-dlimit") == 0) {
if (--argc < 1)
goto bad;
dump = atoi(*(++argv));
if (dump <= 0)
goto bad;
} else if (strcmp(*argv, "-strparse") == 0) {
if (--argc < 1)
goto bad;
sk_OPENSSL_STRING_push(osk, *(++argv));
} else if (strcmp(*argv, "-genstr") == 0) {
if (--argc < 1)
goto bad;
genstr = *(++argv);
} else if (strcmp(*argv, "-genconf") == 0) {
if (--argc < 1)
goto bad;
genconf = *(++argv);
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err,
" -out arg output file (output format is always DER\n");
BIO_printf(bio_err, " -noout arg don't produce any output\n");
BIO_printf(bio_err, " -offset arg offset into file\n");
BIO_printf(bio_err, " -length arg length of section in file\n");
BIO_printf(bio_err, " -i indent entries\n");
BIO_printf(bio_err, " -dump dump unknown data in hex form\n");
BIO_printf(bio_err,
" -dlimit arg dump the first arg bytes of unknown data in hex form\n");
BIO_printf(bio_err, " -oid file file of extra oid definitions\n");
BIO_printf(bio_err, " -strparse offset\n");
BIO_printf(bio_err,
" a series of these can be used to 'dig' into multiple\n");
BIO_printf(bio_err, " ASN1 blob wrappings\n");
BIO_printf(bio_err,
" -genstr str string to generate ASN1 structure from\n");
BIO_printf(bio_err,
" -genconf file file to generate ASN1 structure from\n");
goto end;
}
ERR_load_crypto_strings();
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
if (oidfile != NULL) {
if (BIO_read_filename(in, oidfile) <= 0) {
BIO_printf(bio_err, "problems opening %s\n", oidfile);
ERR_print_errors(bio_err);
goto end;
}
OBJ_create_objects(in);
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (derfile) {
if (!(derout = BIO_new_file(derfile, "wb"))) {
BIO_printf(bio_err, "problems opening %s\n", derfile);
ERR_print_errors(bio_err);
goto end;
}
}
if ((buf = BUF_MEM_new()) == NULL)
goto end;
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
if (genstr || genconf) {
num = do_generate(bio_err, genstr, genconf, buf);
if (num < 0) {
ERR_print_errors(bio_err);
goto end;
}
}
else {
if (informat == FORMAT_PEM) {
BIO *tmp;
if ((b64 = BIO_new(BIO_f_base64())) == NULL)
goto end;
BIO_push(b64, in);
tmp = in;
in = b64;
b64 = tmp;
}
num = 0;
for (;;) {
if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
goto end;
i = BIO_read(in, &(buf->data[num]), BUFSIZ);
if (i <= 0)
break;
num += i;
}
}
str = buf->data;
/* If any structs to parse go through in sequence */
if (sk_OPENSSL_STRING_num(osk)) {
tmpbuf = (unsigned char *)str;
tmplen = num;
for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) {
ASN1_TYPE *atmp;
int typ;
j = atoi(sk_OPENSSL_STRING_value(osk, i));
if (j <= 0 || j >= tmplen) {
BIO_printf(bio_err, "'%s' is an invalid number\n",
sk_OPENSSL_STRING_value(osk, i));
continue;
}
tmpbuf += j;
tmplen -= j;
atmp = at;
ctmpbuf = tmpbuf;
at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
ASN1_TYPE_free(atmp);
if (!at) {
BIO_printf(bio_err, "Error parsing structure\n");
ERR_print_errors(bio_err);
goto end;
}
typ = ASN1_TYPE_get(at);
if ((typ == V_ASN1_OBJECT)
|| (typ == V_ASN1_BOOLEAN)
|| (typ == V_ASN1_NULL)) {
BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
ERR_print_errors(bio_err);
goto end;
}
/* hmm... this is a little evil but it works */
tmpbuf = at->value.asn1_string->data;
tmplen = at->value.asn1_string->length;
}
str = (char *)tmpbuf;
num = tmplen;
}
if (offset < 0 || offset >= num) {
BIO_printf(bio_err, "Error: offset out of range\n");
goto end;
}
num -= offset;
if (length == 0 || length > (unsigned int)num)
length = (unsigned int)num;
if (derout) {
if (BIO_write(derout, str + offset, length) != (int)length) {
BIO_printf(bio_err, "Error writing output\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (!noout &&
!ASN1_parse_dump(out, (unsigned char *)&(str[offset]), length,
indent, dump)) {
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
BIO_free(derout);
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (b64 != NULL)
BIO_free(b64);
if (ret != 0)
ERR_print_errors(bio_err);
if (buf != NULL)
BUF_MEM_free(buf);
if (at != NULL)
ASN1_TYPE_free(at);
if (osk != NULL)
sk_OPENSSL_STRING_free(osk);
OBJ_cleanup();
apps_shutdown();
OPENSSL_EXIT(ret);
}
static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
{
CONF *cnf = NULL;
int len;
long errline = 0;
unsigned char *p;
ASN1_TYPE *atyp = NULL;
if (genconf) {
cnf = NCONF_new(NULL);
if (!NCONF_load(cnf, genconf, &errline))
goto conferr;
if (!genstr)
genstr = NCONF_get_string(cnf, "default", "asn1");
if (!genstr) {
BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
goto err;
}
}
atyp = ASN1_generate_nconf(genstr, cnf);
NCONF_free(cnf);
cnf = NULL;
if (!atyp)
return -1;
len = i2d_ASN1_TYPE(atyp, NULL);
if (len <= 0)
goto err;
if (!BUF_MEM_grow(buf, len))
goto err;
p = (unsigned char *)buf->data;
i2d_ASN1_TYPE(atyp, &p);
ASN1_TYPE_free(atyp);
return len;
conferr:
if (errline > 0)
BIO_printf(bio, "Error on line %ld of config file '%s'\n",
errline, genconf);
else
BIO_printf(bio, "Error loading config file '%s'\n", genconf);
err:
NCONF_free(cnf);
ASN1_TYPE_free(atyp);
return -1;
}

1
apps/ca-cert.srl Normal file
View File

@ -0,0 +1 @@
07

15
apps/ca-key.pem Normal file
View File

@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-----END RSA PRIVATE KEY-----

11
apps/ca-req.pem Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
-----END CERTIFICATE REQUEST-----

2941
apps/ca.c Normal file
View File

File diff suppressed because it is too large Load Diff

11
apps/cert.pem Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN CERTIFICATE-----
MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD
VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa
Fw05NzEwMDkwMzQxMjZaMF4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMT
DkVyaWMgdGhlIFlvdW5nMFEwCQYFKw4DAgwFAANEAAJBALVEqPODnpI4rShlY8S7
tB713JNvabvn6Gned7zylwLLiXQAo/PAT6mfdWPTyCX9RlId/Aroh1ou893BA32Q
sggwDQYJKoZIhvcNAQEEBQADQQCU5SSgapJSdRXJoX+CpCvFy+JVh9HpSjCpSNKO
19raHv98hKAUJuP9HyM+SUsffO6mAIgitUaqW8/wDMePhEC3
-----END CERTIFICATE-----

239
apps/ciphers.c Normal file
View File

@ -0,0 +1,239 @@
/* apps/ciphers.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef OPENSSL_NO_STDIO
# define APPS_WIN16
#endif
#include "apps.h"
#include <openssl/err.h>
#include <openssl/ssl.h>
#undef PROG
#define PROG ciphers_main
static const char *ciphers_usage[] = {
"usage: ciphers args\n",
" -v - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
" -V - even more verbose\n",
" -ssl2 - SSL2 mode\n",
" -ssl3 - SSL3 mode\n",
" -tls1 - TLS1 mode\n",
NULL
};
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int ret = 1, i;
int verbose = 0, Verbose = 0;
#ifndef OPENSSL_NO_SSL_TRACE
int stdname = 0;
#endif
const char **pp;
const char *p;
int badops = 0;
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
char *ciphers = NULL;
const SSL_METHOD *meth = NULL;
STACK_OF(SSL_CIPHER) *sk;
char buf[512];
BIO *STDout = NULL;
meth = SSLv23_server_method();
apps_startup();
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
STDout = BIO_push(tmpbio, STDout);
}
#endif
if (!load_config(bio_err, NULL))
goto end;
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-v") == 0)
verbose = 1;
else if (strcmp(*argv, "-V") == 0)
verbose = Verbose = 1;
#ifndef OPENSSL_NO_SSL_TRACE
else if (strcmp(*argv, "-stdname") == 0)
stdname = verbose = 1;
#endif
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv, "-ssl2") == 0)
meth = SSLv2_client_method();
#endif
#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv, "-ssl3") == 0)
meth = SSLv3_client_method();
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv, "-tls1") == 0)
meth = TLSv1_client_method();
#endif
else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) {
badops = 1;
break;
} else {
ciphers = *argv;
}
argc--;
argv++;
}
if (badops) {
for (pp = ciphers_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
OpenSSL_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);
if (ctx == NULL)
goto err;
if (ciphers != NULL) {
if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
BIO_printf(bio_err, "Error in cipher list\n");
goto err;
}
}
ssl = SSL_new(ctx);
if (ssl == NULL)
goto err;
if (!verbose) {
for (i = 0;; i++) {
p = SSL_get_cipher_list(ssl, i);
if (p == NULL)
break;
if (i != 0)
BIO_printf(STDout, ":");
BIO_printf(STDout, "%s", p);
}
BIO_printf(STDout, "\n");
} else { /* verbose */
sk = SSL_get_ciphers(ssl);
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
SSL_CIPHER *c;
c = sk_SSL_CIPHER_value(sk, i);
if (Verbose) {
unsigned long id = SSL_CIPHER_get_id(c);
int id0 = (int)(id >> 24);
int id1 = (int)((id >> 16) & 0xffL);
int id2 = (int)((id >> 8) & 0xffL);
int id3 = (int)(id & 0xffL);
if ((id & 0xff000000L) == 0x02000000L) {
/* SSL2 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X,0x%02X - ", id1,
id2, id3);
} else if ((id & 0xff000000L) == 0x03000000L) {
/* SSL3 cipher */
BIO_printf(STDout, " 0x%02X,0x%02X - ", id2,
id3);
} else {
/* whatever */
BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0,
id1, id2, id3);
}
}
#ifndef OPENSSL_NO_SSL_TRACE
if (stdname) {
const char *nm = SSL_CIPHER_standard_name(c);
if (nm == NULL)
nm = "UNKNOWN";
BIO_printf(STDout, "%s - ", nm);
}
#endif
BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof(buf)));
}
}
ret = 0;
if (0) {
err:
SSL_load_error_strings();
ERR_print_errors(bio_err);
}
end:
if (ctx != NULL)
SSL_CTX_free(ctx);
if (ssl != NULL)
SSL_free(ssl);
if (STDout != NULL)
BIO_free_all(STDout);
apps_shutdown();
OPENSSL_EXIT(ret);
}

52
apps/client.pem Normal file
View File

@ -0,0 +1,52 @@
subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert
issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY
+yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs
lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D
nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2
x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2
bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9
AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS
curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB
IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b
vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2
QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm
CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f
wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr
agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy
mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr
MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x
HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L
p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT
KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB
1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx
L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl
LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO
Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn
/bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai
1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX
1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3
NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ
zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC
mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7
5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK
u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+
HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV
tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn
SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh
kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww
1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw=
-----END RSA PRIVATE KEY-----

1358
apps/cms.c Normal file
View File

File diff suppressed because it is too large Load Diff

442
apps/crl.c Normal file
View File

@ -0,0 +1,442 @@
/* apps/crl.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "apps.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#undef PROG
#define PROG crl_main
#undef POSTFIX
#define POSTFIX ".rvk"
static const char *crl_usage[] = {
"usage: crl args\n",
"\n",
" -inform arg - input format - default PEM (DER or PEM)\n",
" -outform arg - output format - default PEM\n",
" -text - print out a text format version\n",
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
" -hash - print hash value\n",
#ifndef OPENSSL_NO_MD5
" -hash_old - print old-style (MD5) hash value\n",
#endif
" -fingerprint - print the crl fingerprint\n",
" -issuer - print issuer DN\n",
" -lastupdate - lastUpdate field\n",
" -nextupdate - nextUpdate field\n",
" -crlnumber - print CRL number\n",
" -noout - no CRL output\n",
" -CAfile name - verify CRL using certificates in file \"name\"\n",
" -CApath dir - verify CRL using certificates in \"dir\"\n",
" -nameopt arg - various certificate name options\n",
NULL
};
static BIO *bio_out = NULL;
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
unsigned long nmflag = 0;
X509_CRL *x = NULL;
char *CAfile = NULL, *CApath = NULL;
int ret = 1, i, num, badops = 0, badsig = 0;
BIO *out = NULL;
int informat, outformat, keyformat;
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
0, text = 0;
#ifndef OPENSSL_NO_MD5
int hash_old = 0;
#endif
int fingerprint = 0, crlnumber = 0;
const char **pp;
X509_STORE *store = NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup = NULL;
X509_OBJECT xobj;
EVP_PKEY *pkey;
int do_ver = 0;
const EVP_MD *md_alg, *digest = EVP_sha1();
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
if (bio_out == NULL)
if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
bio_out = BIO_push(tmpbio, bio_out);
}
#endif
}
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
keyformat = FORMAT_PEM;
argc--;
argv++;
num = 0;
while (argc >= 1) {
#ifdef undef
if (strcmp(*argv, "-p") == 0) {
if (--argc < 1)
goto bad;
if (!args_from_file(++argv, Nargc, Nargv)) {
goto end;
}
*/}
#endif
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-gendelta") == 0) {
if (--argc < 1)
goto bad;
crldiff = *(++argv);
} else if (strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
keyfile = *(++argv);
} else if (strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
goto bad;
keyformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-CApath") == 0) {
if (--argc < 1)
goto bad;
CApath = *(++argv);
do_ver = 1;
} else if (strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
do_ver = 1;
} else if (strcmp(*argv, "-verify") == 0)
do_ver = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-hash") == 0)
hash = ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv, "-hash_old") == 0)
hash_old = ++num;
#endif
else if (strcmp(*argv, "-nameopt") == 0) {
if (--argc < 1)
goto bad;
if (!set_name_ex(&nmflag, *(++argv)))
goto bad;
} else if (strcmp(*argv, "-issuer") == 0)
issuer = ++num;
else if (strcmp(*argv, "-lastupdate") == 0)
lastupdate = ++num;
else if (strcmp(*argv, "-nextupdate") == 0)
nextupdate = ++num;
else if (strcmp(*argv, "-noout") == 0)
noout = ++num;
else if (strcmp(*argv, "-fingerprint") == 0)
fingerprint = ++num;
else if (strcmp(*argv, "-crlnumber") == 0)
crlnumber = ++num;
else if (strcmp(*argv, "-badsig") == 0)
badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
for (pp = crl_usage; (*pp != NULL); pp++)
BIO_printf(bio_err, "%s", *pp);
goto end;
}
ERR_load_crypto_strings();
x = load_crl(infile, informat);
if (x == NULL) {
goto end;
}
if (do_ver) {
store = X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
goto end;
if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
ERR_clear_error();
if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
BIO_printf(bio_err, "Error initialising X509 store\n");
goto end;
}
i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
X509_CRL_get_issuer(x), &xobj);
if (i <= 0) {
BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
goto end;
}
pkey = X509_get_pubkey(xobj.data.x509);
X509_OBJECT_free_contents(&xobj);
if (!pkey) {
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
goto end;
}
i = X509_CRL_verify(x, pkey);
EVP_PKEY_free(pkey);
if (i < 0)
goto end;
if (i == 0)
BIO_printf(bio_err, "verify failure\n");
else
BIO_printf(bio_err, "verify OK\n");
}
if (crldiff) {
X509_CRL *newcrl, *delta;
if (!keyfile) {
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
newcrl = load_crl(crldiff, informat);
if (!newcrl)
goto end;
pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
"CRL signing key");
if (!pkey) {
X509_CRL_free(newcrl);
goto end;
}
delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
X509_CRL_free(newcrl);
EVP_PKEY_free(pkey);
if (delta) {
X509_CRL_free(x);
x = delta;
} else {
BIO_puts(bio_err, "Error creating delta CRL\n");
goto end;
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
nmflag);
}
if (crlnumber == i) {
ASN1_INTEGER *crlnum;
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
} else
BIO_puts(bio_out, "<NONE>");
BIO_printf(bio_out, "\n");
}
if (hash == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i) {
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i) {
BIO_printf(bio_out, "lastUpdate=");
ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
BIO_printf(bio_out, "\n");
}
if (nextupdate == i) {
BIO_printf(bio_out, "nextUpdate=");
if (X509_CRL_get_nextUpdate(x))
ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
else
BIO_printf(bio_out, "NONE");
BIO_printf(bio_out, "\n");
}
if (fingerprint == i) {
int j;
unsigned int n;
unsigned char md[EVP_MAX_MD_SIZE];
if (!X509_CRL_digest(x, digest, md, &n)) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
BIO_printf(bio_out, "%s Fingerprint=",
OBJ_nid2sn(EVP_MD_type(digest)));
for (j = 0; j < (int)n; j++) {
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
? '\n' : ':');
}
}
}
}
out = BIO_new(BIO_s_file());
if (out == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (text)
X509_CRL_print(out, x);
if (noout) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = (int)i2d_X509_CRL_bio(out, x);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_X509_CRL(out, x);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write CRL\n");
goto end;
}
ret = 0;
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out = NULL;
X509_CRL_free(x);
if (store) {
X509_STORE_CTX_cleanup(&ctx);
X509_STORE_free(store);
}
apps_shutdown();
OPENSSL_EXIT(ret);
}

334
apps/crl2p7.c Normal file
View File

@ -0,0 +1,334 @@
/* apps/crl2p7.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/*
* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu> and
* donated 'to the cause' along with lots and lots of other fixes to the
* library.
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include "apps.h"
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pkcs7.h>
#include <openssl/pem.h>
#include <openssl/objects.h>
static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
#undef PROG
#define PROG crl2pkcs7_main
/*-
* -inform arg - input format - default PEM (DER or PEM)
* -outform arg - output format - default PEM
* -in arg - input file - default stdin
* -out arg - output file - default stdout
*/
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int i, badops = 0;
BIO *in = NULL, *out = NULL;
int informat, outformat;
char *infile, *outfile, *prog, *certfile;
PKCS7 *p7 = NULL;
PKCS7_SIGNED *p7s = NULL;
X509_CRL *crl = NULL;
STACK_OF(OPENSSL_STRING) *certflst = NULL;
STACK_OF(X509_CRL) *crl_stack = NULL;
STACK_OF(X509) *cert_stack = NULL;
int ret = 1, nocrl = 0;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-nocrl") == 0) {
nocrl = 1;
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-certfile") == 0) {
if (--argc < 1)
goto bad;
if (!certflst)
certflst = sk_OPENSSL_STRING_new_null();
if (!certflst)
goto end;
if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
sk_OPENSSL_STRING_free(certflst);
goto end;
}
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err, " -out arg output file\n");
BIO_printf(bio_err,
" -certfile arg certificates file of chain to a trusted CA\n");
BIO_printf(bio_err, " (can be used more than once)\n");
BIO_printf(bio_err,
" -nocrl no crl to load, just certs from '-certfile'\n");
ret = 1;
goto end;
}
ERR_load_crypto_strings();
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (!nocrl) {
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (informat == FORMAT_ASN1)
crl = d2i_X509_CRL_bio(in, NULL);
else if (informat == FORMAT_PEM)
crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (crl == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
}
if ((p7 = PKCS7_new()) == NULL)
goto end;
if ((p7s = PKCS7_SIGNED_new()) == NULL)
goto end;
p7->type = OBJ_nid2obj(NID_pkcs7_signed);
p7->d.sign = p7s;
p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
if (!ASN1_INTEGER_set(p7s->version, 1))
goto end;
if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
goto end;
p7s->crl = crl_stack;
if (crl != NULL) {
sk_X509_CRL_push(crl_stack, crl);
crl = NULL; /* now part of p7 for OPENSSL_freeing */
}
if ((cert_stack = sk_X509_new_null()) == NULL)
goto end;
p7s->cert = cert_stack;
if (certflst)
for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
certfile = sk_OPENSSL_STRING_value(certflst, i);
if (add_certs_from_file(cert_stack, certfile) < 0) {
BIO_printf(bio_err, "error loading certificates\n");
ERR_print_errors(bio_err);
goto end;
}
}
sk_OPENSSL_STRING_free(certflst);
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (outformat == FORMAT_ASN1)
i = i2d_PKCS7_bio(out, p7);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_PKCS7(out, p7);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write pkcs7 object\n");
ERR_print_errors(bio_err);
goto end;
}
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (p7 != NULL)
PKCS7_free(p7);
if (crl != NULL)
X509_CRL_free(crl);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/*-
*----------------------------------------------------------------------
* int add_certs_from_file
*
* Read a list of certificates to be checked from a file.
*
* Results:
* number of certs added if successful, -1 if not.
*----------------------------------------------------------------------
*/
static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
{
BIO *in = NULL;
int count = 0;
int ret = -1;
STACK_OF(X509_INFO) *sk = NULL;
X509_INFO *xi;
in = BIO_new(BIO_s_file());
if ((in == NULL) || (BIO_read_filename(in, certfile) <= 0)) {
BIO_printf(bio_err, "error opening the file, %s\n", certfile);
goto end;
}
/* This loads from a file, a stack of x509/crl/pkey sets */
sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
if (sk == NULL) {
BIO_printf(bio_err, "error reading the file, %s\n", certfile);
goto end;
}
/* scan over it and pull out the CRL's */
while (sk_X509_INFO_num(sk)) {
xi = sk_X509_INFO_shift(sk);
if (xi->x509 != NULL) {
sk_X509_push(stack, xi->x509);
xi->x509 = NULL;
count++;
}
X509_INFO_free(xi);
}
ret = count;
end:
/* never need to OPENSSL_free x */
if (in != NULL)
BIO_free(in);
if (sk != NULL)
sk_X509_INFO_free(sk);
return (ret);
}

14
apps/demoCA/cacert.pem Normal file
View File

@ -0,0 +1,14 @@
subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
-----BEGIN X509 CERTIFICATE-----
MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
IMs6ZOZB
-----END X509 CERTIFICATE-----

39
apps/demoCA/index.txt Normal file
View File

@ -0,0 +1,39 @@
R 980705233205Z 951009233205Z 01 certs/00000001 /CN=Eric Young
E 951009233205Z 02 certs/00000002 /CN=Duncan Young
R 980705233205Z 951201010000Z 03 certs/00000003 /CN=Tim Hudson
V 980705233205Z 04 certs/00000004 /CN=Eric Young4
V 980705233205Z 05 certs/00000004 /CN=Eric Young5
V 980705233205Z 06 certs/00000004 /CN=Eric Young6
V 980705233205Z 07 certs/00000004 /CN=Eric Young7
V 980705233205Z 08 certs/00000004 /CN=Eric Young8
V 980705233205Z 09 certs/00000004 /CN=Eric Young9
V 980705233205Z 0A certs/00000004 /CN=Eric YoungA
V 980705233205Z 0B certs/00000004 /CN=Eric YoungB
V 980705233205Z 0C certs/00000004 /CN=Eric YoungC
V 980705233205Z 0D certs/00000004 /CN=Eric YoungD
V 980705233205Z 0E certs/00000004 /CN=Eric YoungE
V 980705233205Z 0F certs/00000004 /CN=Eric YoungF
V 980705233205Z 10 certs/00000004 /CN=Eric Young10
V 980705233205Z 11 certs/00000004 /CN=Eric Young11
V 980705233205Z 12 certs/00000004 /CN=Eric Young12
V 980705233205Z 13 certs/00000004 /CN=Eric Young13
V 980705233205Z 14 certs/00000004 /CN=Eric Young14
V 980705233205Z 15 certs/00000004 /CN=Eric Young15
V 980705233205Z 16 certs/00000004 /CN=Eric Young16
V 980705233205Z 17 certs/00000004 /CN=Eric Young17
V 961206150305Z 010C unknown /C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
V 961206153245Z 010D unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au
V 970322074816Z 010E unknown /CN=Eric Young/Email=eay@mincom.oz.au
V 970322075152Z 010F unknown /CN=Eric Young
V 970322075906Z 0110 unknown /CN=Eric Youngg
V 970324092238Z 0111 unknown /C=AU/SP=Queensland/CN=Eric Young
V 970324221931Z 0112 unknown /CN=Fred
V 970324224934Z 0113 unknown /C=AU/CN=eay
V 971001005237Z 0114 unknown /C=AU/SP=QLD/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
V 971001010331Z 0115 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test again - x509v3
V 971001013945Z 0117 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test
V 971014225415Z 0118 unknown /C=AU/SP=Queensland/CN=test
V 971015004448Z 0119 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test2
V 971016035001Z 011A unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test64
V 971016080129Z 011B unknown /C=FR/O=ALCATEL/OU=Alcatel Mobile Phones/CN=bourque/Email=bourque@art.alcatel.fr
V 971016224000Z 011D unknown /L=Bedford/O=Cranfield University/OU=Computer Centre/CN=Peter R Lister/Email=P.Lister@cranfield.ac.uk

24
apps/demoCA/private/cakey.pem Normal file
View File

@ -0,0 +1,24 @@
issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA
subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server
-----BEGIN X509 CERTIFICATE-----
MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV
BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz
MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM
RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV
BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3
LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb
/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0
DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn
IMs6ZOZB
-----END X509 CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe
Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ
hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG
sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw
tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq
agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA
g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI=
-----END RSA PRIVATE KEY-----

1
apps/demoCA/serial Normal file
View File

@ -0,0 +1 @@
011E

6
apps/demoSRP/srp_verifier.txt Normal file
View File

@ -0,0 +1,6 @@
# This is a file that will be filled by the openssl srp routine.
# You can initialize the file with additional groups, these are
# records starting with a I followed by the g and N values and the id.
# The exact values ... you have to dig this out from the source of srp.c
# or srp_vfy.c
# The last value of an I is used as the default group for new users.

1
apps/demoSRP/srp_verifier.txt.attr Normal file
View File

@ -0,0 +1 @@
unique_subject = yes

620
apps/dgst.c Normal file
View File

@ -0,0 +1,620 @@
/* apps/dgst.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "apps.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/hmac.h>
#undef BUFSIZE
#define BUFSIZE 1024*8
#undef PROG
#define PROG dgst_main
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file, BIO *bmd);
static void list_md_fn(const EVP_MD *m,
const char *from, const char *to, void *arg)
{
const char *mname;
/* Skip aliases */
if (!m)
return;
mname = OBJ_nid2ln(EVP_MD_type(m));
/* Skip shortnames */
if (strcmp(from, mname))
return;
/* Skip clones */
if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
return;
if (strchr(mname, ' '))
mname = EVP_MD_name(m);
BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
mname, mname);
}
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL, *impl = NULL;
unsigned char *buf = NULL;
int i, err = 1;
const EVP_MD *md = NULL, *m;
BIO *in = NULL, *inp;
BIO *bmd = NULL;
BIO *out = NULL;
#define PROG_NAME_SIZE 39
char pname[PROG_NAME_SIZE + 1];
int separator = 0;
int debug = 0;
int keyform = FORMAT_PEM;
const char *outfile = NULL, *keyfile = NULL;
const char *sigfile = NULL, *randfile = NULL;
int out_bin = -1, want_pub = 0, do_verify = 0;
EVP_PKEY *sigkey = NULL;
unsigned char *sigbuf = NULL;
int siglen = 0;
char *passargin = NULL, *passin = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
int engine_impl = 0;
#endif
char *hmac_key = NULL;
char *mac_name = NULL;
int non_fips_allow = 0;
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
apps_startup();
if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) {
BIO_printf(bio_err, "out of memory\n");
goto end;
}
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
/* first check the program name */
program_name(argv[0], pname, sizeof(pname));
md = EVP_get_digestbyname(pname);
argc--;
argv++;
while (argc > 0) {
if ((*argv)[0] != '-')
break;
if (strcmp(*argv, "-c") == 0)
separator = 1;
else if (strcmp(*argv, "-r") == 0)
separator = 2;
else if (strcmp(*argv, "-rand") == 0) {
if (--argc < 1)
break;
randfile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
break;
outfile = *(++argv);
} else if (strcmp(*argv, "-sign") == 0) {
if (--argc < 1)
break;
keyfile = *(++argv);
} else if (!strcmp(*argv, "-passin")) {
if (--argc < 1)
break;
passargin = *++argv;
} else if (strcmp(*argv, "-verify") == 0) {
if (--argc < 1)
break;
keyfile = *(++argv);
want_pub = 1;
do_verify = 1;
} else if (strcmp(*argv, "-prverify") == 0) {
if (--argc < 1)
break;
keyfile = *(++argv);
do_verify = 1;
} else if (strcmp(*argv, "-signature") == 0) {
if (--argc < 1)
break;
sigfile = *(++argv);
} else if (strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
break;
keyform = str2fmt(*(++argv));
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
break;
engine = *(++argv);
e = setup_engine(bio_err, engine, 0);
} else if (strcmp(*argv, "-engine_impl") == 0)
engine_impl = 1;
#endif
else if (strcmp(*argv, "-hex") == 0)
out_bin = 0;
else if (strcmp(*argv, "-binary") == 0)
out_bin = 1;
else if (strcmp(*argv, "-d") == 0)
debug = 1;
else if (!strcmp(*argv, "-fips-fingerprint"))
hmac_key = "etaonrishdlcupfm";
else if (strcmp(*argv, "-non-fips-allow") == 0)
non_fips_allow = 1;
else if (!strcmp(*argv, "-hmac")) {
if (--argc < 1)
break;
hmac_key = *++argv;
} else if (!strcmp(*argv, "-mac")) {
if (--argc < 1)
break;
mac_name = *++argv;
} else if (strcmp(*argv, "-sigopt") == 0) {
if (--argc < 1)
break;
if (!sigopts)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
break;
} else if (strcmp(*argv, "-macopt") == 0) {
if (--argc < 1)
break;
if (!macopts)
macopts = sk_OPENSSL_STRING_new_null();
if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
break;
} else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
md = m;
else
break;
argc--;
argv++;
}
if (keyfile != NULL && argc > 1) {
BIO_printf(bio_err, "Can only sign or verify one file\n");
goto end;
}
if (do_verify && !sigfile) {
BIO_printf(bio_err,
"No signature to verify: use the -signature option\n");
goto end;
}
if ((argc > 0) && (argv[0][0] == '-')) { /* bad option */
BIO_printf(bio_err, "unknown option '%s'\n", *argv);
BIO_printf(bio_err, "options are\n");
BIO_printf(bio_err,
"-c to output the digest with separating colons\n");
BIO_printf(bio_err,
"-r to output the digest in coreutils format\n");
BIO_printf(bio_err, "-d to output debug info\n");
BIO_printf(bio_err, "-hex output as hex dump\n");
BIO_printf(bio_err, "-binary output in binary form\n");
BIO_printf(bio_err, "-hmac arg set the HMAC key to arg\n");
BIO_printf(bio_err, "-non-fips-allow allow use of non FIPS digest\n");
BIO_printf(bio_err,
"-sign file sign digest using private key in file\n");
BIO_printf(bio_err,
"-verify file verify a signature using public key in file\n");
BIO_printf(bio_err,
"-prverify file verify a signature using private key in file\n");
BIO_printf(bio_err,
"-keyform arg key file format (PEM or ENGINE)\n");
BIO_printf(bio_err,
"-out filename output to filename rather than stdout\n");
BIO_printf(bio_err, "-signature file signature to verify\n");
BIO_printf(bio_err, "-sigopt nm:v signature parameter\n");
BIO_printf(bio_err, "-hmac key create hashed MAC with key\n");
BIO_printf(bio_err,
"-mac algorithm create MAC (not neccessarily HMAC)\n");
BIO_printf(bio_err,
"-macopt nm:v MAC algorithm parameters or key\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e use engine e, possibly a hardware device.\n");
#endif
EVP_MD_do_all_sorted(list_md_fn, bio_err);
goto end;
}
#ifndef OPENSSL_NO_ENGINE
if (engine_impl)
impl = e;
#endif
in = BIO_new(BIO_s_file());
bmd = BIO_new(BIO_f_md());
if ((in == NULL) || (bmd == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (debug) {
BIO_set_callback(in, BIO_debug_callback);
/* needed for windows 3.1 */
BIO_set_callback_arg(in, (char *)bio_err);
}
if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
if (out_bin == -1) {
if (keyfile)
out_bin = 1;
else
out_bin = 0;
}
if (randfile)
app_RAND_load_file(randfile, bio_err, 0);
if (outfile) {
if (out_bin)
out = BIO_new_file(outfile, "wb");
else
out = BIO_new_file(outfile, "w");
} else {
out = BIO_new_fp(stdout, BIO_NOCLOSE);
#ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
#endif
}
if (!out) {
BIO_printf(bio_err, "Error opening output file %s\n",
outfile ? outfile : "(stdout)");
ERR_print_errors(bio_err);
goto end;
}
if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) {
BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
goto end;
}
if (keyfile) {
if (want_pub)
sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
e, "key file");
else
sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
e, "key file");
if (!sigkey) {
/*
* load_[pub]key() has already printed an appropriate message
*/
goto end;
}
}
if (mac_name) {
EVP_PKEY_CTX *mac_ctx = NULL;
int r = 0;
if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
goto mac_end;
if (macopts) {
char *macopt;
for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
macopt = sk_OPENSSL_STRING_value(macopts, i);
if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
BIO_printf(bio_err,
"MAC parameter error \"%s\"\n", macopt);
ERR_print_errors(bio_err);
goto mac_end;
}
}
}
if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
BIO_puts(bio_err, "Error generating key\n");
ERR_print_errors(bio_err);
goto mac_end;
}
r = 1;
mac_end:
if (mac_ctx)
EVP_PKEY_CTX_free(mac_ctx);
if (r == 0)
goto end;
}
if (non_fips_allow) {
EVP_MD_CTX *md_ctx;
BIO_get_md_ctx(bmd, &md_ctx);
EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
}
if (hmac_key) {
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
(unsigned char *)hmac_key, -1);
if (!sigkey)
goto end;
}
if (sigkey) {
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
int r;
if (!BIO_get_md_ctx(bmd, &mctx)) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
}
if (do_verify)
r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
else
r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
if (!r) {
BIO_printf(bio_err, "Error setting context\n");
ERR_print_errors(bio_err);
goto end;
}
if (sigopts) {
char *sigopt;
for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
sigopt = sk_OPENSSL_STRING_value(sigopts, i);
if (pkey_ctrl_string(pctx, sigopt) <= 0) {
BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
ERR_print_errors(bio_err);
goto end;
}
}
}
}
/* we use md as a filter, reading from 'in' */
else {
EVP_MD_CTX *mctx = NULL;
if (!BIO_get_md_ctx(bmd, &mctx)) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
}
if (md == NULL)
md = EVP_md5();
if (!EVP_DigestInit_ex(mctx, md, impl)) {
BIO_printf(bio_err, "Error setting digest %s\n", pname);
ERR_print_errors(bio_err);
goto end;
}
}
if (sigfile && sigkey) {
BIO *sigbio;
sigbio = BIO_new_file(sigfile, "rb");
siglen = EVP_PKEY_size(sigkey);
sigbuf = OPENSSL_malloc(siglen);
if (!sigbio) {
BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
ERR_print_errors(bio_err);
goto end;
}
if (!sigbuf) {
BIO_printf(bio_err, "Out of memory\n");
ERR_print_errors(bio_err);
goto end;
}
siglen = BIO_read(sigbio, sigbuf, siglen);
BIO_free(sigbio);
if (siglen <= 0) {
BIO_printf(bio_err, "Error reading signature file %s\n", sigfile);
ERR_print_errors(bio_err);
goto end;
}
}
inp = BIO_push(bmd, in);
if (md == NULL) {
EVP_MD_CTX *tctx;
BIO_get_md_ctx(bmd, &tctx);
md = EVP_MD_CTX_md(tctx);
}
if (argc == 0) {
BIO_set_fp(in, stdin, BIO_NOCLOSE);
err = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
siglen, NULL, NULL, "stdin", bmd);
} else {
const char *md_name = NULL, *sig_name = NULL;
if (!out_bin) {
if (sigkey) {
const EVP_PKEY_ASN1_METHOD *ameth;
ameth = EVP_PKEY_get0_asn1(sigkey);
if (ameth)
EVP_PKEY_asn1_get0_info(NULL, NULL,
NULL, NULL, &sig_name, ameth);
}
if (md)
md_name = EVP_MD_name(md);
}
err = 0;
for (i = 0; i < argc; i++) {
int r;
if (BIO_read_filename(in, argv[i]) <= 0) {
perror(argv[i]);
err++;
continue;
} else
r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
siglen, sig_name, md_name, argv[i], bmd);
if (r)
err = r;
(void)BIO_reset(bmd);
}
}
end:
if (buf != NULL) {
OPENSSL_cleanse(buf, BUFSIZE);
OPENSSL_free(buf);
}
if (in != NULL)
BIO_free(in);
if (passin)
OPENSSL_free(passin);
BIO_free_all(out);
EVP_PKEY_free(sigkey);
if (sigopts)
sk_OPENSSL_STRING_free(sigopts);
if (macopts)
sk_OPENSSL_STRING_free(macopts);
if (sigbuf)
OPENSSL_free(sigbuf);
if (bmd != NULL)
BIO_free(bmd);
release_engine(e);
apps_shutdown();
OPENSSL_EXIT(err);
}
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file, BIO *bmd)
{
size_t len;
int i;
for (;;) {
i = BIO_read(bp, (char *)buf, BUFSIZE);
if (i < 0) {
BIO_printf(bio_err, "Read Error in %s\n", file);
ERR_print_errors(bio_err);
return 1;
}
if (i == 0)
break;
}
if (sigin) {
EVP_MD_CTX *ctx;
BIO_get_md_ctx(bp, &ctx);
i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
if (i > 0)
BIO_printf(out, "Verified OK\n");
else if (i == 0) {
BIO_printf(out, "Verification Failure\n");
return 1;
} else {
BIO_printf(bio_err, "Error Verifying Data\n");
ERR_print_errors(bio_err);
return 1;
}
return 0;
}
if (key) {
EVP_MD_CTX *ctx;
BIO_get_md_ctx(bp, &ctx);
len = BUFSIZE;
if (!EVP_DigestSignFinal(ctx, buf, &len)) {
BIO_printf(bio_err, "Error Signing Data\n");
ERR_print_errors(bio_err);
return 1;
}
} else {
len = BIO_gets(bp, (char *)buf, BUFSIZE);
if ((int)len < 0) {
ERR_print_errors(bio_err);
return 1;
}
}
if (binout)
BIO_write(out, buf, len);
else if (sep == 2) {
for (i = 0; i < (int)len; i++)
BIO_printf(out, "%02x", buf[i]);
BIO_printf(out, " *%s\n", file);
} else {
if (sig_name) {
BIO_puts(out, sig_name);
if (md_name)
BIO_printf(out, "-%s", md_name);
BIO_printf(out, "(%s)= ", file);
} else if (md_name)
BIO_printf(out, "%s(%s)= ", md_name, file);
else
BIO_printf(out, "(%s)= ", file);
for (i = 0; i < (int)len; i++) {
if (sep && (i != 0))
BIO_printf(out, ":");
BIO_printf(out, "%02x", buf[i]);
}
BIO_printf(out, "\n");
}
return 0;
}

331
apps/dh.c Normal file
View File

@ -0,0 +1,331 @@
/* apps/dh.c */
/* obsoleted by dhparam.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
#ifndef OPENSSL_NO_DH
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dh.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# undef PROG
# define PROG dh_main
/*-
* -inform arg - input format - default PEM (DER or PEM)
* -outform arg - output format - default PEM
* -in arg - input file - default stdin
* -out arg - output file - default stdout
* -check - check the parameters are ok
* -noout
* -text
* -C
*/
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
DH *dh = NULL;
int i, badops = 0, text = 0;
BIO *in = NULL, *out = NULL;
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
char *infile, *outfile, *prog;
char *engine;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
engine = NULL;
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
}
# ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
goto bad;
engine = *(++argv);
}
# endif
else if (strcmp(*argv, "-check") == 0)
check = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-C") == 0)
C = 1;
else if (strcmp(*argv, "-noout") == 0)
noout = 1;
else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
BIO_printf(bio_err,
" -outform arg output format - one of DER PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err, " -out arg output file\n");
BIO_printf(bio_err, " -check check the DH parameters\n");
BIO_printf(bio_err,
" -text print a text form of the DH parameters\n");
BIO_printf(bio_err, " -C Output C code\n");
BIO_printf(bio_err, " -noout no output\n");
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
" -engine e use engine e, possibly a hardware device.\n");
# endif
goto end;
}
ERR_load_crypto_strings();
setup_engine(bio_err, engine, 0);
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
# ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
# endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (informat == FORMAT_ASN1)
dh = d2i_DHparams_bio(in, NULL);
else if (informat == FORMAT_PEM)
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified\n");
goto end;
}
if (dh == NULL) {
BIO_printf(bio_err, "unable to load DH parameters\n");
ERR_print_errors(bio_err);
goto end;
}
if (text) {
DHparams_print(out, dh);
# ifdef undef
printf("p=");
BN_print(stdout, dh->p);
printf("\ng=");
BN_print(stdout, dh->g);
printf("\n");
if (dh->length != 0)
printf("recommended private length=%ld\n", dh->length);
# endif
}
if (check) {
if (!DH_check(dh, &i)) {
ERR_print_errors(bio_err);
goto end;
}
if (i & DH_CHECK_P_NOT_PRIME)
printf("p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
printf("p value is not a safe prime\n");
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
printf("unable to check the generator value\n");
if (i & DH_NOT_SUITABLE_GENERATOR)
printf("the g value is not a generator\n");
if (i == 0)
printf("DH parameters appear to be ok.\n");
}
if (C) {
unsigned char *data;
int len, l, bits;
len = BN_num_bytes(dh->p);
bits = BN_num_bits(dh->p);
data = (unsigned char *)OPENSSL_malloc(len);
if (data == NULL) {
perror("OPENSSL_malloc");
goto end;
}
l = BN_bn2bin(dh->p, data);
printf("static unsigned char dh%d_p[]={", bits);
for (i = 0; i < l; i++) {
if ((i % 12) == 0)
printf("\n\t");
printf("0x%02X,", data[i]);
}
printf("\n\t};\n");
l = BN_bn2bin(dh->g, data);
printf("static unsigned char dh%d_g[]={", bits);
for (i = 0; i < l; i++) {
if ((i % 12) == 0)
printf("\n\t");
printf("0x%02X,", data[i]);
}
printf("\n\t};\n\n");
printf("DH *get_dh%d()\n\t{\n", bits);
printf("\tDH *dh;\n\n");
printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
bits, bits);
printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
bits, bits);
printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
printf("\t\treturn(NULL);\n");
printf("\treturn(dh);\n\t}\n");
OPENSSL_free(data);
}
if (!noout) {
if (outformat == FORMAT_ASN1)
i = i2d_DHparams_bio(out, dh);
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_DHparams(out, dh);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write DH parameters\n");
ERR_print_errors(bio_err);
goto end;
}
}
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (dh != NULL)
DH_free(dh);
apps_shutdown();
OPENSSL_EXIT(ret);
}
#else /* !OPENSSL_NO_DH */
# if PEDANTIC
static void *dummy = &dummy;
# endif
#endif

10
apps/dh1024.pem Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN DH PARAMETERS-----
MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
-----END DH PARAMETERS-----
These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
(http://www.skip-vpn.org/spec/numbers.html).
See there for how they were generated.
Note that g is not a generator, but this is not a problem since p is a safe prime.

12
apps/dh2048.pem Normal file
View File

@ -0,0 +1,12 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV
89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50
T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb
zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX
Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT
CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==
-----END DH PARAMETERS-----
These are the 2048 bit DH parameters from "Assigned Number for SKIP Protocols"
(http://www.skip-vpn.org/spec/numbers.html).
See there for how they were generated.

18
apps/dh4096.pem Normal file
View File

@ -0,0 +1,18 @@
-----BEGIN DH PARAMETERS-----
MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
-----END DH PARAMETERS-----
These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
(http://www.skip-vpn.org/spec/numbers.html).
See there for how they were generated.
Note that g is not a generator, but this is not a problem since p is a safe prime.

9
apps/dh512.pem Normal file
View File

@ -0,0 +1,9 @@
-----BEGIN DH PARAMETERS-----
MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
-----END DH PARAMETERS-----
These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
(http://www.skip-vpn.org/spec/numbers.html).
See there for how they were generated.
Note that g is not a generator, but this is not a problem since p is a safe prime.

556
apps/dhparam.c Normal file
View File

@ -0,0 +1,556 @@
/* apps/dhparam.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
#ifndef OPENSSL_NO_DH
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dh.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
# endif
# undef PROG
# define PROG dhparam_main
# define DEFBITS 2048
/*-
* -inform arg - input format - default PEM (DER or PEM)
* -outform arg - output format - default PEM
* -in arg - input file - default stdin
* -out arg - output file - default stdout
* -dsaparam - read or generate DSA parameters, convert to DH
* -check - check the parameters are ok
* -noout
* -text
* -C
*/
static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
DH *dh = NULL;
int i, badops = 0, text = 0;
# ifndef OPENSSL_NO_DSA
int dsaparam = 0;
# endif
BIO *in = NULL, *out = NULL;
int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
char *infile, *outfile, *prog;
char *inrand = NULL;
char *engine = NULL;
ENGINE *e = NULL;
int num = 0, g = 0;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
}
# ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
goto bad;
engine = *(++argv);
}
# endif
else if (strcmp(*argv, "-check") == 0)
check = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
# ifndef OPENSSL_NO_DSA
else if (strcmp(*argv, "-dsaparam") == 0)
dsaparam = 1;
# endif
else if (strcmp(*argv, "-C") == 0)
C = 1;
else if (strcmp(*argv, "-noout") == 0)
noout = 1;
else if (strcmp(*argv, "-2") == 0)
g = 2;
else if (strcmp(*argv, "-5") == 0)
g = 5;
else if (strcmp(*argv, "-rand") == 0) {
if (--argc < 1)
goto bad;
inrand = *(++argv);
} else if (((sscanf(*argv, "%d", &num) == 0) || (num <= 0)))
goto bad;
argv++;
argc--;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] [numbits]\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - one of DER PEM\n");
BIO_printf(bio_err,
" -outform arg output format - one of DER PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err, " -out arg output file\n");
# ifndef OPENSSL_NO_DSA
BIO_printf(bio_err,
" -dsaparam read or generate DSA parameters, convert to DH\n");
# endif
BIO_printf(bio_err, " -check check the DH parameters\n");
BIO_printf(bio_err,
" -text print a text form of the DH parameters\n");
BIO_printf(bio_err, " -C Output C code\n");
BIO_printf(bio_err,
" -2 generate parameters using 2 as the generator value\n");
BIO_printf(bio_err,
" -5 generate parameters using 5 as the generator value\n");
BIO_printf(bio_err,
" numbits number of bits in to generate (default 2048)\n");
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
" -engine e use engine e, possibly a hardware device.\n");
# endif
BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
LIST_SEPARATOR_CHAR);
BIO_printf(bio_err,
" - load the file (or the files in the directory) into\n");
BIO_printf(bio_err, " the random number generator\n");
BIO_printf(bio_err, " -noout no output\n");
goto end;
}
ERR_load_crypto_strings();
e = setup_engine(bio_err, engine, 0);
if (g && !num)
num = DEFBITS;
# ifndef OPENSSL_NO_DSA
if (dsaparam) {
if (g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
goto end;
}
} else
# endif
{
/* DH parameters */
if (num && !g)
g = 2;
}
if (num) {
BN_GENCB cb;
BN_GENCB_set(&cb, dh_cb, bio_err);
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
BIO_printf(bio_err,
"warning, not much extra random data, consider using the -rand option\n");
}
if (inrand != NULL)
BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
app_RAND_load_files(inrand));
# ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa = DSA_new();
BIO_printf(bio_err,
"Generating DSA parameters, %d bit long prime\n", num);
if (!dsa
|| !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
&cb)) {
if (dsa)
DSA_free(dsa);
ERR_print_errors(bio_err);
goto end;
}
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
if (dh == NULL) {
ERR_print_errors(bio_err);
goto end;
}
} else
# endif
{
dh = DH_new();
BIO_printf(bio_err,
"Generating DH parameters, %d bit long safe prime, generator %d\n",
num, g);
BIO_printf(bio_err, "This is going to take a long time\n");
if (!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) {
ERR_print_errors(bio_err);
goto end;
}
}
app_RAND_write_file(NULL, bio_err);
} else {
in = BIO_new(BIO_s_file());
if (in == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (informat != FORMAT_ASN1 && informat != FORMAT_PEM) {
BIO_printf(bio_err, "bad input format specified\n");
goto end;
}
# ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa;
if (informat == FORMAT_ASN1)
dsa = d2i_DSAparams_bio(in, NULL);
else /* informat == FORMAT_PEM */
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
if (dsa == NULL) {
BIO_printf(bio_err, "unable to load DSA parameters\n");
ERR_print_errors(bio_err);
goto end;
}
dh = DSA_dup_DH(dsa);
DSA_free(dsa);
if (dh == NULL) {
ERR_print_errors(bio_err);
goto end;
}
} else
# endif
{
if (informat == FORMAT_ASN1) {
/*
* We have no PEM header to determine what type of DH params it
* is. We'll just try both.
*/
dh = d2i_DHparams_bio(in, NULL);
/* BIO_reset() returns 0 for success for file BIOs only!!! */
if (dh == NULL && BIO_reset(in) == 0)
dh = d2i_DHxparams_bio(in, NULL);
} else {
/* informat == FORMAT_PEM */
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
}
if (dh == NULL) {
BIO_printf(bio_err, "unable to load DH parameters\n");
ERR_print_errors(bio_err);
goto end;
}
}
/* dh != NULL */
}
out = BIO_new(BIO_s_file());
if (out == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
# ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
# endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (text) {
DHparams_print(out, dh);
}
if (check) {
if (!DH_check(dh, &i)) {
ERR_print_errors(bio_err);
goto end;
}
if (i & DH_CHECK_P_NOT_PRIME)
printf("p value is not prime\n");
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
printf("p value is not a safe prime\n");
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
printf("unable to check the generator value\n");
if (i & DH_NOT_SUITABLE_GENERATOR)
printf("the g value is not a generator\n");
if (i == 0)
printf("DH parameters appear to be ok.\n");
}
if (C) {
unsigned char *data;
int len, l, bits;
len = BN_num_bytes(dh->p);
bits = BN_num_bits(dh->p);
data = (unsigned char *)OPENSSL_malloc(len);
if (data == NULL) {
perror("OPENSSL_malloc");
goto end;
}
printf("#ifndef HEADER_DH_H\n"
"#include <openssl/dh.h>\n" "#endif\n");
printf("DH *get_dh%d()\n\t{\n", bits);
l = BN_bn2bin(dh->p, data);
printf("\tstatic unsigned char dh%d_p[]={", bits);
for (i = 0; i < l; i++) {
if ((i % 12) == 0)
printf("\n\t\t");
printf("0x%02X,", data[i]);
}
printf("\n\t\t};\n");
l = BN_bn2bin(dh->g, data);
printf("\tstatic unsigned char dh%d_g[]={", bits);
for (i = 0; i < l; i++) {
if ((i % 12) == 0)
printf("\n\t\t");
printf("0x%02X,", data[i]);
}
printf("\n\t\t};\n");
printf("\tDH *dh;\n\n");
printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
bits, bits);
printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
bits, bits);
printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
printf("\t\t{ DH_free(dh); return(NULL); }\n");
if (dh->length)
printf("\tdh->length = %ld;\n", dh->length);
printf("\treturn(dh);\n\t}\n");
OPENSSL_free(data);
}
if (!noout) {
if (outformat == FORMAT_ASN1) {
if (dh->q != NULL)
i = i2d_DHxparams_bio(out, dh);
else
i = i2d_DHparams_bio(out, dh);
} else if (outformat == FORMAT_PEM) {
if (dh->q != NULL)
i = PEM_write_bio_DHxparams(out, dh);
else
i = PEM_write_bio_DHparams(out, dh);
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (!i) {
BIO_printf(bio_err, "unable to write DH parameters\n");
ERR_print_errors(bio_err);
goto end;
}
}
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (dh != NULL)
DH_free(dh);
release_engine(e);
apps_shutdown();
OPENSSL_EXIT(ret);
}
/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
{
char c = '*';
if (p == 0)
c = '.';
if (p == 1)
c = '+';
if (p == 2)
c = '*';
if (p == 3)
c = '\n';
BIO_write(cb->arg, &c, 1);
(void)BIO_flush(cb->arg);
# ifdef LINT
p = n;
# endif
return 1;
}
#else /* !OPENSSL_NO_DH */
# if PEDANTIC
static void *dummy = &dummy;
# endif
#endif

40
apps/dsa-ca.pem Normal file
View File

@ -0,0 +1,40 @@
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
Mu0OArgCgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuHvSLw9YUrJahcBHmbpvt4
94lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUqAylOVFJJJXuirVJ+o+0T
tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
J6zsFbSEHaQGUmfSeoM=
-----END DSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
C1Q=
-----END CERTIFICATE-----

46
apps/dsa-pca.pem Normal file
View File

@ -0,0 +1,46 @@
-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ
PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel
u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH
Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso
hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu
SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y
Mu0OArgCgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUCFQDNvrBz
6TicfImU7UFRn9h00j0lJQ==
-----END DSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
-----END CERTIFICATE REQUEST-----
-----BEGIN CERTIFICATE-----
MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
5rKUjNBhSg==
-----END CERTIFICATE-----

372
apps/dsa.c Normal file
View File

@ -0,0 +1,372 @@
/* apps/dsa.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
#ifndef OPENSSL_NO_DSA
# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include "apps.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/dsa.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/bn.h>
# undef PROG
# define PROG dsa_main
/*-
* -inform arg - input format - default PEM (one of DER, NET or PEM)
* -outform arg - output format - default PEM
* -in arg - input file - default stdin
* -out arg - output file - default stdout
* -des - encrypt output if PEM format with DES in cbc mode
* -des3 - encrypt output if PEM format
* -idea - encrypt output if PEM format
* -aes128 - encrypt output if PEM format
* -aes192 - encrypt output if PEM format
* -aes256 - encrypt output if PEM format
* -camellia128 - encrypt output if PEM format
* -camellia192 - encrypt output if PEM format
* -camellia256 - encrypt output if PEM format
* -seed - encrypt output if PEM format
* -text - print a text version
* -modulus - print the DSA public key
*/
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL;
int ret = 1;
DSA *dsa = NULL;
int i, badops = 0;
const EVP_CIPHER *enc = NULL;
BIO *in = NULL, *out = NULL;
int informat, outformat, text = 0, noout = 0;
int pubin = 0, pubout = 0;
char *infile, *outfile, *prog;
char *engine;
char *passargin = NULL, *passargout = NULL;
char *passin = NULL, *passout = NULL;
int modulus = 0;
int pvk_encr = 2;
apps_startup();
if (bio_err == NULL)
if ((bio_err = BIO_new(BIO_s_file())) != NULL)
BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
if (!load_config(bio_err, NULL))
goto end;
engine = NULL;
infile = NULL;
outfile = NULL;
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
prog = argv[0];
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-inform") == 0) {
if (--argc < 1)
goto bad;
informat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-outform") == 0) {
if (--argc < 1)
goto bad;
outformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-in") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
outfile = *(++argv);
} else if (strcmp(*argv, "-passin") == 0) {
if (--argc < 1)
goto bad;
passargin = *(++argv);
} else if (strcmp(*argv, "-passout") == 0) {
if (--argc < 1)
goto bad;
passargout = *(++argv);
}
# ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
goto bad;
engine = *(++argv);
}
# endif
else if (strcmp(*argv, "-pvk-strong") == 0)
pvk_encr = 2;
else if (strcmp(*argv, "-pvk-weak") == 0)
pvk_encr = 1;
else if (strcmp(*argv, "-pvk-none") == 0)
pvk_encr = 0;
else if (strcmp(*argv, "-noout") == 0)
noout = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
else if (strcmp(*argv, "-modulus") == 0)
modulus = 1;
else if (strcmp(*argv, "-pubin") == 0)
pubin = 1;
else if (strcmp(*argv, "-pubout") == 0)
pubout = 1;
else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badops = 1;
break;
}
argc--;
argv++;
}
if (badops) {
bad:
BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, " -inform arg input format - DER or PEM\n");
BIO_printf(bio_err, " -outform arg output format - DER or PEM\n");
BIO_printf(bio_err, " -in arg input file\n");
BIO_printf(bio_err,
" -passin arg input file pass phrase source\n");
BIO_printf(bio_err, " -out arg output file\n");
BIO_printf(bio_err,
" -passout arg output file pass phrase source\n");
# ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
" -engine e use engine e, possibly a hardware device.\n");
# endif
BIO_printf(bio_err,
" -des encrypt PEM output with cbc des\n");
BIO_printf(bio_err,
" -des3 encrypt PEM output with ede cbc des using 168 bit key\n");
# ifndef OPENSSL_NO_IDEA
BIO_printf(bio_err,
" -idea encrypt PEM output with cbc idea\n");
# endif
# ifndef OPENSSL_NO_AES
BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
BIO_printf(bio_err,
" encrypt PEM output with cbc aes\n");
# endif
# ifndef OPENSSL_NO_CAMELLIA
BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
BIO_printf(bio_err,
" encrypt PEM output with cbc camellia\n");
# endif
# ifndef OPENSSL_NO_SEED
BIO_printf(bio_err,
" -seed encrypt PEM output with cbc seed\n");
# endif
BIO_printf(bio_err, " -text print the key in text\n");
BIO_printf(bio_err, " -noout don't print key out\n");
BIO_printf(bio_err, " -modulus print the DSA public value\n");
goto end;
}
ERR_load_crypto_strings();
e = setup_engine(bio_err, engine, 0);
if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
in = BIO_new(BIO_s_file());
out = BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
BIO_printf(bio_err, "read DSA key\n");
{
EVP_PKEY *pkey;
if (pubin)
pkey = load_pubkey(bio_err, infile, informat, 1,
passin, e, "Public Key");
else
pkey = load_key(bio_err, infile, informat, 1,
passin, e, "Private Key");
if (pkey) {
dsa = EVP_PKEY_get1_DSA(pkey);
EVP_PKEY_free(pkey);
}
}
if (dsa == NULL) {
BIO_printf(bio_err, "unable to load Key\n");
ERR_print_errors(bio_err);
goto end;
}
if (outfile == NULL) {
BIO_set_fp(out, stdout, BIO_NOCLOSE);
# ifdef OPENSSL_SYS_VMS
{
BIO *tmpbio = BIO_new(BIO_f_linebuffer());
out = BIO_push(tmpbio, out);
}
# endif
} else {
if (BIO_write_filename(out, outfile) <= 0) {
perror(outfile);
goto end;
}
}
if (text)
if (!DSA_print(out, dsa, 0)) {
perror(outfile);
ERR_print_errors(bio_err);
goto end;
}
if (modulus) {
fprintf(stdout, "Public Key=");
BN_print(out, dsa->pub_key);
fprintf(stdout, "\n");
}
if (noout)
goto end;
BIO_printf(bio_err, "writing DSA key\n");
if (outformat == FORMAT_ASN1) {
if (pubin || pubout)
i = i2d_DSA_PUBKEY_bio(out, dsa);
else
i = i2d_DSAPrivateKey_bio(out, dsa);
} else if (outformat == FORMAT_PEM) {
if (pubin || pubout)
i = PEM_write_bio_DSA_PUBKEY(out, dsa);
else
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
NULL, 0, NULL, passout);
# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
if (pk == NULL)
goto end;
EVP_PKEY_set1_DSA(pk, dsa);
if (outformat == FORMAT_PVK)
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
else if (pubin || pubout)
i = i2b_PublicKey_bio(out, pk);
else
i = i2b_PrivateKey_bio(out, pk);
EVP_PKEY_free(pk);
# endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}
if (i <= 0) {
BIO_printf(bio_err, "unable to write private key\n");
ERR_print_errors(bio_err);
} else
ret = 0;
end:
if (in != NULL)
BIO_free(in);
if (out != NULL)
BIO_free_all(out);
if (dsa != NULL)
DSA_free(dsa);
release_engine(e);
if (passin)
OPENSSL_free(passin);
if (passout)
OPENSSL_free(passout);
apps_shutdown();
OPENSSL_EXIT(ret);
}
#else /* !OPENSSL_NO_DSA */
# if PEDANTIC
static void *dummy = &dummy;
# endif
#endif

9
apps/dsa1024.pem Normal file
View File

@ -0,0 +1,9 @@
-----BEGIN DSA PARAMETERS-----
MIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQPnUx
mUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtelu+Us
OSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcHMe36
bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLsohkj8
3pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbuSXQH
zlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7YMu0O
Arg=
-----END DSA PARAMETERS-----

Some files were not shown because too many files have changed in this diff Show More